ZeroFox Daily Intelligence Brief - December 3, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. DOJ Seizes Fraud Platform Linked to Burmese Scam Compound
- Unauthorized Access at University of Pennsylvania Exposes Personal Data of 1,488 Individuals
- MuddyWater Targets Israeli Organizations with Stealthy MuddyViper Backdoor
U.S. DOJ Seizes Fraud Platform Linked to Burmese Scam Compound
What we know: The U.S. Department of Justice (DOJ) has seized tickmilleas[.]com, a fake investment site that lured victims into depositing funds by masquerading as a legitimate trading service. It was run out of the Burmese scam compound Tai Chang.
Context: Tai Chang is associated with groups linked to Chinese organized crime and large-scale scam operations across Southeast Asia. Tickmilleas[.]com directed users to fraudulent mobile apps, several of which have been removed by Google and Apple. Meta separately has taken down more than 2,000 accounts connected to Tai Chang’s online activity.
Analyst note: The domain seizure follows the recent launch of the “Scam Center Strike Force” and its seizure of two other Tai Chang–linked scam domains. In the next few months, the strike force will very likely take down more Southeast Asian scam centers. These actions are also likely to raise public awareness of such overseas scams.
Unauthorized Access at University of Pennsylvania Exposes Personal Data of 1,488 Individuals
What we know: The University of Pennsylvania has disclosed a data breach involving unauthorized access to its Oracle E-Business Suite servers. The attackers reportedly exploited a zero-day vulnerability, exposing personal information of 1,488 individuals.
Context: The University of Pennsylvania recently faced cyber intrusions in October 2025 affecting around 1 million students, alumni, and donors. This incident also follows ongoing data breaches at other organizations in which Cl0p ransomware actors exploited an Oracle EBS zero-day vulnerability to steal sensitive data before extorting the victims.
Analyst note: If the Cl0p ransomware actors are responsible for this breach, they are likely to demand a ransom or threaten to publicly release stolen data. Stolen personal information is likely to be used to launch spear-phishing campaigns, financial fraud, and other attacks against students and staff.
MuddyWater Targets Israeli Organizations with Stealthy MuddyViper Backdoor
Source: https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
What we know: Iran-associated advanced persistent threat (APT) group MuddyWater has targeted Israeli organizations across sectors such as academia, government, manufacturing, and utilities using a previously undocumented backdoor called MuddyViper.
Context: The backdoor reportedly enables attackers to collect system data, transfer files, and steal credentials and browser information. Its 20-command functionality, combined with certain variants that disguise themselves as the Snake game, enhances the group’s stealth and persistent access to affected devices.
Analyst note: The threat actors are likely to use the backdoor’s functionalities to launch tailored attacks against high-value individuals and exfiltrate details of strategic projects within affected Israeli sectors. The exfiltrated data is likely to enable MuddyWater to support its home country's espionage and intelligence-gathering objectives.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user wizard: Threat actor “wizard” has advertised a dataset from UAE-based lifestyle platform Connector, containing 240,000 records including personal information such as names, email addresses, gender, and nationality. If this claim is true, affected individuals are likely to face risks of identity theft, phishing, and other forms of targeted fraud.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-13658: This vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges, which could grant complete control over a device or network. Threat actors are likely to exploit this bug to disable security measures, steal data, maintain stealthy access, and escalate the attack across systems.
Affected products: Longwatch Versions 6.309 to 6.334
Tags: DIB, tlp:green