ZeroFox Daily Intelligence Brief - August 26, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Spyware Vulnerability Found Enabling Password Resets
  • Over a Million at Risk in Salesforce-Linked Data Breaches
  • China-Backed Threat Actor Targeting Southeast Asia Diplomats with PlugX Malware

Spyware Vulnerability Found Enabling Password Resets

Source: https://techcrunch.com/2025/08/25/a-new-security-flaw-in-thetruthspy-phone-spyware-is-putting-victims-at-risk/

What we know: Researchers have discovered a vulnerability in TheTruthSpy and its companion spyware apps that enables anyone to reset account passwords and hijack accounts, exposing victims’ sensitive data. At the time of writing, the vulnerability remains unpatched.

Context: TheTruthSpy has operated for nearly a decade as one of the largest spyware networks, with multiple near-identical apps such as Copy9, iSpyoo, and MxSpy. Since these apps reportedly share the same backend, any security flaw in TheTruthSpy also affects all of its rebranded or white-labeled variants.

Analyst note: Law enforcement could exploit this vulnerability to hijack spyware dashboards, map infrastructure, and identify operators. With that access, it could identify threat actors and their victims and notify those facing surveillance, physical danger, or other threats.

Over a Million at Risk in Salesforce-Linked Data Breaches

Source: https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/

What we know: A May data breach at Farmers Insurance affected 1.1 million customers after hackers accessed a third-party vendor’s database. The stolen data included names, addresses, birth dates, driver’s license numbers, and partial Social Security numbers (SSNs).

Context: The breach stemmed from the larger wave of Salesforce data theft attacks impacting multiple organizations. One of Farmers’ vendors detected the intrusion quickly and blocked access, but sensitive data had already been exposed. Additionally, French retailer Auchan has disclosed a cyberattack exposing data from hundreds of thousands of loyalty accounts, also likely tied to the ongoing Salesforce breach campaign.

Analyst note: Over a million Farmers Insurance customers now face long-term fraud risk, as attackers could use the stolen data for identity theft, license scams, and social engineering, or sell it on dark web marketplaces.

China-Backed Threat Actor Targeting Southeast Asia Diplomats with PlugX Malware

Source: https://thehackernews.com/2025/08/unc6384-deploys-plugx-via-captive.html

What we know: A China-linked threat actor, UNC6384, is leveraging advanced social engineering and adversary-in-the-middle (AitM) attacks to target various entities, including diplomats in Southeast Asia, in operations that serve Beijing’s interests.

Context: The campaign uses a captive portal redirect to deliver a digitally signed downloader called STATICPLUGIN. The downloader is signed with a valid certificate issued to a private Chinese firm by a Belgium-based global internet identity provider, and it is then used to deliver the PlugX malware to target systems.

Analyst note: The development very likely indicates that trusted digital identity providers are being leveraged by private Chinese firms working for state-backed hacking groups to carry out cyber espionage.

DEEP AND DARK WEB INTELLIGENCE

XSS clone site: On August 25, 2025, ZeroFox observed an alternative dark web site, called XSSF, claiming to replace the seized Russian-language dark web forum XSS. Multiple sites have emerged following the law enforcement seizure of XSS, but it is unclear whether any of them is a legitimate alternative. XSSF is likely a scam site. More dark web platforms claiming to be XSS alternatives or to be run by its former operators are very likely to continue emerging.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-9074: Docker has patched a flaw in Docker Desktop that allowed containers to reach the Docker Engine API without authentication. Where the patch is not deployed, this vulnerability could give threat actors unauthorized access to user files on affected systems, leading to full host compromise, privilege escalation, and persistence.

Affected products: Docker Desktop versions 4.25 to 4.44.3
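A small triage helper, added here as an example (not ZeroFox or Docker code), that checks Docker Desktop version strings against the affected range quoted in this brief. It assumes the range "4.25 to 4.44.3" is inclusive at both ends, treats a missing patch component as ".0", and compares numerically so that a build such as 4.44.10 is not misread as older than 4.44.3; the sample inventory and build number are constructed.

```python
"""Version-range check for CVE-2025-9074 (Docker Desktop) as described in the brief."""
from __future__ import annotations

import re

# Affected range as stated in the brief; assumed inclusive at both ends.
AFFECTED_MIN = "4.25"
AFFECTED_MAX = "4.44.3"


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '4.44.3' or 'Docker Desktop 4.44.3 (000000)' into an int 3-tuple.

    Comparing tuples of ints avoids the string-compare bug where
    '4.44.10' sorts before '4.44.3'.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text: str) -> bool:
    """True if the Docker Desktop version lies within the affected range."""
    return parse_version(AFFECTED_MIN) <= parse_version(version_text) <= parse_version(AFFECTED_MAX)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into affected / not_affected host lists."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for host, version in inventory.items():
        result["affected" if is_affected(version) else "not_affected"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; the build number in parentheses is a placeholder.
    sample = {
        "laptop-01": "Docker Desktop 4.44.3 (000000)",
        "laptop-02": "4.44.10",
        "laptop-03": "4.24.2",
        "laptop-04": "4.25",
    }
    for bucket, hosts in triage(sample).items():
        print(bucket, hosts)
```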

Tags: DIB, TLP:GREEN