ZeroFox Daily Intelligence Brief - September 8, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- China-Linked Threat Group Phishes for Sensitive Data
- North Korean Hackers Target Crypto Industry with Fake Job Offers
- Geopolitical Focus: Political Fallout, Conflict, and Violence
China-Linked Threat Group Phishes for Sensitive Data
What we know: Authorities are investigating a phishing email that carried malware traced to Chinese state-linked group “APT41.” The campaign reportedly sought insights into ongoing trade negotiations by targeting trade groups, law firms, and other agencies involved in such negotiations.
Context: The malicious email urged recipients to review an attached draft of legislation which, once opened, would have given the group extensive access to the targeted organizations’ data. China has been observed deploying other espionage tactics for intelligence gathering as well, such as leveraging online job platforms to recruit insiders with security clearances.
Analyst note: The group likely aimed to collect intelligence that could provide China with an advantage in China-related trade negotiations. Such information could give China an upper hand in shaping tariff discussions, anticipating strategies, and influencing policy decisions.
North Korean Hackers Target Crypto Industry with Fake Job Offers
Source: https://www.securityweek.com/north-korean-hackers-targeted-hundreds-in-fake-job-interview-attacks/
What we know: North Korean hackers are reportedly targeting the cryptocurrency industry with fake job offers to steal digital assets and help finance Pyongyang’s nuclear weapons program.
Context: The hackers have been observed impersonating crypto firms on networking applications and tricking applicants into downloading malware as part of a “skills test.” Meanwhile, LinkedIn has rolled out recruiter verification to help combat recruitment scams.
Analyst note: Crypto companies worldwide are likely to face reputational threats as impersonation scams targeting the industry rise. Legitimate job advertisements are also likely to be duplicated in scam operations. Targeted crypto holders are likely to face financial losses as this campaign directly impacts their digital assets.
Geopolitical Focus: Political Fallout, Conflict, and Violence
- French Prime Minister (PM) Francois Bayrou will convene an extraordinary session of the French parliament, the Assemblée Nationale (AN), on September 8, 2025. ZeroFox, in its advisory, assessed that Francois Bayrou’s government is almost certain to fall on September 8 over budgetary disputes.
- On September 7, a Houthi drone struck Israel’s Ramon Airport, wounding one person, shattering windows, and briefly shutting down airspace before flights quickly resumed. The Houthis claimed responsibility for the attack.
- Russia has carried out a major air attack on Ukraine, striking multiple regions and setting fire to the main government building in central Kyiv. At least two people were reportedly killed in the capital. Ukrainian President Volodymyr Zelenskiy said the drone and missile barrage also hit Zaporizhzhia, Kryvyi Rih, Odesa, and the Sumy and Chernihiv regions.
- One person was killed and five others were injured in a shooting at the Alas Locas sports bar near Cleveland, Texas, early on September 7. The Liberty County Sheriff’s Office said the gunfire broke out around 2:30 a.m. (local time), and police are searching for the suspect at the time of writing.
DEEP AND DARK WEB INTELLIGENCE
Cause of the Salesloft Drift breach: Investigations have found that the Salesloft Drift breach, which affected several organizations, stemmed from a compromised GitHub account. Threat actors had access to the account between March and June 2025 and stole OAuth tokens, which they used to access customer data via Drift integrations. The breach has also been tied to the Salesforce attacks. The development almost certainly underscores the supply chain risks originating from unauthorized access to GitHub accounts.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-42957: A critical vulnerability has been discovered in multiple SAP products, including SAP S/4HANA, which is widely used by global companies to manage finances, supply chains, and other core business operations. The flaw could enable attackers to take full control of a company’s SAP system. A successful exploit could lead to large-scale business disruption, financial losses, data theft, and compromise of critical supply chain operations.
Affected products: SAP S/4HANA (Private Cloud or On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, and 108
Tags: DIB, tlp:green