ZeroFox Daily Intelligence Brief - September 15, 2025
by Alpha Team
ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Threat Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
- Massive Data Leak Linked to the Great Firewall of China Published
- Geopolitical Focus: Worldwide Political and Security Developments
Threat Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
What we know: The FBI has issued an alert warning that threat groups UNC6040 and UNC6395 are compromising Salesforce environments to steal data and extort victims. The alert also contains indicators of compromise (IoCs) and mitigations intended to contain ongoing intrusions and limit future attacks.
Context: UNC6040 has used voice phishing (vishing) to redirect victims to malicious OAuth apps, while UNC6395 has abused stolen Salesloft Drift tokens to access Salesforce instances and exfiltrate sensitive data and credentials. ZeroFox has observed this campaign affecting multiple major organizations and has assessed its likely near-term repercussions.
Analyst note: Other threat actors are likely to target OAuth-based platforms using tactics similar to UNC6040 and UNC6395. Implementing the FBI’s mitigations and analyzing IoCs can help organizations block such attacks and detect them before they escalate into broader breaches of connected companies.
Massive Data Leak Linked to the Great Firewall of China Published
Source: https://hackread.com/great-firewall-of-china-data-published-largest-leak/
What we know: Hacktivist group Enlace Hacktivista has allegedly leaked nearly 600 GB of data linked to the Great Firewall of China, containing its source code, technical documentation, internal messages, and other material involved in the development and maintenance of the system.
Context: The leak is reportedly traced to Chinese cybersecurity firm Geedge Networks and the MESA Lab, affiliated with the Chinese Academy of Sciences’ Institute of Information Engineering. Both entities are widely reported to lead the Firewall’s research and development.
Analyst note: A preliminary analysis of the leaked data suggests China has exported surveillance and censorship technology to countries such as Pakistan and Ethiopia, among others linked to the Belt and Road Initiative (BRI). Further examination is likely to aid reconnaissance of the Firewall’s web of systems and uncover vulnerabilities. However, given the sensitivity of the dataset, it is likely to contain malware, and it should be handled only in an isolated analysis environment.
Geopolitical Focus: Worldwide Political and Security Developments
- Nepal has appointed former Chief Justice Sushila Karki as its new interim Prime Minister. Non-profit organization Hami Nepal (We are Nepal), led by a former disc jockey (DJ), emerged as a decisive force in installing Nepal’s new interim leadership. ZeroFox analyzes that even with an interim government, isolated incidents of demonstrations and violence are very likely to persist, hampering trade, transport, tourism, and hospitality sectors.
- 30 residential buildings have reportedly been destroyed in Gaza City, displacing thousands, as U.S. Secretary of State Marco Rubio arrived to discuss the Israel-Hamas conflict.
- Ukraine has launched a large drone attack with at least 361 drones against Russia, briefly causing a fire at the Kirishi oil refinery in the northwest. Russian officials said no injuries have been reported.
- Two individuals in Utah have been arrested for placing a lit but malfunctioning incendiary device under a news vehicle in Salt Lake City. Bomb squads have confirmed the device failed to detonate.
- The United States has sanctioned two Islamist actors, Sudan’s Finance Minister, who also chairs the Justice and Equality Movement, and the Al-Baraa Bin Malik Brigade, for their roles in Sudan’s civil war and their ties to Iran.
DEEP AND DARK WEB INTELLIGENCE
Kimsuky group uses AI to target South Korea: North Korea’s Kimsuky group has reportedly used ChatGPT to generate a fake South Korean military ID for a phishing campaign that delivered malware. By leveraging AI to create more convincing lures, the group makes attacks harder to detect and more effective. These operations, as part of Pyongyang’s global intelligence-gathering, could strengthen North Korea’s espionage capabilities against South Korea and its allies.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-21043: Threat actors have exploited this zero-day vulnerability to target Samsung Android devices through malicious image parsing. The out-of-bounds write vulnerability in a closed-source image parsing library reportedly enables threat actors to execute arbitrary code on devices running Android 13 or later. If patches are not deployed, threat actors could exploit the flaw to harvest sensitive data from communication apps, including payment details, screenshots, and location information.
Affected products: The affected products are included in this update.
Tags: DIB, tlp:green