ZeroFox Daily Intelligence Brief - September 18, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ShinyHunters Claims Breach of 1.5 Billion Salesforce Records
- ZeroFox Intelligence Brief - China’s Influence Operations Against Taiwan
- Over 200 New CopyCop Sites Push AI-Generated Disinformation
ShinyHunters Claims Breach of 1.5 Billion Salesforce Records
What we know: ShinyHunters has reportedly claimed responsibility for stealing 1.5 billion Salesforce records from 760 companies by using OAuth tokens found in a breached Salesloft GitHub repository and social engineering.
Context: ShinyHunters reportedly stole the data records primarily from Contact, Case, Account, Opportunity, and User tables. Due to the scale of these attacks, the FBI recently issued an advisory with indicators of compromise (IoCs).
Analyst note: Investigations are ongoing, and further disclosures of impacted organizations are likely. Affected companies are likely to face continued extortion attempts, targeted phishing or business email compromise (BEC) campaigns, and possible public leaks of stolen Salesforce data.
ZeroFox Intelligence Brief - China’s Influence Operations Against Taiwan
Source: https://www.zerofox.com/advisories/35804/
What we know: ZeroFox has observed China deploying information warfare tactics against Taiwan on digital platforms, almost certainly aiming to weaken the Taiwanese public’s independence resolve by eroding national identity and undermining trust in democratic institutions and elected officials.
Context: China’s information warfare tactics are prevalent on social media platforms TikTok, X (formerly Twitter), YouTube, and Facebook. In July 2025, China was suspected of using an information campaign to sway a mass recall vote in Taiwan.
Analyst note: ZeroFox assessed that China’s influence operations very likely intensify during key political events, but they also extend beyond election cycles, demonstrating a sustained effort. China’s strategy for manipulating public opinion via social media can very likely be adapted to influence corporate perceptions on issues related to Taiwan.
Over 200 New CopyCop Sites Push AI-Generated Disinformation
Source: https://www.theregister.com/2025/09/18/russian_fakenews_network/
What we know: Threat group “CopyCop” (also tracked as “Storm-1516”) has launched over 200 new fake news websites impersonating local outlets and political organizations worldwide. Researchers observe that the network uses self-hosted AI models to mass-produce disinformation targeting elections and political leaders.
Context: CopyCop, a Russia-backed disinformation network, reportedly uses self-hosted Llama 3 LLMs to generate fake news sites, rewrite articles, and create deepfakes to amplify pro-Kremlin narratives.
Analyst note: It is likely that these sites will be weeded out in major countries in the near future. However, the campaign could expand into smaller, more divided nations, where threat actors are likely to deploy tailored disinformation to exploit local grievances, deepen divisions, and shape political outcomes with less resistance.
DEEP AND DARK WEB INTELLIGENCE
Breach at Tiffany’s: Tiffany has disclosed that the May 2025 breach has affected more than 2,500 customers, in which attackers accessed gift card details including names, contact info, and card PINs. At the time of writing, it remains unclear whether this incident is linked to the earlier Tiffany Korea breach suspected to be associated with the ShinyHunters Salesforce campaign. With card numbers and PINs exposed, attackers could resell gift cards on underground markets or use them for fraudulent transactions, including money laundering through luxury purchases.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-9971: Certain Industrial Cellular Gateway models from Planet Technology have a Missing Authentication vulnerability, enabling unauthenticated remote attackers to manipulate the device through a specific function. If attackers gain control, they could disrupt connected systems, steal sensitive data, or cause operational downtime.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green