Advisories

ZeroFox Daily Intelligence Brief - November 21, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ShinyHunters Target Salesforce Integrations Again, Claim Access to 285 Instances
  • UK Disrupts Russian-Aligned Billion-Dollar Money Laundering Scheme
  • U.S. Secret Service Disrupts Multi-Million Dollar Skimming Operation

ShinyHunters Target Salesforce Integrations Again, Claim Access to 285 Instances

Source: https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/

What we know: Salesforce is investigating a breach affecting some customers’ data across 285 Salesforce instances, after threat actors gained access through the third-party company Gainsight and its apps connected to Salesforce.

Context: This activity follows the August 2025 Salesloft/Drift OAuth token breach, in which the extortion group ShinyHunters stole billions of Salesforce records across hundreds of companies by abusing OAuth tokens issued to a third-party Salesforce integration. ShinyHunters has claimed responsibility for the Gainsight campaign and is threatening to launch a new leak site containing data from both the Salesloft and Gainsight breaches.

Analyst note: If the claims are true, a dedicated leak site combining Salesloft and Gainsight breach data could result in large-scale exposure of sensitive data, increasing the risk of targeted phishing, business email compromise, fraud, and secondary extortion campaigns against customers and employees.

UK Disrupts Russian-Aligned Billion-Dollar Money Laundering Scheme

Source: http://nationalcrimeagency.gov.uk/news/operation-destabilise-nca-exposes-billion-dollar-money-laundering-network-that-purchased-bank-to-fund-russian-war-effort

What we know: Operation Destabilise, led by the UK’s National Crime Agency (NCA), has uncovered and disrupted a billion-dollar laundering network that purchased a bank in Kyrgyzstan to enable sanctions evasion and process payments supporting Russian military activity. The operation has already led to major arrests and multimillion-pound asset seizures.

Context: Operation Destabilise targeted two Russian-linked laundering groups, Smart and TGR, which converted illicit UK cash into cryptocurrency and moved funds through the purchased Kyrgyz bank and rouble-backed digital assets. The groups allegedly laundered money for transnational cybercrime while evading sanctions and obscuring financial trails.

Analyst note: Cybercriminals are increasingly trying to establish channels to facilitate evasion of law enforcement and sanctions. Such channels are very likely to enable undetected conversion of financial proceeds generated from the drugs trade, firearms supply, and organised immigration crime to clean cryptocurrency or even state-aligned financing.

U.S. Secret Service Disrupts Multi-Million Dollar Skimming Operation

Source: https://www.secretservice.gov/newsroom/releases/2025/11/credit-card-skimming-outreach-operation-tampa-nets-five-illegal-skimming

What we know: A U.S. Secret Service-led operation in Tampa has removed five illegal skimming devices from local businesses. Agents were able to prevent criminals from capturing card data and averted an estimated USD 5.2 million in potential losses nationwide.

Context: Criminals steal payment card numbers using illegal skimming devices fitted to ATMs, gas pumps, and point-of-sale terminals. Skimming technology captures credit card data and encodes it onto new cards with magnetic stripes, and is estimated to cost financial institutions and consumers over USD 1 billion annually.

Analyst note: Card skimming can lead to severe financial losses for targeted victims and entities. Law enforcement operations to tackle such illegal activities are very likely to increase public awareness.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user KaruHunters: Well-reputed threat actor “KaruHunters” has advertised stolen NVIDIA source code. Although the dataset appears well-formatted and legitimate, ZeroFox observed it is most likely sourced from NVIDIA’s publicly available kernel and package downloads. If the claims are true, even publicly available datasets reposted as “stolen” could be leveraged in phishing, social engineering, and fraud attempts against NVIDIA customers.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-40601: SonicWall has urged customers to patch this stack-based buffer overflow in the SonicOS SSLVPN service that can enable remote, unauthenticated attackers to crash Gen7 and Gen8 firewalls. Although no exploitation is reported, the flaw affects widely deployed perimeter devices. Hence, unpatched systems are likely to enable targeted disruption of corporate networks.

Affected products: The affected products have been listed in SonicWall’s advisory.

Tags: DIB, tlp:green