
ZeroFox Daily Intelligence Brief - November 28, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Scattered Lapsus$ Hunters Announce Return
  • Cryptocurrency Exchange Hit by Alleged North Korea-Backed Cyber Threat Group
  • OpenAI Confirms Limited Data Exposure in Mixpanel Breach

ZeroFox Intelligence Flash Report - Scattered Lapsus$ Hunters Announce Return

Source: https://www.zerofox.com/advisories/37080/

What we know: Threat group Scattered Lapsus$ Hunters (SLSH) has resurfaced with a new Telegram channel after nearly a month of inactivity. The group is now offering financial incentives to recruit insiders who can provide initial access to corporate networks.

Context: SLSH has been observed using Telegram to recruit corporate insiders for initial network access, such as VPN, Citrix, and administrative credentials. The group is selectively targeting employees at large global organizations while excluding those in Russia, China, Belarus, and North Korea.

Analyst note: SLSH’s recent activity on Telegram almost certainly indicates clear intent to continue and likely escalate its previously observed operations, such as conducting data breaches and data leaks, publicly exposing corporations, and actively recruiting insiders.

Cryptocurrency Exchange Hit by Alleged North Korea-Backed Cyber Threat Group

Source: https://www.reuters.com/world/asia-pacific/south-korea-suspects-north-korea-behind-hack-crypto-exchange-upbit-yonhap-2025-11-28/

What we know: North Korea-associated threat group Lazarus Group is suspected of targeting South Korea-based cryptocurrency exchange Upbit, resulting in the theft of 44.5 billion won (USD 30.4 million).

Context: Lazarus Group reportedly exploited vulnerabilities in Upbit’s systems to execute an “abnormal withdrawal,” targeting the exchange’s cryptocurrency holdings. Authorities are investigating the incident, which reportedly mirrors a similar 2019 crypto heist attributed to the group.

Analyst note: Lazarus Group is likely to convert the stolen cryptocurrency into cash through mixing services and layered transactions, and to use the proceeds to finance North Korea’s sanctioned programs and future cyber operations.

OpenAI Confirms Limited Data Exposure in Mixpanel Breach

Source: https://www.securityweek.com/openai-user-data-exposed-in-mixpanel-hack/

What we know: OpenAI has confirmed limited data exposure of some of its API users stemming from a smishing campaign at data analytics provider Mixpanel. The security incident was detected on November 8, 2025.

Context: OpenAI has clarified that the breach did not involve chats, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs. Affected data potentially includes user profile details associated with platform.openai[.]com, such as name, email address, organizational or user IDs, operating systems, and others.

Analyst note: OpenAI’s API metadata and other details are likely to be used in phishing or social engineering attacks against exposed individuals and organizations. Other customers of Mixpanel are also likely to be impacted by the breach.

DEEP AND DARK WEB INTELLIGENCE

Asahi data breach: Japanese brewer Asahi has revealed that personal data of over 1.5 million customers, hundreds of thousands of current and former employees, and over 100,000 external contacts may have been compromised in the September 2025 cyberattack. Leaked information potentially includes names, gender, addresses, and contact details. The exposure reportedly does not involve credit card information. The data is likely to be used to extort Asahi in exchange for not publishing or selling the information.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-54057: This is a cross-site scripting (XSS) vulnerability in Apache SkyWalking due to improper neutralization of script-related HTML tags in a web page. The vulnerability is likely to enable attackers to inject malicious code into a web interface leading to administrator accounts being hijacked.

Affected products: Apache SkyWalking versions through 10.2.0
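The vulnerability class above is improper neutralization of script-related HTML tags: untrusted input is placed into page markup without being escaped. The following is an added, generic illustration of the weak pattern beside its hardened form, with a small check a defender can use in tests to confirm that script-related tags no longer survive rendering. It is not Apache SkyWalking's code and says nothing about where CVE-2025-54057 sits in that project; the function names and the sample payload are constructed for this example.

```javascript
// Added example (not Apache SkyWalking code): neutralizing untrusted input
// before it is rendered into HTML, and a test-time check for leftover tags.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape every HTML-significant character in an untrusted string.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern (hypothetical): the value is concatenated into markup as-is,
// so a value containing a <script> tag is rendered as live markup.
function renderUnsafe(displayName) {
  return `<span class="user">${displayName}</span>`;
}

// Hardened pattern: the same template, but every untrusted value is escaped
// so browsers show the text rather than interpreting it as tags.
function renderSafe(displayName) {
  return `<span class="user">${escapeHtml(displayName)}</span>`;
}

// Detection helper for unit tests: flags script-related tags or inline event
// handlers in rendered output. Treat a match as a failed neutralization.
const SCRIPT_RELATED = /<\s*(script|img|svg|iframe|object|embed)\b|\son\w+\s*=/i;
function containsScriptTag(html) {
  return SCRIPT_RELATED.test(html);
}

// Constructed sample payload used to exercise both renderers.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

console.log(containsScriptTag(renderUnsafe(SAMPLE_PAYLOAD))); // true
console.log(containsScriptTag(renderSafe(SAMPLE_PAYLOAD)));   // false
```

The check is deliberately strict (it also flags inline `on*=` handlers) so that it errs toward a false positive in a test suite; the real fix is the consistent use of output encoding in `renderSafe`, not the detector.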

Tags: DIB, tlp:green