
ZeroFox Daily Intelligence Brief - June 11, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ShinyHunters Target Oracle PeopleSoft in Data Theft Campaign
  • China-Linked Actors Expand JDY Botnet, Influence U.S. AI Datacenter Debate
  • CISA Urges Agencies to Remediate High-Risk Vulnerabilities Within 3 Days Amid AI Threats

ShinyHunters Target Oracle PeopleSoft in Data Theft Campaign

Source: https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/

What we know: The ShinyHunters extortion group is reportedly targeting Oracle PeopleSoft servers in an ongoing data theft attack, affecting over 100 organizations, mostly in the education sector. The UK’s Nottingham University has confirmed a related data breach, which also involves student financial information.

Context: PeopleSoft, used by large organizations to manage student administration, supply chain management, procurement, human resources, payroll, and finance, was reportedly exploited using a “gadget chain” of old and zero-day vulnerabilities.

Analyst Note: Operational disruptions, including payments, fee processing, scholarships, and procurement, are likely in the near term at affected organizations. If ransom demands go unmet, ShinyHunters will very likely publish portions of the stolen data, with students and faculty being the most exposed demographic. The compromised data is likely to be weaponized in financially motivated phishing and social engineering campaigns.

China-Linked Actors Expand JDY Botnet, Influence U.S. AI Datacenter Debate

Source: https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html

What we know: The China-linked botnet JDY has reportedly made a resurgence, with over 1,500 compromised small office/home office (SOHO) and internet of things (IoT) devices, despite law enforcement disruption in 2024. The botnet activity reportedly suggests an industrialized reconnaissance effort, which is further used by groups like Volt Typhoon.

Context: Separately, OpenAI has disrupted China-linked influence campaigns targeting AI debates in the United States using ChatGPT. U.S. authorities have also recently seized 13 domains linked to a Chinese recruitment operation for intelligence gathering targeting current and former U.S. government and military personnel.

Analyst Note: Collectively, these efforts suggest an intent by Chinese threat actors to build long-term strategic reconnaissance and data collection networks by operating across multiple domains targeting various sectors in the United States.

CISA Urges Agencies to Remediate High-Risk Vulnerabilities Within 3 Days Amid AI Threats

Source: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk

What we know: CISA has issued a directive urging federal agencies to prioritize remediation for high-risk vulnerabilities within three days as threat actors increasingly use AI to accelerate possible exploitation.

Context: The directive also states that the urgency of vulnerability remediation should be based on variables such as asset exposure, Known Exploited Vulnerabilities (KEV) status, exploit automation, and technical impact.

Analyst Note: While the directive addresses remediation for known vulnerabilities, newer AI models are also likely to help threat actors identify exploitable zero-days, making even a three-day remediation effort difficult. Internet-exposed edge devices of critical infrastructure entities are very likely to be prime targets of threat actors.

DEEP AND DARK WEB INTELLIGENCE

PwnForums user Soral: Threat actor “Soral” has advertised data associated with U.S.-based healthcare company H1 on the dark web forum PwnForums. The leaked data allegedly contains 2,064,071 records of medical professionals, including names, addresses, IDs, specialty names, diploma names, license, and work experience details. Threat actors are likely to leverage the data for identity theft, medical fraud, social engineering, and phishing campaigns by impersonating medical professionals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Vulnerabilities in Vertiv UPS and Trane HVAC Systems: Critical security flaws have been disclosed in Vertiv uninterruptible power supply (UPS) network cards and Trane Tracer SC+ HVAC controllers used in data centers. Unauthenticated attackers can remotely exploit these vulnerabilities to bypass authentication, execute arbitrary code, or trigger denial-of-service conditions. Successful exploitation is very likely to result in complete control over power management systems, triggering significant operational disruption such as uncontrolled shutdowns of data center equipment, thermal shutdowns, and potential service outages.

Affected products: Vertiv UPS network cards, Trane Tracer SC+ HVAC controller.

Tags: DIB, tlp:green