ZeroFox Daily Intelligence Brief - January 1, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- New Shai Hulud Npm Strain Fitted with Stealth and Reliability Upgrades
- Attackers Target IP Company and Steal Funds
- LockBit Ransomware Targets Fortis Healthcare in Data Extortion Attack
New Shai Hulud Npm Strain Fitted with Stealth and Reliability Upgrades
Source: https://thehackernews.com/2025/12/researchers-spot-modified-shai-hulud.html
What we know: Researchers have identified a new strain of the Shai Hulud npm malware embedded in the “@vietmoney/react-big-calendar” package. The new strain is reportedly a modification of an existing Shai Hulud malware strain, which was re-obfuscated and updated in December 2025 after being dormant since 2021.
Context: The updated strain introduces renamed loader and payload files, new GitHub exfiltration identifiers, and altered file names, alongside the removal of the dead-man switch. Additional changes include improved error handling, operating system-aware publishing logic, and adjustments to data collection and storage sequence.
Analyst note: The refinements likely point to more persistent, scalable, and worm-like propagation for stealthier data theft. If development continues, this strain is likely to progress in the near term into automated campaigns that abuse older, trusted npm packages to evade security controls.
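As an added example (not part of the brief and not ZeroFox tooling), the following Python script shows one practical check a defender can run against a project's npm lockfile in response to this item: it flags any dependency whose name is on a watchlist (seeded with the package named above) and any dependency that npm recorded as declaring an install-time lifecycle script, which lockfileVersion 2 and 3 files mark with "hasInstallScript": true. The sample lockfile is constructed for the demonstration; the version string on the watchlisted entry is a placeholder, not a real release.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for two signals:
a dependency whose name is on a watchlist, and any dependency that runs a
script at install time (npm records this as "hasInstallScript": true)."""
import json
from pathlib import Path

# The package name comes from the brief; an organisation would extend this
# set with its own watchlist (constructed here for the example).
WATCHLIST = {"@vietmoney/react-big-calendar"}


def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile key such as
    "node_modules/@scope/name" or "node_modules/a/node_modules/b".
    npm stores an explicit "name" only when the installed name differs
    (aliased packages), so prefer it when present."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> dict:
    """Return {"watchlist": [(path, version), ...],
               "install_scripts": [(path, version), ...]}."""
    findings = {"watchlist": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the "" key is the root project itself
            continue
        entry = (path, meta.get("version", "unknown"))
        if package_name(path, meta) in WATCHLIST:
            findings["watchlist"].append(entry)
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(entry)
    return findings


def audit_file(lock_path: str) -> dict:
    """Convenience wrapper: load a lockfile from disk and audit it."""
    return audit_lockfile(json.loads(Path(lock_path).read_text()))


# Constructed sample lockfile (not a real capture): a benign dependency, the
# package named in the brief with a placeholder version, and a nested
# transitive dependency that declares an install script.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@vietmoney/react-big-calendar": {
            "version": "0.0.0-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/some-lib": {"version": "2.1.0"},
        "node_modules/some-lib/node_modules/native-helper": {
            "version": "0.4.2",
            "hasInstallScript": True,
        },
    },
}

if __name__ == "__main__":
    for kind, entries in audit_lockfile(SAMPLE_LOCK).items():
        for path, version in entries:
            print(f"{kind}: {path}@{version}")
```

Install-script hits are not malicious by themselves (native modules legitimately build at install time), so the list is a review queue, not a verdict; the watchlist hit is the actionable finding, and running the audit in CI before `npm ci` keeps a flagged package from executing anything on the build host.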
Attackers Target IP Company and Steal Funds
What we know: Decentralized intellectual property (IP) management platform Unleash Protocol confirmed a cyber incident, in which threat actors reportedly stole cryptocurrency worth USD 3.9 million. Stolen funds were then bridged out and reportedly laundered via an open source cryptocurrency mixer to obscure traceability.
Context: Threat actors obtained administrative control of the company’s multisig governance system and carried out an unauthorized smart contract upgrade. The malicious upgrade enabled illicit withdrawals of multiple assets, including wrapped IP (WIP), wrapped Ether (WETH), staked IP (stIP), and voting-escrowed IP (vIP).
Analyst note: The laundered funds are likely to be moved into fresh wallets, cashed out via other exchanges, and reused to fund future cyber operations. It is likely that a large amount of the cryptocurrency is being held back or further bridged to evade attribution.
LockBit Ransomware Targets Fortis Healthcare in Data Extortion Attack
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/98026
What we know: LockBit 5.0 ransomware has listed Fortis Healthcare on its leak site, likely indicating a data extortion attack targeting the organization.
Context: LockBit is a prominent ransomware-as-a-service group known for double extortion, while Fortis Healthcare operates large multi-specialty hospitals in India that handle sensitive patient and clinical data.
Analyst note: Healthcare organizations face intense pressure to pay ransoms to prevent disruptions in services, making them easy targets. Moreover, financially motivated threat actors like LockBit are very likely to use the exposed patient data for double extortion, identity fraud, and further social engineering attacks.
DEEP AND DARK WEB INTELLIGENCE
Infrastructure Destruction Squad: Threat group Infrastructure Destruction Squad (IDS) claims to have gained unauthorized access to an undisclosed water treatment plant in Italy, releasing a screen recording as alleged proof of access. IDS says the compromised environment supports rainwater and wastewater treatment and includes systems for pumps, flow control, storage, and sensor monitoring, suggesting access beyond passive observation. If the claims are accurate, such access may be used for coercion, signaling, or future destructive activity, even if no immediate impact has been reported.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-13915: This critical authentication bypass flaw in IBM's API Connect platform can enable unauthenticated actors to circumvent login controls and access exposed applications; exploitation is of low complexity and requires no user interaction. Because of that, the vulnerability is likely to be rapidly weaponized, increasing the risk of widespread abuse resulting in data exposure, service disruption, and downstream compromise of connected applications.
Affected products: Affected products are listed in this advisory.
Tags: DIB, tlp:green