ZeroFox Daily Intelligence Brief - January 5, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Scattered Lapsus$ Hunters Claim a U.S. Cybersecurity Firm Hack
- New Zealand Health Portal Users Compromised
- Geopolitical Focus: Military Strikes, Undersea Cable Severed, and More
Scattered Lapsus$ Hunters Claim a U.S. Cybersecurity Firm Hack
What we know: Threat collective “Scattered Lapsus$ Hunters” claimed to have breached a U.S. cybersecurity firm and accessed internal data, including client information. However, the cybersecurity firm has said the threat collective breached a “honeypot” designed to monitor the activity of threat actors.
Context: The cybersecurity firm says it has narrowed down the collective’s IP address, which was briefly exposed during proxy connection failures, and that it has collected data on the collective’s infrastructure, tactics, and techniques. The threat collective, for its part, has said more information will be exposed on its Telegram channel.
Analyst note: If the cybersecurity firm’s claims are true, threat actors associated with Scattered Lapsus$ Hunters (SLH) are likely to attempt to evade law enforcement action by changing their location or abandoning their internet infrastructure. It is likely that some affiliates will be apprehended by law enforcement.
New Zealand Health Portal Users Compromised
Source: https://www.reuters.com/legal/litigation/new-zealand-launches-review-medical-portal-hack-2026-01-05/
What we know: Manage My Health, a major New Zealand online health portal, has suffered a ransomware attack that exposed medical records of about 120,000 users.
Context: Manage My Health is used by numerous health centres, enabling patients and providers to access medical records, view lab results, book appointments, and order prescriptions. The threat actors reportedly accessed the health documents section of the website and released around 30 sensitive files.
Analyst note: Threat actors are likely to carry out targeted phishing attacks, identity theft, medical fraud, and blackmail against affected individuals.
Geopolitical Focus: Military Strikes, Undersea Cable Severed, and More
- U.S. President Donald Trump has warned of a second military strike in Venezuela if the remaining members of Nicolas Maduro’s administration do not cooperate with the United States. Currently, Delcy Rodríguez has taken over as the interim President of Venezuela. Trump has also warned of similar military action in Colombia and Mexico if the countries do not reduce the flow of illicit drugs.
- Chip manufacturer HieFo Corporation, allegedly controlled by a Chinese citizen, has been ordered by the U.S. government to divest from a chip and wafer fabrication deal with navigation products provider EMCORE. The order cited national security concerns due to potential access to EMCORE’s intellectual property and diversion of chip supply away from the United States.
- U.S. officials have determined that Ukraine did not launch drone strikes targeting Russian President Vladimir Putin’s residence in Novgorod last week, following allegations by Russia.
- U.S. authorities have arrested and charged an individual accused of planning a New Year’s Eve attack on a grocery store and a fast-food restaurant in support of Islamic State in Iraq and al-Sham (ISIS).
- Finnish authorities have detained two crew members and seized cargo ship Fitburg, sailing from St. Petersburg in Russia, after it was found near the site where an undersea internet cable between Finland and Estonia was severed. Investigators are examining whether the damage was accidental or a deliberate act of hybrid warfare.
- An activist group in Germany has claimed responsibility for a suspected arson attack that cut power to tens of thousands of homes, businesses, and hospitals in Berlin.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user “victim”: Threat actor “victim” has advertised over 3 million records from Tokyo FM Broadcasting, including names, email addresses, IP addresses, user agents, and internal system login IDs. If the threat actor’s claims are true, affected individuals are likely to face follow-on attacks such as credential stuffing, account takeover attempts, and unauthorized access to internal systems.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-14346: This Bluetooth vulnerability in WHILL electric wheelchairs and Model F power chairs can enable attackers within Bluetooth range (about 30 feet) to control the devices, risking patient safety. Attackers are likely to pair with a vulnerable wheelchair over Bluetooth to issue movement commands, alter configuration profiles, and override speed controls without authentication or user interaction.
Affected products: All versions of WHILL Model C2 Electric Wheelchairs and Model F Power Chairs
Tags: DIB, tlp:green