Advisories

ZeroFox Daily Intelligence Brief - January 9, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Kimsuky Actors Use Malicious QR Codes to Target U.S. Entities
  • China-Linked UAT-7290 Expands Telecom Espionage to Southeastern Europe
  • Astaroth Banking Trojan Spread via WhatsApp; Targets Users in Brazil

Kimsuky Actors Use Malicious QR Codes to Target U.S. Entities

Source: https://www.ic3.gov/CSA/2026/260108.pdf

What we know: North Korean state-sponsored advanced persistent threat (APT) group Kimsuky has used QR (quick response) code phishing, known as quishing, to spear phish think tanks, academic institutions, and both U.S. and foreign government entities.

Context: Kimsuky actors leverage quishing to trick users into scanning malicious QR codes, which route the users through attacker-controlled redirectors to pages that covertly harvest credentials. This enables the actors to bypass multi-factor authentication.

Analyst note: Kimsuky is likely to use the stolen credentials to compromise systems of the targeted entities and gain access to data that can give North Korea a strategic upper hand. Adversarial states often use such data to influence public opinion, spread incendiary disinformation, and disrupt key processes such as elections.

China-Linked UAT-7290 Expands Telecom Espionage to Southeastern Europe

Source: https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/

What we know: China-linked cyber espionage actor UAT-7290 has reportedly expanded its targeting sphere beyond South Asia to include telecommunications organizations in Southeastern Europe.

Context: After gaining access, the actor reportedly conducts reconnaissance, exploits device flaws, and deploys Linux malware to establish an espionage infrastructure shared with other China-aligned actors.

Analyst note: As the attack sphere expands from South Asia to Southeastern Europe, China is likely able to collect more communications data and monitor a wider range of geopolitical developments. Compromised systems are likely to provide insights into foreign telecommunication infrastructure, security practices, and emerging technologies.

Astaroth Banking Trojan Spread via WhatsApp; Targets Users in Brazil

Source: https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html

What we know: A new campaign has reportedly been distributing the Astaroth banking trojan via WhatsApp in attacks targeting Brazilian users of the popular messaging platform.

Context: Users receive a message containing a ZIP archive which, upon opening, triggers two modules. One module fetches the user’s contacts and forwards the malicious ZIP archive to them. The other is a banking module that operates covertly in the background, monitoring banking activity to collect credentials.

Analyst note: The campaign is likely to impact a large number of users in Brazil because of WhatsApp’s popularity in the country. Moreover, the campaign operators are likely to steal financial resources and launch other financial extortion scams using the stolen credentials.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user Toxic_Wolf: A threat actor named “Toxic_wolf” has leaked a dataset containing 23 million iCloud email addresses on BreachForums. The threat actor joined the forum in December 2025 and has a reputation score of zero. Given the actor’s reputation and the type of data, which is allegedly only email addresses, it is likely that the data is either publicly available or recycled from an older breach.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20029: Cisco has patched this vulnerability in its Identity Services Engine (ISE), which enables threat actors to read arbitrary files via a malicious XML upload. Publicly available proof-of-concept (PoC) exploit code exists. Public PoC code lowers the barrier for abuse and raises the likelihood of targeted or opportunistic attacks against unpatched deployments.

Affected products: The affected products are included in Cisco’s advisory.

Tags: DIB, tlp:green