ZeroFox Weekly Intelligence Brief – January 10, 2026
by Alpha Team

TLP:GREEN
ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the cyber threat landscape. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EST) on January 8, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
Extensions Exfiltrating Chat Conversations
What happened: Cybersecurity researchers have detected a new malware campaign stealing real-time chatbot conversations from over 900,000 users. Two malicious Chrome extensions were used to exfiltrate personal conversations and all Chrome tab URLs to a threat actor-controlled server. The malware deceives users by impersonating a legitimate extension, which adds a sidebar on top of any website, enabling users to chat with popular large language models (LLMs) such as ChatGPT and DeepSeek. The threat actors reportedly abused “Lovable,” an AI-powered web development platform, to anonymize their activities and prevent researchers from tracing them back to the original actors.
Threat Actor Claims to Have Breached NordVPN
What happened: Threat actor “1011” has claimed, on the dark web platform BreachForums, to have breached a development server belonging to Virtual Private Network (VPN) service provider NordVPN. NordVPN has denied the breach. The campaign reportedly bypassed multi-factor authentication on victim systems.
Threat Actor Zestix Advertises Stolen Corporate Cloud Data
What happened: Threat actor “Zestix” is advertising corporate data allegedly stolen from multiple organizations in critical sectors, including aviation, defense, healthcare, and government. The actor reportedly breached cloud environments using credentials harvested through infostealer malware strains.