Advisories

ZeroFox Daily Intelligence Brief - January 12, 2026

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Instagram Acknowledges Bug; Says There is No Data Breach
  • Iranian State-Sponsored Threat Group Spear-Phishes Middle Eastern Entities
  • Spanish LE Authorities Arrest 34 Connected to Black Axe Cybercrime Ring

Instagram Acknowledges Bug; Says There is No Data Breach

Source: https://www.bleepingcomputer.com/news/security/instagram-denies-breach-amid-claims-of-17-million-account-data-leak/

What we know: Instagram has acknowledged a systematic bug that enabled threat actors to trigger the password reset emails reported by users. Additionally, it has denied all data breach claims in a post on X.

Context: Researchers discovered a dataset containing data on 17.5 million Instagram users being sold on a dark web forum. The data was allegedly harvested in 2024 from an unconfirmed API leak. However, Meta has denied being aware of any API leaks or new data breaches.

Analyst note: The leaked data is likely scraped data gathered over several years. Despite that, threat actors will likely leverage the data to deploy sophisticated social engineering attacks, send emails containing hidden malicious links, and impersonate the victims for financial gain.

Iranian State-Sponsored Threat Group Spear-Phishes Middle Eastern Entities

Source: https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html

What we know: Researchers have attributed a wave of spear-phishing attacks targeting diplomatic, maritime, financial, and telecom entities in the Middle East to the Iranian state-sponsored threat group MuddyWater.

Context: The group reportedly sends spear-phishing emails disguised as cybersecurity guidelines, accompanied by documents that contain a malicious link. The link, when clicked, installs malware on the target’s system. The malware then establishes persistent access, enabling file operations and command execution.

Analyst note: This campaign is likely to enable MuddyWater actors to gain access to sensitive information or systems that can be further used by its sponsor state in disinformation campaigns to sway public opinion. The actors are also likely to use the persistent access to compromised systems to monitor state-related communications.

Spanish LE Authorities Arrest 34 Connected to Black Axe Cybercrime Ring

Source: https://www.europol.europa.eu/media-press/newsroom/news/34-arrests-in-spain-during-action-against-black-axe-criminal-organisation

What we know: Spanish law enforcement (LE) authorities, along with Europol, have arrested 34 individuals allegedly connected to the Black Axe group, which is involved in several criminal activities, including cyber-enabled fraud.

Context: Black Axe is believed to be responsible for fraud that resulted in damages worth at least USD 6.9 million (EUR 5.93 million). The network recruited money mules in impoverished areas with high unemployment rates. It primarily targeted Spanish nationals and exploited them to facilitate the network’s criminal activities.

Analyst note: Criminal organizations like Black Axe recruit from high-unemployment zones, very likely by luring individuals with the promise of financial benefits. The LE action is likely to disrupt Black Axe’s activities in Spain. However, it will likely continue operations outside Spain.

DEEP AND DARK WEB INTELLIGENCE

BreachForums database leaked: Researchers have discovered a publicly disclosed database containing information, including digital footprints, on 323,986 users of the popular dark web forum BreachForums. Based on the nature of the data, it is likely that the leak is partially recycled or derived from an earlier BreachForums incident rather than a fully new breach. The data leak is likely intended to cause reputational damage, given the ongoing disputes between BreachForums administrators.

VULNERABILITY AND EXPLOIT INTELLIGENCE

VMware ESXi bugs exploited in zero-day attacks: China-linked threat actors have exploited multiple VMware ESXi vulnerabilities in zero-day attacks to gain complete control over the ESXi hypervisor, the core of VMware's vSphere platform. Compromising the hypervisor likely enables attackers to control all VMs on the host, access sensitive data, and deploy ransomware across the infrastructure.

Affected products: The affected products have been mentioned in VMware’s advisory addressing these vulnerabilities.

Tags: DIB, tlp:green