ZeroFox Daily Intelligence Brief: January 13, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Spanish Energy Company Breached
  • Sweden’s Foxtrot Gang Suspect Arrested in Iraq
  • Threat Actor Reportedly Claims Access to Target’s Internal Development Environment

ZeroFox Intelligence Flash Report - Spanish Energy Company Breached

Source: https://www.zerofox.com/advisories/37774/

What we know: Newly registered and unvetted actor “spain” announced on dark web forum BreachForums that they had breached Endesa, one of Spain’s largest gas and electricity companies. Following that, another actor under the name “glock” posted the same advertisement on dark web forum DarkForums.

Context: Endesa confirmed that a threat actor gained unauthorized and illegitimate access to its systems and extracted sensitive Personally Identifiable Information (PII); however, online passwords were reportedly not extracted. The advertised dataset allegedly contains highly sensitive PII related to both customers and internal company business information.

Analyst note: The advertised dataset will almost certainly attract significant attention from potential buyers on the dark web forums, especially considering that Endesa has confirmed the breach. Threat actors will very likely use the data for social engineering attacks, such as phishing or smishing (SMS phishing), and for identity fraud campaigns for financial gain.

Sweden’s Foxtrot Gang Suspect Arrested in Iraq

Source: https://www.europol.europa.eu/media-press/newsroom/news/otf-grimm-swedish-organiser-of-serious-violence-arrested-in-iraq

What we know: An individual, allegedly involved in coordinating violence-as-a-service linked to the Foxtrot Network, was arrested by Operational Taskforce (OTF) Grimm.

Context: The Foxtrot network has allegedly “systematically exploited children and young people” in Sweden. In March 2025, the United States sanctioned this network, accusing it of being leveraged by the Iranian regime.

Analyst note: The arrest of a “High Value Target” is likely to disrupt the criminal network’s ability to coordinate violence internationally as extradition proceedings are underway. Interrogation of the suspect is also likely to enable law enforcement to zero in on other members of the network.

Threat Actor Reportedly Claims Access to Target’s Internal Development Environment

Source: https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/

What we know: An unknown threat actor has reportedly attempted to sell internal source code of American retailer Target Corporation on Gitea, a software development hosting platform. The threat actor has reportedly posted screenshots as evidence in a private hacking community, advertising a total dataset of about 860 GB.

Context: Researchers reportedly found multiple repositories on Gitea that appeared to be a sample of Target’s internal code and developer documentation. The alleged Gitea links have since been removed and Target’s developer Git server has also become inaccessible from the internet.

Analyst note: If the breach is legitimate, the leaked data is likely to help threat actors to further compromise Target’s internal network, leading to exfiltration of sensitive data, remote code execution (RCE), and more. Downstream entities are also likely to be impacted. Online services and billing systems are likely to be disrupted.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Infrastructure Destruction Squad (IDS): The threat group has claimed to have gained access to systems associated with Innovative Construction & Design Solutions, a U.S.-based engineering and design consulting firm. If the data is legitimate, the threat is likely to be significant for environments with strict temperature control requirements, such as data centers, telecom towers, energy facilities, and more.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-8110: This is a zero-day path traversal vulnerability affecting Gogs, a popular self-hosted Git service. A symlink bypass of an older patched RCE flaw enables authenticated users to overwrite files outside the repository. CISA has warned of active exploitation of the bug. Threat actors are likely to use the flaw to compromise developer environments, leading to source code manipulation, malware injection, and theft of sensitive data.

Affected products: Gogs service versions 0 through 0.13.3
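
A defensive audit for the class of issue described above, as an added example (not Gogs code and not its patch): it walks a repository working tree on disk and lists symlinks whose targets resolve outside the repository root, which is the condition that lets a write through the link land outside the repository. The names `FindEscapingSymlinks` and `inside` are hypothetical, and the check is generic rather than specific to Gogs' storage layout.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// inside reports whether path is root itself or lies beneath it.
func inside(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// FindEscapingSymlinks (hypothetical helper) returns the relative paths of
// symlinks under root that resolve outside it. Links that cannot be resolved
// (dangling, looping) are flagged too: a write through them creates the target.
func FindEscapingSymlinks(root string) ([]string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var flagged []string
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.Type()&fs.ModeSymlink == 0 {
			return err
		}
		target, rerr := filepath.EvalSymlinks(p)
		if rerr != nil || !inside(realRoot, target) {
			rel, _ := filepath.Rel(realRoot, p)
			flagged = append(flagged, rel)
		}
		return nil
	})
	return flagged, err
}

func main() {
	for _, root := range os.Args[1:] { // one or more working trees to audit
		links, err := FindEscapingSymlinks(root)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(root, links)
	}
}
```

A purely lexical check on the requested path (for example, rejecting `..`) does not catch these links, because the path itself stays inside the repository until the link is followed.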

Tags: DIB, tlp:green