ZeroFox Daily Intelligence Brief - January 14, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Payment Card Details Swiped in Long Running Web Skimming Campaign
- Belgian Hospital AZ Monica Shifts Critical Care Patients After Cyberattack
- Telegram Proxy Links Can Reportedly Reveal Real IP Addresses
Payment Card Details Swiped in Long Running Web Skimming Campaign
Source: https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html
What we know: A long-running web skimming campaign has reportedly been targeting major payment networks, tricking victims into entering their payment card details, including expiry dates and CVC numbers. The skimmer also harvests victims' names, phone numbers, email addresses, and shipping addresses.
Context: The campaign has reportedly been active since 2022 and is linked to the malicious domain cdn-cookie[.]com, hosted by the sanctioned bulletproof hosting provider Stark Industries, since rebranded as THE[.]Hosting. The domain serves heavily obfuscated JavaScript skimmers that steal payment card data. To reduce the chance of discovery, the skimmer checks for WordPress administrator indicators, such as the wpadminbar toolbar element, so that it does not fire while a logged-in site administrator is viewing the page.
Analyst note: Shoppers who entered card details on compromised e-commerce sites, particularly WordPress-based web shops, are most likely affected by this campaign. Threat actors are likely to use the stolen details for carding fraud, making online purchases with victims' card data.
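A web shop operator who wants to check a captured checkout page for the traits described above can run a static hunt like the following. This is an added example for this brief, not code from ZeroFox or from the cited article. The allowlist of script hosts, the regex heuristics, the `huntSkimmer` name and the sample page are all assumptions made for the demo; the inline script in the sample is a minimal stand-in for the admin-gating behaviour the brief describes, not a real skimmer.

```javascript
// Added example for this brief, not code from ZeroFox or from the cited article:
// a static hunting check over a captured checkout page for the skimmer traits
// described above (a script loaded from cdn-cookie[.]com, an inline script that
// hooks card fields, and the wpadminbar gate used to stay quiet for admins).
// Regex-based on purpose so it runs offline under plain Node.js with no DOM library.

// Assumption for the demo: hosts this shop legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.shop.example"]);
// The domain reported in the campaign (defanged in the brief as cdn-cookie[.]com).
const KNOWN_BAD_HOSTS = new Set(["cdn-cookie.com"]);

// Heuristics chosen for this example, not vendor signatures.
const CARD_FIELD_RE = /\b(cvc|cvv|card[-_ ]?number|ccnum|expir\w*)\b/i;
const ADMIN_GATE_RE = /wpadminbar|wp-toolbar|wp-admin/i;
const EXFIL_RE = /\b(fetch|XMLHttpRequest|sendBeacon|Image)\b/;

// Pull every <script> tag out of the HTML with its src (if any) and inline body.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// Resolve a src attribute (absolute, protocol-relative or relative) to a hostname.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns findings as {kind, detail}; an empty array means nothing tripped these rules.
function huntSkimmer(html, pageOrigin = "https://shop.example/") {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const host = hostOf(s.src, pageOrigin);
      if (host === null) {
        findings.push({ kind: "unparseable-src", detail: s.src });
      } else if (KNOWN_BAD_HOSTS.has(host)) {
        findings.push({ kind: "known-bad-host", detail: host });
      } else if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: "unallowlisted-host", detail: host });
      }
      continue;
    }
    const gated = ADMIN_GATE_RE.test(s.body);
    const touchesCard = CARD_FIELD_RE.test(s.body);
    const exfil = EXFIL_RE.test(s.body);
    if (touchesCard && gated) {
      // Strongest signal: card-field access that switches itself off for admins.
      findings.push({ kind: "admin-gated-card-hook", detail: s.body.trim().slice(0, 80) });
    } else if (touchesCard && exfil) {
      findings.push({ kind: "card-hook-with-network-call", detail: s.body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample page: one legitimate script, one load from the reported domain,
// one unknown third party, and a minimal stand-in for the gating behaviour described
// in the brief (it does not reproduce any real skimmer).
const SAMPLE_PAGE = `
<html><body>
<form><input id="cardnumber"><input id="cvc"></form>
<script src="/assets/checkout.js"></script>
<script src="//cdn-cookie.com/cookie.js"></script>
<script src="https://static.thirdparty.example/lib.js"></script>
<script>
  if (!document.getElementById('wpadminbar')) {
    document.querySelector('#cvc').addEventListener('change', function (e) {
      navigator.sendBeacon('/collect', e.target.value);
    });
  }
</script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(huntSkimmer(SAMPLE_PAGE), null, 2));
}
```

Run against the sample page, the check reports the cdn-cookie[.]com load as a known-bad host, the unknown third-party host as unallowlisted, and the inline script as an admin-gated card hook. The admin-gate heuristic matters in practice: the same page fetched while logged in as a WordPress administrator would not show the skimmer running, so hunting should be done on the HTML served to an anonymous shopper.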
Belgian Hospital AZ Monica Shifts Critical Care Patients After Cyberattack
What we know: A cyberattack on Belgian hospital AZ Monica has resulted in serious disruptions to its IT systems, forcing the hospital to suspend scheduled procedures and operate at reduced capacity. Servers were shut down in response to the cyberattack.
Context: Non-urgent consultations have been postponed as the hospital staff has been unable to retrieve digital medical files of patients. Seven patients requiring critical care have been shifted to alternative hospitals, while others in the hospital are receiving regular treatments. New registrations are slow as they are being carried out manually.
Analyst note: The inability to retrieve digital medical files likely indicates that threat actors encrypted files on the hospital's systems, which in turn points to a ransomware attack; ransomware groups are known to target healthcare entities because the pressure to restore patient care increases the chance of an extortion payment.
Telegram Proxy Links Can Reportedly Reveal Real IP Addresses
Source: https://hackread.com/telegram-add-warning-proxy-links-ip-leak/
What we know: Researchers have reported a single-click issue in Telegram that can reveal a user's real IP address, location, and Internet service provider, bypassing privacy or Virtual Private Network (VPN) settings. The issue stems from Telegram's built-in support for MTProxy, a proxy feature intended to help users evade censorship.
Context: Opening a proxy link triggers a connection test in which the user's device makes a network request directly to the proxy server named in the link, exposing the device's IP address to whoever operates that server. Threat actors can reportedly abuse this by distributing proxy links that point at servers they control, disguised as usernames or website URLs. Telegram says the issue is not unique to the platform and that it will display a warning before proxy links are opened.
Analyst note: The issue is likely to be paired with phishing and social engineering lures that get a target to tap the link. It is also likely to be employed by state actors to unmask activists and journalists who rely on Telegram to bypass censorship or remain anonymous.
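Because the brief's point is that the dangerous link can look like a username or an ordinary website URL, a useful check is to parse candidate links and compare the visible text with the proxy server the device would actually contact. The following is an added example for this brief, not code from ZeroFox, Hackread or Telegram. The `findProxyLinks` and `parseProxyLink` names, the two link forms handled (`tg://proxy?` and `https://t.me/proxy?`), and the sample message with its documentation-range IP addresses and invented secrets are all assumptions made for the demo.

```javascript
// Added example for this brief, not code from ZeroFox, Hackread or Telegram: a
// pre-delivery check that pulls Telegram proxy links out of a message, parses the
// proxy server they would make the device contact, and flags links whose visible
// text hides the target (a username or an unrelated website URL, as the brief describes).
// Runs offline under plain Node.js using the built-in URL parser.

// Only the two link forms handled here; an assumption for the example, not a full list.
const PROXY_LINK_RE = /(?:tg:\/\/proxy\?|https?:\/\/t\.me\/proxy\?)[^\s"'<>]+/gi;
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Parse one candidate URL; returns null unless it is a Telegram proxy link naming a server.
function parseProxyLink(raw) {
  let u;
  try {
    u = new URL(raw.replace(/&amp;/g, "&"));
  } catch {
    return null;
  }
  const isTgScheme = u.protocol === "tg:" && u.hostname === "proxy";
  const isTmeLink = /^https?:$/.test(u.protocol) && u.hostname === "t.me" && u.pathname === "/proxy";
  if (!isTgScheme && !isTmeLink) return null;
  const server = u.searchParams.get("server");
  if (!server) return null;
  const port = u.searchParams.get("port");
  return {
    server,
    port: port !== null && /^\d+$/.test(port) ? Number(port) : null,
    hasSecret: u.searchParams.has("secret"), // MTProxy links carry a secret parameter
  };
}

// Scan message text (plain or HTML) and return every proxy link found, with its
// visible anchor text (if any) and whether that text disguises the real target.
function findProxyLinks(message) {
  const results = [];
  const seen = new Set();
  const add = (raw, display) => {
    const parsed = parseProxyLink(raw);
    if (!parsed || seen.has(raw)) return;
    seen.add(raw);
    const visible = display === null ? null : display.replace(/<[^>]+>/g, "").trim();
    const disguised = visible !== null && !/t\.me\/proxy\?|tg:\/\/proxy\?/i.test(visible);
    results.push({ ...parsed, display: visible, disguised });
  };
  // Anchors first, so a disguised link is judged by its visible text...
  let m;
  while ((m = ANCHOR_RE.exec(message)) !== null) add(m[1], m[2]);
  // ...then bare links in whatever text remains once the anchors are removed.
  const remainder = message.replace(ANCHOR_RE, " ");
  for (const raw of remainder.match(PROXY_LINK_RE) || []) add(raw, null);
  return results;
}

// Constructed sample message (documentation IP ranges, invented names and secrets).
const SAMPLE_MESSAGE = `
Reach me here: <a href="https://t.me/proxy?server=203.0.113.7&amp;port=443&amp;secret=dd00112233445566778899aabbccddeeff">@alice_support</a>
Setup guide: <a href="https://t.me/proxy?server=proxy.example&port=8443&secret=ee00">https://docs.example/guide</a>
Or use tg://proxy?server=198.51.100.9&port=443&secret=ee11 directly.
My real profile: <a href="https://t.me/alice">@alice</a>
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findProxyLinks(SAMPLE_MESSAGE), null, 2));
}
```

On the sample, the first two links are reported as disguised (the visible text is a username and a documentation URL, while the device would contact 203.0.113.7 and proxy.example), the bare `tg://` link is reported with no disguise, and the ordinary profile link is ignored. The server field is the value worth surfacing in a warning, since that is the host that will learn the user's real IP address the moment the link is opened.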
DEEP AND DARK WEB INTELLIGENCE
Telegram users NoName057(16) and DarkStormTeam: Hacktivist groups NoName057(16) and DarkStormTeam have claimed to have carried out distributed denial of service (DDoS) attacks on the websites of multiple Polish government, municipal, energy, and transportation organizations. The groups claimed the attacks were retaliation for Poland's perceived pro-Ukrainian stance. Additionally, NoName057(16) alleged to have gained unauthorized access to the control system of a boiler room in Poland. In a separate incident, Poland's power system faced its largest cyberattack in years in late December, according to the country's energy minister. As the Russia-Ukraine war continues, Poland, a weapons supplier to Ukraine, is likely to become an increasingly frequent target for pro-Russia hacktivists and cybercriminals.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Microsoft January 2026 Patch Tuesday: Microsoft has patched more than 100 vulnerabilities, including one actively exploited and two publicly disclosed zero-day flaws. One of these vulnerabilities, CVE-2026-20805, is a Windows Desktop Window Manager flaw that allows a local attacker to disclose sensitive information. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. Unpatched systems are likely to enable threat actors to carry out reconnaissance, privilege escalation, or follow-on exploitation of affected devices.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green