
ZeroFox Daily Intelligence Brief - January 15, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • New CISA Guidance Aims to Bolster Security in Connected OT and CNI Systems
  • Illegal Service Provider Enabling Fraud Disrupted
  • Geopolitical Focus: Iran Unrest, Greenland’s Future, Fighting in Syria, and More

New CISA Guidance Aims to Bolster Security in Connected OT and CNI Systems

Source: https://www.cisa.gov/news-events/news/cisa-uk-ncsc-fbi-unveil-principles-combat-cyber-risks-ot

What we know: CISA, the UK National Cyber Security Centre (NCSC), the FBI, and partner agencies have released joint guidance on Secure Connectivity Principles for Operational Technology (OT). The guidance warns that increasingly connected OT environments, especially in critical national infrastructure (CNI), are being actively targeted because of exposed and insecurely configured connectivity.

Context: According to the guidance, legacy OT systems, expanded remote access, and third-party integrations have widened the attack surface, making OT networks susceptible to threat actors. The guidance outlines principles to reduce exposure, secure connectivity, harden OT boundaries, and more.

Analyst note: Threat actors are likely to continue targeting exposed and insecure OT connectivity. Operators that reduce externally reachable OT services, enforce the guidance's connectivity and boundary-hardening principles, and tighten remote and third-party access are likely to raise the cost of reaching critical infrastructure systems and data, though legacy equipment that cannot be patched will remain a soft target until it is isolated.

Illegal Service Provider Enabling Fraud Disrupted

Source: https://www.securityweek.com/redvds-cybercrime-service-disrupted-by-microsoft-and-law-enforcement/

What we know: Microsoft, working with law enforcement, has disrupted RedVDS, a cybercrime hosting service used to support phishing, business email compromise (BEC), and fraud operations. The operation seized RedVDS domains and servers and dismantled the payment networks tied to the service.

Context: The threat group that operated and developed RedVDS, tracked as Storm-2470, was reportedly responsible for at least USD 40 million in fraud-related losses. Since September 2025, RedVDS-enabled activity has resulted in the compromise of, or fraudulent access to, more than 191,000 email accounts across more than 130,000 organizations globally.

Analyst note: Threat actors are likely to reuse stolen credentials, phishing kits, and mailing lists from prior RedVDS campaigns to sustain BEC and fraud operations while testing new services or developing in-house hosting capabilities to reduce future disruption risk.

Geopolitical Focus: Iran Unrest, Greenland’s Future, Fighting in Syria, and More

  • U.S. President Donald Trump has said he has been assured that Iranian executions over the ongoing unrest have been halted. ZeroFox assesses that the U.S. Department of War is unlikely to conduct sophisticated military operations against Iran. The United States is more likely to use diplomacy, increased global pressure, and low-level strikes to influence Iranian behavior.
  • The Syrian military is opening a “humanitarian corridor” on January 15, 2026, to allow civilians to evacuate an area in Aleppo province. The area is reportedly witnessing a military buildup following clashes between government and Kurdish-led forces.
  • At least 32 people have been confirmed dead and 66 others injured after a construction crane fell onto a moving train in northeastern Thailand, derailing it. The train was carrying 171 passengers; several carriages were crushed and one caught fire.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user CamelliaBtw: Threat actor “CamelliaBtw” has claimed to have gained access to the production systems of the Russian messaging platform Max, exposing user data, backend infrastructure, and source code. CamelliaBtw claims the user data of politicians and other government leaders who use the platform has also been obtained, including their bcrypt-hashed passwords. They have threatened to publicly release the first 5 GB of raw SQL database files if a ransom, described as a “bug bounty,” is not negotiated within 24 hours. The technical details provided by CamelliaBtw suggest the claim is likely legitimate. Bcrypt hashing slows offline cracking but does not prevent it: weak or reused passwords remain recoverable, so affected accounts should be treated as exposed. State adversaries of Russia are likely to be interested in the data breach.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Chrome security patches: Google has rolled out Chrome 144 with 10 security fixes, including fixes for three high-severity vulnerabilities. The high-severity flaws are an out-of-bounds memory access issue (CVE-2026-0899), an inappropriate implementation weakness (CVE-2026-0900), and an inappropriate implementation flaw in Blink (CVE-2026-0901). Unpatched browsers are likely to be targeted for credential theft, remote code execution (RCE), and malware delivery, among other attacks.

Affected products: Chrome versions before 144.0.7559.59 (Linux) and before 144.0.7559.59/60 (Windows/Mac)
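The following is an added example, not code from the brief or from Google, showing how a fleet check against the fixed builds above could be written. The minimum patched build per platform is taken from the "Affected products" line (144.0.7559.59 on all three platforms, since the Windows/Mac fix shipped as .59 and .60). The inventory lines, host names, and the three-column `host,platform,version` layout are constructed sample data and are assumptions of the example, not a real inventory format.

```python
"""Flag hosts whose Chrome build predates the Chrome 144 security fixes.

Added example for the ZeroFox brief; not the brief's or Google's code.
The fixed builds come from the brief's "Affected products" line; the
inventory format and sample rows below are constructed for illustration.
"""

from typing import List, Tuple

# Minimum patched build per platform (from the brief). Windows/Mac shipped
# both .59 and .60 as fixed builds, so .59 is the floor on every platform.
FIXED_BUILDS = {
    "linux": (144, 0, 7559, 59),
    "windows": (144, 0, 7559, 59),
    "mac": (144, 0, 7559, 59),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a comparable integer tuple.

    Chrome always reports four numeric components; anything else is
    rejected so a malformed value fails closed instead of being treated
    as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed build is older than the fixed build."""
    key = platform.strip().lower()
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fixed build known for platform {platform!r}")
    # Tuple comparison is lexicographic, so 143.x < 144.0.7558.x < 144.0.7559.59.
    return parse_version(version) < FIXED_BUILDS[key]


def find_vulnerable(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, platform, version) for every unpatched row.

    Assumed inventory format (constructed for this example): one
    'host,platform,version' record per line.
    """
    hits = []
    for line in inventory.strip().splitlines():
        host, platform, version = [f.strip() for f in line.split(",")]
        if is_vulnerable(platform, version):
            hits.append((host, platform, version))
    return hits


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_INVENTORY = """\
ws-001,Windows,143.0.7499.192
ws-002,Windows,144.0.7559.60
lx-010,Linux,144.0.7559.59
mac-03,Mac,144.0.7558.2
"""

if __name__ == "__main__":
    for host, platform, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}\t{platform}\t{version}\tNEEDS UPDATE")
```

Run against the sample rows, the check flags ws-001 (still on 143) and mac-03 (a 144 build below .7559.59) and passes the two hosts already on a fixed build. Because `parse_version` rejects anything that is not four numeric components, an unknown or truncated version string raises rather than quietly counting as patched, which is the failure mode a patch-compliance report should avoid.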

Tags: DIB, TLP:GREEN