ZeroFox Daily Intelligence Brief - January 16, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Assessment - Q4 2025 Ransomware Wrap-up
- Heightened Cyber Risks for 2026 Winter Olympics
- Chinese Spies Target U.S. Government Entities in Maduro-Themed Phishing Campaign
ZeroFox Intelligence Assessment - Q4 2025 Ransomware Wrap-up
Source: https://www.zerofox.com/advisories/37854/
What we know: ZeroFox has observed at least 2,091 separate ransomware and digital extortion (R&DE) incidents in Q4 2025, an increase of approximately 46 percent from Q3 and nearly 7 percent more than the record-breaking 1,961 incidents observed in Q1 2025.
Context: North America-based organizations were the most targeted by a substantial margin, accounting for approximately 59 percent of all incidents. ZeroFox observed that the five most active R&DE collectives in Q4 2025 were almost certainly Qilin, Akira, Sinobi, Cl0p, and LockBit.
Analyst note: The trend very likely indicates that ransomware threat actors have not been discouraged by past law enforcement action. Integration of artificial intelligence (AI) is also likely to contribute to the rising rate of ransomware attacks, with threat actors using AI to scan for vulnerable devices.
Heightened Cyber Risks for 2026 Winter Olympics
Source: https://www.darkreading.com/remote-workforce/winter-olympics-podium-cyberattackers
What we know: Researchers are warning that the upcoming Milano Cortina 2026 Winter Games are likely to face heightened cyber threats, ranging from ransomware and distributed denial of service (DDoS) attacks to espionage and hacktivism.
Context: Financially motivated cybercriminals, nation-state actors, and hacktivists are reportedly expected to target the event’s games-related infrastructure, attendees, and partners due to the event’s scale, visibility, and global presence.
Analyst note: A broad range of victims, such as organizers and vendors, critical infrastructure providers, and high-profile attendees, are likely to be targeted during the event. Fraudsters are likely to target attendees with ticketing and phishing scams. Hacktivists are likely to exploit the event’s global visibility by launching DDoS attacks against the event’s systems and defacing official websites to amplify their political messages.
Chinese Spies Target U.S. Government Entities in Maduro-Themed Phishing Campaign
Source: https://www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
What we know: The China-linked Advanced Persistent Threat (APT) group known as Mustang Panda is reportedly carrying out a phishing campaign targeting U.S. government agencies and policy-related organizations, using Nicolás Maduro’s capture as a lure.
Context: Researchers uncovered the campaign after coming across a malicious zip file, named “US now deciding what's next for Venezuela,” uploaded to the malware detection website VirusTotal. The file reportedly contained a backdoor malware strain called “Lotuslite”.
Analyst note: Mustang Panda has conducted targeted espionage against U.S. policymakers, likely to secure a geopolitical advantage for China. The threat group is very likely to use the stolen information to influence public opinion and reshape state policy.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user HawkSec: Threat actor "HawkSec" has advertised a dataset allegedly associated with instant messaging platform Discord on dark web forum BreachForums. Reportedly, the dataset contains approximately 78.5 million files, including message content, voice session artifacts, user activity records, and server-related information. The description of the dataset differs from the October 2025 breach stemming from a third-party vendor. The dataset is likely to be derived from scraped and publicly available content on Discord, rather than exposure of private information, given the threat actor’s reputation remains untested.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-0227: This vulnerability, affecting GlobalProtect gateways and portals, enables threat actors to carry out denial of service (DoS). The flaw enables unauthenticated attackers to repeatedly crash firewalls into maintenance mode. A proof-of-concept (PoC) exploit is publicly available. Threat actors are likely to weaponize the PoC to repeatedly knock GlobalProtect gateways offline, causing service outages, remote access disruption, and operational downtime.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green