ZeroFox Daily Intelligence Brief - January 19, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Researchers Hijack MaaS StealC Admin Panel to Observe Operations
- Alleged Black Basta Ransomware Leader Added to INTERPOL’s and EU’s Wanted Lists
- ZeroFox Intelligence Flash Report - U.S. Directive to Withdraw from Global Cybersecurity Organizations
Researchers Hijack MaaS StealC Admin Panel to Observe Operations
What we know: Researchers have discovered a flaw in the admin panel of the StealC malware-as-a-service (MaaS) platform that enabled them to observe active operator sessions, steal cookies, and hijack control of the platform's dashboard.
Context: By exploiting the bug, researchers gathered hardware, location, and operational intelligence on StealC operators. Researchers also found that most StealC infections occurred when victims searched for cracked versions of Adobe Photoshop and Adobe After Effects.
Analyst note: After this discovery, threat actors are likely to patch the compromised StealC panel, rotate infrastructure and credentials, or migrate to alternative MaaS platforms. The compromised platform is also likely to be turned into a controlled honeypot in the future, with the exposed operational intelligence used to identify, monitor, and trap StealC operators and affiliates.
Alleged Black Basta Ransomware Leader Added to INTERPOL’s and EU’s Wanted Lists
Source: https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html
What we know: Russia-linked ransomware-as-a-service (RaaS) group Black Basta’s alleged leader has been added to INTERPOL’s Red Notice and European Union’s (EU) Most Wanted lists. German and Ukrainian authorities have also identified two other suspected affiliates of the group.
Context: Authorities carried out raids at the residences of the two suspects and seized digital storage devices and cryptocurrency assets. The perpetrators reportedly worked as initial access providers, which enabled other group members to breach corporate networks and deploy ransomware.
Analyst note: The seized assets are likely to help authorities disrupt the internet infrastructure being used by the ransomware operators. It is also likely to help authorities obtain a decryption key for Black Basta ransomware, which can later be used by affected organizations.
ZeroFox Intelligence Flash Report - U.S. Directive to Withdraw from Global Cybersecurity Organizations
Source: https://www.zerofox.com/advisories/37884/
What we know: The United States has signed a Presidential Memorandum withdrawing from 66 international organizations, including several global cybersecurity entities.
Context: This memorandum aligns with the Trump administration’s broader and ongoing review of U.S. participation in all international intergovernmental organizations, conventions, and treaties.
Analyst note: There is a roughly even chance that reduced U.S. participation in international cybersecurity and digital policy efforts will affect information-sharing and coordination with allied nations and government-aligned tech giants, as well as the alignment of U.S. law and policy with evolving multinational cybersecurity frameworks. Additional similar withdrawals are likely within the year, as the administration continues its reviews of international entities that are not in the American interest.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user worldweknew7: A threat actor named "worldweknew7" has claimed on BreachForums to have unauthorized access to specific email accounts associated with Italian and Greek police forces. If the leaked credentials are active, they can likely be used to bypass security controls and gain access to centrally controlled portals for deploying supply chain attacks. They can also be used to trick major companies into revealing private information under the guise of an official investigation.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-36911: This is an improper implementation vulnerability in the Google Fast Pair feature of Bluetooth audio devices, which causes devices to fail to check whether they are in pairing mode. It is the result of a logic error in the key-based pairing code. The flaw can enable attacks dubbed "WhisperPair," which force connections to attacker-controlled devices. Threat actors are likely to be able to surveil their victims and eavesdrop on conversations.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green