
ZeroFox Daily Intelligence Brief - January 20, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • UK Cyber Agency Warns of Ongoing Attacks by Pro-Russian Hacktivist Groups
  • New PDFSIDER Malware Leveraged Against Fortune 100 Company
  • New SolyxImmortal Infostealer Exploits Legitimate APIs to Evade Detection

UK Cyber Agency Warns of Ongoing Attacks by Pro-Russian Hacktivist Groups

Source: https://www.ncsc.gov.uk/news/ncsc-issues-warning-over-hacktivist-groups-disrupting-uk-organisations-online-services

What we know: The UK cyber agency has issued a warning to organizations and critical infrastructure operators of ongoing disruption attempts by pro-Russian hacktivist groups. A previous alert linked to the warning also specifically mentions hacktivist group NoName057(16).

Context: The alert warns that although denial of service (DoS) attacks are not technically advanced, they can still disrupt entire systems and essential online services if successful. These attacks also drain time and money as organizations work to analyze, defend against, and recover from them.

Analyst note: Hacktivist groups are very likely to increase the frequency of their attacks around key events in the Ukraine-Russia war, such as negotiations or defense deals. Hacktivist groups are also likely to make exaggerated and false claims of attacks as part of psychological operations intended to sow chaos.

New PDFSIDER Malware Leveraged Against Fortune 100 Company

Source: https://hackread.com/hackers-exploit-pdf24-app-pdfsider-backdoor/

What we know: A new malware strain, PDFSIDER, has reportedly been observed in attacks targeting a Fortune 100 financial company. The strain is reportedly in active use by multiple ransomware groups, including Qilin, to deploy malicious payloads.

Context: PDFSIDER is a backdoor delivered via spearphishing emails, with threat actors using phishing and fake technical support lures to trick victims into downloading it.

Analyst note: Threat actors are likely to leverage AI-generated phishing content and deepfake IT-support lures to scale PDFSIDER campaigns. The malware strain is most likely to be used by ransomware-as-a-service (RaaS) affiliates, initial access brokers, and financially motivated cybercriminal groups.

New SolyxImmortal Infostealer Exploits Legitimate APIs to Evade Detection

Source: https://www.securityweek.com/solyximmortal-information-stealer-emerges/

What we know: Researchers have discovered a new infostealer malware strain, “SolyxImmortal,” that abuses legitimate APIs and third-party libraries to harvest and exfiltrate sensitive user data.

Context: SolyxImmortal is a Python-based infostealer that targets browser-stored credentials, documents, keystrokes, and screenshots. Its operators receive real-time alerts and screenshots of high-value user actions through Discord webhooks, so the exfiltration traffic rides on Discord’s legitimate HTTP infrastructure and blends in with normal traffic to evade detection.

Analyst note: Threat actors are likely to incorporate other well-known platforms into their command-and-control infrastructure in infostealer campaigns, using them to monitor victims in real time and ultimately to exfiltrate credentials. The stolen data is then likely to be abused for account takeovers, financial theft, identity misuse, and further social-engineering attacks that leverage trusted platforms.
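A defender-side triage check for the webhook-based exfiltration pattern described above, added here as example code that is not part of the brief or of any cited source. The proxy-log format, process names and sample lines are constructed assumptions; the Discord webhook URL shape (`/api/webhooks/<id>/<token>`) is the documented one.

```python
import re
from typing import Iterable, Optional

# Constructed proxy-log format assumed for this example:
# <timestamp> <src_ip> <process_name> <method> <url> "<user_agent>" <bytes_out>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)" (?P<bytes>\d+)$'
)
# Discord webhooks: https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com is the legacy host; some clients insert an API version segment).
WEBHOOK_URL = re.compile(
    r'^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/\S+$'
)
# Script hosts and interpreters: a webhook POST from one of these is far more
# suspicious than one from a build server or chat client expected to use webhooks.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "python3", "powershell.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a webhook POST, or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "POST" or not WEBHOOK_URL.match(m["url"]):
        return None
    proc, ua = m["proc"].lower(), m["ua"].lower()
    reasons = []
    if proc in SCRIPT_HOSTS:
        reasons.append(f"webhook POST from script host {proc}")
    if ua.startswith(("python-requests", "python-urllib", "curl/", "powershell")):
        reasons.append(f"library/CLI user agent '{m['ua']}'")
    if int(m["bytes"]) >= 100_000:  # screenshots/documents, not a chat notification
        reasons.append(f"large upload ({m['bytes']} bytes)")
    return {"ts": m["ts"], "src": m["src"], "proc": m["proc"],
            "severity": "high" if reasons else "review",
            "reasons": reasons or ["webhook POST; confirm the process is an approved integration"]}


def triage(lines: Iterable[str]) -> list:
    return [a for a in (classify(l) for l in lines) if a]


# Constructed sample traffic: a benign browser request, a CI notification,
# and two events shaped like an infostealer posting harvested data to a webhook.
SAMPLE_LOG = [
    '2026-01-20T09:14:02Z 10.1.4.22 chrome.exe GET https://discord.com/channels/@me "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" 0',
    '2026-01-20T09:15:10Z 10.1.9.5 java.exe POST https://discord.com/api/webhooks/111111111111111111/abcDEF-token "Jenkins/2.4" 512',
    '2026-01-20T09:16:33Z 10.1.4.22 pythonw.exe POST https://discord.com/api/webhooks/222222222222222222/xyz-token "python-requests/2.31.0" 248113',
    '2026-01-20T09:16:35Z 10.1.4.22 pythonw.exe POST https://discordapp.com/api/webhooks/222222222222222222/xyz-token "python-requests/2.31.0" 1840',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["src"], alert["proc"], "; ".join(alert["reasons"]))
```

The "review" tier exists so that legitimate integrations (CI bots, monitoring) can be allow-listed by process and source rather than silently ignored.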

DEEP AND DARK WEB INTELLIGENCE

Handala Hack Team claims exposure of Israeli spy network: Pro-Iranian hacktivist group Handala Hack Team claims to have exposed an alleged Israeli intelligence operative for allegedly supporting anti-Iranian regime activity. The group claims to have hacked the target’s phone and to have uncovered the real identities of their associates. The claim is likely a psychological manipulation tactic intended to create panic within the Israeli intelligence community, as the information allegedly obtained from the target’s phone has failed to impact the ongoing unrest.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-0629: CVE-2026-0629 is an authentication bypass flaw affecting more than 32 TP-Link VIGI surveillance camera models that can enable attackers to reset admin passwords and gain full control of the device. The vulnerability has reportedly exposed thousands of internet-facing cameras, giving attackers access to live video feeds and device functions. Compromised VIGI surveillance cameras are likely to be enrolled in a botnet, gathering sensitive visuals and becoming part of a network of unauthorized surveillance.

Affected products: The affected products are listed in this advisory.

Tags: DIB, tlp:green