ZeroFox Daily Intelligence Brief - January 23, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Emerging Osiris Ransomware Leveraging POORTRY Driver to Bypass Security Controls
  • Stolen Data of 12 U.S. Organizations Recovered from INC Ransomware
  • New Phishing Campaign Misuses Popular Online Job Platform

Emerging Osiris Ransomware Leveraging POORTRY Driver to Bypass Security Controls

Source: https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html

What we know: Researchers have disclosed a new ransomware family, Osiris, observed in a late 2025 attack targeting a major food service franchisee in Southeast Asia. The intrusion reportedly used a bespoke bring-your-own-vulnerable-driver (BYOVD) technique, loading a malicious driver known as POORTRY to disable security controls.

Context: Osiris is reportedly a previously undocumented ransomware strain and not a rebrand of earlier Osiris/Locky variants. Researchers identified indicators suggesting that the threat actors behind Osiris may have prior associations with another major ransomware group, INC.

Analyst note: The threat actors behind the Osiris ransomware strain are likely to operationalize it at scale in the near term under a ransomware-as-a-service (RaaS) model, enabling attacks in other regions and industries.

Stolen Data of 12 U.S. Organizations Recovered from INC Ransomware

Source: https://www.bleepingcomputer.com/news/security/inc-ransomware-opsec-fail-allowed-data-recovery-for-12-us-orgs/

What we know: Researchers have reportedly recovered data stolen by the INC ransomware group, belonging to a dozen U.S. organizations, following an operational security failure by the group. The data was recovered from a backup that the group reportedly maintained using Rustic, a legitimate encrypted-backup tool.

Context: The stolen data was recovered and decrypted after a PowerShell script, “new[.]ps1”, was discovered. It contained Rustic commands and hardcoded environment variables, such as access keys, S3 passwords for encrypted repositories, and repository paths.

Analyst note: Infrastructure analysis very likely indicates that other threat actors also use legitimate tools, including commercial cloud storage providers, in their cybercrime operations. This incident shows that stolen data is likely to be retained as a backup by threat actors even after a ransom event.
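The recovery described above hinged on a staging script that combined Rustic invocations with hardcoded credentials. The following triage helper is an added example (not ZeroFox's code, nor from the article it cites) that scans a PowerShell script for those two artifacts: backup-tool invocations and environment-variable assignments whose names suggest secrets or repository locations. The sample script, the variable names and the key values in it are constructed placeholders; the Rustic command-line options shown are assumed for illustration.

```python
"""Triage helper for PowerShell scripts that stage exfiltrated data with a
backup tool. Added example, not code from the brief or the cited article.

Sample input is constructed; values are placeholders, not real credentials.
"""
import re

# $env:NAME = "value" where NAME looks like a credential. The keyword list is
# illustrative (assumption), not exhaustive.
SECRET_ENV_PATTERN = re.compile(
    r'\$env:(?P<name>[A-Z0-9_]*(?:KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)'
    r'\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)

# Repository locations are worth keeping unredacted: they point at the
# infrastructure that made the recovery in the brief possible.
REPO_ENV_PATTERN = re.compile(
    r'\$env:(?P<name>[A-Z0-9_]*REPOSITORY[A-Z0-9_]*)\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)

# A line that invokes rustic / rustic.exe (optionally via "&" or a path)
# followed by its arguments. Whitespace after the binary is required so that
# variable names such as RUSTIC_PASSWORD are not mistaken for invocations.
RUSTIC_PATTERN = re.compile(
    r'(?im)^\s*(?:&\s*)?\S*rustic(?:\.exe)?\s+(?P<args>\S.*)$'
)


def redact(value: str) -> str:
    """Keep only a short prefix so a ticket never carries the full secret."""
    return value[:4] + "***"


def scan_script(text: str) -> dict:
    """Return the staging indicators found in one PowerShell script."""
    findings = {"rustic_commands": [], "hardcoded_secrets": [], "repositories": []}
    for m in RUSTIC_PATTERN.finditer(text):
        findings["rustic_commands"].append(m.group("args").strip())
    for m in SECRET_ENV_PATTERN.finditer(text):
        findings["hardcoded_secrets"].append((m.group("name"), redact(m.group("value"))))
    for m in REPO_ENV_PATTERN.finditer(text):
        findings["repositories"].append((m.group("name"), m.group("value")))
    return findings


def looks_like_staging_script(findings: dict) -> bool:
    """Backup-tool use plus hardcoded credentials is the combination the brief describes."""
    return bool(findings["rustic_commands"]) and bool(findings["hardcoded_secrets"])


# Constructed sample modelled on the script described in the brief.
# Variable names and option flags are assumptions; values are placeholders.
SAMPLE_SCRIPT = r'''
# constructed sample staging script
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
$env:AWS_SECRET_ACCESS_KEY = "placeholder-secret-not-a-real-key"
$env:RUSTIC_PASSWORD = "placeholder-repo-password"
$env:RUSTIC_REPOSITORY = "opendal:s3"
$env:LOG_LEVEL = "info"
.\rustic.exe backup C:\staging\victim-a --tag victim-a
& rustic.exe forget --keep-last 3
Write-Host "done"
'''

if __name__ == "__main__":
    result = scan_script(SAMPLE_SCRIPT)
    print("staging script:", looks_like_staging_script(result))
    for key, items in result.items():
        print(key, items)
```

Run it over any recovered `.ps1` by passing the file contents to `scan_script`; secrets are redacted in the output so the findings can be shared with a takedown or law-enforcement contact without re-exposing the keys.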

New Phishing Campaign Misuses Popular Online Job Platform

Source: https://hackread.com/hackers-linkedin-dms-pdf-tools-trojan/

What we know: Researchers have identified a new phishing campaign that uses popular online job platforms to target high-value professionals and trick them into downloading a Remote Access Trojan (RAT) capable of stealing data and monitoring the victims’ screens.

Context: Threat actors are reportedly targeting high-value professionals via direct messages on online job platforms, using file names such as “Project_Execution_Plan[.]exe” or “Upcoming_Products[.]pdf” to appear legitimate.

Analyst note: Threat actors are likely to further leverage similar online job portals to target high-value individuals directly. They are also likely to use more elaborate social engineering techniques, including fake job offers and referrals, to deliver malicious payloads.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Z-Pentest Alliance: A pro-Russian hacktivist group named “Z-Pentest Alliance” has claimed to have accessed the control system of a small hydroelectric power plant, “MVE PODĚBRADY,” in the Czech Republic. The threat actor also claims to have accessed SCADA systems associated with a Czech-based water treatment plant that controls water quality and treatment operations. If the claims are true, the threat actor is likely to disrupt operations of this critical infrastructure, leading to power outages and compromised drinking water and wastewater treatment.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-24061: This flaw in GNU InetUtils telnetd, which reportedly went unnoticed for 11 years, enables remote attackers to bypass authentication and log in as root by abusing an unsanitized USER environment variable. Threat actors are likely to target unpatched devices to gain immediate privileged access for malware deployment, lateral movement, and persistent footholds in compromised networks.

Affected products: GNU InetUtils versions 1.9.3 through 2.7, inclusive
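A first triage step for this item is to check an asset inventory against the affected range. The script below is an added example (not ZeroFox's or GNU's code) that parses dotted version strings into integer tuples, so that a version such as 2.10 is correctly treated as newer than 2.7, strips distribution suffixes, and separates vulnerable hosts that actually expose telnetd from those where the service is disabled. The inventory and its version strings are constructed sample data; only the 1.9.3 to 2.7 range comes from the brief.

```python
"""Flag hosts whose GNU InetUtils falls in the range the brief lists for
CVE-2026-24061 (1.9.3 through 2.7 inclusive). Added example; the inventory
below is constructed, not real asset data."""

AFFECTED_MIN = (1, 9, 3)  # from the brief
AFFECTED_MAX = (2, 7)     # from the brief


def parse_version(v: str) -> tuple:
    """Turn '2.7' or '1.9.3' into an integer tuple.

    String comparison would rank '2.10' below '2.7'; tuples do not.
    Distribution suffixes such as '2.5-3+deb' are dropped and only the
    upstream part is compared (assumption: the brief lists upstream versions).
    """
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range.

    The upper bound compares only as many components as the brief gives
    (major.minor), so a hypothetical 2.7.x build is still flagged for manual
    review rather than silently treated as fixed."""
    v = parse_version(version)
    return v >= AFFECTED_MIN and v[:len(AFFECTED_MAX)] <= AFFECTED_MAX


def triage(inventory):
    """inventory: iterable of (host, inetutils_version, telnetd_enabled).

    Returns (exposed, dormant): vulnerable hosts with telnetd running, which
    need immediate attention, and vulnerable hosts with the service off,
    which still need patching before anyone re-enables it."""
    exposed, dormant = [], []
    for host, version, enabled in inventory:
        if not is_affected(version):
            continue
        (exposed if enabled else dormant).append(host)
    return exposed, dormant


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("gw-01", "1.9.4", True),
    ("gw-02", "2.7", True),
    ("gw-03", "2.8", True),
    ("lab-01", "1.9.2", True),
    ("lab-02", "2.5-3+deb", False),
    ("lab-03", "2.10", True),
]

if __name__ == "__main__":
    exposed, dormant = triage(SAMPLE_INVENTORY)
    print("vulnerable and exposing telnetd:", exposed)
    print("vulnerable but telnetd disabled:", dormant)
```

The split between exposed and dormant hosts is what drives prioritisation: hosts in the first list are the ones on which the root login bypass is reachable today, while the second list is a patching backlog. Telnet is cleartext by design, so where a host appears in the first list the longer-term fix is to retire the service rather than only upgrade it.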

Tags: DIB, TLP:GREEN