ZeroFox Daily Intelligence Brief - January 26, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- 149 Million Stolen Credentials Exposed in Unsecured Database
- Russia-Linked Sandworm Targets Poland’s Power Infrastructure with Data Wiper Malware
- North Korean Threat Group Konni Targeting Blockchain Engineers and Developers
149 Million Stolen Credentials Exposed in Unsecured Database
Source: https://hackread.com/logins-roblox-tiktok-netflix-crypto-wallets-found/
What we know: A 96-GB unsecured database, containing over 149 million stolen usernames and passwords, was discovered publicly exposed online, accessible without any authentication for weeks.
Context: Researchers suspect that the data was harvested via highly organized infostealer malware. The dataset included credentials for email services, financial and crypto platforms, and government domains across multiple countries. It also exposed logins for platforms including TikTok, Roblox, Facebook, and Instagram, as well as dating apps.
Analyst note: During the time the database remained unsecured, threat actors likely gained sufficient access to leverage the exposed credentials to profile compromised users and enable multiple downstream cybercrime activities. In the near future, dark web forums are likely to see an increase in initial access brokers advertising credentials to crypto and other financial platforms, enabling financial theft.
Russia-Linked Sandworm Targets Poland’s Power Infrastructure with Data Wiper Malware
What we know: A late-2025 cyberattack targeting Poland’s power infrastructure has been linked to the Russian state-linked threat group Sandworm, which attempted to deploy a data wiper called DynoWiper. Polish officials confirmed that the attack targeted power plants and renewable energy management systems but did not cause disruption.
Context: Sandworm is reportedly a threat group linked to Russia’s Main Intelligence Directorate (GRU) and active since 2009. Nearly a decade earlier, Sandworm carried out a data-wiping attack on Ukraine’s energy grid that caused power outages for roughly 230,000 people.
Analyst note: As the Russia-Ukraine war continues, Poland, a weapons supplier to Ukraine, is likely to increasingly become a target for pro-Russia hacktivists and state-backed groups like Sandworm.
North Korean Threat Group Konni Targeting Blockchain Engineers and Developers
What we know: The North Korean threat group Konni is reportedly using AI-generated malware to target engineers and developers in the Asia-Pacific region’s blockchain sector. The group is also suspected to be linked to the North Korean state-sponsored threat groups APT37 and Kimsuky.
Context: The attack reportedly begins with a blockchain-themed phishing campaign containing a Discord-hosted link that delivers a PDF lure and a malicious LNK shortcut file.
Analyst note: The blockchain-themed phishing campaign very likely indicates that the threat group is specifically targeting engineers and software developers with access to blockchain technology, rather than end users. This likely indicates that the group intends a major cryptocurrency heist using access to blockchain infrastructure and API credentials.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user iProfessor: A threat actor named "iProfessor" has advertised a dataset associated with the U.S. telemedicine service provider Call-On-Doc. The threat actor claims to have sourced more than 1 million records directly from the internal systems of Call-On-Doc, which allegedly include personally identifiable information (PII) of patients along with their health data. The data also reportedly includes records in the “STD” (sexually transmitted disease) category. If the data is legitimate, exposed individuals are likely to be targets of blackmail, extortion, phishing, and social engineering campaigns.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-31125: CISA has flagged this improper access control vulnerability in the frontend tooling framework Vite as being actively exploited. The flaw exposes files outside the allowed list when the development server is explicitly exposed to the network. Successful exploitation is likely to lead to unauthorized access to sensitive files, source code, and credentials.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green