ZeroFox Daily Intelligence Brief - January 27, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ShinyHunters Targeting Nearly 100 Organizations in SSO Credential Stealing Campaign
- New Malware Stanley Helps Create Malicious Browser Extensions
- Geopolitical Focus: Adverse Weather Conditions, Casualties, and More
ShinyHunters Targeting Nearly 100 Organizations in SSO Credential Stealing Campaign
Source: https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
What we know: Threat group ShinyHunters is reportedly targeting at least a hundred organizations in its ongoing single sign-on (SSO) credential stealing campaign. Canva and Epic Games are among the organizations allegedly targeted.
Context: Though the organizations are being targeted, there is no evidence of a breach. Separately, a leak site associated with the threat collective “Scattered Lapsus$ Hunters” has been renamed to “ShinyHunters”. The renamed leak site lists three new organizations as victims, including Crunchbase, which has confirmed a data breach.
Analyst note: The ongoing targeting of organizations suggests ShinyHunters is very likely attempting to breach cloud environments to steal sensitive data. ShinyHunters has also reportedly approached some victim entities with ransom demands.
New Malware Stanley Helps Create Malicious Browser Extensions
What we know: Newly discovered malware-as-a-service (MaaS) “Stanley,” sold on Russian-language dark web forums, reportedly enables attackers to publish malicious browser extensions to the official web store while bypassing the review process.
Context: The malicious browser extensions can reportedly cover an entire webpage with an iframe carrying the attacker’s phishing message. The extensions then enable credential theft and other attacks on the victim system. The MaaS is priced between USD 2,000 and USD 6,000.
Analyst note: The MaaS is likely to reduce the technical expertise required to flood browser web stores with malicious extensions, enabling less advanced threat actors to carry out phishing attacks and credential theft. Credential theft is likely to lead to financial loss for the victims.
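The full-page iframe overlay described above leaves a measurable footprint in the DOM: a cross-origin frame, positioned fixed or absolute, covering nearly the whole viewport. The following is an added example, not code from the ZeroFox brief or from the Stanley malware, showing a defensive heuristic that flags such overlays. The detection logic is pure so it runs under Node on constructed frame descriptors; the small DOM adapter (`collectIframes`) is an assumption about how one would feed it from a real page or content script. All hostnames in the sample data are constructed.

```javascript
// Added example (not from the brief): heuristic detection of a full-page
// cross-origin iframe overlay of the kind the Stanley-built extensions
// reportedly inject. Pure logic so it runs under Node; DOM adapter optional.

// Fraction of the viewport a frame must cover to count as a "full page" overlay.
const COVERAGE_THRESHOLD = 0.9;

// Origin (scheme://host[:port]) of a URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Fraction of the viewport covered by `rect`, clipped to the viewport bounds.
function viewportCoverage(rect, viewport) {
  const left = Math.max(rect.left, 0);
  const top = Math.max(rect.top, 0);
  const right = Math.min(rect.left + rect.width, viewport.width);
  const bottom = Math.min(rect.top + rect.height, viewport.height);
  if (right <= left || bottom <= top) return 0;
  return ((right - left) * (bottom - top)) / (viewport.width * viewport.height);
}

// frames: [{ src, rect: {top,left,width,height}, position, zIndex }]
// Returns descriptors that look like a phishing overlay: an iframe taken out
// of normal flow (fixed/absolute), loading cross-origin content, and covering
// most of the viewport. Same-origin frames and small widgets are ignored.
function findOverlayIframes(frames, viewport, pageOrigin) {
  const hits = [];
  for (const f of frames) {
    const frameOrigin = originOf(f.src);
    const crossOrigin = frameOrigin !== null && frameOrigin !== pageOrigin;
    const coverage = viewportCoverage(f.rect, viewport);
    const overlaid = f.position === 'fixed' || f.position === 'absolute';
    if (crossOrigin && overlaid && coverage >= COVERAGE_THRESHOLD) {
      hits.push({ src: f.src, coverage: Number(coverage.toFixed(2)), zIndex: f.zIndex });
    }
  }
  return hits;
}

// Assumed DOM adapter for use inside a browser page or content script;
// not exercised under Node.
function collectIframes(doc, win) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    return {
      src: el.src,
      rect: { top: r.top, left: r.left, width: r.width, height: r.height },
      position: cs.position,
      zIndex: parseInt(cs.zIndex, 10) || 0,
    };
  });
}

// Constructed sample: a legitimate corner chat widget, a same-origin content
// frame, and a cross-origin frame pinned over the entire viewport.
const SAMPLE_VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_PAGE_ORIGIN = 'https://bank.example';
const SAMPLE_FRAMES = [
  { src: 'https://chat-widget.example/embed', rect: { top: 600, left: 980, width: 280, height: 180 }, position: 'fixed', zIndex: 10 },
  { src: 'https://bank.example/statements', rect: { top: 120, left: 0, width: 1280, height: 680 }, position: 'static', zIndex: 0 },
  { src: 'https://account-verify.example/signin', rect: { top: 0, left: 0, width: 1280, height: 800 }, position: 'fixed', zIndex: 2147483647 },
];

function runSample() {
  return findOverlayIframes(SAMPLE_FRAMES, SAMPLE_VIEWPORT, SAMPLE_PAGE_ORIGIN);
}

if (typeof document !== 'undefined') {
  console.log(findOverlayIframes(collectIframes(document, window),
    { width: window.innerWidth, height: window.innerHeight }, window.location.origin));
} else {
  console.log(runSample()); // flags only the account-verify.example frame
}
```

The threshold and the cross-origin requirement are the two knobs worth tuning: legitimate consent banners and modal dialogs are often fixed and large but same-origin, while embedded third-party widgets are cross-origin but small. A hit from this check is a signal for triage (which extension injected the frame, what the frame's origin is), not proof of compromise on its own.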
Geopolitical Focus: Adverse Weather Conditions, Casualties, and More
- The United States is in the midst of a massive winter storm, placing over 200 million people under weather alerts and leaving at least 21 dead. The storm has caused widespread power outages and dangerous travel conditions as snow, ice, and freezing rain continue. Thousands of flights have been canceled or delayed.
- On January 24, 2026, the District of Columbia charged two individuals with running a years-long bribery scheme to rig military and NATO construction contracts. The individuals allegedly paid bribes in exchange for falsified performance reviews, inside bid information, and preferential oversight that steered contracts to their companies.
- U.S. and Italian authorities are intensifying security planning for the Winter Olympics amid growing concerns over drone threats, ranging from illicit filming to possible explosive attacks. The focus is on monitoring hard-to-secure outdoor mountain venues, maintaining tighter airspace controls, and deploying counter-drone systems.
- On January 25, 2026, seven people were killed and one person seriously injured after a private Bombardier Challenger 600 jet crashed during takeoff at Bangor International Airport, Maine. Investigations continue, with prevailing snowy weather and low visibility conditions.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user zer0sintt: Threat actor “zer0sintt” has advertised source code linked to Saudi Arabia’s General Authority for Military Industries. The actor claims that this advertisement on BreachForums is a repost following their ban on another platform, Mega, due to copyright issues. The actor attempts to use this incident as supposed proof of the legitimacy of their claims. It is likely that the actor being banned for copyright issues indicates that their data is recycled, was posted by another threat actor, or is advertised falsely.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-21509: CVE-2026-21509 is a security feature bypass flaw that allows attackers to use malicious Office files to circumvent OLE protections via user interaction. Microsoft has issued emergency out-of-band updates to fix this actively exploited zero-day flaw in Microsoft Office. Attackers are likely to continue using malicious Office documents to bypass OLE security controls on vulnerable systems. Affected devices are likely to face increased risk of initial access, malware delivery, and lateral movement.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green