ZeroFox Daily Intelligence Brief - January 28, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Chinese APT Salt Typhoon Reportedly Spied on UK Senior Officials’ Phones
- 174 Victims Targeted in USD 36M Global Fake Crypto Investment Scheme
- 16 Malicious ChatGPT Browser Extensions Detected
Chinese APT Salt Typhoon Reportedly Spied on UK Senior Officials’ Phones
Source: https://www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/
What we know: Chinese advanced persistent threat (APT) group Salt Typhoon is reportedly suspected of spying on the mobile phones of senior UK officials close to Prime Minister Keir Starmer.
Context: Staff of former UK prime ministers Boris Johnson, Liz Truss, and Rishi Sunak were also reportedly exposed. The operation is believed to have begun in 2021 and was uncovered in 2024 after U.S. sources revealed China-linked groups had accessed telecom providers globally, potentially intercepting calls and messages or at least harvesting sensitive metadata.
Analyst note: The suspected hack indicates that the Chinese espionage operation conducted through telecom providers likely affects multiple countries and governments. Devices belonging to staff around senior political leaders are likely to be frequent targets because they are easier to reach and less rigorously monitored than the leaders’ own hardened devices.
174 Victims Targeted in USD 36M Global Fake Crypto Investment Scheme
What we know: An individual has been sentenced to more than two years in prison for laundering over USD 36 million tied to a global digital asset investment scam. The scheme used fake cryptocurrency investment platforms and social engineering tactics via social media, calls, texts, and dating apps to defraud 174 victims.
Context: The individual promoted fraudulent digital asset investments and funneled stolen funds through shell companies and banks. The individual then converted the funds into a stablecoin and transferred them to wallets linked to scam centers in Cambodia.
Analyst note: Scammers lure victims with promises of new, quick, and reliable returns in order to obtain their funds, credentials, and other financial details. Inexperienced investors are likely to be especially vulnerable to these deceptive claims and fraudulent platforms.
16 Malicious ChatGPT Browser Extensions Detected
Source: https://hackread.com/fake-chatgpt-extensions-hijack-user-accounts/
What we know: Researchers have found 16 malicious browser extensions posing as ChatGPT productivity tools aiming to hijack user accounts. At the time of reporting, these extensions reportedly recorded about 900 downloads.
Context: The extensions wait for the user to log in to ChatGPT, then steal the session tokens and ChatGPT data. The extensions reportedly share similar code and communicate with attacker-controlled domains, such as chatgptmods[.]com and Imagents[.]top.
Analyst note: Given that these extensions had been downloaded about 900 times at the time of writing, threat actors are likely to have accessed compromised users’ sensitive business data, code repositories, and personally identifiable information (PII). Because the extensions steal session tokens, any organization that finds one of them installed should treat the affected ChatGPT sessions as compromised and look for outbound traffic to the domains above.
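The two domains above are published defanged, and a common first step after a brief like this is to sweep proxy or DNS logs for them. The following is an added example, not code from the ZeroFox brief or from the researchers it cites: it refangs the indicators exactly as printed in the brief, matches them against hostnames in a constructed proxy-log format (timestamp, source IP, method, URL, assumed here for illustration), treats subdomains of an indicator as hits, and avoids the classic false positive of a look-alike domain that merely ends with the same string.

```python
"""Sweep proxy log lines for defanged network IOCs from a threat brief.

Added example. The two indicators are copied as printed in the brief;
the log format and the log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the brief.
DEFANGED_IOCS = ["chatgptmods[.]com", "Imagents[.]top"]

# Assumed (constructed) log format: "<timestamp> <src_ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into a usable, lowercased string."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .strip()
                     .lower())


def host_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IOC domain itself or a subdomain of it.

    Anchoring on the dot means 'notchatgptmods.com' does not match 'chatgptmods.com'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def find_hits(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return one record per log line whose URL host matches any indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = urlsplit(m.group("url")).hostname or ""
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append({"ts": m.group("ts"), "src": m.group("src"),
                             "host": host, "ioc": ioc})
                break
    return hits


# Constructed sample log: one legitimate ChatGPT request, two true hits,
# one look-alike domain that must not match, and one uppercase hit.
SAMPLE_LOG = """\
2026-01-27T09:12:01Z 10.0.4.21 GET https://chatgpt.com/backend-api/conversation
2026-01-27T09:12:03Z 10.0.4.21 POST https://api.chatgptmods.com/collect?t=abc
2026-01-27T09:12:05Z 10.0.4.21 GET https://notchatgptmods.com/index.html
2026-01-27T09:13:40Z 10.0.7.9 POST http://imagents.top/upload
2026-01-27T09:14:02Z 10.0.7.9 GET https://IMAGENTS.TOP/beacon
""".splitlines()


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} (matches {hit['ioc']})")
```

Running the block prints the three matching lines; the legitimate chatgpt.com request and the look-alike notchatgptmods.com host are correctly ignored. Swap `SAMPLE_LOG` for real proxy or DNS records, adjusting `LOG_RE` to the actual format, to use it as a quick triage sweep.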
DEEP AND DARK WEB INTELLIGENCE
BreachForums user CHONG: A threat actor named "CHONG" has advertised access to a Check Point VPN belonging to an undisclosed telecommunications company for USD 300 on BreachForums. The same access has also been advertised on the Russian-language dark web forum RehubCom by user “CHINA.” If legitimate, the sale is likely to serve as an initial access vector for intruding deeper into the target telecom company. The access is likely to appeal to state-backed threat actors attempting to breach telecom providers as part of larger espionage operations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-24858: This is a zero-day authentication bypass vulnerability in Fortinet products that is exposed when FortiCloud single sign-on (SSO) is enabled. The bug is under active exploitation. Fortinet has blocked FortiCloud SSO connections from devices running vulnerable versions. This follows reports of FortiGate firewalls being compromised on January 21, 2026. Administrators should check whether FortiCloud SSO is enabled on their devices, since the bypass applies only to that configuration, and review administrative logins since January 21 for signs of compromise. Compromised systems are very likely to enable further intrusions into networks that can be used for data theft, disruption, and malware infection, among other attacks.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green