ZeroFox Daily Intelligence Brief - January 29, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- FBI Seizes Russian Dark Web Forum RAMP
- ZeroFox Intelligence Flash Report - Cl0p List Latest Wave of Victims on Leak Site
- Seizure of IPIDEA Domains Knocks 13 Proxy Brands Offline
FBI Seizes Russian Dark Web Forum RAMP
What we know: The FBI has seized popular Russian language dark web forum RAMP, which was used by cybercriminals to advertise and promote various cybercrime services, including ransomware operations.
Context: RAMP’s onion site and its clearnet domain, ramp4u[.]io, display a seizure notice, and the domain’s name servers match those used in previous FBI seizure operations. However, the FBI has not yet released an official statement. An alleged former RAMP operator, known as “Stallman,” confirmed the seizure on the XSS dark web platform.
Analyst note: The seizure is likely to expose forum users’ data, such as email addresses, IP addresses, and messages, especially for those lacking robust operational security. Law enforcement is likely to use the data to disrupt or apprehend other cybercriminals. Other Russian-language dark web forums are likely to see more traffic as a result of RAMP’s seizure.
ZeroFox Intelligence Flash Report - Cl0p List Latest Wave of Victims on Leak Site
Source: https://www.zerofox.com/advisories/38105/
What we know: ZeroFox has observed that ransomware and digital extortion (R&DE) group Cl0p has claimed at least 46 victims on its leak site over the past week, an unusual spike in a short period of time.
Context: Cl0p has not yet provided any details about an ongoing campaign or the type of data allegedly compromised. Cl0p is one of the oldest ransomware collectives still active. It has had notable quarters of high-tempo activity tied to targeted extortion campaigns, followed by several periods of relatively low activity.
Analyst note: The unusual rise in the alleged number of victims indicates an increase in Cl0p’s operational tempo in the near term, which is likely to raise its notoriety and strengthen its leverage in pressuring alleged victims to pay the demanded ransoms.
Seizure of IPIDEA Domains Knocks 13 Proxy Brands Offline
What we know: Residential proxy network IPIDEA has reportedly been dismantled after researchers seized control of its domains. The action took at least 13 proxy brands offline, disrupting services leveraged by cybercriminals to exploit millions of hijacked consumer devices.
Context: Cybercriminals use residential proxies to hide malicious activity by routing their traffic through real home internet connections, making attacks look like everyday user behavior. In this operation, researchers also identified over 600 Android apps and over 3,000 files tied to IPIDEA’s command-and-control systems.
Analyst note: Disrupting IPIDEA is likely to deter threat actors from continuing to operate distributed denial of service (DDoS)-capable botnets, such as the Kimwolf botnet, in the near term. However, sophisticated cybercriminals are likely to migrate to alternative residential proxy providers, driving demand to rebuild criminal proxy networks.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user FulcrumSec: Threat group FulcrumSec has claimed to have compromised Lena Health, a U.S.-based healthcare services company, with the data allegedly including over 2,000 patient records, phone calls, hospital discharge documents, and contact details. Some of the compromised audio recordings appear to have been accessed via Twilio, the communications platform Lena Health allegedly used. If the threat actor’s claims are true, this breach likely stemmed from a third-party source and risks extending beyond Lena Health to other healthcare providers and services.
VULNERABILITY AND EXPLOIT INTELLIGENCE
SolarWinds security patches: SolarWinds has released patches for six vulnerabilities, including four critical flaws, affecting its Web Help Desk software. The critical flaws include remote code execution (RCE) and authentication bypass vulnerabilities. Threat actors are likely to use automated tools to scan for publicly accessible Web Help Desk instances, and are likely to use standardized payloads to hit multiple targets rapidly, given that Web Help Desk is widely used across different sectors.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green