ZeroFox Daily Intelligence Brief - February 3, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Iron Mountain Hit While Everest Alleges Massive Data Exfiltration
- “ClawHavoc” Campaign Hits OpenClaw: 341 Malicious Plug-ins Exposed
- ZeroFox Intelligence Event Assessment - Super Bowl LX
Iron Mountain Hit While Everest Alleges Massive Data Exfiltration
What we know: A data management company, Iron Mountain, has confirmed that it has experienced a cybersecurity incident involving a single compromised credential that exposed non-sensitive information. Ransomware group Everest has claimed on their leak site to have exfiltrated over 1 TB of client “personal documents and information.”
Context: The group has threatened to release the compromised data if their demands are not met. Iron Mountain provides data storage, protection, recovery, and data center services to major companies and has not yet confirmed additional information about the nature of the attack.
Analyst note: If the group’s claims are true and the data is leaked, companies associated with Iron Mountain’s services are likely to risk exposing their confidential information, including their intellectual property, future projects and products, and employee and customer information.
“ClawHavoc” Campaign Hits OpenClaw: 341 Malicious Plug-ins Exposed
What we know: Following the “Moltbook leak” that reportedly exposed private data of over 6,000 users, security auditors have found 341 malicious packages uploaded to Clawhub (OpenClaw’s official GitHub registry). Clawhub is a self-hosted AI assistant that was formerly known as both “Clawdbot” and “Moltbot.”
Context: These malicious packages masquerade as legitimate tools for cryptocurrency trading automation, financial utilities, and social media or content services, tricking Clawhub users into installing “fake prerequisites.” The prerequisites carry information-stealing malware payloads designed to harvest browser credentials and other sensitive data, such as API keys, wallet private keys, SSH credentials, and browser passwords.
Analyst note: A successful attack and the subsequent exfiltration can likely enable threat actors to conduct sophisticated, targeted social-engineering attacks. These can lead to drained financial assets and bypassed two-factor authentication used to take over private or corporate infrastructure, turning a single compromised AI agent into a persistent gateway for identity theft and multi-stage extortion.
ZeroFox Intelligence Event Assessment - Super Bowl LX
Source: https://www.zerofox.com/advisories/38163/
What we know: ZeroFox has identified numerous scams related to Super Bowl LX, including sale of compromised account credentials for National Football League (NFL) employees and fake tickets. Additionally, ZeroFox assesses physical security planning to revolve around mitigating potential disruptions to the event in light of ongoing immigration-related tensions.
Context: The Super Bowl is scheduled for February 8, 2026, in Santa Clara, California. Previous iterations of the event have also witnessed financially motivated threat actors targeting attendees via scams related to accommodations and betting, among others.
Analyst note: ZeroFox assesses that accommodation fake listings, phishing schemes, ransomware attacks, credential harvesting, and business email compromise are likely to increase during the event.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user Angel_Batista: Well-reputed threat actor “Angel_Batista” has claimed access to the French Ministry of Armed Forces domain “defense[.]gouv[.]fr”, scraping 2,971 miscellaneous data files related to the French Army. The actor states that the data is limited to files marked “Diffusion Restreinte” and technical guides. Additionally, they claim continued access despite high-volume scraping activity. Although there are no claims of highly classified material, such access can likely be escalated for strategic intelligence gathering, reputational damage, or future data leaks involving more sensitive assets.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-25253: CVE-2026-25253 is a token exfiltration flaw in OpenClaw’s Control UI. The UI trusts an unvalidated gateway URL, which enables cross-site WebSocket hijacking (WebSocket being the browser-to-server communications protocol the UI uses to reach its gateway). A hijacked link can steal gateway tokens and grant attackers operator-level access, enabling configuration changes and one-click remote code execution on the host. Threat actors are likely to leverage this flaw by crafting malicious links that steal gateway tokens and execute arbitrary commands on victim devices.
Affected products: OpenClaw versions before 2026.1.29
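The flaw described above implies two defender-side checks that a control UI and its gateway should each perform. This is an added example written for this brief, not OpenClaw’s own code: the UI validates any gateway URL it is handed against an explicit allowlist before opening a WebSocket, and the gateway refuses WebSocket upgrades whose Origin header is not an expected UI origin. The function names, allowlists, and sample inputs are assumptions.

```javascript
// Added example (not OpenClaw code): mitigations for the bug class described
// above, i.e. a UI that trusts an attacker-supplied gateway URL, and a gateway
// that accepts WebSocket upgrades from any origin. All names and values are
// constructed for illustration.

// Origins the gateway accepts WebSocket upgrades from (constructed allowlist).
const ALLOWED_UI_ORIGINS = new Set(["https://control.example.internal"]);

// Hosts a Control UI may be pointed at as its gateway (constructed allowlist).
const ALLOWED_GATEWAY_HOSTS = new Set(["gateway.example.internal", "127.0.0.1"]);

// Client side: only open a WebSocket to a gateway URL that parses, uses a
// WebSocket scheme, carries no embedded credentials, and names an allowlisted
// host. Anything else is refused, so a crafted link cannot point the UI (and
// the token it would present) at a server the attacker controls.
function isTrustedGatewayUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== "wss:" && url.protocol !== "ws:") return false;
  if (url.username || url.password) return false;
  return ALLOWED_GATEWAY_HOSTS.has(url.hostname);
}

// Server side: decide whether a WebSocket handshake may proceed. Browsers
// always send Origin on WebSocket upgrades, so a missing, malformed, or
// unlisted Origin means the request did not come from an expected UI page.
function isAllowedUpgrade(headers) {
  const origin = headers["origin"];
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // covers the literal "null" origin as well
  }
  return ALLOWED_UI_ORIGINS.has(parsed.origin);
}
```

Both checks are cheap and independent; the Origin check protects a gateway even when a UI has not been patched, and the URL check protects a UI even when it is pointed at a gateway it has never seen.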
Tags: DIB, tlp:green