ZeroFox Daily Intelligence Brief - February 6, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Substack Notifies Users of Data Breach
- Spain’s Ministry of Science Shuts Down Systems Following “Technical Incident”
- Major University in Europe Targeted; Systems Forced Offline
Substack Notifies Users of Data Breach
Source: https://hackread.com/substack-breach-user-records-leak-cybercrime-forum/
What we know: Substack is sending notifications to users about an October 2025 data breach, where hackers stole users’ email addresses and phone numbers.
Context: Substack’s notification email confirms that, although the hackers were able to access internal metadata, no credit card numbers, passwords, or financial information were stolen. Meanwhile, threat actor “w1kkid” advertised a Substack user database on BreachForums containing 697,313 records of allegedly scraped data.
Analyst note: Since the data breach reportedly does not involve sensitive financial information, it is unlikely to have severe consequences. The allegedly scraped data advertised on BreachForums is also unlikely to contain information other than email addresses and phone numbers. However, impacted users are still likely at risk of social-engineering attacks.
Spain’s Ministry of Science Shuts Down Systems Following “Technical Incident”
What we know: The Spanish Ministry of Science (Ministerio de Ciencia) has partially shut down its IT systems following a “technical incident.” The announcement follows a DarkForums post by threat actor “GordonFreeman” claiming administrator-level system access and a leak of sensitive files from the Ministry.
Context: The government body maintains the systems used by universities, researchers, and students that handle high-value, sensitive information. Meanwhile, threat actor GordonFreeman has also claimed to have breached the Public Key Infrastructure (PKI) portal of Spain’s civilian police force.
Analyst note: Threat actor GordonFreeman has a roughly even chance of announcing additional breaches targeting Spanish government entities. Such announcements are likely to attract nation-state actors seeking geopolitical advantage. With the ongoing 2026 Winter Olympics and tensions with Russia, cyberattacks against European governments and critical infrastructure are very likely to increase in the coming few weeks.
Major University in Europe Targeted; Systems Forced Offline
What we know: La Sapienza University in Rome has suffered a cyberattack that forced an emergency shutdown of its network, disrupting services and leaving its website offline. The University has not confirmed any details of the attack at the time of writing.
Context: An Italian media report says that the incident was a ransomware attack by pro-Russia group “Femwar02” that encrypted university data and shows similarities to the Bablock/Rorschach malware strain. The news outlet claims a ransom demand was issued, but University staff have not opened it in order to avoid starting a 72-hour countdown timer.
Analyst note: If this is confirmed as a ransomware attack, the threat actors are likely to pressure the University into meeting their demands by threatening to leak student and staff data on dark web forums. In the past year, ZeroFox observed 46 ransomware attacks targeting the education industry in Europe and Russia.
DEEP AND DARK WEB INTELLIGENCE
Coupang breach escalates: A government-led investigation has uncovered an additional 165,000 compromised accounts in the Coupang breach, bringing the total affected to nearly two-thirds of South Korea’s population. The breach was confirmed in November and has escalated tensions between the allies over trade and security ties, likely contributing to the hike in tariffs on South Korean goods from 15 to 25 percent. Additionally, the suspect has been identified as a former employee who gained access to an internal security key that enabled the breach. Threat actors are likely to recruit such insiders in order to leverage cryptographic keys and administrative credentials, impersonate legitimate users, and bypass security controls to take over an entire platform.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-20119: Cisco has released patches for CVE-2026-20119, a high-severity, zero-click vulnerability in Cisco’s text rendering engine. The flaw enables unauthenticated remote attackers to trigger a denial-of-service condition by sending malformed text, potentially forcing affected TelePresence CE and RoomOS devices into a reboot loop. Devices left on unpatched versions remain susceptible to exploitation, which is likely to cause complete communication blackouts during critical business operations by rendering video conferencing hardware unusable.
Affected products: Cisco TelePresence CE and RoomOS versions older than 11.27.5.0 or 11.32.3.0 are affected and require immediate patching.
Tags: DIB, tlp:green