ZeroFox Daily Intelligence Brief - February 10, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Breach of Staff Device Platform Endangers Employee Details
- Chinese APT Breached Four Major Telecom Service Providers in Singapore
- Cloud-Native Cybercrime Escalates; 60,000 Servers Compromised
Breach of Staff Device Platform Endangers Employee Details
Source: https://hackread.com/cyber-attack-european-commission-staff-mobile-systems/
What we know: The European Commission contained a cyber attack on January 30, 2026, that targeted its Mobile Device Management (MDM) systems used for managing staff phones and tablets. The attackers are suspected to have accessed employee names and phone numbers, but the Commission confirmed that no mobile devices themselves were compromised.
Context: The Commission has not confirmed the threat actor’s initial access method, but the breach is believed to be part of a broader campaign exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2026-1281 and CVE-2026-1340) against European institutions.
Analyst note: Before the Commission intercepted the attack, the threat actor is likely to have gained some access to confidential information stored in the MDM systems, such as device metadata, passcodes, employee names, and phone numbers. This access is likely to support reconnaissance of the Commission’s mobile infrastructure and attempts to escalate access into broader internal systems.
Chinese APT Breached Four Major Telecom Service Providers in Singapore
What we know: China-linked advanced persistent threat (APT) “UNC3886” targeted Singapore’s four major telecommunication service providers last year—M1, SIMBA Telecom, Singtel, and StarHub. While the threat actors reportedly gained limited access, they were unable to disrupt services or exfiltrate sensitive or personal data.
Context: Singaporean Minister K. Shanmugam first disclosed the incident in July 2025 as an intrusion into critical infrastructure, but did not share details in order to preserve operational security. In at least one instance, UNC3886 exploited a zero-day flaw to bypass a perimeter firewall and exfiltrate a small amount of technical data.
Analyst note: China-linked APTs have been implicated in breaches of telecom infrastructure in multiple countries, very likely indicating a robust global cyber espionage campaign. Telecom intrusions are likely to help threat actors further compromise the devices of high-level targets.
Cloud-Native Cybercrime Escalates; 60,000 Servers Compromised
Source: https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
What we know: A massive "worm-driven" campaign has reportedly turned cloud-native environments into self-propagating crimebots. The campaign, previously reported in a January 2026 ZeroFox briefing, stems from a rapid-fire exploit in December 2025 that compromised over 59,000 Next.js and React-based servers within 48 hours.
Context: The campaign is attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce). It leverages misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as persistent pathways to breach modern cloud infrastructure, leading to credential theft and cryptocurrency mining. Additionally, it has been observed to use pre-existing vulnerabilities and open-source platforms for the initial deployment of malware.
Analyst note: Threat actors are likely to escalate the campaign by selling "proxy-as-a-service" access to other threat actors. This access can serve as a persistent gateway for lateral movement across corporate networks even after the initial malware is removed. Moreover, organizations that run the targeted infrastructure are likely to become collateral victims of the ongoing campaign.
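The exposure patterns named above (Docker and Redis reachable without authentication) are the kind a defender can audit from configuration alone. The following is an added example, not ZeroFox code and not derived from the reported campaign's tooling: it parses a constructed Docker daemon.json and a constructed redis.conf fragment and reports the settings that would leave each service open to an unauthenticated network client. The sample configurations and the finding strings are assumptions made for illustration.

```python
"""Audit Docker daemon and Redis configuration for unauthenticated exposure.

Added example (not from the original brief). Both configurations below are
constructed samples that deliberately contain the weak settings.
"""
import json
from typing import Dict, List

# Constructed sample: Docker daemon.json that exposes the API over plain TCP on
# every interface. "tls"/"tlsverify" are absent or false, so any client can
# create privileged containers on this host.
DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

# Constructed sample redis.conf fragment: bound to all interfaces, protected
# mode disabled, and no password configured.
REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so there is no authentication at all
# requirepass changeme
"""


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Flag TCP API listeners that lack TLS or are bound to all interfaces."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tls_enabled = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only; not a network exposure
        addr = host[len("tcp://"):]
        if not tls_enabled:
            findings.append(f"docker: API listener {host} without TLS")
        if addr.startswith(("0.0.0.0", "[::]", "*")):
            findings.append(f"docker: API listener {host} bound to all interfaces")
    return findings


def _parse_redis_conf(conf: str) -> Dict[str, str]:
    """Return directive -> value for the last occurrence of each directive."""
    settings: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit_redis_conf(conf: str) -> List[str]:
    """Flag Redis settings that allow unauthenticated access from the network.

    Heuristic: an absent "bind" means Redis listens on all interfaces, and
    without "requirepass" (or an ACL file, which this check does not parse)
    any client that can reach the port has full access.
    """
    settings = _parse_redis_conf(conf)
    findings: List[str] = []
    bind = settings.get("bind", "")
    if not bind or any(b in ("0.0.0.0", "::", "*") for b in bind.split()):
        findings.append("redis: bound to all interfaces")
    if settings.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in settings and "aclfile" not in settings:
        findings.append("redis: no requirepass or aclfile configured")
    return findings


if __name__ == "__main__":
    for finding in audit_docker_daemon(DOCKER_DAEMON_JSON) + audit_redis_conf(REDIS_CONF):
        print(finding)
```

A hardened daemon.json would list only the unix socket, or a TCP listener with "tlsverify": true and a CA-signed client certificate requirement; a hardened redis.conf keeps protected-mode yes, binds to a private address, and sets requirepass or an ACL file.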
DEEP AND DARK WEB INTELLIGENCE
BreachForums user w1kkid (or wikkid): Threat actor “w1kkid” has advertised a dataset of over 536,000 records allegedly related to Ersten Group, which purportedly develops stalkerware applications. W1kkid claims to have leaked information on subscribers to a number of applications including XNSPY and Phonyspy. The leaked data allegedly includes email addresses, credit/debit card numbers (MD5 hashed), and user IDs. The leaked data is likely to be used to compromise user accounts. It is also very likely to pose cyber and physical security risks to individuals being tracked using the stalkerware apps.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-1731: BeyondTrust has patched CVE-2026-1731, a critical pre-authentication remote code execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw stems from an operating system command injection weakness that, on successful exploitation, enables unauthenticated attackers to execute arbitrary operating system commands without credentials or user interaction. Given that, threat actors are likely to automate exploitation, scaling up data exfiltration and service disruption.
Affected products: Remote Support versions 25.3.1 and prior; Privileged Remote Access versions 24.3.4 and prior
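For readers triaging this class of flaw in their own code, the following added example illustrates the generic OS command injection pattern named above and its fix. It is not BeyondTrust code and makes no claim about where the flaw in RS/PRA actually lies: a hypothetical ping helper builds a shell string from an untrusted hostname (vulnerable form), and the hardened form validates the input against an allowlist and passes it as a separate argv element so the shell never interprets it.

```python
"""Generic OS command injection: vulnerable and hardened command construction.

Added example, not from the original brief and not BeyondTrust's code. The
"ping" helper and the hostname pattern are hypothetical.
"""
import re
import shlex
from typing import List

# Allowlist for a hostname or IPv4 literal (hypothetical policy for this example).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable: untrusted input is concatenated into a shell command line.

    If this string were passed to subprocess.run(..., shell=True), shell
    metacharacters inside `host` (';', '&&', '|', backticks) would be executed.
    """
    return f"ping -c 1 {host}"


def build_ping_command_hardened(host: str) -> List[str]:
    """Hardened: validate against an allowlist, then build an argv list.

    The list form is handed to subprocess.run(argv) with shell=False (the
    default), so the hostname reaches ping as a single argument and no shell
    parses it.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def shell_injection_risk(host: str) -> bool:
    """Detection helper: does the input carry shell metacharacters?"""
    return any(ch in host for ch in ";&|`$\n")


def render_argv_for_logging(argv: List[str]) -> str:
    """Quote an argv list for a log line so a reviewer can see the boundaries."""
    return shlex.join(argv)


if __name__ == "__main__":
    untrusted = "127.0.0.1; id"  # constructed hostile input
    print("vulnerable:", build_ping_command_vulnerable(untrusted))
    try:
        build_ping_command_hardened(untrusted)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened argv:", render_argv_for_logging(build_ping_command_hardened("example.com")))
```

The hardening is two layers on purpose: the allowlist rejects anything that is not a hostname, and the argv list removes the shell from the path entirely, so even a validation gap would not hand the input to a shell parser.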
Tags: DIB, tlp:green