
ZeroFox Daily Intelligence Brief - February 11, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • UNC1069 Targets Cryptocurrency Sector
  • Trojanized 7-Zip Download Used to Enroll Victims into Proxy Network
  • Pig-Butchering Crypto Launderer Sentenced to 20 Years in Absentia

UNC1069 Targets Cryptocurrency Sector

Source: https://cybersecuritynews.com/unc1069-hackers-attacking-finance-sector-with-new-tools/

What we know: Financially motivated North Korean threat actor UNC1069 is targeting the cryptocurrency sector with a campaign that uses AI-generated videos and ClickFix-style lures to deliver malware to both macOS and Windows users.

Context: The infection chain reportedly starts from compromised Telegram accounts belonging to executives at cryptocurrency firms, which are used to contact victims and lure them into fake Zoom meetings. During these meetings, victims are tricked into running commands themselves (the ClickFix pattern), which then deliver multiple malware families to their systems.

Analyst note: Threat actors are likely to reuse such AI-assisted social engineering against other operating systems and sectors, including critical infrastructure. The campaign is also likely to have downstream impact, as data taken from compromised accounts can be reused to impersonate executives for further financial gain.

Trojanized 7-Zip Download Used to Enroll Victims into Proxy Network

Source: https://www.bleepingcomputer.com/news/security/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool/

What we know: A fake website impersonating 7-Zip, an open-source file archiver, is distributing a trojanized installer that infects users who believe they are downloading the legitimate tool, enrolling their devices into a residential proxy network.

Context: Cybercriminals use residential proxies to hide malicious activity by routing their traffic through home internet connections, making attacks look like everyday user behavior. The campaign reportedly surfaced after a user followed a YouTube PC-building tutorial and unknowingly installed malware from the malicious site.

Analyst note: The threat actors behind this campaign are likely to build a large residential proxy botnet that lets them route malicious traffic through infected home devices. This infrastructure is likely to be sold or used to carry out credential stuffing, phishing attacks, fraud, or malware distribution.

Pig-Butchering Crypto Launderer Sentenced to 20 Years in Absentia

Source: https://www.justice.gov/opa/pr/man-sentenced-20-years-prison-role-73-million-global-cryptocurrency-investment-scam

What we know: A U.S. court has sentenced an individual in absentia to 20 years in prison for their role in an international cryptocurrency investment scam syndicate that laundered more than USD 73 million stolen from U.S. victims through large-scale pig-butchering operations.

Context: Investigators stated that the syndicate utilized messaging apps and social platforms to establish trust, then routed stolen funds through shell companies, U.S. bank accounts, Deltec Bank, and crypto wallets, one of which held over USD 341 million, to obscure the money trail.

Analyst note: Law enforcement is likely to use the evidence developed in this case to identify other operators of the network. It is also likely to recover some, if not all, of the financial assets tied to the scam network.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user iProfessor: Threat actor "iProfessor" has advertised more than seven terabytes of data allegedly associated with Safe Home Security, a U.S.-based residential security provider. The threat actor claims the data is "extremely sensitive" and contains confidential records, including videos, audio logs, and other documents containing PII (Personally Identifiable Information). If the claims are accurate, the exposure could have severe physical and digital consequences for millions of customers, since video and audio from home security systems reveal occupancy and daily routines as well as identity data.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft February 2026 Patch Tuesday: Microsoft has patched close to 60 vulnerabilities, including six actively exploited zero-days and three additional zero-days. Microsoft has also flagged 25 elevation of privilege, 12 remote code execution, and seven spoofing vulnerabilities, among others. Unpatched systems are likely to allow threat actors to execute malware, escalate privileges, and establish deeper persistence across compromised Windows environments; the actively exploited items should be prioritized.

Affected products: listed in Microsoft's advisory for this release.

CVE-2026-21643: Fortinet has released security updates to remediate this critical FortiClientEMS vulnerability that could enable unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests exploiting an SQL injection flaw. There is a roughly even chance of threat actors exploiting this vulnerability as part of initial access operations to establish footholds in enterprise environments, deploy follow-on malware, and facilitate lateral movement across compromised networks.

Affected products: FortiClientEMS version 7.4.4, FortiClientEMS version 7.2, and FortiClientEMS version 8.0
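The bug class behind this CVE, SQL injection reachable through an unauthenticated HTTP request, is easy to see in miniature. The following is an added example written for this brief; it is not FortiClientEMS code, and the endpoint path, table, column and parameter names are assumptions chosen for the demonstration. The vulnerable handler splices a query-string value straight into SQL, while the hardened handler passes the same value as a bound parameter.

```python
"""SQL injection via a crafted HTTP request: vulnerable vs. hardened handler.

Added illustration of the bug class only. The "agents" table, the /api/agents
endpoint and the "name" parameter are assumptions, not details of the
FortiClientEMS flaw referenced in the advisory.
"""
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table standing in for an endpoint-management backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agents (id INTEGER PRIMARY KEY, name TEXT, token TEXT)"
    )
    # Constructed sample rows: two enrolled hosts, each with an enrollment token.
    conn.executemany(
        "INSERT INTO agents (name, token) VALUES (?, ?)",
        [("host-a", "t0k3n-a"), ("host-b", "t0k3n-b")],
    )
    conn.commit()
    return conn


def _name_param(request_url: str) -> str:
    """Extract the attacker-controlled 'name' query parameter (no auth check)."""
    params = parse_qs(urlparse(request_url).query)
    return params.get("name", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, request_url: str) -> list:
    """Builds SQL by string interpolation: the classic injection pattern."""
    name = _name_param(request_url)
    sql = f"SELECT id, name, token FROM agents WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, request_url: str) -> list:
    """Same lookup with a bound parameter: the input can never change the query shape."""
    name = _name_param(request_url)
    return conn.execute(
        "SELECT id, name, token FROM agents WHERE name = ?", (name,)
    ).fetchall()


# Constructed crafted requests. parse_qs decodes '+' as space and %27 as a quote.
# 1) Tautology: name = x' OR '1'='1  -> dumps every row including tokens.
CRAFTED_OR = "https://ems.example/api/agents?name=x%27+OR+%271%27%3D%271"
# 2) UNION: name = x' UNION SELECT 0, name, sql FROM sqlite_master --
#    -> reads schema metadata through the same result columns.
CRAFTED_UNION = (
    "https://ems.example/api/agents?"
    "name=x%27+UNION+SELECT+0%2C+name%2C+sql+FROM+sqlite_master+--"
)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable / OR   :", lookup_vulnerable(db, CRAFTED_OR))
    print("vulnerable / UNION:", lookup_vulnerable(db, CRAFTED_UNION))
    print("hardened   / OR   :", lookup_hardened(db, CRAFTED_OR))
    print("hardened   / UNION:", lookup_hardened(db, CRAFTED_UNION))
```

Against the vulnerable handler the tautology payload returns both enrollment tokens and the UNION payload returns the table definition from `sqlite_master`; the hardened handler returns nothing for either, because the whole string is compared as a literal name. Whether a given product's injection reaches code execution depends on the database and the surrounding code, which the advisory does not detail; the fix, binding parameters rather than concatenating input, is the same regardless.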

Tags: DIB, tlp:green