
ZeroFox Daily Intelligence Brief - February 12, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Former Executive Accused of Trafficking Stolen Exploits to Russian Entities
  • Payroll Scam: Fraudsters Redirect Paychecks to Their Accounts
  • Volvo Group Employee Data Exposed in Conduent Breach

Former Executive Accused of Trafficking Stolen Exploits to Russian Entities

Source: https://techcrunch.com/2026/02/11/doj-says-trenchant-boss-sold-exploits-to-russian-broker-capable-of-accessing-millions-of-computers-and-devices/

What we know: The United States has charged an individual with selling proprietary cyber intrusion tools to a Russia-linked broker that sought zero-day exploits. The accused sold eight proprietary tools and exploit packages to the broker, who is suspected of supplying other Russian entities, including the Russian government.

Context: The individual previously served as an executive at a security services provider that supported multiple partners of the U.S. Intelligence Community as well as other intelligence organizations across the Five Eyes alliance.

Analyst note: The sale of zero-day exploits to Russian entities is likely to enable state-directed espionage and offensive cyber operations against military systems and civilian infrastructure. Prompt patching of the vulnerabilities once the affected vendors disclose fixes is the most effective way to reduce the window in which threat actors can use these exploits to steal sensitive information or establish long-term persistence across affected government devices and networks.

Payroll Scam: Fraudsters Redirect Paychecks to Their Accounts

Source: https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/?td=rt-3a

What we know: Threat actors are reportedly running a campaign, dubbed “payroll pirates,” in which they pose as legitimate employees locked out of their accounts to trick the IT help desk into resetting the employees' login credentials.

Context: They use this initial access to log in to HR platforms, such as Workday, and change the employee's direct-deposit details so that paychecks are routed to an attacker-controlled account. To evade security controls and detection, they operate from the targeted company's own infrastructure, so the activity appears to come from legitimate internal users rather than from an external source.

Analyst note: There is a roughly even chance that the threat actors conducting this campaign will incorporate AI-powered tactics to increase the scale of the attack and extend it to other sectors that rely on cloud-based SaaS HR and payroll platforms.
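Because the attackers operate from inside the company's own infrastructure, source-IP or geolocation checks will not catch this pattern; what does stand out is the sequence of events across two systems. The following is an added example (not ZeroFox's or any vendor's code) of detection logic that correlates a help-desk credential reset with a direct-deposit change in the HR platform shortly afterwards, and separately flags one bank account receiving the payroll of several employees. The event schema, field names and sample records are constructed for illustration and do not reflect any specific product's log format.

```python
"""Detection logic for the "payroll pirates" pattern described above.

Two signals are checked over constructed audit records:
  1. A help-desk credential reset followed, within a time window, by a
     direct-deposit change for the same user in the HR platform.
  2. One destination bank account appearing in direct-deposit changes for
     more than one employee (a mule account collecting several paychecks).

The schemas and all sample events are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed help-desk audit records (assumed schema: ts, user, action, channel).
HELPDESK_EVENTS = [
    {"ts": "2026-02-09T14:02:00Z", "user": "jdoe",   "action": "credential_reset", "channel": "phone"},
    {"ts": "2026-02-10T09:15:00Z", "user": "asmith", "action": "credential_reset", "channel": "phone"},
    {"ts": "2026-02-01T11:00:00Z", "user": "bwong",  "action": "credential_reset", "channel": "in_person"},
]

# Constructed HR-platform audit records (assumed schema: ts, user, action, dest_account).
# dest_account is "routing:account" and is only present on direct-deposit changes.
HR_EVENTS = [
    {"ts": "2026-02-09T15:40:00Z", "user": "jdoe",   "action": "direct_deposit_change", "dest_account": "021000021:9988776655"},
    {"ts": "2026-02-10T10:05:00Z", "user": "asmith", "action": "direct_deposit_change", "dest_account": "021000021:9988776655"},
    {"ts": "2026-02-10T16:30:00Z", "user": "bwong",  "action": "direct_deposit_change", "dest_account": "011000015:1234567890"},
    {"ts": "2026-02-11T08:00:00Z", "user": "cperez", "action": "address_change",        "dest_account": None},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reset_then_payroll_change(helpdesk_events, hr_events, window_hours=72):
    """Return one alert per direct-deposit change that occurs within
    `window_hours` AFTER a help-desk credential reset for the same user.

    Resets that happen after the change, or outside the window, do not match.
    """
    window = timedelta(hours=window_hours)
    resets = defaultdict(list)
    for ev in helpdesk_events:
        if ev["action"] == "credential_reset":
            resets[ev["user"]].append(parse_ts(ev["ts"]))

    alerts = []
    for ev in hr_events:
        if ev["action"] != "direct_deposit_change":
            continue
        changed_at = parse_ts(ev["ts"])
        for reset_at in resets.get(ev["user"], []):
            if timedelta(0) <= changed_at - reset_at <= window:
                alerts.append({
                    "user": ev["user"],
                    "reset_at": reset_at.isoformat(),
                    "changed_at": changed_at.isoformat(),
                    "dest_account": ev["dest_account"],
                })
                break  # one alert per change is enough
    return alerts


def shared_destination_accounts(hr_events, min_users=2):
    """Map each destination account used by at least `min_users` distinct
    employees to the sorted list of those employees."""
    users_by_account = defaultdict(set)
    for ev in hr_events:
        if ev["action"] == "direct_deposit_change" and ev["dest_account"]:
            users_by_account[ev["dest_account"]].add(ev["user"])
    return {acct: sorted(users) for acct, users in users_by_account.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for alert in reset_then_payroll_change(HELPDESK_EVENTS, HR_EVENTS):
        print("reset-then-redirect:", alert)
    for acct, users in shared_destination_accounts(HR_EVENTS).items():
        print("shared destination account:", acct, "->", users)
```

In the constructed data, jdoe and asmith both have a credential reset followed within hours by a direct-deposit change to the same account, so they trigger both signals; bwong's reset is nine days before the change and is not flagged. The window length is a tuning choice, and the second signal needs no help-desk data at all, which makes it useful where ticketing logs are not available to the SOC.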

Volvo Group Employee Data Exposed in Conduent Breach

Source: https://www.securityweek.com/conduent-breach-hits-volvo-group-nearly-17000-employees-data-exposed/

What we know: Attackers stole sensitive data on nearly 17,000 Volvo Group North America employees, including Social Security numbers, addresses, birth dates, and medical information, in a breach of Volvo's vendor Conduent.

Context: Conduent discovered the intrusion in its network in January 2025, and its investigation found that the attackers had maintained access to its systems since October 21, 2024. In February 2025, the Safepay ransomware group claimed responsibility for the breach.

Analyst note: A breach at an enterprise like Conduent, which provides back-office services to many organizations, is likely to have long-lasting repercussions that fall primarily on its clients and other downstream firms. The exfiltrated data will likely be reused in social engineering and triple-extortion attacks against the affected employees and their employers.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Infrastructure Destruction Squad (IDS): The threat group IDS has claimed to have breached South Korean government infrastructure, including the Jeollanam-do Police Agency and national data centers. The leaked data allegedly includes identity records, police files, financial accounts, real estate contracts, communications, and wallet credentials. IDS framed the intrusion as politically motivated and aligned with China's interests. If verified, the breach would likely enable espionage, coercion, fraud, and intelligence mapping, and could reveal strategic intelligence.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20700: Apple has patched CVE-2026-20700, a zero-day vulnerability in Apple's Dynamic Link Editor (dyld) that allows an attacker who already has a memory-write capability on the device to execute arbitrary code by manipulating how dyld processes data. The flaw was exploited in a sophisticated attack against specific targeted individuals and was chained with other zero-days in the same incidents. Threat actors are likely to abuse unpatched versions to turn an initial memory-corruption foothold into full code execution, leading to broader system takeover and exfiltration of user data.

Affected products: Apple iOS versions before iOS 26

Tags: DIB, tlp:green