ZeroFox Daily Intelligence Brief - February 13, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report: Cryptocurrency Stealer for Sale on Dark Web
- Dutch Telecom Company Confirms Data Breach
- Romanian Pipeline Operator Confirms Data Stolen in Ransomware Attack
ZeroFox Intelligence Flash Report: Cryptocurrency Stealer for Sale on Dark Web
Source: https://www.zerofox.com/advisories/38375/
What we know: Threat actor “MysteryHack” is advertising a malware suite called DeepLoad on a dark web forum. The suite is designed to actively facilitate real-time cryptocurrency theft. MysteryHack claims to be developing a “Binance stealer” module that uses a malicious browser extension to drain funds from victim accounts.
Context: The actor described DeepLoad as a centralized panel for multiple types of malware strains. Its primary function is to replace seven cryptocurrency wallet applications with counterfeit versions. DeepLoad features capabilities like wallet replacement, phishing automation, and more.
Analyst note: If the actor’s claims are true, the suite is likely to be an attractive offering among threat actors due to its ability to facilitate real-time cryptocurrency theft. This malware suite is likely to give threat actors faster and more efficient ways to steal cryptocurrency by deploying an infostealer-like tool that leverages malicious browser extensions to simplify account and wallet compromise.
Dutch Telecom Company Confirms Data Breach
Source: https://www.odido.nl/veiligheid
What we know: Odido, a large telecom provider in the Netherlands, has confirmed a breach that compromised its customer contact system. According to the ongoing internal investigation, passwords, call logs, and billing information have not been exposed. Affected customers are being informed at the time of reporting.
Context: Odido is a major mobile and telecommunications provider, offering mobile, broadband, and television services to millions of customers nationwide. The company stated that the compromised customer data “may include” personally identifiable information (PII) including full name, address, mobile number, customer number, email address, IBAN (account number), date of birth, and passport or driver's license number/validity.
Analyst note: Threat actors are likely to misuse the data to impersonate Odido or associated third-party vendors, sending fake invoices to customers or targeting them with spear-phishing emails that might include malicious documents.
Romanian Pipeline Operator Confirms Data Stolen in Ransomware Attack
What we know: Romanian national oil pipeline operator Conpet S.A. has confirmed that the Qilin ransomware group stole company data in an attack that occurred on February 3, 2026.
Context: Qilin has claimed to have stolen 1 TB of data from Conpet and has published a set of sample data—including passport scans, a list of shareholders, and details of certain financial transactions—on its leak site. However, with investigations ongoing, Conpet has yet to officially confirm the volume of data stolen.
Analyst note: Threat actors are likely to use this attack on a critical infrastructure operator as a blueprint to target other entities associated with critical infrastructure across countries. Moreover, Russia-aligned threat actors are also likely to be interested in the exfiltrated data, given NATO’s establishment of its second-largest logistics hub for Ukraine in Romania.
DEEP AND DARK WEB INTELLIGENCE
Exploit user Demonizacija: Untested threat actor “Demonizacija” is offering alleged EV Code Signing Certificates for USD 4,000 to bypass Windows SmartScreen warnings and UAC security prompts. The actor claims to produce these certificates independently, enabling files like .exe and .dll to display a verified publisher status and customized company names. For a 0.1 BTC deposit as proof of legitimacy, the actor claims to provide bulk, unused certificates from all certificate authorities to ensure prolonged use and high-quality service for bypassing malicious warnings.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-26225: Intego Personal Backup for macOS contains a local privilege escalation flaw due to backup task files being writable by non-privileged users but executed with elevated privileges. An attacker can craft a malicious task file to perform arbitrary file writes in protected system paths, ultimately escalating access to root. This vulnerability is likely to enable attackers to gain full control over affected macOS systems and disable security controls.
Affected products: Intego Personal Backup
Tags: DIB, tlp:green