
ZeroFox Daily Intelligence Brief - February 17, 2026

By Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Washington Hotel in Japan Targeted in Ransomware Attack
  • Top U.S. Companies Targeted in Massive Phishing Campaign
  • ZeroDayRAT Expands Mobile Threats with Surveillance and Financial Theft Features

Washington Hotel in Japan Targeted in Ransomware Attack

Source: https://www.bleepingcomputer.com/news/security/washington-hotel-in-japan-discloses-ransomware-infection-incident/

What we know: The Washington Hotel in Japan has disclosed a ransomware attack on its servers. An investigation is underway to determine the impact of the attack and to assess whether any customer data was compromised.

Context: The parent company, Fujita Kanko Inc. (WHG Hotels), said an unauthorized intrusion was detected on February 13, 2026. It confirmed that the attackers accessed various business data stored on the affected servers but stated that customer data was not held on those systems. Some hotel properties are reportedly facing temporary unavailability of credit card terminals.

Analyst note: Although customer data is unlikely to have been compromised, the attack will very likely significantly disrupt hotel operations. Some digital facilities are likely to be temporarily unavailable and other operations could be conducted manually until systems are restored.

Top U.S. Companies Targeted in Massive Phishing Campaign

Source: https://www.darkreading.com/cyberattacks-data-breaches/operation-doppelbrand-weaponizing-fortune-500-brands

What we know: A financially motivated threat actor group dubbed GS7 is running a large-scale phishing campaign known as “Operation DoppelBrand”. The campaign weaponizes brand impersonation to target Fortune 500 firms and other high-value entities, mainly in the United States.

Context: The attackers register lookalike domains that impersonate the targeted brands and front them with Cloudflare, so the origin server's IP address is hidden and the infrastructure is harder to trace and take down. Victims are lured into clicking these links and entering their credentials, which are forwarded to attacker-controlled Telegram bots (tracked as "NfResultz by GS"). The stolen access is then used to install remote monitoring and management (RMM) tooling on victims' systems.

Analyst note: The threat actors are likely to act as initial access brokers (IABs), selling the access they obtain to affiliates and ransomware groups. The RMM tooling is likely to serve as a persistent gateway, turning the initial foothold into a staging point for file encryption and ransom demands. They are also likely to steal trade secrets and intellectual property and attempt to sell it to the victims' competitors.
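Two of the indicators described above are visible in ordinary web-proxy telemetry: credential posts to the Telegram Bot API and browsing to brand-impersonating domains. The following is an added example of that triage logic, not ZeroFox's or the reporting source's tooling. The brand names, allowlist, log format and log lines are constructed for the example; the Telegram URL shape (https://api.telegram.org/bot<token>/<method>) is the Bot API's documented form.

```python
"""
Added example: triage constructed web-proxy log lines for two
Operation DoppelBrand-style indicators:
  1. outbound requests to Telegram Bot API endpoints (credential exfil channel)
  2. lookalike domains impersonating brands the organisation protects
Everything below (brands, allowlist, log lines) is constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)"
)

# Assumption: brands this organisation wants to protect, and their legitimate domains.
PROTECTED_BRANDS = ["acmebank", "globexcorp"]
ALLOWLIST = {"acmebank.com", "globexcorp.com"}

# Decoy affixes commonly bolted onto a brand name in phishing domains.
AFFIX_RE = re.compile(r"^(secure|login|auth|my)-|-(login|secure|portal|sso)$")


def registrable_part(host):
    """Crude eTLD+1: the last two DNS labels (sufficient for .com/.org in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings such as 'acrnebank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """Return the impersonated brand if the registrable label is a near-miss of one, else None."""
    reg = registrable_part(host)
    if reg in ALLOWLIST:
        return None  # genuine brand infrastructure, including subdomains
    label = reg.split(".")[0]
    core = AFFIX_RE.sub("", label)
    for brand in PROTECTED_BRANDS:
        if brand in label or levenshtein(core, brand) <= 2:
            return brand
    return None


def triage(lines):
    """Each line: '<timestamp> <src_ip> <method> <url>'. Returns (src_ip, finding, host) tuples."""
    findings = []
    for line in lines:
        _ts, src, _method, url = line.split(" ", 3)
        host = urlsplit(url).hostname or ""
        if TELEGRAM_BOT_RE.match(url):
            findings.append((src, "telegram-bot-exfil", host))
        brand = is_lookalike(host)
        if brand:
            findings.append((src, f"lookalike:{brand}", host))
    return findings


# Constructed sample log: one Telegram exfil, two lookalikes, two benign requests.
SAMPLE_LOG = [
    "2026-02-17T09:12:03Z 10.1.4.22 POST https://api.telegram.org/bot123456789:AAExampleTokenAbc_def/sendMessage",
    "2026-02-17T09:12:05Z 10.1.4.23 GET https://mail.acmebank.com/owa",
    "2026-02-17T09:12:07Z 10.1.4.22 GET https://acmebank-login.com/",
    "2026-02-17T09:12:09Z 10.1.4.24 GET https://acrnebank.com/verify",
    "2026-02-17T09:12:11Z 10.1.4.25 GET https://www.example.org/",
]

if __name__ == "__main__":
    for src, finding, host in triage(SAMPLE_LOG):
        print(f"{src}\t{finding}\t{host}")
```

Full URL matching on the Telegram indicator requires TLS inspection at the proxy; where only the SNI or DNS name is visible, alert on any endpoint resolving api.telegram.org that has no business reason to do so. The lookalike check is deliberately simple; a production version would add homoglyph normalisation and a proper public-suffix list.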

ZeroDayRAT Expands Mobile Threats with Surveillance and Financial Theft Features

Source: https://thehackernews.com/2026/02/new-zerodayrat-mobile-spyware-enables.html

What we know: Researchers have observed a new commercial mobile spyware platform called ZeroDayRAT being sold on Telegram as a full-service surveillance and theft toolkit for Android and iOS devices. ZeroDayRAT is designed to operate across Android versions 5 through 16 and iOS versions up to 26, providing broad compatibility for attackers.

Context: Once installed, ZeroDayRAT gives operators access to device details, messages, app activity, and real-time GPS tracking with location history. It also enables direct financial theft through wallet address substitution for crypto apps and banking stealer modules targeting mobile payment platforms like Apple Pay.

Analyst note: Because the platform packages a comprehensive suite of surveillance and data-theft capabilities behind an easy-to-use interface, it is likely to see wider criminal adoption and more aggressive campaigns. Threat actors are likely to distribute it through phishing lures, fake app marketplaces, and sideloaded APK packages to infect victims at scale.

DEEP AND DARK WEB INTELLIGENCE

Eurail B.V. Confirms Data Breach: Eurail B.V., the provider of European rail passes, has confirmed that customer data stolen in a recent breach is being sold on the dark web and a sample has been published on Telegram. The company is still investigating the extent of the compromise, which includes personal customer details like full names, passport numbers, bank account information, health data, and contact details. Eurail has advised affected customers to update their passwords, monitor bank activity, and be vigilant against phishing and scam attempts.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-2441: A recently patched use-after-free vulnerability in the CSS component of Google Chrome, reported as actively exploited in the wild. A remote attacker who lures a target into loading a crafted HTML page can achieve arbitrary code execution inside the browser sandbox; full compromise of the host requires chaining a separate sandbox-escape flaw. Even without such an escape, a compromised renderer is well placed to harvest session cookies and credentials the browser handles, so flaws of this class are likely to be used for account takeover.

Affected products: Google Chrome prior to 145.0.7632.75 (the installed build can be checked at chrome://settings/help)
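When sweeping an endpoint inventory for unpatched builds, Chrome versions must be compared component by component as integers: a naive string comparison ranks "145.0.7632.9" above "145.0.7632.75" and would report a vulnerable host as patched. The following is an added example of that check, not part of the source brief; the inventory rows are constructed for the example.

```python
"""
Added example: flag inventory rows whose Chrome build predates the fixed
release named in the advisory. Inventory rows are constructed for the example.
"""
FIXED_VERSION = "145.0.7632.75"  # first fixed build per the advisory above


def parse_version(version):
    """'145.0.7632.75' -> (145, 0, 7632, 75); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_update(rows):
    """Rows are 'hostname,product,version'. Returns (hostname, version) for vulnerable Chrome installs."""
    out = []
    for row in rows:
        host, product, version = (field.strip() for field in row.split(","))
        if product.lower() == "google chrome" and is_vulnerable(version):
            out.append((host, version))
    return out


# Constructed inventory export: one patched, two vulnerable, one newer, one non-Chrome.
INVENTORY = [
    "ws-0101,Google Chrome,145.0.7632.75",
    "ws-0102,Google Chrome,145.0.7632.9",   # string comparison would wrongly call this patched
    "ws-0103,Google Chrome,144.0.7559.110",
    "ws-0104,Google Chrome,146.0.7700.1",
    "ws-0105,Mozilla Firefox,147.0",
]

if __name__ == "__main__":
    for host, version in hosts_needing_update(INVENTORY):
        print(f"{host}: Chrome {version} is below {FIXED_VERSION}")
```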

Tags: DIB, TLP:GREEN