ZeroFox Daily Intelligence Brief - February 18, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Suspected Phobos Ransomware Affiliate Detained in Poland
- Keenadu Malware Embedded Deep into Android Devices Globally
- ZeroFox Intelligence Flash Report - DDoS Attacks Target Spanish Government Websites
Suspected Phobos Ransomware Affiliate Detained in Poland
What we know: Poland has detained an individual over alleged ties to the Phobos ransomware group as part of the larger "Operation Aether." Authorities seized computers and mobile phones containing stolen credentials, server access data, and credit card numbers.
Context: Phobos is a ransomware-as-a-service (RaaS) operation derived from the Crysis ransomware family, which the United States has linked to breaches at more than 1,000 public and private entities worldwide. In 2024, the alleged Phobos administrator was extradited to the United States; in 2025, 27 servers were seized and two suspected affiliates were arrested in Thailand.
Analyst note: Operation Aether underscores that sustained, focused law enforcement action against a single ransomware family is very likely to effectively dismantle an international cybercrime organization over time. The stolen data recovered from the seized devices is likely to continue to pose a risk, as it may already have been sold or distributed to other threat actors before the arrest; credentials and server access data found in such seizures should be treated as compromised, since copies may still be in circulation.
Keenadu Malware Embedded Deep into Android Devices Globally
Source: https://thehackernews.com/2026/02/keenadu-firmware-backdoor-infects.html
What we know: Keenadu is a sophisticated Android malware strain embedded in device firmware and in trojanized apps, including some distributed through Google Play. Its control and delivery component, AKServer, applies geographic checks to limit exposure, shutting Keenadu down if the device language is set to Chinese and the time zone to China.
Context: Keenadu reportedly spreads through compromised over-the-air (OTA) firmware, system apps, third-party tools, and Google Play apps, affecting over 13,000 users, mainly in Russia, Japan, Germany, Brazil, and the Netherlands. To avoid detection, the malware does not serve payloads until roughly two and a half months after device initialization, a dormancy period long enough to outlast typical sandbox and pre-installation review windows, so a device appears clean when it is first examined.
Analyst note: The actor behind Keenadu is likely building a broad surveillance and data-theft pipeline. The multiple distribution paths (OTA firmware, trojanized apps, Google Play exposure) suggest an intent to establish a durable, supply-chain-style foothold, enabling repeat infections and access across thousands of devices globally. Firmware-resident components typically persist across app removal and factory reset, so devices infected via OTA firmware are unlikely to be remediated by uninstalling apps alone.
ZeroFox Intelligence Flash Report - DDoS Attacks Target Spanish Government Websites
Source: https://www.zerofox.com/advisories/38454/
What we know: The pro-Russian hacktivist collectives NoName057(16) and Server Killers have claimed responsibility for coordinated distributed denial-of-service (DDoS) attacks against multiple Spanish government websites, and have posted check-host links as evidence. Such links show only whether a site was reachable from check-host's probe nodes at the time of the check; they do not establish who caused an outage or how long it lasted.
Context: This string of coordinated DDoS attacks, which earlier targeted UK organizations, demonstrates the persistent threat that pro-Russian collectives pose to NATO members and to organizations perceived as pro-Ukraine. The stated motivation was the Spanish government's perceived support for Ukraine and its participation in Operation Eastwood.
Analyst note: It is very likely that pro-Russia, anti-Western hacktivists will continue to target Western institutions throughout the year. NoName057(16) is also likely to collaborate with other pro-Russia collectives on DDoS attacks against perceived pro-Western targets in the coming months.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user LAPSUS-GROUP: The threat actor "LAPSUS-GROUP" has leaked data allegedly associated with Adidas on BreachForums. The actor claims the dataset contains around 815,000 rows, including names, email addresses, passwords, dates of birth, company details, and other technical information. Exposed accounts are at risk of takeover, which could in turn expose stored financial details; the data is also likely to be used for phishing, social engineering, and identity theft.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-22769: CVE-2026-22769 is a hardcoded-credential zero-day vulnerability in Dell RecoverPoint for Virtual Machines. A suspected China-linked threat group has been exploiting it since mid-2024 to breach VMware-centric environments. After gaining access, the attackers deployed the new Grimbolt backdoor and used stealthy "Ghost NIC" techniques to pivot deeper into victim networks. Successful exploitation is likely to give threat actors unauthenticated remote access to VMware backup infrastructure, enabling root-level persistence and long-term control over critical systems. Because the credential is built into the product, customer-side password rotation is unlikely to mitigate the issue; affected deployments should be updated and reviewed for signs of prior access.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green