ZeroFox Daily Intelligence Brief - February 20, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - 0APT Syndicate Lacking Credibility
- Over USD 20 Million Lost in Malware Enabled ATM Jackpotting Incidents in 2025
- Personal Data of VIPs Exposed in Abu Dhabi’s Major Financial Summit
ZeroFox Intelligence Flash Report - 0APT Syndicate Lacking Credibility
Source: https://www.zerofox.com/advisories/38510/
What we know: ZeroFox assesses that newly founded and self-proclaimed ransomware-as-a-service (RaaS) collective 0APT Syndicate (0APT) is very likely a scam or hoax group.
Context: As of this writing, the group has not published any legitimate data from its list of 200 alleged victim companies; further, the purported data samples on its leak site cannot be downloaded and appear to be entirely fabricated.
Analyst note: 0APT’s tactics suggest this is highly likely a scam campaign targeting other cybercriminals with its advertised RaaS program. Although the group’s affiliate message calls it a “free Raas,” 0APT is asking for a 1 Bitcoin assessment fee (approximately USD 67,000) to join its affiliate program. ZeroFox assesses it is highly unlikely that the affiliate program exists.
Over USD 20 Million Lost in Malware Enabled ATM Jackpotting Incidents in 2025
Source: https://www.ic3.gov/CSA/2026/260219.pdf
What we know: The FBI has reported a rise in ATM jackpotting incidents across the United States, with over 700 attacks reported in 2025 resulting in more than USD 20 million in losses. In December 2025, members of Venezuela’s Tren de Aragua gang were indicted in the United States for orchestrating a multi-million-dollar ATM jackpotting scheme using the Ploutus malware strain.
Context: Threat actors are deploying malware such as Ploutus to directly compromise ATMs and force them to dispense cash without bank authorization. Ploutus exploits software that controls ATM hardware functions, enabling attackers to bypass transaction approval systems and trigger cash withdrawals on demand.
Analyst note: Unapprehended members of Tren de Aragua are likely to continue last year’s campaign into 2026. If law enforcement activity continues, threat actors are likely to adapt their tactics to avoid detection and target less-secured regional ATM operators.
Personal Data of VIPs Exposed in Abu Dhabi’s Major Financial Summit
Source: https://www.darkreading.com/cyber-risk/abu-dhabi-finance-week-leaked-vip-passport-details
What we know: A major data leak associated with the Abu Dhabi Finance Week (ADFW) has reportedly exposed the personal data of some 700 attendees, including high-profile individuals like former British Prime Minister David Cameron and former White House communications director Anthony Scaramucci.
Context: The data reportedly consists of personally identifiable information, ID cards, and passports. The data was publicly exposed on an unsecured cloud server for at least two months before the ADFW secured it. Additionally, thousands of other documents associated with the ADFW summit were reportedly on the same server.
Analyst note: If threat actors accessed the data, they are likely to misuse it to impersonate former heads of government, finance and cryptocurrency leaders, and other high-value individuals to target government agencies, crypto investors, and other entities in phishing attacks for financial gain.
DEEP AND DARK WEB INTELLIGENCE
French government confirms data breach: A data breach at the French national bank account registry FICOBA has reportedly exposed 1.2 million bank accounts. The unauthorized access occurred in January 2026. Threat actors used stolen credentials of an official to access the database. Exposed data includes account holder names, addresses, and international bank account numbers (IBANs). The information is likely to be used in phishing and identity theft for financial gain.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-26119: This is a now-patched privilege escalation flaw in Windows Admin Center due to improper authentication. The flaw enabled authorized attackers to escalate their privileges over a network. Threat actors with initial access to a system are very likely to be able to exploit this flaw to gain full control over the targeted network.
Affected products: Windows Admin Center versions up to (excluding) 2511
Tags: DIB, tlp:green