ZeroFox Weekly Intelligence Brief – February 21, 2026
by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EST) on February 19, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
Keenadu Malware Embedded in Various Android Device Brands Globally
What we know:
- A sophisticated Android malware strain called Keenadu has been found embedded in the firmware of various Android device brands and in trojanized apps, including some distributed through Google Play.
- The malware strain's control and delivery mechanism, AKServer, uses geographic checks to limit exposure, shutting down Keenadu if the device is set to Chinese language and time zone.
ZeroDayRAT Expands Mobile Threats
What we know:
- Researchers have observed a new commercial mobile spyware platform called ZeroDayRAT being sold on Telegram as a full-service surveillance and theft toolkit for Android and iOS devices.
- ZeroDayRAT is designed to operate across Android versions 5 through 16 and iOS versions up to 26, providing broad compatibility for attackers.
Top U.S. Companies Targeted in Massive Phishing Campaign
What we know:
- A financially motivated threat actor group dubbed GS7 is running a large-scale phishing campaign known as “Operation DoppelBrand.”
- The campaign weaponizes brand impersonation to target Fortune 500 firms and other high-value entities, mainly in the United States.
Tags: tlp:green