ZeroFox Daily Intelligence Brief - February 23, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Why European Energy Is Targeted by Cyber Threat Actors
  • Russia-Linked Actor Breaches Over 600 Fortinet Firewalls Without Zero-Days
  • Geopolitical Focus: Mexican Drug Lord Killed, U.S.-Iran Updates, And More

Why European Energy Is Targeted by Cyber Threat Actors

Source: https://www.zerofox.com/advisories/38537/

What we know: In 2024, ZeroFox observed at least 38 cyberattacks targeting the European energy sector, making Europe the second most targeted region after North America. In 2025, this rose to at least 56 separate incidents, and Europe's share of global incidents grew to nearly 27 percent from 20 percent in 2024.

Context: European states have increased investment in the energy sector since Russia’s war in Ukraine began. Efforts to avoid energy shortages since 2022 have likely contributed to the high cost of living and an uncompetitive business landscape in Europe.

Analyst note: As investment increases, financially and geopolitically motivated cyberattacks against European start-ups working on modern energy-related projects are very likely. Russia is likely limiting supplies, thereby driving up prices and contributing to the overall cost-of-living crisis, in an attempt to weaken Western resolve to back Ukraine.

Russia-Linked Actor Breaches Over 600 Fortinet Firewalls Without Zero-Days

Source: https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/

What we know: A Russia-linked threat actor has breached over 600 Fortinet FortiGate firewalls across 55 countries in five weeks by brute-forcing exposed management interfaces that lacked MFA; no zero-days were used. The actor is assessed to have low to moderate skill sets and was observed attempting exploits for multiple CVEs, but abandoned hardened systems in favor of easier targets.

Context: After gaining access, the attacker stole configuration files, VPN credentials, admin passwords, and network maps, and used AI-assisted tools to automate reconnaissance and lateral movement.

Analyst note: This incident suggests that organizations failing to rotate credentials and enforce MFA will increasingly become prime targets for opportunistic, AI-enabled threat actors. Rather than investing in vulnerability exploitation, such actors are likely to prioritize environments where weak authentication enables scalable, automated access with minimal resistance.
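A defender-side check that follows from the pattern above: this added Python example (not from ZeroFox or the linked report) scans constructed FortiGate-style admin-login events, flags a source IP that accumulates repeated failed administrator logins inside a short window, and separately flags a successful login from an IP that still has recent failures. The log field names and thresholds are assumptions, chosen to resemble FortiOS event logs; adapt them to your own log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-like "key=value" event-log format.
# Assumption: field names (logdesc, user, srcip, action, status) follow common
# FortiOS admin-login events; adjust the parser if your firmware logs differently.
SAMPLE_LOGS = """\
date=2026-02-20 time=03:14:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:14:09 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:14:18 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:14:27 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:14:36 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:15:02 logdesc="Admin login successful" user="admin" srcip=203.0.113.5 action="login" status="success"
date=2026-02-20 time=03:20:11 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-20 time=03:41:45 logdesc="Admin login successful" user="netops" srcip=192.0.2.10 action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
THRESHOLD = 5                    # failures from one source IP inside WINDOW

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_admin_bruteforce(text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for (a) >= threshold failed admin logins from one IP within
    window and (b) a successful login from an IP that still has recent failures."""
    failures = defaultdict(deque)  # srcip -> timestamps of recent failed logins
    alerted = set()                # IPs already reported, to avoid duplicate alerts
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        ip, recent = ev["srcip"], failures[ev["srcip"]]
        while recent and ts - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if ev.get("status") == "failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "admin_bruteforce", "srcip": ip, "user": ev["user"], "count": len(recent)})
        elif ev.get("status") == "success" and recent:
            alerts.append({"rule": "success_after_failures", "srcip": ip, "user": ev["user"], "count": len(recent)})
    return alerts
```

On the sample data this yields two alerts for 203.0.113.5 (the burst of failures, then the success that follows it) and none for the single failure from 198.51.100.7 or the clean login from 192.0.2.10.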

Geopolitical Focus: Mexican Drug Lord Killed, U.S.-Iran Updates, And More

  • Mexico's most wanted drug lord, Nemesio Oseguera Cervantes, known as "El Mencho," was killed on February 22, 2026, during a security operation to arrest him. El Mencho was the leader of the Jalisco New Generation Cartel (CJNG). The operation has triggered a wave of violence by cartel members, with cars being torched and gunmen blocking highways in over half a dozen states.
  • The United States and Iran are set to hold their next round of talks on February 26, in Geneva, amid the threat of U.S. military strikes and ongoing unrest in Iran. The United States has built up its largest military presence in the Middle East in decades as the two countries discuss nuclear concessions and other issues.
  • On February 22, Russia struck several parts of Ukraine with drones and ballistic and cruise missiles, largely targeting the country’s energy infrastructure. Early on February 23, Ukraine inflicted damage on Russian energy infrastructure, disrupting supplies of power, heat, and water in the Belgorod region.
  • An armed individual was killed after intruding into the secure perimeter of U.S. President Donald Trump's Mar-a-Lago residence in Florida. The intruder was carrying what appeared to be a shotgun and a fuel can.
  • The Northeast United States is being battered by a winter storm, described as “historic,” resulting in power outages and a travel ban in New York City.

DEEP AND DARK WEB INTELLIGENCE

PayPal breach: PayPal has identified a data breach where certain individuals gained unauthorized access to approximately 100 customers’ personally identifiable information (PII). PayPal confirmed that the exposure resulted from a software error in its PayPal Working Capital (PPWC) loan application that granted unauthorized access to these individuals from July 1, 2025 to December 13, 2025. Given that the individuals had access to customer PII for several months, they are likely to sell this information on dark web forums, since full identity packages (or “fullz”) are commonly sold for identity fraud.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-2329: This vulnerability is an unauthenticated stack-based buffer overflow in the web API endpoint of affected Grandstream IP phones. A crafted “request” parameter can overflow a 64-byte stack buffer, enabling remote code execution with root privileges. This flaw is likely to enable attackers to remotely take full control of affected devices, hijacking phones to redirect calls and disrupting operations.

Affected products: Grandstream models GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP163

Tags: DIB, TLP:GREEN