
ZeroFox Daily Intelligence Brief - February 24, 2026

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Four Suspected Members of Hacktivist Group Anonymous Fénix Arrested in Spain
  • Operation Olalampo Hits MENA Region Amid U.S.-Iran Conflict
  • Anthropic Catches Chinese Companies Copying Claude’s Capabilities

Four Suspected Members of Hacktivist Group Anonymous Fénix Arrested in Spain

Source: https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-anonymous-fenix-hacktivists-for-ddosing-govt-sites/

What we know: Spanish authorities have arrested four suspected members of the hacktivist group "Anonymous Fénix" for carrying out distributed denial-of-service (DDoS) attacks against Spanish government websites.

Context: The group had claimed to be part of the international hacktivist collective “Anonymous.” Spanish courts have ordered seizure of the group’s social media accounts, including its Telegram channel. In May 2025, the group’s alleged leader was arrested near Madrid.

Analyst note: Seized infrastructure and information obtained from the arrested individuals are likely to lead to the arrest of other affiliates, including people associated with the larger Anonymous collective. Spanish authorities are also likely to share intelligence with their European and allied counterparts for an internationally coordinated operation.

Operation Olalampo Hits MENA Region Amid U.S.-Iran Conflict

Source: https://www.darkreading.com/threat-intelligence/iran-muddywater-new-malware-tensions-mount

What we know: The APT group MuddyWater is actively targeting organizations and individuals across the Middle East and North Africa (MENA) region, running several variants of the campaign with lures tailored to each set of targets.

Context: The surge in the ongoing campaign, dubbed "Operation Olalampo," coincides with heightened military and political tensions between the United States and Iran. MuddyWater is using spear-phishing emails as the primary infection vector to deploy tailored malware families (CHAR, GhostBackDoor, HTTP_VIP) and take control of victims' systems.

Analyst note: The campaign highlights MuddyWater's shift towards AI-accelerated espionage, using LLMs to rapidly develop customized malware. Threat actors are likely to escalate such living-off-the-cloud tactics, increasingly routing command-and-control (C2) traffic through trusted services such as Telegram so that it blends into legitimate traffic and slips past controls that rely on destination reputation alone.
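Telegram's end-user desktop and mobile clients speak MTProto to Telegram's data centres, whereas the HTTPS Bot API at api.telegram.org/bot<token>/<method> is used by automation and by malware that borrows Telegram as a C2 channel. That difference gives defenders a handle on traffic that is otherwise "trusted". The following Python is an added example, not code from the source article or from ZeroFox: it runs a detection over constructed proxy log lines, flagging hosts that poll getUpdates at a steady interval and upload documents on the same bot token. The log format, the hostnames and the bot token are all constructed for the example.

```python
"""Flag Telegram Bot API use in proxy logs (added example; not from the source article).

Bot API requests carry the bot token in the URL path, so a proxy log yields both
the beaconing host and the bot id.  The secret half of the token is not reported.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
POLLING_METHODS = {"getUpdates"}                          # long-poll for operator commands
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}  # results / exfil back to operator

# Constructed sample log: ISO timestamp, source host, HTTP method, URL (tab-separated).
# ws-17 polls once a minute and uploads a document; ws-03 is ordinary browsing.
SAMPLE_LOG = """\
2026-02-24T09:00:00Z\tws-17\tGET\thttps://api.telegram.org/bot7123456789:AAHxyz_example-token/getUpdates?offset=5
2026-02-24T09:00:02Z\tws-03\tGET\thttps://www.microsoft.com/
2026-02-24T09:01:00Z\tws-17\tGET\thttps://api.telegram.org/bot7123456789:AAHxyz_example-token/getUpdates?offset=5
2026-02-24T09:01:30Z\tws-17\tPOST\thttps://api.telegram.org/bot7123456789:AAHxyz_example-token/sendDocument
2026-02-24T09:02:00Z\tws-17\tGET\thttps://api.telegram.org/bot7123456789:AAHxyz_example-token/getUpdates?offset=6
2026-02-24T09:02:10Z\tws-03\tGET\thttps://web.telegram.org/a/
2026-02-24T09:03:00Z\tws-17\tGET\thttps://api.telegram.org/bot7123456789:AAHxyz_example-token/getUpdates?offset=6
"""


def parse_lines(text):
    """Yield (timestamp, source host, method, url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split("\t", 3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, url


def find_bot_api_c2(log_text, min_polls=3):
    """Return {source_host: finding} for hosts polling the Bot API at least min_polls times.

    A finding records the bot id(s) seen, the poll count, the mean and standard
    deviation of the poll interval in seconds (a small deviation means a fixed
    beacon period), and how many upload-style calls used the same channel.
    """
    per_src = defaultdict(lambda: {"bot_ids": set(), "polls": [], "uploads": 0})
    for ts, src, method, url in parse_lines(log_text):
        m = BOT_API_RE.match(url)
        if not m:
            continue
        rec = per_src[src]
        rec["bot_ids"].add(m["bot_id"])
        if m["method"] in POLLING_METHODS:
            rec["polls"].append(ts)
        elif m["method"] in UPLOAD_METHODS:
            rec["uploads"] += 1

    findings = {}
    for src, rec in per_src.items():
        polls = sorted(rec["polls"])
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings[src] = {
            "bot_ids": sorted(rec["bot_ids"]),
            "poll_count": len(polls),
            "mean_interval_s": mean(gaps),
            "interval_stdev_s": pstdev(gaps),
            "uploads": rec["uploads"],
        }
    return findings


if __name__ == "__main__":
    for host, finding in find_bot_api_c2(SAMPLE_LOG).items():
        print(host, finding)
```

The regex keys on the Bot API path, not on the destination domain, so ordinary Telegram web use (web.telegram.org) is not flagged; the interval statistics are what separate a scheduled beacon from an administrator's one-off curl. Tune min_polls and add an allowlist of sanctioned bot ids before deploying against real proxy logs.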

Anthropic Catches Chinese Companies Copying Claude’s Capabilities

Source: https://www.theguardian.com/technology/2026/feb/23/us-ai-anthropic-china

What we know: Anthropic has accused China-linked companies DeepSeek, Moonshot AI, and MiniMax of using 24,000 fake accounts and 16 million queries to extract Claude’s capabilities through large-scale illicit distillation methods.

Context: Distillation is an AI-training method in which a smaller model learns to replicate the outputs of a larger, more advanced model. The companies allegedly used proxy-routed fake accounts to extract advanced AI capabilities at low cost, potentially bypassing U.S. export controls and flouting safety guardrails tied to national security.

Analyst note: If distilled models do not retain strong safety controls, they are likely to provide more detailed guidance on cyberattack techniques, be more susceptible to prompt injection abuse, and offer fewer restrictions around exploit development.

DEEP AND DARK WEB INTELLIGENCE

Optimizely data breach: U.S.-based ad tech company Optimizely has informed some of its customers of a data breach, after threat actors gained access to the firm’s internal systems in a voice-phishing (vishing) attack. The company reportedly said the threat actors stole “basic business contact information” and there is no evidence that sensitive customer data or personal information was accessed. Optimizely has not named the threat actor, but described them as a “loosely affiliated group” using “social engineering tactics.” The data is likely to be used to target exposed entities in further social engineering attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-27488: OpenClaw's cron webhook handler contains a server-side request forgery (SSRF) vulnerability. Because the handler performs no policy check on the webhook target, a target URL can make the server reach internal services or the cloud instance-metadata endpoints that typically serve instance credentials. The issue is patched in v2026.2.19. Attackers are likely to exploit unpatched instances to reach poorly segmented internal networks and then escalate privileges and exfiltrate data.

Affected products: OpenClaw versions prior to v2026.2.19
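The source does not reproduce OpenClaw's handler or its fix, so the following Python is an added example, not OpenClaw's code: it shows the policy check a server-side webhook target needs. It resolves the target, rejects loopback, private, link-local (where the metadata services live) and IPv4-mapped addresses, checks every address the name resolves to, and hands back pinned addresses so the fetch cannot be redirected by a later DNS answer. The example hostnames and the injectable `resolver` parameter are assumptions for illustration.

```python
"""Policy check for server-side webhook targets (added example, not OpenClaw's code).

A cron job that fires a webhook makes the server itself fetch an attacker-chosen
URL.  Without a policy check that URL can point at loopback, RFC 1918 space or
the link-local cloud metadata service, which is the SSRF class described above.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a server-side fetch must never reach.  169.254.0.0/16 covers the cloud
# instance-metadata services; ::ffff:0:0/96 catches IPv4 addresses written as
# IPv4-mapped IPv6 literals.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"https"}  # assumption: webhooks are HTTPS only


class WebhookPolicyError(ValueError):
    """Raised when a webhook target violates the outbound policy."""


def is_blocked_address(addr: str) -> bool:
    """True if addr (an IPv4/IPv6 literal) falls inside any blocked range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # apply the IPv4 rules to ::ffff:a.b.c.d
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA answer for host, so a mixed public/private record set is caught.

    getaddrinfo also normalises odd literals (decimal or octal forms) that
    ipaddress rejects, so they end up judged as real addresses rather than names.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def naive_check(url: str) -> str:
    """The missing-policy behaviour: scheme only, no look at where the host points."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise WebhookPolicyError("bad scheme")
    return url


def vet_webhook_target(url: str, resolver=system_resolver) -> tuple[str, list[str]]:
    """Validate a webhook URL and return (hostname, pinned addresses).

    The caller must connect to one of the returned addresses (still sending the
    hostname as Host/SNI) rather than re-resolving the name; otherwise a DNS
    answer that changes between check and use (rebinding) defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise WebhookPolicyError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise WebhookPolicyError("credentials in webhook URL not allowed")
    host = parts.hostname
    if not host:
        raise WebhookPolicyError("missing host")
    try:                              # IP literal: no DNS, judge it directly
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise WebhookPolicyError(f"{host} does not resolve")
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:
        raise WebhookPolicyError(f"{host} resolves to blocked address(es) {blocked}")
    return host, addrs
```

The check is deliberately a denylist of address ranges plus an allowlist of schemes; where the deployment allows it, an allowlist of permitted webhook hosts is stronger still. Redirects must be re-vetted with the same function, since a 302 to an internal address is the usual bypass for a check applied only to the first URL.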

Tags: DIB, TLP:GREEN