
ZeroFox Daily Intelligence Brief - February 25, 2026

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • North Korea’s Lazarus Diversifies Attacks with Medusa Ransomware
  • U.S. Sanctions Russian Zero-Day Broker Operation Zero
  • Geopolitical Focus: Mexico Insecurity Heightened Ahead of World Cup

North Korea’s Lazarus Diversifies Attacks with Medusa Ransomware

Source: https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/

What we know: A subgroup linked to North Korean hacker group Lazarus has been observed deploying Medusa ransomware in attacks targeting U.S. healthcare organizations and entities in the Middle East.

Context: The group has conducted multi-stage intrusions in which it disables security controls, establishes persistence, and steals and exfiltrates data using tools such as RP_Proxy and Curl. It reportedly deploys Medusa ransomware only after gaining full control of the network. Medusa ransomware, active since January 2021, had impacted over 300 critical infrastructure organizations globally by February 2025.

Analyst note: Given that Medusa ransomware is deployed only after full network control has been established, it likely reflects that the Lazarus Group prioritizes reconnaissance, persistence, and data exfiltration within victim environments before initiating encryption. This approach likely suggests the group is combining ransomware monetization with intelligence collection, using encryption as a final leverage mechanism rather than the primary objective of the intrusion.

U.S. Sanctions Russian Zero-Day Broker Operation Zero

Source: https://home.treasury.gov/news/press-releases/sb0404

What we know: The U.S. Treasury Department has sanctioned Russian company Matrix LLC (operating as Operation Zero), an affiliated UAE firm, and other associated individuals and entities for stealing and selling at least eight proprietary cyber tools created exclusively for the U.S. government and its allies. Operation Zero claims the Russian government among its clients.

Context: The Treasury added that Operation Zero recruited hackers and developed business relationships using its social media accounts (mainly X and Telegram). The sanctions also coincide with the sentencing of an individual in the United States for selling a U.S. company’s sensitive and protected cyber-exploit components to Operation Zero.

Analyst note: The designated entities’ accounts on X and Telegram are likely to be removed following the sanctions, specifically disrupting Operation Zero’s business and damaging its credibility if it rebrands. However, its accounts remain active at the time of writing.

Geopolitical Focus: Mexico Insecurity Heightened Ahead of World Cup

  • Following the successful Mexican special forces operation that killed Mexico’s top cartel leader, Nemesio Oseguera Cervantes (aka El Mencho), ZeroFox assesses that retaliatory acts of violence are likely to continue over the coming weeks in an effort to dissuade further counter-narcotics operations. While Westerners are rarely targeted directly, the high level of instability in major cities poses a significant risk of collateral injury to bystanders, including U.S. citizens. President Claudia Sheinbaum faces mounting domestic and international pressure to deter the violence ahead of the upcoming 2026 World Cup, which Mexico is hosting. If Sheinbaum continues to authorize operations targeting cartel leaders, a violent response that elevates the risk of violence nationwide is almost certain. There is a roughly even chance that highly publicized U.S. pressure on Mexican officials will lead cartels to directly target American interests.

DEEP AND DARK WEB INTELLIGENCE

CarGurus data breach: U.S.-based digital automotive marketplace CarGurus has allegedly suffered a data breach, after ShinyHunters published 6.1 GB of data containing approximately 12.4 million records on February 21, 2026. The data was leaked after the threat group posted a warning to CarGurus on its leak site. The exposed dataset reportedly contains dealer account details and personally identifiable information (PII), including physical addresses, IP addresses, and finance pre-qualification application data. CarGurus has yet to release an official statement. Threat actors are likely to use the dataset in a variety of ways to financially extort victims, including phishing, social engineering, and insurance fraud.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Broadcom security patches: Broadcom has released patches for multiple vulnerabilities impacting VMware Aria Operations, including a high-severity command injection vulnerability tracked as CVE-2026-22719. The other vulnerabilities enable cross-site scripting (XSS) and privilege escalation. Successful exploitation of the vulnerabilities, individually or in a chain, is likely to help threat actors to compromise cloud environments.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN