ZeroFox Daily Intelligence Brief - February 26, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Cybersecurity Researchers Disrupt Decade-Long Chinese Surveillance Campaign
- AI-Powered Smear Campaigns Target Anti-CCP Critics
- Law Enforcement Operation Targets Counterfeit Pharma Networks
Cybersecurity Researchers Disrupt Decade-Long Chinese Surveillance Campaign
What we know: Cybersecurity researchers have disrupted a long-running campaign by the China-linked hacking group Gallium, which infiltrated at least 53 organizations across 42 countries. The group deployed a backdoor to harvest voter IDs, national identification numbers, and call records.
Context: Active for nearly a decade, the group abused common cloud-based spreadsheet tools to hide data exfiltration inside legitimate-looking network traffic. It targeted government entities and telecommunications providers in order to monitor SMS messages and track individuals.
Analyst note: State-nexus actors are likely to use this campaign as a blueprint, abusing widely deployed business software to bypass traditional network defenses and turning standard tools into conduits for mass surveillance. Stolen national identity data and call logs let foreign intelligence services map social networks and suppress dissent globally.
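Exfiltration that rides on a sanctioned SaaS service does not trip signature-based controls, so the practical detection is volumetric: compare each host's upload volume to the spreadsheet service against the fleet baseline. The following is an added example written for this brief, not ZeroFox tooling and not tied to any real service; the proxy log format, the service hostnames (placeholders under example-cloud.com), the sample log lines and the thresholds are all assumptions.

```python
"""Flag hosts whose uploads to cloud spreadsheet services sit far above the
fleet baseline.  Added example; the log format, service hostnames and
thresholds are assumptions, and the log lines are constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical set of sanctioned spreadsheet/document hosts.  A real deployment
# would take these from the proxy's application-category feed.
SPREADSHEET_HOSTS = {"sheets.example-cloud.com", "docs.example-cloud.com"}

# Constructed proxy log (not real data): timestamp src_ip method host bytes_out
SAMPLE_LOG = """\
2026-02-25T09:01:12Z 10.1.4.21 POST sheets.example-cloud.com 48213
2026-02-25T09:15:40Z 10.1.4.22 POST sheets.example-cloud.com 51020
2026-02-25T09:22:03Z 10.1.4.23 POST docs.example-cloud.com 39877
2026-02-25T10:02:55Z 10.1.4.21 POST sheets.example-cloud.com 44110
2026-02-25T10:30:18Z 10.1.4.50 POST sheets.example-cloud.com 2097152
2026-02-25T10:31:02Z 10.1.4.50 POST sheets.example-cloud.com 2088960
2026-02-25T10:31:49Z 10.1.4.50 POST sheets.example-cloud.com 2101248
2026-02-25T11:05:11Z 10.1.4.24 POST docs.example-cloud.com 36590
2026-02-25T11:40:27Z 10.1.4.50 GET  updates.example-vendor.com 812
"""


def parse_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (src_ip, method, host, bytes_out) for every well-formed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the pipeline
        _ts, src, method, host, size = parts
        try:
            rows.append((src, method, host, int(size)))
        except ValueError:
            continue
    return rows


def upload_totals(rows: List[Tuple[str, str, str, int]]) -> Dict[str, int]:
    """Sum bytes uploaded per source host to the spreadsheet services only."""
    totals: Dict[str, int] = defaultdict(int)
    for src, method, host, size in rows:
        if method == "POST" and host in SPREADSHEET_HOSTS:
            totals[src] += size
    return dict(totals)


def flag_outliers(totals: Dict[str, int], ratio: float = 10.0,
                  floor: int = 1_000_000) -> List[str]:
    """Hosts whose upload volume exceeds an absolute floor AND `ratio` times
    the fleet median.  The median is robust to the outliers themselves, so a
    single exfiltrating host cannot hide by inflating the baseline."""
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted(src for src, total in totals.items()
                  if total > floor and total > ratio * median)


def detect(text: str = SAMPLE_LOG) -> List[str]:
    """Run the whole pipeline over a proxy log and return flagged hosts."""
    return flag_outliers(upload_totals(parse_log(text)))


if __name__ == "__main__":
    print("hosts to investigate:", detect())
```

The absolute floor keeps a quiet fleet (where the median is tiny) from producing false positives on ordinary users, and the ratio keeps a busy fleet from hiding a bulk exporter; both values need tuning against a week or two of real traffic before alerting on them.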
AI-Powered Smear Campaigns Target Anti-CCP Critics
Source: https://openai.com/index/disrupting-malicious-ai-uses/
What we know: An individual linked to the Chinese Communist Party (CCP) used AI tools to coordinate smear campaigns against CCP critics, including Japanese Prime Minister Sanae Takaichi. The operator used the tools to generate content that impersonated Japanese citizens and amplified negative online sentiment toward Takaichi.
Context: The operation targeted Takaichi because of her "China hawk" stance and her support for Taiwan. Prompts revealed that hundreds of individuals across several Chinese provinces conduct similar influence operations, seeking to generate political pressure over the cost of living in Japan, stir up anger over U.S. tariffs, and spread positive online sentiment about the conditions of oppressed people in Inner Mongolia.
Analyst note: This model is likely to be adopted by other adversaries. Amid the ongoing U.S.-Iran crisis, state-linked threat groups are likely to use LLMs to manage thousands of fake personas at scale, enabling small units to stir domestic unrest or target officials with high-volume, low-cost propaganda that mimics organic dissent.
Law Enforcement Operation Targets Counterfeit Pharma Networks
What we know: In Operation SHIELD VI, law enforcement agencies targeted crime networks trafficking counterfeit medicines, doping substances, and illicit supplements through online forums. The operation led to 3,354 prosecutions, investigations into 43 organised crime groups, and the seizure of illicit pharmaceuticals worth EUR 33 million (approximately USD 39 million).
Context: The criminal networks used unregulated websites, social media platforms, online marketplaces, and dark web channels to distribute counterfeit pharmaceuticals and evade detection. Authorities took down 66 websites and placed 233 more under monitoring.
Analyst note: With many sites taken down and others under monitoring, sellers are likely to lie low and move counterfeit medication sales to encrypted channels. Demand for counterfeit weight-loss drugs, certain diabetes medications, psychostimulants, and anti-anxiety treatments is likely to remain high, sustaining strong incentives for organised crime groups to continue production and distribution despite enforcement pressure.
DEEP AND DARK WEB INTELLIGENCE
Exploit user AckLine: Untested threat actor “AckLine” has advertised 16 GB of data allegedly stolen from Airbus on the Russian-language dark web forum Exploit, claiming to have maintained persistent access to the company’s DevOps environment for more than two months before exfiltration. The actor claims the dataset includes development and source code files. If the claims are accurate, a compromise of the DevOps environment likely threatens the company’s software supply-chain integrity, since an attacker with that access could reach build pipelines, proprietary technology, and, through signed or distributed artifacts, downstream customers. The claim remains unverified; no sample of the data has been validated.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-20127: Cisco has disclosed that this authentication bypass vulnerability in Cisco Catalyst SD-WAN has been actively exploited as a zero-day since at least 2023. The flaw allowed remote attackers to log in to SD-WAN controllers and add rogue peers to targeted networks. CISA has also released guidance on hardening Cisco SD-WAN deployments. That the campaign went undetected for so long likely indicates that the actor exploiting this vulnerability is focused on surveillance and data exfiltration for espionage rather than on operational disruption or immediate financial gain. Because exploitation predates disclosure by years, patching alone does not close the exposure: operators should also review controller authentication logs and audit the configured peer list for entries they did not add.
Affected products: The affected products are listed in Cisco's advisory.
CVE-2025-13942: Zyxel has patched this command injection vulnerability in the UPnP function of certain Zyxel products. A remote attacker could execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests. There is a roughly even chance that financially motivated actors will exploit this bug to gain access through vulnerable devices and then encrypt sensitive data on the networks behind them. Until firmware is updated, disabling UPnP, or at least confirming that the UPnP service is not reachable from the WAN interface, reduces exposure.
Affected products: Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders.
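The bug class here, untrusted SOAP arguments reaching a shell, is the same one that has hit many router and CPE UPnP stacks. The following is an added example written for this brief to show the vulnerable pattern beside its hardened form; it is a generic illustration in Python, not Zyxel's code, and it says nothing about the actual mechanics of CVE-2025-13942. The SOAP envelopes, the iptables command and the handler names are all assumptions.

```python
"""Illustrative UPnP IGD AddPortMapping handler: command injection through a
SOAP argument, and the hardened form.  Added example; a generic pattern, not
Zyxel's code.  The SOAP bodies are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed SOAP body as a control point would POST it to the IGD control
# URL.  NewInternalClient is the field an attacker controls.
SOAP_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{ns}">
      <NewExternalPort>{ext}</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

BENIGN_REQUEST = SOAP_TEMPLATE.format(ns=WANIP_NS, ext=8080, int_port=80,
                                      client="192.168.1.10")
# Injected payload: the shell metacharacter ends iptables and starts telnetd.
MALICIOUS_REQUEST = SOAP_TEMPLATE.format(ns=WANIP_NS, ext=8080, int_port=80,
                                         client="192.168.1.10; telnetd -l /bin/sh")


def parse_add_port_mapping(body: str) -> Dict[str, str]:
    """Extract the AddPortMapping arguments (unprefixed children) from the envelope."""
    root = ET.fromstring(body)
    action = root.find(".//{%s}AddPortMapping" % WANIP_NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}


def vulnerable_command(args: Dict[str, str]) -> str:
    """VULNERABLE: interpolates untrusted SOAP fields into a shell string.
    A real handler would pass this to system(); here it is only returned so the
    resulting command line can be inspected."""
    return ("iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to %s:%s"
            % (args["NewExternalPort"], args["NewInternalClient"],
               args["NewInternalPort"]))


def hardened_argv(args: Dict[str, str]) -> List[str]:
    """HARDENED: validate each field against its expected type and build an argv
    list, so no shell ever interprets the input.  Raises ValueError on junk."""
    ext = int(args["NewExternalPort"])
    int_port = int(args["NewInternalPort"])
    if not (1 <= ext <= 65535 and 1 <= int_port <= 65535):
        raise ValueError("port out of range")
    client = ipaddress.IPv4Address(args["NewInternalClient"])  # rejects "; telnetd"
    return ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
            "--dport", str(ext), "-j", "DNAT", "--to", f"{client}:{int_port}"]


def hardened_handle(body: str) -> Optional[List[str]]:
    """Full hardened path: parse, validate, return argv; None if the request is rejected."""
    try:
        return hardened_argv(parse_add_port_mapping(body))
    except (ET.ParseError, ValueError, KeyError):
        return None


def is_injected(cmd: str) -> bool:
    """Does the shell string contain more than the single command intended?"""
    return any(tok in cmd for tok in (";", "|", "&", "`", "$("))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(parse_add_port_mapping(MALICIOUS_REQUEST)))
    print("hardened  :", hardened_handle(MALICIOUS_REQUEST))
```

The hardened path is not just "escape the string": it parses the IP and ports into typed values and never forms a shell command at all, which is the fix that survives whatever metacharacter the next payload uses.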
Tags: DIB, tlp:green