ZeroFox Daily Intelligence Brief - February 27, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Europol Shares Project Compass’s Progress Against The Com
- CISA: RESURGE Malware Poses a Stealthy Threat
- Government Agencies Alert Cisco Users of Zero-Day Vulnerability and Exploitation
Europol Shares Project Compass’s Progress Against The Com
What we know: Europol has shared results of “Project Compass,” an operation against decentralized extremist network “The Com.” Since January 2025, the operation—involving multiple Western countries—has led to the arrest of 30 perpetrators, complete and partial identification of 179 other perpetrators, and safeguarding of victims in 28 countries.
Context: The Com is an unorganized network of cybercriminals targeting minors and vulnerable individuals both online and offline. Members have been described as largely native English-language speakers indulging in activities from hacking Western government systems to blackmailing teenagers into harming themselves.
Analyst note: The ongoing operation is likely to help law enforcement establish connections between the decentralized network of members and further map emerging or existing coordinated cybercriminal campaigns.
CISA: RESURGE Malware Poses a Stealthy Threat
What we know: CISA has revealed new findings on RESURGE malware, a highly sophisticated malware implant that exploits vulnerabilities to gain covert Secure Shell (SSH) based command‑and‑control access.
Context: CISA further explains RESURGE’s capabilities to persist silently and modify files, manipulate integrity checks, and deploy a web shell to the Ivanti boot disk. It remains dormant on the compromised systems until a remote actor connects. The stealth capability enables the malware to evade routine scans and stay undetected on Ivanti Connect Secure devices, posing an active and ongoing threat to affected networks.
Analyst note: Attackers, especially state-linked ones, are likely to use the implant’s stealth and persistence capabilities to conduct large-scale espionage, exfiltrate government policy documents, and gather intelligence from adversaries for years without triggering standard intrusion detection.
Government Agencies Alert Cisco Users of Zero-Day Vulnerability and Exploitation
What we know: The U.S. National Security Agency (NSA) and other agencies belonging to the UKUSA Alliance, or the Five Eyes Alliance, have issued an alert warning of at least one malicious cyber actor targeting Cisco Catalyst Software Defined Wide Area Network (SD-WAN) systems.
Context: The actor exploited zero-day CVE-2026-20127 to add rogue peers to Cisco SD-WAN management planes, then exploited another vulnerability, CVE-2022-20775, to gain root access and maintain persistence. According to the actor’s tactics, techniques, and procedures (TTPs) detailed in the report, they sustained access through local accounts and SSH key abuse and covered their tracks by clearing logs, wiping command history, altering Elasticsearch records, and disabling syslog forwarding.
Analyst note: In the absence of known ransomware or any destructive behavior, the actor’s goal was likely stealthy persistence and strategic surveillance. The actor is likely aligned with nation-state adversaries and focused on intelligence collection rather than immediate financial gain.
DEEP AND DARK WEB INTELLIGENCE
Olympique de Marseille Confirms Cyberattack: Prominent French football club “Olympique de Marseille” has confirmed a cyberattack after a threat actor leaked a sample of stolen data on a hacking forum. The compromised data reportedly involves internal information of 400,000 staff and supporters. However, the club authorities reassure that no banking details or passwords have been compromised. The club is still investigating the full scope of the incident and has notified the relevant authorities, implementing security measures to contain the incident. The staff and partners have been warned against potential phishing attempts and unauthorized communications following the data exposure.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-71210 and CVE-2025-71211: These are two path traversal vulnerabilities in the Apex One management console that could enable unauthenticated attackers to execute malicious code on unpatched systems; both are now patched. Threat actors are likely to target unpatched versions and carry out full compromise of the security management server, leading to endpoint compromise, security control bypass, and lateral movement across the network.
Affected products: Versions prior to SaaS Apex One
Tags: DIB, tlp:green