
ZeroFox Daily Intelligence Brief - May 14, 2026

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - ShinyHunters' Campaign Against the Education Sector
  • China-Linked “FamousSparrow” Campaign Targets Azerbaijani Oil and Gas Company
  • RubyGems Repository Abused for Covert Storage of Scraped Government Portal Data

ZeroFox Intelligence Flash Report - ShinyHunters' Campaign Against the Education Sector

Source: https://www.zerofox.com/advisories/39922/

What we know: ZeroFox has observed ShinyHunters escalating its ongoing campaign against the education sector. Recent attacks hit a major publisher and a cloud-based learning management system (LMS) used by hundreds of institutions worldwide.

Context: Educational institutions and LMS platforms hold vast troves of user, employee, and customer data. ShinyHunters chains breaches by using stolen data from one victim to compromise the next. Prestigious global universities were also listed among the targets.

Analyst note: Further operations that pair weaknesses in access-token handling with sophisticated phishing will almost certainly occur in the coming weeks and months. The group uses context harvested from victim data to identify related targets, so downstream entities (customers and partners of already-breached organizations) remain at risk.

China-Linked “FamousSparrow” Campaign Targets Azerbaijani Oil and Gas Company

Source: https://www.darkreading.com/cyberattacks-data-breaches/china-famoussparrow-apt-south-caucasus-energy-firm

What we know: The China-linked threat group “FamousSparrow” has been tied to a multi-wave intrusion into an Azerbaijani oil and gas company that ran from December 2025 to February 2026.

Context: The attackers reportedly exploited the company's email server infrastructure with the ProxyNotShell exploit chain (the Microsoft Exchange flaws CVE-2022-41040 and CVE-2022-41082), regaining access repeatedly despite remediation attempts. The campaign reportedly marks the first known China-linked cyber intrusion into Azerbaijani industry; the South Caucasus has become an increasingly important energy corridor for Europe.
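Repeated re-entry after remediation means patching the chain alone did not evict the intruder, so reviewing Exchange front-end logs for the exploit's request shape is the first check a responder wants. The script below is an added example, not code from the brief, from ZeroFox, or from Microsoft: it flags IIS W3C log lines that match the ProxyNotShell pattern Microsoft published for CVE-2022-41040 (autodiscover.json, an "@", and "powershell" in one request). The field order is assumed to be the default IIS W3C layout, and every log line in SAMPLE_IIS_LOG is constructed for this example.

```ruby
# Added example (not from the brief, ZeroFox, or Microsoft): flag IIS W3C log
# lines that carry the ProxyNotShell request shape. Field order assumed to be
# the default IIS W3C layout; the log lines in SAMPLE_IIS_LOG are constructed.

# Microsoft's published URL Rewrite mitigation for CVE-2022-41040 matched
# "autodiscover.json", an "@", and "powershell" in one request URL.
PROXYNOTSHELL_RE = /autodiscover\.json.*@.*powershell/i

# Parse one W3C line into the fields we need; nil for directives and blanks.
def parse_iis_line(line)
  return nil if line.start_with?("#") || line.strip.empty?
  f = line.split(" ")
  return nil if f.size < 12
  { time: "#{f[0]} #{f[1]}", method: f[3], stem: f[4], query: f[5],
    client: f[8], ua: f[9], status: f[11].to_i }
end

# Decode percent-encoding so an "@" written as %40 does not slip past the pattern.
def percent_decode(s)
  s.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }
end

# Return the records whose stem+query match the exploit pattern.
def find_proxynotshell(log_text)
  log_text.each_line.filter_map do |line|
    rec = parse_iis_line(line) or next
    url = percent_decode("#{rec[:stem]}?#{rec[:query]}")
    rec.merge(url: url) if url.match?(PROXYNOTSHELL_RE)
  end
end

# Group hits by source address so a single hit can be read in context.
def hits_by_client(hits)
  hits.group_by { |h| h[:client] }.transform_values(&:size)
end

# Constructed sample: one benign OWA request, two exploit attempts from one
# client, an encoded ("%40") attempt from a second client, and a legitimate
# autodiscover lookup that contains an "@" but no "powershell".
SAMPLE_IIS_LOG = <<~LOG
  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
  2026-01-12 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
  2026-01-12 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?serializationLevel=Full 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 412
  2026-01-12 03:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @EVIL.example/PowerShell 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 388
  2026-01-12 03:15:02 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example/powershell 443 - 198.51.100.77 curl/8.5 - 200 0 0 300
  2026-01-12 03:15:40 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example 443 - 203.0.113.9 Outlook/16.0 - 401 0 0 12
LOG

if __FILE__ == $PROGRAM_NAME && ARGV.first
  # Usage: ruby proxynotshell_triage.rb /path/to/u_ex260112.log
  hits = find_proxynotshell(File.read(ARGV.first))
  hits.each { |h| puts "#{h[:time]} #{h[:client]} #{h[:method]} #{h[:url]} -> #{h[:status]}" }
  puts hits_by_client(hits).inspect
end
```

A match with an HTTP 200 is the line to escalate; a 401 or 403 on the same URL shape is still worth noting, since the source address is probing for the chain. Because the intrusion resumed after remediation, hits dated after the patch date matter as much as those before it.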

Analyst note: The campaign likely reflects China’s growing interest in expanding espionage against strategic energy infrastructure and supply routes in the South Caucasus. China is likely to target this region in the future to monitor energy flows, critical infrastructure, trade corridors, and geopolitical developments.

RubyGems Repository Abused for Covert Storage of Scraped Government Portal Data

Source: https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html

What we know: A campaign dubbed “GemStuffer” has reportedly scraped data from UK local government portals and covertly exfiltrated it through more than 150 malicious Ruby gems uploaded to the RubyGems repository.

Context: The campaign reportedly abuses the RubyGems ecosystem as a storage and retrieval mechanism for scraped government-related data while testing large-scale package registry abuse techniques. Rather than shipping a traditional malware payload, the packages embedded the collected portal data inside otherwise valid .gem archives and were pushed to the registry with hardcoded API credentials.
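A gem that carries scraped data instead of code still installs cleanly, so a registry-side or mirror-side triage has to look at what the archive actually contains. The script below is an added example and is not code from the brief, from the GemStuffer reporting, or from the RubyGems project. It builds two in-memory archives in the .gem layout (an outer tar holding metadata.gz and data.tar.gz; the real format also carries checksums.yaml.gz, omitted here) using RubyGems' own TarWriter, then applies a hypothetical stuffing heuristic: the share of bytes sitting in files that are neither Ruby source nor documentation. The gem names, file contents and thresholds are all constructed for the example.

```ruby
require "rubygems"
require "rubygems/package"
require "zlib"
require "stringio"

# gzip a string in memory without closing the underlying StringIO.
def gzip_bytes(bytes)
  io = StringIO.new(String.new)
  gz = Zlib::GzipWriter.new(io)
  gz.write(bytes)
  gz.finish
  io.string
end

# Tar a Hash of path => contents with RubyGems' own TarWriter.
def tar_bytes(entries)
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |path, body|
      tar.add_file_simple(path, 0o644, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# A .gem is an outer tar holding metadata.gz (the YAML spec) and data.tar.gz
# (the packaged files). Only those two members are built here.
def build_gem_bytes(name, version, files)
  spec = "--- !ruby/object:Gem::Specification\nname: #{name}\nversion: #{version}\n"
  tar_bytes("metadata.gz" => gzip_bytes(spec),
            "data.tar.gz" => gzip_bytes(tar_bytes(files)))
end

# Walk data.tar.gz inside a .gem and return path => byte size per file.
def gem_member_sizes(gem_bytes)
  sizes = {}
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |outer|
    outer.each do |entry|
      next unless entry.full_name == "data.tar.gz"
      inner = Zlib::GzipReader.new(StringIO.new(entry.read)).read
      Gem::Package::TarReader.new(StringIO.new(inner)) do |data|
        data.each { |e| sizes[e.full_name] = e.size if e.file? }
      end
    end
  end
  sizes
end

CODE_EXT = %w[.rb .gemspec .rake].freeze
DOC_EXT  = %w[.md .rdoc .txt].freeze

# Hypothetical stuffing heuristic (thresholds are assumptions): share of bytes
# in files that are neither Ruby source nor documentation, and the largest one.
def gem_stuffing_report(gem_bytes, max_other_ratio: 0.5, max_other_bytes: 1_000_000)
  sizes = gem_member_sizes(gem_bytes)
  total = sizes.values.sum
  other = sizes.reject { |p, _| (CODE_EXT + DOC_EXT).include?(File.extname(p).downcase) }
  other_bytes = other.values.sum
  ratio = total.zero? ? 0.0 : other_bytes.to_f / total
  { total_bytes: total, other_bytes: other_bytes, other_ratio: ratio.round(3),
    largest_other: other.max_by { |_, s| s }&.first,
    flagged: ratio > max_other_ratio || other_bytes > max_other_bytes }
end

# Constructed samples: an ordinary library gem, and one whose code is a stub
# beside a large JSON blob of the kind a scraper would produce.
BENIGN_GEM  = build_gem_bytes("widgets", "1.0.0",
                              "lib/widgets.rb" => "module Widgets; end\n" * 20,
                              "README.md" => "# widgets\n" * 10)
STUFFED_GEM = build_gem_bytes("widgets", "1.0.1",
                              "lib/widgets.rb" => "module Widgets; end\n",
                              "data/portal_dump.json" => "{\"record\":1}" * 5000)

if __FILE__ == $PROGRAM_NAME && ARGV.first
  # Usage: ruby gem_stuffing_triage.rb /path/to/some.gem
  puts gem_stuffing_report(File.binread(ARGV.first)).inspect
end
```

The heuristic is deliberately crude: legitimate gems ship fixtures, fonts and locale data, so a flag is a reason to open the archive, not a verdict. Run against a mirror, the per-file sizes also make it cheap to spot many versions of one gem whose only difference is the data member, which is the republishing pattern the brief describes.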

Analyst note: The scraped data is likely to be archived, indexed, and reused for intelligence collection, profiling of government operations, or future targeting activity. Even if much of the information is publicly accessible, aggregating it at scale is likely to enable threat actors to map government structures, identify personnel and operational patterns, and support phishing, influence, or broader reconnaissance operations against public-sector entities.

DEEP AND DARK WEB INTELLIGENCE

PwnForums user ChimeraZ: Threat actor “ChimeraZ” has claimed on the dark web forum PwnForums to have leaked data associated with the France-based technology company Thales Group. The dataset allegedly holds 6,400 records in an 85 MB file; posted samples are said to include personally identifiable information (PII) such as full names, email addresses, phone numbers and organizational details, along with user account metadata.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-45185: This is a critical use-after-free (UAF) vulnerability in Exim. The flaw is triggered during TLS connection shutdown while the server is handling chunked (BDAT/CHUNKING) message data, and it allows an unauthenticated remote attacker to execute arbitrary code. Successful exploitation is very likely to yield access to mail data and, depending on the permissions the Exim process runs with and the server's configuration, a foothold for lateral movement.

Affected products: Exim 4.97 through 4.99.2 when built against GnuTLS
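Because the exposure depends on both the version and the TLS library Exim was compiled with, a fleet check needs more than a package version string. The script below is an added example, not code from the brief or from the Exim project: it reads the output of `exim -bV` and reports whether the host falls in the range the brief lists. It assumes the -bV output format Exim prints (a first line of the form "Exim version X.Y.Z #N built ..." and a "Support for:" line naming GnuTLS or OpenSSL); the three sample outputs are constructed for the example.

```ruby
require "rubygems"

# Range taken from the brief's "Affected products" line.
AFFECTED_LO = Gem::Version.new("4.97")
AFFECTED_HI = Gem::Version.new("4.99.2")

# Pull the version from the first line of `exim -bV` output.
def exim_version(bv_output)
  m = bv_output.match(/^Exim version (\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# The "Support for:" line lists compile-time features, including the TLS library.
def exim_tls_library(bv_output)
  line = bv_output[/^Support for:.*$/] or return nil
  words = line.split
  return "GnuTLS"  if words.include?("GnuTLS")
  return "OpenSSL" if words.include?("OpenSSL")
  nil
end

# Affected only when both conditions hold: GnuTLS build and version in range.
# A version below 4.97 is outside the listed range, which is not the same as
# being supported or free of other issues.
def exim_cve_2026_45185_status(bv_output)
  ver = exim_version(bv_output)
  lib = exim_tls_library(bv_output)
  return { version: nil, tls: lib, affected: false, reason: "could not parse Exim version" } unless ver
  { version: ver.to_s, tls: lib,
    affected: lib == "GnuTLS" && ver >= AFFECTED_LO && ver <= AFFECTED_HI }
end

# Constructed sample outputs (trimmed to the lines the check uses).
SAMPLE_GNUTLS = <<~BV
  Exim version 4.98.1 #2 built 03-Mar-2026 10:11:12
  Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC
  Configuration file is /etc/exim4/exim4.conf
BV
SAMPLE_OPENSSL = <<~BV
  Exim version 4.98.1 #1 built 03-Mar-2026 10:11:12
  Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC
  Configuration file is /etc/exim/exim.conf
BV
SAMPLE_OLD_GNUTLS = <<~BV
  Exim version 4.96 #2 built 14-Jul-2022 21:22:13
  Support for: crypteq iconv() IPv6 GnuTLS DKIM
  Configuration file is /etc/exim4/exim4.conf
BV

if __FILE__ == $PROGRAM_NAME && ARGV.first == "--live"
  # Usage on a mail host: ruby exim_uaf_check.rb --live
  puts exim_cve_2026_45185_status(`exim -bV 2>/dev/null`).inspect
end
```

Exim's chunking_advertise_hosts main option controls whether the CHUNKING extension is offered to clients at all; the brief does not say whether withholding it mitigates this flaw, so treat an upgrade out of the affected range as the fix and any chunking change only as an interim hardening step to evaluate locally.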

Tags: DIB, TLP:GREEN