ZeroFox Daily Intelligence Brief - May 22, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Illicit Service First VPN Dismantled in Europol-Supported Operation Saffron
  • FBI Warns of Kali365 Phishing Platform Targeting OAuth Tokens
  • Authorities Target KimWolf Botnet Behind Large-Scale Global DDoS Attacks

Illicit Service First VPN Dismantled in Europol-Supported Operation Saffron

Source: https://www.europol.europa.eu/media-press/newsroom/news/cybercriminal-vpn-used-ransomware-actors-dismantled-in-global-crackdown

What we know: Europol-supported Operation Saffron has taken down “First VPN,” a virtual private network (VPN) service widely used by ransomware and data theft actors. Authorities arrested its administrator, dismantled 33 servers located in 27 countries, and conducted a house search in Ukraine.

Context: First VPN was promoted on Russian-speaking cybercrime forums offering users anonymous payments, hidden infrastructure, and other cybercrime services. The domains, 1vpns[.]com, 1vpns[.]net, 1vpns[.]org, and associated onion domains, have been seized.

Analyst note: First VPN’s user database, together with intelligence sharing among partner countries, is very likely to yield operational leads on ransomware, fraud, and other cybercrime, exposing more cybercriminals and their networks. While disruption to First VPN-linked criminal activity is likely, similar services will almost certainly emerge to fill the void.

FBI Warns of Kali365 Phishing Platform Targeting OAuth Tokens

Source: https://www.ic3.gov/PSA/2026/PSA260521

What we know: The FBI has warned about a new phishing-as-a-service (PhaaS) platform, called “Kali365,” that lets cybercriminals obtain a popular office suite’s OAuth tokens and bypass multi-factor authentication (MFA) protections without ever capturing a password.

Context: The platform reportedly sends phishing emails carrying a genuine device code, the kind a sign-in flow for input-constrained devices issues to an application before any user is involved. The lure directs the user to the provider’s real verification page to enter that code, so the user authenticates (MFA included) against the legitimate service, and the authorization they complete there is bound to the attacker’s application. Because the resulting OAuth tokens, and any refresh token issued with them, were minted after a legitimate MFA-backed sign-in, attackers can keep using them to access services without triggering additional MFA challenges.
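To make the device-code mechanism concrete, the following is an added example written for this brief (it is not ZeroFox, FBI, or Kali365 code). It simulates the OAuth 2.0 device authorization grant (RFC 8628) end to end, in-process: a generic authorization server, an attacker-controlled client, and a victim who completes sign-in with password and MFA on the genuine page. The client IDs, hostnames, usernames, scopes, and the “allowed device clients” policy are assumptions for illustration, not settings of any real provider.

```python
"""Walk-through of OAuth 2.0 device-authorization-grant (RFC 8628) phishing.

Added example for this brief; not code from ZeroFox, the FBI PSA, or any
Kali365 kit. Everything is simulated in-process: a generic authorization
server, an attacker-controlled client, and a victim who signs in. The
client_id values, hostnames, usernames and scopes are made up.
"""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthServer:
    """Minimal RFC 8628 authorization server. `allowed_device_clients` models a
    tenant policy restricting which clients may use the device flow (None means
    no restriction, the permissive default a phishing kit relies on)."""

    def __init__(self, allowed_device_clients=None):
        self.allowed = allowed_device_clients
        self.pending = {}       # device_code -> grant state
        self.by_user_code = {}  # user_code   -> device_code
        self.signins = []       # audit log of completed user authorizations

    def device_authorization(self, client_id, scope):
        """POST /device_authorization (RFC 8628 s3.1-3.2). No user involved yet."""
        if self.allowed is not None and client_id not in self.allowed:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user": None, "expires": time.time() + 900}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed host
                "expires_in": 900, "interval": 5}

    def user_enters_code(self, user_code, username, password_ok, mfa_ok):
        """The victim's browser session on the *genuine* login page (s3.3). The
        user proves password and MFA to the real server; the attacker sees
        neither. The server then marks the pending grant as approved."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not (password_ok and mfa_ok):
            return False
        self.pending[device_code]["user"] = username
        self.signins.append({"user": username, "grant": DEVICE_GRANT,
                             "client_id": self.pending[device_code]["client_id"]})
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code (s3.4-3.5), polled by the client."""
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),  # renews access silently
                "token_type": "Bearer", "scope": state["scope"], "sub": state["user"]}


def run_phish(server, attacker_client_id="public-mail-client", victim="alice@corp.example"):
    """Attacker and victim choreography. Returns what the attacker ends up holding."""
    # 1. Attacker starts the flow from their own machine, posing as a public client.
    dev = server.device_authorization(attacker_client_id, "mail.read offline_access")
    if "error" in dev:
        return {"blocked": True, "reason": dev["error"]}
    # 2. Attacker emails the real user_code and the real verification_uri (constructed lure).
    lure = (f"Action required: your mailbox access expires today. Go to "
            f"{dev['verification_uri']} and enter code {dev['user_code']}.")
    # 3. Attacker polls; the user has not acted yet.
    first_poll = server.token(attacker_client_id, dev["device_code"])
    # 4. Victim follows the lure and authenticates with password + MFA on the genuine site.
    approved = server.user_enters_code(dev["user_code"], victim, password_ok=True, mfa_ok=True)
    # 5. Attacker polls again and receives tokens minted for the victim.
    tokens = server.token(attacker_client_id, dev["device_code"])
    return {"blocked": False, "lure": lure, "first_poll": first_poll.get("error"),
            "victim_approved": approved, "tokens": tokens}


if __name__ == "__main__":
    permissive = run_phish(AuthServer())
    print("permissive tenant:", permissive["first_poll"], "->", permissive["tokens"]["sub"])
    restricted = run_phish(AuthServer(allowed_device_clients={"conference-room-display"}))
    print("restricted tenant:", restricted["reason"])
```

In the permissive tenant the attacker's first poll returns authorization_pending and the second returns bearer and refresh tokens whose subject is the victim; nothing on the attacker's path ever touches a password or an MFA prompt, which is why credential-theft and endpoint controls do not see it. The restricted tenant refuses at the very first step. Two points follow for defenders: the token endpoint sees the attacker's polling host, not the victim's browser, so sign-in telemetry that records the grant type and client for device-code authorizations is where this surfaces; and restricting or disabling the device flow for clients that have no business using it removes the attack surface outright.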

Analyst note: Beyond financially motivated cybercriminals, this type of platform is also likely to benefit state-backed espionage groups and others looking to establish persistence. Because the technique relies on legitimate authentication flows rather than malware or password theft, it is attractive for long-term intelligence collection and sidesteps traditional endpoint-focused defenses.

Authorities Target KimWolf Botnet Behind Large-Scale Global DDoS Attacks

Source: https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos

What we know: U.S. authorities have charged an individual with operating the KimWolf botnet, a distributed denial-of-service (DDoS)-for-hire service that infected more than one million internet-connected devices worldwide.

Context: The botnet enabled cybercriminals to launch massive DDoS attacks peaking at nearly 30 Tbps, including operations against key government network infrastructure. The attacks caused significant financial losses to victims. This development follows the March 2026 law enforcement operation that disrupted the Aisuru, KimWolf, JackSkid, and Mossad botnets.

Analyst note: Arrests do not clean up the compromised devices; sensitive networks remain ensnared in these botnets. Successors to the arrested operators are likely to reacquire those footholds, whether to siphon off valuable data, rebuild attack infrastructure, or evolve the ecosystem on the same pool of vulnerable IoT devices.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user HiddenHq: Untested threat actor “HiddenHq” has advertised a dataset allegedly associated with Salesforce on dark web forum DarkForums. The actor claims the leak contains nearly one billion records across various industry verticals, including shipping, technology, retail, and aviation.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft Defender vulnerabilities: Microsoft has patched two Defender vulnerabilities that include a privilege escalation vulnerability in Microsoft Malware Protection Engine and a denial-of-service (DoS) flaw in Microsoft Defender Antimalware Platform. CVE-2026-41091 enables an attacker to gain SYSTEM-level privileges on the compromised device, while CVE-2026-45498 enables attackers to trigger DoS conditions on unpatched Windows devices.

Affected products: Microsoft Malware Protection Engine 1.1.26030.3008 and earlier; Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier
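The practical question for the two Defender CVEs is whether a given host is still on an affected engine or platform build. The following is an added example (not ZeroFox or Microsoft tooling) that gates the two version strings against the “and earlier” thresholds quoted above. The host inventory and its version strings are constructed for illustration; on a real Windows host the two values are the AMEngineVersion and AMProductVersion properties reported by Get-MpComputerStatus.

```python
"""Version gate for the two Microsoft Defender CVEs listed in this brief.

Added example, not ZeroFox or Microsoft tooling. Thresholds are the
"and earlier" versions quoted in the brief; the host inventory below is
constructed. On a real Windows host the two inputs are the AMEngineVersion
and AMProductVersion properties returned by Get-MpComputerStatus.
"""
from typing import NamedTuple

# Last affected builds as stated in the brief.
LAST_VULN_ENGINE = "1.1.26030.3008"     # CVE-2026-41091, Malware Protection Engine (EoP to SYSTEM)
LAST_VULN_PLATFORM = "4.18.26030.3011"  # CVE-2026-45498, Antimalware Platform (DoS)


def parse_version(v: str) -> tuple:
    """Dotted version string -> tuple of ints. Comparison must be numeric, not
    lexical: '1.1.26030.999' sorts *below* '1.1.26030.3008' as a build number,
    but a plain string compare would call it newer."""
    return tuple(int(part) for part in v.strip().split("."))


def defender_exposure(engine_version: str, platform_version: str) -> list:
    """Return the CVE IDs from the brief that still apply to these versions."""
    findings = []
    if parse_version(engine_version) <= parse_version(LAST_VULN_ENGINE):
        findings.append("CVE-2026-41091")
    if parse_version(platform_version) <= parse_version(LAST_VULN_PLATFORM):
        findings.append("CVE-2026-45498")
    return findings


class Host(NamedTuple):
    name: str
    engine: str
    platform: str


# Constructed inventory; hostnames and version strings are illustrative only.
INVENTORY = [
    Host("ws-01", "1.1.26030.3008", "4.18.26030.3011"),  # both at the last affected build
    Host("ws-02", "1.1.26040.1001", "4.18.26040.2001"),  # hypothetical later builds, clean
    Host("ws-03", "1.1.26030.999",  "4.18.26030.3012"),  # engine looks newer lexically, is older
]


def triage(inventory=INVENTORY) -> dict:
    """Map host name -> outstanding CVEs, omitting hosts with nothing outstanding."""
    report = {}
    for host in inventory:
        findings = defender_exposure(host.engine, host.platform)
        if findings:
            report[host.name] = findings
    return report


if __name__ == "__main__":
    for host, cves in triage().items():
        print(host, "->", ", ".join(cves))
```

Feed it the real engine and platform versions from each endpoint and only hosts with an outstanding CVE appear in the report. The tuple comparison matters: Defender build numbers have a fourth component that grows past three digits, so string comparison misclassifies builds such as the constructed ws-03 case.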

Tags: DIB, TLP:GREEN