ZeroFox Daily Intelligence Brief - May 28, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Glassworm Botnet Tied to Software Supply-Chain Attacks Disrupted
- FBI Warns of Spoofed FIFA Domains Targeting the 2026 World Cup
- Banking Trojan Campaigns Target Europe and Latin America
Glassworm Botnet Tied to Software Supply-Chain Attacks Disrupted
What we know: Cybersecurity researchers have disrupted the Glassworm botnet by targeting four command-and-control (C2) channels used to maintain connectivity with infected systems involved in software supply-chain attacks.
Context: Since October 2025, Glassworm has been targeting developers with malicious VS Code and OpenVSX extensions, later broadening its scope to GitHub and npm to compromise more than 400 artifacts. The operation utilized blockchain, peer-to-peer networks, and legitimate platforms for resilient communications to avoid detection.
Analyst note: The Glassworm operation likely indicates threat actors’ increasing reliance on public-facing services to distribute malware, which complicates defensive tooling and takedown efforts in software supply-chain attacks. Such operations are very likely to inspire copycat campaigns in which threat actors, with the additional help of AI, design malware distribution channels built to evade detection.
FBI Warns of Spoofed FIFA Domains Targeting the 2026 World Cup
Source: https://www.ic3.gov/PSA/2026/PSA260527
What we know: The FBI has warned that cybercriminals are using spoofed versions of the official Fédération Internationale de Football Association (FIFA) website ahead of the 2026 FIFA World Cup. The spoofed sites are being used to sell fraudulent tickets and hospitality packages, run fake FIFA recruitment scams, and collect personally identifiable information (PII).
Context: The attackers register fake domains that closely imitate official FIFA branding, layouts, ticketing portals, and hiring pages through typosquatting, fake subdomains, and alternative top-level domains, such as .xyz, .live, .sale, and .org. Examples include misspelled domains like filfa[.]org and fake recruitment-themed domains such as jobs-fifa[.]com.
Analyst note: Operators of these scams have likely already collected some PII through spoofed websites. Additionally, these scams are likely enabling threat actors to build databases of football fans, travelers, and job seekers for use in future phishing operations tied to major sporting events.
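A defensive check for the domain patterns described above (typosquats of the brand label, the brand embedded in the registrable name, the brand used as a subdomain of an unrelated domain, and the brand on an alternative TLD), as an added Python example that is not from the FBI PSA or ZeroFox; it assumes fifa.com is the only official registrable domain and uses the brief's two defanged examples plus constructed inputs.

```python
BRAND = "fifa"
OFFICIAL = {"fifa.com"}   # assumption: the only official registrable domain

# Constructed sample input: the two defanged examples from the brief plus
# invented benign and fake-subdomain cases.
SAMPLE_DOMAINS = [
    "filfa[.]org", "jobs-fifa[.]com", "www.fifa.com",
    "fifa.com.tickets-sale[.]live", "example.net",
]

def refang(domain: str) -> str:
    """Convert defanged notation such as 'filfa[.]org' back to a real hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to the brand label suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(domain: str) -> list:
    """Return why a domain looks like an impersonation of BRAND (empty if it does not)."""
    host = refang(domain)
    if any(host == off or host.endswith("." + off) for off in OFFICIAL):
        return []                      # the official domain or a real subdomain of it
    labels = host.split(".")
    if len(labels) < 2:
        return []
    sld, tld, subs = labels[-2], labels[-1], labels[:-2]   # naive eTLD+1 split
    reasons = []
    if sld == BRAND:
        reasons.append(f"brand on unofficial TLD .{tld}")
    elif levenshtein(sld, BRAND) <= 2:
        reasons.append(f"typosquat of '{BRAND}' (edit distance {levenshtein(sld, BRAND)})")
    elif BRAND in sld:
        reasons.append("brand keyword embedded in registrable name")
    if any(BRAND in label for label in subs):
        reasons.append("brand used as a subdomain of an unrelated registrable domain")
    return reasons

def scan(domains: list) -> dict:
    """Map each suspicious input (as given) to its reasons; clean domains are omitted."""
    return {d: r for d in domains if (r := lookalike_reasons(d))}
```

The eTLD+1 split is deliberately naive (it treats the last two labels as the registrable domain); a production check would use the Public Suffix List and a certificate-transparency or passive-DNS feed as its input.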
Banking Trojan Campaigns Target Europe and Latin America
Source: https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html
What we know: Two separate banking trojans, Windows-based Grandoreiro malware and Android-based BTMOB RAT, have been identified in campaigns targeting users in Latin America and Europe. The Grandoreiro campaign targeted organizations and banking customers in Spain, Portugal, and Mexico, while BTMOB primarily targeted users in Brazil.
Context: Grandoreiro is a long-running banking trojan that reportedly stands out for its use of DLL side-loading, Delphi-based components, and WebRTC/STUN traffic to hide its communications and steal banking credentials. BTMOB is offered under a malware-as-a-service (MaaS) model with an APK builder that allows rapid campaign customization without coding; the trojan abuses Android accessibility services to enable remote control and credential theft.
Analyst note: In the near future, threat actors are likely to deploy the two trojans through lures tailored to specific banks, languages, travel seasons, payroll cycles, or payment habits in Spain, Portugal, Mexico, Brazil, and neighboring markets. Therefore, future campaigns are likely to adopt more precise fraud tactics, with phishing pages, fake app stores, and social engineering lures tuned to the victim’s region and financial behavior.
DEEP AND DARK WEB INTELLIGENCE
breachforums[.]rs user Vyntra: Threat actor Vyntra has claimed to have leaked a directory database allegedly associated with China-based global B2B marketplace Alibaba Group Holding on dark web forum BreachForums. The dataset is said to contain over 158,000 records of B2B suppliers, importers, and exporters. If the actor’s claims are true, there is a roughly even chance of the database exposing corporate details, product information, and sensitive communication identifiers, like phone numbers and email addresses.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-48172: This is a privilege escalation vulnerability in the LiteSpeed user-end plugin for cPanel that enables an unauthenticated attacker to execute arbitrary scripts with root privileges on affected servers. Successful exploitation is likely to result in complete root-level server compromise, enabling arbitrary code execution and data exfiltration. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Affected products: LiteSpeed user-end plugin for cPanel versions 2.3 to 2.4.4
Tags: DIB, tlp:green