ZeroFox Daily Intelligence Brief - June 3, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Dashlane Users Targeted in 2FA Brute-Force Campaign
- CISA Advises Tighter Security for Critical Automatic Gauge Systems
- Chinese Threat Actors Target Czech, Taiwanese Entities for Data Exfiltration
Dashlane Users Targeted in 2FA Brute-Force Campaign
What we know: Password manager Dashlane has disclosed that threat actors brute-forced two-factor authentication (2FA) protections on at least 20 user accounts. This attack reportedly enabled attackers to register unauthorized devices and download encrypted password vaults containing stored credentials and sensitive data.
Context: Although the stolen vaults remain encrypted, users with weak or easily guessable master passwords face a higher risk of attackers cracking the vaults and accessing information. The attack targeted customer accounts rather than Dashlane’s internal systems, with the company stating there is no evidence that its infrastructure was compromised.
Analyst note: Some of the compromised vaults are likely to be advertised on dark web forums. Successful vault compromises are likely to provide attackers with access to other accounts and, through them, to other victims. If affected users stored corporate credentials, VPN access, API keys, and more within their vaults, this is likely to provide actors an entry point into enterprise environments.
CISA Advises Tighter Security for Critical Automatic Gauge Systems
Source: https://www.cisa.gov/news-events/news/cisa-urges-stronger-security-automatic-tank-gauge-systems
What we know: CISA has published a fact sheet urging operators of automatic tank gauge (ATG) systems to implement security measures to protect against active cyber threats.
Context: ATG systems are widely deployed across the energy, chemical, food and agriculture, and transportation sectors to remotely monitor fuel levels, temperature, and leak detection. Threat actors are exploiting critical vulnerabilities like authentication bypasses, hardcoded credentials, OS command injection, SQL injection, and privilege escalation to obtain administrative control over these systems.
Analyst Note: Internet-exposed operational technology (OT) with weak credentials remains a prime target for threat actors, who exploit peripheral devices to easily bypass traditional network defenses. Since these systems are embedded across the energy, transport, and agricultural sectors, successful exploitation is likely to cause disruptions in logistics and also lead to environmental leaks, causing damage beyond digital disruption.
Chinese Threat Actors Target Czech, Taiwanese Entities for Data Exfiltration
Source: https://www.darkreading.com/threat-intelligence/china-uses-dual-method-attack-czech-taiwan-orgs
What we know: China-linked threat actors are reportedly targeting Taiwanese and Czech entities in Operation Dragon Weave to exfiltrate data from government, research, academic, technology, and finance sectors.
Context: Attackers deployed the Azureveil backdoor using spear-phishing emails with ZIP attachments, leveraging Azure Blob Storage for command-and-control (C2). Researchers reported that the malware used a “dead-drop” technique, which enabled attackers and victims to trade data through shared Azure storage containers, rather than via direct communication.
Analyst Note: The use of legitimate cloud infrastructure for C2 activity is likely intended to obscure unauthorized activity. Attackers are likely targeting Czech entities due to the country's close ties with Taiwan. The attackers' association with China very likely suggests an interest in stealing information that could give China a strategic edge against Taiwan.
DEEP AND DARK WEB INTELLIGENCE
Exploit user SantaAd: Well-regarded threat actor "SantaAd" has advertised an alleged 80,160 Fortinet entry points on the dark web forum Exploit. The entry points are allegedly located in different countries. The collection was offered for auction with a starting bid of USD 10,000 and an instant purchase price of USD 15,000. If legitimate, the access is likely to enable unauthorized intrusion into exposed networks and facilitate follow-on malicious activity.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Google Android security patches 2026: Google has released patches for 124 security vulnerabilities impacting its Android operating system, including a zero-day flaw. The zero-day, tracked as CVE-2025-48595, can be exploited to gain code execution and escalate privileges without requiring any user interaction.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green