ZeroFox Daily Intelligence Brief - June 4, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • A Global Stock Exchange Executive’s Communications Spied On
  • Five Eyes Issues Alert on Chinese Espionage Campaign Using Online Job Platforms
  • Codex AI Chains Decade-Old Flaws into New “HTTP/2 Bomb” Exploit

A Global Stock Exchange Executive’s Communications Spied On

Source: https://www.darkreading.com/cyberattacks-data-breaches/global-stock-exchange-hit-monthslong-email-campaign

What we know: An unidentified threat actor has claimed a long-term espionage operation against a senior executive at an unnamed global stock exchange, maintaining access to the victim’s system and email account for at least five months.

Context: The threat actor reportedly deployed two malware strains, one disguised as Adobe software and one as a cloud-based file-hosting application, and created scheduled tasks to maintain persistent access. The attacker reportedly stole all emails from August through November 2025 and then exfiltrated the executive's mailbox every two to four weeks until at least February 2026.

Analyst note: The operation's prolonged duration suggests an intelligence-gathering objective. The collected intelligence is likely intended for market manipulation consistent with insider trading.

Five Eyes Issues Alert on Chinese Espionage Campaign Using Online Job Platforms

Source: https://www.ic3.gov/CSA/2026/260603.pdf

What we know: The FBI and its Five Eyes partners have issued a joint alert warning that Chinese military intelligence is using Western job platforms and professional networking sites to target government and military personnel, and others with access to sensitive information.

Context: The tactic involves placing online job advertisements for foreign policy and defense analysts (or similar roles) for “cover companies” claiming to be located outside of China. Recruits are lured through paid trial reports before being steered toward providing classified material, with communication shifted to encrypted platforms and payments made via third-party services or cryptocurrency.

Analyst note: ZeroFox has published an advisory on this tactic, including infrastructure indicators from a documented incident. Chinese intelligence operatives almost certainly aim to acquire military, political, and economic intelligence to gain strategic advantage over the Five Eyes, and are likely to persist across regions by leveraging multiple platforms and identities.

Codex AI Chains Decade-Old Flaws into New “HTTP/2 Bomb” Exploit

Source: https://www.securityweek.com/http-2-bomb-exploit-knocks-web-servers-offline-in-seconds/

What we know: Researchers used OpenAI's Codex to discover a new exploit named "HTTP/2 Bomb" that chains two known denial-of-service (DoS) techniques, an HPACK compression bomb and a Slowloris-style memory hold, to knock major web servers offline within seconds.

Context: The exploit can reportedly be launched from a standard home internet connection and potentially affects over 880,000 websites running default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora. The underlying vulnerabilities used in the chain include CVE-2016-6581, CVE-2025-53020, CVE-2016-8740, and CVE-2016-1546.

Analyst note: The use of AI to discover new exploit chains from existing and public vulnerabilities marks a notable shift in the threat landscape. As AI-assisted exploitation lowers the technical barrier to entry, lower-tier threat actors are likely to execute high-impact DoS and extortion campaigns with minimal infrastructure.
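As an added illustration (not code from the research the article describes, nor any server's implementation), the following Python models the HPACK half of the chain: a single literal header fills most of a default-sized dynamic table, after which every one-byte indexed reference decodes to about 4 KB, so a header block of roughly 6 KB on the wire decodes to roughly 8 MB. The bounded dynamic table does not prevent this; only a budget on the decoded header list size (the SETTINGS_MAX_HEADER_LIST_SIZE idea) does. The 8 KiB budget, the dynamic-table-only indexing and the constructed header values are assumptions of this model; the Slowloris-style hold, which keeps streams open so the decoded memory is never released, is the timeout half of the chain and is not modelled here.

```python
"""Simplified model of HPACK indexed headers (RFC 7541) showing why one small
HEADERS frame can decode into megabytes, and the size check that stops it.
Added illustration only: not the research code nor any server's implementation.
The 8 KiB header-list budget below is an assumed example value."""

ENTRY_OVERHEAD = 32             # RFC 7541 sec 4.1: entry size = len(name) + len(value) + 32
STATIC_TABLE_ENTRIES = 61       # RFC 7541 appendix A; dynamic entries are indexed from 62
DYNAMIC_TABLE_SIZE = 4096       # SETTINGS_HEADER_TABLE_SIZE default
ASSUMED_MAX_HEADER_LIST = 8192  # assumed per-request budget on the decoded header list


class HeaderListTooLarge(Exception):
    """Raised when the decoded header list exceeds the configured budget."""


def hpack_int_octets(value: int, prefix_bits: int) -> int:
    """Octets needed to encode an integer with an N-bit prefix (RFC 7541 sec 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return 1
    value -= limit
    octets = 1
    while value >= 128:
        value >>= 7
        octets += 1
    return octets + 1


def wire_octets(op) -> int:
    """Wire size of one header-field representation (raw strings, no Huffman coding)."""
    if op[0] == "literal":      # literal with incremental indexing, new name (0x40 prefix)
        _, name, value = op
        return (1 + hpack_int_octets(len(name), 7) + len(name)
                + hpack_int_octets(len(value), 7) + len(value))
    _, index = op               # indexed representation (0x80 prefix, 7-bit index)
    return hpack_int_octets(index, 7)


def decode(ops, max_header_list_size=None):
    """Decode a header block given as ('literal', name, value) / ('indexed', index) ops.
    Returns (fields, wire_bytes, decoded_bytes). None means no output budget."""
    dynamic = []                # newest entry first, as in RFC 7541 sec 2.3.2
    dynamic_size = 0
    fields, wire, decoded = [], 0, 0
    for op in ops:
        wire += wire_octets(op)
        if op[0] == "literal":
            _, name, value = op
            dynamic.insert(0, (name, value))
            dynamic_size += len(name) + len(value) + ENTRY_OVERHEAD
            while dynamic_size > DYNAMIC_TABLE_SIZE and dynamic:   # eviction bounds the table
                old_name, old_value = dynamic.pop()
                dynamic_size -= len(old_name) + len(old_value) + ENTRY_OVERHEAD
        else:
            _, index = op
            if index <= STATIC_TABLE_ENTRIES:
                raise ValueError("static table is not modelled in this example")
            name, value = dynamic[index - STATIC_TABLE_ENTRIES - 1]
        # The decoded list grows with every field even though the table stays bounded.
        decoded += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and decoded > max_header_list_size:
            raise HeaderListTooLarge(
                f"decoded header list {decoded} B exceeds {max_header_list_size} B "
                f"after only {wire} wire bytes")
        fields.append((name, value))
    return fields, wire, decoded


def build_bomb(references: int, value_len: int = 4000):
    """Constructed block: one literal that nearly fills the table, then 1-byte references."""
    ops = [("literal", b"x", b"A" * value_len)]
    ops += [("indexed", STATIC_TABLE_ENTRIES + 1)] * references
    return ops


def amplification(references: int = 2000):
    """(wire_bytes, decoded_bytes, ratio) for a decoder with no output budget."""
    _, wire, decoded = decode(build_bomb(references))
    return wire, decoded, decoded / wire


def exceeds_budget(ops, budget: int) -> bool:
    """True if a budgeted decoder rejects the block instead of allocating it all."""
    try:
        decode(ops, budget)
        return False
    except HeaderListTooLarge:
        return True


if __name__ == "__main__":
    wire, decoded, ratio = amplification()
    print(f"{wire} bytes on the wire -> {decoded} bytes decoded ({ratio:.0f}x)")
    print("budgeted decoder rejects it:", exceeds_budget(build_bomb(2000), ASSUMED_MAX_HEADER_LIST))
```

The check that matters is the cumulative one on the decoded list, applied during decoding rather than after it, so the server refuses the stream before allocating the amplified headers; a budget applied only to the dynamic table would pass this block untouched.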

DEEP AND DARK WEB INTELLIGENCE

Exploit user antxdon: Untested threat actor "antxdon" has advertised a dataset allegedly linked to X (formerly Twitter) users on the dark web forum Exploit. The threat actor claims the dataset contains 650 million records, including usernames, names, locations, bios, and other profile-related data. If legitimate, the data is likely to facilitate profiling of X users and account-takeover attempts.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Visual Studio (VS) Code zero-day: Exploit code for a VS Code zero-day vulnerability has been released. The flaw reportedly enables attackers to trick users into executing malicious commands, allowing theft of GitHub authentication tokens.

Affected products: Github[.]dev (browser-based version of VS Code) and VS Code (desktop)

Tags: DIB, TLP:GREEN