ZeroFox Daily Intelligence Brief - June 8, 2026
by Alpha Team
ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- PCPJack Hijacks Cloud Servers to Establish Distributed Email Relay Network
- Chinese APT Group Redeployed Custom Malware to Maintain Persistent Access
- Geopolitical Focus: Iran Fires Missiles at Israel, Earthquake in the Philippines
PCPJack Hijacks Cloud Servers to Establish Distributed Email Relay Network
Source: https://thehackernews.com/2026/06/pcpjack-hijacks-230-aws-google-cloud.html
What we know: Threat actor PCPJack has reportedly hijacked servers of three major cloud platforms to create a covert Simple Mail Transfer Protocol (SMTP) email relay network. Approximately 230 active proxy nodes were discovered, potentially suggesting the email operation had already reached a large scale.
Context: The operation was discovered through exposed directories on the group's command and control (C2) server that contained source code, deployment tools, logs, scanners, and active configurations. PCPJack was first discovered in April 2026, when it reportedly took steps to remove processes and artifacts associated with the TeamPCP threat group.
Analyst note: The campaign’s use of hijacked cloud servers as SMTP relays likely enables malicious emails to bypass standard security filters, because the messages originate from trusted infrastructure. Additionally, given PCPJack's focus on credential theft, the SMTP infrastructure is likely to support campaigns aimed at acquiring high-value credentials such as developer secrets, cloud access keys, and API tokens, putting software maintainers, developers, and workflows at risk.
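A hijacked cloud instance that starts relaying mail shows up in egress telemetry before it shows up in anyone's inbox. The following is an added detection sketch (not from the article or from ZeroFox) that runs over constructed flow-log style records, with a hypothetical baseline of instances that are expected to send mail, and flags any other host reaching SMTP ports, rating hosts that fan out to many distinct SMTP destinations as the relay pattern.

```python
"""Spot cloud hosts that begin relaying mail (added example; constructed data)."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Hypothetical baseline: instances expected to originate SMTP traffic.
KNOWN_MAIL_SENDERS = {"i-0mailrelay01"}

# Constructed flow-log style records: "<instance> <src_ip> <dst_ip> <dst_port> <bytes>"
SAMPLE_LOG = """\
i-0webapp01 10.0.1.10 203.0.113.5 443 5120
i-0webapp01 10.0.1.10 198.51.100.20 25 4096
i-0webapp01 10.0.1.10 198.51.100.21 25 4090
i-0webapp01 10.0.1.10 198.51.100.22 587 3980
i-0webapp01 10.0.1.10 198.51.100.23 25 4010
i-0mailrelay01 10.0.1.50 198.51.100.30 25 7000
i-0mailrelay01 10.0.1.50 198.51.100.31 25 7100
i-0buildbox02 10.0.2.7 192.0.2.9 25 900
"""


def parse_flow_log(text):
    """Yield (host, src_ip, dst_ip, dst_port, bytes); skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        host, src, dst, port, nbytes = fields
        yield host, src, dst, int(port), int(nbytes)


def find_unexpected_smtp_senders(records, relay_threshold=3):
    """Findings for hosts outside the mail-sender baseline that reached SMTP
    ports. Many distinct SMTP destinations is the relay pattern ('relay');
    a one-off connection is reported as 'smtp_egress' for triage."""
    dests = defaultdict(set)
    for host, _src, dst, port, _nbytes in records:
        if port in SMTP_PORTS and host not in KNOWN_MAIL_SENDERS:
            dests[host].add(dst)
    return {
        host: {
            "severity": "relay" if len(d) >= relay_threshold else "smtp_egress",
            "destinations": sorted(d),
        }
        for host, d in dests.items()
    }


if __name__ == "__main__":
    for host, f in find_unexpected_smtp_senders(parse_flow_log(SAMPLE_LOG)).items():
        print(host, f["severity"], f["destinations"])
```

Blocking outbound port 25 from instances that are not on the mail-sender baseline removes the relay capability outright; the finding above is for environments where that egress control is not yet in place.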
Chinese APT Group Redeployed Custom Malware to Maintain Persistent Access
What we know: Chinese advanced persistent threat (APT) group VerdantBamboo reportedly used the Brickstorm backdoor and undocumented malware Plenet and AgentPSD to compromise a victim’s productivity suite and its Managed Services Provider (MSP) for at least 18 months before detection.
Context: Initial access was gained through an Egnyte Storage Sync system and an SSL VPN, enabling the attackers to bypass Conditional Access policies. The indicators of compromise are listed here.
Analyst note: In the near term, several other threat actors are likely to similarly adapt the worm using its source code to launch fresh attacks. Open-source dependencies used in fintech, cryptocurrency, and software-as-a-service (SaaS) environments are likely to be increasingly targeted.
Geopolitical Focus: Iran Fires Missiles at Israel, Earthquake in the Philippines
- Iran launched a barrage of missiles at Israel on June 7, 2026, marking its first strike since the April ceasefire. The strikes came following Israeli airstrikes in the outskirts of Beirut, Lebanon against Hezbollah.
- Three individuals were arrested for conspiring to provide material support to the ISIS terrorist group. The accused swore allegiance to ISIS, plotted multiple attacks, and specifically sought to fund plans to kill American service members deployed abroad before the FBI disrupted the plot.
- The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Iranian LPG smuggling and shadow banking networks involving individuals, front companies, and shadow fleet vessels. The network used front companies in the United Arab Emirates (UAE) and China to smuggle hundreds of millions of dollars' worth of Iranian LPG, intentionally disguised as Omani LPG, to buyers in South and East Asia.
- On June 8, 2026, a shallow 7.8-magnitude earthquake struck off the coast of General Santos City in Southern Philippines, killing at least three people and injuring five others. The 10 km-deep tremor triggered regional tsunami warnings and coastal evacuations across the Philippines, Indonesia, and Japan. Tsunami advisories have since been lifted.
DEEP AND DARK WEB INTELLIGENCE
ShinyHunters publishes alleged DentaQuest data: U.S.-based healthcare company DentaQuest has confirmed a data breach. This comes after ShinyHunters published a 234 GB archive of data claiming to belong to DentaQuest. The leaked dataset reportedly affects approximately 2.6 million individuals and includes names, addresses, email addresses, phone numbers, dates of birth, government-issued IDs, health insurance information, and healthcare enrollment records. ZeroFox had previously observed an update on the ShinyHunters leak site claiming DentaQuest as a victim and threatening to publish the data if a ransom was not paid.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Chrome vulnerabilities: Google promoted Chrome 149 to the stable channel with patches for 429 vulnerabilities, most of which were use-after-free and insufficient-validation-of-untrusted-input issues. Numerous inappropriate-implementation, insufficient-policy-enforcement, and out-of-bounds flaws were also addressed.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green