ZeroFox Daily Intelligence Brief - June 10, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ServiceNow Customer Data Accessed in Breach
- French Government Messaging Platform Breached via Social Engineering
- Russian Threat Groups Exploit Patched WinRAR Flaw in Ukraine Campaign
ServiceNow Customer Data Accessed in Breach
What we know: ServiceNow, a business workflow management company, has reportedly disclosed a breach in which attackers accessed customer instance data by exploiting an unauthenticated API flaw. The issue primarily affected customers running the Australia release or older deployments with specific configurations.
Context: ServiceNow reportedly sent the disclosure notice directly to users and has not made a public announcement. However, community researchers reportedly shared possible indicators of compromise (IoCs), including the IP address 51.159.98.241, from which suspicious requests allegedly originated. ServiceNow deployed a security update on June 5, 2026.
Analyst note: Customer instance data is likely to be used to build target profiles. Targeted phishing campaigns are likely to begin impacting employees at affected organizations. Attackers are likely to impersonate IT helpdesks, HR teams, or ServiceNow itself. Phishing emails are likely to reference legitimate internal details (ticket numbers, system names, manager names) to appear convincing.
French Government Messaging Platform Breached via Social Engineering
What we know: French authorities are investigating unauthorized access to Tchap, the French government's encrypted messaging platform used across ministries and public sector organizations.
Context: A threat actor claimed responsibility for the incident, alleging they achieved initial access by social-engineering an account on Tchap’s education environment. The actor claims to have accessed over 73,000 accounts, 643,000 messages, 60,000 media files, and various chat rooms. However, French officials maintain that only public chat room content was exposed and that private conversations remain encrypted.
Analyst note: The stolen data, involving documents and conversations shared by government personnel, is likely to be of high value to nation-state actors, political groups, and corporate entities seeking intelligence advantages, political leverage, and/or policy influence. Additionally, French government personnel are very likely to be targeted in further social engineering and spear phishing campaigns using the data.
Russian Threat Groups Exploit Patched WinRAR Flaw in Ukraine Campaign
Source: https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html
What we know: Two Russia-aligned threat groups, “Gamaredon” and “SHADOW-EARTH-066,” are reportedly exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The campaigns deploy information-stealing malware strains to harvest browser credentials and documents.
Context: SHADOW-EARTH-066 delivers the GIFTEDCROOK infostealer in-memory. Notably, the group has shifted exfiltration from Telegram to dedicated command-and-control (C2) servers following Russia's blocking of the platform. Meanwhile, Gamaredon delivers GammaSteel, a real-time file monitoring infostealer.
Analyst note: Unknown LNK files in Startup folders, unexpected PowerShell execution via cmd.exe, and unusual outbound C2 traffic are very likely IoCs. By exploiting a long-patched vulnerability, the threat groups are also likely prioritizing initial access over immediate intelligence value, reserving the access and stolen data for future high-value attacks.
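The first two indicators in the analyst note, sketched as detection logic. This is an added example, not ZeroFox's code; it assumes Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records already parsed into dicts. The sample events, the `baseline` parameter and all file and user names are constructed for illustration.

```python
import ntpath

# Per-user and all-users Startup folders (lower-cased path suffixes).
STARTUP_DIRS = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return ntpath.basename(path or "").lower()

def classify(event, baseline=frozenset()):
    """Return a finding label for one parsed event, or None.
    baseline: lower-cased shortcut names already known on the host (assumption)."""
    eid = event.get("EventID")
    if eid == 11:  # FileCreate
        target = (event.get("TargetFilename") or "").lower()
        in_startup = ntpath.dirname(target).endswith(STARTUP_DIRS)
        if target.endswith(".lnk") and in_startup and basename(target) not in baseline:
            return "lnk_in_startup"
    elif eid == 1:  # ProcessCreate
        if (basename(event.get("Image")) in POWERSHELL
                and basename(event.get("ParentImage")) == "cmd.exe"):
            return "powershell_from_cmd"
    return None

def triage(events, baseline=frozenset()):
    """Pair each flagged event with its label, preserving input order."""
    return [(label, e) for e in events if (label := classify(e, baseline))]

# Constructed sample events (hypothetical user and file names).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Updater.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Documents\extracted\report.pdf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for label, event in triage(SAMPLE_EVENTS):
        print(label, event.get("TargetFilename") or event.get("Image"))
```

Both rules match legitimate activity as well (installers place shortcuts in Startup, administrators launch PowerShell from cmd.exe), so hits are triage leads to compare against a host baseline rather than verdicts.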
DEEP AND DARK WEB INTELLIGENCE
DarkForums user BigBrother: On June 8, 2026, a moderately credible threat actor, "BigBrother," advertised alleged network access to the Smart Traffic Control Command Center of Tehran Traffic Police on the deep and dark web forum DarkForums. The threat actor has quoted 1 BTC for the access. With an escalation of hostilities in the Iran conflict, such dark web advertisements offering data or access of intelligence value to governments and militaries are likely to increase as actors seek to leverage the opportunity. The legitimacy of the access remains unknown.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Microsoft June 2026 Patch Tuesday: Microsoft released security updates addressing 200 flaws and three publicly disclosed zero-day vulnerabilities. The updates include 33 critical vulnerabilities: 28 related to remote code execution (RCE), four associated with elevation of privilege, and one concerning information disclosure.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green