ZeroFox Daily Intelligence Brief - June 15, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Cal Water Allegedly Hacked by Iran-Linked Handala Hacktivist Group
- FBI Disrupts Massive AI-Assisted Phishing Operation
- Geopolitical Focus: U.S.-Iran Agreement, Anthropic Suspended for Foreign Nationals, and more
Cal Water Allegedly Hacked by Iran-Linked Handala Hacktivist Group
Source: https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/
What we know: The Iran-linked Handala hacktivist group has claimed responsibility for hacking California Water Service (Cal Water) in retaliation for U.S. actions against Iran. The group alleges it has the capability to disrupt water access but has opted not to.
Context: Handala has also published 5 GB of data allegedly linked to the US water utility. Cal Water’s Chico District has reportedly been affected in the attack. The leaked data reportedly contains personally identifiable information (PII) of customers, administrative credentials for the RTKBase platform, and a mountpoint-level NTRIP source password. Cal Water is yet to confirm a breach.
Analyst note: The RTKBase platform compromise is likely to enable threat actors to manipulate GPS data used for mapping underground water infrastructure, guiding repair or construction work, and monitoring ground movement near the infrastructure. However, the accesses listed so far are unlikely to directly disrupt customer water supply. Exposed individuals are likely to be targeted in identity theft, phishing, and social engineering attacks.
FBI Disrupts Massive AI-Assisted Phishing Operation
What we know: The FBI has dismantled "Outsider Enterprise," a China-based phishing-as-a-service operation used to steal credit card data and passwords, in a co-ordinated takedown. Outsider Enterprise had reportedly been active since 2023, causing an estimated USD 1.9 billion in losses.
Context: During the operation, authorities seized administration servers, a Shopify storefront, a Telegram bot, USD 100,000 in Outsider payment wallets, and thousands of phishing domains that are now redirected to an FBI splash page. Threat actors used generative AI to clone trusted sites, craft scam messages, and automate real-time data theft.
Analyst note: Law enforcement seizure of the Telegram bot and payment wallets will very likely expose the identities of downstream affiliates who purchased the phishing kits, possibly leading to arrests. Threat actors are likely to rebrand the phishing tools and sell them in other countries, allowing the operation to continue while keeping a low profile.
Geopolitical Focus: U.S.-Iran Agreement, Anthropic Fable 5 Suspended for Foreign Nationals
- The U.S. and Iran reached a preliminary agreement to end the months-long conflict, with a formal signing scheduled for Friday in Switzerland. Key terms include the immediate reopening of the Strait of Hormuz, the lifting of the U.S. naval blockade, release of USD 25 billion in frozen Iranian assets, and a waiver on oil sanctions. In return, Iran has agreed to freeze its nuclear program at current levels.
- A cyberattack targeting a shared communications infrastructure disrupted services in four major Iranian banks. Reportedly, no customer data was compromised.
- The US government ordered Anthropic to suspend its two most advanced AI models, Fable 5 and Mythos 5, for all users worldwide over national security concerns regarding a jailbreak vulnerability. Anthropic is complying but disputes the order, arguing that the alleged jailbreak is narrow and non-universal, and emphasizing that the models maintain strong guardrails to prevent misuse.
- Russia launched a massive missile and drone attack on Kyiv on June 15, 2026, killing at least five people and injuring dozens across Ukraine. Among the targets struck was the historic Dormition Cathedral at the Kyiv Pechersk Lavra, with damage reported across 16 locations in the capital.
- The captain of a "ghost fleet" oil tanker pleaded guilty in Washington DC to leading the US Coast Guard on a pursuit from the Caribbean to the North Atlantic, after transporting 1.8 million barrels of sanctioned Iranian oil to Asia using deceptive tactics. The captain now faces up to five years in prison and subsequent deportation.
DEEP AND DARK WEB INTELLIGENCE
ShinyHunters claims Council of Europe data breach: The ShinyHunters extortion group has claimed to have stolen approximately 297 GB of data (over 429,000 files) from the Council of Europe, threatening to publish it unless demands are met. Given ShinyHunters’ track record, the breach is very likely legitimate. Depending on the severity of the data stolen, the exposure could endanger human rights victims, activists in authoritarian countries, and confidential case details, with potential links to International Court of Justice (ICJ) proceedings that could invite undue external influence. Furthermore, the data is likely to be leveraged in identity fraud, phishing, and social engineering attacks against exposed individuals.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-20253: This is a pre-authentication remote code execution (RCE) vulnerability in Splunk Enterprise. The flaw enables any network-reachable user to invoke arbitrary file operations without credentials. An attacker can exploit this by pushing a malicious database dump onto the Splunk file system through unauthenticated backup endpoints. Successful exploitation is very likely to result in full remote code execution on the affected Splunk instance, enabling attackers to tamper with log data.
Affected products: Splunk Enterprise versions 10.0.0 to 10.0.6 and 10.2.0 to 10.2.3
Tags: DIB, tlp:green