ZeroFox Daily Intelligence Brief - June 16, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Spamming Package Targeting the U.S. SSA Advertised on DDW
  • Crypto Scams Now Involve In-Person Cash Pickups
  • China-Linked Actor Targets REDCap Servers, Steals Defense and Medical Research Data

ZeroFox Intelligence Flash Report - Spamming Package Targeting the U.S. SSA Advertised on DDW

Source: https://www.zerofox.com/advisories/40484/

What we know: ZeroFox has observed untested threat actor “mailerborn” advertising a spam distribution package targeting the U.S. Social Security Administration (SSA) on dark web forum Exploit. The package is priced at USD 3,000.

Context: The actor claims the package includes access to approximately 500 corporate Simple Mail Transfer Protocol (SMTP) servers, an antivirus-evasive command loader, and a per-recipient email generator. Beyond the SSA package, the actor has invited partners and investors for broader spamming campaigns targeting U.S. banks and government organizations.

Analyst note: Mailerborn's efforts to advertise the tool, recruit partners, and attract investors, alongside the high volume of posts since joining the forum, likely reflect an attempt to build credibility and scale operations beyond a single campaign. Mailerborn is untested and the package remains unverified, but the combination of claimed technical capabilities very likely represents a meaningful increase in phishing potential if the tooling performs as described.

Crypto Scams Now Involve In-Person Cash Pickups

Source: https://www.ic3.gov/PSA/2026/PSA260615

What we know: The FBI is warning of threat actors arranging in-person cash pickups from victims, usually senior citizens, to further their fake crypto investment scams.

Context: Scammers build trust with victims, posing as business or romance seekers, then instruct victims to start investing in fraudulent crypto investment firms. The victims are asked for more funds to be able to withdraw from the fake crypto accounts. Scammers are also adopting cash couriers to bypass security measures undertaken by legitimate financial institutions, which may deny suspicious transfers by victims to the scammers.

Analyst note: The shift from digital transfers to physical cash retrieval likely suggests that transnational cybercriminal groups are establishing localized physical logistics networks or partnering with domestic organized crime rings to facilitate their heists.

China-Linked Actor Targets REDCap Servers, Steals Defense and Medical Research Data

Source: https://www.theregister.com/research/2026/06/15/google-says-prc-linked-spies-hid-in-medical-research-networks-for-more-than-a-year/5254547

What we know: A China-linked espionage group, tracked as UNC6508, has reportedly compromised Research Electronic Data Capture (REDCap) servers at North American medical and military research organizations. The group deployed the custom InfiniteRed malware to maintain access and steal sensitive data since at least 2023.

Context: The threat actors reportedly searched for emails and data related to defense technologies, medical research institutions, and the Chikungunya virus. REDCap is a web application for managing and storing clinical and research data. UNC6508 was observed using stolen credentials to access administrative accounts and deploying a malicious content compliance rule named “Patroit” that forwarded research emails to the email account “BebitaBarefoot774”.

Analyst note: The actors’ targeted searches suggest a focus on intelligence collection and monitoring of strategic developments rather than preparation for immediate disruptive operations. However, the actors’ interest in the Chikungunya virus is likely to raise concerns about broader biological or public health attacks, although there is insufficient reporting to indicate preparations for a biological weapons program.

DEEP AND DARK WEB INTELLIGENCE

PwnForums user misere: Moderately credible threat actor "misere" has advertised data allegedly associated with JeVeuxAider[.]gouv[.]fr, an official French government portal, on deep and dark web forum PwnForums. The threat actor claims to have exploited an Insecure Direct Object Reference (IDOR) vulnerability on an API endpoint. The leaked dataset reportedly includes data fields such as names, emails, phone numbers, dates of birth, and physical addresses. The threat actor has also been linked to the breach of the French government's Tchap messaging platform.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20262: This is an actively exploited vulnerability affecting Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). An attacker holding credentials for at least a lower-privileged, single-task user account can exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint. A successful exploit is likely to enable the attacker to create or overwrite any file on the underlying operating system.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN