ZeroFox Daily Intelligence Brief - June 22, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - DragonForce Conceals C2 in Legitimate Relay Infrastructure
  • Brazil’s Defense Alert System Reportedly Hacked
  • Threat Landscape Expands Around FIFA World Cup 2026

ZeroFox Intelligence Flash Report - DragonForce Conceals C2 in Legitimate Relay Infrastructure

Source: https://www.zerofox.com/advisories/40582/

What we know: On June 16, 2026, researchers disclosed a December 2025 intrusion at a major U.S. services firm in which operators from the DragonForce ransomware collective deployed a custom backdoor called Backdoor.Turn into the firm’s enterprise collaboration infrastructure.

Context: Backdoor.Turn is a Go-based remote access trojan (RAT), not previously seen in the wild, that can be injected into legitimate trusted collaboration instances to avoid detection. DragonForce almost certainly used this RAT to establish a command-and-control (C2) node within the trusted U.S. services firm’s network in order to maintain persistence.

Analyst note: ZeroFox assesses that this type of intrusion also likely represents a continuing shift from single-event extortion toward dual monetization: initial encryption and data theft followed by durable access that can be exploited later or sold to other criminal operators on deep and dark web (DDW) forums.

Brazil’s Defense Alert System Reportedly Hacked

Source: https://www.reuters.com/world/americas/suspected-hacker-sends-unauthorized-alert-across-brazil-2026-06-20/

What we know: Brazil’s Civil Defense has reported a suspected hacking of its official alert system that sent mass alerts to cell phones across multiple Brazilian states containing the word “misanthropy.”

Context: The attacker reportedly deactivated the platform and then maliciously reactivated it to send notifications on behalf of “someone outside the National System of Civil Protection and Defense.”

Analyst note: The attack was likely designed to demonstrate capability. Similar operations are likely to be leveraged to amplify social unrest, disrupt emergency response systems, and erode confidence in government institutions.

Threat Landscape Expands Around FIFA World Cup 2026

Source: https://hackread.com/fifa-world-cup-2026-hackers-football-fake-tickets-sites/

What we know: Threat actors are reportedly targeting FIFA World Cup 2026 fans in phishing and fraud scams offering fake hotel bookings, fake tickets, cloned websites, and live chat features. Some of the campaign's infrastructure was observed to be linked to suspected China-based threat actors using payment platform tbpay[.]uk and chat services platform tawk[.]to to communicate with victims.

Context: Around the tournament, which runs from June 11 to July 19, 2026, multiple scam networks were observed involving more than 100 fraudulent domains impersonating betting sites, ticketing platforms, and other FIFA-related services. Additionally, despite FIFA being the sole authorized ticket seller, ticket resale activity was observed on certain Telegram channels.

Analyst note: Threat actors are likely to impersonate FIFA officials and affiliated organizations in phishing and infostealer campaigns targeting fans, sponsors, and partners. Hacktivists are also likely to leverage the event’s global presence and target the event’s infrastructure and organizing bodies with distributed denial-of-service (DDoS) attacks to direct attention to their ideological causes.

DEEP AND DARK WEB INTELLIGENCE

Exploit user dred871: A moderately credible threat actor, "dred871," has advertised Secure Shell (SSH) and Virtual Network Computing (VNC) access to the server of an alleged leading cryptocurrency platform developer on the deep and dark web forum Exploit. The threat actor claims the compromised server contains the platform's full source code, scripts, database structures, and configuration files.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Unpatchable 'usbliter8' exploit: An unpatchable hardware-level exploit, dubbed usbliter8, affecting Apple A12 and A13 chips has reportedly been discovered. The vulnerability enables arbitrary code execution within SecureROM, compromising Apple's secure boot chain and allowing attackers with physical access to a device in DFU mode to execute unsigned code. As the flaw resides in immutable silicon, it reportedly cannot be remediated through software updates.

Affected products: The affected products are listed here.

Tags: DIB, tlp:green