ZeroFox Daily Intelligence Brief - June 25, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Authorities Seize Servers and Credentials Linked to Amadey and StealC Malware Strains
- New Hacking Group Targets Ukraine’s Drone Defense Sector
- Geopolitical Focus: Earthquakes in Venezuela, Fire at Delhi Data Centre
Authorities Seize Servers and Credentials Linked to Amadey and StealC Malware Strains
What we know: Europol and partners have disrupted Amadey and StealC malware operations’ infrastructure as part of Operation Endgame. Over 326 servers were taken down and command-and-control (C2) infrastructure disrupted, recovering approximately 27 million stolen credentials from over 300,000 systems.
Context: StealC is an information-stealing malware strain that extracts credentials and other sensitive data, while Amadey serves as a loader that delivers additional malware and can also steal sensitive information from compromised systems.
Analyst note: Following the takedown, cybercriminals relying on StealC and Amadey are likely to lose access to stolen assets harvested through these malware strains. This might disrupt initial-access opportunities required for further attacks. As a result, demand for alternative infostealers and access services is likely to increase on deep and dark web marketplaces.
New Hacking Group Targets Ukraine’s Drone Defense Sector
Source: https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/
What we know: A newly identified threat actor, GhostShell (MB-0009), has reportedly been conducting a targeted campaign against Ukraine's drone defense sector, including military units, supply chains, and volunteer groups.
Context: GhostShell reportedly uses decoy documents to gain initial access; the lure delivers a malicious compressed archive that, when opened, establishes persistence through a hidden script placed in the Windows Startup folder. The script also contacts an external server to download three additional malicious files, including Vidar v2, an infostealer capable of harvesting saved passwords, browser history, and cryptocurrency wallet data.
Analyst note: The campaign is very likely a targeted espionage operation. The harvested credentials and system access could enable deeper infiltration of defense-adjacent infrastructure. Organizations involved in defense procurement or logistics should treat unsolicited compressed archives or drone-related documentation with heightened suspicion, and prioritize the review of endpoint persistence mechanisms.
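The persistence review recommended above can be started with a quick enumeration of the Windows Startup folders. The script below is an added example for this brief, not ZeroFox tooling and not code attributed to GhostShell: it lists every entry in the per-user and all-users Startup folders, includes hidden items (which Get-ChildItem omits by default), resolves shortcut targets, and flags entries that are hidden or that point at script-type files. The extension list and the output fields are this example's own choices.

```powershell
# Added example (not from the ZeroFox brief): enumerate Windows Startup folders
# and flag entries matching the persistence pattern described above, i.e.
# hidden files, script-type files, and shortcuts whose target is a script.
# Assumption: run locally on the endpoint under review, with no elevation
# required beyond read access to both Startup folders.

$ScriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh',
                      '.bat', '.cmd', '.ps1', '.hta', '.scr')

function Get-StartupEntries {
    # Both Startup locations are checked; -Force includes hidden items.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }

        Get-ChildItem -Path $folder -File -Force | ForEach-Object {
            $item   = $_
            $target = $null

            # A .lnk can hide a script behind an innocuous name; inspect its target.
            if ($item.Extension -eq '.lnk') {
                try   { $target = $shell.CreateShortcut($item.FullName).TargetPath }
                catch { $target = $null }
            }

            $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            $ext    = if ($target) { [IO.Path]::GetExtension($target) } else { $item.Extension }
            $isScript = $ScriptExtensions -contains $ext.ToLower()

            [PSCustomObject]@{
                Folder     = $folder
                Name       = $item.Name
                Hidden     = $hidden
                Target     = $target
                Modified   = $item.LastWriteTime
                Suspicious = ($hidden -or $isScript)
            }
        }
    }
}

# Suspicious entries sort to the top for triage.
Get-StartupEntries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

The Suspicious column is a triage hint rather than a verdict: compare flagged entries against the software inventory expected on that host, and treat a hidden script or a shortcut whose target is a script with a recent LastWriteTime as the highest-priority item to examine.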
Geopolitical Focus: Earthquakes in Venezuela, Fire at Delhi Data Centre
- A national state of emergency has been declared in Venezuela after 7.2 and 7.5 magnitude earthquakes struck the Caribbean coast, prompting officials to warn of high casualties and widespread structural damage. Additionally, a 6.9-magnitude earthquake hit Japan's northeast coast, halting local bullet trains but prompting no tsunami warnings.
- Ukrainian President Volodymyr Zelensky has instructed his military and intelligence forces to launch preemptive strikes against facilities inside Russia that are being used to support and expand the war effort.
- A fire at a New Delhi data centre co-owned by Tata Communications has caused extensive damage to the facility, leaving customers fearing the loss of decades of data and disrupting Google Cloud services in India.
- American AI company Anthropic has accused Chinese e-commerce giant Alibaba of carrying out a massive distillation attack to illicitly extract capabilities from its Claude AI model.
DEEP AND DARK WEB INTELLIGENCE
PwnForums user pablomotos: Untested threat actor “pablomotos” has advertised data associated with U.S.-based online travel platform Tripadvisor on dark web forum PwnForums. The database allegedly contains 30 million records, including user IDs, display names, usernames, email addresses, passwords, and physical addresses. Threat actors are likely to leverage this data to conduct targeted phishing attacks against the exposed user accounts.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Ubiquiti UniFi OS and Lantronix vulnerabilities: CISA has warned that three previously patched vulnerabilities in Ubiquiti UniFi OS and one in Lantronix servers are being actively exploited. These flaws—which individually enable access control bypass, directory traversal, and arbitrary OS command injection—can be chained to achieve full remote code execution (RCE) with elevated privileges. Separately, a critical root-level command injection vulnerability in Lantronix, CVE-2025-67038, is also being actively exploited.
Affected products: Ubiquiti UniFi OS versions before 5.0.8; Lantronix EDS5000 running firmware 2.1.0.0R3.
Tags: DIB, tlp:green