zerofox logo
Advisories

ZeroFox Daily Intelligence Brief - June 26, 2026

|by Alpha Team

banner image

ZeroFox Daily Intelligence Brief - June 26, 2026

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • North Korea-Linked “Gaslight” Malware Deceives AI-Assisted Malware Analysis
  • Ukraine’s National Postal Service Disrupted
  • Polymarket Confirms Third-Party Compromise; Hackers Stole USD 3 Million from Users

North Korea-Linked “Gaslight” Malware Deceives AI-Assisted Malware Analysis

Source: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html

What we know: Gaslight, a previously undocumented Rust-based macOS malware linked to North Korean threat actors, reportedly embeds prompt-injection payloads to deceive AI-assisted malware analysis tools into refusing or abandoning analysis.

Context: Gaslight reportedly functions as an information stealer and remote access implant, using the Telegram Bot API as its command-and-control (C2) channel. The malware also reportedly supports interactive shell access, enabling operators to execute commands and retrieve results from compromised macOS systems

Analyst note: Threat actors are likely exploiting trust in AI-generated analysis and AI-integrated security workflows to evade detection and deploy malware. As organizations increasingly integrate AI into cybersecurity operations, AI manipulation is likely to become a preferred tactic for threat actors.

Ukraine’s National Postal Service Disrupted

Source: https://databreaches.net/2026/06/25/ukraines-national-postal-service-ukrposhta-hacked-overnight/

What we know: Ukraine's national postal service, Ukrposhta, was reportedly compromised in a cyberattack that resulted in temporary disruptions to its mobile application and IT systems.

Context: Ukrposhta confirmed the attack in a brief public update stating that recovery operations are in progress. Meanwhile, pro-Russian hacktivist group “IT ARMY OF RUSSIA” has claimed responsibility for the attack, alleging that it compromised the infrastructure weeks prior and exfiltrated approximately 172 GB of data containing over 1.2 million user records.

Analyst note: Critical infrastructure and state-run services remain high-priority targets for politically motivated threat actors. Such disruptions are very likely to have cascading effects on civilian supply chains, courier networks, and government operations.

Polymarket Confirms Third-Party Compromise; Hackers Stole USD 3 Million from Users

Source: https://techcrunch.com/2026/06/25/polymarket-says-hackers-stole-users-funds/

What we know: Prediction market giant Polymarket has reportedly confirmed a security breach after hackers stole around USD 3 million from its users. The company stated that the incident has been contained, and all affected users will receive full refunds.

Context: Attackers compromised an unnamed third-party vendor to inject malicious code into the website, which exfiltrated funds from some users who interacted with the platform. The stolen crypto assets were quickly moved from the Polygon network to Ethereum to hide the trail and liquidate the funds.

Analyst note: The incident highlights the growing risks that third-party vendors bring to decentralized platforms and web applications, and the necessity to ensure security audits of all dependencies.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Big-Bro: Well-known threat actor "Big-Bro" has advertised an alleged dataset of 31,000 Fortinet FortiGate entry points on dark web forum Exploit. According to Big-Bro, the targeted companies are located in different countries. The advertisement comes following the recent "FortiBleed" credential harvesting campaign targeting Fortinet FortiGate firewalls. It is unknown if the advertisement is related to the campaign. If legitimate, the leaked credentials are likely to be used to disable security controls on compromised systems, which can further assist in evasion of malicious activity.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20245: This is a privilege escalation vulnerability in Cisco Catalyst SD-WAN, exploited as a zero-day. The flaw enables an authenticated attacker with network administrator privileges to execute arbitrary commands with elevated privileges by uploading a crafted file to escalate privileges.

Affected products: Cisco Catalyst SD-WAN devices with netadmin-level access

Tags: DIBtlp:green