zerofox logo
Advisories

ZeroFox Daily Deep and Dark Web Intelligence - July 6, 2026

|by Alpha Team

banner image

ZeroFox Daily Deep and Dark Web Intelligence

Product Serial: D-2026-07-06a

TLP:CLEAR

Here is a curated list of critical incidents and compromised data observed in deep and dark web ransomware sites, forums, and marketplaces ingested into the ZeroFox Platform from July 3 to July 6, 2026.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit: https://cloud.zerofox.com/intelligence/advisories/14956

Link to Download

View the full report for today here

Key Findings

  • Ransomware and Digital Extortion: Multiple extortion groups posted new leak-site entries, including KRYBIT, World Leaks, BASHE, The Gentlemen, and INC Ransomware.
  • Unauthorized Access Marketplace: Threat actors advertised network access for sale on a Russian-language forum Exploit—including roughly 1,200 Fortinet VPN entry points, 3,000 super_admin-level FortiGate entry points tied to Turkey-based organizations, and backend access purportedly to Brazilian currency broker VIPS Corretora de Câmbio (Finance sector).
  • Vulnerability and Tooling Commercialization: An actor offered a "ClickFix" malware-delivery panel for sale on Exploit.
  • Emerging Extortion Infrastructure: ZeroFox identified a newly emerged ransomware leak site, "DOOMMAGEDDON," listing five named entities plus one undisclosed entry marked "PAID."
  • Data Dissemination and Telemetry: Forums hosted several data breach and sale claims referencing government and private-sector organizations, including the Inland Revenue Board of Malaysia and a claimed Golden Agri-Resources breach. Separately, credential intelligence systems ingested over 1.8 billion combined compromised account (CAC) and botnet records between June 8 and July 5, 2026.

Tags: tlp:clear dark web data breachthreat actor