ZeroFox Daily Deep and Dark Web Intelligence - July 6, 2026
|by Alpha Team

ZeroFox Daily Deep and Dark Web Intelligence
Product Serial: D-2026-07-06a
TLP:CLEAR
Here is a curated list of critical incidents and compromised data observed in deep and dark web ransomware sites, forums, and marketplaces ingested into the ZeroFox Platform from July 3 to July 6, 2026.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit: https://cloud.zerofox.com/intelligence/advisories/14956
Link to Download
View the full report for today here
Key Findings
- Ransomware and Digital Extortion: Multiple extortion groups posted new leak-site entries, including KRYBIT, World Leaks, BASHE, The Gentlemen, and INC Ransomware.
- Unauthorized Access Marketplace: Threat actors advertised network access for sale on a Russian-language forum Exploit—including roughly 1,200 Fortinet VPN entry points, 3,000 super_admin-level FortiGate entry points tied to Turkey-based organizations, and backend access purportedly to Brazilian currency broker VIPS Corretora de Câmbio (Finance sector).
- Vulnerability and Tooling Commercialization: An actor offered a "ClickFix" malware-delivery panel for sale on Exploit.
- Emerging Extortion Infrastructure: ZeroFox identified a newly emerged ransomware leak site, "DOOMMAGEDDON," listing five named entities plus one undisclosed entry marked "PAID."
- Data Dissemination and Telemetry: Forums hosted several data breach and sale claims referencing government and private-sector organizations, including the Inland Revenue Board of Malaysia and a claimed Golden Agri-Resources breach. Separately, credential intelligence systems ingested over 1.8 billion combined compromised account (CAC) and botnet records between June 8 and July 5, 2026.
Tags: tlp:clear, dark web, data breach, threat actor