ZeroFox Daily Intelligence Brief - July 7, 2026
|by Alpha Team

ZeroFox Daily Intelligence Brief - July 7, 2026
ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Daily Deep and Dark Web Intelligence
- FBI Arrests Alleged Member of Pro-Russian Hacktivist Group
- Indirect Prompt Injection Campaigns Target AI Agents
ZeroFox Daily Deep and Dark Web Intelligence
Source: https://www.zerofox.com/advisories/40825/
What we know: ZeroFox identified multiple critical findings across deep and dark web (DDW) forums between July 3 and July 6, 2026, including alleged data breach advertisements targeting defense, government, and financial sector organizations, as well as the sale of large-scale network access points affecting Fortinet infrastructure globally.
Context: A well-known threat actor advertised an auction for 1,200 Fortinet VPN entry points, while another advertised 3,032 FortiGate entry points with super_admin rights allegedly associated with Turkey-based organizations. ZeroFox additionally identified a new ransomware data leak site, ‘DOOMMAGEDDON’, which listed five publicly named victims.
Analyst note: The volume and diversity of critical findings observed within this short reporting window reflect a sustained and active DDW marketplace for stolen data and unauthorized access. The emergence of a new ransomware leak site further likely indicates the expansion of ransomware and digital extortion ecosystem, with new actors entering the space.
FBI Arrests Alleged Member of Pro-Russian Hacktivist Group
Source: https://hackread.com/fbi-spanish-police-arrest-cyber-army-russia-reborn-member/
What we know: FBI and Spanish authorities have arrested an alleged member of pro-Russian hacktivist group “The Cyber Army of Russia Reborn (CARR)”, also known as Z-Pentest Alliance, as part of Operation Riptide.
Context: CARR has been active since Russia’s invasion of Ukraine, repeatedly claiming responsibility for distributed denial-of-service (DDoS) and disruptive operations against government, critical infrastructure, private entities, and industrial control systems in Ukraine and allied nations.
Analyst note: Authorities will likely examine the seized devices and digital footprints from the suspect to map CARR's operational hierarchy, communication channels, and ties to state intelligence services. Furthermore, intelligence recovered from this operator could provide critical telemetry to map and disrupt other pro-Russian collectives in alliance with CARR, like TwoNet, KillNet, and NoName057(16).
Indirect Prompt Injection Campaigns Target AI Agents
Source: https://www.securityweek.com/prompt-injection-attacks-trick-ai-agents-into-making-crypto-payments/
What we know: Threat actors have reportedly conducted two indirect prompt injection campaigns targeting autonomous AI agents to make unauthorized payments. One campaign tricked AI agents into making unauthorized payments through fake API documentation and the other convinced AI agents that a fraudulent cryptocurrency platform is legitimate.
Context: The payment campaign reportedly used SEO poisoning, hidden HTML prompts, and hardcoded cryptocurrency wallets, supported by 10 GitHub repositories. The second campaign reportedly used keyword stuffing and manipulated metadata to improve search rankings and deceive AI agents.
Analyst note: Given the relatively recent adoption of LLM-powered agents across organizations, indirect prompt injection attacks are likely to challenge the effectiveness of existing safeguards, particularly for AI models with web-browsing or payment-execution capabilities.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Shadowreaper: Untested threat actor “Shadowreaper” advertised an alleged dataset from Aegis Defense Solutions, a U.S. security consulting and firearms training company, on DarkForums. The leaked database reportedly contains 890,000 records of personnel, financial, contractor files, and sensitive scanned documents pertaining to Top Secret/SCI and Special Access Program (SAP) clearance holders.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-48282: This is a maximum-severity remote code execution (RCE) vulnerability in Adobe ColdFusion that can be exploited by attackers without privileges on unpatched systems. The flaw is being actively exploited in the wild. This flaw enables unauthenticated attackers to execute arbitrary code and take over the underlying server without any credentials.
Affected products: Adobe ColdFusion versions 2025.9, 2023.20, and earlier
Tags: DIB, tlp:green