
ZeroFox Daily Intelligence Brief - March 4, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Iran SITREP: U.S.-Israel Diplomatic and Military Actions Heighten Threat Environment
  • LexisNexis Confirms Second Data Breach
  • Phishing Campaign Uses Fake Zoom Pages to Deploy Remote Monitoring Tools

Iran SITREP: U.S.-Israel Diplomatic and Military Actions Heighten Threat Environment

Source: https://www.zerofox.com/advisories/38695/

  • Iran has selected its next Supreme Leader, Mojtaba Khamenei, son of the slain Ali Khamenei. The new leader is said to have close ties to the Islamic Revolutionary Guard Corps (IRGC) and experience coordinating security and military affairs.
  • The United States and Israel continue to target key decision-makers in Iran. Iran is likely seeking to increase ceasefire pressure by expanding its list of targets and signaling further escalation.
  • With Iranian proxy groups entering the war, spillover into Iraq, Yemen, and Lebanon is likely. Individual attacks on servicemen, diplomats, and civilians are increasing in likelihood.
  • Conflicting claims persist over the Strait of Hormuz, with the IRGC claiming closure, despite U.S. assertions that the waterway remains open and unobstructed.
  • Israel continued strikes on Hezbollah in Beirut’s southern suburbs, with the Lebanese Ministry of Public Health reporting 52 deaths and 154 injuries over two days. Israel has also mobilized roughly 100,000 reservists.
  • Global oil prices have stabilized, with an approximate increase of USD 5 from prewar levels. Further spikes are unlikely unless Iran broadens the conflict. However, in the United Kingdom, wholesale natural gas prices surged 50 percent on Monday after Qatar announced the shutdown of the world’s largest LNG refinery due to Iranian missile attacks.
  • Additionally, ideologically aligned pro-Iranian, pro-Palestinian, and pro-Russian hacktivist groups have intensified coordinated distributed denial-of-service (DDoS) and intrusion attack claims against U.S., Israeli, Gulf, and Iranian targets. Meanwhile, American banks remain fearful of targeted attacks. An Israel-linked hacktivist group has claimed responsibility for a cyberattack on Iran’s major crypto exchange Nobitex, allegedly destroying USD 90 million in digital assets, days after targeting Bank Sepah.

LexisNexis Confirms Second Data Breach

Source: https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/

What we know: U.S.-based data analytics giant LexisNexis has notified customers of a recent data breach after attackers gained unauthorized access to its servers. The incident exposed over 2 GB of customer and business information. This breach supersedes a separate incident previously reported in May 2025.

Context: Simultaneously, threat actor “FulcrumSec” advertised data allegedly associated with LexisNexis on BreachForums. FulcrumSec claims to have gained unauthorized access by exploiting the React2Shell vulnerability, enabling access to over 400,000 cloud user profiles, including 118 accounts with .gov email addresses. However, LexisNexis states that the data is insignificant and old.

Analyst Note: Since the data breach reportedly does not involve sensitive financial information, it is unlikely to result in direct financial losses. Threat actors will likely leverage the data for secondary attacks such as impersonation of government officials, social engineering, and phishing campaigns.

Phishing Campaign Uses Fake Zoom Pages to Deploy Remote Monitoring Tools

Source: https://hackread.com/zoom-google-meet-phishing-monitoring-tool/

What we know: An active phishing campaign has been observed using fake pages impersonating Zoom and another popular videoconferencing platform to trick users into installing a remote monitoring tool.

Context: The campaign begins with fake meeting invites that open a clone of a Zoom meeting room, where targets are pressured to download an “update” to fix the connection. Attackers then deploy a legitimate remote monitoring tool to log keystrokes, capture clipboard contents, record screens, take screenshots, and access browsing history and file systems.

Analyst Note: Threat actors are likely to steal login credentials stored on compromised devices, leading to account takeovers.

DEEP AND DARK WEB INTELLIGENCE

Cegedim Santé breached: Cegedim Santé, a supplier to France’s health ministry, has confirmed that approximately 15.8 million administrative records were stolen after attackers breached its MonLogicielMedical platform used by thousands of doctors. Around 165,000 files were leaked, including physician notes, some containing highly sensitive details such as HIV status and sexual orientation, and reports belonging to senior political figures. Threat actor “DumpSec” has advertised data linked to Cegedim on the deep and dark web forum BreachForums. Exposure of medical data, including HIV status and sexual orientation, is likely to lead to blackmail, discrimination, identity theft, targeted phishing and doxxing attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-21385: This is a high-severity zero-day vulnerability in a Qualcomm display component that is now patched. It is an integer overflow that can trigger memory corruption and be used to escalate privileges on the system. The flaw has been actively exploited and is likely to be used in targeted attacks to compromise Android devices.

Affected products: 235 Qualcomm chipsets

Tags: DIB, TLP:GREEN