ZeroFox Daily Intelligence Brief - March 5, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Authorities Take Down LeakBase, Seize Domains and Data
- Tycoon2FA Phishing Platform Disrupted, 330 Domains Seized
- LastPass Warns of New Phishing Campaign
Authorities Take Down LeakBase, Seize Domains and Data
Source: https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
What we know: The United States and allies have shut down the illicit forum LeakBase, seizing its data and two domains used to operate the platform. Authorities have also taken measures against 37 of the platform's most active users.
Context: The forum’s landing page has been replaced with a law enforcement seizure banner stating that users’ accounts, posts, credit details, private messages, and IP logs have been secured. Active since 2021 and backed by the ARES threat group, LeakBase grew to over 142,000 members, operating as a free-to-join cybercrime forum and marketplace offering leaked databases, exploits, and other illicit services.
Analyst note: Following the takedown, displaced members are likely to migrate to established data-leak and credential-trading communities such as BreachForums, Exploit[.]in, and XSS. Former members are likely to visit discussion forums like Dread to share updates and possible alternatives, verify arrests, warn others, and strategize where to regroup.
Tycoon2FA Phishing Platform Disrupted, 330 Domains Seized
What we know: Tycoon2FA, a phishing-as-a-service platform, has been disrupted, with 330 domains forming its core infrastructure (including phishing pages and attacker control panels) seized and taken offline.
Context: Tycoon2FA was a subscription-based phishing toolkit that enabled cybercriminals to intercept live authentication sessions and bypass multi-factor authentication. It generated millions of phishing emails monthly and facilitated unauthorized access to nearly 100,000 organizations worldwide, including schools, hospitals, and public institutions.
Analyst note: The disruption of Tycoon2FA is likely to cause short-term operational disruption among threat actors that relied on the service. However, it is unlikely to significantly reduce phishing activity in the long term, as the broader phishing-as-a-service ecosystem can adapt by shifting to alternative, more resilient infrastructure.
LastPass Warns of New Phishing Campaign
What we know: Password manager app LastPass is warning users of a phishing campaign designed to steal login credentials. This is the second such warning in 2026, with the last one reported in January 2026. LastPass added that its infrastructure has not been compromised, nor is there any impact on its systems.
Context: The phishing emails urge users to respond urgently to supposed suspicious activity by clicking a malicious link. The links redirect to the domain verify-lastpass[.]com, which mimics the LastPass login page. Indicators of compromise (IoCs) are detailed in LastPass's advisory.
Analyst note: Two-factor authentication (2FA) is likely to prevent less advanced phishing campaigns from succeeding, although it does not stop adversary-in-the-middle kits that relay the live session, as the Tycoon2FA item above illustrates. LastPass account compromise likely leads to account takeover attempts on other platforms and theft of sensitive files. Clicking malicious links is also likely to lead to malware installation, which can result in system-level compromise.
DEEP AND DARK WEB INTELLIGENCE
Hacktivist activity following Iran conflict: Following U.S. and Israeli airstrikes in Iran, ZeroFox has observed a number of pro-Iran hacktivist groups claiming cyberattacks against Israeli government, military and private entities on platforms like Telegram and BreachForums. Groups such as Moroccan Black Cyber Army, Handala Hack Team, and Conquerors Electronic Army claim to have launched everything from distributed denial-of-service (DDoS) attacks to breaches of industrial units. Pro-Russian hacktivist groups like Noname057(16) have also joined the attacks. The majority of claims are likely to be noise and attempts at undermining the target’s trust in its own systems. However, certain DDoS attacks are likely to cause temporary disruptions to targeted entity websites and other internet infrastructure.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-28289: This zero-click remote code execution (RCE) vulnerability in FreeScout, an open-source help desk and shared inbox, bypasses the fix for an earlier issue: a filename containing a zero-width space evades the upload validation and is then saved to disk as a dotfile. By sending a crafted email to a mailbox configured in FreeScout, attackers can write the payload to disk without authentication or user interaction and then request it to execute commands on the server. If exploited, this vulnerability is likely to give attackers full control of vulnerable FreeScout servers, leading to theft of helpdesk tickets, mailbox data, and other sensitive information handled by the platform.
Affected products: All FreeScout 1.8.206 installations running on Apache with AllowOverride All enabled
Tags: DIB, tlp:green