ZeroFox Daily Intelligence Brief - March 9, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Europol Dismantles Globally Coordinated Criminal Web
  • Fake SSA Emails Deliver Remote Access Trojan
  • Iran SITREP - Iran’s New Supreme Leader Announced, Israel Targets Oil Storages in Iran, and Other Developments

Europol Dismantles Globally Coordinated Criminal Web

Source: https://www.europol.europa.eu/media-press/newsroom/news/small-swedish-town-to-global-crime-network-international-operation-strikes-top-tier-organised-crime

What we know: Operation Candy, a Europol-led effort, has exposed multiple criminal networks dealing in synthetic drugs and involved in large-scale money laundering. The operation has resulted in 15 arrests and the seizure of 4 million euros and 1.2 tonnes of synthetic drugs.

Context: The discovery comes after Swedish authorities seized two phones from local criminals in November 2023. Forensic investigation of the phones revealed encrypted communications, international contacts, and global operational details related to cross-continental crime groups.

Analyst Note: Authorities are likely to use the obtained data to map networks of crime groups that operate independently but share logistics and financial infrastructures.

Fake SSA Emails Deliver Remote Access Trojan

Source: https://hackread.com/social-security-scam-emails-fake-tax-doc-hijack-pc/

What we know: A new phishing campaign is impersonating the Social Security Administration (SSA) and stealing data from thousands of users in the United States. Threat actors send emails containing malicious tax statements, exploiting the tax season to create urgency.

Context: The scam works by weaponizing a legitimate remote monitoring and management (RMM) tool called “Datto RMM” to evade standard antivirus detection. If victims click on the malicious PDF links, a remote access trojan is installed. This gives the attacker complete control over their systems to steal private data.

Analyst Note: Peak periods of high online activity, such as tax season, are often exploited by attackers to craft phishing emails that create urgency and trick victims into downloading malware that infects their systems. This campaign is likely to facilitate large-scale identity theft and tax fraud by harvesting personal data from compromised systems.

Iran SITREP - Iran’s New Supreme Leader Announced, Israel Targets Oil Storages in Iran, and Other Developments

  • The Assembly of Experts announced Mojtaba Khamenei as the new Supreme Leader of Iran on March 8, 2026.
  • Israel has targeted Iranian oil facilities for the first time in the current conflict. Strikes were conducted against at least three oil storage facilities: two in the Tehran area and one in Alborz province. ZeroFox assesses this to be an effort to choke off Iran’s revenue and limit its ability to rearm.
  • Iran is almost certainly seeking to degrade air defense capabilities across the region in an effort to force Gulf states to put pressure on the United States to end hostilities. Radar sites associated with the U.S.-built Terminal High Altitude Area Defense (THAAD) missile systems have been targeted by Iranian attacks in recent days, while sites in Jordan and Saudi Arabia have reportedly been struck.
  • Kuwait Petroleum Corporation (KPC) began cutting oil production on Saturday and declared force majeure, adding to cuts in oil production across the region. Additionally, both Iran and the combined U.S. and Israeli forces have struck desalination plants across the region.
  • Separately, the U.S. DOJ has moved to seize over USD 15 million from a "shadow" shipping network used to launder Iranian and Russian oil profits to fund designated terrorist organizations.

DEEP AND DARK WEB INTELLIGENCE

Handala Hack Team: Iran-linked hacktivist collective “Handala Hack Team” has claimed to have compromised the Israel Institute for National Security Studies (INSS), allegedly maintaining persistent access to classified meetings and secret correspondence. The group claims to have stealthily recorded high-level decision-making sessions, which it plans to release publicly. The Handala Hack Team has consistently targeted prominent Israeli institutions with high-profile breach claims in the past. The intent is likely to undermine confidence in Israel’s security infrastructure through such narratives.

VULNERABILITY AND EXPLOIT INTELLIGENCE

22 Vulnerabilities Discovered in Firefox: New vulnerabilities in Firefox have been identified using Anthropic’s Claude Opus 4.6 AI model. These include 14 high-severity flaws and a critical logical error in the Just-In-Time (JIT) compiler of the browser's JavaScript engine, tracked as CVE-2026-2796. While most flaws are addressed in Firefox 148, the model’s ability to generate raw exploits highlights a significant shift toward AI-driven vulnerability research, enabling the detection of complex logic errors that traditional automated tools are likely to miss.

Affected products: Versions prior to Firefox 148

Tags: DIB, tlp:green