ZeroFox Daily Intelligence Brief - March 10, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Russia is Reportedly Hacking Signal and WhatsApp Accounts in Global Campaign
- ShinyHunters Allegedly Stole Data from 100 High-Profile Companies
- Iran SITREP - Oil Price Fluctuates, Missile Strikes, and Expanding Cyber Activity
Russia is Reportedly Hacking Signal and WhatsApp Accounts in Global Campaign
What we know: Two Dutch intelligence agencies are warning that Russian state-backed hackers are engaged in a global campaign to compromise the Signal and WhatsApp accounts of government and military personnel, including those of Dutch government employees. The agencies assess that journalists of interest to the Russian state are likely to be targeted as well.
Context: Threat actors are primarily using phishing and social engineering to take over accounts or to link their own devices to victims' accounts. In an X post, Signal clarified that its infrastructure has not been compromised. Ukraine had earlier warned of multiple such Russian attacks targeting instant messaging platforms to gather intelligence.
Analyst note: Compromised accounts of high-level individuals are likely to be used in further phishing attacks. Russia has likely expanded the campaign from Ukraine in response to the ongoing Iran conflict and concurrent discussions within the European Union (EU) regarding a potential energy crisis, which can be leveraged for geopolitical advantage.
ShinyHunters Allegedly Stole Data from 100 High-Profile Companies
Source: https://www.theregister.com/2026/03/09/shinyhunters_claims_more_highprofile_victims/
What we know: The ShinyHunters extortion gang is reportedly claiming to have stolen Salesforce customer data from 100 high-profile companies, including Salesforce itself, password manager LastPass, and cloud data platform Snowflake.
Context: This comes after a recent Salesforce warning that a “known threat actor group” was scanning for misconfigured Experience Cloud sites that potentially give guest users access to more data than intended. Salesforce added that the attackers are using a modified version of an open source tool to mass-scan public-facing Experience Cloud sites.
Analyst note: The ShinyHunters extortion group is very likely expanding the number of claimed victims because of limited success in securing ransom payments, as a strategy to increase pressure and perceived seriousness. The data stolen by ShinyHunters likely has limited use beyond phishing or social engineering campaigns.
Iran SITREP - Oil Price Fluctuates, Missile Strikes, and Expanding Cyber Activity
- On March 10, 2026, oil prices fell after U.S. President Donald Trump suggested the Middle East war involving Iran could end soon. This development follows oil prices surging to over USD 116 the previous day.
- Iran continued firing missiles and drones at regional targets, including Bahrain, Saudi Arabia, and Iraq. Saudi Arabia warned Iran to cease its attacks on regional states.
- Two Iranian ships reportedly departed a Chinese chemical storage port this week, raising questions about China’s support to Iran amid the conflict. It is very unlikely China will become militarily involved, but it is almost certain it will continue to provide material support to Iran.
- Saudi Arabia and the UAE have increased their use of pipelines designed to bypass the Strait of Hormuz, with the Saudi East-West pipeline capable of moving five million barrels a day and the UAE’s pipeline to the Gulf of Oman capable of moving 1.5 million barrels a day.
- Cyber operations continue across Israel, Iran, and other Middle Eastern countries. These activities appear to be driven primarily by pro-Iranian, pro-Palestinian, pro-Israel, anti-Iran, and pro-Russian hacktivist collectives and actors, including “NoName057(16),” “Cardinal,” “Islamic Cyber Resistance in Iraq,” “shenira6core,” and “Hider_Nex.” The actors claim to carry out several types of attacks, including distributed denial-of-service (DDoS), website defacement, data exfiltration, and intrusions into industrial control systems (ICS).
- Meanwhile, the Iran-linked advanced persistent threat (APT) group MuddyWater reportedly breached several U.S. organizations in early February. The group established access in sectors including banking and aviation, as well as at a software development firm linked to Israeli operations. The timing of the activity likely suggests the campaign is connected to the ongoing conflict in the Middle East.
- Separately, the United States has convicted a contract killer of attempting to commit terrorism after authorities said he was sent by the Iran-linked Islamic Revolutionary Guard Corps (IRGC) to arrange political assassinations and steal documents, a plot that was ultimately foiled by law enforcement.
DEEP AND DARK WEB INTELLIGENCE
Exploit user Rythem: An untested threat actor, “rythem,” has advertised Turkey-based hotel reservation data. The dataset allegedly contains 730,000 reservation records, including bookings linked to government officials and other high-profile individuals. Given that the records allegedly involve high-profile individuals in Turkey, intelligence-gathering threat actors are likely interested in the data for surveillance, profiling travel patterns, or identifying meeting locations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-1603: This authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) can enable a remote threat actor to access specific stored credential data on affected versions. Threat actors are likely to extract stored credentials to gain unauthorized access to enterprise systems. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalogue.
Affected products: Ivanti Endpoint Manager (EPM) 2024 SU4 SR1 and prior
Tags: DIB, tlp:green