ZeroFox Daily Intelligence Brief - March 12, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Iran SITREP - Dubai Airport Targeted, Hacktivist Group Focuses on Major Manufacturer
- Compromised Nx Npm Package Led to Attacker Gaining Cloud Admin Access
- German and French Authorities Dismantle EUR 1 Million Online Fraud Scheme
Iran SITREP - Dubai Airport Targeted, Hacktivist Group Focuses on Major Manufacturer
- Dubai International Airport halted operations again on March 11 after projectiles struck the facility. Iranian targeting of the United Arab Emirates (UAE) has notably declined, but successful hits are increasing, suggesting a very likely decline in UAE interceptors and a likely decline in Iranian firepower.
- The International Energy Agency (IEA) supported releasing oil reserves to ease global oil prices. Despite the decision, oil prices resumed their climb as continued Iranian targeting offset market optimism from added supply.
- Among other ongoing cyber attacks and campaigns, on March 11, 2026, pro-Palestinian hacktivist group “Handala Hack Team” claimed responsibility for a cyberattack against a U.S.-based medical technology company at one of its largest hubs.
- Additionally, Iran has reportedly arrested media figures and those it accused of spying for foreign intelligence services, very likely out of paranoia over infiltration of the Islamic Republic by U.S. and Israeli intelligence.
- U.S. operations are likely to persist at least into the next week, which will continue to put upward pressure on global markets and likely contribute to increased prices across multiple sectors.
- Additionally, Iran’s Islamic Revolutionary Guard Corps (IRGC) has reportedly designated 29 technology infrastructure sites, including data centers and research facilities across Bahrain, Israel, Qatar, and the UAE, as potential retaliatory targets.
Compromised Nx Npm Package Led to Attacker Gaining Cloud Admin Access
Source: https://thehackernews.com/2026/03/unc6426-exploits-nx-npm-supply-chain.html
What we know: New research has documented the attack chain that completely compromised a victim organization’s cloud environment within 72 hours using stolen keys following last year’s supply chain compromise of the Nx npm package.
Context: The victim updated npm packages, including the compromised Nx library, leading to automatic execution of the QUIETVAULT credential stealer. The malware used AI to identify sensitive files and exfiltrated GitHub and npm API keys. These were leveraged to gain admin access in the cloud environment.
Analyst note: This instance indicates that threat actors are increasingly likely to breach cloud environments by compromising third-party dependencies, like the Nx npm library, and leveraging legitimate automation within CI/CD and developer workflows, rather than by attacking the cloud environment directly.
German and French Authorities Dismantle EUR 1 Million Online Fraud Scheme
Source: https://www.eurojust.europa.eu/news/judicial-cooperation-key-arresting-leaders-online-fraud-group
What we know: A Eurojust-led investigation has led to the dismantling of an online fraud scheme in Germany run by a criminal group suspected to have defrauded victims of EUR 1 million.
Context: The criminal group used phishing emails to gain access to login credentials for online banking to withdraw funds from their victims’ accounts. The stolen funds were then transferred to fake cryptocurrency accounts. The main suspect has been arrested, and German and French authorities have seized cryptocurrencies and jewellery linked to the fraud scheme.
Analyst note: The investigations are likely to unravel the criminal network responsible for the fraud scheme, leading to more arrests, seizures, and the dismantling of criminal infrastructure. Restitution for the victims is only likely after the long process of investigation and proceedings.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user Niphra: Untested threat actor “Niphra” is advertising a verified dataset from Sunrise Communications, one of Switzerland's major telecommunications companies, on BreachForums. Niphra claims it contains over 6 million customer records with personally identifiable information and payment details. At the time of reporting, the post is labeled as “Verified.” This likely indicates that a forum moderator has authenticated the legitimacy of the dataset. The alleged 6 million records from Sunrise Communications represent a large dataset from a major telecom provider, which is likely attractive to other forum users for bulk resale, spam campaigns, and credential harvesting.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Intel UEFI vulnerabilities: Intel has disclosed nine vulnerabilities in the Unified Extensible Firmware Interface (UEFI) firmware affecting certain reference platforms. Five of the flaws are rated high severity and could enable local code execution, privilege escalation, and information disclosure. Threat actors are likely to exploit unpatched versions to gain control of affected devices before operating systems load, enabling code execution and bypassing security controls.
Affected products: The list of affected products is included in this advisory.
Tags: DIB, tlp:green