ZeroFox Daily Intelligence Brief - March 13, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- SocksEscort Residential Proxy Network Disrupted for Enabling Large-Scale Criminal Activities
- Former Ransomware Negotiator Charged for Acting as BlackCat Affiliate
- Iran SITREP - U.S. Aircraft Crashes, NATO Defends Turkey Air Base, IS Supporter Kills One in U.S.
SocksEscort Residential Proxy Network Disrupted for Enabling Large-Scale Criminal Activities
What we know: Law enforcement has disrupted the SocksEscort proxy network, which allegedly compromised 369,000 routers and IoT devices and sold access to over 35,000 proxy nodes. Researchers previously disrupted the network in 2023, but operators later rebuilt the infrastructure and resumed infections using AVRecon malware.
Context: Investigators linked the SocksEscort proxy network to crimes including a USD 1 million cryptocurrency theft, USD 700,000 in fraud against a Pennsylvania manufacturer, and USD 100,000 in fraud targeting military personnel. Proxy networks like SocksEscort are commonly used by threat actors to route malicious traffic through legitimate residential IP addresses.
Analyst note: Blocking over 35,000 proxy nodes is likely to decrease malicious traffic routed through residential IPs in the short term. However, given that operators previously rebuilt the AVRecon botnet, threat actors are likely to reconstitute the proxy network or migrate to other residential proxy services in the near term.
Former Ransomware Negotiator Charged for Acting as BlackCat Affiliate
Source: https://www.documentcloud.org/documents/27872081-angelo-martino-charges/
What we know: The U.S. Department of Justice has charged an individual for participating in a scheme that secretly collaborated with the BlackCat (ALPHV) ransomware operation while working as a ransomware negotiator for a security company.
Context: The individual acted as an affiliate of the BlackCat ransomware operation, carrying out ransomware attacks and demanding payments while threatening to leak stolen victim data. In return for using the group’s ransomware tools and extortion infrastructure, they reportedly paid 20 percent of the collected ransom to the BlackCat administrators.
Analyst note: The insider knowledge of ransomware negotiation processes gathered by the individual is likely to enhance the effectiveness of future extortion campaigns. The group is likely to exploit privileged knowledge of victim decision-making, negotiation strategies, and payment thresholds to maximize the likelihood that victims give in to extortion demands, including demands on the size of ransom payments.
Iran SITREP - U.S. Aircraft Crashes, NATO Defends Turkey Air Base, IS Supporter Kills One in U.S.
- A U.S. refuelling aircraft went down over western Iraq after an “incident” involving two aircraft during Operation Epic Fury. The U.S. military said it was not due to hostile or friendly fire.
- NATO air defenses reportedly intercepted and shot down missiles coming from Iran at Incirlik Air Base in southern Turkey, a major NATO facility. Meanwhile, the Iran-linked Iraqi militant group Ashab Alkahf has warned that French interests in Iraq and the wider region could be targeted. This came after a French soldier was killed in an attack in Erbil.
- In the United States, a convicted Islamic State (IS) supporter killed one person in a shooting at a Virginia university, while in Michigan an individual crashed a truck into a synagogue and preschool. ZeroFox assesses that Iran almost certainly maintains extensive IRGC Qods Force and Hezbollah-linked networks in Europe and North America, potentially enabling surveillance or attacks.
- Thick black smoke rose over Al Quoz industrial area in Dubai after a fire; officials said debris from a successful interception caused minor building damage, with no reported injuries. Israel’s Ambassador to the United States Yechiel Leiter said Israel struck checkpoints linked to Iran’s Basij paramilitary forces in Tehran.
- U.S. Treasury Secretary Scott Bessent announced a temporary authorization allowing countries to buy Russian oil to stabilize markets disrupted by the Iran war. Iran has also broadened its attacks against shipping assets, pushing up the price of oil—likely over concerns about the length of the war.
- Iran-linked hackers posing as pro-Palestinian hacktivists, such as “Handala”, are reportedly a front for the Iran state-linked APT “Void Manticore.” They are also reportedly collaborating with non-state cybercriminals to carry out disruptive cyberattacks. Separately, Poland thwarted a cyberattack on its nuclear research centre and is investigating possible Iranian involvement.
DEEP AND DARK WEB INTELLIGENCE
Telus breach: Canadian business process outsourcing (BPO) giant Telus has confirmed a cybersecurity incident involving unauthorized access to some of its systems. At the same time, the ShinyHunters extortion group reportedly claimed responsibility for the attack, saying it has stolen 700 TB of data from Telus. The unverified sample data reportedly contains information on at least two dozen companies, including personally identifiable information (PII), call data and recordings, FBI background check information, and source code. The threat actor group is likely to exaggerate the scale and significance of the alleged data theft, as Telus has stated that the intrusion has not affected its operations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Veeam Software security patches: Veeam Software has patched multiple vulnerabilities, including four critical remote code execution (RCE) flaws. Critical flaws CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669 enable RCE on vulnerable backup servers by low-privileged domain users, while the fourth flaw, CVE-2026-21708, enables a Backup Viewer to gain RCE as the postgres user. Threat actors are likely to exploit vulnerable systems to steal sensitive enterprise data backed up using the software. Exploitation is also likely to make recovery of encrypted or exfiltrated data difficult.
Affected products: Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067
Tags: DIB, tlp:green