
ZeroFox Daily Intelligence Brief - March 16, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • INTERPOL Disrupts 45,000 IP Addresses and Servers Linked to Cybercrime
  • Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Installers
  • Iran SITREP: Dubai Airport Fire, Trump Seeks NATO Support, Japan Releases Reserve

INTERPOL Disrupts 45,000 IP Addresses and Servers Linked to Cybercrime

Source: https://www.interpol.int/News-and-Events/News/2026/45-000-malicious-IP-addresses-taken-down-in-international-cyber-operation

What we know: INTERPOL-coordinated law enforcement action “Operation Synergia” has taken down over 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware activities. In total, 212 electronic devices and servers were seized.

Context: Macau authorities seized over 33,000 phishing and fraudulent servers connected to fake casinos and critical infrastructure. In Togo, 10 cybercrime suspects were arrested for hijacking social media accounts and carrying out romance scams and sextortion. In Bangladesh, 40 suspects were arrested for running loan and job scams, identity theft, and credit card fraud.

Analyst note: The law enforcement action will likely disrupt related cybercriminal operations in the short term. However, the broader networks are likely controlled by organized crime syndicates in various regions, and unless their leadership is arrested, these illicit activities are likely to resume once the cybercrime infrastructure is rebuilt.

Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Installers

Source: https://www.theregister.com/2026/03/13/vpn_clients_spoofed/

What we know: Threat group Storm-2561 has conducted a campaign using SEO poisoning to redirect users searching for enterprise VPN software to malicious websites. Victims were tricked into downloading trojanized VPN installers hosted on GitHub that appeared legitimate but secretly installed malware.

Context: The installer sideloads malicious files to display a fake VPN login prompt that captures usernames and passwords and sends them to an attacker-controlled command-and-control server.

Analyst note: Although this credential-theft campaign does not involve destructive tactics, its impact largely depends on whether the compromised VPN accounts are protected by multi-factor authentication (MFA). Where MFA is not enforced on the VPN, attackers are likely to use the stolen credentials to access the corporate network, move laterally, and exfiltrate data.
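A practical first check for the campaign described above is to hunt proxy logs for enterprise VPN installers fetched from anywhere other than the vendor's own download hosts, since legitimate clients should never arrive from GitHub release assets or random mirrors. The script below is an added example and is not code from ZeroFox or from the source article; the log format, the vendor host allowlist, the filename keywords, and the sample log lines are all constructed assumptions that you would replace with your own proxy's format and software catalogue.

```python
"""Hunt proxy logs for VPN client installers downloaded from non-vendor hosts.

Added example, not ZeroFox's or the source article's code. The log format,
VENDOR_DOWNLOAD_HOSTS, VPN_KEYWORDS and SAMPLE_LOG are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed: hosts from which your estate legitimately fetches VPN clients.
# Placeholders only; populate from your software catalogue. Subdomains of
# an allowed host are treated as allowed too.
VENDOR_DOWNLOAD_HOSTS = {
    "downloads.vpnvendor.example",
    "software.corp.example",
}

# Assumed: filename fragments that mark a VPN client installer. Extend with
# the product names actually deployed in your environment.
VPN_KEYWORDS = ("vpn",)
INSTALLER_EXT = (".exe", ".msi", ".pkg", ".dmg")

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)

# Constructed sample lines: one vendor download, a GitHub release redirect and
# its asset fetch (the hosting pattern the brief describes), a PDF that merely
# mentions VPN, and an installer from an unknown mirror.
SAMPLE_LOG = """\
2026-03-13T09:14:02Z 10.20.4.17 GET https://downloads.vpnvendor.example/client/vpnclient-5.2.1.msi 200
2026-03-13T09:31:45Z 10.20.4.52 GET https://github.com/someuser/vpn-client/releases/download/v1.0/EnterpriseVPN-Setup.exe 302
2026-03-13T09:31:46Z 10.20.4.52 GET https://objects.githubusercontent.com/github-production-release-asset/EnterpriseVPN-Setup.exe 200
2026-03-13T09:40:00Z 10.20.4.88 GET https://cdn.example.net/tools/vpn-guide.pdf 200
2026-03-13T09:41:00Z 10.20.4.88 GET https://mirror.example.org/SecureVPN_installer.exe 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_vpn_installer_url(url):
    """True when the URL's final path component looks like a VPN installer."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name.endswith(INSTALLER_EXT) and any(k in name for k in VPN_KEYWORDS)


def host_is_allowed(host, allowed_hosts):
    """Exact match or subdomain of an allowlisted vendor host."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def find_suspicious_installer_downloads(lines, allowed_hosts=VENDOR_DOWNLOAD_HOSTS):
    """Return every VPN installer request whose host is not a vendor host.

    Status codes are recorded but not filtered on: the 302 from the GitHub
    release page is as useful to the analyst as the 200 for the asset itself.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_vpn_installer_url(rec["url"]):
            continue
        host = urlparse(rec["url"]).hostname or ""
        if not host_is_allowed(host, allowed_hosts):
            hits.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "host": host,
                "status": rec["status"],
                "url": rec["url"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_installer_downloads(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]} ({hit["status"]}) {hit["url"]}')
```

Each hit identifies the client that fetched the installer, which is the machine to check for a fake login prompt and the account whose VPN password should be reset. GitHub hosts plenty of legitimate software, so tune the allowlist rather than blocking the hosts outright; the point is that a VPN client should only ever come from the vendor or your own software distribution.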

Iran SITREP: Dubai Airport Fire, Trump Seeks NATO Support, Japan Releases Reserve

  • Flights have been temporarily suspended and some diverted from Dubai’s international airport after a fire broke out on March 16, 2026, due to a drone attack. The fire, which affected one of the airport’s fuel tanks, has been contained.
  • Meanwhile, on March 13, 2026, the United States began deploying a Marine Expeditionary Unit (MEU), together with an accompanying U.S. Navy amphibious ready group, to the Middle East in support of Operation Epic Fury. The deployment of an amphibious-capable MEU to the conflict zone is almost certainly designed to give President Trump options in the event of a larger escalation.
  • President Trump called on NATO nations and China to send warships to help open up the Strait of Hormuz for oil tankers or face consequences. ZeroFox assesses that the U.S. has likely exhausted all means to alleviate oil shortages short of reopening the Strait of Hormuz (SoH). Conditions for an energy price shock will likely be met if the conflict extends into April.
  • Vietnam is preparing for possible flight reductions starting in April, especially on domestic routes, because of a jet fuel export ban imposed by China and Thailand. Additionally, Japan has started releasing oil from its reserves.
  • In cyberspace, Iranian state media and an Israeli daily business and economics newspaper reported that a cyberattack had struck the Israeli railway, allegedly disabling its network systems. Coordinated cyber operations targeting government infrastructure and private-sector entities continue across Israel, Iran, and other Middle Eastern countries.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Insider005: Untested threat actor "Insider005" has advertised a complete database allegedly belonging to the dark web forum BreachForums for USD 10,000 on Exploit, a predominantly Russian-language rival forum. The database, allegedly exfiltrated on March 10, 2026, contains 346,323 user records, including private messages, logs, posts, threads, invoices, and transaction details. The database is unlikely to contain new records, as there have been multiple alleged breaches linked to BreachForums in the recent past whose data the threat actor could be recycling.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-3909 and CVE-2026-3910: Google has released an emergency update for Google Chrome 146 to patch two actively exploited zero-day vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910. The flaws affect the Skia graphics library and the V8 JavaScript engine, respectively. The vulnerabilities are likely to enable attackers to execute arbitrary code via a malicious web page, leading to system compromise. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

Affected products: The affected products are included in Google’s advisory.

Tags: DIB, TLP:GREEN