ZeroFox Daily Intelligence Brief - March 17, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Iran SITREP: Blast at UAE Oil Field, 245 Percent Increase in Cybercrime
- INTERPOL to Launch Operation Shadow Storm
- Operation ATLANTIC Targets Crypto Theft via Approval Phishing
Iran SITREP: Blast at UAE Oil Field, 245 Percent Increase in Cybercrime
- A drone attack caused a fire at Fujairah oil field in the United Arab Emirates (UAE). UAE authorities said no one has been injured in the blast. The UAE has also lifted a brief airspace closure on the morning of March 17, 2026.
- Newly appointed Iranian Supreme Leader Mojtaba Khamenei is reportedly injured and being managed by the Islamic Revolutionary Guard Corps (IRGC). ZeroFox assesses that any negotiations for a ceasefire will almost certainly have to meet the very likely hardline demands of the IRGC.
- Canada, France, Germany, Italy and Britain issued a joint statement discouraging a potential Israeli ground offensive in Lebanon, citing devastating humanitarian consequences. More than 1 million people have been displaced in Lebanon due to the fighting between Iran-backed Hezbollah militants and Israel.
- European Union countries rejected President Trump’s call to send warships to secure the Strait of Hormuz, saying that it was not their war. EU diplomat Kaja Kallas added that they already have the Red Sea naval force in the region, called Operation Aspides, which will continue to ensure freedom of navigation.
- Cybercrime has reportedly increased by 245 percent since the start of the Iran war, with threat actor activity ranging from credential harvesting to automated reconnaissance traffic. Banking and fintech sectors have been hit the hardest. Meanwhile, the EU sanctioned one Iranian company and two China-based firms for cyber attacks against EU member states.
INTERPOL to Launch Operation Shadow Storm
What we know: INTERPOL is launching Operation Shadow Storm to crack down on hard-to-trace criminal leaders behind expanding scam centres. The organization disclosed how co-ordinated crime networks are using novel cybercriminal methods, including AI-automated fraud, sextortion, and crypto scams, in "polycriminality," some of which even fund terrorist groups.
Context: Operation Shadow Storm will focus on cybercriminals running regional scam centres that mostly consist of trafficked humans who are forced into committing large-scale online frauds. These criminal leaders hide their tracks using intermediaries and shell companies, even when scam centres are seemingly shut down.
Analyst Note: Information deduced from this operation will likely help track down links to similar networks in different parts of the world. These criminals often have secret communication channels and devices that are likely to undergo advanced forensic analysis to prepare future defense strategies.
Operation ATLANTIC Targets Crypto Theft via Approval Phishing
Source: https://www.nationalcrimeagency.gov.uk/news/operation-atlantic
What we know: Law enforcement agencies have launched Operation ATLANTIC to identify victims of crypto asset theft through approval phishing scams and help prevent further losses. The operation also aims to recover stolen funds and dismantle fraud networks that exploit users by gaining unauthorized access to their crypto wallets.
Context: Approval phishing scams and fake investment schemes use fake prompts posing as trusted services to trick victims into approving wallet access, enabling attackers to drain funds through unauthorized transactions that are typically irreversible and hard to recover.
Analyst Note: It is likely that victims of certain scams like pig butchering are already trapped and are particularly vulnerable to approval phishing scams, as prolonged manipulation increases the likelihood of approving malicious access requests.
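The approval step described above can be checked before a transaction is signed. The following is an added example, not part of the original brief or of Operation ATLANTIC's tooling: it assumes the wallets in question are on EVM chains, where "approving wallet access" takes the form of the standard ERC-20 approve and ERC-721 setApprovalForAll calls, and it decodes a transaction's calldata to flag unlimited approvals to spenders that are not on an allow-list. The function name, the threshold and the sample addresses are constructed for illustration.

```python
# Added example: classify the approval an EVM transaction would grant.
# Selectors are the standard ERC-20 / ERC-721 ones; sample data is constructed.

APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED_THRESHOLD = 2**255       # assumption: anything this large is effectively unlimited


def inspect_calldata(calldata_hex, trusted_spenders=frozenset()):
    """Return a dict describing the approval being granted, or None if not an approval."""
    data = calldata_hex.lower().removeprefix("0x")
    # 4-byte selector plus two 32-byte ABI words = 136 hex characters
    if len(data) < 136:
        return None
    try:
        bytes.fromhex(data[:136])
    except ValueError:
        return None  # not valid hex, refuse to interpret
    selector, word1, word2 = data[:8], data[8:72], data[72:136]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    spender = "0x" + word1[24:]  # an address is the low 20 bytes of its word
    value = int(word2, 16)
    finding = {"spender": spender, "trusted": spender in trusted_spenders}
    if selector == APPROVE:
        finding["kind"] = "erc20_approve"
        finding["amount"] = value
        finding["unlimited"] = value >= UNLIMITED_THRESHOLD
    else:
        finding["kind"] = "set_approval_for_all"
        finding["unlimited"] = value != 0  # true covers every token in the collection
    finding["revocation"] = value == 0     # zero amount / false revokes access
    finding["high_risk"] = finding["unlimited"] and not finding["trusted"]
    return finding


# Constructed sample inputs (addresses are placeholders, not real indicators).
SPENDER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE + "00" * 12 + "ab" * 20 + "ff" * 32
SAMPLE_REVOKE = "0x" + APPROVE + "00" * 12 + "ab" * 20 + "00" * 32
SAMPLE_NFT_ALL = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "ab" * 20 + "00" * 31 + "05"

if __name__ == "__main__":
    for name in ("SAMPLE_UNLIMITED", "SAMPLE_REVOKE", "SAMPLE_NFT_ALL", "SAMPLE_TRANSFER"):
        print(name, inspect_calldata(globals()[name]))
```

A wallet front end or transaction-monitoring job could call this on each pending transaction and warn on any result with high_risk set; a revocation result is the benign case, since it removes a previously granted approval.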
DEEP AND DARK WEB INTELLIGENCE
RehubCom user t2m3g: Untested threat actor "t2m3g" has advertised cloud console and remote desktop protocol (RDP) access to FIFA-related servers on Russian-language dark web forum RehubCom. The actor did not disclose pricing or proof of access, instead inviting potential buyers to make contact via private messages. If the claims are true, access to systems linked to FIFA could expose important communications, event planning, or vendor data.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-47813: CISA has warned U.S. agencies of an already patched vulnerability which can still be exploited as part of a chained remote code execution (RCE) attack. This high-severity information disclosure flaw in Wing FTP Server enables low-privileged actors to leak the application's local installation path via a malformed UID cookie. When combined with other critical bugs like CVE-2025-47812 and CVE-2025-27889, it enables attackers to steal passwords and execute arbitrary code on servers used by major global organizations.
Affected products: Wing FTP Server versions prior to 7.4.4
Tags: DIB, tlp:green