ZeroFox Daily Intelligence Brief - March 19, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Europol Targets Terrorist Audio Propaganda Online
  • Multi-Actor Campaign Uses DarkSword to Steal Sensitive Data from iPhones
  • Iran SITREP: Israel Strikes South Pars, Kills Iranian Intelligence Minister

Europol Targets Terrorist Audio Propaganda Online

Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-largest-referral-action-targeting-terrorist-audio-propaganda

What we know: In a large coordinated operation, deemed to be its largest Referral Action Day, Europol has flagged 17,298 URLs hosting terrorist audio propaganda across 40 platforms. Investigators reviewed over 1,100 hours of content, with 77 percent removed following platform moderation processes.

Context: The operation focused on the growing use of audio-based platforms, which are more difficult to disrupt because they require linguistic nuance and contextual understanding. This, in turn, allows propaganda material to persist, making it easily accessible to individuals vulnerable to radicalisation.

Analyst note: Amid the ongoing conflict in the Middle East, Western countries are likely to experience influence operations through less detectable channels, such as audio. As a consequence, cybersecurity guidelines will likely be revised to address these risks.

Multi-Actor Campaign Uses DarkSword to Steal Sensitive Data from iPhones

Source: https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/

What we know: Threat actors of varying geopolitical connections are deploying the DarkSword exploit kit against iPhones running iOS 18.4 to 18.7. The actors then exfiltrate sensitive data, including cryptocurrency wallet information, messages, location history, and credentials. After exfiltrating the data, the DarkSword exploit kit deletes temporary files and exits.

Context: The DarkSword exploit kit has been used by multiple actors, including UNC6353 (suspected to be Russia-linked), UNC6748, and customers of PARS Defense, targeting users across Saudi Arabia, Turkey, and Malaysia. The actors have been observed exploiting known vulnerabilities that Apple has already patched, such as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Analyst note: Given that the DarkSword exploit kit exits quickly after data exfiltration, this tactic likely supports targeted intelligence gathering alongside financial objectives. It enables short-term espionage as well as monetization aligned with state goals of generating revenue streams that can support their operations or sanctioned economies.

Iran SITREP: Israel Strikes South Pars, Kills Iranian Intelligence Minister

  • Israel struck Iran’s South Pars gas field, while also killing intelligence minister Esmail Khatib and other senior figures. In retaliation, Iran targeted Qatar's Ras Laffan Industrial City, damaging a major LNG facility.
  • A projectile of unconfirmed origins struck near the Bushehr Nuclear Power Plant in Iran, but no damage or injuries were reported.
  • Oil prices escalated after the strike on Iran’s South Pars gas field and the retaliation at Ras Laffan Industrial City: Brent crude rose above USD 110, while the United Kingdom’s gas prices also jumped about 6 percent to approximately 140 pence per therm.
  • Iran is permitting a small number of vessels through the Strait of Hormuz (SoH), most of which are bound for countries with which Iran maintains relations, such as India and China. While Iran claims the SoH is open except for vessels associated with the United States and Israel, shipowners are likely wary of passing through.
  • The United States is considering deploying thousands of additional troops to the Middle East as part of its campaign against Iran, with options including securing the Strait of Hormuz and potentially targeting key sites like Kharg Island.
  • Amid the ongoing conflict, pro-Iran and pro-Russian hacktivist groups have launched cyberattacks targeting government and private-sector entities across Israel and other regions, including data leaks and DDoS attacks. Groups such as “INDOHAXSEC” and “NoName057(16)” have claimed breaches, data exfiltration, and service disruptions.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user vexin: Threat actor “vexin” has advertised cloud access to multiple companies across India, Brazil, Colombia, and the Netherlands. The actor claims that the access includes entry into cloud environments of firms spanning IT services, consulting, manufacturing, and business solutions providers. If the actor's claims are true, the access is likely to support reconnaissance into victim networks, intellectual property theft, and backdoor placement, increasing long-term risk even after initial access is sold or used.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-32746: This bug enables unauthenticated remote code execution via port 23 using crafted SLC messages during the pre-authentication handshake, granting root-level access. Threat actors are likely to exploit this bug in unpatched systems to maintain access and move across connected networks, especially where internal segmentation and access controls are limited.

Affected products: GNU InetUtils telnet daemon

CVE-2026-3564: ConnectWise has confirmed this critical vulnerability in ScreenConnect, which could enable attackers to bypass authentication and gain unauthorized access. The flaw enables extraction of ASP.NET machine keys, potentially leading to session hijacking and privilege escalation, with reports of attempted abuse observed in the wild. Exploiting this vulnerability can likely lead to threat actors forging authenticated sessions and bypassing login controls on victim devices.

Affected products: ScreenConnect versions prior to 26.1

Tags: DIB, tlp:green