ZeroFox Daily Intelligence Brief - March 20, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Authorities Seize Key Infrastructure Powering Large-Scale Global DDoS Campaigns
- U.S. Authorities Charge Corporate Insiders in AI Technology Smuggling Conspiracy
- Iran SITREP: Israel Strikes Syria, UAE Disrupts Terrorist Network, FBI Seizes Handala Domains
Authorities Seize Key Infrastructure Powering Large-Scale Global DDoS Campaigns
What we know: Law enforcement has disrupted the Aisuru, KimWolf, JackSkid, and Mossad botnets, which were used to launch large-scale distributed denial-of-service (DDoS) attacks against victims worldwide. Authorities also executed seizure warrants targeting domains, servers, and supporting infrastructure, aiming to cut off botnet command-and-control communications and prevent further attacks.
Context: The four botnets infected over 3 million devices globally, primarily internet of things (IoT) devices such as routers, webcams, and digital video recorders, many of which were hijacked despite sitting behind firewalls. The operators of this illicit infrastructure monetized access through a cybercrime-as-a-service model, using the compromised devices to launch hundreds of thousands of DDoS attacks worldwide.
Analyst note: This operation will likely drive an increase in demand and pricing for access to other botnets on underground markets while supply is temporarily constrained. A shift toward exploiting new device classes and vulnerabilities is also likely, as attackers look to rebuild infrastructure.
U.S. Authorities Charge Corporate Insiders in AI Technology Smuggling Conspiracy
What we know: United States authorities have charged three individuals with conspiring to unlawfully divert high-performance computer servers to China. The indictment alleges the defendants circumvented U.S. export control laws by shipping servers equipped with sensitive artificial intelligence technology and restricted graphics processing units (GPUs), valued at billions of dollars.
Context: The defendants allegedly utilized a Southeast Asian intermediary as a "straw buyer," claiming the servers were for regional use while secretly rerouting them to China in unmarked packaging. To evade detection, they also falsified records and staged thousands of "dummy" server replicas to mislead authorities.
Analyst note: The U.S. Department of Commerce restricts the export and reexport of items such as advanced AI chips because they could make a significant contribution to the military potential or nuclear proliferation of adversarial nations. Financially motivated, high-value insiders such as those in this case are likely to enable adversarial states to advance their military capabilities, using the obtained AI technology to develop autonomous weapons and enhance their defense infrastructure.
Iran SITREP: Israel Strikes Syria, UAE Disrupts Terrorist Network, FBI Seizes Handala Domains
- A drone attack sparked a fire at several units of Kuwait’s Mina Al-Ahmadi oil refinery early on March 20, 2026. The fire is being brought under control and no injuries have been reported. Additionally, Israel’s military on Friday confirmed strikes on sites in Syria in response to attacks against the Druze population. This marks the first Israeli attack on Syria since the start of the Iran war.
- The United Arab Emirates (UAE) disrupted “a terrorist network funded and operated by Lebanon’s Hezbollah and Iran.” Five individuals were arrested for alleged money laundering operations linked to a terrorist network, operating under a fake commercial cover.
- A liquefied natural gas (LNG) shortage is forcing the ceramics and steel industries in India to cut production. The global gas market outlook has reportedly been altered by Iran’s attack on the world’s largest LNG hub at Qatar’s Ras Laffan, with resumption now depending on the extent of the damage and the repairs required.
- The FBI seized four domains belonging to Iran-linked hacker groups, including that of hacktivist group Handala Hack Team. These domains were used by Iran’s Ministry of Intelligence and Security (MOIS) for attempted psychological operations targeting adversaries of the regime. The Handala Hack Team confirmed the seizure and also announced the launch of a new domain.
- CISA has released an advisory directing U.S. organizations to strengthen endpoint management system configurations following an Iran-linked cyberattack on an American medical technology company. Meanwhile, Iranian APTs reportedly showed increased infrastructure activity six months prior to Operation Epic Fury.
DEEP AND DARK WEB INTELLIGENCE
Reported data breach at Navia: Navia Benefit Solutions disclosed a data breach impacting about 2.7 million individuals after "an unauthorized actor" accessed its systems between December 22, 2025 and January 15, 2026. The breach is suspected to have exposed personal and employee benefits-related data, including SSNs, dates of birth, and contact details. Although the company has not identified the perpetrator, the attacker will likely offer the stolen information for sale on dark web forums, enabling identity theft, business email compromise campaigns, or account takeover attempts.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-20963: This is a patched deserialization vulnerability in Microsoft SharePoint Server that is under active exploitation by unidentified threat actors. Exploitation allows an unauthenticated remote attacker to execute code on the server without any user interaction. Successful exploitation is likely to result in theft of sensitive data and enable threat actors to deploy persistent backdoors. SharePoint flaws have previously been exploited by Chinese state-backed threat actors to compromise critical government networks.
Affected products: The affected products are listed in this advisory.
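The following is an added illustration of the insecure-deserialization vulnerability class described above; it is not code from the advisory, not the SharePoint (.NET) flaw itself, and says nothing about how CVE-2026-20963 is triggered. Python's pickle stands in for any deserializer that trusts its input: a serialized blob can instruct the loader to call an arbitrary function while reconstructing objects, which is how "deserialize untrusted bytes" becomes "remote code execution". The class `Evil`, the sentinel `gadget()`, and the allow-list in `RestrictedUnpickler` are all constructed for this example.

```python
"""Insecure deserialization: vulnerable load beside an allow-listed load.

Constructed example. `gadget()` is a harmless stand-in for os.system or
subprocess; it records that attacker-chosen code ran inside the loader.
"""
import builtins
import io
import pickle

EXECUTED: list[str] = []  # side effects triggered during deserialization


def gadget(tag: str) -> str:
    """Stand-in for a dangerous callable (e.g. os.system)."""
    EXECUTED.append(tag)
    return tag


class Evil:
    """Object whose serialized form tells the loader to call gadget()."""

    def __reduce__(self):
        # pickle records this as "call gadget('pwned') to rebuild the object"
        return (gadget, ("pwned",))


def build_malicious_blob() -> bytes:
    """Constructed attacker payload: bytes an unauthenticated client could send."""
    return pickle.dumps(Evil())


def benign_blob() -> bytes:
    """Constructed legitimate payload made only of built-in container types."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def unsafe_load(blob: bytes):
    """VULNERABLE: trusts the blob, so gadget() runs before this returns."""
    return pickle.loads(blob)


# Only these (module, name) pairs may be resolved while loading.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses any global not on the allow-list."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob: bytes):
    """Deserialize with the allow-list; raises on gadget references."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects_malicious(blob: bytes) -> bool:
    """True if the hardened loader refuses the blob without running anything."""
    before = len(EXECUTED)
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before  # nothing executed as a side effect
    return False


if __name__ == "__main__":
    payload = build_malicious_blob()
    print("hardened loader rejects payload:", rejects_malicious(payload))
    print("executed so far:", EXECUTED)  # still empty
    unsafe_load(payload)
    print("after vulnerable load:", EXECUTED)  # ['pwned']
```

The defensive lesson is the same in .NET or Java: an allow-list of reconstructable types (or a format such as JSON that cannot express "call this function") is the control, and patching alone does not help hosts that have already been backdoored, so the post-patch step is to hunt for persistence on exposed servers.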
Tags: DIB, tlp:green