ZeroFox Daily Intelligence Brief - March 23, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Fake CSAM and Cybercrime Services Platform Taken Down in International Operation
- LAPSUS$ Group Advertises 3 GB of AstraZeneca Data
- Iran SITREP: Trump Declares 48-Hour Ultimatum, Iran Targets Diego Garcia, Israel Severs Qasmiyeh Bridge, and More
Fake CSAM and Cybercrime Services Platform Taken Down in International Operation
What we know: Law enforcement authorities have dismantled over 373,000 dark web sites linked to the fraudulent platform “Alice with Violence CP”, which falsely advertised child sexual abuse material (CSAM) and other cybercrime services. The operation also exposed fraudulent cybercrime-as-a-service offerings, such as stolen card data and system access, used to trick buyers into paying for services that did not exist.
Context: Operation Alice led to the identification of one primary operator and 440 customers worldwide, along with the seizure of 105 servers and multiple electronic devices, and the issuance of an arrest warrant for the China-based suspect.
Analyst note: The takedown is likely to temporarily disrupt dark web scam infrastructure and deter opportunistic actors. It is also likely to push users seeking similar services toward encrypted channels and invite-only forums, hindering further law enforcement detection and takedown.
LAPSUS$ Group Advertises 3 GB of AstraZeneca Data
Source: https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/
What we know: Threat actor “LAPSUS$ Group” claims to have breached AstraZeneca and exfiltrated about 3 GB of internal data, reportedly including source code, employee data, and cloud configurations. The group is attempting to sell the data while hinting at potential follow-on attacks.
Context: The sample data in the group’s post includes GitHub Enterprise user records with employee details and 2FA status, datasets tracking external collaborator access and company affiliations, and broader financial data fields such as assets, salaries, and income. AstraZeneca had not confirmed the breach at the time of writing.
Analyst note: If the claims by LAPSUS$ Group are accurate, the group is likely to pursue extortion or double-extortion tactics, releasing additional data in stages to increase pressure if the company does not meet its demands.
Iran SITREP: Trump Declares 48-Hour Ultimatum, Iran Targets Diego Garcia, Israel Severs Qasmiyeh Bridge, and More
- President Donald Trump has given Iran 48 hours to re-open the Strait of Hormuz, failing which the United States will target Iran’s power plants. In response, Iran says it will target energy infrastructure across the Middle East, causing irreversible damage. This has likely pushed global oil prices higher.
- Iran launched two long-range missiles at Diego Garcia, a joint UK-U.S. military base in the Indian Ocean. Both attempts failed (one missile failed, the other was intercepted); the launches followed the UK authorizing the United States to continue operations from the base.
- Iran says it will not allow ships belonging to "Iran's enemies" to pass the strait. It remains open to those willing to coordinate security and safety arrangements with Tehran.
- Israeli forces bombed the Qasmiyeh Bridge in South Lebanon during strikes on Sunday, in an attempt to sever the southern Litani region from the rest of Lebanese territory. Israel has warned of a prolonged war against Hezbollah, with further infrastructure damage and territorial losses, unless the group is disarmed.
- The FBI has warned of malware campaigns led by Iran’s Ministry of Intelligence and Security (MOIS), in which Iran-linked threat actors use Telegram as command-and-control (C2) infrastructure to deliver malware targeting Iranian dissidents, journalists opposed to the Iranian government, and other opposition groups globally.
- The U.S. Treasury Department has sanctioned a global network of 16 individuals and entities led by a Hezbollah financier for laundering and diverting over USD 100 million to fund Hezbollah’s operations. Meanwhile, Iran continues its “asymmetric” information campaign, attempting to increase moral pressure on the United States and Israel during the ongoing conflict.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user algoyim: Untested threat actor “algoyim” has advertised access to a French government-owned entity linked to the Ministry of Culture. The access allegedly includes domain admin rights, root control over 282 virtual machines, admin access to employee workstations containing personal data, and full administrative control of the entity’s enterprise cloud and identity platforms from major technology vendors. If the actor’s claims are true, this access would likely allow threat actors to maintain long-term persistence in the entity’s systems and exfiltrate government, employee, and citizen data.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-33017: This vulnerability in Langflow enables unauthenticated remote code execution via code injection, allowing attackers to run arbitrary Python code with the full privileges of the Langflow server process. The flaw has reportedly been exploited in the wild within 20 hours of disclosure, with attackers harvesting credentials, exfiltrating data, and deploying follow-on payloads on vulnerable systems. The short window between disclosure and exploitation likely indicates that threat actors are weaponizing vulnerabilities faster than most organizations can patch, raising the risk of immediate, widespread compromise.
Affected products: Langflow versions up to and including 1.8.1
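Given the narrow patch window described above, the first practical step is to find every Langflow install in the affected range. The following is an added example, not ZeroFox’s or the Langflow project’s code: it assumes you have collected `pip freeze`-style package lists from your hosts (the inventory below is a constructed sample) and uses only the version boundary stated in this item (up to and including 1.8.1); pre-releases of a version are treated as older than that version.

```python
import re
from typing import Dict, List, Optional, Tuple

# Upper bound of the affected range stated in the brief: every release up to
# and including 1.8.1 is affected.
LAST_AFFECTED: Tuple[int, int, int] = (1, 8, 1)

# Accepts MAJOR.MINOR[.PATCH] with an optional pre-release tag (rc1, a1, b2, dev3).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a version string into a comparable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    1.8.1rc1 sorts before 1.8.1. Returns None for strings this parser does
    not understand (e.g. post-releases or local versions), so callers can
    flag them for manual review instead of silently treating them as safe.
    """
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        return None
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if `version` is within the affected range, False if newer,
    None if the string could not be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Compare against the final release 1.8.1 (marker 1), so that 1.8.1
    # itself and any 1.8.1 pre-release count as affected.
    return parsed <= LAST_AFFECTED + (1,)


def find_affected_hosts(inventory: Dict[str, List[str]]) -> Dict[str, str]:
    """Map hostname -> Langflow version for hosts in the affected range.

    `inventory` maps a hostname to its `pip freeze` lines ("name==version").
    Unparseable Langflow versions are reported with an "UNPARSED:" prefix so
    they are not lost.
    """
    hits: Dict[str, str] = {}
    for host, lines in inventory.items():
        for line in lines:
            name, sep, version = line.partition("==")
            if not sep or name.strip().lower() != "langflow":
                continue
            version = version.strip()
            verdict = is_affected(version)
            if verdict is None:
                hits[host] = "UNPARSED:" + version
            elif verdict:
                hits[host] = version
    return hits


# Constructed sample inventory (hostnames and package lists are made up).
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "ai-dev-01": ["fastapi==0.115.0", "langflow==1.8.1"],
    "ai-prod-02": ["langflow==1.7.2", "uvicorn==0.30.0"],
    "ai-prod-03": ["langflow==1.8.2"],
    "ai-lab-05": ["langflow==1.8.1rc1"],
    "data-04": ["numpy==2.1.0"],
}

if __name__ == "__main__":
    for host, version in sorted(find_affected_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: langflow {version} is in the affected range")
```

A version match is necessary but not sufficient for prioritisation: because the flaw is reachable without authentication, hosts whose Langflow port is exposed beyond a trusted network should be patched or isolated first, and any host in the affected range that was reachable during the exploitation window should be treated as potentially compromised and reviewed for the credential-harvesting and follow-on payload activity described above.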
Tags: DIB, tlp:green