
ZeroFox Daily Intelligence Brief - March 24, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Gunra Ransomware Group Claims to Leak Semiconductor Company Data
  • TeamPCP Expands Trivy Campaign; Iranian Systems Under Target
  • Iran SITREP: U.S. Defers Strikes on Iranian Power Plants, Iran Dismisses De-escalation Claims, Oil Prices Volatile

Gunra Ransomware Group Claims to Leak Semiconductor Company Data

Source: https://www.theregister.com/2026/03/23/us_chip_testing_firm_shrugged/

What we know: Semiconductor company Trio-Tech International has disclosed a ransomware attack at its Singapore subsidiary that initially encrypted files and later escalated to unauthorized data exposure. The disclosure came after the Gunra ransomware group listed the company on its leak site.

Context: Trio-Tech provides semiconductor testing, manufacturing solutions, and distribution services. While the exact scope of compromised data has not been confirmed, attackers reportedly exfiltrated company information and published portions of it online, prompting concerns around potential exposure of sensitive corporate and operational data.

Analyst note: The incident is likely to facilitate intellectual property theft, exposing semiconductor designs, testing methodologies, or proprietary processes that competitors or nation-state actors could exploit.

TeamPCP Expands Trivy Campaign; Iranian Systems Under Target

Source: https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html

What we know: Threat group TeamPCP has expanded the Trivy supply-chain attack by pushing malicious Docker images, hijacking Aqua Security’s GitHub repositories, and wiping Iran-specific Kubernetes clusters.

Context: Aqua Security’s Trivy vulnerability scanner was compromised in a supply-chain attack that distributed credential-stealing malware through official releases and GitHub Actions. Additionally, the same threat group is reportedly targeting Iranian systems with wiper malware while installing the CanisterWorm backdoor on other systems.

Analyst note: The Trivy supply-chain attack is likely to enable the threat actors to compromise downstream entities and move deeper into corporate networks. The wiper attack against Iranian systems likely indicates state-aligned or geopolitically motivated operations disguised as cybercriminal activity to obscure attribution.

Iran SITREP: U.S. Defers Strikes on Iranian Power Plants, Iran Dismisses De-escalation Claims, Oil Prices Volatile

  • Israel and Iran traded strikes on nuclear facilities, with Israel reportedly striking Iran’s Natanz facility and Iran retaliating with attacks on towns near the Dimona nuclear facility. ZeroFox assesses that strikes on nuclear sites are calculated to avoid radiation leaks and almost certainly to avoid nuclear escalation.
  • ZeroFox further assesses that Iran is very unlikely to acquiesce to U.S. demands to reopen the Strait of Hormuz (SoH). Iranian defiance will present President Trump with a choice of whether to follow through on his threats—which will almost certainly escalate the current crisis—or find a way to avoid escalation.
  • The United States has decided to halt strikes on Iranian power plants, seeking negotiations over a 5-day period following the 48-hour ultimatum. However, there is speculation that the United States is planning to seize Kharg Island, Iran’s main oil export hub, and to send ground forces into Iran to secure highly enriched uranium.
  • Oil prices have spiked again after Iran denied U.S. claims that the two sides were in discussions to reach an agreement. Oil prices on Monday had dropped by 10 percent after President Trump described negotiations as productive, implying that the SoH would be cleared.
  • Iran disputed claims of negotiations with the United States, with the Iranian Parliament Speaker claiming the U.S. President’s remarks are an attempt to manipulate the financial and oil markets. On the other hand, an Iranian Foreign Ministry spokesman said U.S. requests to end the war have been received.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Spirigatito: A moderately credible threat actor, “Spirigatito,” has advertised a dataset allegedly associated with Prefeitura Municipal de Caieiras, a municipal government entity in Brazil, on the dark web site DarkForums. The dataset allegedly contains over 363,000 records, including personally identifiable information (PII) and protected health information (PHI). The threat actor has shared a sample but did not quote a price, instead directing interested parties to contact them. If the dataset is legitimate, the exposed PII and PHI are likely to be used for further cybercrimes, such as insurance fraud, phishing, and social engineering attacks. enable threat actors to maintain long-term access into systems and exfiltrate government, employee, and citizen data.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-21992: Oracle has released emergency patches for a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The flaw enables unauthenticated remote code execution (RCE) via HTTP, giving attackers full control of the affected systems without user interaction. Threat actors are likely to exploit this flaw to escalate privileges, move laterally within corporate networks, and access sensitive data in unpatched environments.

Affected products: Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0; Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.

Tags: DIB, TLP:GREEN