ZeroFox Daily Intelligence Brief - March 25, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S., Australia Issue Cybersecurity Outline for Satellite Communications Systems
- Cybercriminals Target Music Artists and Others with Fraud and Extortion Threats
- Iran SITREP: 2000 U.S. Paratroopers Ordered Towards the Middle East, Philippines Declares Energy Emergency, and More
U.S., Australia Issue Cybersecurity Outline for Satellite Communications Systems
What we know: U.S. and Australian space agencies have released a report outlining cybersecurity risks and mitigation strategies for Low Earth Orbit (LEO) satellite communication (SATCOM) systems across space, ground, user, and communication and supply chain segments.
Context: In the space segment, satellites’ reliance on radio frequency links makes them vulnerable to jamming, spoofing, and command injection. Ground segment hubs are exposed to malware, credential theft, and denial-of-service (DoS) attacks, while user devices can be exploited via phishing or misconfigurations.
Analyst note: LEO SATCOM systems are almost certain to be targets of kinetic and cyber attacks during geopolitical flashpoints, as adversarial nations aim to sever emergency communications across government, military, and private sectors. Furthermore, for advanced non-state cybercriminals, satellite communications systems are high-value targets for extortion.
Cybercriminals Target Music Artists and Others with Fraud and Extortion Threats
What we know: FBI Nashville is warning of cybercriminals targeting the music industry to steal money and intellectual property from artists and listeners. Individuals also reported extortion attempts where threat actors used threats of violence, personal data, or explicit material to coerce victims into paying money or releasing unreleased music.
Context: Threat actors are leveraging AI-generated music and automated bots to fraudulently claim royalties, while an insider compromised accounts to steal and sell unreleased content. Listeners, particularly individuals mostly over the age of 60, were also targeted through romance scams, ticket fraud, and other schemes aimed at financial exploitation.
Analyst note: Although these threats are primarily digital, extortion tactics are likely to escalate into risks to physical safety, particularly if attackers leverage stolen data to identify, track, and stalk victims.
Iran SITREP: 2000 U.S. Paratroopers Ordered Towards the Middle East, Philippines Declares Energy Emergency, and More
- Iran stated it will allow “Non-Hostile” ships through the Strait of Hormuz (SoH) in a letter to the United Nations’ maritime organization. Iran’s Foreign Ministry defined “Non-Hostile” ships as those that do not participate in or support aggression against Iran.
- The Pentagon has reportedly ordered about 2,000 paratroopers to begin moving to the Middle East to give President Trump additional military options amid ongoing diplomatic efforts with Iran.
- Czech and Slovak police have reportedly detained three people on terrorism charges for conducting an arson attack against LPP Holding, a Czech-based defense and security technology company. The group which claimed responsibility for the attack had said the company develops its weapons in collaboration with an Israeli firm.
- The Philippines has become the first country to declare a year-long state of national energy emergency, as the war and the Strait of Hormuz blockade have crippled the country’s fuel-dependent economy.
- Mohammad Bagher Zolghadr has been appointed as the head of Iran's Supreme National Security Council (SNSC) to replace Ali Larijani. Zolghadr previously served as deputy commander of the IRGC.
- At least 50 Israeli companies have reportedly had their digital infrastructure "wiped" in a coordinated wave of cyberattacks, though officials maintain that critical national systems remain secure.
DEEP AND DARK WEB INTELLIGENCE
Breachforums[.]ac user Normal: A low-credibility threat actor, “Normal,” has advertised a massive 590 TB dataset allegedly stolen from French cloud provider OVHcloud. The actor claims that the breach affects 1.6 million customers and 6 million websites. The leak allegedly includes internal source code and private databases. A single-line sample was provided by the threat actor. However, OVHcloud founder Octave Klaba has officially denied the breach, stating that the data did not originate from their servers. The data is likely scraped and could be a scam to dupe other cybercriminals and dark web users. This is also likely to be an attempt at clout-chasing.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-3055 and CVE-2026-4368: Citrix has released patches for two vulnerabilities in NetScaler ADC and Gateway. While no active exploitation has been observed yet, the flaws resemble past widely exploited issues, making rapid patching critical to prevent potential initial access into enterprise networks. These flaws, if patches are not deployed, are likely to expose organizations to data leaks, enabling attackers to extract session tokens or credentials.
Affected products: The affected products are included in Citrix’s advisory.
Chrome 146 patch update: Google released a Chrome 146 update fixing eight high-severity vulnerabilities, including memory safety issues like buffer overflows and use-after-free bugs. Users are urged to update immediately, as other flaws from previous updates were targeted by attackers and exploited as zero-days. Successful exploitation can likely enable endpoint compromise, leading to credential theft, session hijacking, and lateral movement within enterprise environments.
Affected products: The affected versions are included in this advisory.
Tags: DIB, tlp:green