
ZeroFox Daily Intelligence Brief - March 26, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Russia Arrests Alleged LeakBase Administrator
  • U.S. Imprisons and Fines Botnet-as-a-Service Operator
  • Iran SITREP: Iran Rejects Ceasefire Demands, Regional Attacks Escalate, New Maritime Chokepoint Threatened

Russia Arrests Alleged LeakBase Administrator

Source: https://thehackernews.com/2026/03/leakbase-admin-arrested-in-russia-over.html

What we know: Russian authorities have reportedly arrested the administrator of the LeakBase cybercrime forum, known by the aliases Chucky, beakdaz, Chuckies, and Sqlrip. Authorities also seized technical equipment and other items from the suspect's residence.

Context: The arrest follows a coordinated operation earlier this month in which the United States and its allies dismantled LeakBase, seizing its data and two domains. LeakBase had been active since 2021 with over 147,000 users, allowing stolen personal databases, exploits, and other illicit services to be traded.

Analyst note: U.S.-led law enforcement action likely aided Russian authorities in arresting the alleged administrator. Such cooperation is rare given strained relations, and likely indicates that operating from Russia, while avoiding Commonwealth of Independent States (CIS) targets, is no longer a guaranteed safe haven for cybercriminals.

U.S. Imprisons and Fines Botnet-as-a-Service Operator

Source: https://www.securityweek.com/russian-cybercriminal-gets-2-year-prison-sentence-in-us/

What we know: A foreign national was sentenced to prison by the U.S. Department of Justice (DOJ) for managing the operation of a botnet that was used to launch ransomware attacks on the networks of dozens of U.S. corporations. The suspect also received a USD 100,000 fine and a USD 1.6 million money judgment.

Context: Between 2017 and 2021, the accused—using aliases like “milan” and “okart”—co-managed the Russia-based “Mario Kart” cybercrime group. They sold access to hacked computers (bots) to other groups for ransomware attacks, impacting over 70 U.S. corporations and generating more than USD 14 million in extortion payments.

Analyst note: The United States is very likely to continue arresting foreign cybercriminals by relying on international cooperation. Tactics such as sting operations and the monitoring of the suspect’s travel outside cybercrime hubs, such as Russia, will likely remain central to these efforts.

Iran SITREP: Iran Rejects Ceasefire Demands, Regional Attacks Escalate, New Maritime Chokepoint Threatened

  • Iran has rejected a U.S. ceasefire proposal and stated it has no plans to engage in negotiations. The U.S. proposal to Iran reportedly includes a 30-day ceasefire, halting regional aggression, and reopening the Strait of Hormuz. Meanwhile, Iran seeks recognition of its rights, reparations, security guarantees, sanctions relief, and reduced U.S. military presence in the region as conditions to end the war.
  • Escalating regional attacks saw drones and missiles targeting Gulf states including Kuwait, Bahrain, United Arab Emirates, and Saudi Arabia, with air defenses intercepting multiple threats and infrastructure damage reported.
  • Iran will likely set its sights on the Bab el-Mandeb Strait and could disrupt this major chokepoint if the United States conducts military action against its territory, including Kharg Island. The warning likely includes coordination with Iran-backed Houthi forces to target shipping through the Red Sea.
  • On the cyber front, despite widespread claims, Iran-aligned hacktivists have shown limited verified impact in the Gulf, though activity has increased. Since the war began, malicious email campaigns targeting Gulf states have surged by 130 percent, reportedly peaking at nearly four times pre-war levels, likely indicating heightened but largely low-impact cyber activity.
  • Pro-Iran group “Handala Hack Team” announced a USD 50 million bounty targeting two major political figures involved in the ongoing Middle East conflict. The group also provided encrypted communication channels for coordination, likely signaling potential intent to mobilize supporters beyond cyber activity.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user HexDex: Untested threat actor “HexDex” advertised data allegedly associated with Système d’Information sur les Armes (SIA), a France-based weapon information system for civilian firearms. The database allegedly includes 60,000 records including weapons details, owner and transaction information, along with tracking data. If the actor’s claims are true, the exposed SIA data is likely to enable targeted theft of firearms and tracking of weapon owners, potentially facilitating criminal or extremist activity.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Apple vulnerabilities: Apple has released updates fixing more than 80 vulnerabilities across iOS, macOS, and other platforms, including high-severity flaws in WebKit and the kernel that could enable data leaks, sandbox escapes, and remote attacks. If patches are not deployed, threat actors are likely to exploit these vulnerabilities to execute remote code, bypass security controls, and gain unauthorized access to sensitive data across devices.

Affected products: The affected versions are included in this advisory.

Tags: DIB, tlp:green