
ZeroFox Daily Intelligence Brief - March 27, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Espionage Concerns Rise as India Investigates Pakistan-Linked Spy Activity
  • UK Sanctions Key Online Fraud Network
  • Geopolitical Focus: Trump Postpones Striking Iranian Energy Plants, Putin Seeks Donations

Espionage Concerns Rise as India Investigates Pakistan-Linked Spy Activity

Source: https://www.theregister.com/2026/03/26/india_pakistan_cctv/

What we know: Indian authorities uncovered a suspected Pakistan-linked surveillance operation involving covert CCTV cameras installed near critical infrastructure, streaming footage via cellular networks.

Context: On March 14, police in Ghaziabad, India, arrested suspects after discovering covert, solar-powered CCTV cameras targeting railway stations and key infrastructure. The cameras reportedly transmitted live footage over cellular networks, potentially using stolen SIM-linked accounts, to recipients in Pakistan.

Analyst note: Railways and transport hubs are critical for both civilian stability and military logistics, making them high-value surveillance targets. Monitoring railways likely indicates an intent to map logistics, troop movements, and civilian patterns, information that would be useful for orchestrating any future escalation.

UK Sanctions Key Online Fraud Network

Source: https://www.gov.uk/government/news/uk-crackdown-on-vile-scam-centres-steps-up-with-sanctions-on-illicit-crypto-network

What we know: The United Kingdom has sanctioned Xinbi, one of the largest illicit marketplaces in Southeast Asia, which provides cryptocurrency-based services to scam centres including Cambodia’s “#8 Park” scam compound.

Context: The network reportedly enables large-scale online fraud using stolen personal data and coerced labour in scam centres. This action builds on earlier UK sanctions against the Prince Group. The UK authorities have issued a list of the sanctioned individuals who were reportedly co-ordinating the scam centres.

Analyst note: The sanctions are likely to disrupt funding for Southeast Asian scam operations, increasing risks for their international enablers. Such actions will likely spur closer cooperation between intelligence agencies and the private sector to shut down the channels scammers use for large-scale crypto-based fraud.

Geopolitical Focus: Trump Postpones Striking Iranian Energy Plants, Putin Seeks Donations

  • U.S. President Donald Trump has extended the deadline to strike Iranian energy plants until April 6, 2026, as he stated that talks with Iran were going well. Meanwhile, Russia has reportedly called for a closed meeting of the U.N. Security Council to discuss Iran on March 27. Additionally, Thai cargo ship Mayuree Naree has run aground after being abandoned following an attack in the Strait of Hormuz on March 11.
  • Two siblings have been indicted for leaving an explosive device outside MacDill Air Force Base in Florida on March 18, 2026. A third individual was also arrested for making a threatening call to the Air Force Base. The device did not detonate, but was deemed potentially deadly.
  • Russian President Vladimir Putin is reportedly asking for donations from oligarchs to help stabilize the country's finances as the war with Ukraine presses on. Billionaire Suleiman Kerimov reportedly pledged 100 billion roubles (USD 1.23 billion) to Russia’s budget during a meeting with Putin.
  • Two sailboats carrying humanitarian aid to Cuba have reportedly gone missing. A search-and-rescue operation is underway in the Caribbean.
  • China has reportedly stationed obsolete fighter jets at six air bases close to the Taiwan Strait to operate as attack drones. These jets-turned-drones are expected to hit targets in the opening phase of an assault on Taiwan in large numbers to overwhelm air defenses.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user ByteToBreach: Threat actor "ByteToBreach" has advertised a dataset allegedly associated with oil marketer National Oil Ethiopia on the dark web platform DarkForums. The leak allegedly contains 800 GB of Enterprise Resource Planning (ERP) records, including customer information, internal communications, operational business data, and personally identifiable information (PII). The advertisement is likely intended to coerce the company into paying a ransom, with the threat of selling the information to its rivals or other cybercriminals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-33634: CVE-2026-33634 is a supply-chain vulnerability in which malicious code was embedded into Trivy releases and GitHub Actions, enabling credential theft from users. CISA added CVE-2026-33634 to its KEV catalog after confirming active exploitation of the malicious code injection flaw in Trivy. Threat group TeamPCP has been observed behind the Trivy supply-chain compromise, distributing credential-stealing malware via GitHub and Docker while also deploying wiper malware and the CanisterWorm backdoor in targeted attacks against Iranian systems. Malicious GitHub Actions are likely to enable attackers to tamper with builds, inject backdoors into software, or exfiltrate sensitive secrets.

Affected products: Aqua Security’s Trivy scanner
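A tampered action release is only reachable by workflows that resolve it through a mutable reference (a tag or branch name), so one defensive check is to audit workflow files for `uses:` steps not pinned to a full 40-character commit SHA. The script below is an added illustration, not code from ZeroFox or from the Trivy project; the workflow text, the commit SHA and the `v1` tag in it are constructed placeholders.

```python
import re

# Constructed sample workflow (placeholder values, not a real repository's file).
# It references actions three ways: by full commit SHA, by tag, and by branch.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v1
      - uses: ./.github/actions/local-step
"""

# Matches a `uses:` step and captures its reference (quotes and trailing comments stripped).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify one `uses:` reference as 'local', 'docker', 'sha' or 'mutable'.

    Anything that is not a full commit SHA (a tag, a branch, or no ref at all,
    which resolves to the default branch) can be repointed by whoever controls
    the upstream repository, so it is treated as mutable.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.match(version):
        return "sha"
    return "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every remote action not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((line_no, match.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA does not by itself detect a compromised release; it only freezes which commit the workflow runs, so pair it with reviewing the upstream diff before bumping the pin.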

Tags: DIB, TLP:GREEN