ZeroFox Weekly Intelligence Brief – March 28, 2026
|by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on March 27, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
TeamPCP Expands Trivy Campaign; Iranian Systems Targeted
What we know:
- Threat group TeamPCP is continuing to expand the Trivy supply chain attack by pushing malicious Docker images, hijacking Aqua Security’s GitHub repositories, wiping Iran-specific Kubernetes clusters, and compromising the popular “LiteLLM” Python package on PyPI.
- TeamPCP has also been linked to compromising Checkmarx AST/KICS and over 10,000 GitHub workflows using trivy‑action.
- The cloud environments of thousands of organizations have reportedly been infected in the attack.
- TeamPCP is also suspected of working with notorious extortion crews such as Lapsus$.
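With trivy-action reported as compromised in over 10,000 workflows, the first question a defender has is which of their own pipelines reference it and how. The script below is an added example, not code from the brief or from Aqua Security: it scans GitHub Actions workflow text for `uses:` references, reports which ones point at a mutable ref (a branch or tag) rather than a full 40-hex commit SHA, and flags the ones on a watchlist. It generalizes beyond trivy-action to any third-party action. The sample workflow and the 40-hex "pinned" value are constructed for the demonstration; the brief does not say how trivy-action was tampered with, so SHA pinning is shown as the standard mitigation for retagged or force-pushed action refs, not as something that would necessarily have blocked this incident.

```python
import re

# Constructed sample workflow for the demonstration. It is not a file from the
# brief or from any affected project; the 40-hex SHA below is a made-up value.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy (mutable branch ref)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - name: Trivy (commit-pinned)
        uses: "aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches `uses: owner/repo[/path]@ref`, tolerating a leading list dash and quotes.
USES_RE = re.compile(
    r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'@]+)(?:@([^\s"\']+))?', re.MULTILINE
)
# Only a full 40-hex Git object id counts as pinned; tags, branches and
# abbreviated SHAs can all be moved by whoever controls the repository.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions to call out explicitly; extend with whatever your org depends on.
DEFAULT_WATCHLIST = ("aquasecurity/trivy-action",)


def is_sha_pinned(ref):
    """True only for a full-length commit SHA reference."""
    return ref is not None and bool(FULL_SHA_RE.match(ref))


def find_action_refs(text):
    """Return every remote action reference with its 1-based line number.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a GitHub repository ref and need a different check.
    """
    refs = []
    for m in USES_RE.finditer(text):
        target, ref = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        line = text.count("\n", 0, m.start()) + 1
        refs.append({"line": line, "action": target, "ref": ref})
    return refs


def audit_workflow(text, watchlist=DEFAULT_WATCHLIST):
    """Annotate each reference with whether it is SHA-pinned and watchlisted."""
    findings = []
    for r in find_action_refs(text):
        # A ref like owner/repo/subdir@v1 still belongs to owner/repo.
        owner_repo = "/".join(r["action"].split("/")[:2])
        findings.append({
            **r,
            "pinned": is_sha_pinned(r["ref"]),
            "watched": owner_repo in watchlist,
        })
    return findings


def mutable_watched_refs(text, watchlist=DEFAULT_WATCHLIST):
    """The references that need attention first: watchlisted and not pinned."""
    return [f for f in audit_workflow(text, watchlist) if f["watched"] and not f["pinned"]]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        state = "pinned" if f["pinned"] else "MUTABLE"
        flag = " <-- watchlisted" if f["watched"] else ""
        print(f"line {f['line']:>3}: {f['action']}@{f['ref']} [{state}]{flag}")
```

Run it over every file under `.github/workflows/` and treat each `MUTABLE` watchlisted line as something to resolve to a reviewed commit. Pinning the reference covers only what GitHub checks out; anything the action downloads at run time (binaries, container images, Python packages such as the LiteLLM release mentioned above) has to be pinned and verified separately.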
United States, Australia Issue Cybersecurity Outline for Satellite Communications Systems
What we know:
- U.S. and Australian space agencies have released a report outlining cybersecurity risks and mitigation strategies for Low Earth Orbit (LEO) satellite communication (SATCOM) systems across space, ground, user, and communication and supply chain segments.
Authorities Seize Key Infrastructure Powering Large-Scale Global DDoS Campaigns
What we know:
- Law enforcement has disrupted the Aisuru, KimWolf, JackSkid, and Mossad botnets, which were used to launch large-scale distributed denial-of-service (DDoS) attacks against global victims.
- Authorities also executed seizure warrants targeting domains, servers, and infrastructure, aiming to cut off botnet communications and prevent further attacks.
Tags: tlp:green