ZeroFox Daily Intelligence Brief - March 30, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • European Commission Discloses Cyberattack; ShinyHunters Claims Breach
  • Apple Sends Lock Screen Notifications Following Coruna, DarkSword Discovery
  • Iran SITREP: 20 Tankers to Pass The Strait, Blackouts Hit Iran and More

European Commission Discloses Cyberattack; ShinyHunters Claims Breach

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_26_748

What we know: The European Commission has disclosed a cyberattack affecting the cloud infrastructure hosting its Europa[.]eu web platform. Simultaneously, the ShinyHunters extortion group published 350 GB of data allegedly linked to the Commission on its leak site.

Context: The leaked dataset allegedly includes data dumps of mail servers, confidential documents, contracts, and other sensitive material. Initial investigations have revealed that some data was stolen from the targeted websites, but the websites remain available. The Commission's internal systems remain unaffected by the cyberattack.

Analyst note: The severity of the data leak needs to be assessed, but the leaked data is likely to contain personally identifiable information (PII) of people who interacted with the Europa[.]eu websites, along with email contents and attached documents. Affected individuals are likely to receive protections or compensation under GDPR rules.

Apple Sends Lock Screen Notifications Following Coruna, DarkSword Discovery

Source: https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html

What we know: Apple is reportedly sending Lock Screen notifications, warning of web-based attacks, to iOS and iPadOS devices running versions between 13.0 and 17.2.1, and between 18.4 and 18.7.

Context: The notifications come following the discovery of the spy-grade Coruna and DarkSword exploit kits in cybercrime communities. Apple is urging users to update to the latest versions or at least enable Lockdown mode. Threat actors are reportedly using the exploit kits to deliver malware via compromised websites.

Analyst note: Less technically proficient actors, including some nation-state groups lacking in-house zero-day development capabilities, are now very likely to leverage these "second-hand" exploits that were previously limited to highly advanced actors. Successful use is likely to fully compromise devices, giving attackers access to credentials, messages, contacts, and other sensitive data, leading to account takeover and financial theft.

Iran SITREP: 20 Tankers to Pass The Strait, Blackouts Hit Iran and More

  • President Trump stated that Iran has agreed to allow 20 oil tankers to transit the Strait of Hormuz starting March 30. This is likely to temporarily ease the pressure on global energy flows while leaving broader sanctions and military risks intact.
  • Massive blackouts have hit Tehran, Isfahan, and Shiraz after Israel reportedly struck Tehran’s Marine Industries Organization and other industrial sites. Iran retaliated with ballistic missile strikes on a southern Israeli industrial complex. Concurrent attacks damaged a Kuwaiti power plant, a Saudi base, and aluminum facilities in Bahrain and the UAE.
  • Yemen’s Iran‑backed Houthis fired a missile toward Israel on March 28. However, the Israeli military claims to have successfully intercepted it in its first such engagement in the war, with no reported casualties or damage on the ground.
  • On March 29, Pakistan hosted a four-nation summit in Islamabad with foreign ministers from Saudi Arabia, Turkey, and Egypt to coordinate a de-escalation strategy. Prime Minister Shehbaz Sharif reportedly held an hour-long call with Iranian President Pezeshkian to facilitate this dialogue.
  • Ukraine has signed defense deals with Saudi Arabia, Qatar, and the UAE to share counter-drone expertise against Iranian-designed Shahed drones.
  • Iranian Parliament Speaker Mohammad Bagher Ghalibaf accused the United States of "secretly planning a ground invasion" while publicly signaling negotiations. He further warned that Iranian forces are "waiting" to confront any land assault.

DEEP AND DARK WEB INTELLIGENCE

BreachForums administrator ShinyHunters: Threat actor and site administrator “ShinyHunters” has leaked a database allegedly belonging to their own platform, BreachForums, following an internal power struggle. The dataset contains records for over 300,000 users, including User IDs, hashed passwords, email addresses, and IP addresses dating back to the forum's origin. The leak is likely intended to undermine a rival administrator and establish control over the community. If legitimate, the exposed data likely poses a risk of deanonymization for forum members, potentially exposing their identities to law enforcement and rival cybercriminals.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-4681: This critical remote code execution (RCE) vulnerability in PTC Windchill and FlexPLM has triggered an unprecedented response in Germany, where police physically visited companies at night to warn of imminent risk. These software tools are prominent in managing the blueprints and supply chains of Germany’s critical manufacturing and defense sectors. CISA and the BSI have issued urgent advisories, as the flaw enables unauthenticated attackers to execute arbitrary code on industrial systems. Since official patches are not yet available, organizations are urged to apply PTC's provided mitigations and monitor for indicators of compromise (IoCs) to prevent potential industrial espionage or network breaches.

Affected products: All versions of PTC Windchill and PTC FlexPLM

Tags: DIB, tlp:green