
ZeroFox Daily Intelligence Brief - April 2, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Meta Accuses Italian Spyware Maker of Pushing Fake WhatsApp Versions
  • Canada Imprisons Individual Linked to Online Extremist Group Terrorgram Collective
  • Iran SITREP: U.S. President Talks of Winding Down War, Considers Leaving NATO; Senior Hezbollah Commander Killed; and More

Meta Accuses Italian Spyware Maker of Pushing Fake WhatsApp Versions

Source: https://techcrunch.com/2026/04/01/whatsapp-notifies-hundreds-of-users-who-installed-a-fake-app-that-was-actually-government-spyware/

What we know: Meta has accused Italian spyware maker SIO of tricking some 200 iPhone users in Italy into downloading a fake version of WhatsApp that contained spyware. Meta did not specify who the victims were, but said it has alerted them.

Context: SIO was previously found to be behind a series of spyware Android apps. The firm’s website describes it as a provider of cyber intelligence solutions partnering with governments. In January 2025, Meta alerted 90 users in Italy, including journalists and pro-immigration activists, that they were targeted by spyware from U.S.-Israeli firm Paragon Solutions.

Analyst note: Ongoing spyware scandals suggest Italian government bodies may still be targeting critics with surveillance, despite cutting ties with Paragon a year earlier. Instances of governments deploying spyware across Europe stand in stark contrast to the European Union’s stringent data protection and privacy framework under the GDPR.

Canada Imprisons Individual Linked to Online Extremist Group Terrorgram Collective

Source: https://www.europol.europa.eu/media-press/newsroom/news/intelligence-to-conviction-europol-helps-dismantle-terrorgram-collective

What we know: The Canadian Public Prosecution Service sentenced an individual to 20 years in prison for producing and disseminating violent extremist propaganda as part of the online network known as the “Terrorgram Collective,” which inspired multiple terrorist attacks.

Context: Europol has also been involved in the investigation since 2022, mapping the Terrorgram network and identifying individuals linked to it across Europe and beyond.

Analyst note: In the short term, international law enforcement will likely disrupt the group’s activity and recruitment. However, it is unlikely to eliminate online extremism in the long term, as deeper factors like governance, education, and economic conditions continue to sustain it.

Iran SITREP: U.S. President Talks of Winding Down War, Considers Leaving NATO; Senior Hezbollah Commander Killed; and More

  • U.S. President Donald Trump, in an address to the nation on April 1, 2026, said that U.S. objectives in Iran under Operation Epic Fury are “nearing completion,” warning of intensified strikes over the next two to three weeks to “finish the job.” He also suggested that the United States may step back from securing the Strait of Hormuz and urged other nations to take the lead.
  • President Trump also reiterated consideration of withdrawing from NATO, though such a move would require Congressional approval and currently appears unlikely.
  • The Israel Defense Forces reported fresh missile launches from Iran toward Israel shortly after President Trump concluded his address.
  • Additionally, Israel has killed senior Hezbollah commander Haj Youssef Ismail Hashem in a strike on Beirut that reportedly left at least seven dead. The Israeli military confirmed the operation, with Hezbollah later acknowledging his death and describing him as a key figure in its southern front operations.
  • Oil prices surged over USD 4 after President Trump signaled continued U.S. attacks on Iran with no clear timeline to end the conflict. Brent crude rose to USD 106.04 per barrel, while West Texas Intermediate crude climbed to USD 104.29.
  • On the cyber front, suspected Iran-linked groups, including Islamic Revolutionary Guard Corps-associated clusters, conducted password-spraying attacks affecting more than 300 organizations in Israel and others in the UAE to gain access to sensitive data.

DEEP AND DARK WEB INTELLIGENCE

Breached[.]st user iym: Threat actor “iym” has advertised 8.3 million records of U.S. and Canadian law enforcement tipline data, including anonymous crime tips as well as personally identifiable information such as full names of suspects and tipsters, addresses, Social Security numbers, phone numbers, and email addresses. If the actor’s claims are true, access to tip data can reveal law enforcement plans and investigations, likely aiding criminal groups in evasion and countermeasures.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-5281: Google has released Chrome updates fixing 21 vulnerabilities, including actively exploited zero-day CVE-2026-5281, which is a use-after-free flaw enabling remote code execution. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalogue. Threat actors are likely to target users running unpatched versions, where successful exploitation can be chained with other flaws to escalate privileges, establish persistence, and exfiltrate data.

Affected products: The affected products are included in Google’s advisory.

Apple releases fixes for older versions: Apple has released iOS 18.7.7 and iPadOS 18.7.7 updates to protect older devices against the DarkSword exploit, a web-based attack capable of stealing sensitive data like messages, location, and cryptocurrency. The move follows the public leak of the DarkSword toolkit, which has already been used in targeted attacks and can now be widely exploited against users running unpatched iOS 18 versions. With the toolkit publicly leaked, it is likely that even low-skilled actors can launch attacks at scale, increasing the volume and spread of infection if fixes are not widely deployed.

Affected products: The affected products are included in Apple’s advisory.

Tags: DIB, tlp:green