Advisories

ZeroFox Daily Intelligence Brief - April 3, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Solana’s Drift Protocol Drained of Millions in Sophisticated Attack
  • Fake GitHub Repo of Claude Code Leak Spreads Vidar and GhostSocks Malware
  • Spanish Speakers Targeted by Banking Trojan “Casbaneiro”

Solana’s Drift Protocol Drained of Millions in Sophisticated Attack

Source: https://www.bleepingcomputer.com/news/security/drift-loses-280-million-north-korean-hackers-seize-security-council-powers/

What we know: Threat actors have taken control of Drift Protocol’s Security Council admin powers and drained around USD 280 million from the Solana-based DeFi platform in a sophisticated coordinated operation. All protocol functions remain frozen amid ongoing investigations.

Context: Drift is a decentralized, non-custodial exchange (DEX) built on the Solana blockchain that specializes in perpetual futures, spot trading, and lending. The attackers had spent days setting up durable nonce accounts and gathering multisig approvals to pre-sign malicious transactions. They then executed them on April 1 to seize admin control and remove withdrawal limits, eventually draining funds.

Analyst Note: Drift is likely to face prolonged service disruption and be investigated by regulators and legal authorities over how it handled control of its admin keys and governance. Users will likely suffer large unrecovered losses, eroding trust in Drift and raising broader concerns about the resilience of DeFi governance models on Solana and other chains.

Fake GitHub Repo of Claude Code Leak Spreads Vidar and GhostSocks Malware

Source: https://www.theregister.com/2026/04/02/trojanized_claude_code_leak_github/

What we know: Threat actors are reportedly creating fake GitHub repositories that claim to contain the leaked source code of Anthropic’s Claude Code, to trick users into downloading the Vidar credential-stealing infostealer and the GhostSocks malware.

Context: The Vidar infostealer is capable of stealing credentials, credit card data, and browser history, while GhostSocks turns infected devices into criminal proxy infrastructure that can be used in future cybercriminal activity to obscure the operator’s real online location. The malicious GitHub repository was published by idbzoomh.

Analyst Note: This incident indicates how threat actors exploit hype and high-profile events to advance their cybercriminal activities. Any future major data leaks are very likely to be leveraged to create fake versions designed to deceive users.

Spanish Speakers Targeted by Banking Trojan “Casbaneiro”

Source: https://www.darkreading.com/cyberattacks-data-breaches/bank-trojan-casbaneiro-worms-latin-america

What we know: A Brazil-based threat group called Augmented Marauder / Water Saci is conducting phishing attacks against Spanish speakers in South America and Europe to deploy the Hirabot malware, which in turn delivers a banking trojan called Casbaneiro (also known as Metamorfo).

Context: The attack chain involves WhatsApp, ClickFix, and email-based phishing, with victims reportedly receiving an email demanding mandatory appearance for a judicial summons. The email contains a password-protected PDF with an embedded malicious link that directs the victim to an attacker-controlled URL.

Analyst Note: The most notable aspects of the campaign are its aggressive anti-detection mechanisms and fileless execution techniques, which turn infected hosts into self-propagating botnets. Internet banking users should be cautious when opening email attachments from untrusted sources, especially where legal-themed emails convey urgency and urge immediate action.
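As an added defender-side illustration (not part of the ZeroFox brief, and not code from the researchers it cites), the following Python script triages inbound mail for the two lure traits described above: a legal-themed urgency message and a password-protected PDF attachment. The keyword list, the message/attachment structures, and the sample PDF stubs are constructed for the example; the `/Encrypt` check relies on the PDF specification’s trailer dictionary entry for encrypted documents.

```python
"""Heuristic triage for legal-themed phishing carrying a password-protected PDF.

Added example: scores a message on the traits the brief describes for the
Casbaneiro lure. The phrase list, data classes and sample messages are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Legal/urgency phrases in English and Spanish (the campaign's target language).
# Assumed word list; a production filter would be tuned to observed lures.
URGENCY_TERMS = [
    r"\bjudicial\b", r"\bsummons\b", r"\bcitaci[oó]n\b", r"\bcomparecencia\b",
    r"\bmandatory\b", r"\bobligatori[ao]\b", r"\bimmediate(ly)?\b", r"\burgente?\b",
    r"\bcourt\b", r"\bjuzgado\b",
]
URGENCY_RE = re.compile("|".join(URGENCY_TERMS), re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def is_pdf(data: bytes) -> bool:
    """PDF files begin with the %PDF- magic."""
    return data.lstrip().startswith(b"%PDF-")


def pdf_is_encrypted(data: bytes) -> bool:
    """A password-protected PDF carries an /Encrypt entry in its trailer (or
    cross-reference stream) dictionary. Grepping for the key is a cheap,
    parser-free signal; the document is never opened or rendered."""
    return is_pdf(data) and b"/Encrypt" in data


def triage(msg: Message) -> dict:
    """Return the triggered indicators and a verdict for one message."""
    text = f"{msg.subject}\n{msg.body}"
    urgency_hits = sorted({hit.group(0).lower() for hit in URGENCY_RE.finditer(text)})
    encrypted_pdfs = [a.filename for a in msg.attachments if pdf_is_encrypted(a.data)]
    indicators = []
    if urgency_hits:
        indicators.append("legal_urgency_theme")
    if encrypted_pdfs:
        indicators.append("password_protected_pdf")
    # Both traits together match the described lure; either alone is only a weak signal.
    if len(indicators) == 2:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "indicators": indicators,
            "urgency_terms": urgency_hits, "encrypted_pdfs": encrypted_pdfs}


# Constructed PDF stubs: just enough structure for the heuristic, not full documents.
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF")
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"

# Constructed sample messages.
SAMPLE_LURE = Message(
    subject="Citación judicial: comparecencia obligatoria",
    body="Debe presentarse de forma urgente. Consulte el documento adjunto.",
    attachments=[Attachment("citacion.pdf", ENCRYPTED_PDF)],
)
SAMPLE_BENIGN = Message(
    subject="Monthly statement",
    body="Your statement is attached.",
    attachments=[Attachment("statement.pdf", PLAIN_PDF)],
)

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(m.subject, "->", triage(m))
```

The two-tier verdict matters: banks and courts do legitimately send encrypted PDFs, and urgent legal wording appears in benign mail, so either trait alone only routes the message for review. The `/Encrypt` grep can false-positive on the string appearing inside an uncompressed content stream, which is acceptable for a triage signal but not for a blocking decision.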

DEEP AND DARK WEB INTELLIGENCE

Cyber operations amid Iran conflict: Hacktivist groups supporting Iran, such as the Handala Hack Team, RuskiNet, DieNet, and Conquerors Electronic Army, have claimed various forms of cyberattacks against Israeli and Western government and private entities. The Handala Hack Team claimed a data breach of Israeli defense contractor PSK Wind Technologies. The 313 Team claimed distributed denial-of-service (DDoS) attacks against various Western private companies, including X. While most claims made by hacktivist groups are likely to be noise or false, often intended for psychological operations, some could be legitimate. Claims from groups such as Handala Hack, for instance, are likely to be legitimate at times.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20093: This is an already-patched authentication bypass vulnerability in Cisco Integrated Management Controller (IMC) that enables an unauthenticated remote attacker to send crafted requests to the password change functionality and gain full administrative access without valid credentials. Successful exploitation can give threat actors low-level control of the underlying server, enabling remote control and configuration access that could provide a strong foothold for further compromise within the infrastructure.

Affected products: Vulnerable products are listed in the advisory.

Tags: DIB, TLP:GREEN