ZeroFox Daily Intelligence Brief - April 6, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Qilin Ransomware Targets German Political Party
- TeamPCP Confirmed Behind European Commission Breach
- Social Engineering Attack Led to Axios Supply Chain Attack
Qilin Ransomware Targets German Political Party
What we know: On March 26, 2026, the ransomware group Qilin claimed to have breached Die Linke, a German political party, stealing internal and employee data and threatening to leak it. The party confirmed a cyber incident but has not verified a full data breach, stating that member data was not compromised.
Context: The party describes Qilin as a suspected Russian-speaking cybercrime group whose ransomware operations could serve both financial and hybrid-warfare objectives, including the targeting of critical infrastructure.
Analyst note: Although Qilin attacked a political party, its motives are unlikely to be political. At the time of writing there is no sign of espionage tradecraft such as quiet, long-term persistence; the group's presence in the party's infrastructure was noisy; and the group itself publicized the breach. Qilin is most likely seeking financial gain by extorting the party and its members with the threat of leaking the stolen data.
TeamPCP Confirmed Behind European Commission Breach
What we know: CERT-EU has confirmed that TeamPCP breached the European Commission after exfiltrating information from its cloud environment, exposing data from up to 71 clients, including 42 internal users and at least 29 other EU entities. The incident was disclosed on March 27.
Context: Separately, in late March 2026 the ShinyHunters extortion group published 350 GB of data allegedly linked to the Commission on its leak site, containing personal and email data; CERT-EU confirmed that breach as well.
Analyst note: Given that two separate threat entities targeted the European Commission within such a short span, TeamPCP is likely operating in some form of partnership with ShinyHunters, with a division of labor in which TeamPCP gains initial access and ShinyHunters monetizes the exfiltrated data.
Social Engineering Attack Led to Axios Supply Chain Attack
Source: https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
What we know: Axios npm package maintainer Jason Saayman has revealed that a social engineering campaign by North Korean threat actors led to the supply chain compromise. The threat actors reportedly impersonated a founder of a well-known company, cloning the “likeness” of the founder as well as the company itself.
Context: Saayman was guided to a threat actor-controlled Slack workspace, complete with the impersonated company’s branding. Then, the actors scheduled a fake virtual call that prompted Saayman to install a malicious update, triggering the deployment of a remote access trojan (RAT).
Analyst note: The threat actors likely used AI tools to clone the founder's likeness. Such tools are making lower-skill attacks, including social engineering and ClickFix schemes, more convincing by removing the language barriers and spelling errors that previously signaled malicious activity.
DEEP AND DARK WEB INTELLIGENCE
Exploit user real123: A threat actor using the handle "real123" has advertised phishing pages impersonating multiple banking and logistics companies on the dark web forum Exploit. The actor also promises a fully encrypted backend and replacement of dead links, and is asking USD 200 per phishing page. The advertisement is likely to attract less technically advanced cybercriminals looking to run credential-harvesting phishing campaigns. With the stolen credentials, threat actors are likely to divert funds from compromised bank accounts and/or redirect or steal packages from logistics companies.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-35616: This is an improper access control vulnerability in FortiClient EMS that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. Fortinet reports that it has been exploited in the wild. There are reportedly over 2,000 FortiClient EMS instances exposed online, the majority located in the United States and Germany. Successful exploitation is likely to lead to malware deployment and/or further intrusion into the corporate network.
Affected products: FortiClientEMS versions 7.4.5 through 7.4.6
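The following triage helper is an added example and is not ZeroFox or Fortinet code. It flags FortiClient EMS hosts whose version falls in the affected range given above (7.4.5 through 7.4.6, inclusive, as reported in this brief) and does the comparison numerically, because a plain string comparison would wrongly rank a build such as 7.4.10 below 7.4.6. The inventory records, their field names, and the hostnames are constructed for illustration; an operator would feed in their own asset list and should confirm the affected range against Fortinet's advisory before acting on the output.

```python
"""Triage helper for CVE-2026-35616 in FortiClient EMS.

Added example, not ZeroFox or Fortinet code. The affected range below is the one
stated in the brief (7.4.5 through 7.4.6). The inventory format (a list of dicts
with "hostname" and "version" keys) is an assumption, and the sample hosts are
constructed for illustration.
"""
from typing import Iterable

# Inclusive (low, high) ranges, as reported in the brief.
AFFECTED_RANGES = [("7.4.5", "7.4.6")]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.6' into (7, 4, 6) so that comparisons are numeric.

    Tuples compare element by element, so (7, 4, 10) > (7, 4, 6), whereas the
    strings '7.4.10' < '7.4.6' would compare the wrong way round.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: Iterable[dict]) -> dict[str, list[str]]:
    """Bucket hosts into affected / not_affected / unknown.

    "unknown" catches entries whose version string cannot be parsed; those need
    a manual check rather than being silently treated as safe.
    """
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host in inventory:
        try:
            bucket = "affected" if is_affected(host["version"]) else "not_affected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host["hostname"])
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"hostname": "ems-01.example.internal", "version": "7.4.5"},
    {"hostname": "ems-02.example.internal", "version": "7.4.6"},
    {"hostname": "ems-03.example.internal", "version": "7.4.7"},
    {"hostname": "ems-04.example.internal", "version": "7.4.10"},
    {"hostname": "ems-05.example.internal", "version": "7.2.3"},
    {"hostname": "ems-06.example.internal", "version": "unknown"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts landing in the "unknown" bucket should be checked by hand rather than assumed clean, and any instance reachable from the internet belongs at the top of the patch queue regardless of bucket, given the reported in-the-wild exploitation.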
Tags: DIB, tlp:green