ZeroFox Daily Intelligence Brief - April 7, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Identities Revealed for RaaS Group Leaders of REvil and GandCrab
- AI-Driven Prt-Scan Campaign Targets GitHub Repositories at Scale
- Iran SITREP: Proposal Deadline Nears, Trump Threatens Infra Strikes, Phishing Campaign Leverages Iran War Panic
Identities Revealed for RaaS Group Leaders of REvil and GandCrab
What we know: German authorities have disclosed the real identities of two key leaders of the REvil and GandCrab ransomware groups, linked to 130 attacks in the country resulting in EUR 35.4 million in damages. The ransomware group targeted entities worldwide, and a REvil affiliate was also imprisoned in the United States in 2024 for carrying out 2,500 ransomware attacks.
Context: REvil (aka Sodinokibi) is a major ransomware-as-a-service (RaaS) gang that supplied malware and infrastructure to affiliates and operated between 2019 and 2021. In October 2021, a multi-country operation took down REvil’s servers and backups.
Analyst note: The public disclosure of the cybercriminals' identities is likely to help apprehend them during international travel. Additionally, their financial networks and/or assets, along with their associates, will almost certainly be traced and monitored for further law enforcement action. Furthermore, their real identities are likely to be used to map their potential activity in cybercrime forums or networks.
AI-Driven Prt-Scan Campaign Targets GitHub Repositories at Scale
Source: https://www.darkreading.com/application-security/ai-assisted-supply-chain-attack-targets-github
What we know: A threat actor used AI-assisted automation to launch over 450 exploit attempts against open-source repositories on GitHub. This campaign, dubbed “prt-scan,” began with limited testing in mid-March before escalating on April 2 into a rapid, AI-driven wave of 475 malicious pull requests. Despite its scale, execution flaws indicated the actor had a poor understanding of GitHub permissions.
Context: The prt-scan campaign is the second recent operation using AI-assisted automation to target repositories with the vulnerable pull_request_target workflow on GitHub. It follows the earlier “hackerbot-claw” campaign, which exploited the same feature to steal tokens, secrets, and cloud credentials.
Analyst note: AI-augmented automation is lowering the barrier to entry for supply chain attacks, enabling even low-sophistication actors to conduct large-scale campaigns with speed and efficiency. AI adoption in such attacks will likely increase the frequency and breadth of future attacks, as adversaries can rapidly target hundreds of repositories with minimal effort.
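For readers unfamiliar with the pull_request_target pitfall that both the prt-scan and hackerbot-claw campaigns relied on, the following added example (not taken from the Dark Reading report, the brief, or either campaign) contrasts a workflow pattern that exposes repository secrets to code from an untrusted fork pull request with a hardened equivalent. The workflow file names, job names and the NPM_TOKEN secret name are assumptions chosen for illustration.

```yaml
# Added example, not from the original brief: a GitHub Actions workflow
# written two ways. File names, job names and the secret name are assumed.

# --- VULNERABLE PATTERN: .github/workflows/pr-check.yml ---
# pull_request_target runs in the context of the BASE repository, so the job
# gets a read/write GITHUB_TOKEN and can read repository secrets. Checking out
# the pull request's head commit and then executing code from it (npm install
# runs the PR's package.json scripts) hands that privileged context to
# whatever the fork author submitted.
name: pr-check (vulnerable)
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm install && npm test                        # executes it while secrets are in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}               # assumed secret name

---
# --- HARDENED PATTERN: .github/workflows/pr-check.yml ---
# 1. Use the plain pull_request trigger to build and test fork PRs: it runs
#    with a read-only token and has no access to repository secrets.
# 2. Restrict the token further with an explicit permissions block.
# 3. If a pull_request_target job is still needed (for example to label PRs),
#    keep it free of PR-controlled code: no checkout of the PR head and no
#    execution of scripts from the PR.
name: pr-check (hardened)
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # checks out the PR merge ref; no secrets available in this context
      - run: npm ci && npm test
```

The distinction that matters for detection and review is not the trigger name alone but the combination: a pull_request_target trigger, a checkout of the PR head, and a step that executes PR-controlled content while secrets or a write-capable token are in scope. Auditing workflow files for that combination is a practical first check for repositories worried about campaigns of this kind.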
Iran SITREP: Proposal Deadline Nears, Trump Threatens Infra Strikes, Phishing Campaign Leverages Iran War Panic
- U.S. President Trump has threatened to strike all power plants and bridges in Iran after Tehran rejected a 45-day ceasefire proposal, instead seeking a permanent end to the war. The deadline to accept the proposal is 8 pm EDT on April 7, 2026.
- Iran has warned of attacks on U.S. energy and tech infrastructure in the Middle East in retaliation for any strikes on its civilian infrastructure. A video featuring Iranian military spokesperson Ebrahim Zolfaghari zoomed in on the Stargate data center in the United Arab Emirates (UAE). Stargate is a USD 500 billion joint venture between OpenAI, SoftBank, and Oracle to build AI data centers.
- On Monday, Israel attacked Iran’s South Pars natural gas complex for the second time to mount pressure on Tehran. The natural gas plant is an energy lifeline for Iran’s civilians and also provides a key source of export earnings for the country.
- A phishing campaign exploiting the Iran war is sending fake “Public Safety” emails with malicious QR codes that lead to fake login pages to steal user credentials.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user NormalLeVrai: Threat actor “NormalLeVrai” has advertised the sale of data from UK-based airline booking companies. The actor claims that the dataset includes over 100,000 records, source code, and backups; at the time of writing, one site had been defaced and the data was offered for USD 300. Interested buyers are likely to create fake booking portals or refund schemes using real customer and transaction data to increase credibility and successfully defraud victims.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-2699 and CVE-2026-2701: These are two critical vulnerabilities in Progress Software’s ShareFile service that can reportedly be chained together in an exploit to make unauthorized configuration changes and achieve remote code execution (RCE). Threat actors are likely to attempt exploiting the flaws, as compromising file sharing accounts enables them to steal or encrypt sensitive files.
Affected products: Progress ShareFile Storage Zones Controller (SZC) 5.x version 5.12.3 or below
Tags: DIB, tlp:green