
ZeroFox Daily Intelligence Brief - April 8, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Iran Updates: Two Week Ceasefire Underway, Cyber Actors Target U.S. Critical Infra, Oil Prices Drop, and More
  • Russian APT Fancy Bear Exploiting Routers in DNS Hijacking Campaign
  • Token Theft Breach Hits Snowflake Customers via Suspected Third-Party Compromise

Iran Updates: Two Week Ceasefire Underway, Cyber Actors Target U.S. Critical Infra, Oil Prices Drop, and More

  • United States President Donald Trump has agreed to a proposed two-week ceasefire with Iran, conditional on safe passage through the Strait of Hormuz. Iran agreed that it would halt fighting if attacks against it stop. Pakistan is mediating, urging a deadline extension and offering to host talks in Islamabad.
  • On April 7, 2026, Iranian threat actors targeted internet-exposed OT systems, including programmable logic controllers (PLCs) from U.S.-based Rockwell Automation (Allen-Bradley). These cyberattacks are likely to persist even after the ceasefire begins, as hacktivists and aligned actors continue to conduct opportunistic and retaliatory operations in support of broader geopolitical objectives.
  • At the time of writing, oil prices had dropped nearly 15 percent after President Trump paused military action against Iran and Tehran signaled temporary access through the Strait of Hormuz. Brent crude fell 14.4 percent to USD 93.48 while U.S. crude dropped 14.7 percent to USD 96.27, though prices remain above pre-war levels.
  • Within hours of the ceasefire announcement, Israel reported incoming Iranian ballistic missiles, while the United Arab Emirates activated air defenses against missiles and drones. Other Gulf states, including Saudi Arabia, Kuwait, Bahrain, and Qatar, also issued alerts or intercepted attacks.

Russian APT Fancy Bear Exploiting Routers in DNS Hijacking Campaign

Source: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations

What we know: Russian military-linked threat group APT28 (Fancy Bear) has been carrying out a DNS hijacking campaign by exploiting MikroTik and TP-Link routers, mainly small office/home office (SOHO) devices, to steal credentials and other sensitive information. The FBI said it has cut off access to the compromised routers in the United States.

Context: The campaign compromised a wide pool of users worldwide and then narrowed that pool down to specifically target military, government, and critical infrastructure entities. Recently, the United States banned the foreign-made routers over national security concerns.

Analyst note: Employees and contractors in government, military-industrial, and critical infrastructure sectors are very likely to be high-value initial targets. Such compromised access is likely to enable attackers to establish persistent presence in larger networks, monitor communications, access sensitive data, and carry out phishing using compromised legitimate email domains.

Token Theft Breach Hits Snowflake Customers via Suspected Third-Party Compromise

Source: https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/

What we know: Over a dozen companies were hit by data theft attacks after a third-party software-as-a-service (SaaS) company was breached and authentication tokens were stolen. The attacks primarily targeted Snowflake customers, though the Snowflake platform itself was not compromised.

Context: The incident is linked to a suspected breach at an AI-based anomaly detection company called Anodot, enabling attackers to access customer accounts via stolen tokens. ShinyHunters has reportedly claimed responsibility and is now extorting affected companies with threats of data leaks.

Analyst note: ShinyHunters is likely to leverage the stolen data to extort its victims; if extortion fails, compromised data such as authentication tokens will likely be sold on dark web marketplaces. Stolen authentication tokens are likely to enable threat actors to further compromise victims by bypassing password and MFA requirements, granting unauthorized access to SaaS applications and the downstream communications they hold.

DEEP AND DARK WEB INTELLIGENCE

PwnForums admin exposes alleged BreachForums admin: An admin post on dark web site PwnForums is accusing a Bulgarian cybersecurity specialist, allegedly known by the alias “N/A,” of being the administrator of BreachForums and closing it down on March 16, 2026 in an exit scam. The post further claims that N/A relaunched a new BreachForums domain under the username “Caine” and tried to sell the domain when the moderation community reportedly resigned after discovering the alleged scam. The evidence is not conclusive at the time of reporting.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-34040: This high-severity vulnerability in Moby, the open-source project underlying Docker Engine, can enable threat actors to bypass authorization plugins using specially crafted API requests. The flaw could enable creation of privileged containers with host access, risking full system compromise and credential theft. Threat actors who bypass authorization plugins are likely to escalate from limited API access to full host compromise, which could expose users' assets including credentials, Kubernetes configs, and more.

Affected products: Docker’s Moby versions prior to 29.3.1
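A quick fleet check for the affected-version condition above, as an added example that is not part of the ZeroFox brief or the Moby project: the script compares a Docker Engine version string against the fixed release named in the brief (29.3.1) and, when run with `--local`, asks the local daemon for its server version. The version-comparison logic and the output wording are this example's own; `docker version --format '{{.Server.Version}}'` is a standard Docker CLI invocation.

```shell
#!/bin/sh
# Added example (not from the ZeroFox brief): flag Docker Engine builds
# prior to the fixed Moby release named for CVE-2026-34040.

FIXED_VERSION="29.3.1"

# version_lt A B -> exit 0 if A < B, else 1.
# Versions are dot-separated numbers; a leading "v" and any pre-release
# or build suffix ("-rc1", "+dirty") are stripped before comparing.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | sed 's/^v//; s/[-+].*//' | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i in a) ? a[i] + 0 : 0   # missing components count as 0
                y = (i in b) ? b[i] + 0 : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1                            # equal is not "less than"
        }'
}

# docker_engine_vulnerable VERSION -> 0 if VERSION is prior to 29.3.1.
docker_engine_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Ask the local daemon for its server version and report.
# Exit codes: 0 = needs update, 1 = at or above fixed version, 2 = no daemon.
check_local_docker() {
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "docker daemon not reachable"
        return 2
    }
    if docker_engine_vulnerable "$v"; then
        echo "Docker Engine $v is prior to $FIXED_VERSION: update required"
        return 0
    fi
    echo "Docker Engine $v is at or above $FIXED_VERSION"
    return 1
}

# Usage: sh check_moby.sh --local
[ "${1:-}" = "--local" ] && check_local_docker
```

Run it on each Docker host (or feed `docker_engine_vulnerable` the version strings collected by your inventory tooling) and treat exit code 0 as a finding to remediate; the brief lists only the fixed version, so the check is intentionally a single threshold rather than a list of affected branches.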

Tags: DIB, TLP:GREEN