ZeroFox Daily Intelligence Brief - April 10, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Operation Atlantic Disrupts Millions in Crypto Fraud
- Zero-Day in Adobe Reader Actively Exploited Through Phishing PDFs
- ZeroFox Intelligence SITREP #33 - Military Strikes on Iran - April 9, 2026
Operation Atlantic Disrupts Millions in Crypto Fraud
What we know: UK-led Operation Atlantic froze more than USD 12 million in suspected criminal proceeds and identified around 20,000 victims of cryptocurrency and investment scams that used “approval phishing.” As a result, USD 45 million in crypto-fraud schemes was identified globally.
Context: Approval phishing scams—often using the lure of legitimate investment opportunities—trick victims into granting scammers access to their crypto wallets. Operation Atlantic disrupted multiple fraud networks across the UK, United States, and Canada through shared real-time intelligence between law enforcement agencies and private sector organisations.
Analyst note: The success of the operation indicates a likely shift towards real-time, cross-border disruption of approval-phishing crypto scams, with international agencies and private industry working side by side. Future campaigns will increasingly trace wallets, freeze assets early (before criminals can transfer them further), and dismantle scam infrastructure at scale.
Zero-Day in Adobe Reader Actively Exploited Through Phishing PDFs
What we know: Attackers have been exploiting a zero-day in Adobe Reader since December using malicious PDFs to steal data and potentially gain full system access. The campaign uses phishing lures and requires only opening the file, with no further user interaction needed. The malicious PDFs reportedly also use Russian-language lures themed around ongoing oil and gas industry events to target victims.
Context: The exploit is a fingerprinting-style attack that leverages unpatched flaws and abuses privileged APIs. It enables attackers to carry out follow-on remote code execution (RCE) and sandbox escape, possibly leading to full system compromise.
Analyst note: The fingerprinting-style exploit suggests target profiling and tailored payload delivery, aimed at stealthy data theft and long-term system access for information gathering.
ZeroFox Intelligence SITREP #33 - Military Strikes on Iran - April 9, 2026
- On April 7, 2026, the United States and Iran reached an agreement for a two-week ceasefire. Mere hours later, Iran imposed a closure of the Strait of Hormuz (SoH) in response to Israeli strikes targeting Hezbollah, resulting in widespread confusion over the ceasefire's validity.
- The ongoing accumulation of U.S. forces in the Middle East introduces further volatility, potentially signaling deterrence against Iranian actions but also risking miscalculations that could provoke escalation rather than restraint.
- ZeroFox assesses that such early setbacks have reduced the probability the truce will hold, and there is only a roughly even chance the agreed-upon ceasefire holds for the two-week duration and that a longer-term agreement can be reached in that time.
- Uncertainties surround Israel's commitment to the terms negotiated bilaterally between the United States and Iran amid ongoing operations against Hezbollah. Meanwhile, the U.S. State Department is to host a meeting with representatives from both sides to discuss ceasefire negotiations.
- The absence of verifiable commitments from the United States and Israel to curb future strikes raises doubts about Iran's incentives to maintain the truce and is likely to incentivize retaliatory moves.
DEEP AND DARK WEB INTELLIGENCE
Handala targets Israel’s Herzi Halevi: Threat group Handala has claimed that it infiltrated systems belonging to Herzi Halevi, former Chief of the General Staff of Israel, and exfiltrated military data including images, videos, and operational details. The group alleges sustained access to senior Israeli military communications and is threatening to release the stolen data gradually. Retired officials like Herzi Halevi are likely to still retain valuable historical data, contacts, and communications. Compromising such an individual is likely essential for mapping networks or accessing shared channels linked to active personnel.
VULNERABILITY AND EXPLOIT INTELLIGENCE
SonicWall vulnerabilities: SonicWall has patched four vulnerabilities in SMA1000 firewalls, including an SQL injection flaw (CVE-2026-4112) that could enable privilege escalation to admin access. The other issues could enable credential enumeration and TOTP bypass; while no exploitation has been observed, users are urged to update immediately. If exploited, these flaws are likely to enable attackers to access and compromise VPN infrastructure on SonicWall SMA1000 devices. Attackers are likely to attempt to steal data while maintaining persistent access, risking broader compromise.
Affected products: The affected products are included in SonicWall’s advisory.
Tags: DIB, tlp:green