
ZeroFox Weekly Intelligence Brief – April 11, 2026

by Alpha Team


ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EST) on April 9, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.


BlueHammer Exploit Targets Windows SAM Database Through LPE Vulnerability

What we know:

  • Exploit code for an unpatched Windows local privilege escalation (LPE) flaw has been released. This flaw could enable attackers to gain SYSTEM/admin privileges via a time-of-check to time-of-use (TOCTOU) race condition and a path confusion issue.
  • Researchers noted the flaw is difficult to exploit but can grant local attackers access to the Security Account Manager (SAM) database containing password hashes.
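The bug class behind the first bullet, check-then-use on a file path, is easier to reason about with a minimal illustration. The C below is an added example written for this brief and is not code from ZeroFox, from the BlueHammer researchers, or from the exploit itself; it is a generic POSIX illustration (the actual flaw is on Windows) with constructed fixture files under /tmp, showing the racy pattern beside the hardened form that validates the descriptor it actually opened.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not from the ZeroFox brief: the generic
 * check-then-use pattern behind a TOCTOU race on a file path, beside
 * a form that checks the object actually opened. POSIX only. */

/* VULNERABLE: access() resolves the path (following links) and the
 * later open() resolves it again. If the path is re-pointed between
 * the two calls, the check and the open see different objects. */
int read_first_byte_racy(const char *path) {
    if (access(path, R_OK) != 0) return -1;
    /* window: the path may be re-pointed here */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    unsigned char b;
    int n = (int)read(fd, &b, 1);
    close(fd);
    return n == 1 ? b : -1;
}

/* HARDENED: open first, refusing a symlink at the final component,
 * then validate with fstat() on the descriptor. Every check is made on
 * the object that was opened, so there is no window to race. */
int read_first_byte_safe(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;            /* includes ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner) {
        close(fd);
        return -1;                    /* opened object is not what we expect */
    }
    unsigned char b;
    int n = (int)read(fd, &b, 1);
    close(fd);
    return n == 1 ? b : -1;
}

/* Constructed fixture (hypothetical names): a regular file holding the
 * single byte 'A' and a symlink pointing at it, both under /tmp. */
int make_fixture(char *file, size_t flen, char *link, size_t llen) {
    char tmpl[] = "/tmp/toctou_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, "A", 1) != 1) { close(fd); return -1; }
    close(fd);
    snprintf(file, flen, "%s", tmpl);
    snprintf(link, llen, "%s.lnk", tmpl);
    unlink(link);
    return symlink(file, link);
}

void remove_fixture(const char *file, const char *link) {
    unlink(link);
    unlink(file);
}

/* Returns 1 when the two functions behave as described: the racy
 * reader happily follows the link, the hardened reader refuses it but
 * still reads the real file. */
int demo_ok(void) {
    char file[64], link[64];
    if (make_fixture(file, sizeof file, link, sizeof link) != 0) return 0;
    int via_link_racy = read_first_byte_racy(link);
    int via_link_safe = read_first_byte_safe(link, getuid());
    int direct_safe   = read_first_byte_safe(file, getuid());
    remove_fixture(file, link);
    return via_link_racy == 'A' && via_link_safe == -1 && direct_safe == 'A';
}

int main(void) {
    printf("behaviour as expected: %s\n", demo_ok() ? "yes" : "no");
    return 0;
}
```

The defensive takeaway is the shape of the hardened function: decide on the file descriptor (fstat, ownership, type), never on a path that can be re-resolved, and refuse to follow links where the caller controls the path.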

Russian APT Fancy Bear Exploiting Routers in DNS Hijacking Campaign

What we know:

  • Russian military-linked threat group APT28 (Fancy Bear) has been carrying out a Domain Name System (DNS) hijacking campaign by exploiting MikroTik and TP-Link routers (mainly small office/home office [SOHO] routers) to steal credentials and other sensitive information.
  • The Federal Bureau of Investigation (FBI) said that it has cut off access to the compromised routers in the United States.

Token Theft Breach Hits Snowflake Customers via Suspected Third-Party Compromise

What we know:

  • Over a dozen companies were hit by data theft attacks after a third-party software-as-a-service (SaaS) company was breached and authentication tokens were stolen.
  • The attacks primarily targeted Snowflake customers, though the platform itself was not compromised.

Tags: tlp:green