ZeroFox Daily Intelligence Brief - April 13, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Trojanized Hardware Monitoring Tools Spread via Compromised CPUID Infrastructure
  • W3LLSTORE PhaaS Linked to Over USD 20 Million in Fraud Dismantled
  • Nearly 800 Hungarian Government Logins Leaked Across Multiple Ministries

Trojanized Hardware Monitoring Tools Spread via Compromised CPUID Infrastructure

Source: https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/

What we know: Threat actors compromised a CPUID API and temporarily replaced the official download links with trojanized versions of tools such as CPU-Z and HWMonitor. During the brief attack window, malicious files such as HWiNFO_Monitor_Setup were distributed; they used a Russian-language installer and loaded a rogue CRYPTBASE[.]dll through DLL sideloading. The issue has since been fixed.

Context: CPU-Z and HWMonitor are tools that monitor a device’s hardware health (temperatures, voltages, and performance) and have been downloaded millions of times. In this attack, threat actors distributed trojanized versions of CPU-Z (2.19), HWMonitor Pro (1.57), HWMonitor (1.63), and PerfMonitor (2.04). Over 150 users, including in organizations across sectors in Brazil, Russia, and China, have reportedly downloaded the malicious software.

Analyst note: The threat actors likely targeted IT professionals, system admins, hardware owners, and developers to access user and corporate endpoint devices. Compromised systems and endpoint devices are likely to be repurposed into proxy nodes or relay infrastructure, enabling attackers to route malicious traffic through trusted networks.
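The sideloading detail above (a rogue CRYPTBASE[.]dll planted beside the installer) is the kind of indicator a defender can hunt for on endpoints: a DLL carrying a Windows system library's name but sitting in an application directory, where the loader will pick it up before the copy in System32. The script below is an added example written for this brief, not code from ZeroFox or from the CPUID vendor. It walks a directory tree, reports every file named like a watched system DLL, hashes it, and compares the hash against a caller-supplied set of known-good digests; the DLL name set, the verdict labels and the placeholder hash map are assumptions of the example.

```python
"""Hunt for DLL search-order hijack candidates such as a rogue CRYPTBASE.dll.

Added example for the CPUID supply-chain item; assumptions are marked inline.
"""
import hashlib
import os
from pathlib import Path

# System DLLs that legitimately live only in the Windows system directory.
# A file with one of these names next to an application EXE is a classic
# sideloading indicator. CRYPTBASE.dll is the name reported in the CPUID case;
# extend the set for your own environment (assumption: this list is illustrative).
SYSTEM_DLL_NAMES = {"cryptbase.dll"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root, names=SYSTEM_DLL_NAMES, known_good=None):
    """Walk `root` and report DLLs whose file name matches a watched system DLL.

    Returns a list of dicts with keys path, sha256 and verdict:
      - "unexpected-location": hash is not in `known_good` (investigate first)
      - "known-good-copy":     hash matches a trusted digest (still worth noting,
                               since the loader would prefer it over System32)
    `known_good` maps lower-case DLL name -> set of trusted SHA-256 hex digests
    collected from a clean reference system (hypothetical input; none shipped here).
    """
    known_good = known_good or {}
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            lname = fname.lower()
            if lname not in names:
                continue
            path = Path(dirpath) / fname
            digest = sha256_of(path)
            trusted = known_good.get(lname, set())
            verdict = "known-good-copy" if digest in trusted else "unexpected-location"
            findings.append({"path": str(path), "sha256": digest, "verdict": verdict})
    # Deterministic order makes diffs between runs meaningful.
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys

    # Default root is an assumption; point it at whatever program directories you manage.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    for f in find_sideload_candidates(root):
        print(f"{f['verdict']:20s} {f['sha256'][:16]}  {f['path']}")
```

Run it against the directories where hardware-monitoring tools are installed; any hit marked unexpected-location is a file to pull for analysis, and even a known-good-copy hit tells you an installer dropped a system DLL where it does not belong. The hashes of the rogue DLL itself are not given in this brief, so the script deliberately compares against trusted hashes rather than against a blocklist.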

W3LLSTORE PhaaS Linked to Over USD 20 Million in Fraud Dismantled

Source: https://hackread.com/fbi-atlanta-indonesian-police-w3llstore-phishing-market/

What we know: The W3LLSTORE phishing market has been dismantled by the FBI and the Indonesian National Police. The global phishing-as-a-service (PhaaS) operation is linked to over USD 20 million in attempted fraud and was used in over 17,000 attacks worldwide between 2023 and 2024.

Context: Authorities seized criminal infrastructure and detained a suspect. The W3LL phishing kit let cybercriminals create fake login pages for legitimate platforms in order to steal credentials. While the marketplace shut down in 2023, the phishing kit continued to be sold privately through encrypted messaging platforms.

Analyst note: The law enforcement action is likely to help authorities identify other collaborators who developed and operated the PhaaS, potentially leading to their detention. However, the W3LL phishing kit’s code is likely to be leaked to the wider cybercrime world, enabling other cybercriminals to create different versions of the kit.

Nearly 800 Hungarian Government Logins Leaked Across Multiple Ministries

Source: https://www.theregister.com/2026/04/11/hungary_government_logins_breach/

What we know: Nearly 800 Hungarian government credentials were found circulating in breach dumps, impacting multiple ministries including defense, foreign affairs, and finance. Around 120 records tied to defense staff were exposed, some linked to a past data breach and others indicating possible infostealer infections.

Context: Officials were found to have reused government emails and passwords across third-party services, causing their credentials to be exposed in breach dumps when those platforms were compromised.

Analyst note: Exposed logins are likely to be used in credential stuffing attacks against government systems, email accounts, and VPNs to gain unauthorized access. Unless the affected accounts are secured with multifactor authentication and new, stronger passwords, they remain at risk of compromise by threat actors abusing the leaked credentials.
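Credential stuffing has a recognizable shape in authentication logs: one source address trying many distinct accounts in a short window, as opposed to one user failing repeatedly. The detector below is an added example written for this brief, not ZeroFox tooling or any government system's code. It parses a constructed log format (timestamp, result, user, ip; the sample lines and addresses are invented, using documentation ranges), flags source IPs that touched at least `min_users` distinct accounts inside a sliding time window, and lists the accounts that authenticated successfully from a flagged source, which are the ones to reset and enrol in MFA first. The format, thresholds and window are assumptions to adapt to your own log source.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for the Hungarian credential-leak item; sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic "timestamp result user=... ip=..." layout.
# Lines 1-6: one IP sprays six different accounts in five seconds (stuffing).
# Lines 7-9: one user retries twice then succeeds from one IP (not stuffing).
SAMPLE_LOG = """\
2026-04-13T08:00:01Z FAIL user=anna.k@example.gov ip=203.0.113.5
2026-04-13T08:00:02Z FAIL user=bela.m@example.gov ip=203.0.113.5
2026-04-13T08:00:03Z FAIL user=csaba.t@example.gov ip=203.0.113.5
2026-04-13T08:00:04Z OK   user=dora.v@example.gov ip=203.0.113.5
2026-04-13T08:00:05Z FAIL user=erik.n@example.gov ip=203.0.113.5
2026-04-13T08:00:06Z FAIL user=fanni.s@example.gov ip=203.0.113.5
2026-04-13T08:05:00Z FAIL user=anna.k@example.gov ip=198.51.100.7
2026-04-13T08:05:30Z FAIL user=anna.k@example.gov ip=198.51.100.7
2026-04-13T08:06:00Z OK   user=anna.k@example.gov ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct users} for sources that tried >= min_users
    accounts within `window`. Both OK and FAIL count as attempts: a stuffing
    run that lands a valid pair still produces the many-accounts signature.
    A single user failing repeatedly from one IP does not trigger."""
    by_ip = defaultdict(list)
    for ts, _, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over time-ordered attempts
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits


def compromised_accounts(events, hits):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({u for _, r, u, ip in events if r == "OK" and ip in hits})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_stuffing(evs)
    for ip, users in found.items():
        print(f"stuffing source {ip}: {len(users)} accounts tried")
    print("successful logins from flagged sources:", compromised_accounts(evs, found))
```

The threshold of five distinct accounts in five minutes is a starting point, not a tuned value; on a busy VPN concentrator behind a corporate NAT you will want to raise it or key on the failure ratio as well, otherwise a shared egress address looks like an attacker.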

DEEP AND DARK WEB INTELLIGENCE

DarkForums user hackboy: An untested threat actor "hackboy" has advertised on DarkForums a dataset allegedly exfiltrated from Synergy, an Australia-based energy retailer and generator. The compromised dataset allegedly contains 900,002 subscriber registrations, including personally identifiable information (PII) and outstanding and ongoing payment information. If legitimate, exposed individuals are likely to be targeted in phishing and social engineering attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-39987: This is a pre-authenticated remote code execution (RCE) vulnerability in Marimo, an open-source Python notebook used for data science and analysis. The flaw is reportedly under active exploitation, and a credential theft operation is also reportedly underway. Credentials compromised through successful exploitation are likely to lead to supply chain attacks affecting developers who use the open-source project as a dependency.

Affected products: All versions of Marimo prior to and including 0.20.4

Tags: DIB, tlp:green