ZeroFox Daily Intelligence Brief: April 15, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Fake Ledger App Stole Over USD 9 Million from 50 Victims
- Cybercrime Network Triad Nexus Returns Despite U.S. Sanctions
- Over 100 Fake Chrome Extensions Affect About 20,000 Users
Fake Ledger App Stole Over USD 9 Million from 50 Victims
What we know: A malicious fake Ledger Live app on Apple’s App Store targeted macOS users, draining nearly USD 9.5 million in cryptocurrency from 50 victims across Bitcoin, Ethereum, Tron, Solana, and Ripple wallets. Users were tricked into entering their seed phrases, which gave the threat actors full control of the wallets and allowed immediate unauthorized transfers to attacker-controlled addresses.
Context: The fake app was reportedly listed on the Apple App Store under the developer name “Leva Heal Limited” (now taken down), which is not affiliated with Ledger; Ledger distributes its macOS app only via its official website, not the App Store. Separately, another major cryptocurrency company, Kraken, has reported that it is being extorted after insider-driven unauthorized access exposed limited client support data, though no funds were confirmed to be at risk.
Analyst note: Although the campaign was short-lived, the attackers siphoned a sizable amount of funds from a relatively small pool of victims (50 wallet owners), likely suggesting they targeted and exploited seed phrases belonging to high-value users before the fake app was discovered.
Cybercrime Network Triad Nexus Returns Despite U.S. Sanctions
Source: https://www.securityweek.com/triad-nexus-evades-sanctions-to-fuel-cybercrime/
What we know: Triad Nexus, a large-scale cybercrime network linked to Asian organized crime, has reportedly continued operations despite 2025 U.S. sanctions targeting Philippines-based company Funnull that it used to facilitate various types of fraud. The group is responsible for over USD 200 million in losses, mainly through pig butchering scams.
Context: Triad Nexus now leverages major cloud providers and account mules, while rotating infrastructure and blocking U.S. access to its domains to avoid detection. It has shifted operations to Spanish, Vietnamese, and Indonesian markets. It also conducts brand impersonation campaigns targeting financial institutions and luxury brands.
Analyst note: Triad Nexus’s return demonstrates the limited long-term impact of unilateral sanctions against cybercrime infrastructure. Coordinated international law enforcement action, including sanctions, is more likely to be effective against global organized cybercrime groups and to prevent them from re-emerging in other markets.
Over 100 Fake Chrome Extensions Affect About 20,000 Users
Source: https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html
What we know: One hundred and eight malicious Chrome extensions have been found to share the same command-and-control (C2) infrastructure, which they use to steal user data and manipulate browser activity. The extensions, masquerading as utilities, games, and Telegram tools, have exfiltrated credentials, hijacked sessions, injected scripts, and enabled persistent browser-level abuse affecting almost 20,000 users.
Context: The 108 malicious extensions were published under multiple fake developer identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt). In the background, they captured session data, injected arbitrary scripts, stripped security headers, and redirected traffic via the common C2 server, whose IP address is reportedly 144.126.135[.]238.
Analyst note: Malicious extensions on app stores are particularly harmful because they often ask for high privileges, such as the ability to read and change all data on websites, giving them visibility into nearly all user activity in the browser. Given the large number of malicious extensions identified, users are likely to continue facing risks like credential and financial theft until all of them are detected and removed.
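Two checks a defender would run on the back of this item, as an added example that is not part of the brief: scanning proxy or firewall logs for contact with the reported C2 address (the only value taken from the brief is 144.126.135[.]238, which the code refangs), and auditing installed extension manifests for the broad host permissions the analyst note describes (`<all_urls>` and equivalents). The log lines, extension names, and manifests are constructed sample data, not real telemetry.

```python
"""Defender-side checks for the Chrome extension campaign described above.

Added example, not from the brief. Inputs are constructed sample data; the
only value taken from the brief is the reported C2 address 144.126.135[.]238.
"""
import ipaddress
import re

# Indicator exactly as the brief defangs it; refang() turns it into an IP.
C2_INDICATOR_DEFANGED = "144.126.135[.]238"

# Host-permission patterns that grant an extension access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_c2_hits(log_lines, c2_ip: str):
    """Return (line_no, line) for every log line that talks to c2_ip.

    Matching is done on parsed IPv4 tokens, so 144.126.135.23 does not match
    144.126.135.238 by string prefix.
    """
    target = ipaddress.ip_address(c2_ip)
    ipv4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for token in ipv4.findall(line):
            try:
                if ipaddress.ip_address(token) == target:
                    hits.append((n, line))
                    break
            except ValueError:
                continue  # not a real address, e.g. "999.1.1.1"
    return hits


def broad_permissions(manifest: dict):
    """Return the host patterns in a manifest (MV2 or MV3) that cover all sites."""
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    declared = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    return sorted(p for p in declared if p in BROAD_HOST_PATTERNS)


def audit_extensions(manifests):
    """Return {extension name: [broad host patterns]} for extensions that can read every site."""
    flagged = {}
    for m in manifests:
        broad = broad_permissions(m)
        if broad:
            flagged[m.get("name", "<unnamed>")] = broad
    return flagged


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2026-04-14T10:02:11Z host=ws-017 dst=144.126.135.238:443 action=allow bytes=5120",
    "2026-04-14T10:02:12Z host=ws-017 dst=144.126.135.23:443 action=allow bytes=300",
    "2026-04-14T10:03:40Z host=ws-022 dst=93.184.216.34:443 action=allow bytes=800",
]

SAMPLE_MANIFESTS = [
    {"name": "Tab Tidy", "manifest_version": 3, "permissions": ["storage"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Clock Widget", "manifest_version": 3, "permissions": ["alarms"]},
    {"name": "Old Toolbar", "manifest_version": 2, "permissions": ["tabs", "*://*/*"]},
]

if __name__ == "__main__":
    c2_ip = refang(C2_INDICATOR_DEFANGED)
    for n, line in find_c2_hits(SAMPLE_LOG, c2_ip):
        print(f"C2 contact on log line {n}: {line}")
    for name, perms in audit_extensions(SAMPLE_MANIFESTS).items():
        print(f"{name}: can read/change data on all sites via {perms}")
```

On a real fleet the manifests would come from each profile's `Extensions/<id>/<version>/manifest.json` directory, and the log lines from the proxy or firewall export; a broad host permission is not proof of malice (many legitimate extensions need it), so the audit output is a review list, while a hit on the C2 address is an indicator worth escalating.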
DEEP AND DARK WEB INTELLIGENCE
PwnForums user bytetobreach: Threat actor "bytetobreach" has advertised a dataset allegedly associated with U.S.-based VIP Universal Medical Insurance Group (VUMI) on dark web forum PwnForums. The dataset allegedly contains personally identifiable information (PII), including Social Security numbers of both agents and clients, passport, and taxpayer documents of approximately 300,000 insured individuals and over 25,000 staff. If the data is legitimate, exposed individuals and agents are very likely to be targeted in phishing, social engineering, and impersonation attacks to facilitate financial and insurance fraud.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Microsoft April 2026 Patch Tuesday: Microsoft has released patches for 167 vulnerabilities, including two zero-day bugs tracked as CVE-2026-32201 (SharePoint Server spoofing vulnerability) and CVE-2026-33825 (Defender elevation of privilege vulnerability). The majority of the vulnerabilities are privilege escalation flaws. Successful exploitation is likely to enable threat actors to gain unauthorized access to compromised systems.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green