
ZeroFox Daily Intelligence Brief - April 16, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Sweden Accuses Russia of a 2025 Cyberattack against Thermal Power Plant
  • U.S. Authorities Disrupt Card Skimming and EBT Fraud
  • Iran SITREP: U.S. President Optimistic About War’s End, Ceasefire Holds, U.S. Sanctions Iranian Oil Network, and More

Sweden Accuses Russia of a 2025 Cyberattack against Thermal Power Plant

Source: https://www.reuters.com/world/swedish-power-plant-targeted-by-pro-russian-group-2025-government-says-2026-04-15/

What we know: Sweden has accused Russian threat actors with links to the state’s intelligence agencies of attempting to sabotage a thermal power plant in early 2025. The attack was thwarted by a built-in protection mechanism.

Context: Sweden’s minister for civil defence cited the incident to highlight the shift by pro-Russian threat groups toward destructive cyberattacks against organizations in Europe, whereas their earlier activity was limited to denial-of-service attacks. The Russian embassy in Stockholm denied the accusations.

Analyst note: Russian state-linked cyberattacks against Europe’s critical infrastructure are very likely to continue into the near future as the Ukraine war rages on. Internet-exposed edge devices are likely to be prime targets, along with phishing attacks against individuals engaged in critical infrastructure and government entities.

U.S. Authorities Disrupt Card Skimming and EBT Fraud

Source: https://www.secretservice.gov/newsroom/releases/2026/04/dallas-field-office-card-skimming-outreach-operation-nets-13-illegal

What we know: U.S. authorities carried out a two-day operation across Texas to combat payment card skimming and Electronic Benefit Transfer (EBT) fraud and prevent approximately USD 13.5 million in potential theft.

Context: Authorities visited 462 businesses and inspected over 2,939 point-of-sale (PoS) systems, gas pumps, and ATMs. Threat actors install hidden skimming devices on payment infrastructure to capture card data, which is then used for unauthorized transactions or cloned cards.

Analyst note: Older or poorly monitored payment infrastructure is likely to remain susceptible to fraud. Threat actors are also likely to shift toward more covert methods, such as internal device tampering and digital skimming, to evade physical inspection efforts.

Iran SITREP: U.S. President Optimistic About War’s End, Ceasefire Holds, U.S. Sanctions Iranian Oil Network, and More

  • President Trump has signaled that the Iran conflict may be nearing an end, hinting at imminent developments, while the White House raised the possibility of renewed U.S.-Iran talks via Pakistan and of a broader bargain that would also resolve Iran’s nuclear issue.
  • Oil prices fell as possibly easing tensions and potential Hormuz transit outweighed supply concerns, with Brent down to USD 94.49 and WTI down to USD 90.59. Experts expect WTI crude to remain volatile between USD 80 and USD 100 until a peace deal is reached and navigation through the Strait of Hormuz is fully restored.
  • Despite the U.S. naval blockade of the Strait of Hormuz (SoH), the 14-day ceasefire between the United States and Iran is holding, notably without Iran retaliating to the blockade. However, the conflict remains fragile elsewhere, with Israel targeting Hezbollah. Israel’s Lebanon campaign risks prolonging the conflict with Iran, which has signaled its readiness to reopen the SoH only if attacks on Hezbollah cease.
  • According to an unnamed source, Iran may allow ships to transit safely via the Omani side of the Strait of Hormuz as part of a potential deal with the U.S. to prevent renewed conflict.
  • Meanwhile, the U.S. Treasury has sanctioned over two dozen individuals, firms, and vessels tied to an Iranian oil magnate’s network to disrupt Tehran’s illicit oil transport and revenue streams. The network uses front companies posing as legitimate administrative, consulting, and shipping firms to mask operations and sustain Iran’s sanctioned oil activities.

DEEP AND DARK WEB INTELLIGENCE

BreachForums[.]ai user ShinyHunters: Threat actor ShinyHunters has advertised a dataset linked to Santander Bank, containing customer and employee data from Spain, Chile, and Uruguay. ShinyHunters claims that the data includes 30 million customer records, 28 million credit cards, 6 million account details, and employee and citizenship information. The actor has priced the dataset at USD 1 million as a one-time sale, while also indicating that Santander itself is welcome to purchase it. ShinyHunters has a recent string of successful breaches that has established its credibility. Even if the claim is true, and despite that credibility, there is a roughly even chance that other threat actors will find the dataset difficult to purchase because of its exorbitant price. At the time of writing, Santander and major media outlets have not confirmed any recent breach.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-33032: This flaw in Nginx UI is being actively exploited, allowing unauthenticated attackers to gain full server control via an exposed MCP endpoint. The bug enables remote configuration manipulation and service takeover, and thousands of internet-exposed instances remain at risk despite patches being available. Further widespread opportunistic exploitation is likely, with attackers targeting exposed instances for web server hijacking, persistence, and initial access into broader networks.

Affected products: Nginx UI versions up to and including 2.3.5

Tags: DIB, tlp:green