ZeroFox Weekly Intelligence Brief – April 18, 2026
by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EST) on April 16, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
Fake Ledger App Stole over USD 9 Million from 50 Victims
What we know:
- A malicious fake Ledger Live app on Apple’s App Store targeted macOS users, draining nearly USD 9.5 million in cryptocurrencies from 50 victims across Bitcoin, Ethereum, Tron, Solana, and Ripple wallets.
- Users were tricked into exposing their seed phrases, enabling threat actors to gain full wallet control and make immediate unauthorized transfers to attacker-controlled addresses.
Trojanized Hardware Monitoring Tools Spread via Compromised CPUID Infrastructure
What we know:
- Threat actors compromised a CPUID API and temporarily replaced official download links with trojanized versions of tools such as CPU-Z and HWMonitor.
- During the brief attack, malicious files such as HWiNFO_Monitor_Setup were distributed, using a Russian-language installer and Dynamic Link Library (DLL) sideloading via a rogue CRYPTBASE[.]dll.
- The issue has since been fixed.
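The sideloading technique in the CPUID item is one a defender can hunt for on a host: copies of CRYPTBASE.dll sitting outside the Windows system directories, especially ones whose hash differs from the trusted System32 copy. The script below is an added example, not ZeroFox's or CPUID's code; the scan root, the list of trusted directories and the sample layout are assumptions.

```python
"""Hunt for DLL-sideloading candidates: a system DLL name (here cryptbase.dll,
the name abused in the trojanized CPUID downloads) found outside trusted system
directories. Added example; trusted_dirs and scan_root are caller assumptions."""
from __future__ import annotations
import hashlib
import os
from dataclasses import dataclass

TARGET_DLL = "cryptbase.dll"  # compared case-insensitively (Windows semantics)

@dataclass
class Finding:
    path: str
    sha256: str
    matches_system_copy: bool  # True when byte-identical to the trusted copy

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _under(dirpath: str, trusted: str) -> bool:
    d, t = os.path.normcase(os.path.abspath(dirpath)), os.path.normcase(os.path.abspath(trusted))
    return d == t or d.startswith(t + os.sep)

def find_sideload_candidates(scan_root: str, trusted_dirs: tuple[str, ...],
                             dll_name: str = TARGET_DLL) -> list[Finding]:
    """Walk scan_root and report every file named dll_name that lives outside
    trusted_dirs (e.g. System32, SysWOW64, WinSxS). The hash of the first
    trusted copy found is the reference; a mismatch is the interesting case."""
    system_hash = None
    for t in trusted_dirs:
        candidate = os.path.join(t, dll_name)
        if os.path.isfile(candidate):
            system_hash = sha256_of(candidate)
            break
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if any(_under(dirpath, t) for t in trusted_dirs):
            continue  # legitimate location; nothing to flag there
        for name in files:
            if name.lower() == dll_name:
                full = os.path.join(dirpath, name)
                digest = sha256_of(full)
                findings.append(Finding(full, digest, digest == system_hash))
    return findings

def suspicious(findings: list[Finding]) -> list[Finding]:
    """Copies that differ from the trusted one: review their parent directory."""
    return [f for f in findings if not f.matches_system_copy]
```

A copy identical to the System32 file can still be abused for search-order hijacking, so review every finding; the hash mismatch only ranks them.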
W3LLSTORE PhaaS, Linked to Over USD 20 Million in Fraud, Dismantled
What we know:
- W3LLSTORE phishing market has been dismantled by the Federal Bureau of Investigation (FBI) and the Indonesian National Police.
- The global phishing-as-a-service (PhaaS) operation is linked to over USD 20 million in attempted fraud and was used in over 17,000 attacks worldwide between 2023 and 2024.
Tags: tlp:green