ZeroFox Daily Intelligence Brief - April 22, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Security Gaps in Perforce Deployments Expose Critical Development Assets
- Software Consultancy Firm The Adaptavist Group Discloses Intrusion
- Mustang Panda Targets Indian Banks & U.S. Policy Experts
Security Gaps in Perforce Deployments Expose Critical Development Assets
Source: https://www.securityweek.com/unsecured-perforce-servers-expose-sensitive-data-from-major-orgs/
What we know: Over 6,000 exposed Perforce P4 (formerly Helix Core) servers were reportedly found to have enabled unauthenticated access to source code and, in some cases, full read-write control due to weak or missing credentials. These misconfigured servers reportedly leaked highly sensitive data, including client information, internal projects, personal data, credentials, source code, and product schematics.
Context: Some of the exposed systems belonged to organizations in gaming, academia, media, crypto, and manufacturing, including some used in semiconductor design. Perforce Helix Core is a centralized version control system (VCS) that helps teams manage, track, and collaborate on large project files such as code, designs, and media.
Analyst Note: Access to source code and read-write control on Perforce P4 servers is likely to enable intellectual property theft, malicious code injection, and downstream supply chain compromises.
Software Consultancy Firm The Adaptavist Group Discloses Intrusion
Source: https://www.theregister.com/2026/04/21/adaptavist_group_breach_spawns_impostor/
What we know: UK-based software consultancy firm The Adaptavist Group has disclosed a cyber incident where an attacker used compromised credentials to gain unauthorized access to some of its systems. The firm develops and sells tools and services around project management and collaboration platforms.
Context: Meanwhile, The Gentlemen ransomware group claimed “complete infrastructure compromise” of Adaptavist, allegedly referring to everything from customer environments to stealing source code, credentials, internal documents, and production systems. The firm has denied the scale of the incident, stating that only publicly available business data was affected.
Analyst Note: Leaked business data will almost certainly be used in phishing attacks against exposed organizations that leverage Adaptavist's acknowledgement of a breach. If the stolen data claims are legitimate, the cache of information is likely to result in supply chain attacks.
Mustang Panda Targets Indian Banks & U.S. Policy Experts
Source: https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-indian-banks-korean-policy
What we know: China-linked APT group Mustang Panda is reportedly operating a spear-phishing campaign against India's banking sector. The group is also targeting U.S. and South Korean policy circles by impersonating prominent political scientist Victor Cha.
Context: While targeting Indian banks, threat actors posed as IT support to lure victims into opening malicious files that triggered a dynamic link library (DLL) sideloading attack. The LotusLite backdoor was then used to maintain persistence, establish shells, access files, and perform other remote operations for espionage.
Analyst Note: Mustang Panda is almost certainly broadening its geographic and sectoral targets by tracking financial-diplomatic posture to gather strategic intelligence. State-aligned attackers are likely to be able to forecast economic decisions by tracking government- and critical infrastructure-linked transactions, and to identify vulnerabilities.
DEEP AND DARK WEB INTELLIGENCE
Breachforums user NormalLeVrai: Untested threat actor "NormalLeVrai" has advertised an allegedly compromised cryptocurrency account containing 9.22998 BTC (valued at approximately USD 716,289) on dark web forum breachforums[.]ai. The account credentials were allegedly discovered within an employee email inbox following the breach of an undisclosed "well-known company." The actor claims to have successfully tested a withdrawal using a small amount, but is selling the account to avoid the risk of cashing out the full amount. The actor's reasoning for not cashing out the account themselves is not convincing, very likely making the advertisement a scam.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Google Antigravity vulnerability: A now-patched vulnerability in Google's agentic integrated development environment (IDE) Antigravity allowed attackers to bypass Strict Mode and achieve arbitrary code execution by injecting malicious flags into its file-search tool. This enabled payload execution without user interaction. The flaw is likely to enable threat actors to compromise developer environments at scale, facilitating source code theft, credential exfiltration, and downstream supply chain attacks.
Affected products: Google's Antigravity.
Tags: DIB, tlp:green