ZeroFox Daily Intelligence Brief - April 27, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Itron Discloses Cyberattack on Internal IT Network
- Pre-Stuxnet Malware Fast16 Reveals Early State Cyber Sabotage
- ShinyHunters Targets Major Firms, Claims Millions of Records and Internal Data Theft
Itron Discloses Cyberattack on Internal IT Network
What we know: U.S.-based utility technology firm Itron has confirmed that an unauthorized third party accessed its internal IT network. Itron reportedly notified law enforcement, blocked the activity, and confirmed that no customer systems were affected.
Context: Itron provides energy and water resource management technology to utilities worldwide, serving 7,700 customers across 100 countries and managing 112 million endpoints. Cyberattacks targeting utility-sector vendors and their supply chains have exacerbated the tangible real-world impacts of cyber incidents in recent years.
Analyst note: Itron's data breach, although contained, is likely to pose significant supply-chain risk, as attackers could have stolen credentials or intellectual property that can be used against utility customers for extortion or to identify vulnerabilities in infrastructure. Furthermore, follow-on supply-chain targeting of Itron's downstream entities remains a concern worth monitoring, though no such activity has been reported to date.
Pre-Stuxnet Malware Fast16 Reveals Early State Cyber Sabotage
Source: https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.html
What we know: Researchers have deciphered Fast16, a previously unknown, 2005-era, Lua-based cyber sabotage malware strain that predates Stuxnet (deployed against Iran in 2007). The malware was designed to covertly tamper with engineering and simulation software such as LS-DYNA, MOHID, and PKPM, which are used to model real-world physical systems.
Context: Fast16 is a self-propagating, kernel-level implant that subtly manipulates high-precision calculations to trigger hard-to-detect failures. It is suspected to have been deployed as a state-sponsored sabotage tool targeting Iran’s nuclear program by corrupting research outcomes rather than causing direct disruption.
Analyst note: Fast16 is likely limited in its current form to legacy environments, given its 2005-era design. However, now that its capabilities are understood, it is likely to inspire modernized variants tailored to contemporary systems. Such adaptations are likely to be leveraged in future cyber operations targeting research facilities and critical infrastructure during periods of global conflict.
ShinyHunters Targets Major Firms, Claims Millions of Records and Internal Data Theft
Source: https://www.theregister.com/2026/04/24/shinyhunters_claim_cruise_giant_carnivals/
What we know: Carnival Corporation has confirmed a cybersecurity incident after at least 7 million records linked to its Holland America loyalty program were found exposed, including associated personal data such as names, dates of birth, genders, and membership status details.
Context: Carnival Corporation data was leaked by ShinyHunters, which claims to have exfiltrated not only customer information but also "terabytes" of internal corporate data after failed extortion negotiations with the company. Additionally, a major home security company has confirmed a cyber incident after ShinyHunters took credit for it and claimed to have stolen 10 million records containing customers' personal information.
Analyst note: Such large-scale data leaks, if confirmed by the companies, are likely to enable threat actors to conduct large-scale profiling and targeting, improving the effectiveness of social engineering campaigns across different sectors.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user xorcat: Untested actor "xorcat" allegedly leaked 22.3 million records from Iraq's Agency of Intelligence and Federal Investigation on DarkForums. The dataset covers personally identifiable information of Iraqi citizens/foreigners with family links (spouses/relatives), addresses, jobs, national IDs, salaries, and cases tied to security investigations and criminal tracking. If the claim is true, the data can be misused for identity fraud using national IDs and PII, targeted extortion using family addresses, financial information and case histories, compromised state security ops from exposed tracking data, and geopolitical exploitation by adversaries.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Entra Agent ID flaw patched by Microsoft: A critical elevation-of-privilege vulnerability in Microsoft Entra ID (formerly Azure AD) is now fully patched. The flaw could enable an unauthenticated attacker to gain unauthorized administrative access to an Entra ID tenant. It stemmed from two validation failures: a missing tenant check and an API that trusted unsigned tokens, which together allowed attackers to bypass multi-factor authentication and impersonate administrators. Successful exploitation would likely have enabled data exfiltration, password resets, and the installation of persistent backdoors.
Affected products: Microsoft Entra ID
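The two failure classes named above (trusting a token that carries no signature, and never checking which tenant the token was issued for) are general token-validation mistakes, not specific to Entra. The following added example, which is not Microsoft's code and does not reproduce the patched flaw, shows a minimal JWT validator written the vulnerable way beside a hardened one that pins the algorithm, verifies the signature, pins the tenant (`tid`) and checks expiry. It assumes a constructed HMAC key and constructed tenant IDs so it runs offline; real Entra tokens are RS256-signed and are verified against Microsoft's published signing keys, which a production validator must fetch and cache.

```python
"""Illustrative JWT validation: vulnerable pattern vs hardened pattern.

Added example, not Microsoft's code. HMAC-SHA256 with a constructed key
stands in for the RS256 signatures real identity providers use.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo (assumptions, not real identifiers).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
TRUSTED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: Optional[bytes] = DEMO_KEY) -> str:
    """Build a compact JWT. key=None emits an unsigned 'alg: none' token,
    used only to construct a negative test case for the validators."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + _b64url(sig)


def validate_insecure(token: str) -> Optional[dict]:
    """Vulnerable pattern: lets the token's own header choose the algorithm
    (so an unsigned token is accepted) and never checks the tenant claim."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    if header["alg"] == "none":
        return claims  # unsigned token accepted as-is
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, _b64url_decode(s)) else None


def validate_hardened(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened pattern: fixed algorithm, mandatory signature check,
    tenant pinning, and expiry check. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token pick its algorithm
        return None
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if claims.get("tid") not in TRUSTED_TENANTS:  # tenant pinning
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


if __name__ == "__main__":
    good = make_token({"tid": "11111111-1111-1111-1111-111111111111", "roles": ["Admin"], "exp": 2_000_000_000})
    unsigned = make_token({"tid": "11111111-1111-1111-1111-111111111111", "roles": ["Admin"], "exp": 2_000_000_000}, key=None)
    foreign = make_token({"tid": "22222222-2222-2222-2222-222222222222", "roles": ["Admin"], "exp": 2_000_000_000})
    for name, tok in (("good", good), ("unsigned", unsigned), ("foreign tenant", foreign)):
        print(f"{name:15} insecure={validate_insecure(tok) is not None}  hardened={validate_hardened(tok) is not None}")
```

Run it and the insecure validator accepts all three tokens, while the hardened one accepts only the signed token from the trusted tenant. The design point is that the validator, not the token, decides which algorithm is acceptable, and that a valid signature alone is not sufficient: the issuer and tenant claims must also match what the service expects.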
CVE-2025-48700: Over 10,000 internet-exposed Zimbra servers remain unpatched and are being actively targeted via this XSS flaw, enabling attackers to steal sensitive data through malicious emails. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. Most of these servers are reportedly located in Asia and Europe. Compromised Zimbra servers are likely to enable attackers to exploit trusted email channels for business email compromise, leading to unauthorized transactions, invoice fraud, and operational disruption.
Affected products: Zimbra Collaboration 8.8.15, 9.0, 10.0, and 10.1
Tags: DIB, tlp:green