ZeroFox Daily Intelligence Brief - April 28, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Chinese State-Sponsored Hacker Extradited to the United States
  • Mobile SMS Blaster Scam Enables Mass Phishing Across Toronto, Canada
  • Medtronic Discloses Data Breach

Chinese State-Sponsored Hacker Extradited to the United States

Source: https://www.justice.gov/usao-sdtx/pr/prolific-chinese-state-sponsored-contract-hacker-extradited-italy

What we know: An individual with alleged ties to China-linked APT group Silk Typhoon was extradited from Italy to the United States to face cyberespionage charges. The arrested individual worked for Shanghai Powerock Network Co., Ltd. (Powerock), one of many firms used to carry out hacking operations on behalf of the Chinese government.

Context: Silk Typhoon, also known as Hafnium, has been conducting coordinated intelligence-gathering campaigns against U.S.-based COVID-19 research organizations, targeting email servers and exploiting zero-days. The campaign compromised 60,000+ entities globally, making it one of China’s largest state-sponsored intrusions.

Analyst note: This extradition will likely lead to stricter travel limitations for Chinese contract hackers and a stronger deterrent effect on the private-contractor model. Tracking and mapping the movements of co-conspirators is likely to provide deeper insight into state-sponsored operational structures and to accelerate global policy initiatives to strengthen supply-chain security.

Mobile SMS Blaster Scam Enables Mass Phishing Across Toronto, Canada

Source: https://www.bleepingcomputer.com/news/security/canada-arrests-three-for-operating-sms-blaster-device-in-toronto/

What we know: Canadian authorities arrested three individuals for using a mobile “SMS blaster” that mimicked cellular towers to send phishing texts to nearby devices across the Greater Toronto Area. Operated from vehicles, the setup enabled large-scale targeting, with investigators estimating around 13 million mobile network entrapment incidents.

Context: The scam was operated from vehicles to enable mobile, large-scale targeting across the area. Additionally, beyond phishing attempts, the rogue setup forced devices off legitimate networks, potentially blocking access to emergency services and increasing threats to physical safety.

Analyst note: Illegal SMS blaster campaigns are likely to be increasingly exploited by organized crime in other regions due to their scalability and efficiency. As capabilities evolve, attackers are likely to leverage more advanced setups combining phishing with surveillance and potential service disruption to enhance impact and persistence.

Medtronic Discloses Data Breach

Source: https://securityaffairs.com/191391/cyber-crime/medtronic-discloses-security-incident-after-shinyhunters-claimed-theft-of-9m-records.html

What we know: Medical device giant Medtronic has confirmed a breach that affected its corporate IT systems. This came after ShinyHunters claimed theft of over 9 million records and threatened to leak the data unless its demands are met. However, Medtronic states that operations, products, and patient safety remain unaffected.

Context: Medtronic is the world's largest medical device maker by revenue. It also develops healthcare technologies and therapies, which makes it a target with little tolerance for operational disruption. Although Medtronic is no longer visible on ShinyHunters' data leak site, an investigation into the full scope of compromised data is ongoing.

Analyst note: Threat actors who obtained the stolen internal corporate data and personally identifiable information (PII) are likely to craft highly convincing social engineering attacks against employees and Medtronic’s partners. ZeroFox has observed copycat groups mimicking the ShinyHunters brand; however, this breach is highly likely attributable to the original group given its alignment with the ongoing multi-victim campaign, leak site patterns, and structured ransom deadline.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Crimson: Threat actor “Crimson” advertised on dark web forum DarkForums “super administrator” access to the Abu Dhabi Department of Finance. If the actor’s claims are true, interested buyers are likely to gain full control over systems within the Abu Dhabi Department of Finance, leading to attacks against connected government entities and partners.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-21510: Russia-linked threat actor APT28 is reportedly exploiting a zero-click vulnerability in Windows SmartScreen and Shell security prompts, following an incomplete Microsoft patch. This enables the attackers to capture user NTLM hashes for relay attacks or offline cracking. While the February patch intended to enforce digital signature verification, the flaw enables unauthenticated attackers to trigger automatic NTLM authentication handshakes using crafted .lnk files, likely leading to lateral movement, data exfiltration, and espionage.

Affected products: Windows 10, Windows 11, and Windows Server (all versions including 2022)
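As an added defender-side example that is not part of the ZeroFox brief: a small Python parser, written here following the public MS-SHLLINK layout, that pulls the StringData fields out of a .lnk file and flags any that point at a remote host, which is the property a mail-gateway or triage script would check on shortcuts arriving from outside. The `sample_lnk` fixture and the `example-host` name are constructed for the test; nothing here is ZeroFox or Microsoft code.

```python
import struct

# Layout from the public MS-SHLLINK spec; only the pieces needed to reach StringData.
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the LinkInfo network flag and the StringData fields of a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    net_link = False
    if flags & HAS_LINK_INFO:                   # LinkInfo: size, header size, LinkInfoFlags
        size, _hdr, li_flags = struct.unpack_from("<III", data, pos)
        net_link = bool(li_flags & 0x2)         # CommonNetworkRelativeLink present
        pos += size
    fields = {}
    for bit, name in STRING_FIELDS:             # StringData blocks appear in this order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    return {"network_link": net_link, "strings": fields}

def remote_references(data: bytes) -> list:
    """StringData fields holding a UNC path or URL, plus a network-relative LinkInfo."""
    info = parse_lnk(data)
    hits = [name for name, value in info["strings"].items()
            if value.startswith("\\\\") or value.lower().startswith(("http://", "https://"))]
    if info["network_link"]:
        hits.append("link_info")
    return hits

def sample_lnk(icon_location: str) -> bytes:
    """Constructed test fixture: a minimal shortcut carrying only a Unicode IconLocation."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ICON | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

A non-empty result from `remote_references` on a shortcut that came in by email is the trigger to quarantine it and to look for outbound SMB or WebDAV traffic from the host that opened it.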

Tags: DIB, tlp:green