
ZeroFox Daily Intelligence Brief - April 29, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Emerging Ransomware Groups Clash
  • Europol Crackdown on Black Axe
  • Geopolitical Focus: UAE to Quit OPEC; U.S. Sanctions Chinese and Iranian Entities; and More

Emerging Ransomware Groups Clash

Source: https://www.zerofox.com/advisories/39668/

What we know: Two ransomware groups, “Krybit” and “0APT,” emerged on the ransomware threat landscape earlier this year. Their rivalry escalated in early April when 0APT exploited a vulnerability in Krybit’s backend to steal victim data and expose internal information. Within 48 hours, Krybit responded by defacing 0APT’s leak site and releasing its alleged source code and operational logs.

Context: Krybit is a ransomware and digital extortion collective active since April 2026, operating a dark web blog and claiming at least 19 victims. 0APT surfaced in early 2026 with suspected fabricated victim claims, went dormant, and later reemerged targeting other ransomware groups such as “Everest” and “RansomHouse.”

Analyst note: Krybit and 0APT are likely immature ransomware groups with low-to-medium sophistication. However, they likely warrant continued monitoring due to Krybit’s expanding capabilities and infrastructure and 0APT’s persistence in attempting to establish itself among more established rivals.

Europol Crackdown on Black Axe

Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-supports-hit-against-black-axe-criminal-organisation-in-switzerland-10-arrests

What we know: Europol supported Swiss and German authorities in arresting 10 suspected Black Axe members in Switzerland on April 28, 2026. The accused are reportedly suspected of involvement in romance scams and cyber-enabled fraud, with associated money laundering and damages running into millions of Swiss francs.

Context: The Black Axe extortion group evolved from a late-1970s Nigerian student fraternity into a structured, violent, transnational criminal organization. It specializes in cyber-enabled financial crime, sophisticated social media scams, and phishing campaigns.

Analyst note: Law enforcement authorities have made several similar arrests recently, likely indicating an emerging pattern of cross-border coordination to dismantle active cybercriminal groups. Moreover, dual-citizenship hackers and other transnational operators are likely to be targeted during international travel through real-time intelligence sharing, as authorities exploit the physical mobility required to manage distributed cybercrime networks.

Geopolitical Focus: UAE to Quit OPEC; U.S. Sanctions Chinese and Iranian Entities; and More

  • The United Arab Emirates (UAE) has announced it will leave the Organisation of Petroleum Exporting Countries (OPEC) and OPEC+ after nearly 60 years to pursue an independent energy strategy and increase production flexibility. This move is likely to trigger a production surge and price war.
  • The U.S. Office of Foreign Assets Control (OFAC) has warned financial institutions about sanctions risks tied to Chinese “teapot” refineries importing Iranian oil, which funds Iran’s regime and military programs. The alert urges stricter due diligence and details evasion tactics such as front companies, shadow fleets, and deceptive shipping practices.
  • The U.S. Department of the Treasury has sanctioned 35 individuals and entities involved in Iran’s “shadow banking” network, which moves billions of dollars to bypass sanctions and fund military and proxy activities. The action aims to disrupt Iran’s illicit financial lifelines, used for oil sales, weapons procurement, and terrorism financing, while warning global institutions they risk penalties if they engage with these networks.
  • Ukrainian President Volodymyr Zelensky has accused Israel of allowing shipments of grain allegedly stolen by Russia to enter its ports, warning of possible sanctions and escalating diplomatic tensions. The dispute has strained relations and drawn attention from the European Union over potential illegal trade.

DEEP AND DARK WEB INTELLIGENCE

PwnForums user OriginalCrazyOldFart: Threat actor “OriginalCrazyOldFart” has allegedly leaked a dataset concerning opioid (painkiller drug) distributors and rehabilitation facilities in the United States. The data is claimed to have been sourced from an exposed object storage service using an indexer tool. The exposed data allegedly includes 405 MB of pharmacy data, 1.7 GB of treatment center records, as well as DEA and mortgage datasets. If the claim is true, the data is likely to be misused for targeted social engineering attacks and financial fraud.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-32202: This is a medium-severity spoofing vulnerability in Windows Shell that Microsoft has confirmed is under active exploitation. The bug stems from an incomplete patch for an earlier vulnerability tracked as CVE-2026-21510. The flaw enables threat actors to steal NTLMv2 credentials through zero-click SMB authentication coercion. If successfully exploited, it can expose NTLM hashes, which are likely to be used in relay attacks or cracked offline without a real-time connection to the victim’s system. However, the flaw alone does not enable remote access or system modification unless chained with other exploits.

Affected products: The affected products are listed in the advisory.
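As an added defensive example (not part of the ZeroFox brief or Microsoft’s advisory), the following Python script scans firewall log lines for outbound SMB from internal hosts to public addresses: the egress path a credential-leak flaw of this kind needs in order to deliver an NTLMv2 hash to an attacker-controlled SMB server, and therefore both the control to block at the perimeter and a useful detection signal. The log format, internal IP ranges, and sample lines are assumptions constructed for this example.

```python
"""Flag outbound SMB (TCP/445, TCP/139) from internal hosts to public IPs.

Log format (assumed for this example):
timestamp,action,proto,src_ip,src_port,dst_ip,dst_port
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

SMB_PORTS = {445, 139}  # 445 is modern SMB; 139 covers NetBIOS session service

# Internal ranges are spelled out rather than using ip.is_private, because
# Python also treats the RFC 5737 documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2026-04-29T09:12:01Z,ALLOW,TCP,10.20.5.17,51734,10.20.1.5,445",     # internal file server
    "2026-04-29T09:12:07Z,ALLOW,TCP,10.20.5.17,51790,203.0.113.44,445",  # egress SMB: alert
    "2026-04-29T09:12:09Z,ALLOW,TCP,10.20.5.18,51802,198.51.100.9,443",  # ordinary HTTPS
    "2026-04-29T09:12:15Z,DENY,TCP,10.20.5.19,51830,203.0.113.44,445",   # blocked at perimeter
    "2026-04-29T09:12:20Z,ALLOW,TCP,10.20.5.20,51855,192.0.2.77,139",    # NetBIOS egress: alert
    "malformed line that should be skipped",
]

def is_internal(ip) -> bool:
    """True if the address (str or ip_address) falls in a known internal range."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (action, src_ip, dst_ip, dst_port), or None for a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != 7:
        return None
    try:
        return parts[1], str(ipaddress.ip_address(parts[3])), str(ipaddress.ip_address(parts[5])), int(parts[6])
    except ValueError:
        return None

def find_external_smb(lines: Iterable[str], allowed_only: bool = True) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) for SMB flows from internal hosts to public IPs.
    With allowed_only, DENY entries are skipped; they show the egress block working."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, port = rec
        if port in SMB_PORTS and is_internal(src) and not is_internal(dst):
            if allowed_only and action != "ALLOW":
                continue
            hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_external_smb(SAMPLE_LOGS):
        print(f"ALERT outbound SMB to public host: {src} -> {dst}:{port}")
```

Run with allowed_only=False to audit how often the perimeter rule is actually being hit, which is a quick way to confirm the egress block exists and is effective.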

Tags: DIB, tlp:green