ZeroFox Daily Intelligence Brief - May 1, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Rise in Cyber-Enabled Cargo Theft Attacks
- 86,000 Private Messages and Images of Social Media Figures Leaked
- Critical cPanel Zero-Day Enables Unauthorized Access to Hosting Servers
Rise in Cyber-Enabled Cargo Theft Attacks
Source: https://www.ic3.gov/PSA/2026/PSA260430
What we know: The FBI warned that cargo theft losses in the United States and Canada reached nearly USD 725 million in 2025, a 60 percent increase from 2024, with the number of incidents rising by 18 percent. Criminals compromise freight brokers' systems, impersonate legitimate companies, and divert high-value shipments using spoofed emails and fake listings on load boards.
Context: The scheme typically starts with the criminals posting fake shipping jobs online. Carriers who respond are tricked, via phishing emails, into installing remote access malware. The threat actors then steal credentials, cancel legitimate shipments, and book high-value cargo under the victim company's stolen identity. Finally, the cargo is redirected mid-transit to complicit drivers who resell it.
Analyst note: Logistics and transportation firms are advised to implement multi-channel verification for all shipments and maintain detailed physical documentation to disrupt diversion schemes. Key indicators of compromise include: spoofed sender domains; malicious attachments in load verification emails (ScreenConnect or other RMM tool installers); unauthorized carrier account registrations; unexpected load booking modifications; and sudden GPS route deviations mid-transit.
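The e-mail side of the indicators above (spoofed or lookalike sender domains, RMM installers delivered on "load verification" mail) can be screened at the mail gateway. The following is an added example, not code from the ZeroFox brief or the FBI PSA: the allowlisted broker domains, the subject pattern, and the sample mail records are constructed, and treating any executable attachment on a load e-mail as suspicious (beyond the ScreenConnect installers the brief names) is an assumption made here.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist: domains the brokers and carriers you work with really send from.
KNOWN_DOMAINS = {"acmefreight.com", "bluelinelogistics.com"}

# Subject lines that mark the "load verification" step in which the brief says
# RMM installers are delivered (this pattern is an assumption).
LOAD_SUBJECT = re.compile(r"\b(load|rate)\s*(confirmation|verification|sheet)\b", re.I)

# ScreenConnect (ConnectWise Control) is the RMM tool the brief names; treating any
# other executable attachment on a load e-mail as suspicious is an added assumption.
SCREENCONNECT = re.compile(r"screenconnect|connectwise", re.I)
EXEC_EXT = re.compile(r"\.(exe|msi|scr|js|vbs|bat|cmd|ps1|zip|iso|img)$", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted broker domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain that `domain` imitates, or None if it is not a lookalike."""
    if domain in KNOWN_DOMAINS:
        return None
    label = domain.split(".")[0]
    for known in KNOWN_DOMAINS:
        # Same registrable label under a different TLD (acmefreight.net vs .com).
        if label == known.split(".")[0]:
            return known
        # One or two character edits (acrnefreight.com: "rn" standing in for "m").
        if levenshtein(domain, known) <= 2:
            return known
    return None


@dataclass
class Mail:
    sender: str
    subject: str
    dmarc_pass: bool            # result of your gateway's DMARC evaluation
    attachments: list = field(default_factory=list)


def assess(mail: Mail) -> list:
    """Return the indicators from the brief that this message exhibits."""
    findings = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_DOMAINS:
        # A real broker domain that fails DMARC is the classic spoofed sender.
        if not mail.dmarc_pass:
            findings.append(f"spoofed sender domain {domain} (DMARC fail)")
    else:
        target = lookalike_of(domain)
        if target:
            findings.append(f"lookalike sender domain {domain} imitates {target}")
    if LOAD_SUBJECT.search(mail.subject):
        for name in mail.attachments:
            if SCREENCONNECT.search(name):
                findings.append(f"ScreenConnect installer on load e-mail: {name}")
            elif EXEC_EXT.search(name):
                findings.append(f"executable attachment on load e-mail: {name}")
    return findings


# Constructed sample records standing in for mail-gateway log entries.
SAMPLE_MAILS = [
    Mail("dispatch@acmefreight.com", "Load confirmation #4471", True, ["rate_confirmation.pdf"]),
    Mail("dispatch@acrnefreight.com", "Load Verification - urgent", False,
         ["LoadVerification_ScreenConnect.exe"]),
    Mail("ops@acmefreight.net", "Rate sheet for load 9921", True, ["ratesheet.msi"]),
    Mail("dispatch@acmefreight.com", "Invoice 2201", False),
]


def triage(mails=SAMPLE_MAILS) -> list:
    """Return (sender, findings) for every flagged message; clean messages are omitted."""
    return [(m.sender, f) for m in mails if (f := assess(m))]


if __name__ == "__main__":
    for sender, findings in triage():
        print(sender)
        for finding in findings:
            print("  -", finding)
```

The domain check deliberately separates two cases the brief lumps together as "spoofed sender domains": a genuine broker domain that fails DMARC (header spoofing) and a registered lookalike that passes every authentication check because the attacker owns it. The second case is only catchable against an allowlist of the partners you actually do business with, which is why that list, not the regex, is the part worth maintaining.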
86,000 Private Messages and Images of Social Media Figures Leaked
Source: https://hackread.com/private-chats-photos-celebs-expose-stalkerware-leak/
What we know: A publicly exposed database leaked about 86,000 private images, screenshots, and messages linked to a European celebrity and several other social media figures. Reportedly, the data, suspected to have been collected via stalkerware, includes phone screenshots and chat logs from apps like WhatsApp, Facebook, TikTok, and Instagram.
Context: The data was exposed because the stalkerware operator reportedly failed to secure the storage, leaving it open to anyone who could locate the misconfigured server, which is where a researcher found it. The dataset included highly sensitive content such as private messages, photos, contact details, and ID documents.
Analyst Note: High-profile individuals are more likely to be targeted with tailored lures like fake brand deals, media files, or collaboration tools that trick them into installing malicious apps or granting access. Given the nature of the data, it is likely the actor used targeted phishing or social engineering to deploy stalkerware and gain visibility into victims’ devices.
Critical cPanel Zero-Day Enables Unauthorized Access to Hosting Servers
What we know: CVE-2026-41940, a critical authentication bypass vulnerability in the cPanel web hosting control panel used by many hosting companies, is being actively exploited. Approximately 1.5 million cPanel instances are exposed online, though how many of them are vulnerable to CVE-2026-41940 remains unknown.
Context: CVE-2026-41940 can enable attackers to fully hijack servers running cPanel, potentially affecting millions of websites worldwide; administrators are urged to patch all affected versions. Separately, ZeroFox has observed threat actor "NormalLeVrai" advertising a "second cPanel" information disclosure vulnerability that allegedly exposes website login credentials, including panel links, usernames, and passwords. The actor claims it affects 13,522 cPanel instances across 94 countries.
Analyst Note: Given cPanel's widespread use in hosting environments, exploitation of CVE-2026-41940 is likely to let attackers compromise large numbers of websites from a single vulnerable server, since an unpatched hosting provider exposes every tenant on that server and so turns one initial compromise into many.
DEEP AND DARK WEB INTELLIGENCE
DarkForums and breachforums[.]rs user Cyber_Isnaad_Front: Hacktivist group Cyber_Isnaad_Front has advertised data from Israel-based defense company IMCO Group on DarkForums and BreachForums. The group claimed to have compromised the company's network infrastructure and exfiltrated about 30 TB of data, one-third of which it says relates to military and defense electromechanical components. The actor priced the dataset at USD 500,000, stating it includes highly sensitive military technical data, partner communications, and employee information.
VULNERABILITY AND EXPLOIT INTELLIGENCE
SonicWall vulnerabilities: SonicWall patched three SonicOS vulnerabilities, including CVE-2026-0204, which allows attackers to bypass access controls and manipulate firewall settings. Two additional flaws (CVE-2026-0205 and CVE-2026-0206) could enable path traversal and denial-of-service attacks, prompting urgent patching of affected firewall devices.
Affected products: The affected products are listed in the advisory.
Tags: DIB, tlp:green