ZeroFox Daily Intelligence Brief - May 4, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- “313 Team” Claims Responsibility for Canonical Service Disruption
- 30,000 Facebook Accounts Compromised in Large-Scale Phishing Operation
- Telegram Mini Apps Abused to Power Crypto Scams and Android Malware Campaign
“313 Team” Claims Responsibility for Canonical Service Disruption
Source: https://techcrunch.com/2026/05/01/ubuntu-services-hit-by-outages-after-ddos-attack/
What we know: Canonical and its Ubuntu Linux distribution suffered a disruption of their public-facing infrastructure that took down websites and the security API, blocking updates. The hacktivist group “Islamic Cyber Resistance in Iraq 313 Team” reportedly claimed responsibility for the attack, warning Canonical to make contact or face continued disruption.
Context: The group reportedly conducted a large-scale DDoS attack using the DDoS-for-hire service “Beamed,” generating traffic floods of up to 3.5 Tbps. Beamed is a booter (stresser) platform that lets customers pay to launch such attacks without owning any attack infrastructure of their own. The issue is now resolved.
Analyst Note: Although the Islamic Cyber Resistance in Iraq 313 Team has historically operated as a hacktivist group, its use of DDoS attacks to pressure Canonical into making contact indicates a shift toward coercive activity, where disruption is leveraged to compel engagement. Whether this coercion is financially motivated remains largely unclear.
30,000 Facebook Accounts Compromised in Large-Scale Phishing Operation
Source: https://hackread.com/google-appsheet-facebook-accountdumpling-scam/
What we know: A large-scale phishing campaign, “AccountDumpling,” has exploited a popular no-code application development platform to send legitimate-looking emails and hijack over 30,000 Facebook accounts globally. The phishing emails impersonated Meta, using fake copyright claims and account disablement warnings, some threatening permanent suspension within 24 hours.
Context: Attackers deployed multiple techniques, including fake Facebook pages, social engineering lures, and job scams. The operation is reportedly linked to a company in Vietnam that offers Facebook account recovery services. The stolen data is funneled to Telegram bots run by users under the aliases “Big Bosss” and “@mansinblack.”
Analyst Note: The campaign’s multiple operational components and its links to a Vietnam-based entity likely indicate a structured, financially motivated, and scalable operation rather than opportunistic phishing.
Telegram Mini Apps Abused to Power Crypto Scams and Android Malware Campaign
What we know: A large-scale fraud operation has been using Telegram Mini Apps to run crypto scams, impersonate well-known brands, and distribute Android malware. The platform, called FEMITBOT, relies on Telegram bots and in-app WebViews to display phishing dashboards with fake balances and prompts for deposits.
Context: The operation runs on a shared backend infrastructure that supports multiple campaigns, enabling attackers to switch branding and domains, while impersonating companies like Apple and NVIDIA. It also distributes APK files disguised as legitimate apps and uses tracking scripts to monitor user activity.
Analyst Note: Embedding phishing interfaces within Telegram enables malicious content to blend with legitimate platform activity, which reduces user suspicion. The operation uses sideloaded APKs and reused infrastructure that supports scalable distribution, which very likely increases user exposure to credential compromise and financial theft.
DEEP AND DARK WEB INTELLIGENCE
Exploit user zestix: Threat actor “zestix” has claimed to have leaked about 81.7 GB of data tied to Michigan Central Station and “Ford Project 19563” on dark web forum Exploit. The dataset allegedly includes sensitive project materials such as CAD files, geotechnical reports, cost estimates, safety calculations, progress photos, and technology documentation.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-31431: CVE-2026-31431 (“Copy Fail”) is a local privilege escalation flaw that lets an unprivileged user gain root access through a logic bug in a Linux kernel cryptographic authentication template. The bug enables attackers to corrupt the kernel’s in-memory page cache and inject code into privileged binaries, achieving root execution; it affects Linux systems dating back to 2017.
Affected products: Affected products are included in this advisory.
Tags: DIB, tlp:green