
ZeroFox Daily Intelligence Brief - May 6, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Iran SITREP: Iran Supporters Claim Attacks Against the Jewish Community, Oil Prices Dip, Cyber Activities, and More
  • North Korea-Linked Espionage Targets Gaming Platform Users
  • DAEMON Tools Compromised in Supply Chain Attack

Iran SITREP: Iran Supporters Claim Attacks Against the Jewish Community, Oil Prices Dip, Cyber Activities, and More

  • A group called Harakat Ashab al-Yamin al-Islamia (HAYI) has claimed to support Iran in its war against the United States and Israel and has reportedly conducted a campaign of attacks against Jewish targets in Europe. HAYI has claimed 17 attacks against Jewish communities, Israeli diplomatic missions, and Iranian dissident journalists across Europe.
  • President Donald Trump has paused the U.S. “Project Freedom” initiative aimed at guiding ships through the Strait of Hormuz shortly after its launch. The move follows escalating clashes with Iran.
  • Brent crude fell 1.7 percent to USD 108 per barrel and U.S. oil dropped 1.6 percent to USD 100.60.
  • On May 6, the United Arab Emirates was hit by a second consecutive day of missile and drone attacks attributed to Iran, though Iranian officials denied responsibility. Iran launched missile and drone strikes on the UAE on May 5, 2026, its first since the April 8 ceasefire—and also targeted a ship in the Strait of Hormuz.
  • Ideologically driven hacktivist groups have conducted coordinated cyber operations targeting U.S., Israeli, and allied infrastructure. Among them, hacktivist group “Handala Hack Team” has claimed to have breached the communications of an American diplomat. Separately, threat actor "Ababil of Minab" claimed to have breached South Florida’s Tri-Rail network.

North Korea-Linked Espionage Targets Gaming Platform Users

Source: https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html

What we know: North Korea-linked threat group ScarCruft conducted a supply chain attack by compromising a regional gaming platform and distributing trojanized apps embedded with the BirdCall backdoor.

Context: The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China’s Yanbian region, a sensitive area linked to North Korean defector transit routes. The Android variant of BirdCall enables surveillance, including collecting contacts, messages, device data, screenshots, and audio recordings, while exfiltrating files and maintaining persistence.

Analyst Note: Through this campaign, the North Korean government is monitoring the movements of its citizens by accessing their contacts, messages, and call logs, likely to help identify networks, intermediaries, facilitators, and other connections. Harvested data is likely to enable further access to other accounts or platforms used by the same individuals, allowing more thorough monitoring and mapping.

DAEMON Tools Compromised in Supply Chain Attack

Source: https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/

What we know: Threat actors have compromised installers for the popular DAEMON Tools virtual drive software, embedding a backdoor that has infected thousands of systems across more than 100 countries. The attack targets versions 12.5.0.2421 through 12.5.0.2434, with infections reported since April 8.

Context: The infection chain initially used an infostealer to identify high-value targets including government and scientific organizations. Threat actors then deployed a more advanced backdoor capable of executing commands or injecting malicious code directly into the target system's memory.

Analyst Note: Threat actors are likely to act as initial access brokers or move laterally to map the location of the most valuable data, including source code. They are also likely to install keyloggers capable of recording typed information and capturing periodic screenshots for real-time victim monitoring.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Asian_Baddie: Moderately credible threat actor “Asian_Baddie” has allegedly advertised cPanel/WHM access with root-level privileges to five undisclosed software development companies on the Russian-language dark web forum Exploit. The targets include vendors of password management tools, data recovery suites, multimedia converters, screen-recording tools, and system utility toolkits, each serving a large user base. If true, this access is likely to enable data theft or the deployment of fake malicious updates affecting those user bases.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-23863 and CVE-2026-23866: WhatsApp has disclosed two medium-severity vulnerabilities that can enable attachment spoofing via NUL byte manipulation and arbitrary URL scheme redirection through flawed AI rich response validation. Threat actors can exploit these flaws for phishing or unauthorized code execution.

Affected products: Affected products are included in this advisory.

Tags: DIB, TLP:GREEN