ZeroFox Daily Intelligence Brief - June 24, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Cyberattack Disrupts Banking Services in Iran
- U.S. Seizes Backend Infrastructure of Cambodian Company for Laundering Scam Money
- Dify Issues Fixes for Four Flaws Affecting AI Application Security
Cyberattack Disrupts Banking Services in Iran
What we know: Iran has confirmed cyberattacks targeting three banks—Bank Melli, Bank Saderat, and Bank Tejarat. Card-related operations have been suspended at the banks to prevent further unauthorized access.
Context: The attack reportedly affected regional ATM networks, point-of-sale (POS) terminals, and card-linked mobile banking applications. The incident follows a separate cyberattack on June 14, 2026, targeting a shared communication system that disrupted operations at the three banks. Iranian authorities formally stated that central databases and customer information were not compromised.
Analyst note: A state-sponsored threat actor has likely established persistent access within Iran's centralized banking infrastructure, leading to the incidents. Suspension of card-related operations is very likely to stifle daily cash flow and cause transaction bottlenecks at unaffected institutions due to sudden volume diversion.
U.S. Seizes Backend Infrastructure of Cambodian Company for Laundering Scam Money
What we know: The U.S. Justice Department has seized a cloud computing account used by subsidiaries of Huione Group, a Cambodia-based corporate conglomerate, for laundering proceeds from cryptocurrency investment and other cyber scams.
Context: Huione Group used this cloud computing account as part of a technological backbone that allowed billions in fraud proceeds, stolen through South-east Asian scam centres, to be transferred, moved, and concealed. Concurrently, the U.S. Treasury sanctioned nine individuals and 26 entities tied to the Prince Group, a transnational criminal organisation that utilised the Huione Group to launder and consolidate its digital scam proceeds.
Analyst note: The law enforcement action is likely to cost the threat actors some of their proceeds and result in a temporary suspension of their activities. However, the disruptions are likely to be short-lived, as the threat actors are likely to build new infrastructure to continue their criminal activities.
Dify Issues Fixes for Four Flaws Affecting AI Application Security
Source: https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories
What we know: Four vulnerabilities in the open-source AI platform Dify have been found to potentially enable threat actors to access sensitive AI application data, including chat histories, uploaded documents, and user files. The flaws have been patched in Dify v1.14.2.
Context: The four vulnerabilities are tracked as CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, and CVE-2026-41950. Dify is reportedly widely deployed, with more than 10 million Docker image downloads and thousands of internet-facing instances.
Analyst note: Given the role of AI platforms in managing internal organizational knowledge and business data, successful exploitation of the flaws is likely to enable long-term intelligence collection by providing sustained visibility into organizational processes and data flows.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Lordracks: Untested threat actor "Lordracks" has advertised, on the dark web forum DarkForums, an alleged database containing credit card information of U.S. residents tied to Hong Kong-based flight ticket supplier Onefly and U.S.-based fintech company BridgePay Network Solutions. The dataset allegedly includes personally identifiable information (PII), contact details, dates of birth, Social Security numbers (SSNs), and CVV. If legitimate, threat actors are very likely to conduct card-not-present fraud, identity theft, and targeted phishing attacks, as well as file fraudulent credit applications and attempt account takeover.
DATA BREACHES INTELLIGENCE
London Hydro discloses data breach: Canadian electricity distributor London Hydro has disclosed a data breach potentially impacting the personal and account data of its customers. The data impacted includes PII, contact details, billing numbers, service addresses, pricing plans, meter numbers and types, and contract dates. London Hydro serves about 170,000 residential, institutional, commercial, and industrial customers in the City of London in Ontario. Exposed individuals and entities are likely to be targeted in social engineering and phishing attacks, with threat actors impersonating London Hydro for financial gains.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-8461: This is an out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder. The flaw enables denial-of-service (DoS) conditions and, in some cases, can reportedly be exploited for remote code execution (RCE).
Affected products: FFmpeg versions before 8.1.2.
Tags: DIB, tlp:green