2026-04-06 AI Startup News
$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation
Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People’s Republic of Korea (DPRK) that began in the fall of 2025. The Solana-based decentralized exchange described it as “an attack six months in the making,” attributing it with medium confidence to a North Korean state-sponsored hacking group dubbed UNC4736, which is also tracked under the cryptonyms AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The threat actor has a history of targeting the cryptocurrency sector for financial theft since at least 2018. It’s best known for the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of decentralized finance (DeFi) platform Radiant Capital in October 2024.
“The basis for this connection is both on-chain (fund flows used to stage and test this operation trace back to the Radiant attackers) and operational (personas deployed across this campaign have identifiable overlaps with known DPRK-linked activity),” Drift said in a Sunday analysis. In an assessment published in late January 2026, cybersecurity company CrowdStrike described Golden Chollima as an offshoot of Labyrinth Chollima that’s primarily geared towards cryptocurrency theft by targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe. “The adversary typically conducts smaller-value thefts at a more consistent operational tempo, suggesting responsibility for ensuring baseline revenue generation for the DPRK regime,” CrowdStrike said. “Despite improving trade relations with Russia, the DPRK requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites.” In at least one incident observed in late 2024, UNC4736 delivered malicious Python packages through a fraudulent recruitment scheme to a European fintech company.
Upon gaining access, the threat actor moved laterally to the victim’s cloud environment to access IAM configurations and associated cloud resources, and ultimately diverted cryptocurrency assets to adversary-controlled wallets.
How the Drift Attack Likely Unfolded
Drift, which is working with law enforcement and forensic partners to piece together the sequence of events that led to the hack, said it was the target of a “structured intelligence operation” that required months of planning. Starting in or about fall 2025, individuals posing as a quantitative trading company approached Drift contributors at a major cryptocurrency conference and international crypto conferences under the pretext of integrating the protocol. It has since emerged that this was a deliberate approach, where members of this trading group approached and built rapport with specific Drift contributors at various major industry conferences that took place in several countries over a period of six months.
“The individuals who appeared in person were not North Korean nationals,” Drift explained. “DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.” “They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations. These interactions are typical of how trading firms interact and onboard with Drift.” Then, sometime between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, a step that required filling out a form with strategy details.
As part of this process, the individuals are said to have engaged with multiple contributors, asking them “detailed and informed product questions,” while depositing more than $1 million of their own funds. This, Drift said, was a calculated move designed to build a functioning operational presence inside the Drift ecosystem, with integration conversations continuing with the contributors through February and March 2026. This included sharing links for projects, tools, and applications that the company claimed to be developing. The possibility that these interactions with the trading group may have acted as the initial infection pathway assumed significance in the wake of the April 1 hack.
But as Drift revealed, their Telegram chats and malicious software had been deleted right around the time the attack took place. It’s suspected that there may be two primary attack vectors -
- One contributor may have been compromised after cloning a code repository shared by the group as part of efforts to deploy a frontend for their vault.
- A second contributor was persuaded into downloading a wallet product via Apple’s TestFlight to beta test the app.
The repository-based intrusion vector is assessed to have involved a malicious Microsoft Visual Studio Code (VS Code) project that weaponizes the “tasks.json” file to automatically trigger the execution of malicious code upon opening the project in the IDE by using the “runOn: folderOpen” option.
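The following Python script is an added example (not Drift’s, Microsoft’s or the article’s own code) of the check a reviewer can run on a freshly cloned repository before opening it in the IDE: it finds every .vscode/tasks.json and reports tasks whose runOptions.runOn is set to folderOpen, the trigger described above. The tasks.json fixture, its task labels and commands, and the temporary checkout directory are all constructed for the example.

```python
"""Audit a cloned repository for VS Code tasks configured to run on folder open."""
import json
import os
import re
import tempfile


def strip_jsonc(text):
    """tasks.json is JSONC: drop /* */ and full-line // comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def auto_run_tasks(tasks_json):
    """Return the tasks VS Code would start automatically when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type", "shell"),
                "command": task.get("command", ""),
                "args": task.get("args", []),
            })
    return hits


def scan_repo(root):
    """Walk a checkout (nested projects included) and collect auto-run tasks with their file path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as f:
                for hit in auto_run_tasks(f.read()):
                    hit["file"] = path
                    findings.append(hit)
    return findings


# Constructed fixture in the shape the article describes (labels and commands are placeholders).
SUSPICIOUS_TASKS = """{
  // helper tasks for the vault frontend
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",
      "type": "shell",
      "command": "npm",
      "args": ["install"],
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "lint", "type": "shell", "command": "npm", "args": ["run", "lint"] }
  ]
}"""


def demo():
    """Write the fixture into a throwaway checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, ".vscode"))
        with open(os.path.join(tmp, ".vscode", "tasks.json"), "w", encoding="utf-8") as f:
            f.write(SUSPICIOUS_TASKS)
        return scan_repo(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: task {hit['label']!r} runs on folderOpen -> {hit['command']} {' '.join(hit['args'])}")
```

Run it against the clone directory before the editor ever sees the folder; a flagged task is not automatically malicious (legitimate projects do use folderOpen for watchers), but its command line deserves a look, and the check complements VS Code’s Workspace Trust prompt rather than replacing it.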
It’s worth noting that this technique has been adopted by North Korean threat actors associated with the Contagious Interview campaign since December 2025, prompting Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110 to prevent unintended execution of tasks when opening a workspace. “The investigation has shown so far that the profiles used in this third-party targeted operation had fully constructed identities including employment histories, public-facing credentials, and professional networks,” Drift said. “The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship.”
North Korea’s Fragmented Malware Ecosystem
The disclosure comes as DomainTools Investigations (DTI) disclosed that DPRK’s cyber apparatus has evolved into a “deliberately fragmented” malware ecosystem that’s mission-driven, operationally resilient, and resistant to attribution efforts. This shift is believed to be a response to law enforcement actions and intelligence disclosures about North Korean hacking campaigns.
“Malware development and operations are increasingly compartmentalized, both technically and organizationally, ensuring that exposure in one mission area does not cascade across the entire program,” DTI said. “Crucially, this model also maximizes ambiguity. By separating tooling, infrastructure, and operational patterns along mission lines, the DPRK complicates attribution and slows defender decision-making.” To that end, DomainTools noted that DPRK’s espionage-oriented malware track is chiefly associated with Kimsuky, while Lazarus Group spearheads efforts to generate illicit revenue for the regime, transforming into a “central pillar” for sanctions evasion. The third track revolves around deploying ransomware and wiper malware for purposes of strategic signaling and drawing attention to its capabilities.
This disruptive branch is associated with Andariel.
Social Engineering Behind Contagious Interview and IT Worker Fraud
Social engineering and deception continue to be the main catalyst for many of the intrusions that have been attributed to DPRK threat actors. This includes the recent supply chain compromise of the hugely popular npm package, Axios, as well as ongoing campaigns like Contagious Interview and IT worker fraud. Contagious Interview is the moniker assigned to a long-running threat in which the adversary approaches prospective targets and tricks them into executing malicious code from a fake repository as part of an assessment.
Some of these efforts have used weaponized Node.js projects hosted on GitHub to deploy a JavaScript backdoor called DEV#POPPER RAT and an information stealer known as OmniStealer. On the other hand, DPRK IT worker fraud refers to coordinated efforts by North Korean operatives to land remote freelance and full-time roles at Western companies using stolen identities, AI-generated personas, and falsified credentials. Once hired, they generate steady revenue and leverage the access to introduce malware and siphon proprietary and sensitive information. In some cases, the stolen data is used to extort money from businesses.
The state-sponsored program deploys thousands of technically skilled workers in countries like China and Russia, who connect to company-issued laptops hosted at laptop farms in the U.S. and elsewhere. The scheme also relies on a network of facilitators to receive work laptops, manage payroll, and handle logistics. These facilitators are recruited through shell companies.
The process starts with recruiters who identify and screen potential candidates. Once accepted, the IT workers enter an onboarding phase, where facilitators assign identities and profiles, and guide them through resume updates, interview preparation, and initial job applications. The threat actors also work with collaborators to complete hiring requirements for full-time opportunities where strict identity verification policies are enforced. As noted by Chainalysis, cryptocurrency plays a central role in funneling a majority of the wages generated by these IT worker schemes back to North Korea while evading international sanctions.
“The cycle is constant and unending. North Korean IT workers understand that, sooner or later, they will either quit or be dismissed from any given role,” Flare and IBM X-Force said in a report last month. “As a result, they are continually shifting between jobs, identities, and accounts – never remaining in one position or using a single persona for very long.” New evidence unearthed by Flare has since revealed the campaign’s efforts to actively recruit individuals from Iran, Syria, Lebanon, and Saudi Arabia, with at least two Iranians receiving formal offer letters from U.S. employers.
There have been more than 10 instances of Iranian nationals being recruited by the regime. Facilitators have also been found to use LinkedIn to hire separate people from Iran, Ireland, and India, who are then coached to land the jobs. These individuals, called callers or interviewers, get on the phone with American hiring managers, pass technical interviews, and impersonate the real or fake Western personas curated by them. When a caller fails an interview, the facilitator reviews the recording and provides feedback.
“North Koreans are deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions,” Flare said. “While the primary motivations appear to be financial, the deliberate targeting evidenced from their documents indicates that there may be other objectives at play as well.” “The DPRK is not simply deploying its own nationals under false identities. It is building a multinational recruitment pipeline, drawing skilled developers from Iran, Syria, Lebanon, and Saudi Arabia into an infrastructure designed to infiltrate U.S. defense contractors, cryptocurrency exchanges, financial institutions, and enterprises of every size. The recruits are real software engineers, paid in cryptocurrency, coached through interviews, and slotted into fabricated Western personas.”
36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants
Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. “Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” SafeDep said. All identified npm packages follow the same naming convention, starting with “strapi-plugin-” and then phrases like “cron,” “database,” or “server” to fool unsuspecting developers into downloading them. It’s worth noting that the official Strapi plugins are scoped under “@strapi/.” The packages, uploaded by four sock puppet accounts “umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1” over a period of 13 hours, are listed below -
- strapi-plugin-cron
- strapi-plugin-config
- strapi-plugin-server
- strapi-plugin-database
- strapi-plugin-core
- strapi-plugin-hooks
- strapi-plugin-monitor
- strapi-plugin-events
- strapi-plugin-logger
- strapi-plugin-health
- strapi-plugin-sync
- strapi-plugin-seed
- strapi-plugin-locale
- strapi-plugin-form
- strapi-plugin-notify
- strapi-plugin-api
- strapi-plugin-sitemap-gen
- strapi-plugin-nordica-tools
- strapi-plugin-nordica-sync
- strapi-plugin-nordica-cms
- strapi-plugin-nordica-api
- strapi-plugin-nordica-recon
- strapi-plugin-nordica-stage
- strapi-plugin-nordica-vhost
- strapi-plugin-nordica-deep
- strapi-plugin-nordica-lite
- strapi-plugin-nordica
- strapi-plugin-finseven
- strapi-plugin-hextest
- strapi-plugin-cms-tools
- strapi-plugin-content-sync
- strapi-plugin-debug-tools
- strapi-plugin-health-check
- strapi-plugin-guardarian-ext
- strapi-plugin-advanced-uuid
- strapi-plugin-blurhash
An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on “npm install” without requiring any user interaction.
It runs with the same privileges as those of the installing user, meaning it abuses root access within CI/CD environments and Docker containers. The evolution of the payloads distributed as part of the campaign is as follows -
- Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi’s public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
- Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application’s node_modules directory via Redis.
- Deploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
- Scan the system for environment variables and PostgreSQL database connection strings.
- An expanded credential harvester and reconnaissance payload to gather environment dumps, Strapi configurations, Redis database extraction by running the INFO, DBSIZE, and KEYS commands, network topology mapping, and Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
- Conduct PostgreSQL database exploitation by connecting to the target’s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
- Deploy a persistent implant designed to maintain remote access to a specific hostname (“prod-strapi”).
- Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.
“The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep said. The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform.
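As an added example (not SafeDep’s or Strapi’s code), the Python audit below applies the three manifest-level indicators named above to package.json data before anything is installed: an install-time lifecycle script (preinstall, install or postinstall) that npm runs without user interaction, an unscoped name imitating the official “@strapi/” namespace, and a manifest with no description, repository or homepage. Both manifests are constructed fixtures; the benign scoped package name and its fields are made up for the example.

```python
"""Audit npm package manifests before install for the indicators in the SafeDep report."""
import json

# Lifecycle hooks npm runs automatically for a dependency during "npm install"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# brand prefix used by lookalikes -> scope the vendor's official packages live under
OFFICIAL_SCOPES = {"strapi-plugin-": "@strapi/"}


def audit_manifest(manifest):
    """Return a list of findings for one package.json dict (empty means nothing flagged)."""
    findings = []
    name = manifest.get("name", "")
    scripts = manifest.get("scripts") or {}

    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: '{hook}' script runs automatically on install: {scripts[hook]!r}")

    for prefix, scope in OFFICIAL_SCOPES.items():
        if name.startswith(prefix) and not name.startswith(scope):
            findings.append(f"{name}: unscoped name imitates the official {scope} namespace")

    if not any(manifest.get(k) for k in ("description", "repository", "homepage")):
        findings.append(f"{name}: no description, repository or homepage")
    return findings


def audit_manifests(manifests):
    """Audit many manifests and keep only the flagged ones, keyed by package name."""
    report = {}
    for m in manifests:
        findings = audit_manifest(m)
        if findings:
            report[m.get("name", "?")] = findings
    return report


# Constructed fixtures: a lookalike with a postinstall hook, and a benign scoped plugin
# (the scoped name and its fields are invented for this example).
LOOKALIKE = json.loads("""{
  "name": "strapi-plugin-cron",
  "version": "3.6.8",
  "main": "index.js",
  "scripts": { "postinstall": "node postinstall.js" }
}""")
BENIGN = json.loads("""{
  "name": "@strapi/plugin-example",
  "version": "4.0.0",
  "description": "Example plugin manifest",
  "repository": "github:example/plugin-example",
  "homepage": "https://example.org/plugin",
  "scripts": { "test": "jest" }
}""")


if __name__ == "__main__":
    for pkg, findings in audit_manifests([LOOKALIKE, BENIGN]).items():
        print(pkg)
        for line in findings:
            print("  -", line)
```

A practical way to feed it is a staging install done with npm install --ignore-scripts (or ignore-scripts=true in .npmrc), after which every package.json under node_modules can be loaded and audited before lifecycle scripts are allowed to run; a hit on the lifecycle check alone is common in legitimate native packages, so the name and metadata checks are what separate the lookalikes.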
Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials. The discovery coincides with the disclosure of several other supply chain attacks targeting the open-source ecosystem -
- A GitHub account named “ezmtebo” has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. “It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background /proc scanner for 10 minutes after the main script exits,” SafeDep said.
- A hijack of “dev-protocol,” a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (“ts-bign” and “levex-refa” or “big-nunber” and “lint-builder”) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim’s machine. While “levex-refa” functions as a credential stealer, “lint-builder” installs the SSH backdoor. Both “ts-bign” and “big-nunber” are designed to deliver “levex-refa” and “lint-builder,” respectively, as a transitive dependency.
- A compromise of the popular Emacs package, “kubernetes-el/kubernetes-el,” that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, exfiltrate CI/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
- A compromise of the legitimate “xygeni/xygeni-action” GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni has since implemented new security controls to address the incident.
- A compromise of the legitimate npm package, “mgc,” by means of an account takeover to push four malicious versions (1.2.1 through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2 – from a GitHub Gist. The attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
- A malicious npm package named “express-session-js” that typosquats “express-session” and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to “216.126.237[.]71” using the Socket.IO library.
- A compromise of the legitimate PyPI package, “bittensor-wallet” (version 4.0.2), to deploy a backdoor that’s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that’s rotated daily.
- A malicious PyPI package named “pyronut” that typosquats “pyrogram,” a popular Python Telegram API framework, to embed a stealthy backdoor that’s triggered every time a Telegram client starts and seizes control of the Telegram session and the underlying host system. “The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the /e command and the meval library) and arbitrary shell commands (via the /shell command and subprocess) on the victim’s machine,” Endor Labs said.
- A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by “IoliteLabs” – “solidity-macos,” “solidity-windows,” and “solidity-linux” – that had been dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to their removal.
- Multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. “That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,” Aikido said. “It looks more like two competing release streams sharing the same publisher identity.”
In a report published in February 2026, Group-IB revealed that software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations. The supply chain threat can rapidly escalate a single localized intrusion into something that has a large-scale, cross-border impact, with attackers industrializing supply chain compromises and turning them into a “self-reinforcing” ecosystem, as it offers reach, speed, and stealth. “Package repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries – turning development pipelines into large-scale distribution channels for malicious code,” Group-IB said.
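The kubernetes-el compromise and the “ezmtebo” pull requests above both turn on the same GitHub Actions misconfiguration, the pull_request_target trigger combined with a checkout of the contributor’s code. Here is an added Python example (not code from kubernetes-el, Xygeni, SafeDep or GitHub) that lints workflow text for that combination without needing a YAML library, and shows a weak workflow beside a corrected one; both workflow texts are constructed fixtures.

```python
"""Lint GitHub Actions workflow text for the Pwn Request pattern."""
import re

# Trigger spelled as a mapping key, a list item, or inside "on: [ ... ]"
PR_TARGET = re.compile(r"^\s*-?\s*pull_request_target\b|\bon\s*:\s*\[[^\]]*\bpull_request_target\b", re.M)
CHECKOUT = re.compile(r"uses\s*:\s*actions/checkout@")
# Checkout pinned to the pull request's head commit or branch, i.e. the contributor's code
PR_HEAD_REF = re.compile(r"ref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
WRITE_PERMS = re.compile(r"^\s*(?:contents|pull-requests|packages|id-token)\s*:\s*write\b", re.M)


def lint_workflow(text):
    """Return findings for one workflow file; an empty list means the pattern was not seen."""
    findings = []
    target = bool(PR_TARGET.search(text))
    if target and CHECKOUT.search(text) and PR_HEAD_REF.search(text):
        findings.append("pull_request_target checks out the PR head: fork code runs with the base repo's GITHUB_TOKEN and secrets")
    if target and WRITE_PERMS.search(text):
        findings.append("pull_request_target job requests write permissions; use read-only or split into two workflows")
    return findings


def lint_workflows(workflows):
    """workflows: {path: yaml text} -> {path: findings} for the flagged files only."""
    report = {}
    for path, text in workflows.items():
        findings = lint_workflow(text)
        if findings:
            report[path] = findings
    return report


# Constructed fixture: the weak shape. The trigger grants the base repository's token and
# secrets, and the checkout then runs whatever the fork's package.json scripts contain.
VULNERABLE = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed fixture: the corrected shape. Untrusted code builds under the plain
# pull_request event, which gets a read-only token and no repository secrets from forks.
HARDENED = """name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for path, findings in lint_workflows({"ci.yml": VULNERABLE, "safe.yml": HARDENED}).items():
        print(path)
        for f in findings:
            print("  -", f)
```

The regular expressions are deliberately loose (they will also match the trigger name inside a YAML comment), which is the right bias for a pre-merge gate: a false positive costs a reviewer a minute, a miss costs the repository its secrets. Where a workflow genuinely needs pull_request_target (for example, to label PRs), keep it from checking out or executing the PR head at all.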
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation. “An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” Fortinet said in a Saturday advisory. The issue affects FortiClient EMS versions 7.4.5 through 7.4.6.
It’s expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it. Simo Kohonen from Defused Cyber and Nguyen Duc Anh have been credited with discovering and reporting the flaw. In a post on X, Defused Cyber said it observed zero-day exploitation of CVE-2026-35616 earlier this week. According to watchTowr, exploitation attempts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026.
Successful exploitation of the flaw could allow an unauthenticated attacker to sidestep API authentication and authorization protections, and execute malicious code or commands via crafted requests. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the company added. The development comes merely days after another recently-patched, critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) came under active exploitation. It’s currently not known if the same threat actor is behind the exploitation of both flaws, and if they are being weaponized together.
Given the severity of the vulnerabilities, users are advised to update their FortiClient EMS to the latest version as soon as possible. “The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” watchTowr CEO and founder Benjamin Harris told The Hacker News. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.” “What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks.” “So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start.”
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries,” Proofpoint researchers Mark Kelly and Georgi Mladenov said. “Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload.” TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026.
The effort is likely an attempt to gather regional intelligence pertaining to the conflict, the enterprise security company added. It’s worth mentioning here that TA416 also shares historical technical overlaps with another cluster known as Mustang Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon. While TA416’s attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks.
What’s common to both of them is the use of DLL side-loading to launch the malware. TA416’s renewed focus on European entities is driven by a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances. The PlugX malware campaigns were previously documented by StrikeReady and Arctic Wolf in October 2025. “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient’s IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target,” Proofpoint said.
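To make the web bug definition concrete, the following is an added Python example (not Proofpoint’s tooling) that flags tracking pixels in an HTML email body using only the standard library: remote images that are tiny, hidden by style, or carry a per-recipient token in their URL. The sample message and its hosts are constructed placeholders.

```python
"""Flag tracking pixels (web bugs) in an HTML e-mail body."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> element in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_web_bugs(html):
    """Return remote images that look like beacons, with the reasons each one was flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images cannot phone home when the mail is opened
        reasons = []
        if img.get("width", "").strip() in ("0", "1") and img.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if len(parsed.query) >= 16:
            reasons.append("tokenized")  # long query string: a per-recipient identifier is likely
        if reasons:
            hits.append({"src": src, "host": parsed.hostname, "reasons": reasons})
    return hits


# Constructed sample: a visible logo plus a 1x1 beacon carrying a recipient token.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<p>Please find the agenda attached.</p>
<img src="https://track.example/o.gif?r=7f3a9c1e5b2d4a6f" width="1" height="1" alt="">
</body></html>"""

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_EMAIL):
        print(f"{hit['host']}: {hit['src']}  <- {', '.join(hit['reasons'])}")
```

A tokenized-only hit is lower confidence (marketing CDNs also use long cache-busting query strings), so in a mail gateway the practical response is to block remote image loading by default and surface tiny or hidden remote images to the analyst rather than to the recipient.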
Attacks carried out by TA416 in December 2025 have been found to leverage third-party Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails used as part of this attack wave contain a link to Microsoft’s legitimate OAuth authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys PlugX. The use of this technique has not escaped Microsoft’s notice, which last month warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance.
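The difficulty with the OAuth redirect technique is that the link really does point at Microsoft’s authorization endpoint, so URL reputation passes it; what distinguishes it is the destination named in redirect_uri. The Python below is an added example (not Proofpoint’s or Microsoft’s code) of a mail-filter or triage step that parses such links and classifies them by where they bounce to. All URLs are constructed, the client_id is an all-zero placeholder, and attacker.example stands in for an attacker-controlled domain.

```python
"""Triage OAuth authorize links in mail by the redirect destination they carry."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

AUTHORIZE_HOSTS = {"login.microsoftonline.com"}
# Hosts a Microsoft-operated application would legitimately send the user back to
TRUSTED_REDIRECT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")


def is_authorize_link(url):
    """True for links to the Entra ID authorization endpoint (v1 or v2 path)."""
    u = urlparse(url)
    return (u.hostname or "").lower() in AUTHORIZE_HOSTS and "/oauth2/" in u.path and u.path.endswith("/authorize")


def redirect_host(url) -> Optional[str]:
    """Host named in redirect_uri; '' if the link carries none; None if this is not an authorize link."""
    if not is_authorize_link(url):
        return None
    redirect = parse_qs(urlparse(url).query).get("redirect_uri", [""])[0]
    return (urlparse(redirect).hostname or "").lower()


def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def classify(url):
    host = redirect_host(url)
    if host is None:
        return "not-an-authorize-link"
    if host == "":
        return "authorize-link-without-redirect_uri"  # the app registration decides; review the client_id
    if is_trusted_host(host):
        return "redirects-to-microsoft"
    return f"redirects-offsite:{host}"


def triage(urls):
    """Keep only the links an analyst should look at."""
    flagged = {}
    for url in urls:
        verdict = classify(url)
        if verdict.startswith(("redirects-offsite", "authorize-link-without")):
            flagged[url] = verdict
    return flagged


# Constructed samples. The first has the shape described above: a genuine endpoint whose
# redirect_uri points off-site; the second bounces back to a Microsoft property.
SUSPICIOUS = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb&scope=openid")
EXPECTED = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
            "&redirect_uri=https%3A%2F%2Fportal.office.com%2F&scope=openid")
PLAIN = "https://example.org/docs/agenda.pdf"

if __name__ == "__main__":
    for url, verdict in triage([SUSPICIOUS, EXPECTED, PLAIN]).items():
        print(verdict, "<-", url)
```

An off-site redirect is a reason to look, not proof of malice (many legitimate third-party apps redirect to their own domain); the useful follow-up is to check the client_id against the applications the tenant has actually consented to, and to treat unknown app registrations that redirect to freshly registered domains as the phishing signal.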
The downloaded archives, in this case, include a legitimate Microsoft MSBuild executable and a malicious C# project file. “When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it,” the researchers said. “In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user’s temp directory, and executing a legitimate executable to load PlugX via the group’s typical DLL side-loading chain.” The PlugX malware remains a consistent presence throughout TA416’s intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.
PlugX accepts five different commands -
- 0x00000002, to capture system information
- 0x00001005, to uninstall the malware
- 0x00001007, to adjust beaconing interval and timeout parameter
- 0x00003004, to download a new payload (EXE, DLL, or DAT) and execute it
- 0x00007002, to open a reverse command shell
“TA416’s shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities,” Proofpoint said. “In addition, TA416’s expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor.” The disclosure comes as Darktrace revealed that Chinese-nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with an intent to establish long-term persistence within critical infrastructure networks. Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong.
A majority of cases (63%) involved the exploitation of internet-facing infrastructure (e.g., CVE-2025-31324 and CVE-2025-0994) to obtain initial access. “In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after,” Darktrace said. “The operational pause underscores both the depth of the intrusion and the actor’s long-term strategic intent.”
Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. “Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality,” the tech giant said. The approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present. This behavior, Microsoft noted, extends to web requests, scheduled tasks, and trusted background workers.
The malicious activity takes advantage of the fact that cookie values are available at runtime through the $_COOKIE superglobal variable, allowing attacker-supplied inputs to be consumed without additional parsing. What’s more, the technique is unlikely to raise any red flags, as cookies blend into normal web traffic and reduce visibility. The cookie-controlled execution model comes in different implementations -
A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.
A PHP script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.
In at least one case, threat actors have been found to obtain initial access to a victim’s hosted Linux environment through valid credentials or the exploitation of a known security vulnerability, and then set up a cron job that periodically invokes a shell routine to execute an obfuscated PHP loader. This “self-healing” architecture allows the scheduled task to recreate the PHP loader even after it has been removed as part of cleanup and remediation efforts, thereby creating a reliable and persistent remote code execution channel. Once deployed, the PHP loader remains inactive during normal traffic and springs into action upon receiving HTTP requests with specific cookie values.
“By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions,” Microsoft added. “By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.” A common aspect that ties together all the aforementioned implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, while leaving a minimal interactive footprint. To counter the threat, Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces; monitoring for unusual login activity; restricting the execution of shell interpreters; auditing cron jobs and scheduled tasks across web servers; checking for suspicious file creation in web directories; and limiting hosting control panels’ shell capabilities. “The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft,” Microsoft said.
“By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.” “Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code.”
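The two traits Microsoft describes, cookie values that gate or feed decoders and execution sinks, and a cron job that keeps re-creating the loader, can be hunted for statically. The following is an added example, not Microsoft's tooling or code from the report; its PHP snippets, crontab lines and web-root list are constructed for the demonstration.

```python
"""Static triage for cookie-gated PHP web shells and self-healing cron jobs.

Added example, not Microsoft's tooling. It flags the two traits in the write-up:
$_COOKIE values that gate or feed decoders and execution sinks, and cron entries
that periodically re-create a .php file under a web root. Samples are constructed.
"""
import re
from dataclasses import dataclass

EXEC_SINKS = r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|create_function)\s*\("
DECODERS = r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)\s*\("
FILE_WRITE = r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\("
COOKIE = r"\$_COOKIE\b"
WINDOW = 3  # lines inspected from a $_COOKIE reference: gate on one line, sink on the next
WEB_ROOTS = ("/var/www", "/srv/www", "/public_html", "/htdocs")  # constructed, adjust per host


@dataclass
class Finding:
    source: str
    line: int
    reason: str


def scan_php(name: str, src: str) -> list[Finding]:
    """Report $_COOKIE uses that reach an execution sink, or a decoder plus file write."""
    findings, lines, skip_until = [], src.splitlines(), 0
    for i, line in enumerate(lines):
        if i < skip_until or not re.search(COOKIE, line):
            continue
        window = " ".join(lines[i:i + WINDOW])
        has_sink = re.search(EXEC_SINKS, window) is not None
        has_decoder = re.search(DECODERS, window) is not None
        has_write = re.search(FILE_WRITE, window) is not None
        reason = None
        if has_sink and has_decoder:
            reason = "cookie value decoded and passed to an execution sink"
        elif has_sink:
            reason = "cookie value gates or feeds an execution sink"
        elif has_write and has_decoder:
            reason = "cookie-derived payload decoded and written to disk"
        if reason:
            findings.append(Finding(name, i + 1, reason))
            skip_until = i + WINDOW  # one finding per gate/sink cluster
    return findings


def scan_crontab(name: str, tab: str) -> list[Finding]:
    """Report cron entries that rebuild PHP under a web root or run inline obfuscated PHP."""
    findings = []
    for i, raw in enumerate(tab.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, cmd = " ".join(fields[:5]), fields[5]
        frequent = fields[0].startswith("*")  # minute field is * or */n
        rebuilds_webroot_php = (".php" in cmd and any(root in cmd for root in WEB_ROOTS)
                                and re.search(r"\becho\b|\bprintf\b|base64\s+-d|>\s*/", cmd) is not None)
        inline_obfuscated = re.search(r"\bphp\b.*\b(base64_decode|eval|gzinflate)\b", cmd) is not None
        if rebuilds_webroot_php:
            findings.append(Finding(name, i + 1, f"cron ({schedule}) re-creates a PHP file under a web root"))
        elif frequent and inline_obfuscated:
            findings.append(Finding(name, i + 1, f"cron ({schedule}) runs inline obfuscated PHP"))
    return findings


# Constructed samples: a benign cookie read, a loader shaped like the article's
# description (a marker cookie gates decoding of a second cookie), and a crontab.
BENIGN_PHP = """<?php
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
echo htmlspecialchars($theme);
"""
GATED_LOADER_PHP = """<?php
if (isset($_COOKIE['_s']) && md5($_COOKIE['_s']) === 'd41d8cd98f00b204e9800998ecf8427e') {
    @eval(base64_decode($_COOKIE['_p']));
}
"""
CRONTAB = """# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * echo 'BASE64_PAYLOAD_PLACEHOLDER' | base64 -d > /var/www/html/.cache.php
"""

if __name__ == "__main__":
    hits = scan_php("benign.php", BENIGN_PHP) + scan_php("loader.php", GATED_LOADER_PHP)
    for f in hits + scan_crontab("crontab", CRONTAB):
        print(f"{f.source}:{f.line}: {f.reason}")
```

Run it over every `*.php` under a web root and over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab; a cron hit on a `.php` path is the persistence half, a PHP hit the execution half.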
UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069. Maintainer Jason Saayman said the attackers tailored their social engineering efforts “specifically to me” by first approaching him under the guise of the founder of a legitimate, well-known company. “They had cloned the company’s founders’ likeness as well as the company itself,” Saayman said in a post-mortem of the incident. “They then invited me to a real Slack workspace.
This workspace was branded to the company’s CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts.” Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that stated “something on my system was out of date.” As soon as the update was triggered, the attack led to the deployment of a remote access trojan. The access afforded by the trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.
“Everything was extremely well coordinated, looked legit, and was done in a professional manner,” Saayman added. The attack chain described by the project maintainer shares considerable overlaps with tradecraft associated with UNC1069 and BlueNoroff. Details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall. In these attacks, users are shown an error message seconds after joining the call, stating that their system is not functioning properly and instructing them to download a malicious Zoom or Teams SDK through a ClickFix-like pop-up message.
Depending on the operating system of the victim, this action leads to the execution of an AppleScript (for macOS) or a PowerShell (for Windows) script. One of the malicious payloads deployed as part of the attack chain is a Nim-based macOS backdoor (or a Go variant written for Windows) called CosmicDoor that delivers a comprehensive stealer suite dubbed SilentSiphon to capture credentials from web browsers and password managers, and secrets associated with GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust Cargo, and .NET NuGet. As detailed by Google-owned Mandiant in February 2026, some of these attacks have also paved the way for the deployment of a C++ malware called WAVESHAPER, which then serves as a conduit for additional downloaders, backdoors, and information stealers like HYPERCALL, SUGARLOADER, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH. “Historically, […] these specific guys have gone after crypto founders, VCs, public people,” security researcher Taylor Monahan said.
“They social engineer them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion.” As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices. The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages. With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive dependencies.
“A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment,” Socket’s Ahmad Nassri said. “It is a property of how dependency resolution in the ecosystem works today.”
Axios Attack Part of Broader, Coordinated Campaign
In a follow-up analysis published on Friday, Socket said several maintainers across the Node.js ecosystem have come forward to report that they were targeted in a similar manner, indicating that high-impact, open-source project maintainers were unsuccessfully targeted as part of what has been described as a coordinated social engineering campaign. “The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a ‘fix,’” Socket CEO Feross Aboukhadijeh said. “That fix is a RAT.
Once it’s on your machine, they have your .npmrc tokens, browser sessions, AWS creds, and Keychain. 2FA doesn’t matter. OIDC publishing doesn’t matter. Game over.” Targets included Socket’s own engineers, Jordan Harband, who maintains ECMAScript polyfills and shims, and John-David Dalton, the creator of Lodash, a popular JavaScript utility library that offers methods to handle arrays, objects, and other types of data.
Also targeted were Matteo Collina, the lead maintainer of Fastify, Pino, and Undici, Scott Motte, the creator of dotenv, and Pelle Wessman, who is a maintainer of mocha, neostandard, npm-run-all2, and type-fest. While initial contact with Collina was via a Slack message, Wessman was invited to participate in a podcast recording, as part of which he was instructed to join a video call that turned out to be a fake version of the Streamyard live recording platform. Once the call began, the bogus site displayed a “technically plausible error message” and prompted Wessman to download a native app to resolve it. When Wessman refused to run it, the North Korean threat actors switched tactics and asked him to run a curl command in the Terminal app.
Having failed in this effort too, they erased all conversations and went dark. In another case documented by Jean Burellier, a Node.js core collaborator and contributor to Express, the social engineering effort began with a LinkedIn message from the threat actors, posing as the representative of a company named Openfort. After the initial trust-building exercise, Burellier was invited to join two Slack workspaces. As soon as he joined, he was placed in a private channel with no other visible members and invited to join a fake Microsoft Teams call.
From here, the attack chain mirrors the one Huntress, Kaspersky, and Google documented, with the fake Teams page displaying a message to update the Teams SDK. When Burellier declined to install the update and suggested rescheduling the call, he was removed from the Slack workspaces, and the conversations were deleted. “The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that Axios was not a one-off target,” the software supply chain security company said. “It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.” (The story was updated after publication on April 4, 2026, to reflect the latest developments.)
Why Third-Party Risk Is the Biggest Gap in Your Clients’ Security Posture
The next major breach hitting your clients probably won’t come from inside their walls. It’ll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That’s the new attack surface, and most organizations are underprepared for it. Cynomi’s new guide, Securing the Modern Perimeter: The Rise of Third-Party Risk Management , makes the case that TPRM is no longer a compliance formality.
It’s a frontline security challenge and a defining growth opportunity for MSPs and MSSPs who get ahead of it.
The Modern Perimeter Has Expanded
For decades, cybersecurity strategy revolved around a defined perimeter. Firewalls, endpoint controls, and identity management systems were deployed to protect assets within a known boundary. That boundary has dissolved.
Today, client data lives in third-party SaaS applications, flows through vendor APIs, and is processed by subcontractors that internal IT teams may not even know about. Security no longer stops at owned infrastructure. It extends across an interconnected ecosystem of external providers, and the accountability that comes with it extends there, too. The 2025 Verizon Data Breach Investigations Report found that third parties are involved in 30% of breaches.
IBM’s 2025 Cost of a Data Breach Report puts the average remediation cost of a third-party breach at $4.91 million. Third-party exposure has become a core feature of modern business operations, not an edge case. For proactive service providers, this shift creates a substantial opportunity. Organizations facing mounting third-party threats are looking for strategic partners who can own, streamline, and continuously manage the entire third-party risk lifecycle.
Service providers who step into that role can introduce new service offerings, deliver higher-value consulting, and establish themselves as central to their clients’ security and compliance programs.
From Checkbox to Core Risk Function
The traditional approach to vendor risk relied on annual questionnaires, spreadsheets, and the occasional follow-up email. It was never adequate, and it’s especially costly now. Regulatory frameworks like CMMC, NIS2, and DORA have raised the bar significantly.
Compliance now requires demonstrable, ongoing oversight of third-party controls, not a point-in-time snapshot from twelve months ago. Boards are asking harder questions about vendor exposure. Cyber insurers are scrutinizing supply chain hygiene before writing policies. And clients who’ve watched competitors absorb the fallout from a vendor’s breach understand that “it wasn’t our system” doesn’t limit their liability.
The market is responding accordingly. Global TPRM spending is projected to grow from $8.3 billion in 2024 to $18.7 billion by 2030. Organizations are treating vendor oversight as a governance function, on par with incident response or identity management, because the cost of ignoring it has become too high. For service providers, that budget allocation is a clear signal.
Clients are actively looking for partners who can own and manage vendor oversight as a defined, ongoing service.
Scaling TPRM Is Where Most Providers Get Stuck
Most MSPs and MSSPs recognize the opportunity. The hesitation comes down to delivery, and specifically to whether TPRM can be executed profitably at scale. Traditional vendor review relies on fragmented workflows and manual analysis.
Custom assessments must be sent, tracked, and interpreted, and risk must be tiered against each client’s specific obligations. This work often falls to senior consultants, making it expensive and hard to delegate. Multiplying this effort across a client portfolio with different vendor ecosystems, compliance needs, and risk tolerances can be unsustainable. This is why many providers offer TPRM as a one-off project instead of a recurring managed service.
But that’s also where the opportunity lies. Cynomi’s Securing the Modern Perimeter guide outlines how structured, technology-enabled TPRM can shift from a bespoke consulting engagement into a repeatable, high-margin service line that strengthens client retention, drives upsell, and positions service providers as integral partners in their clients’ security programs.
Turning TPRM Into a Revenue Engine
Third-party risk is a conversation starter that never runs out of material. Every new vendor a client onboards creates a potential risk discussion.
Regulatory updates are natural reasons to revisit vendor programs, and every breach in the news that traces back to a third party reinforces the stakes. TPRM, done well, keeps service providers embedded in client strategy rather than relegated to reactive support, and that positioning changes the nature of the relationship entirely. Providers who build out structured TPRM capabilities find that it opens doors to:
Broader security advisory work
Higher retainer values
Stronger client relationships built on genuine business impact
Differentiation in a crowded managed services market
Credible third-party risk governance, signaling maturity to prospective clients
The Bottom Line
Third-party risk isn’t going away. The vendor ecosystems your clients depend on will keep growing more complex, with more SaaS platforms, AI-powered tools, subcontractors, and regulatory scrutiny layered on top. Organizations that manage this exposure well will have a meaningful advantage in resilience and compliance.
Building a structured, scalable TPRM practice that delivers consistent oversight across your portfolio creates far more leverage than adding headcount or assembling bespoke programs from scratch for every client. The infrastructure you build once pays dividends across every account. Cynomi’s Securing the Modern Perimeter: The Rise of Third-Party Risk Management is a practical starting point. It covers the full scope of modern third-party risk, what a governance-grade TPRM program looks like, and how service providers can build and scale this capability without sacrificing margins.
Discover how Cynomi helps MSPs and MSSPs operationalize TPRM at scale, or request a demo to explore how it fits your service model. This article is a contributed piece from one of our valued partners.
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while silently scanning victims’ photo galleries for cryptocurrency wallet recovery phrases. Russian cybersecurity company Kaspersky said it found two infected apps on the App Store and one on the Google Play Store that primarily target cryptocurrency users in Asia. “The iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English,” the company said.
“This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region.” The improved version of SparkCat for Android incorporates several obfuscation layers compared to previous iterations. This includes the use of code virtualization and cross-platform programming languages to sidestep analysis efforts. What’s more, the Android version scans for Japanese, Korean, and Chinese keywords, indicating an Asian focus. SparkCat was first documented by Kaspersky in February 2025, highlighting its ability to leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to an attacker-controlled server.
The latest improvements to the malware show that it’s an actively evolving threat, not to mention the technical capabilities of the threat actors behind the operation. Kaspersky had previously assessed the malicious activity to be the work of a Chinese-speaking operator. “The updated variant of SparkCat requests access to view photos in a user’s smartphone gallery in certain scenarios — just like the very first version of the Trojan,” Kaspersky researcher Sergey Puzan told The Hacker News. “It analyzes the text in stored images using an optical character recognition module.” “If the stealer finds relevant keywords, it sends the image to the attackers.
Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign again underscores the importance of using security solutions for smartphones to stay protected against a broad range of cyberthreats.”
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. “Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the company said in a series of posts on X. “This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.” Drift noted that the attack did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. Rather, the breach is said to have “involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering,” it explained.
To that end, the threat actors obtained sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately leveraging it to “introduce a malicious asset and remove all pre-set withdrawal limits, attacking existing funds.” According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. The company said it’s coordinating with multiple security firms to determine the cause of the incident, adding it’s working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets. A PIF Research Labs analysis reveals that the assets were drained within 10 seconds. “From first withdrawal (41.72M JLP at 16:06:09) to last primary withdrawal (2,200 wETH at 16:06:19),” it said.
“The major vaults were emptied in the time it takes to send a text.” In separate reports published Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the cryptocurrency heist. These included the use of Tornado Cash for initial staging, as well as cross-chain bridging patterns and the speed and scale of post-hack laundering that are consistent with hacks previously attributed to North Korean threat actors, including the massive Bybit exploit of 2025. “The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense,” TRM Labs said. “The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars.” The blockchain intelligence firm also pointed out that the CarbonVote Token was deployed at 09:30 Pyongyang time.
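The durable-nonce mechanism described above can be checked for at signing time. The following is an added example, not Drift's or any wallet vendor's code: it decodes a Solana legacy transaction message and flags the durable-nonce pattern (a first instruction of SystemProgram AdvanceNonceAccount), which is what lets a collected signature be executed later; the account keys, program and instruction data in the sample messages are constructed placeholders.

```python
"""Pre-signing triage of a Solana legacy transaction message.

Added example, not Drift's or any wallet's code. A normal transaction carries a recent
blockhash and expires within minutes. A durable-nonce transaction instead starts with
SystemProgram::AdvanceNonceAccount and carries a stored nonce value in the blockhash slot,
so a collected signature stays valid until that nonce is advanced and can be executed
long after approval. Sample keys below are constructed placeholders.
"""
import struct
from dataclasses import dataclass

SYSTEM_PROGRAM = bytes(32)                    # 11111111111111111111111111111111
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)  # SystemInstruction enum index 4

def encode_compact_u16(n: int) -> bytes:
    """Solana 'shortvec' length prefix: 7 bits per byte, high bit means continue."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    value = shift = 0
    while shift <= 14:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("compact-u16 exceeds three bytes")

@dataclass
class Instruction:
    program_id: bytes
    accounts: list[int]  # indices into Message.account_keys
    data: bytes

@dataclass
class Message:
    num_signers: int
    account_keys: list[bytes]
    recent_blockhash: bytes  # real blockhash, or the nonce value for durable-nonce txs
    instructions: list[Instruction]

def build_message(num_signers: int, keys: list[bytes], blockhash: bytes,
                  ixs: list[tuple[int, list[int], bytes]]) -> bytes:
    """Serialize a legacy Message: header, keys, blockhash, compiled instructions."""
    out = bytearray([num_signers, 0, 0]) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(ixs))
    for prog_idx, acc_idx, data in ixs:
        out += bytes([prog_idx]) + encode_compact_u16(len(acc_idx)) + bytes(acc_idx)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)

def parse_message(buf: bytes) -> Message:
    num_signers, pos = buf[0], 3  # bytes 1-2 are the read-only account counts
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [buf[pos + 32 * k:pos + 32 * (k + 1)] for k in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n_ixs, pos = decode_compact_u16(buf, pos)
    ixs = []
    for _ in range(n_ixs):
        prog_idx, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        acc_idx, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        ixs.append(Instruction(keys[prog_idx], acc_idx, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return Message(num_signers, keys, blockhash, ixs)

def uses_durable_nonce(msg: Message) -> bool:
    """Runtime rule: first instruction is AdvanceNonceAccount on the System Program."""
    first = msg.instructions[0] if msg.instructions else None
    return (first is not None and first.program_id == SYSTEM_PROGRAM
            and first.data == ADVANCE_NONCE_ACCOUNT and len(first.accounts) >= 1)

def triage(buf: bytes, expected_programs: set[bytes]) -> list[str]:
    """Findings a multisig signer should resolve before approving a message."""
    msg, findings = parse_message(buf), []
    if uses_durable_nonce(msg):
        findings.append("durable nonce: approval can be held and executed later, not within a blockhash window")
    for i, ix in enumerate(msg.instructions):
        if ix.program_id not in expected_programs and ix.program_id != SYSTEM_PROGRAM:
            findings.append(f"instruction {i}: unexpected program {ix.program_id.hex()[:16]}")
    return findings

# Constructed sample: signer(0) is the nonce authority; nonce account(1); RecentBlockhashes
# sysvar(2); the protocol's program(3); System Program(4). ADMIN_IX data is a placeholder.
SIGNER, NONCE_ACCOUNT, SYSVAR, PROTOCOL = (bytes([b]) * 32 for b in (1, 2, 3, 4))
KEYS = [SIGNER, NONCE_ACCOUNT, SYSVAR, PROTOCOL, SYSTEM_PROGRAM]
ADMIN_IX = (3, [0], b"\x07")
DURABLE_MSG = build_message(1, KEYS, bytes([0xAA]) * 32,
                            [(4, [1, 2, 0], ADVANCE_NONCE_ACCOUNT), ADMIN_IX])
PLAIN_MSG = build_message(1, KEYS, bytes([0xBB]) * 32, [ADMIN_IX])
```

A signing policy that refuses durable-nonce messages unless the operation was explicitly scheduled, and that lists every program a message invokes, removes the "sign now, execute whenever" window the attack relied on.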
Elliptic, in its own analysis of the security incident, said the on-chain behavior, laundering methodologies, and network-level indicators align with known tradecraft associated with threat actors from the Democratic People’s Republic of Korea (DPRK). The company also noted that, if confirmed, this incident “would represent the eighteenth DPRK act” it has tracked since the start of the year, with more than $300 million stolen to date. “It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs,” Elliptic said. “DPRK-linked actors are believed to have stolen over $6.5 billion dollars in cryptoassets in recent years.” The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, out of which approximately $1.46 billion originated from the hack of Bybit in February 2025.
Social engineering remains the primary initial access pathway through which these attacks are executed, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors through campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. As of late February 2026, the combined gains from the twin campaigns total $37.5 million this year. “The DPRK’s cryptoasset theft operation is not a series of isolated incidents. It is a sustained, well-resourced campaign that is growing in scale and sophistication,” Elliptic said.
“The evolution of the DPRK’s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target.” The development coincides with the supply chain compromise of the popular Axios npm package, which multiple security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group called UNC1069, which overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima. “This state-sponsored group focuses on generating revenue for the North Korean regime,” Sophos said. “The artifacts include identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware exclusively used by Nickel Gladstone.
Based on these artifacts, it is highly likely that Nickel Gladstone is responsible for the Axios attacks.”
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity. “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2),” security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News ahead of publication.
“The C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.” The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and the Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework. This is accomplished by means of a dropper that deploys a multi-phase harvesting script that collects various details from the compromised system -
Environment variables
JSON-parsed environment from the JS runtime
SSH private keys and authorized_keys
Shell command history
Kubernetes service account tokens
Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)
API keys
IAM role-associated temporary credentials, obtained by querying the Instance Metadata Service on AWS, Google Cloud, and Microsoft Azure
Running processes
The cybersecurity company said the breadth of the victim set and the indiscriminate targeting pattern align with automated scanning, likely leveraging services like Shodan, Censys, or custom scanners, to identify publicly reachable Next.js deployments and probe them for the vulnerability. Central to the framework is a password-protected web application that makes all the stolen data available to the operator via a graphical user interface with search capabilities to sift through the information. “The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts,” Talos said.
“The web application allows a user to browse through all of the compromised hosts. It also lists the uptime of the application itself.” The current version of NEXUS Listener is V3, indicating that the tool has undergone substantial development iterations before reaching the current stage. Talos, which was able to obtain data from an unauthenticated NEXUS Listener instance, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), communication services (SendGrid and Brevo), along with Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets. The extensive data gathering operation highlights how bad actors could weaponize access to compromised hosts to stage follow-on attacks.
Organizations are advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, implement IMDSv2 enforcement on all AWS EC2 instances, and rotate credentials if compromise is suspected. “Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations’ infrastructure: what services they run, how they’re configured, what cloud providers they use, and what third-party integrations are in place,” the researchers said. “This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors.”
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0. “This vulnerability is due to incorrect handling of password change requests,” Cisco said in an advisory released Wednesday. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.” “A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.” Security researcher “jyh” has been credited with discovering and reporting the vulnerability.
The shortcoming affects the following products regardless of the device configuration -
5000 Series Enterprise Network Compute Systems (ENCS) - Fixed in 4.15.5
Catalyst 8300 Series Edge uCPE - Fixed in 4.18.3
UCS C-Series M5 and M6 Rack Servers in standalone mode - Fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
UCS E-Series Servers M3 - Fixed in 3.2.17
UCS E-Series Servers M6 - Fixed in 4.15.3
Another critical vulnerability patched by Cisco impacts Smart Software Manager On-Prem (SSM On-Prem) and could enable an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability, CVE-2026-20160 (CVSS score: 9.8), stems from the unintentional exposure of an internal service. “An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service,” Cisco said. “A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.” Patches for the flaw have been released in Cisco SSM On-Prem version 9-202601.
Cisco said the vulnerability was discovered internally during the resolution of a Cisco Technical Assistance Center (TAC) support case. While neither of the vulnerabilities has been exploited in the wild, a number of recently disclosed security flaws in Cisco products have been weaponized by threat actors. In the absence of a workaround, customers are recommended to update to the fixed version for optimal protection.
ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week. Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace.
We are also seeing sketchier traffic on the underground and the usual supply chain mess, where one bad piece of code threatens thousands of apps. It is definitely worth a quick scan before you log off for the day, if only to make sure none of this is sitting in your own network. Let’s get into it.
Pre-auth RCE chain exposed
Security Flaws in Progress ShareFile
watchTower Labs has disclosed two security flaws in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that could be chained to achieve pre-authenticated remote code execution. While CVE-2026-2699 is an authentication bypass via the “/ConfigService/Admin.aspx” endpoint, CVE-2026-2701 refers to a case of post-authenticated remote code execution. An attacker could combine the two vulnerabilities to sidestep authentication and upload web shells. Progress released fixes for the vulnerabilities with Storage Zone Controller 5.12.4 released on March 10, 2026. There are about 30,000 internet-facing instances, making patching against the flaws crucial.
Rootkit spreads via 50+ apps
Operation Novoice Rootkit Campaign Targets Older Android Devices
A new Android malware named NoVoice has been distributed via more than 50 apps that were downloaded at least 2.3 million times. While apps masqueraded as utilities, image galleries, and games, and offered the advertised functionality, the malware attempted to obtain root access on the device by exploiting 22 Android vulnerabilities that received patches between 2016 and 2021. “If the exploits succeed, the malware gains full control of the device,” McAfee Labs said. “From that moment onward, every app that the user opens is injected with attacker-controlled code. This allows the operators to access any app data and exfiltrate it to their servers.” The malware avoids infecting devices in certain regions, like Beijing and Shenzhen in China, and implements more than a dozen checks for emulators, debuggers, and VPNs. It then contacts a remote server to send device information and fetch appropriate exploits to gain root access and disable SELinux. Upon gaining elevated access, the rootkit modifies system libraries to facilitate the execution of malicious code when specific apps are opened, installs arbitrary apps, and enables persistence. NoVoice has been found to share some level of overlap with Triada. One of the targeted apps is WhatsApp, which enabled the malware to harvest data from the app as soon as it was launched. Google has since removed the apps. The highest concentration of infections has been reported in Nigeria, Ethiopia, Algeria, India, and Kenya.
FBI flags foreign app risks
FBI Warns of Risky Foreign-Developed Mobile Apps
The U.S. Federal Bureau of Investigation (FBI) is warning of the data security risks associated with foreign-developed mobile applications. “As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China,” the FBI said. “The apps that maintain digital infrastructure in China are subject to China’s extensive national security laws, enabling the Chinese government to potentially access mobile app users’ data.” The bureau also warned that these apps may harvest contact information under the pretext of inviting friends to use them, store personal data in Chinese servers, or contain malware that could collect data beyond what is authorized by the user. “This could include malicious code and hard-to-remove malware designed to exploit known vulnerabilities in various operating systems and insert a backdoor for escalated privileges, such as enabling the download and execution of additional malicious packages designed to provide unauthorized access to users’ data,” it added. The FBI did not name the apps, but TikTok, Shein, Temu, and DeepSeek fit the profile.
New bureau targets cyber threats
U.S. Activates Bureau of Emerging Threats
The U.S. State Department has officially launched the Bureau of Emerging Threats, a new unit tasked with protecting U.S. national security against cyber attacks against critical infrastructure, threats in the space domain, and misuse of artificial intelligence (AI) and other advanced technology risks from Iran, China, Russia, and North Korea.
Cybercrime kingpin extradited
HuiOne Group Former Chairman Extradited to China
Li Xiong, the former chairman of a Cambodian financial conglomerate, HuiOne, has been extradited to China. He has been accused of operating gambling dens, fraud, unlawful business operations, and money laundering. According to Xinhua, Li is said to be a key member of the transnational cybercrime syndicate masterminded by Chen Zhi, the chairman of Prince Group, who was extradited to China in January 2026 and has been indicted by the U.S. for operating large-scale, forced-labor “pig butchering” scam compounds in Southeast Asia. In May 2025, the U.S. Treasury’s Financial Crimes Enforcement Network labeled Huione Group “a financial institution of primary money laundering concern.”
Gmail username change arrives
Google Officially Rolls Out the Ability to Change Email Address
Google said it’s rolling out the ability to change a username to Google Account users in the U.S. “Your previous Google Account email ending in gmail.com will become an alternate email address,” Google said in a support document. “You’ll receive emails to both your old and new addresses. The data saved in your account won’t be affected. This includes things like photos, messages, and emails sent to your previous email address.” While users can change back to their previous email address at any time, it’s not possible to create a new Google Account email ending in gmail.com for the next 12 months. The new email address cannot be deleted either.
Court halts AI risk label
U.S. Court Blocks Supply Chain Risk Designation
A U.S. federal judge has temporarily blocked the Trump administration’s designation of Anthropic as a supply chain risk. The AI company had argued that the designation was causing immediate and irreparable harm. “Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government,” District Judge Rita Lin wrote in the ruling.
Phishing apps target mobile users
Threat Actors Target Android and iOS Users in Phishing Campaign
Cybercriminals have set their sights on Android users through a new phishing scheme that disguises malicious applications as beta-testing opportunities for ChatGPT and Meta advertising tools. In these attacks, what appears to be an invitation to advertising apps turns out to be a carefully planned attempt to steal Facebook credentials and hijack control of user accounts. “These messages push malicious apps delivered through ‘firebase-noreply@google.com’ via Firebase App Distribution, a legitimate Google service for distributing pre-release apps to testers,” LevelBlue said. “Once installed, these apps request Facebook credentials, leading to phishing and account takeover.” A similar campaign has leveraged phishing emails impersonating ChatGPT and Gemini to push users into downloading malicious iOS apps from the Apple App Store. “Disguised as business or ad management tools, these apps prompt for Facebook credentials, leading to credential harvesting,” the company added.
Drive adds ransomware defense
Google Makes Drive Ransomware Detection and File Restoration Generally Available
Google has made ransomware detection and file restoration in Drive generally available after launching the feature in beta in September 2025 to help organizations minimize the impact of malware attacks on personal computers. Ransomware detection pauses file syncing, and file restoration allows users to bulk restore their files to a previous version in Drive. “Compared to when the feature was in beta, we are now able to detect even more types of ransomware encryption and are able to do it faster,” Google said. “Our latest AI model is detecting 14x more infections, leading to even more comprehensive protection.”
GhostSocks activity intensifies
Surge in GhostSocks Activity
Cybersecurity company Darktrace said it has observed a steady increase in GhostSocks activity across its customer base since late 2025. “In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma’s infrastructure,” it said. Originally marketed on the Russian underground forum xss[.]is as a malware-as-a-service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim’s internet bandwidth to route malicious traffic through it. It utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It began to be widely adopted following its partnership with Lumma Stealer in 2024.
Open-source malware spikes 14x
Malware in Open-Source Ecosystems Increases 14x
The number of malware advisories across open-source ecosystems has increased 13.6x since January 2024, as threat actors take control of trusted packages to poison the software supply chain. “Of the 1,011 npm ATO [Account takeover] advisories recorded in the OSV database over all time, 930 were filed in 2025, a roughly 12x year-over-year increase representing 92% of all ATOs reported on npm,” Endor Labs said. “Among the 2025 npm ATO cases, 38.4% of affected packages had more than 1,000 monthly downloads, 18.5% exceeded 10,000, and 11.1% had more than 100,000. Attackers are deliberately targeting packages that are deeply embedded in production systems and automated CI/CD pipelines, maximizing the blast radius of each compromise.”
XLoader boosts stealth tactics
XLoader Continues to Evolve
An updated version of the XLoader information-stealing malware (version 8.7) has been found to incorporate several changes to the code obfuscation to make automation and analysis more difficult. These include the use of encrypted strings that are decrypted at runtime, encrypted code blocks consisting of functions that are decrypted at runtime, and improved methods to conceal hard-coded values and specific functions, per Zscaler. XLoader also uses a combination of multiple encryption layers with different keys for encrypting network traffic. “XLoader continues to be a highly active information stealer that constantly receives updates,” the company said. “As a result of the malware’s multiple encryption layers, decoy C2 servers, and robust code obfuscation, XLoader has been able to remain largely under the radar.”
ImageMagick zero-days enable RCE
Security Flaws in ImageMagick
Cybersecurity researchers have found multiple zero-day vulnerabilities in ImageMagick that could be chained to achieve remote code execution through a single image or PDF upload. According to Pwn.ai, the attack works on the default configuration and the most restrictive “secure” configuration. The issue affects every major Linux distribution, as well as WordPress installations that process image uploads. It remains unpatched as of writing. In the interim, it’s advised to process PDFs in an isolated sandbox with no network access, disable XML-RPC in WordPress, and block Ghostscript.
Attackers evade CloudTrail logging
How to Silently Disable CloudTrail?
Adversaries are bypassing traditional CloudTrail detections, like StopLogging or DeleteTrail, and instead using lesser-known AWS APIs to blind logging systems. This includes creating “invisible activity zones” using PutEventSelectors, using StopEventDataStoreIngestion and DeleteEventDataStore to halt or destroy long-term forensic visibility, disabling anomaly detection via PutInsightSelectors, and neutralizing cross-account protections through DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin. “The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely,” Abstract Security said.
LofyGang deploys dual-payload RAT
LofyGang Returns with Improved RAT Malware
The threat actor known as LofyGang resurfaced with a fake npm package (“undicy-http”) that delivers a dual-payload attack: a Node.js-based Remote Access Trojan (RAT) with live screen streaming, and a native Windows PE binary that uses direct syscalls to inject into browser processes and steal credentials, cookies, credit cards, IBANs, and session tokens from more than 50 web browsers and 90 cryptocurrency wallet extensions. The session hijacking module targets Roblox, Instagram, Spotify, TikTok, Steam, Telegram, and Discord. “The Node.js layer independently operates as a full RAT with remote shell, screen capture, webcam/microphone streaming, file upload, and persistence capabilities, all controlled through a WebSocket C2 panel,” JFrog said. The Node.js layer also downloads a native PE binary to facilitate data exfiltration via a Discord webhook and a Telegram bot.
Nothing here looks huge on its own. That’s the point. Small changes, repeated enough times, start to matter. Things that used to be hard are getting easier. Things that were noisy are getting quiet. You stop seeing the obvious signs and start missing the subtle ones. Read it like a pattern, not a list. Same ideas showing up in slightly different forms. Systems doing what they’re designed to do—just used differently. That gap is where most problems live now. That’s the recap.
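The CloudTrail item in this bulletin makes the point that the quieter logging-degradation APIs (PutEventSelectors, PutInsightSelectors, StopEventDataStoreIngestion, DeleteEventDataStore, DeleteResourcePolicy, DeregisterOrganizationDelegatedAdmin) slip past rules that only watch StopLogging and DeleteTrail, and that the sequence matters more than any single call. The following is an added detection example, not code from the bulletin or from Abstract Security: it scans CloudTrail records for every call on that watch list, rates a PutEventSelectors that switches management events off as high severity, and raises one alert per principal that chains two or more distinct watch-list calls inside a 30-minute window. The sample records, the account id 123456789012 and the principal names are constructed; the `includeManagementEvents` field is the request parameter the PutEventSelectors API uses, and the rest of the layout follows the standard CloudTrail `{"Records": [...]}` log file format.

```python
# Added detection example: scan CloudTrail records for calls that degrade logging.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail management APIs that reduce logging coverage. The first two are the
# "loud" calls most rules already watch; the rest are the quieter ones.
LOGGING_DEGRADATION_APIS = {
    "StopLogging": "trail logging stopped",
    "DeleteTrail": "trail deleted",
    "PutEventSelectors": "event selectors rewritten (possible blind spot)",
    "PutInsightSelectors": "Insights anomaly detection reconfigured",
    "StopEventDataStoreIngestion": "CloudTrail Lake ingestion stopped",
    "DeleteEventDataStore": "CloudTrail Lake event data store deleted",
    "DeleteResourcePolicy": "cross-account resource policy removed",
    "DeregisterOrganizationDelegatedAdmin": "organization delegated admin removed",
}
CLOUDTRAIL = "cloudtrail.amazonaws.com"


def load_records(raw_json):
    """Parse a CloudTrail log file body (the {"Records": [...]} layout)."""
    return json.loads(raw_json)["Records"]


def severity_for(record):
    """Destructive calls rate 'high'; PutEventSelectors rates 'high' only when it
    turns management events off (the quiet blind spot); everything else 'medium'."""
    name = record["eventName"]
    if name in ("StopLogging", "DeleteTrail", "DeleteEventDataStore"):
        return "high"
    if name == "PutEventSelectors":
        selectors = (record.get("requestParameters") or {}).get("eventSelectors") or []
        if any(s.get("includeManagementEvents") is False for s in selectors):
            return "high"
    return "medium"


def flag_events(records):
    """One finding per watch-list API call, in log order."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != CLOUDTRAIL or name not in LOGGING_DEGRADATION_APIS:
            continue
        ident = rec.get("userIdentity") or {}
        findings.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "actor": ident.get("arn") or ident.get("principalId") or "unknown",
            "eventName": name,
            "why": LOGGING_DEGRADATION_APIS[name],
            "severity": severity_for(rec),
        })
    return findings


def find_chains(records, window=timedelta(minutes=30), min_distinct=2):
    """Report actors calling at least `min_distinct` different watch-list APIs
    within `window`: one call may be maintenance, a sequence rarely is."""
    by_actor = defaultdict(list)
    for finding in flag_events(records):
        by_actor[finding["actor"]].append(finding)
    chains = []
    for actor, findings in by_actor.items():
        findings.sort(key=lambda f: f["time"])
        for i, first in enumerate(findings):
            in_window = [f for f in findings[i:] if f["time"] - first["time"] <= window]
            apis = sorted({f["eventName"] for f in in_window})
            if len(apis) >= min_distinct:
                chains.append({"actor": actor, "apis": apis, "start": first["time"]})
                break  # one alert per actor is enough
    return chains


# Constructed sample records (not real telemetry). The account id and principal
# names are placeholders. ops-admin narrows a trail, reconfigures Insights and
# drops the resource policy within minutes; sec-tooling makes one lone change.
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"
TOOLING = "arn:aws:iam::123456789012:role/sec-tooling"


def _rec(time, source, name, arn, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params or None}


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2026-03-30T10:00:00Z", CLOUDTRAIL, "DescribeTrails", ADMIN),
    _rec("2026-03-30T10:02:00Z", CLOUDTRAIL, "PutEventSelectors", ADMIN, trailName="org-trail",
         eventSelectors=[{"readWriteType": "All", "includeManagementEvents": False}]),
    _rec("2026-03-30T10:05:00Z", CLOUDTRAIL, "PutInsightSelectors", ADMIN),
    _rec("2026-03-30T10:07:00Z", CLOUDTRAIL, "DeleteResourcePolicy", ADMIN),
    _rec("2026-03-30T10:09:00Z", "ec2.amazonaws.com", "RunInstances", ADMIN),
    _rec("2026-03-30T15:00:00Z", CLOUDTRAIL, "PutInsightSelectors", TOOLING),
]})

if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for f in flag_events(records):
        print(f"{f['time']:%H:%M} {f['severity']:<6} {f['actor']} {f['eventName']}: {f['why']}")
    for c in find_chains(records):
        print(f"CHAIN {c['actor']} from {c['start']:%H:%M}: {', '.join(c['apis'])}")
```

On the constructed sample, `flag_events` returns four findings (the benign DescribeTrails and the EC2 call are ignored) and `find_chains` raises a single alert for ops-admin covering DeleteResourcePolicy, PutEventSelectors and PutInsightSelectors, while the lone PutInsightSelectors from sec-tooling stays a medium-severity finding without an alert. In production the same functions would run over the trail that delivers to a separate, write-protected log archive account, since a principal able to make these calls in the source account can also rewrite the trail they are recorded in.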