{"id":579,"date":"2026-04-13T14:17:41","date_gmt":"2026-04-13T14:17:41","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=579"},"modified":"2026-04-13T14:17:41","modified_gmt":"2026-04-13T14:17:41","slug":"fiber-optic-spying-windows-rootkit-ai-vulnerability-hunting-and-more","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=579","title":{"rendered":"Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Apr 13, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Hacking<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Monday\u00a0is back, and the weekend\u2019s backlog of chaos is officially hitting the fan. We\u00a0are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It\u00a0is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.<\/p>\n<p>The\u00a0variety this week is particularly nasty. We\u00a0have AI models being turned into autonomous exploit engines, North Korean groups playing the long game with social engineering, and fileless malware hitting enterprise workflows. 
There\u00a0is also a major botnet takedown and new research proving that even fiber optic cables can be used to eavesdrop on your private conversations.<\/p>\n<p>Skim\u00a0this before your next meeting. Let\u2019s get into\u00a0it.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the\u00a0Week<\/strong><\/h2>\n<p><strong>Adobe Acrobat Reader 0-Day Under\u00a0Attack\u00a0<\/strong>\u2014 Adobe released emergency updates to fix a critical security flaw in Acrobat Reader\u00a0that has come under active exploitation in the wild. The\u00a0vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6\u00a0out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It\u00a0has been\u00a0described as a case of prototype pollution that could result in arbitrary code execution. The development comes days after security researcher and EXPMON founder Haifei Li disclosed details of\u00a0zero-day exploitation of the\u00a0flaw to\u00a0run malicious JavaScript code when opening specially crafted PDF\u00a0documents through Adobe\u00a0Reader. There is evidence suggesting that the vulnerability may have been under exploitation since December\u00a02025.<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top\u00a0News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/iran-linked-hackers-disrupt-us-critical.html\">U.S. Warns\u00a0of Hacking Campaign by Iran-Affiliated Cyber Actors\u00a0<\/strong>\u2014 U.S. agencies warned of a hacking campaign undertaken by Iranian threat actors hitting industrial control systems across the U.S. that has had disruptive and costly effects. The attacks, ongoing since last month, targeted programmable logic controllers (PLCs) in the energy sector, water and wastewater utilities, and government facilities that are left exposed to the public internet with the apparent intention of sabotaging their systems. 
\u00abIn a few cases, this activity has resulted in operational disruption and financial loss,\u00bb the agencies said. The\u00a0activity has not been attributed to any particular group. The\u00a0attacks are part of a wider pattern of escalating Iran-linked operations as the war led by the U.S. and\u00a0Israel against Iran entered its sixth week. The\u00a0U.S. and\u00a0Iran have since agreed to a two-week ceasefire.<\/li>\n<li><strong>Anthropic&#8217;s Mythos Model is a 0-Day and Exploit Generation Engine\u00a0<\/strong>\u2014 A closed consortium including tech giants and top security vendors is getting early access to a general-purpose frontier model that Anthropic says can autonomously discover software vulnerabilities at scale. Because there are concerns that frontier AI capabilities could be abused to launch sophisticated attacks, the idea is to use Mythos to improve the security of some of the most widely used software before bad actors get their hands on it. To\u00a0that end, Project Glasswing aims to apply these capabilities in a controlled, defensive setting, enabling participating companies to test and improve the security of their own products. In\u00a0early testing, Anthropic claims the model identified thousands of high-severity vulnerabilities across operating systems, web browsers, and other widely used software, not to mention devising exploits for N-day flaws, in some cases in under a day, significantly compressing the timeline typically required to build working exploits. \u00abNew AI models, especially those from Anthropic, have triggered a new set of actions for how we build and secure our products,\u00bb Cisco, which is one of the launch partners, <a href=\"https:\/\/blogs.cisco.com\/news\/rising-to-the-era-of-ai-powered-cyber-defense\">said<\/a>. \u00abWhile the capabilities now available to defenders are remarkable, they soon will also become available to adversaries, defining the critical inflection point we face today. 
Defensively, AI allows us to scan and secure vast codebases at a scale previously unimaginable. However, it also lowers the threshold for attackers, empowering less-skilled actors to launch complex, high-impact campaigns. Ultimately, AI is accelerating the pace of innovation for both defenders and adversaries alike. The\u00a0question is simply who gets ahead of it and how fast.\u00bb<\/li>\n<li><strong>Law Enforcement Operation Fells APT28 Router Botnet\u00a0<\/strong>\u2014 APT28 has been silently exploiting known vulnerabilities in small and home office (SOHO) routers since at least May 2025, and changing their DNS server settings to redirect victims to websites it controls for credential theft. The <a href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260407\">attack chain<\/a> begins with Forest Blizzard gaining unauthorized access to poorly secured SOHO routers and silently modifying their default network settings so that DNS lookups for select websites are altered to direct users to their bogus counterparts. Specifically, the actor replaces the router&#8217;s legitimate DNS resolver configuration with actor-controlled DNS servers. Since\u00a0endpoint devices, such as laptops, phones, and workstations, automatically inherit network configuration from routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly begins forwarding its DNS requests to Russian intelligence-controlled infrastructure. For\u00a0a select subset of high-priority targets, Forest Blizzard escalated beyond passive DNS collection to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections. The\u00a0compromised router redirects the victim&#8217;s DNS query to the actor-controlled resolver. The\u00a0malicious resolver returns a spoofed IP address, directing the victim&#8217;s device to actor-controlled infrastructure instead of the legitimate service. 
Forest\u00a0Blizzard then intercepts the underlying plaintext traffic \u2013 potentially including emails, credentials, and sensitive cloud-hosted content. The\u00a0activity has gradually declined over the past few weeks. The\u00a0operations are \u00ablikely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops,\u00bb per the U.K. government. \u00abThe GRU provides fraudulent DNS answers for specific domains and services \u2013 including Microsoft Outlook Web Access \u2014 enabling adversary-in-the-middle (AitM) attacks against encrypted traffic if users navigate through a certificate error warning. These\u00a0AitM attacks would allow the actors to see the traffic unencrypted.\u00bb The operation fits into a series of disruptions aimed at Russian government hackers dating back to 2018, including VPNFilter, Cyclops Blink, and MooBot.<\/li>\n<li><strong>Drift Protocol Links Hack to North Korea\u00a0<\/strong>\u2014 Drift Protocol has revealed that a North Korean state-linked group spent six months posing as a trading firm to steal $285 million in digital assets. The\u00a0attack has been described as a meticulously planned intelligence operation that began in fall 2025, when a group of individuals approached Drift staff at a major cryptocurrency conference, presenting themselves as a quantitative trading firm seeking to integrate with the protocol. Over\u00a0the next couple of months, the group built trust through in-person meetings, Telegram coordination, onboarding an Ecosystem Vault on Drift, and made a $1 million deposit of their own capital. But\u00a0once the exploit hit, the trading group vanished, with the chats and malware \u00abcompletely scrubbed\u00bb to cover up the tracks. 
The\u00a0Drift Protocol hack follows a pattern that is becoming increasingly frequent as this incident marks the 18th North Korea-linked act Elliptic has tracked in 2026.\u00a0<\/li>\n<li><strong>Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA\u00a0<\/strong>\u2014 An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA). The\u00a0targets included prominent Egyptian journalists and government critics, Mostafa Al-A&#8217;sar and Ahmed Eltantawy, along with an anonymous Lebanese journalist. The\u00a0spear-phishing attacks aimed to compromise their Apple and Google accounts by sending specially crafted links designed to capture their credentials. The\u00a0attack has been found to share infrastructure overlaps with an Android spyware campaign that leveraged deceptive websites impersonating Signal, ToTok, and Botim to deploy ProSpy and ToSpy to unspecified targets in the U.A.E. While\u00a0Bitter has not been attributed to espionage campaigns targeting civil society members in the past, the campaign once again demonstrates a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire firms, which develop spyware and exploits for use by law enforcement and intelligence agencies to covertly access data on people&#8217;s phones.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending\u00a0CVEs<\/strong><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. 
These\u00a0are the heavy hitters for the week: high-severity, widely used, or already being poked at in the\u00a0wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first\u00a0\u2014 CVE-2026-34621 (Adobe Acrobat\u00a0Reader), CVE-2026-39987\u00a0(Marimo), CVE-2026-34040 (Docker\u00a0Engine), CVE-2025-59528 (Flowise), <a href=\"https:\/\/github.com\/dgraph-io\/dgraph\/security\/advisories\/GHSA-p5rh-vmhp-gvcw\">CVE-2026-34976<\/a>\u00a0(dgraph), <a href=\"https:\/\/source.android.com\/docs\/security\/bulletin\/2026\/2026-04-01\">CVE-2026-0049, CVE-2025-48651<\/a> (Android), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/04\/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin\/\">CVE-2026-0740<\/a> (Ninja Forms \u2013 File Upload\u00a0plugin), <a href=\"https:\/\/lists.apache.org\/thread\/2s11roxlv1j8ph6q52rqo1klvl01n14q\">CVE-2025-58136<\/a> (Apache Traffic\u00a0Server), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/04\/200000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-perfmatters-wordpress-plugin\/\">CVE-2026-4350<\/a> (Perfmatters\u00a0plugin), <a href=\"https:\/\/www.armosec.io\/blog\/cve-2026-32922-openclaw-privilege-escalation-cloud-security\/\">CVE-2026-32922<\/a>, <a href=\"https:\/\/blink.new\/blog\/cve-2026-33579-openclaw-privilege-escalation-2026\">CVE-2026-33579<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-9p3r-hh9g-5cmg\">GHSA-9p3r-hh9g-5cmg<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-g5cg-8x5w-7jpm\">GHSA-g5cg-8x5w-7jpm<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-8rh7-6779-cjqq\">GHSA-8rh7-6779-cjqq<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-hc5h-pmr3-3497\">GHSA-hc5h-pmr3-3497<\/a>, <a 
href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-j7p2-qcwm-94v4\">GHSA-j7p2-qcwm-94v4<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-fqw4-mph7-2vr8\">GHSA-fqw4-mph7-2vr8<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-9hjh-fr4f-gxc4\">GHSA-9hjh-fr4f-gxc4<\/a>, <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-hf68-49fm-59cq\">GHSA-hf68-49fm-59cq<\/a> (OpenClaw), <a href=\"https:\/\/chocapikk.com\/posts\/2026\/windfall-nextcloud-flow-windmill-rce\/\">CVE-2026-29059, CVE-2026-23696, CVE-2026-22683<\/a> (Windmill), <a href=\"https:\/\/horizon3.ai\/attack-research\/disclosures\/cve-2026-34197-activemq-rce-jolokia\/\">CVE-2026-34197<\/a> (Apache ActiveMQ), <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-4342\">CVE-2026-4342<\/a> (Kubernetes), <a href=\"https:\/\/github.com\/flatpak\/flatpak\/security\/advisories\/GHSA-cc2q-qc34-jprg\">CVE-2026-34078<\/a> (Flatpak), <a href=\"https:\/\/openssl-library.org\/news\/secadv\/20260407.txt\">CVE-2026-31790<\/a> (OpenSSL), <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2026\/4\/8\/nodejs-trust-falls-dangerous-module-resolution-on-windows\">CVE-2026-0775<\/a> (npm\u00a0cli), <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-26-040\/\">CVE-2026-0776<\/a> (Discord\u00a0Client), <a href=\"https:\/\/security.paloaltonetworks.com\/CVE-2026-0234\">CVE-2026-0234<\/a> (Palo Alto Networks), <a href=\"https:\/\/psirt.global.sonicwall.com\/vuln-detail\/SNWLID-2026-0003\">CVE-2026-4112<\/a> (SonicWall), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/536588\">CVE-2026-5437 through CVE-2026-5445<\/a> (Orthanc DICOM\u00a0Server), <a href=\"https:\/\/www.tp-link.com\/us\/support\/faq\/5055\/\">CVE-2026-30815, CVE-2026-30818<\/a> (TP-Link), <a 
href=\"https:\/\/supportportal.juniper.net\/s\/article\/2026-04-Security-Bulletin-vLWC-Default-password-is-not-required-to-be-changed-which-allows-unauthorized-high-privileged-access-CVE-2026-33784\">CVE-2026-33784<\/a> (Juniper Networks Support Insights Virtual Lightweight Collector), <a href=\"https:\/\/github.com\/facebook\/react\/security\/advisories\/GHSA-479c-33wc-g2pg\">CVE-2026-23869<\/a> (React Server Components), <a href=\"https:\/\/aws.amazon.com\/security\/security-bulletins\/2026-014-aws\/\">CVE-2026-5707, CVE-2026-5708, CVE-2026-5709<\/a> (AWS Research and Engineering\u00a0Studio), <a href=\"https:\/\/about.gitlab.com\/releases\/2026\/04\/08\/patch-release-gitlab-18-10-3-released\/\">CVE-2026-5173, CVE-2026-1092, CVE-2025-12664<\/a>\u00a0(GitLab), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/04\/stable-channel-update-for-desktop.html\">CVE-2026-5860, CVE-2026-5858, CVE-2026-5859, from CVE-2026-5860 through CVE-2026-5873<\/a> (Google\u00a0Chrome), <a href=\"https:\/\/www.ibm.com\/support\/pages\/security-bulletin-security-vulnerabilities-have-been-found-ibm-verify-identity-access-and-ibm-security-verify-access-2\">CVE-2023-46233, CVE-2026-1188, CVE-2026-1342, CVE-2026-1346<\/a> (IBM Verify Identity Access and IBM Security Verify\u00a0Access), <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-5194\">CVE-2026-5194<\/a> (WolfSSL),\u00a0and <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/detecting-kerberos-relay-attack-via-dns-cname-abuse\/\">CVE-2026-20929<\/a>\u00a0(<a href=\"https:\/\/cymulate.com\/blog\/kerberos-authentication-relay-via-cname-abuse\/\">Windows\u00a0HTTP.sys<\/a>).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity\u00a0Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/ghost-in-the-machine?source=recap\">The Blueprint for AI Agent Governance: Identity, Visibility, and Control<\/a> \u2192 As autonomous AI agents move from experimental \u00abslideware\u00bb to production 
middleware, they\u2019ve created a massive new attack surface: non-human identities. Join\u00a0this webinar to cut through the vendor noise and get a practical blueprint for the three pillars of agent security\u2014identity, visibility, and control. Learn\u00a0how to establish hardware-backed agent identities and implement forensic AI proxies to govern your machine workforce before the \u00abghosts\u00bb in your system become liabilities.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/state-of-ai-security?source=recap\">State of AI Security 2026: From Experimental Apps to Autonomous Agents<\/a> \u2192 AI is evolving from static tools to autonomous agents, outstripping traditional security faster than ever. With\u00a087% of leaders citing AI as their top emerging risk, the \u00abwait and see\u00bb approach is officially over. Join us to dissect the 2026 State of AI Security and gain a battle-tested roadmap for securing model runtimes, preventing agentic data leaks, and governing your machine workforce in production.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/agentic-exposure-validation?source=recap\">Validate 56% Faster: How AI Agents are Automating the Pentest Loop<\/a> \u2192 Vulnerability backlogs are endless, but true exploitability is rare. Agentic Exposure Validation uses autonomous AI to safely test your defenses in real-time, proving which risks are real and which are just noise. Join us to learn how to automate your validation loop, prioritize the 1% of flaws that actually matter, and shrink your attack surface at machine speed.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber\u00a0World<\/strong><\/h2>\n<ul>\n<li><strong>Fake Claude Website Drops PlugX <\/strong>\u2014 A fake website impersonating Anthropic&#8217;s Claude is being used to push a trojanized installer that deploys known malware referred to as PlugX using a technique called DLL side-loading. 
\u00abThe domain mimics Claude&#8217;s official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected,\u00bb Malwarebytes <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/04\/fake-claude-site-installs-malware-that-gives-attackers-access-to-your-computer\">said<\/a>. \u00abBut in the background, it deploys a PlugX malware chain that gives attackers remote access to the system.\u00bb While PlugX is known to be widely shared among Chinese hacking groups and delivered via DLL side-loading, its source code has circulated in underground forums, indicating that other threat actors could also be weaponizing the malware in their own attacks.<\/li>\n<li><strong>Seized VerifTools Servers Expose 915,655 Fake IDs <\/strong>\u2014 In August 2025, a joint law enforcement operation between the Netherlands and the U.S. led\u00a0to the takedown of a fake ID marketplace called VerifTools. Last week, Dutch police <a href=\"https:\/\/www.politie.nl\/nieuws\/2026\/april\/9\/07-data-op-servers-blijken-goudmijn---8-aanhoudingen-voor-identiteitsfraude.html\">arrested<\/a> eight suspects in a nationwide operation targeting users of the illicit platform as part of an identity fraud investigation. The\u00a0male suspects, aged between 20 and 34, have been accused of identity fraud, forgery, and cybercrime-related offenses. In\u00a0addition, nine suspects have been ordered to report to the police station. This includes seven men aged 18 to 35, and two girls aged 15 and 16. Further investigation into VerifTools has revealed that there were 636,847 registered users from February 2021 to August 2025, with 915,655 fake documents generated between May 2023 and August 2025. Investigators also found 236,002 document images linked to the U.S. that\u00a0were purchased for about $1.47\u00a0million between July 2024 and August 2025.<\/li>\n<li><strong>U.K. Government Threatens Tech Execs with Jail Time <\/strong>\u2014 The U.K. 
government <a href=\"https:\/\/www.gov.uk\/government\/news\/new-laws-to-crackdown-on-harmful-pornography\">said<\/a> it submitted amendments to the Crime and Policing Bill that, besides criminalizing pornography depicting illegal sexual conduct between family members and adults roleplaying as children and prohibiting people from possessing or publishing such content, also aims to fine or imprison senior executives of companies who fail to remove people&#8217;s intimate images that have been shared without consent.<\/li>\n<li><strong>Optical Fibers for Acoustic Eavesdropping <\/strong>\u2014 New research from the Hong Kong Polytechnic University and Chinese University of Hong Kong has uncovered a critical side channel within telecommunication optical fiber that enables acoustic eavesdropping. \u00abBy exploiting the sensitivity of optical fibers to acoustic vibrations, attackers can remotely monitor sound-induced deformations in the fiber structure and further recover information from the original sound waves,\u00bb a group of academics <a href=\"https:\/\/www.ndss-symposium.org\/ndss-paper\/hiding-an-ear-in-plain-sight-on-the-practicality-and-implications-of-acoustic-eavesdropping-with-telecom-fiber-optic-cables\/\">said<\/a> in an accompanying paper. \u00abThis issue becomes particularly concerning with the proliferation of Fiber-to-the-Home (FTTH) installations in modern buildings. Attackers with access to one end of an optical fiber can use commercially available Distributed Acoustic Sensing (DAS) systems to tap into the private environment surrounding the other end.\u00bb<\/li>\n<li><strong>Storm-2755 Conducts Payroll Pirate Attacks <\/strong>\u2014 Microsoft said it observed an emerging, financially motivated threat actor dubbed Storm-2755 carrying out payroll pirate attacks targeting Canadian users by abusing legitimate enterprise workflows. 
\u00abIn this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations,\u00bb the company <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/09\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/\">said<\/a>. The tech giant also pointed out that the campaign is distinct from prior activity owing to differences in delivery and targeting. Particularly, this involves the exclusive targeting of Canadian users and the use of malvertising and search engine optimization (SEO) poisoning of industry-agnostic search terms like \u00abOffice 365\u00bb to lure victims to Microsoft 365 credential harvesting pages. Also notable is the use of adversary\u2011in\u2011the\u2011middle (AiTM) techniques to hijack authenticated sessions, allowing the threat actor to bypass multi-factor authentication (MFA) and blend into legitimate user activity.<\/li>\n<li><strong>MITRE Releases F3 Framework to Fight Cyber Fraud <\/strong>\u2014 MITRE has released the Fight Fraud 
Framework (<a href=\"https:\/\/ctid.mitre.org\/fraud\">F3<\/a>), which it described as a \u00abfirst-of-its-kind effort to define and standardize the tactics and techniques used in cyber-enabled financial fraud.\u00bb The tactics cover the entire attack lifecycle: Reconnaissance, Resource Development, Initial Access, Defense Evasion, Positioning, Execution, and Monetization. By\u00a0codifying the tradecraft used to conduct fraud, the idea is to help financial institutions better understand, detect, and prevent fraud through a shared framework of adversary behaviors, it added. \u00abFraud actors often blend traditional cyber techniques with domain-specific fraud tactics, making a unified cyber-fraud framework essential,\u00bb MITRE <a href=\"https:\/\/www.mitre.org\/news-insights\/news-release\/mitres-center-threat-informed-defense-launches-framework-combat\">said<\/a>. \u00abF3 helps defenders connect technical signals to real-world fraud events, enabling a shift from reactive response to proactive defense.\u00bb<\/li>\n<li><strong>RegPhantom, a Stealthy Windows Kernel Rootkit <\/strong>\u2014 A new Windows kernel rootkit dubbed RegPhantom can give attackers code execution in kernel mode from an unprivileged user mode context without leaving any major visual evidence behind. \u00abThe malware abuses the Windows registry as a covert trigger mechanism: a usermode process can send an encrypted command through a registry write, which the driver intercepts and turns into arbitrary kernel-mode code execution,\u00bb Nextron Systems <a href=\"https:\/\/www.nextron-systems.com\/2026\/03\/20\/regphantom-backdoor-threat-analysis\/\">said<\/a>. \u00abWhat makes this threat notable is the combination of stealth, privilege, and trust abuse. The\u00a0driver runs as a signed kernel component, allowing it to operate at the highest privilege level on Windows systems. 
It\u00a0does not rely on normal driver loading behavior for its payloads and instead reflectively maps code into kernel memory, making the loaded module invisible to standard tools that enumerate drivers. It\u00a0also blocks the triggering registry write, wipes executed payload memory, and stores hook pointers in encoded form, which significantly reduces forensic visibility.\u00bb The first sample of RegPhantom in the wild was detected on June 18, 2025.<\/li>\n<li><strong>APT28&#8217;s NTLMv2 Hash Relay Attacks Detailed <\/strong>\u2014 In more APT28 (aka Pawn Storm) news, the threat actor has been attributed to NTLMv2 hash relay attacks through different methods against a wide range of global targets across Europe, North America, South America, Asia, Africa, and the Middle East between April 2022 and November 2023. The threat actor is known to break into mail servers and the corporate virtual private network (VPN) services of organizations around the world through brute-force credential attacks since 2019. \u00abPawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,\u00bb Trend Micro <a href=\"https:\/\/www.trendmicro.com\/es_mx\/research\/23\/l\/pawn-storm-uses-brute-force-and-stealth.html\">said<\/a>. Successful exploitation of CVE-2023-23397 allows an attacker to obtain a victim&#8217;s Net-NTLMv2 hash and use it for authentication against other systems that support NTLM authentication. The\u00a0vulnerability, per Microsoft, has been exploited as a zero-day since April 2022. 
Select campaigns observed in October 2022 involved the use of phishing emails to drop a stealer that scanned the system periodically for files matching certain extensions and exfiltrated them to the free file-sharing service, free.keep.sh.<\/li>\n<li><strong>New RATs Galore <\/strong>\u2014 Trojanized FileZilla installers are being used to initiate an attack chain that leads to the deployment of <a href=\"https:\/\/www.esentire.com\/blog\/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities\">STX RAT<\/a>, a remote access trojan (RAT) with infostealer capabilities. Researchers have also discovered an active threat called <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/desckvb-rat-analysis-from-javascript-loader-to-fileless-net-rat\/\">DesckVB RAT<\/a>, a JavaScript-based trojan that deploys a PowerShell payload, which subsequently loads a .NET-based loader directly into memory. \u00abOnce executed, the RAT establishes communication with a command-and-control (C2) server, enabling attackers to remotely control the compromised system, exfiltrate sensitive data, and carry out various malicious activities while maintaining a low detection footprint,\u00bb Point Wild said. 
Some\u00a0of the other newly discovered RATs include <a href=\"https:\/\/securelist.com\/crystalx-rat-with-prankware-features\/119283\/\">CrystalX or WebCrystal RAT<\/a> (a new malware-as-a-service (MaaS) and a rebrand of WebRAT promoted on Telegram and YouTube with remote access, data theft, keylogging, spyware, and clipper capabilities), <a href=\"https:\/\/www.seqrite.com\/blog\/operation-dualscript-powershell-malware-retrorat-analysis\/\">RetroRAT<\/a> (a malware distributed via PowerShell and .NET\u00a0loaders as part of a campaign named Operation DualScript for system monitoring, financial activity tracking, clipboard hijacking to route cryptocurrency transactions, and remote command execution), <a href=\"https:\/\/labs.k7computing.com\/index.php\/resoker-a-telegram-based-remote-access-trojan\/\">ResokerRAT<\/a> (a malware that uses Telegram for C2 to receive commands on the victim machine), and <a href=\"https:\/\/www.cyfirma.com\/research\/crysome-rat-an-advanced-persistent-net-remote-access-trojan\/\">CrySome<\/a> (a C# RAT that offers full-spectrum remote operations on compromised systems, along with deeply integrated persistence, AV killer, and anti-removal architecture that leverages recovery partition abuse and offline registry modification).<\/li>\n<li><strong>Phishing Campaign Delivers Remcos RAT in Fileless Manner <\/strong>\u2014 Phishing emails are being used to deliver Remcos RAT in what has been described as a fileless attack. \u00abThe attack chain is initiated through a phishing email containing a ZIP attachment disguised as a legitimate business document,\u00bb Point Wild <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network\/\">said<\/a>. \u00abUpon execution, an obfuscated JavaScript dropper establishes the initial foothold and retrieves a remote PowerShell script, which acts as a reflective loader. 
This\u00a0loader employs multiple layers of obfuscation, including Base64 encoding, raw binary manipulation, and rotational XOR encryption, to reconstruct and execute a .NET\u00a0payload entirely in memory.\u00bb An important aspect of the campaign is the use of trusted system binaries to proxy malicious execution under the guise of legitimate processes. The\u00a0final RAT payload is retrieved dynamically from a remote C2 server, allowing the threat actor to switch payloads at any time.<\/li>\n<li><strong>Tycoon 2FA Switches Infrastructure and Uses ProxyLine <\/strong>\u2014 The operators of the Tycoon 2FA phishing kit have been observed increasingly relying on ProxyLine, a commercial datacenter proxy service, to evade IP and geo\u2011based detection controls following its return after the coordinated global takedown of its infrastructure last month. Following the takedown, threat actors have <a href=\"https:\/\/www.esentire.com\/blog\/tycoon-2fa-infrastructure-update-threat-actors-adapt-following-global-coalition-takedown\">pivoted<\/a> to new infrastructure providers like HOST TELECOM LTD, Clouvider, GREEN FLOID LLC, and Shock Hosting LLC. One\u00a0provider that has witnessed continued use pre- and post-takedown is M247 Europe SRL. In addition, Gmail-targeted Tycoon 2FA campaigns have implemented WebSocket-based communication for real-time credential harvesting and reduced detection footprint compared to traditional HTTP POST requests.<\/li>\n<li><strong>TeleGuard&#8217;s Security Failings Exposed <\/strong>\u2014 TeleGuard, an app that&#8217;s advertised as an \u00abencrypted messenger [that] offers uncompromising data protection\u00bb and has been downloaded more than a million times, has been found to suffer from poor encryption that allows an attacker to trivially access a user\u2019s private key and decrypt their messages. 
\u00abTeleGuard also uploads users&#8217; private keys to a company server, meaning TeleGuard itself could decrypt its users&#8217; messages, and the key can also at least partially be derived from simply intercepting a user&#8217;s traffic,\u00bb security researchers <a href=\"https:\/\/www.404media.co\/a-secure-chat-apps-encryption-is-so-bad-it-is-meaningless\/\">told<\/a> 404 Media.<\/li>\n<li><strong>Google Brings E2EE to Gmail for Android and iOS <\/strong>\u2014 Google officially expanded support for end-to-end encryption (E2EE) to Android and iOS devices for Gmail client-side encryption (CSE) users. \u00abUsers with a Gmail E2EE license can send an encrypted message to any recipient, regardless of what email address the recipient has,\u00bb Google <a href=\"https:\/\/workspaceupdates.googleblog.com\/2026\/04\/gmail-end-to-end-encryption-now-available-on-mobile-devices.html\">said<\/a>. The\u00a0feature is currently limited to Enterprise Plus customers with the Assured Controls or Assured Controls Plus add-on.<\/li>\n<li><strong>Bad Actors Abuse GitHub and GitLab <\/strong>\u2014 Threat actors are turning to trusted services like GitHub and GitLab for spreading malware and stealing login credentials from unsuspecting users. About 53% of all campaigns abusing the GitHub domains have been found to deliver malware (e.g., XWorm, Venom RAT), whereas 64% of campaigns abusing GitLab domains deliver malware (e.g., DCRat). Select campaigns have also adopted a dual-threat attack chain, leveraging GitHub or GitLab to trick users into downloading Muck Stealer, after which a credential phishing page automatically opens. \u00abThese Git repository websites are necessary and can&#8217;t be blocked because of their use by enterprise software and normal business operations,\u00bb Cofense <a href=\"https:\/\/cofense.com\/blog\/the-growing-abuse-of-github-and-gitlab-in-phishing-campaigns\">said<\/a>. 
\u00abBy uploading malware or credential phishing pages to repositories hosted on these domains, threat actors can generate phishing links that won&#8217;t be blocked by many email-based security defenses like secure email gateways (SEG). GitHub\u00a0and GitLab mark the latest trend in abuse of legitimate cloud collaboration platforms.\u00bb<\/li>\n<li><strong>FBI Extracts Signal Messages from iOS Notification History Database <\/strong>\u2014 The U.S. Federal Bureau of Investigation (FBI) managed to forensically extract copies of incoming Signal messages from a defendant&#8217;s iPhone, even after the app was deleted, by taking advantage of the fact that copies of the content were saved in the device&#8217;s push notification database, 404 Media <a href=\"https:\/\/www.404media.co\/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2\/\">reported<\/a>. The\u00a0development shows how physical access to a device lets specialized forensic software recover sensitive data from unexpected places on the device, even data originating from secure messaging apps. The problem is not specific to Signal; it stems from a more fundamental design decision about how Apple stores notifications. Signal already has a setting that blocks message content from displaying in push notifications. Users who are concerned about their privacy are advised to consider turning the option on.<\/li>\n<li><strong>Multiple Flaws in IBM WebSphere Liberty <\/strong>\u2014 Multiple security flaws have been disclosed in IBM WebSphere Liberty, a modular, cloud-friendly Java application server, that could be exploited to seize control of affected systems. The\u00a0vulnerabilities offer multiple pathways for attackers to move from network-level exposure or limited access to full server compromise, according to <a href=\"https:\/\/www.oligo.security\/blog\/new-websphere-liberty-vulnerabilities\">Oligo Security<\/a>. 
The\u00a0most severe is <a href=\"https:\/\/www.ibm.com\/support\/pages\/security-bulletin-ibm-websphere-application-server-liberty-affected-server-side-request-forgery-cve-2026-1561\">CVE-2026-1561<\/a> (CVSS score: 5.4), which enables pre-authenticated remote code execution in SSO-enabled deployments due to unsafe deserialization in SAML Web SSO. \u00abIBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF),\u00bb IBM said. \u00abThis may allow [a] remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity\u00a0Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/betterleaks\/betterleaks\">Betterleaks<\/a> \u2192 It is the next-generation successor to Gitleaks, built to find exposed credentials with greater speed and accuracy. It\u00a0eliminates the noise of false positives by moving beyond basic pattern matching to high-fidelity detection. Designed for modern CI\/CD pipelines, it helps developers identify and fix leaked API keys and sensitive data before they become security liabilities.<\/li>\n<li><a href=\"https:\/\/github.com\/elastic\/supply-chain-monitor\">Supply Chain Monitor<\/a> \u2192 This tool provides end-to-end visibility into your software supply chain by monitoring CI\/CD pipelines for suspicious activity. It\u00a0tracks build integrity, detects unauthorized changes, and surfaces vulnerabilities in real-time. By\u00a0integrating directly with your existing workflows, it helps ensure that the code you ship hasn&#8217;t been tampered with between the commit and production.<\/li>\n<\/ul>\n<p><em>Disclaimer: This is strictly for research and\u00a0learning. It hasn&#8217;t been\u00a0through a formal security audit,\u00a0so don&#8217;t just blindly drop it into production. 
Read the code, break it in a sandbox first, and make sure\u00a0whatever you\u2019re doing stays on the right side of the\u00a0law.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>That\u2019s the wrap for this Monday. While\u00a0the headlines usually focus on the high-level nation-state drama, remember that most of these attacks still rely on someone, somewhere, clicking\u00a0a\u00a0\u00abtrusted\u00bb link or ignoring a basic patch.\u00a0Whether it\u2019s an AI-driven exploit engine or a fake trading firm, the goal is always to find the path of least resistance into your environment.<\/p>\n<p>Stay sharp, keep your edge devices updated,\u00a0and don\u2019t let the noise of the news cycle distract you from the basics of your own\u00a0defense.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 13, 2026, Cybersecurity \/ Hacking. Monday\u00a0is back, and the weekend\u2019s backlog of chaos is officially hitting the fan. 
We\u00a0are tracking a critical zero-day that has been quietly living in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1194,910,1195,1197,1196,68,307],"class_list":["post-579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-fiber","tag-hunting","tag-optic","tag-rootkit","tag-spying","tag-vulnerability","tag-windows"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=579"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/579\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/580"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}