{"id":619,"date":"2026-04-16T14:06:14","date_gmt":"2026-04-16T14:06:14","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=619"},"modified":"2026-04-16T14:06:14","modified_gmt":"2026-04-16T14:06:14","slug":"defender-0-day-sonicwall-brute-force-17-year-old-excel-rce-and-15-more-stories","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=619","title":{"rendered":"Defender 0-Day,\u00a0SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 16, 2026<\/span><\/span><span class=\"p-tags\">Hacking News \/ Cybersecurity News<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgzTV_mwPjmV14aBlnHuLOX2yEZR6VGpmadgiPHtNBJV0KVNG_Oj2tnqE1cb3U9RhBXN-Mytte3jKs2n2dQwBhX2dYDETy5es4cGUkbW5bdIaV_hx8i3gWQhdaa7se1_Q8NY9t0q90EjUBNXt56_MxjT4YVV-R8D14jV3LequHu0llA84NnEK3PeU56Q54X\/s1700-e365\/bull-main.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>You\u00a0know that feeling when you open your feed on a Thursday morning and it&#8217;s just&#8230; a\u00a0lot? Yeah. This\u00a0week delivered. We&#8217;ve got hackers getting creative in ways that are almost impressive if you ignore the whole \u00abcrime\u00bb part, ancient vulnerabilities somehow still ruining people&#8217;s days, and enough supply chain drama to fill a season of television nobody asked\u00a0for.<\/p>\n<p>Not\u00a0all bad though. Some\u00a0threat actors got exposed with receipts, a few platforms finally tightened things up, and there&#8217;s research in here that&#8217;s genuinely worth your time. 
Grab\u00a0your coffee and keep scrolling.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Targeted wallet breach<\/span><\/p>\n<p class=\"td-desc\">\n      Cryptocurrency wallet service Zerion has <a href=\"https:\/\/x.com\/zerion\/status\/2044167535231414727\">disclosed<\/a> that one of its team member&#8217;s devices was compromised, resulting in the theft of approximately $100K from internal company hot wallets. The company noted that user funds, Zerion apps, and infrastructure were not impacted by the breach. The team member is said to have been the target of an artificial intelligence (AI)-enabled social engineering attack carried out by a North Korean threat actor tracked as UNC1069. The hacking group was recently attributed to the poisoning of the popular Axios npm package. \u00abThis allowed the attacker to gain access to some of the team members&#8217; logged-in sessions and credentials as well as private keys to company hot wallets used for testing and internal purposes,\u00bb Zerion said. \u00abThis was not an opportunistic attack. The actor is clearly sophisticated and well-resourced. They planned the attack thoroughly.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Anonymous age checks<\/span><\/p>\n<p class=\"td-desc\">\n      The European Union has announced that it will soon roll out a new online age verification app to allow users to prove their age when accessing online platforms. Users can set it up by downloading the app on their Android or iOS device and verifying their age with a passport or ID card. The Commission has emphasized that the app will respect users&#8217; privacy. 
\u00abUsers will prove their age without revealing any other personal information,\u00bb President of the European Commission, Ursula von der Leyen, <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/statement_26_817\">said<\/a>. \u00abPut simply, it is completely anonymous: users cannot be tracked. Third, the app works on any device \u2013 phone, tablet, computer, you name it. And, finally, it is fully open source \u2013 everyone can check the code.\u00bb The development comes as countries around the world are undertaking various stages of regulatory action to keep cyberspace a safer place for children and minors and protect them from serious harm.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">New Defender zero-day<\/span><\/p>\n<p class=\"td-desc\">\n      A researcher using the alias \u00abChaotic Eclipse\u00bb released a zero-day exploit called BlueHammer earlier this month following Microsoft&#8217;s handling of the vulnerability disclosure process. Although the issue appears to have been fixed as of this month&#8217;s Patch Tuesday release (CVE-2026-33825), the researcher has since <a href=\"https:\/\/x.com\/ChaoticEclipse0\/status\/2044550275692642782\">disclosed<\/a> a new unpatched <a href=\"https:\/\/deadeclipse666.blogspot.com\/2026\/04\/public-disclosure-response-for-cve-2026.html\">Microsoft Defender privilege escalation vulnerability<\/a>. The exploit has been codenamed <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/RedSun\">RedSun<\/a>. 
\u00abThis works 100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled,\u00bb security researcher Will Dormann <a href=\"https:\/\/infosec.exchange\/@wdormann\/116412019416916182\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<p><a name=\"more\"\/><\/p>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Legacy Excel RCE active<\/span><\/p>\n<p class=\"td-desc\">\n      The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/04\/14\/cisa-adds-two-known-exploited-vulnerabilities-catalog\">added<\/a> an old remote code execution vulnerability impacting Microsoft Office to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the shortcoming by April 28, 2026. The vulnerability in question is CVE-2009-0238, which has a CVSS score of 8.8. \u00abMicrosoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object,\u00bb CISA <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">sudo now requires password<\/span><\/p>\n<p class=\"td-desc\">\n      Raspberry Pi has released version 6.2 of its Raspberry Pi OS, which introduces one significant change: it disables passwordless sudo by default. As a result, users who run a sudo command for administrator-level access will be prompted to enter the current user&#8217;s password. 
The change affects only new installations; existing setups are untouched. \u00abGiven the ever-increasing threat of cybercrime, we continually review the security of Raspberry Pi OS to ensure it is sufficiently robust to withstand potential attacks,\u00bb Raspberry Pi <a href=\"https:\/\/www.raspberrypi.com\/news\/a-security-update-for-raspberry-pi-os\/\">said<\/a>. \u00abThis is always a tricky balance, as anything that makes the operating system more secure will invariably inconvenience legitimate users to some extent, so we try to keep such changes to a minimum. This particular security update is one that many users may not even notice, but it will affect some.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealth C2 frameworks uncovered<\/span><\/p>\n<p class=\"td-desc\">\n      A previously undocumented command-and-control (C2) framework dubbed ObsidianStrike has been deployed on infrastructure belonging to a Brazilian law firm. \u00abOnly two instances of ObsidianStrike exist on the entire internet,\u00bb Breakglass Intelligence <a href=\"https:\/\/intel.breakglass.tech\/post\/obsidianstrike-c2-compromised-brazilian-law-firm-9-months\">said<\/a>. \u00abThe framework has zero presence on GitHub, zero samples on VirusTotal or MalwareBazaar, and near-zero vendor detection. 
This is a fully private, Portuguese-language C2 built for targeted Windows operations, hidden behind a victim organization&#8217;s domain.\u00bb Also discovered by the security vendor is <a href=\"https:\/\/intel.breakglass.tech\/post\/archangelc2-innocreed-screenconnect-fraud\">ArchangelC2<\/a>, a C2 panel behind an industrial-scale ScreenConnect remote-access fraud campaign that has been operational since November 2024.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fake app drains $9.5M<\/span><\/p>\n<p class=\"td-desc\">\n      A fake Ledger app <a href=\"https:\/\/www.coindesk.com\/business\/2026\/04\/14\/a-fake-ledger-app-on-the-apple-app-store-just-drained-usd9-5-million-in-crypto\">managed<\/a> to slip onto the Apple App Store, <a href=\"https:\/\/t.me\/investigations\/313\">draining $9.5 million in cryptocurrency<\/a> from more than 50 victims between April 7 and April 13, 2026. The app, named <a href=\"https:\/\/archive.ph\/4RVLf\">Ledger Live<\/a>, was released by a developer, \u00abSAS Software Company,\u00bb and published under \u00abLeva Heal Limited.\u00bb Users who downloaded the fraudulent app were tricked into entering their seed phrases, giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control. While Apple has since removed the macOS app from the store, questions remain as to how it managed to pass the company&#8217;s review process. 
In more Apple-related news, the company has also <a href=\"https:\/\/techcrunch.com\/2026\/04\/14\/how-the-rewards-app-freecash-scammed-its-way-to-the-top-of-the-app-stores\/\">removed<\/a> a data harvesting app called Freecash from its App Store after it was <a href=\"https:\/\/www.wired.com\/story\/no-the-freecash-app-wont-pay-you-to-scroll-tiktok\/\">deceptively<\/a> <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2026\/01\/get-paid-to-scroll-tiktok-the-data-trade-behind-freecash-ads\">advertised<\/a> as a way to \u00abmake money just by scrolling TikTok,\u00bb while collecting sensitive information from users. This included details about a user&#8217;s race, religion, sex life, sexual orientation, health, and biometric data. Once installed, however, instead of the promised functionality, users were routed to a roster of mobile games where they were offered cash rewards for completing time-limited in-game challenges. The app continues to be available on the Google Play Store.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Localized ransomware campaign<\/span><\/p>\n<p class=\"td-desc\">\n      Cybercriminals are using a new ransomware strain called JanaWare to target people in Turkey, according to Acronis. The attack leverages phishing emails containing a Google Drive link that paves the way for the download and subsequent execution of a malicious JAR file via javaw.exe. The payload is a customized Adwind (aka AlienSpy, jRAT, or Sockrat) variant with polymorphic characteristics that&#8217;s used to deliver the ransomware module. The malware implements geofencing and environment filtering to ensure that the compromised systems match the Turkish language and region. While none of these tricks are particularly novel or advanced, they continue to work against unprotected small targets. 
It&#8217;s unclear how many people or businesses might have fallen prey to the scheme. The low-stakes, localized approach has allowed the campaign to persist since at least 2020 without any major disruption. \u00abVictimology appears to primarily include home users and small to medium-sized businesses. Initial access is assessed to occur via phishing emails delivering malicious Java archives,\u00bb the company <a href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/new-janaware-ransomware-targets-turkey-via-adwind-rat\/\">said<\/a>. \u00abRansom demands observed in analyzed samples range from $200\u2013$400, consistent with a low-value, high-volume monetization approach.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Crackdown on navigation abuse<\/span><\/p>\n<p class=\"td-desc\">\n      Google said it&#8217;s introducing a new spam policy for \u00abback button hijacking,\u00bb which occurs when a site interferes with a user&#8217;s browser navigation and prevents them from using their back button to immediately get back to the page they came from. Instead, the hijack could redirect users to sketchy sites or other pages they have never visited before. \u00abBack button hijacking interferes with the browser&#8217;s functionality, breaks the expected user journey, and results in user frustration,\u00bb Google <a href=\"https:\/\/developers.google.com\/search\/blog\/2026\/04\/back-button-hijacking\">said<\/a>. \u00abPages that are engaging in back button hijacking may be subject to manual spam actions or automated demotions, which can impact the site&#8217;s performance in Google Search results. 
To give site owners time to make any needed changes, we&#8217;re publishing this policy two months in advance of enforcement on June 15, 2026.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealth cloud credential theft<\/span><\/p>\n<p class=\"td-desc\">\n      The China-linked hacking group known as APT41 has been attributed to an undetectable, purpose-built ELF backdoor targeting Linux cloud workloads across Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Alibaba Cloud environments. \u00abThe implant uses SMTP port 25 as a covert command-and-control channel, harvests cloud provider credentials and metadata, and phones home to three Alibaba-themed typosquat domains hosted on Alibaba Cloud infrastructure in Singapore,\u00bb Breakglass Intelligence <a href=\"https:\/\/intel.breakglass.tech\/post\/apt41-winnti-elf-cloud-credential-harvester-alibaba-typosquat\">said<\/a>. \u00abA selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RDP phishing hardening<\/span><\/p>\n<p class=\"td-desc\">\n      Starting with the April 2026 security update (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-26151\">CVE-2026-26151<\/a>), Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (RDP) files, adding security warnings and turning off redirections by default. 
\u00abMalicious actors misuse this capability by sending RDP files through phishing emails,\u00bb Microsoft <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/remote\/remote-desktop-services\/remotepc\/understanding-security-warnings\">said<\/a>. \u00abWhen a victim opens the file, their device silently connects to a server controlled by the attacker and shares local resources, giving the attacker access to files, credentials, and more.\u00bb Russian hacking groups like APT29 have weaponized RDP configuration files to target Ukrainian government agencies, enterprises, and military entities in the past.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Plugin supply chain breach<\/span><\/p>\n<p class=\"td-desc\">\n      Unknown threat actors have staged a supply chain attack on a WordPress plug-in maker called Essential Plugin (formerly WP Online Support) after acquiring it in early 2025 from the original developers in a six-figure deal to plant a backdoor in August and subsequently weaponize it early this month to distribute malicious payloads to any website with the plug-ins installed. WordPress has since permanently closed all the plugins. \u00abThe plugin&#8217;s wpos-analytics module had phoned home to analytics.essentialplugin.com, downloaded a backdoor file called wp-comments-posts.php (designed to look like the core file wp-comments-post.php), and used it to inject a massive block of PHP into wp-config.php,\u00bb Anchor Hosting <a href=\"https:\/\/anchor.host\/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them\/\">said<\/a>. \u00abThe injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. 
It only showed the spam to Googlebot, making it invisible to site owners.\u00bb In addition, it resolved the command-and-control (C2) domain through an Ethereum smart contract to make it resilient to takedown efforts. Prior to their removal, the plugins collectively had more than 180,000 installs. \u00abThis is a classical case of supply chain compromise that happened because the original vendor sold their plugins to a third-party, which turned out to be a malicious threat actor,\u00bb Patchstack <a href=\"https:\/\/patchstack.com\/articles\/critical-supply-chain-compromise-on-20-plugins-by-essentialplugin\/\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Sanctioned crypto market persists<\/span><\/p>\n<p class=\"td-desc\">\n      Telegram has continued to host Xinbi Guarantee, an illicit marketplace that has processed over $21 billion in total transaction volume, despite sanctions issued by the U.K. last month. The development has raised questions about the platform&#8217;s willingness to police its own ecosystem and suspend bad actors. The Chinese-language bazaar is known to offer money laundering solutions to cryptocurrency scammers, harassment services, and products like electrified batons and tasers that cater to investment scams operating out of Southeast Asia. \u00abXinbi is still going strong,\u00bb Elliptic&#8217;s cofounder and chief scientist, Tom Robinson, <a href=\"https:\/\/www.wired.com\/story\/telegram-is-still-hosting-a-sanctioned-21-billion-crypto-scammer-black-market\/\">told<\/a> WIRED. 
\u00abThey&#8217;re on track to become the largest market of this kind that has ever existed.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Malvertising leads to ransomware<\/span><\/p>\n<p class=\"td-desc\">\n      Orange Cyberdefense has <a href=\"https:\/\/www.orangecyberdefense.com\/global\/blog\/cert-news\/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware\">revealed<\/a> that threat actors used malvertising in three separate incidents observed between early February and early April 2026 to deliver the SmokedHam (aka Parcel RAT, SharpRhino, and WorkersDevBackdoor) backdoor by masquerading it as installers for RVTools or Remote Desktop Manager (RDM). The malware is assessed to be a modified version of the open-source trojan known as ThunderShell. In at least one case, the attack led to the deployment of Qilin ransomware, but not before dropping employee monitoring and remote desktop solutions like Controlio, TeraMind, and Zoho Assist for persistent access, exfiltrating KeePass password databases, and conducting discovery and lateral movement. The adoption of <a href=\"https:\/\/censys.com\/blog\/netsupport-manager-tracking-dual-use-remote-administration-infrastructure\/\">legitimate dual-use tools<\/a> is a concerning trend as it allows attackers to blend their actions into legitimate activity and reduce the risk of detection. The activity has been attributed with medium confidence to UNC2465, an affiliate of DarkSide, LockBit, and Hunters International. 
It also overlaps with a campaign detailed by <a href=\"https:\/\/www.synacktiv.com\/en\/publications\/case-study-how-hunters-international-and-friends-target-your-hypervisors\">Synacktiv<\/a> and Field Effect in early 2025.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">APT lineage link uncovered<\/span><\/p>\n<p class=\"td-desc\">\n      New research has discovered that the threat actor known as Water Hydra (aka DarkCasino) is still active in 2026, with new evidence uncovering a previously unreported connection between evilgrou-tech, a commodity operator, and the hacking group. \u00abThe handle &#8216;evilgrou&#8217; is assessed with moderate confidence to be a deliberate reference to EvilNum (Evil + [num -&gt; grou]p), the predecessor APT group from which WaterHydra\/DarkCasino splintered in late 2022,\u00bb Breakglass Intelligence <a href=\"https:\/\/intel.breakglass.tech\/post\/multi-rat-operation-dismantled-waterhydra-apt-nexus-five-aes-keys-recovered-and-live-c2-infrastructure-mapped-across-three-continents\">said<\/a>. 
The strongest attribution indicator is a shared developer workspace path embedded in binaries associated with EvilNum and Water Hydra: \u00abC:\\Users\\Administrator\\Desktop\\vaeeva\\shellrundll.tlb.\u00bb These two artifacts are separated by two years, one in July 2022 and the other in January 2024.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Scientific software RCE risk<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity researchers have <a href=\"https:\/\/www.threatleap.com\/publications\/Finding-Critical-Security-Vulnerabilities-In-Widely-Used-Research-And-Scientific-Software-For-Fun-Not-Profit-HDF5-Story\">disclosed<\/a> security flaws in HDF5 software, a file format to manage, process, and store heterogeneous data, that could be exploited to compromise a vulnerable system. \u00abThe discovered vulnerabilities, based on a stack buffer overflow, could allow threat actors to overwrite memory and compromise target systems for stealing highly classified research data, industrial espionage, or a foothold into the internal network,\u00bb ThreatLeap&#8217;s co-founder, Leon Juranic, said. \u00abIn practice, this means the vulnerability could be exploited by a single specially crafted malicious input file and, as a result, an entire system could get compromised.\u00bb The issues were addressed in October 2025 following responsible disclosure.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Brute-force surge on edge devices<\/span><\/p>\n<p class=\"td-desc\">\n      Security researchers have detected a \u00absharp rise\u00bb in brute-force attempts to hijack SonicWall and FortiGate devices between January and March 2026, with the vast majority (88%) appearing to originate from the Middle East. 
Most attempts were unsuccessful, either blocked outright by security tools or directed at invalid usernames. \u00abAttackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,\u00bb Barracuda Networks <a href=\"https:\/\/blog.barracuda.com\/2026\/04\/14\/soc-threat-radar-april-2026\">said<\/a>. \u00abEven when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fraud network evades sanctions<\/span><\/p>\n<p class=\"td-desc\">\n      Triad Nexus, a sprawling cybercrime ecosystem acting as the backbone of scams, money laundering, and illicit gambling operations since at least 2020, has been observed using geographic fencing and laundering its infrastructure through \u00abclean\u00bb front companies to acquire accounts at major enterprise cloud providers (Amazon, Cloudflare, Google, and Microsoft) and avoid sanctions. Besides engaging in fraud, the group specializes in high-fidelity brand impersonation, weaponizing the digital identities of Global 2000 companies to dupe victims. \u00abThe network has industrialized brand theft on a global scale; its catalog includes &#8216;pixel-perfect&#8217; clones of everything from high-end luxury goods to public services,\u00bb Silent Push <a href=\"https:\/\/www.silentpush.com\/blog\/triad-nexus-funnull-2026\/\">said<\/a>. 
\u00abDespite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets.\u00bb Triad Nexus is estimated to be responsible for over $200 million in reported losses, primarily fueled by pig butchering and virtual currency scams.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>That&#8217;s a wrap for this week. If\u00a0anything here made you pause, good. Go\u00a0check your patches, side-eye your dependencies, and maybe don&#8217;t trust that app just because it&#8217;s sitting in an official store. The\u00a0basics still matter more than most people want to\u00a0admit.<\/p>\n<p>We&#8217;ll be back next Thursday with whatever fresh chaos the internet cooks up. Until\u00a0then, stay sharp and keep your logs close. See\u00a0you on the other\u00a0side.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 16, 2026Hacking News \/ Cybersecurity News You\u00a0know that feeling when you open your feed on a Thursday morning and it&#8217;s just&#8230; a\u00a0lot? Yeah. This\u00a0week delivered. 
We&#8217;ve got hackers&hellip;<\/p>\n","protected":false},"author":1,"featured_media":620,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1247,1249,1248,1246,1250,316,187],"class_list":["post-619","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-0daysonicwall","tag-17yearold","tag-bruteforce","tag-defender","tag-excel","tag-rce","tag-stories"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=619"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/619\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/620"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=619"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=619"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}