  • 🔴 New security advisory:
    matchbook3469@infosec.exchange
    New security advisory: CVE-2026-41679 affects multiple systems.
    • Impact: Remote code execution or complete system compromise possible
    • Risk: Attackers can gain full control of affected systems
    • Mitigation: Patch immediately or isolate affected systems
    Full breakdown: https://www.yazoul.net/advisory/cve/cve-2026-41679-paperclip-unauthenticated-remote-code-execution
    #InfoSec #ZeroDay #ThreatIntel
  • orlysec@swecyb.com
    (catonetworks.com) Global Modbus/TCP Campaign Targets Internet-Exposed PLCs Across 70 Countries with China-Geolocated Infrastructure Observed
    Global campaign targets internet-exposed Modbus/TCP PLCs across 70 countries, with China-geolocated infrastructure observed executing high-risk write operations and DoS-like bulk reads.
    In brief - Cato Networks identified a large-scale campaign probing 14,426 Modbus/TCP PLCs globally, with manufacturing (18%) as the top sector. Reconnaissance included automated fingerprinting and 3,240 Write Multiple Registers (0x10) attempts, while bulk reads suggest disruption intent. A subset of China-linked IPs used rare expanded device identification.
    Technically - The campaign employed Modbus/TCP function codes 0x03 (Read Holding Registers, ~235.5K requests) and 0x10 (Write Multiple Registers, 3,240 requests) with consistent parameters (e.g., starting at 0x0BB8). Scripted sequences paired 0x2B/0x0E (payload 0100/0200) for device ID with fixed 0x03 reads. Six China-geolocated IPs used payload 0200, a rare expanded identification method. Bulk reads near the 125-register limit (~158.1K against one target) align with resource exhaustion tactics. MITRE ATT&CK for ICS PoC (Wildcat Dam) demonstrated physical impact via register manipulation.
    Source: https://www.catonetworks.com/blog/global-campaign-discovered-with-modbus-plcs-targeted/
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (gdatasoftware.com) Foxit PDF Brand Impersonation Campaign Delivers Concealed UltraVNC Remote Access Tool
    Threat actors are impersonating Foxit PDF to distribute trojanized installers delivering UltraVNC RAT via search engine poisoning. Campaign targets users in DE, US, UK, and UA with decoy passport lures and concealed persistence.
    In brief - Attackers abuse Foxit’s brand trust to trick users into executing fake PDF installers (e.g., Datei.exe) that silently deploy UltraVNC RAT. The malware establishes persistent remote access via C2 infrastructure at hallonews.servemp3.com:5500, enabling full system control.
    Technically - The attack chain begins with a trojanized binary (SHA256: 08b9cbdae903faf88b8027a12eee29265ff9b192b63aaa371d3d095b8ec00de5) fetching a malicious MSI (personalfoxypdf.msi) from hxxps://juneuk25.cfd. The MSI drops UltraVNC components into C:\intel-GPU\, using GPU/driver-themed filenames for evasion. Persistence is achieved via HKCU\Run, with gpu.cmd generating a system ID (IDD.txt) and SilentRun.vbs executing gpu.cmd silently. UltraVNC.ini preconfigures server settings, including passwords and ports, while firewall exceptions are added via gpu.txt. MITRE ATT&CK techniques include T1036 (Masquerading), T1204 (User Execution), T1027 (Obfuscation), and T1053/T1060 (Scheduled Task/Registry Run Keys).
    Source: https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (zscaler.com) Tropic Trooper Deploys AdaptixC2 Beacon with Custom GitHub C2 Listener via Trojanized SumatraPDF
    Tropic Trooper (Earth Centaur/Pirate Panda) deploys AdaptixC2 Beacon via trojanized SumatraPDF in targeted cyber espionage campaign against Taiwan, South Korea, and Japan.
    In brief - China-nexus APT Tropic Trooper targets Chinese-speaking individuals using military lures to deliver a trojanized SumatraPDF binary. The attack deploys AdaptixC2 Beacon with a custom GitHub C2 listener, followed by VS Code tunnel abuse for persistent access. EntryShell and CobaltStrike (watermark '520') reinforce attribution.
    Technically - The trojanized SumatraPDF hijacks _security_init_cookie to execute TOSHIS loader, which resolves APIs via Adler-32 hashing and fetches second-stage shellcode from 158.247.193[.]100. Shellcode is decrypted using AES-128 CBC (key derived from MD5 of '424986c3a4fddcb6'). AdaptixC2 Beacon uses GitHub Issues API for C2, authenticating with a hardcoded PAT. RC4 session keys (16-byte, generated via RtlRandomEx(GetTickCount())) encrypt task results uploaded to GitHub. Post-compromise includes reconnaissance, scheduled task persistence, and VS Code tunnel deployment.
    Source: https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (sysdig.com) LMDeploy SSRF Vulnerability CVE-2026-33626 Exploited Within Hours of Disclosure Against AI Inference Infrastructure
    New SSRF in LMDeploy (CVE-2026-33626) exploited 12h31m post-disclosure against AI inference infra. Attacker scanned AWS IMDS, Redis, MySQL, and admin endpoints via crafted image_url in /v1/chat/completions. OOB DNS to requestrepo.com confirmed blind SSRF.
    In brief - A critical SSRF in LMDeploy, used for vision-language models, was weaponized within hours of disclosure. Attackers targeted cloud metadata, internal services, and inference clusters, highlighting rapid exploitation of AI infrastructure vulnerabilities.
    Technically - CVE-2026-33626 stems from missing hostname validation in LMDeploy’s image URL loader. Attacker sent POST requests with SSRF payloads to 169.254.169.254 (IMDS), 127.0.0.1:6379/3306/8080, and /distserve/p2p_drop_connect. Detection via Falco rules for IMDS contact; remediation requires LMDeploy v0.12.3, IMDSv2 with httpTokens=required, and VPC egress controls.
    Source: https://webflow.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
    #Cybersecurity #ThreatIntel
  • matchbook3469@infosec.exchange
    THREAT INTEL | STERIMED Actor "qilin" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-22-sterimed-ransomware-attack-by-qilin-april-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 🚨 New security advisory:
    matchbook3469@infosec.exchange
    New security advisory: CVE-2026-34275 affects multiple systems.
    • Impact: Remote code execution or complete system compromise possible
    • Risk: Attackers can gain full control of affected systems
    • Mitigation: Patch immediately or isolate affected systems
    Full breakdown: https://www.yazoul.net/advisory/cve/cve-2026-34275-oracle-e-biz-unauth-takeover
    #InfoSec #ZeroDay #ThreatIntel
  • darkwebsonar@infosec.exchange
    INC Ransom claims ransomware attack on United States' Precision Coating Company. Allegedly exfiltrating proprietary developments, technologies, patents, and client data including components valued at $150M.
    #Ransomware #Healthcare #USA #ThreatIntel
  • The best time to block api
    ifin@infosec.exchange
    @julie New-ish. We had a report of some ClickFix activity that used it, and was related to a recent Elastic report.
    https://discourse.ifin.network/t/phantompulse-rat-macos-using-clickfix/302
  • orlysec@swecyb.com
    (cofense.com) Polymorphic Phishing: How Shape-Shifting Email Attacks Are Defeating Traditional Defenses
    Polymorphic phishing campaigns are systematically evading traditional email defenses by mutating all detectable attributes per message—sender addresses, subject lines, body content, attachments, URLs, and infrastructure—rendering signature-based detection ineffective.
    In brief - Polymorphic phishing has become a mainstream attack method, dynamically altering every email element to bypass static defenses. Organizations must adopt layered, context-aware security combining threat intelligence, automation, and behavioral analysis to detect campaign-level patterns rather than individual messages.
    Technically - These campaigns exploit structural polymorphism, varying per-message attributes while maintaining consistent social engineering themes (e.g., invoice fraud, IT alerts). Signature/hash-based tools fail as no two messages are identical. Effective mitigation requires real-time threat intelligence, automated correlation of campaign indicators, user-reported phishing data, and AI-driven pattern recognition to identify polymorphic campaigns pre-delivery.
    Source: https://cofense.com/blog/5-key-takeaways-from-inside-the-shape-shifting-inbox-understanding-modern-polymorphic-campaigns
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (jamf.com) DarkSword Leaked: Inside a Government-Grade iOS Safari Exploit Kit and Its Implications for the Mobile Threat Landscape
    DarkSword, a government-grade iOS exploit kit, has leaked—enabling one-click RCE with sandbox escape on iOS 18.4–18.6.2. Source code exposure lowers the barrier for skilled attackers, expanding risk beyond elite operators.
    In brief - A sophisticated iOS exploit framework, DarkSword, has been leaked, exposing unpatched iPhones to remote code execution and sandbox escape. Originally used against high-value targets, its public availability now threatens broader exploitation, including cryptocurrency theft.
    Technically - DarkSword leverages JavaScript engine primitives (addrof/fakeobj) to achieve memory read/write, followed by a 100-step mitigation bypass to disable garbage collection and exploit mediaplaybackd for kernel access. The leaked build supports 28 devices across 26 firmware versions, includes debug artifacts, and targets cryptocurrency wallets. A commented-out 'startSandworm' function hints at prior kernel exploit reuse, while MIG message filtering bypasses reflect adaptation to iOS 18.4+ defenses.
    Source: https://www.jamf.com/blog/darksword-ios-exploit-kit-three-lessons-mobile-security/
    #Cybersecurity #ThreatIntel
  • technadu@infosec.exchange
    Lotus Wiper detected
    Energy sector hit
    No ransom, full wipe
    LOLBins + legacy targeting
    Defense strategy?
    Source: https://thehackernews.com/2026/04/lotus-wiper-malware-targets-venezuelan.html
    Follow @technadu #InfoSec #ThreatIntel
  • orlysec@swecyb.com
    (cofense.com) Legitimate Tools as Weapons: How Threat Actors Abuse RATs and CVEs to Evade Detection
    Threat actors increasingly abuse legitimate Remote Access Tools (RATs) to evade detection and deliver payloads. NetSupport Manager, ConnectWise ScreenConnect, FleetDeck, and Atera dominate, comprising 87% of observed abuse.
    In brief - Legitimate RATs like NetSupport (40%) and ConnectWise (34%) are exploited for persistence, lateral movement, and data exfiltration. Microsoft’s 2022 macro restrictions reduced Office-based attacks, shifting focus to RATs. Organizations must monitor trusted software and patch critical CVEs.
    Technically - Exploited CVEs include CVE-2017-11882 (Equation Editor RCE), CVE-2017-0199 (Windows API RCE), CVE-2018-0798, and CVE-2018-0806. RATs enable keylogging, screen capture, and secondary malware deployment. ConnectWise (formerly Parcel RAT) surged post-March 2024, while Atera’s cross-platform support complicates EDR detection. Macro-based delivery declined post-June 2022, but RAT abuse persists as a primary intrusion vector.
    Source: https://cofense.com/blog/weaponizing-apathy-how-threat-actors-exploit-vulnerabilities-and-legitimate-software
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (sublime.security) AI-Powered Executive Impersonation: How Nation-State and Criminal Actors Are Targeting Financial Institutions
    AI-powered executive impersonation is escalating as nation-state and criminal actors target financial institutions with precision. North Korea, Russia, and Iran leverage agentic AI to automate OSINT, craft org charts, and mimic executive communication styles for scalable spear-phishing.
    In brief - Financial institutions face AI-driven impersonation attacks from nation-state actors seeking sanctions data, crypto theft, or geopolitical leverage. Multi-stage phishing establishes trust before delivering payloads, exploiting hierarchical urgency. Defenders should enforce MFA, patch hygiene, and out-of-band verification.
    Technically - Adversaries use agentic AI to parse LinkedIn, press releases, and corporate communications, replicating executive linguistic patterns. Multi-stage email attacks initiate benign threads before introducing malicious payloads, bypassing detection. Deepfake video and simulated Zoom environments are emerging vectors. Countermeasures include phishing-resistant MFA, identity governance, and skip-level verification protocols.
    Source: https://proxied2.sublime.security/blog/how-ai-is-scaling-executive-impersonation-in-financial-services
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (malwarebytes.com) Needle Stealer: Golang-Based Modular Infostealer Distributed via Fake AI Trading Tool Website
    New campaign distributes *Needle Stealer*, a Golang-based modular infostealer targeting crypto wallets, browser data, and Telegram sessions via fake AI trading tool lures.
    In brief - Threat actors are using a fraudulent *TradingClaw* website to deliver *Needle Stealer*, a Golang infostealer with modular capabilities including clipboard hijacking, form grabbing, and malicious browser extensions. The malware selectively targets victims, exfiltrating cryptocurrency wallet credentials (MetaMask, Ledger, Trezor, Exodus) and browser data while evading detection through process hollowing and DLL hijacking.
    Technically - The infection chain starts with a ZIP file containing *iviewers.dll*, which leverages DLL hijacking to execute a second-stage DLL. This injects *Needle Stealer* into *RegAsm.exe* via process hollowing. The malware, written in Golang, unpacks hidden ZIPs (*base.zip*, *meta.zip*) to deploy malicious extensions into %LOCALAPPDATA%\Packages\Extensions. These extensions communicate with C2 endpoints (/backup-domains/active, /upload, /extension, /scripts) on domains like *coretest[.]digital* and *reisen[.]work*, enabling traffic redirection, script injection, and data exfiltration. Core functionality resides in the 'ext' package, supporting modular components like a wallet spoofer and clipboard hijacker.
    Source: https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers
    #Cybersecurity #ThreatIntel
  • solomonneas@infosec.exchange
    CISA KEV: 8 flaws now actively exploited, including Quest KACE SMA CVSS 10.0 and Cisco SD-WAN. Google Antigravity bug enabled sandbox escape to RCE in AI dev tooling. 🟡 French ANTS breach may expose data tied to 19M records. Patch, isolate, and warn users.
    #cybersecurity #infosec #threatintel #vulnmgmt
    solomonneas.dev/intel
  • orlysec@swecyb.com
    (hunt.io) Malware Delivery via Open Directories: AsyncRAT and Cobalt Strike Campaign Analysis
    New analysis reveals threat actors exploiting open directories to deliver AsyncRAT and Cobalt Strike in multi-stage campaigns.
    In brief - Adversaries are using exposed open directories to host and deliver malware, including AsyncRAT via BITS abuse and Cobalt Strike through Fernet-encrypted Python executables. These campaigns demonstrate how unsecured infrastructure enables sophisticated intrusions.
    Technically - Campaign 1: VBScript (xx.txt) creates temp.xml with PowerShell, abuses BITSAdmin to fetch a disguised ZIP (f.jpg) containing 9 files, then self-deletes. Campaign 2: PyInstaller-compiled 1.exe (~10MB) uses Fernet to decrypt Cobalt Strike shellcode from a.txt, executed in-memory. The binary includes obfuscation (Base64 Chinese strings, QuickSort noise) and links to Supershell C2 (207.32.217[.]21, 121.37.21[.]229). Both leverage open directories for payload staging.
    Source: https://hunt.io/blog/gateway-to-intrusion
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (security.com) Harvester APT Group Deploys New GoGra Linux Backdoor Targeting South Asia Using Microsoft Graph API for C2
    New Linux variant of GoGra backdoor attributed to Harvester APT leverages Microsoft Graph API for C2 over Outlook mailboxes, targeting South Asia.
    In brief - Harvester APT, a suspected nation-state actor, has deployed a Linux version of its GoGra backdoor. The malware abuses Microsoft Graph API and Outlook for covert C2, using decoy documents tied to Indian and Afghan cultural references. Persistence is achieved via systemd and XDG autostart, with AES-CBC encryption securing communications.
    Technically - GoGra Linux is a 5.9 MB i386 ELF delivered via Go dropper, disguised as a PDF. It establishes persistence through a systemd user unit and XDG autostart entry, masquerading as Conky. Hardcoded Azure AD credentials enable OAuth2 token acquisition, polling an Outlook folder ('Zomato Pizza') every 2 seconds. Commands are received via emails with 'Input' subject, decrypted using AES-CBC (key: b14ca5898a4e4133bbce2ea2315a1916), and executed via /bin/bash. Results are encrypted and returned with 'Output' subject, followed by deletion of the tasking email. Shared typos (e.g., 'ExcuteCommand') confirm codebase overlap with Windows variants.
    Source: https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (paloaltonetworks.com) AirSnitch: Novel Wi-Fi Attack Techniques Break WPA2/WPA3-Enterprise Client Isolation
    New AirSnitch attack techniques disclosed at NDSS 2026 break WPA2/WPA3-Enterprise client isolation, enabling full MitM positioning without cryptographic key compromise. Affects major OS/hardware vendors; requires urgent mitigation via VLANs, MAC/IP spoofing prevention, and MACsec.
    In brief - AirSnitch exploits protocol-infrastructure gaps in WPA2/3-Enterprise to bypass client isolation, enabling traffic interception across access points. Mitigations include VLAN segmentation, GTK hardening, and device-to-device encryption.
    Technically - AirSnitch leverages three primitives: Gateway Bouncing (router MAC + victim IP to bypass L2 isolation), Port Stealing (MAC spoofing across BSSIDs to redirect PTK-encrypted traffic), and Broadcast Reflection (unicast payloads in broadcast frames re-encrypted via GTK). GTK misuse allows insider attackers to spoof broadcast/multicast frames. Cross-AP attacks hijack MAC-to-port mappings at distribution switches, enabling RADIUS brute-forcing, rogue APs, and DTLS exploitation.
    Source: https://unit42.paloaltonetworks.com/air-snitch-enterprise-wireless-attacks/
    #Cybersecurity #ThreatIntel
  • g0rb@infosec.exchange
    Nice, after half a century we got a new Five-Eyes-Alliance Querty-Keylogger Sample https://www.virustotal.com/gui/file/1d621137f6e2c44b84cba939510ec898c8b587acae0fe600b6ca5d74448c1208/detection
    #thruntersAnonymous #threatintel