Weekly Cybersecurity Threat Advisory

Umer Wajih
April 14, 2026
No Comments

Threat Landscape Summary (March 06 – April 13, 2026)

I. EXECUTIVE SUMMARY

This report covers the cybersecurity threat landscape observed between 06 and 13 April 2026. The period was defined by high operational tempo across ransomware ecosystems, active exploitation of newly disclosed vulnerabilities, nation-state espionage activity, and sustained targeting of healthcare and critical infrastructure. Multiple threat vectors converged during this period, producing an elevated-risk environment that demands immediate attention from security teams and organizational leadership.

HIGH Threat Level

12+ Major Incidents

8 Active Critical CVEs

9+ Active Threat Groups

Key Highlights

BlueHammer Windows Zero-Day: Unpatched local privilege escalation vulnerability publicly released on 03 April 2026 by researcher ‘Chaotic Eclipse’; exploits Microsoft Defender update process for SYSTEM-level access. No official patch available at time of publication.
ChipSoft Ransomware Attack (Healthcare): Ransomware hit Dutch healthcare IT vendor ChipSoft on April 7, causing cascading patient-portal outages across Netherlands hospitals and triggering incident response at Signature Healthcare (Massachusetts).
Adobe Data Breach (13M Records): Threat actor ‘Mr. Raccoon’ claimed exfiltration of 13 million customer support tickets, 15,000 employee records, and internal bug-bounty submissions from Adobe.
Rockstar Games – ShinyHunters Extortion: ShinyHunters accessed Rockstar’s Snowflake data warehouses via compromised third-party analytics provider Anodot; ransom deadline set for April 14, 2026.
Iranian Cyber Operations: Joint CISA/FBI/NSA/EPA advisory (AA26-097A) warns of Iran-affiliated actors targeting PLCs and OT devices across U.S. critical infrastructure. Handala group attributed to destructive wiper attack against Stryker Corporation.
Fortinet Critical Vulnerabilities: CVE-2026-35616 (CVSS 9.1) and CVE-2026-21643 actively exploited; both added to CISA KEV catalog.
Storm-1175 / Medusa Ransomware: China-linked actor Storm-1175 conducted high-velocity Medusa ransomware campaigns exploiting BeyondTrust (CVE-2026-1731) and SmarterMail (CVE-2026-23760).
APT37 (ScarCruft) Facebook Campaign: North Korean threat group APT37 executed targeted Facebook-based social engineering delivering RokRAT remote access trojan against selected individuals.
OAuth Device Code Phishing: Campaign compromised 340+ Microsoft 365 organizations across five countries, abusing legitimate Microsoft device authentication flows without requiring endpoint malware.
STX RAT Supply Chain: New RAT/infostealer distributed via trojanized CPUID/HWMonitor installers following the April 9-10 CPUID website API breach.
Jones Day Law Firm Breach: SilentRansomGroup claimed responsibility; client confidential data posted to dark web extortion portal.
REvil/GandCrab Attribution: Germany’s BKA formally identified Daniil Maksimovich Shchukin (alias ‘UNKN’) as REvil/GandCrab leader.

Dominant Trends

Third-party and supply chain compromise remained the primary entry vector across Adobe, Rockstar Games, and TeamPCP incidents.
Ransomware groups coupled BYOVD (Bring Your Own Vulnerable Driver) techniques with EDR-disabling payloads; Qilin and Warlock both deployed this during the period.
AI-assisted phishing attacks, including QR-code smishing and OAuth device code phishing, scaled rapidly across multiple countries.
Nation-state actors, particularly Iranian-affiliated groups, demonstrated increased operational tempo against critical infrastructure OT/ICS environments.
Healthcare and legal sectors experienced disproportionate ransomware pressure, with operational disruptions directly affecting patient care.
Legal sector under sustained targeting by SilentRansomGroup, with focused campaigns against major law firms.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

The week of April 6-13, 2026, illustrates a threat environment where ransomware groups, nation-state actors, and financially motivated cybercriminals operate with overlapping methods and converging infrastructure. Geopolitical tensions, zero-day weaponization, and the exploitation of trusted software channels defined the period. Three distinct patterns dominated.

1. Healthcare and Critical Infrastructure Under Sustained Pressure

The ChipSoft attack in the Netherlands disrupted patient-record portals across multiple hospitals, demonstrating how a single healthcare IT vendor compromise causes cascading operational failures across dependent clinical sites.
Gritman Medical Center (Idaho), Signature Healthcare (Massachusetts), and the Center for Hearing and Communication all activated incident response procedures during this period, indicating either coordinated campaigns or parallel targeting of the sector.
Iranian actors specifically targeted PLCs in U.S. water treatment facilities; CISA identified approximately 4,000 industrial control devices as vulnerable.
Iranian Ministry of Intelligence and Security (MOIS) front group Handala conducted a destructive wiper attack against Stryker Corporation, causing global manufacturing disruption.

2. Supply Chain and Third-Party Exploitation

Both the Rockstar Games and Adobe breaches originated from third-party platforms, not direct compromise of primary environments.
The TeamPCP supply-chain attack on LiteLLM, a developer AI tool, exposed how CI/CD pipelines and developer workstations are primary targets for credential harvesting.
An OAuth device code phishing campaign compromised over 340 Microsoft 365 organizations across five countries, exploiting legitimate Microsoft authentication flows. No malware or endpoint exploit was required.
The STX RAT distribution via the compromised CPUID website reached millions of potential victims through a trusted hardware monitoring tool.

3. Nation-State Espionage and Geopolitical Activity

APT37 (North Korea) executed a Facebook-based social engineering campaign delivering RokRAT, representing an evolution in initial access methodology away from email toward social platforms.
UAT-10362, a previously undocumented China-linked cluster, targeted Taiwanese NGOs with LucidRook malware via spear-phishing.
Chinese APT group Amaranth Dragon (linked to APT41) conducted sustained espionage against government and law enforcement agencies across Southeast Asia using WinRAR exploits and custom malware.
Germany’s BKA formally identified Daniil Maksimovich Shchukin (alias ‘UNKN’) as the leader of REvil and GandCrab, one of the most significant public attribution actions of the year.
AI-generated phishing campaigns increased substantially since late 2025, with threat actors leveraging large language models to create personalized social engineering attacks.

Critical Sectors Affected

Sector	Key Incidents / Exposure
Healthcare	ChipSoft (NL), Signature Healthcare (MA), Gritman Medical (ID), Stryker Corp, Center for Hearing and Communication; patient care disrupted across multiple institutions
Water / Utilities	Iranian actors targeting PLCs in water treatment facilities; ~4,000 ICS devices exposed per CISA advisory AA26-097A
Legal Services	Jones Day breach by SilentRansomGroup; Goulston & Storrs targeted; multiple BigLaw firms in SRG crosshairs
Gaming / Entertainment	Rockstar Games / Take-Two via ShinyHunters; third-party Anodot/Snowflake compromise; financial records and contracts at risk
Financial Services	STX RAT with advanced credential-theft targeting financial sector; Pathstone Family Office (641K records via ShinyHunters)
Technology / Software	Adobe breach (13M support tickets); TeamPCP LiteLLM supply-chain attack; CPUID API breach
Public Sector	Middlesex County NJ systems disrupted; North Attleboro Public Schools affected; Die Linke (Germany) hit by Qilin ransomware

Geographic Hotspots

United States: Primary target for Iranian critical infrastructure operations; ransomware campaigns against healthcare (Signature Healthcare, Gritman Medical) and legal sectors; OAuth phishing campaign across M365 tenants.
Netherlands: ChipSoft ransomware causing cascading hospital disruptions; Z-CERT confirmed incident.
Southeast Asia: Chinese APT groups (Amaranth Dragon/APT41, UAT-10362) conducting espionage against government, law enforcement, NGOs in Indonesia, Vietnam, Philippines, Taiwan.
Europe: Die Linke (Germany) hit by Qilin; CPUID infrastructure breach; secondary targeting by Iranian groups.
Australia: Iranian-linked ransomware activity; collaboration with U.S. intelligence agencies on threat sharing.

III. NOTABLE INCIDENTS AND DATA BREACHES

The reporting period witnessed significant security incidents across diverse sectors. The following profiles cover the most significant confirmed breaches and attacks observed between April 6-13, 2026.

1. ChipSoft Ransomware Attack | April 7, 2026

Sector: Healthcare IT

Actor: Unattributed ransomware group (Z-CERT confirmed incident as ransomware; specific group not named at time of publication)

Impact: Patient-portal outages across multiple Netherlands hospitals; cascading disruption at Signature Healthcare (Massachusetts) including ambulance diversions and delayed chemotherapy treatments

Status: Under investigation. Z-CERT (Netherlands healthcare CERT) confirmed incident typeSource: Z-CERT, SharkStriker Breach Tracker, PurpleOps

2. Adobe Data Breach | ‘Mr. Raccoon’ | April 2026

Actor: Mr. Raccoon (unattributed criminal actor)

Data Exposed: 13 million customer support tickets, 15,000 employee records, internal company documents, and bug-bounty program submissions

Impact: Significant risk of targeted phishing against Adobe customers and security researchers; exposure of internal security posture via bug-bounty data

Source: SharkStriker Breach Tracker, BleepingComputer

3. Rockstar Games / Take-Two – ShinyHunters Extortion | Disclosed April 13, 2026

Actor: ShinyHunters (financially motivated; known for large-scale breaches and extortion)

Attack Vector: Third-party provider Anodot compromised; authentication tokens used to access Rockstar’s Snowflake data warehouses

Data at Risk: Financial records, marketing data, contracts with Sony and Microsoft. Rockstar confirmed ‘limited non-material corporate data’ was affected

Extortion: Ransom deadline set for April 14, 2026; threat actors accepting offers via dark web portal

Impact Assessment: Limited operational impact; significant reputational and potential intellectual property exposure

Source: Outlook India, The Verge, Kotaku

4. CPUID Website API Breach | April 9-10, 2026

Vector: Secondary API endpoint compromise

Window: April 9 at 15:00 UTC to approximately April 10 at 10:00 UTC

Malware Link: The CPUID breach enabled distribution of STX RAT via trojanized CPU-Z and HWMonitor installers downloaded from the compromised infrastructure

Status: Under investigation. Full impact scope not confirmed at time of publication

Source: gHacks Security News

5. Stryker Corporation (Ongoing Impact from March 11, 2026)

Actor: Handala (Iranian MOIS front group)

Attack Type: Destructive wiper attack combined with data exfiltration

Attribution: Iranian state-sponsored; MOIS-directed operation with retaliatory motivation

Impact: Global manufacturing disruption, order processing delays, shipment impacts across medical device supply chains

Status: Containment achieved; recovery operations ongoing into the current reporting period

6. Jones Day Law Firm Breach | April 7, 2026

Actor: SilentRansomGroup (SRG)

Attack Vector: Targeted phishing and vishing campaign against specific partners

Data Exposed: Client confidential information; Federal Circuit practice group specifically targeted; at least 10 clients’ data compromised

Impact: Client data posted to dark web extortion portal; reputational and legal liability implications

Sector Trend: Legal firms under sustained targeting by specialized ransomware actors

7. OAuth Device Code Phishing | 340+ Microsoft 365 Organizations

Scale: 340+ organizations across five countries

Technique: Abuses Microsoft’s legitimate device authorization grant flow; victim completes real MFA, attacker receives valid session tokens

Risk: Tokens remain valid post-password reset unless tenant explicitly revokes them; enables persistent stealth access to Exchange Online, OneDrive, and Microsoft Graph

Source: Cloud Security Alliance, Acronis MSP Digest April 7, 2026

8. Middlesex County Cyber Attack | April 1-13 (Ongoing)

Sector: Public Sector / Government

Impact: Town and public safety systems disrupted; data scope under investigation

Source: SharkStriker Breach Tracker

9. Gritman Medical Center | April ~7, 2026

Sector: Healthcare

Impact: Clinic outages across multiple Idaho locations; incident response activated

Source: SharkStriker Breach Tracker

10. SongTrivia Ransomware | April ~8, 2026

Affected: SongTrivia Inc. (US)

Data Exposed: 2.92 million accounts; emails, passwords, and authentication tokensSource: SharkStriker Breach Tracker

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

Date	Incident	Organization	Impact
Apr 6-7	ChipSoft Ransomware / Signature Healthcare Disruption	ChipSoft (NL), Signature Healthcare (US)	Hospital portal outages, ambulance diversions, delayed chemotherapy
Apr ~7	Adobe Data Breach	Adobe Inc. (US)	13M support tickets, 15K employee records, bug-bounty data exfiltrated
Apr 7	Iranian Cyber Advisory	U.S. Critical Infrastructure	CISA/FBI/NSA/EPA advisory AA26-097A; PLC/OT devices at risk
Apr 7	Jones Day Law Firm Breach	Jones Day (US)	Client data exposed; SilentRansomGroup posted data to dark web
Apr ~7	Gritman Medical Ransomware	Gritman Medical Center, ID (US)	Clinic outages across multiple locations
Apr ~8	SongTrivia Ransomware	SongTrivia Inc. (US)	2.92M accounts exposed: emails, passwords, auth tokens
Apr 9	Fortinet KEV Addition	Fortinet (Global)	CVE-2026-35616 and CVE-2026-21643 added to CISA KEV; active exploitation confirmed
Apr 9-10	CPUID API Breach / STX RAT Distribution	CPUID / HWMonitor Users	Secondary API compromised; STX RAT distributed via trojanized installers to millions of users
Apr 9	UAT-10362 / LucidRook Campaign	Taiwanese NGOs and Universities	Spear-phishing delivering new Lua-based RAT ‘LucidRook’
Apr 13	Rockstar Games / Take-Two Extortion	Rockstar Games / Take-Two (US)	ShinyHunters via Anodot third-party; Snowflake data warehouses; ransom deadline April 14
Apr 13	APT37 Facebook / RokRAT Campaign	Targeted Individuals (Global)	RokRAT RAT delivered via Facebook social engineering; espionage targets
Ongoing	OAuth Device Code Phishing	340+ M365 Organizations	Valid session tokens stolen without malware; persistent access to Exchange, OneDrive

V. CRITICAL VULNERABILITIES AND CVEs

The reporting period featured multiple critical vulnerabilities with significant enterprise security implications. The most notable is the BlueHammer Windows zero-day, which remains unpatched at time of publication. Fortinet, Citrix, and BeyondTrust products continue to be actively targeted. Organizations are strongly advised to prioritize patching and implement compensating controls where patches are not yet available.

BlueHammer Windows Zero-Day (No CVE Assigned)

Released publicly on April 3, 2026, by security researcher ‘Chaotic Eclipse,’ BlueHammer is a local privilege escalation vulnerability exploiting the Microsoft Defender update process to achieve SYSTEM-level privileges. The researcher cited frustrations with Microsoft’s bug disclosure process as motivation for the public release.

Vulnerability Type: Local Privilege Escalation (LPE)

Affected Components: Microsoft Defender update mechanism

Affected Versions: All supported Windows versions: Windows 10, Windows 11, Windows Server 2019/2022

Exploitation Status: Proof-of-concept publicly available; active exploitation expected

Patch Status: No official patch available at time of publication

CVSS Score: 7.8 (High)

Mitigation: Apply Microsoft Defender signature updates with defensive mechanisms; restrict privileged access; monitor for suspicious Defender update activities

Full CVE Tracking Table | April 6-13, 2026

CVE ID	Product	Description	Severity	Mitigation
BlueHammer (unassigned)	Microsoft Windows / Defender	LPE via Defender update mechanism; SYSTEM-level access from limited user context	7.8 HIGH	Apply Defender sig updates; restrict privileged access; no official patch available
CVE-2026-35616	Fortinet FortiClient EMS	Improper Access Control; RCE. Added to CISA KEV April 6. Actively exploited in the wild.	9.1 CRITICAL	Update per CISA advisory FG-IR-26-099; audit for existing compromise before patching
CVE-2026-21643	Fortinet FortiClient EMS	SQL Injection; allows unauthenticated command execution. KEV deadline: May 8, 2026.	9.1 CRITICAL	Apply vendor patch; restrict HTTP access to FortiClient EMS
CVE-2026-5281	Google Chrome (Dawn / WebGPU)	Use-after-free in Chromium WebGPU; actively exploited; 4th Chrome zero-day in 2026.	8.8 HIGH	Apply Chrome 146.0.7680.71 or later out-of-band update immediately
CVE-2026-1731	BeyondTrust	Exploited by Storm-1175 in Medusa ransomware campaigns; CISA KEV status.	CRITICAL	Apply vendor patch; audit BeyondTrust internet-facing assets for signs of compromise first
CVE-2026-23760	SmarterTools SmarterMail	Exploited by Storm-1175 in Medusa campaigns; internet-facing mail servers at risk.	CRITICAL	Patch immediately; restrict internet-facing SmarterMail; audit for compromise
CVE-2026-3055	Citrix NetScaler ADC/GW	Out-of-bounds reads via SAML IDP configuration; active exploitation confirmed.	CRITICAL	Apply Citrix CTX696300 bulletin; restrict SAML IDP exposure; audit for compromise
CVE-2026-3502	TrueConf Client	Download without integrity check; code execution via tampered update server.	HIGH	Apply vendor patch per TrueConf advisory; block update-trueconf[.]net
CVE-2026-34621	Adobe Acrobat	Use-after-free; allows code execution via malicious PDF documents.	HIGH	Apply Adobe APSB26-43 security update
CVE-2025-8088	WinRAR	Path traversal; exploited by Amaranth Dragon (APT41-linked) against SEA government targets.	7.8 HIGH	Update WinRAR to latest version; block malicious archive delivery via email filters

Remediation Priority Guidance

Patch Immediately (24-48 hrs): CVE-2026-35616, CVE-2026-5281, CVE-2026-1731, CVE-2026-23760, CVE-2026-3055. All carry KEV catalog status or confirmed active exploitation.
Patch This Week: CVE-2026-21643, CVE-2026-3502, CVE-2026-34621, CVE-2025-8088, BlueHammer mitigations. Apply vendor advisories and validate via vulnerability scanner.
Critical Caution: All Fortinet, Citrix, and BeyondTrust products exposed to the internet must be audited for signs of compromise before patching. Patching without checking for existing access leaves attackers with persistence post-remediation.

CISA KEV Catalog Updates | April 6-13, 2026

CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control. Added April 6, 2026.
CVE-2026-21643: Fortinet FortiClient EMS SQL Injection. Added April 8, 2026. Remediation deadline: May 8, 2026.
CVE-2026-1731: BeyondTrust. Added during reporting period.

ICS Advisories | April 7-9, 2026

CISA released multiple Industrial Control Systems advisories affecting products across critical infrastructure sectors. Organizations operating ICS/OT environments must review these advisories and implement recommended mitigations.

ICSA-26-097-01: Mitsubishi Electric GENESIS64 and ICONICS Suite; multiple vulnerabilities including remote code execution.
ICSA-26-099-01: Contemporary Controls BASC 20T; denial of service vulnerability.
ICSA-26-099-02: GPL Odorizers GPL750; authentication bypass and configuration manipulation vulnerabilities.

VI. THREAT ACTOR ACTIVITIES

Threat actor activities during this period demonstrate continued evolution in sophistication, targeting, and operational models. Nation-state actors have intensified operations aligned with geopolitical objectives, while financially motivated groups refine extortion tactics across increasingly specialized sectors.

1. Iranian Cyber Actors | Multiple Groups

Iranian-affiliated actors significantly escalated offensive operations since late February 2026, coinciding with heightened geopolitical tensions. Multiple groups operate with overlapping objectives across U.S. and allied critical infrastructure.

Groups: Handala (MOIS front), Cyber Av3ngers, Imperial Kitten, OilRig

Objectives: Destructive attacks, intelligence collection, critical infrastructure disruption

MITRE ATT&CK TTPs: T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T0865 (Spearphishing Attachment – ICS), T0886 (Remote Services – ICS), T0837 (Rootkit)

Target Sectors: Water utilities, energy, healthcare, manufacturing, government

Recent Campaigns: PLC exploitation targeting Unitronics devices in water treatment; destructive wiper attack against Stryker Corporation

Attribution: Iranian Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC) sponsorship confirmed via CISA advisory AA26-097A.

2. Storm-1175 | China-linked Active Ransomware Operator

Objective: Financial extortion via Medusa ransomware; possibly state-adjacent based on targeting patterns

MITRE ATT&CK TTPs: T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact), T1083 (File and Directory Discovery)

Exploited CVEs: CVE-2026-1731 (BeyondTrust), CVE-2025-31161 (CrushFTP), CVE-2024-27198 (JetBrains TeamCity), CVE-2026-23760 (SmarterMail)

Target Sectors: Healthcare, enterprise IT, supply chain infrastructure

Source: Microsoft Threat Intelligence

3. ShinyHunters | Financially Motivated Extortion Actor

Objectives: Financial gain through data theft and extortion

TTPs: T1195 (Supply Chain Compromise), T1530 (Data from Cloud Storage Object), T1657 (Financial Theft); targeting third-party analytics and cloud cost-management tools to acquire authentication tokens for downstream Snowflake environments

Target Sectors: Technology, gaming, finance, telecommunications

Recent Victims: Rockstar Games (April 2026 via Anodot), Pathstone Family Office (641K records), Crunchbase (January 2026)

Notable Characteristics: Systematic targeting of Snowflake environments via third-party integrations; repeatable attack pattern identified since 2024 Snowflake campaign (AT&T, Ticketmaster, Santander)

4. SilentRansomGroup (SRG) | Legal Sector Specialist

Objectives: Financial gain through targeted data theft and extortion without encryption

TTPs: Vishing (voice phishing) campaigns, targeted spear-phishing, data exfiltration, extortion; sophisticated reconnaissance against specific partners

Target Sectors: Legal services, professional services, financial services

Recent Campaigns: Jones Day law firm breach; Goulston & Storrs targeting; multiple BigLaw firms

Notable Characteristics: Focus on legal sector; extortion without encryption; targeted approach against specific named partners

5. APT37 / ScarCruft | North Korea | Facebook-based Espionage

Objective: Espionage; intelligence collection against selected individuals of interest to North Korean intelligence

MITRE ATT&CK TTPs: T1566.003 (Spearphishing via Service), T1585 (Establish Accounts), T1219 (Remote Access Software), T1204 (User Execution)

Malware Delivered: RokRAT (remote access trojan)

Method: Two Facebook accounts with location set to Pyongyang used to build trust; targets moved to Messenger for malware delivery via fake PDF viewer application

Target Sectors: Journalists, political figures, researchers, diplomats

Source: The Hacker News, Genians Security Center (GSC)

6. Amaranth Dragon | APT41-linked | Southeast Asia Espionage

Objectives: Cyber espionage, intelligence collection, strategic access to government networks

TTPs: Phishing with malicious attachments, WinRAR exploit (CVE-2025-8088), PlugX deployment, custom malware

Target Sectors: Government agencies, law enforcement, diplomatic entities in Southeast Asia

Target Regions: Indonesia, Vietnam, Philippines, Thailand

Recent Campaigns: Sustained espionage throughout 2025-2026 against SEA government networks

7. UAT-10362 | China-linked | New Cluster Targeting Taiwan

Objective: Espionage; intelligence collection against civil society

MITRE ATT&CK TTPs: T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer)

Malware: LucidRook: Lua-based stager embedding a Lua interpreter and Rust-compiled libraries within a DLL

Target Sectors: NGOs and universities in Taiwan

8. Qilin Ransomware Group | BYOVD EDR Evasion

Objective: Financial extortion; multi-sector targeting

TTPs: T1562.001 (Impair Defenses: BYOVD); T1486; T1041 (Exfiltration Over C2); credential dumping pre-encryption

Notable Activity: Claimed Die Linke (German political party) and a U.S. sheriff’s office; deploying msimg32.dll for EDR disablement targeting 300+ EDR tools

Source: Cisco Talos, Trend Micro, PurpleOps Ransomware Tracker

9. REvil / GandCrab | BKA Attribution | April 2026

Actor Named: Daniil Maksimovich Shchukin (alias: UNKN), 31, Russian national

Background: Led both GandCrab (precursor) and REvil ransomware groups; responsible for at least 130 acts of sabotage and extortion against German victims 2019-2021

Significance: One of the most significant public attribution actions of 2026; reinforces law enforcement willingness to publicly name Russian cybercriminals
Source: KrebsOnSecurity

VII. MALWARE ANALYSIS

The reporting period featured newly identified malware strains, redeployed remote access trojans, and evolving ransomware families with advanced EDR-evasion capabilities. Understanding these threats is essential for developing effective detection and response.

1. STX RAT | New | Supply Chain Delivery via CPUID

STX RAT is a newly identified remote access trojan distributed through the compromised CPUID website following the April 9-10 API breach. The malware was embedded in trojanized CPU-Z and HWMonitor installers, reaching millions of potential victims through a trusted hardware monitoring distribution channel.

Capabilities: Remote desktop access, keystroke logging, credential theft, file exfiltration, hidden VNC functionality, browser credential harvesting, cryptocurrency wallet theft, authentication token capture

Delivery Method: Trojanized installers from compromised CPUID website

Affected Platforms: Windows (primary); potential cross-platform variants under development

Detection Evasion: Memory-only execution to avoid disk-based detection; encrypted C2 communications using custom protocols; anti-analysis techniques

Target Sectors: Finance, technology, general enterprise

SHA256 IOC: f81e14ac7309019208529599a848c2287789f0ccbcd2f7609e9f239f52376763

2. LucidRook | New – First Documented This Period

Capabilities: Sophisticated stager; downloads and executes secondary payloads; embedded Lua interpreter and Rust-compiled libraries within a DLL enable flexible interpreted payload execution

Delivery Method: Spear-phishing attachments targeting NGO and university email accounts

Affected Platforms: Windows

Attributed To: UAT-10362 (China-linked cluster)

Detection Guidance: Monitor for unusual DLL side-loading and Lua interpreter processes in non-developer environments

3. RokRAT | Redeployed | APT37 Facebook Campaign

Capabilities: Remote access, keylogging, file exfiltration, screenshot capture; uses cloud storage APIs for C2 to blend with legitimate traffic

Delivery Method: Facebook Messenger pretexting; targets prompted to install fake PDF viewer application containing the trojan

Affected Platforms: Windows

Attributed To: APT37 / ScarCruft (North Korea)

Detection Guidance: Block unsigned application installations prompted via social media; monitor cloud API calls for C2 indicators

4. Medusa Ransomware | Active | Storm-1175 Affiliate

Capabilities: Data encryption, data exfiltration for double extortion, lateral movement, credential harvesting

Delivery Method: Exploitation of known CVEs: BeyondTrust CVE-2026-1731, CrushFTP CVE-2025-31161, JetBrains TeamCity CVE-2024-27198, SmarterMail CVE-2026-23760

Affected Platforms: Windows enterprise environments

Notable TTPs: High-velocity exploitation, rapid lateral movement, EDR evasion

Source: Microsoft Threat Intelligence

5. Qilin Ransomware | EDR-Disabling BYOVD Module

Capabilities: Ransomware encryption; BYOVD technique targeting 300+ EDR tools via malicious DLL msimg32.dll; credential dumping pre-encryption

Delivery Method: Post-exploitation; deployed after initial access via VPN/RDP credential theft

Affected Platforms: Windows enterprise environments

Detection Guidance: Monitor for msimg32.dll in unexpected processes; alert on vulnerable signed driver loads; monitor SECURITY hive and LSA access

Source: Cisco Talos, Trend Micro, Bitdefender MDR

6. SnappyBee (Deed RAT) | Telecommunications Targeting

Capabilities: Data exfiltration, persistence, lateral movement, modular payload delivery

Delivery Method: Exploitation of Citrix NetScaler vulnerabilities (CVE-2026-3055); targeted intrusions

Affected Platforms: Windows and Linux variants

Associated Groups: Earth Estries, Salt Typhoon, Chinese APT ecosystem

Recent Campaigns: European telecommunications breach; sustained targeting of critical infrastructure

7. macOS ClickFix Variant | Cryptocurrency Targeting

Capabilities: Cryptocurrency wallet theft, credential harvesting, browser data exfiltration

Delivery Method: Deceptive applications, fake browser installers, Terminal-based installation scripts

Affected Platforms: macOS

Target Sectors: General users, cryptocurrency holders, creative professionals

Ransomware Ecosystem Trends

Double extortion remains standard practice, with groups emphasizing data theft alongside or in place of encryption.
BYOVD (Bring Your Own Vulnerable Driver) adoption is accelerating; Qilin and Warlock both deployed EDR-disabling DLL techniques during this period.
Ransomware-as-a-Service (RaaS) models continue to lower the barrier to entry for less sophisticated actors.
Decreasing ransom payment rates as organizations improve backup and recovery capabilities are driving groups toward more aggressive multi-extortion models.
Healthcare and education sectors absorb disproportionate ransomware pressure, partly due to less mature security postures and high operational disruption value.

VIII. RECOMMENDATIONS

A. For Technical Audiences

Immediate Actions | 24-48 Hours

Patch CVE-2026-35616, CVE-2026-5281, CVE-2026-3055, CVE-2026-1731, CVE-2026-23760 immediately. All carry CISA KEV status or confirmed active exploitation. Audit Fortinet, Citrix, and BeyondTrust internet-facing assets for signs of existing compromise before applying patches.
Apply BlueHammer mitigations. Push the latest Microsoft Defender signature update with defensive mechanisms; restrict privileged access; monitor for suspicious Defender update process activity. No official patch is yet available.
Revoke and reissue all Microsoft 365 OAuth tokens for high-risk users. The OAuth device code phishing campaign produces valid tokens that survive password resets. Explicit revocation is required at the tenant level.
Review third-party analytics and cloud-cost monitoring tool permissions. ShinyHunters’ Rockstar attack began via Anodot token compromise. Limit Snowflake and cloud warehouse access from third-party SaaS tools; apply least-privilege to all cloud integrations.
Deploy BYOVD detection rules. Qilin and Warlock are actively using vulnerable drivers to disable EDR. Enable block-mode WDAC policies to prevent unsigned or vulnerable driver loads. Monitor for msimg32.dll in unexpected process contexts.
Update Google Chrome to version 146.0.7680.71 or later. CVE-2026-5281 is the fourth Chrome zero-day exploited in 2026.
Block known IOCs immediately: Implement network-level blocking for threat actor infrastructure; update endpoint detection signatures with STX RAT and Qilin BYOVD indicators (see Section X).
Patch CVE-2026-21643 (Fortinet FortiClient EMS SQLi) per CISA KEV. BOD 22-01 remediation deadline: May 8, 2026.
Review ICS/OT environments: Assess exposure to CISA ICS advisories ICSA-26-097-01, ICSA-26-099-01, ICSA-26-099-02; implement compensating controls for PLC vulnerabilities identified in CISA advisory AA26-097A.

Strategic Improvements

Implement zero-trust segmentation for CI/CD pipelines. The TeamPCP LiteLLM attack demonstrates that developer workstations are credential exfiltration targets. Isolate AI tooling and development environments from production networks.
Enforce conditional access and device compliance policies on all Microsoft 365 tenants. OAuth device code phishing bypasses MFA at the protocol level; device compliance policies add a second gate that resists this technique.
Inventory and audit AI browser extensions across corporate endpoints. LayerX research (April 10) found AI extensions are 60% more likely to have a vulnerability than average extensions and 3x more likely to have cookie access. This surface is outside most DLP and SaaS security tools.
Develop Iranian actor-specific response playbooks. Create incident response procedures for Handala, Cyber Av3ngers, and OilRig TTPs, including destructive wiper scenarios and PLC/OT compromise response.
Expand dark web and threat intelligence monitoring. Both the Adobe and Rockstar breaches had observable dark web pre-extortion activity. Monitor for mentions of your organization, employee data, and third-party vendors.
Strengthen supply chain security. Conduct security assessments of third-party vendors and software suppliers; implement software integrity verification for downloaded installers and updates.
Enhance OT/IT network segmentation. Ensure proper segmentation between operational technology and enterprise networks; increase visibility into PLC and ICS communications.

B. For Non-Technical Audiences

Security Awareness

Do not accept friend requests from unknown individuals on social platforms. APT37 used Facebook friend requests followed by Messenger conversations to deliver malware. Verify any contact claiming to be a journalist, researcher, or conference organizer through official channels before engaging.
Never install software prompted by someone you met online. This includes PDF viewers, document readers, or utilities sent via messaging apps, regardless of how legitimate they appear.
Be suspicious of QR codes in unsolicited messages. An ongoing smishing campaign uses fake traffic violation notices with QR codes across multiple U.S. states. Scan QR codes only from sources you have verified independently.
Verify software download sources. Only download hardware monitoring tools, utilities, and software from official vendor websites. The CPUID supply chain attack demonstrates that even trusted platforms can be temporarily compromised.
Use a password manager and enable multi-factor authentication. Prioritize Microsoft 365, Google Workspace, and financial services accounts. Note that MFA alone does not protect against OAuth device code phishing; report any unexpected authentication prompts immediately.

Incident Response Preparedness

Know your organization’s reporting channel for suspicious activity. Report unusual emails, unexpected login alerts, or strange computer behavior to IT immediately. Early reporting limits breach scope.
Back up critical data regularly and verify that backups are stored offline or in an isolated environment. Ransomware groups specifically target backup systems to eliminate recovery options.
Confirm that your organization has tested its incident response plan within the past 12 months. Healthcare organizations must maintain manual fallback procedures for patient-record access and medication administration.
Understand your organization’s data breach regulatory reporting obligations. Prompt reporting to legal counsel and relevant authorities is often a compliance requirement following confirmed incidents.

Executive-Level Considerations

Ensure adequate cybersecurity budget allocation for threat-informed defense, including OT/ICS security programs if your organization operates critical infrastructure.
Review cyber insurance coverage for ransomware, third-party breach, and destructive wiper attack scenarios.
Evaluate your supply chain risk management program. Third-party access to cloud data warehouses is now a confirmed, repeatable attack vector.
Consider tabletop exercises covering healthcare-specific operational disruption scenarios; the ChipSoft attack produced cascading disruptions because dependent hospitals lacked adequate manual fallback procedures.

IX. ANALYST NOTES

The following observations extend beyond confirmed intelligence and incorporate MCS analyst assessment based on patterns observed during this reporting period. Speculative and inferential content is labeled accordingly.

Note 1: Healthcare Ransomware Clustering

The simultaneous disruption of ChipSoft (Netherlands), Gritman Medical (Idaho), Signature Healthcare (Massachusetts), and the Center for Hearing and Communication within a single reporting week is statistically unusual. While independent ransomware groups (Interlock, ANUBIS, unattributed) are involved across these incidents, the timing warrants monitoring for potential coordination or shared initial-access broker infrastructure.

A common initial-access broker may be selling healthcare sector credentials to multiple ransomware affiliates simultaneously, producing the appearance of coordinated campaigns without central direction.

Note 2: Snowflake as a Persistent Attack Surface

The Rockstar Games breach via Anodot follows the pattern established by the 2024 Snowflake campaign against AT&T, Ticketmaster, and Santander. Third-party tools with Snowflake data warehouse access are now a recognized and repeatable attack vector. Organizations have not yet systematically revoked unnecessary third-party Snowflake access, making further incidents probable.

Based on observed patterns ShinyHunters appears to systematically target companies that use Snowflake via third-party analytics platforms, rather than attacking Snowflake’s infrastructure directly. The entry point is consistently the third-party tool, not the data warehouse itself.

Note 3: Vulnerability Disclosure Tensions

The BlueHammer zero-day release by ‘Chaotic Eclipse’ highlights growing tensions in the vulnerability disclosure ecosystem. The researcher’s stated frustrations with Microsoft’s bug disclosure process raise concerns about potential future releases by other researchers facing similar experiences. This incident may signal a shift toward more adversarial researcher-vendor relationships, with public releases as leverage.

Note 4: AI Browser Extensions as an Emerging Threat Surface

LayerX research published April 10, 2026, documents that AI browser extensions are 60% more likely to have a vulnerability than average extensions, 3x more likely to have cookie access, and 6x more likely to have elevated permissions compared to one year ago. This threat surface is currently outside the scope of most DLP and SaaS security tools. Security teams should begin inventorying installed AI extensions across corporate endpoints and establish governance policies for their use.

Note 5: GPUBreach | Emerging Hardware-Level Research

Academic research published April 7 (GPUBreach, GDDRHammer, GeForge) demonstrates RowHammer-class attacks against GDDR6 GPU memory that can escalate privileges and, in some configurations, take full control of a host. No in-the-wild exploitation has been confirmed.

Organizations running GPU-intensive AI workloads on shared cloud infrastructure should monitor for exploitation tooling derived from this research over the next 60-90 days. This threat class has particular relevance to AI inference farms and high-performance computing environments.

Note 6: BKA Attribution of UNKN | Deterrence Signal

Germany’s formal public identification of Daniil Shchukin as the leader of REvil and GandCrab sends a deterrence signal to ransomware leadership globally. This is one of the highest-profile public attribution actions against a ransomware principal in 2026.

This attribution action may accelerate rebranding activity within current ransomware operations as leadership seeks to distance from exposed identities, potentially producing new group names or infrastructure changes over the next 30-60 days.

Note 7: Supply Chain Attack Maturation

The STX RAT distribution via compromised CPUID infrastructure and the Rockstar/Adobe third-party breaches collectively demonstrate that supply chain attacks have matured into a primary, repeatable attack category. Threat actors recognize that compromising trusted distribution channels provides access to large victim pools with minimal effort. MCS assesses that supply chain attacks will increase in frequency, targeting software update mechanisms, third-party libraries, and cloud service integrations.

Note 8: AI-Enabled Phishing at Scale The substantial increase in AI-generated phishing campaigns since late 2025 confirms the weaponization of large language models by threat actors. AI-generated content creates highly convincing, personalized attacks that evade traditional signature-based detection. Organizations should invest in behavior-based email security capable of detecting AI-generated content patterns, and update user awareness training to address these evolving techniques.

X. THREAT INDICATOR APPENDIX

The indicators below are derived from publicly disclosed intelligence sources referenced in this report. Security teams should import applicable indicators into SIEM, EDR, and firewall blocklists. All indicators should be validated in your environment before blocking. MCS does not independently confirm IOC accuracy; validate against your threat intelligence platform.

Malware File Hashes

SHA256 Hash	Malware Family	Description	Confidence
f81e14ac7309019208529599a848c2287789f0ccbcd2f7609e9f239f52376763	STX RAT	RAT / Infostealer; CPUID supply chain delivery	High
LucidRook DLL — Available via MISP / ISAC feed	LucidRook	Lua-based RAT stager; UAT-10362	High (THN/GSC)
msimg32.dll variants — See Cisco Talos ISAC feed	Qilin BYOVD	EDR-disabling DLL; BYOVD technique	High (Cisco Talos)

Malicious Domains and IPs

Type	Indicator	Associated Threat	Notes
Domain	update-trueconf[.]net	CVE-2026-3502 exploitation	Block at perimeter; associated with TrueConf update hijacking
Domain	cpuid[.]com (compromised April 9-10)	STX RAT distribution	Treat downloads from CPUID as suspect for the April 9-10 window; validate installer hash against IOC above
IP Address	185.220.xxx.xxx (Tor exit – Qilin C2)	Qilin ransomware C2	Medium confidence (PurpleOps); block Tor exit node ranges at perimeter if operationally feasible
URL Pattern	Device/code OAuth flow anomalies	OAuth Device Code Phishing Campaign	Alert on device authorization grant flows initiated from unexpected geographies or outside business hours; revoke suspicious tokens immediately

MITRE ATT&CK TTPs | This Reporting Period

TTP ID	Technique	Observed In
T1190	Exploit Public-Facing Application	Fortinet, Citrix, Chrome vulnerabilities; Storm-1175 BeyondTrust/SmarterMail exploitation
T1195	Supply Chain Compromise	STX RAT via CPUID; ShinyHunters via Anodot; TeamPCP via LiteLLM
T1133	External Remote Services	Iranian actor VPN/remote access exploitation; Qilin initial access
T1566.001	Spearphishing Attachment	SilentRansomGroup legal sector targeting; UAT-10362 LucidRook delivery
T1566.003	Spearphishing via Service	APT37 Facebook/Messenger RokRAT delivery
T1562.001	Impair Defenses: BYOVD	Qilin msimg32.dll EDR evasion; Warlock ransomware
T1530	Data from Cloud Storage Object	ShinyHunters Snowflake data warehouse exfiltration
T1078	Valid Accounts	OAuth token theft; STX RAT credential harvesting; Qilin post-exploitation
T1486	Data Encrypted for Impact	Medusa/Storm-1175, Qilin, ANUBIS ransomware operations
T0886	Remote Services (ICS)	Iranian PLC targeting per CISA advisory AA26-097A
T0865	Spearphishing Attachment (ICS)	Iranian OT environment targeting

Recommended IOC Sources for This Period

CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
AlienVault OTX: Search ‘Qilin’, ‘LucidRook’, ‘RokRAT’, ‘Storm-1175’, ‘STX RAT’
MISP Community Feeds: Cross-reference ShinyHunters and UAT-10362 IOC sets
Cisco Talos Intelligence: Qilin and Warlock BYOVD driver hashes
Microsoft Threat Intelligence Center (MSTIC): Storm-1175 campaign indicators
Genians Security Center (GSC): APT37 RokRAT Facebook campaign IOCs

XI. CONTACT INFORMATION

Meraal Cyber Security (MCS) — Threat Intelligence Team

Website: www.meraal.me
General Inquiries: Office@meraal.me
Threat Intelligence Lead: umerw@meraal.me
Phone: +92 42 357 27575 | +92 323 497 9477
Schedule a ThreatFence Demo: threatfence.net

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.

Leave a Reply Cancel reply

Categories