Ransomware Hits Automotive Data Expert Autovista

Autovista, a company specializing in automotive data and analysis, has been subjected to a ransomware attack. The company is currently collaborating with external cybersecurity professionals to investigate the incident.

6-Year Ransomware Campaign Targets Turkish Homes & SMBs

A six-year ransomware campaign has been discovered targeting Turkish homes and small to medium-sized businesses. This campaign has likely gone unnoticed for so long due to the under-reporting of smaller incidents compared to major enterprise breaches. Attackers leverage various tactics including phishing emails and exploit kits.

New AgingFly malware used in attacks on Ukraine govt, hospitals

A new malware family called 'AgingFly' has been detected targeting Ukrainian government entities and hospitals. This malware is designed to steal authentication data from Chromium-based browsers and WhatsApp, likely to facilitate further compromise or espionage.

WordPress plugin suite hacked to push malware to thousands of sites

A suite of over 30 WordPress plugins, known as EssentialPlugin, has been compromised with malicious code. This allows attackers to gain unauthorized access to websites that use these plugins, potentially leading to further compromise or data theft.

Signed software abused to deploy antivirus-killing scripts

A digitally signed adware tool has been observed disabling antivirus protections on numerous endpoints across various critical sectors, including education, utilities, government, and healthcare. The malicious scripts ran with SYSTEM privileges, indicating a high level of access and control achieved by the attacker.

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Threat actors are exploiting n8n, an AI workflow automation platform, to conduct phishing campaigns and deliver malware. By using n8n, attackers can bypass traditional security filters and leverage trusted infrastructure to deliver malicious payloads or fingerprint devices via automated emails.

Automotive data biz Autovista blames ransomware for service disruption

Automotive data provider Autovista has confirmed a ransomware attack is disrupting its services across Europe and Australia. The company has engaged external help to recover from the incident, and some of its customer organizations are advising their staff to block inbound emails from Autovista.

French cops free mother and son after 20-hour crypto kidnap ordeal

A mother and her ten-year-old son were held captive for approximately 20 hours during a cryptocurrency extortion scheme targeting the father. The father was forced to pay hundreds of thousands of euros to secure their release. This incident is part of a concerning trend in France involving such sophisticated criminal operations.

100 Chrome Extensions Steal User Data, Create Backdoor

Over 100 Chrome extensions have been discovered to be stealing user data and creating backdoors into compromised systems. These malicious extensions appear to be part of a coordinated campaign, utilizing shared command-and-control infrastructure across multiple publishing accounts.

Mirax RAT Targeting Android Users in Europe

The Mirax RAT is being offered as a service (MaaS) to a select group of affiliates, primarily Russian speakers. This malware can compromise Android devices, turning them into residential proxy nodes and posing a threat to users in Europe.

7 biggest healthcare security threats

The healthcare industry is experiencing a significant surge in cyberattacks, including phishing, ransomware, and web application attacks, exacerbated by the increased reliance on remote service delivery. Cybercriminals are targeting healthcare organizations for their sensitive patient and corporate data, with many providers struggling to cope due to under-resourcing and vulnerable systems.

April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs

Microsoft's April Patch Tuesday addresses 167 security issues, with a particular focus on critical vulnerabilities in Windows Internet Key Exchange and Microsoft SharePoint, as well as an SAP SQL injection flaw. One of the most pressing is an actively exploited zero-day vulnerability in SharePoint Server (CVE-2026-32201), which allows attackers to spoof the platform and access sensitive information.

Over 100 Chrome extensions in Web Store target users' accounts and data

Over 100 malicious Google Chrome extensions have been discovered in the official Chrome Web Store. These extensions are designed to steal user accounts and data, specifically targeting Google OAuth2 Bearer tokens, and also engage in ad fraud and deploy backdoors.

EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses

EDR killers, which exploit bring-your-own-vulnerable-driver (BYOVD) techniques, pose a significant challenge to endpoint detection and response systems. While difficult to counter, these attacks are not insurmountable, and enhanced defenses are required to mitigate their impact.

Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto

A fake Ledger Live application was discovered on Apple's App Store, which masqueraded as the legitimate cryptocurrency wallet software. This malicious app successfully defrauded 50 victims out of approximately $9.5 million in cryptocurrency within a short period.

JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025

A malware strain named JanelaRAT, a derivative of BX RAT, has been actively targeting banks in Latin America, with a significant number of attacks recorded in Brazil in 2025. This malware is designed to steal financial and cryptocurrency data, capture user inputs like mouse movements and keystrokes, take screenshots, and collect system metadata.

The silent “Storm”: New infostealer hijacks sessions, decrypts server-side

A new infostealer dubbed 'Storm' has been identified that bypasses local decryption of stolen browser data. Instead, it sends this data directly to attacker-controlled servers for decryption, enabling advanced techniques like session hijacking. This method allows attackers to effectively bypass user passwords and multi-factor authentication (MFA).

Scans for EncystPHP Webshell, (Mon, Apr 13th)

Attackers are increasingly scanning for and deploying webshells with more sophisticated defenses, such as EncystPHP. This specific webshell is noted to be popular among threat actors compromising vulnerable FreePBX systems. Defenders should be aware of these evolving tactics.

CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads

A Russian-speaking threat actor compromised CPUID, the provider of CPU-Z and HWMonitor utilities, to distribute malware. Download links were replaced to serve trojanized versions of these legitimate software tools, embedding a new malware called STX RAT.

Fake Claude Website Distributes PlugX RAT

A fake website impersonating Anthropic's Claude AI chatbot has been identified distributing the PlugX Remote Access Trojan (RAT). The malware employs DLL sideloading techniques for execution and includes functionalities to clean up its tracks after deployment.

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

In March 2026, there was a significant surge in high-impact vulnerabilities, with Recorded Future's Insikt Group identifying 31 critical flaws, a substantial increase from the previous month. Notably, the Interlock ransomware group is actively exploiting a zero-day vulnerability in Cisco's Firepower Management Center (FMC).

CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads

Threat actors compromised the CPUID website, which distributes popular hardware monitoring tools, and served trojanized versions of CPU-Z and HWMonitor. For less than 24 hours, users downloading these tools were at risk of installing the STX Remote Access Trojan (RAT). The breach lasted from April 9th to April 10th, 2024.

Hacker Unknown now known, named on Europol’s most-wanted list

German police have identified Daniil Shchukin, also known as UNKN, Unknown, GandCrab, and Revi, as the alleged leader of a major global ransomware group. Shchukin and an accomplice, Anatoly Kravchuk, have been placed on Europol's most-wanted list for their alleged involvement in widespread extortion, causing significant economic damage.

Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor

Attackers compromised the CPUID project's API, altering download links on their official website. This allowed them to distribute malware disguised as legitimate installers for CPU-Z and HWMonitor. The compromised downloads were then distributed to users seeking legitimate system monitoring software.

CPUID site hijacked to serve malware instead of HWMonitor downloads

The CPUID website was compromised, with attackers hijacking backend systems to serve malware instead of legitimate software downloads. This six-hour breach redirected users seeking tools like HWMonitor to malicious files, including credential stealers.

Obfuscated JavaScript or Nothing, (Thu, Apr 9th)

A phishing email contained a RAR archive with a JavaScript file named 'cbmjlzan.JS'. This file has a SHA256 hash of a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285 and is detected as malicious by only 15 of the antivirus engines on VirusTotal.

Hackers have been exploiting an unpatched Adobe Reader vulnerability for months

A security researcher discovered that a vulnerability in Adobe Reader has been actively exploited by malware for at least four months. This exploit collects system information to aid attackers in future data theft and malicious activities, and it remains effective even on the latest Adobe Reader versions.

Healthcare IT solutions provider ChipSoft hit by ransomware attack

Dutch healthcare software vendor ChipSoft has been targeted by a ransomware attack, leading to the shutdown of its website and digital patient services. The attack has disrupted access for healthcare providers and patients relying on ChipSoft's solutions. The extent of the data breach and the specific ransomware group responsible are still under investigation.

Crypto? Huh. Good gawd y'all, what is it good for? $45M in this case

Law enforcement agencies from the US, UK, and Canada have disrupted a global cryptocurrency scam worth $45 million. They have frozen $12 million in stolen funds and identified over 20,000 cryptocurrency wallet addresses linked to victims in 30 countries.

Months-old Adobe Reader zero-day uses PDFs to size up targets

Malicious PDFs are being used to exploit a suspected zero-day vulnerability in Adobe Acrobat Reader. These PDFs profile targets by harvesting system data, determining which victims are most valuable for further compromise and deployment of second-stage payloads.

ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

This article highlights a variety of cybersecurity threats, including a hybrid P2P botnet and a 13-year-old Remote Code Execution (RCE) vulnerability in Apache. It points out how older vulnerabilities are being exploited and how attackers are leveraging trusted platforms and tools. The bulletin emphasizes a trend of quiet escalations rather than high-profile zero-days.

New ClickFix variant bypasses Apple safeguards with one‑click script execution

A new variant of ClickFix malware for macOS bypasses security measures by using a single click to execute malicious scripts via the applescript:// URL scheme, launching the native Script Editor. This method circumvents recent Apple protections that scan commands pasted into Terminal, streamlining the infection chain and delivering the Atomic Stealer payload.

Hackers use pixel-large SVG trick to hide credit card stealer

Hackers are exploiting a vulnerability in nearly 100 online stores using the Magento e-commerce platform to steal credit card information. They are hiding malicious code within a tiny, pixel-sized SVG image, making it difficult for security measures to detect. This allows them to steal sensitive financial data from unsuspecting customers.

Criminal wannabes even more dangerous than the pros, says ex-FBI cyber chief

An ex-FBI cyber chief, Cynthia Kaiser, now at Halcyon Ransomware Research Center, states that amateur criminals pose a greater threat than professional ones. This is because their lack of skill can lead to data being permanently lost, since they may be unable to decrypt it even after a ransom is paid.

New macOS stealer campaign uses Script Editor in ClickFix attack

A new campaign is targeting macOS users with the Atomic Stealer malware by employing a refined version of the ClickFix attack. This attack tricks users into executing commands within the Terminal application, leveraging macOS's Script Editor to achieve its malicious goals.

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Russian state-sponsored hacking group APT28 has launched a new spear-phishing campaign targeting Ukraine and NATO allies. This campaign is distributing a newly discovered malware suite called PRISMEX, which utilizes advanced techniques like steganography, COM hijacking, and cloud service abuse for its command and control infrastructure.

Evasive Masjesu DDoS Botnet Targets IoT Devices

A new DDoS botnet named Masjesu has been identified, specifically targeting Internet of Things (IoT) devices. This botnet is designed for evasion, focusing on persistence rather than rapid, widespread infection. It actively avoids blacklisted IP addresses and critical infrastructure to maintain its operational stealth.