Industrial Sector
- Threat Landscape For Industrial Automation Systems. Q4 2025
"In Q4 2025, the percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching its lowest level since 2022 — 19.7%. Regionally, the percentage ranged from 8.5% in Northern Europe to 27.3% in Africa. Four regions saw increases. Southern Europe led the way in terms of growth for this indicator."
https://ics-cert.kaspersky.com/publications/reports/2026/04/02/threat-landscape-for-industrial-automation-systems-q4-2025/
Vulnerabilities
- SAP Patches Critical ABAP Vulnerability
"SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day. The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. “The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains."
https://www.securityweek.com/sap-patches-critical-abap-vulnerability/
- ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited On Unpatched Servers
"A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution."
https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html
https://securityaffairs.com/190790/hacking/attackers-target-unpatched-showdoc-servers-via-cve-2025-0520.html
- Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, 2 Zero-Days
"Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 7 of which are remote code execution flaws and the other is a denial of service flaw. The number of bugs in each vulnerability category is listed below:"
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
https://www.darkreading.com/vulnerabilities-threats/privilege-elevation-dominates-microsoft-patch-update
https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/
https://cyberscoop.com/microsoft-patch-tuesday-april-2026/
https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/
https://www.theregister.com/2026/04/14/microsofts_massive_patch_tuesday/
- Adobe Patches 55 Vulnerabilities Across 11 Products
"Adobe’s latest Patch Tuesday updates fix 55 vulnerabilities across 11 of the company’s products. Nearly all of the 11 new advisories have a priority rating of 3, which indicates that the software giant does not expect them to be exploited in attacks. However, an advisory describing five critical ColdFusion vulnerabilities has a priority rating of 1, indicating that companies should prioritize patching because the product has historically been targeted by threat actors. Several ColdFusion vulnerabilities have been exploited in attacks in recent years."
https://www.securityweek.com/adobe-patches-55-vulnerabilities-across-11-products/
- New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
"Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below -"
https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- 108 Chrome Extensions Linked To Data Exfiltration And Session Theft Via Shared C2 Infrastructure
"Socket's Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream. The extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and collectively account for approximately 20k Chrome Web Store installs. All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator. The extensions remain live at the time of writing. We have submitted takedown requests to the Chrome Web Store security team and Google Safe Browsing."
https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2
https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html
https://www.bleepingcomputer.com/news/security/over-100-chrome-extensions-in-web-store-target-users-accounts-and-data/
https://www.infosecurity-magazine.com/news/chrome-extensions-expose-user-data/
- Fake Ledger Live App On Apple’s App Store Stole $9.5M In Crypto
"A malicious Ledger Live app for macOS available from Apple’s App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month. Users who downloaded the fake Ledger app were tricked into entering their seed/recovery phrases, thus giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control. According to blockchain investigator ZachXBT, the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple."
https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-on-apples-app-store-stole-95m-in-crypto/
- Are Former Black Basta Affiliates Automating Executive Targeting?
"A new campaign is successfully evolving “Black Basta’s” signature social engineering playbook into a faster, more targeted, and increasingly automated intrusion method aimed at senior leadership. Black Basta was a prolific Russia-linked ransomware-as-a-service (RaaS) group active from early 2022 until its internal chat logs were leaked in February 2025. This campaign, likely conducted by former affiliates, uses an automated, two-pronged social engineering attack: mass email bombing to overwhelm a target’s inbox followed by Microsoft Teams-based help desk impersonation to gain remote access. In some cases, attackers moved from initial chat engagement to executing malicious scripts in as little as 12 minutes."
https://reliaquest.com/blog/threat-spotlight-are-former-black-basta-affiliates-automating-executive-targeting
https://cyberscoop.com/black-basta-affiliates-senior-executives-reliaquest/
- Slithering Through The Noise - Deep Dive Into The VIPERTUNNEL Python Backdoor
"During a recent DragonForce ransomware engagement, we identified several artefacts indicative of anomalous behaviour inconsistent with typical campaign activity. During a persistence review, we aggregated Autoruns output from all endpoints to identify anomalies. A scheduled task named 523135538 was identified, configured to execute C:\ProgramData\cp49s\pythonw.exe without command-line arguments. Executing pythonw.exe without a script path or -c argument is atypical in legitimate Windows environments. Although DLL sideloading was initially suspected, analysis of the containing directory indicated a different persistence mechanism. Within the directory, we found C:\ProgramData\cp49s\Lib\sitecustomize.py. In Python, this module auto-imports at startup. Placing malicious code here ensures it runs whenever pythonw.exe starts, without command-line input. Analysis of sitecustomize.py clarified why the absence of command-line arguments was sufficient."
https://labs.infoguard.ch/posts/slithering_through_the_noise/
https://hackread.com/ransomware-vipertunnel-malware-uk-us-businesses/
- Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn As Threat Actor Distances Activity From FUNNULL CDN
"Triad Nexus is responsible for over $200 million in reported losses, driven largely by sophisticated “pig-butchering” and virtual currency scams. Individual victim losses average $150,000, highlighting the high conversion nature of its operations. Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets. Triad Nexus continues to pose a direct risk to corporate brand integrity and customer trust. The group manages an industrialized catalog of impersonation assets targeting:"
https://www.silentpush.com/blog/triad-nexus-funnull-2026/
https://www.infosecurity-magazine.com/news/triad-nexus-expands-fraud/
https://www.securityweek.com/triad-nexus-evades-sanctions-to-fuel-cybercrime/
- Omnistealer Uses The Blockchain To Steal Everything It Can
"A new infostealer dubbed Omnistealer is turning the blockchain into a permanent malware hosting platform, which is bad news for both companies and everyday users. It’s pretty common for malware to store its payload on a public platform, ideally one that adds some trustworthiness to the download location, like Google docs, OneDrive, GitHub, npm, PyPI, and so on. The problem for malware peddlers is that these can be taken down. It can sometimes take a while and a lot of trouble, but it’s possible. Omnistealer gets around this by storing its staging code inside transactions on public blockchains like TRON, Aptos, and Binance Smart Chain."
https://www.malwarebytes.com/blog/news/2026/04/omnistealer-uses-the-blockchain-to-steal-everything-it-can
- Satori Threat Intelligence Alert: Pushpaganda Manipulates Google Discovery Feeds With AI-Generated Content To Spread Malicious Notifications
"HUMAN’s Satori Threat Intelligence and Research Team has identified a novel ad fraud, social engineering, and scareware threat dubbed Pushpaganda. This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages. Pushpaganda’s primary mechanism for luring unsuspecting users is through Google’s Discovery feeds, the collection of news stories that appear on many Google properties. The threat actors use advanced SEO techniques and AI-generated content to inject deceptive news stories into the personalized content streams of Android and Chrome users. Once a user is lured to an actor-controlled domain, they are manipulated into enabling push notifications that later deliver scareware, fake legal threats, and financial scams."
https://www.humansecurity.com/learn/resource/satori-threat-intelligence-alert-pushpaganda-manipulates-google-discovery-feeds-with-ai-generated-content-to-spread-malicious-notifications/
https://thehackernews.com/2026/04/ai-driven-pushpaganda-scam-exploits.html
- New JanaWare Ransomware Targets Turkey Via Adwind RAT
"The Acronis TRU team identified a threat cluster leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver a ransomware module, tracked as ‘JanaWare.’ Analysis of malware samples, infrastructure and telemetry indicates the campaign is likely focused on Turkish users. The malware enforces execution constraints based on system locale and external IP geolocation, which likely restricts activity to systems located in Turkey. Observed samples and telemetry suggest the activity has been ongoing since at least 2020. A sample compiled in November 2025 indicates that associated command-and-control infrastructure remains active. Obfuscation, polymorphism and geographic restrictions have likely contributed to limited visibility."
https://www.acronis.com/en/tru/posts/new-janaware-ransomware-targets-turkey-via-adwind-rat/
https://therecord.media/new-janaware-ransomware-targeting-turkey
- No Honor Among Thieves As 0APT Threatens Rival Ransomware Gang Krybit
"Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit. Dark web watchers spotted the move on Sunday, though 0APT's motive for extorting a fellow criminal outfit remains unclear. The notion seems even more bizarre given that 0APT hypocritically described Krybit in its leak blog post as a ransomware group, and that "such groups pose significant risks to cybersecurity and data privacy worldwide." "If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and other," 0APT said. "And if you are one of their victims, contact us to get your data unlocked.""
https://www.theregister.com/2026/04/14/0apt_krybit_spat/
References
Electronic Transactions Development Agency (ETDA)

Reference sources

ThaiCERT urges all NVIDIA graphics card users to check their driver version and update as soon as possible to keep their data secure.