Cyber Threat Intelligence 13 April 2026
Healthcare Sector
- Health Insurance Lead Sites Sell Personal Data Within Seconds Of Form Submission
"Lead generation websites that offer health insurance quotes collect sensitive personal data and sell it to multiple buyers within seconds of a user clicking submit. A study by researchers at UC Davis, Stanford University, and Maastricht University mapped this process across 105 health insurance lead generation sites and monitored what happened to the data over 60 days. The researchers created 210 synthetic user profiles, each with a unique phone number and email address, and submitted forms across all 105 sites. They then tracked every inbound call, text, and email those profiles received."
https://www.helpnetsecurity.com/2026/04/10/health-insurance-lead-generation-privacy/
https://arxiv.org/pdf/2604.06759
- Multiple Heap Buffer Overflows In Orthanc DICOM Server
"Multiple vulnerabilities have been identified in Orthanc DICOM Server version 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code."
https://kb.cert.org/vuls/id/536588
https://www.securityweek.com/orthanc-dicom-vulnerabilities-lead-to-crashes-rce/
Industrial Sector
- Industrial Controllers Still Vulnerable As Conflicts Move To Cyber
"As the US government warns energy companies, water utilities, and industrial firms that state-sponsored adversaries are targeting Internet-connected operational technology, researchers have found a small number of older industrial control systems allow direct access without requiring authentication. A scan of the Internet for operational technology (OT) using the Modbus protocol found at least 179 devices that allow unauthenticated access, according to researchers at technology-evaluation firm Comparitech. While representing a relatively small number of devices, the dozens of public-facing systems are likely being targeted by cyberthreat actors, experts say."
https://www.darkreading.com/ics-ot-security/industrial-controllers-vulnerable-conflicts-cyber
- Industry Reactions To Iran Hacking ICS In Critical Infrastructure: Feedback Friday
"The US government warned this week that Iran-linked hackers have targeted critical infrastructure organizations, hacking industrial control systems (ICS) and other operational technology (OT). According to an advisory written by CISA, the FBI, and several other agencies, hackers have targeted programmable logic controllers (PLCs) made by Rockwell Automation, but devices from other vendors are also at risk. Both Rockwell and Siemens have published advisories to alert customers. The attacks caused operational disruption and financial loss through tampering with vulnerable human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems."
https://www.securityweek.com/industry-reactions-to-iran-hacking-ics-in-critical-infrastructure-feedback-friday/
New Tooling
- Little Snitch For Linux Shows What Your Apps Are Connecting To
"Network monitoring on Linux has long been a gap for users who want per-process visibility into outbound connections. Existing tools either operate at the command line or were designed for server security rather than desktop privacy. Objective Development, the Austrian company behind the macOS firewall utility Little Snitch, released a Linux version of the tool. It is free and, according to the company, will remain so."
https://www.helpnetsecurity.com/2026/04/10/little-snitch-for-linux-privacy/
https://github.com/obdev/littlesnitch-linux
Vulnerabilities
- Juniper Networks Patches Dozens Of Junos OS Vulnerabilities
"Juniper Networks this week released patches for nearly three dozen vulnerabilities, including Junos OS and Junos OS Evolved bugs that could lead to privilege escalation, denial-of-service (DoS), and command execution. The most severe of the flaws is CVE-2026-33784 (CVSS score of 9.8), a default password in the Support Insights (JSI) Virtual Lightweight Collector (vLWC) that could be exploited remotely to take over a vulnerable device. “vLWC software images ship with an initial password for a high-privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible,” Juniper Networks explains."
https://www.securityweek.com/juniper-networks-patches-dozens-of-junos-os-vulnerabilities/
- Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000
"Google announced this week the first stable version of Chrome 147, which includes patches for 60 vulnerabilities, including two that have been rated critical. The critical vulnerabilities both impact Chrome’s WebML component, which is designed for running machine learning models directly in the browser. The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859). The reporting researchers each earned $43,000 for their findings. The significant bug bounty rewards coupled with the severity rating suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution."
https://www.securityweek.com/chrome-147-patches-60-vulnerabilities-including-two-critical-flaws-worth-86000/
- Marimo OSS Python Notebook RCE: From Disclosure To Exploitation In Under 10 Hours
"On April 8, 2026, a critical vulnerability was disclosed in marimo, an open-source reactive Python notebook platform. Currently being tracked as GHSA-2679-6mx9-h9xc, it is a pre-authentication remote code execution (RCE) vulnerability in the terminal WebSocket endpoint that allows attackers to obtain a full interactive shell on any exposed marimo instance through a single WebSocket connection – no credentials required. At the time of this writing, a CVE number has yet to be assigned. Within 9 hours and 41 minutes of the vulnerability advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempt in the wild, and a complete credential theft operation was executed in under 3 minutes. No public proof-of-concept (PoC) code existed at the time."
https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/
https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/
https://securityaffairs.com/190623/hacking/cve-2026-39987-marimo-rce-exploited-in-hours-after-disclosure.html
- Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
"Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It has been described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that permits an attacker to manipulate an application's objects and properties."
https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html
https://www.securityweek.com/adobe-patches-reader-zero-day-exploited-for-months/
https://securityaffairs.com/190697/security/adobe-fixes-actively-exploited-acrobat-reader-flaw-cve-2026-34621.html
Malware
- LOLBins – Analyzing Attack Techniques With MSBuild
"In recent years, cyber threat actors have consistently attempted to exploit living off the land binaries (LOLBins) built into systems to bypass detection by security products. Such attack methods effectively evade traditional signature-based detection by not distributing a separate malicious file, but instead relying on tools trusted by the operating system. Among them, MSBuild.exe is a Microsoft-signed Windows native development tool that can build and execute C# code through XML-based project files. Threat actors exploit such characteristics to execute arbitrary code without explicitly leaving malware on disk, and covertly perform additional actions in the post-infiltration phase. In this article, we will introduce how the attack technique utilizing MSBuild works, look at actual attack cases, and suggest countermeasures."
https://asec.ahnlab.com/en/93290/
- CPUID Hacked To Deliver Malware Via CPU-Z, HWMonitor Downloads
"Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. The two utilities have millions of users who rely on them for tracking the physical health of internal computer hardware and for comprehensive specifications of a system. Users who downloaded either tool reported on Reddit recently that the official download portal points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer."
https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/
https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html
https://www.theregister.com/2026/04/10/cpuid_site_hijacked/
- Investigating Storm-2755: “Payroll Pirate” Attacks Targeting Canadian Employees
"Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pirate attacks targeting Canadian users. In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations. While similar payroll pirate attacks have been observed in other malicious campaigns, Storm-2755’s campaign is distinct in both its delivery and targeting. Rather than focusing on a specific industry or organization, the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry agnostic search terms to identify victims."
https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/
https://www.bleepingcomputer.com/news/microsoft/microsoft-canadian-employees-targeted-in-payroll-pirate-attacks/
https://www.helpnetsecurity.com/2026/04/10/poisoned-office-365-search-results-lead-to-stolen-paychecks/
- Scams, Slaves And (Malware-As-a) Service: Tracking a Trojan To Cambodia’s Scam Centers
"Incidents of malware-enabled fraud and remote access scams have been on the rise against the backdrop of proliferating industrial-scale scam operations in Southeast Asia, with many countries in the region issuing official warnings over the past three years. But connecting specific malware to the notorious compounds has been elusive … until now. In collaboration with the Vietnamese non-profit Chong Lua Dao, we uncovered an Android banking trojan that is likely operated from multiple locations including the K99 Triumph City compound in Cambodia. This conclusion relies on technical analysis, testimony from an escapee, and evidence taken from the facility by the human trafficking victim. The compound has been widely reported by the United Nations and other organizations as a scam center with connections to high-ranking political elites and the use of forced labor to run extensive malicious text, voice, and email campaigns."
https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
https://hackread.com/android-banking-trojan-cambodia-scam-compounds/
- Graphalgo Fake Recruiter Campaign Returns
"In February, the ReversingLabs research team described a malicious campaign featuring fake job interviews that the team called “graphalgo.” Two months later, RL researchers detected a larger set of fake companies that are part of the same graphalgo campaign — yet more sophisticated. These organizations link to several GitHub organizations related to blockchain companies that have been active on GitHub since June 2025. Their purpose is to provide trustworthiness to fake job offerings, and to host fake job interview tasks. RL researchers also identified several new techniques being used by threat actors. Here’s what we found."
https://www.reversinglabs.com/blog/graphalgo-campaign-respawned
https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/
- Fake Claude Site Installs Malware That Gives Attackers Access To Your Computer
"Claude’s rapid growth—nearly 290 million web visits per month—has made it an attractive target for attackers, and this campaign shows how easy it is to fall for a fake site. We discovered a fake website impersonating Anthropic’s Claude to serve a trojanized installer. The domain mimics Claude’s official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected. But in the background, it deploys a PlugX malware chain that gives attackers remote access to the system."
https://www.malwarebytes.com/blog/scams/2026/04/fake-claude-site-installs-malware-that-gives-attackers-access-to-your-computer
- GlassWorm Goes Native: New Zig Dropper Infects Every IDE On Your Machine
"We have been tracking GlassWorm for over a year. It first appeared in March 2025, when Aikido discovered malicious npm packages hiding payloads inside invisible Unicode characters. The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump."
https://www.aikido.dev/blog/glassworm-zig-dropper-infects-every-ide-on-your-machine
https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html
https://securityaffairs.com/190638/malware/glassworm-evolves-with-zig-dropper-to-infect-multiple-developer-tools.html
- OtterCookie Expands Targeting To AI Coding Tools: Analysis Of a Trojanized Npm Campaign
"On March 20, 2026, an npm account operating under the username gemini-check published a package titled gemini-ai-checker, presenting itself as a utility to verify Google Gemini AI tokens. Interestingly, the package README displayed wording copied from the legitimate package chai-await-async, a JavaScript assertion library with no obvious relationship to Gemini. Code analysis revealed the package contacts a Vercel-hosted staging endpoint, server-check-genimi.vercel[.]app to retrieve and execute a JavaScript payload. The account continues to host two malicious packages sharing the same infrastructure: express-flowlimit and chai-extensions-extras, which have been downloaded more than 500 times combined as of publication."
https://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/
- Uncovering Webloc: An Analysis Of Penlink’s Ad-Based Geolocation Surveillance Tech
"Targeted and mass surveillance based on everyday consumer data from mobile apps and digital advertising has been referred to as advertising intelligence (ADINT). We refer to it as “ad-based surveillance technologies.” These technologies have proliferated alongside the personal data surveillance economy. They are poorly regulated and often sold by firms that operate without transparency, raising serious security, privacy, and civil liberties concerns – especially when used by authoritarian governments that lack proper oversight. In this report, we investigate, summarize and document what we know about the ad-based geolocation surveillance system Webloc. Developed by Cobwebs Technologies, Webloc is now sold by Penlink, after the companies merged in 2023."
https://citizenlab.ca/research/analysis-of-penlinks-ad-based-geolocation-surveillance-tech/
https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html
Breaches/Hacks/Leaks
- RaaS Gang Anubis Claims Signature Healthcare Data Theft
"A ransomware gang claimed late Thursday that it stole 2 terabytes of "critical" and "sensitive" patient information in an attack earlier this week on Massachusetts-based Signature Healthcare. The Anubis ransomware operation said it did not encrypt computer systems. But as of Friday morning, Signature Healthcare was no longer listed as a victim on Anubis' leak site. A Signature Healthcare spokeswoman on Friday declined comment on Anubis' claims and whether it is negotiating to pay a ransom, leading Anubis to take the health system off its darkweb leak site. The spokeswoman said the healthcare organization's medical group and its 125-year-old community hospital expects to be back online "in two weeks.""
https://www.bankinfosecurity.com/raas-gang-anubis-claims-signature-healthcare-data-theft-a-31394
- ShinyHunters Claims Rockstar Games Snowflake Breach Via Anodot
"Rockstar Games is back in the news, not over Grand Theft Auto VI delays, but because the ShinyHunters hacking group claims it accessed the company’s Snowflake environment and may be holding a large volume of data at risk of being leaked. The message, published on the group’s dark web leak site on April 11 (UK time), sets a deadline of April 14 and follows a familiar pattern of pay or face public exposure. This case differs from a typical direct breach because the attackers pointed to Anodot, a SaaS platform used for cloud cost monitoring and analytics, as the entry point. In their post, they claimed, “Rockstar Games! Your Snowflake instances were compromised thanks to Anodot.com. Pay or leak.”"
https://hackread.com/shinyhunters-rockstar-games-snowflake-breach-anodot/
- ‘Snoopy’, ‘Adolf’ And ‘Password’: The Hungarian Government Passwords Exposed Online
"Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work. A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country."
https://www.bellingcat.com/news/2026/04/09/the-hungarian-government-passwords-exposed-online/
https://www.theregister.com/2026/04/11/hungary_government_logins_breach/
- A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report
"In February, we published our initial findings on the AI-assisted breach of Mexico's government infrastructure, warning of the elevated risk that AI-powered threat actors now pose. A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. Today, we release the full technical report. We delayed publishing the report at the request of all parties involved in order to allow more time for corresponding incident response efforts. Incident response efforts have now progressed such that we are ready to publish our detailed findings. The report was shared with all relevant parties well in advance of publishing, adjusting accordingly based on feedback received, including requests to de-risk elements of the report."
https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report
https://hackread.com/hacker-claude-code-gpt-4-1-mexican-records/
- Hackers Claim Control Over Venice San Marco Anti-Flood Pumps
"Hackers breached Venice’s San Marco flood system, claiming control of pumps and the ability to disable defenses and flood coastal areas. The technologies that govern the physical world are the quiet infrastructure of modern life. From energy grids to water systems, from factories to flood defenses, operational technology (OT) has long had one essential mission: to keep everything running. But today, that is no longer enough. The question the market is asking has fundamentally changed: can these systems withstand a cyberattack? If the answer is no, then what we are building is not infrastructure, it is vulnerability at scale. This shift is not theoretical. It is happening now, and recent events in Venice have made it painfully real."
https://securityaffairs.com/190679/hacktivism/hackers-claim-control-over-venice-san-marco-anti-flood-pumps.html
General News
- March 2026 Infostealer Trend Report
"This report analyzes Infostealer distribution trends and cases collected during the month of March 2026. It is based on data collected through ASEC’s automated collection and analysis system and ATIP’s real-time IOC service."
https://asec.ahnlab.com/en/93293/
- Q1 2026 Vulnerability Trends Report
"Q1 2026 saw a number of high-risk vulnerabilities reported with either public disclosures or confirmed exploits. An increase in remote code execution and authentication bypass family vulnerabilities was observed. Early publication of PoCs accelerated threat propagation. The potential for chain attacks through the perimeter and middle layers expanded."
https://asec.ahnlab.com/en/93285/
- Analysis Of One Billion CISA KEV Remediation Records Exposes Limits Of Human-Scale Security
"Analysis of CISA's Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this. Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed. The problem is not speed. It is the operational model itself. Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry's most dangerous window."
Priority: 3 - Important
Relevance: General, Trends and statistics
https://www.bleepingcomputer.com/news/security/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security/
https://www.qualys.com/forms/whitepapers/the-broken-physics-of-remediation
- When Geopolitical Conflict Spills Into Cyberspace — How US Organizations Should Respond
"Modern conflict no longer begins with troops crossing borders; it often starts with packets crossing networks. For example, the escalation on February 28, 2026, involving Iran, the United States, and Israel gives insights on how quickly geopolitical cyber threats can evolve into full-spectrum confrontations. What unfolded was not just a regional clash but a preview of how cyber warfare attacks now operate alongside missiles, drones, and information campaigns. In this environment, cybersecurity for US organizations can no longer be treated as a purely technical function. It has become a matter of strategic resilience. Nation-state cyberattacks are synchronized with real-world conflict, creating ripple effects that extend far beyond the immediate battlefield."
https://cyble.com/blog/cyber-warfare-attacks/
- Your Next Breach Will Look Like Business As Usual
"Your perimeter is hardened, your SOC is on high alert for zero-days, and your firewalls are pristine. But while you're watching the fences, the adversary is walking through the front door with a smile and a valid employee ID. In the modern threat landscape, attackers aren't always "breaking in" — they're simply logging in. Nearly one in three cyber intrusions now involve valid employee credentials, making this a leading attack vector. Armed with stolen credentials and supercharged by AI, threat actors are now operating as a trusted colleague, turning the very identity of your workforce into your greatest vulnerability."
https://www.darkreading.com/identity-access-management-security/your-next-breach-business-as-usual
- What Vibe Hunting Gets Right About AI Threat Hunting, And Where It Breaks Down
"In this Help Net Security interview, Aqsa Taylor, Chief Security Evangelist, Exaforce, explains vibe hunting, an AI-driven approach to threat detection that inverts traditional hypothesis-driven methods. Instead of analysts defining attack vectors upfront, the AI scans datasets for anomalous patterns and surfaces potential threats. Taylor draws a firm line on responsibility: analysts must be able to explain their reasoning. When they cannot, the AI is steering the hunt. She also addresses enrichment, junior analyst development, and the failure modes that emerge when teams follow AI output without questioning it."
https://www.helpnetsecurity.com/2026/04/10/aqsa-taylor-exaforce-vibe-hunting/
- MITRE Releases Fight Fraud Framework
"The non-profit MITRE Corporation on Thursday released a new framework to help organizations fight fraudsters. MITRE’s Fight Fraud Framework (MITRE F3) is a curated knowledge base that provides a behavior-based model of the tactics, techniques, and procedures (TTPs) fraudsters employ, informed by real-world attacks. “These incidents involve the intentional use of deceptive or illegal practices to fraudulently obtain money, assets, or information from individuals or institutions, and include actions carried out over cyber channels,” MITRE says."
https://www.securityweek.com/mitre-releases-fight-fraud-framework/
https://ctid.mitre.org/fraud#/
Reference
Electronic Transactions Development Agency (ETDA)