NCSA Webboard

    Cyber Threat Intelligence 14 April 2026

    Cyber Security News
    NCSA_THAICERT

      Industrial Sector

      • Contemporary Controls BASC 20T
        "Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
      • GPL Odorizers GPL750
        "Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-02
      • Why Manufacturing Cyber Security Is Becoming More Complex As Cyber Attacks Accelerate
        "The global manufacturing sector entered 2025 facing one of the most aggressive cyber threat environments in its history. Digital transformation, smart factories, and interconnected supply chains have expanded operational efficiency to places 50 years ago we wouldn’t have thought possible. But, this comes with unprecedented cyber risk. According to the Manufacturing Threat Landscape 2025 report, cyber incidents targeting manufacturing increased sharply year over year, placing the industry at the center of global ransomware activity."
        https://blog.checkpoint.com/security/why-manufacturing-cyber-security-is-becoming-more-complex-as-cyber-attacks-accelerate/
      • Empty Attestations: OT Lacks The Tools For Cryptographic Readiness
        "In 2003, 55 million people lost power across the US and Canada because of a software bug and a failure to communicate. Nobody attacked anything. And more than two decades later, the same infrastructure faces sophisticated adversaries who are planning very carefully. Operational technology (OT) operates on a different set of priorities than the rest of us. In IT, confidentiality and integrity come first. In OT — the systems that open and close breakers, adjust voltage, and monitor load and faults — only one thing matters: availability."
        https://www.darkreading.com/ics-ot-security/ot-lacks-tools-cryptographic-readiness

      New Tooling

      • ZeroID: Open-Source Identity Platform For Autonomous AI Agents
        "ZeroID is an open-source identity platform that implements an identity and credentialing layer specifically for autonomous agents and multi-agent systems. The core issue ZeroID targets is attribution in agentic workflows. When an orchestrator agent spawns sub-agents to carry out parts of a task, each sub-agent may call APIs, write files, or execute shell commands. Existing approaches offer limited traceability: shared service accounts carry no delegation trail, and standard OAuth 2.0 and OIDC flows were not designed for scenarios where agents operate asynchronously, spawn subordinates, or cross organizational boundaries without a human in the loop at each step."
        https://www.helpnetsecurity.com/2026/04/13/zeroid-open-source-identity-platform-autonomous-ai-agents/
        https://github.com/highflame-ai/zeroid

      Vulnerabilities

      • Critical Flaw In WolfSSL Library Enables Forged Certificate Use
        "A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections. wolfSSL is a lightweight TLS/SSL implementation written in C, designed for embedded systems, IoT devices, industrial control systems, routers, appliances, sensors, automotive systems, and even aerospace or military equipment."
        https://www.bleepingcomputer.com/news/security/critical-flaw-in-wolfssl-library-enables-forged-certificate-use/
      • CISA Adds Seven Known Exploited Vulnerabilities To Catalog
        "CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
        CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
        CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
        CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
        CVE-2025-60710 Microsoft Windows Link Following Vulnerability
        CVE-2026-21643 Fortinet SQL Injection Vulnerability
        CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog
        https://www.theregister.com/2026/04/13/ransomware_gang_other_crims_attacking/
      • OpenAI Rotates MacOS Certs After Axios Attack Hit Code-Signing Workflow
        "OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. The company said that on March 31, 2026, the legitimate workflow downloaded and executed a compromised Axios package (version 1.14.1) that was used in attacks to deploy malware on devices. That workflow had access to code-signing certificates used to sign OpenAI's macOS apps, including ChatGPT Desktop, Codex, Codex CLI, and Atlas."
        https://www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/
        https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
        https://cyberscoop.com/openai-axios-supply-chain-attack/
        https://hackread.com/openai-macos-certificates-axios-supply-chain-breach/
        https://www.securityweek.com/openai-impacted-by-north-korea-linked-axios-supply-chain-hack/

      Malware

      • The Silent “Storm”: New Infostealer Hijacks Sessions, Decrypts Server-Side
        "A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption. To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running."
        https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/
      • Interactive Brokers Phishing Scam: Fake IRS W-8BEN Renewal Alert
        "Online trading platforms are popular among investors. Both beginners and professionals use them to study the financial markets, manage investments, and make profits online. Interactive Brokers is one such trusted platform, known for its low pricing and global market access. With presence in over 200 countries, the brand has now become a viable target for threat actors. The Cofense Phishing Defence Center (PDC) recently uncovered phishing campaigns impersonating Interactive Brokers, potentially putting accounts and financial investments at serious risk. The campaign starts with an email shown in Figure 1. The subject appears to be an IRS Compliance Requirement from Interactive Brokers, requesting a renewal of Form W-8BEN. This form is a mandatory requirement for non-US individual account holders of Interactive Brokers (IBKR) to certify foreign status."
        https://cofense.com/blog/interactive-brokers-phishing-scam-fake-irs-w-8ben-renewal-alert
      • APT41 Winnti ELF Cloud Credential Harvester: Alibaba Typosquat Infrastructure & 6-Year Lineage
        "A zero-detection ELF backdoor attributed to APT41 (Winnti) has been identified targeting Linux cloud workloads across AWS, GCP, Azure, and Alibaba Cloud environments. The implant uses SMTP port 25 as a covert command-and-control channel, harvests cloud provider credentials and metadata, and phones home to three Alibaba-themed typosquat domains hosted on Alibaba Cloud infrastructure in Singapore. A selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys."
        https://intel.breakglass.tech/post/apt41-winnti-elf-cloud-credential-harvester-alibaba-typosquat
        https://www.darkreading.com/cloud-security/apt41-zero-detection-backdoor-harvest-cloud-credentials
      • OpenSSF Flags Malware Campaign On Slack Posing As Linux Foundation Figures
        "Open Source Security Foundation (OpenSSF), a group of open source software security specialists, is warning about a new phishing scam where hackers are targeting software developers using the Slack chat app. These scammers pretend to be well-known leaders from the Linux Foundation, with the aim of getting developers to download malware that could give them total control over a computer. Their modus operandi is based on mimicking a legitimate Google Workspace flow, which redirects unsuspecting developers to a malicious page."
        https://hackread.com/openssf-malware-slack-linux-foundation-figures/
        https://lists.openssf-vuln.org/g/siren/message/7
        https://www.theregister.com/2026/04/13/linux_foundation_social_engineering/
      • Mailbox Rules In O365—a Post-Exploitation Tactic In Cloud ATO
        "When was the last time you checked your mailbox rules? In Microsoft 365 environments, attackers typically gain initial access through credential phishing, password spraying, brute-force, or OAuth consent abuse. Once inside, adversaries focus on persistence and stealth rather than immediate disruption. Instead of deploying malware or C2 infrastructure, they abuse native platform features to operate undetected under the compromised identity. One especially effective technique for maintaining persistence is creating malicious mailbox rules. While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim."
        https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato
        https://www.infosecurity-magazine.com/news/mailbox-rule-abuse-stealthy-post/
      • Mirax: a New Android RAT Turning Infected Devices Into Potential Residential Proxy Nodes
        "New MaaS spreading: Mirax has emerged as a sophisticated Malware-as-a-Service (MaaS) offering, specifically targeting Android devices across Europe. It is actively marketed and distributed through underground malware forums. At the time of writing, Cleafy Threat Intelligence Team has seen multiple campaigns targeting Spanish-speaking countries and reaching over 200.000 accounts through Meta advertisements. Remote Access functionalities & Dynamic HTML Overlays: Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time. This includes executing commands, navigating the user interface, and monitoring activity. A key feature is its use of dynamically fetched HTML overlays from its command-and-control (C2) infrastructure, which are rendered over legitimate applications."
        https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
        https://www.infosecurity-magazine.com/news/mirax-trojan-devices-proxy-nodes/
      • JanelaRAT: a Financial Threat Targeting Users In Latin America
        "JanelaRAT is a malware family that takes its name from the Portuguese word “janela” which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region. JanelaRAT is a modified variant of BX RAT that has targeted users since June 2023. One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions. The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features."
        https://securelist.com/janelarat-financial-threat-in-latin-america/119332/
        https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html
      • North Korea's APT37 Uses Facebook Social Engineering To Deliver RokRAT Malware
        "The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan called RokRAT. "The threat actor used two Facebook accounts with their location set to Pyongyang and Pyongsong, North Korea, to identify and screen targets," the Genians Security Center (GSC) said in a technical breakdown of the campaign. "After building trust through friend requests, the actor moved the conversation to Messenger and used specific topics to lure targets as part of the initial social engineering stage of the attack.""
        https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html

      Breaches/Hacks/Leaks

      • European Gym Giant Basic-Fit Data Breach Affects 1 Million Members
        "Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers. The company operates the largest gym chain in Europe, owning more than 1,700 clubs and over 430 franchises in 12 countries, including the Netherlands, Belgium, France, Spain, and Germany. In a disclosure published on its website earlier today, Basic-Fit states that club members impacted by the cyberattack have been informed directly."
        https://www.bleepingcomputer.com/news/security/european-gym-giant-basic-fit-data-breach-affects-1-million-members/
        https://therecord.media/dutch-gym-chain-basic-fit-hit-by-hackers
        https://www.theregister.com/2026/04/13/basicfit_breach/
      • New Booking.com Data Breach Forces Reservation PIN Resets
        "Booking.com has confirmed in a statement to BleepingComputer that hackers accessed some users' data from booking information associated with their reservations. The company took immediate action, forced PIN resets for existing and past reservations, and informed impacted users directly via email. Booking.com is one of the largest online travel platforms in the world, allowing users to book accommodation, flights, car rentals, airport taxis, and travel experiences. The service acts as a middleman between travelers and hospitality providers."
        https://www.bleepingcomputer.com/news/security/new-bookingcom-data-breach-forces-reservation-pin-resets/
        https://www.securityweek.com/booking-com-says-hackers-accessed-user-information/
        https://securityaffairs.com/190757/data-breach/hackers-access-booking-com-user-data-company-secures-systems.html
        https://www.theregister.com/2026/04/13/bookingcom_breach/
      • Iran-Linked Group Handala Claims To Have Breached Three Major UAE Organizations
        "The group Handala claimed a major cyberattack against the UAE, targeting Dubai Courts Department, Dubai Land Department, and Dubai Roads and Transport Authority. They alleged destroying 6 petabytes of data and stealing 149 TB of sensitive information, framing the attack as retaliation and a warning to regional governments, though such claims remain unverified. “In response to the blatant betrayal of the Resistance Axis by the Epsteinist leaders of the UAE, and as a serious, preemptive warning to all treacherous governments in the region, Handala has launched one of its most powerful cyberattacks against the country’s critical infrastructure.” the group wrote on its Tor website. “During this operation, 6 petabytes of data have been completely destroyed…”"
        https://securityaffairs.com/190716/hacking/iran-linked-group-handala-claims-to-have-breached-three-major-uae-organizations.html

      General News

      • Q1 2026 Malware Statistics Report For Windows Web Servers
        "AhnLab SEcurity intelligence Center (ASEC) analyzed the attack status and malware statistics of Windows web servers in the first quarter of 2026 based on AhnLab Smart Defense (ASD) logs. The analysis covers Internet Information Services (IIS) and Apache Tomcat web servers in Windows environments. Command execution through the web shell is the main path of compromise, and subsequent malicious behaviors such as privilege escalation, proxy tools, backdoors, and CoinMiners are frequently identified."
        https://asec.ahnlab.com/en/93335/
      • Q1 2026 Malware Statistics Report For Linux SSH Servers
        "ASEC analyzed the statistics of attacks against Linux SSH servers in Q1 2026 based on honeypot logs. The P2PInfect worm dominated, accounting for 70.3% of all attack sources, and DDoS bots such as Mirai, XMRig, Prometei, and CoinMiner were identified as the main threats."
        https://asec.ahnlab.com/en/93336/
      • Q1 2026 Malware Statistics Report For Windows Database Servers
        "Analysis of ASEC’s ASD logs for Q1 2026 showed a consistent trend of attacks against MS-SQL and MySQL. The number of attacks tended to decrease temporarily in February before increasing again in March."
        https://asec.ahnlab.com/en/93333/
      • March 2026 Dark Web Issue Trends Report
        "This report is a summary of deep web and dark web source-based material and contains some facts that cannot be fully verified due to the nature of the sources."
        https://asec.ahnlab.com/en/93323/
      • March 2026 Dark Web Threat Actor Trends Report
        "This report is a compilation of trends centered on hacktivists operating on the deep web and dark web. Some alleged attacks are labeled as observations due to limited independent technical verification."
        https://asec.ahnlab.com/en/93324/
      • March 2026 Dark Web Breach Trends Report
        "This report is based on reports of data breaches and the sale of initial access rights posted on deep web-dark web forums. Some parts of the report contain information that cannot be fully verified as factual due to the nature of the source."
        https://asec.ahnlab.com/en/93325/
      • CSA: CISOs Should Prepare For Post-Mythos Exploit Storm
        "As Anthropic's Claude Mythos model threatens to upend the vulnerability management ecosystem, security luminaries warn that chief information security officers (CISOs) should start getting ready now. Earlier this month, Anthropic unveiled Claude Mythos Preview, a new version of its large language model (LLM) that, while general purpose, was flagged by the AI firm for its skill at handling security tasks. Mythos can discover and exploit complex, high-severity vulnerabilities across major operating systems and Web browsers, according to Anthropic. Recent experimentation led to the discovery of thousands of bugs, Anthropic said, including an exploit of a patched 27-year-old flaw in OpenBSD."
        https://www.darkreading.com/cloud-security/csa-cisos-prepare-post-mythos-exploit-storm
      • Alleged German DDoS-For-Hire Kingpin Behind Fluxstress Caught In Thailand
        "Noah Christopher, a German national, was at his luxury flat in Thong Lor Soi 25 when he was arrested by Thai police last Friday. Christopher, 27, was arrested from the Watthana district of Bangkok following a years-long investigation by the German and EU law enforcement authorities. In the world of cybercrime, Christopher was a known figure. Between 2021 and 2025, he allegedly ran a Cybercrime-as-a-Service (CaaS) business to earn money. He, reportedly, created and operated two notorious CaaS platforms called Fluxstress and Neldowner that provided tools for hire. These platforms allowed customers anywhere in the world to launch Distributed Denial of Service (DDoS) attacks in which hackers bombard a website with so much fake traffic that it collapses and stops working for real users."
        https://hackread.com/german-ddos-for-hire-kingpin-fluxstress-thailand/
      • Seized VerifTools Servers Expose 915,655 Fake IDs, 8 Arrested
        "On April 7 and 8, Dutch police arrested eight suspects in a nationwide operation targeting users of the VerifTools platform as part of an identity fraud investigation. The suspects, all men aged 20 to 34, are accused of identity fraud, forgery, and cybercrime-related offenses. During searches, officers seized smartphones, laptops, cash, cryptocurrency, and weapons or items resembling them."
        https://www.helpnetsecurity.com/2026/04/13/dutch-police-veriftools-identity-fraud-arrests/

      Reference
      Electronic Transactions Development Agency (ETDA)
