Cyber Threat Intelligence 27 April 2026

NCSA_THAICERT

Industrial Sector

Threat Landscape For Industrial Automation Systems. Middle East, Q4 2025
"In the Middle East, the percentage of ICS computers on which threats from email clients were blocked was 1.8 times higher than the global average. High levels of email threats (phishing), spyware, and ransomware clearly indicate that technological systems in the region are highly exposed to advanced attackers. Likewise, the large percentage of malicious scripts and phishing pages further demonstrates the high risk of targeted attacks against the technological infrastructures of industrial enterprises in the region. Many of these scripts and pages are aimed at stealing authentication data for corporate services."
https://ics-cert.kaspersky.com/publications/reports/2026/04/24/threat-landscape-for-industrial-automation-systems-middle-east-q4-2025/

Vulnerabilities

Vulnerabilities Patched In CrowdStrike, Tenable Products
"CrowdStrike and Tenable informed customers this week about potentially serious vulnerabilities found and patched in their products. CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw can allow a remote attacker to read arbitrary files from the server filesystem. The cybersecurity giant pointed out that Next-Gen SIEM customers are not affected and the vulnerability has been mitigated for LogScale SaaS customers. LogScale Self-hosted customers have been advised to update to a patched version."
https://www.securityweek.com/vulnerabilities-patched-in-crowdstrike-tenable-products/
https://www.crowdstrike.com/en-us/security-advisories/cve-2026-40050/
https://securityaffairs.com/191343/hacking/critical-bug-in-crowdstrike-logscale-let-attackers-access-files.html
New ‘Pack2TheRoot’ Flaw Gives Hackers Root Linux Access
"A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions. The flaw is identified as CVE-2026-41651 and received a high-severity rating of 8.8 out of 10. It has persisted for almost 12 years in the PackageKit daemon, a background service that manages software installation, updates, and removal across Linux systems. Earlier this week, some information about the vulnerability has been published, along with PackageKit version 1.3.5 that addresses the issue. However, technical details and a demo exploit have been not been disclosed to allow the patches to propagate."
https://www.bleepingcomputer.com/news/security/new-pack2theroot-flaw-gives-hackers-root-linux-access/
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
https://securityaffairs.com/191231/security/12-year-old-pack2theroot-bug-lets-linux-users-gain-root-privileges.html
CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html
https://securityaffairs.com/191281/security/u-s-cisa-adds-simplehelp-samsung-and-d-link-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Over 10,000 Zimbra Servers Vulnerable To Ongoing XSS Attacks
"Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses. The vulnerability (tracked as CVE-2025-48700) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user's session."
https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/
Agent ID Administrator Scope Overreach: Service Principal Takeover In Entra ID
"The Microsoft Agent Identity Platform (Preview) gives AI agents their own identities in Entra ID (blueprints, agent identities, agent users) so you can govern and secure them like any other principal. To manage that new control plane, Microsoft introduced the Agent ID Administrator role. On paper, it’s scoped to agent-related objects only. We discovered that accounts with only the Agent ID Administrator role could take over arbitrary service principals – including ones that have nothing to do with agent identities – by becoming owner, then adding credentials and authenticating as that principal. That’s full service principal takeover. In tenants where high-privileged service principals exist, it becomes a privilege escalation path."
https://www.silverfort.com/blog/agent-id-administrator-scope-overreach-service-principal-takeover-in-entra-id/
https://hackread.com/microsoft-entra-agent-id-flaw-tenant-takeover/

Malware

Extortion In The Enterprise: Defending Against BlackFile Attacks
"Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. This blog is designed to provide RH-ISAC members with unique insights from Unit 42 investigations, along with defensive recommendations to counter this emerging threat activity."
https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/
https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/
Flurry Of Supply-Chain Software Library Attacks
"No complex computer program is an island. The rely on third-party libraries, a fact not lost on hackers who lately have realized how effective it is to compromise the repository rather than individual targets. Numerous apps additionally rely on open-source projects, oftentimes distributed by npm, a package manager for the JavaScript programming language that's owned by Microsoft's GitHub. There's also Python Package Index - aka PyPI - a Python programming language software repository."
https://www.bankinfosecurity.com/flurry-supply-chain-software-library-attacks-a-31503
https://blog.gitguardian.com/renovate-dependabot-the-new-malware-delivery-system/
Operation TrustTrap: Anatomy Of a Large-Scale Deceptive Domain Spoofing Campaign
"Cyble Research and Intelligence Labs (CRIL) identified a campaign of over 16,800 malicious domains active since early 2026. It uses a potent technique — embedding government labels as subdomains to fake trust without DNS authority. We have dubbed this ‘Operation TrustTrap’. Spoofed portals resolve to infrastructure concentrated across Tencent Cloud and Alibaba Cloud APAC nodes, impersonating citizen-facing government services across several US states, with targeting extending into India, Vietnam, and UK-adjacent geographies. A distinct infrastructure cluster within the dataset we investigated carries TTPs consistent with APT36."
https://cyble.com/blog/operation-trusttrap-domain-spoofing-campaign/
Beyond PowerShell: Analyzing The Multi-Action ClickFix Variant
"This research documents a newly observed ClickFix variant observed by the CyberProof Threat Research Team, that continues to evolve beyond traditional payload delivery techniques by abusing native Windows utilities—specifically cmdkey and regsvr32. In this campaign, victims are socially engineered into executing a single malicious command via the Windows Run dialog (Win + R). That command chains multiple actions to stage credentials, retrieve a remote DLL, and execute it silently. By relying exclusively on trusted Windows components and avoiding obvious malware drops, the attacker achieves a high degree of stealth while maintaining execution reliability. CyberProof continues to track and analyze emerging ClickFix variants as adversaries refine their use of native Windows utilities and social engineering. To learn more about CyberProof’s ongoing research into ClickFix techniques and their continued evolution, explore our additional analysis covering related variants and abuse patterns observed in the wild:"
https://www.cyberproof.com/blog/beyond-powershell-analyzing-the-multi-action-clickfix-variant/
https://hackread.com/clickfix-variant-native-windows-tools-bypass-security/
PhantomRPC: A New Privilege Escalation Technique In Windows RPC
"Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution."
https://securelist.com/phantomrpc-rpc-vulnerability/119428/
Fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
"Our investigation into fast16 starts with an architectural hunch. A certain tier of apex threat actors has consistently relied on embedded scripting engines as a means of modularity. Flame, Animal Farm’s Bunny, ‘PlexingEagle’, Flame 2.0, and Project Sauron each built platforms around the extensibility and modularity of an embedded Lua VM. We wanted to determine whether that development style arose from a shared source, so we set out to trace the earliest sophisticated use of an embedded Lua engine in Windows malware. Lua is a lightweight scripting language with a native proficiency for extending C/C++ functionality. Given the appeal of C++ for reliable high-end malware frameworks, this capability is indispensable to avoid having to recompile entire implant components to add functionality to already infected machines. We did not find an indication of direct shared provenance, but our investigation did uncover the oldest instance of this modern attack architecture."
https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/
https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.html
https://www.securityweek.com/pre-stuxnet-sabotage-malware-fast16-linked-to-us-iran-cyber-tensions/
https://www.theregister.com/2026/04/24/fast16_sabotage_malware/
CVE-2026-33626: How Attackers Exploited LMDeploy LLM Inference Engines In 12 Hours
"On April 21, 2026, GitHub published GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy. LMDeploy is a toolkit for serving vision-language and text large language models (LLMs) developed by Shanghai AI Laboratory, InternLM. Within 12 hours and 31 minutes of its publication on the main GitHub advisory page, the Sysdig Threat Research Team (TRT) observed the first LMDeploy exploitation attempt against our honeypot fleet. The attacker did not simply validate the bug and move on. Instead, over a single eight-minute session, they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint."
https://www.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html
Signal Phishing Campaign Targets Germany’s Bundestag President Julia Klöckner
"Germany’s Bundestag President Julia Klöckner has reportedly become the latest European political figure targeted through a Signal-based phishing attack, reported Der Spiegel. The incident is another reminder that even trusted messaging apps can become entry points when attackers go after the person, not the platform. The attack targeted Klöckner’s phone through a Signal group chat linked to CDU officials. Chancellor Friedrich Merz was reportedly included but not compromised, and at least one other CDU lawmaker was also affected. “Chancellor Friedrich Merz is also part of the group, although German domestic intelligence reportedly found no evidence his phone had been compromised. Der Spiegel also reported that at least one other CDU lawmaker was affected.” reported Politico."
https://securityaffairs.com/191224/intelligence/signal-phishing-campaign-targets-germanys-bundestag-president-julia-klockner.html
Global Campaign Discovered With Modbus PLCs Targeted And China-Geolocated Infrastructure Observed
"From September – November 2025, Cato Networks threat researchers observed a global campaign involving suspicious Modbus/TCP (transmission control protocol) activity against internet-exposed PLCs (programmable logic controllers). The targeted footprint spanned 70 countries and 14,426 distinct targeted IPs, with the largest share of activity in the United States. The activity blended large-scale automated probing with more selective patterns that suggest deeper device fingerprinting, disruption attempts, and potential manipulation paths when PLCs are reachable from the public internet. Across the three months, we saw thousands of requests sourced from a broad and frequently low-reputation infrastructure set, alongside a small subset of higher-intent infrastructure of interest including sources geolocated to China. While it’s unclear who the threat actors are, these findings reinforce a simple takeaway: exposing Modbus to the internet materially increases both operational risk and the likelihood of follow-on attack activity."
https://www.catonetworks.com/blog/global-campaign-discovered-with-modbus-plcs-targeted/
Hold The Phone! International Revenue Share Fraud Driven By Fake CAPTCHAs
"CAPTCHAs, the mundane tasks where we demonstrate our ability to select bicycles or distinguish chihuahuas from blueberry muffins, are increasingly being weaponized to trick users into performing actions with unexpected consequences. Fake CAPTCHAs are commonly associated with ClickFix attacks but have also been leveraged in other kinds of campaigns, including those we’ve documented in our blog on malicious push notifications. One way we’ve observed fake CAPTCHA pages used in campaigns is related to a telecommunications fraud scheme known as international revenue share fraud (IRSF)."
https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
https://hackread.com/fake-captcha-pages-exploit-clicks-send-texts/

Breaches/Hacks/Leaks

ADT Confirms Data Breach After ShinyHunters Leak Threat
"Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. In a statement shared today, the company said it detected unauthorized access to customer and prospective customer data on April 20, after which it terminated the intrusion and launched an investigation. This investigation determined that personal information was stolen during the breach."
https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/
https://therecord.media/ADT-data-breach-cyberattack
ShinyHunters Claim They Have Cruise Giant Carnival's Booty As 7.5M Emails Surface
"Carnival Corporation, the world's largest cruise company, is dealing with choppy waters after Have I Been Pwned flagged what it claimed were 7.5 million unique email addresses all allegedly tied to one of its subsidiaries. According to HIBP, the haul totals 8.7 million records and appears to relate to the Mariner Society loyalty program run by Holland America Line, a subsidiary of Carnival Corporation. It said the "data contained fields indicating it related to the Mariner Society loyalty program run by Holland America." The exposed data includes names, dates of birth, genders, and membership status details – the kind of personal data attackers can easily repurpose for fraud or phishing."
https://www.theregister.com/2026/04/24/shinyhunters_claim_cruise_giant_carnivals/
American Utility Firm Itron Discloses Breach Of Internal IT Network
"Utility technology company Itron, Inc. has disclosed that an unauthorized third party accessed some of its internal systems during a cyberattack. The company states that it activated its cybersecurity response plan when detecting the activity last month, notified law enforcement authorities, and engaged external advisors to support the investigation and incident containment. “On April 13, 2026, Itron, Inc. was notified that an unauthorized third party had gained access to certain of its systems,” the company says says in an 8-K filing with the U.S. Securities and Exchange Commission (SEC)."
https://www.bleepingcomputer.com/news/security/american-utility-firm-itron-discloses-breach-of-internal-it-network/

General News

Scam Center Strike Force Takes Major Actions Against Southeast Asian Scam Centers Targeting Americans
"The Department of Justice, through U.S. Attorney Jeanine Ferris Pirro and Assistant Attorney General A. Tysen Duva of the Criminal Division, together with its partners, today announced a series of coordinated actions by the Scam Center Strike Force against Southeast Asian criminal organizations operating scam centers that have defrauded Americans of billions of dollars. The Scam Center Strike Force’s actions include criminal charges against two Chinese nationals who managed a cryptocurrency investment fraud compound in Burma and attempted to open another compound in Cambodia, the seizure of a Telegram messaging app channel used to recruit human trafficking victims to a scam compound in Cambodia in order to work a law enforcement impersonation scam, and the seizure of 503 fake invesment websites, among other actions."
https://www.justice.gov/opa/pr/scam-center-strike-force-takes-major-actions-against-southeast-asian-scam-centers-targeting
https://www.darkreading.com/cyber-risk/us-busts-myanmar-ring-targeting-us-citizens-financial-fraud
Glasswing Secured The Code. The Rest Of Your Stack Is Still On You
"When Anthropic announced Project Glasswing this month, most coverage landed on the headline numbers: a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg flaw, a Linux kernel exploit chain assembled without human steering. The coalition behind it, including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, Palo Alto Networks, and others, isn't there for the optics; they're there because the model's capabilities are real, and the coordinated disclosure pipeline matters. The part worth dwelling on is the FFmpeg result specifically. At least five million automated fuzzer testing passes hit that vulnerable line of code and not one caught it. Mythos Preview read the code, understood what it was doing, and found the flaw."
https://www.darkreading.com/cyberattacks-data-breaches/glasswing-secured-code-stack-on-you
AI Rush Is Reviving Old Cybersecurity Mistakes, Mandiant VP Warns
"The rush to adopt AI in enterprise environments is not only creating new security vulnerabilities, but is also reviving old security failures, a top Mandiant executive has warned. Speaking to Infosecurity during Google Cloud Next 26, Jurgen Kutscher, VP of Mandiant Consulting, part of Google Cloud, said that AI deployment in enterprises is often accompanied by a neglect of basic security controls. “A lot of the old problems are new again,” Kutscher said. “We’ve seen enterprises really worried about new AI threats like large language model poisoning while forgetting the most basic security controls.”"
https://www.infosecurity-magazine.com/news/ai-old-cybersecurity-mistakes/
Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents
"In March 2026, San Francisco once again became the epicenter of the cybersecurity world. Thousands of practitioners, vendors, and investors gathered at Moscone Center for the RSA Conference, where one theme dominated every keynote, panel, and booth conversation: Agentic AI. Not just AI as a tool, but AI as an actor. From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. Developments like Mythos, a next-generation AI framework capable of orchestrating complex, multi-step cyber operations, highlight both the promise and the risk of this shift."
https://www.securityweek.com/why-cybersecurity-must-rethink-defense-in-the-age-of-autonomous-agents/
NASA Investigators Expose a Chinese National Phishing For Defense Software
"For years, NASA employees and research collaborators thought they were simply sharing software with colleagues. Instead, they were emailing sensitive defense technology to a Chinese national who was impersonating U.S. engineers. Thanks to the NASA Office of Inspector General (OIG) and federal partners, this long-running ruse was revealed—halting further spread of protected information to foreign adversaries. To safeguard national security, the United States has established export controls that restrict the transfer of equipment, software, or technology to other countries. When NASA personnel fail to follow these regulatory mandates, even inadvertently, the OIG steps in to protect critical data, intellectual property, and defense-related articles."
https://oig.nasa.gov/news/nasa-investigators-expose-a-chinese-national-phishing-for-defense-software/
https://thehackernews.com/2026/04/nasa-employees-duped-in-chinese.html
Iran’s Cyber Threat May Be Less ‘shock And Awe’ Than ‘low And Slow,’ Officials Say
"After the Cybersecurity and Infrastructure Security Agency issued an advisory that said Iranian-linked cyber actors were looking to “cause disruptive effects within the United States,” the U.S. has been bracing for a major cyberattack against its critical infrastructure. But officials and cybersecurity experts told reporters on Friday that the more likely threat is not a digital shock-and-awe campaign, but something quieter: opportunistic intrusions, dressed up to look bigger than they are. Speaking at the Asness Summit on Modern Conflict and Emerging Threats in Nashville, former NSA director Tim Haugh and Kevin Mandia, a longtime cyber first responder and founder of a new AI cybersecurity venture, said Iran’s cyber operations have tended to rely less on novel capabilities than on exploiting basic security gaps — and then amplifying the results."
https://therecord.media/iran-cyber-warfare-haugh
The Npm Threat Landscape: Attack Surface And Mitigations
"The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. Since that watershed moment, Unit 42 has tracked an aggressive acceleration in the frequency and technical depth of supply chain compromises. Attacks have evolved from a series of isolated typosquatting incidents into systematic campaigns by various threat actors to weaponize the trust that powers modern software development."
https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
Home Cheat Home: The Problem With Residential Proxies
"In late January, Google and its partners took action to disrupt IPIDEA, one of the world's largest residential proxy networks. In this piece, we'll explore the basics of residential proxies, examine their role in cybercrime, speak to Google's efforts in reducing proxy problems, and offer advice to keep your home network safe."
https://blog.barracuda.com/2026/04/24/home-cheat-home--the-problem-with-residential-proxies
The Calm Before The Ransom: What You See Is Not All There Is
"There’s a bit of a pattern in the history of organizational failures that repeats too often to be a coincidence: A system runs smoothly for a long stretch, causing everyone to grow confident in it. Almost invariably, this also quietly erodes the vigilance that kept the system running smoothly in the first place. And then the system fails – at the precise moment when everyone involved would have told you it was in excellent shape. Counterintuitive as it may sound, stability itself can be destabilizing. It breeds complacency, which then reduces investments in preparedness and widens the gap between actual and perceived risk. Author Morgan Housel compressed this pattern into six words: “calm plants the seeds of crazy.” This plays out rather visibly and with near-clinical regularity in financial markets, but since it’s woven into the warp and woof of human psychology, cybersecurity is by no means spared from it."
https://www.welivesecurity.com/en/ransomware/calm-ransom-what-you-see-is-not-all-there-is/
Helping Romance Scam Victims Require a Proactive, Empathic Approach
"By the time Ayleen Charlotte realized what had happened, she was broke, in debt, and didn't know what to do. Her boyfriend, for well over a year, was actually Shimon Hayut, the infamous "Tinder Swindler," and she was one of many women he had scammed out of nearly everything they had. They were victims of a "pig-butchering" scam, a type of social engineering campaign in which the criminal spends months building trust with the target — just as a farmer takes time to fatten a pig before slaughter — before bilking them for large sums of money."
https://www.darkreading.com/cybersecurity-operations/building-teams-to-help-cyber-scam-victims
AI's Not Going To Kill Open Source Code Security
"Cal.com has closed its commercial codebase, abandoning years of AGPL-3.0 licensing in a move that has alarmed the developer community that helped build it and sent ripples through the broader open source world. "Open source is dead," says Cal.com co-founder and CEO Bailey Pumfleet. But my conversations with top open source developers such as Linux kernel maintainer Greg Kroah-Hartman suggest it is not. And I really don't think it is."
https://www.theregister.com/2026/04/26/opinion_column/

อ้างอิง
Electronic Transactions Development Agency (ETDA)