<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Cyber Threat Intelligence 17 April 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Anviz Multiple Products</strong><br />
"Successful exploitation of these vulnerabilities could allow attackers to conduct reconnaissance, capture or decrypt sensitive data, alter device configurations, gain unauthorized administrative or root‑level access, execute arbitrary code, compromise credentials or communications, and ultimately obtain full control over affected devices."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03</a></li>
<li><strong>Horner Automation Cscape And XL4, XL7 PLC</strong><br />
"Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to systems and services."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02</a></li>
<li><strong>AVEVA Pipeline Simulation</strong><br />
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify simulation parameters, training configuration and training records."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04</a></li>
<li><strong>Delta Electronics ASDA-Soft</strong><br />
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-01</a></li>
<li><strong>Threat Landscape For Industrial Automation Systems. Africa, Q4 2025</strong><br />
"High threat detection rates point to low cybersecurity maturity across industrial companies on the continent: the availability of internet access on OT computers, weak phishing protection, large portions of unprotected infrastructure, and still relatively poor employee cyberhygiene. In Africa, the percentage of ICS computers on which all categories of threats except miners in the form of executable files for Windows were blocked is higher than the global average."<br />
<a href="https://ics-cert.kaspersky.com/publications/reports/2026/04/16/threat-landscape-for-industrial-automation-systems-africa-q4-2025/" target="_blank" rel="noopener noreferrer nofollow ugc">https://ics-cert.kaspersky.com/publications/reports/2026/04/16/threat-landscape-for-industrial-automation-systems-africa-q4-2025/</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution</strong><br />
"Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate any user within the service."<br />
<a href="https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html</a><br />
<a href="https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-webex-ise/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-webex-ise/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/cisco-says-critical-webex-services-flaw-requires-customer-action/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisco-says-critical-webex-services-flaw-requires-customer-action/</a><br />
<a href="https://securityaffairs.com/190909/security/cisco-fixed-four-critical-flaws-in-identity-services-and-webex.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/190909/security/cisco-fixed-four-critical-flaws-in-identity-services-and-webex.html</a></li>
<li><strong>AVideo YPTSocket WebSocket Broadcast Relay Leads To Unauthenticated Cross-User JavaScript Execution Via Client-Side Eval() Sinks</strong><br />
"The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval() sinks fed directly by those relayed fields (json.msg.autoEvalCodeOnHTML at line 568 and json.callback at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution."<br />
<a href="https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr</a></li>
<li><strong>Splunk Enterprise Update Patches Code Execution Vulnerability</strong><br />
"Splunk has announced fixes for vulnerabilities in Splunk Enterprise, Cloud Platform, and MCP Server, as well as in third-party packages across its products. A high-severity flaw in Splunk Enterprise and Cloud Platform, tracked as CVE-2026-20204, could be exploited by low-privileged users to upload a malicious file to a temporary directory and achieve remote code execution (RCE). The bug exists because temporary files are improperly handled and are not sufficiently isolated in that directory, Splunk says."<br />
<a href="https://www.securityweek.com/splunk-enterprise-update-patches-code-execution-vulnerability/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/splunk-enterprise-update-patches-code-execution-vulnerability/</a></li>
<li><strong>CISA Adds One Known Exploited Vulnerability To Catalog</strong><br />
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog</a></li>
<li><strong>New Microsoft Defender “RedSun” Zero-Day PoC Grants SYSTEM Privileges</strong><br />
"A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. This exploit is for a local privilege escalation (LPE) flaw that grants SYSTEM privileges in Windows 10, Windows 11, and Windows Server on the latest April Patch Tuesday patches, when Windows Defender is enabled. "When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location," explains the researcher."<br />
<a href="https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/</a><br />
<a href="https://github.com/Nightmare-Eclipse/RedSun" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/Nightmare-Eclipse/RedSun</a></li>
<li><strong>Foxit, LibRaw Vulnerabilities</strong><br />
"Cisco Talos’ Vulnerability Discovery &amp; Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."<br />
<a href="https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/</a></li>
</ul>
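<p dir="auto">On the AVideo YPTSocket item above: the advisory describes a relay that forwards any sender's JSON to every connected client and a client that feeds the relayed <code>callback</code> and <code>msg.autoEvalCodeOnHTML</code> fields to <code>eval()</code>. The following is an added example, not code from AVideo or the advisory. It reproduces that pattern with an in-memory relay standing in for the WebSocket server, then shows the fix on both sides: the server builds outgoing messages from typed fields after checking the sender, and the client resolves <code>callback</code> against an allowlist and treats <code>msg</code> as data. The field names come from the advisory; the relay API, the client shape, the <code>CALLBACKS</code> table and the attacker body are assumptions made for this illustration.</p>

```javascript
// Added example (not AVideo/YPTSocket code): the relay-to-eval pattern from the
// advisory, vulnerable and hardened. Field names (callback, msg,
// autoEvalCodeOnHTML) are from the advisory; everything else is assumed.

// --- Vulnerable side -------------------------------------------------------

// Relay as described: any sender's body is parsed and handed, unchanged, to
// every connected client, administrators included.
function relayRaw(clients, rawBody) {
  const json = JSON.parse(rawBody);
  for (const client of clients) client.onMessage(json);
}

// Client handler with the two eval() sinks. Whatever was relayed runs in this
// client's origin, so an anonymous sender gets code execution in an admin session.
function makeVulnerableClient(name) {
  const client = { name, executed: [] };
  client.onMessage = (json) => {
    if (typeof json.callback === 'string') {
      client.executed.push(eval(json.callback));                 // sink 1
    }
    if (json.msg && typeof json.msg.autoEvalCodeOnHTML === 'string') {
      client.executed.push(eval(json.msg.autoEvalCodeOnHTML));   // sink 2
    }
  };
  return client;
}

// --- Hardened side ---------------------------------------------------------

// Server: never forward a sender's object. Check who is sending, then build the
// outgoing message from typed fields, so the relay cannot carry code or let one
// user speak as another.
function relayHardened(clients, sender, rawBody) {
  if (!sender.authenticated) return { dropped: 'unauthenticated-sender' };
  const body = JSON.parse(rawBody);
  const text = typeof body.text === 'string' ? body.text.slice(0, 2000) : '';
  const envelope = { callback: 'chatLine', msg: { from: sender.id, text } };
  for (const client of clients) client.onMessage(envelope);
  return { delivered: clients.length };
}

// Client: callback is a name looked up in an allowlist, never executed as
// source; msg is data to render via textContent, never eval'd or innerHTML'd.
const CALLBACKS = {
  chatLine: (msg) => ({ action: 'chat', from: String(msg.from), text: String(msg.text ?? '') }),
  refreshNotifications: (msg) => ({ action: 'refresh', count: Number(msg.count) || 0 }),
};
function makeHardenedClient(name) {
  const client = { name, rendered: [], dropped: [] };
  client.onMessage = (json) => {
    if (json === null || typeof json !== 'object') { client.dropped.push('not-object'); return; }
    if (typeof json.callback !== 'string' ||
        !Object.prototype.hasOwnProperty.call(CALLBACKS, json.callback)) {
      client.dropped.push('unknown-callback'); return;
    }
    const msg = (json.msg !== null && typeof json.msg === 'object') ? json.msg : {};
    client.rendered.push(CALLBACKS[json.callback](msg));
  };
  return client;
}

// Constructed attacker body, the shape of payload the advisory describes.
const ATTACK_BODY = JSON.stringify({
  callback: 'globalThis.stolen = "admin-session"; "ran-callback"',
  msg: { autoEvalCodeOnHTML: '"ran-autoEval"' },
});

function demo() {
  const admin = makeVulnerableClient('admin');
  relayRaw([admin], ATTACK_BODY);                              // both sinks fire

  const safeAdmin = makeHardenedClient('admin');
  safeAdmin.onMessage(JSON.parse(ATTACK_BODY));                // dropped: unknown callback
  relayHardened([safeAdmin], { id: 'anon', authenticated: false }, ATTACK_BODY); // dropped at server
  relayHardened([safeAdmin], { id: 'u42', authenticated: true }, JSON.stringify({ text: 'hi' }));
  return { admin, safeAdmin, stolen: globalThis.stolen };
}
console.log(JSON.stringify(demo(), null, 2));
```

<p dir="auto">The point of the two halves is that the fix is not "sanitize <code>msg</code>": as long as any relayed field reaches <code>eval()</code>, the server cannot filter its way out. Removing the sinks and having the server construct messages closes the cross-user execution path even if the anonymous-token issue the advisory mentions remains.</p>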
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>Inside ZionSiphon: Darktrace’s Analysis Of OT Malware Targeting Israeli Water Systems</strong><br />
"Darktrace analysis reveals ZionSiphon, an OT‑focused malware targeting Israeli water treatment and desalination systems. The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical-infrastructure attacks against industrial operational technologies globally."<br />
<a href="https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems</a><br />
<a href="https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/</a></li>
<li><strong>CVE-2026-39987 Update: How Attackers Weaponized Marimo To Deploy a Blockchain Botnet Via HuggingFace</strong><br />
"Three days after the April 8, 2026, disclosure of a critical pre-authorization remote code execution (RCE) in the marimo Python notebook platform, the Sysdig Threat Research Team (TRT) observed multiple unique attacks, including a threat actor deploying malware that was hosted on HuggingFace Spaces using a marimo exploit. The malware binary we captured was a previously undocumented variant of NKAbuse, a Go-based backdoor using the NKN blockchain for C2."<br />
<a href="https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface</a><br />
<a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/</a></li>
<li><strong>AI Meets Voice Phishing: How ATHR Automates The Full TOAD Attack Chain</strong><br />
"Telephone-oriented attack delivery (TOAD) remains an especially effective way to get past email security controls. Instead of embedding malicious links or attachments, attackers send benign-looking emails with nothing more than a phone number. When the target calls, an operator talks them through installing remote access software or handing over credentials. Because the email itself carries few traditional technical indicators of compromise, legacy defenses struggle to catch it. Running these operations at scale has typically meant stitching together separate infrastructure for telephony, phishing panels, and email delivery, which limits who can pull it off."<br />
<a href="https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/</a></li>
<li><strong>Beyond The Breach: Inside a Cargo Theft Actor’s Post-Compromise Playbook</strong><br />
"In late February 2026, Proofpoint researchers executed a malicious payload from a threat actor targeting transportation organizations inside a controlled decoy environment operated by our partners at <a href="http://Deception.pro" target="_blank" rel="noopener noreferrer nofollow ugc">Deception.pro</a>. While the environment did not represent a transportation carrier, it remained compromised for more than a month—offering rare, extended visibility into post‑compromise operations, tooling, and decision‑making. Proofpoint previously documented this actor’s campaigns against trucking and logistics companies to facilitate cargo theft and freight fraud. In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing‑as‑a‑service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity."<br />
<a href="https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook</a><br />
<a href="https://therecord.media/cargo-thieving-hackers-running-sophisticated-campaigns" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/cargo-thieving-hackers-running-sophisticated-campaigns</a><br />
<a href="https://www.bankinfosecurity.com/freight-hacker-wields-code-signing-service-to-evade-defenses-a-31433" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/freight-hacker-wields-code-signing-service-to-evade-defenses-a-31433</a><br />
<a href="https://www.helpnetsecurity.com/2026/04/16/cargo-theft-malware-actor-decoy-network/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/16/cargo-theft-malware-actor-decoy-network/</a></li>
<li><strong>PowMix Botnet Targets Czech Workforce</strong><br />
"Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.” PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections. PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs. PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically."<br />
<a href="https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/</a><br />
<a href="https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html</a></li>
<li><strong>Dissecting Sapphire Sleet’s MacOS Intrusion From Lure To Compromise</strong><br />
"Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built‑in macOS security checks. This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical."<br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/</a><br />
<a href="https://www.darkreading.com/application-security/north-korea-clickfix-target-macos-users-data" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/north-korea-clickfix-target-macos-users-data</a><br />
<a href="https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/</a></li>
<li><strong>Unpacking The Unpackable: Malformed APKs As An Anti-Analysis Technique</strong><br />
"As Android malware continues to evolve, APK malformation has emerged as a key anti-analysis technique, now seen in over 3,000 Android malware samples and increasingly employed across a broad range of malicious campaigns. By deliberately crafting broken or non-standard APK structures, attackers can evade static analysis tools, conceal malicious payloads, and delay detection. This tactic has already been observed in advanced malware families such as Teabot, TrickMo, and SpyNote, underlining its effectiveness in circumventing traditional defenses."<br />
<a href="https://www.cleafy.com/cleafy-labs/malformed-apks-as-an-anti-analysis-technique-malfixer-tool" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cleafy.com/cleafy-labs/malformed-apks-as-an-anti-analysis-technique-malfixer-tool</a><br />
<a href="https://www.infosecurity-magazine.com/news/apk-malformation-android-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/apk-malformation-android-malware/</a></li>
<li><strong>“iCloud Storage Is Full” Scam Is Back, And Now It Wants Your Payment Details</strong><br />
"A few months ago, we reported on a fake cloud storage alert that triggered a redirect chain to an app that has since been delisted from the Apple Store. The threat of losing your photos is a powerful lure, so scammers are now using it to steal personal and financial details. The Guardian warns about an iCloud-themed campaign that starts with a few “your iCloud storage is full” messages, then escalates to threats. If you don’t respond or take action, the emails claim your data will be wiped on a specific date. US Consumer Affairs has urged users not to click any links and to contact Apple directly if they receive such messages."<br />
<a href="https://www.malwarebytes.com/blog/news/2026/04/icloud-storage-is-full-scam-is-back-and-now-it-wants-your-payment-details" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/04/icloud-storage-is-full-scam-is-back-and-now-it-wants-your-payment-details</a></li>
<li><strong>A Fake Slack Download Is Giving Attackers a Hidden Desktop On Your Machine</strong><br />
"A trojanized Slack download from a typosquatting website is giving attackers something most users wouldn’t even know to look for: a hidden desktop running on their machine. The installer looks legitimate and even launches a working copy of Slack. But in the background, it can create an invisible session where attackers can browse, access accounts, and interact with your system without anything appearing on your screen. To be clear, this campaign has nothing to do with Slack, the company, and we’ve let them know what we found."<br />
<a href="https://www.malwarebytes.com/blog/threat-intel/2026/04/a-fake-slack-download-is-giving-attackers-a-hidden-desktop-on-your-machine" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/threat-intel/2026/04/a-fake-slack-download-is-giving-attackers-a-hidden-desktop-on-your-machine</a></li>
<li><strong>Payouts King Takes Aim At The Ransomware Throne</strong><br />
"In February 2022, BlackBasta emerged as a successor to Conti ransomware and quickly rose to prominence. BlackBasta was operational for three years until February 2025 when their internal chat logs were leaked online, exposing the group’s inner workings. This led the group to disband and shutter the operation. However, similar to many ransomware groups, BlackBasta was largely driven by initial access brokers that launch attacks against organizations and then steal sensitive information and encrypt files. Although the BlackBasta brand disappeared, the group’s former affiliates have continued attacks by deploying different ransomware families such as Cactus. Zscaler ThreatLabz has observed continued ransomware activity that is consistent with attacks launched by former affiliates of BlackBasta. Some of these attacks have been attributed to a relatively unknown ransomware group that calls itself the Payouts King."<br />
<a href="https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne</a></li>
<li><strong>Threat Spotlight: Tycoon 2FA Didn’t Die — It’s Scattered Everywhere</strong><br />
"A year ago, Tycoon 2FA accounted for 89% of the phishing-as-a-service (PhaaS) activity seen by Barracuda threat analysts. This picture changed suddenly in March 2026 when Europol and other organizations launched a coordinated operation to disrupt and disable Tycoon 2FA’s attack infrastructure. The operation seized more than 300 domains and dismantled backend services supporting Tycoon’s large-scale MFA-bypassing phishing campaigns. A few weeks later, some security researchers reported that Tycoon 2FA activity was already back to pre-disruption levels. Barracuda’s own threat intelligence paints a more nuanced and complex picture of what happened in the wake of the initial disruption — one that has significant implications for security teams trying to monitor and detect attacker tools and behaviors."<br />
<a href="https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere</a></li>
<li><strong>Phantom In The Vault: Obsidian Abused To Deliver PhantomPulse RAT</strong><br />
"Elastic Security Labs has identified a novel social engineering campaign that abuses the popular note-taking application, Obsidian, as an initial access vector. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram. The threat actors abuse Obsidian's legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to silently execute code when a victim opens a shared cloud vault. In the observed intrusion, Elastic Defend detected and blocked the attack at the early stage, preventing the threat actors from achieving their objectives on the victim's machine."<br />
<a href="https://www.elastic.co/security-labs/phantom-in-the-vault" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.elastic.co/security-labs/phantom-in-the-vault</a><br />
<a href="https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html</a></li>
<li><strong>A Deep Dive Into Attempted Exploitation Of CVE-2023-33538</strong><br />
"CVE-2023-33538 was publicly reported in June 2023, affecting the aforementioned end-of-life TP-Link routers. Proof-of-concept (PoC) exploits for the different routers appeared earlier that month. The PoC exploits were removed from their original GitHub post but can be retrieved via Web Archive. According to the report, the /userRpm/WlanNetworkRpm endpoint contains a vulnerability in processing the ssid1 parameter sent through an HTTP GET request, because the parameter value is not sanitized when the Wi-Fi router processes it. Consequently, an attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router."<br />
<a href="https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/</a></li>
<li><strong>ChainShell: MuddyWater’s Russian MaaS Link</strong><br />
"This report documents a direct operational link between the exposed infrastructure of Iranian threat actor MuddyWater and TAG-150 CastleRAT malware – a modular malware-as-a-service (MaaS) platform developed by Russian-speaking cybercriminals. Through our analysis of a misconfigured C2 web server, 15 malware samples, and a novel PE payload, JUMPSEC assesses that MuddyWater operates at least two CastleRAT builds against Israeli targets with high confidence, and that they deploy additional TAG-150 JavaScript RAT variants from the same infrastructure with moderate confidence."<br />
<a href="https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/</a></li>
</ul>
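<p dir="auto">On the CVE-2023-33538 item above: the Unit 42 write-up names the vector precisely (an HTTP GET to <code>/userRpm/WlanNetworkRpm</code> whose <code>ssid1</code> parameter is passed to a command unsanitized), which is enough to hunt for attempts in access logs. The following is an added example, not code from the report. It parses combined-log-style lines, percent-decodes the parameter, and flags shell metacharacters, double-encoded metacharacters, and values longer than the 32-byte SSID limit. The log format, the sample lines (TEST-NET addresses) and the metacharacter list are constructed for this illustration; adapt the parser to your proxy, IDS or router-syslog format.</p>

```javascript
// Added example (not Unit 42 code): hunt for CVE-2023-33538 attempts in
// constructed access-log lines. Endpoint and parameter names are from the
// report; the log format and sample lines are made up for this illustration.

const TARGET_PATH = '/userRpm/WlanNetworkRpm';
const TARGET_PARAM = 'ssid1';
// Characters with no place in an SSID that are typical of command injection.
const SHELL_META = /[;&|`$(){}<>\\\n\r]/;
const MAX_SSID_BYTES = 32; // 802.11 SSID length limit

// Parse a combined-log-style line:
//   <src> - - [<timestamp>] "<method> <target> HTTP/<ver>" <status> <bytes>
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
  if (!m) return null;
  return { src: m[1], ts: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Return a finding for one parsed request, or null if it is not of interest.
function inspectRequest(req) {
  let url;
  try { url = new URL(req.target, 'http://router.invalid'); } catch { return null; }
  if (url.pathname !== TARGET_PATH || !url.searchParams.has(TARGET_PARAM)) return null;

  const value = url.searchParams.get(TARGET_PARAM); // percent-decoded once
  const reasons = [];
  if (SHELL_META.test(value)) reasons.push('shell-metacharacter');
  if (Buffer.byteLength(value, 'utf8') > MAX_SSID_BYTES) reasons.push('ssid-longer-than-32-bytes');

  // Double-encoded payloads (%2560 -> %60 -> `) survive the first decode.
  let decodedAgain = value;
  try { decodedAgain = decodeURIComponent(value); } catch { /* not valid percent-encoding */ }
  if (decodedAgain !== value && SHELL_META.test(decodedAgain)) reasons.push('double-encoded-metacharacter');

  return reasons.length ? { src: req.src, ts: req.ts, method: req.method, value, reasons } : null;
}

function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;               // unparseable line: skip, do not crash the hunt
    const finding = inspectRequest(req);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  '192.0.2.10 - - [16/Apr/2026:08:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&Save=Save HTTP/1.1" 200 1543',
  '198.51.100.7 - - [16/Apr/2026:08:01:09 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=a%60id%60&Save=Save HTTP/1.1" 200 1543',
  '198.51.100.7 - - [16/Apr/2026:08:01:11 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=a%2560id%2560 HTTP/1.1" 200 1543',
  '203.0.113.5 - - [16/Apr/2026:08:02:00 +0000] "GET /userRpm/LoginRpm?Save=Save HTTP/1.1" 200 980',
  '203.0.113.5 - - [16/Apr/2026:08:02:30 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=ThisSSIDIsWayTooLongToBeLegitimate1234567 HTTP/1.1" 200 1543',
  'garbage line that does not parse',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

<p dir="auto">Because the report notes the affected routers are end-of-life, a hit here is a reason to retire or isolate the device rather than to wait for a patch. Match on the decoded value, not the raw query string, and keep the second-decode check: a single-pass signature on <code>%60</code> or a backtick misses the <code>%2560</code> form.</p>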
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Researchers Say Fiverr Left User Files Open To Google Search</strong><br />
"A security researcher named Morpheuskafka has found that thousands of private files from the Tel Aviv-based gig-work website Fiverr were left open for anyone to view online. The leaked data allegedly includes very sensitive items like tax forms, photos of driving licences, and work contracts. These documents were not stored on a private, restricted server but were actually indexed and appeared in Google search results. Fiverr uses a third-party service called Cloudinary to manage and store the images and PDFs that users send to each other. And, instead of using signed or expiring URLs that only authorised users could open, the platform, reportedly, used public URLs."<br />
<a href="https://hackread.com/fiverr-left-user-files-open-to-google-search/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/fiverr-left-user-files-open-to-google-search/</a></li>
<li><strong>Data Breach At Tennessee Hospital Affects 337,000</strong><br />
"The Cookeville Regional Medical Center (CRMC) in Tennessee was targeted in a ransomware attack last year, and the cybersecurity incident resulted in a significant data breach. The medical center, which offers a wide range of healthcare services at its 289-bed hospital and outpatient locations, said in a data breach notice on its website that a network intrusion was discovered on July 14, 2025, and an investigation revealed that certain files had been stolen in the prior days. The probe showed that the compromised information could include name, date of birth, address, SSN, driver’s license number, financial account number, medical treatment information, and health insurance policy information."<br />
<a href="https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/</a><br />
<a href="https://securityaffairs.com/190898/cyber-crime/cookeville-regional-medical-center-hospital-data-breach-impacts-337917-people.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/190898/cyber-crime/cookeville-regional-medical-center-hospital-data-breach-impacts-337917-people.html</a><br />
<a href="https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Europol-Supported Global Operation Targets Over 75 000 Users Engaged In DDoS Attacks</strong><br />
"On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants. The following countries participated in the joint action: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the United Kingdom and the United States."<br />
<a href="https://www.europol.europa.eu/media-press/newsroom/news/europol-supported-global-operation-targets-over-75-000-users-engaged-in-ddos-attacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.europol.europa.eu/media-press/newsroom/news/europol-supported-global-operation-targets-over-75-000-users-engaged-in-ddos-attacks</a><br />
<a href="https://www.bleepingcomputer.com/news/security/operation-poweroff-identifies-75k-ddos-users-takes-down-53-domains/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/operation-poweroff-identifies-75k-ddos-users-takes-down-53-domains/</a><br />
<a href="https://cyberscoop.com/ddos-for-hire-takedowns-operation-poweroff/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/ddos-for-hire-takedowns-operation-poweroff/</a></li>
<li><strong>US Nationals Behind DPRK IT Worker 'Laptop Farm' Sent To Prison</strong><br />
"Two U.S. nationals have been sent to prison for helping North Korean remote information technology (IT) workers to pose as U.S. residents and get hired by over 100 companies across the country, including many Fortune 500 firms. 42-year-old Kejia Wang and 39-year-old Zhenxing Wang were charged in June 2025 following a coordinated law enforcement action against the Democratic People's Republic of Korea (DPRK) government's fundraising operations led by the U.S. Department of Justice (DoJ). According to court documents, between 2021 and October 2024, the two generated more than $5 million in illicit revenue for the DPRK's government and an estimated $3 million in financial damages to companies that hired North Korean workers who were using the stolen identities of more than 80 U.S. citizens."<br />
<a href="https://www.bleepingcomputer.com/news/security/us-nationals-behind-north-korean-it-worker-laptop-farm-sent-to-prison/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/us-nationals-behind-north-korean-it-worker-laptop-farm-sent-to-prison/</a><br />
<a href="https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms</a><br />
<a href="https://cyberscoop.com/us-nationals-sentenced-facilitate-north-korea-tech-worker-scheme/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/us-nationals-sentenced-facilitate-north-korea-tech-worker-scheme/</a><br />
<a href="https://www.infosecurity-magazine.com/news/us-nationals-jailed-north-korea/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/us-nationals-jailed-north-korea/</a><br />
<a href="https://www.helpnetsecurity.com/2026/04/16/north-korean-it-workers-scheme-us-facilitators/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/16/north-korean-it-workers-scheme-us-facilitators/</a><br />
<a href="https://www.theregister.com/2026/04/16/nork_it_worker_scam_facilitators_sentenced_200_months/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/16/nork_it_worker_scam_facilitators_sentenced_200_months/</a></li>
<li><strong>The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point Of Choice</strong><br />
"In Q1 2026, Microsoft continued to be the most impersonated brand in phishing attacks, accounting for 22% of all brand impersonation attempts, according to data from Check Point Research (CPR). The results reinforce a long‑standing trend: attackers consistently exploit highly trusted brands to steal credentials and gain initial access to personal and enterprise environments. Apple climbed to second place with 11%, reflecting attackers’ increasing focus on consumer ecosystems tied to payments, identity, and personal devices. Google followed closely in third place at 9%, while Amazon ranked fourth with 7%. LinkedIn rose to fifth place with 6%, highlighting sustained attacker interest in professional identities and corporate access."<br />
<a href="https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/</a></li>
<li><strong>Ghost Breaches: How AI-Mediated Narratives Have Become a New Threat Vector</strong><br />
"A company wakes up to a news story claiming it has suffered a major data breach. The details are specific, technical and convincing. But the breach didn’t happen. No systems were compromised. No data was taken. A language model generated the entire story, filling in plausible details from scratch. And before the company can figure out what’s going on, a reporter at a reputable outlet picks up the story and requests comment. Within hours, the company is drafting statements and mobilizing its communications team to address a fictional event. A second incident begins with something real. Years earlier, a company had suffered a genuine breach that received wide media coverage. The incident was investigated, resolved and closed. Then one of the outlets that originally reported on it redesigned its website. Old articles received new URLs and updated timestamps, and search engines re-indexed them as fresh content."<br />
<a href="https://cyberscoop.com/ai-generated-breach-narratives-ghost-threat-vector-op-ed/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/ai-generated-breach-narratives-ghost-threat-vector-op-ed/</a></li>
<li><strong>Two-Factor Authentication Breaks Free From The Desktop</strong><br />
"These days, organizations require two-factor authentication (2FA) to log into a variety of platforms and applications, such as messaging apps, cloud services and virtual private networks (VPNs). However, the average driver may not be aware that 2FA can protect the car sitting in their driveway. Authentication measures are consistently crucial as phishing campaigns become more sophisticated, and attackers steal credentials in mounting data leaks. Now 2FA is expanding beyond traditional IT computer use cases to include the physical world as well. Protocols can keep hackers from compromising the heat pump warming the house, breaching medical devices treating patients, or driving away in a stolen car."<br />
<a href="https://www.darkreading.com/endpoint-security/two-factor-authentication-breaks-free-from-the-desktop" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/endpoint-security/two-factor-authentication-breaks-free-from-the-desktop</a></li>
<li><strong>W3LL Unmasked</strong><br />
"For more than seven years, a shadowy threat actor known as W3LL orchestrated one of the most sophisticated BEC-focused phishing ecosystems around. Group-IB’s long-running investigation has provided in-depth visibility into the W3LL phishing ecosystem and uncovered crucial leads into the individuals behind this cybercriminal enterprise. The company has shared relevant findings with law enforcement authorities as part of broader efforts to disrupt this activity. W3LL’s tools and services, including an underground PhaaS marketplace called the W3LL Store, enabled over 500 cybercriminals to carry out business email compromise (BEC) attacks targeting organizations worldwide. The criminal empire was built around a phishing kit called W3LL Panel (aka OV6 panel) — designed to bypass multi-factor authentication (MFA), along with a suite of 16 other tools for compromising corporate Microsoft 365 accounts."<br />
<a href="https://www.group-ib.com/blog/w3ll-phishing-ecosystem-takedown/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.group-ib.com/blog/w3ll-phishing-ecosystem-takedown/</a></li>
<li><strong>EU Cybersecurity Standards Are At Risk If Supplier Ban Passes</strong><br />
"Today, the European standards body ETSI sent a formal position paper to the European Commission, calling for changes to the proposed Cybersecurity Act 2 (CSA2), the EU’s planned revision to its existing cybersecurity certification framework. The paper focuses on two provisions: a proposed expansion of ENISA’s role in developing technical specifications, and a clause in Article 100(4)(a) that would bar entities from countries designated as posing cybersecurity concerns from participating in European standardization work tied to Commission requests. ETSI is one of three European Standardization Organizations (ESOs) recognized under EU law to develop harmonized standards. Its membership includes over 900 organizations across 64 countries."<br />
<a href="https://www.helpnetsecurity.com/2026/04/16/etsi-eu-cybersecurity-standards/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/16/etsi-eu-cybersecurity-standards/</a></li>
<li><strong>Command Integrity Breaks In The LLM Routing Layer</strong><br />
"Systems that rely on LLM agents often send requests through intermediary routing services before reaching a model. These routers connect to different providers through a single endpoint and manage how requests are handled. This layer can influence what gets executed and what data is exposed. A recent study examined 28 paid routers and 400 free routers used to access model APIs. In testing, 1 paid router and 8 free routers injected malicious code into tool calls. “This is not a purely hypothetical threat,” the researchers wrote, noting that the behavior appears in paid and free router markets."<br />
<a href="https://www.helpnetsecurity.com/2026/04/16/llm-router-security-risk-agent-commands/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/16/llm-router-security-risk-agent-commands/</a><br />
<a href="https://arxiv.org/pdf/2604.08407" target="_blank" rel="noopener noreferrer nofollow ugc">https://arxiv.org/pdf/2604.08407</a></li>
<li><strong>Automotive Ransomware Attacks Double In a Year</strong><br />
"Ransomware is now the fastest growing and most disruptive cyber threat facing the automotive sector, accounting for 44% of attacks on carmakers in 2025, according to Halcyon. The security vendor crunched data from multiple sources to compile a new report on the industry. It claimed that ransomware attacks on carmakers more than doubled in 2025. “The surge in attacks reflects a calculated shift by cybercriminals who increasingly view the automotive industry as a lucrative target, driven by its rapid adoption of connected technology, growing reliance on cloud services, and a sprawling network of third-party suppliers that broadens criminals' opportunities to strike,” the report noted."<br />
<a href="https://www.infosecurity-magazine.com/news/automotive-ransomware-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/automotive-ransomware-attacks/</a></li>
<li><strong>Government Can’t Win The Cyber War Without The Private Sector</strong><br />
"Cybersecurity is a contest between attackers and defenders. For far too long, governments have been defending their turf alone while attackers frequently target public-sector entities with little to no resistance, launching attacks with national ramifications. Despite rules and regulations meant to establish baseline controls, attacks continue to define a growing threat landscape. The harsh reality is that the threat surface has grown wildly beyond what governments can realistically defend. The digital infrastructure that governments aim to secure is a product of private companies. There are limits to what the state can secure on its own, which means the focus must shift to closer collaboration with the private sector."<br />
<a href="https://www.securityweek.com/government-cant-win-the-cyber-war-without-the-private-sector/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/government-cant-win-the-cyber-war-without-the-private-sector/</a></li>
</ul>
<p dir="auto"><strong>Reference</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1776666724581-eb61dc02-e9b5-4300-9775-20c52e70920a-image.png" alt="eb61dc02-e9b5-4300-9775-20c52e70920a-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2799/cyber-threat-intelligence-17-april-2026</link><generator>RSS for Node</generator><lastBuildDate>Mon, 20 Apr 2026 16:30:23 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/2799.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 20 Apr 2026 06:32:05 GMT</pubDate><ttl>60</ttl></channel></rss>