Cyber Threat Intelligence 20 April 2026
Financial Sector
- March 2026 Security Issues In The Korean & Global Financial Sector
"A number of malware samples including phishing, web shell, droppers, backdoor malware, downloaders, Infostealer, and CoinMiner targeting the financial sector have been distributed. We observed a number of cases where Korean disguised attachment names and HTML/JS execution methods were utilized to propagate phishing. Account compromise campaigns through the Telegram API were confirmed, with approximately 4% of the compromised accounts coming from the financial sector. The AnySign4PC vulnerability was exploited in a watering hole attack by the Lazarus group, resulting in remote code execution, and multiple watering hole distribution sites were found to be continuously used."
https://asec.ahnlab.com/en/93421/
Vulnerabilities
- The Dangers Of Reusing Protobuf Definitions: Critical Code Execution In Protobuf.js (GHSA-Xq3m-2v4x-88gg)
"Endor Labs researchers discovered a critical vulnerability in protobuf.js, the most widely used JavaScript runtime for Protocol Buffers, a data format used by millions of applications to exchange information, including services built on Google Cloud, Firebase, and most modern cloud platforms. The protobuf.js package is downloaded roughly 52 million times per week and is often installed as a hidden dependency of other popular libraries, meaning many development teams ship it without realizing it. Exploitation is straightforward. It requires an attacker to supply a malicious configuration file (protobuf schema) to the target application — a precondition that sounds narrow but is common in practice. Applications routinely load these files from shared registries, partner integrations, or third-party servers. Once a poisoned file is in memory, exploitation is trivial: the first message the application processes triggers the payload, with no authentication or user interaction required."
https://www.endorlabs.com/learn/the-dangers-of-reusing-protobuf-definitions-critical-code-execution-in-protobuf-js-ghsa-xq3m-2v4x-88gg
https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-library-enables-javascript-code-execution/
- NomShub: Weaponizing Cursor's Remote Tunnel Through Indirect Prompt Injection And Sandbox Breakout
"NomShub is a critical vulnerability chain in the Cursor AI code editor where a malicious repository can silently hijack a developer's machine, combining indirect prompt injection, a sandbox escape via shell builtins, and Cursor's built-in remote tunnel to give attackers persistent, undetected shell access triggered simply by opening a repo."
https://www.straiker.ai/blog/nomshub-cursor-remote-tunneling-sandbox-breakout
https://www.securityweek.com/cursor-ai-vulnerability-exposed-developer-devices/
Malware
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
"Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft's handling of the vulnerability disclosure process. While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates."
https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html
https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/
https://www.helpnetsecurity.com/2026/04/17/microsoft-defender-zero-days-exploited/
https://securityaffairs.com/190961/hacking/microsoft-defender-under-attack-as-three-zero-days-two-of-them-still-unpatched-enable-elevated-access.html
- QEMU Abused To Evade Detection And Enable Ransomware Delivery
"Sophos analysts are investigating the active abuse of QEMU, an “open-source machine emulator and virtualizer,” by threat actors seeking to hide malicious activity within virtualized environments. Attackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself."
https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery
https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/
https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html
- Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
"IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks. FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium. By examining the infection chain, persistence mechanisms, and attack capabilities, we offer insights into the operational behavior of the associated threat actor and its potential impact on targeted environments."
https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign
https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html
https://hackread.com/mirai-variant-nexcorium-dvr-devices-ddos-attacks/
https://securityaffairs.com/190974/malware/nexcorium-mirai-variant-exploits-tbk-dvr-flaw-to-launch-ddos-attacks.html
- Unpacking Direct-Sys Loader And CGrabber Stealer: Inside a Stealthy, Five-Stage Malware Chain
"Howler Cell has identified a multistage intrusion sequence that delivers two new malware families: Direct-Sys Loader, and CGrabber Stealer. Both families exhibit strong technical alignment, identical anti-analysis methods, and consistent cryptographic routines. This strongly suggests the loader and stealer originate from the same developer or development group."
https://www.cyderes.com/howler-cell/direct-sys-loader-cgrabber-stealer-five-stage-malware-chain
https://hackread.com/cgrabber-direct-sys-malware-github-zip-files/
- Android Bankers: 4 Campaigns In A Row
"In recent months, Zimperium’s zLabs team has identified a surge in Android Banking Trojan activity, marking a sophisticated shift in the mobile threat landscape. Our researchers successfully tracked four distinct campaigns, RecruitRat, SaferRat, Astrinox, and Massiv, each leveraging robust Command-and-Control (C2) frameworks to facilitate credential theft, unauthorized financial transactions, and large-scale data exfiltration. Collectively, these campaigns target over 800 applications across the banking, cryptocurrency, and social media sectors. By employing advanced anti-analysis techniques and structural APK tampering, these families often maintain near-zero detection rates against traditional signature-based security mechanisms."
https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row
https://hackread.com/recruitrat-saferrat-astrinox-massiv-android-malware/
- This Old-School Scam Is Still Working
"When we read about this new malware tactic, or that novel social engineering approach, it’s easy to forget that there are scammers out there making a living from ancient methods. Recently, one of our researchers received this variation on the good old Nigerian advance-fee scam."
https://www.malwarebytes.com/blog/news/2026/04/this-old-school-scam-is-still-working
- “Your Shipment Has Arrived” Email Hides Remote Access Software
"An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool—an ideal starting point for attackers to explore a network, steal data, and drop additional malware. A German industrial spare parts and equipment supplier received an email pretending to be from DHL, claiming a shipment had arrived."
https://www.malwarebytes.com/blog/news/2026/04/your-shipment-has-arrived-email-hides-remote-access-software
- Ukraine Confirms Suspected APT28 Campaign Targeting Prosecutors, Anti-Corruption Agencies
"A Ukrainian cyber official has confirmed that several local government agencies were targeted in a long-running cyber-espionage campaign attributed to a Russian state-linked hacker group. Taras Dzyuba, head of the information communications department at Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), told Recorded Future News that authorities are aware of the attacks, which Western researchers say compromised email accounts belonging to Ukrainian prosecutors and investigators. Earlier this week, Reuters reported that hackers linked to Russia had broken into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months."
https://therecord.media/ukraine-confirms-suspected-apt28-campaign-targeting-prosecutors
- Apple Account Change Alerts Abused To Send Phishing Emails
"Apple account change notifications are being abused to send fake iPhone purchase phishing scams within legitimate emails sent from Apple's servers, increasing legitimacy and potentially allowing them to bypass spam filters. A reader shared an email with BleepingComputer that appeared to be a standard Apple security notification that stated their account information had been updated. However, embedded within the message was a phishing lure claiming that an $899 iPhone purchase had been made via PayPal, along with a phone number to call to cancel the transaction."
https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/
Breaches/Hacks/Leaks
- Grinex Exchange Blames "Western Intelligence" For $13.7M Crypto Hack
"Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack attributed to Western intelligence agencies. The funds were stolen from cryptocurrency wallets belonging to Russian users, as the platform enables crypto-ruble exchange operations between Russian businesses and individuals. Launched early last year, Grinex has Russian links and is believed to be a rebrand of Garantex, a Russian crypto exchange whose admin was arrested and whose domains were seized over allegations of processing more than $100 million in illicit transactions and enabling money laundering."
https://www.bleepingcomputer.com/news/security/grinex-exchange-blames-western-intelligence-for-137m-crypto-hack/
https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.html
https://securityaffairs.com/190950/security/kyrgyzstan-based-crypto-exchange-grinex-shuts-down-after-13-7m-cyber-heist-blames-western-intelligence.html
- Vercel Confirms Breach As Hackers Claim To Be Selling Stolen Data
"Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data. Vercel is a cloud platform that provides hosting and deployment infrastructure for developers, with a strong focus on JavaScript frameworks. The company is known for developing Next.js, a widely used React framework, and for offering services such as serverless functions, edge computing, and CI/CD pipelines that enable developers to build, preview, and deploy applications."
https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/
General News
- March 2026 Threat Trend Report On APT Groups
"This report analyzes the strategies, techniques, and impacts of APT groups believed to be state-sponsored. It excludes financial crimes groups from its scope and organizes major threat behaviors by ATIP’s representative names. The activities of 13 APT groups were aggregated based on publicly available data for the most recent month."
https://asec.ahnlab.com/en/93416/
- Man Gets 30 Months For Selling Thousands Of Hacked DraftKings Accounts
"23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. According to court documents, the accounts were hijacked by Nathan Austad (aka Snoopy) with the help of Joseph Garrison (a third accomplice charged in May 2023) in a massive November 2022 credential-stuffing attack that compromised nearly 68,000 DraftKings accounts. U.S. prosecutors said Austad and Garrison used a list of credentials stolen in multiple breaches to hack into DraftKings accounts, then sold access to others who stole around $635,000 from roughly 1,600 compromised accounts."
https://www.bleepingcomputer.com/news/security/man-gets-30-months-for-selling-thousands-of-hacked-draftkings-accounts/
https://www.securityweek.com/another-draftkings-hacker-sentenced-to-prison/
https://securityaffairs.com/190943/cyber-crime/draftkings-hacker-sentenced-to-prison-ordered-to-pay-1-4-million.html
- Scattered Spider Hacker Pleads Guilty In US Federal Court
"A senior figure in the Scattered Spider cybercrime group pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft on Friday in an Orange County, California, federal district court. The plea marks the conclusion of a digital crime spree by Tyler Robert Buchanan, 24, of Scotland. Buchanan has been in federal custody since April 2025, when Spanish authorities extradited Buchanan after arresting him in the Mediterranean resort city of Palma de Mallorca just as he attempted to leave the country for Naples on a chartered flight."
https://www.bankinfosecurity.com/scattered-spider-hacker-pleads-guilty-in-us-federal-court-a-31459
- Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
"In the wake of a major takedown of phishing's biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing. It would be shortchanging Tycoon 2FA to merely distinguish it as the world's premiere phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem."
https://www.darkreading.com/threat-intelligence/tycoon-2fa-hackers-device-code-phishing
- Every Old Vulnerability Is Now An AI Vulnerability
"On March 10, 2026, Microsoft patched CVE-2026-26144, a cross-site scripting (XSS) vulnerability in Excel. XSS in Office isn't anything new, but what makes this XSS different is what happens after the script executes. The vulnerability chains with Copilot Agent mode. An attacker embeds a malicious payload in an Excel file. After a user opens it, the XSS fires without the user ever clicking anything. However, unlike most XSS attacks, which aim to steal a session cookie or redirect the user to a phishing site, this attack hijacks the Copilot Agent and silently exfiltrates data from the spreadsheet to an attacker-controlled endpoint: no user interaction, no visual prompt to indicate that anything had happened. The AI does the exfiltration for you."
https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
- Coast Guard's New Cybersecurity Rules Offers Lessons For CISOs
"The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline. The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties."
https://www.darkreading.com/cybersecurity-operations/coast-guards-cybersecurity-rules-lessons-cisos
- Gemini Is Stopping Harmful Ads Before People Ever See Them
"Our safety teams work around the clock to stop bad actors that use increasingly sophisticated, malicious ads. In 2025, Gemini-powered tools dramatically improved our ability to detect and stop bad ads: Our systems caught over 99% of policy-violating ads before they ever served, and we’re continuing to evolve our defenses to stay ahead of even the most advanced schemes. Our teams have long used advanced AI to identify and stop scammers, and Gemini takes that work even further. Our models analyze hundreds of billions of signals — including account age, behavioral cues and campaign patterns — to stop threats before they reach people. Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection."
https://blog.google/products/ads-commerce/2025-ads-safety-report/
https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html
https://www.helpnetsecurity.com/2026/04/17/google-gemini-harmful-ads-blocking/
- Commercial AI Models Show Rapid Gains In Vulnerability Research
"While non-public frontier AI models, like Anthropic’s Claude Mythos, have been shown to identify thousands of zero-day vulnerabilities across major operating systems, commercial models are also indicating progress in the discovery of software bugs. Forescout’s Verde Labs found that just a year ago 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks. Progress has been made, however, and in 2026 the cybersecurity firm said all tested models complete vulnerability research tasks, and half can generate working exploits autonomously."
https://www.infosecurity-magazine.com/news/ai-models-rapid-gains/
- Machine Identities: The Invisible Cyber Risk You Probably Aren’t Managing
"When we talk about identity in cybersecurity, most people think about users logging in. But modern IT environments rely on a far larger and less visible population of non‑human identities. Machine identities are the credentials that applications, scripts, APIs, cloud workloads, industrial devices, and automation tools use to authenticate. They include service accounts, API keys, certificates, tokens, and embedded credentials that let systems communicate automatically and continuously. In manufacturing, this might include production systems pulling data from ERP software, industrial controllers updating configurations, remote monitoring tools, or third‑party vendors accessing plant networks. These identities are essential for efficiency and uptime, but they also introduce risk."
https://blog.barracuda.com/2026/04/17/machine-identities-invisible-risk
- Supply Chain Dependencies: Have You Checked Your Blind Spot?
"Some cyber business risks only show up when you take a closer look. Supply chain blind spots are a perfect example. Behind these essential third-party connections, products and services can lurk unseen vulnerabilities that precipitate major cyber incidents – halting operations, triggering downstream chaos, and making headlines with their financial, reputational, and legal/compliance impacts. As supply chains become increasingly digitized and complex, they provide cybercriminals a bigger “risk surface” to aim for. Organizations need to understand their supply chain dependencies in depth so they can map the risks and deploy effective resilience strategies to protect sensitive data and sustain business continuity. Yet according to the latest research from ESET and other sources, SMBs largely underestimate the potential risks they face from disruption caused by their supply chain, either from a malicious attack or operational outage."
https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/
- Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers
"Infrastructure analytics and ISP mapping reveal the hidden backbone of cyber threats. By examining hosting providers, cloud services, and telecom networks, analysts can identify patterns of persistent malware, phishing campaigns, and C2 infrastructure. During the last three months (1 Jan 2026 - 1 Apr 2026) analysis window, we identified more than 1,250 active command-and-control (C2) servers operating across 165 Russian infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks. That provider-level view is what separates actionable intelligence from an endless list of disposable indicators."
https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
- Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
"Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities. Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened."
https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities
- The German Cyber Criminal Überfall: Shifts In Europe's Data Leak Landscape
"Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023. Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023."
https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape
- That Data Breach Alert Might Be a Trap
"Receiving a data breach notice may have once been a rare event. With data breaches hitting record numbers, however, these notifications are no longer as surprising as they once were. In the US alone, there were 3,322 such breaches reported last year, resulting in nearly 280 million notices being emailed to victims. In Europe, daily incidents grew by 22% annually in 2025 to reach 443 on average per day. This represents a growing opportunity for fraudsters. They know that many people may be on the lookout for these notifications. And when they receive one, they may be more predisposed to follow the advice contained in it."
https://www.welivesecurity.com/en/scams/data-breach-alert-might-be-trap/
References
Electronic Transactions Development Agency (ETDA)