สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
Latest posts made by NCSA_THAICERT
-
อัปเดตด่วน Apple แก้ไขช่องโหว่ iOS ที่อาจทำให้ข้อความที่ลบแล้วถูกกู้คืนได้โพสต์ใน Cyber Security News
-
Mirai Botnet ใช้ช่องโหว่ CVE-2025-29635 โจมตีเราเตอร์ D-Link รุ่นเก่าโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
กลุ่มแรนซัมแวร์ Kyber ทดลองใช้การเข้ารหัสแบบ Post-Quantum โจมตี Windows และ VMware พร้อมกันโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 24 April 2026โพสต์ใน Cyber Security News
Energy Sector
- Electricity Is a Growing Area Of Cyber Risk
"Organizations secure work phones and company laptops, but attackers could be lurking, targeting the electric current running those devices. Direct current (DC) power regulation helps to stabilize the energy powering electronics people use daily, from solar panels and connected cars to smartphones and essential computer parts. It's also vital across critical infrastructures like telecommunications, industrial automation, and data centers. DC regulators provide stable voltage to prevent damage or more concerningly, outages that stem from power surges. However, the power ecosystem is becoming more complex as technology advances -- opening a potential new attack vector. There are many famous attacks against DC power infrastructure, but they're often viewed as unexplained physical damage, safety failure systems, and mysterious outages, which may not be the case, explains Andy Davis, global research director at NCC Group."
https://www.darkreading.com/cyber-risk/electricity-growing-area-cyber-risk
Industrial Sector
- Milesight Cameras
"Successful exploitation of these vulnerabilities could crash the device being accessed or allow remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 - Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
"Successful exploitation of this vulnerability could allow an attacker to bypass authentication and have remote access to sensitive information on the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-05 - Intrado 911 Emergency Gateway (EGW)
"Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete files."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-06 - Carlson Software VASCO-B GNSS Receiver
"Successful exploitation of this vulnerability could enable a remote attacker to alter critical system functions or disrupt device operation."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-02 - Yadea T5 Electric Bicycle
"Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-01 - SpiceJet Online Booking System
"Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04 - Threat Landscape For Industrial Automation Systems. Russia, Q4 2025
"Russia ranked 10th among regions by percentage of ICS computers on which malicious objects were blocked. At the same time, the region held higher positions in the rankings based on threat figures in the following categories:"
https://ics-cert.kaspersky.com/publications/reports/2026/04/23/threat-landscape-for-industrial-automation-systems-russia-q4-2025/
New Tooling
- Scenario: Open-Source Framework For Automated AI App Red-Teaming
"Enterprises running customer service bots, data analytics agents, and other AI-driven applications in production handle sensitive records and connect to core business systems every day. LangWatch has released Scenario, an open-source framework that runs automated red-team exercises against AI agents using multi-turn attack techniques that mirror how adversaries operate in the wild. Single-prompt penetration tests have long been the standard approach for probing LLMs. Models often hold firm against a direct attack and then leak sensitive information across several conversational turns. Scenario structures those conversations deliberately, running sequences that begin with harmless exploration and build toward complex requests and authority-based pressure."
https://www.helpnetsecurity.com/2026/04/23/scenario-open-source-framework-for-automated-ai-app-red-teaming/
https://github.com/langwatch/scenario
Vulnerabilities
- Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload Via Fetch_gravatar_from_remote
"The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default."
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/breeze/breeze-cache-244-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote
https://www.bleepingcomputer.com/news/security/hackers-exploit-file-upload-bug-in-breeze-cache-wordpress-plugin/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-39987 Marimo Remote Code Execution Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog - Identifying And Remediating a Persistent Memory Compromise In Claude Code
"We recently discovered a method to compromise Claude Code’s memory and maintain persistence beyond our immediate session into every project, every session, and even after reboots. In this post, we’ll break down how we were able to poison an AI coding agent’s memory system, causing it to deliver insecure, manipulated guidance to the user. After working with Anthropic’s Application Security team on the issue, they pushed a change to Claude Code v2.1.50 that removes this capability from the system prompt."
https://blogs.cisco.com/ai/identifying-and-remediating-a-persistent-memory-compromise-in-claude-code
https://www.darkreading.com/vulnerabilities-threats/bad-memories-haunt-ai-agents - Can AI Attack The Cloud? Lessons From Building An Autonomous Cloud Offensive Multi-Agent System
"The offensive capabilities of large language models (LLMs) have until recently existed as theoretical risks – frequently discussed at security conferences and in conceptual industry reports, but rarely discovered in practical exploits. However, in November 2025, Anthropic published a pivotal report documenting a state-sponsored espionage campaign. In this operation, AI didn't just assist human operators – it became the operator, performing 80-90% of the campaign autonomously, at speeds that no human team could match. This disclosure shifted the conversation from "could this happen?" to "this is happening." But it also raised practical questions: Can AI actually operate autonomously end-to-end, or does it still require human guidance at each decision point? Where do current LLM capabilities excel, and where do they fall short compared to skilled human operators?"
https://unit42.paloaltonetworks.com/autonomous-ai-cloud-attacks/
https://www.darkreading.com/cyber-risk/zealot-shows-ai-execute-full-cloud-attacks
https://www.securityweek.com/ai-can-autonomously-hack-cloud-systems-with-minimal-oversight-researchers/ - Apple Intelligence Flaw Kept Stolen Tokens Reusable On Another Device
"Apple claims that Apple Intelligence, a GenAI service provided on its operating systems, is designed with an extra focus on user security and privacy through a two-stage authentication and authorization system using anonymous access tokens. However, researchers from The Ohio State University have identified vulnerabilities in this design, demonstrated on macOS 26.0 (Tahoe), that allow attackers to steal and reuse these tokens."
https://www.helpnetsecurity.com/2026/04/22/apple-intelligence-token-vulnerability-serpent-attack/
https://arxiv.org/pdf/2604.15637 - Hybrid Clouds Have Two Attack Surfaces And You’re Not Paying Enough Attention To Either
"Israeli researchers found a series of flaws in Microsoft's Windows Admin Center (WAC) and suggest this shows hybrid cloud management tools are a two-way attack surface that users don't spend enough time worrying about. Speaking at the Black Hat Asia conference in Singapore today, Ilan Kalendarov and Ben Zamir of Cymulate delivered a talk titled "Breaking Hybrid Boundaries Across Azure and Windows" in which they detailed four CVEs they found and reported to Microsoft – 2025-64669, 2026-20965, 2026-23660, and 2026-32196 – which has since fixed the flaws."
https://www.theregister.com/2026/04/23/wac_flaws_hybrid_cloud_security/
Malware
- Bitwarden CLI Compromised In Ongoing Checkmarx Supply Chain Campaign
"Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The open source password manager serves more than 10 million users and over 50,000 businesses, and ranks among among the top three password managers by enterprise adoption. The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign."
https://socket.dev/blog/bitwarden-cli-compromised
https://research.jfrog.com/post/bitwarden-cli-hijack/
https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html - Trigona Affiliates Deploy Custom Exfiltration Tool To Streamline Data Theft
"While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown. Many publicly available tools are now so well known that they may be flagged by security solutions. It is possible that the attackers are investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks. Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus."
https://www.security.com/threat-intelligence/trigona-exfiltration-custom
https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/ - Executive Summary: Defending Against China-Nexus Covert Networks Of Compromised Devices
"China-nexus cyber actors have moved from using individually procured infrastructure to operating large scale “covert networks” – botnets built from compromised routers, and other edge devices. These networks are used for each phase of the Cyber Kill Chain, from reconnaissance and malware delivery, to command and control and data exfiltration against targets of espionage and offensive cyber operations. The threat is a dynamic, low-cost, deniable infrastructure model that can be rapidly re-shaped, rendering traditional static IP block lists ineffective."
https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a
https://www.bleepingcomputer.com/news/security/uk-warns-of-chinese-hackers-using-botnets-of-hijacked-consumer-devices-to-evade-detection/
https://www.darkreading.com/cyber-risk/china-hackers-industrializing-botnets
https://www.bankinfosecurity.com/hacked-devices-are-gateways-for-chinese-nation-state-hackers-a-31490
https://cyberscoop.com/china-nexus-covert-networks-advisory/
https://www.theregister.com/2026/04/23/china_covert_networks/ - GopherWhisper: A Burrow Full Of Malware
"ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal. In the observed campaign, the threat actors targeted a governmental entity in Mongolia. GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communication and exfiltration. Crucially, after we identified multiple Slack and Discord API tokens, we managed to extract a large number of C&C messages from those services, which provided us with great insight into the group’s activities."
https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf
https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html
https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/
https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-abuses-cloud-tools-spy-mongolia
https://therecord.media/china-linked-hackers-target-mongolian-gov-slack-discord
https://www.bankinfosecurity.com/unwary-chinese-hackers-hardcoded-credentials-into-backdoors-a-31487
https://www.helpnetsecurity.com/2026/04/23/gopherwhisper-apt-group/ - UAT-4356's Targeting Of Cisco Firepower Devices
"Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed “FIRESTARTER.” FIRESTARTER considerably overlaps with the technical capabilities of RayInitiator’s Stage 3 shellcode that processes incoming XML-based payloads to endpoint APIs. In early 2024, Cisco Talos attributed ArcaneDoor, a state-sponsored campaign focused on gaining access to network perimeter devices for espionage, to UAT-4356."
https://blog.talosintelligence.com/uat-4356-firestarter/
https://www.cisa.gov/news-events/analysis-reports/ar26-113a
https://therecord.media/cisa-us-agency-breached-cisco-vulnerability-backdoor
https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/ - Bad Connection: Uncovering Global Telecom Exploitation By Covert Surveillance Actors
"Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world attack traffic to mobile operator signalling infrastructure. The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years."
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
https://therecord.media/surveillance-companies-exploiting-telecom-systems-to-track-location
https://cyberscoop.com/surveillance-campaigns-use-commercial-surveillance-tools-to-exploit-long-known-telecom-vulnerabilities/ - 10 Indirect Prompt Injection Payloads Caught In The Wild
"As AI agents become mainstream — summarizing pages, indexing content and processing payments — attackers have found a way to weaponize them without ever touching the AI directly. It's called Indirect Prompt Injection (IPI). X-Labs researchers are finding it deployed across live web infrastructure right now. Unlike direct prompt injection, where a user sends malicious input to a model, IPI hides adversarial instructions inside ordinary web content. When an AI agent crawls or summarizes a poisoned page, it ingests those instructions and executes them as legitimate commands, with no indication anything went wrong."
https://www.forcepoint.com/blog/x-labs/indirect-prompt-injection-payloads
https://hackread.com/hackers-hidden-site-instruction-attack-ai-assistants/
https://www.infosecurity-magazine.com/news/researchers-10-wild-indirect/ - Inside RAMP: What a Leaked Database Reveals About Russia’s Ransomware Marketplace
"RAMP (Russian Anonymous Marketplace) was a Russian-language cybercrime forum that operated from late 2021 until it was seized by the FBI on January 28, 2026, in coordination with the U.S. Attorney’s Office for the Southern District of Florida. It ran as both a Tor hidden service and maintained a clearnet mirror at ramp4u.io, making it more accessible than many competing forums. The forum ran on XenForo 2.2.5, a commercial platform, and had dedicated sections for selling network access, malware, ransomware partnerships, stolen data, and hiring criminal freelancers. Thread titles appeared in Russian, English, and Chinese, highlighting its global audience from Western cybercriminals to East Asian threat actors."
https://www.comparitech.com/news/inside-ramp-what-a-leaked-database-reveals-about-russias-ransomware-marketplace/
https://securityaffairs.com/191171/cyber-crime/ramp-uncovered-anatomy-of-russias-ransomware-marketplace.html - Nightmare-Eclipse Tooling Moves From Public PoC To Real-World Intrusion
"Huntress has observed the use of Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, during a real-world intrusion investigation. In the clearest case, the activity included suspicious binaries staged in user-writable directories, hands-on-keyboard reconnaissance, likely compromised FortiGate SSL VPN access, and follow-on tunneling behavior. Organizations should review VPN logs, investigate the artifacts and paths below, and treat any confirmed execution as high-priority incident activity."
https://www.huntress.com/blog/nightmare-eclipse-intrusion
https://www.securityweek.com/recent-microsoft-defender-vulnerability-exploited-as-zero-day/ - Threat Spotlight: Device Code Phishing Is On The Rise With 7 Million Attacks In Four Weeks
"Device code authentication is an OAuth 2.0 login method that lets users sign in on one device by entering a short code on another, trusted device. This is ideal for devices with limited interfaces, such as TVs, printers or command line interface (CLI) tools. Device code phishing attacks exploit this process to gain persistent, authorized access to Microsoft services. Over the last month, Barracuda’s threat analysts have detected more than 7 million device code phishing attacks, largely powered by the recently reported EvilTokens phishing kit. Barracuda has also seen other attackers leveraging the approach together with Tycoon 2FA capabilities. It is likely that other phishing kits will follow."
https://blog.barracuda.com/2026/04/23/threat-spotlight-device-code-phishing - Snow Flurries: How UNC6692 Employed Social Engineering To Deploy a Custom Malware Suite
"Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers."
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/
https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html - Dev Targeted By Sophisticated Job Scam: 'I Let My Guard Down, And Ran The Freaking Code'
"It all started with a LinkedIn message, as so many employment scams do these days. A recruiter claiming to work for a blockchain firm called Genusix Labs invited Boris Vujičić, a web developer based in Serbia, to apply for a full-time, remote developer job with the company. Vujičić is no stranger to recruitment scams. He told us he received messages like this daily, and his personal record is eight in one day. Plus, he used to work for Step Finance before a breach and subsequent $40 million cryptocurrency heist shuttered the decentralized-finance biz earlier this year."
https://www.theregister.com/2026/04/23/job_scam_targeted_developer/ - Tropic Trooper APT Takes Aim At Home Routers, Japanese Targets
"The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an odd spear-phishing effort that involved compromising a target's home Wi-Fi network. Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high‑tech organizations in Taiwan, the Philippines, and Hong Kong, with researchers recently also finding one singular campaign in the Mideast. But its latest efforts are aimed at specific individuals in new geographies like Japan, Taiwan, and South Korea, according to recent analysis, indicating an expansion of not just operational modus operandi, but also victim profiles."
https://www.darkreading.com/threat-intelligence/tropic-trooper-apt-takes-aim-home-routers-japanese-targets
Breaches/Hacks/Leaks
- Cosmetics Giant Rituals Discloses Data Breach Affecting Customers
"Dutch cosmetics giant Rituals disclosed a data breach after attackers stole the personal information of an undisclosed number of customers from its "My Rituals" membership database. The company revealed the security incident in a Wednesday notice, saying that the breach was discovered earlier this month after it was alerted to unauthorized downloads of its members' data. Rituals has notified relevant authorities of the incident and has since contained the breach by blocking the attackers' access. It also added that it has yet to find evidence that the stolen information has been leaked online."
https://www.bleepingcomputer.com/news/security/cosmetics-giant-rituals-discloses-data-breach-affecting-customers/
https://www.securityweek.com/luxury-cosmetics-giant-rituals-discloses-data-breach/
https://securityaffairs.com/191192/data-breach/rituals-discloses-a-data-breach-impacting-member-personal-details.html - Vercel Finds More Compromised Accounts In Context.ai-Linked Breach
"Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems. The company said it made the discovery after expanding its investigation to include an extra set of compromise indicators, alongside a review of requests to the Vercel network and environment variable read events in its logs. "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods," the company said in an update."
https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.html
https://cyberscoop.com/vercel-attack-fallout-expands/ - Medical Data Of 500,000 Britons Put Up For Sale On Chinese Website
"Medical data belonging to 500,000 British citizens was listed for sale on the Chinese e-commerce website Alibaba, the UK government said Thursday. The data is held by the UK Biobank charity and includes genetic sequences, blood samples, medical scans and lifestyle information. Scientists, both at universities and private companies, can be given access for research purposes under legal contracts committing them to keep it secure. Despite these protections, the data was found advertised across three separate listings on Alibaba, science minister Ian Murray told the House of Commons, at least one of which appeared to contain data from all 500,000 of the database's volunteers."
https://therecord.media/medical-data-on-500000-britons-put-on-sale-alibaba
https://www.theregister.com/2026/04/23/500k_biobank_volunteers_data_listed/
General News
- AI Threats In The Wild: The Current State Of Prompt Injections On The Web
"At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, Indirect Prompt Injection (IPI) is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise AI agents. But while the danger of IPI is widely discussed, are threat actors actually exploiting this vector today – and if so, how? To answer these questions and to uncover real-world abuse, we initiated a broad sweep of the public web to monitor for known indirect prompt injection patterns. This is what we found."
https://security.googleblog.com/2026/04/ai-threats-in-wild-current-state-of.html - A Year In, Zoom’s CISO Reflects On Balancing Security And Business
"In this Help Net Security interview, Sandra McLeod, CISO at Zoom, reflects on her first year in the role. She talks about moving from reactive firefighting to business strategy, and what she heard from engineers, the board, and customers during her early months. McLeod discusses how she prepared for incident management, the dual job of handling crises and explaining them afterward, and her experience as a woman in technical leadership at Zoom. She closes with honest advice for women in security considering whether to pursue leadership roles themselves."
https://www.helpnetsecurity.com/2026/04/23/sandra-mcleod-zoom-ciso-leadership/ - GDPR Works, But Only Where Someone Enforces It
"A new measurement study of web tracking across ten countries offers a reality check for anyone working on privacy compliance. Researchers crawled the same set of globally popular websites from virtual machines located in Australia, Brazil, Canada, Germany, India, Singapore, South Africa, South Korea, Spain, and California. The results show that European privacy law does reduce tracking, and that most of the reduction happens in the two jurisdictions where regulators bring cases."
https://www.helpnetsecurity.com/2026/04/23/gdpr-enforcement-measurement-study/ - Ransomware, Fraud, And Lawsuits Drive Cyber Insurance Claims To New Peaks
"The 2026 InsurSec Report from At-Bay, covering more than 100,000 policy years of claims data, documents a 7% year-over-year rise in overall claim frequency and an all-time high average severity of $221,000. Ransomware severity reached $508,000, up 16% from the prior year, making it the costliest incident type by a wide margin. Remote access services served as the entry point for 87% of ransomware claims in 2025, up from 80% the year before. VPN compromises alone accounted for 73% of ransomware intrusions where an entry vector was identified, climbing from 38% in 2023 and 66% in 2024. One in three ransomware claims involved a SonicWall device."
https://www.helpnetsecurity.com/2026/04/23/cyber-insurance-claims-report/ - Cyber-Attacks Surge 63% Annually In Education Sector
"Schools and universities across the globe experienced a sharp increase in attacks last year thanks to the combined threat from geopolitical tensions, ransomware and hacktivism, according to Quorum Cyber. The security service provider’s 2026 Global Cyber Risk Outlook for Higher Education is compiled from FalconFeeds.io threat intelligence data covering the period November 2023 to October 2025. It revealed that total recorded incidents increased 63%, from 260 attacks between November 2023-October 2024 to 425 in the period November 2024-October 2025. Across 67 countries, data breaches rose by 73%, hacktivist activity increased by 75% and ransomware went up by 21%."
https://www.infosecurity-magazine.com/news/cyberattacks-surge-63-annually/ - How Cyberattacks On Companies Affect Everyone
"If you use the internet, you’ve likely been affected by cybercrime in some way. Even when an attack is aimed at a company, the fallout usually lands on ordinary people. The most obvious harm is stolen data. When attackers break into a business, it is usually customer information that ends up in criminal hands, and that can lead to identity theft, tax fraud, credit card fraud, and a long tail of scam attempts that can continue for months or years. For consumers, the breach itself is often just the start of the cleanup."
https://www.malwarebytes.com/blog/privacy/2026/04/how-cyberattacks-on-companies-affect-everyone - Chinese Firm Claims AI-Driven Bug Discovery Near Claude Mythos Scale
"On April 7, 2026, artificial intelligence developer Anthropic introduced its new general-purpose model Claude Mythos Preview to a restricted partnership of over 40 vetted organizations, including major technology and cybersecurity firms, as part of its defensive security initiative Project Glasswing. The company stated that the Claude Mythos model has identified thousands of high-severity vulnerabilities across widely used software, including major operating systems and web browsers. Crucially, in some cases it can autonomously develop exploits and chain vulnerabilities without human intervention. Anthropic has not released the system publicly, citing the risks associated with such capabilities and the need for further safeguards before deployment at scale."
https://www.nattothoughts.com/p/where-is-china-in-ai-driven-vulnerability
https://www.securityweek.com/chinese-cybersecurity-firms-ai-hacking-claims-draw-comparisons-to-claude-mythos/ - The Behavioral Shift: Why Trusted Relationships Are The Newest Attack Surface
"You can no longer recognize a phishing email by simply counting the typos. And you will get caught if you simply respond to a genuine-looking email without thinking. Analysis of almost 800,000 email attacks across more than 4,600 organizations shows attackers moving away from exploiting technical vulnerabilities in favor of targeting behavioral and organizational weaknesses. In short, email attackers are now targeting their victims with tailored tactics that exploit trusted relationships and routine workflows. The three primary email attack methods are phishing, business email compromise (BEC) and vendor email compromise (VEC). Phishing remains predominant, accounting for 58% of all attacks. BEC comprises 11% of attacks, while VEC (a subtype of BEC) accounts for more than 60% of all BEC attacks. Details are provided in Abnormal AI’s 2026 Attack Landscape Report."
https://www.securityweek.com/the-behavioral-shift-why-trusted-relationships-are-the-newest-attack-surface/
https://files.abnormalsecurity.com/production/files/2026-Attack-Landscape-Report.pdf
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Electricity Is a Growing Area Of Cyber Risk
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการ เมื่อวันที่ 23 เมษายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
ICSA-26-113-01 YADEA T5 Electric Bike
ICSA-26-113-02 Carlson Software VASCO-B GNSS Receiver
ICSA-26-113-03 Milesight Cameras
ICSA-26-113-04 SpiceJet Online Booking System
ICSA-26-113-05 Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
ICSA-26-113-06 Intrado 911 Emergency Gateway (EGW)
ICSA-25-114-01 Schneider Electric Modicon Controllers (Update A)CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 23 เมษายน 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 8 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้
- CVE-2026-39987 Marimo Remote Code Execution Vulnerability
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 23 April 2026โพสต์ใน Cyber Security News
Financial Sector
- Shadow AI, Deepfakes, And Supply Chain Compromise Are Rewriting The Financial Sector Threat Playbook
"Financially motivated attacks continued to drive the bulk of cyber incidents against banks, insurers, and payment processors in 2025. Approximately 90% of breaches affecting financial institutions carried a financial motive, with data breaches accounting for roughly 64% of incidents and ransomware making up the remaining 36%. The average cost of a data breach in the sector reached $5.56 million per incident, placing finance second among all industries by breach cost. Personal data was the most frequently compromised category, appearing in 54% of cases. Internal organizational data accounted for 35% of compromised data, and credentials for 22%. Attackers used that access to enable downstream fraud, credential resale, and persistent network presence."
https://www.helpnetsecurity.com/2026/04/22/financial-sector-cyber-threats-report/
Industrial Sector
- Silex Technology SD-330AC And AMC Manager
"Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service, or configuration information may be altered without authentication."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-10 - SenseLive X3050
"Successful exploitation of these vulnerabilities could allow an attacker to take complete control of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12 - Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary
"RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) contains a vulnerability that could allow an attacker to escalate their own privileges. Siemens has released a new version for RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-02 - Siemens SCALANCE
"SCALANCE W-700 IEEE 802.11n family before V6.6.0 are affected by multiple vulnerabilities. Siemens has released a new version for SCALANCE W-700 IEEE 802.11n family and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-07 - Siemens SINEC NMS
"SINEC NMS before V4.0 SP3 contains an Authorization Bypass vulnerability that could allow an attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. Siemens has released a new version for SINEC NMS and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-09 - Siemens TPM 2.0
"The products listed below contain a vulnerability that could allow an attacker to perform an out-of-bound read, potentially leading to information disclosure or denial of service of the TPM. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-01 - Siemens SINEC NMS
"Siemens SINEC NMS when used with User Management Component (UMC) contains an authentication bypass vulnerability due to insufficient validation of user identity. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Siemens has released a new version for SINEC NMS and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-03 - Siemens Analytics Toolkit
"Multiple Siemens applications are affected by improper certificate validation in Siemens Analytics Toolkit. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-04 - Hardy Barth Salia EV Charge Controller
"Successful exploitation of these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-05 - Zero Motorcycles Firmware
"Successful exploitation of this vulnerability could allow an attacker to pair via Bluetooth with a motorcycle, gaining unauthorized access to all Bluetooth functions, including changing the firmware."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06 - Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC)
"RUGGEDCOM CROSSBOW Station Access Controller (SAC) contains a vulnerability that could allow an attacker to achieve arbitrary code execution and to create a denial of service condition. Siemens has released a new version for RUGGEDCOM CROSSBOW Station Access Controller (SAC) and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-08 - Siemens Industrial Edge Management
"Industrial Edge Management contains an authorization bypass vulnerability that could be exploited by an unauthenticated remote attacker to circumvent authentication and to access connected Industrial Edge Devices through the remote connection feature. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-11
New Tooling
- PentAGI: Open-Source Autonomous AI Penetration Testing System
"Penetration testers have long relied on collections of specialized tools, manual coordination, and documented runbooks to work through a target assessment. PentAGI, an open-source project from VXControl, attempts to automate that entire workflow using a multi-agent AI system that plans, researches, and executes penetration tests with minimal human direction. PentAGI organizes work into a hierarchy of flows, tasks, subtasks, and actions. An orchestrator agent receives a goal and coordinates three specialist agents: a researcher that gathers information and queries known vulnerability sources, a developer that plans attack strategies, and an executor that runs commands in isolated containers."
https://www.helpnetsecurity.com/2026/04/22/pentagi-autonomous-ai-penetration-testing/
https://github.com/vxcontrol/pentagi
Vulnerabilities
- Microsoft Releases Emergency Patches For Critical ASP.NET Flaw
"Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies. Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month's Patch Tuesday."
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/
https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html
https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html - Oracle Patches 450 Vulnerabilities With April 2026 CPU
"Oracle on Tuesday announced the release of 481 new security patches as part of its April 2026 Critical Patch Update (CPU). Across the 28 product families that received security updates, more than 300 patches address vulnerabilities that are remotely exploitable without authentication. Roughly three dozen fixes resolve critical-severity security defects. There appear to be approximately 450 unique CVEs listed on the latest Oracle CPU page. Approximately 240 are included in the risk matrix tables, but additional CVEs have been fixed as well, along with third-party issues not exploitable in Oracle’s products."
https://www.securityweek.com/oracle-patches-450-vulnerabilities-with-april-2026-cpu/ - Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
"A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to a description of the flaw in CVE.org. Developed by Cohere AI as an open-source project, Terrarium is a Python sandbox that's used as a Docker-deployed container for running untrusted code written by users or generated with assistance from a large language model (LLM)."
https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog - Apple Fixes iOS Bug That Retained Deleted Notification Data
"Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device. The bug, tracked as CVE-2026-28950, was fixed on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8. "Notifications marked for deletion could be unexpectedly retained on the device," reads the Apple security bulletin."
https://www.bleepingcomputer.com/news/security/apple-fixes-ios-bug-that-retained-deleted-notification-data/
https://support.apple.com/en-us/127002
https://www.helpnetsecurity.com/2026/04/22/apple-intelligence-token-vulnerability-serpent-attack/ - Over 1,300 Microsoft SharePoint Servers Vulnerable To Spoofing Attacks
"Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks. The security flaw, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model). As Microsoft explained when it patched this security issue as part of the April 2026 Patch Tuesday, successful exploitation allows threat actors without privileges to perform network spoofing by taking advantage of an improper input validation weakness in low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/over-1-300-microsoft-sharepoint-servers-vulnerable-to-ongoing-attacks/ - The Zero-Days Are Numbered
"Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148. As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation. As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up."
https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
https://www.securityweek.com/claude-mythos-finds-271-firefox-vulnerabilities/
https://www.theregister.com/2026/04/22/mozilla_firefox_mythos_future_defenders/
Malware
- CVE-2025-29635: Mirai Campaign Targets D-Link Devices
"The Akamai SIRT discovered active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 in our global network of honeypots in early March 2026. This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution."
https://www.akamai.com/blog/security-research/cve-2025-29635-mirai-campaign-targets-d-link-devices
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
https://www.securityweek.com/mirai-botnet-targets-flaw-in-discontinued-d-link-routers/
https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
https://www.helpnetsecurity.com/2026/04/22/new-mirai-variants-target-routers-and-dvrs-via-old-flaws/ - Kyber Ransomware Double Trouble: Windows And ESXi Attacks Explained
"For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure (VMware ESXi) and core Windows file systems. This cross-platform approach, coupled with effective anti-recovery measures, drastically elevates the risk of a total operational disruption. Organizations should treat Kyber not merely as another ransomware strain, but as a specialized tool capable of causing a complete operational blackout. Recent real-world incidents have demonstrated that this approach can result in large-scale operational impact across enterprise environments."
https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/ - Namastex.ai Npm Packages Hit With TeamPCP-Style CanisterWorm Malware
"Last month, we responded to CanisterWorm, a worm-enabled npm supply chain campaign that compromised legitimate publisher space, replaced package contents with install-time malware, used stolen publishing access to republish malicious versions, and relied on an Internet Computer Protocol (ICP) canister as a dead-drop command and control (C2) channel. This campaign was attributed to a set of TeamPCP supply chain attacks. In this newly discovered npm incident, the malware uses the same core adversarial methods: install-time execution, credential theft from developer environments, off-host exfiltration, canister-backed infrastructure, and self-propagation logic intended to compromise additional packages. The overlap is notable enough on its own, and malicious packages included an explicit code reference to a TeamPCP/LiteLLM method inside the malicious payload."
https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm
https://www.stepsecurity.io/blog/pgserve-compromised-on-npm-malicious-versions-harvest-credentials
https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html
https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-self-spreads-to-steal-auth-tokens/
https://www.theregister.com/2026/04/22/another_npm_supply_chain_attack/ - Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
"The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities."
https://www.security.com/blog-post/harvester-new-linux-backdoor-gogra
https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-uses-microsoft-graph-api-for-comms/
https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html - Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities And Legitimate Software
"In today’s world, there is an increasingly high focus on malware trends rather than repurposed legitimate tools. Repurposed or legitimate software is often overlooked, even though these have the capability to compromise devices, deliver and execute malicious payloads, and steal information from users. Legitimate websites being abused is very common and often mentioned in media. Yet, the actual programs and software are less often looked at due to the false assumption that there is little that can be done to avoid these. An example of a legitimate program that threat actors have repeatedly repurposed or abused is Microsoft products."
https://cofense.com/blog/weaponizing-apathy-how-threat-actors-exploit-vulnerabilities-and-legitimate-software - Anatomy Of a Fraud Operation: Mule Account Creation On B2B Fintech Platforms In France
"Fintech platforms such as Revolut, Wise and N26 offer fast, fully remote account opening, streamlined KYC, and business-grade payment infrastructure — SEPA transfers, invoicing, payment processing, and in some cases cryptocurrency integration. These platforms built for freelancers and individual entrepreneurs have become a significant target for organised fraud networks across Europe. For a legitimate freelancer or micro-business owner, this combination of services are exactly what they need. For a fraud operator, it is exactly what they are looking for."
https://www.group-ib.com/blog/french-fintech-mule-accounts/ - Silent Lures: The Rise Of Empty Subject Email Attacks
"Silent Subject Campaigns, also known as Null Subject/Empty Subject campaigns are a lure phishing campaign or scam tactic where emails are sent without a subject line or with an extremely vague subject line. This is designed to encourage users to open the email out of curiosity, confusion, or a false sense of urgency. The primary objective of a Silent Subject Campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especially focusing on high-value or VIP users. Cyberproof Threat Hunting and Managed Detection & Response Teams detected a widespread Null Subject phishing campaign targeting VIP users across multiple organizations from multiple sender domains."
https://www.cyberproof.com/blog/silent-lures-the-rise-of-empty-subject-email-attacks/
https://www.infosecurity-magazine.com/news/silent-subject-phishing-campaigns/ - Malicious Trading Website Drops Malware That Hands Your Browser To Attackers
"During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: Needle Stealer, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets. In this case, attackers used a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView."
https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers - Anthropic Secretly Installs Spyware When You Install Claude Desktop
"I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it. It was from Anthropic."
https://www.thatprivacyguy.com/blog/anthropic-spyware/
https://www.malwarebytes.com/blog/news/2026/04/researcher-claims-claude-desktop-installs-spyware-on-macos - Tropic Trooper Pivots To AdaptixC2 And Custom Beacon Listener
"On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence. In this blog post, ThreatLabz covers the Tropic Trooper campaign and the tools that were deployed to conduct intelligence gathering."
https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener - After Bluesky, Mastodon Targeted In DDoS Attack
"Following a similar assault on Bluesky just days prior, the decentralized social media platform Mastodon has also been targeted in a major distributed denial-of-service (DDoS) attack. The attack targeted Mastodon.social, the flagship Mastodon server, and caused what the organization classified as a ‘major outage’. According to the Mastodon status page, the DDoS attack started on April 20 at around 1 PM, and by 4 PM mitigations were rolled out and the site became accessible."
https://www.securityweek.com/after-bluesky-mastodon-targeted-in-ddos-attack/
https://securityaffairs.com/191144/cyber-crime/ddos-wave-continues-as-mastodon-hit-after-bluesky-incident.html - North Korean Hackers Use AppleScript, ClickFix In Fresh MacOS Attacks
"North Korean hackers have been using various social engineering and evasion techniques in recently observed attacks targeting macOS users within financial organizations. A campaign uncovered by Any.Run has relied on the infamous ClickFix technique to trick macOS users into installing information-stealing malware. The hackers have been mounting the attacks over Telegram, targeting business leaders, often using the compromised accounts of people known to the victim, with fake meeting invitations. The victims have been directed to websites mimicking Zoom, Microsoft Teams, or Google Meet, and prompted to “fix” a fake connection issue by copying and executing a command in the Terminal."
https://www.securityweek.com/north-korean-hackers-use-applescript-clickfix-in-fresh-macos-attacks/ - Malicious Checkmarx Artifacts Found In Official KICS Docker Repository And Code Extensions
"Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release. Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version. Our investigation found evidence that the malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."
https://socket.dev/blog/checkmarx-supply-chain-compromise
https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html - Inside Lazarus: How North Korea Uses AI To Industrialize Attacks On Developers
"Expel is actively tracking an APT group that we assess with high confidence to be North Korean (DPRK) state-sponsored. We suspect that the threat actor is a subgroup or spin-off of a larger organization, potentially starting out as fraudulent IT workers before pivoting to malware. The group is extremely active in targeting Web3 developers and is primarily focused on stealing high-value digital assets such as cryptocurrency and NFTs. As much as $12M worth of cryptocurrency wallets were exfiltrated by the threat actor in 3 months, though hardware security tokens may limit damage."
https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/
https://therecord.media/north-korean-hackers-siphon-12-million-from-crypto-users - TeamPCP Strikes Again: Xinference PyPI Package Compromised
"The JFrog security research team recently identified a supply chain attack targeting the xinference package on PyPI. Versions 2.6.0, 2.6.1, and 2.6.2 were compromised and yanked by maintainers after users reported suspicious behavior. If you installed or imported these versions, you must assume your environment is compromised. This is the latest hit in an ongoing multi-ecosystem campaign by the threat actor tracked as TeamPCP, who have recently compromised PyPI packages including litellm and telnyx, as well as npm, Go, OpenVSX, and GitHub repositories. The same actor marker, payload structure, and targeting profile tie this incident directly to that campaign."
https://research.jfrog.com/post/xinference-compromise/
Breaches/Hacks/Leaks
- Discord-Linked Group Accessed Anthropic’s Claude Mythos AI In Vendor Breach
"Two weeks after Anthropic announced Claude Mythos Preview (aka Claude Mythos and Mythos AI) as part of its Project Glasswing initiative, the company is investigating unauthorized access to the model through a third-party vendor environment. Reportedly, a handful of users on a Discord channel gained access to Mythos. Their focus was on gathering intelligence about unreleased AI models and appears to have used a combination of tactics to access the system. Bloomberg News reported on April 21, 2026, that the group made an “educated guess” about the model’s online location based on familiarity with Anthropic’s URL formatting conventions for other models."
https://hackread.com/discord-access-anthropic-claude-mythos-ai-breach/
https://www.engadget.com/ai/anthropic-is-investigating-unauthorized-access-of-its-mythos-cybersecurity-tool-091017168.html
https://www.theregister.com/2026/04/22/anthropic_mythos_hype_nothingburger/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Shadow AI, Deepfakes, And Supply Chain Compromise Are Rewriting The Financial Sector Threat Playbook
-
CISA เพิ่ม 8 ช่องโหว่ใหม่เข้า KEV หลังพบถูกใช้โจมตีจริงในวงกว้างโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
แพลตฟอร์มคริปโต Grinex ปิดให้บริการหลังถูกโจมตี สูญเงินกว่า 13.7 ล้านดอลลาร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เกลือเป็นหนอน! นักเจรจาค่าไถ่ไซเบอร์ในสหรัฐฯ แอบส่งข้อมูลลับให้กลุ่ม BlackCat เพื่อเพิ่มยอดเรียกค่าไถ่โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
