A former incident response negotiator pleaded guilty to conspiring with BlackCat (ALPHV) ransomware affiliates to extort U.S. organizations between 2023 and 2025. The defendant, Angelo Martino, shared confidential victim negotiation positions and insurance policy limits with the ransomware operators to maximize payouts. At least five U.S. organizations were victimized, including a financial services firm that paid $25.66 million and a nonprofit that paid $26.79 million. The operation involved a 20% revenue share paid to BlackCat administrators for access to the ransomware and extortion infrastructure.

Vercel confirmed a cyber-incident conducted by a highly sophisticated attacker who exploited an employee’s third-party AI tool, Context.ai, to access internal environments and non-sensitive environment variables. The incident was enabled by an OAuth token tied to a Vercel employee’s Google Workspace account and may have resulted in exposure of some customer environment variables. Vercel stated there is no evidence sensitive environment variables were accessed, npm packages were compromised, or projects like Next.js were affected. The company is collaborating with Mandiant, has notified affected customers, and is urging broader security measures including MFA enforcement and credential rotation. A threat actor allegedly linked to ShinyHunters claimed access and attempted to extort Vercel for $2 million. Earlier, Context.ai—an AI tool vendor—was compromised via an infostealer delivered through a gaming cheat script. Attackers stole OAuth tokens, including one from a Vercel employee with broad permissions, leading to unauthorized access to Vercel’s environments and potential downstream credential compromise. Context.ai acknowledged the theft of OAuth tokens and confirmed some consumer tokens were likely compromised. Vercel’s response includes incident response with Mandiant, limited customer notifications, and ongoing validation of threat actor claims.

PhantomCard and related NFC relay malware families have expanded their tactics in Brazil. A new NGate malware variant now uses a trojanized version of the HandyPay app to steal NFC payment data, leveraging cost-effective evasion mechanisms and targeting Brazilian Android users since November 2025. The malware mimics legitimate payment tools and prompts users to set it as the default NFC payment app, exfiltrating card data and PINs to attacker-controlled email addresses. The malware operates via fake Google Play pages distributing trojanized apps like 'Proteção Cartão' and through fake lottery scams via WhatsApp. NGate variants have evolved from using open-source NFCGate tools to abusing HandyPay, which requires no special permissions and is significantly cheaper than commercial NFC relay tools like NFU Pay or TX-NFC. Similar NFC relay malware, such as SuperCard X and KingNFC, are also active in the region, complicating the threat landscape for local financial organizations.

The April 1, 2026, $285 million Drift Protocol loss was part of a broader campaign by North Korea-linked Lazarus Group (TraderTraitor) targeting DeFi protocols. On April 18, 2026, the group executed a $290 million heist against KelpDAO by exploiting its cross-chain verification layer (DVN) via compromised RPC nodes, falsified data injection, and DDoS attacks, laundering funds through Tornado Cash. The attack paused KelpDAO’s rsETH contracts, froze Aave’s rsETH collateral usage, and was isolated to rsETH without broader contagion. Drift Protocol’s Security Council hijacking, attributed to UNC4736 (AppleJeus/Labyrinth Chollima), and KelpDAO’s DVN compromise both align with Lazarus Group’s pattern of sophisticated state-sponsored attacks on DeFi infrastructure.

A counterfeit Ledger Live application distributed through Apple’s App Store for macOS compromised approximately 50 users between April 8–11, 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit application, published under the name ‘Leva Heal Limited,’ tricked users into entering seed/recovery phrases, granting attackers full control over victim wallets and enabling fund transfers to attacker-controlled addresses. The incident is part of a broader Apple App Store infiltration campaign—dubbed FakeWallet by Kaspersky and linked to the SparkKitty operation—that deployed 26 malicious apps impersonating popular wallets (e.g., MetaMask, Coinbase, Trust Wallet) to steal seed phrases and drain crypto assets. Attackers used typosquatting, fake branding, and disguises as games or calculators to bypass regional restrictions and lure users, particularly in China. Apple removed the malicious Ledger Live app after reports emerged and all 26 FakeWallet apps following Kaspersky’s responsible disclosure.

Security researchers disclosed 20 new vulnerabilities across popular serial-to-IP converter models used in industrial networks, including multiple critical remote code execution (RCE) flaws with CVSS ratings up to 9.8. Thousands of additional known vulnerabilities were identified in the underlying software stacks of these devices, which rely on outdated libraries and end-of-life operating systems. Serial-to-IP converters bridge legacy industrial machinery with modern networks, making them critical targets in OT cyberattacks such as the 2015 Ukrainian power grid incident. Despite their role in enabling SCADA and remote monitoring, industry projections indicate the market for these devices will grow over the next decade, exacerbating exposure risks. The research highlights systemic security deficiencies, including unpatched firmware, lack of binary hardening, and exploitable default configurations.

Seiko USA’s website was defaced over the weekend with a ransom demand falsely claiming the theft of its Shopify customer database. Visitors to the Press Lounge section encountered an attacker-controlled page alleging full compromise of Shopify backend systems. The threat actors threatened to publish exfiltrated customer data unless a ransom was paid within 72 hours. The claimed stolen dataset includes names, email addresses, phone numbers, order history, transaction details, shipping addresses, shipping preferences, account creation dates, and customer notes. The attackers provided a specific Shopify account ID to verify contact and instructed Seiko USA to negotiate via an email address added to that account. The defacement was later removed by Seiko USA, but no public confirmation of the incident has been issued.

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into granting remote access via Quick Assist, deploying the A0Backdoor malware. The campaign, linked to the BlackBasta ransomware group, uses sophisticated TTPs including digitally signed MSI installers, DNS MX-based C2 communication, and DLL sideloading with legitimate Microsoft binaries. The attackers have refined their tactics to include multi-stage attack chains, beginning with external Teams chats impersonating IT staff to initiate Quick Assist sessions. After gaining access, they perform reconnaissance, deploy payloads via DLL sideloading with signed applications, and use Windows Remote Management (WinRM) for lateral movement. Targeted exfiltration is conducted using tools like Rclone to transfer sensitive data to external cloud storage, blending malicious activity with legitimate administrative operations.

Research presented at Black Hat Asia 2026 demonstrates that WhatsApp’s design choices allow attackers to silently infer user online activity and extract device metadata without triggering user alerts. By exploiting application-layer message receipts and device fingerprinting mechanisms, threat actors—ranging from low-level scammers to nation-state APTs—can map victims’ online habits, tailor phishing campaigns, or optimize spyware deployment. No zero-day exploit is required; the attack leverages WhatsApp’s existing protocol and features. Meta has acknowledged aspects of the findings and is implementing mitigations, but the core permissive contact policy remains unchanged, continuing to expose 3.5 billion users to potential abuse.

Organizations relying solely on traditional backup strategies face significant operational and financial risks due to prolonged downtime, even when data recovery is possible. Backup solutions, while essential for data restoration, do not maintain business continuity during disruptions caused by hardware failures, accidental deletions, power outages, or ransomware attacks. According to the State of BCDR Report 2025 by Datto, 60% of organizations believed they could recover from downtime in under a day, but only 35% achieved this in practice. With average downtime costs estimated at $9,000 per minute, businesses that lack comprehensive Business Continuity and Disaster Recovery (BCDR) strategies risk substantial revenue loss, reputational damage, and customer attrition. The divergence between backup and BCDR underscores the need for solutions that enable rapid system failover, virtualized operations during recovery, and hybrid cloud backup to mitigate financial and operational impacts.

Tyler Robert Buchanan, a 24-year-old British man identified as a leader of the Scattered Spider cybercrime collective, pleaded guilty in the United States to wire fraud and aggravated identity theft. Buchanan was involved in stealing at least $8 million in cryptocurrency between September 2021 and April 2023 by orchestrating SMS phishing attacks against at least a dozen companies across entertainment, telecommunications, technology, and virtual currency sectors. The stolen credentials were used to hijack email accounts via SIM swapping, enabling unauthorized transfers from victims' cryptocurrency wallets. Buchanan was arrested in June 2024 in Palma de Mallorca, Spain, and has been in U.S. federal custody since April 2025; he is scheduled for sentencing on August 21, 2026, and faces up to 22 years in prison. Scattered Spider, also tracked as 0ktapus, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, is a loose-knit group of English-speaking threat actors, some as young as 16, that coordinates operations via Telegram, Discord, and hacker forums. The group employs social engineering, phishing, MFA bombing, and SIM swapping to breach corporate networks. Some members are also linked to the violent hacking collective "the Com." Since early 2023, Scattered Spider has partnered with Russian ransomware gangs including BlackCat/AlphV, Qilin, and RansomHub. Earlier in 2025, Noah Michael Urban, a key Scattered Spider member known as "King Bob" and "Sosa," was sentenced to 10 years in prison for wire fraud and conspiracy, with restitution totaling $13 million. Urban was arrested in January 2024 and pleaded guilty in April 2024; his actions led to the compromise of over 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. In September 2024, two British teenagers, Thalha Jubair and Owen Flowers, were arrested and pleaded not guilty to charges related to the Transport for London breach and other attacks, with restitution claims exceeding $115 million.

A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions.

Microsoft is continuing to test and roll out File Explorer performance improvements for Windows 11, including preloading for faster launch times and context menu updates to reduce clutter. Recent updates introduce reliability fixes for the explorer.exe process, address bright white flashes in dark mode, and add Xbox mode as a full-screen gaming interface. Changes are being deployed to Insiders in the Release Preview channel running Windows 11 24H2/25H2 with builds 26100.8313 and 26200.8313 (KB5083631). Earlier testing focused on optional preloading of File Explorer to enhance launch performance and reorganizing the context menu into grouped tasks, alongside Startup Boost for Office apps introduced in May 2025.

Microsoft reverted a service update for Microsoft Teams desktop clients after it caused widespread launch failures. Affected users experienced a loading screen hang and an error stating: "We're having trouble loading your message. Try refreshing." The issue stemmed from a regression in the Teams client build caching system that pushed older client builds into an unhealthy state. This impacted Teams users globally, though the exact scope (user count or regions) was not disclosed. Microsoft confirmed the automated recovery system remediated the issue before reverting the update, requiring impacted users to fully quit and restart the Teams client to apply the fix.

The UK’s National Health Service (NHS) is advancing a multi-stakeholder cyber resilience strategy, with the National Cyber Security Centre (NCSC) detailing an 18-month coordinated plan to strengthen defences across the sector. The plan includes piloting Active Cyber Defence 2.0 tools, enhancing software supply chain security via the Software Security Code of Practice, and integrating threat intelligence and vulnerability disclosure processes. The NHS continues to engage suppliers on cybersecurity controls while promoting technical measures such as passkeys, External Attack Surface Management, and sector-wide threat hunting workshops. This effort builds on the January 2026 NHS open letter to suppliers demanding improved cybersecurity standards and follows historic incidents like the 2017 WannaCry attack and the 2024 Synnovis ransomware incident, which disrupted operations and resulted in patient harm.

A sanctioned cryptocurrency exchange operating in Kyrgyzstan, Grinex, reported a $13.2 million theft from Russian customers following a targeted cyber-attack described as highly sophisticated. The exchange attributed the incident to Western intelligence agencies, claiming the operation required unprecedented resources and technology to execute. Grinex suspended operations and filed criminal complaints while providing forensic details and blockchain addresses linked to the theft, including conversion of funds to TRX.

Since June 2025, threat actors have persistently targeted CVE-2023-33538, an authenticated command injection vulnerability affecting several discontinued TP-Link router models including TL-WR940N, TL-WR740N, and TL-WR841N. Attempts to weaponize the flaw have repeatedly failed due to incorrect exploitation techniques, including missing authentication, mis-targeted parameters, and reliance on non-existent BusyBox utilities. Despite publicly available proof-of-concept code since 2023 and inclusion in CISA’s KEV catalog, no successful compromise has been observed. Successful exploitation could have enabled denial-of-service conditions or persistent device access, but observed payloads—linked to Mirai-derived binaries similar to Condi IoT botnet—only achieved ineffective scanning and probing activity.

A phishing campaign continues to abuse Apple’s legitimate infrastructure to deliver callback phishing emails, now exploiting Apple account change notifications to embed fake purchase alerts. Scammers insert phishing text into Apple ID personal information fields, which Apple includes in security alerts sent to users. The emails originate from Apple’s servers ([email protected]), pass SPF, DKIM, and DMARC checks, and are distributed via Apple’s mailing infrastructure, bypassing spam filters and increasing legitimacy. The emails mimic iPhone purchase notifications via PayPal, claiming charges of $899, and prompt recipients to call a provided number to cancel the transaction. These scams aim to trick victims into granting remote access to their computers, enabling theft of funds, deployment of malware, or data theft. The campaign represents an evolution of prior tactics that abused iCloud Calendar invites to send phishing emails from Apple’s servers. Users are advised to treat unexpected account alerts—especially those claiming unauthorized purchases or urging calls to support numbers—with caution, particularly if they did not initiate recent changes.

NIST’s National Vulnerability Database (NVD) has implemented a risk-based enrichment model starting April 15, 2026, deprioritizing enrichment for vulnerabilities reported before March 1, 2026, and focusing on U.S. federal, critical, and actively exploited flaws. All submitted CVEs are cataloged, but those not meeting enrichment criteria are labeled 'Not Scheduled,' replacing the previous 'Deferred' status. NVD no longer provides CVSS scores for CVEs already scored by submitters unless misaligned. The decision follows a 263% increase in CVE submissions from 2020 to 2025 and continued acceleration in 2026, with Q1 2026 submissions nearly one-third higher than Q1 2025. NIST acknowledges its inability to clear the backlog stems from surging submission rates and now accepts enrichment requests via email ([email protected]) for lowest-priority CVEs to address potential oversights. NVD remains a critical resource for vulnerability management but prioritizes real-world exploitability over theoretical severity.

A critical remote code execution vulnerability in protobuf.js, a widely adopted JavaScript implementation of Protocol Buffers used for inter-service communication and structured data handling, has been disclosed. The flaw arises from unsafe dynamic code generation, where the library executes JavaScript functions constructed from untrusted protobuf schemas using the Function() constructor without proper validation of schema-derived identifiers. Attackers can craft malicious schemas containing identifier names that inject arbitrary code, which is executed when the application processes the schema. Successful exploitation allows arbitrary command execution on servers, developer machines, or cloud environments running affected versions, leading to credential theft, database access, and potential lateral movement within infrastructure. The vulnerability impacts protobuf.js versions 8.0.0/7.5.4 and lower, with patches released in 8.0.1, 7.5.5, and subsequent npm updates.

A recent Microsoft Edge browser update introduced a regression that disables the right-click paste option in chats within the Microsoft Teams desktop client. Users report the "Paste" option as greyed out when attempting to paste URLs, text, or images via context menu. The issue impacts both individual and corporate users across Windows and macOS environments. Microsoft has identified the root cause and is deploying a staged fix while monitoring recovery via telemetry. Workarounds include using keyboard shortcuts (Ctrl+C/Ctrl+V or Cmd+C/Cmd+V) to bypass the affected functionality.

NAKIVO Inc. released Backup & Replication v11.2 introducing automated real-time replication, support for VMware vSphere 9 and Proxmox VE 9.0/9.1, OAuth 2.0 email authentication, and expanded ransomware defense features. The update targets enterprise and MSP environments requiring rapid recovery, modern hypervisor compatibility, and hardened backup chains against ransomware and infrastructure failures. Key capabilities include agentless image-based backups with CBT, instant VM recovery, immutable storage across major cloud platforms, and pre-recovery malware scanning. The release coincides with VMware’s licensing transition to vSphere Foundation 9.0, ensuring continuity for organizations migrating environments.

The Payouts King ransomware operation has integrated the QEMU emulator to deploy hidden Alpine Linux virtual machines (VMs) on compromised hosts, enabling attackers to bypass endpoint security controls and execute malicious activities without detection. Using reverse SSH tunnels and scheduled tasks, threat actors associated with the GOLD ENCOUNTER group operate these VMs to harvest credentials, perform Active Directory reconnaissance, and stage data for exfiltration. Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777), Cisco SSL VPNs, and social engineering via Microsoft Teams phishing. The campaign employs multi-stage encryption, toolchain customization, and anti-analysis techniques to maintain persistence and evade detection.

Following a coordinated law enforcement takedown targeting the Tycoon 2FA phishing-as-a-service (PhaaS) operation, threat actors have rapidly redistributed tools, code, and techniques to competing PhaaS platforms including Mamba 2FA, EvilProxy, and Sneaky 2FA. This shift has coincided with a significant increase in device code phishing campaigns, which bypass traditional MFA by exploiting legitimate OAuth 2.0 and device authorization flows. Attackers are repurposing Tycoon 2FA’s artifacts and code—including unique obfuscation methods such as motivational-style comments in source code—to launch new campaigns that trick users into granting persistent account access via device approval prompts. Tycoon 2FA’s operational capacity dropped from over 9 million attacks per month to approximately 2 million following the takedown, but overall phishing activity has not declined proportionally. Instead, the ecosystem has fragmented, with Mamba 2FA nearly doubling its output to over 15 million attacks per month and EvilProxy rising from ~3 million to ~4 million monthly attacks.

A structured guide titled "The Underground Guide to Legit CC Shops: Cutting Through the Bullshit" has been published on underground forums, detailing how threat actors vet and select reliable stolen credit card shops amid an unstable ecosystem. The document shifts focus from using stolen cards to evaluating suppliers, emphasizing survivability, data quality (e.g., fresh BINs, low decline rates), and operational security (e.g., mirror domains, DDoS protection, cryptocurrency usage) as primary criteria for legitimacy. Trust is derived from community validation in closed forums and sustained historical presence rather than isolated testimonials. Technical vetting protocols include domain age, WHOIS privacy, SSL configuration, and social intelligence gathering to detect coordinated endorsement campaigns. The guide also categorizes shops by scale (automated platforms) and exclusivity (boutique vendor groups), reflecting diversification in the underground economy.

Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, marking the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1). Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).

Commercial AI models have reached a milestone in 2026 where all tested systems can autonomously complete vulnerability research tasks and 50% can generate working exploits without manual intervention. In contrast, 55% of models failed basic vulnerability research and 93% failed exploit development in 2025. Leading models such as Claude Opus 4.6 and Kimi K2.5 demonstrate the ability to discover and exploit vulnerabilities using simple prompts, significantly lowering the barrier for inexperienced attackers. Testing by Forescout’s Verde Labs identified four previously unknown zero-day vulnerabilities in OpenNDS, including one missed during prior manual analysis, using a combination of single prompts, the RAPTOR agentic framework, and proprietary extensions. The results underscore the rapid advancement of AI-driven vulnerability discovery and its implications for both offensive and defensive cybersecurity operations.

A live technical webinar scheduled for May 14, 2026, hosted by BleepingComputer in collaboration with Kaseya, will highlight how MSPs can integrate detection, response, and recovery to mitigate phishing-driven incidents that bypass traditional controls. The session emphasizes the operational impact of AI-powered phishing, business email compromise, and ransomware campaigns that leverage trusted SaaS platforms to evade perimeter defenses. It underscores that even when threats are detected, insufficient recovery planning and delayed response can escalate incidents into prolonged outages, increasing data theft, account takeover, and ransomware risks.

Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.

McGraw-Hill confirmed a data breach affecting 13.5 million user accounts after ShinyHunters exploited a Salesforce environment misconfiguration to steal and leak non-sensitive data, including names, addresses, phone numbers, and email addresses. The company stated the breach did not impact its core Salesforce accounts, customer databases, courseware, or internal systems, though ShinyHunters claimed possession of 45 million records with PII. The affected webpages were secured promptly, and McGraw-Hill is collaborating with Salesforce to remediate the issue. Have I Been Pwned verified the leak of over 100GB of data tied to 13.5 million accounts. The incident remains distinct from a separate, unverified claim by a threat actor posing as ShinyHunters, who alleges breaching Vercel and selling stolen data, including API keys and employee records. Vercel has disclosed the incident and is investigating with law enforcement and incident response experts, while denying any impact to services.