A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions.

Microsoft is continuing to test and roll out File Explorer performance improvements for Windows 11, including preloading for faster launch times and context menu updates to reduce clutter. Recent updates introduce reliability fixes for the explorer.exe process, address bright white flashes in dark mode, and add Xbox mode as a full-screen gaming interface. Changes are being deployed to Insiders in the Release Preview channel running Windows 11 24H2/25H2 with builds 26100.8313 and 26200.8313 (KB5083631). Earlier testing focused on optional preloading of File Explorer to enhance launch performance and reorganizing the context menu into grouped tasks, alongside Startup Boost for Office apps introduced in May 2025.

Microsoft reverted a service update for Microsoft Teams desktop clients after it caused widespread launch failures. Affected users experienced a loading screen hang and an error stating: "We're having trouble loading your message. Try refreshing." The issue stemmed from a regression in the Teams client build caching system that pushed older client builds into an unhealthy state. This impacted Teams users globally, though the exact scope (user count or regions) was not disclosed. Microsoft confirmed the automated recovery system remediated the issue before reverting the update, requiring impacted users to fully quit and restart the Teams client to apply the fix.

The UK’s National Health Service (NHS) is advancing a multi-stakeholder cyber resilience strategy, with the National Cyber Security Centre (NCSC) detailing an 18-month coordinated plan to strengthen defences across the sector. The plan includes piloting Active Cyber Defence 2.0 tools, enhancing software supply chain security via the Software Security Code of Practice, and integrating threat intelligence and vulnerability disclosure processes. The NHS continues to engage suppliers on cybersecurity controls while promoting technical measures such as passkeys, External Attack Surface Management, and sector-wide threat hunting workshops. This effort builds on the January 2026 NHS open letter to suppliers demanding improved cybersecurity standards and follows historic incidents like the 2017 WannaCry attack and the 2024 Synnovis ransomware incident, which disrupted operations and resulted in patient harm.

A sanctioned cryptocurrency exchange operating in Kyrgyzstan, Grinex, reported a $13.2 million theft from Russian customers following a targeted cyber-attack described as highly sophisticated. The exchange attributed the incident to Western intelligence agencies, claiming the operation required unprecedented resources and technology to execute. Grinex suspended operations and filed criminal complaints while providing forensic details and blockchain addresses linked to the theft, including conversion of funds to TRX.

Since June 2025, threat actors have persistently targeted CVE-2023-33538, an authenticated command injection vulnerability affecting several discontinued TP-Link router models including TL-WR940N, TL-WR740N, and TL-WR841N. Attempts to weaponize the flaw have repeatedly failed due to incorrect exploitation techniques, including missing authentication, mis-targeted parameters, and reliance on non-existent BusyBox utilities. Despite publicly available proof-of-concept code since 2023 and inclusion in CISA’s KEV catalog, no successful compromise has been observed. Successful exploitation could have enabled denial-of-service conditions or persistent device access, but observed payloads—linked to Mirai-derived binaries similar to Condi IoT botnet—only achieved ineffective scanning and probing activity.

A phishing campaign continues to abuse Apple’s legitimate infrastructure to deliver callback phishing emails, now exploiting Apple account change notifications to embed fake purchase alerts. Scammers insert phishing text into Apple ID personal information fields, which Apple includes in security alerts sent to users. The emails originate from Apple’s servers ([email protected]), pass SPF, DKIM, and DMARC checks, and are distributed via Apple’s mailing infrastructure, bypassing spam filters and increasing legitimacy. The emails mimic iPhone purchase notifications via PayPal, claiming charges of $899, and prompt recipients to call a provided number to cancel the transaction. These scams aim to trick victims into granting remote access to their computers, enabling theft of funds, deployment of malware, or data theft. The campaign represents an evolution of prior tactics that abused iCloud Calendar invites to send phishing emails from Apple’s servers. Users are advised to treat unexpected account alerts—especially those claiming unauthorized purchases or urging calls to support numbers—with caution, particularly if they did not initiate recent changes.

NIST’s National Vulnerability Database (NVD) has implemented a risk-based enrichment model starting April 15, 2026, deprioritizing enrichment for vulnerabilities reported before March 1, 2026, and focusing on U.S. federal, critical, and actively exploited flaws. All submitted CVEs are cataloged, but those not meeting enrichment criteria are labeled 'Not Scheduled,' replacing the previous 'Deferred' status. NVD no longer provides CVSS scores for CVEs already scored by submitters unless misaligned. The decision follows a 263% increase in CVE submissions from 2020 to 2025 and continued acceleration in 2026, with Q1 2026 submissions nearly one-third higher than Q1 2025. NIST acknowledges its inability to clear the backlog stems from surging submission rates and now accepts enrichment requests via email ([email protected]) for lowest-priority CVEs to address potential oversights. NVD remains a critical resource for vulnerability management but prioritizes real-world exploitability over theoretical severity.

A critical remote code execution vulnerability in protobuf.js, a widely adopted JavaScript implementation of Protocol Buffers used for inter-service communication and structured data handling, has been disclosed. The flaw arises from unsafe dynamic code generation, where the library executes JavaScript functions constructed from untrusted protobuf schemas using the Function() constructor without proper validation of schema-derived identifiers. Attackers can craft malicious schemas containing identifier names that inject arbitrary code, which is executed when the application processes the schema. Successful exploitation allows arbitrary command execution on servers, developer machines, or cloud environments running affected versions, leading to credential theft, database access, and potential lateral movement within infrastructure. The vulnerability impacts protobuf.js versions 8.0.0/7.5.4 and lower, with patches released in 8.0.1, 7.5.5, and subsequent npm updates.

A recent Microsoft Edge browser update introduced a regression that disables the right-click paste option in chats within the Microsoft Teams desktop client. Users report the "Paste" option as greyed out when attempting to paste URLs, text, or images via context menu. The issue impacts both individual and corporate users across Windows and macOS environments. Microsoft has identified the root cause and is deploying a staged fix while monitoring recovery via telemetry. Workarounds include using keyboard shortcuts (Ctrl+C/Ctrl+V or Cmd+C/Cmd+V) to bypass the affected functionality.

NAKIVO Inc. released Backup & Replication v11.2 introducing automated real-time replication, support for VMware vSphere 9 and Proxmox VE 9.0/9.1, OAuth 2.0 email authentication, and expanded ransomware defense features. The update targets enterprise and MSP environments requiring rapid recovery, modern hypervisor compatibility, and hardened backup chains against ransomware and infrastructure failures. Key capabilities include agentless image-based backups with CBT, instant VM recovery, immutable storage across major cloud platforms, and pre-recovery malware scanning. The release coincides with VMware’s licensing transition to vSphere Foundation 9.0, ensuring continuity for organizations migrating environments.

The Payouts King ransomware operation has integrated the QEMU emulator to deploy hidden Alpine Linux virtual machines (VMs) on compromised hosts, enabling attackers to bypass endpoint security controls and execute malicious activities without detection. Using reverse SSH tunnels and scheduled tasks, threat actors associated with the GOLD ENCOUNTER group operate these VMs to harvest credentials, perform Active Directory reconnaissance, and stage data for exfiltration. Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777), Cisco SSL VPNs, and social engineering via Microsoft Teams phishing. The campaign employs multi-stage encryption, toolchain customization, and anti-analysis techniques to maintain persistence and evade detection.

Following a coordinated law enforcement takedown targeting the Tycoon 2FA phishing-as-a-service (PhaaS) operation, threat actors have rapidly redistributed tools, code, and techniques to competing PhaaS platforms including Mamba 2FA, EvilProxy, and Sneaky 2FA. This shift has coincided with a significant increase in device code phishing campaigns, which bypass traditional MFA by exploiting legitimate OAuth 2.0 and device authorization flows. Attackers are repurposing Tycoon 2FA’s artifacts and code—including unique obfuscation methods such as motivational-style comments in source code—to launch new campaigns that trick users into granting persistent account access via device approval prompts. Tycoon 2FA’s operational capacity dropped from over 9 million attacks per month to approximately 2 million following the takedown, but overall phishing activity has not declined proportionally. Instead, the ecosystem has fragmented, with Mamba 2FA nearly doubling its output to over 15 million attacks per month and EvilProxy rising from ~3 million to ~4 million monthly attacks.

A structured guide titled "The Underground Guide to Legit CC Shops: Cutting Through the Bullshit" has been published on underground forums, detailing how threat actors vet and select reliable stolen credit card shops amid an unstable ecosystem. The document shifts focus from using stolen cards to evaluating suppliers, emphasizing survivability, data quality (e.g., fresh BINs, low decline rates), and operational security (e.g., mirror domains, DDoS protection, cryptocurrency usage) as primary criteria for legitimacy. Trust is derived from community validation in closed forums and sustained historical presence rather than isolated testimonials. Technical vetting protocols include domain age, WHOIS privacy, SSL configuration, and social intelligence gathering to detect coordinated endorsement campaigns. The guide also categorizes shops by scale (automated platforms) and exclusivity (boutique vendor groups), reflecting diversification in the underground economy.

Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, marking the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1). Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).

Commercial AI models have reached a milestone in 2026 where all tested systems can autonomously complete vulnerability research tasks and 50% can generate working exploits without manual intervention. In contrast, 55% of models failed basic vulnerability research and 93% failed exploit development in 2025. Leading models such as Claude Opus 4.6 and Kimi K2.5 demonstrate the ability to discover and exploit vulnerabilities using simple prompts, significantly lowering the barrier for inexperienced attackers. Testing by Forescout’s Verde Labs identified four previously unknown zero-day vulnerabilities in OpenNDS, including one missed during prior manual analysis, using a combination of single prompts, the RAPTOR agentic framework, and proprietary extensions. The results underscore the rapid advancement of AI-driven vulnerability discovery and its implications for both offensive and defensive cybersecurity operations.

A live technical webinar scheduled for May 14, 2026, hosted by BleepingComputer in collaboration with Kaseya, will highlight how MSPs can integrate detection, response, and recovery to mitigate phishing-driven incidents that bypass traditional controls. The session emphasizes the operational impact of AI-powered phishing, business email compromise, and ransomware campaigns that leverage trusted SaaS platforms to evade perimeter defenses. It underscores that even when threats are detected, insufficient recovery planning and delayed response can escalate incidents into prolonged outages, increasing data theft, account takeover, and ransomware risks.

Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.

A high-severity unauthenticated remote code execution (RCE) vulnerability (CVE-2026-34197) affects Apache ActiveMQ Classic, enabling attackers to execute arbitrary OS commands by abusing the Jolokia API. The flaw impacts versions prior to 5.19.4 and all versions from 6.0.0 to 6.2.3. The vulnerability was discovered using Anthropic’s Claude AI and reported by Horizon3’s Naveen Sunkavally to Apache on March 22, 2026. It was patched on March 30, 2026 in versions 5.19.4 and 6.2.3, though exploitation indicators have now emerged. CISA has added CVE-2026-34197 to its Known Exploited Vulnerabilities Catalog and ordered U.S. federal agencies to remediate within two weeks. ShadowServer reports over 7,500 exposed ActiveMQ servers online. Exploitation leaves traces in broker logs showing vm:// transport connections with brokerConfig=xbean:http:// query parameters and configuration warnings indicating payload execution.

Microsoft has confirmed that non-Global Catalog Windows domain controllers running April 2026 security updates (KB5082063) are entering reboot loops due to Local Security Authority Subsystem Service (LSASS) crashes during startup. The issue affects environments using Privileged Access Management (PAM) and disrupts authentication and directory services, potentially rendering domains unavailable. Affected platforms include Windows Server 2025, 2022, 23H2, 2019, and 2016. Microsoft is investigating and recommends contacting Support for Business for mitigation measures.

A credential stuffing attack on a fantasy sports betting platform compromised nearly 68,000 accounts and resulted in financial losses exceeding $635,000. Three defendants—Nathan Austad, Joseph Garrison, and Kamerin Stokes—have pleaded guilty or been sentenced in connection with the breach. Austad and Garrison used stolen credentials from multiple breaches to gain unauthorized access, sell compromised accounts, and launder proceeds totaling over $2.1 million. Stokes, who resold access in bulk, was sentenced to 30 months in prison and ordered to pay over $1.45 million in restitution and forfeiture after reopening his criminal enterprise despite prior guilty pleas and pretrial release violations. The attack occurred in November 2022 and exploited a new payment method and $5 deposit verification to drain funds rapidly. DraftKings subsequently refunded affected users. Investigations revealed coordinated operations spanning DraftKings, FanDuel, and Chick-fil-A accounts, with Stokes running online ‘shops’ for years prior to his arrest.

The RapperBot botnet, operated by Ethan Foltz, has been disrupted as part of the broader international Operation PowerOFF, which has now identified over 75,000 DDoS-for-hire users and taken down 53 domains across 21 countries. The operation, supported by Europol, has arrested four individuals, dismantled illegal booter services, and is transitioning into a prevention phase to curb future misuse. RapperBot has been responsible for over 370,000 DDoS attacks on victims in over 80 countries since 2021, primarily targeting U.S. government systems, major media platforms, gaming companies, and large tech firms. The botnet, also known as Eleven Eleven Botnet and CowBot, infected DVRs and Wi-Fi routers to launch attacks and mine Monero. Foltz was charged with aiding and abetting computer intrusions, and the botnet’s command-and-control infrastructure was seized in August 2025. The botnet added a cryptomining module in 2023 and conducted attacks ranging from several terabits to over 1 billion packets per second, with the largest exceeding 6 Tbps. Operation PowerOFF’s latest actions build on prior phases that dismantled key infrastructure and seized databases with over 3 million criminal accounts.

A new operational technology (OT)-focused malware named ZionSiphon has been identified with capabilities to manipulate water treatment and desalination systems in Israel. The malware contains sabotage logic designed to increase chlorine levels to dangerous concentrations and adjust hydraulic pressures via a function named 'IncreaseChlorineLevel().' It also includes a flawed encryption-based validation mechanism that currently prevents execution, triggering a self-destruct routine instead. Targeting is confirmed by IP range checks and OT software detection, though an XOR-based logic error causes these checks to fail. The malware’s current iteration remains non-functional, but researchers warn that a minor fix could activate its destructive payload.

A proof-of-concept exploit for a previously undisclosed Microsoft Defender local privilege escalation (LPE) zero-day tracked as "RedSun" has been published, enabling SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server systems with Defender enabled. The vulnerability leverages Defender’s cloud file handling behavior to overwrite critical system binaries via the Cloud Files API, exploiting a race condition in volume shadow copy operations and junction points to redirect file rewrites to an attacker-controlled executable in a protected system directory. The disclosure follows a second Microsoft Defender zero-day exploit ("BlueHammer", CVE-2026-33825) published by the same researcher within two weeks, both intended as protest against Microsoft’s handling of vulnerability disclosures with the MSRC.

A signed adware ecosystem from Dragon Boss Solutions LLC leveraging browsers like Chromstera and Artificius deployed SYSTEM-level antivirus-killing scripts via an abused Advanced Installer update mechanism across at least 23,500 hosts in 124 countries. The campaign’s malicious payload was pushed globally on March 22, 2025, using AI-assisted scripts to disable protections for ESET, McAfee, Kaspersky, and Malwarebytes while establishing persistence via scheduled tasks and Windows Defender exclusions. The primary update domain (chromsterabrowser[.]com) remained unregistered until researchers sinkholed it, exposing a latent risk where arbitrary payloads could have been delivered to already compromised systems. High-value targets included government entities, OT networks in energy/transport, 221 higher education institutions, 35 municipal governments, and Fortune 500 networks, with some infections dating back to 2022.

A pre-authenticated remote code execution (RCE) vulnerability in Marimo, tracked as CVE-2026-39987 (CVSS 9.3), was exploited in the wild within hours of public disclosure, enabling attackers to gain full PTY shells on exposed instances via the unauthenticated /terminal/ws WebSocket endpoint. The flaw, affecting Marimo versions prior to 0.23.0, initially led to rapid, human-driven exploitation campaigns focused on credential theft. Recent attacks have expanded to deploy a new NKAbuse malware variant hosted on Hugging Face Spaces, using typosquatted repositories to evade detection and establish persistent remote access. Additional exploitation activity includes sophisticated lateral movement, such as reverse-shell techniques and database enumeration, indicating a shift toward multi-stage attacks beyond initial credential harvesting. Threat actors validated the vulnerability within seconds, harvested credentials in under three minutes, and conducted reconnaissance from 125 IP addresses within the first 12 hours post-disclosure. GitHub assessed the flaw with a critical CVSS score of 9.3, and Marimo developers confirmed impact on instances deployed as editable notebooks or exposed via --host 0.0.0.0 in edit mode.

North Korean state actors continue to exploit fake employee schemes to infiltrate companies, particularly in blockchain and technology sectors, funneling stolen virtual currency and funds to North Korea's weapons program. The practice has escalated with remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has evolved into three distinct hacking groups: Labyrinth Chollima (cyber espionage targeting industrial, logistics, and defense), Golden Chollima (smaller-scale cryptocurrency theft), and Pressure Chollima (high-value heists). Each group uses distinct toolsets derived from the same malware framework used by Labyrinth Chollima in the 2000s and 2011s. A joint investigation uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division, with researchers capturing live activity of Lazarus operators on sandboxed laptops. The scheme, tracked as Jasper Sleet, PurpleDelta, and Wagemole, involves stealing or borrowing identities, using AI tools for interviews, and funneling salaries to the DPRK. Thousands of North Korean IT workers have infiltrated companies over the past two years, exploiting hiring processes and remote work environments. The U.S. Treasury has sanctioned individuals and entities involved, while Japan, South Korea, and the U.S. collaborate to combat the threat. Five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes, and two additional U.S. nationals, Kejia Wang and Zhenxing Wang, have now been sentenced to prison for operating a 'laptop farm' that facilitated the infiltration of over 100 companies, generating $5 million in illicit revenue and causing $3 million in damages to victim companies.

A widespread evasion technique involving deliberate APK malformation has been documented in more than 3,000 malicious Android samples spanning families such as Teabot, TrickMo, Godfather, and SpyNote. The technique manipulates APK structure (e.g., Local File Header vs Central Directory inconsistencies) to break static analysis pipelines while remaining installable and functional on Android devices. Static analysis tools including JADX crash or misinterpret malformed APKs, whereas the native Android installer tolerates inconsistencies, enabling malware to evade detection and complicate reverse engineering efforts.

Google has expanded the use of its Gemini AI models to detect and block malicious advertisements on its ad platforms, addressing a surge in sophisticated malvertising campaigns. In 2025, the company removed or blocked 8.3 billion ads and suspended 24.9 million advertiser accounts, including 602 million ads linked to scams. Threat actors are leveraging generative AI to scale deceptive advertising techniques, including cloaking, phishing, malware distribution, and cryptocurrency theft. These campaigns often impersonate legitimate services such as Google Authenticator and Homebrew, or pose as cryptocurrency platforms to drain wallets. Google’s AI-driven detection now analyzes advertiser behavior, campaign patterns, and intent in real time, enabling instant review and blocking of harmful content at submission.

McGraw-Hill confirmed a data breach affecting 13.5 million user accounts after ShinyHunters exploited a Salesforce environment misconfiguration to steal and leak non-sensitive data, including names, addresses, phone numbers, and email addresses. The company stated the breach did not impact its core Salesforce accounts, customer databases, courseware, or internal systems, though ShinyHunters claimed possession of 45 million records with PII. The affected webpages were secured promptly, and McGraw-Hill is collaborating with Salesforce to remediate the issue. Have I Been Pwned verified the leak of over 100GB of data tied to 13.5 million accounts. The incident remains distinct from a separate, unverified claim by a threat actor posing as ShinyHunters, who alleges breaching Vercel and selling stolen data, including API keys and employee records. Vercel has disclosed the incident and is investigating with law enforcement and incident response experts, while denying any impact to services.