{"id":607,"date":"2026-04-20T16:02:44","date_gmt":"2026-04-20T16:02:44","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/20\/vercel-hack-push-fraud-qemu-abused-new-android-rats-emerge-more-cyberdefensa-mx\/"},"modified":"2026-04-20T16:02:44","modified_gmt":"2026-04-20T16:02:44","slug":"vercel-hack-push-fraud-qemu-abused-new-android-rats-emerge-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/20\/vercel-hack-push-fraud-qemu-abused-new-android-rats-emerge-more-cyberdefensa-mx\/","title":{"rendered":"Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge &#038; More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Monday\u2019s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It\u2019s not breaking systems\u2014it\u2019s bending trust.<\/p>\n<p>There\u2019s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cases hint at supply-chain spread, where one weak link reaches further than expected.<\/p>\n<p>Go through the whole recap. The pattern across access, execution, and control only shows up when you see it all together.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Vercel Discloses Data Breach<\/strong>\u2014Web infrastructure provider Vercel has disclosed a security breach that allowed bad actors to gain unauthorized access to \u00abcertain\u00bb internal Vercel systems. 
The incident originated from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, which was used by an employee at the company, it added. \u00abThe attacker used that access to take over the employee\u2019s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as \u2018sensitive,&#8217;\u00bb the company said. It\u2019s currently not known who is behind the incident, but a threat actor using the ShinyHunters persona has claimed responsibility for the hack. Context.ai also disclosed a March 2026 incident involving unauthorized access to its AWS environment. However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users. Furthermore, Hudson Rock uncovered that a Context.ai employee was compromised with Lumma Stealer in February 2026, raising the possibility that the infection may have triggered the \u00absupply chain escalation.\u00bb<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/operation-poweroff-seizes-53-ddos.html\">Law Enforcement Operation Brings Down DDoS-for-Hire Operation<\/a><\/strong>\u2014Law enforcement agencies across Europe, the U.S., and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to target websites and knock them offline. As part of the effort, authorities took down 53 domains, arrested four people, and sent warning notifications to thousands of criminal users. The U.S. Justice Department said court-authorized actions were undertaken to disrupt Vac Stresser and Mythical Stress. The actions are a persistent cat-and-mouse game, as booted services often reappear under new names and domains despite repeated takedowns. 
While these disruptions tend to have short-term results, the resilience of the criminal activity indicates that arrests need to be combined with infrastructure seizures, financial disruption, and user deterrence for lasting impact.<\/li>\n<li><strong>Newly Discovered PowMix Botnet Hits Czech Workers<\/strong>\u2014An active malicious campaign is targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. \u00abPowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections,\u00bb Cisco Talos said. The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence by means of a scheduled task. At the same time, it verifies the process tree to ensure that another instance of the same malware is not running on the compromised host.<\/li>\n<li><strong>AI-Driven Pushpaganda Exploits Google Discover for Ad Fraud<\/strong>\u2014A novel ad fraud scheme has been found to leverage search engine optimization (SEO) poisoning techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google\u2019s Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams. The Pushpaganda campaign has been found to target the personalized content feeds of Android and Chrome users. \u00abThis operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages,\u00bb HUMAN Security said. 
Google has since rolled out fixes and algorithmic updates to address the issue.<\/li>\n<li><strong>Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT<\/strong>\u2014A social engineering campaign has abused Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Elastic Security Labs is tracking the activity under the name REF6598. It employs elaborate social engineering tactics through LinkedIn and Telegram to breach both Windows and macOS systems by tricking victims into opening a cloud-hosted vault in Obsidian. PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its C2 server. On macOS, the attack is used to deliver an unspecified payload.<\/li>\n<li><strong>CPUID Downloads Hijacked to Serve STX RAT<\/strong>\u2014Unknown threat actors <a href=\"https:\/\/gist.github.com\/N3mes1s\/b5b0b96782b9f832819d2db7c6684f84\">hijacked<\/a> the official CPUID download page to serve trojanized installers that ultimately led to the deployment of STX RAT, a remote access trojan with infostealer capabilities. The attack did not compromise CPUID\u2019s original signed binaries; instead, the threat actors served their own trojanized packages via a redirect. \u00abThe threat actor compromised the official CPUID download page to serve a trojanized package, employing DLL sideloading as the initial execution vector followed by a layered, five-stage in-memory unpacking chain designed to evade detection,\u00bb Cyderes <a href=\"https:\/\/www.cyderes.com\/howler-cell\/how-cpuids-hwmonitor-supply-chain-was-hijacked-to-deploy-stx-rat\">said<\/a>. 
\u00abThe use of a timestomped compilation timestamp, reflective PE loading, and exclusively in-memory payload execution demonstrates a deliberate effort to hinder forensic analysis and bypass traditional security controls.\u00bb<\/li>\n<li><strong>108 Malicious Chrome Extensions Steal Google and Telegram Data<\/strong>\u2014A cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited. The extensions provide the expected functionality to avoid raising red flags, but malicious code running in the background connects to the threat actor\u2019s C2 server to perform the nefarious activities. At the center of the campaign is a backend hosted on a Contabo virtual private server (VPS), with multiple subdomains handling session hijacking, identity collection, command execution, and monetization operations. There is evidence indicating a Russian malware-as-a-service (MaaS) operation, based on the presence of a payment and monetization portal in its C2 infrastructure.<\/li>\n<li><strong>OpenAI Launches GPT-5.4-Cyber<\/strong>\u2014OpenAI announced a new model, GPT-5.4-Cyber, specifically designed for use by digital defenders. Artificial intelligence (AI) companies have repeatedly warned that more capable AI models could create an opening for bad actors to exploit vulnerabilities and security gaps in software with new speed and intensity. Unlike Anthropic, which said its new Claude Mythos model is only being privately released to a small number of trusted organizations due to concerns that it could be exploited by adversaries, OpenAI said \u00abthe class of safeguards in use today sufficiently reduce cyber risk enough to support broad deployment of current models,\u00bb but hinted at the need for more advanced protections in the long term. 
Defending critical software has long depended on the ability to find and fix vulnerabilities faster than attackers can exploit them. GPT-5.4-Cyber has a lower refusal boundary for legitimate cybersecurity work than standard GPT-5.4. It adds capabilities aimed at advanced defensive workflows, including binary reverse engineering. \u00abWe don\u2019t think it\u2019s practical or appropriate to centrally decide who gets to defend themselves,\u00bb OpenAI stated. \u00abInstead, we aim to enable as many legitimate defenders as possible, with access grounded in verification, trust signals, and accountability.\u00bb The use of AI for vulnerability discovery and analysis means that the barrier to entry for attackers is collapsing. Bad actors could ask an AI model to analyze differences between two versions of a binary and generate an exploit at a faster rate. Rob T. Lee, chief of research at the SANS Institute, <a href=\"https:\/\/x.com\/robtlee\/status\/2044241744296820786\">said<\/a> the debut of Mythos and GPT-5.4-Cyber is \u00abnothing more than one vendor trying to one-up another,\u00bb adding, \u00abWe need to start benchmarking how one AI model is able to find code vulnerabilities over another and how quickly they are doing it. There are real risks at stake here.\u00bb At the same time, researchers from <a href=\"https:\/\/aisle.com\/blog\/system-over-model-zero-day-discovery-at-the-jagged-frontier\">AISLE<\/a> and <a href=\"https:\/\/go.xint.io\/xint-mythos-appsec-findings-report\">Xint<\/a> found that it\u2019s possible to replicate Mythos\u2019s results with smaller, cheaper models. \u00abThe critical variable in AI vulnerability discovery is not the model alone,\u00bb Xint said. 
\u00abIt is the structured system that decides where to look, validates that findings are real and exploitable, eliminates false positives, and delivers actionable remediation.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first \u2014 CVE-2026-20184 (Cisco Webex Services), CVE-2026-20147 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2026-20180, CVE-2026-20186 (Cisco Identity Services Engine), CVE-2026-33032 (nginx-ui), CVE-2026-32201 (Microsoft SharePoint Server), CVE-2026-27304 (Adobe ColdFusion), CVE-2026-39813, CVE-2026-39808 (Fortinet FortiSandbox), CVE-2026-40176, CVE-2026-40261 (Composer), CVE-2025-0520 (ShowDoc), <a href=\"https:\/\/github.com\/kyverno\/kyverno\/security\/advisories\/GHSA-8p9x-46gm-qfx2\">CVE-2026-22039<\/a> (<a href=\"https:\/\/orca.security\/resources\/blog\/kyverno-ssrf-vulnerability-cve-2026-4789\/\">Kyverno<\/a>), <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/april-2026.html\">CVE-2026-27681<\/a> (SAP Business Planning and Consolidation and Business Warehouse), <a href=\"https:\/\/www.striga.ai\/research\/tomcat-tribes-unauth-rce\">CVE-2026-34486<\/a>, <a href=\"https:\/\/lists.apache.org\/thread\/9510k5p5zdvt9pkkgtyp85mvwxo2qrly\">CVE-2026-29146<\/a> (Apache Tomcat), <a href=\"https:\/\/www.aikido.dev\/blog\/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable\">CVE-2026-40175<\/a> (Axios), <a href=\"https:\/\/cymulate.com\/blog\/cve-2026-32196-one-click-rce-windows-admin-center\/\">CVE-2026-32196<\/a> (Microsoft Windows Admin Center), <a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0403\">CVE-2026-20204<\/a> (Splunk 
Enterprise), <a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0407\">CVE-2026-20205<\/a> (Splunk MCP Server), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/04\/stable-channel-update-for-desktop_15.html\">CVE-2026-6296, CVE-2026-6297, CVE-2026-6298, CVE-2026-6299, CVE-2026-6358<\/a>, <a href=\"https:\/\/www.hacktron.ai\/blog\/i-let-claude-opus-to-write-me-a-chrome-exploit\">CVE-2026-5873<\/a> (Google Chrome), <a href=\"https:\/\/tails.net\/news\/version_7.6.2\/\">CVE-2026-34078<\/a> (Tails), <a href=\"https:\/\/helpx.adobe.com\/security\/products\/acrobat\/apsb26-44.html\">CVE-2026-34622<\/a> (Adobe Acrobat Reader), <a href=\"https:\/\/www.strix.ai\/blog\/where-others-missed-it-etcd-auth-bypass\">CVE-2026-33413<\/a> (etcd), <a href=\"https:\/\/www.cyfirma.com\/research\/cve-2026-1492-wordpress-user-registration-membership-authentication-bypass-flaw\/\">CVE-2026-1492<\/a> (User Registration &amp; Membership plugin), <a href=\"https:\/\/support.hpe.com\/hpesc\/public\/docDisplay?docId=hpesbnw05032en_us&amp;docLocale=en_US\">CVE-2026-23818<\/a> (HPE Aruba Networking Private 5G Core On-Prem), <a href=\"https:\/\/oasis-security.io\/blog\/260128-Magento-CVE\">CVE-2025-54236<\/a> (Magento), <a href=\"https:\/\/github.com\/TryGhost\/Ghost\/security\/advisories\/GHSA-w52v-v783-gw97\">CVE-2026-26980<\/a> (Ghost CMS), <a href=\"https:\/\/github.com\/advisories\/GHSA-xjw8-8c5c-9r79\">CVE-2026-40478<\/a> (<a href=\"https:\/\/www.endorlabs.com\/learn\/its-about-thyme-how-a-whitespace-character-broke-thymeleafs-expression-sandbox-cve-2026-40478\">Thymeleaf<\/a>), <a href=\"https:\/\/github.com\/protobufjs\/protobuf.js\/security\/advisories\/GHSA-xq3m-2v4x-88gg\">CVE-2026-41242<\/a> (<a href=\"https:\/\/www.endorlabs.com\/learn\/the-dangers-of-reusing-protobuf-definitions-critical-code-execution-in-protobuf-js-ghsa-xq3m-2v4x-88gg\">protobufjs<\/a>), <a 
href=\"https:\/\/github.com\/mailcow\/mailcow-dockerized\/security\/advisories\/GHSA-r8fq-wrfm-cj2q\">CVE-2026-40871<\/a> (<a href=\"https:\/\/github.com\/lukehebe\/Vulnerability-Disclosures\/blob\/main\/CVE-2026-40871.md\">Mailcow<\/a>), <a href=\"https:\/\/aws.amazon.com\/security\/security-bulletins\/2026-015-aws\/\">CVE-2026-5747<\/a> (AWS Firecracker), and <a href=\"https:\/\/medium.com\/workday-engineering\/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d\">CVE-2025-50892<\/a> (eudskacs.sys).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/state-of-ai-security?source=recap\">The Force Awakens in AppSec: Rethinking Mythos &amp; Organizational Defenses at AI Speed<\/a> \u2192 This webinar explores how AI-powered hacking is making traditional security patching too slow to be effective. It focuses on the \u00abpatch gap\u00bb\u2014 the dangerous time between a bug being found and fixed\u2014and offers a new way to prioritize vulnerabilities based on real-world risk. The session provides practical strategies for security leaders to defend against automated, high-speed attacks.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/agentic-exposure-validation?source=recap\">The Rise of the Agent: Moving to Autonomous Exposure Validation<\/a> \u2192 This webinar explores how \u00abagentic\u00bb AI is changing security testing by using autonomous AI agents to simulate real-world attacks. Unlike traditional scanners, these tools continuously find and validate which security gaps are actually reachable by hackers. 
The session focuses on moving from slow, manual checks to automated exposure validation to stay ahead of AI-driven threats.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>Vect Partners with BreachForums and TeamPCP <\/strong>\u2014Dataminr revealed that the Vect ransomware group has formalized partnerships with the BreachForums cybercrime marketplace and TeamPCP hacking group. The partnership will allow BreachForums members to deploy ransomware and will use the victims of TeamPCP\u2019s supply chain attacks to attack organizations that are in a vulnerable state. \u00abBetween the two partnerships, Vect will lower the barrier to entry for ransomware actors, incentivize group members to carry out attacks, and exploit pre-existing breaches to broaden impact,\u00bb the company <a href=\"https:\/\/www.dataminr.com\/resources\/intel-brief\/vect-breachforums-teampcp-converge-in-unprecedented-affiliate-mobilizatio\/\">said<\/a>. \u00abThe convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment.\u00bb<\/li>\n<li><strong>MuddyWater Targets Global Organizations via Microsoft Teams <\/strong>\u2014The Iranian hacking group known as MuddyWater has been observed using targeted social engineering to approach targets via Microsoft Teams by masquerading as IT support staff to trick them into running a botnet malware called Tsundere (aka Dindoor). \u00abA notable aspect of this intrusion was the abuse of Deno, a legitimate JavaScript and TypeScript runtime typically used for backend application development,\u00bb CyberProof <a href=\"https:\/\/www.cyberproof.com\/blog\/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams\/\">said<\/a>. 
\u00abThe attacker leveraged deno.exe to execute a highly obfuscated, Base64\u2011encoded payload \u2014 tracked as DINODANCE \u2014 directly in memory, minimizing on-disk artifacts and complicating detection.\u00bb Once decoded, the malware establishes C2 communications with a remote server, exfiltrating basic host metadata such as username, hostname, and operating system details.<\/li>\n<li><strong>Multi-Stage Intrusion Drops Direct-Sys Loader and CGrabber Stealer <\/strong>\u2014An attack chain involving ZIP archives distributed through GitHub user attachment URLs is abusing DLL side-loading to deliver a malware loader called Direct-Sys Loader, which performs anti-analysis checks and then drops CGrabber. The malware, for its part, avoids infecting machines running in the Commonwealth of Independent States (CIS) countries and collects browser credentials, crypto wallet data, password manager data, and a broad range of application artifacts. \u00abBy skipping execution on machines in those regions, they reduce the risk of attracting attention from local law enforcement and avoid targeting their own infrastructure or allies,\u00bb Cyderes <a href=\"https:\/\/www.cyderes.com\/howler-cell\/direct-sys-loader-cgrabber-stealer-five-stage-malware-chain\">said<\/a>. \u00abThe Direct-Sys Loader and CGrabber Stealer represent a cohesive, multi-stage, stealth-focused malware ecosystem engineered with advanced detection-evasion capabilities.\u00bb<\/li>\n<li><strong>Russian Hackers Target Ukrainian Agencies <\/strong>\u2014Threat actors linked to Russia broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months, Reuters <a href=\"https:\/\/www.reuters.com\/world\/russia-linked-hackers-compromised-scores-ukrainian-prosecutors-email-accounts-2026-04-15\/\">reported<\/a>, citing data from <a href=\"https:\/\/ctrlaltintel.com\/research\/FancyBear\/\">Ctrl-Alt-Intel<\/a>. 
The espionage activity also targeted officials in Romania, Greece, Bulgaria, and Serbia. Speaking to The Record, Ukraine\u2019s State Service of Special Communications and Information Protection (SSSCIP) <a href=\"https:\/\/therecord.media\/ukraine-confirms-suspected-apt28-campaign-targeting-prosecutors\">confirmed<\/a> that local government agencies were targeted in a long-running hacking campaign that it has been tracking since 2023, with the attacks weaponizing flaws in Roundcube webmail software to run malicious code as soon as a specially crafted message is opened. The campaign is believed to be the work of APT28 (aka Fancy Bear).<\/li>\n<li><strong>Infostealer Lookup Services are Changing Cybercrime <\/strong>\u2014Hudson Rock revealed that infostealer lookup services, some accessible via a simple search on Google, are rapidly fueling a new era of initial access, shifting how cyber attacks begin and transforming a complex hacking process into a simple, automated transaction. \u00abThese platforms have effectively turned billions of compromised credentials and active session cookies into a highly searchable, low-cost commodity available to the masses,\u00bb it <a href=\"https:\/\/www.infostealers.com\/article\/the-new-era-of-initial-access-how-infostealer-lookup-services-are-changing-cybercrime\/\">said<\/a>. \u00abBecause this data is so easily accessible, organizations can no longer afford to be reactive.\u00bb<\/li>\n<li><strong>AdaptixC2 Detailed <\/strong>\u2014Kaspersky has detailed the inner workings of an open-source command-and-control (C2) framework known as AdaptixC2, which has seen increased adoption by bad actors over the past year. Written in Go and C++, AdaptixC2 is designed for post-exploitation and stealthy interaction with its malicious agents deployed on compromised systems. It also employs diverse network communication and post-exploitation techniques to get around traffic monitoring tools and minimize its footprint. 
\u00abUnlike many general-purpose C2 platforms, AdaptixC2 focuses on advanced agent-to-C2 communication and specific evasion techniques designed to bypass modern security tools, including EDR and NDR solutions,\u00bb the company <a href=\"https:\/\/securelist.com\/tr\/adaptixc2-network-and-host-detection\/119424\/\">said<\/a>. \u00abThe framework provides the flexibility to develop custom agents while also including standard agent implementations in Go and C++ for Windows, macOS, and Linux. Additionally, it supports a modular approach to extending its functionality.\u00bb<\/li>\n<li><strong>Adware Update Delivers EDR Killer <\/strong>\u2014In an unusual attack, a browser-hijacking adware family rolled out a multi-phase update that attempted to disable security software on infected hosts. The adware is signed by Dragon Boss Solutions LLC, a U.A.E.-based company that claims to conduct search monetization research and has promoted modified versions of the Chrome browser (e.g., Chromstera, Chromnius, and Artificius). \u00abThe signed software silently fetches and executes payloads capable of killing antivirus products, all while running with SYSTEM privileges,\u00bb Huntress <a href=\"https:\/\/www.huntress.com\/blog\/pups-grow-fangs\">said<\/a>. The antivirus killing capability was observed starting in late March 2025, although the loader and updater components date back to late 2024. \u00abThe operation uses an off-the-shelf software update mechanism to deploy these MSI and PowerShell-based payloads. Establishing WMI persistence disables security applications and blocks reinstallation of protective software,\u00bb it added. 
The MSI installer, downloaded from a fallback update server, performs reconnaissance, queries for installed security products, and runs a PowerShell script (\u00abClockRemoval.ps1\u00bb) to terminate running processes, disable antivirus services by tampering with the Windows Registry, delete installation directories, and force deletion when uninstallers fail. What\u2019s significant is that the update mechanism can be modified to deploy any payload. To make matters worse, the primary update domain baked into the operation to retrieve the MSI installer \u2013 chromsterabrowser[.]com \u2013 was left unregistered, meaning any threat actor could have registered the domain for as little as $10 and pushed malicious updates, turning an adware infection into a potential supply chain compromise. The domain has since been sinkholed. That said, 23,565 unique IP addresses connected to the sinkhole during a 24-hour monitoring period. The infections are concentrated around the U.S., France, Canada, the U.K., and Germany. These included universities, OT networks, government entities, primary and secondary educational institutions, healthcare organizations, and multiple Fortune 500 companies.<\/li>\n<li><strong>India Will Not Require Smartphone Makers to Preload Aadhaar App <\/strong>\u2014The Indian government will no longer require smartphone makers like Apple and Samsung to preload devices with a state-owned biometric identification app, Reuters <a href=\"https:\/\/www.reuters.com\/world\/china\/india-drops-proposal-mandate-national-id-app-aadhaar-smartphones-after-pushback-2026-04-17\/\">reported<\/a>. India\u2019s IT ministry reviewed the proposal and \u00abis not in favour of mandating the pre-installation of the Aadhaar App on smartphones,\u00bb UIDAI said in a statement. The Aadhaar request was the sixth time in two years the government has sought pre-installation of state apps on phones, according to industry communications. 
Smartphone makers flagged concerns about device security and compatibility when they received the Aadhaar preload proposal, and also flagged higher production costs as they would have been required to run separate manufacturing lines for India and export markets.<\/li>\n<li><strong>SQL Injection Campaign Targets Payment Services <\/strong>\u2014An active <a href=\"https:\/\/oasis-security.io\/blog\/260304-SQLi\">SQL injection campaign<\/a> is operating through attacker infrastructure located in Canada. The campaign has targeted 35 websites, with confirmed successful SQL injection exploitation and data exfiltration affecting three organizations operating in the payment, real estate, and developer service sectors. Attacker-side artifacts indicate coordinated and deliberate exploitation rather than opportunistic scanning.<\/li>\n<li><strong>QEMU Abused for Defense Evasion <\/strong>\u2014Threat actors are abusing QEMU, an open-source machine emulator and virtualizer, to hide malicious activity within virtualized environments. \u00abAttackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself,\u00bb Sophos <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/qemu-abused-to-evade-detection-and-enable-ransomware-delivery\">said<\/a>. 
Two clusters of activity have been detected: STAC4713, which has used QEMU as a covert reverse SSH backdoor to deliver tooling and harvest domain credentials with the end goal of likely deploying <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/payouts-king-takes-aim-ransomware-throne\">Payouts King ransomware<\/a> (likely tied to former BlackBasta affiliates) after obtaining initial access via exploitation of known security flaws in SolarWinds Web Help Desk, and STAC3725, which exploits Citrix Bleed 2 (aka CVE-2025-5777) for obtaining a foothold and installs ScreenConnect for persistent remote access. The threat actors then deploy a QEMU VM to install additional tools for conducting enumeration and credential theft. \u00abFollow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims\u2019 environments and then sold the access to other threat actors,\u00bb Sophos said.<\/li>\n<li><strong>Fake Adobe Reader Site Drops ScreenConnect <\/strong>\u2014Threat actors are using fake Adobe Acrobat Reader websites to lure victims into installing ConnectWise\u2019s ScreenConnect. The attack chain was detected in February 2026. \u00abThe attack uses .NET reflection to keep payloads in memory only, which helps it evade signature-based defenses and hinder forensic examination,\u00bb Zscaler ThreatLabz <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/memory-loader-drops-screenconnect\">said<\/a>. \u00abA VBScript loader dynamically reconstructs strings and objects at runtime to defeat static analysis and sandboxing. 
Auto-elevated Component Object Model (COM) objects are abused to bypass User Account Control (UAC) and run with elevated privileges without user prompts.\u00bb The attack employs an in-memory .NET loader that\u2019s responsible for launching ScreenConnect.<\/li>\n<li><strong>Nearly 6M Hosts Use FTP <\/strong>\u2014Censys <a href=\"https:\/\/censys.com\/blog\/ftp-exposure-brief\/\">said<\/a> it observed about 5,949,954 hosts running at least one internet-facing FTP service, down from over 10.1 million in 2024, which amounts to a decline of 40% in two years. Of these, nearly 2.45 million hosts had no evidence of encryption. \u00abOver 150,000 IIS FTP services return a 534 response, indicating TLS was never set up,\u00bb Censys said. \u00abFor most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively.\u00bb<\/li>\n<li><strong>Malformed APKs Bypass Detections as New Android RATs Emerge <\/strong>\u2014Threat actors are <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/malformed-apks-as-an-anti-analysis-technique-malfixer-tool\">increasingly<\/a> using <a href=\"https:\/\/zimperium.com\/blog\/over-3000-android-malware-samples-using-multiple-techniques-to-bypass-detection\">malformed APKs<\/a>, which refer to Android packages that can be installed and run on Android but are intentionally broken by using unsupported compression methods, header manipulation, or false password protection, to bypass static analysis tools and delay detection. Cleafy has released an open-source tool called <a href=\"https:\/\/github.com\/Cleafy\/Malfixer\">Malfixer<\/a> to detect and fix malformed APKs. 
The development comes as Zimperium <a href=\"https:\/\/zimperium.com\/blog\/android-bankers-4-campaigns-in-a-row\">flagged<\/a> four new Android malware families, RecruitRat, SaferRat, Astrinox (aka Mirax), and Massiv, that are capable of harvesting sensitive information and facilitating unauthorized financial transactions. In all, campaigns distributing these malware families target over 800 applications across the banking, cryptocurrency, and social media sectors. RecruitRat leverages recruitment-related social engineering and fraudulent job-seeking platforms for initial access. SaferRat is distributed through fake websites that claim to offer free access to premium streaming platforms and legitimate video streaming software. All four banking trojans abuse the native Session Installation API to bypass Android\u2019s sideloading restrictions and request accessibility services permissions to carry out their malicious activities.<\/li>\n<li><strong>Over 200 PrestaShop Stores Expose Installer <\/strong>\u2014More than 200 PrestaShop online stores have left their installation folder exposed online, allowing attackers to abuse the behavior to overwrite database configuration, gain admin access, and execute arbitrary code on the server. According to <a href=\"https:\/\/sansec.io\/research\/prestashop-installer-takeover\">Sansec<\/a>, the affected stores span 27 countries, including France, Italy, Poland, and the Czech Republic. 
Another set of 15 stores has been found to expose the Symfony Profiler, which is enabled when PrestaShop runs in debug mode.<\/li>\n<li><strong>How to Contain a Domain Compromise via Predictive Shielding <\/strong>\u2014Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/17\/domain-compromise-predictive-shielding-shut-down-lateral-movement\/\">detailed<\/a> an attack chain in which a threat actor targeted a public sector organization in June 2025, methodically progressing from one state of the attack lifecycle to the next, starting with dropping a web shell following the exploitation of a file-upload flaw in an internet-facing Internet Information Services (IIS) server. The attacker then performed reconnaissance, escalated their privileges, leveraged the compromised IIS service account to reset the passwords of high-impact identities, and deployed Mimikatz to harvest credentials. Then, the threat actor abused privileged accounts and remotely created a scheduled task on a domain controller to capture NTDS snapshots. The attacker also planted a Godzilla web shell on the Exchange Server and leveraged their privileged context to alter mailbox permissions, allowing them to read and manipulate all mailbox contents. The threat actor subsequently used Impacket to enumerate the role assignments and other activities that were flagged and blocked by Microsoft Defender. \u00abThe threat actor then launched a broad password spray from the initially compromised IIS server, unlocking access to at least 14 servers through password reuse,\u00bb Microsoft said. 
\u00abThey also attempted remote credential dumping against a couple of domain controllers and an additional IIS server using multiple domain and service principals.\u00bb After Microsoft Defender\u2019s <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/shield-predict-threats\">predictive shielding<\/a> was enabled in late July 2025, the attacker\u2019s attempts to sign in to Microsoft Entra Connect servers were blocked. The campaign stopped on July 28, 2025.<\/li>\n<li><strong>Cargo Theft Malware Actor Conducts Remote Access Campaigns <\/strong>\u2014In November 2025, Proofpoint detailed a threat actor that used compromised load boards to gain access to trucking companies with the end goal of freight diversion and cargo theft. New research from the enterprise security company has revealed that the attacker abused multiple remote access tools like ScreenConnect, Pulseway, and SimpleHelp to establish persistence to a controlled decoy environment, with attempts made to identify financial access, payment platforms, and cryptocurrency assets to conduct freight fraud and broader financial theft. The actor maintained access for more than a month. At least one ScreenConnect instance is said to have leveraged a third\u2011party signing\u2011as\u2011a\u2011service provider to re-sign the installer with a valid but fraudulent code\u2011signing certificate. \u00abThis reconnaissance focused on identifying financial access \u2013 such as banking, accounting, tax software, and money transfer services \u2013 as well as transportation\u2011related entities, including fuel card services, fleet payment platforms, and load board operators,\u00bb the company <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook\">said<\/a>. 
\u00abThe latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud.\u00bb<\/li>\n<li><strong>British National Pleads Guilty to Scattered Spider Campaign <\/strong>\u2014Tyler Robert Buchanan, who was extradited from Spain to the U.S. last April following his arrest in the European nation in June 2024, pleaded guilty to hacking a dozen companies and stealing at least $8 million in digital assets. He pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. \u00abFrom September 2021 to April 2023, Buchanan and other individuals conspired to conduct cyber intrusions and virtual currency thefts,\u00bb the U.S. Justice Department <a href=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual\">said<\/a>. \u00abThe victims and intended victims included interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing (BPO) and information technology (IT) suppliers, cloud communications providers, virtual currency companies, and individuals.\u00bb Buchanan and his co-conspirators conducted SMS phishing attacks targeting a victim company\u2019s employees, tricking them into clicking on bogus links that exfiltrated their credentials via a phishing kit to an online Telegram channel under their control. The stolen data was then used to access the accounts, gather confidential company information, and siphon millions of dollars\u2019 worth of virtual currency after conducting SIM swapping attacks.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/bishopfox\/cirro\">Cirro<\/a> \u2192 It is an open-source tool designed to help security experts find hidden risks in cloud environments. 
It works by collecting data about people, their permissions, and the digital resources they use, then turning that information into a visual map. By showing how these different pieces are connected, the tool makes it easier to spot \u00abattack paths\u00bb\u2014the step-by-step routes a hacker could take to move through a system and reach sensitive data. While it is currently focused on Azure, it is built to be flexible so users can add other platforms over time.<\/li>\n<li><a href=\"https:\/\/github.com\/SpecterOps\/Janus\">Janus<\/a> \u2192 It is an open-source tool designed to help security teams track technical failures during operations. It automatically pulls logs from command-and-control (C2) platforms like Mythic and Cobalt Strike to identify where tools failed or commands were blocked. By organizing these \u00abfriction points\u00bb into reports, Janus helps teams see exactly where their workflow slows down and what tasks need to be improved or automated.<\/li>\n<\/ul>\n<p><em>Disclaimer: This is strictly for research and learning. It hasn\u2019t been through a formal security audit, so don\u2019t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you\u2019re doing stays on the right side of the law.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>That wraps this week\u2019s recap. Most of it isn\u2019t loud, but it shows how easy it is for trusted paths to turn into entry points and for normal activity to hide real access.<\/p>\n<p>Keep an eye on the basics. Check what you trust, watch how things run, and don\u2019t ignore the small changes.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Monday\u2019s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. 
Even update channels are used to push payloads. It\u2019s not breaking systems\u2014it\u2019s bending trust. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[1939,75,24,1664,1937,820,1313,1938,1940,1920],"class_list":["post-607","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-abused","tag-android","tag-cyberdefensa-mx","tag-emerge","tag-fraud","tag-hack","tag-push","tag-qemu","tag-rats","tag-vercel"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=607"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/607\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}