Fortinet has released out-of-band security updates to address a critical vulnerability in its FortiClient Endpoint Management Server (EMS) that is already being actively exploited in the wild. The vulnerability, tracked as CVE-2026-35616, is described as a missing authorization issue that can lead to code execution: because authorization checks are absent, a remote, unauthenticated attacker can send a specially crafted HTTP request to a certain API endpoint and execute arbitrary commands on the system.
A large-scale cyberattack campaign is targeting vulnerable Next.js apps by exploiting a critical flaw known as React2Shell (CVE-2025-55182), allowing hackers to automate the theft of sensitive credentials from cloud environments. At least 766 systems spanning multiple cloud providers and geographic regions have already been compromised, exposing a wide range of confidential data including database credentials, AWS keys, SSH private keys, API tokens, and environment secrets.
An international law enforcement effort has disrupted a large-scale cyber-espionage campaign dubbed “FrostArmada” attributed to the Russian state-linked hacking group APT28. Attackers modified the routers’ DNS settings, redirecting traffic through malicious servers under their control. This allowed them to intercept authentication requests and harvest login credentials and OAuth tokens linked to Microsoft accounts, including services like Microsoft 365 and Outlook.
US federal agencies have warned that Iran-linked hackers are targeting internet-exposed industrial controllers (PLCs) used in critical infrastructure. The attacks focus on Rockwell/Allen-Bradley devices and involve tampering with system files and data in control systems like HMI and SCADA. This can disrupt operations and interfere with real-time monitoring and control in industrial environments. According to Censys, there are 5,219 internet-exposed hosts globally responding to EtherNet/IP (EIP) and self-identifying as Rockwell Automation/Allen-Bradley devices, with the majority of them located in the US.
A threat actor believed to be linked to Iran is suspected of carrying out a large-scale password-spraying campaign against Microsoft 365 environments, primarily targeting organizations in Israel and the United Arab Emirates. The attacks focused on a wide range of sectors, including government agencies, municipalities, technology firms, transportation networks, energy providers, and private companies.
A threat group, tracked as UAT-10362, is targeting Taiwanese NGOs and universities using spear-phishing attacks. The threat actor deploys a new malware called LucidRook, which uses Lua and Rust to run hidden malicious code. The attack uses fake antivirus files and compromised servers to spread and control the malware. Researchers also found another tool named LucidKnight that collects system data and sends it through Gmail.
A threat actor known as UNC6783 is targeting business process outsourcing (BPO) providers as an initial attack vector to infiltrate high-value organizations across multiple industries. Security researchers say dozens of companies have already been affected, with attackers exploiting BPO relationships to access sensitive corporate data and carry out extortion schemes. UNC6783 mainly uses social engineering and phishing campaigns, often tricking BPO employees into handing over credentials or access.
The ReversingLabs research team has discovered a new wave of the North Korea-linked Graphalgo campaign where threat actors pose as recruiters to target crypto developers. They create fake companies and job interviews to trick developers into completing tasks that contain hidden malware. To appear legitimate, the attackers set up GitHub organizations linked to fake blockchain projects, making their scam more convincing and harder to detect.
A new report from Fortinet FortiGuard Labs says that the North Korean Kimsuky threat actor is leveraging GitHub as a command-and-control (C&C) platform in a multi-stage campaign targeting organizations in South Korea.
The Solana-based decentralized exchange Drift Protocol has disclosed that the $285 million cyberattack on April 1, 2026, was orchestrated by a threat actor linked to North Korea. Drift described the breach as “an attack six months in the making,” linking it with medium confidence to a state-sponsored threat group known as UNC4736 (aka AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). According to Drift, the attackers combined technical intrusion methods with real-world social engineering tactics, beginning in the fall of 2025.
The China-based cybercriminal group Storm-1175 known for spreading the Medusa ransomware is orchestrating high-speed attacks using both known (n-day) and previously unknown (zero-day) software vulnerabilities. Storm-1175 targets new security flaws, sometimes exploiting them within a day of discovery or even before official patches are released. Once inside a system, the group moves fast, often stealing data and deploying ransomware within 24 hours.
A likely hack-for-hire operation, possibly linked to an Indian government–connected actor, targeted journalists, activists, and officials in the Middle East and North Africa. The attackers used phishing messages on iMessage and WhatsApp, often pretending to be Apple Support, and may have also targeted users on Telegram and Signal.
Cybersecurity researchers have identified a new version of the Chaos malware that now targets poorly secured cloud systems. First discovered in 2022, Chaos can infect both Windows and Linux devices, execute remote commands, spread to other machines by breaking into SSH accounts, install more malicious tools, mine cryptocurrency, and carry out various types of DDoS attacks.
Hackers compromised the update system of the Smart Slider 3 Pro plugin and distributed a malicious version (3.5.1.35). This version installed hidden backdoors, created a secret admin user, and stole sensitive data. The malware allowed attackers to run commands remotely without authentication and included additional tools for deeper system control. Users are advised to update to a safe version as soon as possible.
A large attack has affected about 100 Magento online stores by hiding credit card-stealing code inside an SVG image. When customers click checkout, they see a fake form that captures their payment details. Researchers from Sansec think the attackers likely got access using the PolyShell vulnerability discovered in March.
A new malware campaign is targeting macOS users by tricking them into using the Script Editor app. Hackers create fake Apple-themed websites that claim to help free up disk space, but instead guide users to run malicious scripts that install the Atomic Stealer malware on their devices.
Cybersecurity firm Trellix has uncovered new details about the Masjesu botnet designed to launch large-scale distributed denial-of-service (DDoS) attacks by hijacking vulnerable Internet of Things (IoT) devices. Active since at least 2023, Masjesu has been advertised mainly on Telegram, where its operator boasted the ability to execute attacks reaching hundreds of gigabytes in volume.
LayerX researchers discovered a way to turn Claude Code into a powerful hacking tool capable of carrying out cyberattacks and finding vulnerabilities. By simply editing a single project file (CLAUDE.md) with a few lines of text (no coding at all), they were able to bypass Anthropic’s safeguards and get it to perform a full penetration attack and steal credentials.
Hackers stole about $3.6 million in Bitcoin from Bitcoin Depot on March 23 by accessing company systems and taking control of account credentials. The company said the attack only affected its internal systems and did not impact customers or their data.
A team of researchers from the University of Toronto has devised a new technique, dubbed ‘GPUBreach,’ that leverages GPU memory vulnerabilities to escalate privileges and potentially compromise systems. GPUBreach is based on the Rowhammer technique used against system RAM, and applies it to GPU GDDR6 memory. By inducing targeted bit flips, the researchers demonstrated that attackers can corrupt GPU page table entries (PTEs), granting arbitrary memory read and write access to an unprivileged CUDA kernel.
German authorities have issued arrest warrants for two suspected key figures linked to the REvil/GandCrab ransomware operations. 31-year-old Russian national Daniil Maksimovich Shchukin, aka “UNKN” (Unknown), is believed to be a public representative and co-administrator of the groups. He promoted the ransomware services on cybercrime forums starting in 2019. Authorities also identified Anatoly Sergeevitsch Kravchuk, a 43-year-old believed to have developed the REvil ransomware.
A former infrastructure engineer from the US, 57-year-old Daniel Rhyne, pleaded guilty to a cyberattack on his employer. He used an administrator account to delete admin accounts and reset passwords, locking staff out of hundreds of systems in an attempt to extort the company.
An American man became the first person convicted under the US Take It Down Act after admitting he created and shared explicit images without consent. He used AI tools to make fake sexual images of women he knew and also created disturbing images involving minors. Authorities found he had many AI programs on his phone and had produced a large number of the illegal images.