Microsoft has released the April 2026 Patch Tuesday updates, addressing more than 160 security vulnerabilities across its products, including a zero-day flaw in Microsoft SharePoint Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2026-32201, is classified as a spoofing issue that stems from improper input validation. It could allow an unauthorized attacker to perform spoofing attacks over a network and gain access to sensitive information.
Adobe has also rolled out security updates to address a critical vulnerability in Acrobat Reader that is already being actively exploited in the wild. The flaw, tracked as CVE-2026-34621, could allow attackers to execute malicious code on affected systems.
CISA has flagged 7 security flaws as actively exploited, including CVE-2026-21643 (Fortinet FortiClient EMS), CVE-2020-9715 and CVE-2026-34621 (Adobe Acrobat and Reader), CVE-2023-36424 (Microsoft Windows Common Log File System Driver), CVE-2023-21529 (Microsoft Exchange Server), CVE-2025-60710 (Host Process for Windows Tasks), CVE-2012-1854 (Microsoft Visual Basic for Applications, VBA).
Threat actors are actively exploiting a high-risk flaw (CVE-2026-33032) in Nginx UI, allowing attackers to take full control of servers without authentication. The issue stems from an unprotected /mcp_message endpoint that lets attackers execute privileged actions, such as modifying and reloading Nginx configurations. A fix was released in version 2.3.4.
Hackers are exploiting a flaw in Marimo Python notebooks (CVE-2026-39987) to spread a new version of NKAbuse malware hosted on Hugging Face Spaces. Attacks began within hours of the vulnerability being disclosed and are mainly used to steal credentials. Researchers also spotted other attacks, including one from a Germany-based operator using multiple reverse-shell methods.
The National Institute of Standards and Technology (NIST) announced it is changing how it handles cybersecurity vulnerability records due to the growing number of reported bugs. NIST will now only add extra details (“enrichment”) to vulnerabilities that are considered most important (already known to be exploited or marked critical for government systems). Other vulnerabilities will still be listed but won’t receive additional updates. The goal is to focus resources on the most serious issues and improve long-term management of the system.
A novel malware strain, dubbed ‘AgingFly,’ has been spotted in a series of cyberattacks targeting Ukrainian governments and hospitals with the goal of stealing authentication data from Chromium-based browsers and the WhatsApp desktop app. The campaign was uncovered last month by CERT-UA, which linked the activity to a threat cluster tracked as UAC-0247. The cybersecurity agency believes the attacks may also target individuals connected to Ukraine’s Defense Forces.
Russia-linked hackers targeted Ukrainian prosecutors and investigators, breaking into more than 170 email accounts in recent months. Data reviewed by Reuters suggests the campaign compromised at least 284 inboxes between September 2024 and March 2026. The activity, attributed to the Fancy Bear hacker group, appears to be aimed at spying on officials involved in investigating corruption and Russian collaborators.
In a separate incident, a pro-Russian cyber group attempted to disrupt operations at a thermal power plant in western Sweden in spring 2025. The Swedish government said the attack was unsuccessful.
Hunt.io researchers identified more than 1,250 command-and-control servers across 165 Russian infrastructure providers, including shared hosting services, VPS providers, and telecom networks. Most of the servers were linked to IoT malware botnets such as Keitaro, Hajime, Mozi, and Mirai.
A new Python-based backdoor called ViperTunnel has been discovered, which is used to keep long-term access to systems and later sell that access to ransomware groups. It is believed to have been circulating since late 2023 and is often installed after FAKEUPDATES (SocGholish) infections. The malware has been linked to the UNC2165 hacking group, associated with EvilCorp, and it is sometimes used with another tool called ShadowCoil that steals browser credentials.
The Chinese-linked threat group APT41 is using a sophisticated backdoor to target Linux-based cloud systems and steal sensitive credentials from major providers. The malware is designed to target cloud environments such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud.
Microsoft’s threat intelligence team has detailed a macOS campaign attributed to the North Korean group, tracked as ‘Sapphire Sleet,’ that uses social engineering instead of software flaws. Attackers trick users into running a fake “Zoom SDK Update” AppleScript file, which looks like a normal update but hides malicious code. Once executed, it can steal passwords, cryptocurrency, and personal data while bypassing macOS security features.
Another North Korean hacking group known as APT37, or ScarCruft, has been observed using social media to target victims. The attackers reportedly approached individuals on Facebook, sending friend requests to build trust. After establishing contact, they continued conversations on Messenger, later switching to Telegram, and then delivered malicious files.
Cybersecurity researchers have uncovered a new wave of the ongoing GlassWorm campaign that targets software developers by infecting multiple coding environments on a single machine. The attack involves an Open VSX extension called “specstudio.code-wakatime-activity-tracker,” disguised as the popular time-tracking tool WakaTime. The extension has since been removed.
Dozens of WordPress plugins were taken offline after it was discovered that they contained a hidden backdoor. The backdoor, added after the plugin company was sold, was used to spread malicious code to websites using those plugins. The code fetched spam links, redirects, and fake pages from a command-and-control server. It remained inactive for a time before recently being activated in what appears to be a supply chain attack.
A digitally signed adware tool was used to spread malicious payloads with full SYSTEM privileges, allowing attackers to disable antivirus protections on thousands of computers across multiple sectors, including education, government, and healthcare. The campaign abused the update feature of a legitimate installer tool to deliver malware, maintain persistence, and prevent security software from being reinstalled.
Threat actors have compromised an API for the CPUID project and modified download links to serve malware for the CPU-Z and HWMonitor utilities. Attackers gained access to a secondary API linked to CPUID’s website and made some changes that led to users being redirected to files hosted on Cloudflare R2 that delivered trojanized versions of software disguised as legitimate tools.
A new campaign has been spotted that spreads over 100 malicious Google Chrome extensions designed to steal user data and manipulate web browsing. The extensions connect to the same command-and-control (C&C) servers, allowing attackers to gather sensitive information such as login credentials, browsing activity, and user identities.
A study has found that third-party API routers that help connect users to large language models can be used by threat actors to trick users, inject malicious code into their devices, and steal sensitive data. Researchers analyzed 28 paid routers from online marketplaces and 400 free ones from public communities. They found that nine of the routers were actively inserting malicious code into responses, and 17 were capturing and misusing cloud credentials as they passed through. In one case, a hacked router even stole cryptocurrency from a researcher’s wallet after getting access to a private key.
Darktrace's latest report analyzes ZionSiphon, an OT-focused malware targeting Israeli water treatment and desalination systems. The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls.
Cisco Talos discovered a new malicious campaign active since December 2025 in the Czech Republic, involving a previously unknown botnet called PowMix. The botnet avoids detection by sending signals at random intervals and disguising its communication as normal web traffic. It can also update its control servers remotely. Researchers noted similarities to the earlier ZipLine campaign, including the malware delivery methods and its use of the legitimate cloud platform Heroku for command-and-control operations.
A new social engineering campaign, dubbed ‘REF6598,’ uses the Obsidian note-taking app to spread a previously unknown Windows malware called Phantompulse RAT. The attackers target people in finance and cryptocurrency by pretending to be a venture capital firm on LinkedIn, then moving conversations to Telegram groups with fake partners to gain trust and infect victims’ systems.
Silent Push has released a report detailing the evolution of Triad Nexus, a cybercrime network linked to Asian organized crime that runs scams, money laundering, and illegal gambling. Following the US sanctions targeting its associated service Funnull, the group shifted tactics by using front companies, account mules, and “infrastructure laundering” to hide its activity. It now exploits major cloud providers like Amazon, Cloudflare, Google, and Microsoft to continue operating and avoid detection.
The Rhadamanthys infostealer had an open API with no login protection, so security researchers could watch what it was doing for months before Europol shut it down in a takedown, according to Censys.
Microsoft’s DART team found that a financially motivated hacker group tracked as Storm-2755 was running “payroll theft” attacks against users in Canada. The attackers broke into employee accounts and redirected salary payments to their own accounts, causing financial losses. The group used fake ads and search engine tricks to lure victims, as well as advanced methods to steal login sessions and bypass multi-factor authentication.
Hackers have breached the Grinex crypto exchange, which Russia uses to bypass sanctions. The exchange reports that cryptocurrency worth 1 billion rubles (about 15 million USDT) was stolen. Grinex has suspended operations. According to the platform’s management, the hackers acted with the support of “Western intelligence agencies.”
Europol and 21 countries have carried out a coordinated operation against DDoS-for-hire (“booter”) services. Law enforcement agencies targeted over 75,000 users, sending warning messages and making 4 arrests. Authorities have also taken down 53 domains, issued 25 search warrants, and disrupted the infrastructure used for DDoS attacks.
The Ukrainian police arrested a member of an international cybercrime group who was wanted by the FBI for fraud totaling hundreds of millions of dollars. He stole data and extorted money in the United States and Europe, faked his own death, and lived in Ukraine under a false identity. He was detained in Uzhhorod, and his accomplices were also identified. Authorities seized assets and cryptocurrency worth millions of dollars. He has been charged with document forgery and money laundering. The authorities did not disclose the suspect’s identity or which cybercrime gang he was a member of.
In a separate case, police uncovered a 16-year-old who hacked parcel locker systems and created a fake app to steal packages without paying.
The FBI and Indonesian police shut down a global phishing operation that stole thousands of account credentials and attempted over $20 million in fraud. The police arrested the suspected developer and seized domains linked to the operation. The scheme used the W3LL phishing kit, which let criminals create fake login pages to trick people into giving up their account details.
Two American men were sentenced to prison for their involvement in a “laptop farms” operation that defrauded major US companies and generated $5 million for the North Korean government. Zhenxing “Danny” Wang, 39, and Kejia “Tony” Wang, 42, both from New Jersey, acted as intermediaries in a complex scheme that deceived Fortune 500 companies into hiring overseas tech workers who used stolen identities of US citizens. Zhenxing Wang was given more than seven years in prison, while Kejia Wang received a nine-year sentence.