ALERTS APRIL 2026
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 24.4.26 | DarkCloud via Sea-Freight-Themed Malspam | Symantec has observed a DarkCloud info stealer campaign distributed through malspam messages leveraging a sea-freight quotation lure. The operators impersonated a scientific and industrial supplies distributor based in India, sending emails under the subject line "Inquiry sea shipment rate from China to India" to solicit engagement from logistics and trade-adjacent recipients. | ALERTS | SPAM |
| 24.4.26 | Recent Mirai campaign exploits old vulnerabilities | Cybersecurity researchers at Akamai identified a recent campaign leveraging a Mirai botnet variant to compromise network devices. This Mirai strain attempts to exploit the D-Link flaw CVE-2025-29635 as well as an even older TP-Link Archer vulnerability, CVE-2023-1389. | ALERTS | CAMPAIGN |
| 24.4.26 | Needle Stealer malware spread via fraudulent websites | Malwarebytes researchers recently identified a new cybersecurity threat in the form of a Go-based modular information stealer dubbed Needle Stealer. The observed campaign deceives victims using a fraudulent website, which poses as an artificial intelligence trading assistant (called TradingClaw) for the popular financial analysis platform, TradingView. | VIRUS | |
| 24.4.26 | Dindoor backdoor malware | Dindoor is a malicious backdoor built on the Deno runtime and considered an offshoot of the Tsundere Botnet. Threat actors distribute Dindoor to unsuspecting victims through deceptive MSI installer files, often via phishing campaigns or drive-by downloads. | ALERTS | VIRUS |
| 24.4.26 | Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. | ALERTS | VIRUS |
| 23.4.26 | NGate Android Malware Targets Brazil with Trojanized HandyPay App | Researchers at ESET have discovered a new variant of the NGate malware family targeting Android users in Brazil. This iteration is particularly notable because it abuses HandyPay, a legitimate NFC relay application, rather than the open-source tools used in previous campaigns. | ALERTS | VIRUS |
| 23.4.26 | Typosquatted Domain Targets Developers with Malicious Antigravity Installer | Researchers at Malwarebytes have uncovered a campaign targeting developers via trojanized installers for Google’s Antigravity tool. The operation relies on a typosquatted domain that impersonates the legitimate site, distributing a version of the genuine application bundled with an additional malicious PowerShell script. | CAMPAIGN | |
| 23.4.26 | NWHStealer via Fake Downloads | Malwarebytes reports that NWHStealer is being spread through a wide mix of lures, including fake Proton VPN downloads, bogus hardware tools, mining software, and gaming mods, showing how broadly this infostealer is being seeded across the web. | ALERTS | VIRUS |
| 23.4.26 | Dual-Payload Loader Pushes Gh0st RAT & CloverPlus adware | Splunk says attackers are using an obfuscated loader to deliver two threats at once: Gh0st RAT for covert remote access and CloverPlus adware for quick monetization, combining long-term compromise with immediate profit. | ALERTS | VIRUS |
| 23.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT | |
| 23.4.26 | ZionSiphon malware | Cybersecurity firm Darktrace has uncovered ZionSiphon, a politically motivated malware strain specifically targeting water treatment and desalination plants. | ALERTS | VIRUS |
| 21.4.26 | Recent Cloverworm campaign targets macOS users with social engineering | Microsoft Threat Intelligence recently exposed a macOS-focused operation attributed to the North Korean state actor Cloverworm (aka Sapphire Sleet). Instead of exploiting software vulnerabilities, the group uses social engineering to compromise systems and exfiltrate sensitive information. | ALERTS | CAMPAIGN |
| 21.4.26 | Cross-Platform and Coordinated: The Gentlemen RaaS Targets Windows, Linux, and ESXi | According to findings from Check Point Research, the emerging "The Gentlemen" Ransomware-as-a-service (RaaS) operation has scaled rapidly in 2026, accounting for hundreds of confirmed victims. The group utilizes a cross-platform locker suite developed in Go and C, facilitating operations across Windows, Linux, and ESXi environments. | RANSOM | |
| 21.4.26 | Nexcorium botnet - a new Mirai variant | Cybersecurity researchers at FortiGuard Labs uncovered a new malicious campaign distributing Nexcorium, a sophisticated malware strain based on the notorious Mirai botnet. The attackers primarily compromise systems by weaponizing CVE-2024-3721, an operating system command injection flaw found in TBK DVR devices. | ALERTS | BOTNET |
| 21.4.26 | "Cracked" Software is Actually Lumma Stealer | Lumma Stealer and SectopRAT (ArechClient2) represent a previously observed attack chain currently resurfacing in a new campaign. The infection typically originates from "cracked" installers for popular software applications. | ALERTS | VIRUS |
| 21.4.26 | PowMix Botnet | Researchers at Cisco Talos recently published an article on PowMix botnet that has been targeting people and organizations in the Czech Republic since at least December 2025, using compliance- and job-themed lures to draw in victims across sectors. | BOTNET | |
| 21.4.26 | Transportation Sector Targeted by RMM-Laced Malspam | In a recent article, Proofpoint describes a cargo-theft-focused intrusion that went well beyond initial access, giving researchers a month-long view into how the actor operated after compromise. The attacker used email-delivered VBS and PowerShell to install ScreenConnect, then layered in additional remote management tools for redundancy and long-term access. | ALERTS | SPAM |
| 18.4.26 | Datto RMM Deployed via Multi-Stage Malspam Chain | Symantec has identified a multi-stage malspam campaign delivering a weaponized Datto Remote Monitoring and Management (RMM) agent as its final payload. The delivery chain is notable for its layered use of legitimate cloud infrastructure, a URL-shortening service (short.gy) and Cloudflare R2 public object storage hosting both an HTML dropper and a PE binary, before installing the Datto RMM agent. | ALERTS | HACKING |
| 18.4.26 | MiningDropper mobile malware | Cyble Research and Intelligence Labs (CRIL) has identified a significant increase in the deployment of "MiningDropper," an advanced Android malware delivery framework. It covertly mines cryptocurrency while simultaneously acting as a conduit to install secondary malicious payloads, such as banking trojans, infostealers, and Remote Access Trojans (RATs). | VIRUS | |
| 18.4.26 | Mirax Android RAT | Mirax is an advanced Android banking trojan advertised and sold under the Malware-as-a-Service (MaaS) model. As reported by researchers from Cleafy, Mirax grants attackers real-time control over compromised devices, enabling them to execute commands, monitor activities, and deploy dynamic, fake HTML screens over legitimate applications in order to steal user credentials. | ALERTS | VIRUS |
| 18.4.26 | Malspam Campaign Delivers Masslogger via GitHub-Hosted Payload | Symantec has identified an active malspam campaign distributing Masslogger, a .NET-based credential stealer and keylogger, via a three-stage delivery chain that abuses GitHub for initial payload hosting. The campaign uses an order confirmation lure designed to prompt rapid user action. | ALERTS | CAMPAIGN |
| 18.4.26 | ViperTunnel - A New Python-based Backdoor | The ViperTunnel backdoor is a sophisticated Python-based proxy linked to EvilCorp affiliates. It achieves persistence by abusing the sitecustomize.py module to auto-execute malicious code whenever the Python interpreter starts. This modular threat establishes encrypted SOCKS5 tunnels to command-and-control servers, often masquerading as typical HTTPS traffic to bypass detection. | VIRUS | |
| 18.4.26 | Direct-Sys Loader and CGrabber Stealer distribution campaign | The Cyderes Howler Cell Threat Research Team recently uncovered a novel, multistage cyberattack campaign deploying two previously unknown malware strains: Direct-Sys Loader and CGrabber Stealer. The intrusion begins when victims download malicious ZIP archives concealed within GitHub user attachment links. Direct-Sys Loader employs direct system calls to quietly bypass standard behavioral security software. | ALERTS | CAMPAIGN |
| 18.4.26 | SmokedHam backdoor | In early 2026, Orange Cyberdefense investigated multiple cyberattacks targeting European businesses. These breaches commenced with fraudulent advertisements disguised as well-known software installation packages, including Remote Desktop Manager (RDM) tools, SSH clients and RVTools. The discovered campaign led to infection with the SmokedHam backdoor. | VIRUS | |
| 18.4.26 | CVE-2026-34197 - Apache ActiveMQ vulnerability | CVE-2026-34197 is a recently disclosed vulnerability affecting Apache ActiveMQ Broker and Apache ActiveMQ. If successfully exploited, the flaw might allow attackers to bypass configuration validation and load a remote malicious Spring XML application context, leading to arbitrary code execution on the broker's Java Virtual Machine (JVM). The flaw has already been addressed in updated versions of the vulnerable products. | VULNERABILITY | |
| 18.4.26 | STX RAT malware distributed via CPUID software compromise | On April 9, 2026, cybercriminals successfully compromised the official website of cpuid[.]com, a well-known publisher of system administration utilities. Through this breach, the threat actors distributed malware-laced versions of several widely used monitoring and diagnostic tools. As reported by the researchers from Securelist, the impacted programs included CPU-Z (version 2.19), HWMonitor (version 1.63), HWMonitor Pro (version 1.57), and PerfMonitor 2 (version 2.04). | ALERTS | VIRUS |
| 18.4.26 | New JanelaRAT variant distributed in the wild | JanelaRAT is a malware family designed to harvest cryptocurrency and financial information from Latin American banking customers. Active since mid-2023, this threat is a tailored adaptation of the BX RAT malware. The researchers from Securelist have recently discovered version 33 of this trojan being distributed under the disguise of a legitimate pixel art application. | VIRUS | |
| 10.4.26 | VantaBlack Ransomware | VantaBlack (self-chosen name) is a ransomware actor first observed in late 2025. Their ransomware is a Windows x64 binary built for double extortion: it encrypts files using a modern Salsa20/ChaCha symmetric cipher paired with an asymmetric RSA public key for key encapsulation (two distinct encrypted file extensions have been observed across samples — .E2WN0 and .35RUT), while simultaneously exfiltrating data with threatened publication on a dedicated leak site. | ALERTS | RANSOM |
| 10.4.26 | Torg Grabber Infostealer | Cybersecurity experts at Gen Digital have discovered a rapidly evolving information-stealing malware known as Torg Grabber. This variant is distributed via the ClickFix social engineering technique. Once a system is compromised, Torg Grabber proceeds to extract sensitive data from web browsers, targeting user credentials, autofill details and cookies, among others. | VIRUS | |
| 10.4.26 | Masjesu botnet | Masjesu botnet is a highly advanced threat targeting the Internet of Things (IoT). As reported by the researchers from Trellix, the malware is primarily marketed on Telegram as a DDoS-for-hire service. The botnet infects a diverse spectrum of IoT hardware, including gateways and routers, and is compatible with numerous complex system architectures. | ALERTS | BOTNET |
| 10.4.26 | LucidRook Campaigns Target Taiwanese Entities | Researchers at Cisco Talos have identified LucidRook, a Lua-based stager used by UAT-10362 to target Taiwanese entities. Delivered through spear-phishing lures disguised as antivirus installers (LNK/EXE), LucidRook often operates alongside LucidPawn, a dropper, and LucidKnight, a reconnaissance tool. | ALERTS | CAMPAIGN |
| 10.4.26 | Operation NoVoice - a new Android malware delivery campaign | Cybersecurity researchers at McAfee have uncovered "Operation NoVoice," a widespread mobile malware campaign utilizing exploits for previously patched Android vulnerabilities from 2016 to 2021. Threat actors have been observed to distribute a malicious rootkit module via the Google Play Store, hiding it within more than fifty seemingly harmless applications, such as games and device cleaner apps. | OPERATION | |
| 10.4.26 | CVE-2026-33017 - Langflow Code Injection vulnerability exploited in the wild | CVE-2026-33017 is a recently disclosed critical (CVSS score 9.3) Code Injection vulnerability affecting Langflow, a tool for building and deploying AI-powered agents and workflows. If successfully exploited, the flaw might allow attackers to execute arbitrary code within the context of the vulnerable application, leading to full compromise of the underlying server. | ALERTS | VULNERABILITY |
| 10.4.26 | CVE-2026-22765 - Dell Wyse Management Suite vulnerability | CVE-2026-22765 is a recently disclosed high severity (CVSS score 8.8) Missing Authorization vulnerability affecting Dell Wyse Management Suite, a centralized, web-based management solution designed to configure and monitor Dell thin client endpoints. | VULNERABILITY | |
| 10.4.26 | Supply-chain attack: Axios npm compromise | StepSecurity reported that the widely used npm package axios — with over 100 million weekly downloads — was briefly compromised through two malicious releases, 1.14.1 and 0.30.4, published from a hijacked maintainer account on March 30–31, 2026. The poisoned versions did not alter axios's own code; instead, they added a hidden dependency, plain-crypto-js@4.2.1, whose postinstall script deployed a cross-platform remote access trojan for Windows, macOS, and Linux. | HACKING | |
| 10.4.26 | Casbaneiro Banking Trojan Campaigns Target Latin America and Europe | The Augmented Marauder threat group has evolved, deploying a sophisticated multi-pronged campaign that pairs the Casbaneiro banking trojan with the Horabot spreader. Researchers from BlueVoyant have highlighted that this duo targets Spanish-speaking organizations by transitioning from password-protected PDFs to obfuscated VBScript and AutoIT loaders. | ALERTS | CAMPAIGN |
| 10.4.26 | Qilin Ransomware Deploys Kernel-Level EDR Killer to Blind Defenses | A sophisticated Qilin ransomware campaign has been identified using a specialized "EDR Killer" tool to neutralize enterprise defenses. According to Cisco Talos, the attack begins with a malicious DLL sideloading technique that deploys dual kernel drivers. | RANSOM | |
| 10.4.26 | Cybercriminals bait users with leaked Anthropic Claude Code on GitHub to deliver Vidar Stealer | Following Anthropic’s accidental exposure of Claude Code source code through an npm package on March 31, 2026, cybercriminals swiftly capitalized on this incident. As reported by Zscaler, the malicious actors established a highly visible GitHub repository masquerading as the leaked data. Instead of receiving legitimate source code, victims inadvertently downloaded a malicious Rust-based executable disguised as a standard setup file. | ALERTS | VIRUS |
| 10.4.26 | Malicious LNK Delivery and GitHub-Based C2 Observed in New DPRK Campaign | Fortinet researchers have identified a sophisticated DPRK-linked campaign targeting Windows environments via malicious LNK files. The attack uses encoded PowerShell scripts and employs GitHub for command-and-control operations. | ALERTS | APT |
| 3.4.26 | Chinese-Nexus Monarch APT Deploys In-Memory AtlasCross RAT via Fake Installers | A recent report by Hexastrike details a campaign by Monarch (also known as Silver Fox or Void Arachne), a Chinese-nexus APT targeting Chinese-speaking users. The campaign leverages typosquatted domains impersonating popular applications such as Microsoft Teams, Signal, Telegram, and Zoom to distribute ZIP archives disguised as legitimate installers. | ALERTS | APT |
| 3.4.26 | CrystalX malware | CrystalX RAT is a novel Malware-as-a-Service (MaaS) variant marketed across Telegram and YouTube and utilizing promotional tactics like giveaways and video demonstrations. | VIRUS | |
| 3.4.26 | XLoader Levels Up: Advanced Obfuscation Fuels Stealthy Data Theft | An evolution of the Formbook infostealer, XLoader is doubling down on stealth. New variants detailed by Zscaler researchers employ advanced obfuscation and multi-layered network protection to mask their command-and-control infrastructure. | ALERTS | VIRUS |
| 1.4.26 | Resoker RAT malware | Resoker is a recently identified Remote Access Trojan (RAT) designed to grant threat actors comprehensive control over compromised endpoints. Unlike conventional malware that relies on dedicated centralized server infrastructure, this threat leverages legitimate Telegram Bot APIs instead. | ALERTS | VIRUS |
| 1.4.26 | Prismex malware distributed by the Swallowtail APT | The Swallowtail threat group (also known as Pawn Storm, APT28 or Fancy Bear) has been reported to have launched a major cyber espionage campaign targeting the military and humanitarian supply chains of Ukraine and its allies across Central and Eastern Europe. | VIRUS | |
| 1.4.26 | BrushWorm and BrushLogger malware | Elastic Security Labs recently uncovered a cyberattack targeting a financial organization in South Asia, deploying two custom-built malicious tools: a backdoor dubbed BrushWorm and a keylogger named BrushLogger. BrushWorm serves as the primary infection mechanism. | ALERTS | VIRUS |
| 1.4.26 | BPFdoor - a stealthy backdoor distributed to telecommunications network for persistent access | A recent investigation by Rapid7 Labs has exposed a highly sophisticated, long-term espionage operation orchestrated by the Red Menshen threat group. Targeting global telecommunications providers and government networks, the group's primary objective is to embed stealthy malware deep within critical systems to maintain undetected, persistent access. | VIRUS | |
| 1.4.26 | EtherRAT malware distribution campaign | EtherRAT is a highly sophisticated malware designed to execute unauthorized commands, exfiltrate cloud credentials, and drain cryptocurrency wallets from the infected systems. A defining characteristic of this threat is its use of "EtherHiding", an increasingly prevalent evasion tactic that leverages the Ethereum blockchain to conceal its Command-and-Control (C2) infrastructure. | VIRUS | |
| 1.4.26 | HRSword tool abused by ransomware actors | HRSword is a specialized, legitimate system monitoring tool developed by the Chinese cybersecurity firm Huorong Network Technology, designed for diagnosing Windows system issues. | RANSOM | |
| 1.4.26 | TDSSKiller tool abused by ransomware actors | TDSSKiller is a portable, free utility used to detect and remove advanced rootkits and bootkits that hide from standard antivirus software. | ALERTS | RANSOM |
| 1.4.26 | Three China-Aligned Clusters Orchestrate Layered Intrusion Against SEA Government | Unit 42 researchers at Palo Alto Networks identified a multi-faceted cyberespionage campaign targeting a Southeast Asian government, attributed to three China-aligned clusters. | CAMPAIGN | |
| 1.4.26 | A new GlassWorm distribution campaign | Cybersecurity experts at Aikido identified a sophisticated new phase of the GlassWorm malware campaign, which utilizes a complex, multi-stage attack framework to steal sensitive data and deploy a remote access trojan variant. | ALERTS | CAMPAIGN |