North Korea-linked hackers spent 6 months building trust before stealing $285M from Drift.
They posed as a trading firm, met contributors in person, deposited $1M+, then used malicious code and a fake wallet app to gain access.
How social engineering enabled the Drift crypto theft → https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html
Germany's BKA has identified a key figure behind the REvil #ransomware group.
Daniil Shchukin ("UNKN") is accused of leading REvil, linked to 130 attacks in Germany causing over €35.4M in damage, with €1.9M in ransom paid.
Learn more here → https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
Qilin and Warlock #ransomware are disabling defenses before attacks using BYOVD techniques.
Qilin uses a side-loaded DLL to kill 300+ EDR drivers via vulnerable kernel drivers. Warlock exploits SharePoint and uses similar drivers to bypass kernel-level security, often delaying ransomware execution.
Find the technique disabling EDR tools → https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
AI isn't making attacks smarter, says Martin Zugec, Technical Solutions Director at Bitdefender. It's making them cheaper and easier to scale.
Current AI malware is often unreliable and less advanced, but it can hit thousands of standardized systems fast.
Why scale matters more than sophistication in AI threats → https://thehackernews.com/expert-insights/2026/04/why-ai-does-not-need-to-be-innovative.html
Everything hit at once this week ...
Supply-chain: Axios hack
Exploits: Chrome 0-day, TrueConf, Fortinet
Patches: Apple DarkSword fixes
Malware: ClickFix, DeepLoad, Mirax, Venom
Leak: Claude code exposure
Phishing: device code surge, banking scams
Privacy: LinkedIn tracking claims
Spyware: Paragon use confirmed
Infra: residential proxy abuse
Targeting: crypto org attacks
Policy: India SIM-binding
APT: access regain attempts
Insider: extortion case
Data: OkCupid settlement
Trend: stealer surge, malicious extensions
Read the full recap → https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html
A compromised AI library exposed developer machines.
1,705 packages pulled infected LiteLLM versions, harvesting SSH keys and cloud creds from local systems via dependencies.
It worked because secrets sit in plaintext across files and tools.
How one dependency exposed thousands of environments → https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html
Automated pentesting evaluates environments through chained attack paths. If step A fails, steps B through Z never execute.
One blocked step near the top = a cascading blind spot across every downstream technique.
Picus Security mapped this and two other structural gaps in a new whitepaper.
Download now → https://thn.news/automated-blind-spots
Attackers now move across Windows, macOS, Linux, and mobile in one campaign.
Multi-OS attacks break SOC workflows, splitting one threat into many investigations and slowing validation.
That delay gives attackers time to spread and persist.
Why fragmented triage increases risk → https://thehackernews.com/2026/04/multi-os-cyberattacks-how-socs-close.html
DPRK-linked attackers used GitHub as C2 in phishing-led attacks on South Korean orgs.
LNK files trigger hidden PowerShell, set persistence, and exfiltrate system data to attacker repos while pulling new payloads.
Read → https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html
Iran-linked actors targeted Microsoft 365 accounts in 3 attack waves in March 2026, hitting 300+ orgs in Israel and 25+ in the UAE.
They used password spraying via Tor/VPNs to access mailboxes.
At the same time, Pay2Key ransomware resurfaced with stronger evasion and log wiping.
Read → https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html
Flowise has a CVSS 10.0 RCE flaw (CVE-2025-59528) now under active attack.
A bug in MCP config lets attackers run JavaScript with full system access using just an API token. Over 12,000 exposed instances raise risk.
Exploitation details → https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
WARNING: China-linked Storm-1175 is breaching networks and deploying ransomware in under 72 hours.
It chains zero-day and known flaws, then uses trusted tools to move, steal data, and evade detection across healthcare, finance, and more.
Read → https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
New research shows GPUs can be used to take over a system.
The GPUBreach attack enables root access by flipping bits in GPU memory, corrupting page tables, and chaining into CPU exploits, even with IOMMU enabled.
Read details → https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html
Ilan Nacmias at Sygnia shares a case where AI security tools worked, but no decisions were made.
Risks were clear, but teams disagreed and leaders saw things as under control. Progress came only after linking risk to business impact.
Why AI didn't fix execution in cybersecurity → https://thehackernews.com/expert-insights/2026/04/ai-will-change-cybersecurity-humans.html
Credential security isn't just about breaches.
Daily issues add up: 30% of helpdesk tickets are password resets (~$70 each), while exposed credentials often go unnoticed.
Forced resets increase weak passwords without reducing risk.
Why credential issues cost more than breaches → https://thehackernews.com/2026/04/the-hidden-cost-of-recurring-credential.html
Most attacks don't start with exploits anymore. They start with access.
Across thousands of real-world incidents analyzed in the 2026 Annual Threat Report, one pattern is clear:
Attackers aren't breaking in.
They're logging in.
Here's what we're seeing:
↳ Legitimate credentials are the #1 entry point
↳ Remote access tools are being used against you
↳ Traditional detection is missing what looks "normal"
This isn't theory. This is what actually worked for attackers in 2025.
If your security strategy is still built around stopping malware, you're already behind.
Download the Blackpoint Cyber 2026 Annual Threat Report and see how modern attacks are actually unfolding.
Download the report: https://thn.news/blackpoint-threat-2026
Attackers are hijacking exposed ComfyUI servers into crypto mining and proxy botnets.
Scanners exploit unauthenticated setups via custom nodes, run code, and install persistent malware. Infected systems mine crypto and resist removal.
Read → https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html
Docker fixed a flaw letting attackers bypass AuthZ plugins with a padded API request (>1MB).
The plugin sees no body and allows it, while Docker executes it, creating a privileged container with host access and exposed credentials.
Learn how this leads to full host compromise → https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html
--- WEBINAR ALERT ---
The biggest identity risk in 2026 isn't inside your IAM. It's everything outside it.
Hundreds of unmanaged apps are now being accessed by AI agents, expanding risk beyond what your team can see or control.
Join the WEBINAR for data and practical steps to close the gaps → https://thehackernews.com/2026/04/webinar-how-to-close-identity-gaps-in.html
WARNING - APT28 ran a global router hijack to steal credentials.
The group compromised MikroTik and TP-Link devices, rewrote DNS settings, and redirected traffic for credential theft at scale -- impacting 18,000+ IPs across 120 countries, including government and cloud targets.
Read here → https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
Iran-linked hackers are targeting U.S. critical infrastructure with direct PLC disruption.
They access internet-exposed devices using legitimate tools, then alter system data and operations, disrupting water, energy, and government services and causing financial loss.
Read → https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html