Work with real ICS/OT security scenarios, tools, and techniques at the SANS ICS Security Summit.

Join experts and practitioners in Orlando, or attend virtually, for workshops, technical talks, and community discussions.

Register - https://thn.news/ics-security-summit-26

This week's ThreatsDay Bulletin is wild:

🧓 17-year-old Excel bug exploited again
💸 Fake Ledger app drains $9.5M
🛡️ New Defender zero-day drops
☁️ APT41 hiding in your cloud
🔗 WordPress plugins poisoned via acquisition
💬 $21B black market still live on Telegram
...and 12 more.

Read all new stories here ↓ https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html

88% of AI proof-of-concepts never make it to production, according to IDC. That wasn’t the case for Robinhood.

On April 23rd, join the Robinhood team live as they walk through their journey with AI, from evaluation to production. You’ll hear first-hand how they:

🔸 Doubled alert triage capacity across all severity levels
🔸 Built multi-agent AI systems to handle complex investigations
🔸 Use human-in-the-loop guardrails and confidence scoring to maintain accuracy
🔸 Reduced both threat exposure and incident exposure windows

If you're interested in maximizing your AI investment, this live session is for you - https://thn.news/tines-ai-roadmap

[Webinar] Ghost Identities in Autonomous AI...

Live session on securing non-human identities across cloud environments.

Learn to discover service accounts and API keys, remediate excessive permissions, and automate removal of ghost identities before risk escalates.

🔗 Watch it here → https://thehackernews.com/2026/04/webinar-find-and-eliminate-orphaned-non.html

⚠️ Researchers uncovered PowMix Botnet, active since Dec 2025.

Randomized C2 beaconing and phishing ZIP → LNK → PowerShell chains enable in-memory control and persistence.

RondoDox separately exploits 170+ flaws for DDoS and crypto mining.

🔗Read → https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html

🚨 CISA flags active exploitation of an Apache ActiveMQ flaw enabling remote code execution.

Attackers abuse the Jolokia API to run OS commands. Default creds—and in some versions no auth—make it easier to exploit.

🔗 Read → https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html

⚠️ A global operation just disrupted DDoS-for-hire networks used by cybercriminals.

53 domains seized, 4 arrests in Operation PowerOFF across 21 countries. Authorities accessed 3M+ user accounts tied to these services.

🔗 Read → https://thehackernews.com/2026/04/operation-poweroff-seizes-53-ddos.html

🔥 NIST will now prioritize CVE analysis.

263% rise in vulnerabilities forced it to enrich only high-risk cases (KEV, federal, critical software). Others stay listed but without full analysis, marked “Not Scheduled.”

🔗 Read about it here → https://thehackernews.com/2026/04/nist-limits-cve-enrichment-after-263.html

Google updated Android 17 privacy rules while reporting 8.3B ads blocked and 24.9M accounts suspended in 2025.

Apps must now limit contact and location access or justify it. Separately, AI is stopping most malicious ads before users see them.

🔗 Read → https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html

⚡ Researchers confirm exploitation of three Microsoft Defender flaws—one patched (CVE-2026-33825) , two unpatched.

Attackers escalate privileges and can block Defender updates.

🔗 Learn how these flaws are used in attacks → https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html

Attackers are exploiting CVE-2024-3721 in TBK DVRs to deploy Mirai variant Nexcorium.

It spreads via old exploits and default creds, persists on devices, and launches DDoS attacks. EoL TP-Link routers are also being targeted via known flaws.

🔗 Read → https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html

Sanctioned #cryptocurrency exchange Grinex is shutting down after a $13.74M hack.

Stolen funds were quickly moved and swapped to avoid freezing. The platform is linked to Garantex, flagged for laundering over $100M.

🔗 Read → https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.html

The EU says its age verification app is ready for rollout.

Users can prove age with ID without sharing personal data. The system is anonymous, open source, and built to support child safety rules across platforms.

🔗 What the EU’s system actually does → https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html#anonymous-age-checks

🔥 Vercel disclosed a BREACH after an attacker used a compromised 3rd-party AI tool to take over an employee account.

Some internal systems, non-sensitive variables, and limited customer credentials were exposed. No evidence sensitive data was accessed.

🔗 Read → https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html

Researchers found OT malware targeting Israeli water systems.

ZionSiphon alters chlorine and pressure controls, scanning Modbus/DNP3/S7comm and spreading via USB. It activates only inside Israeli IP ranges + OT setups, but current code is unfinished.

🔗 Read → https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html

🛑 A design flaw in Anthropic’s MCP allows remote command execution on AI systems.

150M+ downloads affected as unsafe STDIO defaults expose 7,000+ services, including tools like LangChain and Flowise.

Anthropic calls the behavior “expected,” leaving the risk across the AI supply chain.

🔗 Read → https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html

AI tools look flawless in demos—but break in real operations.

Clean data and ideal prompts don’t exist in production. Messy inputs, latency, edge cases, and weak integrations quickly surface.

🔗 What breaks when AI leaves the demo → https://thehackernews.com/2026/04/why-most-ai-deployments-stall-after-demo.html

Stop using Spreadsheets & PDFs for Pentest Reporting.

Move from static files to live findings, automate remediation, and prove risk reduction.

🔗 See it in action → https://thn.news/plextrac-pentest

This week didn’t break anything. It bent everything:

⚡ Vercel hacked
🌐 DDoS busted
🤖 PowMix botnet
📢 Push fraud
📝 Obsidian RAT
⬇️ CPUID trojan
🧩 Chrome spyware
🧠 AI cyber
💰 Vect ransomware
💬 Teams trap
🗂️ CGrabber steal
📧 Mail breach
🔑 Access trade
🛠️ Adaptix C2
🧬 Adware backdoor
💉 SQL attacks
🖥️ VM stealth
🎭 Fake installer

🔗 Scroll through the full recap → https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html

⚠️ SGLang has a critical flaw enabling remote code execution (CVSS 9.8) via malicious GGUF model files.

A crafted Jinja2 template runs when /v1/rerank is triggered, executing attacker code on the server.

🔗 How GGUF templates become an RCE path → https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html

⚠️ CISA added 8 actively exploited vulnerabilities to KEV across Cisco, Quest, PaperCut, TeamCity, Kentico, and Zimbra.

Includes 3 Cisco SD-WAN flaws and a Quest KACE bug (CVSS 10.0) enabling user impersonation.

Federal patch deadlines: April 23 (Cisco), May 4 (others).

🔗 Read → https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html