[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6It1TBGkaFp55y9FaqKUOZjsqsdNvJcn0gmifn3vJbE":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":62,"social_x":63,"article_count":64,"awareness_links":65,"status":126,"published_at":127,"created_at":128,"updated_at":128,"mastodon_posted_at":129,"executive_summary":130,"tagline":131,"cover_image_url":132},"d80a0a88-6825-43d0-8969-fc1e0988c746","2026-W16","2026-w16","2026-04-13","2026-04-19","🔥 Critical infrastructure under fire as water treatment malware surfaces, 13-year-old Apache bug exploits go wild, and North Korean infiltration schemes continue\n⚡ Zero-day exploitation accelerates with Windows Defender flaws actively used in attacks while law enforcement takes down 53 DDoS domains\n🏦 Major breaches cascade across sectors from Vercel's $2M ransom demand to France's 1.9M basketball federation records\n🛡️ Supply chain attacks multiply via GitHub malware distribution and compromised OAuth apps targeting developer workflows\n💰 Criminal markets evolve as threat actors pivot from disrupted phishing kits to sophisticated crypto theft operations\n🏛️ Regulatory pressure mounts with €200K+ GDPR fines for excessive monitoring and API security failures","## Vulnerabilities & Exploits\n\n**[Apache ActiveMQ CVE-2026-34197 added to CISA KEV amid active exploitation](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-flags-apache-activemq-flaw-as-actively-exploited-in-attacks\u002F)**. This 13-year-old RCE vulnerability in the Jolokia API is being actively exploited in the wild, with over 7,500 exposed instances online. **[Three Windows Defender zero-days actively exploited](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fthree-microsoft-defender-zero-days.html)**. BlueHammer was patched, but RedSun and UnDefend remain unpatched, allowing SYSTEM privilege escalation. 
**[Critical Protobuf.js RCE flaw enables JavaScript code execution](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritical-flaw-in-protobuf-library-enables-javascript-code-execution\u002F)**. The vulnerability in this 50M weekly download library allows code injection through malicious schemas. **[ShowDoc vulnerability from 2020 used in active server takeovers](https:\u002F\u002Fhackread.com\u002Fshowdoc-vulnerability-patch-2020-server-takeover\u002F)**. CVE-2025-0520 allows unrestricted file upload on 2,000+ unpatched instances.\n\n### Key Takeaway\nPatch Apache ActiveMQ immediately and review legacy application inventories for unpatched CVEs in production systems.\n\n## Ransomware & Breaches\n\n**[Vercel confirms breach as ShinyHunters demand $2M ransom](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fvercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data\u002F)**. The development platform breach affects thousands of developers with stolen API keys, source code, and employee data. **[French Basketball Federation breached exposing 1.9M members](https:\u002F\u002Fdarkwebinformer.com\u002Ffrench-basketball-federation-breached-1-9-million-members-and-800k-parents-exposed-with-addresses-medical-certificates-and-minor-data\u002F)**. HexDex is selling the dataset including medical certificates and minor data. **[KelpDAO drained of $280M across Ethereum and Arbitrum](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2045591063012761635)**. Funds were moved through Tornado Cash mixing service. **[MORGUE database contains 251M Brazilian CPF records](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2045546123201266114)**. 
One of the largest personal identity document leaks in the region.\n\n### Key Takeaway\nImplement emergency incident response protocols and review third-party OAuth permissions for unauthorized access.\n\n## Supply Chain & Infrastructure\n\n**[CGrabber malware spreads through GitHub ZIP files](https:\u002F\u002Fhackread.com\u002Fcgrabber-direct-sys-malware-github-zip-files\u002F)**. The campaign uses DLL sideloading and direct syscalls to steal from 150+ crypto apps and browsers. **[Cursor AI vulnerability exposed developer devices](https:\u002F\u002Fwww.securityweek.com\u002Fcursor-ai-vulnerability-exposed-developer-devices\u002F)**. NomShub attack chain allows remote shell access via prompt injection and sandbox bypass. **[Six German hosting providers breached via Axmir panel pivot](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2045885388573593838)**. 7.2M database records and 18.2 GB source code exfiltrated. **[ZionSiphon malware targets Israeli water infrastructure](https:\u002F\u002Fwww.securityweek.com\u002Fzionsiphon-malware-targets-ics-in-water-facilities\u002F)**. OT-specific capabilities target chlorine dosing and pressure systems via USB propagation.\n\n### Key Takeaway\nAudit development tool security settings and implement network segmentation for OT\u002FICS environments.\n\n## APT & Nation-State\n\n**[Two US nationals sentenced for North Korean IT worker scheme](https:\u002F\u002Fwww.securityweek.com\u002Ftwo-north-korean-it-worker-scheme-facilitators-jailed-in-the-us\u002F)**. Wang brothers operated laptop farms enabling infiltration of 100+ companies, generating $5M for North Korea. **[Microsoft details cross-tenant helpdesk impersonation campaign](https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F04\u002F18\u002Fcrosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook\u002F)**. Attackers use external Teams to social engineer Quick Assist access for data exfiltration. 
**[Payouts King ransomware uses QEMU VMs to bypass endpoint security](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fpayouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security\u002F)**. GOLD ENCOUNTER group runs Alpine Linux VMs to evade detection. **[AgingFly malware targets Ukrainian critical infrastructure](https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2045235378337030463)**. Novel campaign specifically designed for data exfiltration from Ukrainian systems.\n\n### Key Takeaway\nValidate external collaboration requests and implement behavioral monitoring for virtualization abuse.\n\n## Regulatory & Compliance\n\n**[Spain's AEPD fines transport company €200K for excessive phone monitoring](https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202411411)**. ARES CAPITAL violated data minimization by requiring four tracking apps on employee personal phones. **[EVO Banco fined €240K for API vulnerability affecting 1.27M customers](https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202406208)**. Migration system lacked encryption and access controls during onboarding. **[AXA Spain fined €200K for former employee data breach](https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202309453)**. Insufficient security allowed impersonation using insurance number and payment card digits. **[NIST stops rating non-priority flaws due to volume surge](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnist-to-stop-rating-non-priority-flaws-due-to-volume-increase\u002F)**. 263% increase in CVE submissions forces risk-based prioritization.\n\n### Key Takeaway\nReview employee monitoring practices for GDPR compliance and implement distributed vulnerability assessment approaches beyond NIST.\n\n## Law Enforcement Operations\n\n**[Operation PowerOFF seizes 53 DDoS domains](https:\u002F\u002Fwww.securityweek.com\u002F53-ddos-domains-taken-down-by-law-enforcement\u002F)**. 
21-country operation arrested 4, exposed 3M criminal accounts, and warned 75,000 users. **[Tycoon 2FA phishers scatter after domain seizures](https:\u002F\u002Fwww.securityweek.com\u002Ftycoon-2fa-loses-phishing-kit-crown-amid-surge-in-attacks\u002F)**. Threat actors migrate to Mamba 2FA, EvilProxy, and Sneaky 2FA platforms.\n\n### Key Takeaway\nMonitor for threat actor migration to alternative platforms following law enforcement disruptions.",[13,17,20,23,26,30,33,36,39,43,46,49,52,56,59],{"type":14,"value":15,"context":16},"cve","CVE-2026-34197","High-severity improper input validation in Apache ActiveMQ Classic enabling code injection and RCE via Jolokia API",{"type":14,"value":18,"context":19},"CVE-2024-32114","Authentication bypass in Apache ActiveMQ 6.0.0–6.1.1 exposing Jolokia API without credentials, making CVE-2026-34197 unauthenticated",{"type":14,"value":21,"context":22},"CVE-2023-46604","Critical ActiveMQ vulnerability (CVSS 10.0) weaponized in August 2025 to deliver DripDropper Linux 
malware",{"type":14,"value":24,"context":25},"CVE-2026-33825","BlueHammer Windows local privilege escalation vulnerability, patched in April 2026",{"type":27,"value":28,"context":29},"malware","BlueHammer","Windows LPE exploit, actively deployed since April 10, 2026",{"type":27,"value":31,"context":32},"RedSun","Windows Defender LPE exploit, unpatched, allows SYSTEM privilege escalation",{"type":27,"value":34,"context":35},"UnDefend","Windows Defender definition update blocking exploit, unpatched",{"type":27,"value":37,"context":38},"ZionSiphon","Malware targeting Israeli water treatment and desalination plants with OT\u002FICS capabilities",{"type":40,"value":41,"context":42},"domain","Stresser.tech","DDoS booter service disrupted in Operation PowerOff",{"type":40,"value":44,"context":45},"webstresser.org","DDoS-for-hire service shut down in 2018 with 136,000 users responsible for 4 million attacks",{"type":40,"value":47,"context":48},"ipstresser.com","DDoS-for-hire service seized in 2022",{"type":40,"value":50,"context":51},"zdstresser.net","DDoS-for-hire service seized in 2024",{"type":53,"value":54,"context":55},"mitre_attack","T1190","Exploit Public-Facing Application - targeted FFBB web infrastructure",{"type":53,"value":57,"context":58},"T1213","Data from Information Repositories - extracted federation membership database",{"type":53,"value":60,"context":61},"T1589.002","Gather Victim Identity: Email Addresses - harvested 1.4M+ emails and phone numbers","🚨 This week brought dangerous escalation in cyber threats: a 13-year-old Apache bug exploited in the wild, nation-state malware targeting water infrastructure, and massive supply chain compromises.\n\nKey developments:\n• Apache ActiveMQ CVE-2026-34197 added to CISA KEV after hiding for 13 years\n• ZionSiphon malware specifically targets Israeli water treatment OT systems\n• North Korean operatives infiltrated 100+ US companies via identity theft scheme  \n• Windows Defender zero-days actively exploited (2 
remain unpatched)\n• Operation PowerOFF seized 53 DDoS domains, exposed 3M criminal accounts\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w16\n\n#cybersecurity #CISA #criticalinfrastructure #supplychain #zerodayexploits","🔥 Critical week: 13-year-old Apache bug exploited in wild, nation-state water malware discovered, North Korean scheme infiltrates 100+ companies. Law enforcement takes down 53 DDoS domains while legacy flaws weaponize at scale.\n\nhttps:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w16",80,[66,69,72,75,78,81,84,87,90,93,96,99,102,105,108,111,114,117,120,123],{"slug":67,"title":68},"sophisticated-malware-campaign-exploits-github-distribution-and-advanced-evasion-techniques","Sophisticated Malware Campaign Exploits GitHub Distribution and Advanced Evasion Techniques",{"slug":70,"title":71},"nation-state-malware-targets-critical-water-infrastructure-via-usb-and-ics-protocols","Nation-State Malware Targets Critical Water Infrastructure via USB and ICS Protocols",{"slug":73,"title":74},"critical-rce-vulnerability-in-widely-used-protobuf-javascript-library-affects-millions-of-applicatio","Critical RCE vulnerability in widely-used Protobuf JavaScript library affects millions of applications",{"slug":76,"title":77},"french-basketball-federation-data-breach-exposes-19m-members-including-minors","French Basketball Federation Data Breach Exposes 1.9M Members Including Minors",{"slug":79,"title":80},"us-nationals-enable-north-korean-it-worker-infiltration-of-fortune-500-companies","US Nationals Enable North Korean IT Worker Infiltration of Fortune 500 Companies",{"slug":82,"title":83},"apache-activemq-critical-rce-vulnerability-exploited-in-wild","Apache ActiveMQ Critical RCE Vulnerability Exploited in Wild",{"slug":85,"title":86},"microsoft-april-patches-cause-domain-controller-boot-loops","Microsoft April Patches Cause Domain Controller Boot 
Loops",{"slug":88,"title":89},"ai-development-tools-create-new-attack-surface-for-developer-compromise","AI Development Tools Create New Attack Surface for Developer Compromise",{"slug":91,"title":92},"nist-cve-enrichment-limitations-create-vulnerability-assessment-gaps","NIST CVE Enrichment Limitations Create Vulnerability Assessment Gaps",{"slug":94,"title":95},"international-law-enforcement-takes-down-53-ddos-for-hire-services","International Law Enforcement Takes Down 53 DDoS-for-Hire Services",{"slug":97,"title":98},"zero-day-exploits-highlight-critical-patch-management-gaps","Zero-Day Exploits Highlight Critical Patch Management Gaps",{"slug":100,"title":101},"law-enforcement-operation-dismantles-ddos-for-hire-infrastructure","Law Enforcement Operation Dismantles DDoS-for-Hire Infrastructure",{"slug":103,"title":104},"credential-stuffing-attack-leads-to-635k-theft-from-gaming-platform","Credential Stuffing Attack Leads to $635K Theft from Gaming Platform",{"slug":106,"title":107},"13-year-old-apache-activemq-vulnerability-exploited-via-default-credentials","13-Year-Old Apache ActiveMQ Vulnerability Exploited via Default Credentials",{"slug":109,"title":110},"13-year-old-apache-activemq-vulnerability-exploited-in-wild","13-Year-Old Apache ActiveMQ Vulnerability Exploited in Wild",{"slug":112,"title":113},"north-korean-it-workers-infiltrate-us-companies-through-identity-fraud-1776420572657","North Korean IT Workers Infiltrate US Companies Through Identity Fraud",{"slug":115,"title":116},"spanish-dpa-fines-company-200k-for-excessive-employee-phone-monitoring","Spanish DPA Fines Company €200K for Excessive Employee Phone Monitoring",{"slug":118,"title":119},"spanish-company-fined-200000-for-excessive-employee-phone-monitoring","Spanish Company Fined €200,000 for Excessive Employee Phone Monitoring",{"slug":121,"title":122},"ot-specific-malware-targets-water-infrastructure-control-systems","OT-Specific Malware Targets Water Infrastructure Control 
Systems",{"slug":124,"title":125},"axa-spain-fined-200k-for-former-employee-data-breach","AXA Spain Fined €200K for Former Employee Data Breach","published","2026-04-20T04:33:32.25+00:00","2026-04-20T04:31:16.828337+00:00","2026-04-20T04:45:06.638+00:00","### The week in one line\nCritical infrastructure faces coordinated attacks while legacy vulnerabilities explode into active exploitation campaigns.\n\n### What happened\nThis week marked a dangerous escalation in both the sophistication and scope of cyber threats targeting critical systems and supply chains. The discovery of a 13-year-old Apache ActiveMQ vulnerability being actively exploited demonstrates how dormant flaws can suddenly become weaponized at scale.\n\n• Apache ActiveMQ CVE-2026-34197 added to CISA KEV after 13 years of undetected presence in production systems\n• Three Windows Defender zero-days actively exploited with two remaining unpatched\n• ZionSiphon malware specifically engineered to target Israeli water treatment infrastructure via OT protocols\n• North Korean infiltration scheme exposed after placing operatives in 100+ US companies including Fortune 500 firms\n• Operation PowerOFF disrupted 53 DDoS-for-hire domains while exposing 3 million criminal user accounts\n\n### Why it matters for defenders and leaders\nThe convergence of supply chain compromises, critical infrastructure targeting, and nation-state operations creates a perfect storm for organizations unprepared for multi-vector attacks. 
Legacy vulnerability management approaches are failing as threat actors weaponize ancient flaws faster than traditional patch cycles.\n\n• Over 7,500 exposed Apache ActiveMQ instances remain vulnerable to a flaw that existed undetected for over a decade\n• Developer tools like Cursor AI and GitHub distribution channels are being weaponized for supply chain attacks\n• Critical infrastructure sectors including water treatment and aviation are under active attack from sophisticated malware\n• GDPR enforcement is accelerating with €200K+ fines for monitoring overreach and API security failures\n\n### What to do this week\n• Patch Apache ActiveMQ servers immediately and audit all instances for CVE-2026-34197 exposure\n• Conduct emergency review of legacy applications for unpatched CVEs using vulnerability scanners\n• Implement network segmentation between IT and OT environments to prevent lateral movement\n• Validate all external collaboration requests and disable unnecessary cross-tenant Teams features\n• Review third-party OAuth permissions and revoke suspicious authorizations across development platforms","Legacy flaws weaponized at industrial scale","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w16-cover.png"]