CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.
Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.
Sysdig observed the first in-the-wild exploitation of CVE-2026-33626 against its honeypot fleet 12 hours and 31 minutes after the GitHub advisory went live on April 21. LMDeploy is Shanghai AI Laboratory's open source toolkit for serving vision-language and text LLMs. The flaw is in load_image() in lmdeploy/vl/utils.py: it fetches arbitrary URLs from the image_url field without validating link-local, loopback, or RFC1918 ranges. CVSS 7.5. The attacker used LMDeploy as a generic SSRF primitive over an eight-minute session - port-scanning AWS IMDS, localhost Redis, MySQL, and an admin interface. v0.12.3 fixes it.
Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.
ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.
Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.
Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (APT23, Earth Centaur, KeyBoy, Pirate Panda), the China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan plus targets in South Korea and Japan with AUKUS-themed lures. Two notable changes: a custom AdaptixC2 Beacon listener instead of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and drops AdaptixC2 in memory. For high-value victims, operators push VS Code and configure a tunnel ('code tunnel user login --provider github') for full remote access.
NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.
At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.
Kaspersky disclosed PhantomRPC at Black Hat Asia on April 24, an architectural flaw in how Windows handles a core internal communication system called RPC (Remote Procedure Call). When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether the thing answering is the real one - so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.
TrustStrike Labs