A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.
Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.
Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.
Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.
One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.
A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.
Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed - sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized over 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.
The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.
McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.
A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.
TrustStrike Labs