NewsDigest

Adobe patches critical Acrobat Reader zero-day exploit

Tags: Cybersecurity · Trending · 7 sources · Digest Score: 32

📰 Full Story

Adobe released emergency patches in April 2026 for a critical zero-day tracked as CVE-2026-34621 that security researchers say was actively exploited for months. The flaw affected Acrobat DC, Acrobat 2024 and Reader DC on Windows and macOS and was disclosed after researcher Haifei Li of EXPMON analyzed a malicious PDF sample first seen on VirusTotal in late 2025. Attackers used obfuscated JavaScript inside crafted PDFs to fingerprint hosts (collecting OS and Reader versions, language settings and file paths) and selectively deploy a second-stage payload capable of remote code execution or sandbox escape. Initial severity was rated 9.6 but Adobe reassessed the vector and set the CVSS to 8.6. Evidence from researchers points to targeted, selective profiling—some lures referenced oil and gas themes and Russian-language content—raising concerns about espionage-style campaigns. Adobe confirmed exploitation in the wild, urged immediate updates and provided fixes across affected builds; agencies including CISA added the flaw to known exploited vulnerabilities, mandating remediation timelines. No practical workaround was available, so patching and endpoint review were recommended as the primary mitigations.

🕰️ The Story So Far: An Evolving Timeline

Tuesday, April 14, 2026 17:15 UTC
Adobe patches critical Acrobat Reader zero-day exploit
Saturday, April 11, 2026 10:04 UTC
Adobe Reader zero-day exploited by malicious PDFs

Nexcorium Mirai Variant Hijacks TBK DVRs

Tags: Cybersecurity · 3 sources · Digest Score: 10

📰 Full Story

Security vendors on April 18, 2026, warned of a new Mirai-family botnet called Nexcorium that exploits a command-injection flaw (CVE-2024-3721) in TBK DVR models — primarily DVR-4104 and DVR-4216 — to build large-scale DDoS botnets. Fortinet FortiGuard Labs and other researchers found attackers delivering a downloader script that fetches multi-architecture payloads (ARM, MIPS, x86-64), then establishes persistence via modifications to /etc/inittab, /etc/rc.local, systemd services and cron jobs. Nexcorium embeds XOR-encoded configuration data, supports multiple flood types (UDP, TCP SYN/ACK, SMTP and others), includes brute-force Telnet credentials and reuses older exploits such as CVE-2017-17215 to broaden its reach. Unit 42 and others also observed scans targeting end-of-life TP‑Link routers; CISA had previously listed related flaws in its Known Exploited Vulnerabilities catalogue. Researchers note the campaign bears markers referencing a so‑called “Nexus Team.” Organisations are advised to patch or decommission vulnerable devices, remove default credentials, apply network segmentation and monitor for abnormal outbound connections to known C2 domains.

Scottish man pleads guilty in $8m crypto hack

Tags: Cybersecurity · United States · Trending · 3 sources · Digest Score: 6

📰 Full Story

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in the U.S. Central District of California to conspiracy to commit wire fraud and aggravated identity theft for his role in a phishing campaign that stole at least $8 million in virtual currency. Prosecutors say Buchanan and co‑conspirators ran the scheme from September 2021 to April 2023, sending hundreds of spoofed text messages that directed employees to fraudulent websites and captured login credentials. Stolen credentials and cryptocurrency seed phrases were reportedly shared on a Telegram channel administered by Buchanan. Court documents say the group targeted telecoms, IT suppliers, cloud communications firms, virtual asset companies and individuals — impacting at least a dozen companies and, in some filings, as many as 45 victims across the United States, Canada, India and the United Kingdom. Police Scotland assisted the FBI. Buchanan has been in U.S. custody since April 2025 and faces a maximum sentence of 22 years at a sentencing hearing set for Aug. 21. Several alleged co‑conspirators remain charged in U.S. courts; one has already pleaded guilty and been sentenced.

Supreme Court hacker sentenced to probation

Tags: Cybersecurity · United States · 4 sources · Digest Score: 6

📰 Full Story

Nicholas Moore, a 25-year-old Tennessee man who admitted repeatedly accessing the U.S. Supreme Court’s electronic filing system and the networks of AmeriCorps and the Department of Veterans Affairs, was sentenced to 12 months of probation on April 17, 2026. Moore pleaded guilty in January to a misdemeanor count of fraud and related activity in connection with computers, admitting he used stolen login credentials to view and sometimes post victims’ personal information to an Instagram account called @ihackedthegovernment. Prosecutors said he accessed the Supreme Court e-filing account on more than 25 days in 2023 and revealed details from other federal systems, including phone numbers and medical data, but reported no financial losses. The Justice Department recommended probation rather than incarceration, characterizing Moore as a “vulnerable young man” with long-term disabilities; prosecutors had sought up to 36 months of probation while the defense sought 12 months. U.S. District Judge Beryl Howell imposed the 12-month probation term and did not order prison time or fines at sentencing.

Three Microsoft Defender zero-days exploited in wild

Tags: Cybersecurity · Trending · 12 sources · Digest Score: 4

📰 Full Story

Security researchers and vendors warn that three Microsoft Defender vulnerabilities—BlueHammer, RedSun and UnDefend—have been published as proof-of-concept code and are being weaponized in real-world attacks. The exploits were released on GitHub by a researcher using the aliases Chaotic Eclipse / Nightmare‑Eclipse after a dispute with Microsoft’s Security Response Center. BlueHammer (tracked as CVE-2026-33825) was publicly released in early April and patched by Microsoft in the April Patch Tuesday updates; Huntress reported BlueHammer exploitation beginning April 10. RedSun and UnDefend were published mid‑April and, as of April 16–18 reporting, remained unpatched. RedSun’s PoC enables local privilege escalation to SYSTEM by abusing Defender’s cloud-file handling to overwrite protected binaries; UnDefend can be used by a standard user to block Defender signature updates, degrading protection. Vendors have observed attacker activity consistent with hands‑on‑keyboard post‑exploitation (e.g., whoami /priv, cmdkey /list, net group). Microsoft says it supports coordinated disclosure. Security teams are urged to apply available updates, monitor endpoint telemetry for suspicious local executable activity and known IOC patterns, and isolate affected hosts while emergency mitigations and patches are developed.

🤝 Social Media Insights

Social Summary
Vendors observed real-world use of PoC exploits that weaponize Defender: RedSun overwrites protected binaries to gain SYSTEM, and UnDefend blocks updates to weaken detection. Observed exploitation began April 10 and used a compromised SSLVPN; apply patches, monitor telemetry and layer defenses.

CISA orders patches for Apache ActiveMQ bug

Tags: Cybersecurity · United States · 3 sources · Digest Score: 3

📰 Full Story

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity Apache ActiveMQ vulnerability, CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) list on April 16–17, 2026, citing confirmed active exploitation. The flaw, described as improper input validation in ActiveMQ’s Jolokia management API, can enable remote code execution by convincing the broker to fetch remote configuration and run OS commands. Researcher Naveen Sunkavally of Horizon3 said the bug had been present in the codebase for about 13 years and was discovered with assistance from an AI tool. CISA’s KEV listing triggered Binding Operational Directive 22-01, giving federal civilian agencies until April 30, 2026 to patch or explain mitigation steps. Apache has issued fixes; administrators are urged to apply the vendor updates for the 5.19.x and 6.2.x series, audit externally reachable Jolokia endpoints, disable or restrict Jolokia where unnecessary, remove default credentials and monitor for signs of compromise. Security firms report thousands of exposed ActiveMQ instances and evidence of scans and exploitation attempts in the wild.