Security firm ReliaQuest on April 15, 2026 published research showing a surge in a fast-scale intrusion campaign that mirrors the playbook of the defunct Black Basta ransomware group. The campaign, active since at least May 2025 and accelerating in March 2026, has targeted more than 100 employees across dozens of organizations with a heavy focus on senior leadership — roughly three-quarters of observed targets were executives, directors or managers. Attackers combine mass “email bombing” with Microsoft Teams help-desk impersonation to push victims to install remote monitoring and management (RMM) tools such as Supremo or to use Windows Quick Assist. Once connected, operators execute scripts disguised as legitimate utilities to gain hands-on access. ReliaQuest says the activity uses disposable Microsoft tenants, Russia-based source IPs and a highly automated workflow that enables intrusions within minutes. The highest-hit sectors include manufacturing, professional, scientific and technical services, finance and insurance, construction and technology. While researchers have not yet observed widespread ransomware encryption in the current wave, they warn the activity is consistent with pre-ransomware staging and could lead to data theft, extortion or subsequent ransomware deployment.

Sweden on April 15, 2026, disclosed that a pro‑Russian cyber group linked to Russian intelligence attempted to disrupt operations at a thermal/heating power plant in western Sweden in mid‑2025. Civil Defence Minister Carl‑Oskar Bohlin said the attack failed because built‑in protection mechanisms and actions by the Swedish Security Service prevented serious consequences. Bohlin said the Security Service had identified the actor and that the case was no longer under active investigation. The government did not name the plant. Officials warned the incident reflects a shift from denial‑of‑service activity toward more sophisticated, potentially destructive attacks on operational technology that control physical infrastructure. Sweden compared the incident with recent strikes on energy and utility facilities in Poland, Denmark, Norway and Latvia that Western officials have linked to Russian‑aligned actors. The Kremlin has repeatedly denied responsibility for such operations. The Swedish government said it publicised the episode to raise awareness, bolster national resilience and coordinate with allies amid an uptick in hybrid attacks since Russia’s 2022 invasion of Ukraine.

Security researchers at Socket disclosed on April 15, 2026, a coordinated campaign of 108 malicious Google Chrome extensions that together have around 20,000 installs on the Chrome Web Store. The add-ons, published under five developer identities (Yana Project, GameGen, SideGames, Rodeo Games and InterAlt), report to a common command-and-control backend (cloudapi[.]stream) and carry a mix of malicious behaviors. Fifty-four extensions harvest Google OAuth2 identity data, 45 contain a persistent backdoor that can open arbitrary URLs at browser start, and several strip security headers to inject ads into YouTube and TikTok. The most severe sample repeatedly exfiltrates active Telegram Web sessions every 15 seconds, enabling full account access without passwords or MFA. Socket has submitted takedown requests to Google and Chrome Web Store security teams; many extensions remained live at the time of reporting. Researchers warn the operation resembles a malware-as-a-service model, with some code comments suggesting Russian-language origins, but no definitive attribution has been made. Users are urged to audit installed extensions, remove any listed by Socket, revoke suspicious Google app access, and terminate other Telegram Web sessions if they used the flagged Telegram add-ons.

Security researchers disclosed a coordinated supply‑chain attack that placed backdoors into more than 30 WordPress plugins sold under the “Essential Plugin” portfolio. The plugins were bought on the marketplace Flippa by a buyer using the name “Kris” for a six‑figure sum; a malicious PHP deserialization backdoor was introduced in an August 8, 2025 update and remained dormant until it activated on April 5–6, 2026. During the activation window a command‑and‑control service at analytics.essentialplugin.com delivered payloads that injected code into wp-config.php and served cloaked SEO spam and redirects exclusively to Googlebot. WordPress.org permanently closed 31 affected plugins on April 7, 2026, and pushed an update to neutralise the phone‑home mechanism in plugin files, but the injected wp-config.php entries require manual cleanup. Researchers warn the attacker’s C2 resolution used an Ethereum smart contract, complicating domain takedown. The campaign echoes past plugin‑sale compromises and highlights a systemic gap: WordPress currently performs no ownership‑transfer code reviews or mandatory update code signing, leaving hundreds of thousands of sites at risk.

Microsoft on April 14-15 released one of its largest Patch Tuesday updates, addressing roughly 165–167 vulnerabilities across Windows and related products and shipping cumulative Windows 11 packages (KB5083769/KB5082052). The rollout includes two zero-days: CVE-2026-32201, a SharePoint Server spoofing flaw that Microsoft says was actively exploited and has been added to CISA’s Known Exploited Vulnerabilities list; and CVE-2026-33825, an elevation-of-privilege defect in Microsoft Defender (publicly disclosed and linked to exploit code nicknamed “BlueHammer”). The cycle also patched multiple critical issues, including a near-9.8 CVSS remote-code-execution bug in the IKEv2 extension (CVE-2026-33824), numerous elevation-of-privilege flaws, Office and RDP-related bugs, and quality-of-life fixes for Windows 11. Security firms warned administrators to prioritise emergency remediation, audit externally facing SharePoint instances, and deploy mitigations where immediate patching is not possible.