NewsDigest

Sweden says pro-Russian hackers targeted power plant

🏷️ Cybersecurity · 🌍 Sweden · 🔗 4 sources · Digest Score 36 (the score reflects the story's reliability, bias neutrality, and public momentum)

📰 Full Story

Sweden on April 15, 2026, disclosed that a pro‑Russian cyber group linked to Russian intelligence attempted to disrupt operations at a thermal/heating power plant in western Sweden in mid‑2025. Civil Defence Minister Carl‑Oskar Bohlin said the attack failed because built‑in protection mechanisms and actions by the Swedish Security Service prevented serious consequences. Bohlin said the Security Service had identified the actor and that the case was no longer under active investigation. The government did not name the plant. Officials warned the incident reflects a shift from denial‑of‑service activity toward more sophisticated, potentially destructive attacks on operational technology that control physical infrastructure. Sweden compared the incident with recent strikes on energy and utility facilities in Poland, Denmark, Norway and Latvia that Western officials have linked to Russian‑aligned actors. The Kremlin has repeatedly denied responsibility for such operations. The Swedish government said it publicised the episode to raise awareness, bolster national resilience and coordinate with allies amid an uptick in hybrid attacks since Russia’s 2022 invasion of Ukraine.

Microsoft strengthens Windows RDP file protections

🏷️ Cybersecurity · 🌍 United States · 🔗 3 sources · Digest Score 29

📰 Full Story

Microsoft has deployed new protections in its April 2026 cumulative updates for Windows 10 and Windows 11 to block a growing phishing vector that abuses Remote Desktop Protocol (.rdp) files. The updates (including KB5082200 for Windows 10 and KB5083769 / KB5082052 for Windows 11) introduce a one‑time educational prompt when users first open an RDP file and then require a security dialog on subsequent opens. That dialog shows whether the file is digitally signed and the remote system address, and lists any requested local resource redirections (drives, clipboard, devices), which are disabled by default until explicitly approved. The protections apply only when RDP files are opened directly, not to connections initiated inside the Remote Desktop client. Administrators can temporarily disable the warnings via a registry policy, and Microsoft warns that a file signature does not guarantee safety. The change responds to real-world abuse — notably by state‑linked groups using rogue RDP files in phishing campaigns — and Microsoft says future updates may deprecate older connection settings.
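To make the dialog's checks concrete, here is an added Python example (not Microsoft's code) that parses a .rdp file the way a defender's mail-attachment triage script might and reports the same three things the dialog now surfaces: remote address, signature presence and requested local-resource redirections. The setting names are the standard RDP file keys; the sample file content is constructed, and signature presence is reported without cryptographic verification.

```python
"""Summarise what the new Windows RDP-file dialog surfaces: remote address,
signature presence and requested local-resource redirections (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Settings that hand a local resource to the remote host -> (label, "enabled" test).
REDIRECTION_SETTINGS = {
    "drivestoredirect": ("local drives", lambda v: v.strip() != ""),
    "redirectclipboard": ("clipboard", lambda v: v.strip() == "1"),
    "redirectprinters": ("printers", lambda v: v.strip() == "1"),
    "redirectsmartcards": ("smart cards", lambda v: v.strip() == "1"),
    "redirectcomports": ("COM ports", lambda v: v.strip() == "1"),
    "devicestoredirect": ("plug-and-play devices", lambda v: v.strip() != ""),
    "usbdevicestoredirect": ("USB devices", lambda v: v.strip() != ""),
    "camerastoredirect": ("cameras", lambda v: v.strip() != ""),
    "audiocapturemode": ("microphone", lambda v: v.strip() == "1"),
}

@dataclass
class RdpSummary:
    address: Optional[str]
    signed: bool  # a signature field is present; it is NOT cryptographically verified here
    redirections: list[str] = field(default_factory=list)

def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Each line is name:type:value (type s/i/b). The value may itself contain
    ':' (host:port), so split at most twice. Caller decodes the file (often UTF-16)."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings

def summarise(text: str) -> RdpSummary:
    s = parse_rdp(text)
    address = s["full address"][1] if "full address" in s else None
    signed = "signature" in s and s["signature"][1].strip() != ""
    summary = RdpSummary(address=address, signed=signed)
    for name, (label, enabled) in REDIRECTION_SETTINGS.items():
        if name in s and enabled(s[name][1]):
            summary.redirections.append(label)
    return summary

# Constructed sample: unsigned file that asks for drives, clipboard and PnP devices.
SAMPLE_RDP = ("full address:s:203.0.113.10:3389\nusername:s:helpdesk\n"
              "drivestoredirect:s:*\nredirectclipboard:i:1\nredirectprinters:i:0\n"
              "devicestoredirect:s:*\n")

if __name__ == "__main__":
    print(summarise(SAMPLE_RDP))
```

Every redirection the script lists is one the user would now have to approve explicitly in the dialog; an unsigned file pointing at an unfamiliar address that asks for drive redirection is the pattern worth blocking at the mail gateway.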

Black Basta playbook revived in executive-targeted campaign

🏷️ Cybersecurity · 🔥 Trending · 🔗 4 sources · Digest Score 19

📰 Full Story

Security firm ReliaQuest on April 15, 2026 published research showing a surge in a fast-moving intrusion campaign that mirrors the playbook of the defunct Black Basta ransomware group. The campaign, active since at least May 2025 and accelerating in March 2026, has targeted more than 100 employees across dozens of organizations with a heavy focus on senior leadership — roughly three-quarters of observed targets were executives, directors or managers. Attackers combine mass “email bombing” with Microsoft Teams help-desk impersonation to push victims to install remote monitoring and management (RMM) tools such as Supremo or to use Windows Quick Assist. Once connected, operators execute scripts disguised as legitimate utilities to gain hands-on access. ReliaQuest says the activity uses disposable Microsoft tenants, Russia-based source IPs and a highly automated workflow that enables intrusions within minutes. The highest-hit sectors include manufacturing, professional, scientific and technical services, finance and insurance, construction and technology. While researchers have not yet observed widespread ransomware encryption in the current wave, they warn the activity is consistent with pre-ransomware staging and could lead to data theft, extortion or subsequent ransomware deployment.

108 Chrome Extensions Linked to Data Theft

🏷️ Cybersecurity · 🔥 Trending · 🔗 6 sources · Digest Score 19

📰 Full Story

Security researchers at Socket disclosed on April 15, 2026, a coordinated campaign of 108 malicious Google Chrome extensions that together have around 20,000 installs on the Chrome Web Store. The add-ons, published under five developer identities (Yana Project, GameGen, SideGames, Rodeo Games and InterAlt), report to a common command-and-control backend (cloudapi[.]stream) and carry a mix of malicious behaviors. Fifty-four extensions harvest Google OAuth2 identity data, 45 contain a persistent backdoor that can open arbitrary URLs at browser start, and several strip security headers to inject ads into YouTube and TikTok. The most severe sample repeatedly exfiltrates active Telegram Web sessions every 15 seconds, enabling full account access without passwords or MFA. Socket has submitted takedown requests to Google and Chrome Web Store security teams; many extensions remained live at the time of reporting. Researchers warn the operation resembles a malware-as-a-service model, with some code comments suggesting Russian-language origins, but no definitive attribution has been made. Users are urged to audit installed extensions, remove any listed by Socket, revoke suspicious Google app access, and terminate other Telegram Web sessions if they used the flagged Telegram add-ons.

Backdoors Found in Dozens of WordPress Plugins

🏷️ Cybersecurity · 🔥 Trending · 🔗 4 sources · Digest Score 17

📰 Full Story

Security researchers disclosed a coordinated supply‑chain attack that placed backdoors into more than 30 WordPress plugins sold under the “Essential Plugin” portfolio. The plugins were bought on the marketplace Flippa by a buyer using the name “Kris” for a six‑figure sum; a malicious PHP deserialization backdoor was introduced in an August 8, 2025 update and remained dormant until it activated on April 5–6, 2026. During the activation window a command‑and‑control service at analytics.essentialplugin.com delivered payloads that injected code into wp-config.php and served cloaked SEO spam and redirects exclusively to Googlebot. WordPress.org permanently closed 31 affected plugins on April 7, 2026, and pushed an update to neutralise the phone‑home mechanism in plugin files, but the injected wp-config.php entries require manual cleanup. Researchers warn the attacker’s C2 resolution used an Ethereum smart contract, complicating domain takedown. The campaign echoes past plugin‑sale compromises and highlights a systemic gap: WordPress currently performs no ownership‑transfer code reviews or mandatory update code signing, leaving hundreds of thousands of sites at risk.