NewsDigest

Microsoft strengthens Windows RDP file protections

🏷️ Cybersecurity · 🌍 United States · 🔗 3 sources · Digest Score: 32 (this score reflects the story's reliability, bias neutrality, and public momentum)

📰 Full Story

Microsoft has deployed new protections in its April 2026 cumulative updates for Windows 10 and Windows 11 to block a growing phishing vector that abuses Remote Desktop Protocol (.rdp) files. The updates (including KB5082200 for Windows 10 and KB5083769 / KB5082052 for Windows 11) introduce a one‑time educational prompt when users first open an RDP file and then require a security dialog on subsequent opens. The dialog shows whether the file is digitally signed and the address of the remote system, and lists any local resource redirections the file requests (drives, clipboard, devices); those redirections are disabled by default until explicitly approved. The protections apply only when RDP files are opened directly, not to connections initiated inside the Remote Desktop client. Administrators can temporarily disable the warnings via a registry policy, and Microsoft warns that a file signature does not guarantee safety. The change responds to real-world abuse — notably by state‑linked groups using rogue RDP files in phishing campaigns — and Microsoft says future updates may deprecate older connection settings.
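The security dialog described above surfaces three things from an .rdp file: the remote address, whether the file carries a signature, and which local resources it asks to redirect. The following triage script, added here as an illustration and not part of the article or of Microsoft's tooling, extracts the same facts from an .rdp file so a defender can review files arriving by mail before anyone opens them. The sample file is constructed; the setting names (`full address`, `drivestoredirect`, `signscope`, `signature`, and so on) are the standard .rdp keys.

```python
import re

# Constructed sample .rdp file (not from the article): unsigned, requests drive,
# clipboard and device redirection, explicitly declines printer redirection.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
username:s:user
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
devicestoredirect:s:*
remoteapplicationmode:i:0
"""

# Settings that let the remote host reach local resources, mapped to a label for reporting.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "devicestoredirect": "plug-and-play devices",
    "redirectsmartcards": "smart cards",
    "usbdevicestoredirect": "USB devices",
    "camerastoredirect": "cameras",
    "audiocapturemode": "microphone",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines; type s = string, i = integer, b = binary blob."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if not m:
            continue  # blank or malformed line; the client ignores these too
        name, typ, val = m.groups()
        settings[name.lower()] = int(val) if typ == "i" and val.lstrip("-").isdigit() else val
    return settings

def requested_redirections(settings):
    """Return labels of redirections the file asks for (non-zero int or non-empty string)."""
    found = []
    for key, label in REDIRECTION_KEYS.items():
        val = settings.get(key)
        if val is None:
            continue
        if (val != 0) if isinstance(val, int) else (str(val).strip() not in ("", "0")):
            found.append(label)
    return found

def triage(text):
    """Summarise what the Windows dialog would show: target, signature presence, redirections."""
    s = parse_rdp(text)
    return {
        "remote": s.get("full address", "<none>"),
        # A signed file carries both a signscope list and the signature blob; presence
        # only means "signed", not "safe", which matches Microsoft's own warning.
        "signed": "signscope" in s and "signature" in s,
        "redirections": requested_redirections(s),
    }
```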

🕰️ The Story So Far: An Evolving Timeline

Thursday, April 16, 2026 06:15 UTC
Microsoft strengthens Windows RDP file protections
Wednesday, April 15, 2026 07:38 UTC
Microsoft's April Patch Tuesday fixes 165 vulnerabilities

Supreme Court hacker sentenced to probation

🏷️ Cybersecurity · 🌍 United States · 🔗 4 sources · Digest Score: 31

📰 Full Story

Nicholas Moore, a 25-year-old Tennessee man who admitted repeatedly accessing the U.S. Supreme Court’s electronic filing system and the networks of AmeriCorps and the Department of Veterans Affairs, was sentenced to 12 months of probation on April 17, 2026. Moore pleaded guilty in January to a misdemeanor count of fraud and related activity in connection with computers, admitting he used stolen login credentials to view and sometimes post victims’ personal information to an Instagram account called @ihackedthegovernment. Prosecutors said he accessed the Supreme Court e-filing account on more than 25 days in 2023 and revealed details from other federal systems, including phone numbers and medical data, but reported no financial losses. The Justice Department recommended probation rather than incarceration, characterizing Moore as a “vulnerable young man” with long-term disabilities; prosecutors had sought up to 36 months of probation while the defense sought 12 months. U.S. District Judge Beryl Howell imposed the 12-month probation term and did not order prison time or fines at sentencing.

Three Microsoft Defender zero-days exploited in wild

🏷️ Cybersecurity · 🔥 Trending · 🔗 12 sources · Digest Score: 25

📰 Full Story

Security researchers and vendors warn that proof-of-concept code for three Microsoft Defender vulnerabilities—BlueHammer, RedSun and UnDefend—has been published and is being weaponized in real-world attacks. The exploits were released on GitHub by a researcher using the aliases Chaotic Eclipse / Nightmare‑Eclipse after a dispute with Microsoft’s Security Response Center. BlueHammer (tracked as CVE-2026-33825) was publicly released in early April and patched by Microsoft in the April Patch Tuesday updates; Huntress reported BlueHammer exploitation beginning April 10. RedSun and UnDefend were published mid‑April and, as of April 16–18 reporting, remained unpatched. RedSun’s PoC enables local privilege escalation to SYSTEM by abusing Defender’s cloud-file handling to overwrite protected binaries; UnDefend can be used by a standard user to block Defender signature updates, degrading protection. Vendors have observed attacker activity consistent with hands‑on‑keyboard post‑exploitation (e.g., whoami /priv, cmdkey /list, net group). Microsoft says it supports coordinated disclosure. Security teams are urged to apply available updates, monitor endpoint telemetry for suspicious local executable activity and known IOC patterns, and isolate affected hosts while emergency mitigations and patches are developed.
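The post-exploitation commands named above (whoami /priv, cmdkey /list, net group) are the kind of telemetry the story tells teams to watch for while the unpatched bugs remain open. The script below is an added example, not vendor detection content: it runs over constructed process-creation events and flags any host/user that executes two or more of those discovery commands within a short window, which separates the hands-on-keyboard pattern from a lone administrator running one of them. The event tuple layout and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry): (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2026-04-16T10:00:01", "WS01", "alice", "C:\\Windows\\System32\\whoami.exe /priv"),
    ("2026-04-16T10:00:09", "WS01", "alice", "cmdkey.exe /list"),
    ("2026-04-16T10:00:40", "WS01", "alice", "net.exe group \"Domain Admins\" /domain"),
    ("2026-04-16T11:15:00", "WS02", "bob", "whoami.exe /priv"),      # single command: no alert
    ("2026-04-16T13:45:00", "WS03", "carol", "net.exe user"),         # not one of the patterns
]

# Discovery commands reported alongside the Defender zero-day exploitation.
PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet(\.exe)?\s+group\b", re.I),
}

def find_discovery_clusters(events, window_minutes=5, min_distinct=2):
    """Return one (host, user, first_time, pattern_names) tuple per host/user whose
    matching commands include at least `min_distinct` distinct patterns inside the window."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        hits = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
        if hits:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), hits[0]))
    alerts = []
    for (host, user), obs in by_actor.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            # Distinct patterns seen from this observation forward, inside the window.
            names = {n for t, n in obs[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(names) >= min_distinct:
                alerts.append((host, user, t0.isoformat(), names))
                break  # one alert per actor is enough to trigger triage
    return alerts
```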

CISA orders patches for Apache ActiveMQ bug

🏷️ Cybersecurity · 🌍 United States · 🔗 3 sources · Digest Score: 18

📰 Full Story

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity Apache ActiveMQ vulnerability, CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) list on April 16–17, 2026, citing confirmed active exploitation. The flaw, described as improper input validation in ActiveMQ’s Jolokia management API, can enable remote code execution by convincing the broker to fetch remote configuration and run OS commands. Researcher Naveen Sunkavally of Horizon3 said the bug had been present in the codebase for about 13 years and was discovered with assistance from an AI tool. CISA’s KEV listing triggered Binding Operational Directive 22-01, giving federal civilian agencies until April 30, 2026 to patch or explain mitigation steps. Apache has issued fixes; administrators are urged to apply the vendor updates for the 5.19.x and 6.2.x series, audit externally reachable Jolokia endpoints, disable or restrict Jolokia where unnecessary, remove default credentials and monitor for signs of compromise. Security firms report thousands of exposed ActiveMQ instances and evidence of scans and exploitation attempts in the wild.

Sanctioned Grinex Exchange Halts After $13–15M Hack

🏷️ Cybersecurity · 🌍 Kyrgyzstan · 🔥 Trending · 🔗 5 sources · Digest Score: 18

📰 Full Story

Grinex, a Kyrgyzstan-registered crypto exchange linked to Russia and sanctioned by the U.S., U.K. and EU, suspended operations after suffering a cyber heist that stole roughly 1 billion roubles (about $13.1 million) in mid-April 2026. Blockchain intelligence firms TRM Labs and Elliptic put the value of drained addresses at between $13.7 million and $15 million and identified about 70 linked addresses. Analysts say much of the stolen USDT was rapidly swapped into TRX or ETH to reduce the chance of freezing by Tether. TokenSpot, a separate Kyrgyz exchange with on-chain ties to Grinex, was also disrupted but lost only a small amount. Grinex accused “western intelligence” agencies of orchestrating the attack and said preliminary findings indicate the operation aimed to damage Russia’s financial sovereignty; those claims have not been independently verified. U.S. authorities previously sanctioned Grinex as a rebrand of Garantex, which U.S. Treasury accused of laundering illicit proceeds. Grinex has reported the incident to law enforcement and shared wallet data publicly.

Global police seize 53 DDoS domains in PowerOFF

🏷️ Cybersecurity · 🔥 Trending · 🔗 8 sources · Digest Score: 12

📰 Full Story

A coordinated international law enforcement operation led by Europol has seized 53 web domains linked to DDoS-for-hire (“booter”) services and identified more than 3 million user accounts, authorities said. Operation PowerOFF, conducted April 13–16, involved agencies from 21 countries including the United States, United Kingdom, Japan, Germany and Brazil. The action resulted in four arrests, execution of 25 search warrants, seizure of servers and databases, removal of over 100 URLs from search results, and targeted warning ads aimed at potential users. Using data recovered from seized infrastructure, police and partners sent more than 75,000 emails and letters — and posted warnings on blockchain and cryptocurrency channels — to suspected customers of the services. U.S. agencies also seized several domains and infrastructure tied to named booter services. Officials said the takedowns disrupted technical backends that enabled attacks and combined enforcement with prevention measures to deter new users. Europol described DDoS-for-hire as a prolific, low-barrier cybercrime that can be used for harassment, extortion or to knock critical online services offline.