Cybersecurity News | Daily Recap [02 Apr 2026]
Daily Recap, a cybersecurity news digest, covers malware campaigns like AVrecon and CrystalX, phishing services like EvilTokens and PXA Stealer, and notable incidents such as Hasbro and Drift, plus Go RAT and WhatsApp-based spyware trends. It also notes ongoing vulnerability patches (CVE-2026-20160, CVE-2026-20093, CVE-2026-5281, CVE-2025-53521, CVE-2026-25075, CVE-2026-3502) and law enforcement actions (Uranium Charges) across vendors like Cisco, Google, F5, StrongSwan, and companies including Nissan and Linx Security.
#AVrecon #SocksEscort #CrystalX #CrystalRAT #DeepLoad #NoVoice #EvilTokens #PXAstealer #AGEWHEEZE #WhatsAppFakeApp #WhatsAppVBS #CERTUA #DarkSword #Hasbro #Drift #Nissan #LinxSecurity #Depthfirst #Uranium #TornadoCash #Cisco #Google #F5 #StrongSwan #TrueConf

Malware & Botnets

  • AVrecon router malware converts exposed home/SOHO devices into proxy nodes used for fraud and sold via the SocksEscort service (≈ 369,000 devices) – AVrecon Alert
  • CrystalX (aka CrystalRAT) is a Go‑based malware‑as‑a‑service offering RAT, stealers, keylogging, VNC and prankware via encrypted payloads and WebSocket C2 – CrystalX Malware
  • DeepLoad was observed in ClickFix campaigns delivering a persistent PowerShell loader that injects evasive DLLs and intercepts browser activity for live crypto theft – DeepLoad Drop
  • NoVoice Android apps on Google Play reached at least 2.3 million installs, using steganography and exploits to gain root and steal WhatsApp keys/backups – NoVoice Android

Phishing & Account Takeover

  • EvilTokens is a phishing‑as‑a‑service that automates Microsoft device‑code token theft to hijack accounts for BEC and persistent access – EvilTokens Kit
  • PXA Stealer (Vietnam‑linked) used spoofed LinkedIn recruiter lures, Google Forms and DLL sideloading to steal credentials and crypto data from professionals worldwide – PXA Stealer
  • Campaigns impersonating authorities delivered the Go RAT AGEWHEEZE via password‑protected ZIPs to ~1 million emails targeting state, medical, education and finance sectors – CERT‑UA Lure
  • WhatsApp-based attacks included a fake iPhone client distributing spyware and VBS‑based chains that use UAC bypass and cloud payload hosting to gain persistent elevated access – WhatsApp Fake App, WhatsApp VBS

Vulnerabilities & Patches

  • Cisco patched critical bugs including CVE-2026-20160 and CVE-2026-20093 – Cisco Patches
  • Google patched 21 Chrome flaws, including an actively exploited issue (CVE-2026-5281) – Chrome Update
  • Shadowserver found more than 14,000 exposed F5 BIG‑IP APM instances vulnerable to the reclassified CVE-2025-53521 – F5 Exposure
  • strongSwan patched a 15‑year‑old integer underflow (CVE-2026-25075) – strongSwan Flaw
  • Attackers exploited a TrueConf update zero‑day (CVE-2026-3502), prompting vendor patches and rebuild guidance – TrueConf Zero‑Day

Mobile & Apps

  • The FBI warned that many foreign‑developed mobile apps—particularly from China—can collect extensive device and location data, are subject to foreign laws, and may contain hidden malware, urging users to limit permissions and report incidents to IC3 – FBI Mobile Warning
  • Apple expanded availability of iOS 18.7.7 fixes to more devices to block the actively exploited DarkSword exploit kit used to deploy infostealers/backdoors – iOS DarkSword

Incidents & Breaches

  • Hasbro detected unauthorized network access, took systems offline and engaged external responders while business continuity plans remain active and delays are possible – Hasbro Breach
  • Crypto platform Drift suspended services after an active attack that firms estimate stole roughly $130M–$285M in repeated conversions while teams and exchanges scrambled to contain losses – Drift Heist
  • Nissan says the claimed data theft stemmed from a third‑party vendor and that it found no evidence Nissan systems or customer data were compromised after a hacking group posted alleged files – Nissan Claim

Threat Reports & Strategy

  • Blackpoint Cyber’s 2026 report finds modern intrusions increasingly rely on legitimate credentials, administrative tools and social engineering (SSL VPN abuse, RMM misuse, ClickFix), urging stricter remote‑access controls – Routine Access Report
  • Opinion/analysis argues for shifting from blunt blocking to session‑level governance (prompt DLP, extension risk‑scoring, agentless controls) to avoid a “workaround economy” that fuels invisible data exfiltration – Block the Prompt

Funding & Business

  • Linx Security raised $50 million in a Series B to expand its AI‑native identity security and Autopilot remediation platform (total funding $83M) – Linx Security
  • Depthfirst secured $80 million in Series B (total $120M) and launched open‑source model Dfs‑mini1 for security tasks across domains – Depthfirst Raise

Law Enforcement & Legal

  • U.S. authorities charged Jonathan Spalletta for exploiting Uranium Finance in 2021, seizing roughly $31 million and alleging laundering via Tornado Cash amid fraud and money‑laundering counts – Uranium Charges

Cybersecurity News | Daily Recap – hendryadrian.com