Cybersecurity Threat Research ‘Weekly’ Recap
A roundup of social engineering, phishing, and remote-access abuse highlights: cross-tenant helpdesk impersonation, a Black Basta affiliate executive-targeting campaign, and the ClickFix phishing operation. The report also covers ransomware, extortion, data leaks, malware post-exploitation, cloud and identity abuse, and mobile-endpoint threats across multiple sectors.
#CrossTenantHelpdesk #BlackBasta #ClickFix #UNC1069 #AgenziaDelleEntrate #YouTubeCopyrightNotices #InteractiveBrokers #MacSyncStealer #NightSpire #PayoutsKing #Qilin #TheGentlemen #INC_Ransom #MOIS #HomelandJustice #Karma #Handala #ForceHound #Keenadu #RecruitRat #SaferRat #Astrinox #Massiv #RedSun #TP-Link #JoomlaSEOSpam
Social engineering, phishing & remote access abuse
- Microsoft Teams/helpdesk impersonation and vishing are used to launch Quick Assist, gain interactive control, then pivot via WinRM and exfiltrate data. (Cross-tenant helpdesk impersonation playbook)
- An automated executive-targeting campaign from former Black Basta affiliates combines email bombing, Teams impersonation, and RMM tools like Supremo/Quick Assist for rapid access. (Black Basta affiliate executive targeting)
- ClickFix phishing lures victims with a fake Claude installer, using mshta, obfuscated PowerShell, AMSI bypass, and process injection. (Fake Claude installer ClickFix)
- Fake meeting lures target crypto/Web3 professionals, capturing audio/video and delivering OS-specific RAT payloads. (UNC1069 fake meeting tactics)
- A phishing campaign impersonates the Italian Revenue Agency to harvest SPID credentials from public administrations. (Agenzia delle Entrate phishing)
- Fake YouTube copyright notices use browser-in-the-browser Google login overlays to steal creator credentials and hijack channels. (Fake YouTube copyright notices)
- Interactive Brokers phishing uses a fake W-8BEN renewal alert to redirect victims to credential-stealing pages. (Fake IRS W-8BEN renewal)
- MacSync Stealer uses SEO poisoning and ClickFix-style fake CAPTCHAs to make macOS users run Terminal commands that install infostealers. (MacSync Stealer campaign)
Ransomware, extortion & data leak operations
- NightSpire expands via RaaS, using Go-based ransomware with double extortion, LOLBins, and credential dumping. (NightSpire ransomware emulation)
- Payouts King ransomware blends spam bombing, phishing, vishing, Teams abuse, and strong obfuscation for selective encryption. (Payouts King ransomware)
- March ransomware trends highlight continued pressure on critical infrastructure, with active campaigns from Qilin, The Gentlemen, and INC Ransom. (March 2026 ransomware trends)
- Europe’s extortion landscape shifted toward Germany, with SafePay and Qilin driving a sharp rise in leak-site activity. (Germany data leak landscape)
- MOIS-linked personas such as Homeland Justice, Karma, and Handala appear to form one coordinated hack-and-leak and destructive ecosystem. (MOIS-linked influence ecosystem)
- March 2026 sector reporting shows malware, web shells, infostealers, CoinMiners, and ransomware impacting Korean and global financial organizations. (Financial sector security issues)
Malware, loaders & stealthy post-exploitation
- Operation PhantomCLR hides code execution inside the signed Intel utility IAStorHelp.exe via AppDomainManager hijacking, reflective loading, and CloudFront domain fronting. (Operation PhantomCLR)
- Kong RAT spreads through SEO poisoning and trojanized installers, then uses sideloading, UAC bypass, and modular TCP C2. (Kong RAT campaign)
- PhantomPulse abuses Obsidian plugin sync and trojanized plugins to deploy a cross-platform RAT with blockchain-based C2 resolution. (PhantomPulse RAT)
- RoningLoader emulation captures evolving post-compromise tradecraft from DragonBreath’s RAT operations. (RoningLoader malware)
- Marimo exploitation was rapidly weaponized to deploy a botnet, harvest credentials, and establish persistence via HuggingFace-hosted infrastructure. (Marimo CVE-2026-39987)
- APT37 used Facebook reconnaissance and tampered installer malware to stage shellcode and cloud-abused C2. (APT37 pretexting-based intrusion)
Cloud, identity & web application abuse
- ForceHound maps Salesforce identities, permissions, connected apps, and privilege paths into BloodHound for exposure analysis. (ForceHound for Salesforce auditing)
- ForceHound attack-path analysis shows transitive escalation to high-value Salesforce capabilities like ModifyAllData and ApiEnabled. (ForceHound attack paths)
- Mailbox rules in Microsoft 365 are being abused for stealthy persistence, thread hijacking, and exfiltration without malware. (O365 mailbox rules abuse)
- Anonymous S3 request logging gaps allowed invisible access to public buckets from private VPCs until CloudTrail was updated. (Anonymous S3 logging gap)
- 108 malicious Chrome extensions share C2 infrastructure to steal Google/Telegram sessions and browsing data and to inject ads. (Chrome extension C2 cluster)
- A Joomla SEO spam injector uses an obfuscated PHP backdoor to fetch remote instructions and inject spam/redirects. (Joomla SEO spam backdoor)
- The Keenadu Android firmware backdoor appears to be embedded via malicious libraries or OTA updates for remote control and monetization. (Keenadu backdoor network)
Mobile, Android & endpoint malware
- Android banking trojans RecruitRat, SaferRat, Astrinox, and Massiv target hundreds of apps with overlays, screen capture, and 2FA theft. (Android Bankers roundup)
- MiningDropper is a modular Android framework that can switch from miner deployment to infostealer or RAT payloads. (MiningDropper Android campaign)
- JanelaRAT targets Latin American banking users with multi-stage phishing, sideloading, overlays, and session hijacking. (JanelaRAT in Latin America)
- RedSun exploits a Windows Defender remediation flaw to race-write attacker binaries into System32 and gain SYSTEM. (RedSun Windows 0day)
- TP-Link CVE-2023-33538 was actively scanned for Mirai-style botnet deployment against end-of-life routers. (TP-Link router exploitation)
Threat intel, analysis & defensive research
- AI-driven vulnerability discovery is shortening exploit timelines and forcing faster, more automated defense. (Defending enterprise AI vulnerabilities)
- Agentic LLM browsers introduce new high-privilege abuse paths via XSS, IPC/Mojo compromise, prompt injection, and CSRF. (Agentic browser vulnerabilities)
- Dependency cooldowns can reduce supply-chain exposure by delaying adoption of newly released npm/PyPI packages. (Dependency cooldowns)
- Backup retry storms show that retries are often a symptom of policy health issues, not a fix, and can degrade performance. (Backup retry storms)
- RePythonNET-MCP automates .NET malware decompilation and config extraction to scale analysis. (RePythonNET for .NET malware analysis)
- Cyble Blaze AI combines dark web and enterprise telemetry for unified threat visibility and response. (Cyble Blaze AI visibility)