Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Fortinet Confirms Active Exploitation of FortiClient EMS Vulnerability CVE-2026-35616 Enabling Remote Code Execution - On 4th April 2026, Fortinet disclosed that threat actors are actively exploiting a critical FortiClient Enterprise Management Server (EMS) vulnerability, tracked as CVE-2026-35616, affecting versions 7.4.5 and 7.4.6; FortiClient EMS 7.2 is not affected. Researchers from Defused observed the vulnerability being exploited as a zero-day prior to disclosure, and Fortinet confirmed exploitation in the wild. Internet scanning data identified more than 2,000 internet-accessible FortiClient EMS instances, primarily located in the US and Germany.
CVE-2026-35616 is an improper access control vulnerability in the FortiClient EMS API. It stems from insufficient enforcement of authentication and authorisation checks, which allows crafted requests to bypass these controls. Successful exploitation enables a threat actor to execute arbitrary code or commands on the affected server, resulting in full system compromise and potential access to managed endpoints.
Researcher Discloses CVE-2026-34197 Vulnerability in Apache ActiveMQ - On 7th April 2026, Horizon3.ai disclosed details of CVE-2026-34197, a code injection vulnerability affecting Apache ActiveMQ versions prior to 5.19.4 and versions 6.0.0 up to but not including 6.2.3. Successful exploitation allows threat actors to execute arbitrary OS commands by invoking a management operation via the Jolokia API, causing the broker to retrieve a malicious remote configuration file. Apache patched the vulnerability in versions 6.2.3 and 5.19.4.
Although exploitation nominally requires credentials, many environments continue to rely on default credentials (admin:admin), significantly lowering the barrier for threat actors. Furthermore, in versions 6.0.0 through 6.1.1, no credentials are required at all due to CVE-2024-32114, which exposes the Jolokia API without authentication, effectively rendering those versions unauthenticated attack surfaces.
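The two conditions above, default admin:admin credentials and a Jolokia exec call that points the broker at a remote file, are both visible in request traffic. The following triage helper is an added example written for this digest, not Horizon3.ai's or Apache's code; the request records are constructed, the operation name "placeholderOperation" is a stand-in because the digest does not name the vulnerable operation, and 198.51.100.7 is a documentation address.

```python
"""Triage helper for Apache ActiveMQ Jolokia traffic (added example).

Flags the two conditions the digest calls out around CVE-2026-34197: a
Jolokia ``exec`` request whose arguments carry a remote URL (the broker
would fetch a configuration file from it) and HTTP Basic credentials equal
to the ActiveMQ default admin:admin. The request records are constructed;
the operation name in them is a placeholder, not the vulnerable one.
"""
import base64
import json
import re
from urllib.parse import unquote

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
DEFAULT_CREDENTIALS = {("admin", "admin")}


def basic_credentials(headers):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
    except (ValueError, IndexError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def jolokia_exec(method, path, body):
    """Return (operation, [argument strings]) for a Jolokia exec request, else None."""
    if "/jolokia" not in path:
        return None
    if method == "GET":
        # GET form: .../jolokia/exec/<mbean>/<operation>/<args...>; Jolokia escapes
        # '/' inside an argument as '!/', so undo that after URL-decoding.
        m = re.search(r"/exec/[^/]+/([^/]+)(?:/(.*))?$", path)
        if not m:
            return None
        args = unquote(m.group(2) or "").replace("!/", "/")
        return unquote(m.group(1)), [args] if args else []
    if method == "POST":
        try:
            payload = json.loads(body or "")
        except json.JSONDecodeError:
            return None
        for req in payload if isinstance(payload, list) else [payload]:
            if isinstance(req, dict) and req.get("type") == "exec":
                return req.get("operation", ""), [str(a) for a in req.get("arguments") or []]
    return None


def triage(req):
    """Return the list of findings for one request record."""
    findings = []
    if basic_credentials(req.get("headers", {})) in DEFAULT_CREDENTIALS:
        findings.append("default ActiveMQ credentials admin:admin used")
    parsed = jolokia_exec(req["method"], req["path"], req.get("body"))
    if parsed:
        operation, args = parsed
        for arg in args:
            hit = REMOTE_URL.search(arg)
            if hit:
                findings.append(f"Jolokia exec '{operation}' with remote URL argument {hit.group(0)}")
                break
    return findings


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed records: one attacker-style request, one ordinary monitoring read.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/jolokia/",
     "headers": {"Authorization": _basic("admin", "admin")},
     "body": json.dumps({"type": "exec",
                         "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                         "operation": "placeholderOperation",
                         "arguments": ["http://198.51.100.7/broker.xml"]})},
    {"method": "GET",
     "path": "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConsumerCount",
     "headers": {"Authorization": _basic("monitor", "not-the-default")}},
]


def triage_all(requests=SAMPLE_REQUESTS):
    """Run triage over a list of request records."""
    return [triage(r) for r in requests]
```

Feed it records reconstructed from the broker's web console access log or a proxy capture; any exec call carrying a remote URL deserves a look regardless of the credentials used, since a valid non-default account does not make the operation safe on an unpatched broker.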
Docker Patches CVE-2026-34040 in Docker Engine - On 25th March 2026, Docker patched CVE-2026-34040, a high-severity authentication bypass vulnerability affecting Docker Engine versions prior to 29.3.1. Docker Engine is a container runtime platform that allows users to build, run, and manage containerised applications. The vulnerability stemmed from an incomplete fix for CVE-2024-41110, which had been patched on 24th July 2024.
Successful exploitation allows threat actors to send crafted API requests that bypass authorisation plugins (AuthZ) and create privileged containers, ultimately leading to access to the host file system. Docker addressed the vulnerability with the release of Docker Engine version 29.3.1.
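Docker's authorization plugin model is what the bypass defeats: the daemon forwards each API call to the plugin as a JSON AuthZReq (User, RequestMethod, RequestUri and a Base64 RequestBody) and acts on the Allow flag in the reply. The decision logic below is an added example of such a plugin's policy, written for this digest rather than taken from Docker or any published plugin; the payload shape follows the documented AuthZ plugin API, while the policy itself (deny privileged containers and bind mounts of the host root or the Docker socket) is this example's own choice.

```python
"""Decision logic of a minimal Docker AuthZ plugin (added example).

Docker forwards each API call to the plugin as JSON (User, RequestMethod,
RequestUri, RequestBody as Base64) and expects {"Allow": bool, "Msg": str}.
This policy denies container creation with HostConfig.Privileged or a bind
mount of the host root / Docker socket. CVE-2026-34040 matters because a
crafted request can get past this check: the plugin can only judge what the
daemon hands it, so the policy fails closed when the body is missing.
"""
import base64
import json
import re

CREATE_URI = re.compile(r"^(?:/v[\d.]+)?/containers/create(?:\?.*)?$")
SENSITIVE_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock"}


def _decode_body(payload):
    """Return the request body as a dict, or None if absent or unparsable."""
    raw = payload.get("RequestBody") or ""
    if not raw:
        return None
    try:
        data = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return data if isinstance(data, dict) else None


def _bind_sources(host_config):
    """Host paths from both Binds ("src:dst[:opts]") and Mounts ({"Source": ...})."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    for m in host_config.get("Mounts") or []:
        if isinstance(m, dict) and m.get("Source"):
            sources.append(m["Source"])
    return sources


def authz_req(payload):
    """Return the plugin response for one AuthZReq payload."""
    if payload.get("RequestMethod") != "POST" or not CREATE_URI.match(payload.get("RequestUri", "")):
        return {"Allow": True, "Msg": "not a container create request"}
    body = _decode_body(payload)
    if body is None:
        # A create request whose body the plugin cannot see is exactly the
        # blind spot an AuthZ bypass exploits, so fail closed.
        return {"Allow": False, "Msg": "container create without a parsable body"}
    host_config = body.get("HostConfig") or {}
    if host_config.get("Privileged") is True:
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    bad = [s for s in _bind_sources(host_config) if s in SENSITIVE_SOURCES]
    if bad:
        return {"Allow": False, "Msg": f"bind mount of {bad[0]} is not permitted"}
    return {"Allow": True, "Msg": ""}


def make_request(uri, body, method="POST", user="alice"):
    """Build a payload in the shape the daemon sends to AuthZReq (constructed sample)."""
    return {
        "User": user,
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestUri": uri,
        "RequestBody": base64.b64encode(json.dumps(body).encode()).decode(),
    }
```

The point for responders is the inverse of the policy: after patching to 29.3.1, review running and recently created containers for Privileged: true or host-root mounts, because anything created through the bypass never passed through this decision at all.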
Potential Threats
Malicious Chrome Extension “ChatGPT Ad Blocker” Harvests ChatGPT Conversations via Discord Webhook - On 26th March 2026, cybersecurity firm DomainTools published a technical analysis detailing a malicious Google Chrome extension named "ChatGPT Ad Blocker," identified on the Chrome Web Store. Created on 10th February 2026 and tied to the developer account krittinkalra, the extension masquerades as an ad-blocking tool targeting ChatGPT users to harvest their conversation data, exploiting user interest in blocking advertisements following OpenAI's free-tier advertisement rollout. Once installed, the extension establishes persistence via a Chrome alarm triggering every 60 minutes, retrieving remote configuration from a GitHub-hosted URL to allow the threat actor to dynamically modify its functionality and maintain continuous command-and-control (C2).
When a victim navigates to ChatGPT, the extension injects a content script that disables its purported ad-blocking functionality and activates a data exfiltration workflow instead. The script clones the DOM, removes scripts, styles, and images, and retains the majority of conversation data, including prompts and contextual information, before transmitting it as a file named page_dump.html to a hard-coded Discord webhook. A threat actor-controlled bot named "Captain Hook" receives the harvested conversations, completing the infection chain. DomainTools also identified three associated domains, blockaiads[.]com, openadblock[.]com, and gptadblock[.]com, all of which remain active.
VENOM PhaaS Platform Enables Advanced AiTM and OAuth-Based Credential Theft Targeting Executives - On 2nd April 2026, Abnormal Security published a technical analysis detailing a credential theft campaign powered by a previously undocumented phishing-as-a-service (PhaaS) platform named VENOM. The platform enables threat actors to operate within Microsoft's authentication system, capturing credentials, MFA approvals, or tokens to establish long-term access across Microsoft 365 environments. The campaign targets C-suite executives by impersonating SharePoint document-sharing notifications, embedding a QR code constructed from Unicode characters that encodes a phishing URL with the victim's double Base64-encoded email address to evade detection. When scanned, the request resolves to a gate hosted on compromised websites, which applies multiple filtering layers before redirecting the victim to a credential-harvesting page.
The harvesting page requires a "#SandBox" URL fragment to activate its malicious content, otherwise serving a benign decoy website. Once activated, the harvester operates in either Adversary-in-the-Middle (AiTM) mode, forwarding the victim's login activity to Microsoft in real time, or Device Code mode, in which the victim authenticates via a legitimate Microsoft page and tokens are issued directly to the threat actor's backend. Persistence is established in AiTM mode by registering a threat actor-controlled MFA device appearing in Entra ID logs as "NO_DEVICE", whilst Device Code mode retains access via OAuth refresh tokens that remain valid unless explicitly revoked. Associated infrastructure included tls-api0365[.]sbs, api-tls365[.]sbs, apl365[.]sbs, and multiple IP addresses.
Threat Actors Use SMS-Based QR Code Phishing Campaign Impersonating State Agencies to Steal Personal and Financial Information - On 5th April 2026, BleepingComputer reported that threat actors are sending fraudulent "Notice of Default" text messages impersonating state courts across multiple US states, including California, Connecticut, Illinois, New Jersey, New York, North Carolina, Texas, and Virginia. The messages claim recipients have unpaid traffic violations and instruct them to resolve the matter by scanning a QR code. Building on toll and parking scams observed in 2025, the campaign replaces direct links with QR codes leading to phishing sites that impersonate US state agencies, typically presenting a $6.99 payment request to lend credibility to the ruse.
When victims scan the QR code embedded in a fake court notice image, they are directed to a website requiring CAPTCHA verification before being redirected to a phishing page hosted on lookalike domains that mimic US state agency websites. These domains abuse .gov strings within non-.gov addresses to appear legitimate. Victims are prompted to enter personal details, including name, address, phone number, and email, followed by payment card information to settle the alleged violation. The harvested data enables follow-on fraud, identity theft, and further phishing activity.
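The ".gov string in a non-.gov address" trick is mechanical enough to check automatically once a QR code has been decoded to a URL. The checker below is an added example for this digest, not BleepingComputer's tooling; the hostnames it is run on are constructed under the reserved .example TLD, and the state and court/payment keyword lists are this example's own heuristics rather than anything the report published.

```python
"""Lookalike-domain check for the "Notice of Default" QR phishing pattern
(added example). Flags hostnames that use 'gov' somewhere other than the
top-level domain, the trick the digest describes, and notes the US-state
and court/payment themes from the campaign. Sample domains are constructed.
"""
import re
from urllib.parse import urlparse

# Heuristic keyword lists (this example's assumption, not from the report).
STATE_HINTS = ("california", "connecticut", "illinois", "newjersey", "newyork",
               "northcarolina", "texas", "virginia",
               "ca", "ct", "il", "nj", "ny", "nc", "tx", "va")
THEME_HINTS = ("court", "dmv", "toll", "ticket", "violation", "fine", "notice", "pay")


def hostname_of(target):
    """Accept a URL or bare host, defanged ('[.]', 'hxxp') or not; return the lowercase host."""
    t = target.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in t:
        t = "http://" + t
    return (urlparse(t).hostname or "").rstrip(".")


def assess(target):
    """Return {'host', 'gov_lookalike', 'reasons'} for one URL or hostname."""
    host = hostname_of(target)
    labels = host.split(".")
    gov_lookalike = labels[-1] != "gov" and any("gov" in label for label in labels[:-1])
    reasons = []
    if gov_lookalike:
        reasons.append("'gov' used in a label but the TLD is ." + labels[-1])
    # Two-letter state codes only count as whole hyphen- or dot-separated tokens,
    # otherwise 'ca' would match almost anything.
    tokens = set(re.split(r"[.-]", host))
    if any((h in tokens) if len(h) == 2 else (h in host) for h in STATE_HINTS):
        reasons.append("US state reference")
    if any(h in host for h in THEME_HINTS):
        reasons.append("court/traffic payment theme")
    return {"host": host, "gov_lookalike": gov_lookalike, "reasons": reasons}


def rank(targets):
    """Assess several targets and return them most suspicious first."""
    return sorted((assess(t) for t in targets),
                  key=lambda r: (r["gov_lookalike"], len(r["reasons"])), reverse=True)
```

Run it over the URLs decoded from reported QR codes (or from mail and SMS gateway logs); a genuine .gov destination yields gov_lookalike False even when the state and theme hints fire, which keeps real court and DMV portals out of the queue.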
General News
UK exposes Russian cyber unit hacking home routers to hijack internet traffic - British security officials have warned that hackers linked to Russian military intelligence have been exploiting vulnerable internet routers to hijack web traffic and conduct cyberespionage against a broad range of targets. The activity centres on compromising small office and home office routers exposed to the internet due to weak security settings or outdated software. Experts from the National Cyber Security Centre (NCSC), part of signals intelligence agency GCHQ, assessed the group widely known as Fancy Bear, BlueDelta, and APT28 as "almost certainly" Unit 26165 of Russia's GRU military intelligence agency, the highest confidence rating used by British intelligence. The group has previously been blamed for cyberattacks against the German parliament in 2015 and an attempted operation against the Organisation for the Prohibition of Chemical Weapons in 2018, as well as a joint advisory last year accusing it of targeting Western logistics providers and technology firms supporting Ukraine.
According to the NCSC, APT28 gains access by exploiting devices, including specific TP-Link router models that use the Simple Network Management Protocol (SNMP) with default or weak community strings. Many devices still rely on SNMP version 2c (community-based SNMPv2), which has no encryption and sends the community string in cleartext, allowing attackers to intercept credentials and issue malicious commands remotely. Once inside a router, the hackers map connected networks to identify further targets and modify Domain Name System (DNS) settings to conduct adversary-in-the-middle attacks, enabling interception of login credentials, authentication tokens, and other sensitive data. Officials described the campaign as initially opportunistic, with attackers scanning widely for vulnerable devices before focusing on targets of intelligence interest. The NCSC urged organisations to secure management interfaces, restrict or disable SNMP where not required, and apply security updates promptly.
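To make the cleartext point concrete, the following added example builds an SNMPv2c GetRequest byte by byte and then parses the community string straight back out of it, which is exactly what an on-path observer can do. This is illustrative code written for this digest, not the NCSC's or any vendor's tooling; the packet is generated locally rather than captured, and the "public"/"private" defaults it checks for are the long-standing factory values, not strings attributed to the TP-Link models the advisory names.

```python
"""SNMPv2c GetRequest built and parsed by hand (added example).

Shows the property the NCSC advice rests on: in SNMP v1/v2c the community
string is an unencrypted OCTET STRING at the head of every message, so
anyone who can see the packet reads the credential, and a read-write
community then lets them push changes such as DNS settings. The packet
bytes are produced here, not captured from a device.
"""


def _length(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def _integer(v):
    """Non-negative INTEGER, minimal bytes, sign bit kept clear."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER with base-128 arcs (continuation bit on all but the last byte)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c GetRequest for one OID (version field 1 on the wire means v2c)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))  # OID + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """Return (version, community, pdu_tag) from a raw SNMP message.

    For v3 the second element is msgGlobalData rather than a community
    string, so no credential is recoverable this way and None is returned.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None, None
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return version, community.decode("latin-1"), pdu_tag


DEFAULT_COMMUNITIES = {"public", "private"}  # factory defaults, an assumption for the check


def uses_default_community(packet):
    """True when a v1/v2c message carries one of the factory-default community strings."""
    _version, community, _pdu = parse_header(packet)
    return community in DEFAULT_COMMUNITIES
```

Pointed at UDP/161 traffic from a capture, parse_header recovers every v1/v2c community in use on the segment, which doubles as an inventory of where SNMP should be disabled, moved to v3 with authPriv, or at least restricted to the management network.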
Cyber fraud surges to $17.6 billion in losses as scams, crypto theft soar - Cyber-enabled fraud accounted for the overwhelming majority of losses reported to the FBI's Internet Crime Complaint Centre (IC3) in 2025, with $17.6 billion stolen across 1,008,597 complaints. The centre's annual report revealed that cyber-enabled fraud represented 85% of all reported losses and 45% of total complaints. Investment fraud led in total losses at $8.6 billion, followed by business email compromise (BEC) scams at over $3 billion and tech support fraud at $2.1 billion. Cryptocurrency was identified as a major vehicle for theft, with more than $11.3 billion in losses tied to crypto, whilst approximately 22,000 complaints involved the use of AI, comprising roughly $893 million in reported losses. People aged 60 and older filed 201,266 complaints and accounted for approximately $7.7 billion in reported losses.
Ransomware continues to pose a significant and growing threat, with the FBI currently investigating over 200 ransomware variants, actors, and enablers. Sixty-three new variants were identified in 2025, resulting in 3,611 complaints tied to more than $32 million in losses, up from 3,156 complaints totalling just over $12 million in 2024. Fourteen of the 16 US critical infrastructure sectors were victims of ransomware attacks last year, with Cyber Division Section Chief Taushiana Bright noting that cybercriminals have "indiscriminately attacked hospitals, emergency responders, schools and entire city governments." Complaints filed to the IC3 are understood to represent only a small fraction of the overall ransomware ecosystem.
Snowflake customers hit in data theft attacks after SaaS integrator breach - Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. Whilst multiple cloud storage and SaaS vendors were targeted using the stolen tokens, the majority of attacks focused on the cloud data platform Snowflake. The company confirmed "unusual activity" linked to a specific third-party integration, stating that a small number of customer accounts were impacted and subsequently locked down as a precautionary measure. Snowflake stressed that the attacks did not involve any vulnerability or compromise of its own systems. The threat actor also allegedly attempted to use the stolen tokens to steal data from Salesforce, but was detected and blocked before succeeding.
Multiple sources have indicated that the attacks stem from a security incident at Anodot, an AI-based analytics company acquired by Glassbox in November 2025, though neither firm has publicly confirmed this. The ShinyHunters extortion gang has since confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from dozens of companies and are now demanding ransom payments to prevent the release of stolen data. Payoneer was the only affected company to respond, confirming awareness of the Anodot breach but stating it had not been impacted. Google's Threat Intelligence Group confirmed it is aware of and tracking the incident. BleepingComputer has contacted both Anodot and Glassbox but has yet to receive a response.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity Increase | Opportunity | Intent |
|---|---|---|---|
| Storm-1175 | NEW → ● Basic | NEW → ● 49 | NEW → ● 25 |
| Ritsu08 | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| bitsafe | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| Krybit Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30 |
| Cry0 Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Iranian Hackers | ▲ | DDoS | ▲ | CVE-2026-35616 | ▲ | SCADA | ▲ |
| UNC1069 | ▲ | Stealware | ▲ | CVE-2025-59528 | ▲ | TP-LINK | ▲ |
| Space Bears Ransomware Group | ▲ | Nightspire Ransomware | ▲ | CVE-2026-0740 | ▲ | Adobe | ▲ |
| Storm-1175 | ▲ | Horabot | ▲ | CVE-2024-44296 | ▲ | Joones Day | ▲ |
| Cyber Legion | ▲ | TransferLoader | ▲ | CVE-2026-5281 | ▲ | Rostelecom | ▲ |
Prominent Information Security Events
Malicious Chrome Extension "ChatGPT Ad Blocker" Harvests ChatGPT Conversations via Discord Webhook
Source: Insikt Group | Validated Intelligence Event
IOC: Domain - ai4chat[.]co
IOC: URL - hxxps://raw[.]githubusercontent[.]com/krittinkalra/chatgpt-ad-blocker/main/rules.json
On 26th March 2026, DomainTools published a technical analysis detailing a malicious Google Chrome extension named "ChatGPT Ad Blocker," identified on the Chrome Web Store. Created on 10th February 2026 and tied to the developer account krittinkalra, the extension masquerades as an ad-blocking tool to harvest ChatGPT users' conversation data, exploiting interest in blocking advertisements following OpenAI's free-tier rollout. Once installed, it establishes persistence via a Chrome alarm triggering every 60 minutes, retrieving remote configuration from a GitHub-hosted URL to allow the threat actor to dynamically modify its behaviour and maintain continuous command-and-control (C2).
When a victim navigates to ChatGPT, the extension injects a content script that disables its purported ad-blocking functionality and activates a data exfiltration workflow instead. A secondary UI component triggers getSanitizedHTML(), which clones the entire Document Object Model (DOM), strips scripts, styles, and images, and retains the majority of conversation data - including user prompts and contextual information - whilst partially redacting longer text strings.
In the final stage, the harvested data is saved as page_dump.html and transmitted to a hard-coded Discord webhook, where a threat actor-controlled bot named "Captain Hook" receives victims' full ChatGPT conversations including prompts, responses, and metadata. DomainTools identified three associated domains - blockaiads[.]com, openadblock[.]com, and gptadblock[.]com - all of which remain active and promote the malicious extension.
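The three traits described in this event and in the summary above (a chrome.alarms timer pulling remote configuration from raw.githubusercontent.com, DOM cloning in a content script, and exfiltration to a hard-coded Discord webhook) can be hunted for across unpacked extensions on an endpoint. The scanner below is an added example for this digest, not DomainTools' tooling and not the extension's own code. The only real indicator it carries is the rules.json URL listed above; the sample extension it writes to a temporary directory is constructed to mimic the traits, the extension ID in it is a dummy, and the Discord webhook ID and token in it are placeholders.

```python
"""Hunt for the "ChatGPT Ad Blocker" pattern in unpacked Chrome extensions
(added example, not DomainTools' tooling).

Checks an extension directory for the traits the digest describes: a
chrome.alarms timer, remote configuration fetched from raw.githubusercontent.com,
cloneNode(true) in a content script, and a hard-coded Discord webhook, plus a
direct match on the published name and rules.json URL. The sample extension
built by build_sample_extension() is constructed; its ID and webhook are dummies.
"""
import json
import os
import re
import tempfile

KNOWN_NAME = "ChatGPT Ad Blocker"
KNOWN_CONFIG_URL = "https://raw.githubusercontent.com/krittinkalra/chatgpt-ad-blocker/main/rules.json"

PATTERNS = {
    "discord_webhook": re.compile(r"https://(?:discord(?:app)?\.com|ptb\.discord\.com)/api/webhooks/\d+/[\w-]+"),
    "remote_github_config": re.compile(r"https://raw\.githubusercontent\.com/[^\s\"'`]+"),
    "periodic_alarm": re.compile(r"chrome\.alarms\.create\s*\("),
    "dom_clone": re.compile(r"\.cloneNode\s*\(\s*true\s*\)"),
}


def scan_extension(ext_dir):
    """Return {'name', 'hits': {trait: [matches]}, 'score'} for one unpacked extension."""
    hits = {key: [] for key in PATTERNS}
    hits["alarms_permission"] = []
    name = None
    for root, _dirs, files in os.walk(ext_dir):
        for fn in files:
            path = os.path.join(root, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue
            if fn == "manifest.json":
                try:
                    manifest = json.loads(text)
                    name = manifest.get("name")
                    if "alarms" in manifest.get("permissions", []):
                        hits["alarms_permission"].append(path)
                except json.JSONDecodeError:
                    pass
            for key, rx in PATTERNS.items():
                hits[key].extend(rx.findall(text))
    score = sum(1 for matches in hits.values() if matches)
    if name == KNOWN_NAME or KNOWN_CONFIG_URL in hits["remote_github_config"]:
        score += 5  # direct match on the published name or rules.json IOC
    return {"name": name, "hits": hits, "score": score}


def scan_profile(extensions_root):
    """Scan every <id>/<version>/ directory under a Chrome profile's Extensions folder."""
    results = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            d = os.path.join(id_dir, version)
            if os.path.isdir(d):
                results[f"{ext_id}/{version}"] = scan_extension(d)
    return results


def build_sample_extension(base_dir):
    """Write a constructed extension that mimics the described traits (dummy ID and webhook)."""
    ext = os.path.join(base_dir, "abcdefghijklmnopabcdefghijklmnop", "1.0.0_0")
    os.makedirs(ext)
    manifest = {"manifest_version": 3, "name": KNOWN_NAME, "version": "1.0.0",
                "permissions": ["alarms", "storage"],
                "background": {"service_worker": "background.js"}}
    with open(os.path.join(ext, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    with open(os.path.join(ext, "background.js"), "w") as f:
        f.write('chrome.alarms.create("sync", {periodInMinutes: 60});\n'
                f'const CONFIG = "{KNOWN_CONFIG_URL}";\n')
    with open(os.path.join(ext, "content.js"), "w") as f:
        f.write('const dump = document.documentElement.cloneNode(true);\n'
                'const HOOK = "https://discord.com/api/webhooks/000000000000000000/DUMMY_TOKEN";\n')
    return ext


def demo():
    """Build the constructed sample in a temp directory and scan it like a profile."""
    base = tempfile.mkdtemp(prefix="ext-hunt-")
    build_sample_extension(base)
    return scan_profile(base)
```

On a Linux workstation the Extensions folder of the default Chrome profile is ~/.config/google-chrome/Default/Extensions; pass that to scan_profile and sort by score. Any extension combining a Discord webhook with cloneNode(true) and an alarm deserves review even if its name is unrelated, since the tooling in this campaign is easily re-skinned.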
VENOM PhaaS Platform Enables Advanced AiTM and OAuth-Based Credential Theft Targeting Executives
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 91[.]132[.]95[.]144
IOC: Domain - api[.]ipapi[.]is
On 2nd April 2026, Abnormal Security published a technical analysis detailing a credential theft campaign powered by a previously undocumented phishing-as-a-service (PhaaS) platform named VENOM. The platform enables threat actors to operate within Microsoft's authentication system, capturing credentials, MFA approvals, or tokens to establish long-term access across Microsoft 365 environments. The campaign targets C-suite executives by impersonating SharePoint document-sharing notifications, with phishing emails sent from compromised infrastructure using dynamically generated sender addresses. These emails embed a QR code constructed from Unicode characters, encoding a phishing URL with the victim's double Base64-encoded email address to evade detection. When scanned, the request resolves to a gate hosted on compromised websites, which applies multiple filtering layers — including User-Agent inspection and IP reputation checks — before redirecting the victim to a credential-harvesting page.
The harvesting page requires a "#SandBox" URL fragment to activate its malicious content, otherwise serving a benign decoy website. Once activated, the harvester operates in one of two modes. In Adversary-in-the-Middle (AiTM) mode, the victim's login activity is forwarded to Microsoft in real time, capturing credentials and MFA inputs through dynamically generated endpoints. In Device Code mode, the victim is directed to authenticate via a legitimate Microsoft page, with access and refresh tokens subsequently issued directly to the threat actor's backend.
In the final stage, persistence is established before the session ends. In AiTM mode, the backend registers a threat actor-controlled MFA device that appears in Entra ID logs as "SoftwareTokenActivated" with the name "NO_DEVICE", before redirecting the victim to a legitimate Microsoft error page to reduce suspicion. In Device Code mode, access is retained via captured OAuth refresh tokens, which remain valid even after a password reset unless administrators explicitly revoke sessions and token grants.
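Two of the traits above are directly checkable: the phishing URL carries the victim's e-mail address double Base64-encoded (so the targeted mailbox can be recovered from a reported QR code or URL, and the "#SandBox" fragment shows whether the harvesting page was armed), and the AiTM persistence step leaves a "SoftwareTokenActivated" registration named "NO_DEVICE" in Entra ID audit logs. The helpers below are an added example written for this digest, not Abnormal Security's or Microsoft's code. The sample audit entries are constructed and their field names are a simplified assumption; the check therefore matches on the two strings the report gives rather than on a particular log schema, and the gate hostname in the test URL is a reserved .example name.

```python
"""Triage helpers for the VENOM campaign traits (added example, not
Abnormal Security's code).

Recovers the targeted mailbox from a phishing URL that carries the e-mail
double Base64-encoded, notes the '#SandBox' fragment that arms the harvesting
page, and flags Entra ID audit entries containing both "SoftwareTokenActivated"
and "NO_DEVICE". Audit entries are constructed with simplified field names.
"""
import base64
import json
import re
from urllib.parse import parse_qsl, urlparse

EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def _b64_decode_any(s):
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    s = s.strip()
    if not s:
        return None
    s += "=" * (-len(s) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in s or "_" in s) else base64.b64decode
    try:
        return decoder(s)
    except ValueError:  # binascii.Error is a ValueError
        return None


def decode_double_b64(token):
    """Return the e-mail address hidden in a double-Base64 token, else None."""
    inner = _b64_decode_any(token)
    if inner is None:
        return None
    plain = _b64_decode_any(inner.decode("ascii", "ignore"))
    if plain is None:
        return None
    text = plain.decode("utf-8", "ignore")
    return text if EMAIL.match(text) else None


def encode_double_b64(email):
    """Inverse of decode_double_b64; used only to construct sample URLs."""
    return base64.b64encode(base64.b64encode(email.encode())).decode()


def inspect_phishing_url(url):
    """Return {'target': recovered e-mail or None, 'armed': fragment == 'SandBox'}."""
    parts = urlparse(url)
    candidates = [v for _, v in parse_qsl(parts.query)] + [seg for seg in parts.path.split("/") if seg]
    target = next((e for e in map(decode_double_b64, candidates) if e), None)
    return {"target": target, "armed": parts.fragment == "SandBox"}


def rogue_mfa_registrations(audit_entries):
    """UPNs whose audit entries contain both 'SoftwareTokenActivated' and 'NO_DEVICE'."""
    flagged = []
    for entry in audit_entries:
        blob = json.dumps(entry)
        if "SoftwareTokenActivated" in blob and "NO_DEVICE" in blob:
            flagged.append(entry.get("userPrincipalName", "<unknown>"))
    return flagged


# Constructed Entra ID audit entries; field names are a simplified assumption.
SAMPLE_AUDIT = [
    {"activityDisplayName": "User registered security info",
     "userPrincipalName": "ceo@example.com",
     "additionalDetails": [{"key": "Security info type", "value": "SoftwareTokenActivated"},
                           {"key": "Device name", "value": "NO_DEVICE"}]},
    {"activityDisplayName": "User registered security info",
     "userPrincipalName": "cfo@example.com",
     "additionalDetails": [{"key": "Security info type", "value": "SoftwareTokenActivated"},
                           {"key": "Device name", "value": "iPhone"}]},
]
```

For any UPN that rogue_mfa_registrations returns, the remediation has to go beyond a password reset: remove the rogue authentication method, revoke sign-in sessions and refresh tokens, and review OAuth consent grants, since the Device Code path keeps working on refresh tokens alone.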
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-35616 (FortiClient EMS) – This vulnerability can be addressed by applying the hotfix Fortinet has released while waiting for the full software patch, expected in the upcoming FortiClient EMS 7.4.7 release.
- CVE-2026-34197 (Apache ActiveMQ) – This vulnerability can be remediated by updating to version 6.2.3 (6.x branch) or 5.19.4 (5.x branch).
- CVE-2026-34040 (Docker) – This vulnerability can be addressed by updating Docker Engine to version 29.3.1 or later.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.