
The digital town square for the concert band community.

Connect with local ensembles, trade repertoire insights, and keep the pulse of the wind band world.

  • 0 Votes
    1 Posts
    0 Views
    AAA
    New. There's more, but this is getting too long.
    Zscaler: Payouts King Takes Aim at the Ransomware Throne
    https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne
    Picus: CVE-2026-21643: Critical SQL Injection in Fortinet FortiClient EMS Exploited in the Wild
    https://www.picussecurity.com/resource/blog/cve-2026-21643-critical-sql-injection-in-fortinet-forticlient-ems-exploited-in-the-wild
    Microsoft: Dissecting Sapphire Sleet's macOS intrusion from lure to compromise
    https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/
    Sophos: QEMU abused to evade detection and enable ransomware delivery
    https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery @SophosXOps
    Sekoia: From APT28 to RePythonNET: automating .NET malware analysis
    https://blog.sekoia.io/apt28-to-repythonnet-automating-net-malware-analysis/ @sekoia_io
    Proofpoint: Beyond the breach: inside a cargo theft actor's post-compromise playbook
    https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook
    Group-IB: W3LL Unmasked
    https://www.group-ib.com/blog/w3ll-phishing-ecosystem-takedown/
    Posted yesterday:
    Halcyon: 44% and Rising: What the Automotive Industry's Ransomware Problem Tells Us About Where Attacks Are Heading
    https://www.halcyon.ai/blog/44-percent-and-rising-automotive-ransomware
    #infosec #threatresearch #ransomware #threatintel #threatintelligence #Python #Fortinet #SQL #Apple #macOS #Microsoft #cybercrime
  • 0 Votes
    1 Posts
    0 Views
    TechNadu
    Former Black Basta affiliates are back - and scaling fast.
    • Email bombing + Teams impersonation
    • Exec-focused targeting
    • Rapid remote access
    • Multi-path monetization (extortion, data theft, ransomware)
    This is playbook reuse with improved speed + automation.
    Are leadership users part of your threat model?
    Source: https://cyberscoop.com/black-basta-affiliates-senior-executives-reliaquest/
    Follow @technadu for more threat intel insights.
    #InfoSec #ThreatIntel #Ransomware #CyberSecurity
  • 0 Votes
    1 Posts
    0 Views
    O RLY CYBER
    (sophos.com) QEMU Virtualization Abused by Threat Actors for Defense Evasion in Two Distinct Ransomware and Espionage Campaigns
    Threat actors are actively abusing QEMU virtualization to evade endpoint security controls in two distinct campaigns: STAC4713 (PayoutsKing ransomware/GOLD ENCOUNTER) and STAC3725 (CitrixBleed2 exploitation).
    In brief - Sophos reports QEMU abuse for defense evasion, enabling covert credential harvesting, AD reconnaissance, and ransomware deployment via hidden VMs. Initial access via SonicWall VPN (CVE-2025-26399) and CitrixBleed2 (CVE-2025-5777). Audit for unauthorized QEMU, suspicious scheduled tasks, and port forwarding.
    Technically - STAC4713 uses a SYSTEM-level scheduled task ('TPMProfiler') to launch QEMU with Alpine Linux 3.22.0 (vault.db/bisrv.dll), establishing reverse SSH tunnels via AdaptixC2/OpenSSH (ports 32567/22022→22). Tools: wg-obfuscator, Chisel, BusyBox, Rclone. Credential theft via VSS snapshots and NTDS.dit/SAM/SYSTEM exfil. STAC3725 deploys ScreenConnect (AppMgmt service) and QEMU (qemu_custom.zip) post-CitrixBleed2 exploitation. Custom Alpine VM hosts Impacket, BloodHound.py, NetExec, Kerbrute, and Metasploit. TTPs include WDigest registry modification, FTK Imager abuse, and vulnerable kernel driver (K7RKScan_1516.sys) deployment.
    Source: https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery
    #Cybersecurity #ThreatIntel
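The post above closes with three audit checks: unauthorized QEMU, suspicious scheduled tasks, and port forwarding. The following is an added example of how those three checks look as detection logic, not code from Sophos or from the post. It runs over a constructed batch of simplified telemetry records modelled on the STAC4713 chain (the TPMProfiler task, a headless guest, SSH forwarded out of the guest on the ports named above); the Event schema, the approved-install directory and the sample records are assumptions for the example, not a real log format.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a simplified, constructed view of one Windows telemetry record
// (Sysmon process creation or Security 4698 task creation). The field names are
// assumptions for this example, not a real log schema.
type Event struct {
	Kind        string // "process" or "task"
	User        string // account the process or task runs as
	Image       string // executable path (process events)
	CommandLine string // full command line, or the task's action for task events
	TaskName    string // task events only
}

// Finding is one detection hit with the rule that matched.
type Finding struct {
	Rule   string
	Reason string
}

// approvedQemuDirs would normally come from an allow-list of sanctioned hypervisor
// installs; this single entry is constructed for the example.
var approvedQemuDirs = []string{`C:\Program Files\qemu\`}

func isQemu(s string) bool {
	l := strings.ToLower(s)
	return strings.Contains(l, "qemu-system") || strings.Contains(l, "qemu-img") || strings.Contains(l, "qemu.exe")
}

func fromApprovedDir(image string) bool {
	for _, d := range approvedQemuDirs {
		if strings.HasPrefix(strings.ToLower(image), strings.ToLower(d)) {
			return true
		}
	}
	return false
}

// FlagQemuAbuse applies the three audit checks named in the post: unauthorized
// QEMU, SYSTEM-level scheduled tasks that launch QEMU, and host port forwarding.
// It returns one Finding per hit, in input order.
func FlagQemuAbuse(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		cl := strings.ToLower(e.CommandLine)
		switch e.Kind {
		case "process":
			if isQemu(e.Image) || isQemu(e.CommandLine) {
				if !fromApprovedDir(e.Image) {
					out = append(out, Finding{"unauthorized-qemu", fmt.Sprintf("QEMU launched from %s by %s", e.Image, e.User)})
				}
				// hostfwd= exposes guest ports on the host; -nographic / -display none hides the VM window
				if strings.Contains(cl, "hostfwd=") || strings.Contains(cl, "-nographic") || strings.Contains(cl, "-display none") {
					out = append(out, Finding{"hidden-vm-with-forwarding", "headless QEMU with port forwarding: " + e.CommandLine})
				}
			}
			// netsh portproxy rules are the host-side forwarding the post says to audit
			if strings.Contains(cl, "netsh") && strings.Contains(cl, "portproxy") && strings.Contains(cl, " add ") {
				out = append(out, Finding{"port-forwarding", "netsh portproxy rule added by " + e.User})
			}
		case "task":
			if isQemu(e.CommandLine) && strings.EqualFold(e.User, `NT AUTHORITY\SYSTEM`) {
				out = append(out, Finding{"system-task-launches-qemu", fmt.Sprintf("task %q runs QEMU as SYSTEM", e.TaskName)})
			}
		}
	}
	return out
}

// SampleEvents is a constructed batch (not real telemetry): a SYSTEM task named as in
// the post, the resulting headless guest, a benign developer VM, and a portproxy rule.
func SampleEvents() []Event {
	return []Event{
		{Kind: "task", User: `NT AUTHORITY\SYSTEM`, TaskName: "TPMProfiler",
			CommandLine: `C:\ProgramData\tpm\qemu-system-x86_64.exe -m 1024 -nographic -hda vault.db -netdev user,id=n0,hostfwd=tcp::32567-:22 -device e1000,netdev=n0`},
		{Kind: "process", User: `NT AUTHORITY\SYSTEM`, Image: `C:\ProgramData\tpm\qemu-system-x86_64.exe`,
			CommandLine: `qemu-system-x86_64.exe -m 1024 -nographic -hda vault.db -netdev user,id=n0,hostfwd=tcp::32567-:22`},
		{Kind: "process", User: `CORP\jdoe`, Image: `C:\Program Files\qemu\qemu-system-x86_64.exe`,
			CommandLine: `qemu-system-x86_64.exe -m 4096 -hda dev.qcow2`}, // sanctioned install, windowed: no hit
		{Kind: "process", User: `NT AUTHORITY\SYSTEM`, Image: `C:\Windows\System32\netsh.exe`,
			CommandLine: `netsh interface portproxy add v4tov4 listenport=22022 connectaddress=127.0.0.1 connectport=22`},
	}
}

func main() {
	for _, f := range FlagQemuAbuse(SampleEvents()) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Reason)
	}
}
```

The benign record is there on purpose: a QEMU binary from the sanctioned directory, launched windowed by a named user, produces no finding, so the rules key on provenance and configuration rather than on the presence of QEMU alone.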
  • 0 Votes
    1 Posts
    0 Views
    O RLY CYBER
    (picussecurity.com) Windows Defender Zero-Day CVE-2026-33825: BlueHammer and RedSun Local Privilege Escalation Exploits Explained
    New zero-day LPE in Windows Defender (CVE-2026-33825, CVSS 7.8) exploited in the wild via BlueHammer & RedSun PoCs. Attackers achieve SYSTEM privileges on Win10/11/Servers by abusing TOCTOU race conditions in Defender's remediation engine.
    In brief - A critical zero-day in Microsoft Defender enables local privilege escalation to SYSTEM via TOCTOU flaws. Exploits BlueHammer and RedSun demonstrate attack chains using NTFS junctions and oplocks. Patch now (April 2026 updates).
    Technically - CVE-2026-33825 exploits a TOCTOU race in Defender's file remediation. BlueHammer triggers a detection, pauses Defender via oplock, then redirects the privileged write operation to System32 using NTFS junctions. RedSun abuses Cloud Files API rollback: a crafted file is replaced with a cloud placeholder, and junctions/oplocks redirect the rollback to a privileged directory, achieving SYSTEM-level code execution without prior privileges.
    Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    O RLY CYBER
    (picussecurity.com) CVE-2026-33032 (MCPwn): Critical Authentication Bypass in nginx-ui MCP Integration Enables Unauthenticated Full Server Takeover
    CVE-2026-33032 (MCPwn): CVSS 9.8 authentication bypass in nginx-ui MCP integration enables unauthenticated full server takeover. Actively exploited in the wild with ~2,689 exposed instances. Patch to v2.3.4 immediately.
    In brief - A critical flaw in nginx-ui's MCP integration (CVE-2026-33032) allows unauthenticated attackers to bypass authentication via the /mcp_message endpoint, leading to full nginx server compromise. Exploitation is trivial (two HTTP requests), and the vulnerability is already weaponized. Immediate patching is required.
    Technically - The vulnerability stems from missing AuthRequired() middleware on the POST /mcp_message endpoint in nginx-ui's SSE-based MCP router (mcp/router.go). While /mcp enforces IPWhiteList() and AuthRequired(), /mcp_message only applies IPWhiteList(), which fails open when empty. Attackers chain CVE-2026-27944 to leak node_secret, establish an SSE session via GET /mcp, then invoke any of 12 MCP tools (e.g., nginx_config_add) via unauthenticated POST /mcp_message. Exploitation enables config injection, traffic interception, JWT forgery, and credential harvesting. Fixed in v2.3.4 by adding AuthRequired() to /mcp_message.
    Source: https://www.picussecurity.com/resource/blog/cve-2026-33032-mcpwn-how-a-missing-middleware-call-in-nginx-ui-hands-attackers-full-web-server-takeover
    #Cybersecurity #ThreatIntel
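The root cause the post describes is a per-route middleware chain where one route is missing the authentication step and the only remaining guard, an IP allow-list, passes everything when it is unconfigured. The Go program below is an added example of that pattern and of the fix, written for this page; it is not nginx-ui's code and does not reproduce mcp/router.go. Only the route paths and middleware names come from the post. The static bearer token, the empty-list-allows-all semantics, the placeholder handlers and the remote address are assumptions for the example, and the program talks to itself with net/http/httptest rather than to a real server.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ipWhiteList mirrors the behaviour the post attributes to IPWhiteList(): an empty
// allow-list permits every caller (fails open). Constructed for this example.
func ipWhiteList(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allowed) == 0 {
			next.ServeHTTP(w, r) // nothing configured, nothing enforced
			return
		}
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		for _, a := range allowed {
			if a == host {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// authRequired stands in for AuthRequired(). A static bearer token is an assumption
// for the example; the real project uses its own session and token checks.
func authRequired(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpSSE and mcpMessage are placeholders for the SSE session and tool-call handlers.
func mcpSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /mcp_message\n\n")
}

func mcpMessage(w http.ResponseWriter, r *http.Request) {
	// In a real server this is where a tool such as nginx_config_add would execute.
	fmt.Fprint(w, "tool invoked")
}

// NewRouter wires the two routes. fixed=false reproduces the chain the post calls
// vulnerable: /mcp gets IPWhiteList()+AuthRequired(), /mcp_message gets IPWhiteList()
// only. fixed=true also applies authRequired to /mcp_message, the change the post
// attributes to v2.3.4.
func NewRouter(allowed []string, token string, fixed bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipWhiteList(allowed, authRequired(token, http.HandlerFunc(mcpSSE))))

	var msg http.Handler = http.HandlerFunc(mcpMessage)
	if fixed {
		msg = authRequired(token, msg)
	}
	mux.Handle("/mcp_message", ipWhiteList(allowed, msg))
	return mux
}

// Probe issues one request against the router and returns the HTTP status code.
// An empty token sends no Authorization header, i.e. an unauthenticated caller.
func Probe(h http.Handler, method, path, token, remote string) int {
	body := strings.NewReader(`{"method":"tools/call","params":{"name":"nginx_config_add"}}`)
	req := httptest.NewRequest(method, path, body)
	req.RemoteAddr = remote // assumed attacker address, documentation range
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	from := "203.0.113.7:51234"
	vuln := NewRouter(nil, "secret", false)
	fixed := NewRouter(nil, "secret", true)
	fmt.Println("vulnerable, no auth, POST /mcp_message:", Probe(vuln, http.MethodPost, "/mcp_message", "", from))
	fmt.Println("vulnerable, no auth, GET  /mcp:        ", Probe(vuln, http.MethodGet, "/mcp", "", from))
	fmt.Println("fixed,      no auth, POST /mcp_message:", Probe(fixed, http.MethodPost, "/mcp_message", "", from))
	fmt.Println("fixed,      token,   POST /mcp_message:", Probe(fixed, http.MethodPost, "/mcp_message", "secret", from))
}
```

The useful check for a reviewer is the asymmetry: the same unauthenticated caller is refused on /mcp and accepted on /mcp_message until the second route carries the same authentication middleware. A populated allow-list turns the unauthenticated request into a 403, which is why the post treats the empty list as the enabling condition rather than the bug itself.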
  • 0 Votes
    1 Posts
    0 Views
    Yazoul - Cybersecurity Alerts
    THREAT INTEL | Gastroenterology & Hepatology of CNY
    Actor "exitium" claims Undisclosed
    Allegedly exposed (+4 more)
    • Email addresses
    • Phone numbers
    • Physical addresses
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-15-gastroenterology-hepatology-of-cny-hit-by-exitium-apr-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    Yazoul - Cybersecurity Alerts
    THREAT INTEL | Hacked 0APT🟢
    Actor "krybit" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-15-hacked-0apt-ransomware-claim-by-krybit-april-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec