Beyond the breach: inside a cargo theft actor’s post-compromise playbook | Proofpoint US

Find out more about Proofpoint’s services and products at the £1.3bn (US$1bn) global technology conference in New York, which opens on Thursday.

Pulse ID: 69e24bf183d447d460792bbd
Pulse Link: https://otx.alienvault.com/pulse/69e24bf183d447d460792bbd
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:04:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #Proofpoint #bot #CyberHunter_NL

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The n8n n8mare: How threat actors are misusing AI workflow automation

Pulse ID: 69e24bc1afeb4b3a8e21b97e
Pulse Link: https://otx.alienvault.com/pulse/69e24bc1afeb4b3a8e21b97e
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:03:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #CyberHunter_NL

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

Vulnerabilities identified by Insikt Group in March 2026 were exploited by more than 30 vendors, including Microsoft, Google, Apple, Qualcomm, and n8n, all in the same month.

Pulse ID: 69e24c0b72522013d514caa5
Pulse Link: https://otx.alienvault.com/pulse/69e24c0b72522013d514caa5
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:04:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cisco #CyberSecurity #Google #InfoSec #Microsoft #OTX #OpenThreatExchange #RansomWare #ZeroDay #bot #CyberHunter_NL

In-Memory Loader Drops ScreenConnect

Security researcher ThreatLabz discovered an attack chain where attackers used a fake Acrobat Reader download to lure victims into installing ScreenConnect, a remote access tool that can be leveraged for malicious purposes.

Pulse ID: 69e24c2c6ab3af02c2d7bfbc
Pulse Link: https://otx.alienvault.com/pulse/69e24c2c6ab3af02c2d7bfbc
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:05:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #ScreenConnect #ThreatLabz #bot #CyberHunter_NL

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 | Mandiant | Google Cloud Blog

Pulse ID: 69e24c4209ee4ef735104ec3
Pulse Link: https://otx.alienvault.com/pulse/69e24c4209ee4ef735104ec3
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:05:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Google #InfoSec #Mandiant #OTX #OpenThreatExchange #bot #CyberHunter_NL

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere | Malwarebytes

Pulse ID: 69e24b399265b525ec5bdd33
Pulse Link: https://otx.alienvault.com/pulse/69e24b399265b525ec5bdd33
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:01:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #MalWareBytes #Malware #OTX #OpenThreatExchange #VPN #Windows #bot #CyberHunter_NL

QEMU abused to evade detection and enable ransomware delivery

A look back at some of the key incidents involving the QEMU ransomware, and how it has been used to hide malicious activity within virtualized environments, as reported by Sophos researchers in late 2025.

Pulse ID: 69e23d47aed333fc5c20091f
Pulse Link: https://otx.alienvault.com/pulse/69e23d47aed333fc5c20091f
Pulse Author: CyberHunter_NL
Created: 2026-04-17 14:01:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RansomWare #Sophos #bot #CyberHunter_NL

Takes Aim at the Ransomware Throne

In February 2025, BlackBasta ransomware operations ceased after their internal chat logs were leaked online, leading to disbandment. However, former affiliates continued launching attacks using different ransomware families, including the relatively unknown Payouts King group that emerged in April 2025. ThreatLabz has observed continued ransomware activity consistent with former BlackBasta initial access brokers since early 2026, utilizing similar tactics including spam bombing, Microsoft Teams phishing, and Quick Assist abuse. Payouts King implements sophisticated evasion techniques including stack-based string obfuscation, API hashing, and direct system calls to terminate security processes. The ransomware leverages 4,096-bit RSA and 256-bit AES counter mode encryption, selectively encrypting files while targeting security software and employing anti-forensics techniques like shadow copy deletion and event log clearing.

Pulse ID: 69e1f1296b63ec46a94782ce
Pulse Link: https://otx.alienvault.com/pulse/69e1f1296b63ec46a94782ce
Pulse Author: AlienVault
Created: 2026-04-17 08:36:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #ICS #InfoSec #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #Spam #ThreatLabz #bot #AlienVault

A Deep Dive Into Attempted Exploitation of CVE-2023-33538

Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-like botnet malware, specifically variants associated with the Condi IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The command injection vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...

Pulse ID: 69e1f0ddb1aa33b71576ca92
Pulse Link: https://otx.alienvault.com/pulse/69e1f0ddb1aa33b71576ca92
Pulse Author: AlienVault
Created: 2026-04-17 08:35:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CISA #CyberSecurity #Endpoint #InfoSec #IoT #Malware #Mirai #OTX #OpenThreatExchange #Vulnerability #bot #botnet #AlienVault

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

A compromised Joomla website displayed suspicious product links unrelated to the business. Investigation revealed heavily obfuscated PHP code injected at the top of index.php that contacted external command-and-control servers to receive instructions and manipulate content. The malware acts as a remote loader, assembling strings from two-character chunks to evade signature-based detection. It contacts primary C2 cdn.erpsaz.com and fallback cdn.saholerp.com, sending server fingerprint data and receiving dynamic instructions. Based on responses, it redirects visitors, injects spam content, or serves fake SEO pages to search engines. This approach allows attackers to control compromised sites remotely without modifying local files again, enabling dynamic spam injection, visitor redirection, and search engine manipulation while remaining undetected for extended periods.

Pulse ID: 69e1f0e855758d808bea9915
Pulse Link: https://otx.alienvault.com/pulse/69e1f0e855758d808bea9915
Pulse Author: AlienVault
Created: 2026-04-17 08:35:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CDN #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PHP #Spam #bot #AlienVault
