← All threat briefs
Threat Brief

Weekly Situation Report — 4/20/26

Executive summary

This week’s developments for partners and clients: breaches, vulnerabilities, research, threat actor activity, and mitigation guidance.

Key takeaways

  • Multiple vulnerabilities in Adobe Acrobat are being actively exploited in real-world attacks.
  • Hackers are conducting sophisticated remote access campaigns to infiltrate shipping systems and steal cargo.
  • An impersonator posing as a Linux Foundation leader is using Slack messages to phish developers and steal credentials.
  • Attackers are abusing n8n Cloud workflows to host phishing pages and deliver malware payloads.
  • A trio of local Windows Defender vulnerabilities is being exploited in the wild to escalate privileges and bypass protections.

1. Adobe Acrobat Vulnerabilities Exploited in the Wild

Summary

A critical prototype-pollution flaw in Adobe Reader is being actively exploited. The vulnerability (CVE-2026-34621) allows execution of JavaScript via specially crafted PDF files.

Category: Known Exploited Vulnerabilities

Industry: Multiple

Analyst comments

Adobe released emergency updates for CVE-2026-34621, a prototype pollution vulnerability actively exploited in attacks. The flaw allows arbitrary code execution, typically triggered through malicious PDF files. It affects multiple Acrobat versions on Windows and macOS. Security researchers indicate exploitation may have occurred since December 2025. CISA added it to its Known Exploited Vulnerabilities catalog, mandating federal agencies apply patches by April 27, 2026.

Reports suggest victims in Russia have been targeted. Given the exploitation duration and CISA listing, multiple threat groups likely exploit this across various regions. The vulnerability typically leverages phishing and web application integrations with Acrobat Reader for malicious JavaScript execution.

Actionable guidance

Apply patches to all affected versions:

  • Acrobat DC - 26.001.21367 and earlier
  • Acrobat Reader DC - 26.001.21367 and earlier
  • Acrobat 2024 - 26.001.21367 and earlier

Organizations integrating Acrobat Reader with web applications should prioritize patching. If compromise is suspected, examine PDF files on affected hosts for embedded content with encoding or obfuscation indicating exploitation.

2. Hackers Running Sophisticated Remote Access Campaigns to Steal Cargo

Summary

Security researchers uncovered cybercriminal activities using multiple remote access tools and novel certificate signing techniques targeting the trucking and logistics industry through load boards.

Category: Threat Actor Activities

Industry: Logistics and Shipping

Analyst comments

Proofpoint researchers conducted a month-long investigation into post-compromise activities in the trucking and logistics sector. After gaining access via compromised load boards, attackers deployed remote access tools like ScreenConnect, employing certificate-signing scripts to bypass Windows security. They stole cargo and targeted financial assets including cryptocurrency wallets and banking credentials. Small carriers with limited cybersecurity controls remain highly vulnerable.

Threat actors leverage RMM software with privilege escalation for further activity. Observed variations include Datto, ScreenConnect, and Kaseya based on network communications. Load board postings lure victims with job opportunities, redirecting them to malicious sites where initial .vbs scripts deploy RMM software.

Sample IOCs:

1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5 - FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs

Malicious code signing service:
signer.bulbcentral[.]com
services-sc-files.s3.us-east-2.amazonaws[.]com

Confirmed network signals:
screlay[.]amtechcomputers[.]net - af124i1agga.anondns[.]net
af124i1agga.anondns[.]net
officcee404[.]com - ScreenConnect Domain C2
nq251os[.]top - ScreenConnect Domain C2
hxxps://qto12q[.]top/pdf.ps1 - Powershell staging
hxxps://carrier-packets-docs[.]com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs - VBS file URL

Known signing signature:
SignerName: STEPHEN WHANG, CPA, INC.
ValidFrom: 5:00 PM 12/23/2025
ValidTo: 4:59 PM 12/24/2026
SerialNumber: 38 4B 49 3A B7 6F AE 54 F8 3A E6 BF A8 7E 5C 10
Thumbprint: D45D60B20006BC3A39AE1761CB5F5F5B067B4EE5
CertIssuer: Sectigo Public Code Signing CA EV R36

Actionable guidance

Restrict PowerShell for non-IT users to prevent initial compromise. Block Windows Script Host execution to prevent .vbs script attacks. Enforce software installation restrictions to prevent unauthorized RMM deployment. Monitor for unauthorized RMM software using custom domains and relays indicating command and control activity. Hunt using identified IOCs and trigger incident response if confirmed.

3. Fake Linux Foundation Leader Using Slack to Phish Devs

Summary

A social engineering attack impersonating a Linux Foundation official targeted open source software developers via Slack, using phishing links on Google Sites to steal credentials and install malicious certificates.

Category: Phishing

Industry: Technology

Analyst comments

The campaign impersonated Linux Foundation officials on Slack, targeting projects like TODO and CNCF. Fraudulent links directed developers to Google Sites phishing pages harvesting credentials and installing malware or malicious certificates. This enabled encrypted traffic interception and full system compromise. Malicious Google sites were subsequently removed.

This represents a supply chain compromise pattern targeting open-source maintainers and developers. Recent similar incidents involving Trivy and Checkmarx caused significant downstream organizational impact. The goal is disrupting supply chains enabling large-scale compromise of organizations relying on these projects.

Associated IOCs:

https://sites.google[.]com/view/workspace-business/join
2.26.97[.]61 - Malware serving IP address
cra@nmail[.]biz
CDRX-NM71E8T - fake access key

Attribution remains unclear, though Lazarus, Team PCP, and Shinyhunters have demonstrated similar patterns.

Actionable guidance

While this threat targets developers outside organizational environments, it affects organizations relying on open-source libraries. Developers often lack enterprise security controls, creating ecosystem-wide gaps. Adopt a medium to long-term supply chain strategy including maintaining a Secure Bill of Materials (SBOM). Test all packages in sandbox environments before integration, reducing large-scale supply chain compromise risks.

4. N8n Cloud Abused for Phishing and Malware Delivery

Summary

Attackers exploit the n8n AI workflow automation platform to execute phishing campaigns and deliver malware by leveraging trusted infrastructure.

Category: Phishing

Industry: Multiple

Analyst comments

Threat actors abuse n8n Cloud to launch phishing campaigns and malware delivery, bypassing security controls through trusted infrastructure. Webhook links disguised as OneDrive URLs in emails direct victims through CAPTCHA-protected pages downloading malicious files (executables or MSI installers). These deploy remote management tools for persistent access and data exfiltration. N8n also enables device fingerprinting through embedded tracking images confirming access and collecting device information.

This reflects a broader trend of threat actors mixing legitimate domains in attack campaigns for detection evasion. Observed abuse includes webflow.io, WordPress, and trycloudflare hosting malicious content. Account creation proved trivial using temporary email addresses, suggesting automated account creation at scale typical of PhaaS platforms.

Example webhook URL:

https://demotestzyx3467.app.n8n.cloud/webhook/download-file-93584bb8-ee2d-4005-a200-51bfvb755dab

Identified malicious domains and n8n Cloud sites:

hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive
hxxps[://]majormetalcsorp[.]com/Openfolder
hxxps[://]pagepoinnc[.]app[.]n8n[.]cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496
hxxps[://]monicasue[.]app[.]n8n[.]cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab

Sample malware hashes:
7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0 - SharedDocument_lZmmtprq_installer.msi
93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a - DownloadedOneDriveDocument (1).exe (Datto RMM)

Actionable guidance

Block identified network IOCs. If n8n.cloud is used, allow only approved domains. Files matching the noted naming convention are likely malicious. Restrict .msi file downloads and execution for non-IT users. Monitor network traffic for unauthorized Datto and ITarian related domains (*.datto.com or *.comodo.com) indicating suspicious activity. Examine Windows startup folders for rogue applications or DLLs in registry Run and RunOnce keys and startup directories.

5. Trio of Local Windows Defender Bugs Exploited in the Wild

Summary

Threat actors exploit three recently disclosed bugs affecting Microsoft Defender: two local privilege escalation vulnerabilities and one Denial of Service flaw.

Category: Critical Vulnerabilities

Industry: Multiple

Analyst comments

Security researcher NightMare-Eclipse disclosed three Windows Defender bugs. BlueHammer and RedSun cause local privilege escalation (LPE), while UnDefend causes Denial of Service (DoS). All three have been exploited in the wild with public proof-of-concept code available. BlueHammer has a patch available (April’s Patch Tuesday, CVE-2026-33825). RedSun and UnDefend currently lack patches.

While specific threat actor attribution remains unclear, multiple groups likely exploit these disclosed vulnerabilities. Both LPE vulnerabilities generate EICAR-related detections before full execution, serving as strong exploitation indicators. Post-exploitation activity includes typical reconnaissance. All Windows versions are likely affected, with greater risk to Windows 10 and 11 workstations.

Actionable guidance

Keep Microsoft Defender and Windows systems updated for latest protections and hotfixes. Suspected compromise requires examining disabled Defender instances or EICAR detections in protection history, focusing on TieringServiceEngine.exe binary events. Investigate credential reuse, phishing activity, and other exploitation methods as these vulnerabilities typically follow initial access. Isolate confirmed compromised hosts and initiate formal incident response procedures.


Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS

More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026
Talk to an expert