April 23, 2026

Weekly Situation Report: 4/20/26

EXECUTIVE SUMMARY

This report informs our partners and clients about notable developments in the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • Multiple vulnerabilities in Adobe Acrobat are being actively exploited in real-world attacks.
  • Hackers are conducting sophisticated remote access campaigns to infiltrate shipping systems and steal cargo.
  • An impersonator posing as a Linux Foundation leader is using Slack messages to phish developers and steal credentials.
  • Attackers are abusing n8n Cloud workflows to host phishing pages and deliver malware payloads.
  • A trio of local Windows Defender vulnerabilities is being exploited in the wild to escalate privileges and bypass protections.

1. Adobe Acrobat Vulnerabilities Exploited in the Wild

SUMMARY

A critical prototype-pollution flaw in Adobe Reader is being actively exploited in the wild. The vulnerability is assigned CVE-2026-34621 and allows execution of JavaScript via specially crafted .pdf files.

Category

Known Exploited Vulnerabilities

Industry

Multiple

Sources

https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html

https://www.sophos.com/en-us/blog/adobe-reader-zero-day-vulnerability-in-active-exploitation

https://www.securityweek.com/adobe-reader-zero-day-exploited-for-months-researcher/

https://github.com/ercihan/CVE-2026-34621/blob/main/adobe_zero_day_analysis.pdf

https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html

https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

ANALYST COMMENTS

Adobe released emergency updates to fix a critical Acrobat Reader vulnerability (CVE-2026-34621) that is actively being exploited. The issue is a prototype pollution flaw that allows attackers to execute arbitrary code, often triggered through specially crafted PDF files. It affects multiple versions of Acrobat, Acrobat DC, and Reader on Windows and macOS, with patches now available for all impacted versions. Security researchers report the vulnerability may have been exploited since December 2025, and CISA has added it to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by April 27, 2026.

Recent reports indicate the vulnerability is being used to target victims in Russia. Given the duration of exploitation and its inclusion in the CISA catalog, it is likely being exploited by multiple groups across multiple regions. Exploitation likely relies on phishing and on web application integrations with Acrobat Reader, resulting in execution of malicious JavaScript on a vulnerable host.

ACTIONABLE GUIDANCE

Adobe has issued a patch that remediates this vulnerability and should be applied to all affected versions of Acrobat Reader on Windows and macOS. The affected versions are:

  • Acrobat DC - 26.001.21367 and earlier
  • Acrobat Reader DC - 26.001.21367 and earlier
  • Acrobat 2024 - 26.001.21367 and earlier

Organizations that use Acrobat Reader and integrate it with web applications through Adobe APIs may be especially at risk and should prioritize patching. If compromise is suspected, organizations should examine .pdf files on affected hosts for embedded content similar to the samples in the referenced analysis, including signs of encoding or obfuscation that may indicate exploitation.
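The PDF review suggested above, as an added example that is not code from the brief or from Adobe: a Python heuristic that scans raw PDF bytes for embedded JavaScript, auto-run actions, hex-escaped name objects and encoded strings, the techniques used to hide such content from simple greps. The two sample PDFs are constructed for the demonstration.

```python
import re

# Tokens typical of obfuscated or prototype-pollution style JavaScript inside a PDF
SUSPICIOUS_JS = (b"eval(", b"unescape(", b"String.fromCharCode", b"__proto__", b"Object.prototype")

def decode_pdf_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name object, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)

def scan_pdf(data: bytes) -> dict:
    """Heuristically flag embedded JavaScript, auto-run actions and obfuscation in raw PDF bytes."""
    # Normalise every name object first so hex-escaped keys cannot hide from the keyword checks
    normalised = re.sub(rb"/[^\s/\[\]<>(){}%]+", lambda m: decode_pdf_name(m.group(0)), data)
    findings = {
        "has_javascript": b"/JavaScript" in normalised or b"/JS" in normalised,
        "auto_open": b"/OpenAction" in normalised or b"/AA" in normalised,
        # Hex escapes inside names are a classic way to hide /JS and /OpenAction from naive greps
        "escaped_names": bool(re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data)),
        # Long hex string literals <...> often carry encoded script instead of a plain (text) string
        "long_hex_strings": bool(re.search(rb"<[0-9A-Fa-f]{64,}>", data)),
        "js_tokens": sorted({t.decode() for t in SUSPICIOUS_JS if t in normalised}),
    }
    flags = ("has_javascript", "auto_open", "escaped_names", "long_hex_strings")
    findings["score"] = sum(findings[k] for k in flags) + len(findings["js_tokens"])
    return findings

# Constructed samples: one with a hex-escaped auto-run JavaScript action, one benign
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (var p=Object.prototype; eval(unescape('%41'))) >> endobj\n"
)
SAMPLE_BENIGN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_pdf(blob))
```

A non-zero score is a triage cue, not a verdict; a hit should send the file to a proper PDF parser or sandbox for confirmation.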

2. Hackers Running Sophisticated Remote Access Campaigns to Steal Cargo

SUMMARY

Security researchers uncovered sophisticated cybercriminal activities involving multiple remote access tools and novel certificate signing techniques. The campaign targets the trucking and logistics industry through load boards to steal cargo and financial information.

Category

Threat Actor Activities

Industry

Logistics and Shipping

Sources

https://therecord.media/cargo-thieving-hackers-running-sophisticated-campaigns

https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook

https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics

Internal OSec Research

ANALYST COMMENTS

Security researchers from Proofpoint conducted a month-long investigation into cybercriminal activity targeting the trucking and logistics sector, focusing on post-compromise actions. They found that after gaining access through compromised load board platforms, attackers installed multiple remote access tools such as ScreenConnect to maintain control, even employing a script for trusted certificate signing to bypass Windows security measures. The researchers observed that these actors not only stole cargo but also targeted broader financial assets such as cryptocurrency wallets and banking credentials. Since many carriers are small enterprises with limited cybersecurity controls, the sector remains highly vulnerable to coordinated, cyber-enabled cargo theft.

Based on the tactics and samples analyzed, the threat actors rely heavily on RMM software and use these tools to elevate privileges for further activity. Based on the examined network communications, the threat actors have used several variations of RMM software, including Datto, ScreenConnect, and Kaseya. The load board postings typically lure victims with job opportunities and redirect them to malicious sites, where an initial .vbs script is used to deploy the RMM software needed for further exploitation.

# Samples examined

1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5 - FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs

# Malicious code signing service

signer.bulbcentral[.]com
services-sc-files.s3.us-east-2.amazonaws[.]com

# Confirmed network signals

screlay[.]amtechcomputers[.]net - af124i1agga.anondns[.]net
af124i1agga.anondns[.]net - af124i1agga.anondns[.]net
officcee404[.]com - ScreenConnect Domain C2
nq251os[.]top - ScreenConnect Domain C2
hxxps://qto12q[.]top/pdf.ps1 - PowerShell staging
hxxps://carrier-packets-docs[.]com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs - URL serving VBS file after user visit

# Known signing signature

SignerName: STEPHEN WHANG, CPA, INC.
ValidFrom: 5:00 PM 12/23/2025
ValidTo: 4:59 PM 12/24/2026
SerialNumber: 38 4B 49 3A B7 6F AE 54 F8 3A E6 BF A8 7E 5C 10
Thumbprint: D45D60B20006BC3A39AE1761CB5F5F5B067B4EE5
CertIssuer: Sectigo Public Code Signing CA EV R36

ACTIONABLE GUIDANCE

The threat actor relies heavily on social engineering and PowerShell for initial compromise, so restricting PowerShell for non-IT users will help prevent this attack. The threat actor uses .vbs scripts, so restricting Windows Script Host execution may also block aspects of this campaign during the initial infection stages. Enforcing restrictions on software installation can further prevent the installation of RMM software that relies on the Windows Installer. Organizations should also monitor for unauthorized RMM software, especially when it is used with custom domains and relays that might indicate command and control activity. If compromise is suspected, the identified IOCs should be used to hunt for malicious activity and trigger incident response if confirmed.

3. Fake Linux Foundation Leader Using Slack to Phish Devs

SUMMARY

A social engineering attack impersonating a Linux Foundation official targeted open source software developers. The threat actors used Slack and incorporated phishing links hosted on Google Sites to steal credentials and install malicious certificates.

Category

Phishing

Industry

Technology

Sources

https://www.theregister.com/2026/04/13/linux_foundation_social_engineering/

https://hackread.com/openssf-malware-slack-linux-foundation-figures/

Internal OSec Research

ANALYST COMMENTS

A social engineering campaign impersonating a Linux Foundation official targeted open source software developers via Slack, using Google Sites phishing pages to steal credentials and install malware. The campaign targeted projects such as TODO and CNCF by tricking developers into clicking fraudulent links, which led to credential theft and the installation of malicious certificates or binaries. This enabled interception of encrypted traffic and full system compromise. The malicious Google Sites pages have been taken down.

This reflects a shift toward compromising developers and maintainers of open-source repositories that may be integrated with enterprise projects. The goal is to disrupt the supply chain and enable large-scale compromise of organizations that rely on these projects. Recent examples include incidents involving Trivy and Checkmarx, which led to significant downstream impact and further compromise of major organizations. The currently reported IOCs associated with this campaign include the following:

https://sites.google[.]com/view/workspace-business/join
2.26.97[.]61 - Malware serving IP address
cra@nmail[.]biz
CDRX-NM71E8T - fake access key

While the primary targets are developers and maintainers, this activity is likely intended to gain a foothold within supply chains to enable further compromise of organizations. Attribution remains unclear at this time, though recent activity from groups such as Lazarus, Team PCP, and ShinyHunters has shown similar patterns.

ACTIONABLE GUIDANCE

While this threat does not directly target organizations, it should be taken seriously, especially by organizations that rely on open-source libraries and projects. It targets open-source developers who may not operate within a company environment and therefore lack enterprise-level security controls, creating gaps across the broader ecosystem.

As supply chain threats have increased over the last year, organizations should adopt a medium- to long-term strategy that includes maintaining a Software Bill of Materials (SBOM). Additionally, all packages and processes should be tested within a sandbox environment to detect malicious behavior before integration into company projects. These steps help reduce the risk of large-scale supply chain compromise and disruption, particularly for organizations with developer-focused teams.

4. n8n Cloud Abused for Phishing and Malware Delivery

SUMMARY

Attackers are leveraging the AI workflow automation platform n8n Cloud to execute sophisticated phishing campaigns and deliver malware by exploiting trusted infrastructure.

Category

Phishing

Industry

Multiple

Sources

https://securityaffairs.com/190887/hacking/ai-platform-n8n-abused-for-stealthy-phishing-and-malware-delivery.html

https://blog.talosintelligence.com/the-n8n-n8mare/

https://github.com/hagezi/dns-blocklists/issues/9809

ANALYST COMMENTS

Attackers are exploiting the n8n AI workflow automation platform to launch phishing campaigns and deliver malware by abusing trusted infrastructure to bypass security controls. They use webhook links disguised as legitimate OneDrive URLs in emails, leading victims through CAPTCHA-protected pages to download malicious files like executables or MSI installers. These files deploy remote management tools for persistent access and data exfiltration. Additionally, n8n is used for device fingerprinting by embedding tracking images in emails to confirm access and collect device information.

This aligns with a broader trend of threat actors mixing legitimate domains into attack campaigns to evade detection. Our research has observed increasing abuse of platforms such as webflow.io, WordPress, and trycloudflare for hosting malicious content. In this campaign, n8n Cloud is the primary platform, using webhook URLs such as the following:

# Example webhook URL from an OSec user-created trial account

https://demotestzyx3467.app.n8n.cloud/webhook/download-file-93584bb8-ee2d-4005-a200-51bfvb755dab

Based on our testing, it was trivial to create an account using a temporary email address, which suggests the potential for automated account creation at scale, as seen with phishing-as-a-service (PhaaS) platforms. The currently identified malicious domains and n8n Cloud sites are listed below, though additional infrastructure may exist that was not identified during this analysis:

hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive - Download page after CAPTCHA
hxxps[://]majormetalcsorp[.]com/Openfolder - Download page after CAPTCHA
hxxps[://]pagepoinnc[.]app[.]n8n[.]cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496 - Malware serve
hxxps[://]monicasue[.]app[.]n8n[.]cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab - Malware serve

Analysis of the two available samples provided additional insight into the malware and the threat actor’s targeting scope. Both samples have recently appeared in malware sharing exchanges from multiple users.

7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0 - SharedDocument_lZmmtprq_installer.msi - last seen April 15th

93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a - DownloadedOneDriveDocument (1).exe - Noted as being Datto RMM - last seen April 16th

ACTIONABLE GUIDANCE

Based on the available information, the identified network IOCs should be blocked. If n8n.cloud-related sites are used within the environment, only approved domains should be explicitly allowed for business use. Files matching the naming convention noted above have a high likelihood of being malicious. Because the campaign primarily delivers .msi files rather than typical document-based lures, restricting the download and execution of binary files for non-IT users should be considered to reduce risk. As the malware also makes use of Datto and ITarian, network traffic to their related domains (for example *.datto.com or *.comodo.com) from unknown services may indicate suspicious activity if that software is not used within the environment. Autostart locations should also be examined for rogue applications or DLLs set to execute at user logon, including the registry Run and RunOnce keys and the primary user’s Startup folder.
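An added example (not code from the brief) that ties the hunting guidance of sections 2, 3 and 4 together: a Python pass over constructed proxy log lines that refangs the indicators listed above, matches them by host or URL prefix, and flags any n8n Cloud webhook whose tenant is not on an approved list. The tenant names 'approved-tenant' and 'unknownt3nant' and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit
# Indicators copied (defanged) from sections 2, 3 and 4 of the brief. A path in an entry narrows
# the match to that URL prefix, which matters for shared hosts such as sites.google.com.
DEFANGED_IOCS = [
    "officcee404[.]com", "nq251os[.]top", "hxxps://qto12q[.]top/", "carrier-packets-docs[.]com",
    "https://sites.google[.]com/view/workspace-business/join", "hxxps[://]majormetalcsorp[.]com/",
    "hxxps[://]onedrivedownload[.]zoholandingpage[.]com/", "pagepoinnc[.]app[.]n8n[.]cloud",
    "monicasue[.]app[.]n8n[.]cloud",
]
# Any n8n Cloud webhook URL; the tenant subdomain is checked against an approved list
N8N_WEBHOOK = re.compile(r"^https?://([a-z0-9-]+)\.app\.n8n\.cloud/webhook/", re.I)

def refang(ioc: str) -> str:
    """Undo the brief's defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")

def parse_ioc(ioc: str) -> tuple:
    """Return (host, path_prefix); an empty prefix means the whole host is malicious."""
    clean = refang(ioc)
    parts = urlsplit(clean if "://" in clean else "http://" + clean)
    return (parts.hostname or "").lower(), parts.path if parts.path not in ("", "/") else ""

IOCS = [parse_ioc(i) for i in DEFANGED_IOCS]

def classify(url: str, approved_n8n_tenants: set) -> str:
    """Verdict for one URL: known-ioc, unapproved-n8n-webhook or clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == h and parts.path.startswith(p) for h, p in IOCS):
        return "known-ioc"
    tenant = N8N_WEBHOOK.match(url)
    if tenant and tenant.group(1).lower() not in approved_n8n_tenants:
        return "unapproved-n8n-webhook"
    return "clean"

def hunt(log_lines, approved_n8n_tenants: set) -> list:
    """Scan 'timestamp user url' proxy lines (constructed format); return (ts, user, verdict) hits."""
    rows = (line.split(None, 2) for line in log_lines)
    verdicts = ((ts, user, classify(url.strip(), approved_n8n_tenants)) for ts, user, url in rows)
    return [row for row in verdicts if row[2] != "clean"]

# Constructed proxy log; 'approved-tenant' and 'unknownt3nant' are placeholder n8n tenant names
SAMPLE_LOG = [
    "2026-04-16T09:12:01Z alice https://approved-tenant.app.n8n.cloud/webhook/invoice-sync",
    "2026-04-16T09:13:44Z bob https://unknownt3nant.app.n8n.cloud/webhook/download-file-1234",
    "2026-04-16T09:15:09Z carol https://qto12q.top/pdf.ps1",
    "2026-04-16T09:16:30Z dave https://sites.google.com/view/some-other-site",
    "2026-04-16T09:18:02Z erin https://monicasue.app.n8n.cloud/webhook/download-file-92684bb4",
]
```

Running `hunt(SAMPLE_LOG, {"approved-tenant"})` returns the bob, carol and erin lines; the sites.google.com visit stays clean because only the listed URL prefix is an indicator.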

5. Trio of Local Windows Defender Bugs Exploited in the Wild

SUMMARY

Threat actors began exploiting a trio of Microsoft Defender bugs shortly after their public disclosure. The vulnerabilities, released by security researcher Nightmare-Eclipse, comprise two local privilege escalation (LPE) bugs and one Denial of Service (DoS) bug, each with a PoC targeting Defender.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://securityaffairs.com/190887/hacking/ai-platform-n8n-abused-for-stealthy-phishing-and-malware-delivery.html

Internal OSec Research

ANALYST COMMENTS

A security researcher, NightMare-Eclipse, recently disclosed a trio of Windows related bugs that affect Microsoft Defender. Two of the bugs (BlueHammer and RedSun) result in local privilege escalation, with the third (UnDefend) resulting in Denial of Service (DoS) of Microsoft Defender. According to security researcher reports on social media, all three vulnerabilities have been exploited in the wild. BlueHammer is currently the only vulnerability known to have a patch available (recently released in April’s Patch Tuesday as CVE-2026-33825).

These bugs have public PoC code available and are known to have been exploited in the wild. No patch is currently known to be available for RedSun or UnDefend. No data is currently available on the specific threat actors that have taken advantage of the bugs; however, it is highly likely that multiple groups have exploited the disclosed vulnerabilities.

Both LPE vulnerabilities (BlueHammer and RedSun) generate EICAR related detections before full execution, which can serve as a strong indicator of exploitation. Currently known post-exploitation activity includes typical reconnaissance consistent with common threat actor behavior. Based on lab testing and external research, all Windows versions are likely affected, with greater risk to Windows 10 and 11 workstations.

ACTIONABLE GUIDANCE

Keeping Microsoft Defender and Windows systems up to date will ensure the latest protections are applied, including hotfixes released since the vulnerabilities were disclosed. Organizations that suspect compromise should look for instances of Defender that have been disabled, or for EICAR-related detections in Defender’s protection history. Further investigation should focus on reviewing the identified events, particularly those involving the TieringServiceEngine.exe binary. As the vulnerabilities are likely used after initial access, organizations should also look for other indicators such as credential reuse, phishing activity, or other exploitation methods. Any confirmed compromised hosts should be isolated from the network and handled through formal incident response procedures.
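The Defender triage described above, as an added example that is not part of the brief: a Python pass over a constructed event export that collects EICAR detections, real-time protection being disabled, and TieringServiceEngine.exe activity per host, then lists hosts where these overlap as candidates for isolation. The JSON field names and the event ID mapping are assumptions to verify against your own telemetry.

```python
import json

# Assumed Windows event IDs used in the constructed export (verify against your own telemetry):
# 1116 = Defender detection, 5001 = Defender real-time protection disabled, 4688 = process creation
DETECTION, RTP_DISABLED, PROCESS_CREATED = 1116, 5001, 4688

def triage(event_lines) -> dict:
    """Read exported endpoint events (one JSON object per line, constructed format) and pull out
    the signals the brief ties to BlueHammer/RedSun/UnDefend: unexpected EICAR detections,
    real-time protection being switched off, and TieringServiceEngine.exe activity."""
    eicar, rtp_off, tiering = {}, set(), {}
    for raw in event_lines:
        ev = json.loads(raw)
        host, eid = ev["Host"], ev.get("EventID")
        if eid == DETECTION and "eicar" in ev.get("ThreatName", "").lower():
            eicar.setdefault(host, []).append((ev["Time"], ev.get("User"), ev.get("Path")))
        elif eid == RTP_DISABLED:
            rtp_off.add(host)
        elif eid == PROCESS_CREATED and ev.get("Image", "").lower().endswith("tieringserviceengine.exe"):
            tiering.setdefault(host, []).append((ev["Time"], ev.get("User")))
    # An EICAR hit nobody can explain is worth a look on its own; on a host where protection was
    # then disabled or TieringServiceEngine.exe ran, treat it as a likely LPE attempt and isolate
    isolate = sorted(h for h in eicar if h in rtp_off or h in tiering)
    return {"eicar_hits": eicar, "rtp_disabled": sorted(rtp_off),
            "tiering_engine": tiering, "hosts_to_isolate": isolate}

# Constructed sample export: WS-0142 shows the full chain, WS-0203 is a lone EICAR test-file hit
SAMPLE_EVENTS = [
    r'{"Time":"2026-04-15T08:01:10Z","Host":"WS-0142","User":"j.doe","EventID":1116,'
    r'"ThreatName":"Virus:DOS/EICAR_Test_File","Path":"C:\\Users\\j.doe\\AppData\\Local\\Temp\\stage.tmp"}',
    r'{"Time":"2026-04-15T08:01:12Z","Host":"WS-0142","User":"j.doe","EventID":4688,"Image":"TieringServiceEngine.exe"}',
    r'{"Time":"2026-04-15T08:02:30Z","Host":"WS-0142","User":"SYSTEM","EventID":5001}',
    r'{"Time":"2026-04-15T09:40:00Z","Host":"WS-0077","User":"a.lee","EventID":1116,"ThreatName":"Trojan:Win32/Example","Path":"C:\\dl\\x.exe"}',
    r'{"Time":"2026-04-15T11:05:00Z","Host":"WS-0203","User":"m.kim","EventID":1116,"ThreatName":"Virus:DOS/EICAR_Test_File","Path":"C:\\Users\\m.kim\\eicar.com"}',
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```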

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.