the threat gazette
Afternoon Update
Intraday Update
Ransomware

Scattered Spider Exploits Anodot SaaS Integration to Extort 12+ Downstream Customers

Scattered Spider

Since this morning's coverage: the Anodot supply chain extortion campaign has been confirmed at twelve-plus downstream victims — almost certainly a floor. Scattered Spider is now attributed as the operational access team, with ShinyHunters functioning as the monetization and data brokering layer, consistent with the documented ecosystem overlap between these groups. The attack pattern directly mirrors UNC5537's 2024 Snowflake campaign: breach a data intermediary with broad customer integration access, then apply extortion individually to each downstream target without needing N separate compromises. Any financial services organization using Anodot, or any SaaS analytics layer with read access to cloud data warehouses or BI stacks, should be auditing integration credentials and OAuth grants immediately. No CVEs are involved — this is credential and token-based lateral movement through SaaS trust relationships. The blast radius is bounded only by the number of customer integrations the compromised platform held.

The progression from direct Snowflake credential stuffing (2024) to targeting SaaS tools orbiting Snowflake (2026) is predictable evolution. The attack surface is not the data warehouse itself — it is every third-party integration holding credentials to it. MFA, SSO token scoping, and OAuth grant audits are the actual defensive primitives. This playbook will be replicated against other integration-heavy SaaS platforms; Anodot is the proof of concept, not the final target.
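The OAuth grant and integration-credential audit recommended above can be driven from an export of the identity provider's third-party grants. The script below is an added example, not tooling from the gazette, Anodot or Snowflake: it assumes a constructed export format (a list of records with app, publisher, scopes, who consented, and last-use date) and hypothetical scope names such as `warehouse:read` and `bi:read`, and flags grants that give an integration read access to warehouse or BI data, were consented by an end user rather than an admin, or have gone unused for more than 30 days.

```python
"""Audit third-party OAuth grants that can reach a cloud data warehouse or BI stack.

Added example (not the gazette's or any vendor's tooling). The export format, the
scope names and the sample apps are all constructed assumptions; real scope strings
depend on the IdP and the warehouse.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical scope names that mean "can read warehouse/BI data".
WAREHOUSE_READ_SCOPES = {"warehouse:read", "warehouse:admin", "bi:read"}
MAX_IDLE_DAYS = 30
AS_OF = date(2026, 4, 14)  # review date used by the sample run


@dataclass(frozen=True)
class Grant:
    app: str            # third-party application name
    publisher: str      # vendor that owns the app
    scopes: frozenset   # granted OAuth scopes
    granted_by: str     # "admin-consent" or the user who consented
    last_used: date     # last token use seen in audit logs


@dataclass(frozen=True)
class Finding:
    app: str
    publisher: str
    severity: str       # "high" if warehouse data is readable, else "medium"
    reasons: tuple


def audit_grant(grant, today=AS_OF):
    """Return a Finding for a risky grant, or None if nothing stands out."""
    reasons = []
    broad = grant.scopes & WAREHOUSE_READ_SCOPES
    if broad:
        reasons.append("warehouse read/admin scope: " + ", ".join(sorted(broad)))
    if grant.granted_by != "admin-consent":
        reasons.append("user-consented (no admin review)")
    idle = (today - grant.last_used).days
    if idle > MAX_IDLE_DAYS:
        reasons.append(f"unused for {idle} days")
    if not reasons:
        return None
    return Finding(grant.app, grant.publisher, "high" if broad else "medium", tuple(reasons))


def audit_grants(grants, today=AS_OF):
    """Audit every grant; high-severity findings first, then alphabetical by app."""
    findings = [f for f in (audit_grant(g, today) for g in grants) if f is not None]
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.app))


def load_grants(records):
    """Parse the constructed export format (list of dicts) into Grant objects."""
    return [
        Grant(app=r["app"], publisher=r["publisher"], scopes=frozenset(r["scopes"]),
              granted_by=r["granted_by"], last_used=date.fromisoformat(r["last_used"]))
        for r in records
    ]


# Constructed sample export; the apps and publishers are fictitious.
SAMPLE_EXPORT = [
    {"app": "Analytics Connector", "publisher": "ExampleAnalytics",
     "scopes": ["openid", "warehouse:read"], "granted_by": "admin-consent", "last_used": "2026-04-13"},
    {"app": "Calendar Sync", "publisher": "ExampleCal",
     "scopes": ["calendar:read"], "granted_by": "jdoe@example.com", "last_used": "2025-12-01"},
    {"app": "Chat Notifier", "publisher": "ExampleChat",
     "scopes": ["chat:write"], "granted_by": "admin-consent", "last_used": "2026-04-10"},
    {"app": "Legacy BI Exporter", "publisher": "ExampleBI",
     "scopes": ["bi:read"], "granted_by": "asmith@example.com", "last_used": "2026-01-20"},
]


def run_sample():
    return audit_grants(load_grants(SAMPLE_EXPORT))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.app} ({f.publisher}): " + "; ".join(f.reasons))
```

The point of the severity split is triage order: a grant with warehouse read scope is the one to revoke or re-scope first, whatever its age, while a stale user-consented calendar grant is cleanup. In practice the export would come from the IdP's admin API and the scope set from the warehouse's own role model.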

2026-04-13 (1 source)

Editorial

Four distinct supply chain attack vectors in a single digest — Chrome extension coordination (108 extensions, one C2), WordPress plugin acquisition-as-backdoor, Axios npm compromise (now reattributed to UNC1069, not Scattered Spider or DPRK as initially reported), and the Anodot cloud analytics breach cascading to 12+ extorted downstream customers — represent a convergence that deserves strategic attention. These aren't related campaigns, which makes it worse: multiple unconnected actors have independently concluded that trust relationships between software components are the most efficient attack surface. For financial institutions consuming SaaS analytics, the Anodot story is the sharpest signal: a single vendor compromise generating a dozen extortion targets is exactly the third-party risk scenario that lives in risk registers but rarely drives proportionate controls.

The blockchain-based C2 infrastructure reported from UNC5142 and UNC5342 is the kind of tradecraft evolution that shifts the long-term calculus on disruption operations — you can't seize or sinkhole a smart contract, and the implications for dwell time are significant if this technique proliferates beyond these actors. Meanwhile, the Axios reattribution to UNC1069 (a Mandiant uncategorized cluster, meaning limited public reporting exists) is a useful corrective: initial attribution to headline names like Scattered Spider or DPRK was wrong, and downstream impacts like OpenAI's credential rotation show how npm supply chain compromises propagate through build pipelines that nobody audits until they detonate.

Critical

Vulnerabilities

Adobe Acrobat Sandbox Escape Zero-Day — Four Months of In-the-Wild Exploitation Before Emergency Patch

CVE-2026-34621

No new developments since this morning's coverage. CVE-2026-34621 remains an actively exploited sandbox restriction bypass in Adobe Acrobat and Reader enabling arbitrary code execution via malicious PDFs. Emergency out-of-band patch issued. Four months of zero-day exposure confirmed (since December 2025). Still no public IOCs or actor attribution — unusual for a vulnerability with this length of active exploitation.

2026-04-11 (2 sources); 2026-04-14 (1 source)

Notable

Malware

108 Coordinated Malicious Chrome Extensions Share C2 for Session Hijacking and Credential Theft

T1027 T1041 T1071.001 T1176 T1185 T1528 T1539 UPPERCUT

Socket's threat research team identified 108 malicious Chrome extensions operating as a coordinated campaign under five publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) with shared C2 at cloudapi[.]stream. The extensions implement session cookie theft, browser session hijacking, and application access token theft — a combination that directly threatens any web-authenticated application where session tokens aren't device-bound, which in practice covers most enterprise SaaS, banking portals, and VPN web consoles. The scale and shared infrastructure indicate organized campaign activity rather than opportunistic extension malware.

Chrome Web Store content review has failed repeatedly to catch coordinated campaigns at this scale — 108 extensions with shared infrastructure is not subtle. Block cloudapi[.]stream at DNS/proxy immediately. Enterprise browser extension allow-listing should be treated with the same rigor as software installation policy.
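Before an indicator like cloudapi[.]stream can go into a DNS or proxy block list, or be matched against query logs, it has to be refanged, and the match has to cover subdomains without catching look-alike names. The script below is an added example and not Socket's or the gazette's tooling; it assumes a constructed DNS log line format (`<timestamp> <client_ip> <qname> <qtype>`), refangs the common defanging styles, and returns the hits and the clients that made them.

```python
"""Refang defanged domain IOCs and match them against DNS query logs.

Added example (not from the gazette or Socket). The log format is a constructed
assumption; the only indicator taken from the report above is cloudapi[.]stream.
"""
import re

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def refang(ioc):
    """Turn a defanged indicator back into a plain lowercase domain.

    Handles 'a[.]b', 'a(.)b', 'a{.}b', 'a[dot]b', an 'hxxp(s)://' prefix, a URL
    path after the host, and a trailing FQDN dot.
    """
    s = ioc.strip().lower()
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    s = s.split("/", 1)[0]      # drop any path component
    return s.strip(".")


def domain_matches(qname, blocked):
    """True if qname is the blocked apex or any subdomain of it (not a look-alike)."""
    q = qname.lower().rstrip(".")
    return q == blocked or q.endswith("." + blocked)


def scan_dns_log(lines, defanged_iocs):
    """Return (timestamp, client, qname, matched_ioc) for every log line that hits."""
    blocked = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than fail
        ts, client, qname, _qtype = m.groups()
        for b in blocked:
            if domain_matches(qname, b):
                hits.append((ts, client, qname.lower().rstrip("."), b))
    return hits


def clients_contacting(hits):
    """Distinct client IPs that resolved a blocked domain, sorted."""
    return sorted({h[1] for h in hits})


# Constructed sample log: a mix of benign lookups, the apex, a subdomain,
# a look-alike prefix, and the IOC appearing as a label inside another domain.
SAMPLE_LOG = """\
2026-04-14T09:01:02Z 10.0.5.21 www.example.com A
2026-04-14T09:01:05Z 10.0.5.21 CloudAPI.stream. A
2026-04-14T09:01:09Z 10.0.7.3 api.cloudapi.stream A
2026-04-14T09:02:11Z 10.0.7.3 notcloudapi.stream A
2026-04-14T09:02:40Z 10.0.9.8 cloudapi.stream.example.net A
""".splitlines()

IOCS = ["cloudapi[.]stream"]


def run_sample():
    return scan_dns_log(SAMPLE_LOG, IOCS)


if __name__ == "__main__":
    hits = run_sample()
    for ts, client, qname, ioc in hits:
        print(f"{ts} {client} -> {qname} (matches {ioc})")
    print("clients to investigate:", ", ".join(clients_contacting(hits)))
```

The suffix check is the part that matters: a plain substring match would flag `notcloudapi.stream` (a look-alike, and a false positive) while a plain equality check would miss `api.cloudapi.stream`. Hosts in the returned client list are the ones whose installed extensions should be checked against the enterprise allow-list.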

Geopolitical

Axios npm Supply Chain Attack Reattributed to UNC1069; Compromised Version Identified as 1.14.1

UNC1069

Since this morning's coverage: the compromised Axios version is confirmed as 1.14.1, and attribution has shifted to UNC1069 — a Mandiant uncategorized cluster, replacing the earlier Scattered Spider and North Korean attributions from conflicting reports. OpenAI has confirmed rotation of the exposed macOS code-signing credentials. The critical question from this morning — whether this was npm axios proper (~50M weekly downloads) or a vendored fork — remains unanswered, though the specific version number suggests a narrow compromise window. Organizations should audit whether axios@1.14.1 appeared in CI/CD pipelines around March 31, 2026, and review pipeline artifacts and secrets accessible to those workflows.
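Checking whether axios@1.14.1 ever landed in a pipeline means reading the lockfiles that were committed or archived at the time, not the current `package.json` range. The scanner below is an added example, not the gazette's or the axios project's code: it handles both the npm lockfileVersion 1 layout (nested `dependencies`) and the v2/v3 layout (flat `packages` keyed by install path), reports every install path including nested copies under another dependency's `node_modules`, and can walk a checkout for `package-lock.json` and `npm-shrinkwrap.json`. The sample lockfiles are constructed.

```python
"""Find a specific package@version in npm lockfiles (lockfileVersion 1, 2 and 3).

Added example, not from the gazette or the axios project. The sample lockfile
contents are constructed; only the package name and version (axios 1.14.1) come
from the report above.
"""
import json
import os

LOCKFILE_NAMES = ("package-lock.json", "npm-shrinkwrap.json")


def _walk_v1(deps, prefix, name, version, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for dep_name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{dep_name}"
        if dep_name == name and meta.get("version") == version:
            hits.append(path)
        _walk_v1(meta.get("dependencies"), path + "/", name, version, hits)


def find_package_version(lock, name, version):
    """Return sorted install paths where `name` is pinned to exactly `version`."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:              # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in packages.items():
            if path == "":                # the root project entry
                continue
            # An aliased install carries its real name in "name"; otherwise the
            # package name is the last node_modules segment (scoped names included).
            pkg_name = meta.get("name") or path.split("node_modules/")[-1]
            if pkg_name == name and meta.get("version") == version:
                hits.append(path)
    else:                                 # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), "", name, version, hits)
    return sorted(hits)


def scan_lockfile_text(text, name, version):
    return find_package_version(json.loads(text), name, version)


def scan_tree(root, name, version):
    """Walk a checkout; return {lockfile_path: [install paths]} for every lockfile with a hit."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # lockfiles, not installs
        for fn in filenames:
            if fn not in LOCKFILE_NAMES:
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8") as fh:
                try:
                    hits = find_package_version(json.load(fh), name, version)
                except json.JSONDecodeError:
                    continue
            if hits:
                results[full] = hits
    return results


# Constructed lockfileVersion 3 sample: a direct axios and a different nested copy.
SAMPLE_LOCK_V3 = """{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios-retry": {"version": "4.5.0"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.13.0"}
  }
}"""

# Constructed lockfileVersion 1 sample: only a transitive copy is on the bad version.
SAMPLE_LOCK_V1 = """{
  "name": "example-app", "lockfileVersion": 1,
  "dependencies": {
    "axios": {"version": "1.12.0"},
    "some-sdk": {"version": "2.0.0", "requires": {"axios": "1.14.1"},
                 "dependencies": {"axios": {"version": "1.14.1"}}}
  }
}"""


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, scan_lockfile_text(text, "axios", "1.14.1"))
```

Run `scan_tree` against each checkout of the repository state around the suspected window (e.g. the commits or archived build artifacts from March 31, 2026), since a lockfile that has since been regenerated will not show the earlier pin. The `axios-retry` entry in the sample is there to show that name matching is on the whole package name, not a prefix.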

Three distinct attribution claims (Scattered Spider, DPRK, UNC1069) in 48 hours is a reminder that early-stage attribution is essentially vibes. UNC designations exist precisely because premature labeling causes downstream confusion. Wait for Mandiant's completed analysis before updating threat models.

AI Threats

CVE-2025-59528 Flags at EPSS 0.836 with Public PoC but Missing Product Attribution

CVE-2023-23397 CVE-2023-46233 CVE-2025-12664 CVE-2025-48651 CVE-2025-58136 CVE-2025-59528 CVE-2026-0049 CVE-2026-0234 CVE-2026-0740 CVE-2026-0775 CVE-2026-0776 CVE-2026-1092 CVE-2026-1188 CVE-2026-1342 CVE-2026-1346 CVE-2026-1561 CVE-2026-20929 CVE-2026-22683 CVE-2026-23696 CVE-2026-23869 CVE-2026-29059 CVE-2026-30815 CVE-2026-30818 CVE-2026-31790 CVE-2026-32922 CVE-2026-33579 CVE-2026-33784 CVE-2026-34040 CVE-2026-34078 CVE-2026-34197 CVE-2026-34621 CVE-2026-34976 CVE-2026-39987 CVE-2026-4112 CVE-2026-4342 CVE-2026-4350 CVE-2026-5173 CVE-2026-5194 CVE-2026-5437 CVE-2026-5445 CVE-2026-5707 CVE-2026-5708 CVE-2026-5709 CVE-2026-5858 CVE-2026-5859 CVE-2026-5860 CVE-2026-5873 APT28 Clop Storm-2755 Chaos Cyclops Blink Ninja PlugX Remcos VPNFilter

Surfaced via THN's weekly recap of 47 CVEs: CVE-2025-59528 has an EPSS score of 0.836 and a public Exploit-DB proof-of-concept (EDB-52440), but product metadata is absent from available enrichment — meaning vulnerability management teams need to independently identify what this CVE affects before the EPSS model's exploitation prediction is validated in the wild. Also notable: CVE-2023-23397 (APT28's Outlook zero-click NTLM relay, EPSS 0.934) appearing in a 2026 active-exploitation roundup indicates persistent exploitation three years post-patch. Clop and Storm-2755 activity also noted.

CVE-2025-59528's missing product attribution combined with that EPSS score is an unusual gap — treat as a research priority. Clop resurfacing in active-campaign reporting has historically preceded mass-exploitation campaigns against managed file transfer infrastructure; pre-emptive audit of MFT assets is warranted.

Malware

UNC5142 and UNC5342 Deploy Blockchain-Based C2 Infrastructure for Takedown Resistance

UNC5142 UNC5342 Amadey UPPERCUT

Attributed threat actors are moving C2 operations to blockchain networks to evade traditional takedown mechanisms. Blockchain-based C2 has been theorized for years, but seeing it deployed by tracked Mandiant clusters indicates the technique has reached operational maturity. Decentralized infrastructure eliminates the single points of failure that law enforcement and defenders have historically used to disrupt C2 networks.

This is tradecraft evolution worth tracking for detection engineering. Defenders should assess whether existing C2 detection capabilities cover blockchain protocol traffic patterns and whether DNS/proxy controls can identify blockchain-based C2 resolution.

Supply Chain

ShinyHunters Claims Rockstar Games Data via Anodot — Post-Deadline Escalation Expected

Scattered Spider

Continuing from AM coverage: ShinyHunters publicly naming Rockstar Games is consistent with their escalation pattern when ransom negotiations stall, previously deployed against Ticketmaster and Santander during the 2024 Snowflake campaign. The April 14 extortion deadline has passed. A public data dump is the likely next step. This is the named-victim anchor of the broader Anodot supply chain campaign documented at the critical level.

ShinyHunters' targeting of high-profile consumer brands is a deliberate media-pressure strategy — the public attention on the brand name generates more extortion leverage than a quiet demand against an unknown enterprise. The group understands reputational mechanics of breach disclosure as well as any ransomware operator.

Malware

Threat Actor Acquires 30 WordPress Plugins to Inject Persistent Backdoors

Proton

A coordinated supply chain compromise where an attacker purchased 30 legitimate WordPress plugin repositories and injected persistent backdoors, affecting all downstream users who update. The acquisition-as-attack technique bypasses traditional supply chain defenses that focus on code injection or credential theft.

Buying the supply chain rather than hacking it is a technique that translates across any ecosystem with transferable ownership — npm packages, browser extensions, mobile apps, even SaaS companies. Two additional duplicate stories in the pipeline for this item suggest a clustering issue worth investigating.

Social Engineering

PhantomPulse RAT Distributed via Trojanized Obsidian Productivity Application

RDAT Responder UPPERCUT cmd

Novel RAT malware distributed through a compromised Obsidian package, abusing trust in the legitimate productivity tool for initial access and credential harvesting. Obsidian's growing adoption in technical and enterprise environments makes this a relevant distribution vector.

Another entry in the supply chain pattern dominating today's digest. The common thread across Chrome extensions, npm packages, WordPress plugins, and now Obsidian is that attackers are systematically targeting trusted software distribution channels rather than exploiting vulnerabilities.

Vulnerabilities

Kali Forms WordPress Plugin Under Active Exploitation — CVE-2026-3584

CVE-2026-3584

CVE-2026-3584 (EPSS 0.17) in the Kali Forms WordPress plugin is under active exploitation with confirmed IOCs and attack signatures. Limited direct relevance to financial services core infrastructure, but organizations with WordPress-based properties should verify patching status.

Low priority for most FS environments unless WordPress is in the external web property stack.

Malware

Government Source Reports Active Scanning for EncystPHP Webshell

Government-sourced intelligence reports active reconnaissance scanning for EncystPHP webshell variants, with actionable IOCs provided. Indicates ongoing webshell deployment campaigns targeting PHP-based infrastructure.

Actionable IOCs from authoritative government source — route to SOC for indicator ingestion if PHP-based web applications are in scope.

Briefs

Ransomware

2026 Breach Retrospective Aggregates 17 Actors — Context Piece, Not Primary Intel

Comprehensive timeline of 2026 breaches involving 17 attributed actors, high-value CVEs with active exploitation (EPSS 0.94), KEV advisories, and environment-relevant vulnerabilities across multiple sectors.

CVE-2021-35587 CVE-2026-20127 CVE-2026-21509 ALPHV APT28 Akira Banished Kitten DragonForce Famous Chollima Kimsuky LAPSUS$ NoName057 Play Ransomware Qilin Salt Typhoon Scattered Spider TeamPCP UNC1069 UNC6395 Volt Typhoon Akira BlackCat Chaos Crimson FrameworkPOS Meteor Milan Net Crawler Pandora Qilin Stuxnet UPPERCUT Wiper ZeroT

Intelligence

APT29 Espionage Operations — Duplicate Coverage

Detailed coverage of APT29 state-sponsored campaign activity; extensive reporting but without novel exploitation vectors or active KEV advisories.

APT29 Attor Ferocious PLEAD PowerLess Wiper

Intelligence

APT29 Attribution Analysis — Duplicate Coverage

Detailed coverage of APT29 state-sponsored campaign activity; extensive reporting but without novel exploitation vectors or active KEV advisories.

APT29 Attor Ferocious PLEAD PowerLess Wiper