the threat gazette
Afternoon Update
Intraday Update
Vulnerabilities

Windows Task Host Privilege Escalation (CVE-2025-60710) Added to KEV with SYSTEM Impact

CVE-2025-60710

CVE-2025-60710, a privilege escalation vulnerability in the Windows Task Host — the core system component that hosts DLL-based background processes and manages clean shutdown behavior — has been added to CISA KEV with a deadline of April 27. The flaw enables attackers to achieve SYSTEM-level privileges. EPSS sits at 15.5%, modest but now moot given confirmed exploitation. No CVSS score is currently available in enrichment data, which should not be read as a mitigating factor given the KEV status.

Local privilege escalation in a core Windows infrastructure component is almost universally the second stage of a kill chain, not a standalone attack — the analytically interesting unknown this coverage doesn't answer is what initial access vector is being paired with this LPE in the observed campaigns. Defenders should treat confirmed exploitation as an indicator that full compromise chains are in operation, not isolated privilege abuse. Cross-reference against the Rapid7 'more likely to be exploited' list from the morning digest: same-cycle KEV entries for Windows LPE bugs frequently surface in IR write-ups weeks later tied to specific intrusion sets.

2026-04-15

Editorial

The most strategically significant item today is the signed-adware AV-killer operation running at 23,500+ hosts/day in 124 countries behind a valid code-signing certificate. This is the same trust-layer exploitation pattern we've been tracking all week — Salesforce guest policies, Teams federation, npm maintainer takeovers, HuggingFace Spaces allow-listing — now extending into the code-signing PKI itself. Until the cert is revoked, signature-based endpoint trust is effectively dead weight against this campaign; the coverage burden falls entirely onto behavioral telemetry and the published C2 IOCs, and the same architectural question applies as with SaaS trust: which of our controls implicitly assume a signed binary is a safe binary, and what's the compensating control when that assumption breaks?

Mandiant's ~50% YoY increase in DLS post volume, with Germany absorbing a disproportionate share back toward 2022–2023 pressure levels, quantifies the "ransomware expanding faster than defensive spending" thread from Wednesday — it's no longer inference from Halcyon rhetoric but GTI telemetry with ALPHV, LockBit, and Qilin named in the shift. For a financial institution, this reads as EU counterparty and operations concentration risk to price in now, not a European regional story. Meanwhile the Windows Task Host LPE (CVE-2025-60710) landing in KEV is a reminder that SYSTEM-level LPEs rarely travel alone in confirmed-exploitation telemetry; treat it as a signal that full kill chains are in flight and cross-reference against the pre-KEV triage list we flagged yesterday before next week's additions do the argument for us.

Notable

Malware

Signed Adware Tool Weaponized as AV-Killer at Scale; 23,500 Hosts/Day Across 124 Countries

A digitally signed adware binary has been weaponized to deploy SYSTEM-privilege payloads that terminate antivirus protections, with researchers observing more than 23,500 infected hosts across 124 countries connecting to operator infrastructure within a single 24-hour period. Affected sectors include education, utilities, government, and healthcare. The technique leverages a valid code-signing certificate to bypass trust controls before executing AV-kill scripts with SYSTEM privileges. Actionable IOCs including C2 infrastructure indicators are available from the underlying research.

The signed-binary-as-AV-killer technique is conceptually well-understood, but the operational scale here — 23,500+ hosts per day globally — indicates a mature, resourced campaign, not a research demo. The critical operational unknown is whether the signing certificate has been revoked; if it remains valid, signature-based trust controls are still bypassed and detection must rely on behavioral signals or the published C2 IOCs rather than file reputation.

A second outlet covered the same operation below the noise line today (story filtered as ranked_noise), which suggests the research is propagating fast — expect copycat tooling to follow. The certificate revocation question is the whole game: until the signing cert is pulled, this bypasses reputation and allow-list controls by design, and the earlier Marimo/NKAbuse chain already demonstrated that 2026's adversaries treat code-signing and trusted-platform hosting as interchangeable primitives.
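The compensating control the item above and the editorial both point at is behavioral telemetry that does not treat a valid Authenticode signature as a reason to suppress an alert. The script below is an added example written for this digest, not tooling from the underlying research: it parses constructed process-creation events (the parent image paths, user names and the "ExampleUpdater" signer are all made up for illustration), extracts the process or service each command line tries to stop, and flags AV/EDR termination attempts regardless of the parent's signature status. The `trust_signed` switch implements the naive "signed parent is benign" policy so the two rule sets can be compared on the same telemetry; the AV target shortlist is illustrative, not exhaustive.

```python
"""Behavioral detection of AV-termination activity that ignores code-signing trust.

Added example for the signed-adware AV-killer item; sample telemetry is constructed.
"""
import json
import re

# Illustrative shortlist of AV/EDR process and service names (Microsoft Defender's
# MsMpEng engine and WinDefend service are real names; the list is not exhaustive).
AV_TARGETS = {"msmpeng", "windefend", "sense", "mssense", "nissrv"}

# Command-line shapes that terminate a process or stop a service.
# The capture group is the target name; matching is case-insensitive.
KILL_PATTERNS = [
    re.compile(r"\btaskkill\b[^\n]*?/im\s+['\"]?([\w.-]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+['\"]?([\w.-]+)", re.I),
    re.compile(r"\bStop-Process\b[^\n]*?-Name\s+['\"]?([\w.-]+)", re.I),
    re.compile(r"\bStop-Service\b\s+(?:-Name\s+)?['\"]?([\w.-]+)", re.I),
]

# Constructed newline-delimited JSON process-creation events (Sysmon-like fields).
# Events 1-2: validly signed (hypothetical) updater spawning AV-kill commands as SYSTEM.
# Events 3-4: benign user activity, including a taskkill that does not target AV.
# Event 5: unsigned dropper stopping the Defender service as a normal user.
SAMPLE_TELEMETRY = r"""
{"event": "process_create", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Program Files\\ExampleUpdater\\updater.exe", "parent_signature": "Valid", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c taskkill /F /IM MsMpEng.exe"}
{"event": "process_create", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Program Files\\ExampleUpdater\\updater.exe", "parent_signature": "Valid", "image": "C:\\Windows\\System32\\sc.exe", "command_line": "sc stop WinDefend"}
{"event": "process_create", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe", "parent_signature": "Valid", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"event": "process_create", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "parent_signature": "Valid", "image": "C:\\Windows\\System32\\taskkill.exe", "command_line": "taskkill /F /IM notepad.exe"}
{"event": "process_create", "user": "CORP\\jdoe", "parent_image": "C:\\Users\\jdoe\\Downloads\\setup.exe", "parent_signature": "NotSigned", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoP -c Stop-Service WinDefend"}
"""


def normalize(name):
    """Lower-case a process/service name, strip quotes and a trailing .exe."""
    name = name.strip("'\"").lower()
    return name[:-4] if name.endswith(".exe") else name


def kill_targets(command_line):
    """Return the normalized names of processes/services the command line tries to stop."""
    targets = set()
    for pattern in KILL_PATTERNS:
        for match in pattern.findall(command_line):
            targets.add(normalize(match))
    return targets


def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events, trust_signed=False):
    """Alert on AV/EDR termination attempts.

    trust_signed=False: signature status is recorded but never suppresses an alert.
    trust_signed=True:  the naive policy that skips validly signed parents, i.e. the
                        assumption a signed AV-killer is built to abuse.
    """
    alerts = []
    for ev in events:
        hit = kill_targets(ev.get("command_line", "")) & AV_TARGETS
        if not hit:
            continue
        if trust_signed and ev.get("parent_signature") == "Valid":
            continue
        is_system = ev.get("user", "").upper().endswith("SYSTEM")
        alerts.append({
            "parent": ev.get("parent_image"),
            "parent_signature": ev.get("parent_signature"),
            "targets": sorted(hit),
            "severity": "high" if is_system else "medium",
        })
    return alerts


def run_demo():
    """Run both rule sets over the constructed telemetry and return (behavioral, naive)."""
    events = parse_events(SAMPLE_TELEMETRY)
    return detect(events), detect(events, trust_signed=True)


if __name__ == "__main__":
    behavioral, signature_trusting = run_demo()
    print(f"behavioral rule: {len(behavioral)} alerts; "
          f"signature-trusting rule: {len(signature_trusting)} alerts")
    for alert in behavioral:
        print(alert)
```

On the constructed telemetry the behavioral rule raises three alerts (two high-severity SYSTEM events from the signed parent, one medium from the unsigned dropper), while the signature-trusting rule sees only the unsigned dropper: exactly the gap the campaign exploits until the certificate is revoked.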

Ransomware

Mandiant: Germany Tops European Ransomware Targeting; Global DLS Posts +50% YoY

ALPHV (BlackCat), LockBit, Qilin

Google Threat Intelligence has published analysis showing Germany has reclaimed its position as the primary ransomware target in Europe, with data leak site posts rising approximately 50% globally across 2025 and German infrastructure absorbing disproportionate volume relative to regional peers — mirroring the elevated pressure observed in 2022–2023. Active operators driving the trend include ALPHV (BlackCat), LockBit, and Qilin. The report is sourced from Mandiant/GTI's own DLS telemetry, lending it materially higher confidence than open-source DLS scraping.

A 50% global DLS volume increase is not statistical noise — it represents a material shift in ransomware operational tempo that precedes the actual breach activity by weeks or months. Qilin's prominence in European operations is worth tracking specifically: the group has demonstrated sector-agnostic targeting including financial services adjacencies, and institutions with EU operations or significant German counterparty exposure should consider this an elevated ambient risk signal, not a distant European concern.

Worth pairing this with the Autovista ransomware disruption that surfaced below the line in today's noise tier — German automotive data processor outages are the sector-level corroboration of the Mandiant telemetry, not an unrelated datapoint. ALPHV/LockBit/Qilin as the named operators is the expected podium; Qilin's sector-agnostic targeting is the one with the most direct relevance to financial services adjacencies.

Briefs