Cybersecurity Weekly Briefing, 11-17 April
Microsoft patches 165 vulnerabilities, including an actively exploited SharePoint 0-day
Microsoft has released its Patch Tuesday update, addressing 165 vulnerabilities – one of the largest monthly releases in terms of CVE count. Eight flaws are rated critical, two moderate and the rest important. Of particular note is the 0-day CVE-2026-32201 (CVSSv3 6.5 according to the vendor), a spoofing vulnerability in Microsoft SharePoint Server, which is already being actively exploited.
Also patched is CVE-2026-33825 (CVSSv3 7.8 according to the vendor), a privilege escalation in Microsoft Defender that had previously been disclosed publicly under the alias BlueHammer. CVE-2026-33827 (CVSSv3 8.1 according to the vendor) affects the Windows TCP/IP stack and allows unauthenticated remote code execution; Microsoft notes it is potentially wormable in environments where IPv6 and IPsec are enabled. CVE-2026-33824 (CVSSv3 9.8 according to the vendor) is a critical remote code execution vulnerability in the Windows IKE service.
Microsoft rates 19 of the published vulnerabilities as "Exploitation More Likely" in its Exploitability Index. For prioritisation, the actively exploited SharePoint flaw and the two network-reachable flaws in TCP/IP and IKE are the ones to patch first, since they can be triggered without any user interaction.
Multi-stage campaign targeting critical sectors in the Middle East reveals tactics consistent with MuddyWater
Oasis Security analysed a multi-stage campaign cautiously attributed to an actor whose tactics are consistent with MuddyWater. The campaign combined mass reconnaissance of over 12,000 exposed systems with the exploitation of at least five recent CVEs, brute-force attacks against Outlook Web Access (OWA), and a modular C2 infrastructure with Python and Go controllers capable of communicating over TCP, UDP and HTTP, with traffic encrypted using AES in CTR mode.
The operation evolved from automated scanning towards targeted intrusions against critical sectors in the Middle East, particularly aviation, energy and public bodies, and culminated in the confirmed exfiltration of sensitive data such as passports, payslips, credit cards and corporate documentation.
The most significant technical feature is the integration of several phases into a single operational chain, ranging from the identification of vulnerable surfaces and credential abuse to staging and information theft, supported by new C2 controllers with communication patterns that the authors consider to be consistent with those previously observed in MuddyWater campaigns.
A DDoS botnet reaches 13.5 million nodes and enables attacks of over 2 Tbps
A report by Qrator Labs indicates that the largest known DDoS botnet has grown to 13.5 million devices, a tenfold increase year-on-year, enabling attacks of up to 2.065 Tbps and 1 billion packets per second.
The infected devices are mainly concentrated in the US (16.0%), Brazil (13.6%) and India (6.5%), making geographical blocking difficult.
APT41 deploys an ELF backdoor with no VirusTotal detections to steal credentials in Linux cloud environments
Breakglass Intelligence has identified an APT41 campaign targeting Linux cloud workloads using a statically linked x86-64 ELF backdoor – which had no detections on VirusTotal at the time of the report – that uses SMTP (port 25) as its C2 channel to blend in and evade mass scans. The implant harvests credentials and instance metadata from AWS, GCP, Azure and Alibaba Cloud by querying each provider's instance metadata service from the compromised workload.
The operation incorporates typosquatted domains mimicking Alibaba Cloud services and the Qianxin brand, registered in bulk in January 2026, and a C2 server that only responds to specific patterns from the malware.
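The two host-level behaviours in this report, outbound SMTP from a process that is not a mail agent and instance-metadata requests from a process that is not the provider's own agent, are cheap to detect on the workload itself. The following is an added example written for this briefing, not code from Breakglass Intelligence or from the malware; the connection records, process names and allowlists are constructed for illustration (the key=value format is not a real log format), and the metadata endpoints are the documented ones: 169.254.169.254 for AWS, GCP and Azure, fd00:ec2::254 for AWS IMDS over IPv6, and 100.100.100.200 for Alibaba Cloud ECS.

```python
"""Flag processes on a Linux cloud workload that (a) open outbound SMTP
(tcp/25) without being a mail agent, or (b) query the instance-metadata
service without being a known cloud agent. A process that does both
matches the pattern described in the APT41 report.

Records are constructed for this example (one 'k=v k=v ...' line each);
map real data from `ss -tnp`, auditd connect() records or EDR telemetry
into the same fields before calling evaluate().
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Instance-metadata endpoints (documented by the providers).
METADATA_HOSTS = {
    ipaddress.ip_address("169.254.169.254"),   # AWS, GCP, Azure
    ipaddress.ip_address("fd00:ec2::254"),     # AWS IMDS over IPv6
    ipaddress.ip_address("100.100.100.200"),   # Alibaba Cloud ECS
}

# Allowlists are assumptions for this example; tune them to the image in use.
MAIL_AGENTS = {"postfix", "smtpd", "sendmail", "exim4", "msmtp"}
METADATA_AGENTS = {"cloud-init", "amazon-ssm-agent", "google_guest_agent",
                   "waagent", "aliyun-service"}

SMTP_RULE = "smtp_from_non_mail_process"
IMDS_RULE = "metadata_access_from_unexpected_process"


@dataclass(frozen=True)
class Conn:
    ts: str
    pid: int
    comm: str
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_record(line: str) -> Conn:
    """Parse one 'ts=... pid=... comm=... dst=... dport=... proto=...' record."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Conn(ts=kv["ts"], pid=int(kv["pid"]), comm=kv["comm"],
                dst=ipaddress.ip_address(kv["dst"]),
                dport=int(kv["dport"]), proto=kv["proto"].lower())


def evaluate(lines) -> dict[int, set[str]]:
    """Return {pid: rules hit} for every process that tripped at least one rule."""
    hits: dict[int, set[str]] = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        c = parse_record(raw)
        if c.proto == "tcp" and c.dport == 25 and c.comm not in MAIL_AGENTS:
            hits[c.pid].add(SMTP_RULE)
        if c.dst in METADATA_HOSTS and c.comm not in METADATA_AGENTS:
            hits[c.pid].add(IMDS_RULE)
    return dict(hits)


def triage(hits: dict[int, set[str]]) -> list[tuple[int, str, list[str]]]:
    """Rank findings: SMTP C2 plus metadata access from one pid is 'high'."""
    ranked = [(pid, "high" if {SMTP_RULE, IMDS_RULE} <= rules else "medium",
               sorted(rules)) for pid, rules in hits.items()]
    return sorted(ranked, key=lambda r: (r[1] != "high", r[0]))


# Constructed sample: postfix and cloud-init are benign; pid 4411 shows the
# report's combination; pid 3003 is a lone metadata read worth a look.
SAMPLE_RECORDS = """\
ts=2026-04-12T08:01:02Z pid=812 comm=postfix dst=203.0.113.10 dport=25 proto=tcp
ts=2026-04-12T08:01:05Z pid=4411 comm=.cache-worker dst=198.51.100.7 dport=25 proto=tcp
ts=2026-04-12T08:01:06Z pid=4411 comm=.cache-worker dst=169.254.169.254 dport=80 proto=tcp
ts=2026-04-12T08:01:09Z pid=601 comm=cloud-init dst=169.254.169.254 dport=80 proto=tcp
ts=2026-04-12T08:01:11Z pid=4411 comm=.cache-worker dst=100.100.100.200 dport=80 proto=tcp
ts=2026-04-12T08:01:30Z pid=3003 comm=python3 dst=fd00:ec2::254 dport=80 proto=tcp
ts=2026-04-12T08:02:00Z pid=2200 comm=curl dst=192.0.2.44 dport=443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for pid, severity, rules in triage(evaluate(SAMPLE_RECORDS)):
        print(f"pid={pid} severity={severity} rules={','.join(rules)}")
```

The per-process correlation is what makes this useful: metadata reads alone are noisy on any cloud image, and port 25 alone is noisy on mail relays, but one process doing both is the behaviour the report describes. On AWS, enforcing IMDSv2 with a hop limit of 1 blocks metadata access from containers behind NAT but not from a process running directly on the instance, so host-level telemetry like this is still needed.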
Android banking Trojan affects 21 countries
Infoblox has published a report establishing, for the first time, a confirmed link between a fraud ring based on forced labour in Southeast Asia and an Android banking Trojan used in active campaigns across at least 21 countries.
The investigation, carried out in conjunction with the Vietnamese NGO Chong Lua Dao, links the malware operation to the K99 Triumph City complex in Sihanoukville, Cambodia, where trafficked individuals are forced to participate in the distribution and operation of the fraud.
The malware spreads through the continuous registration of fake domains that mimic legitimate services and banking institutions to trick users into installing malicious Android apps from outside official app stores. Once installed, the trojan allows the interception of SMS messages, bypassing biometric controls, overlaying fake screens on banking apps and manipulating sessions in real time, facilitating the theft of funds. The infrastructure is described as malware-as-a-service, with centralised development and control and affiliates responsible for recruiting victims.
Victims have been identified in Asia, Europe (including Spain) and Latin America, demonstrating an ability to adapt to local banks and languages.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →