Major Stories of the Month

1. Anthropic's Claude Mythos Demonstrates Autonomous Vulnerability Discovery

• Anthropic launched a restricted preview of its "Claude Mythos" AI model, representing a fundamental shift in offensive capabilities where automated vulnerability discovery now outpaces human remediation at scale.
• The model successfully demonstrated the ability to autonomously identify and chain zero-day vulnerabilities across major operating systems and browsers, independently discovering a 13-year-old remote code execution (RCE) flaw in Apache ActiveMQ (CVE-2026-34197) and an authentication bypass in the NSA's Ghidra tool.
• Due to its potent offensive capabilities, access was strictly limited to 50 critical industry partners to prevent adversarial exploitation.

2. Axios npm Mass Supply Chain Compromise

• North Korea-attributed threat actors hijacked the primary maintainer account for the Axios npm package, a foundational JavaScript library with over 100 million weekly downloads.
• The attackers published malicious package versions containing the WAVESHAPER.V2 remote access trojan (RAT), which affected Windows, macOS, and Linux systems.
• The campaign directly targeted CI/CD pipelines, harvesting cloud provider credentials (AWS, Azure, GCP), Docker secrets, and SSH keys, marking a critical escalation from targeting security tools to attacking fundamental developer infrastructure.

3. Vercel Supply Chain Breach via Context.ai Compromise

• The cloud development platform Vercel, which created the NextJS framework and hosts tens of thousands of AI applications, suffered a breach originating from a third-party AI tool called Context.ai.
• Attackers leveraged stolen OAuth tokens to hijack a Vercel employee's Google Workspace account, gaining access to internal systems and exposing deployment configurations, source code, API/NPM/GitHub tokens, and customer credentials.
• This cascading trust chain exploitation prompted a threat actor to attempt extorting a $2 million ransom for the stolen data.

Top Ransomware Groups

Note: In 2025, ransomware attack volume surged while payment rates dropped, prompting actors to increasingly adopt "recovery denial" tactics, such as destroying backups and disabling endpoint security from the kernel level.

1. The Gentlemen -  This group emerged as the number two most active ransomware group in 2026. It utilizes multi-platform lockers targeting Windows, Linux, NAS, BSD, and ESXi. Affiliates use internet-facing VPNs/firewalls for access, deploying ransomware via GPO within hours. It has successfully compromised over 1,570 corporate networks utilizing a SystemBC proxy botnet, claiming 320+ victims (240 in 2026 alone) primarily across manufacturing, technology, and healthcare.
2. INC Ransom - These high-volume campaigns aggressively target the healthcare, legal, and education sectors globally. The group has exfiltrated 2TB of data affecting 237,830+ individuals from the National Association on Drug Abuse Programs.
3. Qilin - This active operator specializes in customized, double-extortion attacks against critical infrastructure, engineering, manufacturing, and healthcare domains. Ongoing disruption to NHS vendor Synnovis (from a June 2024 attack) has caused 120+ critical patient safety incidents in the 22 months since the breach, highlighting severe long-term impact.
4. Kyber Ransomware - The first confirmed ransomware operation implementing quantum-resistant cryptography (Kyber1024 hybrid scheme) in its Windows variant, Kyber has also been observed deploying dual-variant attacks against VMware ESXi environments.
5. Storm-1175 (Medusa) - This China-linked, financially motivated group deploys Medusa ransomware with a focus on high-velocity, N-day exploitation in the U.S., UK, and Australia. It's notable for a rapid weaponization window, where threat actors achieved access, data exfiltration, and full network encryption within 24 hours of a vulnerability's public disclosure.

Linux / Cloud / Identity Attacks: Top Threats

These threats were selected based on their critical severity scores (CVSs) and direct, widespread impact on enterprise cloud, artificial intelligence, and identity infrastructures.

1. Flowise AI Platform Arbitrary Code Execution (CVE-2025-59528)

• Type: Cloud / AI Automation Platform
• Impact: A critical vulnerability enabling unauthenticated attackers to perform arbitrary JavaScript injection on the Flowise AI platform.
• CVSS 10.0. Entered active exploitation in early April 2026, targeting a massive attack surface of 12,000 to 15,000 publicly exposed and internet-facing AI platform instances.

2. Nginx-ui Model Context Protocol Authentication Bypass (CVE-2026-33032)

• Type: Cloud Infrastructure Management / Identity
• Impact: A missing authentication flaw in the Model Context Protocol (MCP) integration allows unauthenticated remote attackers to execute arbitrary commands and achieve full server takeover of managed Nginx instances.
• CVSS 9.8. Currently under active exploitation in the wild. Attackers are bypassing default IP allowlists to deploy web shells for persistent access across enterprise infrastructure.

3. F5 BIG-IP APM Remote Code Execution (CVE-2025-53521)

• Type: Identity & Access Management / Network Infrastructure
• Impact: Originally classified as a denial-of-service, this vulnerability was reclassified after it was found to enable complete system compromise on BIG-IP Access Policy Manager instances, which handle critical enterprise VPNs, SSO platforms, and MFA systems.
• CVSS 9.3. F5 confirmed active, in-the-wild exploitation. Nation-state actors exploited the vulnerability for months as a zero-day to deploy webshells prior to public awareness.

Insights from Rubrik Zero Labs LLM Powered Advanced Analysis Systems

Top Threats Inside Backups: Our advanced analysis systems identify top and trending threats seen in the wild and compare that data with backup telemetry to detect stealthy malware. The following are the most prevalent families seen in the backup data that are potentially successful in bypassing first-line defenses.

Remote Access Trojans (RATs) & InfoStealers

These tools are primarily designed to spy on users, steal sensitive data, and maintain persistent control over a victim's machine.

• Gh0st RAT: A long-standing, powerful Trojan used to track keystrokes, capture live video/audio, and manage files on a remote Windows host; it is frequently utilized by APT groups.
• Nanocore: A modular, commodity RAT that allows attackers to perform a wide range of intrusive activities, including surveillance via webcam, remote file manipulation, and credential theft.
• Formbook: A prominent InfoStealer that specializes in harvesting form data from web browsers, logging keystrokes, and stealing passwords from various applications.
• SILKBELL: A sophisticated downloader and backdoor often used to profile systems and deploy secondary payloads in targeted cyber-espionage campaigns.

Ransomware

Malware designed to encrypt files and demand payment for the decryption key, often using extortion tactics to ensure payment.

• LockBit: One of the most prolific Ransomware-as-a-Service (RaaS) operations, known for its extremely fast encryption speed and "double extortion" tactic of leaking stolen victim data.

Botnets & Infrastructure Tools

These programs are designed to compromise a large number of devices to create a network for large-scale attacks or to facilitate anonymized communication.

• Mirai: Notorious malware that targets IoT devices like cameras and routers, turning them into a massive botnet used primarily for launching large-scale DDoS attacks.
• DARKCLOUD: An infrastructure-focused malware often used as a "bulletproof" hosting service or a botnet to shield command-and-control (C2) traffic for other malware families.
• SystemBC: A proxy-based botnet used by attackers to hide malicious traffic by routing it through SOCKS5 proxies, often used as a delivery mechanism for ransomware.

Backdoors & Persistence Mechanisms

Scripts or binaries designed to provide long-term access to a system, often by bypassing standard authentication or exploiting specific environment vulnerabilities.

• SNOWBELT: A stealthy backdoor tool designed to provide remote command execution and file transfer capabilities while maintaining a low profile on the victim’s network.

Top Threats Analyzed via Advanced Malware Analysis

SHA256: 0e7816e8ef5f34851f2537db002fb196805ef76e28f2b25c589d54bd69d72e59 (Network-triggered Backdoor Trojan)

Summary: GTPDoor is a highly specialized Linux backdoor targeting telecommunications infrastructure. It masquerades as [syslogd] and passively sniffs for specially-crafted GTP packets on UDP port 2152 to execute remote commands and exfiltrate data without opening active network connections.

First_Seen: 2026-04-10
 

SHA256: 2138fc6c95760c519c2a24e3f7956dfb50153fa38a3859abd21f64db7bdbdd5e (Proof-of-Concept Exploit Tool / Vulnerability Scanner)

Summary: This is a comprehensive Python-based framework exploiting critical React Server Components (CVE-2025-55182) and Next.js Server Actions (CVE-2025-66478) vulnerabilities. It features advanced gadget chains for arbitrary code execution, multi-threaded bulk scanning capabilities, and out-of-band callback verification.

First_Seen: 2026-03-05
 

SHA256: 24524a2ff17f18a350a884dfc4ac6eedbfbe7ad30698754cd6df73174166c6bc (Privilege Escalation Exploit (CVE-2015-1805))

Summary: "iovyroot" is a privilege escalation exploit utilizing race conditions and heap spraying to target the CVE-2015-1805 kernel vulnerability. It achieves root access by corrupting kernel memory on specifically targeted Android devices, including Sony Xperia, Nexus, Huawei, and Xiaomi models.

First_Seen: 2017-08-20
 

SHA256: 3b1ca89757eb7538841d828753964de49ee7563f229f3a1fbb0a33b02c6fa282 (Remote Access Trojan (RAT) / Botnet Client / Multi-Stage Implant)

Summary: RogueImplant is a sophisticated cloud-native Python RAT that detects environments like AWS, Azure, GCP, and Kubernetes. It employs adaptive persistence, steals Kubernetes secrets, attempts Docker container escapes, and possesses over 20 post-exploitation triggers including ransomware and cryptomining.

First_Seen: 2026-04-10 
 

SHA256: 5f7d0b20a66939f20fb8443851810f80435373f0612b74be48998a30abaf3e94 (Linux Botnet Agent / DDoS Bot)

Summary: Linux-TrojanDownloader is a multi-architecture botnet agent that relies on Pastebin as a dead drop resolver for C2 server IPs. It conducts extensive system reconnaissance, utilizes GitHub-hosted proxy lists for traffic obfuscation, and executes remote shell commands.

First_Seen: 2026-04-06
 

SHA256: 6b0b4a31545affd7842b06e8125514c3483feabbd8c2bcffc1c3836c58076d57 (Linux Rootkit with LD_PRELOAD Persistence)

Summary: AutoColor is a Linux rootkit leveraging LD_PRELOAD hijacking to inject itself into dynamically-linked processes. It stealthily hooks libc functions to hide its files and network connections while actively disabling SELinux and auditd protections.

First_Seen: 2026-04-13 
 

SHA256: 72bb2e01ca126f936d500bb3bc05c575e6295a37806863cb556888b2aee8c40f (Cryptocurrency Miner / Worm)

Summary: GHOST v6.0 is an advanced cryptomining worm targeting Monero and Conflux that rapidly propagates via harvested SSH keys. It features container escapes, aggressive termination of competitor miners, fileless execution via memfd_create, and utilizes an LD_PRELOAD rootkit for deep concealment.

First_Seen: 2026-04-12
 

SHA256: 842d326a9fd13a99648d7b52099852afa8951b97f9b15e858eb9589cbfdce6fb (Ransomware)

Summary: Elite Enterprise Ransomware targets Linux server environments, specifically focusing on databases and web directories 19, 20. It employs a multi-threaded ChaCha20+RSA-4096 hybrid encryption scheme and relies on active anti-debugging and anti-VM capabilities to evade analysis.

First_Seen: 2026-04-20
 

SHA256: 8edcc728a0564d0fafff164d02f312967a59ba3f5df0f06e8a357e005c72b9d1 (Credential Dumper / Memory Scraper)

Summary: VMKatz is an advanced credential harvesting framework that specifically attacks VMware ESXi hypervisors 22. Using a custom in-memory ELF loader, it successfully bypasses ESXi's VIB protection to load unsigned binaries, steal credentials from snapshot files, and enumerate VMFS datastores.

First_Seen: 2026-04-17 
 

SHA256: b240638b287c0f843c2cafd86c19625fb4cfd50ab992b59233465cc40426f75a (Discord-Based Remote Access Trojan (RAT) with Screen Recording)

Summary: This sophisticated RAT implements a full Discord Gateway WebSocket protocol for command and control operations. Utilizing a customized scripting language transpiler, it can hollow processes, securely store credentials via DPAPI, and execute high-quality screen recording leveraging the native Windows Media Foundation API.

First_Seen: 2026-04-06
 

SHA256: c13d3432776c36b62ccd9c89f5774e6b229ac318ae756554ecde25a21270e4ec (Self-Propagating Network Worm / Remote Code Execution Exploit)

Summary: This is a highly autonomous network worm built to compromise ComfyUI AI infrastructure vulnerabilities. It poisons supply chains by automatically installing vulnerable plugins, downloading secondary payloads, and perpetually scanning the network to maintain its botnet.

First_Seen: 2026-04-10
 

SHA256: c8cdf46fcbaebba29df13ca40a3ab8d37cdac54e333b3957facf4ef6c88cef34 (Linux ELF Process Injection Tool / Advanced Privilege Escalation Framework)

Summary: This advanced Linux framework abuses the newer seccomp user notification API to execute fileless process injection. By combining syscall interception, file descriptor injection, and memfd_create, it hijacks IFUNC resolvers to execute shellcode securely bypassing traditional process monitoring tools.

First_Seen: 2026-02-05
 

SHA256: d306e93b69c567579851c883ffc251df3644984f003d0a45d619b51da0a4358c (Credential Stealer / Social Engineering Tool)

Summary: The Walkie Talkie Stealer is a feature-rich Python toolkit posing as the social communication app "WalkieTalkie" . It steals session tokens, bypasses Chrome's App-Bound Encryption to steal local data, and abuses WebSocket and Firebase JWT tokens for real-time espionage and DM bombing.

First_Seen: 2026-04-17 

SHA256: d4cf0ea01fd70016f760020f05890a33934c600030d93574dea316ec68667457 (ELF Linux Malware - Potential Fileless Loader)

Summary: This stage 1 Linux ELF loader leverages memfd_create() or /dev/shm shared memory to establish a fileless execution chain. Built to evade disk-based forensic tools, it uses temporary, anonymous file descriptors and removes itself from the system post-execution.

First_Seen: 2026-04-13 
 

SHA256: ea9a4ce28bfb4fe07e1896a4084465d9f51115924ead729511358277e5773242 (Remote Access Trojan / Backdoor)

Summary: Operating under the guise of a 'Remote Support Script,' this RAT systematically breaks down security defenses and binary-patches termsrv.dll to bypass Windows Home RDP restrictions. It installs an OpenSSH server, opens persistent reverse SSH tunnels, and utilizes a Telegram bot for system data exfiltration.

First_Seen: 2026-04-06