

JanaWare Ransomware: Six-Year Campaign Targeting Turkish Home Users and SMBs with Advanced Geo-Fencing and Evasion Techniques
Executive Summary: A sophisticated and persistent ransomware campaign has been targeting Turkish home users and small-to-medium businesses (SMBs) for at least six years, leveraging a strain identified as JanaWare. This campaign is distinguished by its exclusive focus on Turkish victims, achieved through rigorous geofencing and language checks, and by its use of advanced evasion techniques. The attackers employ low ransom demands, typically ranging from $200 to $400 USD, and u
2 days ago · 4 min read


Surge in Malware and Phishing Attacks via n8n Webhooks: Analysis of Cloud Workflow Automation Abuse (2025-2026)
Executive Summary: Since October 2025, cybercriminals have been actively exploiting the webhook functionality of the n8n workflow automation platform to deliver malware and conduct advanced phishing campaigns. By leveraging the trusted cloud infrastructure of n8n, attackers have been able to bypass traditional email security controls, automate malicious payload delivery, and perform device fingerprinting on victims. This abuse has resulted in a dramatic increase in phishing
2 days ago · 5 min read


Critical CVE-2024-3273 Authentication Bypass in Nginx UI Actively Exploited – Immediate Patch Required
Executive Summary: A critical authentication bypass vulnerability, tracked as CVE-2024-3273, has been discovered in the Nginx UI web management interface. This flaw is now being actively exploited in the wild, enabling unauthenticated remote attackers to gain administrative access to Nginx UI instances. The vulnerability arises from an unprotected endpoint that allows attackers to execute privileged actions without authentication, leading to full server compromise, configur
2 days ago · 4 min read


Over 100 Malicious Chrome Extensions in Chrome Web Store Steal Google and Telegram Data, Create Persistent Backdoors
Executive Summary: Between April 2026 and the time of this report, a coordinated campaign involving over 100 malicious Chrome extensions has been identified in the official Chrome Web Store. These extensions, published under five distinct developer identities, have collectively amassed approximately 20,000 installations. The extensions target a broad user base by masquerading as legitimate tools, including gaming applications, social media utilities, and translation services
2 days ago · 6 min read


Critical Supply Chain Attack on EssentialPlugin WordPress Suite Exposes Over 400,000 Websites to Malware
Executive Summary: A critical supply chain compromise has impacted the EssentialPlugin suite of WordPress plugins, resulting in the deployment of malware to thousands of websites. Following the acquisition of EssentialPlugin in August/September 2025, a malicious actor introduced a dormant backdoor into over 30 plugins, which remained inactive until April 2026. Upon activation, the backdoor enabled arbitrary file writes and malware injection, leading to the creation of spam p
2 days ago · 6 min read


Critical nginx-ui Vulnerability CVE-2026-33032: Actively Exploited Authentication Bypass Allowing Full Nginx Server Takeover
Executive Summary: CVE-2026-33032 is a critical, actively exploited authentication bypass vulnerability in the nginx-ui web interface for Nginx. This flaw enables unauthenticated remote attackers to gain full control over the underlying Nginx server, including the ability to modify configuration files, restart services, and intercept or disrupt traffic. Public proof-of-concept code is available, and thousands of vulnerable instances have been identified in the wild. The vu
2 days ago · 4 min read


AgingFly Malware: UAC-0247 Cyberattacks Target Ukrainian Government and Hospitals with Digitally Signed Malware
Executive Summary: A new and highly sophisticated malware strain, AgingFly, has been identified as the primary tool in a wave of cyberattacks targeting Ukrainian government agencies and hospitals. These attacks, attributed to the threat cluster UAC-0247, leverage advanced social engineering, multi-stage payload delivery, and custom malware to achieve persistent access, data exfiltration, and operational disruption. The campaign, active since at least March 2026, demonstrates
2 days ago · 5 min read


Dragon Boss Solutions Signed Software Abused to Disable Antivirus Protection in Global Malware Campaign
Executive Summary: A sophisticated and widespread cyber campaign has been identified in which digitally signed software, distributed by Dragon Boss Solutions LLC, is being abused to deploy scripts that systematically disable antivirus (AV) protections on thousands of endpoints worldwide. This campaign leverages the trust inherent in code-signing certificates and the capabilities of commercial installer frameworks to escalate privileges, evade detection, and persistently remov
2 days ago · 4 min read


April 2026 Patch Tuesday: Critical Vulnerabilities in SAP, Adobe, Microsoft SharePoint, Fortinet, and ColdFusion Threaten Enterprise Security
Executive Summary: April 2026’s Patch Tuesday has introduced a critical wave of security updates from leading vendors including SAP, Adobe, Microsoft, and Fortinet. This month’s coordinated patch release addresses multiple high-severity vulnerabilities, several of which are already being actively exploited in the wild. The vulnerabilities span a range of attack vectors, including SQL injection, remote code execution, authentication bypass, and sensitive data exposure. Orga
2 days ago · 6 min read


OpenAI GPT-5.4-Cyber: Advanced AI for Security Teams – Features, Risks, and Third-Party Risk Management
Executive Summary: Publication Date: April 14, 2026. OpenAI has unveiled GPT-5.4-Cyber, a specialized variant of its GPT-5.4 large language model, designed exclusively for vetted security professionals and organizations. This release, part of the Trusted Access for Cyber program, marks a significant evolution in the application of artificial intelligence to defensive cybersecurity. By lowering refusal boundaries and introducing advanced capabilities such as binary reverse e
3 days ago · 5 min read


Microsoft’s $10B Japan AI Initiative: Enhancing Azure Cloud Infrastructure, Cybersecurity, and Local Talent Development (2026–2029)
Executive Summary: Publication Date: April 2026. Microsoft has announced a $10 billion investment in Japan, spanning from 2026 to 2029, with the goal of accelerating the nation’s artificial intelligence (AI) infrastructure, strengthening cybersecurity, and developing local talent. This initiative, structured around the pillars of Technology, Trust, and Talent, is designed to support both public and private sector digital transformation. The following report provides a compre
3 days ago · 5 min read


Hims & Hers Zendesk Data Breach 2026: Okta SSO Compromise Exposes Sensitive Customer Support Information
Executive Summary: Between February 4 and February 7, 2026, Hims & Hers experienced a data breach that exposed sensitive customer support data, including full names, email addresses, phone numbers, physical mailing addresses, order-related information, and general correspondence contained within support tickets. The breach was discovered on February 5, 2026, and was executed via a social engineering attack that compromised an employee’s Okta Single Sign-On (SSO) credentials,
6 days ago · 5 min read


Rockwell Automation/Allen-Bradley PLCs: Nearly 4,000 US Industrial Devices Exposed to Iranian Cyberattacks in 2026
Executive Summary: Nearly 4,000 industrial control devices in the United States, primarily Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs), have been exposed to and targeted by Iranian state-backed cyberattacks since March 2026. These attacks have resulted in operational disruptions, forced manual operation at affected sites, and financial losses. The threat actors, attributed to Iranian advanced persistent threat (APT) groups affiliated with the Islam
6 days ago · 5 min read


Critical Orthanc DICOM Server Vulnerabilities Expose Healthcare Systems to Crashes and Remote Code Execution (RCE)
Executive Summary: Critical vulnerabilities have been identified in Orthanc, the widely adopted open-source DICOM server used for medical imaging workflows across healthcare and research environments. These vulnerabilities, present in all versions up to and including 1.12.10, enable attackers to crash servers, exhaust system memory, leak sensitive information, and in certain scenarios, achieve remote code execution (RCE). The root causes include unsafe arithmetic operations,
6 days ago · 4 min read


CPUID Website Compromised: Malware Delivered via CPU-Z and HWMonitor Download Links in April 2026
Executive Summary: Between April 9 and April 10, 2026, the official website of CPUID, the vendor behind the widely used CPU-Z and HWMonitor utilities, was compromised for approximately six hours. Attackers gained access to a secondary backend API, altering download links on the site to serve a trojanized installer instead of legitimate binaries. The malicious file, masquerading as a legitimate hardware monitoring tool, was designed to steal browser credentials and potential
6 days ago · 6 min read


Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of Disclosure
Executive Summary: A critical remote code execution (RCE) vulnerability, CVE-2026-39987, has been identified in Marimo, an open-source reactive Python notebook platform. This flaw, which carries a CVSS score of 9.3, enables unauthenticated attackers to gain full shell access to affected systems via a misconfigured WebSocket endpoint. Notably, exploitation in the wild was observed less than 10 hours after public disclosure, underscoring the urgency and severity of the threat.
6 days ago · 4 min read


Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution Flaws (CVE-2026-5858, CVE-2026-5859)
Executive Summary: Google Chrome version 147.0.7727.55/56 for Windows and macOS, and 147.0.7727.55 for Linux, was released in April 2026, addressing a total of 60 security vulnerabilities. Among these, two critical flaws in the WebML (Web Machine Learning) component were identified and patched, with a combined bug bounty payout of $86,000. These vulnerabilities, CVE-2026-5858 and CVE-2026-5859, could allow remote code execution if exploited. As of this report, there is no
6 days ago · 5 min read


Critical CVE-2026-2329 Vulnerability in Grandstream GXP1600 VoIP Phones Enables Remote Code Execution and Call Interception
Executive Summary: A critical vulnerability, CVE-2026-2329, has been identified in the Grandstream GXP1600 series of VoIP phones, exposing organizations to severe risks including remote code execution, credential theft, and real-time call interception. This stack-based buffer overflow flaw, rated CVSS 9.3, allows unauthenticated attackers to gain root-level access to affected devices over the network. The vulnerability is trivial to exploit, with public Metasploit modules an
Feb 22 · 4 min read


AI-Powered Cyberattack Compromises 600+ FortiGate Devices Across 55 Countries: Detailed Threat Analysis and Mitigation Strategies
Executive Summary: A sophisticated, AI-assisted threat campaign has compromised over 600 FortiGate devices in 55 countries, marking a significant escalation in the use of artificial intelligence by cybercriminals. The campaign, first identified by Amazon Threat Intelligence, did not exploit any inherent vulnerabilities in FortiGate software. Instead, the attackers leveraged exposed management interfaces and weak, single-factor credentials, automating reconnaissance and expl
Feb 22 · 4 min read


Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Unauthorized Installation on Developer and CI/CD Systems
Executive Summary: On February 17, 2026, a supply chain attack targeted the Cline CLI open-source package, resulting in the unauthorized installation of OpenClaw, an autonomous AI agent, on developer and CI/CD systems. The attack was executed by publishing a malicious version (cline@2.3.0) to the npm registry using a compromised publish token. This version included a post-install script that silently installed OpenClaw globally on affected machines. The incident window las
Feb 22 · 6 min read