End-of-Day report
Timeframe: Wednesday 22-04-2026 18:00 - Thursday 23-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
New Mirai campaign exploits RCE flaw in EoL D-Link routers
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
New GopherWhisper APT group abuses Outlook, Slack, Discord for comms
A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.
https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-abuses-outlook-slack-discord-for-comms/
Electricity Is a Growing Area of Cyber Risk
IT has long been concerned about ensuring systems receive the right amount of electricity. Cyberattackers are realizing they can manipulate voltage fluctuations for their purposes, too.
https://www.darkreading.com/cyber-risk/are-power-regulators-becoming-a-new-frontier-for-cyberattacks-
Hackers steal data of Intersport customers
The cybercriminals have obtained customer data of users who used the Intersport online shop.
https://futurezone.at/digital-life/intersport-hacker-angriff-kriminelle-daten-gestohlen-kunden-online-shop/403153415
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems.
https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.html
Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages
Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device. The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction.
https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites, and stole as much as $12 million in three months.
https://www.wired.com/story/ai-tools-are-helping-mediocre-north-korean-hackers-steal-millions/
Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener
On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access.
https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener
Security authorities warn of Chinese co-users of infrastructure
Intelligence services and cybersecurity agencies warn of attackers from the People's Republic who use the infrastructure of unsuspecting parties for their operations.
https://www.heise.de/news/Sicherheitsbehoerden-warnen-vor-chinesischen-Mitnutzern-11270370.html
Fake vehicle report: this trap awaits when selling a car online!
Anyone who wants to sell a vehicle online often receives strange inquiries. If prospective buyers insist on an additional inspection report being created and immediately supply the matching website for it, the utmost caution is called for! With such fake portals, criminals take money out of their victims' pockets and swindle credit card details.
https://www.watchlist-internet.at/news/fake-fahrzeugbericht/
Hackers deployed wiper malware in destructive attacks on Venezuela's energy sector
Hackers deployed a previously unknown wiper malware against Venezuela's energy and utilities sector in an attack that appears to have been designed to destroy systems.
https://therecord.media/hackers-venezuela-wiper-malware-oil
Defending against China-nexus covert networks of compromised devices
Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it
https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim's environment to achieve deep network penetration.
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/
Signal phishing warning: trigger was likely an attack on Julia Klöckner
Julia Klöckner has apparently fallen victim to the Signal phishing attacks about which the BfV and BSI issued renewed warnings on Wednesday.
https://heise.de/-11268708
Tails 7.7: warning about expired Secure Boot certificates
Tails, the Linux distribution for anonymous browsing, has been released in version 7.7. It warns about old Secure Boot certificates.
https://heise.de/-11269936
University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet
Over 200,000 files containing sensitive personal information from the University of Warsaw have been leaked online. The University of Warsaw cyberattack, which targeted the institution's digital systems, resulted in the publication of the stolen data on the darknet in mid-April 2026.
https://thecyberexpress.com/university-of-warsaw-cyberattack/
Vulnerabilities
Security update: various attacks on IBM App Connect Enterprise possible
IBM's integration platform App Connect Enterprise is vulnerable. Attackers can target several vulnerabilities.
https://www.heise.de/news/Sicherheitsupdate-Diverse-Attacken-auf-IBM-App-Connect-Enterprise-moeglich-11269193.html
n8n: updates fix critical security vulnerabilities in automation platform
The update was announced by e-mail to all admins, who should now apply it promptly. Code injection is possible.
https://heise.de/-11268464
VMware Tanzu Spring Security: attackers can log in malicious clients
Due to security problems in the context of VMware Tanzu Spring Security, authentication, among other things, can be bypassed.
https://heise.de/-11268714
Critical vulnerability in Ruby's standard library ERB: attackers can execute code
The Ruby vulnerability is not easy to exploit, but it allows an attacker to read sensitive data, run code and install backdoors.
https://heise.de/-11268704
Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions
Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release.
https://socket.dev/blog/checkmarx-supply-chain-compromise
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
https://socket.dev/blog/bitwarden-cli-compromised
NTFS driver for Linux: NTFS-3G closes privilege escalation vulnerability
https://www.heise.de/news/NTFS-Treiber-fuer-Linux-NTFS-3G-schliesst-Rechteausweitungsluecke-11268864.html
LWN Security updates for Thursday
https://lwn.net/Articles/1069356/
DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service)
https://sec-consult.com/de/vulnerability-lab/advisory/dll-hijacking-in-efficientlab-controlio-cloud-based-employee-monitoring-service/