End-of-Day report
Timeframe: Monday 20-04-2026 18:00 - Tuesday 21-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Serial-to-IP Devices Hide Thousands of Old and New Bugs
The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.
https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-bugs
BSI warns: phishing attacks via Signal are increasing
Attackers regularly hijack Signal accounts by phishing. The BSI has now published a guide with recommended actions for affected users.
https://www.golem.de/news/bsi-warnt-phishing-attacken-ueber-signal-nehmen-zu-2604-207797.html
A .WAV With A Payload, (Tue, Apr 21st)
There have been reports of threat actors using a .wav file as a vector for malware. It is a proper .wav file, but they did not use steganography. The .wav file will play, but you will just hear noise.
https://isc.sans.edu/diary/rss/32910
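A triage check for this class of sample, added here as an example and not taken from the ISC diary: a RIFF chunk walker that reports the entropy of the PCM data chunk and any bytes trailing the declared RIFF size. The diary does not describe how the payload was encoded, so the heuristics (near-random audio data, or a trailer glued behind a valid file) are generic assumptions; the WAV files below are constructed in the script, and the 7.5 bits/byte threshold is an arbitrary choice.

```python
import math
import random
import struct


def build_wav(pcm: bytes, sample_rate: int = 8000, trailer: bytes = b"") -> bytes:
    """Build a minimal 8-bit mono PCM WAV around `pcm`. `trailer` is appended
    after the RIFF body to mimic a payload glued behind a valid file.
    Constructed test input, not a sample from the report."""
    fmt_chunk = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate, 1, 8)
    body = b"WAVE"
    body += b"fmt " + struct.pack("<I", len(fmt_chunk)) + fmt_chunk
    body += b"data" + struct.pack("<I", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; tones and speech sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_wav(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Walk the top-level RIFF chunks and report structural oddities plus the
    entropy of the PCM payload. 'suspicious' is True when the audio data looks
    like random bytes or when bytes trail the declared RIFF size (assumed heuristics)."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    riff_end = min(len(blob), 8 + riff_size)
    chunks = []
    data_payload = b""
    pos = 12
    while pos + 8 <= riff_end:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        payload = blob[pos + 8:pos + 8 + size]
        chunks.append((cid.decode("ascii", "replace"), size))
        if cid == b"data":
            data_payload = payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    ent = shannon_entropy(data_payload)
    trailing = len(blob) - (8 + riff_size) if len(blob) > 8 + riff_size else 0
    unknown = [c for c, _ in chunks if c not in ("fmt ", "data", "LIST", "fact")]
    return {
        "chunks": chunks,
        "data_entropy": round(ent, 2),
        "trailing_bytes": trailing,
        "unknown_chunks": unknown,
        "suspicious": ent >= entropy_threshold or trailing > 0,
    }


# --- constructed samples ---------------------------------------------------
# A quiet 440 Hz tone: real audio has structure, so entropy stays low.
TONE = bytes(int(128 + 20 * math.sin(2 * math.pi * 440 * i / 8000)) for i in range(4096))
BENIGN_WAV = build_wav(TONE)

# "Noise": seeded random bytes stand in for a packed or encrypted payload. The
# file keeps a valid header and will play, but sounds like static.
NOISE = random.Random(1).randbytes(4096)
PAYLOAD_WAV = build_wav(NOISE)

# Valid audio with extra bytes glued after the RIFF body (hypothetical trailer).
TRAILER_WAV = build_wav(TONE, trailer=b"\x4d\x5a" + bytes(64))

if __name__ == "__main__":
    for name, wav in [("benign", BENIGN_WAV), ("payload", PAYLOAD_WAV), ("trailer", TRAILER_WAV)]:
        print(name, triage_wav(wav))
```

Run it against a real sample with triage_wav(open(path, "rb").read()); a high data entropy on a file that plays as pure static is the signal the diary describes, while a low entropy with a non-zero trailer points at the appended-payload variant instead.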
Real Apple notifications are being used to drive tech support scams
Scammers have found a way to abuse legitimate Apple notification emails to trick people into calling fake tech support numbers.
https://www.malwarebytes.com/blog/news/2026/04/real-apple-notifications-are-being-used-to-drive-tech-support-scams
Fake job placement agencies foist malware on victims
They are attractively designed and promise interesting jobs on top conditions. Unfortunately, nothing about these placement agencies is real. Through the fake websites and the associated recruitment e-mails, criminals not only want to obtain personal information; they also sneak malware onto their victims' devices.
https://www.watchlist-internet.at/news/fake-jobvermittlungsagenturen/
Bad Apples: Weaponizing native macOS primitives for movement and execution
Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.
https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/
Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Our research on Void Dokkaebi's operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
Deep Malware Analysis of a Multi-Stage Cobalt Strike Loader
In this blog post, we provide a detailed technical reconstruction of a multi-stage malware chain that ultimately delivers a Cobalt Strike Beacon.
https://www.joesecurity.org/blog/621128515416801396
Command Execution via Drag-and-Drop in Terminal Emulators
Many people may not be aware that terminal emulators such as Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.
https://sdushantha.github.io/post/drop-it-like-its-hot
Inside An AWS Cloud Threat Detection SOC Lab: Simulating and Detecting Real Cloud Attacks
Cloud computing has over time become the backbone of how modern systems are built and run. As I started diving deeper into cloud security, I began to see just how much organizations and various industries depend on it, not just for convenience, but for scalability, speed, and the ability to support technologies like artificial intelligence and big data.
https://detect.fyi/inside-an-aws-cloud-threat-detection-soc-lab-simulating-and-detecting-real-cloud-attacks-a11e0ea98430
Context.ai OAuth Token Compromise
Compromised Context.ai OAuth tokens enabled attackers to perform a supply chain attack via trusted SaaS integrations. Learn how to assess the risk in your environment and how to prevent the next attack.
https://www.wiz.io/blog/contextai-oauth-token-compromise
Vulnerabilities
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
Apache ActiveMQ RCE
CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests. Recent reporting indicates that this vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.
https://fortiguard.fortinet.com/threat-signal-report/6428
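A detection pass over web-console access logs, added here as an example and not part of the FortiGuard report: it flags Jolokia management requests against an ActiveMQ Classic broker, scoring GET "exec" calls and POST requests (whose Jolokia operation sits in the body and is not visible in an access log) highest, and any Jolokia traffic from outside an admin network as worth review. It assumes the default ActiveMQ Jolokia path /api/jolokia and a hypothetical admin network 10.0.0.0/8; the MBean and operation abused in CVE-2026-34197 are not described on this page, so the constructed log lines use a generic broker operation.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: ActiveMQ Classic serves Jolokia under the web console at /api/jolokia
# (default port 8161). ADMIN_NETS is a hypothetical list of sources allowed to manage
# the broker; adjust to the environment.
ADMIN_NETS = [ip_network("10.0.0.0/8")]
JOLOKIA_PREFIX = "/api/jolokia"

# Common/combined log format: src ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(line: str):
    """Return a finding dict for a Jolokia request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    src = ip_address(m["src"])
    trusted = any(src in net for net in ADMIN_NETS)
    # Jolokia GET requests encode the operation type as the first path segment:
    # /api/jolokia/<read|exec|write|list|search|version>/<mbean>/...
    rest = path[len(JOLOKIA_PREFIX):].lstrip("/")
    segments = rest.split("/")
    op = segments[0] if rest else "version"
    if m["method"] == "GET" and op == "exec":
        sev = "high"
        reason = "GET exec on MBean " + (segments[1] if len(segments) > 1 else "?")
    elif m["method"] == "POST":
        # The operation type is in the JSON body; an access log cannot show it.
        sev = "high" if not trusted else "medium"
        reason = "POST to Jolokia (operation in body; needs body logging or proxy inspection)"
    elif not trusted:
        sev = "medium"
        reason = f"Jolokia {op} request from untrusted source"
    else:
        sev = "low"
        reason = "Jolokia read by trusted admin"
    return {
        "ts": m["ts"],
        "src": str(src),
        "method": m["method"],
        "op": op,
        "status": int(m["status"]),
        "severity": sev,
        "reason": reason,
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only Jolokia findings."""
    return [h for h in (classify(line) for line in log_text.splitlines()) if h]


# Constructed log lines; the MBean operation shown is a generic broker operation,
# not the one tied to CVE-2026-34197.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Apr/2026:09:12:01 +0200] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConsumerCount HTTP/1.1" 200 143
203.0.113.7 - - [21/Apr/2026:09:13:44 +0200] "GET /api/jolokia/version HTTP/1.1" 200 210
203.0.113.7 - - [21/Apr/2026:09:13:45 +0200] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/stop HTTP/1.1" 200 97
203.0.113.7 - - [21/Apr/2026:09:13:46 +0200] "POST /api/jolokia/ HTTP/1.1" 200 512
10.0.0.5 - admin [21/Apr/2026:09:20:10 +0200] "GET /admin/queues.jsp HTTP/1.1" 200 8812
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["src"], hit["method"], hit["op"], "-", hit["reason"])
```

The "version" probe followed seconds later by an "exec" from the same untrusted address is the sequence to alert on; POST traffic is the blind spot, so put the console behind a reverse proxy that logs request bodies, or restrict /api/jolokia to admin sources at the proxy, until the broker is patched.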
Code-execution vulnerability with top severity rating threatens Firebird
The open-source database management system Firebird can be attacked via several paths. Malicious code can end up on affected systems.
https://www.heise.de/news/Schadcode-Luecke-mit-Hoechstwertung-bedroht-Firebird-11265291.html
Supply Chain Compromise Impacts Axios Node Package Manager
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios package on the Node package manager (npm) registry. Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.
https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
LWN Security updates for Tuesday
https://lwn.net/Articles/1068830/