Multiple Zero-Days Under Active Attack: Google, Citrix, and TrueConf Race to Patch Critical Flaws as CISA Issues Urgent Alerts

ShinyHunters Issues Final Warning to Cisco, Threatens to Leak Millions of Records

The data extortion group ShinyHunters has issued a final ultimatum to networking giant Cisco, demanding contact by April 3, 2026, before it begins leaking a massive trove of allegedly stolen data. The group claims to have exfiltrated over three million Salesforce records, source code, and other internal files by compromising Cisco's Salesforce and AWS environments. The threat actor referenced 'UNC6040', linking the breach to a previously disclosed vishing campaign that targeted Cisco employees, suggesting social engineering was a key component of the attack.

extortionvishingsocial engineeringSalesforceAWS +1 more

ShinyHunters Threatens to Leak Cisco Data, Claims Breach of Salesforce and AWS

Cloud Security

Unpatched Windows Zero-Day 'BlueHammer' Exploit Leaked, Allows SYSTEM-Level Access

CRITICAL

Unpatched Windows Zero-Day Exploit "BlueHammer" Leaked Online After Disclosure Dispute

A security researcher has publicly released a proof-of-concept (PoC) exploit for an unpatched Windows zero-day vulnerability dubbed "BlueHammer." The leak, which occurred after a dispute with the Microsoft Security Response Center (MSRC), exposes a local privilege escalation (LPE) flaw. The exploit allows a local attacker with limited access to gain full SYSTEM-level permissions on a compromised machine, significantly increasing the risk for Windows users as the vulnerability remains unpatched.

zero-dayLPEprivilege escalationWindowsexploit +2 more

Unpatched Windows Zero-Day 'BlueHammer' Exploit Leaked, Allows SYSTEM-Level Access

Vulnerability

Malware

Cyberattack

REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers

MEDIUM

REF1695 Threat Actor Uses Bogus Installers on GitHub to Distribute RATs and Cryptominers

A long-running threat campaign, dubbed REF1695, has been active since November 2023, using counterfeit software installers to deliver a variety of malicious payloads. According to Elastic Security Labs, the operation uses ISO file lures to distribute malware including the PureMiner and PureRAT trojans, the CNB Bot implant, and various cryptominers like XMRig. The threat actor leverages GitHub as a content delivery network (CDN) to host its payloads, a tactic designed to evade detection by using a trusted platform.

cryptominingRATISO fileGitHubmalware delivery +1 more

REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers

Malware

Phishing

Immigration Law Platform DocketWise Discloses Breach Affecting Over 116,000 People

DocketWise Data Breach Exposes Sensitive Personal Information of 116,666 Individuals

DocketWise, a cloud-based case management platform for immigration lawyers, has reported a data breach that exposed the highly sensitive personal information of 116,666 individuals. The breach, discovered in October 2025, occurred when an unauthorized actor gained access to a third-party partner repository containing law firm records. The compromised data includes names, Social Security numbers, passport numbers, financial details, and medical information, posing a significant risk of identity theft and fraud.

PIIsupply chainthird-party risklegal techGDPR +1 more

Immigration Law Platform DocketWise Discloses Breach Affecting Over 116,000 People

Supply Chain Attack

Policy and Compliance

NightSpire Ransomware Claims Attack on French Org, Threatens to Leak Audit Data

NightSpire Ransomware Group Targets French Organization OCACIA in Data Exfiltration Attack

The NightSpire ransomware group has claimed responsibility for a cyberattack against Association OCACIA, a French organization. On April 3, 2026, the group announced the breach on its leak site, threatening to publish sensitive internal documents if its ransom demands are not met. The allegedly exfiltrated data includes audit reports, non-compliance records, and corrective action plans, which could be highly damaging if released.

ransomwaredouble extortiondata leakRaaS

Ransomware

T-Mobile Confirms Insider Data Breach, States Only One Customer Affected

LOW

T-Mobile Clarifies Data Breach Notification, Cites Limited Insider Threat Incident

T-Mobile USA has clarified that a recent data breach notification was the result of an isolated insider threat incident, not a large-scale attack. A vendor employee improperly accessed the account information of a single customer, exposing their name, address, account PIN, and Social Security Number. T-Mobile stated that no credentials were compromised in the incident and that it has reset the affected customer's PIN and notified law enforcement.

insider threatPIIvendor risktelecommunicationsSIM swapping

Policy and Compliance

LinkedIn Accused of Secretly Scanning for 6,000+ Browser Extensions

INFORMATIONAL

Report Alleges LinkedIn Scans User Browsers for Thousands of Extensions to Collect Competitive Data

A new report from the user association Fairlinked e.V. alleges that LinkedIn is secretly scanning visitors' browsers for the presence of over 6,000 installed browser extensions. The practice, dubbed "BrowserGate," reportedly involves injecting hidden JavaScript to fingerprint users. The report claims this data is linked to user profiles and used for competitive analysis against sales tool rivals. LinkedIn has refuted the claims, stating the scanning is a security measure to protect its platform and users from data scraping.

privacyfingerprintingdata collectionbrowser securitysocial media

LinkedIn Accused of Secretly Scanning for 6,000+ Browser Extensions

Policy and Compliance

Other

Updated Articles (2)

European Commission Confirms Data Breach After ShinyHunters Claims 350GB Theft

ShinyHunters Hacking Group Claims Massive Data Breach at European Commission, Allegedly Stealing 350GB from Europa.eu Portal

Update:

CERT-EU has officially attributed the European Commission's data breach to the TeamPCP hacking group, clarifying previous claims by ShinyHunters. The incident, which occurred on March 19, 2026, involved the exfiltration of approximately 92GB of compressed data, including emails and documents, from the Commission's AWS environment. The attack vector was identified as a compromised version of the Trivy open-source vulnerability scanner, which facilitated the theft of a secret Amazon API key. This supply chain compromise allowed TeamPCP to gain unauthorized access, potentially affecting 29 EU entities and 42 internal clients, contradicting earlier downplayed impact assessments.

April 1, 2026

Updated: April 3, 2026

ShinyHuntersData BreachEuropean CommissionAWSCloud Security +2 more

Cyberattack

Chinese Hackers Exploit TrueConf Zero-Day in 'Operation TrueChaos'

TrueConfzero-dayChinaAPTHavoc +1 more

Chinese-Linked APT Exploits TrueConf Zero-Day (CVE-2026-3502) to Target Southeast Asian Governments

Update:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-3502, the TrueConf zero-day exploited in 'Operation TrueChaos,' to its Known Exploited Vulnerabilities (KEV) catalog. This designation mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the patch by April 16, 2026. The vulnerability, with a CVSS score of 7.8, is actively exploited by a Chinese-nexus threat actor targeting Southeast Asian governments. New IOCs include an FTP server IP (47.237.15[.]197) and a malicious DLL (`iscsiexe.dll`), with C2 infrastructure observed on Alibaba Cloud and Tencent.

April 2, 2026

Updated: April 3, 2026

6 min read

Chinese Hackers Exploit TrueConf Zero-Day in 'Operation TrueChaos'

Vulnerability