[{"data":1,"prerenderedAt":159},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-03":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-03","Multiple Zero-Days Under Active Attack: Google, Citrix, and TrueConf Race to Patch Critical Flaws as CISA Issues Urgent Alerts","This week in cybersecurity is marked by a surge in actively exploited zero-day vulnerabilities, with Google patching a critical Chrome flaw (CVE-2026-5281), CISA mandating fixes for vulnerabilities in Citrix NetScaler (CVE-2026-3055) and TrueConf (CVE-2026-3502), and a new unpatched Windows LPE exploit 'BlueHammer' being leaked online. Major data breaches also hit the headlines, with the European Commission attributing a significant compromise to the TeamPCP hacking group and medical giant Stryker recovering from a destructive wiper attack by the Iran-linked Handala group. Extortion tactics continue as ShinyHunters threatens to leak alleged Cisco data.","2026-04-03",9,[10,33,55,70,86,102,118,131,144],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":27,"updatedAt":28,"readingTime":29,"isUpdate":30,"updateSummary":31,"updateContent":32},"1b86da6d-f5b8-439a-ae37-0faf100c5190","shinyhunters-claims-massive-data-breach-at-european-commission","European Commission Confirms Data Breach After ShinyHunters Claims 350GB Theft","ShinyHunters Hacking Group Claims Massive Data Breach at European Commission, Allegedly Stealing 350GB from Europa.eu Portal","high","The European Commission (EC) has confirmed a cyberattack targeting its Europa.eu web portal, following a claim by the notorious hacking group ShinyHunters. The group alleges it breached one of the Commission's Amazon Web Services (AWS) accounts and exfiltrated over 350GB of sensitive data, including mail servers, databases, and confidential documents. ShinyHunters has reportedly leaked a 90GB archive as proof. \nWhile the EC acknowledged the intrusion and data theft, it sought to downplay the impact, stating that internal systems were not affected and the breach was limited to public-facing websites. This incident marks the second data breach for the EC in 2026, raising serious questions about the security posture of EU institutions.",[18,19,20,21,22,23,24],"ShinyHunters","Data Breach","European Commission","AWS","Cloud Security","Cyberattack","Government",[19,26,23],"Threat Actor","2026-04-01T15:00:00.000Z","2026-04-03T12:00:00.000Z",5,true,"CERT-EU attributes EC data breach to TeamPCP, detailing a 92GB exfiltration via compromised Trivy scanner and stolen API key, impacting 29 EU entities.","CERT-EU has officially attributed the European Commission's data breach to the TeamPCP hacking group, clarifying previous claims by ShinyHunters. The incident, which occurred on March 19, 2026, involved the exfiltration of approximately 92GB of compressed data, including emails and documents, from the Commission's AWS environment. The attack vector was identified as a compromised version of the Trivy open-source vulnerability scanner, which facilitated the theft of a secret Amazon API key. \nThis supply chain compromise allowed TeamPCP to gain unauthorized access, potentially affecting 29 EU entities and 42 internal clients, contradicting earlier downplayed impact assessments.",{"id":34,"slug":35,"headline":36,"title":37,"severity":15,"excerpt":38,"tags":39,"categories":46,"createdAt":48,"updatedAt":49,"readingTime":50,"cves":51,"isUpdate":30,"updateSummary":53,"updateContent":54},"f594afaf-1aa6-4b3a-9679-7059a364a48a","chinese-apt-exploits-trueconf-zero-day-to-target-governments","Chinese Hackers Exploit TrueConf Zero-Day in 'Operation TrueChaos'","Chinese-Linked APT Exploits TrueConf Zero-Day (CVE-2026-3502) to Target Southeast Asian Governments","A suspected Chinese-nexus advanced persistent threat (APT) group is exploiting a zero-day vulnerability, CVE-2026-3502, in the TrueConf video conferencing application. The campaign, dubbed 'Operation TrueChaos' by Check Point, targets government entities in Southeast Asia. The attackers compromise on-premises TrueConf servers and hijack the software's update mechanism to deliver malicious updates to client machines. The final payload observed in these attacks is the Havoc open-source post-exploitation framework, giving the threat actors a persistent foothold inside the targeted government networks. TrueConf has patched the flaw in client version 8.5.3.",[40,41,42,43,44,45],"TrueConf","zero-day","China","APT","Havoc","espionage",[47,26,23],"Vulnerability","2026-04-02T15:00:00.000Z","2026-04-03T00:00:00.000Z",6,[52],"CVE-2026-3502","CISA added CVE-2026-3502 (TrueConf zero-day) to its KEV catalog, mandating federal agencies patch by April 16, 2026, due to active exploitation.","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-3502, the TrueConf zero-day exploited in 'Operation TrueChaos,' to its Known Exploited Vulnerabilities (KEV) catalog. This designation mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the patch by April 16, 2026. \nThe vulnerability, with a CVSS score of 7.8, is actively exploited by a Chinese-nexus threat actor targeting Southeast Asian governments. New IOCs include an FTP server IP (47.237.15[.]197) and a malicious DLL (`iscsiexe.dll`), with C2 infrastructure observed on Alibaba Cloud and Tencent.",{"id":56,"slug":57,"headline":58,"title":59,"severity":15,"excerpt":60,"tags":61,"categories":67,"createdAt":68,"updatedAt":68,"readingTime":29,"isUpdate":69},"ba595929-6465-4ef3-be8a-485a00d34296","shinyhunters-issues-final-warning-to-cisco-threatens-massive-data-leak","ShinyHunters Threatens to Leak Cisco Data, Claims Breach of Salesforce and AWS","ShinyHunters Issues Final Warning to Cisco, Threatens to Leak Millions of Records","The data extortion group ShinyHunters has issued a final ultimatum to networking giant Cisco, demanding contact by April 3, 2026, before it begins leaking a massive trove of allegedly stolen data. The group claims to have exfiltrated over three million Salesforce records, source code, and other internal files by compromising Cisco's Salesforce and AWS environments. \nThe threat actor referenced 'UNC6040', linking the breach to a previously disclosed vishing campaign that targeted Cisco employees, suggesting social engineering was a key component of the attack.",[62,63,64,65,21,66],"extortion","vishing","social engineering","Salesforce","cloud security",[19,26,22],"2026-04-03T15:00:00.000Z",false,{"id":71,"slug":72,"headline":73,"title":74,"severity":75,"excerpt":76,"tags":77,"categories":84,"createdAt":68,"updatedAt":68,"readingTime":29,"isUpdate":69},"7bb31a73-2c82-4c72-988a-c7e515d861ab","unpatched-windows-zero-day-exploit-bluehammer-leaked-online","Unpatched Windows Zero-Day 'BlueHammer' Exploit Leaked, Allows SYSTEM-Level Access","Unpatched Windows Zero-Day Exploit \"BlueHammer\" Leaked Online After Disclosure Dispute","critical","A security researcher has publicly released a proof-of-concept (PoC) exploit for an unpatched Windows zero-day vulnerability dubbed \"BlueHammer.\" The leak, which occurred after a dispute with the Microsoft Security Response Center (MSRC), exposes a local privilege escalation (LPE) flaw. \nThe exploit allows a local attacker with limited access to gain full SYSTEM-level permissions on a compromised machine, significantly increasing the risk for Windows users as the vulnerability remains unpatched.",[41,78,79,80,81,82,83],"LPE","privilege escalation","Windows","exploit","PoC","TOCTOU",[47,85,23],"Malware",{"id":87,"slug":88,"headline":89,"title":90,"severity":91,"excerpt":92,"tags":93,"categories":99,"createdAt":68,"updatedAt":68,"readingTime":101,"isUpdate":69},"739e0af1-8aa8-4413-88ce-14e29dcab1f1","ref1695-threat-actor-spreads-rats-and-cryptominers-via-fake-installers","REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers","REF1695 Threat Actor Uses Bogus Installers on GitHub to Distribute RATs and Cryptominers","medium","A long-running threat campaign, dubbed REF1695, has been active since November 2023, using counterfeit software installers to deliver a variety of malicious payloads. According to Elastic Security Labs, the operation uses ISO file lures to distribute malware including the PureMiner and PureRAT trojans, the CNB Bot implant, and various cryptominers like XMRig. \nThe threat actor leverages GitHub as a content delivery network (CDN) to host its payloads, a tactic designed to evade detection by using a trusted platform.",[94,95,96,97,98,64],"cryptomining","RAT","ISO file","GitHub","malware delivery",[85,26,100],"Phishing",4,{"id":103,"slug":104,"headline":105,"title":106,"severity":15,"excerpt":107,"tags":108,"categories":115,"createdAt":68,"updatedAt":68,"readingTime":29,"isUpdate":69},"c57ef076-5f8e-48d2-9c1a-c50f6605bf8c","docketwise-data-breach-impacts-over-116000-individuals","Immigration Law Platform DocketWise Discloses Breach Affecting Over 116,000 People","DocketWise Data Breach Exposes Sensitive Personal Information of 116,666 Individuals","DocketWise, a cloud-based case management platform for immigration lawyers, has reported a data breach that exposed the highly sensitive personal information of 116,666 individuals. The breach, discovered in October 2025, occurred when an unauthorized actor gained access to a third-party partner repository containing law firm records. The compromised data includes names, Social Security numbers, passport numbers, financial details, and medical information, posing a significant risk of identity theft and fraud.",[109,110,111,112,113,114],"PII","supply chain","third-party risk","legal tech","GDPR","identity theft",[19,116,117],"Supply Chain Attack","Policy and Compliance",{"id":119,"slug":120,"headline":121,"title":122,"severity":15,"excerpt":123,"tags":124,"categories":129,"createdAt":68,"updatedAt":68,"readingTime":101,"isUpdate":69},"725bf928-cc42-4f8e-9d0a-46fdc158ba78","nightspire-ransomware-group-claims-attack-on-french-organization-ocacia","NightSpire Ransomware Claims Attack on French Org, Threatens to Leak Audit Data","NightSpire Ransomware Group Targets French Organization OCACIA in Data Exfiltration Attack","The NightSpire ransomware group has claimed responsibility for a cyberattack against Association OCACIA, a French organization. \nOn April 3, 2026, the group announced the breach on its leak site, threatening to publish sensitive internal documents if its ransom demands are not met. The allegedly exfiltrated data includes audit reports, non-compliance records, and corrective action plans, which could be highly damaging if released.",[125,126,127,128],"ransomware","double extortion","data leak","RaaS",[130,26,19],"Ransomware",{"id":132,"slug":133,"headline":134,"title":135,"severity":136,"excerpt":137,"tags":138,"categories":143,"createdAt":68,"updatedAt":68,"readingTime":101,"isUpdate":69},"2bf07dea-fee6-4172-97af-5002342c0147","t-mobile-confirms-insider-data-breach-downplays-impact","T-Mobile Confirms Insider Data Breach, States Only One Customer Affected","T-Mobile Clarifies Data Breach Notification, Cites Limited Insider Threat Incident","low","T-Mobile USA has clarified that a recent data breach notification was the result of an isolated insider threat incident, not a large-scale attack. A vendor employee improperly accessed the account information of a single customer, exposing their name, address, account PIN, and Social Security Number. T-Mobile stated that no credentials were compromised in the incident and that it has reset the affected customer's PIN and notified law enforcement.",[139,109,140,141,142],"insider threat","vendor risk","telecommunications","SIM swapping",[19,117],{"id":145,"slug":146,"headline":147,"title":148,"severity":149,"excerpt":150,"tags":151,"categories":157,"createdAt":68,"updatedAt":68,"readingTime":101,"isUpdate":69},"b8ad1a12-2c19-4cff-9e5a-c8ae2b94ac21","linkedin-secretly-scans-user-browsers-for-thousands-of-extensions","LinkedIn Accused of Secretly Scanning for 6,000+ Browser Extensions","Report Alleges LinkedIn Scans User Browsers for Thousands of Extensions to Collect Competitive Data","informational","A new report from the user association Fairlinked e.V. \nalleges that LinkedIn is secretly scanning visitors' browsers for the presence of over 6,000 installed browser extensions. The practice, dubbed \"BrowserGate,\" reportedly involves injecting hidden JavaScript to fingerprint users. The report claims this data is linked to user profiles and used for competitive analysis against sales tool rivals. LinkedIn has refuted the claims, stating the scanning is a security measure to protect its platform and users from data scraping.",[152,153,154,155,156],"privacy","fingerprinting","data collection","browser security","social media",[117,158],"Other",1775683849393]