[{"data":1,"prerenderedAt":153},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-17":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-17","Windows Defender Zero-Days Actively Exploited, Global DDoS Takedown, and Major Data Breaches at McGraw Hill & Amtrak","This cybersecurity brief for April 17, 2026, covers several critical developments. Threat actors are actively exploiting two unpatched zero-day vulnerabilities in Microsoft Defender for privilege escalation. A massive international law enforcement operation, 'PowerOFF,' dismantled a major DDoS-for-hire ecosystem, seizing 53 domains. In data breach news, the ShinyHunters group has leaked data for 13.5 million McGraw Hill accounts and over 2 million Amtrak customers, both breaches linked to Salesforce misconfigurations. Concurrently, NIST has announced a significant overhaul of its NVD program, scaling back analysis due to an overwhelming CVE backlog, which will reshape vulnerability management practices globally.","2026-04-17",9,[10,35,54,67,82,97,114,126,140],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":29,"updatedAt":30,"readingTime":31,"isUpdate":32,"updateSummary":33,"updateContent":34},"c7c9551d-25b7-4a30-bead-c6f1bc5204fb","unpatched-bluehammer-windows-zero-day-exploit-leaked","Researcher Leaks 'BlueHammer' Windows Zero-Day Exploit on GitHub After Dispute with Microsoft","Unpatched 'BlueHammer' Windows Zero-Day Exploit for Privilege Escalation Leaked Publicly, Affecting All Modern Windows Versions","critical","A security researcher has publicly released a functional proof-of-concept exploit on GitHub for an unpatched Windows zero-day vulnerability dubbed 'BlueHammer.' The exploit, released following a dispute with the Microsoft Security Response Center (MSRC), allows a local attacker with low privileges to escalate to full SYSTEM-level privileges on fully patched Windows 10, Windows 11, and Windows Server systems. The vulnerability is a logic bug, not a memory corruption flaw, making it difficult to patch and leaving billions of users exposed until Microsoft releases an official fix.",[18,19,20,21,22,23,24],"Zero-Day","Windows","BlueHammer","LPE","Privilege Escalation","Microsoft","Exploit",[26,27,28],"Vulnerability","Cyberattack","Threat Intelligence","2026-04-09T15:00:00.000Z","2026-04-17T00:00:00.000Z",5,true,"BlueHammer patched as CVE-2026-33825. Two new zero-days, 'RedSun' (LPE) and 'UnDefend' (Defender bypass), are now actively exploited.","The original 'BlueHammer' zero-day has been patched by Microsoft as CVE-2026-33825. However, the same researcher has disclosed two new unpatched zero-days: 'RedSun', a local privilege escalation (LPE) to SYSTEM, and 'UnDefend', which disables Microsoft Defender updates. All three exploits, including the patched 'BlueHammer', are now confirmed to be actively exploited in the wild by hands-on-keyboard attackers, as reported by Huntress Labs. This significantly escalates the threat, as attackers can gain full system control and evade detection even on patched systems.",{"id":36,"slug":37,"headline":38,"title":39,"severity":40,"excerpt":41,"tags":42,"categories":49,"createdAt":50,"updatedAt":30,"readingTime":51,"isUpdate":32,"updateSummary":52,"updateContent":53},"af8f885b-5f2b-488c-900f-2c919b1d15fd","shinyhunters-hacking-group-claims-amtrak-breach-threatens-leak","ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records","ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records","high","The notorious hacking group ShinyHunters has claimed responsibility for a major data breach at Amtrak, the U.S. national railroad operator. The group posted the claim on its dark web forum, alleging the theft of 9.4 million records containing both customer PII and internal corporate data. ShinyHunters asserts the breach was achieved by compromising Amtrak's Salesforce systems, consistent with the group's recent tactics of targeting third-party service employees.",[43,44,45,46,47,48],"ShinyHunters","Data Breach","Amtrak","Salesforce","Supply Chain Attack","Threat Actor",[44,48,47],"2026-04-16T15:00:00.000Z",4,"ShinyHunters has publicly leaked over 2.1 million Amtrak customer records, including emails, names, and addresses, confirming the previously threatened breach.","ShinyHunters has publicly leaked over 2.1 million Amtrak customer records on April 17, 2026, confirming the previously threatened breach. The leaked dataset includes unique email addresses, names, and physical addresses, and has been ingested by services like Have I Been Pwned. This development escalates the incident from a claimed threat to a verified data exposure, significantly increasing the impact on affected individuals. The breach continues to be attributed to a compromised Salesforce environment, consistent with the group's recent tactics.",{"id":55,"slug":56,"headline":57,"title":58,"severity":40,"excerpt":59,"tags":60,"categories":64,"createdAt":65,"updatedAt":65,"readingTime":51,"isUpdate":66},"3e5af213-9a34-45fb-81df-2c6306137051","mcgraw-hill-data-breach-exposes-13-5-million-accounts","McGraw Hill Data Breach Exposes 13.5 Million Accounts After Salesforce Misconfiguration","McGraw Hill Confirms Breach of 13.5 Million Accounts; ShinyHunters Claims Attack via Salesforce Misconfiguration","Educational publishing giant McGraw Hill has confirmed a significant data breach exposing the personal information of 13.5 million unique email accounts. The incident was caused by a misconfigured webpage hosted on the Salesforce platform. The cybercrime group 'ShinyHunters' claimed responsibility, initially threatening to leak 45 million records before publicly distributing a 100GB dataset containing names, physical addresses, and phone numbers. The breach highlights the critical risk of supply chain and third-party platform security, as McGraw Hill's core internal systems were not compromised.",[44,46,61,43,62,63],"Misconfiguration","Education","Cloud Security",[44,63,48],"2026-04-17T15:00:00.000Z",false,{"id":68,"slug":69,"headline":70,"title":71,"severity":40,"excerpt":72,"tags":73,"categories":81,"createdAt":65,"updatedAt":65,"readingTime":31,"isUpdate":66},"c3e7743a-04df-4964-b92b-619548946b1c","nblock-ransomware-focuses-on-aes-256-encryption-and-anonymity","New 'NBLOCK' Ransomware Emerges, Using AES-256 Encryption and Tor for Anonymous Extortion","Researchers Analyze New 'NBLOCK' Ransomware Strain Focusing on Encryption and Anonymity","Security researchers at CYFIRMA have identified a new ransomware family named 'NBLOCK.' The malware encrypts victim files using AES-256, appends a '.NBLock' extension, and drops a ransom note named 'README_NBLOCK.txt'. Unlike some modern ransomware that focuses on data exfiltration, NBLOCK appears to be a more traditional file-encrypting strain, coercing victims to pay for a decryption key. All communication with the threat actors is handled through an anonymous Tor-based negotiation portal. Its distribution vectors are believed to be standard methods like phishing and malicious downloads.",[74,75,76,77,78,79,80],"Ransomware","NBLOCK","AES-256","Tor","Data Encryption","CYFIRMA","Malware",[74,80],{"id":83,"slug":84,"headline":85,"title":86,"severity":40,"excerpt":87,"tags":88,"categories":95,"createdAt":65,"updatedAt":65,"readingTime":31,"isUpdate":66},"628567fa-ab26-46ad-83ce-ff31bc8d6128","stealthy-powmix-botnet-targets-czech-republic-workforce","Stealthy 'PowMix' Botnet Targets Czech Workforce with Evasive C2 Communications","New 'PowMix' Botnet Campaign Discovered Targeting Workers in Czech Republic","Researchers at Cisco Talos have uncovered a new botnet named 'PowMix,' which has been targeting the workforce in the Czech Republic since at least December 2025. The malware is delivered via phishing emails containing malicious LNK files and uses PowerShell for in-memory execution. PowMix is designed for stealth, employing randomized command-and-control (C2) beaconing intervals and embedding encrypted data into URL paths to mimic legitimate API traffic and evade network signature-based detection. The campaign targets professionals in HR, legal, and recruitment with compliance-themed lures.",[89,90,91,92,93,94,80],"Botnet","PowMix","PowerShell","C2","Cisco Talos","Czech Republic",[80,48,96],"Phishing",{"id":98,"slug":99,"headline":100,"title":101,"severity":102,"excerpt":103,"tags":104,"categories":111,"createdAt":65,"updatedAt":65,"readingTime":51,"isUpdate":66},"e8f39ebe-e023-428f-98ca-896e135068cd","mozambique-approves-new-national-cybersecurity-and-cybercrime-laws","Mozambique Passes Sweeping Cybersecurity and Cybercrime Laws to Combat Rising Digital Threats","Mozambique Parliament Approves New National Cybersecurity and Cybercrime Legislation","informational","Mozambique's Parliament, the Assembly of the Republic, has approved two landmark laws to establish a national cybersecurity framework and combat cybercrime. The legislation comes in response to a sharp increase in cyberattacks, with over 173,000 incidents recorded in 2024. The new framework will create a national regulatory authority, mandate specific security measures for both public and private sector entities, and introduce fines for non-compliance. The move is a significant step in securing the nation's digital infrastructure and aligning with international standards.",[105,106,107,108,109,110],"Mozambique","Cybersecurity Law","Regulation","Cybercrime","Government","Policy",[112,113],"Regulatory","Policy and Compliance",{"id":115,"slug":116,"headline":117,"title":118,"severity":40,"excerpt":119,"tags":120,"categories":125,"createdAt":65,"updatedAt":65,"readingTime":31,"isUpdate":66},"fae486cb-e839-4e36-8ded-b7a32e727279","phishing-campaign-abuses-simplehelp-rmm-tool-via-fake-dhl-emails","Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails","Fake DHL Phishing Emails Drop SimpleHelp Remote Access Tool for Backdoor Access","A new phishing campaign is targeting businesses with convincing emails impersonating the shipping company DHL. The emails, with subject lines like 'Your shipment has arrived,' trick recipients into opening a malicious PDF attachment. Clicking a button within the PDF downloads a Windows screensaver file (.scr) which is a disguised installer for SimpleHelp, a legitimate remote monitoring and management (RMM) tool. The installer is pre-configured to connect to an attacker-controlled server, effectively giving the threat actors a persistent backdoor into the victim's network for further malicious activity.",[96,121,122,123,124,80],"DHL","SimpleHelp","RMM","Remote Access",[96,80,27],{"id":127,"slug":128,"headline":129,"title":130,"severity":40,"excerpt":131,"tags":132,"categories":138,"createdAt":65,"updatedAt":65,"readingTime":51,"isUpdate":66},"d20bb595-a667-4ec9-8e55-55df6ccc23cc","us-senior-care-providers-disclose-ransomware-attacks-data-leaks","Two U.S. Senior Care Providers Disclose Data Breaches by Sinobi and Worldleaks Ransomware Gangs","Windward Life Care and Legend Senior Living Report Data Breaches from 2025 Ransomware Attacks","Two providers of senior care services, Windward Life Care in California and Legend Senior Living in Kansas, have disclosed data breaches resulting from ransomware attacks that occurred in 2025. The ransomware groups Sinobi and Worldleaks have claimed responsibility, respectively. Both incidents involved data exfiltration followed by encryption, with the stolen data later being leaked on the dark web. The compromised information is highly sensitive, including names, Social Security numbers, financial data, and protected health information (PHI) of a vulnerable population.",[74,133,44,134,135,136,137],"Healthcare","Sinobi","Worldleaks","PHI","HIPAA",[74,44,139],"Industrial Control Systems",{"id":141,"slug":142,"headline":143,"title":144,"severity":15,"excerpt":145,"tags":146,"categories":152,"createdAt":65,"updatedAt":65,"readingTime":51,"isUpdate":66},"327e2021-7690-45a2-b3e2-59cda0405956","vulnerability-in-cursor-ai-editor-could-lead-to-hijacked-developer-machines","Critical 'NomShub' Vulnerability in Cursor AI Editor Allows for Complete Developer Machine Hijacking","Vulnerability Chain in Cursor AI Editor Risks Developer Hijacking via Malicious Repository","A critical set of vulnerabilities in the Cursor AI coding editor, collectively named 'NomShub' by researchers at Straiker, could allow an attacker to gain full remote shell access to a developer's machine. The attack requires no user interaction beyond the victim opening a malicious code repository in the editor. The vulnerability chain combines a prompt injection with a command sandbox bypass, allowing the attacker to write malicious code and then abuse Cursor's remote tunnel feature for RCE. The attack is particularly stealthy as it routes traffic through legitimate Microsoft Azure infrastructure.",[26,147,148,149,150,47,151],"Cursor AI","RCE","Developer Security","AI","Prompt Injection",[26,47,63],1776444972605]