Qilin Ransomware Cripples US Governments, Adobe Rushes Critical RCE Patch, and Germany Accuses Russia of Widespread Phishing

Germany Officially Attributes Phishing Campaign Targeting Politicians' Signal Accounts to Russia

The German government has officially stated its belief that Russia was behind a widespread and sophisticated phishing campaign targeting the Signal messenger accounts of hundreds of high-profile individuals. The targets included Members of Parliament, government officials, diplomats, and journalists. The attack, which has reportedly been stopped, aimed to take over accounts by tricking victims with messages pretending to be from Signal support. German prosecutors have launched an espionage investigation, and the incident marks a significant escalation in cyber tensions between Berlin and Moscow.

GermanyRussiaPhishingSignalEspionage +2 more

Germany Accuses Russia of Orchestrating Large-Scale Signal Phishing Attack on Politicians

Adobe Scrambles to Patch Critical, Actively Exploited RCE Flaw in Commerce and Magento

CRITICAL

Actively Exploited RCE Vulnerability (CVE-2026-11234) in Adobe Commerce Prompts Emergency Patch

Adobe has released an emergency, out-of-band security update for a critical remote code execution (RCE) vulnerability, CVE-2026-11234, affecting Adobe Commerce and Magento Open Source. The flaw, which has a CVSS score of 9.8, is being actively exploited in the wild. An unauthenticated attacker can exploit the vulnerability to execute arbitrary code and achieve a full server takeover. Security firm SwiftSentry reported that attackers are using the flaw to inject credit card skimming malware and install backdoors on compromised e-commerce sites. All administrators are urged to apply the patch immediately.

AdobeMagentoCVE-2026-11234RCEVulnerability +4 more

Adobe Scrambles to Patch Critical, Actively Exploited RCE Flaw in Commerce and Magento

Global Wings Airline Breach Exposes Personal Data of 5 Million Passengers via Third-Party Vendor

Supply Chain Attack Hits Global Wings Airline: 5 Million Passengers' Data Exposed in Vendor Breach

Global Wings Airline has disclosed a major data breach affecting approximately 5 million of its passengers. The breach originated not within the airline's own systems, but from a third-party service provider responsible for managing the 'SkyMiles' loyalty program database. The exposed data includes sensitive personally identifiable information such as names, dates of birth, contact details, physical addresses, and passport numbers. The unauthorized access occurred over a nearly month-long period between March and April 2026. While financial data was reportedly not compromised, the stolen information is sufficient for identity theft and targeted phishing attacks.

Data BreachSupply Chain AttackAirlinePIIPassport +1 more

Global Wings Airline Breach Exposes Personal Data of 5 Million Passengers via Third-Party Vendor

APT 'ChronoDragon' Deploys New 'CoinThief' Backdoor in Financial Sector Espionage Campaign

State-Sponsored APT 'ChronoDragon' Targets Global Financials with 'CoinThief' Backdoor

The state-sponsored threat group 'ChronoDragon' is behind a new economic espionage campaign targeting major financial institutions in North America and Europe, according to a report from Mandiant. The advanced persistent threat (APT) actor is using a new, custom backdoor named 'CoinThief' to infiltrate banks, investment firms, and cryptocurrency exchanges. The campaign's primary goal is not direct financial theft but to steal sensitive data on market strategies, mergers and acquisitions, and proprietary trading algorithms. The attack begins with spear-phishing emails and leverages a sophisticated, stealthy backdoor to maintain long-term access and exfiltrate intelligence.

ChronoDragonAPTCoinThiefMandiantFinancial Sector +2 more

APT 'ChronoDragon' Deploys New 'CoinThief' Backdoor in Financial Sector Espionage Campaign

US Treasury Sanctions Crypto Exchange and Mixers for Laundering Ransomware Proceeds

MEDIUM

OFAC Sanctions Cortexchange, ChainScrub, and HelixMix for Facilitating Cybercrime and Ransomware Money Laundering

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has taken decisive action against the financial infrastructure supporting cybercrime by sanctioning a virtual currency exchange, 'Cortexchange', and two cryptocurrency mixing services, 'ChainScrub' and 'HelixMix'. These entities were added to the Specially Designated Nationals (SDN) list for their role in laundering hundreds of millions of dollars for ransomware groups like LockBit and Qilin, as well as other illicit actors. The move blocks the entities from the U.S. financial system and prohibits any U.S. persons from transacting with them, aiming to disrupt the profitability of cybercrime.

OFACSanctionsCryptocurrencyMoney LaunderingRansomware +3 more

US Treasury Sanctions Crypto Exchange and Mixers for Laundering Ransomware Proceeds

Log4j Deja Vu: Critical RCE Flaw in 'LogSpresso' Library Averts Major Supply Chain Crisis

CRITICAL

Emergency Patch Released for Critical 'LogSpresso' RCE Vulnerability (CVE-2026-23456)

A potential Log4j-level crisis has been averted with the emergency patching of CVE-2026-23456, a critical (10.0 CVSS) remote code execution vulnerability in the popular open-source Java logging library 'LogSpresso'. Discovered by researchers at Checkmarx, the flaw was alarmingly similar to the infamous Log4Shell vulnerability, allowing an unauthenticated attacker to achieve RCE by sending a specially crafted string to be logged. Given LogSpresso's use in thousands of enterprise applications, the vulnerability posed a massive supply chain risk. Thanks to responsible disclosure and swift action by the library's maintainers, a patch was released before any evidence of in-the-wild exploitation emerged.

LogSpressoCVE-2026-23456VulnerabilityRCEJava +3 more

Log4j Deja Vu: Critical RCE Flaw in 'LogSpresso' Library Averts Major Supply Chain Crisis

Cura360 HealthTech Startup Leaks 250,000 Patient Records via Public AWS S3 Bucket

Misconfigured AWS S3 Bucket at HealthTech Startup Cura360 Exposes 250,000 Patient Records

A severe data leak at health-tech startup Cura360 has exposed the protected health information (PHI) and personal data of over 250,000 patients. The cause was a misconfigured Amazon Web Services (AWS) S3 bucket that was left publicly accessible, allowing anyone on the internet to view and download its contents. The exposed data is highly sensitive, including full names, addresses, insurance details, and detailed medical records such as X-rays, MRIs, and lab results. The incident, discovered by a security researcher, is a major breach of patient privacy and a likely violation of HIPAA regulations.

Data LeakData BreachCloud SecurityAWSS3 +4 more

Cura360 HealthTech Startup Leaks 250,000 Patient Records via Public AWS S3 Bucket

Researchers Detail 'GlacierRAT,' a New Modular Malware Targeting Linux Servers

MEDIUM

CrowdStrike Uncovers 'GlacierRAT', a New Modular Remote Access Trojan for Linux

Cybersecurity firm CrowdStrike has released a detailed report on 'GlacierRAT,' a new and sophisticated modular Remote Access Trojan (RAT) designed specifically to compromise Linux-based servers. The malware, which is being sold on dark web forums, targets the backbone of cloud and data center environments. GlacierRAT's modular architecture allows attackers to load various plugins for a wide range of activities, including data exfiltration, command execution, and launching DDoS attacks. It typically gains access by exploiting vulnerable web applications and establishes persistence through systemd services or cron jobs.

GlacierRATLinuxMalwareRATCrowdStrike +2 more

Researchers Detail 'GlacierRAT,' a New Modular Malware Targeting Linux Servers

CISA Warns of 'ShadowProxy' Phishing-as-a-Service that Bypasses MFA

CISA and FBI Issue Joint Advisory on 'ShadowProxy' Phishing-as-a-Service (PhaaS) Platform

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory about the growing threat from 'ShadowProxy,' a sophisticated Phishing-as-a-Service (PhaaS) platform. Sold on dark web forums, ShadowProxy enables even low-skilled criminals to launch large-scale phishing campaigns capable of defeating multi-factor authentication (MFA). The platform uses an adversary-in-the-middle (AiTM) technique, acting as a reverse proxy to intercept credentials and, crucially, the session cookie generated after a successful MFA login. This allows attackers to hijack active sessions and gain full access to accounts like Microsoft 365 and Google Workspace.

ShadowProxyPhaaSPhishingMFAAiTM +3 more

CISA Warns of 'ShadowProxy' Phishing-as-a-Service that Bypasses MFA

Updated Articles (2)

Qilin Ransomware Group Targets City of Napoleon, Ohio, Threatening Municipal Data Leak

City of Napoleon, Ohio Hit by Qilin Ransomware Attack

Update:

The Qilin ransomware group has significantly escalated its operations, claiming 19 new victims within a 24-hour period around April 25, 2026. This aggressive campaign includes major disruptions to US public sector entities like Winona County, Minnesota, and Harrison County, West Virginia, which confirmed network outages. The attacks demonstrate a global reach, impacting organizations in Sweden and Japan, and targeting diverse sectors beyond government, such as Financial Services and Agriculture. This indicates a broader and more opportunistic targeting strategy by the group, increasing the overall threat landscape.

April 25, 2026

Updated: April 26, 2026

QilinRansomwareCyberattackGovernmentOhio +1 more

Qilin Ransomware Group Targets City of Napoleon, Ohio, Threatening Municipal Data Leak

LockBit and ShinyHunters Claim Major Breaches at Citizens Bank, Canada Life, and Law Firm

LockBit and ShinyHunters Post Data from Citizens Bank, Canada Life, and a Major Law Firm

Update:

The LockBit 5.0 ransomware operation has confirmed its breach of Bardehle Pagenberg, a European IP law firm, which was previously reported as an allegation. Additionally, LockBit has listed two new victims on its dark web leak site: Radio Studio Più, an Italian dance music station, and PT Murni Solusindo Nusantara, an Indonesian ICT provider. The new report provides an in-depth technical analysis of LockBit 5.0's TTPs, including initial access vectors, execution, post-exploitation techniques, and specific MITRE ATT&CK mappings. It also offers detailed detection, response, and mitigation strategies tailored for LockBit activity, such as behavioral rules, network analysis, and robust access controls. The addition of new victims and confirmed breach details indicates an increased scope of LockBit's ongoing campaign.

April 20, 2026

Updated: April 26, 2026