Cyware Daily Threat Intelligence, April 13, 2026

Social engineering has taken a personal turn as the North Korean APT37 (ScarCruft) group leverages Facebook to distribute the RokRAT backdoor. By building rapport through fake accounts, attackers convince targets to install a tampered version of Wondershare PDFelement under the guise of viewing "encrypted" military documents.
A high-profile supply chain breach hit the CPUID website earlier this month: for roughly 24 hours, downloads of popular hardware tools such as CPU-Z and HWMonitor were redirected to trojanized builds. Those builds used DLL side-loading to quietly deploy the STX RAT, a remote access trojan that has already claimed over 150 victims, mostly in Russia, Brazil, and China.
The Marimo open-source Python notebook platform is facing a rapid wave of exploitation following the disclosure of a critical pre-authentication RCE flaw, CVE-2026-39987. Attackers began hitting exposed WebSocket endpoints within 10 hours of public disclosure, using the access to execute commands and immediately pivot to credential theft.
Top Malware Reported in the Last 24 Hours
APT37 leverages Facebook, drops RokRAT
North Korea's APT37 group, also known as ScarCruft, has launched a sophisticated social engineering campaign that uses Facebook to deliver RokRAT. The attackers created fake accounts to befriend targets, then moved conversations to Messenger, where they used pretexting to convince victims to install a tampered PDF viewer, claiming it was required to open encrypted military documents. The viewer, a modified build of Wondershare PDFelement, executed embedded shellcode on launch, giving the attackers a foothold on the host. The RokRAT payload itself was disguised as a harmless JPG image, which helped it evade security software while providing extensive remote access. For command and control the campaign relied on compromised infrastructure, issuing commands through a legitimate Japanese real estate website.
CPUID breach distributes STX RAT malware
Unknown threat actors compromised CPUID's website and served malicious executables in place of popular hardware monitoring tools such as CPU-Z and HWMonitor. The breach lasted less than 24 hours, from April 9 to April 10, and worked by replacing legitimate download links with links to rogue sites. The trojanized packages used DLL side-loading: a malicious file named "CRYPTBASE.dll" was bundled with the software, and because Windows resolves a DLL loaded by bare name from the application's own directory before the genuine copy in System32, the legitimate executable loaded the attacker's DLL, which then deployed the STX RAT. This remote access trojan supports extensive remote control and data theft. Over 150 victims were affected, primarily individuals and organizations in sectors such as retail and telecommunications, with most infections reported in Brazil, Russia, and China.
Top Vulnerabilities Reported in the Last 24 Hours
Critical Marimo RCE flaw exploited rapidly
A critical pre-authentication remote code execution vulnerability, tracked as CVE-2026-39987, has been discovered in the Marimo open-source Python notebook platform, affecting versions 0.20.4 and earlier. Exploitation began within 10 hours of public disclosure, with attackers using the flaw to gain unauthenticated access through a WebSocket endpoint. Researchers from Sysdig reported that the attackers first ran commands to confirm remote code execution, then quickly shifted to credential theft, reading sensitive files such as .env to extract cloud credentials and application secrets. Because no authentication is required, any instance reachable from the internet should be treated as exposed, and secrets stored in .env files on such hosts should be rotated after patching.
Critical Axios vulnerability exposes cloud systems
A critical vulnerability in the Axios HTTP client library, tracked as CVE-2026-40175, can lead to RCE and compromise of cloud infrastructure. The root cause is a lack of HTTP header sanitization: when an attacker pollutes Object.prototype through a prototype-pollution "gadget" in a third-party dependency, the planted properties are picked up as headers on Axios's outbound requests without any direct user input to Axios itself. Combined with a Server-Side Request Forgery (SSRF) or request smuggling primitive, the injected headers let an attacker bypass AWS IMDSv2 protections, retrieve valid session tokens, and steal IAM credentials, leading to full cloud account compromise; the same header injection also enables authentication bypass and cache poisoning.