Daily Threat Briefing

Cyware Daily Threat Intelligence, April 14, 2026


The Latin American financial sector is under a sustained offensive from JanelaRAT, a BX RAT variant with 14,739 recorded attacks in Brazil in 2025. The malware watches the title bars of open windows for targeted banking and cryptocurrency sites and, on a match, deploys fake overlays to harvest credentials.

A new Android banking trojan named Mirax is sweeping across Europe by masquerading as "free" illegal streaming apps promoted through social media ads. Operating under a highly restricted Malware-as-a-Service model, Mirax grants its select affiliates full remote control over infected devices, allowing them to intercept SMS codes and deploy dynamic overlays to siphon banking credentials.

CVE-2026-5194, a critical vulnerability in the wolfSSL library, lets forged signatures pass verification. The library failed to check that the hash algorithm used in an ECDSA signature was appropriate for the key, so a signature over a weaker, shorter digest than the key warrants is accepted, which can trick the library into trusting a malicious server or file.

Top Malware Reported in the Last 24 Hours

JanelaRAT malware targets Latin American banks

JanelaRAT, a variant of BX RAT, has emerged as a significant threat to financial institutions in Latin America, particularly in Brazil and Mexico, with 14,739 recorded attacks in Brazil alone in 2025. The malware is built to steal financial and cryptocurrency data: it matches the title bars of open browser windows against a list of targeted banking and cryptocurrency sites and acts only when a target is in the foreground. Infection typically begins with phishing emails that lead the victim to download a malicious ZIP archive or a rogue MSI installer. Once executed, JanelaRAT connects to a command-and-control server, from which it monitors user activity, captures keystrokes, and collects credentials through fake overlays placed over the legitimate site. It relies on DLL side-loading and browser extension manipulation to evade detection, so a legitimate signed executable loading a DLL from a user-writable directory is the behavior defenders should hunt for.

Mirax trojan turns Android devices into proxies

Mirax is a newly identified Android banking trojan spreading across Europe, particularly targeting Spanish-speaking users through social media advertisements. It is sold under a restricted Malware-as-a-Service (MaaS) model that admits only a select group of affiliates, which improves the operators' operational security. Mirax gives affiliates real-time control over infected devices: they can execute commands, monitor activity, and deploy dynamic fake overlays to steal sensitive information. Distribution rests on social engineering, with ads for "free" illegal streaming applications that lead users to sideload the malware from unverified sources. A distinctive feature of Mirax is that it turns infected devices into residential proxy nodes, so the operators' traffic, including account-takeover attempts, exits from the victim's legitimate IP address and evades IP-reputation and geolocation checks. That broadens the malware's impact well beyond theft from the victim's own bank accounts.

Malicious Chrome extensions target user data

A recent investigation uncovered a campaign of 108 malicious Google Chrome extensions with roughly 20,000 installs between them. Published under various developer identities, the extensions communicate with a shared command-and-control infrastructure to steal user data and manipulate browser behavior: harvesting Google account OAuth2 tokens, hijacking Telegram Web sessions, and injecting ads and scripts into web pages. Some masquerade as legitimate tools, including gaming apps and social media enhancers, to attract installs. Because the publisher names differ but the C2 infrastructure is shared, the C2 domains of one identified extension are the pivot for finding the rest. Researchers found Russian-language comments in the source code, which hints at the operators' origin but does not identify them.

Top Vulnerabilities Reported in the Last 24 Hours

Critical wolfSSL vulnerability enables forged certificates

A critical vulnerability in the wolfSSL library, tracked as CVE-2026-5194, stems from improper verification of the hash algorithm during ECDSA signature checks: the library accepted digests smaller than appropriate for the key in use, so a signature over a weaker digest verifies and a forged certificate can be accepted. According to the advisory, the issue affects multiple signature algorithms, including ECDSA/ECC, DSA, ML-DSA, Ed25519, and Ed448. The flaw, discovered by Nicholas Carlini, weakens certificate-based authentication, since a verifier that trusts the weaker digest can be tricked into trusting malicious servers or files. With wolfSSL deployed in over 5 billion applications worldwide, the exposure is significant, and because wolfSSL is commonly statically linked into embedded firmware, inventorying affected builds means checking vendor firmware images as well as OS packages. The flaw was fixed in wolfSSL version 5.9.1, released on April 8.
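The following is an added example and is not wolfSSL's code or the fix shipped in 5.9.1. It implements a toy P-256 ECDSA in pure Python (textbook affine arithmetic, a stand-in nonce derivation instead of RFC 6979, no constant-time guarantees) to show the verifier-side failure mode described above: a verifier that computes over whatever digest length it is handed accepts a 16-bit stand-in for an inappropriately weak hash, so an attacker who finds a second preimage on that short digest can transplant a genuine signature onto a forged certificate body. The hardened verifier rejects the digest before doing any arithmetic. The minimum-digest policy (no shorter than the group order), the fixed private key, and the certificate-body strings are constructed assumptions for the demonstration.

```python
"""Toy P-256 ECDSA: accepting a too-short digest lets a real signature be
transplanted onto a forged message.  Added example, not wolfSSL code."""
import hashlib

# NIST P-256 domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _digest_to_int(digest):
    """ECDSA bits2int: keep only the leftmost bits when the digest exceeds N."""
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - N.bit_length()
    return e >> excess if excess > 0 else e


def sign(priv, digest):
    e = _digest_to_int(digest)
    # Toy deterministic nonce (NOT RFC 6979): hash of key and digest.
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s)


def verify_any_digest(pub, digest, sig):
    """Vulnerable pattern: verifies over whatever digest length it is handed."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    e = _digest_to_int(digest)
    x = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return x is not None and x[0] % N == r


# Assumed policy: the digest must be no shorter than the group order (256 bits for P-256).
MIN_DIGEST_BITS = N.bit_length()


def verify_hardened(pub, digest, sig):
    """Fixed pattern: refuse a digest too short for the key before any arithmetic."""
    if len(digest) * 8 < MIN_DIGEST_BITS:
        return False
    return verify_any_digest(pub, digest, sig)


def weak_digest(msg):
    """Stand-in for an inappropriately weak hash: the first 16 bits of SHA-256."""
    return hashlib.sha256(msg).digest()[:2]


def demo():
    priv = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721  # fixed test key
    pub = _mul(priv, G)
    legit = b"CN=bank.example, serial=1001"          # constructed certificate body
    sig_weak = sign(priv, weak_digest(legit))         # CA signed over the weak digest
    sig_strong = sign(priv, hashlib.sha256(legit).digest())
    # Attacker: second preimage on the 16-bit digest (~65k tries), so sig_weak transfers.
    target, forged = weak_digest(legit), None
    for i in range(1 << 20):
        cand = b"CN=bank.example, serial=%d, CA:TRUE" % i
        if cand != legit and weak_digest(cand) == target:
            forged = cand
            break
    return {
        "forged": forged,
        "vuln_accepts_forged": verify_any_digest(pub, weak_digest(forged), sig_weak),
        "hardened_rejects_forged": not verify_hardened(pub, weak_digest(forged), sig_weak),
        "hardened_accepts_strong": verify_hardened(pub, hashlib.sha256(legit).digest(), sig_strong),
        "strong_rejects_forged": not verify_any_digest(pub, hashlib.sha256(forged).digest(), sig_strong),
    }


if __name__ == "__main__":
    print(demo())
```

The point is that the forged body is accepted with the CA's genuine signature only because the verifier did not refuse the short digest up front; the fix is a length-and-algorithm policy check that runs before the curve arithmetic, not a change to the arithmetic itself.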

Adobe releases fix for Acrobat zero-day vulnerability

Adobe has issued an emergency security update for Acrobat Reader to address a critical zero-day vulnerability, tracked as CVE-2026-34621, which has been exploited in attacks since December. The flaw allows a malicious PDF to bypass sandbox restrictions and invoke privileged JavaScript APIs, leading to arbitrary code execution and theft of local files without further user interaction beyond opening the document. Haifei Li of EXPMON discovered the vulnerability after a malicious PDF sample was submitted for analysis; the sample uses those privileged APIs to read local files and exfiltrate their contents. Initially rated critical with a CVSS score of 9.6, the flaw was later downgraded by Adobe to 8.6 after it reassessed the attack vector. Affected versions include Acrobat DC, Acrobat Reader DC, and Acrobat 2024, all of which have received fixed builds.
