Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, April 17, 2026


The cybersecurity landscape in early 2026 is being defined by a move toward "trusted-app" exploitation and highly targeted botnets. One such botnet, PowMix, is disseminated via phishing emails with compliance-themed lures and uses randomized C2 beaconing intervals to bypass network-signature detection while maintaining a persistent, fileless presence in system memory.

Financial and cryptocurrency professionals are the primary targets of a novel social engineering campaign that weaponizes the Obsidian note-taking app to deliver the PHANTOMPULSE RAT. Attackers posing as venture capitalists lure victims from LinkedIn to Telegram before providing credentials to a "shared vault" in Obsidian.

Microsoft Defender has been turned against itself with the public release of the "RedSun" exploit, a critical local privilege escalation vulnerability disclosed by researcher Chaotic Eclipse. By abusing the Cloud Files API, the exploit tricks the antivirus engine into overwriting protected system files during routine scans of cloud-tagged data.

Top Malware Reported in the Last 24 Hours

New PowMix botnet targets Czech workers

A newly identified botnet named PowMix is actively targeting workers in the Czech Republic, employing sophisticated techniques to evade detection. Since December 2025, PowMix has been disseminated through phishing emails containing malicious ZIP files, which initiate a multi-stage infection process using PowerShell loaders. This botnet is designed for remote access, reconnaissance, and code execution, maintaining persistence via scheduled tasks and process tree verification. PowMix can execute various commands from its command-and-control server, including self-deletion and migration to new servers. Additionally, it distracts victims with decoy documents featuring compliance themes. The campaign shares similarities with the earlier ZipLine malware, particularly in its delivery methods, but its ultimate objectives remain unclear. PowMix's use of randomized beaconing intervals further complicates detection efforts.
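Randomized beacon intervals defeat fixed-period signatures, but the intervals still cluster around a mean, so per-pair interval statistics can still surface the cadence. The script below is an added defender-side example, not PowMix code or any vendor's detection: it runs over constructed proxy log lines in an assumed "timestamp src dst" format and flags (src, dst) pairs whose inter-connection gaps have a low coefficient of variation; the thresholds are illustrative assumptions.

```python
"""Flag jittered C2 beaconing in proxy logs: randomized intervals defeat
fixed-period signatures, but they still cluster around a mean, so the
per-(src, dst) coefficient of variation stays low compared to browsing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines ("<ISO timestamp> <src> <dst>", an assumed format):
# 10.0.0.5 beacons roughly every 60 s with +/-20% jitter; 10.0.0.7 is browsing.
SAMPLE_LOG = """\
2026-04-17T09:00:00 10.0.0.5 198.51.100.23
2026-04-17T09:00:52 10.0.0.5 198.51.100.23
2026-04-17T09:02:01 10.0.0.5 198.51.100.23
2026-04-17T09:02:58 10.0.0.5 198.51.100.23
2026-04-17T09:04:07 10.0.0.5 198.51.100.23
2026-04-17T09:05:03 10.0.0.5 198.51.100.23
2026-04-17T09:00:05 10.0.0.7 203.0.113.9
2026-04-17T09:00:09 10.0.0.7 203.0.113.9
2026-04-17T09:03:40 10.0.0.7 203.0.113.9
2026-04-17T09:03:41 10.0.0.7 203.0.113.9
2026-04-17T09:15:12 10.0.0.7 203.0.113.9
2026-04-17T09:15:30 10.0.0.7 203.0.113.9
"""

def parse(log_text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(log_text, min_conns=5, max_cv=0.3):
    """Flag pairs whose cadence is regular despite per-interval jitter."""
    flagged = []
    for pair, times in parse(log_text).items():
        if len(times) < min_conns:  # too few connections to judge cadence
            continue
        avg, cv = beacon_score(times)
        if cv <= max_cv:
            flagged.append((pair, round(avg), round(cv, 2)))
    return flagged
```

On the sample, only the 10.0.0.5 pair is flagged (mean gap about 61 s, cv about 0.12) while the browsing pair's cv is above 1; on real logs, tune min_conns and max_cv against your baseline to keep false positives from polling software manageable.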

PHANTOMPULSE RAT abuses Obsidian plugin

A novel social engineering campaign has been identified that exploits the Obsidian note-taking application to distribute a RAT named PHANTOMPULSE, specifically targeting individuals in the financial and cryptocurrency sectors. Attackers initiate contact through LinkedIn, posing as a venture capital firm, and then guide victims to a Telegram group to enhance credibility. Once convinced, victims are instructed to access a shared vault in Obsidian, where enabling community plugins triggers the execution of malicious code. This attack leverages legitimate features of Obsidian, allowing the malware to bypass traditional security measures. PHANTOMPULSE operates by using the Ethereum blockchain to resolve its C2 server, enabling comprehensive remote access to infected systems. 

ZionSiphon malware threatens water treatment systems

ZionSiphon is a newly discovered malware specifically designed to target operational technology within water treatment and desalination systems, aiming to sabotage their operations. This malware can manipulate hydraulic pressures and dangerously elevate chlorine levels, posing significant risks to water safety. Researchers from Darktrace identified that ZionSiphon includes a flawed encryption logic that currently renders it non-functional, but future iterations could rectify this issue. The malware checks if the host IP address falls within Israeli ranges and seeks out relevant water-related software to ensure it operates in the intended environment. It contains a function called “IncreaseChlorineLevel()” that appends harmful commands to configuration files, potentially leading to hazardous conditions. Additionally, ZionSiphon features a USB propagation mechanism, allowing it to spread to removable drives, which is concerning for critical infrastructure that may be air-gapped from the internet.

Top Vulnerabilities Reported in the Last 24 Hours

ActiveMQ vulnerability added to KEV catalog

A critical vulnerability, CVE-2026-34197, has been identified in Apache ActiveMQ Classic, with a CVSS score of 8.8, and is currently being actively exploited. This flaw arises from improper input validation, allowing attackers to execute arbitrary code through the Jolokia API, which can be accessed using default or even no credentials in certain versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies apply necessary fixes by April 30, 2026. The vulnerability affects multiple versions of ActiveMQ, and there are reports indicating that threat actors are targeting exposed Jolokia management endpoints.

Cisco patches critical vulnerabilities 

Cisco has addressed four critical vulnerabilities affecting its Identity Services and Webex Services, which could lead to arbitrary code execution and user impersonation. One significant issue, CVE-2026-20184, stems from improper certificate validation in the single sign-on (SSO) integration with Webex, allowing unauthenticated remote attackers to impersonate users. Additionally, CVE-2026-20147 involves insufficient validation of user input in the Identity Services Engine (ISE), enabling authenticated attackers with administrative credentials to execute remote code through crafted HTTP requests. Two other vulnerabilities, CVE-2026-20180 and CVE-2026-20186, also relate to input validation issues, permitting authenticated attackers with read-only admin credentials to execute arbitrary commands. 

New Microsoft Defender zero-day exploit revealed

A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a new Microsoft Defender vulnerability, dubbed "RedSun," which allows local privilege escalation to SYSTEM privileges on Windows 10, Windows 11, and Windows Server. This exploit takes advantage of a flaw in Windows Defender's handling of cloud-tagged files, enabling the overwriting of system files and execution of malicious code. The exploit uses the Cloud Files API to manipulate file handling and execute the attacker's payload. Although some antivirus programs detect the exploit due to its embedded EICAR test file, detection rates were reduced by encrypting the EICAR string. This release follows a previous exploit named "BlueHammer," which was also disclosed in protest against Microsoft's treatment of cybersecurity researchers.
