Daily Threat Briefing

Cyware Daily Threat Intelligence, April 24, 2026


Industrial sabotage has a long and secret history, as revealed by the discovery of fast16, a 2005-era malware framework that predates the infamous Stuxnet by five years. Uncovered by SentinelOne researchers, fast16 was a highly specialized "logic bomb" that targeted high-precision engineering and physics software.

State-sponsored espionage is masquerading as routine productivity in a new campaign by the Tropic Trooper (ScarCruft) group, which uses a trojanized version of SumatraPDF to target Asian infrastructure. The attack chain begins with a military-themed ZIP archive that launches a backdoored version of the popular PDF reader.

Microsoft Defender is at the center of an emergency patching mandate from CISA following the rapid weaponization of the "BlueHammer" zero-day. Tracked as CVE-2026-33825, this local privilege escalation flaw allows low-privileged users to achieve full SYSTEM permissions.

Top Malware Reported in the Last 24 Hours

Researchers uncover malware predating Stuxnet

Researchers have discovered a malware known as "fast16," which is believed to have been created around 2005, predating the Stuxnet worm by five years. This malware targets engineering and physics simulation software, aiming to induce errors in high-precision calculations that could lead to real-world consequences. SentinelOne's Vitaly Kamluk presented these findings at the Black Hat Asia conference, revealing that fast16 specifically targets tools like LS-DYNA, PKPM, and the MOHID modeling platform, which are used in critical applications such as structural analysis and environmental modeling. The malware's design suggests an intimate knowledge of the targeted software, indicating its purpose was likely industrial sabotage. 

GopherWhisper: New APT group with an arsenal chock-full of malware

ESET Research has identified a new China-aligned APT group named GopherWhisper, which targets Mongolian governmental institutions using a sophisticated array of malware tools primarily written in Go. Key components of their arsenal include backdoors like LaxGopher and RatGopher, along with injectors and loaders such as JabGopher and FriendDelivery. GopherWhisper exploits legitimate services like Slack, Discord, and Microsoft 365 Outlook for command and control communications and data exfiltration. 

Tropic Trooper exploits SumatraPDF for attacks

A new cyber campaign attributed to the Tropic Trooper hacking group targets Chinese-speaking individuals in Taiwan, South Korea, and Japan using a trojanized version of SumatraPDF. This attack begins with a ZIP archive containing military-themed documents that launch the rogue SumatraPDF, displaying a decoy PDF while retrieving encrypted shellcode to deploy the AdaptixC2 Beacon. The backdoored application uses a modified loader, TOSHIS, linked to previous malware activities. This multi-stage attack involves the installation of Cobalt Strike Beacon and other payloads, with AdaptixC2 Beacon leveraging GitHub for command-and-control operations. As the attack progresses, the threat actors escalate their actions based on the perceived value of the compromised host, ultimately setting up remote access through Microsoft Visual Studio Code tunnels and employing additional trojanized applications to conceal their activities.

Top Vulnerabilities Reported in the Last 24 Hours

Hackers exploit mobile network vulnerabilities globally

A recent investigation by Citizen Lab has revealed that hackers are leveraging vulnerabilities in the SS7 and Diameter signaling protocols to conduct sophisticated surveillance campaigns on high-profile individuals worldwide. SS7, an older protocol used in 3G networks, is inherently insecure due to its lack of robust authentication and encryption mechanisms, allowing attackers to send malicious queries that can disclose a device's location. Although Diameter was designed to enhance security in 4G and early 5G networks, it remains susceptible to exploitation because modern mobile networks still rely on SS7 for compatibility. By spoofing legitimate operator identities, commercial surveillance vendors can execute tracking operations without detection.

CISA orders urgent patch for BlueHammer vulnerability

CISA has ordered U.S. federal agencies to patch the BlueHammer vulnerability (CVE-2026-33825) in Microsoft Defender within two weeks due to its exploitation in zero-day attacks. This high-severity privilege escalation flaw enables low-privileged local threat actors to gain SYSTEM permissions on unpatched devices by exploiting access control weaknesses. Microsoft released a patch for the vulnerability on April 14, following a leak of proof-of-concept exploit code. Researchers reported that these zero-days were actively exploited in broader cyberattacks, with suspicious activity linked to compromised environments and potential threat actors geolocated in Russia. CISA has added the BlueHammer vulnerability to its KEV Catalog.

Critical LMDeploy vulnerability exploited rapidly

A high-severity security flaw, identified as CVE-2026-33626, was discovered in LMDeploy, an open-source toolkit for deploying LLMs, and was exploited within 13 hours of its disclosure. This vulnerability, which has a CVSS score of 7.5, pertains to a Server-Side Request Forgery (SSRF) issue in the vision-language module's load_image() function, allowing attackers to access sensitive data by fetching arbitrary URLs without proper validation. The first exploitation attempt was detected by Sysdig within 12 hours, originating from a specific IP address, and involved port scanning and DNS exfiltration.
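The defect described above is a classic SSRF pattern: a URL supplied by the caller is fetched as-is, so a request can be steered at loopback, private-range or cloud-metadata addresses. The following added example (hypothetical code, not LMDeploy's own implementation) puts the vulnerable pattern next to a hardened `load_image` that validates the scheme, rejects embedded credentials, and checks every address the host resolves to before any fetch. The DNS table and the `fetch` callback are constructed stand-ins so the example runs offline.

```python
"""SSRF in an image-loading helper: vulnerable pattern beside a hardened one.

Hypothetical example code; the function names, DNS table and fetch callback are
constructed for illustration and are not LMDeploy's real implementation.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. A real deployment would
# resolve with socket.getaddrinfo() and connect to the *validated* address.
FAKE_DNS = {
    "images.example.test": ["93.184.216.34"],      # ordinary public host
    "localhost": ["127.0.0.1"],                     # loopback
    "metadata.internal.test": ["169.254.169.254"],  # cloud metadata endpoint
}


def resolve(host):
    """Return the list of addresses for host (constructed resolver)."""
    return FAKE_DNS.get(host.lower(), [])


def is_public_ip(ip_text):
    """True only for addresses that are routable on the public Internet."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_image_url(url, resolver=resolve):
    """Return (host, address) if url is safe to fetch, else raise ValueError."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    # Every address must be public; a mixed answer is how rebinding tricks slip through.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return host, addrs[0]


def load_image_unsafe(url, fetch):
    """Vulnerable pattern: whatever the caller supplies is fetched verbatim."""
    return fetch(url)


def load_image_safe(url, fetch, resolver=resolve):
    """Hardened pattern: validate before fetching; the validated address is
    returned alongside the content so the caller can pin the connection to it."""
    host, addr = validate_image_url(url, resolver)
    return addr, fetch(url)


def is_fetchable(url, resolver=resolve):
    """Convenience wrapper: True if the hardened loader would accept url."""
    try:
        validate_image_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fake_fetch = lambda u: f"<bytes of {u}>"  # constructed stand-in for an HTTP client
    for candidate in ("https://images.example.test/cat.png",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://localhost:8080/admin",
                      "file:///etc/passwd"):
        print(candidate, "->", "allowed" if is_fetchable(candidate) else "blocked")
```

Validating the URL string alone is not enough: the hostname must be resolved and every returned address checked, and the HTTP client should then connect to that checked address rather than resolving again, otherwise a second lookup can return a different, internal answer. Redirects need the same treatment on every hop, so either disable them or re-run the validation on each `Location` target.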

Tags: CVE-2026-33825, Microsoft Defender, fast16, Tropic Trooper
