Cyware Weekly Threat Intelligence, April 13–April 18, 2026

The Good
International law enforcement has delivered a massive blow to the global cybercrime economy with the simultaneous takedown of the W3LL phishing empire and the dismantling of 53 DDoS-for-hire domains under Operation PowerOFF. In a landmark collaboration between the FBI and Indonesian authorities, the alleged developer of the W3LL kit was arrested. Parallel to this, the Europol-led Operation PowerOFF targeted the infrastructure behind global "booter" services, seizing databases containing 3 million criminal accounts and disrupting access for 75,000 active users.
Operation PowerOFF, a coordinated international law enforcement effort, successfully dismantled 53 DDoS-for-hire domains and arrested four individuals involved in commercial distributed denial-of-service operations. This operation, which involved 21 countries, disrupted access to DDoS services utilized by over 75,000 cybercriminals and uncovered databases containing more than 3 million criminal user accounts. Europol emphasized that DDoS-for-hire services enable even those with minimal technical knowledge to launch significant attacks against various targets, driven by motives ranging from financial gain to ideological reasons.
The UK Cyber Security Council has launched the Associate Cyber Security Professional title to support individuals starting their careers in cybersecurity. Open for applications from April 13 to May 17, this title complements existing certifications such as Practitioner, Principal, and Chartered Cyber Security Professional. To earn this certification, candidates must demonstrate competence in five key areas and commit to 75 hours of continuing professional development over three years. The initiative aims to help early-career professionals showcase their skills and readiness for cybersecurity roles, addressing the industry's ongoing skills gap. With many businesses struggling to fill technical positions, the Associate title provides a credible, government-backed credential for aspiring cybersecurity professionals.
The FBI, in collaboration with Indonesian authorities, has successfully dismantled the W3LL phishing platform and arrested its alleged developer. This global operation targeted a sophisticated phishing kit and online marketplace that enabled cybercriminals to steal thousands of credentials and commit over $20 million in fraud. The W3LL Store sold phishing kits for $500, allowing attackers to create convincing replicas of corporate login portals and bypass multi-factor authentication. The marketplace facilitated the sale of more than 25,000 compromised accounts and continued operations through encrypted messaging platforms even after its shutdown. The W3LL phishing platform was linked to campaigns targeting Microsoft 365 accounts, enabling attackers to intercept credentials and execute business email compromise attacks, leading to significant financial losses for victims worldwide.
The Bad
Financial and cryptocurrency professionals are the primary targets of a novel social engineering campaign that weaponizes the Obsidian note-taking app to deliver the PHANTOMPULSE RAT. The Latin American financial sector is under a massive offensive from JanelaRAT, a BX RAT variant that has already clocked over 14,000 attacks in Brazil this year alone. Social engineering has taken a personal turn as the North Korean APT37 (ScarCruft) group leverages Facebook to distribute the RokRAT backdoor.
A novel social engineering campaign has been identified that exploits the Obsidian note-taking application to distribute a RAT named PHANTOMPULSE, specifically targeting individuals in the financial and cryptocurrency sectors. Attackers initiate contact through LinkedIn, posing as a venture capital firm, and then guide victims to a Telegram group to enhance credibility. Once convinced, victims are instructed to access a shared vault in Obsidian, where enabling community plugins triggers the execution of malicious code. This attack leverages legitimate features of Obsidian, allowing the malware to bypass traditional security measures. PHANTOMPULSE operates by using the Ethereum blockchain to resolve its C2 server, enabling comprehensive remote access to infected systems.
JanelaRAT, a variant of BX RAT, has emerged as a significant threat to financial institutions in Latin America, particularly in Brazil and Mexico, with over 14,739 recorded attacks in Brazil alone in 2025. This malware is designed to steal sensitive financial and cryptocurrency data by employing a custom title bar detection mechanism to identify targeted websites. Its infection process typically begins with phishing emails that trick users into downloading malicious ZIP files or rogue MSI installers. Once executed, JanelaRAT establishes communication with a command-and-control server, enabling it to monitor user activity, capture keystrokes, and exfiltrate sensitive information through fake overlays. The malware's sophisticated techniques, including DLL side-loading and browser extension manipulation, allow it to evade detection while executing various malicious tasks.
A recent cybersecurity investigation uncovered a campaign involving 108 malicious Google Chrome extensions that have collectively amassed around 20,000 installs. These extensions, published under various identities, communicate with a shared command-and-control infrastructure to steal user data and manipulate browser behavior. They engage in activities such as exfiltrating Google account credentials via OAuth2, hijacking Telegram Web sessions, and injecting ads and scripts into web pages. Notably, some extensions masquerade as legitimate tools, including gaming apps and social media enhancers, to deceive users. Researchers identified Russian language comments in the source code, suggesting a possible origin for the threat actors, but their identities remain unknown.
A critical vulnerability in the wolfSSL library, tracked as CVE-2026-5194, stems from improper verification of the hash algorithm during ECDSA signature checks, potentially allowing attackers to get forged certificates accepted. This issue affects multiple signature algorithms, including ECDSA/ECC, DSA, ML-DSA, Ed25519, and Ed448. Discovered by Nicholas Carlini, the flaw weakens certificate-based authentication because digests smaller than the expected size are accepted, which can lead to malicious servers or files being trusted. With wolfSSL being utilized in over 5 billion applications worldwide, the implications of this vulnerability are significant. The flaw was addressed in wolfSSL version 5.9.1, released on April 8.
North Korea's APT37 group, also known as ScarCruft, has launched a sophisticated social engineering campaign using Facebook to deliver RokRAT. The attackers created fake accounts to befriend targets, then moved conversations to Messenger, where they employed pretexting to convince victims to install a tampered PDF viewer claiming it was necessary for accessing encrypted military documents. This viewer, a modified version of Wondershare PDFelement, executed embedded shellcode upon launch, establishing a foothold for the attackers. The campaign utilized compromised infrastructure for command-and-control operations, leveraging a legitimate Japanese real estate website to issue malicious commands. Ultimately, the malware was disguised as a harmless JPG image, enabling extensive remote access capabilities while evading detection by security software.
Unknown threat actors compromised CPUID's website, distributing malicious executables for popular hardware monitoring tools like CPU-Z and HWMonitor. This breach, lasting less than 24 hours from April 9 to April 10, involved replacing legitimate download links with those leading to rogue sites. The attackers utilized a DLL side-loading technique, embedding a malicious file named "CRYPTBASE.dll" within the software, which enabled the deployment of the STX RAT malware. This remote access trojan is capable of extensive remote control and data theft operations. Over 150 victims, primarily individuals and organizations in sectors such as retail and telecommunications, were affected, with most infections reported in Brazil, Russia, and China.
New Threats
Disseminated via phishing emails with compliance-themed lures, PowMix uses randomized C2 beaconing intervals to bypass network-signature detection while maintaining a persistent, fileless presence in system memory. Microsoft Defender has been turned against itself with the public release of the "RedSun" exploit, a critical local privilege escalation vulnerability. A new Android banking trojan named Mirax is sweeping across Europe by masquerading as "free" illegal streaming apps promoted through social media ads.
A newly identified botnet named PowMix is actively targeting workers in the Czech Republic, employing sophisticated techniques to evade detection. Since December 2025, PowMix has been disseminated through phishing emails containing malicious ZIP files, which initiate a multi-stage infection process using PowerShell loaders. This botnet is designed for remote access, reconnaissance, and code execution, maintaining persistence via scheduled tasks and process tree verification. PowMix can execute various commands from its command-and-control server, including self-deletion and migration to new servers. Additionally, it distracts victims with decoy documents featuring compliance themes. The campaign shares similarities with the earlier ZipLine malware, particularly in its delivery methods, but its ultimate objectives remain unclear. PowMix's use of randomized beaconing intervals further complicates detection efforts.
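As an added defender's example (not code from the article or from any vendor report), the following Python check flags jittered beaconing in constructed proxy log lines: it scores each source/destination pair by the spread of its connection gaps, since bounded random jitter of the kind PowMix uses still keeps that spread small relative to the median gap. The hosts, timestamps and thresholds are all assumed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): "timestamp src dst".
# 10.0.0.5 -> 203.0.113.7 is a jittered beacon (about every 45 s, +/- 10 s);
# 10.0.0.5 -> 198.51.100.20 is ordinary bursty browsing to one site.
SAMPLE_LOG = """\
2026-04-14T09:00:00 10.0.0.5 203.0.113.7
2026-04-14T09:00:10 10.0.0.5 198.51.100.20
2026-04-14T09:00:11 10.0.0.5 198.51.100.20
2026-04-14T09:00:13 10.0.0.5 198.51.100.20
2026-04-14T09:00:43 10.0.0.5 203.0.113.7
2026-04-14T09:01:31 10.0.0.5 203.0.113.7
2026-04-14T09:02:10 10.0.0.5 203.0.113.7
2026-04-14T09:03:05 10.0.0.5 203.0.113.7
2026-04-14T09:03:51 10.0.0.5 203.0.113.7
2026-04-14T09:04:32 10.0.0.5 203.0.113.7
2026-04-14T09:05:13 10.0.0.5 198.51.100.20
2026-04-14T09:05:18 10.0.0.5 198.51.100.20
2026-04-14T09:05:19 10.0.0.5 198.51.100.20
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def jitter_score(times):
    """Median absolute deviation of the gaps between connections, divided by
    the median gap. Near 0 means near-constant timing; bounded random jitter
    still scores low, while human browsing (bursts, long idles) scores high."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return mad / med if med else float("inf")

def find_beacons(text, min_conns=6, max_score=0.35):
    """Return (src, dst, score) for pairs whose timing looks like beaconing.
    Thresholds are assumed starting points; tune them on your own traffic."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        score = jitter_score(times)
        if score <= max_score:
            hits.append((src, dst, round(score, 3)))
    return hits
```

Pairing this timing score with the payload-size regularity of the same connections usually cuts false positives further, since beacon check-ins tend to be both evenly spaced and nearly identical in size.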
ZionSiphon is a newly discovered malware specifically designed to target operational technology within water treatment and desalination systems, aiming to sabotage their operations. This malware can manipulate hydraulic pressures and dangerously elevate chlorine levels, posing significant risks to water safety. Researchers from Darktrace identified that ZionSiphon contains flawed encryption logic that currently renders it non-functional, but future iterations could rectify this issue. The malware checks if the host IP address falls within Israeli ranges and seeks out relevant water-related software to ensure it operates in the intended environment. It contains a function called "IncreaseChlorineLevel()" that appends harmful commands to configuration files, potentially leading to hazardous conditions. Additionally, ZionSiphon features a USB propagation mechanism, allowing it to spread to removable drives, which is concerning for critical infrastructure that may be air-gapped from the internet.
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a new Microsoft Defender vulnerability, dubbed "RedSun," which allows local privilege escalation to SYSTEM privileges on Windows 10, Windows 11, and Windows Server. This exploit takes advantage of a flaw in Windows Defender's handling of cloud-tagged files, enabling the overwriting of system files and execution of malicious code. The exploit uses the Cloud Files API to manipulate file handling and execute the attacker's payload. Although some antivirus programs detect the exploit due to its embedded EICAR test file, detection rates were reduced by encrypting the EICAR string. This release follows a previous exploit named "BlueHammer," which was also disclosed in protest against Microsoft's treatment of cybersecurity researchers.
Mirax is a newly identified Android banking trojan spreading across Europe, particularly targeting Spanish-speaking users through social media advertisements. This malware employs a restricted Malware-as-a-Service (MaaS) model, allowing only a select group of affiliates to access it, thereby enhancing its operational security. Mirax enables attackers to gain real-time control over infected devices, executing commands, monitoring activities, and deploying dynamic fake overlays to steal sensitive information. Its distribution relies heavily on social engineering tactics, promoting illegal streaming applications that lead users to download the malware from unverified sources. A distinctive feature of Mirax is its ability to convert infected devices into residential proxy nodes, allowing cybercriminals to route malicious traffic through legitimate IP addresses, thus broadening the malware's impact beyond financial theft to include account takeovers and other cybercriminal activities.