CyberNews: 06/04/2026 Edition
Today’s roundup
Summary
Fortinet has issued emergency patches for a critical FortiClient EMS vulnerability, CVE-2026-35616 (CVSS 9.1), which is actively exploited in the wild. The flaw is an improper access control issue allowing unauthenticated attackers to bypass authentication via an API and escalate privileges. Hotfixes are available for FortiClient EMS versions 7.4.5 and 7.4.6, with a permanent fix scheduled for version 7.4.7. The vulnerability was responsibly disclosed by Simo Kohonen from Defused and Nguyen Duc Anh.
Threat actors are conducting a large-scale, automated credential theft campaign by exploiting the React2Shell vulnerability (CVE-2025-55182) in vulnerable Next.js applications. This campaign targets a wide array of systems to steal sensitive user credentials.
Cisco Talos and Trend Micro report that Qilin and Warlock ransomware operations are employing the "bring your own vulnerable driver" (BYOVD) technique to disable over 300 Endpoint Detection and Response (EDR) tools on compromised hosts. Qilin attacks have been observed deploying a malicious DLL named "msimg32.dll" as part of this evasion strategy.
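The BYOVD and DLL-sideloading behaviour described above can be hunted for in endpoint telemetry. The following is an added illustration, not code from Cisco Talos, Trend Micro or the roundup: it runs simple detection rules over a handful of constructed driver-load and image-load events shaped loosely like Sysmon Event ID 6 (DriverLoad) and Event ID 7 (ImageLoad). The blocklist hash, file paths and signing flags are placeholders invented for the example; a real deployment would populate the blocklist from a maintained vulnerable-driver list and feed in actual log records.

```python
"""Flag driver loads and DLL loads that fit a BYOVD / sideloading pattern.

Added example with constructed input. Event dicts mimic Sysmon EID 6
(DriverLoad) and EID 7 (ImageLoad); every hash and path below is a
placeholder, not a real indicator.
"""
from dataclasses import dataclass

# Placeholder blocklist of SHA-256 hashes of known-vulnerable drivers
# (assumption: populated from a maintained list in a real deployment).
KNOWN_VULNERABLE_DRIVER_HASHES = {"11" * 32}

# Locations from which Windows normally loads its own drivers and DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLL name the roundup associates with Qilin's EDR-evasion loader.
SIDELOAD_DLL_NAMES = {"msimg32.dll"}

REASON_HASH = "known-vulnerable driver hash"
REASON_UNSIGNED = "unsigned driver loaded"
REASON_LOCATION = "driver loaded from outside the system directory"
REASON_SIDELOAD = "system DLL name loaded from non-system path"


@dataclass
class Finding:
    event_index: int
    reason: str
    image: str


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def analyze_events(events):
    """Return one Finding per event that matches a BYOVD/sideload rule."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev["image"]
        if ev["event_id"] == 6:  # DriverLoad
            sha256 = ev.get("sha256", "").lower()
            if sha256 in KNOWN_VULNERABLE_DRIVER_HASHES:
                findings.append(Finding(idx, REASON_HASH, image))
            elif not ev.get("signed", False):
                findings.append(Finding(idx, REASON_UNSIGNED, image))
            elif not _in_system_dir(image):
                # A signed but unfamiliar driver from a user-writable path
                # is exactly how a vulnerable driver is usually staged.
                findings.append(Finding(idx, REASON_LOCATION, image))
        elif ev["event_id"] == 7:  # ImageLoad
            name = image.lower().rsplit("\\", 1)[-1]
            if name in SIDELOAD_DLL_NAMES and not _in_system_dir(image):
                findings.append(Finding(idx, REASON_SIDELOAD, image))
    return findings


# Constructed sample telemetry (placeholder paths and hashes).
SAMPLE_EVENTS = [
    {"event_id": 6, "image": "C:\\Windows\\System32\\drivers\\disk.sys",
     "signed": True, "sha256": "00" * 32},
    {"event_id": 6, "image": "C:\\Users\\Public\\tmp\\legacy.sys",
     "signed": True, "sha256": "11" * 32},
    {"event_id": 6, "image": "C:\\ProgramData\\x\\loader.sys",
     "signed": False, "sha256": "22" * 32},
    {"event_id": 6, "image": "C:\\Temp\\helper.sys",
     "signed": True, "sha256": "33" * 32},
    {"event_id": 7, "image": "C:\\Windows\\System32\\msimg32.dll"},
    {"event_id": 7, "image": "C:\\Users\\Public\\app\\msimg32.dll"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.reason}: {f.image}")
```

The checks are ordered so that a blocklist hit wins over the signing and location heuristics; in practice the hash match is the high-confidence signal, while the unsigned and non-system-path rules are noisier and worth tuning against a baseline of legitimate third-party drivers.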
The decentralized exchange Drift disclosed that the $285 million theft on April 1, 2026, resulted from a meticulously planned, six-month social engineering operation conducted by the Democratic People's Republic of Korea (DPRK). The attack, which began in late 2025, represents a significant nation-state cybercrime incident targeting a Solana-based platform.
The German Federal Criminal Police (BKA) has publicly identified Daniil Maksimovich Shchukin, 31, as the individual known by the alias "UNKN" and the head of the notorious Russian ransomware groups GandCrab and REvil. Shchukin, along with 43-year-old Anatoly Sergeevitsch Kravchuk, is implicated in at least 130 cyberattacks in Germany between 2019 and 2021, extorting nearly 2 million euros and causing over 35 million euros in economic damages. REvil and GandCrab were pioneers in double extortion tactics.
Scammers are now using QR codes in fake "Notice of Default" text messages that impersonate state courts across the U.S. Recipients are pressured to scan the QR code, which leads to phishing sites that demand a $6.99 payment while harvesting personal and financial information.
Vulnerabilities
| CVE | Severity |
| --- | --- |
| CVE-2026-35616 | Critical |
| CVE-2025-55182 | Critical |