CyberNews: 19/04/2026 Edition

Published by Dunateo on 2026-04-19

Today’s roundup

  • Critical flaw in Protobuf library enables JavaScript code execution
  • Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware

Summary

A critical remote code execution (RCE) flaw has been identified in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. Proof-of-concept exploit code for this vulnerability has been published, indicating an elevated risk for systems that incorporate the library.

Sophos researchers have observed a rise in threat actors abusing QEMU, an open-source emulator, to deploy hidden virtual machines. This tactic lets adversaries evade detection, establish long-term persistence, steal credentials, exfiltrate data, and ultimately deliver ransomware such as PayoutsKing. The report details two campaigns. STAC4713, linked to the GOLD ENCOUNTER group and PayoutsKing ransomware, exploited exposed SonicWall VPNs and a SolarWinds Web Help Desk vulnerability (CVE-2025-26399). STAC3725 gained initial access by exploiting the CitrixBleed2 flaw and then used QEMU VMs for reconnaissance and credential theft. These methods allow attackers to conceal their toolkit and operations, making detection and forensic analysis significantly more challenging.

Want to dig deeper?

Vulnerabilities

CVE-2025-26399 Critical