CyberNews: 26/04/2026 Edition
Today’s roundup
Summary
A threat group tracked as UNC6692 is employing social engineering tactics via Microsoft Teams to deploy a new custom malware suite named "Snow." This sophisticated malware includes a browser extension, a tunneler, and a backdoor, indicating a multi-component attack framework targeting users through a common business communication platform.
The Trigona ransomware operation has evolved its attack methodologies, now utilizing a custom command-line tool, `uploader_client.exe`, for data exfiltration instead of publicly available utilities like Rclone or MegaSync. Observed in March 2026, this proprietary tool enables faster data theft through multiple parallel connections and evades detection by rotating TCP connections. Prior to deploying the exfiltration tool, attackers disable security software using various utilities, abuse vulnerable kernel drivers, and steal credentials with tools like Mimikatz, showcasing an increased investment in stealthy, custom malware.
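The exfiltration pattern described above (many parallel, rotated TCP connections to one destination carrying a large outbound volume) is something a defender can hunt for in flow logs. The following is an added example, not code from the report or from the tool described; the flow-log fields, thresholds and sample records are constructed assumptions.

```python
"""Flag (src, dst) pairs that open many distinct outbound TCP connections
within a short window while pushing a large volume of bytes, the pattern
described for the Trigona uploader. Fields and thresholds are assumptions."""
from collections import defaultdict

# Constructed flow records: (start_sec, src, dst, src_port, bytes_out)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 50001, 8_000_000),
    (1, "10.0.0.5", "203.0.113.9", 50002, 8_000_000),
    (2, "10.0.0.5", "203.0.113.9", 50003, 8_000_000),
    (3, "10.0.0.5", "203.0.113.9", 50004, 8_000_000),
    (4, "10.0.0.5", "203.0.113.9", 50005, 8_000_000),
    (5, "10.0.0.5", "203.0.113.9", 50006, 8_000_000),
    (0, "10.0.0.7", "198.51.100.2", 40001, 120_000),  # ordinary upload
    (30, "10.0.0.7", "198.51.100.2", 40002, 90_000),
]


def find_exfil_candidates(flows, window_sec=60, min_conns=5, min_bytes=20_000_000):
    """Group flows by (src, dst) and slide a window over connection start times.
    Return the pairs where at least min_conns distinct connections (by source
    port) start within window_sec and together send at least min_bytes."""
    by_pair = defaultdict(list)
    for start, src, dst, sport, nbytes in flows:
        by_pair[(src, dst)].append((start, sport, nbytes))
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window_sec]
            ports = {r[1] for r in in_window}        # rotated connections
            total = sum(r[2] for r in in_window)     # outbound volume
            if len(ports) >= min_conns and total >= min_bytes:
                hits[pair] = {"connections": len(ports), "bytes_out": total}
                break  # one alert per pair is enough
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_exfil_candidates(FLOWS).items():
        print(f"{src} -> {dst}: {info['connections']} connections, "
              f"{info['bytes_out']} bytes out")
```

Thresholds must be tuned per environment; legitimate backup agents and CDN uploads can show similar fan-out, so the output is a triage lead rather than a verdict.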
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch these flaws by May 8, 2026. Among them are CVE-2024-7399, a Samsung MagicINFO 9 Server path traversal vulnerability (CVSS 8.8) that allows arbitrary file writes and has seen active exploitation since May 2025 following public proof-of-concept release. CISA also included CVE-2025-29635, a D-Link DIR-823X command injection vulnerability actively targeted by Mirai botnets, and two SimpleHelp flaws: CVE-2024-57726 (missing authorization, CVSS 9.9) and CVE-2024-57728 (path traversal, CVSS 7.2), which can lead to privilege escalation and remote code execution, respectively.
Vulnerabilities
| CVE | Severity |
| --- | --- |
| CVE-2024-7399 | Critical |
| CVE-2025-29635 | High |
| CVE-2024-57726 | High |
| CVE-2024-57728 | High |