Reporting Period	Classification	Generated
2026-04-20 (24h)	TLP:CLEAR	2026-04-21

1. Executive Summary

The pipeline processed 89 reports from 15 distinct sources in the last 24 hours, with six items rated critical. CISA added Cisco Catalyst SD-WAN Manager flaw CVE-2026-20133 to the Known Exploited Vulnerabilities catalogue and ordered federal agencies to remediate by 24 April, while Shadowserver confirmed active exploitation of Apache ActiveMQ RCE CVE-2026-34197 against 6,400 exposed servers. A newly documented destructive wiper, “Lotus,” was attributed to a targeted campaign against Venezuelan energy and utility operators, and a publicly released zero-day local-privilege-escalation exploit (“RedSun.exe”) targeting Microsoft Defender enables SYSTEM-level compromise from a standard user. Financially motivated activity dominated the rest of the day: LayerZero and KelpDAO attributed the $290 million rsETH cross-chain heist to DPRK’s Lazarus Group (TraderTraitor), Vercel disclosed a Google Workspace compromise stemming from a third-party AI tool (Context.ai), and qilin plus The Gentlemen continue to saturate the RaaS telemetry with 10+ fresh victim listings.

2. Severity Distribution

Severity	Count	Key Drivers
🔴 CRITICAL	6	Cisco SD-WAN KEV (CVE-2026-20133); Apache ActiveMQ RCE (CVE-2026-34197); Lotus destructive wiper; Microsoft Defender LPE 0-day; Silex SD-330AC & SenseLive X3050 ICS
🟠 HIGH	56	RansomLock victim postings (qilin, The Gentlemen, Coinbase Cartel, shadowbyt3$, anubis, dragonforce); Lazarus KelpDAO heist; Void Dokkaebi/Famous Chollima; Vercel/Context.ai supply chain; Siemens ICS batch
🟡 MEDIUM	10	ESET NGate Android NFC malware; Cisco Talos phishing & MFA trends; StepDrainer MaaS
🟢 LOW	2	Minor breach disclosures
🔵 INFO	15	Microsoft MSRC informational CVE updates; Cisco Talos podcasts

3. Priority Intelligence Items

3.1 Cisco Catalyst SD-WAN Manager — CVE-2026-20133 added to CISA KEV with federal patch deadline

Source: BleepingComputer

CISA added CVE-2026-20133 — an unauthenticated information-disclosure flaw in Cisco Catalyst SD-WAN Manager (formerly vManage) — to the Known Exploited Vulnerabilities catalogue on 20 April based on evidence of active exploitation, and ordered Federal Civilian Executive Branch (FCEB) agencies to remediate by Friday 24 April. The bug stems from insufficient file-system access restrictions and can be triggered via the product API to read sensitive data from the underlying OS. Cisco patched CVE-2026-20133 in late February alongside two other SD-WAN flaws (CVE-2026-20128, CVE-2026-20122) that Cisco has separately acknowledged as exploited. Cisco’s own PSIRT advisory has not yet been updated to reflect the KEV action. Affected product: Catalyst SD-WAN Manager (all unpatched installations manageable via API).

SOC Action: Confirm all Catalyst SD-WAN Manager instances are on the February 2026 patch train; audit API access logs for unauthenticated GETs against management endpoints and correlate with the Emergency Directive 26-03 / Hunt & Hardening guidance. Where patching is blocked, restrict Manager API to a jump-host subnet and block internet-exposed 443/8443 at the edge.

3.2 Apache ActiveMQ — CVE-2026-34197 RCE under active exploitation against 6,400 internet-exposed servers

Source: BleepingComputer

A 13-year-old input-validation weakness in Apache ActiveMQ (CVE-2026-34197), discovered by Horizon3’s Naveen Sunkavally with assistance from Claude, allows authenticated actors to execute arbitrary code on unpatched brokers. Apache shipped fixes on 30 March in ActiveMQ Classic 6.2.3 and 5.19.4. Shadowserver now tracks 6,400 exposed, unpatched instances — 2,925 in Asia, 1,409 in North America, 1,334 in Europe — and CISA has required FCEB agencies to remediate by 30 April. Two prior ActiveMQ bugs (CVE-2016-3088, CVE-2023-46604) have historic ransomware association (TellYouThePass), so fast follow-on targeting is likely. Relevant ATT&CK: T1059, T1078, T1204.

Indicators of Compromise

Log artefact: broker connections using internal transport "VM" with query parameter brokerConfig=xbean:http://
Patched versions: ActiveMQ Classic 6.2.3, 5.19.4

SOC Action: Grep activemq.log for the string brokerConfig=xbean:http and any VM:// transport connections originating from non-loopback addresses; treat hits as probable post-exploit. If patching cannot complete this week, bind the broker to localhost, require mutual TLS on 61616/8161, and block egress HTTP from broker hosts to disrupt the Spring config-fetch chain.

3.3 Lotus data-wiper — destructive attack on Venezuelan energy and utilities sector

Sources: AlienVault OTX, BleepingComputer

Kaspersky and AlienVault disclosed a previously undocumented destructive wiper dubbed “Lotus” used in targeted attacks on Venezuelan energy and utility organisations in late 2025 / early 2026, timed with the regional geopolitical crisis and the mid-December PDVSA incident. Execution chain: two batch scripts (OhSyncNow.bat, notesreg.bat) disable the Windows UI0Detect service, enumerate users, force password resets, log off sessions, disable network interfaces, then invoke diskpart clean all, robocopy, and fsutil to pre-wipe volumes and fill free space. The Lotus payload then elevates privileges, deletes restore points via the Windows System Restore API, clears USN journals, retrieves disk geometry via IOCTL and overwrites physical sectors with zeros. The wiper binary was compiled months before deployment, consistent with long-dwell access. ATT&CK coverage: T1485 (Data Destruction), T1490 (Inhibit System Recovery), T1562.001 (Disable Security Tools), T1070.004 (File Deletion), T1059.003 (Windows Command Shell), T1489 (Service Stop).

Indicators of Compromise

Precursor scripts: OhSyncNow.bat, notesreg.bat
Service manipulation: UI0Detect disabled
LOLBins abused: diskpart, robocopy, fsutil
Sector focus: Venezuela energy & utilities

SOC Action: Deploy Sigma/EDR rules for (a) service-stop actions against UI0Detect, (b) diskpart spawning with clean all, (c) fsutil file createnew large-file-fill patterns, and (d) mass password-reset events on domain controllers. Alert on NETLOGON share writes of .bat files originating from non-administrative hosts. Back up offline copies of System Restore config and review domain privileged accounts for unused or long-dormant access.

3.4 Microsoft Defender zero-day LPE — public PoC “RedSun.exe” grants SYSTEM

Source: AlienVault OTX

A publicly released proof-of-concept, RedSun.exe, exploits a zero-day in Microsoft Defender’s remediation logic for cloud-tagged malicious files. By abusing filesystem primitives to redirect Defender’s high-privilege file operations, an unprivileged user can overwrite protected locations such as C:\Windows\System32 with attacker-controlled binaries, yielding arbitrary SYSTEM execution — no kernel exploit and no administrator rights required. AlienVault reports the technique is reliable and actively weaponised, with no confirmed patch at time of publication. Relevant ATT&CK: T1068 (Exploitation for Privilege Escalation), T1548 (Abuse Elevation Control), T1222 (File Permissions Modification), T1574 (Hijack Execution Flow).

Indicators of Compromise

SHA256: 57a70c383feb9af60b64ab6768a1ca1b3f7394b8c5ffdbfafc8e988d63935120
Filename: RedSun.exe
Abused component: Microsoft Defender TieringEngineService remediation flow

SOC Action: Block the SHA256 above in EDR and create a detection for Defender’s TieringEngineService performing writes into C:\Windows\System32\* initiated by a non-SYSTEM parent. Until Microsoft issues guidance, enforce Defender tamper protection, restrict Attack Surface Reduction rule bypasses, and hunt for recent modifications of Defender service DLLs outside scheduled update windows.

3.5 KelpDAO $290 M heist — LayerZero attributes to DPRK Lazarus Group (TraderTraitor)

Source: BleepingComputer

KelpDAO’s liquid-restaking protocol lost approximately 116,500 rsETH (~$293 M) on 18 April. LayerZero’s post-incident analysis states attackers compromised RPC nodes used by the DVN verification layer and simultaneously DDoS’d healthy nodes, forcing the verifier to consume poisoned blockchain data and accept a fabricated cross-chain message. Funds were laundered through Tornado Cash. LayerZero assesses with preliminary confidence that the operation is attributable to DPRK’s Lazarus Group, specifically the TraderTraitor cluster — the same grouping linked to the earlier $280 M Drift Protocol theft. Aave, Compound, and Euler were secondary-impacted through rsETH as collateral. ATT&CK: T1496 (Resource Hijacking), T1048 (Exfiltration Over Alternative Protocol).

SOC Action: Crypto/DeFi operators should harden RPC-node availability monitoring (simultaneous latency spikes on multiple healthy nodes plus verifier fall-back is a strong signal), require multi-node consensus for cross-chain message validation, and add Tornado Cash deposit addresses to outbound watchlists. Traditional enterprises with DPRK-IT-worker exposure should re-run Famous Chollima / Void Dokkaebi developer hiring audits (see §3.6).

3.6 Void Dokkaebi (Famous Chollima) — self-propagating supply-chain campaign via fake interview repositories

Source: AlienVault OTX

North-Korea-aligned Void Dokkaebi (aka Famous Chollima) has evolved its fake-interview lure into a worm-like supply-chain operation. Victim developers clone malicious Git repositories; malicious VS Code task configurations execute on workspace open, and obfuscated JavaScript is injected into local source files while Git history is tampered to hide modifications — each compromised developer seeds new repos. As of March 2026, 750+ infected repositories had been identified, with contamination reaching DataStax and Neutralinojs. Payload delivery traverses Tron, Aptos and Binance Smart Chain; deployed tooling includes DEV#POPPER RAT, BeaverTail, InvisibleFerret, OmniStealer, OtterCookie (intrusion-set tag: WageMole). ATT&CK: T1195.001/.002, T1199, T1566.001, T1204.002, T1059.007, T1071.001, T1567.002, T1573.001.

Indicators of Compromise

C2 IPs:
  154.91.0[.]196
  166.88.4[.]2
  198.105.127[.]210
  23.27.120[.]142
  23.27.20[.]143
  23.27.202[.]27
  83.168.68[.]219
  85.239.62[.]36

SHA256:
  23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8
  834a92277f1bd82d4d473ac0aa2ddb23208a3a8763a576b882e7326c42bc5412

Malware: DEV#POPPER RAT, BeaverTail, InvisibleFerret, OmniStealer, OtterCookie

SOC Action: Block listed IPs and SHA256s at EDR/proxy; deploy a VS Code workspace-trust policy that disables auto-run of .vscode/tasks.json for newly cloned repos. Inventory repositories cloned after March 2026 from unknown remotes and scan for the two file hashes and Git objects with rewritten history on recent pulls. Flag developer HR processes for take-home “coding tests” delivered via unknown recruiters.

3.7 Vercel breach via Context.ai third-party AI tool — OAuth → Google Workspace → production env vars

Source: The Record (Recorded Future News)

Vercel disclosed an intrusion traced back to compromise of Context.ai, a third-party AI agent/browser-extension used by one of its employees. The attacker pivoted via OAuth tokens into the employee’s Vercel Google Workspace account, then into Vercel environments and non-“sensitive” environment variables. Context.ai confirmed an AWS-environment compromise in March, reportedly stemming from an infostealer infection on a Context.ai employee device (Hudson Rock logs reference Roblox-exploit searches). Mandiant is assisting; affected Vercel customers were told to rotate credentials. ATT&CK: T1078 (Valid Accounts), T1566 (Phishing), T1528 (Steal Application Access Token).

SOC Action: Enumerate third-party OAuth grants in Google Workspace / M365 and revoke AI-agent or browser-extension integrations with broad scopes (admin.directory.*, drive.readonly, gmail.modify). For PaaS/CI-CD platforms, treat all non-“sensitive”-flagged environment variables as compromised if a workspace token was leaked — rotate API keys, signing keys and database credentials, then re-deploy. Block the Context.ai extension ID in enterprise browser policy until confirmed clean.

3.8 ICS advisories — Silex, SenseLive, and Siemens batch (CISA 20 April wave)

Source: CISA ICSA-26-111-10 (Silex), CISA ICSA-26-111-12 (SenseLive), CISA ICSA-26-111-01..11 (Siemens)

CISA released an eleven-advisory wave on 20 April. Two are critical: Silex Technology SD-330AC (≤1.42) and AMC Manager (≤5.0.2) — 13 CVEs including stack/heap buffer overflows, hard-coded crypto keys, and missing auth for critical functions (CVSSv3 9.8); vendor fix available in SD-330AC 1.50 and AMC Manager 5.1.0. SenseLive X3050 (V1.523) — 11 CVEs including authentication bypass via alternate path (CVE-2026-40630), hard-coded credentials, cleartext transmission, client-side-only auth (CVSSv3 9.8); SenseLive has not responded to CISA coordination, no vendor patch available. Siemens advisories cover RUGGEDCOM CROSSBOW SAM/SAC (authz bypass, SQLite arbitrary code exec), Industrial Edge Management (unauthenticated authorization bypass — critical-function impact), SCALANCE W-700, SINEC NMS password-reset authz bypass, TPM 2.0 OOB-read, and Hardy Barth Salia EV Charge Controller (unrestricted file upload). Sectors exposed: critical manufacturing, water/wastewater, energy, IT.

SOC Action: Prioritise patching in this order: (1) Siemens Industrial Edge Management (unauth remote access to connected devices); (2) Siemens RUGGEDCOM CROSSBOW SAC (SQLite RCE); (3) Silex SD-330AC/AMC Manager to 1.50 / 5.1.0. For SenseLive X3050, where no patch exists, isolate devices behind a jump-host, disable the web management interface, and force all sessions to terminate on a 15-minute idle timeout. Add ICS-CERT advisory IDs ICSA-26-111-01…12 to the next change-advisory cycle.

3.9 Ransomware operations — qilin, The Gentlemen, Coinbase Cartel, anubis, shadowbyt3$ and DragonForce dominate

Source: RansomLook (39 victim disclosures across listed groups on 20 April)

The RansomLook telemetry for the day shows qilin and The Gentlemen maintain the top slots for active victim postings (qilin accounting for ~10 fresh listings including Sea Air International Forwarders, PTS Office Systems, Industrial Carrocera Arbuciense, Heartland Steel Products, STERIMED, Safety Engineering Laboratories, ruskcountywi.us, Avitrans, Roman Catholic Archdiocese of St John); Coinbase Cartel posted Commscope, SIG.biz, Playmates Toys, Engie; shadowbyt3$ disclosed Stride Learning and Ellucian PowerCapus; anubis named Samuel I. White PC and ViaQuest; DragonForce listed Champion Homes; morpheus listed GGI; payoutsking, embargo, chaos, inc ransom, the gentlemen, ransomhouse, securotrop and Tox1 each logged one or more. Separately, a former ransomware negotiator pleaded guilty to BlackCat/ALPHV involvement, and Scattered Spider member Tyler “Tylerb” Buchanan pleaded guilty to wire-fraud conspiracy tied to the 2022 SMS-phishing spree that breached Twilio, LastPass, DoorDash, and Mailchimp.

SOC Action: For the named victim organisations, mirror RansomLook data and launch third-party-risk follow-ups (shared services, supplier notification). Broadly, prioritise detection around qilin’s phishing→valid-accounts chain (T1566/T1078) and The Gentlemen’s SystemBC proxy TTPs (T1021, T1071) — block outbound to known SystemBC infrastructure and alert on Microsoft Teams helpdesk-impersonation patterns correlated with this cluster (see §4).

4. AI-Identified Correlation Trends

Risk	Trend	Supporting Evidence
🔴 CRITICAL	Sophisticated APT groups leveraging social engineering and remote services	Iranian APT Seedworm Targets Global Organizations via Microsoft Teams; The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy (batch 80)
🟠 HIGH	Increased use of phishing and credential access techniques across sectors	Seiko USA defacement; $290 M KelpDAO theft; GUEGUEN Avocats (qilin); Teams helpdesk impersonation; FlowerStorm phishing kit (batch 80)
🟠 HIGH	Ransomware-as-a-Service operations targeting multiple sectors	SEL; City’Pro; The Go Solution; Cooperativa de Hospitales de Antioquia — all by qilin (batch 80)
🟠 HIGH	Everest ransomware group consistently targeting multiple sectors with double-extortion tactics	Umiles Group; Tokoparts; Straight Line Logistics; PT Brantas Abipraya; Nutrabio; Citizens Bank; Complete Aircraft Group; Frost Bank (batch 79)

The 20 April correlation batch (batch 80, 52 reports, 20 entries, 3 trends) also highlighted actor-level overlap between the two Scattered Spider guilty-plea reports (confidence 0.90, TTP: T1566, T1078), and a TTP cluster around T1566 (Phishing) spanning 12 distinct reports — the single largest cross-report correlation of the day.

5. Trending Entities (Pipeline-Wide)

Threat Actors

• qilin / Qilin (58 + 40 reports) — dominant RaaS operator across healthcare, logistics, legal and manufacturing victims; uses phishing → valid-accounts chains
• The Gentlemen (55 + 24 reports) — RaaS affiliate pairing Gentlemen ransomware with SystemBC proxy; heavy Teams-impersonation overlap
• nightspire (33 reports) — sustained mid-volume RaaS presence
• Coinbase Cartel (32 reports) — RaaS with Tox-based comms, posted Engie, Commscope, Playmates Toys, SIG.biz on 20 April
• TeamPCP (29 reports) — continuing presence in the hacktivist/defacement overlap
• DragonForce / dragonforce (27 + 27 reports) — customizable-payload RaaS cartel, listed Champion Homes
• shadowbyt3$ (24 reports) — active against education (Stride Learning, Ellucian)
• Lazarus Group — attribution added for $290 M KelpDAO rsETH heist via TraderTraitor sub-cluster
• Scattered Spider — second guilty plea (Tyler Buchanan) confirmed; core operators increasingly constrained by law-enforcement action
• Void Dokkaebi / Famous Chollima (WageMole) — worm-like supply-chain campaign via fake developer interviews

Malware Families

• RansomLock / RansomLook (46 + 11 reports) — aggregator tag, reflects volume of ransomware leak-site telemetry rather than a single family
• Qilin / dragonforce ransomware / Akira ransomware / Tox1 / Gentlemen ransomware / DragonForce ransomware — top RaaS payload families by pipeline frequency
• Lotus Wiper — new entrant; destructive wiper targeting Venezuelan energy sector
• RedSun.exe — new PoC exploit for Microsoft Defender LPE zero-day
• NGate — new Android NFC-stealer variant abusing HandyPay in Brazil
• DEV#POPPER RAT, BeaverTail, InvisibleFerret, OmniStealer, OtterCookie — Void Dokkaebi toolkit
• StepDrainer — MaaS multi-chain crypto wallet / NFT drainer

6. Source Distribution

Source	Reports	URL	Notes
RansomLock	38	link	Primary driver of the high-severity count — victim disclosures for qilin, The Gentlemen, Coinbase Cartel, shadowbyt3$, dragonforce, anubis, morpheus, chaos, embargo, ransomhouse, securotrop, payoutsking, inc ransom, Tox1
CISA	11	link	ICS advisory wave ICSA-26-111-01..12 (Silex, SenseLive, Siemens ×7, Hardy Barth)
BleepingComputer	9	link	Cisco SD-WAN KEV, ActiveMQ exploitation, Lotus wiper, KelpDAO heist, NGate, BlackCat negotiator plea
AlienVault	7	link	Lotus wiper analysis; RedSun.exe PoC; Void Dokkaebi; StepDrainer; macOS ClickFix
RecordedFutures	4	link	Vercel/Context.ai breach
Microsoft	4	link	MSRC informational CVE updates (CVE-2026-26168, CVE-2026-32288)
Wired Security	3	link	Geopolitical / OSINT coverage
Cisco Talos	3	link	macOS native-primitive abuse; phishing & MFA exploitation; state-sponsored printer threats
Wiz	2	link	Build-pipeline security
Sysdig	1	link	AI-offensive capability analysis
SANS	1	link	Research update
Upwind	1	link	Cloud security research
Schneier	1	link	Commentary
Crowdstrike	1	link	Threat research
Krebs on Security	1	link	Scattered Spider “Tylerb” guilty plea

7. Consolidated Recommendations

• 🔴 IMMEDIATE: Patch or isolate Cisco Catalyst SD-WAN Manager against CVE-2026-20133 (KEV, FCEB deadline 24 April) and Apache ActiveMQ against CVE-2026-34197 (patch to 6.2.3 / 5.19.4, FCEB deadline 30 April). Block the RedSun.exe SHA256 (57a70c38…6935120) and enforce Defender tamper-protection until a vendor fix lands.
• 🔴 IMMEDIATE: Energy/utility operators with Latin America exposure should deploy the Lotus-wiper precursor detections (UI0Detect stop, diskpart clean all, mass account disable) and verify offline backups are intact and air-gapped.
• 🟠 SHORT-TERM: Audit third-party AI-agent and browser-extension OAuth grants in Google Workspace / M365; treat any PaaS environment variables not flagged “sensitive” as compromised on a workspace-token leak (Vercel/Context.ai pattern). Rotate secrets before project deletion.
• 🟠 SHORT-TERM: Apply Siemens ICS patches in the order Industrial Edge Management → RUGGEDCOM CROSSBOW → SCALANCE / SINEC NMS; isolate SenseLive X3050 devices (no vendor patch) behind a jump-host.
• 🟡 AWARENESS: Update developer-hiring and onboarding guidance to counter the Void Dokkaebi fake-interview supply-chain campaign: disable VS Code workspace-trust auto-run, scan newly cloned repositories, and brief HR on the DPRK WageMole pattern. DeFi/crypto teams should assume continued Lazarus targeting of cross-chain verification layers.
• 🟢 STRATEGIC: RaaS volume (qilin, The Gentlemen, Coinbase Cartel, DragonForce, anubis, shadowbyt3$) remains the dominant operational pressure. Invest in Teams / helpdesk-impersonation detection (T1566+T1078 overlap identified by the AI correlation batch) and SystemBC proxy egress controls. Track law-enforcement disruption of Scattered Spider and BlackCat as attribution signal, not as threat reduction — affiliates are reorganising under RaaS brands captured above.

---

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 89 reports processed across 2 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.