The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.
Axios maintainer tricked by Teams ClickFix technique
The maintainer of the popular open-source Axios project has revealed how he was tricked into installing a remote access Trojan (RAT) on his machine. North Korean threat actors first impersonated a company founder in their initial outreach, then invited him to a Slack workspace branded with the company’s logos and populated with realistic channels, staged activity and fake profiles posing as other OSS maintainers. Eventually they scheduled a meeting with him, but the meeting link displayed an error message claiming that a Teams update had to be installed to join. The “update” was the RAT.
Why it matters
A separate report claims the same actors have used the same playbook against many other targets, and Google has also seen them targeting the crypto sector. It is likely that other threat groups will adopt the same social engineering technique.
Assured’s recommended action
Educate employees about ClickFix-style social engineering through real-world simulations, stressing that a meeting link or collaboration platform should never require a software install to fix an error; genuine updates arrive through the application’s own updater or a signed installer from the vendor’s domain. Reevaluate controls that block RAT downloads, and configure EDR/MDR tools to spot post-compromise activity.
Fortinet FortiClient EMS customers urged to patch critical zero-day
Fortinet has issued an emergency patch for a zero-day vulnerability that is being exploited in the wild. CVE-2026-35616 is an improper access control flaw with a CVSS score of 9.1 which could allow an unauthenticated attacker to execute unauthorised code or commands via crafted requests. It should not be confused with CVE-2026-21643, an SQL injection flaw that the vendor patched last week.
Why it matters
If threat actors hijack an organisation’s endpoint management infrastructure, they can push malicious updates to every managed endpoint and pivot deeper into corporate and cloud systems for espionage or ransomware.
Assured’s recommended action
Follow Fortinet’s advice and apply the hotfix for FortiClient EMS 7.4.5 and 7.4.6. The forthcoming FortiClient EMS 7.4.7 release will also include the fix. Because the flaw is exploitable without authentication, also check whether the EMS management interface is reachable from the internet and restrict it to trusted networks.
Get ready for AI-powered exploits as Anthropic launches Project Glasswing
Anthropic has unveiled Mythos, a powerful new model which it says found and exploited thousands of vulnerabilities across major operating systems and web browsers. OpenAI is reportedly developing similar capabilities. Anthropic has pledged to limit the model’s release and has set up Project Glasswing, under which technology vendors will use Mythos Preview to find and fix flaws in their own products.
Why it matters
Although Anthropic has vowed to limit the release of Mythos, threat actors may well obtain it or comparable capabilities, collapsing the window between disclosure and exploitation for network defenders. Glasswing could ultimately make the digital world more secure, but it may also produce a surge of emergency vendor patches for teams to apply.
Assured’s recommended action
Reevaluate patching cadence and consider automated, AI-assisted tooling to find, fix and patch vulnerabilities. Accelerate zero-trust plans to limit the blast radius of a successful attack. Build AI-powered vulnerability discovery into risk planning. Prioritise supply chain partners and vendors that use such tooling to find and fix flaws in their own products.
UNC6783 goes after BPOs and helpdesk staff
Google is tracking a new financially motivated threat group, UNC6783, that targets business process outsourcers (BPOs) and “high-value corporate entities” for data theft and extortion. The group uses live chat to send helpdesk and support staff phishing messages that direct them to spoofed Okta login pages hosted on Zendesk-themed phishing domains. UNC6783 is also known to use fake security software updates to trick users into downloading remote access malware.
Why it matters
Threat actors continue to target helpdesks as the soft underbelly of the enterprise, using them to gain network access for data theft, ransomware and extortion. The phishing kit used here defeats MFA by stealing clipboard contents and enrolling new devices for persistent access, so a stolen password plus a one-time code is enough for the attacker to stay in.
Assured’s recommended action
Implement phishing-resistant MFA such as FIDO2 hardware security keys, especially for support and helpdesk staff. Monitor live chat for suspicious interactions and external links. Educate employees about the campaign. Block domains matching the [.]zendesk-support[.]com pattern. Monitor for any updates downloaded during support sessions. And audit newly enrolled MFA devices for unauthorised enrolments.
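Two of those actions can be scripted. The following is an added example, not code from the briefing or from Google’s report: it flags URLs in a chat transcript whose host falls under the [.]zendesk-support[.]com pattern (or otherwise mentions Zendesk without being under the genuine zendesk.com), and it lists recent MFA factor enrolments from Okta System Log records for review. The transcript and log events are constructed; the Okta event type `user.mfa.factor.activate` and the `actor`/`client`/`published` fields follow the System Log schema, but the trusted network range is an assumption.

```python
"""Added example: Zendesk-lookalike URL triage plus Okta MFA enrolment audit.
All sample data is constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LEGIT_ZENDESK = "zendesk.com"
# The pattern named in the briefing: any host under zendesk-support.com.
BLOCK_RE = re.compile(r"(?:^|\.)zendesk-support\.com$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url_or_host):
    """Lowercase hostname from a URL or bare host, port and trailing dot removed."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host as a netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def classify_host(url_or_host):
    """'block' for the known lookalike pattern, 'review' for any other host that
    mentions zendesk but is not under the genuine zendesk.com, else 'ok'."""
    h = host_of(url_or_host)
    if BLOCK_RE.search(h):
        return "block"
    if h == LEGIT_ZENDESK or h.endswith("." + LEGIT_ZENDESK):
        return "ok"
    if "zendesk" in h:
        return "review"
    return "ok"


def scan_chat(transcript):
    """Return [(line_no, url, verdict)] for every URL that is not 'ok'."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), 1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,);")  # drop sentence punctuation glued to the URL
            verdict = classify_host(url)
            if verdict != "ok":
                hits.append((n, url, verdict))
    return hits


def recent_enrolments(events, now, window_hours=24, trusted_nets=()):
    """Return MFA factor activations inside the window, noting whether the
    client IP is inside trusted_nets (a list of CIDR strings)."""
    nets = [ip_network(n) for n in trusted_nets]
    cutoff = now - timedelta(hours=window_hours)
    out = []
    for ev in events:
        if ev.get("eventType") != "user.mfa.factor.activate":
            continue
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        ip = ev.get("client", {}).get("ipAddress", "")
        trusted = bool(ip) and any(ip_address(ip) in n for n in nets)
        out.append({"user": ev["actor"]["alternateId"], "ip": ip,
                    "when": ev["published"], "trusted_source": trusted})
    return out


# Constructed live-chat transcript: an attacker posing as a colleague.
SAMPLE_CHAT = """\
10:02 agent: Hi, how can I help today?
10:03 visitor: SSO is broken, IT said re-verify here: https://login.zendesk-support.com/okta/verify
10:04 visitor: the docs are at https://support.zendesk.com/hc/en-us
10:05 visitor: or use https://okta-zendesk-portal.net/login."""

# Constructed Okta System Log records (assumed trusted range: 198.51.100.0/24).
NOW = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.activate", "published": "2026-04-20T09:15:00.000Z",
     "actor": {"alternateId": "agent1@example.com"}, "client": {"ipAddress": "203.0.113.9"}},
    {"eventType": "user.mfa.factor.activate", "published": "2026-04-18T09:15:00.000Z",
     "actor": {"alternateId": "agent2@example.com"}, "client": {"ipAddress": "198.51.100.4"}},
    {"eventType": "user.session.start", "published": "2026-04-20T10:00:00.000Z",
     "actor": {"alternateId": "agent1@example.com"}, "client": {"ipAddress": "198.51.100.4"}},
]

if __name__ == "__main__":
    for line_no, url, verdict in scan_chat(SAMPLE_CHAT):
        print(f"line {line_no}: {verdict:6} {url}")
    for e in recent_enrolments(SAMPLE_EVENTS, NOW, 24, ["198.51.100.0/24"]):
        print(e)
```

The `review` tier exists because blocking only the exact pattern is brittle: the same kit can be re-hosted on any domain that merely contains the brand name, and an enrolment from an untrusted address within hours of a helpdesk chat is the signal to pull the session and the factor.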
NCSC warns of new Russian DNS hijacking campaign
The National Cyber Security Centre (NCSC) has warned that the Russian state-backed group APT28 is hijacking vulnerable small office/home office (SOHO) routers to steal Microsoft credentials. The attackers changed the routers’ DNS settings to point at virtual private servers (VPS) under their control, which act as rogue DNS resolvers. This lets them redirect and intercept authentication traffic and steal Microsoft logins and OAuth tokens. The DNS hijacking component of the so-called “Frost Armada” campaign is said to have been opportunistic, aimed at amassing a large pool of potential targets that could later be whittled down.
Why it matters
Critical infrastructure, technology, government and defence organisations were singled out by APT28 for follow-on espionage. DNS hijacking makes the attack extremely difficult even for security-conscious employees to spot, because the hostname they type is genuine and only the address it resolves to has changed; stolen OAuth tokens can then be replayed to bypass MFA.
Assured’s recommended action
Update guidance for home workers (especially those using TP-Link or MikroTik routers) to replace devices that no longer receive vendor support, install the latest firmware, change default administrator credentials, and disable remote management interfaces. Enforce a Zero Trust network access model for home and office users, ideally with FIDO2/WebAuthn security keys, which bind the credential to the genuine origin and cannot be phished through a redirected login page.
Microsoft has also published a list of mitigations for DNS hijacking and credential theft.
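Because the hijack lives in the router rather than on the endpoint, the practical way to catch it at scale is to compare what each endpoint reports. The following is an added example, not from the NCSC advisory or Microsoft’s mitigations: it combines two signals, an endpoint using a resolver outside the expected set (corporate DNS, the ISP’s, or a well-known public resolver) and an endpoint receiving answers for a Microsoft sign-in hostname that differ from the fleet majority. The records, the resolver allowlist and the field names (`host`, `resolver`, `qname`, `answers`) are constructed assumptions rather than any product’s telemetry schema.

```python
"""Added example: detect router-level DNS hijacking from endpoint telemetry.
Records and the resolver allowlist are constructed for illustration."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed allowlist: corporate DNS over VPN plus well-known public resolvers.
EXPECTED_RESOLVERS = ["10.0.0.0/8", "1.1.1.1/32", "8.8.8.8/32", "9.9.9.9/32"]

# Constructed telemetry: each endpoint reports the resolver DHCP handed it and
# the A records it received for a Microsoft sign-in hostname. 198.51.100.77 is
# the constructed attacker VPS; 203.0.113.5 is the constructed rogue answer.
RECORDS = [
    {"host": "ws-01", "resolver": "10.0.0.53", "qname": "login.microsoftonline.com",
     "answers": ["192.0.2.10", "192.0.2.11"]},
    {"host": "ws-02", "resolver": "1.1.1.1", "qname": "login.microsoftonline.com",
     "answers": ["192.0.2.11", "192.0.2.10"]},
    {"host": "home-03", "resolver": "10.0.0.53", "qname": "login.microsoftonline.com",
     "answers": ["192.0.2.10", "192.0.2.11"]},
    {"host": "home-04", "resolver": "198.51.100.77", "qname": "login.microsoftonline.com",
     "answers": ["203.0.113.5"]},
    {"host": "home-05", "resolver": "8.8.8.8", "qname": "login.microsoftonline.com",
     "answers": ["192.0.2.12"]},
]


def in_any(ip, nets):
    """True if ip (string) falls inside any of the ip_network objects."""
    a = ip_address(ip)
    return any(a in n for n in nets)


def majority_answers(records, qname):
    """Most common answer set the fleet saw for qname (order-insensitive)."""
    c = Counter(frozenset(r["answers"]) for r in records if r["qname"] == qname)
    return c.most_common(1)[0][0] if c else frozenset()


def find_hijacked(records, expected_resolvers):
    """Score each record: both signals present -> high, one -> low, none -> skip."""
    nets = [ip_network(n) for n in expected_resolvers]
    baseline = {q: majority_answers(records, q) for q in {r["qname"] for r in records}}
    findings = []
    for r in records:
        reasons = []
        if not in_any(r["resolver"], nets):
            reasons.append(f"unexpected resolver {r['resolver']}")
        if frozenset(r["answers"]) != baseline[r["qname"]]:
            reasons.append(f"answers for {r['qname']} differ from fleet majority")
        if reasons:
            findings.append({"host": r["host"],
                             "severity": "high" if len(reasons) == 2 else "low",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijacked(RECORDS, EXPECTED_RESOLVERS):
        print(f["host"], f["severity"], "; ".join(f["reasons"]))
```

Either signal on its own is noisy: a public resolver may legitimately appear on a home network, and large sign-in services return different addresses by region, which is why home-05 is only rated low. A resolver that is neither corporate nor a known public service, returning answers nobody else in the fleet sees, is the combination worth an immediate router check.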