End-of-Day report
Timeframe: Thursday 16-04-2026 18:00 - Friday 17-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers.
https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/
ZionSiphon malware designed to sabotage water treatment systems
A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations.
https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/
Recently leaked Windows zero-days now exploited in attacks
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions.
https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/
Every Old Vulnerability Is Now an AI Vulnerability
AI's danger isn't that it's creating new bugs, it's that it's amplifying old ones.
https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
Totalrecall Reloaded: Tool shows vulnerability in Windows Recall
A new version of the Totalrecall tool shows how data can still be extracted from Windows Recall comparatively easily.
https://www.golem.de/news/totalrecall-reloaded-tool-zeigt-schwachstelle-in-windows-recall-2604-207704.html
For 2,300 US dollars: Researcher coaxes a dangerous Chrome exploit out of Claude
A researcher used Claude Opus to develop a working exploit chain for Chrome in around 20 hours. Mythos isn't even needed for that.
https://www.golem.de/news/fuer-2-300-us-dollar-forscher-entlockt-claude-gefaehrlichen-chrome-exploit-2604-207706.html
Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors
During a recent malware cleanup investigation, we encountered a compromised Joomla website where the site owner reported a strange issue. Their website displayed a large number of suspicious product links that had nothing to do with their business. These products were not added by the website owner and did not exist in their catalog.
https://blog.sucuri.net/2026/04/joomla-seo-spam-injector-obfuscated-php-backdoor-hijacking-site-visitors.html
North Korea targets macOS users in latest heist
Social engineering: low-cost, hard to patch, and scales well
North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.
https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
Espionage fears in the Bendlerblock: Pistorius bans private mobile phones from meetings
Due to acute risks of eavesdropping by Russia and China, the Ministry of Defence is tightening the rules for smartphones and smartwatches in sensitive areas.
https://www.heise.de/news/Spionageangst-im-Bendlerblock-Pistorius-verbannt-Privat-Handys-aus-Sitzungen-11261358.html
Easter certificate disaster at D-Trust: tens of thousands of certificates invalid
Between Maundy Thursday and Easter Monday, admins had to replace their TLS certificates. Now D-Trust announces: almost 60,000 were not compliant.
https://www.heise.de/news/Oesterlicher-Zertifikats-GAU-bei-D-Trust-Zehntausende-Zertifikate-ungueltig-11261453.html
Windows updates: unexpected server reboots and login disruptions
The April updates for Windows Server have side effects. Servers reboot unexpectedly or do not allow admin logins.
https://www.heise.de/news/Windows-Updates-Unerwartete-Server-Reboots-und-Anmeldestoerungen-11261652.html
"Your shipment has arrived" email hides remote access software
This DHL-themed email tries to get recipients to install remote access software attackers can use to deploy further malware, including ransomware.
https://www.malwarebytes.com/blog/news/2026/04/your-shipment-has-arrived-email-hides-remote-access-software
Sometimes changing the password on your email mailbox isn't enough
Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the Fortra blog.
https://www.fortra.com/blog/sometimes-changing-password-your-email-mailbox-isnt-enough
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.
https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files
Hackers spread CGrabber and Direct-Sys malware through GitHub ZIP files, bypassing security tools to steal passwords, crypto wallets, and user data.
https://hackread.com/cgrabber-direct-sys-malware-github-zip-files/
New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks
Cybersecurity researchers at Fortinet have discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.
https://hackread.com/mirai-variant-nexcorium-dvr-devices-ddos-attacks/
Android 13 reaches end of support: millions of devices affected
Android 13 is out. Google already ended support for the OS version released in 2022 at the beginning of March.
https://heise.de/-11262547
Obfuscation vs the Optimizer: An LLVM Middle-End Arms Race
Obfuscation is security through obscurity; its purpose is to transform a piece of code into a much more complex representation, whilst preserving the original semantics of the code. A compiler's job is to transform source code into binary code and produce the simplest and most optimized representation it can for a given architecture. These are contrary goals, yet this contradiction is where obfuscators find their greatest leverage.
http://blog.quarkslab.com/obfuscation-vs-the-optimizer-an-llvm-middle-end-arms-race.html
HTTP desync in Discord's media proxy: Spying on a whole platform
In 2022, I came across a quirky behavior on media.discordapp.net when I miskeyed a space character into an attachment link: a 502 bad gateway. After some fiddling I realized that this was caused by an HTTP injection bug within the media proxy's request to the upstream GCP bucket. The space character corrupted the proxied HTTP message, which caused the connection to prematurely terminate.
https://tmctmt.com/posts/http-desync-in-discord/
Russian GRU Cyber Campaign Targets Western Logistics Firms Supporting Ukraine
A new joint cybersecurity advisory has revealed an ongoing Russian GRU cyber campaign targeting Western logistics entities and technology companies, particularly those involved in coordinating and delivering aid to Ukraine. The activity has been linked to the Russian General Staff Main Intelligence Directorate's Unit 26165, widely tracked in the cybersecurity community as APT28 or Fancy Bear.
https://thecyberexpress.com/russian-gru-cyber-campaign-targets-logistics/
Vulnerabilities
Attackers are attacking Apache ActiveMQ Broker, Apache ActiveMQ
Admins should promptly install the versions of Apache ActiveMQ Broker and Apache ActiveMQ that are hardened against the currently ongoing attacks.
https://www.heise.de/news/Angreifer-attackieren-Apache-ActiveMQ-Broker-Apache-ActiveMQ-11262046.html
YubiKey Manager: security vulnerability allows execution of injected code
Yubico warns of a search-path vulnerability in YubiKey Manager, libfido2 and python-fido2. Updates fix the flaws.
https://www.heise.de/news/YubiKey-Manager-Sicherheitsluecke-ermoeglicht-Ausfuehrung-untergeschobenen-Codes-11262018.html
LWN Security updates for Friday
https://lwn.net/Articles/1068400/