
CTI-2026-0424
Critical
Active Exploitation Confirmed

BlueHammer Exploited, Marimo RCE Hits KEV, GopherWhisper APT Abuses Slack and Discord

Over the past 24 hours, five active exploitation clusters and three secondary threat developments have created a compounded risk picture for enterprise, government, and developer environments. The leading signals are two CISA KEV additions: Marimo reactive Python notebook CVE-2026-39987, a pre-auth RCE exploited within ten hours of disclosure and now building a blockchain botnet from compromised AI and data science infrastructure; and Microsoft Defender BlueHammer CVE-2026-33825, a local privilege escalation flaw exploited as a zero-day four days before its patch shipped, with two companion flaws RedSun and UnDefend still unpatched and actively exploited. Windows IKE CVE-2026-33824 at CVSS 9.8 adds a pre-auth network RCE against VPN infrastructure to the patching queue. Storm-1175, a China-nexus ransomware operator, continues active Medusa deployment against exposed enterprise management tooling. ESET disclosed GopherWhisper, a new China-linked APT hiding C2 inside Slack, Discord, and Outlook. Supply-chain attacks hit Bitwarden CLI and Checkmarx KICS targeting developer pipelines. Rituals disclosed a loyalty programme breach affecting up to 40 million customers. Kyber ransomware is reported but unconfirmed by Tier 1 sources. Federal patch deadlines are May 6 for BlueHammer and May 7 for Marimo.

CVSS Score: 9.8
IOC Count: 0
Source Count: 14
Confidence Score: 78

CVEs: CVE-2026-33824, CVE-2026-39987, CVE-2026-40372, CVE-2026-33826, CVE-2026-33825, CVE-2026-3844, CVE-2024-27198, CVE-2024-27199, CVE-2024-57726, CVE-2024-57727, CVE-2024-57728, CVE-2025-31161, CVE-2025-52691, CVE-2026-1731, CVE-2025-10035, CVE-2026-23760, CVE-2025-48700, CVE-2025-66376

Actors: Storm-1175, GopherWhisper, UAC-0233, Trigona Ransomware Operation, TeamPCP (supply-chain group)

Sectors: Government, Enterprise IT (Windows endpoint), Financial Services, Healthcare, Software Development & Data Science (Marimo/AI-ML), WordPress-hosted sites and digital agencies, Retail & Consumer (Rituals breach), Organizations using CI/CD tooling (Bitwarden CLI, Checkmarx KICS), Organizations using ASP.NET Core applications

Regions: Global; U.S. Federal Civilian Agencies under BOD 22-01; Ukraine and conflict-adjacent government entities; Global My Rituals loyalty-program customers; Asia-Pacific and North America; European enterprises

Chapter 01 - Executive Overview

Today's threat picture is the most operationally dense single-day brief of the April 2026 cycle. Eight distinct threat clusters are active simultaneously, three of which involve confirmed in-the-wild exploitation of tools that sit at the core of enterprise security and productivity infrastructure: your Windows endpoint protection, your internal data science notebooks, and your developer pipelines. Two vulnerabilities are now in CISA's Known Exploited Vulnerabilities catalog with active federal remediation deadlines. The unifying pattern across all of today's incidents is attacker focus on trusted tooling. BlueHammer targets the endpoint protection agent itself. Marimo targets internal analytics platforms. The supply-chain compromises target the CLI tools and pipeline scanners developers invoke without scrutiny. GopherWhisper hides inside the collaboration platforms your teams use every hour. The tools most trusted by defenders have become the primary attack surface.

MARIMO PRE-AUTH RCE — Critical — Data Science, AI/ML, Internal Apps

CVE-2026-39987 is a critical pre-authentication remote code execution vulnerability in the Marimo reactive Python notebook. The /terminal/ws WebSocket endpoint accepts unauthenticated connections and delivers a full PTY terminal shell to any attacker who reaches it. No credentials. No user interaction. One network request. CVSS score: 9.3 Critical. Now listed in CISA's KEV catalog. Federal remediation deadline: May 7, 2026.

Sysdig documented exploitation within approximately ten hours of the public advisory publication on April 8, 2026. Within days, attackers were stealing credentials from .env configuration files and deploying NKAbuse malware variants through typosquatted HuggingFace Spaces, assembling a blockchain botnet of approximately 1,570 compromised notebook hosts.

For leadership, the strategic implication is direct: internal notebook platforms perceived as low-risk lab tools are not isolated. A Marimo instance with database credentials in its environment variables is a privileged entry point into production data infrastructure. It must be governed as a Tier-1 production asset.

Most urgent decision: Patch to Marimo version 0.23.0 immediately. If patching cannot be completed today, restrict all network access to Marimo instances. Rotate any credentials stored in .env files on previously exposed instances.

BLUEHAMMER DEFENDER LPE CLUSTER — Critical — Windows Enterprise Fleets

CVE-2026-33825, designated BlueHammer, is a local privilege escalation vulnerability in Microsoft Defender's antimalware platform. It exploits a TOCTOU race condition and insufficient access control granularity in Defender's remediation logic, allowing a low-privilege local user to redirect Defender's privileged file operations toward sensitive targets including the SAM database. Exploit chains abuse volume snapshots, NTFS junctions, and opportunistic locks to trick Defender into reading or writing high-value files under SYSTEM context, turning any existing low-privilege foothold on a Windows endpoint into full local compromise. CVSS: 7.8. Now listed in CISA's KEV catalog. Federal remediation deadline: May 6, 2026. In-the-wild exploitation confirmed by Huntress beginning April 10, 2026, four days before the patch shipped.

Two companion flaws, designated RedSun and UnDefend by researcher Chaotic Eclipse, remain completely unpatched as of this report date. Both have been actively exploited in the wild since April 16, 2026. UnDefend is of particular concern because it does not compromise the endpoint directly — it blinds it. By blocking Defender's security definition updates, UnDefend degrades the primary detection mechanism on affected endpoints, creating a window in which follow-on activity including credential theft and lateral movement proceeds without standard alerting. The confirmed exploitation chain is: BlueHammer to achieve SYSTEM privilege, then UnDefend to suppress detection, then RedSun to maintain privilege. This is a coordinated three-stage attack against the endpoint protection agent itself.

Most urgent decision: Verify Defender Antimalware Platform version 4.18.26050.3011 or later across all Windows endpoints today. Any endpoint running a prior version with anomalous SYSTEM-level process activity since April 10, 2026 should be treated as potentially compromised and escalated immediately.

WINDOWS IKE RCE (CVE-2026-33824) — Critical — VPN and IPsec Infrastructure

CVE-2026-33824 is the highest-CVSS vulnerability in today's brief at 9.8. It is an unauthenticated remote code execution flaw in Windows Internet Key Exchange Service Extensions, exploitable over the network with no authentication and no user interaction required. The attack vector is a double-free memory corruption triggered by a malformed IKE packet on UDP 500 or UDP 4500, the standard ports for IPsec and VPN gateway traffic. Patched in Microsoft's April 2026 Patch Tuesday cycle. No exploitation has been confirmed in sources as of this report date. However, the combination of CVSS 9.8, no authentication requirement, ubiquitous deployment in enterprise VPN infrastructure, and the precedent of adjacent Defender vulnerabilities already being weaponised places this squarely in the emergency patch verification category.

Most urgent decision: Confirm April 2026 Patch Tuesday deployment on all internet-exposed Windows systems running IKE and IPsec. If patching cannot be confirmed today, restrict UDP 500 and UDP 4500 to known peer IP ranges at the perimeter until verification is complete.

STORM-1175 / MEDUSA RANSOMWARE — High — Multi-Sector Enterprise

Microsoft Threat Intelligence has attributed a sustained, high-velocity campaign deploying Medusa ransomware to Storm-1175, a China-nexus financially motivated group. The actor has exploited more than sixteen CVEs across BeyondTrust, CrushFTP, SmarterMail, JetBrains TeamCity, SimpleHelp, and Oracle WebLogic, including two zero-day exploits used before public disclosure. Documented dwell time from initial access to ransomware deployment has been measured in hours in some cases. The group targets Linux systems as well as Windows infrastructure.

Most urgent decision: Verify patch status on all internet-exposed instances of BeyondTrust, CrushFTP, SmarterMail, JetBrains TeamCity, SimpleHelp, and Oracle WebLogic. Any instance that is internet-facing and unpatched should be taken offline until remediation is confirmed.

GOPHERWHISPER APT — High — Government Entities

ESET has disclosed GopherWhisper, a previously undocumented state-backed threat group linked to China, using Go-based backdoors with command-and-control traffic routed through Microsoft Outlook, Slack, and Discord APIs. Thousands of recovered messages from Slack and Discord channels indicate operations have been running since 2023. Targets are government entities across multiple countries. The operational significance is that GopherWhisper uses legitimate SaaS collaboration platforms as its command infrastructure, a technique that defeats traditional C2 detection logic based on unknown or suspicious domains. Standard network egress monitoring that whitelists Microsoft 365 and Slack traffic will not flag GopherWhisper C2 activity by itself.

Most urgent decision: Government and government-adjacent organisations must review anomalous access patterns on Outlook, Slack, and Discord API activity, particularly from service accounts or background processes, and revisit whether collaboration platform logging provides sufficient visibility for C2 detection.

SUPPLY-CHAIN COMPROMISES — High — Developer Tooling and CI/CD Pipelines

Two parallel supply-chain compromises were active within the reporting window. The @bitwarden/cli NPM package was tampered with — version 2026.4.0 contained a credential-stealing payload and was available for approximately 90 minutes before removal. Simultaneously, Checkmarx KICS Docker images and VSCode and Open VSX extensions were compromised to harvest developer secrets. Both incidents are associated with a group called TeamPCP and the Shai-Hulud worm. Attribution is low confidence as it is self-claimed with no Tier 1 corroboration. The operational risk is concrete: any CI/CD pipeline that pulled @bitwarden/cli 2026.4.0 or used KICS images during the compromise window may have had credentials and secrets exfiltrated.

Most urgent decision: If your environment pulled @bitwarden/cli 2026.4.0 from NPM or used KICS images during the compromise window, rotate all credentials and secrets immediately and rebuild pipelines from trusted sources.

BREEZE CACHE WORDPRESS PLUGIN (CVE-2026-3844) — Medium — Web Infrastructure

An unauthenticated file upload vulnerability in the Cloudways Breeze Cache WordPress plugin affecting versions up to 2.4.4 has seen more than 170 active exploitation attempts logged by Wordfence. The flaw requires the Host Files Locally Gravatars add-on to be enabled. A patch is available in version 2.4.5.

Most urgent decision: Upgrade Breeze Cache to version 2.4.5. Disable the Gravatar caching add-on on any site where it is active. Review web server logs for suspicious POST requests to Breeze-related upload endpoints and for unexpected file writes in web-root or upload directories.

RITUALS DATA BREACH — Medium — Consumer and Retail

Luxury cosmetics retailer Rituals disclosed that attackers accessed and exfiltrated My Rituals loyalty-programme data including names, contact details, dates of birth, and gender for an undisclosed number of members from a base of approximately 40 million. No passwords or payment data were reported compromised. Authorities have been notified. The company is warning customers of elevated phishing risk. No ransomware or extortion claim has been made publicly as of this report date. The regulatory exposure under GDPR Article 33 and Article 34 is material for an EU-centric retailer of this scale.

Most urgent decision: Organisations running large loyalty or membership databases should treat this as a prompt to rehearse their own Article 33 notification workflows, data minimisation practices, and customer phishing-risk communication playbooks.

KYBER RANSOMWARE — Awareness Only — Windows and VMware ESXi

A new ransomware operation named Kyber has been reported targeting Windows and VMware ESXi environments, with at least one variant implementing wiper-like destructive behaviour. Attribution is unconfirmed. Source coverage is single-source within the window, specifically Techmaniacs on April 23, 2026, with no Tier 1 corroboration found. Confidence score for this cluster individually: 35. No incident response action is warranted based on current intelligence alone. Monitor for Tier 1 corroboration before escalating.

Chapter 02 - Threat & Exposure Analysis

Today's threat landscape is characterised by very short exploitation windows for newly disclosed vulnerabilities, deliberate attacker focus on developer and analytics tooling as a privileged entry point into wider infrastructure, and increasing abuse of legitimate SaaS collaboration platforms as command-and-control infrastructure. Two of today's leading CVEs moved from initial public disclosure to confirmed in-the-wild exploitation in under 24 hours.

CVE-2026-39987 (Marimo): OSS Notebook RCE Targeting AI and ML Workloads

CVE-2026-39987 is a pre-authentication RCE in the Marimo reactive Python notebook. The /terminal/ws WebSocket endpoint fails to enforce authentication entirely, unlike other Marimo WebSocket endpoints which do implement authentication checks correctly. Any unauthenticated attacker who can reach the endpoint receives a full PTY terminal shell operating with the same privileges as the Marimo process. Because Marimo notebooks are commonly run with direct access to cloud credentials, database connection strings, and internal service tokens stored in environment variables and .env files, compromise of an exposed instance can quickly escalate from a single container to production data stores such as PostgreSQL and other internal services.

Sysdig's timeline shows exploitation began within roughly ten hours of public advisory publication. Exploitation events numbered in the hundreds across multiple cloud providers within days. Post-exploitation activity included systematic credential theft from .env files and deployment of an NKAbuse malware variant distributed via typosquatted HuggingFace Spaces, ultimately building a blockchain botnet of approximately 1,570 hosts before researchers documented the full campaign. CISA's KEV entry confirms this vulnerability is treated as a known exploited issue with a remediation due date of May 7, 2026 for federal agencies under BOD 22-01.

CVE-2026-33825 (BlueHammer): Defender LPE on Windows Endpoints

BlueHammer is rooted in insufficient granularity of access control combined with race-condition bugs in Microsoft Defender's remediation logic. The exploit chain works by abusing volume shadow copies, NTFS junction points, and opportunistic locks to trick Defender's privileged remediation process into performing file operations against attacker-chosen targets rather than the intended quarantine paths. This allows redirection of Defender's privileged reads and writes to sensitive files such as the SAM database or system binaries, achieving SYSTEM-level privilege escalation from a standard low-privilege user account. Huntress documented real-world exploitation beginning April 10, 2026, four days before Microsoft's patch shipped. The PoC was released publicly by researcher Chaotic Eclipse on approximately April 7, 2026. CISA has added BlueHammer to the KEV catalog and ordered US federal civilian executive branch agencies to patch by May 6, 2026.

RedSun adds a second LPE path in Defender via a separate mechanism. UnDefend uses a denial-of-service technique to block Defender's security definition update mechanism entirely. The practical consequence of UnDefend is that an affected endpoint's primary detection capability degrades over time and can no longer respond to emerging threat signatures, creating a blind spot that facilitates follow-on stages of an intrusion. Both flaws have confirmed public PoC code and both remain unpatched.

CVE-2026-3844: Breeze Cache WordPress Plugin File Upload

CVE-2026-3844 is a critical vulnerability in the Cloudways Breeze Cache plugin for WordPress that allows unauthenticated file uploads to the web server when the Host Files Locally Gravatars add-on is enabled, affecting versions up to 2.4.4. The flawed file upload implementation in the Gravatar-caching add-on does not enforce authentication on the upload endpoint, enabling attackers to place arbitrary files including web shells on the server and achieve initial code execution footholds. Wordfence has logged more than 170 exploitation attempts, indicating opportunistic mass scanning against WordPress sites running the vulnerable configuration. The vendor has released Breeze 2.4.5 to remediate the issue, but exploitation remains active wherever administrators have not yet upgraded or have left the risky add-on enabled.

CVE-2026-40372: ASP.NET Core Data Protection Privilege Escalation

CVE-2026-40372 is a high-impact vulnerability in the ASP.NET Core Data Protection cryptographic APIs carrying a CVSS score of 9.1. Microsoft discovered that NuGet packages in version 10.0.6 compute HMAC validation tags over incorrect payload bytes and then discard those tags, breaking the trust model for all encrypted and signed application data. This incorrect HMAC validation logic allows forged payloads to pass authenticity checks, enabling unauthenticated attackers to forge authentication cookies, antiforgery tokens, and other signed state used for authentication and authorisation. The flaw affects non-Windows platforms running the affected NuGet packages. Microsoft released an out-of-band update to version 10.0.7 to remediate the issue. No exploitation has been confirmed in sources as of this report date, but the authentication bypass potential is significant for any affected application.
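The bug class described above (a validation tag computed over the wrong bytes and then never enforced) is easiest to understand next to a correct encrypt-then-MAC check. The following is an added illustration written for this brief, not Microsoft's Data Protection code: the keys, the SHA-256 counter keystream standing in for the real cipher, and the cookie-like payload are all constructed for the example. It contrasts a verifier that mirrors the broken pattern with one that recomputes the HMAC over exactly the protected bytes, compares it in constant time, and refuses to decrypt on mismatch.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed keys for the example only; a real key ring derives separate
# encryption and validation keys per key id.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 so the example runs with
    the standard library alone. A stand-in for the real cipher, nothing more."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers every byte the receiver will parse
    (nonce and ciphertext), so any change to the blob changes the tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect_broken(blob: bytes) -> Optional[bytes]:
    """Verifier modelled on the bug class in the advisory: the HMAC is computed
    over the wrong bytes and its result is never compared, so a tampered blob
    decrypts 'successfully'. Present only to contrast with unprotect()."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    _discarded = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()  # wrong input, never checked
    return _xor(ct, _keystream(ENC_KEY, nonce, len(ct)))


def unprotect(blob: bytes) -> Optional[bytes]:
    """Correct verifier: recompute the tag over exactly the protected bytes,
    compare in constant time, and refuse to decrypt on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(ENC_KEY, nonce, len(ct)))


def tamper_check(plaintext: bytes) -> dict:
    """Modify one ciphertext byte and report how each verifier treats the result."""
    blob = bytearray(protect(plaintext))
    blob[NONCE_LEN] ^= 0x01  # first ciphertext byte
    tampered = bytes(blob)
    return {
        "broken_accepts": unprotect_broken(tampered) is not None,
        "correct_rejects": unprotect(tampered) is None,
    }


if __name__ == "__main__":
    # Constructed cookie-like payload
    print(tamper_check(b"user=alice;role=user"))
```

The point for the patch and key-rotation decision is the last function: with the broken verifier, a modified payload is accepted, which is why rotating the key ring after patching (so that anything minted against the old logic no longer validates) matters as much as the code fix itself.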

CVE-2026-33824: Windows IKE Double-Free RCE

CVE-2026-33824 is a double-free memory corruption flaw in Windows Internet Key Exchange Service Extensions. The vulnerability is exploitable from the network with no authentication and no user interaction required by sending a malformed IKE negotiation packet to a target system on UDP 500 or UDP 4500. Successful exploitation results in arbitrary code execution in the context of the IKE service. The IKE service is widely deployed across enterprise environments for VPN gateway communications and IPsec-protected site-to-site links. At CVSS 9.8 with a network attack vector and no authentication requirement, the blast radius of successful exploitation would be broad. No public PoC or confirmed exploitation has been identified in sources within the reporting window. The patch shipped in April 2026 Patch Tuesday.

CVE-2026-33826: Windows Active Directory Authenticated RCE

CVE-2026-33826 is an improper input validation flaw in Windows Active Directory carrying a CVSS score of 8.0. An authenticated attacker with valid domain credentials can achieve arbitrary code execution without user interaction. This represents a meaningful lateral movement and post-exploitation risk in environments where an adversary has already obtained valid credentials, for example via the BlueHammer SAM access path. Patched in April 2026 Patch Tuesday. No confirmed exploitation in sources.

Trigona Ransomware: Custom Exfiltration Tooling

Trigona ransomware affiliates have shifted away from commodity exfiltration tools and are now using a custom command-line binary named uploader_client.exe that connects to a hardcoded server address and selectively targets specific file types to improve stealth and reduce detection signatures relative to tools like Rclone. Symantec-sourced reporting via BleepingComputer describes Trigona affiliates using AnyDesk for remote access, Mimikatz and NirSoft utilities for credential theft, and vulnerable kernel drivers loaded specifically to terminate security processes before launching the encryption payload. This bespoke toolchain indicates operational maturity and deliberate investment in detection evasion.

GopherWhisper APT: Collaboration Platforms as C2 Infrastructure

ESET's research reveals GopherWhisper as a previously undocumented state-backed group with China nexus using Go-based backdoors and routing all command-and-control traffic through legitimate Microsoft 365 Outlook, Slack, and Discord APIs. Thousands of recovered Slack and Discord messages confirm long-running operations against government entities since at least 2023. The use of legitimate SaaS platforms for C2 is a deliberate counter-detection technique: outbound HTTPS traffic to Microsoft 365 and Slack endpoints is whitelisted or minimally inspected in nearly all enterprise environments, meaning GopherWhisper C2 traffic blends invisibly into normal business communication patterns. Traditional domain-based or IP-based C2 detection will not surface this activity.

Supply-Chain Compromises: Bitwarden CLI and Checkmarx KICS

The @bitwarden/cli NPM package was briefly compromised when attackers published a malicious version 2026.4.0 containing a credential-stealing payload. This version was available for approximately 90 minutes before being removed. A parallel campaign targeted Checkmarx KICS by compromising its Docker images and VSCode and Open VSX extensions to harvest secrets from developer environments. Both incidents are claimed by a group called TeamPCP and are associated with activity attributed to the Shai-Hulud worm. Attribution confidence is low given self-claimed status and absence of Tier 1 corroboration. The primary concern for affected organisations is that automated CI/CD pipeline steps that do not pin package versions or verify image digests would have silently consumed the malicious artefacts and transmitted secrets to attacker infrastructure.

Rituals Data Breach

Rituals disclosed that attackers accessed and exfiltrated My Rituals loyalty-programme data including names, contact details, dates of birth, and gender for an unknown number of members from a total base of approximately 40 million. No passwords or payment card data were compromised. No public ransomware or extortion claim has been made. The firm has notified relevant authorities and is advising customers to remain vigilant against phishing attempts targeting the disclosed attributes. The breach method has not been disclosed in sources within the reporting window.

Cross-Incident Pattern Analysis

Three patterns emerge from the combined incident set. First, exploitation windows are collapsing: Marimo was exploited within ten hours of advisory publication, and BlueHammer was exploited four days before its patch shipped. The assumption that organisations have days or weeks to patch after disclosure is no longer tenable for high-profile CVEs. Second, trusted tooling is the primary attack surface: every leading incident today involves a tool that security or engineering teams rely on rather than a novel network-facing target. Third, collaboration and development platforms are now first-class threat surfaces: GopherWhisper's use of Slack and Outlook for C2 and the supply-chain attacks on Bitwarden and KICS both demonstrate that the development and communication toolchain is under sustained, sophisticated attack.

Chapter 03 - Operational Response

Marimo RCE (CVE-2026-39987): Immediate Containment and Hardening

Isolate exposure first. Identify all Marimo instances in your environment including lab, internal analytics, and shared data science deployments. Any instance bound to 0.0.0.0 or reachable from shared or external networks should be network-isolated immediately pending patch deployment. Patch and restart: upgrade Marimo to version 0.23.0 or later, which removes the unauthenticated /terminal/ws endpoint, and restart all services to ensure the new code is active. For any instance that was previously accessible and is now suspected to have been exposed, treat it as compromised until investigation proves otherwise: rotate all credentials stored in .env files and any other configuration sources accessible from the instance, revoke and reissue cloud credentials and database connection strings, and review access logs for evidence of the NKAbuse deployment pattern or unusual outbound connections to HuggingFace-related infrastructure.

If your environment includes notebook infrastructure that cannot be patched immediately, implement compensating controls: place the instance behind an authenticated reverse proxy, restrict access to named IP ranges, and enable application-layer logging for WebSocket connections to detect exploitation attempts.
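The application-layer logging recommended above only helps if someone reads it. The following is an added example for this brief (not Marimo's or Sysdig's code) that triages reverse-proxy access logs for the /terminal/ws endpoint named in the advisory. It assumes Marimo sits behind an nginx- or Apache-style proxy writing the combined log format, that the proxy records the 101 Switching Protocols status when a WebSocket handshake completes, and that the internal address ranges listed are your allowlist; the sample log lines are constructed, not real telemetry.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Combined log format as written by nginx/Apache (assumption: Marimo is proxied)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed internal ranges; replace with your own allowlist.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

TERMINAL_PATH = "/terminal/ws"  # endpoint named in the advisory

# Constructed sample lines, not real telemetry
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2026:03:14:07 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
10.20.0.5 - - [09/Apr/2026:09:02:11 +0000] "GET /ws?session_id=s1 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2026:11:40:55 +0000] "GET /terminal/ws HTTP/1.1" 403 153 "-" "python-requests/2.31"
10.20.0.5 - - [09/Apr/2026:12:00:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
this line does not parse and is skipped
"""


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per request to the terminal endpoint, graded by
    whether the handshake completed and where the client came from."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        path = m["path"].split("?", 1)[0]
        if not path.startswith(TERMINAL_PATH):
            continue
        status = m["status"]
        if status == "101":
            # Handshake completed: a shell was handed out on a pre-fix build.
            severity = "MEDIUM" if _is_internal(m["ip"]) else "HIGH"
            reason = "WebSocket handshake completed on terminal endpoint"
        else:
            severity = "LOW"
            reason = f"terminal endpoint requested, status {status}"
        findings.append({"severity": severity, "ip": m["ip"],
                         "time": m["ts"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["ip"], f["time"], f["reason"])
```

After upgrading to 0.23.0 or later, any 101 on this path is itself anomalous, since the endpoint is gone; before the upgrade, a 101 from an external address is the trigger for the credential-rotation steps above.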

BlueHammer Cluster (CVE-2026-33825, RedSun, UnDefend): Windows Endpoint Response

Verify Defender Antimalware Platform version 4.18.26050.3011 or later across every Windows endpoint in your environment. This version contains the BlueHammer fix and should be deployed via Microsoft Defender's automatic update mechanism as well as April 2026 Patch Tuesday. Endpoints on isolated or poorly managed network segments may not have received the automatic update and are highest risk. For endpoints running a pre-patch version, treat them as unverified exposure until the update is confirmed.

Identify any endpoints where Defender definition updates have stopped or are significantly lagged. This is a potential UnDefend exploitation indicator. Endpoints that are both running a pre-patch Defender version and showing stopped definition updates should be isolated immediately and escalated to incident response. These endpoints are both potentially compromised and detection-blind.

Hunt for anomalous SYSTEM-level process creation activity from April 10, 2026 to present. Specifically look for processes spawned under SYSTEM context from Defender service process parents, and for processes accessing the SAM registry hive outside of expected credential update workflows. Where SYSTEM-level compromise is confirmed, initiate credential rotation for all accounts whose hashes may have been accessible on the affected endpoint, including local administrator accounts and any cached domain credentials.

For RedSun and UnDefend, which remain unpatched, monitor Microsoft MSRC actively for official CVE assignments and patch availability. In the interim, restrict local user account scope to the minimum necessary, since both flaws require local access as a prerequisite.
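The two checks above (platform version at or above 4.18.26050.3011, and definition updates that have stopped) combine into a simple fleet triage. The following is an added example for this brief, not a Microsoft or Huntress tool. It assumes each endpoint's `Get-MpComputerStatus` output (the `AMProductVersion` and `AntivirusSignatureLastUpdated` properties) has already been exported centrally; the inventory rows and the three-day staleness threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REQUIRED_VERSION = (4, 18, 26050, 3011)  # platform version carrying the BlueHammer fix
STALE_AFTER = timedelta(days=3)          # constructed threshold for "updates stopped"

# Constructed inventory; assumes Get-MpComputerStatus fields were exported per host.
INVENTORY = [
    {"host": "ws-001", "AMProductVersion": "4.18.26050.3011", "AntivirusSignatureLastUpdated": "2026-04-24T06:10:00Z"},
    {"host": "ws-002", "AMProductVersion": "4.18.26030.2",    "AntivirusSignatureLastUpdated": "2026-04-23T22:00:00Z"},
    {"host": "ws-003", "AMProductVersion": "4.18.26030.2",    "AntivirusSignatureLastUpdated": "2026-04-15T09:00:00Z"},
    {"host": "ws-004", "AMProductVersion": "4.18.26060.1",    "AntivirusSignatureLastUpdated": "2026-04-14T09:00:00Z"},
    {"host": "ws-005", "AMProductVersion": "n/a",             "AntivirusSignatureLastUpdated": ""},
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Dotted platform version to a comparable tuple; None if malformed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def _parse_utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(row: Dict[str, str], now: datetime) -> str:
    ver = parse_version(row["AMProductVersion"])
    if ver is None:
        return "unknown: verify manually"
    patched = ver >= REQUIRED_VERSION
    try:
        stale = now - _parse_utc(row["AntivirusSignatureLastUpdated"]) > STALE_AFTER
    except ValueError:
        stale = True  # no signature timestamp at all is itself an anomaly
    if not patched and stale:
        return "isolate: unpatched and definition updates stopped"
    if not patched:
        return "update: pre-fix platform version"
    if stale:
        return "investigate: patched but definition updates stopped"
    return "ok"


def triage(rows: List[Dict[str, str]], now_iso: str) -> Dict[str, str]:
    """Map host -> action for the fleet, evaluated at the given UTC instant."""
    now = _parse_utc(now_iso)
    return {row["host"]: classify(row, now) for row in rows}


if __name__ == "__main__":
    for host, action in triage(INVENTORY, "2026-04-24T12:00:00Z").items():
        print(host, action)
```

Hosts in the "isolate" bucket match the combination the response section calls out: pre-fix platform plus stopped definitions, meaning potentially compromised and detection-blind at once. "Investigate" remains relevant even on patched hosts because UnDefend has no fix yet.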

Windows IKE RCE (CVE-2026-33824): Patch Verification and Exposure Reduction

Confirm April 2026 Patch Tuesday has been applied to all Windows systems, with priority on systems running IKE and IPsec VPN services. Enumerate all internet-exposed Windows endpoints with UDP 500 and UDP 4500 open and cross-reference against patch deployment status. If any IKE-exposed system is found to be unpatched, either apply the patch on an emergency basis or temporarily restrict IKE traffic to known peer IP ranges at the perimeter as a compensating control until patching is complete.

Storm-1175 / Medusa Ransomware: Exposure Reduction and Threat Hunting

Verify patch status on all internet-exposed instances of BeyondTrust Remote Support and Privileged Remote Access, CrushFTP, SmarterMail, JetBrains TeamCity, SimpleHelp RMM, and Oracle WebLogic. Any instance that is internet-facing and not fully patched should be taken offline until remediation is confirmed. Enable enhanced logging on all of these products if not already active. Review authentication logs on all of these products for unusual access patterns from April 1 to present. Storm-1175's documented capability to deploy Medusa within hours of initial access means log visibility is the primary early warning mechanism.

Validate backup integrity for any environment running the affected products. If Medusa has been deployed, uncompromised, tested, offline backups are the primary recovery mechanism.

GopherWhisper APT: Collaboration Platform Audit

For government and government-adjacent organisations, review Outlook, Slack, and Discord API access logs for patterns consistent with programmatic or service-account-driven access that does not correspond to known legitimate integrations or automation. Key anomaly signals include unusual message volumes from background processes, access from service accounts that have no business justification for collaboration tool usage, and API calls at unusual hours or from unusual source systems. Review tenant-level application authorisation grants and remove any unknown or unexplained OAuth application registrations on Microsoft 365 and Slack tenants.
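The three anomaly signals listed above (automation principals with no approved integration, activity outside business hours from non-human accounts, and abnormal call volume) translate directly into audit-log rules. The following is an added example for this brief, not ESET's tooling. The records are constructed in a Slack-like shape (principal, account kind, API method, timestamp); the approved-integration allowlist, business-hours window, and hourly volume threshold are assumptions to be replaced with your own values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

KNOWN_INTEGRATIONS = {"svc-ci-notifier"}  # constructed allowlist of approved bots/service accounts
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 UTC, constructed for the example
VOLUME_THRESHOLD = 50                     # API calls per principal per hour, constructed

# Constructed audit records, not real GopherWhisper telemetry.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2026-04-23T02:13:04Z", "principal": "svc-reporting",   "kind": "service", "action": "chat.postMessage"},
    {"ts": "2026-04-23T10:05:00Z", "principal": "alice",           "kind": "member",  "action": "chat.postMessage"},
    {"ts": "2026-04-23T15:00:00Z", "principal": "svc-ci-notifier", "kind": "service", "action": "chat.postMessage"},
    {"ts": "2026-04-23T23:45:10Z", "principal": "bob",             "kind": "member",  "action": "conversations.history"},
] + [
    # 55 polling calls inside one hour from the unapproved service account
    {"ts": f"2026-04-23T14:{i:02d}:00Z", "principal": "svc-reporting", "kind": "service", "action": "conversations.history"}
    for i in range(55)
]


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Return principal -> set of reasons for review. Principals with no
    findings are omitted."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    hourly: Counter = Counter()
    for e in events:
        ts = _parse_ts(e["ts"])
        automated = e["kind"] != "member"
        if automated and e["principal"] not in KNOWN_INTEGRATIONS:
            findings[e["principal"]].add("unapproved-automation")
        if automated and ts.hour not in BUSINESS_HOURS:
            findings[e["principal"]].add("off-hours-automation")
        hourly[(e["principal"], ts.replace(minute=0, second=0))] += 1
    for (principal, _hour), count in hourly.items():
        if count >= VOLUME_THRESHOLD:
            findings[principal].add("high-volume")
    return dict(findings)


if __name__ == "__main__":
    for principal, reasons in audit(EVENTS).items():
        print(principal, sorted(reasons))
```

Human members working late are deliberately not flagged by the hours rule; the signal the brief describes is programmatic access, so the rule keys on account kind rather than on time alone. The volume rule is the one most likely to catch beaconing that polls a channel for tasking.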

Supply-Chain Compromises: Bitwarden CLI and Checkmarx KICS

For environments that may have pulled @bitwarden/cli version 2026.4.0 from NPM or used Checkmarx KICS Docker images or IDE extensions during the compromise window, the immediate actions are: rotate all credentials and secrets that would have been accessible to the pipeline at the time, rebuild pipeline images and tooling from known-good trusted sources, and audit pipeline logs for evidence of unexpected outbound connections during build steps that consumed the affected artefacts. Going forward, enforce package version pinning and cryptographic digest verification on all CI/CD toolchain dependencies.
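Two of the actions above are mechanical enough to script: finding lockfiles that resolved the affected @bitwarden/cli version, and finding container references that rely on a mutable tag instead of a digest. The following is an added example for this brief, not Bitwarden's or Checkmarx's tooling. The affected package version comes from the brief; the image names, the lockfile content, and the CI references are constructed, and the KICS image name in particular is a placeholder rather than the project's real registry path.

```python
import json
import re
from typing import Dict, List, Tuple

# Affected artefacts named in the brief
AFFECTED_PACKAGES = {"@bitwarden/cli": {"2026.4.0"}}

# A pinned image reference ends in an immutable content digest
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed package-lock.json (lockfileVersion 2/3 layout)
SAMPLE_LOCK = json.loads("""
{
  "name": "pipeline-tools",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "pipeline-tools", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

# Constructed CI image references; 'example-registry/kics-scanner' is a placeholder
SAMPLE_IMAGE_REFS = [
    "example-registry/kics-scanner:latest",
    "node:20",
    "node:20@sha256:" + "ab" * 32,
]


def check_lockfile(lock: Dict) -> List[Tuple[str, str, str]]:
    """Return (package, version, location) for every affected package pinned
    in the lockfile. Handles lockfileVersion 1 ('dependencies') and 2/3 ('packages')."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # root entry for the project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED_PACKAGES.get(name, set()):
            hits.append((name, meta["version"], path))
    for name, meta in lock.get("dependencies", {}).items():
        if meta.get("version") in AFFECTED_PACKAGES.get(name, set()):
            hits.append((name, meta["version"], f"dependencies/{name}"))
    return hits


def unpinned_images(refs: List[str]) -> List[str]:
    """Image references that can silently change under a pipeline: anything
    without a content digest, whether or not it carries a tag."""
    return [ref for ref in refs if not DIGEST_RE.search(ref)]


if __name__ == "__main__":
    print("affected packages:", check_lockfile(SAMPLE_LOCK))
    print("unpinned images:", unpinned_images(SAMPLE_IMAGE_REFS))
```

A lockfile hit means the pipeline that installed from it falls under the rotate-and-rebuild action; an unpinned image is the condition that let the KICS compromise propagate without any change on the consumer's side, which is why digest pinning is the forward-looking control.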

WordPress Breeze Cache (CVE-2026-3844): Web Infrastructure Response

Locate all WordPress sites in your estate using Breeze Cache. Upgrade to version 2.4.5 immediately. Where the Host Files Locally Gravatars add-on is enabled, disable it as part of the upgrade or before. Review web server access logs for suspicious POST requests to Breeze or Gravatar-related upload endpoints from atypical IP ranges. Look for unexpected new files in web-root and upload directories. If web shell activity is found, treat the affected server as compromised and initiate full incident response.

ASP.NET Core Data Protection (CVE-2026-40372): Patch and Key Rotation

Patch all applications using Microsoft.AspNetCore.DataProtection version 10.0.6 to version 10.0.7. For any application where there is suspicion that forged payloads may have been submitted prior to patching, plan for Data Protection key-ring rotation to invalidate any cookies or tokens that may have been forged against the old validation logic.

Rituals Breach: Peer Awareness Actions

Organisations running large loyalty or member databases should review their own data minimisation and retention practices for marketing attributes such as dates of birth and contact details. Rehearse breach notification decision workflows for scenarios involving non-payment personal data under GDPR Article 33 and Article 34. Prepare customer phishing-risk communication templates specific to marketing data compromise scenarios, since this is the primary downstream risk to affected individuals.

Response Priority Order for Today
  • Priority one: BlueHammer cluster version verification and hunt across all Windows endpoints, with immediate isolation of any endpoint showing stopped Defender updates combined with anomalous process activity.

  • Priority two: Marimo patch and credential rotation for any previously exposed instance.

  • Priority three: IKE RCE patch deployment confirmation on VPN and IPsec infrastructure.

  • Priority four: Storm-1175 product patch verification on internet-exposed management tooling.

  • Priority five: Supply-chain credential rotation for any pipeline that consumed affected artefacts.

  • Priority six: Breeze Cache upgrade and WordPress log review.

  • Priority seven: GopherWhisper collaboration platform API audit for government-adjacent organisations.

  • Priority eight: ASP.NET Core Data Protection patch and key rotation review.

BlueHammer Cluster (CVE-2026-33825, RedSun, UnDefend)

2026-04-02 to 07: PoC exploit designated BlueHammer for a Microsoft Defender zero-day is released publicly by researcher Chaotic Eclipse. Analyses describe it as a local privilege escalation path to SYSTEM via Defender's remediation logic.

2026-04-10: Huntress detects and documents first confirmed in-the-wild exploitation of BlueHammer on customer endpoints, four days before a patch is available.

2026-04-13 to 14: Microsoft April 2026 Patch Tuesday released. CVE-2026-33825 patched in Defender Antimalware Platform version 4.18.26050.3011. 167 vulnerabilities addressed in total across the Patch Tuesday cycle.

2026-04-16: Chaotic Eclipse releases public PoC code for two additional Defender flaws, designated RedSun and UnDefend. Huntress documents real-world exploitation of all three flaws beginning on or around this date, including credential theft via SAM database access.

2026-04-22 to 23: CISA adds CVE-2026-33825 to the Known Exploited Vulnerabilities catalog. US FCEB agencies ordered to remediate by May 6, 2026 under BOD 22-01. SecurityAffairs and BleepingComputer report Huntress findings in full.

2026-04-24: RedSun and UnDefend remain unpatched. No CVE identifiers confirmed in sources for either flaw as of this report date.

Marimo RCE (CVE-2026-39987)

2026-04-08: GitHub advisory and vendor write-ups disclose the Marimo /terminal/ws pre-auth RCE, later assigned CVE-2026-39987.

2026-04-09: Sysdig observes first exploitation attempts within approximately ten hours of advisory publication. Credential theft from .env files documented within minutes of initial access in some cases.

2026-04-11 to 14: Hundreds of exploitation events recorded across multiple cloud providers. NKAbuse malware deployment via typosquatted HuggingFace Spaces documented. Blockchain botnet of approximately 1,570 hosts assembled.

2026-04-23: NVD reflects CISA KEV status for CVE-2026-39987 with a remediation due date of May 7, 2026 for federal agencies under BOD 22-01.

Windows IKE RCE (CVE-2026-33824)

2026-04-13 to 14: CVE-2026-33824 disclosed and patched as part of Microsoft April 2026 Patch Tuesday. CVSS 9.8 assigned.

2026-04-24: No in-the-wild exploitation confirmed in sources as of this report date. Patch deployment verification is the active action item.

Storm-1175 and Medusa Ransomware Campaign

2023 onwards: Storm-1175 active exploitation of multiple CVEs across web-facing products. More than sixteen CVEs exploited since 2023 per Microsoft Threat Intelligence.

Date unconfirmed: CVE-2025-10035 and CVE-2026-23760 exploited as zero-days prior to public disclosure.

2026-04-05: Microsoft publishes attribution of Storm-1175 to Medusa ransomware campaigns. BleepingComputer reports Microsoft Threat Intelligence findings.

2026-04-06: Microsoft Threat Intelligence Blog publishes detailed Storm-1175 actor profile.

2026-04-24: Campaign assessed as ongoing. Multiple products remain in the Storm-1175 target list.

UAC-0233 and Zimbra Exploitation

2025-09 earliest: UAC-0233 begins exploitation of Zimbra Collaboration Suite vulnerabilities against Ukrainian government entities, confirmed by CERT-UA.

2026-03 (mid-month): CVE-2025-66376 added to CISA KEV catalog.

2026-04-20: CISA adds CVE-2025-48700 and seven other flaws to the KEV catalog. Federal deadline set for May 4, 2026.

GopherWhisper APT

2023 earliest: GopherWhisper operations against government entities begin, with thousands of recovered Slack and Discord C2 messages indicating sustained long-duration activity.

2026-04 (date within window not confirmed in sources): ESET publicly discloses GopherWhisper, documenting Go-based backdoors, collaboration platform C2 channels, and government targeting.

Supply-Chain Compromises

Date within April 2026 not confirmed precisely in sources: @bitwarden/cli NPM package version 2026.4.0 published with credential-stealing payload, available for approximately 90 minutes before removal.

Date within April 2026 not confirmed precisely in sources: Checkmarx KICS Docker images and IDE extensions compromised. TeamPCP claims responsibility.

Rituals Data Breach

Date of breach access not confirmed in sources. Disclosure published within reporting window. Rituals notifies authorities and customers. Investigation ongoing.

Kyber Ransomware

2026-04-23: Single source reports new Kyber ransomware operation targeting Windows and VMware ESXi. No Tier 1 corroboration found as of report date.

Chapter 04 - Detection Intelligence

CVE-2026-39987 (Marimo): Pre-Auth WebSocket RCE

The /terminal/ws WebSocket endpoint in Marimo versions prior to 0.23.0 accepts connections without any authentication check. This is distinct from other Marimo WebSocket endpoints which correctly invoke authentication validation before establishing connections. Once connected, the endpoint exposes a full PTY shell executing with the same OS-level privileges as the Marimo server process, which in many deployment configurations runs with access to cloud credentials, database connection strings, and internal service tokens stored in environment variables. Successful exploitation grants unauthenticated arbitrary code execution with no prerequisites beyond network reachability. Post-exploitation activity documented by Sysdig included reading .env files for credential theft, establishing outbound connections to PostgreSQL and other internal services, and deploying NKAbuse malware distributed via HuggingFace infrastructure to build a blockchain-based command-and-control botnet.

Attack vector: Network. Authentication required: None. User interaction: None. Privileges required: None. Scope: the Marimo process and all resources accessible from its execution context. Fixed in Marimo 0.23.0.
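The connections described above leave a recognisable trace in reverse-proxy logs: a WebSocket upgrade to /terminal/ws with no session material. The following added example (not from the report, Marimo or Sysdig) parses a few constructed nginx-style access-log lines in an assumed custom format and flags such upgrades, ignoring the query string so token-in-URL variants are still seen; the cookie name `marimo_session` and the trusted ranges are assumptions standing in for your deployment's values.

```python
"""Hunt reverse-proxy access logs for unauthenticated WebSocket connections to
Marimo's /terminal/ws endpoint (CVE-2026-39987).

Added illustration; log lines are constructed and use an assumed custom log
format that records the Upgrade header and the Cookie header.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed log format (nginx-style):
#   remote_addr - [time_local] "METHOD path HTTP/x" status "http_upgrade" "http_cookie"
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<upgrade>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Assumed name of the session cookie issued after authentication.
SESSION_COOKIE_NAME = "marimo_session"
VULNERABLE_PATH = "/terminal/ws"

# Source ranges that may legitimately reach the notebook server (assumed).
TRUSTED_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: one authenticated use, one benign page load, two suspicious.
SAMPLE_LOG = """\
10.0.4.21 - [24/Apr/2026:09:12:03 +0000] "GET /terminal/ws HTTP/1.1" 101 "websocket" "marimo_session=abc123"
203.0.113.45 - [24/Apr/2026:09:14:17 +0000] "GET /terminal/ws HTTP/1.1" 101 "websocket" "-"
203.0.113.45 - [24/Apr/2026:09:14:18 +0000] "GET / HTTP/1.1" 200 "-" "-"
198.51.100.7 - [24/Apr/2026:09:20:44 +0000] "GET /terminal/ws?token=x HTTP/1.1" 101 "websocket" "theme=dark"
10.0.4.21 - [24/Apr/2026:09:21:00 +0000] "GET /ws HTTP/1.1" 101 "websocket" "marimo_session=abc123"
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    time: str
    path: str
    status: int
    reason: str


def has_session_cookie(cookie_header: str) -> bool:
    """True if the Cookie header carries the assumed session cookie."""
    if cookie_header in ("", "-"):
        return False
    names = {part.split("=", 1)[0].strip() for part in cookie_header.split(";")}
    return SESSION_COOKIE_NAME in names


def is_trusted(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def hunt_terminal_ws(log_text: str) -> list[Finding]:
    """Return WebSocket upgrades to /terminal/ws that carry no session cookie.

    Path matching drops the query string so token-in-URL variants are still seen.
    A 101 status means the proxy completed the upgrade: the PTY was reachable.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not fatal
        path = m["path"].split("?", 1)[0]
        if path != VULNERABLE_PATH or m["upgrade"].lower() != "websocket":
            continue
        if has_session_cookie(m["cookie"]):
            continue
        reason = "unauthenticated upgrade"
        if not is_trusted(m["ip"]):
            reason += " from untrusted source"
        findings.append(Finding(m["ip"], m["time"], m["path"], int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for f in hunt_terminal_ws(SAMPLE_LOG):
        print(f"{f.time} {f.src_ip} {f.path} -> {f.status}: {f.reason}")
```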

CVE-2026-33825 (BlueHammer): Defender TOCTOU LPE

The exploit chain for BlueHammer operates through the following stages. First, the attacker places a malicious file on disk and causes Microsoft Defender's real-time protection to flag it for remediation. Second, during Defender's privileged remediation operation, the attacker uses a combination of volume shadow copy manipulation, NTFS junction point creation, and opportunistic lock (oplock) callbacks to introduce a race condition between the moment Defender checks the path of the file it is about to operate on and the moment it actually performs the operation. This TOCTOU window allows the attacker to redirect Defender's privileged file reads or writes to a different target than Defender believes it is operating on. Third, by directing that privileged file operation toward the SAM registry hive or a system binary path, the attacker can read sensitive credential data or write an attacker-controlled binary under SYSTEM context, completing local privilege escalation.

Underlying vulnerability class: CWE-1220 Insufficient Granularity of Access Control combined with a TOCTOU race condition in Defender's remediation workflow. Affected component: Microsoft Defender Antimalware Platform versions prior to 4.18.26050.3011. Fixed in April 2026 Patch Tuesday.

RedSun: separate LPE mechanism in Microsoft Defender. Technical mechanism beyond local privilege escalation is not confirmed in sources. CVE identifier not confirmed in sources as of report date. PoC released April 16, 2026. Status: unpatched.

UnDefend: denial-of-service technique targeting Defender's definition update mechanism. Blocks security definition updates from being applied, causing the endpoint's threat signature database to become progressively outdated. No technical mechanism detail beyond this confirmed in sources. CVE identifier not confirmed in sources as of report date. Status: unpatched.

CVE-2026-33824: Windows IKE Double-Free RCE

The vulnerability is a double-free memory corruption flaw classified as CWE-415 in Windows Internet Key Exchange Service Extensions. An unauthenticated attacker sends a specially crafted malformed IKE negotiation packet to a target Windows system on UDP 500 or UDP 4500. The malformed packet triggers a double-free condition in the IKE service's memory management, leading to arbitrary code execution in the context of the IKE service. The IKE service runs with high privileges and is responsible for IPsec security association negotiation. Successful exploitation yields code execution with high confidentiality, integrity, and availability impact. CVSS 9.8. Attack vector: Network. Authentication required: None. User interaction: None. Fixed in April 2026 Patch Tuesday. No public PoC or in-the-wild exploitation confirmed in sources as of report date.

CVE-2026-33826: Windows Active Directory Authenticated RCE

Improper input validation in Windows Active Directory allows an authenticated attacker with valid credentials to achieve arbitrary code execution without user interaction. CVSS 8.0. This is a significant post-exploitation and lateral movement amplifier in environments where an adversary has already obtained valid credentials via BlueHammer's SAM access path or via other credential theft techniques used in today's active campaigns. Fixed in April 2026 Patch Tuesday.

CVE-2026-40372: ASP.NET Core Data Protection HMAC Bypass

Microsoft.AspNetCore.DataProtection version 10.0.6 on non-Windows platforms contains incorrect HMAC validation logic: the implementation computes HMAC validation tags over incorrect payload bytes and then discards the resulting tags rather than using them for validation. The practical consequence is that the HMAC check does not actually validate the payload, meaning forged payloads pass authenticity checks. An unauthenticated attacker who understands the forging technique can craft valid-appearing authentication cookies, antiforgery tokens, and other Data Protection-signed state, enabling authentication bypass and privilege escalation in affected ASP.NET Core applications. Fixed in version 10.0.7 via out-of-band update. Exploitation requires the specific affected package version on a non-Windows host. No confirmed exploitation in sources.
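The defect class described above, a tag that is computed and then never used, is easy to model outside .NET. The following added example (not Microsoft's code and not the Data Protection wire format; the token layout `payload || 32-byte tag` and the key-ring class are simplifications) shows an Unprotect path with the discard bug accepting a payload whose tag bytes are zeros, the corrected path rejecting it with a constant-time compare, and why key-ring rotation is the second half of the remediation: material issued under the old key stops validating once the ring is replaced.

```python
"""Model of the CVE-2026-40372 defect class: an HMAC tag that is computed but
never checked. Added illustration only; this is not the .NET Data Protection
wire format or Microsoft's code. Token layout here is payload || 32-byte tag.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Callable

TAG_LEN = 32  # HMAC-SHA256 output size


def protect(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the payload (simplified protect())."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unprotect_vulnerable(key: bytes, token: bytes) -> bytes:
    """Buggy unprotect: computes a tag, then ignores it and returns the payload.

    Mirrors the described fault (tag computed, result discarded): any token of
    sufficient length passes, so an attacker-chosen payload is accepted.
    """
    payload = token[:-TAG_LEN]
    _computed = hmac.new(key, payload, hashlib.sha256).digest()  # never compared
    return payload


def unprotect_fixed(key: bytes, token: bytes) -> bytes:
    """Correct unprotect: constant-time tag comparison, reject on mismatch."""
    if len(token) <= TAG_LEN:
        raise ValueError("token too short")
    payload, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    computed = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, computed):
        raise ValueError("invalid authentication tag")
    return payload


class KeyRing:
    """Minimal key ring: a token is valid only under a key still in the ring.

    After rotate(revoke_old=True) anything issued, or forged, against the old
    key fails, which is why key-ring rotation follows a suspected forgery.
    """

    def __init__(self) -> None:
        self.keys: list[bytes] = [os.urandom(32)]

    @property
    def active(self) -> bytes:
        return self.keys[-1]

    def rotate(self, revoke_old: bool = True) -> None:
        new_key = os.urandom(32)
        self.keys = [new_key] if revoke_old else self.keys + [new_key]

    def unprotect(self, token: bytes) -> bytes:
        for key in self.keys:
            try:
                return unprotect_fixed(key, token)
            except ValueError:
                continue
        raise ValueError("token not valid under any current key")


def accepts_unsigned_token(verifier: Callable[[bytes, bytes], bytes], key: bytes) -> bool:
    """Does `verifier` accept a payload whose tag bytes were never produced with `key`?

    The probe token is a chosen payload followed by TAG_LEN zero bytes.
    """
    claims = b'{"sub":"admin","role":"Administrator"}'
    try:
        return verifier(key, claims + bytes(TAG_LEN)) == claims
    except ValueError:
        return False


def demo() -> dict[str, bool]:
    """Run the comparison and return the observations asserted in the tests."""
    ring = KeyRing()
    legit = protect(ring.active, b'{"sub":"alice","role":"User"}')
    results = {
        "vulnerable_accepts_forgery": accepts_unsigned_token(unprotect_vulnerable, ring.active),
        "fixed_rejects_forgery": not accepts_unsigned_token(unprotect_fixed, ring.active),
        "fixed_accepts_legit": ring.unprotect(legit) == b'{"sub":"alice","role":"User"}',
    }
    ring.rotate(revoke_old=True)  # the post-patch remediation step
    try:
        ring.unprotect(legit)
        results["legit_survives_rotation"] = True
    except ValueError:
        results["legit_survives_rotation"] = False
    return results
```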

CVE-2026-3844: Breeze Cache Unauthenticated File Upload

The Host Files Locally Gravatars add-on in Breeze Cache versions up to 2.4.4 implements a file upload endpoint that does not enforce authentication before accepting uploads. An unauthenticated attacker can send a POST request with a crafted payload to this endpoint and write arbitrary files to the web server's file system. This allows placement of web shells or other malicious scripts in the web-root or upload directories, granting initial remote code execution on the underlying web server. The attack requires the Gravatar caching add-on to be enabled but does not require any user interaction or prior authentication. Fixed in Breeze Cache 2.4.5. More than 170 exploitation attempts logged by Wordfence confirming active mass scanning.

Trigona Ransomware: Custom Exfiltration Toolchain

Trigona affiliates have replaced commodity exfiltration tools with a purpose-built binary named uploader_client.exe. This tool connects to a hardcoded server address, which prevents threat hunters from identifying the C2 infrastructure through pattern-based detection of known tools like Rclone. The binary selectively targets specific file types consistent with maximising the value of exfiltrated data for double-extortion purposes. Prior to launching uploader_client.exe, Trigona affiliates use AnyDesk for remote access establishment, Mimikatz for credential extraction, and NirSoft utilities for supplemental credential recovery. Vulnerable kernel drivers are loaded specifically to terminate security processes before the encryption payload executes, reducing the probability of detection and interruption during the final encryption phase.

GopherWhisper: Go-Based Backdoor with SaaS C2

GopherWhisper's backdoor is implemented in Go. Command-and-control communications are routed through legitimate Microsoft 365 Outlook, Slack, and Discord APIs using authenticated API calls that are indistinguishable in network traffic from normal business use of these services. ESET recovered thousands of messages from Slack and Discord channels used as C2, confirming sustained operational use since at least 2023. The use of Go as a backdoor language provides cross-platform capability and complicates static analysis relative to interpreted languages. The SaaS C2 channel technique defeats domain-based and IP-based C2 detection entirely since all traffic terminates at legitimate Microsoft and Slack infrastructure.

No explicit IOC values including IP addresses, domain names, file hashes, URLs, registry keys, mutex names, or SSL certificate fingerprints were published in the available sources consulted within the reporting window for any incident cluster in this brief. Both the attached version and the Deep Research version independently reached this same finding. This is not a gap in report construction but an accurate reflection of what the available public sources disclosed.

The following tool names, malware families, and infrastructure patterns are confirmed in sources without published concrete indicator values.

Tool names and malware families: NKAbuse backdoor variant deployed in the Marimo post-exploitation campaign via typosquatted HuggingFace Spaces. uploader_client.exe, the custom Trigona exfiltration binary that replaces commodity tools like Rclone. SystemBC proxy referenced in Trigona infrastructure context. Shai-Hulud worm associated with the TeamPCP supply-chain campaign. NirSoft utilities and Mimikatz used by Trigona affiliates for credential theft during pre-encryption phases. AnyDesk used by Trigona affiliates to establish remote access into victim environments.

Infrastructure patterns confirmed in sources without published specific values: Trigona's uploader_client.exe connects to a hardcoded server address and selectively targets specific file types; the actual address is not published in open-source reporting. NKAbuse routes its C2 communications over the NKN peer-to-peer protocol rather than conventional HTTP or DNS channels, complicating standard network detection. GopherWhisper routes all command-and-control over authenticated API calls to Microsoft 365 Outlook, Slack, and Discord; the C2 infrastructure is entirely co-mingled with legitimate SaaS service traffic and produces no distinct network-layer IOCs. Typosquatted HuggingFace Spaces were used to distribute NKAbuse payloads to hosts compromised via the Marimo CVE; the specific Space names are not published in sources.

The only near-IOC value with a specific identifier confirmed in sources is the malicious NPM package version string @bitwarden/cli 2026.4.0, which contained a credential-stealing payload. This version has since been removed from the NPM registry. Organisations should check pipeline artefact logs for any reference to this version string in build dependencies during the approximately 90-minute window it was available.
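Build logs are one place to look; committed lockfiles are the other, and the version string can sit in a nested dependency rather than at top level. The following added example (not from the report or Bitwarden; the lockfile contents are constructed) scans an npm lockfile for an installed @bitwarden/cli 2026.4.0, covering both the v1 `dependencies` tree and the v2/v3 `packages` map, and reports only installed versions rather than `requires` ranges, which do not prove installation.

```python
"""Scan npm lockfiles for the pulled @bitwarden/cli 2026.4.0 release.

Added illustration; lockfile contents below are constructed. Handles both the
lockfile v1 "dependencies" tree and the v2/v3 "packages" map, because the
version string may appear in either depending on the npm version used.
"""
from __future__ import annotations

import json
from typing import Iterator

BAD_PACKAGE = "@bitwarden/cli"
BAD_VERSIONS = {"2026.4.0"}  # version string confirmed in reporting

# Constructed lockfile v3: the compromised version is a transitive dependency.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "build-tools",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "build-tools", "dependencies": {"secrets-sync": "^1.0.0"}},
        "node_modules/secrets-sync": {"version": "1.2.0",
                                      "dependencies": {"@bitwarden/cli": "2026.4.0"}},
        "node_modules/secrets-sync/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.3.1"},
    },
})

# Constructed lockfile v1 with a nested occurrence.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "@bitwarden/cli": {"version": "2026.3.1"},
        "deploy-helper": {
            "version": "0.9.0",
            "requires": {"@bitwarden/cli": "2026.4.0"},
            "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}},
        },
    },
})


def _package_name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: dict, prefix: str = "") -> Iterator[tuple[str, str, str]]:
    """Yield (path, name, version) for every entry in a v1 dependencies tree."""
    for name, info in deps.items():
        path = f"{prefix}{name}"
        yield path, name, str(info.get("version", ""))
        yield from _walk_v1(info.get("dependencies", {}), prefix=f"{path} > ")


def find_bad_bitwarden_cli(lock_text: str) -> list[str]:
    """Return the lockfile locations where the pulled version is installed.

    Only installed entries count (the "version" of a package node), not
    "requires"/"dependencies" range strings, which do not prove installation.
    """
    lock = json.loads(lock_text)
    hits: list[str] = []
    if "packages" in lock:  # lockfile v2/v3
        for path, info in lock["packages"].items():
            if (path and _package_name_from_path(path) == BAD_PACKAGE
                    and info.get("version") in BAD_VERSIONS):
                hits.append(path)
    elif "dependencies" in lock:  # lockfile v1
        for path, name, version in _walk_v1(lock["dependencies"]):
            if name == BAD_PACKAGE and version in BAD_VERSIONS:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, find_bad_bitwarden_cli(text))
```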

CVE identifiers remain the primary actionable indicator set for this report. The full list is documented in Field 11. For network and endpoint blocking rules, the following enrichment sources are recommended in priority order: Sysdig threat research portal for Marimo and NKAbuse full indicator sets, Huntress Nightmare Eclipse intrusion report for BlueHammer exploitation indicators, ESET malware-ioc GitHub repository at github.com/eset/malware-ioc for GopherWhisper backdoor samples and infrastructure following public disclosure, Microsoft Defender Threat Intelligence portal for Storm-1175 actor indicator package, and Symantec and Broadcom threat intelligence sharing channels for Trigona uploader_client.exe hash and C2 network indicators.

Actor infrastructure normalisation evidence: no cross-incident infrastructure overlap has been identified in sources within the reporting window. This is assessed as a data gap rather than evidence of absence of overlap.

The following detection logic, SIGMA pseudocode, YARA patterns, and SIEM field references are derived from confirmed attack behaviors described in sources. Where detection is based on behavioral inference rather than confirmed source-cited indicators, this is stated explicitly. All pseudocode should be tested and tuned in a lab environment before production deployment.

BLUEHAMMER AND DEFENDER CLUSTER DETECTION

The primary deterministic detection signal for BlueHammer exposure is Defender Antimalware Platform version below 4.18.26050.3011. This is a low-noise, high-confidence exposure indicator deployable today in any endpoint management platform without requiring EDR telemetry calibration. Deploy this check before any other detection action.

// SIEM: Defender version exposure alert
// Source: Endpoint management platform (Intune / SCCM / MDE device inventory)
// Note: platform_version is a dotted version and must be split into numeric
// components; a plain string comparison would rank 4.18.9999.x above the fix.
// Hosts with no parseable version are kept, since they cannot be shown patched

index=endpoint_management
  product="Microsoft Defender"
| rex field=platform_version "^(?<v_maj>\d+)\.(?<v_min>\d+)\.(?<v_build>\d+)\.(?<v_rev>\d+)$"
| eval v_maj=tonumber(v_maj), v_min=tonumber(v_min), v_build=tonumber(v_build), v_rev=tonumber(v_rev)
| where isnull(v_maj) OR v_maj < 4 OR (v_maj=4 AND v_min < 18)
    OR (v_maj=4 AND v_min=18 AND v_build < 26050)
    OR (v_maj=4 AND v_min=18 AND v_build=26050 AND v_rev < 3011)
| stats latest(last_seen) AS last_seen BY host, platform_version
| sort - last_seen

Every result from this query is an active exposure requiring immediate remediation.
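The same threshold is often applied outside the SIEM, against a CSV export from the endpoint management platform. The following added example (not from the report or any vendor; the inventory rows are constructed) parses such an export, flags hosts below 4.18.26050.3011 using component-wise numeric comparison, treats an unparseable version as an exposure, and shows which host a naive string comparison would misclassify.

```python
"""Flag Windows endpoints whose Defender Antimalware Platform version is
below the BlueHammer fix (4.18.26050.3011).

Added illustration; the inventory rows below are constructed, not real data.
"""
from __future__ import annotations

import csv
import io
from typing import NamedTuple

FIXED_PLATFORM_VERSION = "4.18.26050.3011"  # from April 2026 Patch Tuesday

# Constructed inventory export: host, Defender platform version, last check-in.
SAMPLE_INVENTORY_CSV = """host,platform_version,last_seen
WKS-001,4.18.26050.3011,2026-04-24T08:01:00Z
WKS-002,4.18.26020.1007,2026-04-24T07:55:00Z
WKS-003,4.18.9999.1,2026-04-23T22:10:00Z
SRV-010,4.18.26050.3012,2026-04-24T06:30:00Z
SRV-011,4.19.1.1,2026-04-24T06:31:00Z
LAB-042,not-installed,2026-04-20T12:00:00Z
"""


class Exposure(NamedTuple):
    host: str
    platform_version: str
    last_seen: str
    reason: str


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '4.18.26050.3011' into (4, 18, 26050, 3011); None if unparseable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_below_fix(version: str, fixed: str = FIXED_PLATFORM_VERSION) -> bool:
    """True when `version` is numerically older than `fixed`.

    Tuples of ints compare component-wise, so 4.18.9999.1 < 4.18.26050.3011
    comes out correctly; the same strings compared lexically would not.
    """
    parsed = parse_version(version)
    target = parse_version(fixed)
    if parsed is None or target is None:
        raise ValueError(f"unparseable version: {version!r}")
    return parsed < target


def find_exposed_hosts(inventory_csv: str) -> list[Exposure]:
    """Return every exposed host: below the fix, or with no parseable version."""
    exposed: list[Exposure] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["platform_version"]
        if parse_version(version) is None:
            # Unknown or missing platform: cannot be shown patched, so treat as exposed.
            exposed.append(Exposure(row["host"], version, row["last_seen"], "version unparseable"))
        elif is_below_fix(version):
            exposed.append(Exposure(row["host"], version, row["last_seen"], "below fixed version"))
    return exposed


def lexical_misclassifications(inventory_csv: str) -> list[str]:
    """Hosts a naive string comparison (version < fixed) would get wrong."""
    wrong: list[str] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["platform_version"]
        if parse_version(version) is None:
            continue
        if (version < FIXED_PLATFORM_VERSION) != is_below_fix(version):
            wrong.append(row["host"])
    return wrong


if __name__ == "__main__":
    for e in find_exposed_hosts(SAMPLE_INVENTORY_CSV):
        print(f"{e.host}: {e.platform_version} ({e.reason}), last seen {e.last_seen}")
    print("string comparison would misclassify:", lexical_misclassifications(SAMPLE_INVENTORY_CSV))
```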

// SIEM: Anomalous SYSTEM-level process creation from Defender service parents
// Behavioral basis: BlueHammer post-exploitation: a SYSTEM context process spawned
// from a Defender parent is the direct consequence of a successful LPE exploit
// Date scope: April 10 2026 to present (confirmed exploitation start date)
// Field note: Event 4688 records full image paths, hence the wildcards; the
// integrity level is carried as Mandatory Label S-1-16-16384 (System), so map
// IntegrityLevel to that field in your schema

index=windows EventCode=4688 earliest="04/10/2026:00:00:00"
  ParentProcessName IN (
    "*\\MsMpEng.exe", "*\\MpCmdRun.exe", "*\\mpdefui.exe"
  )
  IntegrityLevel="System"
  NOT ProcessName IN (
    "*\\MpCmdRun.exe", "*\\MpSigStub.exe", "*\\NisSrv.exe", "*\\MpDlpCmd.exe"
  )
| stats count BY host, ParentProcessName, ProcessName, CommandLine, _time
| sort - _time

// SIEM: UnDefend indicator: Defender definition update failure lag
// Behavioral basis: UnDefend blocks Defender definition updates, causing
// progressive signature staleness on affected endpoints
// Event 2000 is the successful definition update; 2001 and 2003 record update
// failures, so the staleness clock must key on 2000 or every failing host
// would look freshly updated
// Threshold: 48 hours stale, tunable per environment SLA

index=windows EventCode=2000
  SourceName IN ("Microsoft-Windows-Windows Defender", "Microsoft Antimalware")
| stats latest(_time) AS last_successful_update BY host
| eval hours_stale = (now() - last_successful_update) / 3600
| where hours_stale > 48
| join type=inner host [
    search index=windows EventCode=4688
      ParentProcessName="*\\MsMpEng.exe"
      IntegrityLevel="System"
  ]
| table host, hours_stale, ParentProcessName, ProcessName, CommandLine

Endpoints matching both conditions — stale definitions and SYSTEM-context Defender children — should be isolated immediately and escalated to incident response.

// SIEM: SAM registry access by non-authorised process
// Behavioral basis: BlueHammer redirects Defender's privileged operations
// to the SAM hive, exposing local account password hashes
// Prerequisite: Event 4663 only fires for keys that carry a SACL, so enable
// Object Access auditing on the SAM, SECURITY and SYSTEM hives first
// Field note: 4663 records full image paths, hence the wildcards; subkey
// access is logged under the hive path, hence the trailing wildcards

index=windows EventCode=4663
  ObjectName IN (
    "\\REGISTRY\\MACHINE\\SAM*",
    "\\REGISTRY\\MACHINE\\SECURITY*",
    "\\REGISTRY\\MACHINE\\SYSTEM*"
  )
  NOT ProcessName IN (
    "*\\lsass.exe", "*\\svchost.exe", "*\\services.exe",
    "*\\MsMpEng.exe", "*\\regsvc.exe"
  )
| stats count BY host, ProcessName, ObjectName, SubjectUserName, _time

// YARA: BlueHammer exploitation artifact pattern
// Targets the documented NTFS junction and SAM access combination
// characteristic of the exploit chain

rule BlueHammer_Defender_LPE_Artifacts
{
    meta:
        description = "Detects BlueHammer-style Defender LPE exploit artifacts"
        date = "2026-04-24"
        confidence = "medium"
        source_basis = "Huntress Nightmare Eclipse research, SentinelOne analysis"
    strings:
        $junction = "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
                    ascii wide nocase
        $sam_path  = "\\REGISTRY\\MACHINE\\SAM" ascii wide
        $oplock    = "DeviceIoControl" ascii wide
        $ntfs_junc = "CreateSymbolicLink" ascii wide
    condition:
        ($junction and $sam_path) or
        ($ntfs_junc and $sam_path and $oplock)
}

MARIMO RCE (CVE-2026-39987) DETECTION

// SIEM: Unauthenticated WebSocket connection to /terminal/ws
// Behavioral basis: The vulnerable endpoint accepts connections
// with no authentication handshake; any access from untrusted IP
// space without a valid session should be treated as an exploitation attempt
// Requires WAF or reverse proxy logs with WebSocket metadata

index=web_proxy OR index=app_gateway
  uri_path="/terminal/ws"
  http_method="GET"
  upgrade_header="websocket"
  NOT (auth_header=* AND session_cookie=*)
| stats count BY src_ip, dest_host, uri_path, user_agent, _time
| where count > 0
| sort _time desc

// SIEM: Post-exploitation process spawning from Marimo container context
// Behavioral basis: Sysdig documented shell and network tool execution
// spawned from Marimo and its WSGI server process parents
// post-exploitation following /terminal/ws RCE

index=container_runtime OR index=linux_auditd
  parent_process IN (
    "marimo", "python3", "uvicorn", "gunicorn", "hypercorn"
  )
  child_process IN (
    "bash", "sh", "dash", "curl", "wget", "python3",
    "nc", "ncat", "nmap", "pip", "npm", "git", "env", "printenv"
  )
| stats count BY host, container_id, parent_process,
                 child_process, cmdline, _time
| where count > 0

// YARA: NKAbuse blockchain botnet loader
// Targets NKAbuse's documented use of the NKN peer-to-peer C2 protocol
// and HuggingFace distribution infrastructure observed in Sysdig research
// Condition note: ".env", "blockchain" and "huggingface" are common in benign
// ML tooling, so they only count alongside an NKN or NKAbuse marker

rule NKAbuse_Blockchain_Botnet_Loader
{
    meta:
        description = "Detects NKAbuse loader artifacts from Marimo campaign"
        date = "2026-04-24"
        confidence = "medium"
        source_basis = "Sysdig Threat Research Team"
    strings:
        $nkn_domain  = "nkn.org" ascii wide
        $nkn_proto   = "NKN" ascii wide
        $blockchain  = "blockchain" ascii nocase wide
        $env_theft   = ".env" ascii
        $hf_dist     = "huggingface" ascii nocase
        $nkabuse_str = "NKAbuse" ascii wide
    condition:
        $nkabuse_str or
        (($nkn_domain or $nkn_proto) and 2 of ($blockchain, $env_theft, $hf_dist))
}

WINDOWS IKE RCE (CVE-2026-33824) DETECTION

No public PoC exists in sources as of this report date. Pre-exploitation detection is therefore the primary available control. Enumerate all internet-exposed Windows systems with UDP 500 and UDP 4500 open and cross-reference against April 2026 Patch Tuesday deployment status. Any unpatched IKE-exposed system is a deterministic exposure indicator.

// SIEM: IKE service crash or unexpected restart as exploitation attempt indicator
// Behavioral basis: A successful double-free exploit would cause the IKE service
// to crash or restart before achieving code execution in some cases
// Scope to internet-exposed VPN gateway hosts

index=windows EventCode=7034
  Message IN (
    "*IKEEXT*", "*IKE*", "*IPsec*",
    "*Internet Key Exchange*"
  )
  host IN [list_of_internet_exposed_vpn_gateways]
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
         BY host, Message
| where count > 0
| sort last_seen desc

STORM-1175 AND MEDUSA RANSOMWARE DETECTION

// SIEM: Ransomware precursor: shadow copy deletion and backup destruction
// Behavioral basis: Storm-1175 Medusa deployment chain includes shadow copy
// deletion as a pre-encryption step; near-universal ransomware precursor signal
// Priority: deploy as Critical alert immediately if not already active

index=windows EventCode=4688
  CommandLine IN (
    "*vssadmin*delete*shadows*",
    "*wmic*shadowcopy*delete*",
    "*bcdedit*/set*safeboot*",
    "*net*stop*backup*",
    "*taskkill*/im*veeam*",
    "*sc*config*backup*disabled*",
    "*wbadmin*delete*",
    "*schtasks*/delete*backup*"
  )
| stats count BY host, user, CommandLine, ParentProcessName, _time
| where count > 0

This is the highest-yield single detection rule deployable today. It applies to Storm-1175 Medusa, Trigona, and Kyber simultaneously.

// SIEM: Web application service spawning anomalous shell children
// Behavioral basis: Storm-1175 initial access via public-facing app exploitation;
// web service process spawning command interpreter is the post-exploitation signal

index=windows EventCode=4688
  ParentProcessName IN (
    "*w3wp.exe*", "*tomcat*", "*javaw.exe*", "*node.exe*",
    "*TeamCity*", "*CrushFTP*", "*SmarterMail*",
    "*BeyondTrust*", "*simplehelp*", "*weblogic*"
  )
  ProcessName IN (
    "*\\cmd.exe", "*\\powershell.exe", "*\\cscript.exe",
    "*\\wscript.exe", "*\\certutil.exe", "*\\bitsadmin.exe",
    "*\\mshta.exe", "*\\regsvr32.exe"
  )
| stats count BY host, ParentProcessName, ProcessName, CommandLine, _time

// YARA: Medusa ransomware end-stage identification
// Targets Medusa's documented file extension and ransom note naming conventions

rule Medusa_Ransomware_EndStage
{
    meta:
        description = "Detects Medusa ransomware file markers"
        date = "2026-04-24"
        confidence = "high"
        source_basis = "Microsoft TI, BleepingComputer"
    strings:
        $ext1  = ".medusa" ascii wide
        $note1 = "!!!READ_ME_MEDUSA!!!" ascii wide
        $note2 = "MEDUSA_README.txt" ascii wide
        $blog  = "MEDUSA BLOG" ascii wide
    condition:
        any of them
}

GOPHERWHISPER APT DETECTION

// SIEM: Programmatic Slack and Discord API access from non-user context
// Behavioral basis: GopherWhisper routes C2 over Slack and Discord APIs
// using calls that do not originate from legitimate desktop client processes
// Threshold of 10 requests should be tuned per environment baseline

index=proxy OR index=web_gateway
  dest_domain IN (
    "slack.com", "api.slack.com",
    "discord.com", "discordapp.com", "discord.gg"
  )
  user_agent NOT IN [known_slack_client_user_agents]
  src_process NOT IN (
    "slack.exe", "discord.exe", "electron.exe",
    "Teams.exe", "chrome.exe", "firefox.exe"
  )
| stats count, values(user_agent) as agents,
         values(src_process) as processes
         BY src_ip, src_host, dest_domain, _time
| where count > 10

// SIEM: Microsoft 365 Outlook API access from non-standard client context
// Behavioral basis: GopherWhisper uses Outlook API for C2 messaging
// against the Microsoft Unified Audit Log

index=o365_audit OR index=azure_ad
  Operation IN (
    "MailItemsAccessed", "MessageBind",
    "FolderBind", "SendAs"
  )
  ClientInfoString NOT IN [known_mail_client_strings]
  UserAgent NOT IN [known_outlook_user_agents]
| stats count BY UserId, ClientIPAddress,
                 ClientInfoString, UserAgent, _time
| where count > 5

TRIGONA RANSOMWARE DETECTION

// SIEM: AnyDesk execution on server-class systems
// Behavioral basis: Trigona affiliates use AnyDesk for persistent
// remote access on compromised server environments

index=windows EventCode=4688
  ProcessName IN ("*AnyDesk*", "*anydesk.exe*")
  host_type="server"
| stats count BY host, user, ProcessName, CommandLine, _time
| where count > 0

// SIEM: Trigona custom exfiltration tool execution
// Behavioral basis: uploader_client.exe is Trigona's purpose-built
// exfil binary confirmed in Symantec research via BleepingComputer

index=windows EventCode=4688
  ProcessName="*uploader_client.exe*"
| stats count BY host, user, ProcessName, CommandLine,
                 ParentProcessName, _time
| where count > 0

// YARA: Trigona custom exfiltration tool behavioral signatures
// Targets uploader_client.exe behavioral characteristics from Symantec research

rule Trigona_Custom_Exfil_Tool
{
    meta:
        description = "Detects Trigona uploader_client.exe behavioral markers"
        date = "2026-04-24"
        confidence = "medium"
        source_basis = "Symantec via BleepingComputer"
    strings:
        $tool_name = "uploader_client" ascii wide
        $exfil_ref = "upload" ascii wide
        $rclone_alt = "rclone" ascii nocase wide
        $anydesk    = "AnyDesk" ascii wide
        $mimikatz   = "mimikatz" ascii nocase wide
    condition:
        $tool_name or
        ($exfil_ref and not $rclone_alt and $anydesk)
}

BREEZE CACHE (CVE-2026-3844) DETECTION

// SIEM: Suspicious POST to Breeze or Gravatar upload endpoints
// Behavioral basis: CVE-2026-3844 is triggered via unauthenticated POST
// to Breeze Gravatar-related upload paths; 200-series response confirms
// successful file write

index=web_server_logs
  http_method="POST"
  uri_path IN (
    "*breeze*", "*gravatar*", "*cloudways*",
    "*cache/upload*", "*wp-content/uploads*"
  )
  src_ip NOT IN [known_admin_ip_ranges]
  http_status IN ("200", "201", "202", "204")
| stats count BY src_ip, uri_path, http_status,
                 filename_uploaded, _time
| where count > 0
| sort _time desc

ASP.NET CORE DATA PROTECTION (CVE-2026-40372) DETECTION

// SIEM: Data Protection HMAC validation failures on non-Windows ASP.NET hosts
// Behavioral basis: CVE-2026-40372 HMAC bypass; validation failures on
// affected hosts may indicate exploitation attempts against forged payloads

index=application_logs
  application_framework="ASP.NET Core"
  log_level IN ("Error", "Warning")
  message IN (
    "*DataProtection*", "*HMAC*",
    "*validation*failed*", "*unprotect*failed*",
    "*payload*invalid*", "*key*not*found*"
  )
  host_os NOT IN ("Windows")
| stats count BY host, application_name, message, _time
| where count > 0

Detection Priority Summary for Today
  • Priority one: Deploy the Defender version check against endpoint management inventory immediately. This is deterministic, zero-noise, and actionable in minutes.

  • Priority two: Deploy the shadow copy deletion alert if not already active. This is the single highest-yield ransomware precursor detection, applicable across Storm-1175, Trigona, and Kyber simultaneously.

  • Priority three: Run the Defender SYSTEM-context process creation hunt from April 10 to present against your Windows EDR telemetry.

  • Priority four: Check CI/CD pipeline build logs for any reference to @bitwarden/cli version 2026.4.0.

  • Priority five: For government-adjacent organisations, run the Slack and Outlook API anomaly queries and review results before end of business.

Analyst note: No sources within the reporting window explicitly cited MITRE ATT&CK technique IDs. All technique mappings below are behaviorally inferred from confirmed attack behaviors described in sources. Each mapping explicitly states its inference basis. These mappings should be treated as detection-prioritisation hypotheses and threat hunting starting points, not confirmed source-cited technique assignments. MITRE D3FEND countermeasures are included where applicable.

T1190 — Exploit Public-Facing Application — Initial Access

Behavioral basis: Storm-1175's campaign involves systematic exploitation of internet-facing web applications and management portals including JetBrains TeamCity, BeyondTrust, CrushFTP, SmarterMail, and SimpleHelp. CVE-2026-33824 is a network-exploitable unauthenticated RCE against Windows IKE, a network-facing service. CVE-2026-39987 is exploitation of an unauthenticated WebSocket endpoint on an internet-accessible notebook server. CVE-2026-3844 is exploitation of an unauthenticated file upload endpoint on a publicly accessible WordPress site. All four clusters directly and unambiguously map to T1190.

D3FEND countermeasures: D3-NTF Network Traffic Filtering to restrict access to internet-facing application ports to authorised source ranges only. D3-SFA Software Feature Activation controls to restrict the Gravatar add-on in Breeze Cache and the /terminal/ws endpoint in Marimo to authenticated-only access paths.

T1068 — Exploitation for Privilege Escalation — Privilege Escalation

Behavioral basis: BlueHammer CVE-2026-33825 exploits a TOCTOU race condition in Microsoft Defender's remediation logic to escalate a low-privilege local user to SYSTEM. RedSun is a second confirmed LPE flaw in Defender exploited in the wild. CVE-2026-33826 allows an authenticated attacker to escalate within Windows Active Directory. CVE-2026-40372 allows an unauthenticated attacker to forge authentication material in ASP.NET Core applications at the application privilege layer.

D3FEND countermeasures: D3-UAP User Account Permissions enforcement to apply least-privilege controls on local user accounts, reducing the value of T1068 exploitation since BlueHammer and RedSun both require local access as a prerequisite. D3-SYSM System Monitoring for anomalous privilege transitions and Windows integrity level changes.

T1562.001 — Impair Defenses: Disable or Modify Tools — Defense Evasion

Behavioral basis: UnDefend explicitly blocks Microsoft Defender's security definition updates, causing progressive degradation of endpoint detection capability as signature databases become stale. Trigona affiliates load vulnerable kernel drivers specifically to terminate security processes before launching their encryption payload. Both are direct T1562.001 behaviors with the shared operational goal of removing detection capability before carrying out the attack's impact phase.

D3FEND countermeasures: D3-PM Platform Monitoring to detect unexpected termination of security service processes and abnormal Defender definition update failures.

T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain — Initial Access

Behavioral basis: The @bitwarden/cli NPM package compromise and the Checkmarx KICS Docker image and IDE extension tampering are direct supply-chain attacks targeting developer toolchain components consumed automatically by CI/CD pipelines. Both were designed to silently harvest credentials during automated build steps without requiring any human interaction beyond the normal pipeline execution.

D3FEND countermeasures: D3-SBV Software Bill of Materials Vulnerability analysis and cryptographic dependency verification through package version pinning and container image digest verification enforced in CI/CD pipeline configuration.
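The two controls named above (exact version pinning checked against a compromised-release watchlist, and digest-pinned container images) are straightforward to enforce as a pipeline gate. The script below is an added example written for this brief, not code from the page's sources or from Bitwarden or Checkmarx. The package-lock.json, Dockerfile and the watchlisted version string are constructed; the brief does not publish the affected @bitwarden/cli release numbers, so the version is a placeholder to be replaced from the vendor advisory. The image name checkmarx/kics is used only as an illustrative mutable-tag reference.

```python
"""Pipeline gate: watchlisted NPM versions in a lockfile and unpinned FROM images in a Dockerfile.
Added example; lockfile, Dockerfile and watchlist contents below are constructed."""
import json
import re
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Known-bad (package, version) pairs. The version is a PLACEHOLDER: the brief does not publish the
# affected @bitwarden/cli release numbers, so populate this from the vendor advisory.
WATCHLIST: Set[Tuple[str, str]] = {("@bitwarden/cli", "0.0.0-compromised-placeholder")}

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I | re.M)


def installed_packages(lock: Dict) -> Iterator[Tuple[str, str]]:
    """Yield every (name, resolved version) in a package-lock.json.
    lockfileVersion 2/3 keeps a flat 'packages' map keyed by path; v1 nests 'dependencies'."""
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            yield path.split("node_modules/")[-1], meta.get("version", "")
        return

    def walk(deps: Dict) -> Iterator[Tuple[str, str]]:
        for name, meta in (deps or {}).items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def watchlisted(lock: Dict, watchlist: Iterable[Tuple[str, str]] = WATCHLIST) -> List[Tuple[str, str]]:
    """Exact (name, version) hits. With a committed lockfile this is deterministic per commit."""
    bad = set(watchlist)
    return sorted({pkg for pkg in installed_packages(lock) if pkg in bad})


def unpinned_images(dockerfile: str) -> List[str]:
    """FROM references that rely on a mutable tag instead of an @sha256 digest.
    Stage aliases (FROM build) and scratch are not registry pulls and are skipped."""
    aliases: Set[str] = set()
    unpinned: List[str] = []
    for ref, alias in FROM_RE.findall(dockerfile):
        if alias:
            aliases.add(alias.lower())
        if ref.lower() == "scratch" or ref.lower() in aliases:
            continue
        if "@sha256:" not in ref:
            unpinned.append(ref)
    return unpinned


# Constructed inputs standing in for a real repository's files.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "ci-tools", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "0.0.0-compromised-placeholder"},
    "node_modules/@bitwarden/cli/node_modules/chalk": {"version": "4.1.2"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")

SAMPLE_DOCKERFILE = """
FROM node:20-alpine AS build
RUN npm ci
FROM checkmarx/kics:latest
FROM alpine:3.20@sha256:%s
COPY --from=build /app /app
FROM build
""" % ("a" * 64)

if __name__ == "__main__":
    print("watchlisted packages:", watchlisted(SAMPLE_LOCK))
    print("unpinned images:", unpinned_images(SAMPLE_DOCKERFILE))
```

Run it as a pre-build step and fail the job when either list is non-empty. Digest pinning alone does not stop a compromised upstream build from being pulled once; it stops a registry tag being silently repointed after you have reviewed the image, which is the KICS Docker image scenario this brief describes.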

T1071.001 — Application Layer Protocol: Web Protocols — Command and Control

Behavioral basis: GopherWhisper routes all C2 communications through Microsoft 365 Outlook, Slack, and Discord APIs over HTTPS, making C2 traffic indistinguishable from legitimate business communication at the network layer. This is T1071.001 at the transport level and, more precisely, T1102.002 Web Service: Bidirectional Communication, since the channel is a legitimate SaaS API rather than attacker-owned web infrastructure. NKAbuse in the Marimo post-exploitation campaign routes its C2 over the NKN peer-to-peer protocol using application-layer messaging; NKN is not a web protocol, so that behavior maps to the parent T1071 rather than the .001 sub-technique. Both mappings are inferred from documented infrastructure descriptions.

D3FEND countermeasures: D3-NGSF Next-Generation Firewall with application-layer inspection to identify programmatic API access patterns inconsistent with user-driven application behavior. D3-UEBA User and Entity Behavior Analytics on collaboration platform API usage volumes and timing patterns.

T1003 — OS Credential Dumping — Credential Access (with T1552.001 Unsecured Credentials: Credentials In Files, and T1555 Credentials from Password Stores for the NirSoft component)

Behavioral basis: BlueHammer's documented post-exploitation path redirects Defender's privileged file operations to the SAM registry hive, exposing local account password hashes to the attacker; this is T1003.002 OS Credential Dumping: Security Account Manager. Marimo exploitation campaigns systematically target .env files containing cloud credentials and database connection strings as an immediate post-exploitation step documented by Sysdig; credentials read from configuration files are T1552.001, not a password store. Trigona affiliates use Mimikatz (T1003.001 LSASS Memory) and NirSoft password-recovery utilities (T1555, since those tools read browser, mail and application credential stores) as part of their pre-encryption toolchain. All three clusters confirm credential acquisition as an immediate post-access objective, but the three paths differ in where the credentials live and therefore in what telemetry detects them: SAM hive handle access, LSASS process access, and file reads of .env respectively.

D3FEND countermeasures: D3-CH Credential Hardening through enforcement of Windows Credential Guard to protect LSASS memory against Mimikatz. Credential Guard does not protect the on-disk SAM hive that BlueHammer exposes, so pair it with Windows LAPS so that the local administrator hash dumped from one host is unique to that host and cannot be replayed elsewhere. D3-UA User Attribute Encryption and secrets management controls to protect credentials stored in application configuration files such as .env files, ideally by replacing static secrets in the container with short-lived credentials issued at runtime.

T1486 — Data Encrypted for Impact — Impact

Behavioral basis: Medusa ransomware deployment by Storm-1175 is confirmed as the final-stage impact action following initial access and post-exploitation activity. Trigona ransomware encrypts victim data following its custom exfiltration phase. Kyber ransomware includes a reported wiper variant with destructive impact beyond encryption. All three confirm T1486 as the impact technique, with Kyber potentially also mapping to T1485 Data Destruction given the wiper behavior, though Kyber intelligence is low confidence.

D3FEND countermeasures: D3-BR Backup Recovery validation and testing to ensure offline, untampered, tested backups exist as the primary recovery mechanism against T1486 encryption attacks.

T1048 — Exfiltration Over Alternative Protocol — Exfiltration

Behavioral basis: GopherWhisper exfiltrates data over Slack, Discord, and Outlook APIs rather than conventional C2 channels. Because the destinations, certificates and ports are all those of legitimate SaaS services, the traffic produces few network-layer indicators; T1567 Exfiltration Over Web Service is the more precise mapping for this behavior, with T1048 as the broader bucket. Trigona's uploader_client.exe exfiltrates to a hardcoded server using a custom protocol specifically designed to avoid detection by commodity exfiltration tool signatures, which maps cleanly to T1048. Both represent deliberate use of channels outside the primary C2 path to evade standard exfiltration detection logic.

D3FEND countermeasures: D3-NETLOGA Network Traffic Analysis to establish baselines for expected outbound data volumes and destinations, enabling anomaly detection when exfiltration volumes exceed normal business baselines even over legitimate SaaS channels.

T1059 — Command and Scripting Interpreter — Execution

Behavioral basis: Storm-1175's documented capability to deploy ransomware within hours of initial access requires scripted execution chains post-exploitation. Marimo post-exploitation grants an interactive PTY shell providing direct command interpreter access to the attacker. Trigona's toolchain involves sequential command-line utility execution including Mimikatz, NirSoft tools, and the custom uploader binary. This technique is inferred from operational patterns and tool usage descriptions rather than explicit technique citations in sources.

T1078 — Valid Accounts — Persistence and Defense Evasion

Behavioral basis: BlueHammer's documented SAM database access enables extraction of local account password hashes, which once cracked allow re-authentication using valid credentials without triggering exploitation-based detections. Storm-1175's post-access persistence and Trigona's use of Mimikatz both target credential acquisition explicitly to enable subsequent valid account use for lateral movement and persistence. Inferred from the credential theft patterns and operational persistence behaviors documented in sources.

Chapter 05 - Governance, Risk & Compliance

CISA KEV Regulatory Obligations

CISA's KEV entries for CVE-2026-39987 (Marimo) and CVE-2026-33825 (BlueHammer) are binding under Binding Operational Directive 22-01 for all US federal civilian executive branch agencies. The remediation due date for Marimo is May 7, 2026, and for BlueHammer it is May 6, 2026. Federal agencies must either apply the vendor-specified mitigations or discontinue use of affected products where mitigations are unavailable. Non-compliance with BOD 22-01 deadlines carries agency-level accountability and inspector general reporting risk.

Non-federal organisations in regulated sectors that model their patch SLAs on KEV listings must treat both CVEs as their highest-priority remediation items this week and must be prepared to demonstrate timely remediation or documented compensating controls during regulatory audits or incident investigations. For organisations subject to NIST SP 800-53, FISMA, or FedRAMP requirements, the KEV listing directly triggers SI-2 Flaw Remediation controls with documented timelines.

GDPR and EU Regulatory Exposure

The Rituals data breach involves personal data from what is primarily a European consumer base of approximately 40 million loyalty programme members. Under GDPR Article 33, Rituals is obligated to notify its competent supervisory authority within 72 hours of becoming aware of the breach. Under Article 34, notification to affected individuals is required where the breach is likely to result in a high risk to their rights and freedoms. Rituals has stated it has notified authorities and is advising customers of phishing risk, which is consistent with both obligations.

For peer organisations, this breach is a concrete prompt to test whether your own Article 33 notification workflow can actually execute within the 72-hour window for a breach of comparable scale. Organisations with large loyalty or membership databases should confirm by name which data protection officer, legal counsel, and supervisory authority contact are responsible for the notification decision, and should validate that their breach response playbook does not contain steps requiring external legal advice that would consume the 72-hour window before notification is sent.

NIS2 Obligations

Organisations in NIS2 scope operating Windows endpoints or internet-facing applications targeted by today's active exploitation clusters face NIS2 Article 21 cybersecurity risk management obligations. Article 21 requires organisations to take appropriate and proportionate technical and organisational measures to manage the risks posed to network and information systems. KEV-listed vulnerabilities with confirmed active exploitation represent exactly the class of risk that Article 21 risk management programmes must address within documented and defensible SLAs. Boards of NIS2-essential entities should receive a briefing today confirming BlueHammer and Marimo patch status, ensuring the organisation can demonstrate due diligence under Article 21 if an incident materialises before patching is complete.

DORA Obligations for Financial Services

Financial services entities in the EU subject to the Digital Operational Resilience Act face ICT risk management obligations under DORA Article 6 and incident reporting obligations under Article 19. The BlueHammer exploitation cluster targeting Windows endpoints and the Storm-1175 Medusa ransomware campaign targeting management infrastructure are precisely the class of ICT risks DORA Article 6 requires covered entities to identify, classify, and treat within a documented risk management framework. If Medusa ransomware is deployed against a DORA-covered entity, Article 19 incident reporting to competent authorities is triggered with timelines determined by incident classification. Financial services CISOs should confirm today that their DORA incident classification criteria and notification workflows have been updated to reflect ransomware and credential theft scenarios consistent with today's active campaigns.

HIPAA Obligations for Healthcare

Healthcare organisations where BlueHammer exploitation leads to SAM database access and credential theft, followed by access to systems containing protected health information, face HIPAA Breach Notification Rule obligations. For breaches affecting 500 or more individuals, covered entities must notify the US Department of Health and Human Services and affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and must notify prominent media outlets in any state or jurisdiction where more than 500 residents are affected. The determinative HIPAA question is whether credential theft resulted in actual access to PHI. Healthcare CISOs should document their breach risk assessment conclusion on this point regardless of outcome, since HIPAA requires documentation of the assessment itself.

Software Supply Chain Regulatory Obligations

The Bitwarden CLI and Checkmarx KICS supply-chain compromises are directly relevant to emerging software supply chain regulatory requirements. US Executive Order 14028 on Improving the Nation's Cybersecurity and associated NIST guidance on secure software development frameworks require federal contractors to maintain SBOM controls and verify the integrity of third-party dependencies. The EU Cyber Resilience Act imposes analogous requirements on product manufacturers and software publishers operating in the EU market. Boards and risk committees should expect security and engineering leaders to present updated third-party software risk assessments and SBOM-driven dependency verification controls addressing open-source packages, container image registries, and IDE extension marketplaces following these incidents.

Board-Level Risk Summary

Three concurrent risk themes require board-level awareness today. First, the tools enterprises rely on to protect themselves including Windows endpoint protection and internal analytics platforms are the active attack surface in today's brief. Second, the speed of weaponisation has eliminated the traditional patching grace period: Marimo was exploited within ten hours of advisory publication and BlueHammer was exploited four days before its patch existed. Third, the regulatory consequences of a breach materialising from today's active clusters are immediate and multi-jurisdictional for any organisation operating across the US, EU, and UK. The primary board decision required today is ensuring that executive leadership has confirmed rather than assumed that BlueHammer and Marimo patches are deployed and verified across the full endpoint estate.

Chapter 06 - Adversary Emulation

BlueHammer LPE Scenario

In a controlled lab environment running a pre-patch Windows endpoint with Microsoft Defender Antimalware Platform version below 4.18.26050.3011, emulate the BlueHammer exploitation path by simulating a TOCTOU race condition against the Defender remediation workflow using NTFS junction creation and oplock manipulation. The objective is not to reproduce the full exploit but to validate whether your EDR telemetry captures the SYSTEM-context process creation event, whether your SIEM alert on anomalous SAM registry access fires correctly, and whether your SOC escalation workflow triggers within acceptable dwell-time thresholds.

Following the privilege escalation simulation, validate that credential rotation playbooks function correctly by running a tabletop exercise in which SYSTEM-level access is confirmed on an endpoint with cached domain credentials. Confirm which credentials would need rotation, who owns the rotation decision, and whether the rotation can be executed within four hours of confirmed compromise. This is the realistic containment window based on Storm-1175's documented dwell times.

Marimo RCE and Lateral Movement Scenario

In a controlled environment with a test Marimo instance running a version below 0.23.0, emulate an unauthenticated WebSocket connection to /terminal/ws to validate whether existing WAF rules, API gateway controls, or network egress monitoring detect and alert on the connection. The emulation does not require a live exploit; a simple WebSocket client sending an upgrade request to the endpoint with no cookie or authorisation header is sufficient to test detection coverage. The server's answer is itself the finding: a 101 Switching Protocols response means the terminal endpoint accepts unauthenticated connections, while 401 or 403 means an authentication control is in front of it.

Following simulated initial access, validate that compromise of the notebook container does not provide a path to production database credentials or cloud control plane access by testing the lateral movement paths Sysdig documented: reading .env files in the container filesystem, attempting outbound connections to internal PostgreSQL instances, and attempting to access cloud credential metadata endpoints such as the AWS instance metadata service. Any successful path from the notebook container to production resources represents a segmentation failure requiring architectural remediation regardless of whether the CVE is patched.
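The three lateral movement checks above can be scripted and run from inside the test container after the simulated foothold. The following is an added example for this brief, not Sysdig's or Marimo's code; the .env path, database hostnames and the IMDSv2 token request are assumptions for a lab layout. Any Finding with reachable set to True is a segmentation failure in the sense the paragraph describes. Secret values are never printed, only the names of credential-looking keys.

```python
"""Post-access segmentation checks run from inside the test notebook container (added example)."""
import os
import socket
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

IMDS_HOST = "169.254.169.254"  # link-local metadata address used by AWS (GCP and Azure use it too)
CRED_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "ACCESS_KEY",
                "PRIVATE_KEY", "DATABASE_URL", "DSN")


@dataclass
class Finding:
    check: str
    reachable: bool  # True: the path out of the container works and is a segmentation failure
    detail: str


def credential_keys(lines: Iterable[str]) -> List[str]:
    """Names of KEY=value entries whose key looks like a credential. Values are never returned."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip().upper()
        if key.startswith("EXPORT "):
            key = key[7:].strip()
        if any(marker in key for marker in CRED_MARKERS):
            hits.append(key)
    return hits


def env_file_check(path: str) -> Finding:
    """Is a readable .env present, and does it carry credential-like keys?"""
    if not (os.path.isfile(path) and os.access(path, os.R_OK)):
        return Finding("env-file", False, f"{path} absent or unreadable")
    with open(path, "r", errors="replace") as fh:
        keys = credential_keys(fh)
    return Finding("env-file", bool(keys),
                   f"credential-like keys: {keys}" if keys else "no credential-like keys")


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect; a completed handshake is enough to prove the path exists."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def imds_check(host: str = IMDS_HOST, port: int = 80, timeout: float = 2.0) -> Finding:
    """IMDSv2 session-token request. Any HTTP answer, even a 403, means the metadata service is
    reachable from the container; the fix is hop-limit or egress policy, not a different request."""
    req = (f"PUT /latest/api/token HTTP/1.1\r\nHost: {host}\r\n"
           "X-aws-ec2-metadata-token-ttl-seconds: 21600\r\nConnection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            head = s.recv(256)
    except OSError as exc:
        return Finding("imds", False, f"no answer from {host}:{port} ({type(exc).__name__})")
    parts = head.split(b" ", 2)
    status = parts[1].decode("ascii", "replace") if head.startswith(b"HTTP/") and len(parts) > 1 else "non-http"
    return Finding("imds", True, f"metadata service answered (status {status})")


def run_checks(env_path: str, db_targets: Sequence[Tuple[str, int]],
               imds_host: str = IMDS_HOST, imds_port: int = 80) -> List[Finding]:
    findings = [env_file_check(env_path)]
    for host, port in db_targets:
        ok = tcp_reachable(host, port)
        findings.append(Finding(f"tcp {host}:{port}", ok,
                                "port open from container" if ok else "refused or filtered"))
    findings.append(imds_check(imds_host, imds_port))
    return findings


def segmentation_failures(findings: Iterable[Finding]) -> List[Finding]:
    return [f for f in findings if f.reachable]


if __name__ == "__main__":
    # Assumed lab layout: app .env in /app, two internal PostgreSQL targets.
    results = run_checks("/app/.env", [("postgres.internal", 5432), ("10.0.20.15", 5432)])
    for f in results:
        print("FAIL" if f.reachable else "ok  ", f.check, "-", f.detail)
```

The useful output is the list from segmentation_failures: an open database port or an answering metadata service is an architectural finding that survives patching the CVE, exactly as the paragraph says.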

GopherWhisper C2 Detection Validation

For government-adjacent organisations, conduct a red team exercise in which a simulated implant makes programmatic API calls to a Slack workspace or Discord server owned and controlled by the security team, using a Go-based script rather than a standard desktop client. Validate whether this traffic is detected by your proxy, SIEM, or UEBA platform. If the traffic passes without alerting, your GopherWhisper detection coverage is insufficient. Use this exercise to calibrate the thresholds in the Slack and Discord API anomaly queries documented in Field 31.
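The detection side of the exercise above, as an added example for this brief (not ESET's analysis or any tool from the sources): a hunt over proxy logs that separates programmatic use of Slack, Discord and Microsoft 365 API hosts from ordinary human use. Two signals are combined, a User-Agent that is not a browser or desktop client, and a near-constant request cadence measured as the coefficient of variation of inter-arrival gaps. The log format, hostnames, thresholds and the Go default User-Agent string on the simulated implant are all constructed for the example; the real GopherWhisper User-Agent is not stated in the sources.

```python
"""Hunt for implant-like use of collaboration-platform APIs in proxy logs (added example).
Log format, hosts, thresholds and sample records are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

COLLAB_API_HOSTS = {"slack.com", "api.slack.com", "discord.com", "discordapp.com",
                    "graph.microsoft.com", "outlook.office.com", "outlook.office365.com"}
# User-Agent fragments expected from humans on these services; anything else is "programmatic".
EXPECTED_UA_MARKERS = ("Mozilla/", "Slack_SSB", "Slack/", "Discord/", "Outlook", "Microsoft Office")
MIN_REQUESTS = 6      # fewer samples than this give a meaningless cadence estimate
MAX_CV_BEACON = 0.2   # std-dev/mean of inter-arrival gaps below this looks like a timer, not a person


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Constructed tab-separated proxy record: ts<TAB>src_ip<TAB>host<TAB>path<TAB>user_agent."""
    ts, src, host, path, ua = line.rstrip("\n").split("\t", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host.lower(), path, ua


def cadence_cv(times: List[datetime]) -> Optional[float]:
    """Coefficient of variation of gaps between consecutive requests; None if too few requests."""
    if len(times) < MIN_REQUESTS:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Group requests by (source, API host) and flag non-client agents or fixed cadence."""
    series = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, host, _path, ua = parse_line(line)
        if host not in COLLAB_API_HOSTS:
            continue
        series[(src, host)].append(ts)
        agents[(src, host)].add(ua)
    alerts = []
    for key, times in series.items():
        reasons = []
        odd_agents = [ua for ua in agents[key] if not any(m in ua for m in EXPECTED_UA_MARKERS)]
        if odd_agents:
            reasons.append(f"non-client user-agent: {sorted(odd_agents)}")
        cv = cadence_cv(times)
        if cv is not None and cv < MAX_CV_BEACON:
            reasons.append(f"fixed cadence over {len(times)} requests (cv={cv:.3f})")
        if reasons:
            alerts.append({"src": key[0], "host": key[1], "requests": len(times), "reasons": reasons})
    return alerts


def _rec(ts: str, src: str, host: str, path: str, ua: str) -> str:
    return "\t".join((ts, src, host, path, ua))


# Constructed sample: 10.0.0.5 polls one Slack API method every ~60 s with Go's default
# User-Agent (the simulated implant); 10.0.0.9 is a person browsing Slack irregularly.
SAMPLE_LOG = [
    _rec("2026-04-24T09:00:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:01:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:02:01Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:03:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:04:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:05:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:06:01Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:07:00Z", "10.0.0.5", "api.slack.com", "/api/conversations.history", "Go-http-client/1.1"),
    _rec("2026-04-24T09:00:12Z", "10.0.0.9", "slack.com", "/messages/C01", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    _rec("2026-04-24T09:00:24Z", "10.0.0.9", "slack.com", "/messages/C01", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    _rec("2026-04-24T09:05:24Z", "10.0.0.9", "slack.com", "/files", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    _rec("2026-04-24T09:06:09Z", "10.0.0.9", "slack.com", "/messages/C02", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    _rec("2026-04-24T09:21:09Z", "10.0.0.9", "slack.com", "/messages/C02", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    _rec("2026-04-24T09:02:00Z", "10.0.0.9", "example.com", "/", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Run the same logic over the proxy records from the red team's scripted client; if the exercise host is not flagged, lower MAX_CV_BEACON or extend EXPECTED_UA_MARKERS until it is, then confirm the adjusted thresholds do not flag the workstation population. Implants that randomise sleep intervals defeat the cadence signal, which is why the User-Agent test is kept as an independent reason.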

Supply Chain Compromise Validation

Conduct a tabletop exercise simulating a scenario in which your CI/CD pipeline silently consumed a compromised NPM package version for approximately 90 minutes during a working day before the compromise was announced. The exercise should answer four specific questions: How quickly would your organisation detect that a malicious package version was consumed? What is the complete set of credentials and secrets that would be in scope for rotation? Can pipeline rebuild from trusted sources be completed within 24 hours? Who has authority to take production CI/CD pipelines offline while investigation and remediation proceed?

Storm-1175 Web-Facing Asset Exploitation Scenario

Conduct a targeted external penetration test or red team exercise focused specifically on the Storm-1175 target product list: BeyondTrust, CrushFTP, SmarterMail, JetBrains TeamCity, SimpleHelp, and Oracle WebLogic. The test objective should be to answer whether any of these products in your environment are reachable from the internet, whether they are running current patch levels, and whether post-exploitation detection coverage would identify the rapid lateral movement pattern Storm-1175 uses. Given that Storm-1175 has moved from initial access to ransomware deployment within hours in documented cases, detection must be pre-encryption rather than post-encryption. Validate that your detections fire before the shadow copy deletion phase, not after.

Ransomware Recovery Validation

Given that Medusa, Trigona, and potentially Kyber are all active within the reporting window, this is an appropriate moment to conduct a full backup recovery test for critical systems. Validate that backups are offline, untampered, and recoverable within your documented recovery time objective. A backup that has not been tested for recovery is not a backup for incident response purposes.

Intelligence Confidence: 78%

Factor | Score Contribution | Basis
CISA KEV listings (2 entries: Marimo + BlueHammer) | +High | Authoritative exploitation confirmation; highest-weight signal available
NVD CVSS scores confirmed | +Medium | CVE-2026-39987 (9.3), CVE-2026-33825 (7.8), CVE-2026-33824 (9.8), CVE-2026-40372 (9.1) confirmed in NVD and vendor sources
Huntress empirical exploitation telemetry (BlueHammer) | +High | Primary original research with documented real-world exploitation evidence
Sysdig exploitation timeline (Marimo) | +High | Primary original research; dated exploitation events with telemetry
Microsoft TI + BleepingComputer corroboration (Storm-1175) | +Medium | Two independent sources; elevated + standard weight
CERT-UA + CISA KEV corroboration (UAC-0233/Zimbra) | +High | Two independent authoritative sources
ESET single-source (GopherWhisper) | Neutral | Single primary research team; no independent government advisory in sources
Symantec single-source (Trigona) | Neutral | Single primary research team
TeamPCP self-claimed (supply-chain) | -Low | Self-attribution only; unverified
Zero published IOC values | -Medium | Limits actionability; enrichment pending for all incidents
RedSun + UnDefend no CVE IDs confirmed | -Low | Two active unpatched flaws with no official identifiers yet
Kyber ransomware single Tier 2 source | -Medium | No Tier 1 corroboration; low individual confidence