Inferlume

How it Works
Pricing
About
Get Free Access →

Get Free Access

PUBLISHED ON

AApprr  2266,,  22002266
EEDDIITTIIOONN  000044

The Week the KEV Catalog Needed a Second Shift

Twelve CISA KEV entries in five days. One CVSS 9.9 in active ransomware chains. One hundred and eight browser backdoors in the official store.

WEEKLY OPENING

Twelve vulnerabilities joined CISA's Known Exploited Vulnerabilities catalog in five days. Eight arrived Monday, four on Friday, and none of them were trivial. The week opened with three Cisco Catalyst SD-WAN Manager flaws added simultaneously alongside a Zimbra vulnerability that CERT-UA had been tracking against Ukrainian government targets since September 2025, and it closed with SimpleHelp carrying a CVSS of 9.9 already confirmed operational in live ransomware and botnet deployment chains. Meanwhile, ShinyHunters confirmed breaches at Vercel and ADT, entering Vercel not through its own perimeter but through a third-party AI analytics vendor trusted enough to hold internal API keys. One hundred and eight Chrome extensions in the official Web Store were quietly harvesting Google OAuth tokens and exfiltrating Telegram session data to a single command-and-control server every fifteen seconds, all still live in the store at week's end. Welcome to the week the tools your teams trusted most required the most urgent attention.

EXECUTIVE TAKE

This week's threat landscape did not announce itself through novel techniques or unprecedented malware. It arrived through trusted infrastructure: the remote support tool your IT team uses to manage distributed systems, the authentication agent sitting on every managed endpoint, and the SaaS analytics vendor your developers onboarded without a security review. ShinyHunters compromised Context.ai, a third-party AI analytics provider integrated into Vercel's internal toolchain, and used that access to reach Vercel's internal API keys, session tokens, and employee database, with the $2 million asking price on underground forums indicating this was an intelligence asset being monetized rather than a conventional ransomware operation. Ransomware operators exploited CVE-2024-57726 in SimpleHelp, where any account holding technician-level privileges can generate API keys exceeding their designated role and escalate directly to server admin without any complex attack chain. The pattern is consistent: attackers are no longer primarily targeting hardened perimeters. They are pricing trusted relationships.

CISA's addition of twelve CVEs to the Known Exploited Vulnerabilities catalog across two waves reflects an exploitation environment where the disclosure-to-weaponization timeline has compressed to days for high-value management and infrastructure software. The April 20 batch included CVE-2025-32975 in Quest KACE SMA carrying a CVSS of 10.0 with confirmed exploitation dating to March 9, 2026 against a patch available since May 2025. The six-week gap between patch availability and exploitation confirmation is itself the intelligence: organizations with functional vulnerability management programs still absorbed over a month of active exploitation on fully patchable software. The April 25 batch added SimpleHelp CVE-2024-57726 (CVSS 9.9, ransomware confirmed) and Microsoft Defender CVE-2026-33825 BlueHammer (CVSS 7.8, public exploit code on GitHub weeks before the April 13 patch), with federal remediation deadlines of May 8, 2026 for both. The April 23 Cisco SD-WAN Manager deadline has already elapsed.

Ransomware remained at the same high operational baseline it has occupied since late 2025. ZeroFox Q1 2026 data documents 2,059 ransomware and digital extortion incidents in the first quarter, just 1.5 percent below the Q4 2025 record, with manufacturing absorbing nearly 20 percent of global attacks. The most active collectives, Qilin, Akira, The Gentlemen, INC Ransom, and Cl0p, together drove nearly half of observed Q1 incidents and demonstrated sustained operational capacity rather than episodic spikes. For organizations that have framed ransomware as a cyclical crisis requiring periodic response, this data is corrective: the volume has plateaued at a sustained operational level, targeting patterns are consistent, and entry vectors remain the same mix of unpatched remote management tooling, exposed APIs, default credentials on middleware, and identity-layer weaknesses that have characterized every high-volume ransomware year since 2021.

KEY FINDINGS

  • CVE-2024-57726 (SimpleHelp) CVSS 9.9: missing authorization in technician API paths allows any low-privileged technician account to create admin-level API keys and escalate directly to server admin; CISA KEV confirmed April 24 with explicit ransomware and botnet deployment warnings; companion CVE-2024-57728 (CVSS 7.2) zip slip path traversal enables arbitrary code execution on the SimpleHelp host server, forming a natural escalate-then-execute chain; federal deadline May 8, 2026; patch: upgrade above v5.5.7 immediately

  • CVE-2025-32975 (Quest KACE SMA) CVSS 10.0: authentication bypass via SSO handling; confirmed exploitation by Arctic Wolf dating to March 9, 2026, using Base64-encoded curl and wget payloads via the KPluginRunProcess endpoint with C2 callback to 216[.]126[.]225[.]156; patch available since May 2025; CISA KEV April 21; federal deadline May 12, 2026

  • CVE-2026-35616 (Fortinet FortiClient EMS) CVSS 9.1: SQL injection enabling unauthenticated remote code execution; actively exploited in the wild; emergency hotfix released by Fortinet; all internet-accessible EMS deployments should apply immediately

  • ShinyHunters confirmed breaches at Vercel (via third-party Context.ai supply chain pivot, internal API keys and tokens compromised, $2M asking price on underground forums) and ADT (10M+ customer records, confirmed April 23, active "Pay or Leak" ultimatum); unconfirmed claims at Udemy (1.4M records asserted), Mytheresa, Zara, Carnival, and 7-Eleven pending victim organization corroboration [NOT CONFIRMED]

  • 108 malicious Chrome extensions in the official Chrome Web Store unified under a single C2 at cloudapi[.]stream (IP: 144.126.135.238) running a Strapi CMS backend on port 1337; 54 extensions steal Google OAuth2 Bearer tokens, 45 deploy universal backdoors, 1 exfiltrates Telegram Web sessions on a 15-second polling interval; approximately 20,000 installs confirmed across five publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt; extensions not confirmed removed from the Chrome Web Store as of April 25; source: Socket Research

  • CVE-2026-33825 (Microsoft Defender / "BlueHammer") CVSS 7.8: local privilege escalation to SYSTEM via CWE-1220 insufficient access control granularity; researcher "Chaotic Eclipse" published working exploit code to GitHub weeks before Microsoft's April 13 Patch Tuesday; CISA KEV addition this week confirms in-the-wild exploitation during the disclosure-to-patch window; CVE-2026-32201 (Microsoft SharePoint): confirmed exploited as a zero-day prior to April 13 patching, enabling network-based spoofing of trusted SharePoint content and interfaces; April 2026 Patch Tuesday addressed 163 CVEs total including 8 critical issues

  • CVE-2026-34197 (Apache ActiveMQ Classic): authenticated Jolokia-based code execution path dormant in the codebase for approximately 13 years; CISA KEV confirmed active exploitation; over 6,400 internet-exposed brokers still vulnerable despite a March 2026 patch per Shadowserver telemetry; exploitation path frequently relies on default admin credentials; federal deadline April 30, 2026; patch: upgrade to 5.19.5+ or 6.2.3+

  • CVE-2026-20122 / CVE-2026-20128 / CVE-2026-20133 (Cisco Catalyst SD-WAN Manager): three simultaneous CISA KEV additions April 20 forming a coherent intrusion chain; CVE-2026-20133 exposes sensitive configuration data including credentials to remote unauthenticated actors; CVE-2026-20122 enables authenticated file overwrite with vmanage privilege gain; federal deadline April 23, 2026 (elapsed); SD-WAN Manager compromise provides deep visibility into network topology and a path to reconfigure routing and pivot internally

  • UAC-0233 exploited Zimbra Collaboration (CVE-2025-48700 and CVE-2025-66376) against Ukrainian government entities since September 2025 per CERT-UA, enabling JavaScript execution without user interaction and exfiltrating credentials, session tokens, and up to 90 days of mailbox contents via DNS and HTTPS; campaign active six months before CISA KEV acknowledgment April 20; APT28 (Forest Blizzard) deployed the new PRISMEX malware suite against Ukrainian defense and Western aid infrastructure with documented escalation in January 2026

  • CVE-2024-7399 (Samsung MagicINFO 9 Server) CVSS 8.8: path traversal enabling SYSTEM-level arbitrary file write; KEV April 25; commonly deployed on OT-adjacent segments; CVE-2025-29635 (D-Link DIR-823X): command injection via POST to /goform/set_prohibiting; KEV April 25; device is end of life with no patch forthcoming, linked to active botnet infrastructure; CVE-2025-2749 (Kentico Xperience): path traversal in Staging Sync Server; KEV April 21; authenticated attacker can write to relative path locations

  • 36 malicious npm packages impersonating Strapi CMS plugins identified by Check Point Research; execute on install via postinstall hooks; harvest .env secrets and environment variables; establish C2 channels; enable Redis RCE and direct PostgreSQL exploitation in select packages; attack surface extends to AI pipeline tool poisoning enabling hijacking of agent tool calls mid-execution

  • Ransomware volume stabilized at sustained high baseline: ZeroFox Q1 2026 data shows 2,059 ransomware and digital extortion incidents, 1.5 percent below Q4 2025 record; manufacturing absorbed 419 incidents (approximately 20 percent of global attacks, highest of any sector, consistent since 2021); professional services, construction, retail, and healthcare together account for approximately 60 percent of remaining cases; top collectives Qilin, Akira, The Gentlemen, INC Ransom, Cl0p drove nearly half of all observed Q1 incidents

WEEKLY THREAT NARRATIVE

The Remote Admin Trust Problem: SimpleHelp and the CVSS 9.9 Nobody Patched

SimpleHelp is enterprise remote support software deployed by MSPs and internal IT operations precisely because it is engineered to give administrators control over distributed systems. CVE-2024-57726 (CVSS 9.9) dismantles that trust model with minimal technical complexity: any account holding technician-level privileges can generate API keys with permissions exceeding their designated role, escalating directly to server admin through an authorization logic flaw in the API handling layer. CISA's April 24 KEV listing with explicit ransomware and botnet deployment warnings confirms this is operational in production attack chains, not theoretical. The companion vulnerability CVE-2024-57728, a zip slip path traversal (CWE-22), adds arbitrary code execution on the SimpleHelp host server, providing an attacker who has escalated via CVE-2024-57726 a direct path to persistent host-level presence with no additional exploitation required. Organizations running SimpleHelp v5.5.7 or earlier should treat unpatched instances as potentially compromised and initiate forensic triage of API key creation events alongside patch deployment, not after it. For MSPs managing dozens of customer environments through a single SimpleHelp deployment, the blast radius of one compromised technician account is not bounded to a single tenant.

ShinyHunters: The Supply Chain Method

ShinyHunters operated this week at scale and with methodological precision. The Vercel breach, disclosed April 19, is the most instructive incident of the reporting period. The group did not attack Vercel's perimeter. They compromised Context.ai, a third-party AI analytics vendor integrated into Vercel's internal toolchain, and used that access to reach Vercel's internal API keys, session tokens, employee data, and internal database. Vercel CEO Guillermo Rauch publicly described the attackers as highly sophisticated. The $2 million asking price on underground forums positions this as an intelligence asset being monetized rather than a conventional ransomware operation. The ADT breach follows the group's established double extortion posture: unauthorized access detected April 20, publicly confirmed April 23, with the group claiming over 10 million customer records and issuing a public payment ultimatum.

The documented 2026 ShinyHunters playbook, per Obsidian Security, enters via voice phishing targeting IT helpdesk staff, triggers Okta password resets, enrolls new MFA authenticators before the legitimate user can respond, and then moves laterally through the SaaS tenant at scale. This is identity-centric SaaS intrusion, not ransomware in any traditional operational sense. The Udemy, Mytheresa, Zara, Carnival, and 7-Eleven claims remain unconfirmed by victim organizations and should be treated as actor assertions pending independent corroboration.

CISA KEV: Twelve Additions, One Week, No Quiet Time

CISA's decision to add twelve CVEs in two waves reflects an exploitation environment that is no longer accommodating patch cycles measured in months. The April 20 batch included CVE-2025-32975 in Quest KACE SMA, a CVSS 10.0 authentication bypass confirmed in active exploitation since March 9, 2026, against a patch available since May 2025. Arctic Wolf documented the specific attack pattern: Base64-encoded payloads executing via the KACE KPluginRunProcess endpoint, downloading additional tooling via curl from 216[.]126[.]225[.]156 for command-and-control establishment. The April 20 batch also included three Cisco Catalyst SD-WAN Manager flaws forming a coherent intrusion chain: CVE-2026-20133 leaks sensitive configuration data to remote unauthenticated actors, CVE-2026-20122 enables authenticated file overwrite with vmanage privilege gain, and together they provide a guided path through distributed network infrastructure. The April 23 federal remediation deadline has elapsed.

The April 25 additions closed the week with CVE-2024-57726 (SimpleHelp CVSS 9.9), CVE-2026-33825 (Microsoft Defender BlueHammer CVSS 7.8), CVE-2024-7399 (Samsung MagicINFO 9 Server SYSTEM-level file write), and CVE-2025-29635 (D-Link DIR-823X, end of life, no patch available). The D-Link situation merits its own sentence: CISA formally confirming exploitation on hardware with no vendor remediation path is an acknowledgment that a portion of deployed infrastructure cannot be patched into safety. The only viable response is decommission or hard network isolation.

The Browser Blind Spot: 108 Extensions, One C2

Socket Research identified 108 malicious Chrome extensions distributed through the official Chrome Web Store across five distinct developer identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. All 108 extensions route exfiltrated data to a single command-and-control server at cloudapi[.]stream (IP: 144.126.135.238), with a Strapi CMS backend operating on port 1337. The campaign's operational segmentation is notable: 54 extensions handle Google OAuth2 Bearer token theft, 45 deploy universal browser backdoors, and at least one exfiltrates Telegram Web session data on a 15-second polling interval. The 15-second cadence goes beyond passive credential harvesting into active session maintenance, suggesting the operator is interested in sustained persistent access rather than a single credential dump. Approximately 20,000 installations were confirmed at time of reporting. The extensions were not confirmed removed from the Chrome Web Store as of April 25. For enterprises relying on unmanaged browser environments, this campaign demonstrates that browser extensions represent an active, persistent, and largely unmonitored data exfiltration channel operating with the full permissions granted to user-installed software.

UAC-0233, APT28, and Sustained Ukrainian Targeting

CERT-UA attribution of UAC-0233 to a Zimbra Collaboration exploitation campaign targeting Ukrainian government entities since September 2025 documents a six-month operational arc before CISA's KEV acknowledgment this week. The actor exploited CVE-2025-66376, an XSS vulnerability in Zimbra's Classic UI, and CVE-2025-48700 to achieve code execution without user interaction, harvesting credentials, session tokens, 2FA codes, and up to 90 days of mailbox contents via DNS and HTTPS exfiltration channels. The gap between active campaign inception and formal international recognition reflects how sustained, low-noise operations against specific national targets can persist below the threshold of broad advisory issuance. Attribution to UAC-0233 by CERT-UA carries elevated confidence for Ukrainian threat context. Separately, APT28 (Forest Blizzard, Pawn Storm) deployed the PRISMEX malware suite against Ukrainian defense infrastructure and Western humanitarian and military aid organizations, with documented campaign escalation in January 2026. Seqrite Labs assessed behavioral overlap between UAC-0233 and APT28, but formal US government attribution mapping was not available within this reporting window.

Apache ActiveMQ and the Infrastructure Middleware Blind Spot

CVE-2026-34197 in Apache ActiveMQ Classic represents a Jolokia-based code execution path that existed in the codebase for approximately 13 years before active exploitation was confirmed in early 2026. Shadowserver telemetry cited in reporting shows over 6,400 internet-exposed ActiveMQ brokers still vulnerable despite a March 2026 patch, with exploitation relying on default or weak administrative credentials as a frequent initial entry point before leveraging the CVE itself. For organizations using ActiveMQ as a messaging bridge between enterprise applications and operational technology environments, the risk is not accurately captured by the headline CVSS score. It is better understood through the trusted and often unsegmented network position the broker occupies between IT and OT segments. CISA also issued seven new ICS advisories on April 23 covering widely deployed ICS and SCADA products across multiple sectors, continuing a pattern in which industrial control systems accumulate high-severity issues with operational lifetimes that make timely patching structurally difficult.

April 2026 Patch Tuesday and the Public Exploit Problem

Microsoft's April 2026 Patch Tuesday addressed 163 CVEs including eight rated critical and multiple issues confirmed as actively exploited or publicly disclosed. CVE-2026-33825 (BlueHammer) in Microsoft Defender represents a specific failure mode: researcher "Chaotic Eclipse" published working exploit code to GitHub weeks before the April 13 patch was available, creating a confirmed exploitation window against every organization running unpatched Defender. CISA's KEV addition this week confirms the window was used. CVE-2026-32201 in SharePoint was exploited as a zero-day before patching on April 13, enabling network-based spoofing of trusted SharePoint content and interfaces. Microsoft's April security guidance also emphasized hardening actions including blocking outbound connections from mshta.exe, restricting RDP file transfer capabilities, and hardening SMB against relay attacks, each of which reflects an active exploitation pattern observed in real-world post-compromise chains.

Malicious npm Packages: The Strapi Impersonation Campaign

Check Point Research documented a coordinated campaign involving 36 malicious npm packages impersonating Strapi CMS plugins. The packages execute immediately on installation through postinstall hook abuse, searching for environment variables and .env file contents, establishing outbound C2 communication channels, and in select higher-privilege installations enabling Redis RCE and direct PostgreSQL exploitation. The postinstall mechanism executes arbitrary code automatically when a developer runs npm install, requiring no additional user interaction. This campaign sits within a broader pattern identified the same week: third-party API routers for AI model integrations can be poisoned to hijack agent tool calls, intercept and alter commands mid-execution, and steal API credentials from AI-augmented development pipelines, extending the supply chain attack surface into production AI workflows.

NOTABLE TECHNICAL SIGNALS

CVEs

CVE-2024-57726 (SimpleHelp) | CVSS 9.9, CRITICAL | CWE-862 missing authorization in technician API handling | Any technician account generates admin-level API keys and escalates to server admin | CISA KEV April 24 | Confirmed active ransomware and botnet deployment in production chains | Patch: upgrade above v5.5.7 | Federal deadline May 8, 2026

CVE-2024-57728 (SimpleHelp) | CVSS 7.2, HIGH | CWE-22 zip slip path traversal | Admin account uploads crafted zip to achieve arbitrary code execution on the SimpleHelp server host | Natural post-escalation chain from CVE-2024-57726 | Patch: upgrade above v5.5.7

CVE-2025-32975 (Quest KACE SMA) | CVSS 10.0, CRITICAL | Authentication bypass via SSO handling | Exploitation confirmed March 9, 2026 by Arctic Wolf | C2 IP: 216[.]126[.]225[.]156 | Base64-encoded curl and wget payloads delivered via KPluginRunProcess POST | Patch: 13.0.385+, 13.1.81+, 13.2.183+, 14.0.341+, 14.1.101+ | CISA KEV April 21 | Federal deadline May 12, 2026

CVE-2026-35616 (Fortinet FortiClient EMS) | CVSS 9.1, CRITICAL | SQL injection enabling unauthenticated remote code execution | Actively exploited in the wild | Emergency hotfix released by Fortinet; apply immediately to all internet-accessible EMS deployments

CVE-2026-33825 (Microsoft Defender / BlueHammer) | CVSS 7.8, IMPORTANT | CWE-1220 insufficient access control granularity | Local privilege escalation to SYSTEM | Public exploit code from researcher "Chaotic Eclipse" published to GitHub weeks before April 13 patch | CISA KEV this week | Patch: April 2026 Patch Tuesday | Federal deadline May 8, 2026

CVE-2026-32201 (Microsoft SharePoint) | Severity: Important | Network-exploitable spoofing enabling falsified SharePoint content and interfaces | Confirmed wild exploitation prior to April 13 patch | Verify April 2026 Patch Tuesday application on SharePoint Server 2016, 2019, and Subscription Edition

CVE-2026-34197 (Apache ActiveMQ Classic) | HIGH | Jolokia API authenticated code execution path dormant in codebase approximately 13 years | Over 6,400 internet-exposed brokers still vulnerable per Shadowserver | Default admin credentials are common initial entry | CISA KEV | Patch: upgrade to 5.19.5+ or 6.2.3+ | Federal deadline April 30, 2026 (elapsed)

CVE-2026-20122 (Cisco Catalyst SD-WAN Manager) | CVSS 5.4 | Incorrect use of privileged APIs allows authenticated attacker to overwrite arbitrary files and gain vmanage user privileges | CISA KEV April 20 | Federal deadline April 23, 2026 (elapsed)

CVE-2026-20128 (Cisco Catalyst SD-WAN Manager) | SD-WAN Manager API authorization flaw completing three-CVE intrusion chain with CVE-2026-20122 and CVE-2026-20133 | CISA KEV April 20 | Federal deadline April 23, 2026 (elapsed)

CVE-2026-20133 (Cisco Catalyst SD-WAN Manager) | CVSS 6.5 | Sensitive configuration data including credentials exposed to remote unauthenticated actors | Natural chain entry point preceding CVE-2026-20122 | CISA KEV April 20 | Federal deadline April 23, 2026 (elapsed)

CVE-2025-48700 (Synacor Zimbra Collaboration Suite) | XSS enabling arbitrary JavaScript execution without user interaction | CERT-UA confirmed exploitation by UAC-0233 since September 2025 | CISA KEV April 20

CVE-2025-66376 (Zimbra Collaboration Classic UI) | XSS enabling RCE via crafted email lure | Credential and session token harvest via DNS exfiltration | APT28 behavioral alignment assessed by Seqrite Labs | CISA KEV confirmed

CVE-2024-7399 (Samsung MagicINFO 9 Server) | CVSS 8.8 | Path traversal enabling SYSTEM-level arbitrary file write | CISA KEV April 25 | Commonly deployed on OT-adjacent segments with limited monitoring coverage | Apply vendor patch

CVE-2025-29635 (D-Link DIR-823X) | CVSS 7.5 | Command injection via POST to /goform/set_prohibiting | CISA KEV April 25 | End-of-life hardware linked to active botnet infrastructure | No patch available: decommission or hard network-isolate

CVE-2025-2749 (Kentico Xperience) | CVSS 7.2 | Path traversal in Staging Sync Server | Authenticated attacker writes arbitrary data to relative path locations | CISA KEV April 21 | Patch available; disable staging endpoint if not in active use

CVE-2026-26127 (.NET) | Publicly disclosed denial-of-service | .NET application crash and potential service disruption via crafted input | Apply April 2026 Patch Tuesday

Vectors

  • Supply chain compromise via trusted third-party SaaS and AI analytics vendor (Context.ai to Vercel)

  • Voice phishing targeting IT helpdesk staff, triggering Okta password resets, followed by attacker-controlled MFA authenticator enrollment before legitimate user responds, then SaaS lateral movement (ShinyHunters 2026 TTP per Obsidian Security)

  • Missing authorization in remote management application API layer enabling low-privileged technician account escalation to server admin (SimpleHelp CVE-2024-57726)

  • Authentication bypass on internet-exposed endpoint management appliances (Quest KACE SMA CVE-2025-32975)

  • Jolokia API abuse against default-credential or weakly authenticated ActiveMQ message brokers (CVE-2026-34197)

  • Authenticated file overwrite and vmanage privilege gain on SD-WAN management plane chained with unauthenticated configuration disclosure (Cisco CVE-2026-20122 and CVE-2026-20133)

  • Path traversal and SYSTEM-level file write on exposed content management and signage servers (Samsung MagicINFO, Kentico Xperience)

  • Command injection on end-of-life edge routers with no vendor remediation path (D-Link DIR-823X)

  • XSS phishing email enabling silent credential and session harvest via DNS exfiltration without user interaction (Zimbra ZCS)

  • Browser extension distribution through official marketplace under multiple fake publisher identities, unified backend C2 infrastructure

  • Malicious npm package postinstall hook execution during developer npm install in CI/CD pipelines

Actors

ShinyHunters | Financially motivated cybercrime collective | TTP: voice phishing, Okta MFA manipulation, SaaS lateral movement, double extortion, supply chain pivot via third-party vendor compromise | Confirmed this week: ADT breach, Vercel via Context.ai | Unconfirmed claims: Udemy, Mytheresa, Zara, Carnival, 7-Eleven | Under Attribution: precise 2026 group composition and nation-state affiliation not publicly established

UAC-0233 | Ukraine-targeting threat cluster | Sustained Zimbra ZCS exploitation confirmed by CERT-UA since September 2025 | Campaign duration and mailbox exfiltration focus consistent with intelligence collection objectives | Likely Russian-aligned per behavioral pattern and CERT-UA operational context | Formal US government threat actor attribution [NOT CONFIRMED]

APT28 (Forest Blizzard, Pawn Storm) | Russian GRU-linked | PRISMEX malware suite deployed against Ukrainian defense and Western humanitarian and military aid infrastructure | Documented campaign escalation January 2026 | Behavioral overlap with UAC-0233 Zimbra campaign assessed by Seqrite Labs; canonical ATT&CK group mapping pending additional Tier 1 source corroboration

Chrome Extension Campaign Operator | Unattributed | Financially motivated based on OAuth token theft and active session hijacking objectives | MaaS-structured operation with shared C2, segmented payload distribution, and five separate publisher identity sets | No named group attribution within this reporting window

Ransomware Collectives (Q1 2026) | Qilin, Akira, The Gentlemen, INC Ransom, Cl0p | Together drove approximately 50 percent of 2,059 Q1 2026 ransomware and digital extortion incidents per ZeroFox | Manufacturing and professional services primary targeting profile | Sustained high-volume operational posture rather than episodic spikes

MITRE ATT&CK

Source-mapped from CERT-UA, Arctic Wolf, Obsidian Security, Socket Research, Check Point Research, ZeroFox, CISA advisories, Microsoft security guidance:

T1190 (Exploit Public-Facing Application) | SimpleHelp, Cisco SD-WAN Manager, Quest KACE SMA, Zimbra ZCS, Samsung MagicINFO 9, Apache ActiveMQ all exploited via disclosed CVEs this week

T1068 (Exploitation for Privilege Escalation) | BlueHammer CVE-2026-33825 and SimpleHelp CVE-2024-57726 both enable local or application-level escalation to SYSTEM or server admin

T1078 / T1078.004 (Valid Accounts / Cloud Accounts) | SimpleHelp technician accounts as API key escalation entry point; Okta cloud account compromise in ShinyHunters voice phishing chain

T1621 (Multi-Factor Authentication Request Generation) | ShinyHunters enrolls new MFA authenticators after helpdesk-triggered password reset, documented by Obsidian Security

T1566.002 (Spearphishing Link) | Zimbra XSS email lure delivery for UAC-0233 credential harvest

T1059.007 (Command and Scripting Interpreter: JavaScript) | Zimbra CVE-2025-66376 XSS payload executing arbitrary JavaScript without user interaction

T1071.004 (Application Layer Protocol: DNS) | Zimbra campaign data exfiltration via DNS by UAC-0233

T1071.001 (Application Layer Protocol: Web Protocols) | Chrome extension C2 HTTPS communication to cloudapi[.]stream

T1539 (Steal Web Session Cookie) | Chrome extension Telegram Web session exfiltration every 15 seconds; Zimbra session token harvest

T1176 (Browser Extensions) | 108 malicious Chrome extensions as primary delivery, persistence, and data theft mechanism

T1195.002 (Supply Chain Compromise: Software Supply Chain) | Context.ai compromise used to pivot to Vercel; 36 malicious npm Strapi impersonation packages in developer CI/CD pipelines

T1530 (Data from Cloud Storage) | Vercel internal database and SaaS-wide bulk exfiltration via ShinyHunters

T1486 (Data Encrypted for Impact) | Ransomware double extortion by Qilin, Akira, INC Ransom, Cl0p

T1021 (Remote Services) | RDP abuse in ransomware lateral movement and post-exploitation chains

T1552 (Unsecured Credentials) | Cisco SD-WAN Manager credential exposure via CVE-2026-20133; default ActiveMQ admin credentials enabling Jolokia API access

T1505 (Server Software Component) | SimpleHelp zip slip CVE-2024-57728 achieves persistent server-side implantation via arbitrary filesystem write

T1565 (Data Manipulation) | SharePoint spoofing CVE-2026-32201 enables manipulation of content integrity and presentation within collaboration portals

T1218.005 (Signed Binary Proxy Execution: Mshta) | mshta.exe outbound HTTP connections flagged in Microsoft April 2026 hardening guidance as active living-off-the-land abuse pattern

Threat Detection
YARA: Chrome Extension C2 Beacon (cloudapi[.]stream) | Socket Research April 2026
rule ChromeExt_CloudAPI_Stream_C2_Beacon_April2026 {
    meta:
        description = "Detects Chrome extension JS artifacts or network artifacts communicating with cloudapi[.]stream C2 infrastructure. 108-extension campaign, Socket Research April 2026."
        author      = "NightWatch CTI"
        date        = "2026-04-26"
        reference   = "Socket Research April 2026 — 108 Chrome Extension Campaign"
        severity    = "HIGH"
        tlp         = "WHITE"
    strings:
        $c2_domain   = "cloudapi.stream" ascii wide
        $c2_ip       = "144.126.135.238" ascii
        $strapi_port = ":1337/" ascii
        $oauth_steal = "oauth2/token" ascii nocase
        $tg_session  = "tgWebSession" ascii nocase
        $pub1        = "Yana Project" ascii wide
        $pub2        = "GameGen" ascii wide
        $pub3        = "SideGames" ascii wide
        $pub4        = "Rodeo Games" ascii wide
        $pub5        = "InterAlt" ascii wide
    condition:
        ($c2_domain or $c2_ip or $strapi_port)
        or ($oauth_steal and $tg_session)
        or (2 of ($pub1, $pub2, $pub3, $pub4, $pub5))
}
YARA: Apache ActiveMQ CVE-2026-34197 Jolokia Exploitation Artifacts
rule ActiveMQ_CVE_2026_34197_Jolokia_Exploit {
    meta:
        description = "Detects characteristic strings from Jolokia-based CVE-2026-34197 exploitation against Apache ActiveMQ Classic. Based on public CVE reporting."
        author      = "NightWatch CTI"
        date        = "2026-04-26"
        reference   = "CISA KEV / public reporting CVE-2026-34197"
        tlp         = "WHITE"
    strings:
        $jolokia = "jolokia" nocase
        $xbean   = "xbean:" nocase
        $vmproto = "vm://" nocase
        $brokerC = "brokerConfig=" nocase
    condition:
        2 of ($jolokia, $xbean, $vmproto, $brokerC)
}
YARA: Quest KACE SMA CVE-2025-32975 Post-Exploitation Artifacts | Arctic Wolf
rule KACE_SMA_CVE2025_32975_PostExploit {
    meta:
        description = "Detects Base64-encoded payload delivery artifacts from confirmed CVE-2025-32975 exploitation against Quest KACE SMA. Arctic Wolf March-April 2026."
        author      = "NightWatch CTI"
        date        = "2026-04-26"
        reference   = "https://arcticwolf.com/resources/blog/cve-2025-32975/"
        tlp         = "WHITE"
    strings:
        $kace_proc = "KPluginRunProcess" ascii nocase
        $c2_ip     = "216.126.225.156" ascii
        $shell_tmp = "/tmp/" ascii
        $shell_sh  = "/bin/sh" ascii
    condition:
        $kace_proc and ($c2_ip or ($shell_tmp and $shell_sh))
}
YARA: Malicious npm Strapi CMS Plugin Impersonation | Check Point Research April 2026
rule Malicious_NPM_Strapi_Impersonation_April2026 {
    meta:
        description = "Detects malicious npm packages impersonating Strapi CMS plugins with credential harvesting, C2 establishment, and RCE behaviors."
        author      = "NightWatch CTI"
        date        = "2026-04-26"
        reference   = "https://research.checkpoint.com/2026/13th-april-threat-intelligence-report/"
        mitre       = "T1195.002, T1059.007"
        tlp         = "WHITE"
    strings:
        $strapi_1  = "strapi-plugin-" ascii wide
        $strapi_2  = "@strapi/" ascii wide
        $postinst  = "\"postinstall\"" ascii
        $env_h     = "process.env" ascii
        $dotenv    = ".env" nocase ascii
        $redis_c2  = "createClient" ascii
        $net_conn  = "require('net').connect" ascii
        $pg_exp    = "pg.connect" ascii
        $b64_eval  = /eval\(Buffer\.from\([^)]{10,300},'base64'\)\.toString/ ascii
        $exec_sp   = /child_process[\s\S]{0,30}(exec|spawn)\s*\(/ ascii
    condition:
        (1 of ($strapi_1, $strapi_2))
        and $postinst
        and $b64_eval
        and (2 of ($env_h, $dotenv, $redis_c2, $net_conn, $pg_exp, $exec_sp))
}
SIGMA: SimpleHelp Technician Account Admin API Key Creation (CVE-2024-57726) | CISA KEV April 24
title: SimpleHelp Technician Account Admin API Key Creation (CVE-2024-57726)
id: 8f3a1d2e-4c77-4b2a-9e1f-simplehelp-priv-esc
status: experimental
description: >
  Detects API key creation by SimpleHelp technician accounts with
  admin-level permissions. CVE-2024-57726 (CVSS 9.9) allows any
  technician to generate admin API keys, escalating to server admin.
  CISA KEV April 24 2026 with ransomware deployment confirmed.
date: 2026/04/26
author: NightWatch CTI
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  - CVE-2024-57726
logsource:
  product: simplehelp
  category: application_log
detection:
  selection_event:
    EventType: 'API_KEY_CREATED'
  selection_account:
    UserRole: 'technician'
  selection_permission:
    KeyPermissionLevel|contains:
      - 'admin'
      - 'ADMIN'
      - 'server_admin'
  condition: selection_event and selection_account and selection_permission
falsepositives:
  - Legitimate admin delegation; validate against change management records
  - Planned MSP onboarding workflows with documented approval
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.t1078
  - cve.2024-57726
SIGMA: Okta MFA Enrollment Following Helpdesk-Initiated Password Reset (ShinyHunters TTP) | Obsidian Security
title: Okta MFA Enrollment Following Helpdesk-Initiated Password Reset
id: a3f9c1e2-4d7b-11ef-93ab-0242ac130003
status: experimental
description: >
  Detects MFA authenticator enrollment within 30 minutes of a helpdesk-
  triggered password reset. Consistent with ShinyHunters 2026 voice
  phishing TTP documented by Obsidian Security.
date: 2026/04/26
author: NightWatch CTI
references:
  - https://www.obsidiansecurity.com/blog/behind-the-breach-shinyhunters-2026-voice-phishing-campaign
logsource:
  product: okta
  service: system
detection:
  password_reset:
    eventType: 'user.account.reset_password'
    actor.alternateId|contains: 'helpdesk'
  mfa_enroll:
    eventType: 'user.mfa.factor.activate'
  timeframe: 30m
  condition: password_reset followed by mfa_enroll within timeframe
              where password_reset.target[0].id == mfa_enroll.target[0].id
falsepositives:
  - Legitimate helpdesk-assisted MFA re-enrollment
  - Correlate with ticketing system: no open ticket raises confidence significantly
level: high
tags:
  - attack.t1078.004
  - attack.t1621
  - attack.t1556.006
SIGMA: Suspicious mshta.exe Outbound HTTP Connection (Microsoft April 2026 Hardening Guidance)
title: Suspicious mshta.exe External HTTP Connection
id: cc4d9f3a-8b21-4e56-91ac-mshta-outbound26
status: experimental
description: >
  Detects mshta.exe executing with HTTP URLs in the command line,
  consistent with living-off-the-land script-based malware abuse.
  Aligns with Microsoft April 2026 Defender Secure Score guidance
  to block mshta.exe outbound network connections.
date: 2026/04/26
author: NightWatch CTI
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\mshta.exe'
    CommandLine|contains: 'http'
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Legacy in-house applications using mshta with documented and approved URLs
level: medium
tags:
  - attack.t1218.005
  - attack.t1071.001
SIGMA: Quest KACE SMA CVE-2025-32975 Post-Exploitation Web Activity | Arctic Wolf
title: Quest KACE SMA KPluginRunProcess Exploitation (CVE-2025-32975)
id: b7e2d4f1-5c8a-11ef-a1bc-0242ac130005
status: experimental
description: >
  Detects Base64-encoded command execution via KACE KPluginRunProcess
  endpoint and known C2 callback. Consistent with CVE-2025-32975
  post-exploitation observed by Arctic Wolf from March 9 2026.
date: 2026/04/26
author: NightWatch CTI
references:
  - https://arcticwolf.com/resources/blog/cve-2025-32975/
logsource:
  category: webserver
  product: quest_kace_sma
detection:
  kace_plugin_call:
    cs-uri-stem|contains: '/KPluginRunProcess'
    cs-method: 'POST'
  b64_execution:
    cs-uri-query|base64offset|contains:
      - 'curl '
      - 'wget '
      - '/tmp/'
      - '/bin/sh'
  known_c2:
    c-ip: '216.126.225.156'
  condition: kace_plugin_call and (b64_execution or known_c2)
falsepositives:
  - Scheduled KACE maintenance tasks; establish baseline KPluginRunProcess
    call patterns before alerting
level: critical
tags:
  - attack.t1190
  - attack.t1059.004
  - attack.t1071.001
SIEM (Splunk SPL): Samsung MagicINFO 9 Path Traversal Exploitation (CVE-2024-7399)
index=web_logs sourcetype=access_combined
  (dest_port=7001 OR dest_port=8080 OR uri_path="/MagicInfo*")
| rex field=uri_path "(?P<raw_path>[^\?]*)"
| eval decoded_path=urldecode(raw_path)
| where match(decoded_path,"(?i)(\.\.[/\\]|%2e%2e[%2f%5c]|%252e%252e)")
| eval severity=case(
    match(decoded_path,"(?i)(system32|passwd|shadow|web\.xml|\.properties)"),
    "CRITICAL",
    match(decoded_path,"(?i)(etc|windows|boot)"), "HIGH",
    true(), "MEDIUM"
  )
| stats count min(_time) as first_seen max(_time) as last_seen
    values(decoded_path) as paths by src_ip, dest_ip, severity
| where count > 1
| sort -severity, -count
| table first_seen, last_seen, src_ip, dest_ip, severity, paths, count
SIEM (Generic SQL Pseudocode): Cisco SD-WAN Manager Unauthorized File Write (CVE-2026-20122)
SELECT
  event_timestamp,
  source_ip,
  destination_host,
  authenticated_user,
  http_method,
  uri_path,
  request_body_hash,
  response_status_code
FROM
  network_application_logs
WHERE
  (destination_host LIKE '%vmanage%'
   OR uri_path LIKE '%/dataservice/%')
  AND http_method IN ('POST', 'PUT', 'PATCH')
  AND (
    uri_path LIKE '%../../%'
    OR uri_path LIKE '%/upload%'
    OR request_body_hash IN (SELECT hash FROM known_malicious_uploads)
  )
  AND authenticated_user NOT IN (
    SELECT account_name FROM approved_sdwan_admins
  )
  AND event_timestamp >= CURRENT_TIMESTAMP - INTERVAL '7 days'
ORDER BY event_timestamp DESC;
-- ALERT: Any match = HIGH priority
-- Correlate: Check same source IP for prior CVE-2026-20133 info-disclosure requests
SIEM (Generic SQL Pseudocode): Apache ActiveMQ Jolokia API Abuse (CVE-2026-34197)
SELECT
  timestamp,
  src_ip,
  dest_ip,
  http_method,
  url,
  user_agent
FROM
  http_logs
WHERE
  dest_ip IN (${ACTIVEMQ_BROKER_IPS})
  AND url LIKE '%/jolokia/%'
  AND (
    url LIKE '%brokerConfig=%xbean:%'
    OR url LIKE '%vm://%'
  );
-- Correlate: check for preceding authentication events using default credentials
-- from the same source IP before the Jolokia request

DEFENDER PRIORITIES

Critical — Act before Monday morning: Any internet-exposed SimpleHelp instance running v5.5.7 or earlier should be treated as potentially compromised regardless of whether exploitation evidence is present. Patch first, then pull API key creation logs and audit for technician accounts that created keys with admin-level permissions outside of approved change windows. For MSPs, every customer environment managed through a single unpatched SimpleHelp deployment shares this exposure. The federal deadline is May 8, 2026, but the CISA KEV listing with explicit ransomware confirmation means your operational window is narrower than that.

Critical — Act before Monday morning: Any internet-exposed Quest KACE SMA appliance not patched to the fixed versions (13.0.385+, 13.1.81+, 13.2.183+, 14.0.341+, 14.1.101+) should be treated as potentially compromised. Arctic Wolf confirmed exploitation dating to March 9, 2026. Review KACE web logs for POST activity against /KPluginRunProcess and Base64-encoded curl or wget payloads. Block the known C2 IP 216[.]126[.]225[.]156 at perimeter immediately. The patch has been available since May 2025. The sixteen-day gap to the May 12 federal deadline is not a reason to delay.

Critical — This week: Fortinet FortiClient EMS deployments with external reachability require the emergency hotfix for CVE-2026-35616 (CVSS 9.1, unauthenticated SQL injection to RCE) to be applied before business hours Monday. If patching cannot be completed, take the management interface offline until it can.

High — This week: Pull Okta logs and hunt for the ShinyHunters vishing pattern: helpdesk-triggered password resets followed within 30 minutes by MFA authenticator enrollment, particularly during non-business hours. Cross-reference against your IT ticketing system: no open ticket associated with the reset is a high-confidence indicator. This detection window is narrow and the exploitation chain moves quickly once MFA persistence is established.

High — This week: Audit all installed Chrome extensions across managed endpoints against an approved baseline. Block cloudapi[.]stream and 144.126.135.238 at DNS and network egress. For environments without managed browser policies, treat any extension published under Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt as malicious and remove immediately. If your enterprise has no enforced extension allow-list, this week is the deadline to create one.

High — This week: Apply the full April 2026 Microsoft Patch Tuesday update across all endpoints, prioritizing CVE-2026-33825 (Defender BlueHammer, public exploit code confirmed used in the wild) and CVE-2026-32201 (SharePoint spoofing zero-day, exploited pre-patch). Validate that mshta.exe cannot make arbitrary outbound network connections via endpoint policy, and confirm EDR is logging mshta process creation with command-line arguments.

High — This week: Cisco Catalyst SD-WAN Manager patching for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 is operating past its April 23 federal deadline. Restrict SD-WAN management API access to dedicated administrative networks or VPN-gated paths immediately, regardless of patching status, as a compensating control. Audit for unauthorized access to /dataservice/ endpoints and configuration file retrieval events from unexpected source IPs.

High — This week: Patch or upgrade Apache ActiveMQ Classic to 5.19.5+ or 6.2.3+, disable the Jolokia management endpoint where it is not operationally required, and audit broker configurations for default or weak admin credentials. For environments using ActiveMQ as a bridge between IT and OT segments, treat the broker as a critical network asset requiring the same patch urgency as perimeter appliances. Federal deadline for this CVE was April 30, 2026 and has elapsed.

Medium — Risk-managed timeline: Audit CI/CD pipeline npm dependency trees for packages matching strapi-plugin-* patterns. Inspect postinstall hooks for Base64 eval(Buffer.from(...,'base64').toString()) patterns. Run npm audit and enforce dependency pinning and lockfile integrity checks across development environments.

Medium — Risk-managed timeline: Apply patches for Samsung MagicINFO 9 Server (CVE-2024-7399), Kentico Xperience Staging Sync Server (CVE-2025-2749), and Cisco .NET (CVE-2026-26127) on your organization's standard vulnerability management SLA. For MagicINFO specifically, audit whether the server has any unintended internet or OT-segment exposure given the SYSTEM-level file write capability.

Ongoing operational action: D-Link DIR-823X devices with CVE-2025-29635 have no patch and will receive none. Identify every deployed unit in your inventory, document the business justification if any, and either decommission or place behind strict ingress ACLs that block all management interface access from untrusted networks. Leaving EoL hardware running with confirmed exploitation and active botnet linkage is a risk acceptance decision that should be made explicitly, not by default.

RECOMMENDED ACTIONS

  • Patch SimpleHelp above v5.5.7 immediately and audit API key creation logs for technician accounts that generated admin-level keys outside approved change windows; for MSPs, treat all customer environments managed through unpatched instances as requiring forensic review

  • Patch or isolate Quest KACE SMA to fixed versions (13.0.385+, 13.1.81+, 13.2.183+, 14.0.341+, or 14.1.101+), block C2 IP 216[.]126[.]225[.]156 at perimeter now, and investigate any prior POST activity to /KPluginRunProcess with Base64-encoded payloads

  • Apply the Fortinet FortiClient EMS emergency hotfix for CVE-2026-35616 on all internet-accessible deployments before business hours Monday; take the interface offline if patching cannot be completed in time

  • Pull Okta logs and hunt for ShinyHunters vishing pattern: helpdesk-initiated password reset followed within 30 minutes by MFA authenticator enrollment from a new device, cross-referenced against ticketing system for corresponding open request

  • Audit Chrome extensions across all managed endpoints against an approved baseline, block cloudapi[.]stream and 144.126.135.238 at DNS and egress, and remove any extensions published under the five known malicious publisher identities

  • Apply April 2026 Microsoft Patch Tuesday across all endpoints; prioritize CVE-2026-33825 (Defender BlueHammer) and CVE-2026-32201 (SharePoint zero-day); enforce mshta.exe outbound network restrictions via endpoint policy Patch Cisco Catalyst SD-WAN Manager for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133; restrict management API access to trusted admin networks as a compensating control even before patching is complete

  • Patch Apache ActiveMQ to 5.19.5+ or 6.2.3+, disable the Jolokia endpoint where not operationally required, and rotate or remove any default admin credentials across all broker instances

  • Audit CI/CD npm dependency trees for packages with names matching strapi-plugin-*, inspect postinstall hooks for Base64 eval patterns, and enforce dependency pinning and lockfile integrity checks in all developer pipelines

  • Decommission or hard-isolate D-Link DIR-823X routers: no patch exists and exploitation is confirmed active with botnet infrastructure linkage; this is a documented risk with no vendor remediation path

  • Re-brief IT helpdesk staff explicitly on ShinyHunters voice phishing TTP: the initial entry vector is social, the escalation is technical, the window between reset and MFA enrollment is short, and policy-level controls have consistently outperformed detection-only approaches here

  • Validate backup segmentation and test restoration for both IT and OT workloads given sustained Q1 2026 ransomware volume; re-run incident response runbooks against modern double-extortion and data-leak scenarios specific to manufacturing, professional services, and critical infrastructure environments

CONFIDENCE & LIMITATIONS

High confidence (CISA KEV confirmation plus independent vendor or agency corroboration): CVE-2024-57726 and CVE-2024-57728 (SimpleHelp) with CISA KEV and vendor documentation; CVE-2025-32975 (Quest KACE SMA) with Arctic Wolf incident response telemetry and NVD confirmation; CVE-2026-33825 (Defender BlueHammer) and CVE-2026-32201 (SharePoint) with Microsoft, CrowdStrike, and CISA KEV corroboration; CVE-2026-34197 (Apache ActiveMQ) with CISA KEV and Shadowserver telemetry; Cisco SD-WAN Manager CVEs with CISA KEV and Cisco vendor confirmation; UAC-0233 Zimbra campaign with CERT-UA attribution and CISA KEV additions; ADT breach with company-confirmed disclosure; Vercel breach with CEO-confirmed public statement; ShinyHunters Okta vishing TTP with Obsidian Security documentation; ZeroFox Q1 2026 ransomware statistics as published.

Moderate confidence (single Tier 1 or strong Tier 2 source without cross-corroboration at time of publication): 108 Chrome extension campaign (Socket Research; not yet independently confirmed by Google or a second Tier 1 vendor at time of publication); CVE-2026-35616 (Fortinet FortiClient EMS) from security reporting with emergency hotfix confirmed by Fortinet; APT28 behavioral alignment with UAC-0233 Zimbra campaign (Seqrite Labs behavioral basis; not formal US government attribution); PRISMEX malware suite attribution to APT28 (Trend Micro; single-vendor primary reporting).

[NOT CONFIRMED]: Precise 2026 group membership composition of ShinyHunters. ShinyHunters breach claims at Udemy, Mytheresa, Zara, Carnival, and 7-Eleven pending victim organization corroboration. Formal US government attribution mapping of UAC-0233 to any canonical MITRE ATT&CK Group. Any CVE-specific exploitation in the malicious npm campaign beyond behavioral patterns documented by Check Point Research.

Kaspersky note: No Kaspersky GReAT reporting was used as primary attribution source in this edition.

MITRE ATT&CK note: All technique mappings are source-mapped from described behaviors in referenced reports. Where an explicit technique label was not stated in the underlying source, the behavioral basis for the mapping is identified in the Threat Narrative or ATT&CK subsection. No techniques have been inferred without a documented behavioral foundation.