Trending Topics

TRENDING TOPICS APR 17, 2026

CISA Sounds the Alarm on Apache ActiveMQ: A 13-Year-Old RCE Bug Is Now Being Actively Exploited

CISA has added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog after confirming active exploitation of this high-severity remote code execution flaw in Apache ActiveMQ Classic. The vulnerability went undetected in the codebase for roughly 13 years. It stems from improper input validation and an overly permissive Jolokia JMX-HTTP bridge exposed at /api/jolokia/, allowing an authenticated attacker to invoke sensitive broker management methods via crafted HTTP requests.

By abusing Jolokia's default policy - which permits exec operations across all org.apache.activemq:* MBeans - an attacker can trick ActiveMQ into fetching a remote configuration and executing arbitrary OS commands on the underlying server, effectively taking full control of the broker host.

In theory, exploitation requires credentials. In practice, the bar is considerably lower. Many deployments still rely on default usernames and passwords such as admin:admin, and in ActiveMQ versions 6.0.0 through 6.1.1, a separate bug, CVE-2024-32114, unintentionally exposes the Jolokia API without authentication - turning this into a fully unauthenticated RCE in those versions. Attack surface scans show thousands of ActiveMQ instances remain internet-accessible, and ActiveMQ brokers have been repeatedly targeted in malware campaigns since at least 2021, including earlier exploitation of CVE-2023-46604 to deploy custom Linux payloads.

CISA's KEV listing requires U.S. federal civilian agencies to patch by April 30, 2026, and serves as a clear signal to private-sector defenders that exploitation is active today, not theoretical.

For organizations, this moves Apache ActiveMQ patching from important to urgent. Admins should identify all ActiveMQ Classic deployments - especially any exposed to the internet or reachable from untrusted networks - and upgrade to fixed versions, at minimum 5.19.4 or 6.2.3, as soon as possible. In parallel, security teams should lock down or disable the /api/jolokia/ endpoint, enforce strong non-default credentials, and place the web console behind VPN or zero-trust access controls rather than leaving it open to the internet.

Given that successful exploitation allows arbitrary command execution on the host, defenders should review logs and telemetry for suspicious Jolokia calls and shell activity, treat compromised brokers as potential beachheads for lateral movement, and be prepared to rebuild and re-key affected systems if compromise is suspected.
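One way to triage the "suspicious Jolokia calls" mentioned above, as an added example that is not part of the original write-up: it parses both request forms Jolokia accepts (the GET path and the POST JSON body) and flags exec calls against org.apache.activemq:* MBeans, the operation class the default policy permits. The endpoint path and MBean prefix are the ones named in the advisory; the (method, path, body) tuples and the operation names are constructed.

```python
import json
import re
from urllib.parse import unquote

# Jolokia encodes a request either as a GET path /api/jolokia/<type>/<mbean>/<operation>/<args...>
# or as a POST whose JSON body carries {"type": ..., "mbean": ..., "operation": ...}.
# Endpoint path and MBean prefix come from the advisory; everything else here is constructed.
JOLOKIA_PATH = "/api/jolokia"
BROKER_MBEAN_PREFIX = "org.apache.activemq:"
FLAGGED_TYPES = {"exec"}  # "read" and "list" are what a healthy web console issues
GET_RE = re.compile(r"^/api/jolokia/(?P<type>[a-z]+)/(?P<mbean>[^/?]+)(?:/(?P<operation>[^/?]+))?")

def parse_jolokia(method, path, body=None):
    """Return (type, mbean, operation) for a Jolokia request, or None if it is not one."""
    if not path.startswith(JOLOKIA_PATH):
        return None
    if method == "GET":
        m = GET_RE.match(path)
        if not m:
            return ("unknown", None, None)  # e.g. a bare /api/jolokia/ version probe
        return (m["type"], unquote(m["mbean"]), m["operation"])
    if method == "POST":
        try:
            req = json.loads(body or "")
        except json.JSONDecodeError:
            return ("unknown", None, None)
        if not isinstance(req, dict):  # bulk (list) bodies are not unpacked in this example
            return ("unknown", None, None)
        return (req.get("type", "unknown"), req.get("mbean"), req.get("operation"))
    return None

def is_suspicious(parsed):
    """True for exec calls against broker MBeans, the operation class the default policy permits."""
    if parsed is None:
        return False
    op_type, mbean, _ = parsed
    return op_type in FLAGGED_TYPES and (mbean or "").startswith(BROKER_MBEAN_PREFIX)

def scan(requests):
    """requests: iterable of (method, path, body). Returns the entries worth triage."""
    return [r for r in requests if is_suspicious(parse_jolokia(*r))]

# Constructed sample traffic, as a reverse proxy in front of the console might record it.
SAMPLE_REQUESTS = [
    ("GET", "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalEnqueueCount", None),
    ("GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/exampleOp/arg1", None),
    ("POST", "/api/jolokia/", '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"exampleOp"}'),
    ("POST", "/api/jolokia/", '{"type":"read","mbean":"java.lang:type=Memory"}'),
    ("GET", "/admin/queues.jsp", None),
]
```

Calling scan(SAMPLE_REQUESTS) returns the two exec entries; read calls from the console's own dashboards pass through, which keeps the rule usable on a busy broker.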

Direct-Sys Loader + CGrabber: GitHub ZIPs Turn Into Stealthy Stealers for Passwords and Crypto

Researchers have uncovered a disciplined, multi-stage malware campaign using GitHub-hosted ZIP files to deliver two previously unknown threats: the Direct-Sys Loader and the CGrabber Stealer. The intrusion begins with ZIP archives distributed via GitHub user attachment links - samples like Eclipsyn.zip contain a legitimate, Microsoft-signed binary (Launcher_x64.exe) alongside a malicious DLL disguised as a normal dependency named msys-crypto-3.dll. When the signed executable runs, it sideloads the rogue DLL and kicks off the infection chain without dropping anything immediately suspicious.

The Direct-Sys Loader then takes over as a hardened staging component. It performs several layers of anti-analysis checks - searching for more than 60 security tools, scanning for virtualization environments such as VMware, Hyper-V, and VirtualBox, and looking for sandbox artifacts. If any are detected, the loader exits quietly to avoid triggering behavioral alerts. Otherwise, it uses direct syscalls to communicate with the Windows kernel, decrypts its payload in memory with ChaCha20, and hands off control to CGrabber without touching APIs that most EDR products monitor.

Once active, CGrabber operates as a full-spectrum information stealer. It targets saved passwords, credit cards, cookies, and autofill data from major browsers including Chrome, Edge, Brave, and Firefox, as well as private keys and wallet data from more than 150 crypto applications including MetaMask, Exodus, Coinbase, and Binance. It also harvests tokens and configuration data from messaging and gaming platforms such as Telegram, Discord, and Steam, and from VPN clients like NordVPN and ProtonVPN.

Before exfiltrating anything, CGrabber checks whether the victim is located in a Commonwealth of Independent States country and shuts down if so - a behavior commonly used to avoid drawing attention from local law enforcement. For everyone else, it aggregates stolen data into an in-memory ZIP, encrypts it with ChaCha20, and sends it via HTTP POST with custom headers such as X-Auth-Token, helping the traffic blend in with normal web activity and slip past basic network filtering.

For developers, researchers, and everyday users, this campaign is a concrete reminder that GitHub ZIPs and signed binaries are not automatically safe. The attackers are deliberately abusing trust in GitHub's infrastructure and Microsoft's code-signing to bypass both human judgment and automated defenses. Staying safe means treating ZIP archives from GitHub user attachments or unknown repositories with real skepticism, avoiding execution of embedded executables and DLLs unless provenance is clear, and enforcing application control and EDR policies capable of detecting DLL sideloading and direct-syscall loaders.

Organizations should also monitor for unexpected appearances of binaries like Launcher_x64.exe in unusual directories, watch for outbound traffic carrying suspicious custom headers, and treat any sign of CGrabber activity as a high-severity incident. The response should include credential resets, moving crypto funds to new wallets, and a full endpoint rebuild where compromise is confirmed.
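A way to turn the monitoring advice above into a rule, as an added example that is not part of the original write-up: it scores image-load events for the generic sideload shape (a signed host outside a normal install root resolving an unsigned DLL from its own directory) and raises confidence when the file names match this campaign's Launcher_x64.exe and msys-crypto-3.dll. It generalizes past the campaign's names on purpose. The event dict shape, the trusted-root list and the sample events are constructed, not any EDR vendor's schema.

```python
from pathlib import PureWindowsPath

# Names from the write-up: a Microsoft-signed Launcher_x64.exe sideloading a rogue
# msys-crypto-3.dll placed beside it. The event dict shape (image, loaded, signed
# flags) is constructed for this example and is not any EDR vendor's schema.
SIGNED_HOST = "launcher_x64.exe"
ROGUE_DLL = "msys-crypto-3.dll"
# Install roots where a signed launcher is expected; Downloads, Temp and freshly
# extracted ZIP folders are deliberately absent.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

def in_trusted_root(path):
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)

def assess_image_load(event):
    """Return the reasons an image-load event matches the sideload pattern (empty if none)."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    reasons = []
    unusual = not in_trusted_root(image)
    # Generic sideload shape, independent of this campaign's file names.
    sideload_shape = (event.get("image_signed", False) and not event.get("dll_signed", False)
                      and loaded.parent == image.parent and unusual)
    if sideload_shape:
        reasons.append("signed host loads unsigned DLL from its own directory outside a trusted root")
    # Campaign-specific names raise confidence but are not flagged on their own:
    # msys-crypto-3.dll is also a legitimate MSYS2 library name.
    if unusual and image.name.lower() == SIGNED_HOST:
        reasons.append("Launcher_x64.exe running from an unusual directory")
    if sideload_shape and loaded.name.lower() == ROGUE_DLL:
        reasons.append("DLL name matches the msys-crypto-3.dll used by the campaign")
    return reasons

def scan(events):
    return [(e["image"], assess_image_load(e)) for e in events if assess_image_load(e)]

# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Eclipsyn\Launcher_x64.exe",
     "loaded": r"C:\Users\alice\Downloads\Eclipsyn\msys-crypto-3.dll", "image_signed": True, "dll_signed": False},
    {"image": r"C:\Program Files\Vendor\Launcher_x64.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "image_signed": True, "dll_signed": True},
    {"image": r"C:\msys64\usr\bin\bash.exe",
     "loaded": r"C:\msys64\usr\bin\msys-crypto-3.dll", "image_signed": False, "dll_signed": False},
    {"image": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "image_signed": True, "dll_signed": False},
]
```

The third sample (an unsigned MSYS2 bash loading its own msys-crypto-3.dll) is there to show that the DLL name alone is not enough to alert on.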

Update on BlueHammer: Three Zero-Days Put Microsoft Defender, SharePoint, and Browsers Under Pressure

A recent wave of disclosures highlights how Microsoft Defender itself has become a target, alongside SharePoint and Chromium-based browsers, in April 2026's latest round of zero-day activity.

The centerpiece on the endpoint side is CVE-2026-33825, an elevation-of-privilege flaw in Microsoft Defender now widely associated with the "BlueHammer" exploit. The bug stems from insufficiently granular access control and a time-of-check-to-time-of-use race condition in Defender's signature-update workflow, allowing a local low-privileged user to gain SYSTEM-level access by abusing path confusion during an update. Proof-of-concept code has been public since early April, Microsoft has rated exploitation as "more likely," and a fix has shipped as part of an Antimalware Platform update (version 4.18.26050.3011) that Defender should pull down automatically when update channels are healthy.

BlueHammer does not arrive in isolation. The same Patch Tuesday cycle includes an actively exploited SharePoint Server spoofing and cross-site scripting zero-day, CVE-2026-32201, which allows attackers to inject malicious script, impersonate trusted entities, and access or modify sensitive SharePoint content. It also includes a Chromium/WebGPU remote code execution zero-day, CVE-2026-5281, arising from a use-after-free in Google's Dawn WebGPU component that CISA has already added to its KEV catalog.

Together, these three vulnerabilities illustrate an attack chain defenders increasingly have to plan for: browser-based or phishing exploitation to gain an initial foothold, BlueHammer or a similar elevation-of-privilege bug to reach SYSTEM, then SharePoint or other collaboration platforms as the path to lateral movement and high-value data. April's Patch Tuesday also addressed more than 160 CVEs overall - including Critical RCE bugs in Windows TCP/IP, IKE, Active Directory, Office, and RDP - so the Defender and SharePoint zero-days should be treated as part of a broader hardening moment, not isolated curiosities.

For organizations that rely heavily on Microsoft Defender and Microsoft 365, the immediate priority is verifying that Defender's platform update has actually landed across the fleet rather than assuming auto-update has done its job. Endpoint and security teams should confirm the Antimalware Platform version is at least 4.18.26050.3011, apply all April 2026 cumulative patches, and accelerate SharePoint Server updates on any internet-exposed or business-critical farms. Browser updates for Chrome and Edge should be pushed to pull in the WebGPU fix, and controls around email attachments and Office macros should be tightened - including disabling the preview pane for untrusted documents where feasible.

More broadly, BlueHammer is a reminder that security products are still software. They must be patched, monitored, and treated as potential escalation pathways, with strong least-privilege defaults, robust EDR visibility around update mechanisms, and incident response plans that assume an attacker who has touched Defender may already have SYSTEM-level access on affected endpoints.

Nexcorium: Another Mirai Variant Turns DVRs into DDoS Artillery

A fresh Mirai-family variant dubbed Nexcorium is hijacking internet-connected DVRs to fuel DDoS attacks, a reminder that old IoT weaknesses are still driving very modern outages. Building on publicly available Mirai source code, Nexcorium focuses on DVR-based monitoring systems and exploits known command-injection bugs - including CVE-2024-3721 in TBK DVR devices - that allow unauthenticated attackers to execute shell commands via crafted HTTP POST requests. Once a vulnerable DVR is found, the bot downloads an architecture-specific payload, marks it executable, and runs it to enroll the device into the botnet. No user interaction required.

From there, infected DVRs can be directed to launch high-volume UDP, SYN, or GRE floods - a pattern consistent with previous Mirai waves that have driven multi-terabit-per-second attacks against ISPs and online services.

Nexcorium retains Mirai's core DNA while adding modern evasion features to make analysis and takedown harder. Researchers describe RC4-encrypted strings with keys that are themselves XOR-obfuscated, alongside anti-VM and anti-emulation checks that cause the malware to behave differently - or not run at all - inside sandboxes and virtualized analysis environments. The bot also verifies that it is running from one of a hard-coded set of directories, exiting if analysts try to execute it from unexpected paths.

Telemetry suggests tens of thousands of DVRs remain exposed online, with clusters of infection observed in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil - giving attackers plenty of runway to keep expanding Nexcorium's firepower if owners do not patch or replace affected devices.

For organizations and individuals, Nexcorium is another reminder that surveillance and recording gear is part of your attack surface, not set-and-forget infrastructure. DVRs should be updated to the latest firmware as soon as vendors release patches for CVE-2024-3721 and related flaws, and wherever possible taken off the public internet and placed behind firewalls or VPNs. Owners should change default credentials, disable unused remote management interfaces, and consider a factory reset if compromise is suspected - many Mirai-derived bots do not persist across reboots, but reinfection is fast on exposed devices.

On the network side, security teams should monitor for unusual outbound connections from DVR subnets and be prepared to rate-limit or geofence traffic if devices begin participating in DDoS activity. In a landscape where Mirai variants keep evolving while reusing the same classes of IoT weaknesses, basic hygiene on "boring" devices like DVRs remains one of the most effective ways to keep your organization from unknowingly contributing to the next record-breaking attack.

ZionSiphon: Politically Charged OT Malware Built to Poison and Break Israeli Water Systems

A newly discovered malware family dubbed ZionSiphon is the latest sign that politically motivated actors are moving from IT disruption into hands-on manipulation of industrial control systems. The target in this case is Israeli water treatment and desalination infrastructure. First analyzed by Darktrace, ZionSiphon combines familiar host-based techniques - privilege escalation, persistence, and USB propagation - with targeting logic tailored specifically to OT environments involved in desalination, reverse osmosis, chlorine control, and hydraulic pressure management.

The malware contains hard-coded Israeli IP ranges and a target list that names Mekorot (the national water company), major desalination plants including Sorek, Hadera, Ashdod, and Palmachim, and the Shafdan wastewater facility. That specificity leaves little doubt about the operator's intent or their familiarity with Israel's water sector.

Once deployed, ZionSiphon runs a series of checks to confirm it has landed on a relevant target. It inspects the host's IP against Israeli address blocks, scans for water and OT-related software and processes - including names like DesalPLC, ROController, SchneiderRO, ReverseOsmosis, and WaterGenix - and looks for configuration files tied to desalination and chlorine control systems. If those checks pass, its first action is local file tampering via a routine Darktrace calls IncreaseChlorineLevel(), which searches a hard-coded list of ICS configuration files and appends a fixed block of text to any it finds - a clear attempt to interfere with how chlorine dosing and pressure controls are configured.

The code also includes sabotage logic for ICS protocols such as Modbus and S7comm, subnet-wide scanning for OT-relevant services, and routines capable of raising chlorine levels to unsafe thresholds or disrupting hydraulic pressure - potentially threatening both operations and public safety if fully implemented.

For now, researchers assess ZionSiphon as a prototype rather than a fully weaponized tool. Darktrace found a flaw in its encryption and validation logic - an XOR mismatch - that breaks the country-verification check, causing the malware to self-destruct instead of executing its payload. Other implementation gaps suggest it is still under active development. Even so, its hard-coded Israel-specific IP ranges, water-sector process checks, and embedded propaganda strings make clear that OT attack concepts are now within reach of smaller, ideologically driven actors - not just top-tier nation-state units.

For water utilities and other critical infrastructure operators, ZionSiphon is a warning shot. It underscores the need for tight network segregation between IT and OT environments, continuous anomaly detection on industrial networks, strong controls over USB and removable media, and cross-visibility between security teams on both sides of the air gap. Unfinished experiments like this one need to be caught early - before the next version fixes the bugs and turns intent into impact.
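The file tampering described above (a fixed block appended to ICS configuration files) leaves a distinctive footprint: the original bytes survive unchanged as a prefix of the new file. As an added example that is not part of the Darktrace analysis or the original post, the integrity check below baselines watched files by size and SHA-256 and reports "appended" separately from an ordinary "modified" verdict. File names, contents and the appended text are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Detects the tamper footprint the write-up attributes to IncreaseChlorineLevel():
# a block of text appended to ICS config files. Names and contents here are constructed.

def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

def take_baseline(paths):
    """Record (size, SHA-256) of each watched configuration file."""
    baseline = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        baseline[p] = (len(data), sha256_of(data))
    return baseline

def check_against_baseline(baseline, paths):
    """Return (path, verdict, appended_text) for each watched file that changed.
    "appended" means the baselined bytes survive as a prefix of the new file,
    which is exactly what an append-only routine leaves behind."""
    findings = []
    for p in paths:
        if p not in baseline or not Path(p).exists():
            findings.append((p, "unbaselined" if p not in baseline else "missing", None))
            continue
        old_size, old_hash = baseline[p]
        with open(p, "rb") as f:
            data = f.read()
        if sha256_of(data) == old_hash:
            continue  # unchanged
        if len(data) > old_size and sha256_of(data[:old_size]) == old_hash:
            findings.append((p, "appended", data[old_size:].decode("utf-8", "replace")))
        else:
            findings.append((p, "modified", None))
    return findings

def demo():
    """Baseline two constructed config files, tamper with each differently, re-check."""
    d = Path(tempfile.mkdtemp())
    dosing, pressure = d / "chlorine_dosing.cfg", d / "ro_pressure.cfg"
    dosing.write_text("setpoint_mg_l=1.0\n")
    pressure.write_text("max_bar=60\n")
    baseline = take_baseline([dosing, pressure])
    with open(dosing, "a") as f:  # append-only tamper, the footprint described above
        f.write("# appended block (constructed)\n")
    pressure.write_text("max_bar=65\n")  # in-place rewrite, for contrast
    return check_against_baseline(baseline, [dosing, pressure])
```

The appended text is returned verbatim so an analyst can compare it across hosts; a repeated identical tail on several controllers' config files is a stronger signal than one changed file.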

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
