Monthly Recap — 2026-04-01 -> 2026-05-01
AI Weaponization Collapses Trust as Identity Becomes the Perimeter Attackers are using artificial intelligence to make phishing and social engineering dramatically cheaper and more convincing, as seen in BlueNoroff's AI-generated deepfake meetings targeting Web3 executives and the Bluekit phishing platform's built-in AI assistant that crafts lures on demand. Because these AI tools can generate convincing scams and steal session cookies to bypass multi-factor authentication, traditional email filters and basic MFA are no longer sufficient barriers. In parallel, attackers are shifting from hacking infrastructure to hijacking identity and trust systems—installing legitimate remote-access tools via phishing, exploiting API authentication flaws like BOLA, and harvesting credentials through malicious AI browser extensions that spy on users in real time. This identity-focused shift compounds with the persistent exploitation of older vulnerabilities; groups like SHADOW-EARTH-053 still use years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 (Microsoft Windows) and CVE-2026-41940 (cPanel) are already being exploited in the wild. Because AI models like Claude Mythos can now autonomously chain these vulnerabilities into working exploits at machine speed, defenders cannot rely on manual patching cadences to stay safe. These trends together suggest that the real perimeter is no longer the firewall but the identity layer, and defending it requires phishing-resistant authentication, automated response, and rigorous vetting of developer pipelines and third-party trust. Watch for AI-accelerated exploitation of unpatched systems and invest in identity-centric, machine-speed defenses before the next wave of automated attacks outpaces your team's response.
Detection / Hunteropenrouter
By the Numbers
- Total articles: 24
- By severity: Critical: 5, High: 15, Informational: 3, Medium: 1
- By category: APT: 3, general security news: 7, malware: 3, phishing/social engineering: 5, vulnerability: 6
Top Threats
AI-Powered Phishing and Social Engineering
AI is collapsing the cost of social engineering because platforms like Bluekit offer built-in AI assistants to generate lures, while BlueNoroff uses AI-generated deepfake video meetings to trick Web3 executives into running malicious PowerShell code. As a result, phishing volumes have surged—Microsoft recorded over 8 billion malicious emails in Q1 2026 with QR code phishing up 146%—and session-cookie theft allows attackers to bypass MFA entirely, making phishing-resistant authentication the only reliable defense.
- https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/
- https://www.varonis.com/blog/bluekit
- https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html
- https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/
- https://www.recordedfuture.com/blog/money-mule-solution
Developer Infrastructure and Supply Chain Compromise
Attackers are targeting the software build process because compromising a single CI/CD pipeline or npm package yields downstream access to cloud credentials and signing certificates, as demonstrated by the mini Shai-Hulud attack on SAP packages and Elastic's findings on pipeline abuse. Because North Korean groups like Lazarus infiltrate AI companies through fraudulent contractor identities rather than hacking them directly, vetting personnel and scoping pipeline secrets are now as critical as patching servers.
- https://www.elastic.co/security-labs/detecting-cicd-pipeline-abuse-with-llm-augmented-analysis
- https://www.sophos.com/en-us/blog/-mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages
- https://www.recordedfuture.com/blog/lazarus-does-not-need-agi
- https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
Legitimate Tool Abuse and Identity Hijacking
Attackers are exploiting the blind spot around trusted tools because legitimate remote-access software like ScreenConnect and LogMeIn bypasses malware detection entirely, while malicious AI browser extensions steal passwords and API keys under the guise of productivity aids. This lets attackers maintain persistent access and harvest credentials without triggering traditional security alerts, making context-aware monitoring of tool installation and API authentication essential.
- https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/
- https://www.akamai.com/blog/security/2026/apr/api-weak-spot-study-ai-compounding-security-pressures
- https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/
N-Day Vulnerability Exploitation at Machine Speed
Old vulnerabilities remain a primary entry point because groups like SHADOW-EARTH-053 still exploit years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 and CVE-2026-41940 are already under active exploitation. Because AI models like Claude Mythos can autonomously discover and chain these flaws into working exploits faster than humans can patch, organizations must shift from static CVSS scoring to environment-specific risk and machine-speed automated response.
- https://www.zscaler.com/blogs/product-insights/exposure-management-after-mythos-4-urgent-changes-security-leaders-must-make
- https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html
- https://blog.talosintelligence.com/five-defender-priorities-from-the-talos-year-in-review/
Trending CVEs
- CVE-2026-32202 (2 mentions) — Microsoft Windows vulnerability actively exploited in the wild per CISA, allowing attackers to bypass security protections; underscores the N-day exploitation problem.
- CVE-2026-41940 (1 mentions) — WebPros cPanel and WHM missing-authentication flaw actively exploited per CISA; internet-facing web management platforms are high-value targets for unauthorized access.
- CVE-2024-1708 (2 mentions) — ConnectWise ScreenConnect vulnerability actively exploited per CISA, directly linked to the broader trend of attackers abusing legitimate RMM tools for persistent access.
- CVE-2021-26855 (ProxyLogon) (1 mentions) — Years-old Microsoft Exchange vulnerabilities still being exploited by SHADOW-EARTH-053 against government targets, illustrating the persistent long tail of legacy flaws.
Sector Trends
- Web3 / Cryptocurrency — North Korean groups like BlueNoroff are heavily targeting Web3 executives with AI-generated deepfake meetings because cryptocurrency theft directly funds state weapons programs, making this sector a persistent priority for state-sponsored financial crime.
- Government / Defense — China-aligned espionage groups like SHADOW-EARTH-053 are exploiting unpatched Exchange servers to maintain long-term access to Asian government and defense networks, because legacy infrastructure in these sectors often lags on patching cycles.
- Financial Services — Scams and authorized push payment fraud cost up to $1 trillion globally because money mule accounts remain the critical bottleneck; banks must adopt intelligence-led mule detection before regulatory liability shifts to them.
- Technology / Software Development — Developer pipelines and npm packages are under siege because compromising CI/CD automation or supply-chain dependencies yields downstream access to cloud credentials and signing certificates, turning developer trust into an attack surface.
Notable Incidents
- BlueNoroff AI-Deepfake Campaign Targets Web3 Executives — First major convergence of AI-generated deepfake video meetings with ClickFix social engineering, showing how AI collapses the cost of convincing executive-targeted lures.
- VECT 2.0 Ransomware Permanently Destroys Files Due to Coding Flaw — A critical programming error makes this ransomware permanently destroy files larger than 128 KB, meaning paying the ransom provides zero recovery—organizations must rely on backups alone.
- Claude Mythos AI Autonomously Chains Vulnerabilities into Exploits — Proof-of-concept demonstrating that AI can independently discover and chain vulnerabilities into working exploits at machine speed, rendering manual patching cadences obsolete.
- Mini Shai-Hulud Supply Chain Attack Targets SAP npm Packages — Enterprise SAP development tools were compromised to steal credentials via public GitHub repos, showing how supply-chain attacks on developer dependencies yield downstream access to corporate secrets.
- CISA Adds CVE-2026-41940 (cPanel) to actively Exploited Catalog — Missing authentication on widely used web management platforms is being actively exploited, highlighting how internet-facing trust-brokering systems are prime targets.