Cyber Threat Brief — April 2 2026
⚠️ This report is AI-generated. Always validate findings.
1. Chrome Dawn WebGPU Use-After-Free Zero-Day — CVE-2026-5281
TL;DR: Google’s 4th actively exploited Chrome zero-day of 2026 is a UAF in the Dawn WebGPU layer allowing code execution via crafted HTML. CISA KEV added April 1; patch to 146.0.7680.178+ immediately.
What’s New:
- Use-after-free in Dawn (WebGPU abstraction layer translating API calls to Vulkan/Metal/Direct3D) enables code execution from a compromised renderer via crafted HTML page
- Reported by pseudonymous researcher 86ac1f1587b71893ed2ad792cd7dde32 (the same reporter found CVE-2026-4675, a heap buffer overflow in WebGL, and CVE-2026-4676, a UAF in Dawn; both patched March 23)
- CISA KEV added April 1, 2026; federal deadline April 15, 2026
- Google confirms ITW exploitation; no attribution or target details released
- Fixed in Chrome 146.0.7680.177 (Linux) / 146.0.7680.177/.178 (Windows/Mac)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Chrome < 146.0.7680.178 | Vulnerable version | T1203 | EDR software inventory, SCCM | Query fleet for unpatched Chrome; force-update via GPO/MDM |
| Crafted HTML page (WebGPU API calls) | Exploit delivery | T1189 | Proxy logs, browser telemetry | Monitor for anomalous WebGPU shader/compute workloads in browser telemetry |
| Renderer process spawning child processes | Post-exploit behavior | T1055 | Sysmon EID 1, EDR | Alert on chrome.exe renderer spawning unexpected child processes (cmd, powershell, wscript) |
| dawn.node / GPU process anomalies | Exploit indicator | T1203 | Chrome crash reports, EDR | Review Chrome GPU process crashes for UAF signatures |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: Chrome version compliance dashboard; anomalous browser child process rule |
| Elastic | Suspicious Browser Child Process (macOS) — partial | Gap: No Windows/Linux equivalent; no WebGPU-specific telemetry rule |
| Sigma | proc_creation_win_browsers_suspicious_child_process.yml (partial) | Gap: Does not differentiate renderer vs broker process lineage |
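The two checks the tables above ask for, as an added example that is not code from the brief, Google or the Chromium project: a fleet version comparison against the fixed build, and a Sysmon EID 1 filter that fires only when a sandboxed Chrome process (renderer or GPU, identified by the `--type=` switch) spawns an interpreter, which is the renderer-vs-broker lineage distinction the Sigma gap note calls out. The inventory rows and Sysmon records are constructed for illustration; field names follow Sysmon, hostnames are invented.

```python
"""CVE-2026-5281 hunting helpers (added example, not from the brief)."""
from __future__ import annotations

import ntpath
from typing import Iterable

# First build the brief reports as fixed on every platform. Linux also shipped
# the fix in .177, so flagging .177 is conservative rather than wrong.
FIXED_BUILD = (146, 0, 7680, 178)

# Interpreters a Chrome renderer or GPU process has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Chrome's sandboxed process types carry --type=<name> on their command line;
# the browser (broker) process has no --type switch at all.
SANDBOXED_TYPES = {"renderer", "gpu-process", "utility"}


def parse_chrome_version(version: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_chrome_version(version) < FIXED_BUILD


def unpatched_hosts(inventory: Iterable[dict]) -> list[str]:
    """Hosts whose Google Chrome is below the fixed build.

    Rows look like {"host", "product", "version"}, as a normalised SCCM/EDR
    export would provide. Other Chromium browsers (Edge, Brave) use their own
    version lines and must be checked against their own vendor's fixed build.
    """
    return sorted(row["host"] for row in inventory
                  if row.get("product", "").lower() == "google chrome"
                  and is_vulnerable(row["version"]))


def chrome_process_type(command_line: str) -> str | None:
    """Return the value of the --type= switch, or None for the broker process."""
    for token in command_line.split():
        if token.startswith("--type="):
            return token.split("=", 1)[1]
    return None


def suspicious_chrome_children(events: Iterable[dict]) -> list[dict]:
    """Sysmon EID 1 events where a sandboxed chrome.exe spawned an interpreter.

    Children of the broker are ignored on purpose: the browser process
    legitimately launches helpers (opening a download, protocol handlers);
    a renderer or GPU process never should.
    """
    hits = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent != "chrome.exe" or child not in SUSPICIOUS_CHILDREN:
            continue
        ptype = chrome_process_type(ev.get("ParentCommandLine", ""))
        if ptype in SANDBOXED_TYPES:
            hits.append({**ev, "ChromeParentType": ptype, "Technique": "T1203"})
    return hits


# Constructed sample inventory (hostnames invented).
SAMPLE_INVENTORY = [
    {"host": "ws-0417", "product": "Google Chrome", "version": "146.0.7680.120"},
    {"host": "ws-0418", "product": "Google Chrome", "version": "146.0.7680.178"},
    {"host": "ws-0419", "product": "Google Chrome", "version": "147.0.7711.3"},
    {"host": "ws-0420", "product": "Microsoft Edge", "version": "145.0.3000.10"},
]

# Constructed Sysmon EID 1 records: a broker-launched cmd.exe (benign lineage),
# a renderer-launched PowerShell, a GPU-process-launched rundll32, and a
# renderer-launched notepad (odd, but not an interpreter).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": CHROME,
     "ParentCommandLine": f'"{CHROME}"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": CHROME,
     "ParentCommandLine": f'"{CHROME}" --type=renderer --field-trial-handle=1 --lang=en-US'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": CHROME,
     "ParentCommandLine": f'"{CHROME}" --type=gpu-process --gpu-preferences=UAAAAAAAAA'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": CHROME,
     "ParentCommandLine": f'"{CHROME}" --type=renderer'},
]

if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    for hit in suspicious_chrome_children(SAMPLE_EVENTS):
        print(f"ALERT {hit['Technique']}: chrome {hit['ChromeParentType']} spawned {hit['Image']}")
```

The version check deliberately ignores non-Chrome Chromium builds rather than comparing them against Google's build number, which would produce meaningless results. The lineage filter keys on `--type=` in `ParentCommandLine`, so it needs Sysmon configured to log command lines for chrome.exe parents.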
Sources: Google Chrome Releases · BleepingComputer · SecurityWeek · Security Affairs
2. UAC-0255 AGEWHEEZE RAT — CERT-UA Impersonation Campaign
TL;DR: UAC-0255 sent ~1M phishing emails impersonating CERT-UA on March 26-27, delivering a Go-based RAT via password-protected ZIP from Files.fm. C2 at 54.36.237.92:8443 (OVH, WebSocket). CERT-UA assessed the campaign as largely unsuccessful.
What’s New:
- Emails from incidents@cert-ua[.]tech urged recipients to install "specialized security software" (CERT_UA_protection_tool.zip)
- ZIP hosted on Files.fm, password-protected; extracts the Go-based AGEWHEEZE RAT with screen streaming, command execution, mouse/keyboard emulation, clipboard access, process/service management
- C2: WebSocket listener at 54.36.237.92:8443 (OVH) with a self-signed certificate
- Persistence: scheduled tasks SvcHelper and CoreService; registry Run keys
- Targets: Ukrainian state organizations, medical centers, security companies, educational institutions, financial institutions, software development companies
- CERT-UA assessment: attack largely unsuccessful — only several infected personal devices at educational institutions confirmed
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| incidents@cert-ua[.]tech | Phishing sender | T1566.001 | Email gateway | Block sender domain cert-ua[.]tech |
| cert-ua[.]tech | Phishing domain | T1566.001 | DNS, proxy | Block domain |
| 54.36.237.92 | C2 IP (OVH) | T1071.001 | Firewall, NDR, proxy | Block and hunt in netflow |
| Port 8443 (WebSocket) | C2 channel | T1071.001 | Firewall, NDR | Alert on outbound WebSocket to OVH ranges on 8443; expect noise from legitimate OVH-hosted services, so correlate with the C2 IP and self-signed certificate |
| CERT_UA_protection_tool.zip | Payload filename | T1204.002 | Email gateway, EDR | Block/alert on filename in email attachments and downloads |
| Scheduled task SvcHelper | Persistence | T1053.005 | Sysmon EID 1, Windows Event 4698 | Hunt for task creation with this name |
| Scheduled task CoreService | Persistence | T1053.005 | Sysmon EID 1, Windows Event 4698 | Hunt for task creation with this name |
| %APPDATA% execution path | Execution location | T1204.002 | Sysmon EID 1, EDR | Alert on unsigned binaries executing from %APPDATA% |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Scheduled Task Created Via Command Line (generic) | Need: AGEWHEEZE-specific task name correlation (SvcHelper/CoreService) |
| Elastic | Suspicious Scheduled Task Created (generic) | Gap: No AGEWHEEZE IOC-specific rule; no Go-RAT WebSocket C2 pattern |
| Sigma | schtasks_creation_via_command_line.yml (generic) | Gap: Need rule for Go binary executing from %APPDATA% with WebSocket C2 |
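An IOC sweep covering the Actionable Intel table above, as an added example that is not code from the brief, CERT-UA or any vendor. It refangs the defanged indicators exactly as printed (cert-ua[.]tech, the C2 IP, the task names, the payload filename), then runs them over constructed samples of the log sources the table names: mail gateway records, EDR process starts, Windows Security 4698 (scheduled task created) and Sysmon EID 3 network connections. It widens the %APPDATA% check to %LOCALAPPDATA% as well. All records are constructed; the EDR `Signed` field is an assumption about an EDR export (Sysmon EID 1 carries no signature flag), and the hostnames are invented.

```python
"""AGEWHEEZE (UAC-0255) IOC sweep (added example, not from the brief)."""
from __future__ import annotations

import re
from typing import Iterable

# Indicators as published in the brief (defanged where the brief defangs them).
PHISHING_DOMAIN = "cert-ua[.]tech"
C2_IP, C2_PORT = "54.36.237.92", 8443
PAYLOAD_NAME = "CERT_UA_protection_tool.zip"
TASK_NAMES = {"SvcHelper", "CoreService"}

# Roaming is %APPDATA%; Local (%LOCALAPPDATA%) is added as a deliberate widening.
APPDATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be loaded into a blocklist or query."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def task_name_matches(event_4698: dict) -> bool:
    """4698 TaskName is a path like '\\SvcHelper' or '\\Microsoft\\Foo\\SvcHelper'."""
    leaf = event_4698.get("TaskName", "").rsplit("\\", 1)[-1]
    return leaf in TASK_NAMES


def unsigned_from_appdata(proc: dict) -> bool:
    """EDR-style process start: unsigned image under the user's AppData tree."""
    return bool(APPDATA_RE.match(proc.get("Image", ""))) and not proc.get("Signed", True)


def is_c2_connection(net: dict) -> bool:
    """Sysmon EID 3: any connection to the published C2 host counts; port confirms."""
    return net.get("DestinationIp") == C2_IP


def is_phishing_email(mail: dict) -> bool:
    """Sender domain match or the published payload filename as an attachment."""
    domain = mail.get("from", "").lower().rsplit("@", 1)[-1]
    if domain == refang(PHISHING_DOMAIN):
        return True
    return any(a.lower() == PAYLOAD_NAME.lower() for a in mail.get("attachments", []))


def sweep(records: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return (host, ATT&CK technique, reason) for every record matching an IOC."""
    findings = []
    for r in records:
        host, kind = r.get("host", "?"), r.get("type")
        if kind == "win4698" and task_name_matches(r):
            findings.append((host, "T1053.005", f"scheduled task {r['TaskName']}"))
        elif kind == "edr_process" and unsigned_from_appdata(r):
            findings.append((host, "T1204.002", f"unsigned {r['Image']}"))
        elif kind == "sysmon3" and is_c2_connection(r):
            port = int(r.get("DestinationPort", 0))
            note = "published listener port" if port == C2_PORT else "other port, same C2 host"
            findings.append((host, "T1071.001", f"C2 {r['DestinationIp']}:{port} ({note})"))
        elif kind == "email" and is_phishing_email(r):
            findings.append((host, "T1566.001", f"mail from {r['from']}"))
    return findings


# Constructed sample records across the four log sources (hosts and users invented).
SAMPLE_RECORDS = [
    {"type": "email", "host": "mx-01", "from": "incidents@cert-ua.tech", "attachments": []},
    {"type": "email", "host": "mx-01", "from": "itdesk@example.org",
     "attachments": ["CERT_UA_protection_tool.zip"]},
    {"type": "email", "host": "mx-01", "from": "news@example.org", "attachments": ["agenda.pdf"]},
    {"type": "edr_process", "host": "edu-lap-07",
     "Image": r"C:\Users\olena\AppData\Roaming\SvcHelper\svchelper.exe", "Signed": False},
    {"type": "edr_process", "host": "edu-lap-07",
     "Image": r"C:\Users\olena\AppData\Local\Microsoft\Teams\Teams.exe", "Signed": True},
    {"type": "win4698", "host": "edu-lap-07", "TaskName": r"\SvcHelper"},
    {"type": "win4698", "host": "edu-lap-07", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "sysmon3", "host": "edu-lap-07", "DestinationIp": "54.36.237.92", "DestinationPort": 8443},
    {"type": "sysmon3", "host": "edu-lap-07", "DestinationIp": "54.36.237.92", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, technique, reason in sweep(SAMPLE_RECORDS):
        print(f"{host}\t{technique}\t{reason}")
```

Matching the C2 on IP alone, with the port only annotated, follows the table's "block and hunt in netflow" for the IP; a RAT operator can move ports far more cheaply than hosts. The task-name check compares the leaf of the 4698 TaskName path, so a task registered under a subfolder is still caught.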
Sources: The Hacker News · SOC Prime · CERT-UA
Status Updates
- CVE-2026-3055 (Citrix NetScaler): CISA KEV federal deadline is today, April 2. Active exploitation ongoing via SAMLRequest to /saml/login and the NSC_TASS cookie memory leak. Metasploit module available. Original brief.
- CVE-2026-4681 (PTC Windchill): Still no patch available. German police are physically warning organizations. Imminent exploitation threat persists. Original brief.
- CVE-2025-53521 (F5 BIG-IP APM): UNC5221 BRICKSTORM exploitation ongoing. Federal deadline passed March 30. No new artifacts. Original brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing. No new artifacts. Original brief.
- UNC1069 axios npm (WAVESHAPER.V2): No new IOCs since initial disclosure. Malicious versions removed. Original brief.