Cyber Threat Brief — April 10 2026
1. Adobe Reader Unpatched Zero-Day — No CVE Assigned
TL;DR: EXPMON researcher Haifei Li disclosed an actively exploited Adobe Acrobat/Reader zero-day on April 9. No CVE, no patch. Weaponized PDFs with Russian-language oil/gas lures have been in the wild since at least November 2025, fingerprinting victims and exfiltrating data to a hardcoded C2.
What’s New:
- Public disclosure April 9 by EXPMON; Adobe has not acknowledged or patched.
- Exploit abuses Acrobat JavaScript engine privileged APIs for system fingerprinting, arbitrary file read, and AES-encrypted second-stage payload delivery.
- Earliest known VT sample (`Invoice540.pdf`) submitted November 28, 2025; second sample March 23, 2026.
- Russian-language lures referencing oil/gas industry current events — likely espionage-motivated.
- User-Agent string `Adobe Synchronizer` used in C2 callbacks.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f | SHA-256 (Invoice540.pdf) | T1203 | EDR / file hash | Block / hunt |
| 169.40.2.68:45191 | C2 IP:port | T1071.001 | Firewall / proxy | Block |
| User-Agent: Adobe Synchronizer | HTTP header | T1071.001 | Proxy / NDR | Alert on outbound from Acrobat processes |
| Obfuscated JS in PDF /OpenAction | Execution trigger | T1059.007 | EDR process tree | Hunt: AcroRd32.exe / Acrobat.exe spawning network calls |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need: PDF-spawned outbound connection to non-Adobe IP; Acrobat JS API abuse via process telemetry |
| Elastic | None | Need: Acrobat child process network connection rule |
| Sigma | None | Need: proc_creation_win_acrobat_suspicious_network.yml — Acrobat process connecting to non-whitelisted IPs |
Sources: EXPMON / Haifei Li disclosure, The Hacker News, SecurityWeek, Forensic analysis (SHA-256)
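An added hunt for the Sigma/Elastic gap noted above (example code, not EXPMON's or any vendor's): Acrobat or Reader processes opening outbound connections to destinations that are not Adobe's own. The records are constructed Sysmon Event ID 3-style dicts (field names follow Sysmon; the values are not from the brief), and the Adobe allowlist is a placeholder CIDR to be replaced with ranges observed in your own proxy.

```python
import ipaddress

ACROBAT_IMAGES = {"acrord32.exe", "acrobat.exe"}
KNOWN_C2 = {("169.40.2.68", 45191)}           # IP:port from the brief
# Placeholder allowlist (RFC 5737 range): substitute real Adobe service ranges.
ADOBE_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADOBE_ALLOWLIST)


def triage(events):
    """Return (severity, event) for every Acrobat-originated connection:
    'critical' when it matches the published C2, 'suspicious' for any other
    non-allowlisted destination (private ranges included, to catch relays)."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in ACROBAT_IMAGES or not ev.get("Initiated", True):
            continue  # not Acrobat, or an inbound connection
        dst = (ev["DestinationIp"], int(ev["DestinationPort"]))
        if dst in KNOWN_C2:
            hits.append(("critical", ev))
        elif not is_allowlisted(ev["DestinationIp"]):
            hits.append(("suspicious", ev))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, Sysmon Event ID 3 shape
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "DestinationIp": "169.40.2.68", "DestinationPort": 45191, "Initiated": True},
    {"Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080, "Initiated": True},
]

if __name__ == "__main__":
    for severity, ev in triage(SAMPLE_EVENTS):
        print(severity, ev["Image"], ev["DestinationIp"], ev["DestinationPort"])
```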
2. APT28 PRISMEX Campaign — CVE-2026-21509 / CVE-2026-21513
TL;DR: Trend Micro published full analysis (April 8) of APT28/Pawn Storm deploying the PRISMEX malware suite against Ukraine and NATO ally defense/logistics orgs since September 2025. Four-stage chain: Excel steganography dropper → COM hijack persistence → PNG-embedded .NET payload → COVENANT Grunt C2 over Filen.io. Dual espionage/wiper capability confirmed.
What’s New:
- Trend Micro report published April 8; SOC Prime detection content released April 9.
- Four modular components: PrismexSheet (VBA stego dropper), PrismexDrop (COM hijack), PrismexLoader/PixyNetLoader (PNG “Bit Plane Round Robin” extraction), PrismexStager (COVENANT Grunt → Filen.io C2).
- Rapid weaponization of CVE-2026-21509 and CVE-2026-21513 — infrastructure prep observed January 12, two weeks before public disclosure.
- Wiper capability: `%USERPROFILE%` directory erasure via Grunt payload observed in October 2025 incident.
- Sectors: Ukraine government/defense/hydro, Poland rail, Romania/Slovenia/Turkey maritime, Czech/Slovak ammunition logistics.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| wellnesscaremed[.]com | C2 domain | T1071.001 | DNS / proxy | Block |
| gateway.filen.io | C2 (cloud abuse) | T1102.002 | Proxy / CASB | Monitor; block if no business use |
| adwapi64.dll | Dropped DLL | T1546.015 | EDR file create | Hunt in %APPDATA% paths |
| EhStoreShell.dll | Proxy DLL | T1574.001 | EDR file create | Hunt |
| SplashScreen.png, background.png | Stego carriers | T1027.003 | EDR file create | Hunt: large PNGs in Office temp dirs |
| CLSID {68DDBB56-9D1D-4FD9-89C5-C0DA2A625392} | COM hijack | T1546.015 | Registry (Sysmon 13) | Alert: HKCU\Software\Classes\CLSID writes |
| Scheduled task OneDriveHealth | Persistence | T1053.005 | Sysmon 1 / WinEventLog | Hunt: task restarting explorer.exe |
| aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa | SHA-256 (exploit) | T1203 | EDR / VT | Block / hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Suspicious Scheduled Task Created via schtasks.exe (generic) | Need: specific rule for OneDriveHealth task restarting explorer.exe |
| Elastic | COM Object Hijacking (generic) | Need: rule scoping HKCU CLSID writes to adwapi64.dll or EhStoreShell.dll |
| Sigma | registry_set_com_hijack_inprocserver.yml (partial) | Need: Filen.io gateway network rule; stego PNG detection in Office temp dirs |
Sources: Trend Micro, The Hacker News, SOC Prime, Security Affairs
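Added detection scoping for the Splunk/Elastic gaps above (example code, not Trend Micro's or SOC Prime's): a Sysmon Event 13 check for user-hive CLSID InprocServer32 writes that resolve to adwapi64.dll / EhStoreShell.dll or touch the hijacked CLSID, and a Sysmon Event 1 check for schtasks creating OneDriveHealth with an explorer.exe action. The events and the user SID are constructed; only the CLSID, DLL and task names come from the report.

```python
import re

PRISMEX_CLSID = "{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}"
PRISMEX_DLLS = {"adwapi64.dll", "ehstoreshell.dll"}
# Sysmon records HKCU keys as HKU\<SID>\...; capture the CLSID being written.
USER_CLSID = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32", re.I)


def check_registry(ev):
    """Sysmon 13 (registry value set): InprocServer32 write under a user hive."""
    m = USER_CLSID.match(ev.get("TargetObject", ""))
    if not m:
        return None
    dll = ev.get("Details", "").rsplit("\\", 1)[-1].lower()
    if dll in PRISMEX_DLLS or m.group(1).upper() == PRISMEX_CLSID:
        return "prismex_com_hijack"
    return None


def check_task(ev):
    """Sysmon 1 (process create): schtasks creating OneDriveHealth that runs explorer.exe."""
    if not ev.get("Image", "").lower().endswith("schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if re.search(r'/tn\s+"?OneDriveHealth"?', cmd, re.I) and \
       re.search(r"/tr\s+.*explorer\.exe", cmd, re.I):
        return "prismex_onedrivehealth_task"
    return None


CHECKS = {13: check_registry, 1: check_task}


def triage(events):
    """Return the rule names that fired, in event order."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        rule = check(ev) if check else None
        if rule:
            hits.append(rule)
    return hits


SID = r"HKU\S-1-5-21-111-222-333-1001"  # constructed user SID
SAMPLE = [  # constructed Sysmon-style events
    {"EventID": 13, "TargetObject": SID + r"\Software\Classes\CLSID"
     r"\{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}\InprocServer32\(Default)",
     "Details": r"C:\Users\u\AppData\Roaming\adwapi64.dll"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Classes\CLSID"
     r"\{00000000-1111-2222-3333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\legit.dll"},  # benign: other CLSID, other DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn OneDriveHealth /tr "explorer.exe" /sc onlogon'},
]
```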
3. CyberAv3ngers Target U.S. Critical Infrastructure PLCs — CISA AA26-097A
TL;DR: Joint FBI/CISA/NSA/EPA/DOE/CNMF advisory (April 7) confirms IRGC-CEC-linked CyberAv3ngers compromising internet-exposed Rockwell Automation PLCs across U.S. water, energy, and government facilities since March 2026. Attackers use Studio 5000 Logix Designer (not a vuln exploit) to modify PLC logic and falsify HMI displays while deploying Dropbear SSH for persistence.
What’s New:
- Joint advisory AA26-097A published April 7 with STIX IOCs (XML + JSON) downloadable from CISA.
- No software vulnerability exploited — attackers target absent authentication on internet-exposed Rockwell CompactLogix/Micro850 PLCs.
- Post-access: Dropbear SSH on port 22 for persistent C2, PLC project file extraction/modification, SCADA HMI data manipulation (false readings).
- Operational disruption and financial loss confirmed at multiple victim sites.
- Escalation assessed as response to U.S.-Iran/Israel hostilities.
Actionable Intel
| Artifact | Type | ATT&CK (ICS) | Log Source | Action |
|---|---|---|---|---|
| Port 44818 (EtherNet/IP) | Network | T0883 | Firewall / IDS | Block from internet; alert on external inbound |
| Port 2222 (EtherNet/IP alt) | Network | T0883 | Firewall / IDS | Block from internet |
| Port 502 (Modbus TCP) | Network | T0883 | Firewall / IDS | Block from internet |
| Port 22 (Dropbear SSH) | Persistence | T1219 | Firewall / PLC logs | Hunt: unexpected SSH on OT endpoints |
| Dropbear SSH binary | Tool | T1219 | EDR / file hash | Hunt on PLC-adjacent hosts |
| Modified PLC project files | Logic manipulation | T0839 | Change mgmt / Rockwell logs | Diff project files against known-good baselines |
| Falsified HMI data | Impact | T0565 | Historian / SCADA logs | Cross-check HMI values vs. sensor data |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None (OT/ICS gap) | Need: Rockwell EtherNet/IP external connection rule; Dropbear process on non-standard OT host |
| Elastic | None (OT/ICS gap) | Need: ICS protocol detection on internet-facing interfaces |
| Sigma | None (OT/ICS gap) | Need: Dropbear SSH process creation on Windows/Linux OT hosts |
Sources: CISA AA26-097A, SecurityWeek, Picus Security, 1898 Advisories
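Added triage for the OT/ICS detection gap above (example code, not CISA's tooling): flows reaching EtherNet/IP (44818, 2222) or Modbus TCP (502) on an OT asset from outside the organisation's address space, and any SSH (22) to an OT asset, since Dropbear on port 22 was the persistence mechanism. The flow lines, the OT subnet and the internal ranges are constructed placeholders; the RFC 5737 addresses stand in for public sources.

```python
import ipaddress

ICS_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP alt", 502: "Modbus TCP"}
SSH_PORT = 22
# Placeholders: replace with your asset inventory and owned address space.
OT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify(flow):
    """flow line: 'src_ip src_port dst_ip dst_port proto'. Returns a
    (verdict, detail, src, dst) tuple, or None for expected traffic."""
    src, _sport, dst, dport, _proto = flow.split()
    dport = int(dport)
    if not in_any(dst, OT_SUBNETS):
        return None                      # not an OT asset; out of scope here
    external = not in_any(src, INTERNAL)
    if dport in ICS_PORTS and external:
        return ("block", ICS_PORTS[dport] + " from internet", src, dst)
    if dport == SSH_PORT:
        origin = "internet" if external else "internal"
        return ("hunt", "ssh to OT asset from " + origin, src, dst)
    return None


def triage(flows):
    return [r for r in map(classify, flows) if r]


SAMPLE_FLOWS = [  # constructed flow records
    "203.0.113.5 51234 10.50.1.20 44818 tcp",   # EtherNet/IP from outside
    "10.50.2.7 40000 10.50.1.20 44818 tcp",     # engineering workstation, expected
    "203.0.113.9 5555 10.50.1.21 22 tcp",       # SSH to PLC-adjacent host
    "10.20.3.4 6000 10.50.1.22 502 tcp",        # internal Modbus poll, expected
    "198.51.100.3 7000 10.50.1.22 502 tcp",     # Modbus from outside
    "198.51.100.3 7000 10.8.0.9 22 tcp",        # SSH to IT host, out of scope
]

if __name__ == "__main__":
    for verdict, detail, src, dst in triage(SAMPLE_FLOWS):
        print(f"{verdict:5} {detail}: {src} -> {dst}")
```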
Status Updates
- CVE-2026-35616 (FortiClient EMS): Federal CISA KEV deadline passed April 9; exploitation ongoing since March 31, still no full patch (7.4.7 pending), only hotfix available. Original brief.
- CVE-2026-1340 / CVE-2026-1281 (Ivanti EPMM): Second CVE-2026-1281 added to CISA KEV; federal deadline April 11; “thousands” of exploitation attempts confirmed; Ivanti released RPM detection tool for IOC scanning. Original brief.
- CVE-2026-4681 (PTC Windchill): Still no patch; German police continue physically notifying affected orgs; CISA ICS advisory ICSA-26-085-03 active. Original brief.
- CVE-2025-53521 (F5 BIG-IP APM): UNC5221 BRICKSTORM exploitation ongoing; federal deadline passed March 30. Original brief.