Cyber Threat Brief — April 19 2026
⚠️ This report is AI-generated. Always validate findings.
1. UAC-0247 Data-Theft Campaign Targeting Ukrainian Healthcare & Government
TL;DR: CERT-UA disclosed UAC-0247 targeting Ukrainian clinics, emergency hospitals, and government entities (March–April 2026) with custom data-theft tools CHROMELEVATOR, ZAPIXDESK, and AGINGFLY RAT. Attack chain: phishing → mshta.exe → shellcode injection into runtimeBroker.exe → credential/data exfiltration.
What’s New:
- CERT-UA advisory published April 15–16; campaign active March–April 2026 targeting municipal healthcare and government
- CHROMELEVATOR bypasses Chromium DPAPI credential protections to extract saved passwords and cookies
- ZAPIXDESK decrypts local WhatsApp Web IndexedDB databases for message/session exfiltration
- AGINGFLY C# RAT uses AES-CBC encrypted WebSocket C2; capabilities include command execution, file download, screenshots, keylogging
- Attack chain: humanitarian-aid-themed phishing email → XSS-compromised legitimate site or AI-generated lure page → LNK download → mshta.exe HTA execution → decoy form + shellcode injection into runtimeBroker.exe
- Post-compromise: RUSTSCAN subnet reconnaissance, LIGOLO-NG/CHISEL tunneling, and in some cases XMRIG miner hidden inside modified WireGuard binary
- Defense Forces of Ukraine also targeted via malicious ZIP archives distributed through Signal, delivering AGINGFLY via DLL sideloading
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| mshta.exe spawning from LNK execution | Process chain | T1218.005 | EDR, Sysmon EID 1 | Alert — initial access |
| Shellcode injection into runtimeBroker.exe | Process injection | T1055 | EDR, Sysmon EID 8/10 | Alert — AGINGFLY staging |
| CHROMELEVATOR accessing Chrome Login Data / Cookies DB | File access | T1555.003 | EDR file telemetry, Sysmon EID 11 | Alert — credential theft |
| WhatsApp Web IndexedDB access by non-browser process | File access | T1005 | EDR, Sysmon EID 11 | Hunt — ZAPIXDESK indicator |
| LIGOLO-NG / CHISEL tunnel establishment | Network tunnel | T1572 | NDR, Zeek conn.log, firewall | Alert — C2 tunneling |
| RUSTSCAN port scanning from internal host | Network recon | T1046 | NDR, firewall, Zeek | Alert — lateral movement prep |
| XMRIG process or WireGuard binary with unexpected hash | Cryptominer | T1496 | EDR, process monitoring | Alert — resource hijacking |
| DLL sideloading delivering AGINGFLY via Signal ZIP | DLL sideload | T1574.002 | Sysmon EID 7, EDR | Alert — secondary delivery path |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Detect MSHTA Spawned from Shortcut (partial) | No CHROMELEVATOR/ZAPIXDESK-specific rules; write SPL for non-browser processes accessing Chrome Login Data or WhatsApp IndexedDB paths |
| Elastic | Mshta.exe Spawned by Explorer (partial) | No rule for runtimeBroker.exe injection or WhatsApp DB access; custom KQL needed |
| Sigma | win_proc_creation_susp_mshta.yml (partial), net_connection_chisel.yml | No CHROMELEVATOR/ZAPIXDESK rules; write Sigma for non-browser Chromium credential DB access |
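As an added example that is not from CERT-UA or any of the cited write-ups, covering both the WhatsApp IndexedDB hunt in the Actionable Intel table and the Sigma/SPL gap above: a Python filter over Sysmon EID 11-style file events (`Image`, `TargetFilename`) that flags non-browser processes touching Chromium `Login Data`/`Cookies` databases or the WhatsApp Web IndexedDB directory. The browser allow-list and the WhatsApp IndexedDB directory layout are assumptions to tune per environment; the sample events are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Processes expected to open these files legitimately (assumption; tune per fleet).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Chromium profile DBs: <profile>\Login Data, <profile>\Cookies, <profile>\Network\Cookies
CHROMIUM_CRED_RE = re.compile(
    r"\\User Data\\[^\\]+\\(Login Data|Cookies|Network\\Cookies)$", re.I)
# WhatsApp Web's IndexedDB directory inside the browser profile (assumed layout).
WHATSAPP_IDB_RE = re.compile(
    r"\\IndexedDB\\https_web\.whatsapp\.com_\d+\.indexeddb\.leveldb\\", re.I)

def classify(image: str, target: str) -> Optional[str]:
    """Label a file event when a non-browser process touches a sensitive path."""
    proc = image.rsplit("\\", 1)[-1].lower()
    if proc in BROWSER_IMAGES:
        return None  # the browser reading its own profile is expected
    if CHROMIUM_CRED_RE.search(target):
        return "chromium-credential-db-access"
    if WHATSAPP_IDB_RE.search(target):
        return "whatsapp-web-indexeddb-access"
    return None

def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over Sysmon EID 11-style records (Image, TargetFilename)."""
    hits = []
    for ev in events:
        label = classify(ev.get("Image", ""), ev.get("TargetFilename", ""))
        if label:
            hits.append({**ev, "label": label})
    return hits

# Constructed sample events, not real telemetry. The runtimeBroker.exe rows mirror
# the injection target named in the advisory; the svchost row is benign noise.
PROFILE = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": PROFILE + r"\Login Data"},
    {"Image": r"C:\Windows\System32\runtimeBroker.exe",
     "TargetFilename": PROFILE + r"\Login Data"},
    {"Image": r"C:\Windows\System32\runtimeBroker.exe",
     "TargetFilename": PROFILE + r"\IndexedDB\https_web.whatsapp.com_0.indexeddb.leveldb\000003.log"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\a\AppData\Local\Temp\update.tmp"},
]
```

Expect noise from backup agents and legitimate password managers; add those images to the allow-list rather than widening the path patterns.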
Sources: CERT-UA Advisory · The Hacker News · GBHackers · SecurityAffairs
2. nginx-ui MCPwn Active Mass Exploitation — CVE-2026-33032
TL;DR: CVE-2026-33032 has escalated from unpatched-but-quiet to confirmed mass exploitation by botnet operators and ransomware affiliates. VulnCheck KEV listed April 13; 2,689 internet-exposed instances; two HTTP requests give full nginx server takeover.
What’s New:
- Recorded Future Insikt Group ranked CVE-2026-33032 risk score 94/100 and named it one of 31 most-exploited CVEs of March 2026
- VulnCheck added to KEV catalog April 13, 2026 — exploitation confirmed by multiple telemetry sources
- Exploitation codename “MCPwn” (Pluto Security): unauthenticated POST to `/mcp_message` invokes 12 MCP tools including `nginx_config_add` with auto-reload — full takeover in two requests
- Threat actors include botnet operators, ransomware affiliates, and opportunistic cryptominers — no single APT attributed
- Exploitation indicators: unauthorized nginx config changes, unexpected `creds.log` files, unscheduled service reloads, anomalous POST to `/mcp_message` from external IPs
- Largest exposure clusters: China, US, Indonesia, Germany, Hong Kong across Alibaba Cloud, Oracle, Tencent, DigitalOcean
- Patched in v2.3.4 (March 15) but significant unpatched population remains
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST requests to /mcp_message from external IPs | HTTP request | T1190 | WAF, reverse proxy, nginx access log | Block/Alert — primary exploitation path |
| Unauthorized nginx config modifications (auto-reload) | Config tampering | T1584.004 | File integrity monitoring, nginx error log | Alert — post-exploitation |
| creds.log or similar credential harvesting files | File artifact | T1003 | HIDS, FIM, Sysmon (if containerized w/ agent) | Hunt — credential theft indicator |
| Shodan fingerprint http.favicon.hash:-1565173320 | Exposure | T1595 | ASM/attack surface management | Remediate — confirm not exposed |
| nginx-ui management port (default 9000) exposed to internet | Misconfiguration | T1190 | Shodan, Censys, internal ASM | Remediate — restrict to management VLAN |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No nginx-ui-specific rule; write SPL for HTTP POST to /mcp_message from non-localhost in reverse proxy logs |
| Elastic | None | No rule; custom KQL for nginx access logs with POST /mcp_message from external source IPs |
| Sigma | None | Write web_nginx_ui_mcpwn_cve_2026_33032.yml matching POST to /mcp_message endpoint from non-RFC1918 sources |
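As an added example (not from Rapid7, Picus, or the nginx-ui project) of the detection logic the three gaps above call for: a Python scanner over nginx `combined` access-log lines that returns POST requests to `/mcp_message` whose source address is outside RFC1918, loopback and link-local ranges. The log lines are constructed and use the 203.0.113.0/24 documentation range for the external client.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
MCP_ENDPOINT = "/mcp_message"
# Ranges treated as internal: RFC1918, loopback, link-local, and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip_str: str) -> bool:
    """True when the source is outside every internal range; unparsable values never match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def is_mcpwn_candidate(rec: Dict[str, str]) -> bool:
    path = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec["method"] == "POST" and path == MCP_ENDPOINT and is_external(rec["ip"])

def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records for external POSTs to the MCP endpoint."""
    return [rec for rec in map(parse_line, lines) if rec and is_mcpwn_candidate(rec)]

# Constructed sample log; 203.0.113.9 (documentation range) stands in for an external client.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Apr/2026:10:02:11 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.5 - - [19/Apr/2026:10:02:15 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Apr/2026:10:02:20 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "curl/8.5"
127.0.0.1 - - [19/Apr/2026:10:02:25 +0000] "POST /mcp_message?x=1 HTTP/1.1" 200 10 "-" "curl/8.5"
"""
```

If nginx-ui sits behind a reverse proxy, `$remote_addr` is the proxy's address; log and match on the forwarded client address (`$http_x_forwarded_for`) instead, or every hit will look internal.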
Sources: Rapid7 ETR · Picus Security MCPwn Analysis · The Hacker News · PurpleOps
Status Updates
- CVE-2026-34621 (Adobe Acrobat/Reader): ITW exploitation ongoing since Dec 2025; CISA KEV deadline May 4; no new IOCs. Original brief.
- CVE-2026-34197 (Apache ActiveMQ): CISA KEV added April 16; ransomware/cryptominer/webshell exploitation ongoing; federal deadline May 6. Original brief.
- BlueHammer/RedSun/UnDefend (Windows Defender): All three exploited ITW per Huntress; BlueHammer patched (CVE-2026-33825), RedSun and UnDefend remain unpatched with no CVE; expected fix Defender Platform ≥ 4.18.26050.3011. Original brief.
- CVE-2026-35616 (FortiClient EMS): Federal deadline passed April 9; 7.4.7 full fix still pending; exploitation ongoing since March 31. Original brief.
- CVE-2026-4681 (PTC Windchill): Still no vendor patch; CISA ICS advisory active; German police physically notifying affected orgs. Original brief.
- CVE-2026-1340/1281 (Ivanti EPMM): Mass exploitation continues; federal deadline passed April 11; RPM detection tool available. Original brief.
- CVE-2026-39808 (FortiSandbox): Public PoC active; ~2,400 exposed instances; no ITW exploitation confirmed yet. Original brief.