Weekly Threat Intel
April 19–26, 2026
- SaaS-to-SaaS OAuth trust is the new soft underbelly. A 22-month-dwell intrusion at Vercel pivoted from a Lumma-stealer infection at Context.ai through an “Allow All” OAuth grant. Audit every third-party OAuth app with broad scopes — especially AI productivity tools.
- The TeamPCP supply-chain campaign reached the Bitwarden CLI. @bitwarden/cli@2026.4.0 shipped a credential-stealing payload (bw1.js) to npm for ~90 minutes on April 22. Anyone who installed during that window should rotate every developer secret on the machine.
- Scattered LAPSUS$ Hunters launched the first “Extortion-as-a-Service” platform. The federated brand — Scattered Spider + ShinyHunters + LAPSUS$ alumni — closed out their Salesforce campaign and is selling extortion services at scale. Treat any social-engineering attempt against IT helpdesks as a potential SLH affiliate.
- APT28’s Operation Neusploit is the largest single campaign of the week. 347 IOCs across CVE-2026-21509, NotDoor, MiniDoor, CovenantGrunt, and continued filen.io cloud-storage C2 abuse against Ukraine, Slovakia, and Romania.
- DPRK is back on the comm with fake meeting lures. UNC1069 (BlueNoroff) is running browser-based Zoom/Teams clones with AI-generated faces; Void Dokkaebi is using fake job interviews to wormify developer repos via VS Code tasks.
- AI agents are now part of the incident. Huntress published the first SOC postmortem where an OpenAI Codex coding agent actively complicated triage — CPU-throttling a cryptominer instead of removing it, and generating commands that looked indistinguishable from attacker reconnaissance.
- Two new RCEs to patch yesterday. CVE-2026-33032 (MCPwn) is an unauth bypass in Nginx UI’s MCP endpoint. CVE-2026-1731 in Bomgar (BeyondTrust) RMM is being chained to LockBit deployments.
- SaaS Supply Chain Crisis: Vercel, Bitwarden CLI, GPT-Proxy, and SLH’s EaaS Launch
- Nation-State: APT28 Neusploit, DPRK Meeting Lures, Tropic Trooper
- AI on Both Sides: Codex in the SOC, AI-Generated RATs, AI-Themed Lures
- Vulnerabilities: MCPwn, Bomgar RMM, and Storm-2755’s Axios Pivot
- Ransomware Roundup: The Gentlemen, Kyber, Payouts King, Contractor Pivot
- Also This Week
SaaS Supply Chain Crisis: Vercel, Bitwarden CLI, GPT-Proxy, and SLH’s EaaS Launch
Five distinct supply-chain compromises landed this week. Two struck infrastructure that defenders themselves rely on (Vercel, Bitwarden). Two leveraged package registries (npm, PyPI). And one redefined how data extorted in 2025’s Salesforce campaign will be monetized in 2026.
Vercel Breached via Compromised Context.ai OAuth Grant
Trend Micro and Vercel disclosed a multi-stage SaaS supply-chain intrusion with a 22-month dwell time. The chain: a Context.ai employee was infected with Lumma Stealer in February 2026; harvested credentials gave the attacker access to Context.ai support and customer-data systems; one Vercel employee had previously signed up for Context’s AI Office Suite using their Vercel Google Workspace identity and granted “Allow All” OAuth permissions. The attacker pivoted through that grant, took over the Vercel employee’s Workspace, and from there enumerated and decrypted environment variables across the Vercel platform. ShinyHunters claimed responsibility and listed the data for $2M; Vercel says no published npm packages were tampered with. Trend Micro’s analysis lists 73 IOCs spanning Lumma C2, attacker domains, and AS-level infrastructure.
Bitwarden CLI 2026.4.0 Hijacked: 90-Minute npm Window
Between 5:57 PM and 7:30 PM ET on April 22, npm served a malicious @bitwarden/cli@2026.4.0 containing a file bw1.js that targeted developer workstations and CI runners for GitHub tokens, npm tokens, SSH keys, shell history, AWS/GCP/Azure secrets, GitHub Actions secrets, and AI-tooling configs. Stolen data was AES-256-GCM encrypted and exfiltrated to audit[.]checkmarx.cx — a Checkmarx-impersonating domain that ties this incident to the broader TeamPCP / DeadCatx3 supply-chain campaign that earlier breached Checkmarx itself. If GitHub tokens were captured, the malware injected malicious Actions workflows into target repositories to keep harvesting CI secrets. Bitwarden confirmed end-user vault data was not accessed; the compromise was confined to the npm distribution path.
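The first triage question for this incident is simply "did npm run on this machine inside the window?" The script below is an added example (not from the post, and not Bitwarden tooling) that answers it from npm's per-invocation debug logs. It assumes npm names those logs with the UTC start time, colons and dots replaced by underscores (e.g. 2026-04-22T22_05_12_456Z-debug-0.log) under ~/.npm/_logs; the SAMPLE_LOG_NAMES are constructed.

```python
"""Find npm invocations that fell inside the window in which npm served the
hijacked @bitwarden/cli@2026.4.0 (5:57-7:30 PM ET, April 22).

Added example; not from the original post and not Bitwarden tooling.
Assumption: npm writes one debug log per invocation under ~/.npm/_logs named
<UTC timestamp, ':' and '.' replaced by '_'>-debug-<n>.log. The filenames in
SAMPLE_LOG_NAMES are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# April 22 is inside daylight-saving time, so Eastern Time is UTC-4 that day.
EDT = timezone(timedelta(hours=-4), "EDT")
WINDOW_START = datetime(2026, 4, 22, 17, 57, tzinfo=EDT)
WINDOW_END = datetime(2026, 4, 22, 19, 30, tzinfo=EDT)

LOG_NAME = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2})_(\d{2})_(\d{2})_\d{3}Z-debug-\d+\.log$"
)


def log_timestamp(name: str):
    """Recover the UTC start time from an npm debug-log filename, or None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    day, hh, mm, ss = m.groups()
    naive = datetime.strptime(f"{day}T{hh}:{mm}:{ss}", "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def in_window(ts: datetime) -> bool:
    """True if an aware timestamp lies inside the compromise window."""
    return WINDOW_START <= ts <= WINDOW_END


def suspect_logs(names):
    """Return (filename, Eastern-time string) for every log inside the window."""
    hits = []
    for name in sorted(names):
        ts = log_timestamp(name)
        if ts is not None and in_window(ts):
            hits.append((name, ts.astimezone(EDT).strftime("%Y-%m-%d %H:%M:%S %Z")))
    return hits


def mentions_bitwarden_cli(log_text: str) -> bool:
    """True if a debug log shows npm resolving the hijacked package version."""
    return "@bitwarden/cli@2026.4.0" in log_text


def scan_npm_logs(log_dir=None):
    """Scan a real npm log directory: (name, local_time, names_hijacked_pkg)."""
    log_dir = Path(log_dir) if log_dir else Path.home() / ".npm" / "_logs"
    if not log_dir.is_dir():
        return []
    results = []
    for name, local in suspect_logs(p.name for p in log_dir.iterdir()):
        text = (log_dir / name).read_text(errors="replace")
        results.append((name, local, mentions_bitwarden_cli(text)))
    return results


# Constructed filenames so the script runs without touching a real machine.
SAMPLE_LOG_NAMES = [
    "2026-04-22T21_40_00_000Z-debug-0.log",  # 17:40 EDT, before the window
    "2026-04-22T22_05_12_456Z-debug-0.log",  # 18:05 EDT, inside
    "2026-04-22T23_29_59_000Z-debug-0.log",  # 19:29 EDT, inside
    "2026-04-22T23_31_00_000Z-debug-0.log",  # 19:31 EDT, after
    "eresolve-report.txt",                   # not a debug log at all
]

if __name__ == "__main__":
    for name, local in suspect_logs(SAMPLE_LOG_NAMES):
        print(f"npm ran inside the window: {name} ({local})")
    for name, local, hijacked in scan_npm_logs():
        print(f"{name} {local} resolved the hijacked version: {hijacked}")
```

A hit whose log does not name the package still deserves a look: the debug log only covers that one invocation, and the question the rotation runbook needs answered is whether the machine could have pulled the package at all, not whether one log proves it.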
IOCs: bw1.js hashes, exfil domain, file paths
Scattered LAPSUS$ Hunters Launch “Extortion-as-a-Service”
HivePro published a comprehensive profile of Scattered LAPSUS$ Hunters (SLH), a federated brand that fuses operatives and tradecraft from Scattered Spider (vishing, helpdesk impersonation), ShinyHunters (data brokering), and LAPSUS$ (smash-and-grab extortion). The same week SLH announced its 39-victim Salesforce data-leak site “closed out” and they were retiring — only to relaunch hours later as the world’s first Extortion-as-a-Service platform. Verticals already breached under SLH’s coordination include Allianz Life, Cisco, Qantas, Air France-KLM, Adidas, Cartier, Louis Vuitton, Dior, Tiffany, Pandora, and Google. The HivePro report enumerates 92 SHA-256s, 24 domains, and 26 IPs spanning their tooling stack.
GPT-Proxy Backdoor: Compromised Servers as Chinese-LLM Relays
Aikido caught a novel monetization angle on package compromise: malicious kube-health-tools (npm) and kube-node-health (PyPI) packages don’t steal credentials — they install a GPT-style API proxy. Compromised servers are silently enrolled as relay nodes for Chinese AI reselling platforms that resell OpenAI/Anthropic-style API access through stolen capacity. Proxy registration beacons go to aiapi[.]me and related domains. The packages purported to be Kubernetes health utilities, betting on dev-ops familiarity to bypass scrutiny.
OLUOMO AiTM Cluster: Naturalization Form as the Lure
Censys mapped OLUOMO, an AiTM phishing cluster running 65+ domains hosted on Azure Web Apps. The lure of choice this week was a U.S. naturalization petition (Form N-400 themed) that drove victims to OAuth consent flows harvesting Microsoft 365 tokens. The cluster’s scale — 84 IOCs of which 65 are domains — reflects industrial-grade tenant rotation. Defenders should watch for the app.azurewebsites.net patterns published in the report; legitimate corporate workloads on Azure rarely consume that namespace directly.
TradingClaw Drops Needle Stealer + Browser Extensions
Malwarebytes documented a fake AI trading platform — TradingClaw — that drops Needle Stealer. Beyond standard credential theft, Needle installs malicious browser extensions that survive uninstallation of the parent malware, providing a persistent foothold on the victim’s browsing session. 26 IOCs span 8 attacker domains, the loader chain, and 7 C2 IPs.
Why this matters: The Vercel and Bitwarden incidents both compromised infrastructure that security teams treat as part of their toolchain. The Vercel chain — Lumma → harvested SaaS credentials → OAuth grant → 22-month dwell — is the canonical playbook for the next twelve months of breaches. Two questions every team should answer this week: (1) Which third-party OAuth apps in our Workspace/M365 tenant have “Allow All” or near-equivalent scopes, and which of those vendors are themselves softer targets than us? (2) For any developer who installed an npm package between 5:57–7:30 PM ET on April 22, what does our credential-rotation runbook actually look like?
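Question (1) above is answerable from a tenant's grant inventory once the scopes are weighed rather than just listed. The following is an added example (not from the post, and not Google or Microsoft tooling) that ranks grants by scope breadth times user count. It assumes the inventory has been exported into records like the constructed GRANTS list; the Google scope URIs and Microsoft Graph permission names are real, the apps and publishers are invented.

```python
"""Rank a tenant's third-party OAuth grants by scope breadth so the
"Allow All"-style grants come up for review first.

Added example; not from the original post and not Google or Microsoft
tooling. Assumption: the grant inventory has been exported into records
shaped like GRANTS below (app, publisher, scopes, users, admin_consent,
category). Scope names in BROAD_SCOPES are real; the apps are made up.
"""

# Scopes that hand an app broad access. Weight = roughly how much of a user's
# (or the tenant's) data the scope exposes.
BROAD_SCOPES = {
    # Google Workspace
    "https://mail.google.com/": 5,
    "https://www.googleapis.com/auth/gmail.modify": 4,
    "https://www.googleapis.com/auth/drive": 5,
    "https://www.googleapis.com/auth/calendar": 2,
    "https://www.googleapis.com/auth/admin.directory.user": 5,
    # Microsoft Graph
    "Mail.ReadWrite": 4,
    "Files.ReadWrite.All": 5,
    "Sites.ReadWrite.All": 5,
    "Directory.ReadWrite.All": 5,
    "User.ReadWrite.All": 4,
}


def score_scope(scope: str):
    """Return (weight, reason) for one scope; weight 0 means narrow enough to skip."""
    if scope in BROAD_SCOPES:
        return BROAD_SCOPES[scope], f"{scope}: full access"
    if scope == "offline_access":
        return 1, "offline_access: refresh token outlives the user's session"
    if scope.endswith(".All"):
        return 3, f"{scope}: tenant-wide (.All)"
    if "ReadWrite" in scope:
        return 2, f"{scope}: write access"
    return 0, ""


def score_grant(grant):
    """Sum scope weights; admin consent doubles it because it covers every user."""
    total, reasons = 0, []
    for scope in grant["scopes"]:
        weight, why = score_scope(scope)
        if weight:
            total += weight
            reasons.append(why)
    if grant.get("admin_consent"):
        total *= 2
        reasons.append("admin-consented: granted for every user, not just the one who clicked")
    if grant.get("category") == "ai_productivity":
        reasons.append("AI productivity vendor: the grant is only as strong as that vendor's own security")
    return total, reasons


def prioritize(grants):
    """Order grants by exposure (score x users), highest first."""
    rows = []
    for g in grants:
        score, reasons = score_grant(g)
        rows.append({"app": g["app"], "publisher": g["publisher"], "users": g["users"],
                     "score": score, "exposure": score * g["users"], "reasons": reasons})
    return sorted(rows, key=lambda r: (r["exposure"], r["score"]), reverse=True)


# Constructed inventory; vendors and apps are invented.
GRANTS = [
    {"app": "Acme AI Office", "publisher": "acme.example", "users": 1,
     "category": "ai_productivity", "admin_consent": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"app": "Meeting Notes Bot", "publisher": "notes.example", "users": 40,
     "category": "ai_productivity", "admin_consent": False,
     "scopes": ["Mail.ReadWrite", "Calendars.Read", "offline_access"]},
    {"app": "Ticket Sync", "publisher": "tickets.example", "users": 500,
     "category": "itsm", "admin_consent": True,
     "scopes": ["Directory.ReadWrite.All", "Sites.ReadWrite.All"]},
    {"app": "Slide Helper", "publisher": "slides.example", "users": 120,
     "category": "productivity", "admin_consent": False,
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for row in prioritize(GRANTS):
        print(f"{row['exposure']:>6}  {row['app']:<18} {row['publisher']:<16} "
              f"users={row['users']:<4} " + "; ".join(row["reasons"]))
```

The ordering makes the point of the Vercel chain concrete: a single-user grant with mail-plus-drive scope (the "Acme AI Office" row) scores low on exposure but is exactly the kind of grant that an attacker who owns the vendor can pivot through, so the AI-vendor reason string is there to keep it from being skipped just because the user count is one.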
APT28 Neusploit, DPRK Meeting Lures, Tropic Trooper VS Code Tunnels
Last week we covered APT28’s router-DNS hijacking and PRISMEX chain. This week brought 347 fresh IOCs in a deeper analysis of the same actor’s Office zero-day operation, plus two parallel threads: DPRK’s industrialized fake-meeting fraud against Web3, and a Tropic Trooper campaign that turned VS Code tunnels into a remote-access channel.
Operation Neusploit: 347-IOC CVE-2026-21509 Campaign
StrikeReady (with corroborating Trellix and Zscaler ThreatLabz coverage) published a deep multi-stage analysis of APT28’s exploitation of CVE-2026-21509, the Microsoft Office security-feature bypass patched out-of-band on January 26 and weaponized within 72 hours. Targets: Ukraine, Slovakia, Romania. Initial access is a weaponized RTF/DOC (lures including BULLETEN_H.doc, Courses.doc, OperInformativ_163.doc) hosted on attacker domains wellnessmedcare[.]org, wellnesscaremed[.]com, freefoodaid[.]com, longsauce[.]com. The Office bypass uses WebDAV-fetched OLE objects to drop VbaProject.OTM for NotDoor, or extracts an encrypted SplashScreen.png containing shellcode that decrypts and loads CovenantGrunt in memory. Cloud-storage C2 continues to abuse filen.io (with compromised accounts including [email protected] and [email protected]); EhStoreShell.dll is the primary persistent payload.
BlueNoroff Industrializes Fake Zoom & Teams Lures
Cyberpress, Google Cloud, and the Security Alliance (SEAL) collectively documented a sophisticated UNC1069/BlueNoroff campaign against Web3 professionals. SEAL alone blocked 164 attacker domains between Feb 6 and Apr 7. The chain: LinkedIn or Telegram outreach (often from previously compromised accounts), Calendly link to a fake meeting platform that closely mimics Zoom, Teams, or Google Meet, AI-generated faces on the “executives,” and a ClickFix instruction to paste a “mic fix” into Terminal. The 245 IOCs in the iocget submission span 161 domains, 73 IPs, and 10 ASNs — a snapshot of an at-scale operation that funds DPRK strategic programs.
Fake Job Lure Worms Through Developer Repos
Trend Micro Research detailed Void Dokkaebi, another DPRK cluster running fake-job interviews against developers. The operator asks the candidate to clone a “take-home assignment” repository — which contains a .vscode/tasks.json that auto-executes on open, plus injected JavaScript in legitimate-looking modules. The compromised developer’s machine is then used to push tampered commits to other repositories they have access to, giving the operation a worm-like supply-chain propagation through the developer’s own GitHub identity.
AdaptixC2 + VS Code Tunnels Deliver Stealth Persistence
Zscaler ThreatLabz attributed a March 2026 campaign to Tropic Trooper (APT23 / Earth Centaur / Pirate Panda). Military-themed ZIP lures targeted Chinese-speaking individuals; trojanized SumatraPDF sideloaded a custom AdaptixC2 Beacon listener with C2 hosted on GitHub. Only after victim triage did operators escalate to deploying VS Code tunnels for hands-on-keyboard remote access — an “always-trusted” Microsoft service that defenders rarely block. The 187 IOCs include 66 filenames, 33 distinct commands, and a comprehensive hash inventory.
Pattern recognition: Three of the four nation-state ops above weaponize developer-trust workflows — CovenantGrunt loaded from a PNG inside an Office doc, VS Code tunnels for remote access, GitHub for C2, tasks.json auto-execution from a cloned repo. The common detection failure is identity: when an attacker logs into VS Code with the developer’s OAuth token from the developer’s workstation, every downstream system says “legitimate.” Restrict VS Code tunnel creation by policy where you can; alert on first-time-seen tunnel hostnames; and treat .vscode/tasks.json in cloned third-party repositories as actively dangerous, not as a developer convenience.
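Treating .vscode/tasks.json as dangerous is easier with a scanner that says which tasks would fire on folder open. The script below is an added example (not from the Trend Micro report or the VS Code project) that parses the file as VS Code does, comments and trailing commas included, and reports every task with runOptions.runOn set to "folderOpen", what it depends on, and whether its output is hidden. The SAMPLE_TASKS_JSON is constructed.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.

Added example; not from the original report and not VS Code's own code. It
reads .vscode/tasks.json (JSON with comments, which VS Code accepts) and
reports tasks whose runOptions.runOn is "folderOpen", the tasks they depend
on, and whether presentation.reveal hides their output. SAMPLE_TASKS_JSON is
constructed for a self-contained run.
"""
import json
import re
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
            out.append(c)
        elif text.startswith("//", i):     # line comment: skip to newline
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):     # block comment: skip past */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_jsonc(text: str):
    return json.loads(strip_jsonc(text))


def render_command(task) -> str:
    """Command plus args as one string (args may be strings or {"value": ...})."""
    parts = [task.get("command", "")]
    for a in task.get("args", []):
        parts.append(a if isinstance(a, str) else a.get("value", ""))
    return " ".join(p for p in parts if p)


def find_auto_run_tasks(text: str):
    data = parse_jsonc(text)
    tasks = data.get("tasks", [])
    by_label = {t.get("label"): t for t in tasks}
    findings = []
    for task in tasks:
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        deps = task.get("dependsOn", [])
        deps = [deps] if isinstance(deps, str) else list(deps)
        reveal = (task.get("presentation") or {}).get("reveal")
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": render_command(task),
            "hidden": reveal in ("never", "silent"),
            # dependsOn entries may also be objects; only plain labels resolve here
            "depends_on": [render_command(by_label[d]) for d in deps
                           if isinstance(d, str) and d in by_label],
        })
    return findings


def scan_repo(repo) -> list:
    """Scan a checked-out repository; empty list if it has no tasks.json."""
    path = Path(repo) / ".vscode" / "tasks.json"
    return find_auto_run_tasks(path.read_text()) if path.is_file() else []


# Constructed sample: one ordinary build task, one task that fires on open
# (with hidden output) and chains into a second task through dependsOn.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build",
      "detail": "see https://example.invalid/docs", /* url has // inside a string */
      "problemMatcher": [], },
    { "label": "prepare env", "type": "shell", "command": "node",
      "args": ["./scripts/prepare.js"], "presentation": { "reveal": "silent" }, },
    { "label": "bootstrap", "type": "shell", "command": "npm install",
      "dependsOn": "prepare env",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" } }
  ]
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r}: {f['command']} "
              f"(hidden={f['hidden']}, depends_on={f['depends_on']})")
```

Run it as a pre-open step in whatever tooling clones third-party repositories for developers, and treat any non-empty result as a blocker rather than a warning; a task whose output is hidden and whose real work sits in a dependsOn target is the shape to expect.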
Codex in the SOC, AI-Generated RATs, AI-Themed Lures
This week was a milestone for AI-as-incident-element. One report uses an AI agent as part of the defense (poorly). Two reports document RATs that are themselves AI-generated. And another shows attackers using AI hype itself as the social-engineering pretext.
Huntress: Codex Coding Agent Complicated a Linux Investigation
Huntress published a follow-up to their March Codex case study. The protected user was running OpenAI’s Codex agent on a Linux workstation simultaneously breached by at least two threat actors deploying cryptominers, IRC botnets, and credential harvesters via CVE-2025-55182. When the user noticed loud fans and asked Codex to fix it, Codex throttled CPU rather than diagnosing the cryptominer — effectively masking the active intrusion. Worse, Codex’s own diagnostic commands (process listings, network reconnaissance, file inventories) generated EDR detections that looked indistinguishable from attacker reconnaissance, forcing SOC analysts to triage every Codex action against actual threat-actor activity. Net IOCs from the incident: 112, including cve-2025-55182, three concurrent attacker IP ranges, and a corpus of cryptominer / IRC botnet hashes.
PHANTOMPULSE: AI-Built RAT With Ethereum Blockchain C2
Elastic Security Labs (REF6598) and HivePro covered the same campaign from different angles. The threat actor approaches financial / crypto targets via LinkedIn and Telegram, walks them into a shared Obsidian vault, and abuses the legitimate Shell Commands and Hider community plugins to silently execute payloads when the vault opens. Final stage is PHANTOMPULSE, a heavily AI-generated full-featured RAT with cross-platform Windows + macOS execution and module-stomping process injection. The C2 mechanism is genuinely novel: PHANTOMPULSE queries transaction data from attacker wallets on Ethereum, Base, and Optimism, decoding C2 instructions from on-chain data — resilient against both DNS-based blocking and HTTP-domain takedowns.
Fake Google Antigravity Installer Drops .NET Stealer
Malwarebytes documented a typosquatted Google Antigravity distribution — capitalizing on the buzz around Google’s newly announced AI-coding agent — that drops a .NET infostealer targeting browser cookies, saved passwords, and crypto wallets. Persistence via scheduled task; light obfuscation; standard exfil. The lure is unremarkable; the timing is the point: AI hype reliably drives click-through, and registrars are slow to deindex typosquat domains around new product launches.
TradingClaw: AI Trading Platform That Hands Over Your Browser
Malwarebytes covered TradingClaw, a fake “AI trading” SaaS that deploys Needle Stealer plus malicious browser extensions. The browser extension is the persistence: even after the binary is removed, the extension survives and provides ongoing session hijacking. Defenders should add periodic browser-extension inventory to endpoint health checks; the extension is invisible to file-based scanners.
Operational note: The Codex incident is an early data point for an emerging detection-engineering problem. As AI agents become routine on developer endpoints, their telemetry will look very similar to manual attacker reconnaissance: process enumeration, file walking, network probing, credential file inspection. Tagging Codex / Claude / Cursor / Copilot agent processes upstream of EDR (and treating their action streams as a separate source) is going to matter more than tuning rules to suppress them.
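Tagging at the source comes down to process ancestry: if an event's parent chain passes through an agent process, the event belongs to the agent stream. The following is an added example (not from the Huntress report) of that walk over process-start telemetry. It assumes events carry pid/ppid/exe/cmdline (the SAMPLE_EVENTS are constructed), recognises an agent by executable or command-line basename (AGENT_MARKERS is illustrative, not a vendor manifest), and keys on PIDs for readability where a real pipeline would key on process GUIDs.

```python
"""Tag process events whose ancestry includes an AI coding agent, so the SOC
can route them into a separate stream instead of triaging each one against
attacker reconnaissance.

Added example; not from the Huntress report. Assumptions: events are process
start records with pid/ppid/exe/cmdline (SAMPLE_EVENTS is constructed); an
agent is recognised by a basename in AGENT_MARKERS (illustrative list).
Real pipelines should key on process GUIDs, since PIDs are reused.
"""
import os

AGENT_MARKERS = ("claude", "codex", "copilot", "cursor")
MAX_DEPTH = 32  # bound the ancestry walk against cycles or corrupt ppid data


def agent_name(event):
    """Marker for the agent this process itself is, or None."""
    names = {os.path.basename(event["exe"])}
    names.update(os.path.basename(tok) for tok in event["cmdline"].split())
    names = {os.path.splitext(n)[0].lower() for n in names}  # codex.js -> codex
    for marker in AGENT_MARKERS:
        if marker in names:
            return marker
    return None


def tag_events(events):
    """Return copies of the events with source and agent_root_pid fields set."""
    by_pid = {e["pid"]: e for e in events}
    tagged = []
    for e in events:
        root, cur, depth = None, e, 0
        while cur is not None and depth < MAX_DEPTH:
            name = agent_name(cur)
            if name:
                root = (name, cur["pid"])
                break
            cur = by_pid.get(cur["ppid"])  # None once we leave known telemetry
            depth += 1
        t = dict(e)
        t["source"] = f"ai_agent:{root[0]}" if root else "untagged"
        t["agent_root_pid"] = root[1] if root else None
        tagged.append(t)
    return tagged


def split_streams(tagged):
    """Group tagged events by source so each stream can get its own rules."""
    streams = {}
    for t in tagged:
        streams.setdefault(t["source"], []).append(t)
    return streams


# Constructed telemetry: a terminal session that launches Codex, which spawns
# its own diagnostics, alongside an unrelated ssh and an orphaned process.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/usr/bin/gnome-terminal", "cmdline": "gnome-terminal"},
    {"pid": 200, "ppid": 100, "exe": "/bin/bash", "cmdline": "bash"},
    {"pid": 300, "ppid": 200, "exe": "/usr/bin/node",
     "cmdline": "node /usr/lib/node_modules/@openai/codex/bin/codex.js"},
    {"pid": 301, "ppid": 300, "exe": "/bin/sh", "cmdline": "sh -c ps aux"},
    {"pid": 302, "ppid": 301, "exe": "/usr/bin/ps", "cmdline": "ps aux"},
    {"pid": 303, "ppid": 300, "exe": "/bin/sh", "cmdline": "sh -c ss -tunap"},
    {"pid": 400, "ppid": 200, "exe": "/usr/bin/ssh", "cmdline": "ssh build-host"},
    {"pid": 500, "ppid": 9999, "exe": "/usr/bin/find", "cmdline": "find /tmp -type f"},
]

if __name__ == "__main__":
    for source, events in split_streams(tag_events(SAMPLE_EVENTS)).items():
        print(source)
        for e in events:
            print(f"  pid={e['pid']:<4} root={e['agent_root_pid']} {e['cmdline']}")
```

The untagged stream is where the existing reconnaissance rules keep running at full sensitivity; the agent stream gets its own baseline, and the thing worth alerting on there is an agent-rooted process tree doing something the agent was never asked to do.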
MCPwn, Bomgar RMM, Storm-2755’s Axios Trick
| CVE | Product | Impact | Status |
|---|---|---|---|
| CVE-2026-33032 (“MCPwn”) | Nginx UI | Critical authentication bypass on the /mcp_message endpoint allowing unauthenticated remote control of the management interface. HivePro published the issue this week with PoC details. | Critical — patch now |
| CVE-2026-1731 | Bomgar RMM (BeyondTrust) | Huntress observed an uptick in active exploitation chained to LockBit deployments and lateral movement to downstream MSP customers. RMM-on-RMM amplification is the worst case; once Bomgar is leveraged, every customer becomes accessible. | Active exploitation |
| CVE-2025-27152 | Axios JS HTTP client v1.7.9 | SSRF used by Storm-2755 to relay captured AiTM session tokens for Canadian payroll fraud. Axios non-interactive sign-ins to OfficeHome every 30 minutes keep sessions alive past normal idle expiry. | In active campaign |
| CVE-2026-21509 | Microsoft Office | APT28 Operation Neusploit weaponizes WebDAV/OLE bypass for spear-phishing against Ukraine/Slovakia/Romania. Patched out-of-band Jan 26; exploitation observed Jan 29 onward. | Active exploitation |
| CVE-2025-55182 | Linux service component (per Huntress) | Initial-access vector for the Codex-complicated Linux incident; multiple actors converged on the same hole. | Active exploitation |
| CVE-2024-3721 | TBK DVR | Exploited by the Nexcorium Mirai-variant IoT botnet to recruit DVR devices for DDoS-for-hire across multiple CPU architectures. HivePro documents 13 SHA-256 payload hashes per architecture. | Mass exploitation |
Nightmare-Eclipse Tooling: BlueHammer / RedSun / UnDefend / BeigeBurrow
Huntress documented a real-world intrusion where threat actors gained FortiGate SSL VPN access (multiple plausible CVEs in scope) and deployed the Nightmare-Eclipse toolkit: BlueHammer (post-exploitation framework), RedSun (lateral movement), UnDefend (EDR-tampering), and a Go-based tunneling agent BeigeBurrow for C2 over arbitrary outbound. 27 IOCs span the toolkit’s file artifacts, three C2 IPs, and a hash inventory.
Storm-2755 Payroll Pirates Use SEO Poisoning + AiTM
Microsoft IR and HivePro documented Storm-2755, a financially motivated actor running “payroll pirate” attacks against Canadian employees. AiTM phishing with malvertising/SEO-poisoned landing pages → captured session cookies and OAuth tokens → mailbox-rules to hide payroll-change confirmation messages → direct-deposit redirect. The actor uses the victim’s real mailbox to message HR about “changing my deposit account.” This is the same playbook generalized to a wider geography.
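The keepalive behaviour in the table above (Axios non-interactive sign-ins to OfficeHome every 30 minutes) is a cadence signal, and cadence is something sign-in logs can be tested for directly. The script below is an added example (not from the Microsoft or HivePro reports) that groups non-interactive OfficeHome sign-ins with an axios user agent per user and flags users whose median gap sits near 30 minutes. It assumes records with timestamp, user, app, user_agent and interactive fields (map your export's column names onto these); the SAMPLE_SIGNINS are constructed, and "axios/<version>" is the library's default Node user agent.

```python
"""Spot the Storm-2755 session-keepalive pattern in sign-in logs: repeated
non-interactive sign-ins to OfficeHome from an axios user agent on a
regular ~30-minute cadence.

Added example; not from the Microsoft or HivePro reports. Assumption: each
record has timestamp, user, app, user_agent and interactive fields, as in
the constructed SAMPLE_SIGNINS below.
"""
from datetime import datetime
from statistics import median

TARGET_APP = "OfficeHome"
CADENCE_MIN, CADENCE_MAX = 25, 35  # minutes; tolerate jitter around 30
MIN_EVENTS = 3                     # need at least two gaps to call it a cadence


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_axios_keepalive(record) -> bool:
    """The per-record filter: non-interactive, OfficeHome, axios user agent."""
    return (not record["interactive"]
            and record["app"] == TARGET_APP
            and record["user_agent"].lower().startswith("axios/"))


def keepalive_sessions(records):
    """Return one finding per user whose filtered sign-ins recur on cadence."""
    per_user = {}
    for r in records:
        if is_axios_keepalive(r):
            per_user.setdefault(r["user"], []).append(parse_ts(r["timestamp"]))
    hits = []
    for user, times in per_user.items():
        times.sort()
        if len(times) < MIN_EVENTS:
            continue
        gaps_min = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        m = median(gaps_min)
        if CADENCE_MIN <= m <= CADENCE_MAX:
            hits.append({"user": user, "events": len(times), "median_gap_min": round(m, 1),
                         "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return sorted(hits, key=lambda h: h["user"])


def _rec(ts, user, ua, interactive=False, app=TARGET_APP):
    return {"timestamp": ts, "user": user, "app": app,
            "user_agent": ua, "interactive": interactive}


# Constructed sign-ins: alice shows the keepalive pattern; the others do not.
SAMPLE_SIGNINS = [
    _rec("2026-04-21T12:00:00Z", "alice", "axios/1.7.9"),
    _rec("2026-04-21T12:30:00Z", "alice", "axios/1.7.9"),
    _rec("2026-04-21T13:00:00Z", "alice", "axios/1.7.9"),
    _rec("2026-04-21T13:31:00Z", "alice", "axios/1.7.9"),
    _rec("2026-04-21T14:00:00Z", "alice", "axios/1.7.9"),
    # bob: same cadence but a real mail client, not flagged by this rule
    _rec("2026-04-21T12:00:00Z", "bob", "Outlook/16.0"),
    _rec("2026-04-21T12:30:00Z", "bob", "Outlook/16.0"),
    _rec("2026-04-21T13:00:00Z", "bob", "Outlook/16.0"),
    # carol: axios, but only two events
    _rec("2026-04-21T12:00:00Z", "carol", "axios/1.7.9"),
    _rec("2026-04-21T12:30:00Z", "carol", "axios/1.7.9"),
    # dave: axios but interactive sign-ins
    _rec("2026-04-21T12:00:00Z", "dave", "axios/1.7.9", interactive=True),
    _rec("2026-04-21T12:30:00Z", "dave", "axios/1.7.9", interactive=True),
    _rec("2026-04-21T13:00:00Z", "dave", "axios/1.7.9", interactive=True),
    # erin: axios, non-interactive, but no regular cadence
    _rec("2026-04-21T12:00:00Z", "erin", "axios/1.7.9"),
    _rec("2026-04-21T12:05:00Z", "erin", "axios/1.7.9"),
    _rec("2026-04-21T14:05:00Z", "erin", "axios/1.7.9"),
    _rec("2026-04-21T14:12:00Z", "erin", "axios/1.7.9"),
]

if __name__ == "__main__":
    for h in keepalive_sessions(SAMPLE_SIGNINS):
        print(f"{h['user']}: {h['events']} sign-ins, median gap {h['median_gap_min']} min, "
              f"{h['first']} .. {h['last']}")
```

The user-agent check is the weak half of this rule, since a client library's default string is trivially changed; the cadence is the half worth keeping when you loosen it, and a hit should be followed by a look at the same mailbox's inbox rules, which is where the payroll-change confirmations get hidden.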
The Gentlemen, Kyber, Payouts King, and Contractor-Pivot Wipes
The Gentlemen: SystemBC + GPO Deployment + Multi-OS Lockers
Check Point’s DFIR Report covered The Gentlemen, an emergent RaaS that pairs a multi-OS locker (Windows + ESXi + Linux) with the SystemBC SOCKS5 proxy for C2 tunneling. Tradecraft is heavy on living-off-the-land: LOLBin lateral movement, GPO-pushed encryptor deployment, EDR-tampering via signed legitimate utilities. 77 IOCs span 27 SHA-256 hashes, 28 distinct attacker commands, and the GPO artifacts you should be hunting in domain controller change logs.
Kyber: Specialized Windows + ESXi Variants
Rapid7 published technical analysis of Kyber, a ransomware family with distinct binaries for VMware ESXi and Windows. Anti-recovery measures include service termination across the security stack, system-image deletion, and visible boot defacement to maximize operational disruption. C2 minimal; emphasis is on detonation rather than data theft. 23 IOCs — small relative to The Gentlemen, but useful for hunting.
Payouts King: BlackBasta-Affiliate Quick Assist Playbook (Continued)
HivePro added incremental coverage of the same Payouts King operation Zscaler profiled last week (BlackBasta alumni; spam-bomb, Microsoft Teams call from “IT support,” Quick Assist remote takeover). New report adds 6 fresh IOCs.
Solar 4RAYS: Contractor Account Wipes a Sports Org
Solar (RT) documented an attack against a small sports organization in which a compromised contractor account was used to deliver a .NET backdoor masquerading as 1C accounting software, followed by destructive ransomware that effectively wiped the environment. The pattern — small org, contractor as initial access, backdoor masquerading as locally-trusted software — is exactly what we’ve seen in larger Russian-speaking-region intrusions. 13 IOCs include three hash variants and the contractor-impersonating 1cv8.exe.
FakeWallet: Crypto Stealer Slips Past Apple App Store Review
Securelist analyzed FakeWallet, a campaign that successfully shipped 54 IOCs worth of phishing apps through the Apple App Store. The apps masquerade as popular crypto wallets (Trust, MetaMask, Phantom variants) and use legitimate iOS provisioning profiles plus dynamic JS modules to bypass Apple’s static review. Once installed, they harvest seed phrases and private keys at first wallet setup. The fact that Apple review missed multiple submissions is the meaningful update; defensive advice for users is unchanged (only restore from a wallet you installed deliberately, never from a search result).
Also Worth Tracking
Nexcorium: Mirai Variant Targets TBK DVRs
HivePro documented Nexcorium, a Mirai-derived IoT botnet exploiting CVE-2024-3721 in TBK DVR devices. Architecture-specific payloads (ARM, MIPS, x86) plus cron-based persistence. 31 IOCs including 13 SHA-256 variants by architecture.
Analyst Assessment: April 19–26 in Context
The supply-chain story is the story. Vercel, Bitwarden CLI, Scattered LAPSUS$ Hunters, and the GPT-Proxy npm/PyPI pair are four different attacks on four different parts of the developer / SaaS / vendor stack — and three of them landed in a single week. The defensive question is no longer “is our software up to date?” but “which third parties have access to our environment, and how confident are we in their security posture?” The Vercel chain — Lumma at vendor → harvested credentials → broad OAuth grant → 22 months of access — is the canonical post-MFA breach pattern.
Nation-state activity stayed at last week’s elevated tempo. APT28’s 347-IOC Neusploit campaign, UNC1069’s 245-IOC fake-meeting industrial-complex, and Tropic Trooper’s VS-Code-tunnel pivot together account for over 800 IOCs of nation-state telemetry. Two patterns to track: (a) filen.io as a C2 channel is now an APT28 signature, and (b) DPRK has fully committed to Web3 social engineering as a primary revenue line.
The AI-on-AI dynamic is showing up in real data. The Huntress Codex postmortem isn’t a thought experiment — it’s an actual incident where an AI defender complicated triage and an AI agent’s telemetry was indistinguishable from attacker recon. PHANTOMPULSE on the offensive side is a genuinely AI-built RAT with blockchain C2. Expect this category of report to keep growing; the operational answer is to tag agent-driven activity at the source so SOCs can separate it from human and adversary streams.
What to do this week: (1) Audit OAuth grants in Workspace and M365 for “Allow All” or near-equivalent scopes from vendors with AI productivity products. (2) If anyone in your org installed an npm package between 5:57–7:30 PM ET on April 22, follow your full credential-rotation runbook. (3) Patch Nginx UI and BeyondTrust Bomgar. (4) Review developer endpoints for VS Code tunnel use and add at least an inventory if you can’t add a policy yet.
Sources
- Trend Micro — The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables
- Vercel — Vercel April 2026 Security Incident
- SOCRadar — Bitwarden CLI Hijacked in npm Supply Chain Attack Linked to TeamPCP & Checkmarx Breach
- Socket — Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
- HivePro — Scattered LAPSUS$ Hunters Brand Hijack
- DataBreach.com — Scattered LAPSUS$ Hunters Turn Extortion Into a Service
- Aikido — GPT-Proxy Backdoor in npm and PyPI: Chinese LLM Relay
- Censys — OLUOMO Microsoft OAuth AiTM Phishing Using a Naturalization Form Lure
- Malwarebytes — Malicious Trading Website (TradingClaw) Drops Needle Stealer
- StrikeReady — APT28’s Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure
- Trellix — APT28’s Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509
- Zscaler ThreatLabz — Operation Neusploit: APT28 Uses CVE-2026-21509
- Cyberpress — UNC1069 Fake Meeting Lures Weaponized
- Google Cloud / Mandiant — UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
- Trend Micro — Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
- Zscaler ThreatLabz — Tropic Trooper: AdaptixC2 + Custom Beacon Listener
- Huntress — Untangling a Linux Incident With an OpenAI Twist (Part 2)
- Elastic Security Labs — Phantom in the Vault: Obsidian Abused to Deliver PhantomPulse RAT
- HivePro — PHANTOMPULSE Social Engineering Kill Chain
- Malwarebytes — Fake Google Antigravity Downloads Are Stealing Accounts in Minutes
- HivePro — MCPwn Nginx UI Vulnerability (CVE-2026-33032)
- Huntress — Uptick in Bomgar RMM Exploitation (CVE-2026-1731)
- Microsoft Security — Investigating Storm-2755: “Payroll Pirate” Attacks Targeting Canadian Employees
- HivePro — Storm-2755 Payroll Heist
- Huntress — Nightmare-Eclipse Tooling Intrusion (FortiGate Post-Ex)
- Check Point Research / DFIR Report — DFIR Report: The Gentlemen RaaS & SystemBC
- Rapid7 — Kyber Ransomware: Windows + ESXi Attacks Explained
- HivePro — Payouts King Ransomware Analysis
- Solar 4RAYS — Ransomware Attack via Compromised Contractor Account
- Securelist (Kaspersky) — FakeWallet Crypto Stealer iOS Campaign
- HivePro — Nexcorium IoT Botnet Campaign
This post was generated with Claude by Anthropic, based on source reporting from the publications listed above and analysis of 24 IOC submissions to iocget.com between April 19–26, 2026.