Weekly Threat Intel
April 3–10, 2026
- Developer workstations are primary targets. Three campaigns this week weaponized IDEs, package registries, and AI tooling — treat developer environments with production-grade security rigor.
- Patch edge devices immediately. Storm-1175 achieved sub-24-hour dwell time from initial access to Medusa ransomware deployment using zero-day exploits in BeyondTrust, SmarterMail, and GoAnywhere.
- EDR alone is insufficient. Qilin’s custom loader disables 300+ EDR drivers via DLL sideloading — layer kernel-level protections and behavioral analytics alongside endpoint agents.
- Audit AI infrastructure exposure. ComfyUI servers, university AI endpoints, and ChatGPT browser extensions were all exploited — inventory and harden all AI-facing services.
- ClickFix is cross-platform now. Social engineering via fake CAPTCHAs has expanded from Windows to macOS (Infiniti Stealer) — update user awareness training accordingly.
- Vet VS Code extensions rigorously. GlassWorm used a single trojanized OpenVSX extension to infect six IDEs simultaneously via native Zig binaries that bypass the JavaScript sandbox.
- Monitor for DPRK synthetic identities. North Korean operatives are using AI-generated photos and fake credentials to infiltrate dev teams at up to $300K/year — strengthen hiring verification processes.
- Developer Trust Under Siege: Claude Code, GlassWorm, and hermes-px
- Four Fronts: Russia, DPRK, South Asia, and China-Nexus
- Storm-1175 Burns Zero-Days; Qilin Kills 300+ EDR Drivers
- ClickFix Proliferates; New Stealers Target Every Platform
- AI Servers Conscripted; Telecom Networks Infiltrated
- React2Shell at Scale; Kubernetes Under Pressure
- Additional Threats Worth Tracking
Developer Trust Under Siege: Claude Code, GlassWorm, and hermes-px
Three distinct campaigns this week exploited developer tooling and AI infrastructure as attack vectors — each targeting a different link in the software supply chain.
Claude Code Leak Weaponized with Vidar & GhostSocks
After Anthropic accidentally exposed Claude Code’s full source via an npm source map on March 31, threat actors moved within hours. A GitHub repository titled “Leaked Claude Code” appeared near the top of search results, offering a Rust-based dropper (ClaudeCode_x64.exe) disguised as the leaked source. On execution, the dropper delivers Vidar v18.7 (infostealer) and GhostSocks (SOCKS5 proxy malware that converts victim machines into residential proxy infrastructure). The campaign was particularly effective because it exploited legitimate developer curiosity around a real, newsworthy event.
GlassWorm: Zig Dropper Infects Six IDEs at Once
Aikido Security discovered a trojanized OpenVSX extension (code-wakatime-activity-tracker) impersonating the legitimate WakaTime tool. The extension bundles Zig-compiled native binaries (win.node / mac.node) that execute outside the JavaScript sandbox with full OS-level access. The dropper scans the system for six IDE installations — VS Code, VS Code Insiders, Cursor, Windsurf, VSCodium, and Positron — and silently force-installs a secondary malicious extension into all of them. The second-stage implant uses blockchain-based C2 with geofencing to deploy a persistent RAT.
hermes-px: PyPI Package Hijacks University AI Endpoint
JFrog researchers uncovered hermes-px, a malicious PyPI package marketed as a “Secure AI Inference Proxy” that routes requests through Tor. In reality, it hijacks a Tunisian university’s private AI endpoint, bundles a stolen 246K-character Claude system prompt (bulk-renamed to “AXIOM-1” by “EGen Labs”), and exfiltrates every user prompt to a Supabase database — bypassing the very anonymity it promises. The package was unusually well-crafted, with polished documentation designed to avoid suspicion. All four versions were uploaded within a 46-minute window on April 3.
Why it matters: These three campaigns collectively demonstrate that developer tooling — IDEs, package registries, AI inference endpoints — has become a primary attack surface. Each exploited a different trust relationship: curiosity about leaked source code, trust in extension marketplaces, and trust in open-source AI tooling. Defenders should treat developer workstation security with the same rigor applied to production infrastructure.
Four Fronts: Russia, DPRK, South Asia, and China-Nexus
State-aligned threat activity this week spanned espionage, sabotage, financial theft, and hack-for-hire operations — with a notable escalation in Russian targeting of NATO logistics infrastructure.
PRISMEX Campaign Targets Ukraine & NATO Logistics
Trend Micro documented an intensifying Pawn Storm (APT28) campaign deploying the PRISMEX malware suite against Ukrainian defense bodies, NATO logistics hubs, and defense supply chains across Poland, Romania, Slovenia, Turkey, Slovakia, and the Czech Republic. PRISMEX exploits CVE-2026-21509 and CVE-2026-21513 to deliver payloads via malicious LNK files without user warnings, combining steganography, COM hijacking, and cloud service abuse for C2. Domain registration for WebDAV C2 servers began two weeks before public disclosure — indicating possible zero-day exploitation.
Synthetic Identities & Ottercookie Infrastructure
Two reports this week expanded the picture of DPRK cyber operations. Group-IB exposed a pipeline for creating synthetic developer identities using AI-generated photos, fake passports, and automated LinkedIn/email accounts — enabling North Korean operatives to infiltrate Western companies as remote developers earning up to $300K annually. Separately, Walmart Global Tech mapped active Ottercookie infrastructure — a NodeJS-based stealer and backdoor targeting developers through fake job interview scenarios.
Hack-for-Hire Operation Targets MENA Journalists
Lookout uncovered a hack-for-hire campaign linked to BITTER APT (suspected Indian government ties) targeting journalists, activists, and government officials across Bahrain, UAE, Saudi Arabia, Egypt, and the UK. The operation deploys ProSpy Android spyware masquerading as Signal, WhatsApp, and Zoom, while iPhone targets are social-engineered into surrendering Apple ID credentials for iCloud backup access. The campaign has been operational since at least 2022.
LucidRook Lua Malware Targets Taiwanese NGOs
Cisco Talos identified UAT-10362 conducting spear-phishing campaigns against Taiwanese NGOs and universities with LucidRook, a sophisticated Lua-based stager that embeds a Lua interpreter and Rust-compiled libraries within a DLL. The companion dropper “LucidPawn” includes region-specific anti-analysis checks that only execute in Traditional Chinese language environments. C2 infrastructure abuses compromised FTP servers and OAST (Out-of-band Application Security Testing) services.
Storm-1175 Burns Zero-Days; Qilin Kills 300+ EDR Drivers
Ransomware operations this week were notable for their speed and their investment in neutralizing endpoint defenses before encryption.
| Actor / Campaign | Initial Access | Notable TTPs | Severity |
|---|---|---|---|
| Storm-1175 / Medusa | CVE-2026-1731 (BeyondTrust RCE), CVE-2026-23760 (SmarterMail 0day), CVE-2025-10035 (GoAnywhere 0day) | Initial access to encryption in under 24 hours; PowerShell AV exclusion paths; Bandizip collection; Rclone exfiltration to attacker cloud | Critical |
| Qilin Ransomware | Various (most active RaaS group in recent months) | Custom msimg32.dll loader via DLL sideloading; EDR killer disables 300+ drivers from nearly every vendor; unregisters monitoring callbacks before process termination | Critical |
| Warlock Ransomware | BYOVD (Bring Your Own Vulnerable Driver) | Shares EDR-killing techniques with Qilin; kernel-level driver exploitation to disable security tooling | High |
Trend to watch: Microsoft’s report on Storm-1175 reveals the group has exploited more than a dozen CVEs since 2023 across Exchange, PaperCut, Ivanti, ConnectWise, TeamCity, SimpleHelp, CrushFTP, GoAnywhere, SmarterMail, and BeyondTrust — including at least three zero-days. Their sub-24-hour dwell time from initial access to ransomware deployment represents a significant compression of the attack timeline that leaves minimal window for defender response.
ClickFix Proliferates; New Stealers Target Every Platform
The infostealer ecosystem continued its rapid expansion this week, with ClickFix social engineering emerging as the dominant delivery mechanism across multiple independent campaigns.
WordPress ClickFix: Vidar, Impure Stealer & VodkaStealer
Rapid7 documented a large-scale compromise of 250+ WordPress sites across 12 countries, including a U.S. Senate candidate’s official webpage. Fake Cloudflare CAPTCHA pages trick users into executing PowerShell, which downloads a “DoubleDonut” two-stage shellcode loader that injects into svchost.exe before deploying Vidar, the new Impure Stealer (.NET with custom TLV encoding), or VodkaStealer (C++). The campaign features 31+ language support and anti-analysis debugger traps.
Infiniti Stealer: ClickFix Comes to macOS
Malwarebytes identified Infiniti Stealer, a new macOS-native infostealer using ClickFix social engineering to trick users into running a Terminal command. The payload is a Nuitka-compiled Python binary that harvests credentials, cookies, and cryptocurrency wallets. The appearance of ClickFix on macOS marks a significant expansion of the technique beyond its Windows origins.
Modular NodeJS RAT via gRPC over Tor
Netskope documented a new ClickFix campaign delivering a modular Windows RAT built on NodeJS that uses gRPC over Tor for C2 communication — an unusual protocol choice that makes traffic interception extremely difficult. The operation features a MaaS admin panel for managing cryptocurrency theft operations.
Reddit TradingView Lures: Vidar & AMOS
Hexastrike identified a campaign using hijacked and newly created subreddits to distribute fake TradingView Premium builds. Windows targets receive Vidar; macOS targets get AMOS (Atomic macOS Stealer) — demonstrating continued threat actor investment in cross-platform credential theft. The campaign capitalizes on financial software brand trust.
SantaStealer & PureLog Stealer
Two new MaaS stealers surfaced this week. Rapid7 documented SantaStealer (formerly BluelineStealer), featuring modular in-memory execution and browser credential theft, being advertised on underground forums. Separately, Trend Micro analyzed PureLog Stealer, delivered entirely in-memory via encrypted fileless techniques disguised as legal copyright violation notices.
Fake Avast Site Delivers Venom Stealer
Malwarebytes documented a fake Avast antivirus website that simulates a virus scan before tricking users into downloading Venom Stealer, which harvests credentials, session cookies, and cryptocurrency wallets and exfiltrates to a disguised C2 domain.
ChatGPT Ad Blocker: Browser Extension as Exfiltration Channel
DomainTools identified a malicious Chrome extension named “ChatGPT Ad Blocker” that silently copies users’ ChatGPT conversation HTML and exfiltrates it to a Discord webhook. The extension targets the growing population of users who interact with AI assistants for sensitive business tasks — making conversation data an increasingly valuable theft target.
AI Servers Conscripted; Telecom Networks Infiltrated
ComfyUI Servers: Cryptomining & Proxy Botnet
Censys discovered attackers exploiting unauthenticated ComfyUI AI image generation servers to deploy cryptominers and a Hysteria v2 proxy botnet. A Python scanner continuously sweeps cloud IP ranges, automatically installing exploitable custom nodes. Payloads include XMRig (Monero) and lolMiner (Conflux), with evasion via memfd_create fileless execution and process masquerading as kernel threads. A Flask-based C2 dashboard manages the operation. Out of 624 live instances scanned, 97 were successfully compromised in a single run — a 15.5% hit rate.
BPFDoor: 7 New Variants Target Global Telecom
Rapid7 Labs uncovered 7 new BPFDoor variants, including httpShell (HTTP tunneling with kernel-level packet filtering across IPv4/IPv6) and icmpShell (interactive sessions entirely over ICMP with dynamic PID-bound mutation). Both use stateless C2 routing that eliminates hardcoded C2 addresses. The ICMP relay functionality transforms infected systems into invisible network routers for lateral movement, masquerading as HPE ProLiant servers common in 4G/5G core systems. One variant uses NTP-over-SSL beaconing to blend with legitimate time-sync traffic.
Masjesu: Stealthy IoT DDoS-for-Hire Botnet
Trellix analyzed Masjesu, a commercially operated IoT botnet offering DDoS-for-hire services. It targets multiple CPU architectures and exploits various router vulnerabilities to build its fleet, supporting both application-layer and transport-layer attacks with evasion capabilities designed to avoid honeypot detection.
Note: The ComfyUI campaign is significant because it represents the first documented mass exploitation of AI inference infrastructure for botnet recruitment. As GPU-equipped servers proliferate for AI workloads, they present an attractive target: high-bandwidth, high-compute machines often deployed with minimal authentication.
React2Shell at Scale; Kubernetes Under Pressure
| CVE / Threat | Product | Impact | Status |
|---|---|---|---|
| CVE-2025-55182 | Next.js (React Server Components) | UAT-10608 exploited React2Shell to compromise 766+ hosts, deploying NEXUS Listener to harvest credentials, SSH keys, cloud tokens, and Kubernetes secrets at scale | Active exploitation |
| CVE-2026-1731 | BeyondTrust Remote Support / PRA | Critical RCE used by Storm-1175 for initial access in Medusa ransomware operations | Active exploitation |
| CVE-2026-21509 / CVE-2026-21513 | Microsoft (LNK / security bypass) | Chained by Pawn Storm to deliver PRISMEX malware without user warnings; domain registration pre-dated disclosure by 2 weeks | Active exploitation |
| CVE-2026-23760 | SmarterMail | Zero-day exploited by Storm-1175 one week before public disclosure | Patched |
| Kubernetes threats | Various (service account tokens, RBAC) | Unit 42 documented escalating attacks against Kubernetes environments, including React2Shell-based token theft and privilege escalation via misconfigured RBAC | Ongoing |
Trend to watch: The React2Shell exploitation campaign by UAT-10608 is notable for its automation. Using Shodan/Censys-style scanning to enumerate Next.js deployments, the group systematically harvested environment variables, SSH keys, Docker configs, and cloud provider credentials from 766 hosts — a fully industrialized credential harvesting pipeline that treats web applications as ore to be mined rather than targets to be selectively compromised.
Additional Threats Worth Tracking
RGB-Team: CMoon Worm & DarkBuilder
Kaspersky published analysis connecting the pro-Ukrainian hacktivist group RGB-Team to the CMoon self-spreading worm and revealing its lineage through DarkBuilder, a malware builder that also produces WhiteSnake stealer samples. The shared codebase between CMoon and WhiteSnake reveals how a single builder framework can produce both worm and stealer payloads with identical obfuscation functions.
In-Memory Loader Drops ScreenConnect
Zscaler documented an attack chain using a fake Adobe Acrobat Reader download to deploy an in-memory loader that installs ConnectWise ScreenConnect (a legitimate RMM tool) via obfuscated VBScript and PowerShell, bypassing UAC. The abuse of legitimate remote access tools continues to blur the line between authorized administration and unauthorized access.
ClipBanker via Trojanized Proxifier
Kaspersky identified a trojanized Proxifier installer distributed via GitHub that initiates a fileless infection chain to deploy ClipBanker, which silently replaces cryptocurrency wallet addresses in the clipboard. The use of a popular legitimate networking tool as a trojan horse highlights the continued risk of downloading software from unofficial sources.
@velora-dex/sdk npm Package Compromised
SafeDep identified version 9.4.1 of @velora-dex/sdk compromised to deliver a Go-based RAT (minirat) targeting macOS systems via a base64-encoded payload — continuing the trend of npm packages as malware delivery vectors.
SaaS Notification Pipeline Weaponization
Cisco Talos documented how threat actors are abusing automated notification infrastructure of legitimate SaaS platforms like GitHub and Jira to deliver spam and phishing emails that bypass traditional email security filters. By triggering notifications from trusted services, phishing emails inherit the sender reputation and DKIM signatures of the legitimate platform.
XSS Forum C&C Domain Compilation
Security Boulevard published a compilation of malware C2 domains and associated MD5 hashes belonging to members of the XSS underground forum — providing defenders with a rich set of indicators for blocking known criminal infrastructure.
Analyst Assessment: April 3–10 in Context
This week crystallized a trend that has been building throughout Q1 2026: the developer is the new perimeter. Three of the week’s most significant campaigns — the Claude Code lure, GlassWorm’s multi-IDE infection, and hermes-px’s AI proxy trojan — specifically targeted developer workstations and AI tooling. Combined with the ongoing DPRK synthetic identity infiltration of development teams, the message is clear: adversaries view the software development lifecycle not as a peripheral target but as a primary attack surface.
On the ransomware front, Storm-1175’s sub-24-hour dwell time from initial access to encryption represents a new operational tempo that most detection and response programs are not staffed to match. When combined with Qilin’s ability to neutralize 300+ EDR products before encryption, defenders face a shrinking window in which increasingly blind security tools must detect and respond to increasingly fast adversaries.
Finally, the exploitation of AI infrastructure as attack surface — ComfyUI servers conscripted into botnets, university AI endpoints hijacked via PyPI, ChatGPT conversations exfiltrated via browser extensions — signals that the AI tooling boom has outpaced the security measures protecting it. Organizations deploying AI inference infrastructure should audit authentication, network exposure, and supply chain dependencies with the same urgency they apply to traditional production systems.
Sources
- Trend Micro — Weaponizing Trust: Claude Code Lures and GitHub Release Payloads
- Zscaler ThreatLabz — Anthropic Claude Code Leak Analysis
- Aikido Security — GlassWorm: Zig Dropper Infects Every IDE on Your Machine
- JFrog Security Research — hermes-px: The “Privacy” AI Proxy That Steals Your Prompts
- Trend Micro — Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure
- Group-IB — DPRK Fake Remote Developers: Synthetic Identities at Scale
- Walmart Global Tech — Mapping Ottercookie Infrastructure
- Lookout Threat Intelligence — Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation
- Cisco Talos — New Lua-Based Malware “LucidRook” in Targeted Attacks Against Taiwanese Organizations
- Microsoft Security Blog — Storm-1175 Focuses Gaze on Vulnerable Web-Facing Assets in High-Tempo Medusa Ransomware Operations
- Cisco Talos — Qilin EDR Killer Infection Chain
- CyberSec Sentinel — BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product
- Rapid7 — WordPress Compromise Advances Global Stealer Operation
- Malwarebytes — Infiniti Stealer: A New macOS Infostealer Using ClickFix and Python Nuitka
- Netskope — From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel
- Hexastrike — Reddit TradingView Lures Leading to Vidar and AMOS Stealers
- Rapid7 — SantaStealer Is Coming to Town
- Trend Micro — Copyright Lures Mask a Multistage PureLog Stealer Attack
- Malwarebytes — Bogus Avast Website Fakes Virus Scan, Installs Venom Stealer Instead
- DomainTools — ChatGPT Ad Blocker Extension Malware
- Censys — ComfyUI Servers: Cryptomining and Proxy Botnet
- Rapid7 Labs — Stealthy BPFDoor Variants Uncovered
- Trellix — Masjesu: Rising Stealth IoT Botnet with DDoS Evasion
- Cisco Talos — UAT-10608: Inside a Large-Scale Automated Credential Harvesting Operation
- Unit 42 / Palo Alto Networks — Modern Kubernetes Threats
- Kaspersky / Securelist — RGB-Team: The Hacktivists Behind CMoon
- Zscaler ThreatLabz — Fileless Memory Loader Drops ScreenConnect
- Kaspersky / Securelist — ClipBanker Malware Distributed via Trojanized Proxifier
- SafeDep — Malicious @velora-dex/sdk Delivers Go RAT
- Cisco Talos — Weaponizing SaaS Notification Pipelines
- Security Boulevard — XSS Forum C&C Domain Compilation
- DomainTools — DPRK Malware Modularity, Diversity, and Functional Specialization
- Red Piranha — Threat Intelligence Report: March 31–April 6, 2026
This post was generated with Claude by Anthropic, based on source reporting from the publications listed above.