End-of-Day report
Timeframe: Wednesday 01-04-2026 18:00 - Thursday 02-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
NoVoice Android malware on Google Play infected 2.3 million devices
A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times.
https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-google-play-infected-23-million-devices/
New EvilTokens service fuels Microsoft device code phishing attacks
A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and provide advanced features for business email compromise attacks.
https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels-microsoft-device-code-phishing-attacks/
Hackers exploit TrueConf zero-day to push malicious software updates
Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints.
https://www.bleepingcomputer.com/news/security/hackers-exploit-trueconf-zero-day-to-push-malicious-software-updates/
Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks
Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability.
https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/
Cyberattack on Hasbro: hackers infiltrate the IT of a major toy company
An attacker has broken into Hasbro's IT environment. The toy manufacturer expects recovery to take several weeks.
https://www.golem.de/news/cyberangriff-auf-hasbro-hacker-infiltrieren-it-von-spielwarenkonzern-2604-207189.html
Hard to remove: Android malware distributed millions of times via Google Play
An Android malware family distributed through the Google Play Store exploits old vulnerabilities to embed itself deep in the system. Users notice nothing.
https://www.golem.de/news/nur-schwer-loeschbar-android-malware-millionenfach-ueber-google-play-verteilt-2604-207201.html
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
Incident Report: LiteLLM/Telnyx supply-chain attacks, with guidance
This post will drill deeper into two recent supply chain exploits, targeting users of popular PyPI packages - litellm & telnyx. We also provide Python developers and maintainers with guidance on what they can do to prepare and protect themselves from future incidents.
https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack/
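The kind of preparation the PyPI post asks of maintainers comes down to two mechanical checks: does every dependency resolve to one exact version, and is each downloaded artifact compared against a recorded digest before it is installed? The script below is an added example, not code from the PyPI incident report; it audits a requirements file for entries that would accept a newly uploaded artifact and verifies a download against a pinned sha256. The package versions, digests and wheel bytes are constructed placeholders, not real releases.

```python
"""Audit a requirements file for hash pinning and verify a download against
it. Added example, not code from the PyPI incident report; the package
versions and digests below are constructed placeholders, not real releases.
"""
import hashlib
import re

# name, optional version operator and version; extras ([...]) and environment
# markers are not modelled here
SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[^\s;]+)?")


def parse_requirements(text: str) -> dict:
    """Return {name: {"pin": "==x.y.z" or None, "hashes": set of "sha256:..."}}.
    Joins backslash continuations and strips '#' comments, as pip does."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            entries.append(buf.strip())
        buf = ""
    if buf.strip():
        entries.append(buf.strip())

    reqs = {}
    for entry in entries:
        tokens = entry.split()
        spec, opts = tokens[0], tokens[1:]
        m = SPEC_RE.match(spec)
        name = m.group("name").lower().replace("_", "-")
        pin = f"=={m.group('ver')}" if m.group("op") == "==" else None
        hashes = {o[len("--hash="):] for o in opts if o.startswith("--hash=")}
        reqs[name] = {"pin": pin, "hashes": hashes}
    return reqs


def audit(reqs: dict) -> dict:
    """Entries that would accept a newly uploaded (possibly poisoned) artifact:
    unpinned ones resolve to whatever the newest matching version is, and
    pinned-but-unhashed ones accept any file the index serves for that version."""
    return {
        "unpinned": sorted(n for n, r in reqs.items() if r["pin"] is None),
        "unhashed": sorted(n for n, r in reqs.items() if not r["hashes"]),
    }


def verify_artifact(data: bytes, expected: set) -> bool:
    """True iff sha256(data) is one of the pinned digests. This is the check
    `pip install --require-hashes` applies to every downloaded file."""
    return "sha256:" + hashlib.sha256(data).hexdigest() in expected


# constructed artifact and lock file (placeholders, not real releases)
SAMPLE_WHEEL = b"constructed wheel bytes standing in for litellm-1.0.0-py3-none-any.whl\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_WHEEL).hexdigest()
SAMPLE_REQUIREMENTS = f"""
# constructed lock file for the demo
litellm==1.0.0 \\
    --hash=sha256:{SAMPLE_SHA256}
telnyx>=2.0          # open range: the next upload, whoever made it, satisfies it
requests==2.32.0     # pinned, but without a hash a swapped artifact still installs
"""


def run_demo() -> tuple:
    """Audit the sample lock file, then verify a genuine and a tampered download."""
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    findings = audit(reqs)
    genuine = verify_artifact(SAMPLE_WHEEL, reqs["litellm"]["hashes"])
    tampered = verify_artifact(SAMPLE_WHEEL + b" extra bytes", reqs["litellm"]["hashes"])
    return findings, genuine, tampered


if __name__ == "__main__":
    print(run_demo())
```

In practice the digests come from a tool such as `pip-compile --generate-hashes` (pip-tools) and the install runs with `pip install --require-hashes -r requirements.txt`, which refuses any file whose digest is not listed; the audit function is the part worth running in CI, so that a floating range or a hash-less pin fails the build before a poisoned upload can reach it.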
European Commission cloud breach: a supply-chain compromise
In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission's public website platform "europa.eu", hosted on Amazon Web Services (AWS) cloud infrastructure.
https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain
Police crime reporting statistics 2025: current developments in "internet fraud"
A slight decline in reports, a marginally lower clearance rate, and a recommendation for Watchlist Internet: all of this can be found in the recently published police crime reporting statistics for 2025.
https://www.watchlist-internet.at/news/polizeiliche-anzeigenstatistik-202/
Beware of fake politicians: when the finance minister suddenly sends investment tips
When criminals impersonate well-known public figures, things can quickly become dangerous, especially when supposedly exclusive investment opportunities are involved.
https://www.watchlist-internet.at/news/achtung-fake-politiker-wenn-der-finanzminister-ploetzlich-anlagetipps-verschickt/
The Invisible Army: Why IP Reputation Fails Against the Rotation Economy
Attackers route malicious traffic through ordinary home internet connections, and to a reputation feed the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1-2 sessions, before any reputation system can flag them.
https://www.greynoise.io/blog/invisible-army-why-ip-reputation-fails-against-rotation-economy
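The GreyNoise numbers describe a timing problem: a reputation list needs to see an address several times and then propagate, while a rotating residential IP is gone after one or two sessions. The simulation below is an added illustration, not GreyNoise's code or data. It runs two detection rules over a constructed session log (TEST-NET addresses, one persistent scanner, thirty short-lived residential proxies and some benign users) and reports how many attack sessions each rule catches: a reputation list that needs three sightings plus a propagation delay, and a rule keyed on the attack's behaviour (the same failing request fingerprint from many distinct addresses) rather than on the source IP.

```python
"""Why a reputation feed lags the rotation economy.

Added illustration, not GreyNoise's code or data. Sessions are constructed:
one persistent scanner and many residential proxy IPs that each appear in
one or two sessions and then vanish. A reputation list only adds an IP
after it has been seen `threshold` times and propagates after `delay_s`.
A behaviour-keyed rule (same failing request fingerprint from many distinct
IPs) does not depend on ever seeing an IP twice.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    t: int          # seconds since start of the observation window
    ip: str         # source address
    fp: str         # request fingerprint (path + client header hash)
    outcome: str    # "auth_fail" for a login probe, "ok" for normal browsing


def build_sessions() -> list:
    """Constructed sample data (TEST-NET addresses, not real observations)."""
    sessions = []
    # persistent datacenter scanner: 40 login probes, one per minute
    for i in range(40):
        sessions.append(Session(i * 60, "203.0.113.7", "login-probe", "auth_fail"))
    # rotation economy: 30 residential IPs, each used for 1-2 sessions only
    for n in range(30):
        ip = f"198.51.100.{n + 1}"
        t = n * 90
        sessions.append(Session(t, ip, "login-probe", "auth_fail"))
        if n % 2 == 0:
            sessions.append(Session(t + 30, ip, "login-probe", "auth_fail"))
    # benign users from yet other addresses
    for n in range(10):
        sessions.append(Session(n * 200, f"192.0.2.{n + 1}", "home-page", "ok"))
    return sorted(sessions, key=lambda s: s.t)


def reputation_flagged(sessions, threshold=3, delay_s=600) -> list:
    """Sessions an IP-reputation list would have caught.

    An IP is listed once `threshold` sessions have been seen from it; the
    listing only takes effect `delay_s` seconds later (feed propagation)."""
    seen = defaultdict(int)
    listed_at = {}
    flagged = []
    for s in sessions:
        if s.ip in listed_at and s.t >= listed_at[s.ip]:
            flagged.append(s)
            continue
        seen[s.ip] += 1
        if seen[s.ip] == threshold and s.ip not in listed_at:
            listed_at[s.ip] = s.t + delay_s
    return flagged


def behaviour_flagged(sessions, distinct_ips=5) -> list:
    """Sessions caught by a rule keyed on behaviour instead of source IP:
    the same failing request fingerprint observed from `distinct_ips` or
    more different addresses (a proxy-distributed spray). A real rule would
    also bound this by a time window; omitted here for brevity."""
    ips_per_fp = defaultdict(set)
    flagged = []
    for s in sessions:
        if s.outcome != "auth_fail":
            continue
        ips_per_fp[s.fp].add(s.ip)
        if len(ips_per_fp[s.fp]) >= distinct_ips:
            flagged.append(s)
    return flagged


def attack_coverage(sessions, flagged) -> dict:
    """(caught, total) for attack sessions, split into sources that stayed
    around (>2 sessions) and sources that rotated away after 1-2 sessions."""
    per_ip = defaultdict(int)
    for s in sessions:
        per_ip[s.ip] += 1
    caught = set(flagged)
    out = {}
    for label, persistent in (("persistent", True), ("rotating", False)):
        attack = [s for s in sessions
                  if s.outcome == "auth_fail" and (per_ip[s.ip] > 2) == persistent]
        out[label] = (sum(1 for s in attack if s in caught), len(attack))
    return out


if __name__ == "__main__":
    data = build_sessions()
    print("reputation:", attack_coverage(data, reputation_flagged(data)))
    print("behaviour: ", attack_coverage(data, behaviour_flagged(data)))
```

With these parameters the reputation rule catches most of the persistent scanner's sessions once its listing takes effect, and none of the rotating ones, because no residential address ever reaches the sighting threshold. The behaviour rule catches both populations after the fifth distinct address, which is the point of keying detection on what the requests do rather than where they come from.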
vSphere and BRICKSTORM Malware: A Defender's Guide
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors.
https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/
You're Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn't squint, it's bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them.
https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
FBI Warns of AVrecon Malware Targeting Network Devices Across 163 Countries
The router sitting in your home office or small business did not need to be hacked by a skilled operator to end up serving as infrastructure for banking fraud, password attacks, and digital marketplace scams. All it needed was an unpatched vulnerability and a malware dubbed "AVrecon" to infect it and sell access to it within minutes. Last month, the FBI, alongside several international law enforcement agencies, took down the SocksEscort residential proxy service.
https://thecyberexpress.com/fbi-warns-of-avrecon-malware/
Vietnam-Linked PXA Stealer Campaign Exploits LinkedIn to Target Professionals Globally
A newly exposed global malware campaign reveals how PXA Stealer has been wielded by Vietnam-linked actors to siphon sensitive data from professionals across multiple countries using trusted platforms like LinkedIn. First documented in late 2024, this campaign has evolved into a new threat that leverages social engineering, advanced payload delivery, and stealthy execution to outmaneuver traditional defenses.
https://thecyberexpress.com/pxa-stealer-vietnam-linked-actors-linkedin/
Vulnerabilities
Critical Cisco IMC auth bypass gives attackers Admin access
Cisco has patched several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that enables attackers to gain Admin access.
https://www.bleepingcomputer.com/news/security/critical-cisco-imc-auth-bypass-gives-attackers-admin-access/
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
This module enables you to perform SAML-protocol-based single sign-on (SSO) on a Drupal site. The module doesn't sufficiently block access, leading to an authentication bypass vulnerability. Solution: Install the latest version.
https://www.drupal.org/sa-contrib-2026-031
XZ Utils 5.8.3: security update with unclear risk
The developers of the widely used XZ Utils have released an updated version that fixes security vulnerabilities.
https://www.heise.de/news/XZ-Utils-5-8-3-Sicherheitsupdate-mit-unklarem-Risiko-11244419.html
200,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in MW WP Form WordPress Plugin
On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This vulnerability can only be exploited if the "Saving inquiry data in database" option in the form settings is enabled.
https://www.wordfence.com/blog/2026/04/200000-wordpress-sites-affected-by-arbitrary-file-move-vulnerability-in-mw-wp-form-wordpress-plugin/
LWN Security updates for Thursday
https://lwn.net/Articles/1066084/