Last month, tensions on opposing sides of the cyber threat landscape led to unexpected consequences. From ransomware gangs hacking each other to a Microsoft Defender exploit handed to attackers on a silver platter, April 2026 delivered a threat landscape defined by escalation, collateral damage, and unexpected chaos.
April at a Glance
April 2026 marked a particularly turbulent month across the global threat landscape. Ransomware activity surged to 756 claimed victims, with Qilin leading all groups at 107 victims, followed by TheGentlemen (75) and DragonForce (63). The United States remained the most targeted country, and Business Services the most affected sector.
Supply-chain attacks made headlines again as cloud platform Vercel disclosed a targeted breach originating from a compromised OAuth application at an AI vendor, demonstrating how third-party integrations continue to open dangerous backdoors into even security-conscious organizations. Meanwhile, North Korean IT workers continued their brazen laptop farm scheme, funneling over $5 million to the DPRK government through fraudulent employment at 100+ U.S. companies.
On the vulnerability front, a researcher named Chaotic Eclipse publicly released a working exploit (BlueHammer) for a Microsoft Defender privilege escalation flaw, and the bug was added to CISA’s Known Exploited Vulnerabilities catalog within days. An Adobe Connect flaw scored CVSS 10.0, a 9.9 Cisco ISE vulnerability, and multiple critical Chrome and FortiClient weaknesses rounded out a month that demanded urgent patch cycles from every security team.
Ransomware Landscape Snapshot
April saw 756 total claimed ransomware victims across all active groups. Qilin dominated with 107 claimed victims, while newer entrants like CoinbaseCartel and Krybit showed that the RaaS market remains dangerously accessible to newcomers.
Top 10 Groups by Claimed Victims:
- Qilin: 107 victims
- TheGentlemen: 75 victims
- DragonForce: 63 victims
- APT73: 60 victims
- Akira: 48 victims
- CoinbaseCartel: 44 victims
- LockBit 5: 36 victims
- IncRansom: 34 victims
- Krybit: 21 victims
- ShinyHunters: 20 victims
Notable Incidents This Month
France Titres Data Breach
11.7 million French government accounts were exposed after a cyber incident affecting the ants.gouv.fr portal, detected on April 15, 2026. Threat actor ‘breach3d’ claimed responsibility on hacker forums, alleging theft of up to 19 million records including names, email addresses, dates of birth, and login IDs. The data was reportedly offered for sale. Authorities including CNIL, the Paris Public Prosecutor, and ANSSI were notified.
Vercel Supply Chain Breach
Cloud development platform Vercel disclosed a targeted security incident stemming from a third-party supply chain compromise. The chain began with a Lumma Stealer infection at a Context.ai employee’s machine in February 2026, which was used to compromise an OAuth application and ultimately access Vercel’s internal environments. The adversary appeared on underground forums attempting to sell source code and critical API tokens for GitHub and NPM, alongside a leaked roster of 580 employee records.
AgingFly Malware Targeting Ukraine
A new malware family called AgingFly surfaced in cyberattacks targeting Ukrainian government offices and hospitals. Attacks began with phishing emails disguised as humanitarian aid offers. Unusually, AgingFly arrives with no built-in commands, retrieving its handlers as raw source code from a central server and compiling them at runtime on the victim’s machine, making static detection extremely difficult. The group behind these attacks is tracked as UAC-0247.
ADT Data Breach
ADT confirmed a breach following threats from the ShinyHunters extortion group. The company identified unauthorized access on April 20. Exposed information includes names, phone numbers, and addresses, with a smaller portion also involving dates of birth and the last four digits of Social Security numbers. ShinyHunters claimed they obtained more than 10 million records via a vishing attack that compromised an employee’s Okta SSO account, allowing access to ADT’s Salesforce environment.
Critical Vulnerabilities Requiring Immediate Action
- CVE-2026-27303: Adobe Connect (versions 12.10 and earlier) — Deserialization vulnerability, arbitrary code execution. CVSS 10.0. Update to Adobe Connect 12.11.
- CVE-2026-20180: Cisco ISE (versions 3.2 through 3.4) — Authenticated remote command execution. CVSS 9.9. Update to 3.2 Patch 8, 3.3 Patch 8, or 3.4 Patch 4.
- CVE-2026-35616: FortiClient EMS (versions 7.4.5–7.4.6) — Improper access control, unauthenticated code execution. CVSS 9.8. Upgrade to 7.4.7 or above.
- CVE-2026-6296: Google Chrome (prior to 147.0.7727.101) — Heap buffer overflow, sandbox escape. CVSS 9.6. Update immediately.
- CVE-2026-23818: HPE Aruba Networking Private 5G Core (1.25.3.0 and below) — Open redirect credential theft. CVSS 9.6. Upgrade to 1.25.3.1.
- CVE-2026-33825: Microsoft Defender (prior to 4.18.26020.6) — Privilege escalation to SYSTEM via trusted file handling abuse. CVSS 7.8. Update Defender platform immediately. CISA KEV listed.
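The list above mixes three ways of stating exposure: an inclusive "version X and earlier", a bounded range like 7.4.5 through 7.4.6, and per-branch patch levels for Cisco ISE. The script below is an added example (not part of the original report) that transcribes those six advisories into explicit (first affected, first fixed) ranges and checks a constructed sample inventory against them. Hostnames and the inventory versions are made up for illustration; the CVE numbers, products, and version boundaries are taken from the list above exactly as stated.

```python
"""Flag inventory entries that fall inside the affected ranges of the
April 2026 critical-vulnerability list.

Added example. Advisory ranges are transcribed from the report's list;
the inventory below is constructed sample data, not real assets.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    # Per release branch: (first affected version, inclusive; first fixed
    # version, exclusive). "0" means "every version below the fix".
    ranges: tuple


def parse_version(text: str) -> tuple:
    """Turn '3.2 Patch 8', '7.4.5' or '147.0.7727.101' into a comparable
    tuple of ints. Trailing zeros are dropped so that '1.25.3.0' and
    '1.25.3' compare equal."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


ADVISORIES = (
    Advisory("CVE-2026-27303", "Adobe Connect", (("0", "12.11"),)),
    # Cisco ISE: each branch has its own fix level, so each gets a range.
    Advisory("CVE-2026-20180", "Cisco ISE", (
        ("3.2", "3.2 Patch 8"),
        ("3.3", "3.3 Patch 8"),
        ("3.4", "3.4 Patch 4"),
    )),
    # FortiClient EMS: the report lists 7.4.5 through 7.4.6 as affected.
    Advisory("CVE-2026-35616", "FortiClient EMS", (("7.4.5", "7.4.7"),)),
    Advisory("CVE-2026-6296", "Google Chrome", (("0", "147.0.7727.101"),)),
    Advisory("CVE-2026-23818", "HPE Aruba Networking Private 5G Core",
             (("0", "1.25.3.1"),)),
    Advisory("CVE-2026-33825", "Microsoft Defender", (("0", "4.18.26020.6"),)),
)


def is_vulnerable(advisory: Advisory, version_text: str) -> bool:
    """True when the version sits in any affected range of the advisory."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in advisory.ranges)


def check_inventory(inventory):
    """inventory: iterable of (host, product, version).
    Returns a list of (host, cve, product, version) for every match."""
    findings = []
    for host, product, version in inventory:
        for adv in ADVISORIES:
            if adv.product == product and is_vulnerable(adv, version):
                findings.append((host, adv.cve, product, version))
    return findings


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = (
    ("srv-connect-01", "Adobe Connect", "12.10"),          # affected
    ("ise-core", "Cisco ISE", "3.3 Patch 5"),              # below 3.3 Patch 8
    ("ise-lab", "Cisco ISE", "3.4 Patch 4"),               # at the fix level
    ("laptop-042", "Google Chrome", "147.0.7727.101"),     # at the fix level
    ("ems-01", "FortiClient EMS", "7.4.4"),                # outside listed range
    ("ws-17", "Microsoft Defender", "4.18.26020.5"),       # below the fix
)


if __name__ == "__main__":
    for host, cve, product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by {cve}")
```

Two design points worth noting: ranges are compared as integer tuples rather than strings, so "12.10" correctly sorts above "12.9", and the Cisco ISE entry is modelled as three branch ranges because a 3.3 deployment is not fixed by upgrading to 3.2 Patch 8. The FortiClient EMS entry follows the report's stated 7.4.5 through 7.4.6 range; if the vendor advisory names additional affected builds, the range tuple is the only place that needs to change.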
Three Stories That Defined April
From the report’s full analysis, three events stand out for their impact, novelty, and what they reveal about where the threat landscape is heading.
BlueHammer: The Microsoft Defender Exploit That Shouldn’t Exist
A frustrated researcher publicly dropped a working privilege escalation exploit for Windows Defender, then released two more within two weeks. CISA added it to KEV within days. The complete attack chain abuses shadow copies, TOCTOU races, the Cloud Files API, and the SAM database, turning a trusted antivirus process into the weapon.
The Vercel Breach: How One AI Startup’s Infected Laptop Reached a Cloud Giant
A Lumma Stealer infection at an AI vendor employee’s machine triggered a chain of events that ultimately gave attackers access to Vercel’s internal environments, source code, and critical API tokens. This attack shows how modern software supply chains create invisible blast radii across the tech ecosystem.
Krybit vs. 0APT: When Ransomware Groups Just Can’t Get Along
In a rare and revealing event, ransomware gang 0APT dumped Krybit’s entire admin database, then Krybit hacked back within 48 hours. The mutual exposure laid bare the operational fragility of both groups: plaintext passwords, no confirmed payments, Tor keys leaked. The ransomware underground attacked itself, inadvertently giving defenders a small reprieve. It’s the little things.
Lessons Learned From a Frenetic Month
April reinforced what we know about the modern threat environment. Supply-chain trust is increasingly weaponized; the Vercel breach shows that your security posture is only as strong as the least-secured OAuth application your employees connect to their accounts. Vulnerability disclosure timelines continue their collapse, with BlueHammer going from researcher frustration to public PoC to KEV listing in days.
And perhaps most revealing: the ransomware ecosystem is not a monolithic criminal enterprise. It is a volatile, competitive, ego-driven underground where groups undermine each other as readily as they target victims. While temporary feuds may give us a small bit of schadenfreude, the threat actors will be back to criminal business as usual in no time. We’re here to help you stay protected when they do.
