Welcome to my weekly Cyber Threat Bulletin — a focused look at the latest threats and trends shaping the cybersecurity landscape. If you enjoy these insights and could use an extra set of expert eyes on your security challenges, I'd love to chat with you!

Vulnerabilities

BlueHammer Exploit Joined by RedSun and UnDefend, All Observed in the Wild

Last week I reported on a Windows Defender proof of concept (PoC) privilege escalation exploit dubbed BlueHammer that was released by a security researcher frustrated with the Microsoft bug reporting process. Since then that researcher has released two more PoC exploits, RedSun (local privilege escalation) and UnDefend (denial of service). All three exploits have been observed in the wild according to researchers at Huntress. BlueHammer has been assigned CVE-2026-33825 and addressed in the April 2026 Patch Tuesday update. Organizations should review their potential exposure to these vulnerabilities and update where possible.

Supply Chain Attack

Hotel Staff Leveraged in Phishing Campaign Targeting Booking.com Customers

Threat actors are using phishing tactics to trick staff at hotels and other properties into downloading malware that steals the hotel's login credentials for the Booking.com partner portal. Once inside the portal, the criminals can access real customer booking information and use Booking.com's official messaging system to send fraudulent payment requests to travelers. The attackers send messages to guests with upcoming stays indicating there is a problem with the original payment or that card details need to be "verified" to secure the booking. They create a sense of urgency, threatening that the reservation will be canceled if the customer doesn't act quickly. The message includes a link to a fake payment page that looks identical to Booking.com's official page. Unsuspecting customers enter their credit card information, which is sent directly to the scammers. Organizations should warn employees about this campaign and scrutinize emails coming from Booking.com.

ShinyHunters Targets Rockstar Games via Third-Party Provider Anodot

ShinyHunters claimed responsibility for a supply-chain attack targeting Rockstar Games via a third-party analytics provider, Anodot. The threat actors bypassed Rockstar's direct defenses by obtaining compromised authentication tokens from Anodot, which granted them unauthorized access to Rockstar's Snowflake cloud data warehouse. After infiltrating the environment, the group issued a public ultimatum on the dark web, demanding a ransom and threatening to release nearly 80 million records. Rockstar Games officially characterized the stolen data as "non-material company information," consisting primarily of internal business telemetry, including Zendesk support tickets, regional revenue metrics, and player behavior analytics for GTA Online. Organizations are reminded that a robust "know your supplier" (KYS) program is essential as these types of attacks against widely used infrastructure continue. It is also good practice to inventory third-party access tokens and continuously monitor SaaS authentication paths, not just primary vendor connections.

Cybercrime

PUPs Become More Than Just a Nuisance

Researchers at Huntress analyzed a campaign attributed to the threat group Dragon Boss Solutions and found that signed, apparently legitimate software was being used to silently deploy AV-disabling programs. The campaign appears to be widespread, with infected hosts identified across 124 countries, primarily in the United States, France, and Canada. This marks an important evolution in the cyber threat landscape, where potentially unwanted programs (PUPs) are being repurposed as aggressive security-killing malware. Organizations typically put a lower priority on PUP triage, but this research indicates that this posture must be reevaluated.

Phishing Campaign Delivers SimpleHelp RMM Tool

Researchers at Malwarebytes identified a phishing campaign that uses a "shipment arrived" email lure to trick users into installing SimpleHelp, a legitimate remote monitoring and management (RMM) tool that attackers repurpose as a backdoor. The process begins when a victim clicks a link within a PDF attachment, which triggers the download of a signed Windows screensaver file (.scr). Once a user grants permission via the standard Windows User Account Control prompt, the software installs itself and immediately initiates an outbound connection to the attacker's command and control (C2) server. This initial installation serves as a foothold for more severe activities, such as lateral movement across a corporate network, data exfiltration, or the eventual deployment of ransomware. Organizations should implement file extension filtering in web and email security tools and monitor and restrict the use of RMM software.
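As an added illustration (not code from the bulletin or from Malwarebytes), the following Python detector runs over constructed proxy and endpoint log lines and implements the two recommendations above: it flags downloads whose final extension is .scr even behind a double extension or query string, and flags RMM process launches that are not on an approved list, escalating when one follows a flagged download on the same host. The log format, the approved-RMM binary name, the RMM process-name markers and the extra blocked extensions are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Extensions to block or alert on at web/mail gateways (the page names .scr; the rest are an assumption).
BLOCKED_EXTENSIONS = {".scr", ".pif", ".com"}
# RMM binaries permitted in this environment (assumed name, for illustration only).
APPROVED_RMM = {"corp-rmm-agent.exe"}
# Substrings identifying RMM tooling in a process name (assumption; SimpleHelp is named on the page).
RMM_MARKERS = ("simplehelp", "rmm")

# Constructed log format: "<iso timestamp> <host> <download|process> <url or path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>download|process) (?P<detail>.*)$")

def file_extension(url_or_path: str) -> str:
    """Last suffix of the file name, ignoring query string/fragment, so 'Label.pdf.scr?id=7' -> '.scr'."""
    name = re.split(r"[?#]", url_or_path)[0].replace("\\", "/").rsplit("/", 1)[-1]
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""

def analyze(lines, window=timedelta(minutes=30)):
    """Return (host, alert_type, detail) tuples for blocked downloads and unapproved RMM launches."""
    alerts, last_blocked = [], {}  # last_blocked: host -> time of its most recent flagged download
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, kind, detail = datetime.fromisoformat(m["ts"]), m["host"], m["kind"], m["detail"]
        if kind == "download" and file_extension(detail) in BLOCKED_EXTENSIONS:
            alerts.append((host, "blocked-extension-download", detail))
            last_blocked[host] = ts
        elif kind == "process":
            exe = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if any(marker in exe for marker in RMM_MARKERS) and exe not in APPROVED_RMM:
                # An RMM launch shortly after a flagged download matches the lure-to-foothold chain above.
                chained = host in last_blocked and ts - last_blocked[host] <= window
                alerts.append((host, "rmm-after-blocked-download" if chained else "unapproved-rmm", exe))
    return alerts

# Constructed sample telemetry (not real logs): one lure chain, one benign approved agent, one stray RMM install.
SAMPLE_LOGS = [
    "2026-04-14T09:00:00 WS01 download https://cdn.example.test/shipment/Tracking_Label.pdf.scr?id=7",
    "2026-04-14T09:01:30 WS01 process C:\\Users\\jdoe\\AppData\\Local\\Temp\\SimpleHelp-Remote-Access.exe",
    "2026-04-14T11:00:00 WS02 download https://intranet.example.test/docs/policy.pdf",
    "2026-04-14T11:05:00 WS02 process C:\\Program Files\\Corp\\corp-rmm-agent.exe",
    "2026-04-14T15:30:00 WS03 process C:\\Users\\asmith\\Downloads\\simplehelp-customer.exe",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```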

Other News and Resources

  • WebinarTV, which markets itself as a "search engine for public webinars," has reportedly been capturing and reposting Zoom meetings that hosts believed were private, including support sessions.
  • Darktrace's analysis of the ZionSiphon malware provides an in-depth look at threats targeting operational technology (OT) within Israeli water systems. This report highlights the growing danger to critical infrastructure and the need to defend against sophisticated cyber-physical attacks.
  • FBI's Atlanta Field Office and Indonesia's National Police dismantled a $20 million global phishing scheme associated with the W3LLSTORE marketplace, seizing infrastructure and detaining a suspected developer.
  • While the shortening of the time between the initial report of a vulnerability and its exploitation is well known, I recently learned about a site that tracks this metric, the Zero Day Clock.

#ICYMI