ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
ThreatsDay Bulletin: From 17-Year-Old Excel Flaws to New Defender Zero-Days
TL;DR: This week’s threat landscape is a mix of the ancient and the cutting-edge. CISA has flagged a 2009 Excel vulnerability as actively exploited, while a new "RedSun" privilege escalation zero-day hits Microsoft Defender. Meanwhile, North Korean actors have successfully breached Zerion wallets using AI-driven social engineering, and a massive supply chain attack has poisoned a WordPress plugin suite with 180,000 installs.
Microsoft Troubles: Ancient Bugs and New Zero-Days
The recurring theme this week is the persistence of Microsoft vulnerabilities.
RedSun Zero-Day: Following the recent release of "BlueHammer," a researcher known as "Chaotic Eclipse" has disclosed a new, still unpatched privilege escalation vulnerability in Microsoft Defender, codenamed RedSun. Security experts confirm that RedSun reliably lets an unprivileged local user gain SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server hosts (as of the April 2026 updates); no fix is available yet.
17-Year-Old Excel RCE: CISA has officially added CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalog. This remote code execution flaw in Microsoft Office Excel allows attackers to take complete control of a system via a malformed object in a crafted file. Federal agencies have until April 28, 2026, to remediate this nearly two-decade-old bug.
RDP Phishing Protections: To blunt the weaponization of Remote Desktop (.rdp) files by actors like APT29, Microsoft’s April 2026 update (tracked as CVE-2026-26151) adds a security warning when such files are opened and disables resource redirection by default, so a connection to an attacker-controlled server no longer gets the victim’s local resources mapped into the session automatically.
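The settings that make a mailed .rdp file dangerous are visible in the file itself, so they can be checked at the mail gateway or on the endpoint before the file ever reaches mstsc. The following parser is an added example for this bulletin, not code from Microsoft or from the cited research; the two sample files and their host names are constructed for the example.

```python
"""Flag risky resource-redirection settings in .rdp files.

Added example for this bulletin, not code from Microsoft or the cited
research. The .rdp format is one "name:type:value" setting per line
(type "s" = string, "i" = integer, "b" = binary). Both sample files
below are constructed; the host names are placeholders.
"""
from typing import Callable, Dict, List, Tuple

# Settings a phishing .rdp file uses to map the victim's local resources into
# an attacker-controlled session, with the predicate that marks a value risky.
RISKY: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",        # "*" maps every local drive
    "devicestoredirect": lambda v: v != "",       # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",     # smart-card logon forwarded
    "redirectwebauthn": lambda v: v == "1",       # Windows Hello / FIDO forwarded
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp hides the remote desktop
}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse .rdp text into {setting: value}; lines that are not
    name:type:value (or that have an unknown type) are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Setting names may contain spaces ("full address") but never ':';
        # values may contain ':' (host:port), hence maxsplit=2.
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def risky_settings(text: str) -> List[Tuple[str, str]]:
    """Return the (setting, value) pairs that redirect local resources."""
    settings = parse_rdp(text)
    return sorted((k, v) for k, v in settings.items() if k in RISKY and RISKY[k](v))


# Constructed sample: the shape of a phishing .rdp file (placeholder host).
SAMPLE_PHISH_RDP = """\
full address:s:rdp.example.invalid:3389
username:s:victim
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Helpdesk
"""

# Constructed sample: a file an admin would hand out for a jump host.
SAMPLE_BENIGN_RDP = """\
full address:s:jumphost.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH_RDP), ("benign", SAMPLE_BENIGN_RDP)):
        hits = risky_settings(sample)
        print(f"{label}: {'BLOCK' if hits else 'ok'} {hits}")
```

Run it against any .rdp attachment; a non-empty result from `risky_settings` is the condition on which a gateway should quarantine the file. The predicates are deliberately per-setting because drive and device redirection are "any non-empty value" while the others are integer flags.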
Crypto Under Fire: Zerion Breached and Fake Ledger Apps
The cryptocurrency sector suffered several high-profile blows this week:
- North Korean "UNC1069" Strike: Cryptocurrency wallet service Zerion reported a $100,000 theft from internal hot wallets. The breach occurred after a team member was targeted by an AI-enabled social engineering attack. While company funds used for testing were taken, Zerion notes that user funds and core infrastructure remain unaffected.
- The $9.5M Fake App: A fraudulent app named "Ledger Live" successfully bypassed Apple’s App Store review process. Between April 7 and April 13, 2026, it drained $9.5 million from over 50 victims by tricking them into entering their recovery seed phrases.
- Xinbi Guarantee: Despite U.K. sanctions, the illicit marketplace "Xinbi Guarantee" continues to operate on Telegram, processing over $21 billion in transactions related to money laundering and scam equipment.
Supply Chain and Infrastructure Attacks
WordPress Plugin Poisoning: In a classic supply chain compromise, a threat actor acquired the "Essential Plugin" suite in early 2025. By August, they had planted a backdoor that injected malicious PHP into wp-config.php. The malware used an Ethereum smart contract for C2 resilience and hid its activity from site owners by serving the injected spam links only to Googlebot (search-engine cloaking). The plugins, which had 180,000 installs, have been permanently closed.
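Because the injection lands in wp-config.php, a file that normally ends with the line that loads wp-settings.php and contains no request handling at all, an integrity check does not need the malware's signature. The scanner below is an added example for this bulletin, not code from the researchers or the plugin vendor, and it does not encode the specific backdoor; it applies generic indicators (statements after the loader line, obfuscation builtins, user-agent cloaking keyed on Googlebot). Both sample files are constructed.

```python
"""Heuristic scan of wp-config.php for injected PHP.

Added example for this bulletin; not code from the researchers or the plugin
vendor, and it does not encode the specific backdoor described above. It
checks three generic indicators: statements after the line that loads
wp-settings.php (a clean wp-config.php ends there), obfuscation builtins,
and user-agent cloaking logic keyed on Googlebot, which has no business in
a configuration file. Both sample files are constructed.
"""
import re
from typing import List

# The last statement of a stock wp-config.php.
SETTINGS_LOADER = re.compile(r'require_once\s*\(?\s*ABSPATH\s*\.\s*[\'"]wp-settings\.php[\'"]')

INDICATORS = [
    ("obfuscation",
     re.compile(r'\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(', re.I)),
    ("ua-cloaking",
     re.compile(r'HTTP_USER_AGENT.{0,160}googlebot|googlebot.{0,160}HTTP_USER_AGENT', re.I | re.S)),
    ("remote-include",
     re.compile(r'\b(include|require)(_once)?\s*\(?\s*[\'"]?(https?:|ftp:|php://)', re.I)),
]


def scan_wp_config(src: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lines = src.splitlines()
    loader_idx = next((i for i, l in enumerate(lines) if SETTINGS_LOADER.search(l)), None)
    if loader_idx is None:
        findings.append("wp-settings.php loader missing (file truncated or rewritten)")
    else:
        trailing = [l for l in lines[loader_idx + 1:]
                    if l.strip() and not l.strip().startswith(("//", "#", "/*", "*"))]
        if trailing:
            findings.append(f"{len(trailing)} code line(s) after the wp-settings.php loader")
    for name, rx in INDICATORS:
        for m in rx.finditer(src):
            lineno = src.count("\n", 0, m.start()) + 1
            findings.append(f"{name} at line {lineno}")
    return list(dict.fromkeys(findings))   # de-duplicate, keep order


# Constructed: the tail of a stock wp-config.php (the part that matters here).
CLEAN_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed: the same file with a cloaked, obfuscated payload appended.
# The base64 string decodes to '...' so the sample carries no real code.
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG + """
if ( stripos( $_SERVER['HTTP_USER_AGENT'], 'googlebot' ) !== false ) {
    @eval( base64_decode( 'Li4u' ) );
}
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_WP_CONFIG), ("infected", INFECTED_WP_CONFIG)):
        print(label, scan_wp_config(src) or "no findings")
```

Run this from a cron job or a deploy hook and alert on any non-empty result; pair it with a hash of the known-good wp-config.php so that a rewrite that removes the loader line is caught too. The cloaking indicator is the one most specific to the technique described above: a configuration file has no legitimate reason to branch on the User-Agent header.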
APT41 Cloud Backdoor: The China-linked APT41 is now using a purpose-built ELF backdoor to target Linux workloads across AWS, Azure, Google Cloud, and Alibaba Cloud. The implant communicates outbound over SMTP on port 25 rather than exposing a listening service, which is why it stays invisible to internet scanners like Shodan, and it is designed to harvest cloud credentials from the compromised host.
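An implant that hides from port scanners is still visible in the flow logs of the cloud it runs in: a compute host that is not a mail relay has no reason to open TCP connections to port 25 on the internet. The detector below is an added example for this bulletin, not code from the researchers who analysed the implant; it reads AWS VPC Flow Log records in the default version-2 format, and the allowlist, interface ID, addresses and log lines are constructed.

```python
"""Flag outbound SMTP (TCP/25) from cloud Linux hosts that are not mail relays.

Added example for this bulletin; not code from the researchers who analysed
the APT41 implant. It reads AWS VPC Flow Log records in the default
version-2 format and reports every ACCEPTed TCP flow to destination port 25
that leaves the VPC from a host not on the mail-relay allowlist. The
allowlist, interface ID, addresses and log lines are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, Set

# Hosts allowed to speak SMTP outbound (constructed; populate from inventory).
MAIL_RELAYS = {ipaddress.ip_address("10.0.5.25")}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default VPC Flow Log field order (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow(line: str) -> Dict[str, str]:
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"not a version-2 flow record: {line!r}")
    return dict(zip(FIELDS, parts))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def suspicious_smtp_egress(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Map each offending source address to its accepted TCP/25 egress
    flow count, total bytes and number of distinct destinations."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": 0})
    seen_dst: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("version"):      # blank or header line
            continue
        rec = parse_flow(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue                                    # NODATA/SKIPDATA or blocked
        if rec["protocol"] != "6" or rec["dstport"] != "25":
            continue                                    # not TCP to port 25
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if not is_internal(src) or is_internal(dst):
            continue                                    # inbound or east-west, not egress
        if ipaddress.ip_address(src) in MAIL_RELAYS:
            continue                                    # expected sender
        stats[src]["flows"] += 1
        stats[src]["bytes"] += int(rec["bytes"])
        seen_dst[src].add(dst)
        stats[src]["destinations"] = len(seen_dst[src])
    return dict(stats)


# Constructed records: a legitimate relay, a workload beaconing to two
# external hosts on port 25, a rejected attempt, normal HTTPS, and inbound mail.
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1b2c3d 10.0.5.25 203.0.113.10 51234 25 6 12 2048 1713000000 1713000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.7.44 198.51.100.7 44321 25 6 9 1536 1713000000 1713000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.7.44 198.51.100.8 44322 25 6 4 640 1713000120 1713000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.7.44 198.51.100.7 44330 25 6 3 480 1713000200 1713000260 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.7.44 198.51.100.9 44400 443 6 30 9000 1713000200 1713000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.7.44 25 40022 6 5 700 1713000300 1713000360 ACCEPT OK
"""

if __name__ == "__main__":
    for src, s in suspicious_smtp_egress(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {s['flows']} TCP/25 egress flows, {s['bytes']} bytes, {s['destinations']} destinations")
```

The same logic applies to Azure NSG flow logs or GCP VPC flow logs once the field mapping is adjusted. The stronger control is preventive: an egress rule that only permits port 25 from the relay subnet turns every ACCEPT above into a REJECT, which is itself a high-fidelity alert.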
SonicWall & FortiGate Brute-Force: Researchers have noted a "sharp rise" in brute-force attempts against SonicWall and FortiGate edge devices, with 88% of the traffic originating from the Middle East. Most attempts fail, but the persistence of the probing points to a sustained, high-intensity effort to find weak credentials.
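Brute-force traffic that mostly fails is only useful to a defender if the failures are counted per source over time rather than alerted on individually. The detector below is an added example for this bulletin, not code from the researchers who reported the campaign. Its input is key=value event lines modelled on FortiGate SSL-VPN login events; the field names `action`, `remip` and `user` are assumptions to be mapped onto whatever the SonicWall or FortiGate in use actually emits, and every log line is constructed.

```python
"""Sliding-window detector for credential brute forcing against edge devices.

Added example for this bulletin; not code from the researchers who reported
the campaign. Input is key=value event lines modelled on FortiGate SSL-VPN
login events (the field names "action", "remip" and "user" are assumptions
to be mapped to whatever the SonicWall or FortiGate in use emits). One
alert fires per source once it has produced THRESHOLD or more failures
inside WINDOW seconds; the alert also counts distinct user names so a
password spray can be told apart from a single-account attack. All log
lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Tuple

WINDOW = 300            # seconds of history kept per source
THRESHOLD = 5           # failures inside WINDOW that trigger an alert
FAIL_ACTION = "ssl-login-fail"   # assumed failure marker; adapt per device

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def event_epoch(rec: Dict[str, str]) -> float:
    """Combine the date= and time= fields; device clocks are taken as UTC."""
    stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).timestamp()


def detect_bruteforce(lines: Iterable[str]) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    history: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerted = set()
    for line in lines:
        rec = parse_kv(line)
        if rec.get("action") != FAIL_ACTION:
            continue                      # successes and other events are ignored
        src, ts = rec["remip"], event_epoch(rec)
        window = history[src]
        window.append((ts, rec.get("user", "")))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()              # drop failures older than WINDOW
        if len(window) >= THRESHOLD and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(window),
                "distinct_users": len({user for _, user in window}),
                "span_seconds": int(ts - window[0][0]),
            })
    return alerts


# Constructed events: a spray from 203.0.113.5 and a legitimate user who
# mistypes once, logs in, then mistypes again 40 minutes later.
SAMPLE_EVENTS = """\
date=2026-04-16 time=10:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin"
date=2026-04-16 time=10:00:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="root"
date=2026-04-16 time=10:00:30 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.3 user="alice"
date=2026-04-16 time=10:00:45 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="vpn"
date=2026-04-16 time=10:00:55 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.3 user="alice"
date=2026-04-16 time=10:01:10 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="test"
date=2026-04-16 time=10:01:30 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="guest"
date=2026-04-16 time=10:01:50 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin"
date=2026-04-16 time=10:40:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.3 user="alice"
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Tune WINDOW and THRESHOLD to the device's normal failure rate; the legitimate user in the sample never trips the detector because the window prunes failures more than five minutes apart. A high `distinct_users` count on an alert is the signal to look for the same source against other tenants rather than to lock one account.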
Regional Campaigns and Criminal Ecosystems
- JanaWare Ransomware: A localized campaign is targeting Turkish users with a polymorphic variant of Adwind. The attackers use a high-volume, low-value approach, demanding ransoms between $200 and $400.
- Triad Nexus: This sprawling fraud network has been laundering its infrastructure through "clean" front companies to evade U.S. sanctions. Responsible for $200 million in losses, the group uses "pixel-perfect" clones of luxury brands and public services to facilitate "pig butchering" scams.
- SmokedHam Backdoor: Malvertising for tools like RVTools is being used to deliver the SmokedHam backdoor, eventually leading to Qilin ransomware deployments.
Improving Defenses: E.U. Age Checks and Raspberry Pi Security
On a more positive note, some platforms are tightening the screws:
- E.U. Age Verification: The European Union is rolling out an open-source, anonymous age verification app. It allows users to prove their age via ID/Passport without sharing other personal data or being tracked.
- Raspberry Pi Sudo Changes: Version 6.2 of Raspberry Pi OS now disables passwordless sudo by default. New users will be prompted for a password for administrator tasks, a move intended to bolster security against the rising tide of cybercrime.
- Google Navigation Hijacking: Google has announced a new policy against "back button hijacking" (preventing users from leaving a site). Starting June 15, 2026, sites using these tactics may face demotions in search results.
Conclusion
This week serves as a stark reminder that cyber threats rarely truly disappear; they simply lie in wait or evolve. Whether it is a 17-year-old Excel bug suddenly seeing active use or a cutting-edge AI social engineering attack, the basics of security—patching, skepticism of "official" app stores, and monitoring for supply chain shifts—remain your best line of defense.
Source: https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html