⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
TL;DR: A critical Adobe zero-day (CVE-2026-34621) is under active exploit, while Anthropic’s new "Mythos" AI model demonstrates the ability to autonomously find vulnerabilities. Meanwhile, researchers have proven fiber optic cables can be used for eavesdropping, and a sophisticated new Windows rootkit, "RegPhantom," has been detected in the wild.
The cybersecurity landscape is shifting rapidly this week as the gap between vulnerability discovery and active exploitation continues to shrink. From state-sponsored infrastructure meddling to the weaponization of artificial intelligence, the variety of threats currently hitting enterprise workflows is particularly aggressive.
Threat of the Week: Adobe Acrobat Reader Zero-Day
Adobe has released emergency updates for a critical vulnerability in Acrobat Reader, identified as CVE-2026-34621 (CVSS score 8.6). This flaw, a case of prototype pollution, allows attackers to execute arbitrary code via malicious JavaScript when a user opens a specially crafted PDF. Evidence suggests this zero-day may have been exploited in the wild since as early as December 2025.
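To make the bug class concrete, here is an added illustration of prototype pollution in JavaScript. It is generic example code written for this recap, not Adobe's code and not the actual trigger for CVE-2026-34621: a naive recursive merge copies an untrusted "__proto__" key into Object.prototype, and a hardened merge refuses keys that reach the prototype chain. The JSON payload and the property name isAdmin are constructed for the demonstration.

```javascript
// Added example: prototype pollution through a recursive merge, and the fix.
// Not Adobe's code; a generic illustration of the bug class named in the recap.

// Vulnerable: copies every own key of `source` into `target`, recursing into
// objects. On a plain object, target["__proto__"] resolves to Object.prototype,
// so an attacker-supplied "__proto__" subtree is merged into the shared
// prototype and every object in the realm inherits the injected properties.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that can reach a prototype, and only descend into
// properties `target` actually owns so inherited objects are never mutated.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input (e.g. a field parsed out of a document).
// JSON.parse creates an own property literally named "__proto__"; it does not
// invoke the accessor, so the key survives until a merge routine touches it.
const UNTRUSTED_JSON = '{"title":"report","__proto__":{"isAdmin":true}}';

// Runs both merges against the payload and reports whether a fresh, empty
// object ended up "having" the injected property. Cleans up after itself.
function demo() {
  const untrusted = JSON.parse(UNTRUSTED_JSON);
  const before = ({}).isAdmin;        // undefined on a clean realm
  naiveMerge({}, untrusted);
  const afterNaive = ({}).isAdmin;    // true: Object.prototype was polluted
  delete Object.prototype.isAdmin;    // undo the pollution for the rest of the run
  safeMerge({}, untrusted);
  const afterSafe = ({}).isAdmin;     // still undefined: key was rejected
  return { before, afterNaive, afterSafe };
}

console.log(demo());
```

The practical check is the last step: after any merge of untrusted data, a brand-new empty object should have no properties it did not start with. Denylisting the three keys is the minimum; merging into `Object.create(null)` targets or freezing `Object.prototype` at startup closes the same hole more broadly.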
The Rise of Autonomous AI Exploit Engines
Anthropic has introduced a frontier model named Mythos, designed to autonomously discover software vulnerabilities at scale. While currently restricted to a closed consortium (including Cisco) under "Project Glasswing" for defensive purposes, the model has already identified thousands of high-severity bugs.
Cisco notes that while this allows defenders to scan codebases at an "unimaginable" scale, the technology will inevitably become available to adversaries, lowering the barrier for less-skilled actors to launch complex campaigns.
Infrastructure and State-Sponsored Attacks
- Iranian Infrastructure Hacking: U.S. agencies issued a warning regarding an ongoing campaign by Iran-affiliated actors targeting industrial control systems (PLCs). The attacks focus on exposed internet-facing systems in the energy, water, and wastewater sectors.
- APT28 Router Botnet Takedown: Law enforcement successfully disrupted a botnet operated by the Russian group APT28 (Forest Blizzard). The group had been compromising SOHO routers since May 2025 to perform DNS redirection and Adversary-in-the-Middle (AiTM) attacks to steal credentials.
- North Korean "Long Game": Drift Protocol revealed a $285 million theft by a North Korean group that spent six months posing as a legitimate trading firm, even meeting staff in person at conferences to build trust before deploying their exploit.
Emerging Technical Threats
RegPhantom: The Stealthy Windows Rootkit
A new kernel-mode rootkit dubbed RegPhantom has surfaced. This malware uses the Windows registry as a covert trigger: when a user-mode process writes an encrypted command to the registry, the driver intercepts it and executes arbitrary kernel code. It is designed for extreme stealth, reflectively mapping code into memory so that it remains invisible to standard enumeration tools.
Fiber Optic Eavesdropping
Research from Hong Kong reveals that telecommunication optical fibers—specifically Fiber-to-the-Home (FTTH) installations—are susceptible to acoustic eavesdropping. By using Distributed Acoustic Sensing (DAS) systems, attackers can monitor sound-induced vibrations in the fiber to recover conversations from the surrounding environment.
"Payroll Pirates" and Fileless Malware
Microsoft is tracking a financially motivated actor, Storm-2755, targeting Canadian organizations. The actor uses malvertising and SEO poisoning to harvest credentials and bypass MFA via AiTM techniques, ultimately diverting employee salary payments to attacker-controlled accounts.
Identity and Fraud Trends
- VerifTools Takedown: A joint operation between the Netherlands and the U.S. seized VerifTools, a marketplace that generated over 915,000 fake ID documents for nearly 637,000 registered users.
- Git Platform Abuse: Threat actors are increasingly hosting malware on GitHub (53% of observed campaigns) and GitLab (64% of campaigns) to bypass Secure Email Gateways (SEGs) that typically trust these domains.
Conclusion
This week’s developments emphasize a "critical inflection point." As AI begins to automate the "pentest loop" for both sides, and traditional infrastructure like fiber optics and SOHO routers become active points of surveillance, the basics of defense—patching, MFA, and visibility—remain the most vital components of an organization's security posture.
Source: https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html