April 13, 2026

Cybersecurity news roundup April 13, 2026

San Mateo, CA, April 13, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Adobe zero-day hid in plain sight for months

Attackers have been exploiting a previously unknown Adobe Reader zero-day through malicious PDF files since at least December 2025, using social engineering and obfuscated JavaScript to steal data and potentially stage a more serious compromise. The exploit targets the latest version of Adobe Reader and takes advantage of a flaw that allows the document to invoke privileged Acrobat APIs. The known samples, including Invoice540.pdf, can exfiltrate harvested information to a remote server and pull down more JavaScript for execution. Researchers said the documents include Russian-language lures tied to oil and gas issues and may be tailored to selected victims. Although the follow-on payload was not retrieved, researchers warned that the exploit could enable fingerprinting, remote code execution, or sandbox escape in some cases.
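An added triage example, not from the original report or from Adobe: it counts the PDF name objects that indicate active content (JavaScript, open actions, launch actions) in a document, decoding the `#xx` name escapes that trivially obfuscated samples use to hide them. The two embedded PDFs and the scoring weights are constructed assumptions for illustration.

```python
import re

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
# This is a stand-in skeleton, not a real malicious document.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no active content.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that carry or trigger active content. Weights are an
# assumed triage heuristic, not a standard.
RISKY_NAMES = {
    b"/JavaScript": 3, b"/JS": 3, b"/OpenAction": 2, b"/AA": 2,
    b"/Launch": 3, b"/URI": 1, b"/EmbeddedFile": 2, b"/RichMedia": 2,
}

def _decode_name_escapes(data: bytes) -> bytes:
    # PDF names may spell characters as #xx (e.g. /J#53 is /JS); decode them
    # so obfuscated names are still matched.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes):
    """Return (score, {name: count}) for active-content indicators."""
    body = _decode_name_escapes(data)
    hits = {}
    for name, weight in RISKY_NAMES.items():
        # The name must end here, so /JS does not match /JSX-like names.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", body))
        if n:
            hits[name.decode()] = n
    score = sum(RISKY_NAMES[h.encode()] * c for h, c in hits.items())
    return score, hits

def is_suspicious(data: bytes, threshold: int = 4) -> bool:
    return triage_pdf(data)[0] >= threshold
```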

France starts slow exit from Windows dependency

France is moving some government computers from Microsoft Windows to Linux as part of a broader push to reduce dependence on U.S. technology and strengthen digital sovereignty. French minister David Amiel said the goal is to “regain control of our digital destiny,” arguing that the government can no longer accept a lack of control over its data and digital infrastructure. The migration will begin with computers at DINUM, the government’s digital agency, though officials gave no timeline and did not name which Linux distributions will be used. The move follows France’s decision to replace Microsoft Teams with the French-made Visio, based on Jitsi, and plans to shift its health data platform to a new trusted platform by year’s end. The broader backdrop is Europe’s growing concern over reliance on foreign tech providers.

Spyware campaign quietly tracks journalists across MENA

Journalists and activists across the Middle East and North Africa were targeted in an apparent hack-for-hire spyware campaign tied by researchers to Bitter, a threat group with suspected Indian government links. Access Now, Lookout, and SMEX each investigated part of the activity, connecting spearphishing campaigns from 2023 and 2024 to shared infrastructure and the Android spyware ProSpy. Lookout said the wider operation has likely been active since at least 2022 and primarily targets civil society members, while possibly also reaching government officials. The Committee to Protect Journalists warned that spying on reporters can become the first step toward intimidation, threats, and attacks, putting journalists, sources, and families at risk.

macOS attack swaps Terminal for Script Editor

A new Atomic Stealer campaign is targeting macOS users through Script Editor, using a ClickFix-style lure that avoids the more familiar Terminal prompt. Attackers are pushing fake Apple-themed cleanup pages that appear to offer disk space recovery advice, then use the applescript:// URL scheme to open Script Editor with prefilled malicious code. That code runs an obfuscated curl | zsh command that downloads and launches Atomic Stealer in memory, ultimately deploying a Mach-O binary linked to the AMOS malware-as-a-service operation. The stealer can collect Keychain data, browser passwords, cookies, stored credit cards, cryptocurrency wallet extensions, desktop files, and system details. Researchers say Mac users should treat unexpected Script Editor prompts as high risk and rely on official Apple documentation.

Iranian hackers target critical U.S. infrastructure

U.S. agencies are warning that Iranian-affiliated cyber actors are actively targeting internet-facing OT devices across critical infrastructure sectors, including government facilities, water and wastewater systems, and energy operations. The campaign has focused on Rockwell Automation and Allen-Bradley PLCs, where attackers used leased third-party infrastructure and configuration software to establish trusted connections, deploy Dropbear for remote access over port 22, extract project files, and manipulate HMI and SCADA data. Officials said the intrusions have already caused diminished PLC functionality, display manipulation, operational disruption, and financial loss. The activity fits a broader pattern of Iranian cyber escalation, with researchers and intelligence firms also pointing to coordinated influence operations, hack-and-leak campaigns, and DDoS activity tied to an Iran-aligned ecosystem. Defenders are urged to isolate PLCs from the internet, enable MFA, and monitor their networks.

WordPress flaw actively exploited in Ninja Forms plugin

Users of the Ninja Forms File Uploads premium add-on are being urged to patch a critical WordPress vulnerability, tracked as CVE-2026-0740, that allows unauthenticated attackers to upload arbitrary files and achieve remote code execution. Wordfence said it blocked more than 3,600 attacks in 24 hours, suggesting active exploitation is already underway. The flaw affects versions through 3.3.26. According to Wordfence, it stems from a lack of validation of file types and extensions in the destination filename, which lets an unauthenticated attacker upload PHP files, rename them, and use path traversal to place them in the webroot. The issue was reported in January, partially fixed in February, and fully addressed in version 3.3.27 on March 19.
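An added example of the destination-filename checks the passage describes as missing; it is not Ninja Forms' or Wordfence's code. The client-supplied name is reduced to a basename (dropping any traversal or directory part), every dotted segment is checked against an executable-extension denylist and the final one against an allowlist, and the resolved path must stay inside the upload directory. The allowlist, denylist and upload directory are assumptions.

```python
from pathlib import Path, PurePosixPath

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}  # assumed allowlist

# Extensions a web server may execute. Every segment is checked, not only the
# last, because some server configs hand "report.php.pdf" to PHP.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "htaccess"}

class RejectedUpload(ValueError):
    pass

def safe_destination(upload_dir: str, requested_name: str) -> Path:
    """Validate a client-supplied destination filename and return the
    resolved path it may be written to, or raise RejectedUpload."""
    if "\x00" in requested_name:
        raise RejectedUpload("NUL byte in filename")
    # 1. The client controls only a basename: any directory component,
    #    including ../ traversal and absolute paths, is discarded.
    name = PurePosixPath(requested_name.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise RejectedUpload("empty or invalid filename")
    # 2. Extension checks on every dotted segment, case-insensitively.
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        raise RejectedUpload("missing extension: " + name)
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise RejectedUpload("executable extension in: " + name)
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension not allowed: " + exts[-1])
    # 3. Containment: after resolving symlinks the destination must still be
    #    a direct child of the upload directory.
    base = Path(upload_dir).resolve()
    dest = (base / name).resolve()
    if dest.parent != base:
        raise RejectedUpload("destination escapes upload directory")
    return dest

def is_accepted(upload_dir: str, requested_name: str) -> bool:
    try:
        safe_destination(upload_dir, requested_name)
        return True
    except RejectedUpload:
        return False
```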

$700M CISA cut could reshape U.S. cyber defense

The Trump administration wants to cut at least $707 million from CISA’s 2027 budget, saying the reduction would return the agency to its core mission of securing federal civilian networks and protecting critical infrastructure, while eliminating what it described as weaponization, waste, and duplicative programs. The proposal also repeats claims that CISA was involved in censorship, citing its efforts to counter election misinformation, even though those allegations have been repeatedly debunked. If approved, the cuts would reduce CISA’s operating budget to about $2 billion. The proposal follows earlier efforts to slash the agency’s funding, though lawmakers previously softened those reductions. The plan arrives as CISA faces staff losses, no Senate-confirmed director, and a string of recent major cyber incidents across the U.S.

Grafana exploit turns AI features into data leak path

Noma Security says a new Grafana exploit dubbed GrafanaGhost can steal sensitive data without credentials, clicks, or visible signs of compromise by chaining weaknesses across domain validation, AI guardrails, and content security controls. The attack starts with a crafted external URL, uses prompt injection to bypass Grafana’s built-in protections, then triggers an outbound image request that quietly carries sensitive data to an attacker-controlled server. Researchers said the activity can look like routine AI behavior, making it difficult for SIEM, DLP, and endpoint tools to flag. “The attack surface isn’t a misconfigured firewall or an unpatched library, rather it is the weaponization of the AI’s own reasoning and retrieval behavior. These platforms trust the content they ingest far too implicitly,” said Sasi Levi, vulnerability research lead at Noma Labs.

Police name alleged leaders behind major ransomware gangs

German federal police have identified Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk as the alleged leaders of Russian threat groups GandCrab and REvil from at least early 2019 to July 2021, tying them to at least 130 extortion cases in Germany alone. Authorities said at least 25 victims paid $2.2 million in ransom, while total damage linked to the pair exceeded $40 million. Shchukin allegedly used the forum names UNKN and UNKNOWN to represent the operation publicly. After GandCrab’s 2019 retirement, REvil emerged using the same affiliate model and later escalated pressure with leak sites and data auctions. The group’s most prominent attacks included Acer, Texas local governments, and Kaseya. BKA believes both men are now in Russia and seeks public tips on their whereabouts.

Cybercrime losses hit $17B as scams keep scaling

Cybercrime cost U.S. victims more than $17.7 billion in 2025 as IC3 complaints topped 1 million, nearly 3,000 per day, showing internet-enabled fraud is still growing. Crypto investment scams caused the biggest losses at $7.2 billion, followed by business email compromise at more than $3 billion and fake tech or customer support scams at more than $2 billion. Identity theft, data breaches, and ransomware also remained major sources of damage. The FBI’s report also added a first-ever section on artificial intelligence after victims lost nearly $893 million to AI-enabled fraud and filed 22,364 complaints. The bureau said AI-generated phishing, audio deepfakes, video deepfakes, and fake online identities are making fraud harder to detect, prompting fresh warnings to tighten cybersecurity and basic online vigilance.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.