InfoSec Briefing - April 12, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Sunday, April 12, 2026, covering nine security developments. All attribution is by the article authors. All article analysis is automated.

Breakglass Intelligence reports that APT41, also known as Winnti, has deployed a sophisticated backdoor targeting Linux cloud workloads across AWS, Google Cloud, Azure, and Alibaba Cloud to harvest credentials. The malware uses covert command and control over SMTP port 25 with selective handshake validation requiring correct tokens, and facilitates lateral movement via UDP broadcast. This campaign represents a six-year evolution of Winnti backdoors toward cloud-native credential theft.

Adobe, EXPMON Public, and the Counter Threat Unit researchers report active exploitation of a zero-day vulnerability in Adobe Reader that has been ongoing since December 2025. The vulnerability exploits privileged Acrobat APIs to steal local system information and files, with attacks appearing to target the Russian oil and gas sector. Adobe has released a security update addressing the prototype pollution vulnerability, which has a severity score of 8.6 and allows arbitrary code execution.

Calif reports on a heap buffer overflow vulnerability in nginx's HTTP DAV module, discovered through human-AI collaboration with Claude. The flaw allows arbitrary file read and write operations when specific non-default configurations are present, including the alias directive with DAV methods COPY or MOVE. While affecting a small population, the vulnerability enables remote attackers to read sensitive data, compromise systems, or cause denial of service.

CyberInsider reports that downloads of HWMonitor and CPU-Z from the official CPUID website were compromised through a supply chain attack, redirecting users to trojanized packages hosted on external storage. The sophisticated malware employs multi-stage infection, memory-resident operations, and advanced evasion techniques. The threat group behind this attack has been previously linked to distributing trojanized FileZilla.

Google's Chrome team and Account Security team report they have implemented Device Bound Session Credentials, a new protocol that cryptographically binds authentication sessions to specific devices using hardware-backed security modules like TPMs and Secure Enclaves. The technology prevents session theft by making stolen cookies unusable, as attackers cannot possess the required private keys, with early deployment showing significant reduction in session theft.

Tanrikuluatahan provides technical analysis detailing how changes in Windows 11 24H2 and 25H2 broke Mimikatz's credential extraction command due to signature pattern changes, address resolution modifications, and struct layout alterations. The article provides technical solutions for patching Mimikatz to restore credential extraction capabilities on these newer Windows builds, demonstrating successful hash extraction after implementing the fixes.

That concludes today's briefing.

📰 Articles Covered

APT41 Winnti ELF Cloud Credential Harvester: Alibaba Typosquat Infrastructure & 6-Year Lineage - Breakglass Intelligence

A recent cybersecurity report details a sophisticated campaign by the **APT41 (Winnti) group**, which has been targeting **Linux cloud workloads** across major providers like **AWS, GCP, Azure, and Alibaba Cloud** 【1】. This campaign, part of a six-year lineage of Winnti ELF backdoors, shows an evolution towards cloud-native credential harvesting 【1】.

**What Happened:**
The APT41 group has deployed an ELF backdoor that specifically targets Linux cloud environments. This malware is designed to harvest cloud credentials from various sources, including metadata services and credential stores. It utilizes a covert Command and Control (C2) channel over **SMTP port 25** to evade detection and exfiltrates data through encoded payloads 【1】. A key evasion technique involves selective handshake validation on the C2, ensuring only clients with a correct EHLO token are tasked, thus hindering scanner effectiveness 【1】. Lateral movement is facilitated through UDP broadcast on `255.255.255.255:6006`, enabling peer coordination 【1】.

**Who is Affected:**
The primary targets are **organizations utilizing Linux cloud workloads** on platforms such as **AWS, Google Cloud Platform (GCP), Microsoft Azure, and Alibaba Cloud** 【1】.

**Security Implications:**
The implications of this campaign are significant, as it allows attackers to gain **unauthorized access to cloud resources and sensitive data** by stealing credentials 【1】. The use of a covert C2 channel and selective handshake evasion makes detection challenging, increasing the risk of prolonged compromise and further exploitation within cloud environments 【1】. The group's long-standing presence and evolution of their tools suggest a persistent and adaptable threat actor 【1】.

**Technical Details:**
- **Malware Type:** ELF backdoor, part of the Winnti lineage, with variants dating back to 2020 (PWNLNX) 【1】.
- **C2 Channel:** Utilizes **SMTP port 25** for covert communication 【1】.
- **Credential Harvesting:** Targets cloud credentials from **metadata services (IMDS)** and local credential stores 【1】.
- **Lateral Movement:** Employs **UDP broadcast on 255.255.255.255:6006** for peer coordination 【1】.
- **Evasion Techniques:** Selective handshake validation on C2 to bypass scanners 【1】.
- **Infrastructure:** Includes a C2 server hosted on Alibaba Cloud in Singapore and **typosquat domains** impersonating Alibaba/Qianxin, registered within a short timeframe 【1】.
- **Indicators of Compromise (IOCs):**
- MD5 hash: `f1403192ad7a762c235d670e13b703c3` 【1】.
- C2 domains: `ai.qianxing.co`, `ns1.a1iyun.top`, `ai.aliyuncs.help` 【1】.
- Network activity: Port 25 (outbound SMTP from non-mail servers), UDP 6006, broadcast traffic 【1】.
- **MITRE ATT&CK Mappings:** T1190, T1059.004, T1547, T1552.005, T1555, T1580, T1016 【1】.

**What Defenders Should Know:**
Defenders need to implement a multi-layered approach focusing on network, host, and cloud-native controls 【1】. Key actions include:
- **Network Monitoring:** Watch for **outbound SMTP traffic from non-mail server workloads** and block or monitor identified C2 IP addresses and typosquat domains 【1】.
- **Host-based Detection:** Hunt for **stripped ELF binaries in temporary directories** and monitor for persistence mechanisms like cron jobs or systemd services 【1】.
- **Cloud-Native Controls:** Audit **reads of cloud credential files**, monitor **Instance Metadata Service (IMDS) access**, and enable services like **AWS CloudTrail** and **IAM anomaly detection** 【1】.
- **Credential Security:** Prioritize detection of **unusual credential access patterns**, especially from IMDS 【1】.
- **Coordination:** Ensure **coordination across network, host, and cloud security monitoring** to effectively detect and respond to this threat 【1】.
Adobe eeleased a security update for Adobe Acrobat and Reader for Windows/macOS. Successful exploitation leads to code execution. Adobe is aware of CVE-2026-34621 being exploited - Adobe

Adobe has released a critical security update to address a vulnerability in Adobe Acrobat and Reader, identified as **CVE-2026-34621** 【1】. This vulnerability, classified as "Improperly Controlled Modification of Object Prototype Attributes" (CWE-1321), has a **Critical severity rating** with a CVSS base score of 8.6 【1】.

**What Happened:**
A vulnerability (CVE-2026-34621) was discovered and has been **actively exploited in the wild** 【1】. This means attackers are already using this flaw to compromise systems.

**Who is Affected:**
The vulnerability affects the following versions of Adobe Acrobat and Reader:
- **Acrobat DC and Acrobat Reader DC (Continuous track)** versions 26.001.21367 and earlier for Windows and macOS.
- **Acrobat 2024 (Classic 2024)** versions 24.001.30356 and earlier for Windows and macOS 【1】.

**Security Implications:**
Successful exploitation of this vulnerability could lead to **arbitrary code execution** 【1】. This means an attacker could potentially run their own malicious code on a user's system, leading to data theft, system control, or further network compromise. The CVSS score of 8.6 indicates a high level of risk. Initially, the CVSS Attack Vector was rated as Network, but it was later adjusted to Local, reducing the overall CVSS score from 9.6 to 8.6 【1】.

**Technical Details:**
The vulnerability is categorized as "Improperly Controlled Modification of Object Prototype Attributes" (CWE-1321) 【1】. This type of vulnerability often involves attackers manipulating the properties of objects within the software to gain unauthorized control or execute unintended code.

**What Defenders Should Know:**
Defenders must ensure that users **update their Adobe Acrobat and Reader software to the latest versions** 【1】. This is crucial because the vulnerability is being exploited in the wild.
- **For end-users:** Updates can be installed manually via `Help > Check for Updates` or through automatic updates. Full installers for Acrobat Reader are also available for download 【1】.
- **For IT administrators:** Updates can be deployed using enterprise tools such as AIP-GPO, bootstrapper, SCUP/SCCM for Windows, and Apple Remote Desktop or SSH for macOS 【1】.
The updated versions are:
- **Acrobat DC and Acrobat Reader DC:** 26.001.21411
- **Acrobat 2024 (Windows):** 24.001.30362
- **Acrobat 2024 (macOS):** 24.001.30360 【1】.
Adobe also encourages security researchers to report vulnerabilities through their bug bounty program on HackerOne 【1】.
EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users - EXPMON Public

A sophisticated zero-day fingerprinting attack targeting **Adobe Reader users** has been detected by the EXPMON system. This attack exploits a vulnerability that allows for the execution of privileged Acrobat APIs, enabling the theft of local system information and potentially leading to remote code execution (RCE) or sandbox escape (SBX) 【1】.

**What Happened:**
The attack begins with a specially crafted PDF file that, when opened, exploits a zero-day or unpatched vulnerability in Adobe Reader. This exploit allows the attacker to execute arbitrary JavaScript code. Specifically, it uses the `util.readFileIntoStream()` API to read files accessible by the sandboxed Reader process and the `RSS.addFeed()` API to send collected information to a remote server and receive further instructions or malicious JavaScript code 【1】.

**Who is Affected:**
**Adobe Reader users** are affected by this attack. The exploit has been confirmed to work on the latest version of Adobe Reader, indicating a widespread potential impact 【1】.

**Security Implications:**
The security implications are significant. The exploit allows for:
- **Information Harvesting:** Collection of sensitive data from the local system, including language settings, Adobe Reader version, OS version, and local file paths 【1】.
- **Data Theft:** The ability to read and steal local files, such as system files like `ntdll.dll` 【1】.
- **Advanced Fingerprinting:** Gathering enough information to uniquely identify a target system 【1】.
- **Potential for RCE/SBX:** The mechanism is designed to deliver subsequent exploits for remote code execution or sandbox escape, which could lead to full control of the victim's system 【1】.

**Technical Details:**
The exploit leverages two key Adobe Reader APIs:
- `util.readFileIntoStream()`: Allows reading of arbitrary files on the local system 【1】.
- `RSS.addFeed()`: Used to exfiltrate collected data to a remote server (identified as `169.40.2.68:45191` in one variant) and to receive additional JavaScript code for execution 【1】.
The collected data is sent as part of a URL to the attacker-controlled server. The received JavaScript payload is decrypted using cryptography to evade network detection 【1】. A later variant was observed connecting to `188.214.34.20:34123` 【1】.

**What Defenders Should Know:**
- **Vigilance is Key:** Users should be cautious of PDF files from untrusted sources until an official patch is available 【1】.
- **Monitor Indicators:** Defenders can block and monitor the attacker-controlled IP addresses (`169.40.2.68:45191` and `188.214.34.20:34123`) 【1】.
- **User Agent String:** A more effective detection method is to monitor HTTP/HTTPS traffic for the "Adobe Synchronizer" string in the User Agent field 【1】.
- **Advanced Detection:** Security products with advanced "detection-in-depth" capabilities, like EXPMON's, can help detect such sophisticated zero-day exploits without relying solely on signature updates 【1】.
- **Patch Promptly:** Adobe has released an emergency security update (APS B26-43) addressing the critical vulnerability (CVE-2026-34621, CVSS 9.6), which can lead to arbitrary code execution. Users must apply this update immediately 【1】.
- **JavaScript Disabling:** The question of whether disabling JavaScript in Adobe Reader/Acrobat would be effective remains open, as the exploit's ability to bypass such measures is not explicitly detailed in the provided text 【1】.
Adobe Reader zero-day vulnerability in active exploitation - Counter Threat Unit™ (CTU) researchers

A **zero-day vulnerability** in **Adobe Reader** is currently being actively exploited, with malicious activity detected as early as **December 2025** 【1】. This vulnerability allows attackers to execute privileged Acrobat APIs via malicious PDF files that contain obfuscated JavaScript 【1】.

**Who is affected:**
The attacks appear to be **targeted**, with lures specifically related to the **Russian oil and gas sector** 【1】.

**Security implications:**
The exploitation of this vulnerability can lead to the **theft of sensitive user and system data** 【1】. It also has the potential to enable **further attacks** and **remote code execution** 【1】.

**Technical details:**
The article provides specific **MD5, SHA1, and SHA256 hashes** for malicious PDF samples 【1】. Additionally, it lists **command and control (C2) server domain names and IP addresses**, along with a particular **User-Agent string** associated with these attacks 【1】.

**What defenders should know:**
Defenders should **monitor for an official Adobe patch** and **update systems promptly** once it becomes available 【1】. In the interim, recommended actions include:
- **Scanning PDF email attachments** for malicious content 【1】.
- **Blocking suspicious files** identified as threats 【1】.
- **Training users** to exercise caution with unsolicited attachments 【1】.
- **Temporarily avoiding the use of Adobe Reader** as a precautionary measure 【1】.
Claude + Humans vs nginx: CVE-2026-27654 - Calif

**CVE-2026-27654** is a heap buffer overflow vulnerability discovered in **nginx** that allows for arbitrary file read and write operations. The vulnerability was found through a collaboration between humans and the AI model Claude 【1】.

### What Happened

The vulnerability, **CVE-2026-27654**, resides in the `ngx_http_dav_copy_move_handler()` function within the `ngx_http_dav_module`. It is triggered by an unsigned underflow in `ngx_http_map_uri_to_path()` when a `COPY` operation is performed with a `Destination` header that is shorter than the location prefix 【1】. This allows an attacker to escape the WebDAV root and potentially read or write any file accessible by the nginx worker process UID 【1】.

The discovery process involved multiple rounds of refinement, with Claude initially generating a working crash and then evolving to more sophisticated exploits. Humans played a crucial role in identifying and shedding preconditions, leading to practical exploitability 【1】.

### Who is Affected

The vulnerability requires a specific, non-default nginx configuration:
* The `ngx_http_dav_module` must be compiled in 【1】.
* A `location` block must combine the `alias` directive with `dav_methods COPY` or `MOVE` 【1】.

While the **exposed population is small** due to these configuration requirements, the bug is considered **severe** for those affected 【1】.

### Security Implications

The primary security implication is the ability for a remote attacker to **read or write files anywhere** on the server that the nginx worker process has access to 【1】. This could lead to:
* **Data theft**: Attackers could read sensitive configuration files, user data, or source code.
* **System compromise**: Attackers could overwrite critical system files, inject malicious code, or deploy web shells to gain further control.
* **Denial of Service**: The vulnerability can also cause workers to crash 【1】.

### Technical Details

The vulnerability stems from an unsigned integer underflow in `ngx_http_map_uri_to_path()` when processing a `COPY` request. This occurs when the `Destination` header is shorter than the configured `alias` path 【1】. The exploit leverages this to manipulate path resolution, allowing traversal outside the intended WebDAV directory 【1】.

Different proof-of-concept (PoC) exploits were developed:
* **PoC-1 (Arbitrary File Write)**: Initially aimed to PUT a webshell and then COPY it to a target location like `/var/www/html/x.php`. This required a very long URI (over 4000 characters) and a deep directory tree, making it less practical 【1】. Later, a variant using `merge_slashes off` in nginx configuration allowed for a long URI that resolved to the same inode as a short path, eliminating the need for the deep tree and long folder names 【1】.
* **PoC-2 (File Read)**: Focused on copying existing files, such as `/etc/passwd`, into a downloadable location. This exploit was more practical as it required fewer preconditions and could rewrite both source and destination paths simultaneously 【1】.

The exploit development process highlighted a pattern where Claude aimed for the most powerful primitive with difficult preconditions, while humans refined the exploit by reducing preconditions and questioning existing ones 【1】.

### What Defenders Should Know

* **Configuration is Key**: The vulnerability is only exploitable if `ngx_http_dav_module` is enabled and used with `alias` and `dav_methods COPY` or `MOVE` 【1】. Reviewing nginx configurations for these specific directives is crucial.
* **Patch Promptly**: The fix for CVE-2026-27654 was released in **nginx 1.29.7** on March 24, 2026 【1】. Due to AI-powered commit watchers, the time between a fix being public and an exploit being reproducible can be zero days 【1】. Therefore, applying patches as soon as possible is critical.
* **Monitor for Unusual Activity**: Unusual file access patterns or unexpected file creations/modifications within WebDAV directories could indicate an attempted exploit.
* **Understand AI's Role**: The discovery process demonstrates how AI can accelerate vulnerability research. This also means that exploit development and reproduction can happen faster, shortening the effective "patch window" 【1】.

The vulnerability was reported to F5 and nginx on March 10, 2026, and F5 published an advisory acknowledging Calif.io, Claude, and Anthropic Research 【1】. Further details and PoCs can be found at [https://github.com/califio/publications/tree/main/MADBugs/nginx-CVE-2026-27654](https://github.com/califio/publications/tree/main/MADBugs/nginx-CVE-2026-27654) 【1】.
HWMonitor and CPU-Z downloads hijacked to deliver malware to users - The content posted on the URL is controlled by **CyberInsider** . The author of the article is **Amar Ćemanović** .

**What Happened:** Downloads of the popular system utilities **HWMonitor** and **CPU-Z** from the official CPUID website were compromised. Instead of the legitimate software, users were presented with malicious installers that delivered malware 【1】. The download links were redirected to external storage services that hosted trojanized Inno Setup packages 【1】.

**Who is Affected:** Users attempting to download or update **HWMonitor** and **CPU-Z** from the official CPUID website were at risk 【1】. The CPUID website was offline at the time of the report, indicating the potential scope of the incident 【1】.

**Security Implications:** This incident highlights the risk of **supply chain attacks**, where legitimate software distribution channels are hijacked to spread malware 【1】. The malware involved is described as **sophisticated**, employing multi-stage infection, memory-resident operations, and advanced evasion techniques to bypass security measures 【1】. This type of malware can be difficult to detect and remove 【1】. The threat group behind this attack has been previously linked to distributing trojanized FileZilla 【1】.

**Technical Details:** The attack involved redirecting users from the official CPUID website to external storage services. These services hosted **trojanized Inno Setup packages** 【1】. Once executed, the malware operates stealthily in memory and utilizes advanced evasion tactics 【1】.

**What Defenders Should Know:** Defenders need to be aware that **legitimate software downloads can be compromised** 【1】. The malware used in this attack is advanced, employing **memory-resident techniques and sophisticated evasion tactics** 【1】. During such incidents, users should exercise extreme caution even when downloading from official sources 【1】.
Protecting Cookies with Device Bound Session Credentials - **Google** controls the content posted at the provided URL. Specifically, the content is from **Ben Ackerman, Daniel Rubery, and Guillaume Ehinger** of the **Chrome team and Google Account Security team**.

**Device Bound Session Credentials (DBSC)** is a new protocol designed to protect against session theft by cryptographically binding authentication sessions to a specific device 【1】.

**What Happened:**
Google has implemented and rolled out an early version of DBSC, which has shown a significant reduction in session theft 【1】. This protocol aims to enhance security by making session cookies unusable if stolen.

**Who is Affected:**
This technology primarily affects **web developers** and **users** of web applications. Developers can implement DBSC to secure their users against session theft, while users benefit from enhanced security without needing to take any action, as the browser handles the cryptographic processes in the background 【1】.

**Security Implications:**
The main security implication is the **prevention of session theft**. By binding sessions to a device using hardware-backed security modules (like TPMs or Secure Enclaves), DBSC ensures that even if cookies are exfiltrated, they become useless to attackers because the attacker cannot possess the private key required to use them 【1】. Furthermore, DBSC is designed with privacy in mind, preventing websites from correlating user activity across sessions or sites, and it does not leak device identifiers or attestation data beyond what's necessary for session certification 【1】.

**Technical Details:**
DBSC utilizes hardware-backed security modules (e.g., TPM on Windows, Secure Enclave on macOS) to generate unique, non-exportable public/private key pairs for each session 【1】. When a new, short-lived session cookie is issued, Chrome must prove possession of the corresponding private key to the server. This process is managed by the browser, allowing web applications to continue using standard cookies for access while the complex cryptography and cookie rotation occur in the background 【1】.

**What Defenders Should Know:**
Defenders, particularly web developers, should be aware that DBSC offers a robust solution to combat session theft 【1】. They can upgrade their security by adding dedicated registration and refresh endpoints to their backends to support DBSC 【1】. Google provides a [developer guide](https://developer.chrome.com/docs/web-platform/device-bound-session-credentials), the [protocol specification](https://w3c.github.io/webappsec-dbsc/), and a [GitHub repository](https://github.com/w3c/webappsec-dbsc/) for implementation details, bug reporting, and feature requests 【1】. The protocol was developed through the W3C process with input from industry partners like Microsoft and has undergone Origin Trials with participation from platforms like Okta 【1】.
Fixing Mimikatz sekurlsa::logonpasswords on Windows 11 24H2/25H2 - Tanrikuluatahan

The cybersecurity article details issues encountered when using the **Mimikatz `sekurlsa::logonpasswords`** command on **Windows 11 24H2 and 25H2** versions. These issues stem from changes in Windows 11 that break Mimikatz's ability to extract credentials.

**What Happened:**
Mimikatz, a tool used for extracting credentials from memory, fails on newer Windows 11 builds (24H2/25H2) due to three primary technical reasons:
* A **missing byte pattern** in the signature table.
* A shift from **RIP-relative addressing to base-relative addressing**.
* **Struct layout changes** in the logon session and credential structures.
These changes result in Mimikatz being unable to correctly resolve memory addresses, leading to errors like the "Logon list error" observed in a test environment 【1】.

**Who is Affected:**
The primary users affected are **security professionals and attackers** who rely on Mimikatz for credential extraction. The changes specifically impact those attempting to use Mimikatz on **Windows 11 24H2 and 25H2** 【1】.

**Security Implications:**
The core security implication is that **attackers can potentially bypass security measures by patching signature patterns** within tools like Mimikatz to adapt to operating system changes 【1】. This highlights a cat-and-mouse game where attackers continuously modify their tools to evade detection, while defenders must adapt their defenses. The successful extraction of NTLM hashes, as demonstrated in the article, means that sensitive user credentials can still be compromised if these bypasses are effective 【1】.

**Technical Details:**
The article delves into the technical specifics of the Mimikatz failure. The address resolution process within Mimikatz produces incorrect addresses due to the aforementioned changes in Windows 11. The article explains how the formula used for address resolution breaks and proposes two solutions:
1. **Fixing the resolution formula** by adding a post-fix to compute `module_base + displacement`.
2. **Using an alternative pattern** in `LsapCreateLsaLogonSession` that leverages RIP-relative addressing 【1】.
Additionally, the article notes the need to update struct definitions for `KIWI_MSV1_0_LIST_64` and `msv1_0_primaryHelper` offsets to fully resolve the issue 【1】.

**What Defenders Should Know:**
Defenders need to be aware of several key points:
* **Attackers can modify tools:** Be vigilant for attackers patching signature patterns in security tools to bypass defenses 【1】.
* **Monitor for tool modifications:** Keep an eye on how common attack tools are being updated to circumvent new OS security features 【1】.
* **Update security tooling:** Ensure that security tools and signature databases are updated to detect these modified attack patterns 【1】.
* **Leverage OS protections:** Consider implementing and ensuring the proper functioning of **Credential Guard** and **LSASS (Local Security Authority Subsystem Service) protections** 【1】.
* **Verify OS build changes:** Defenders should be aware of and verify changes associated with new OS builds, as these can introduce vulnerabilities or break existing detection mechanisms 【1】.
* **Update detection logic:** Continuously update detection logic to account for signature updates in Mimikatz-like tools 【1】.
* **Ensure PPL/Credential Guard status:** Confirm that protections like Process Protection Level (PPL) and Credential Guard are enabled and functioning correctly 【1】.

It is important to note that the addresses and specific patterns may vary with future Windows updates 【1】.
Protecting your Administrator - **tyranid**

I am sorry, but I cannot provide a precis of the cybersecurity article located at the provided URL. The link leads to a PDF file hosted on GitHub, and I am unable to access and process the content of PDF documents directly. Therefore, I cannot extract the information needed to cover what happened, who is affected, the security implications, technical details, and what defenders should know.