
Monthly Cyber Threats Report - April 2026

Issue 16: April 2026

Editor's note

Francisco Sanches

Welcome to the April 2026 edition of the Cyber Threat Report. This month's articles cover threats targeting widely used, internet-facing technologies and the shrinking time organisations have to respond to new vulnerabilities.

Our first article covers a critical zero-day vulnerability in Citrix NetScaler, CVE‑2026‑3055, which allows attackers to hijack sessions through memory exposure, similar to the earlier CitrixBleed vulnerability. Approximately 30,000 systems remain exposed.

The second article examines Storm-1175, a financially motivated threat actor exploiting unpatched perimeter systems to deploy Medusa ransomware, often within 24 hours of gaining initial access.

Our third article looks at CVE‑2026‑34621, a prototype pollution vulnerability in Adobe Acrobat Reader being exploited through malicious PDF documents delivered via spear-phishing campaigns.

Our fourth article covers a supply chain attack in which two malicious versions of Axios, a JavaScript HTTP client with approximately 100 million weekly downloads, were used to deploy a cross-platform Remote Access Trojan attributed to North Korean state actor Sapphire Sleet. Separately, we recommend reviewing the NCSC's recent advisory on the exposure of Russian military intelligence operations hijacking vulnerable routers to conduct cyber attacks.

News
Storm-1175 targets exposed perimeter systems in Medusa ransomware campaign

This month, Microsoft Threat Intelligence reported that a financially motivated threat actor, tracked as Storm-1175, is conducting high-velocity ransomware campaigns against internet-facing enterprise systems, in which progression from initial access to ransomware deployment can occur within 24 hours. The activity was identified through Microsoft’s ongoing threat monitoring and incident response investigations.

Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution

In late March 2026, Adobe disclosed a high-severity prototype pollution vulnerability in Adobe Acrobat Reader, tracked as CVE‑2026‑34621, which affects the application's JavaScript engine used to process embedded scripts within PDF documents. The vulnerability carries a CVSS score of 8.6 and has been confirmed as actively exploited in targeted attacks. Exploitation requires user interaction: a victim must open a malicious file.

Axios supply chain attack deploys multi-OS malware

On March 30, 2026, StepSecurity identified two malicious versions of Axios - axios@1.14.1 and axios@0.30.4 - capable of delivering a cross-platform Remote Access Trojan (RAT). The packages were published to npm, an online database of JavaScript packages, and were available for approximately 3 hours before being unpublished.
