    InfoSec News Nuggets 04/15/2026

    By admin, April 15, 2026

    Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, 2 Zero-Days

    Today is Patch Tuesday and it’s a big one — Microsoft shipped security updates addressing 167 vulnerabilities, including two zero-days and eight critical flaws, making this the second-largest monthly release in the company’s history. The actively exploited zero-day is a SharePoint Server spoofing vulnerability (CVE-2026-32201) already being used in the wild, while a second publicly disclosed zero-day in Microsoft Defender (CVE-2026-33825) appears to match the BlueHammer proof-of-concept exploit published to GitHub earlier this month. Among the critical flaws are a CVSS 9.8 unauthenticated RCE in the Windows IKE service, a potentially wormable TCP/IP vulnerability on IPv6/IPsec systems, and multiple Office RCE bugs in Word and Excel that can be triggered simply by previewing a malicious file in the Preview Pane — making Office updates a high priority for any organization whose users regularly handle email attachments.

     

    108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

    Researchers at Socket discovered a coordinated campaign in which 108 Chrome extensions — published across five publisher identities including Yana Project, GameGen, and Rodeo Games — all communicate with the same C2 server to steal credentials, inject ads, and run arbitrary JavaScript on every page visited. Among the specific behaviors documented: 54 extensions harvest Google account identity via OAuth2, 45 contain a backdoor that silently opens arbitrary URLs at browser startup, and several others exfiltrate Telegram Web session tokens every 15 seconds while stripping security headers from YouTube and TikTok to inject gambling overlays. All 108 share the same backend infrastructure hosted at the same IP address, and source code analysis revealed Russian-language comments across several of the add-ons — though attribution remains unconfirmed. Users who have installed any of the extensions should remove them immediately and log out of all active Telegram Web sessions.
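    The capabilities described above (running JavaScript on every page, rewriting response headers, reading Google identity via OAuth2) all have to be declared in an extension's manifest.json, so a quick inventory of a Chrome profile's manifests is a practical first triage step. The script below is an added example written for this post, not code from Socket or from the article; the Chrome profile layout it assumes (`<profile>/Extensions/<id>/<version>/manifest.json`) is Chrome's standard one, and the two sample extensions it writes to a temp directory are invented for the demonstration. The article does not list the 108 extension IDs, so the `blocklist` argument is left for the reader to fill from the original research.

```python
import json
import sys
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read cookies/sessions, alter network
# responses (e.g. strip security headers) or inject scripts.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "scripting", "cookies", "identity",
}


def chrome_extension_dirs(profile_dir):
    """Yield (extension_id, version_dir) for each installed extension in a Chrome profile."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            if (version_dir / "manifest.json").is_file():
                yield ext_dir.name, version_dir


def triage_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content-script match patterns also grant page access.
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("runs on all sites")
    risky = perms & RISKY_PERMISSIONS
    if risky:
        findings.append("sensitive permissions: " + ", ".join(sorted(risky)))
    if manifest.get("oauth2"):
        findings.append("requests Google OAuth2 identity")
    return findings


def triage_profile(profile_dir, blocklist=frozenset()):
    """Return report entries for extensions that are blocklisted or have risky manifests."""
    report = []
    for ext_id, version_dir in chrome_extension_dirs(profile_dir):
        # utf-8-sig tolerates the BOM some packed manifests carry.
        with open(version_dir / "manifest.json", encoding="utf-8-sig") as fh:
            manifest = json.load(fh)
        findings = triage_manifest(manifest)
        if ext_id in blocklist:
            findings.insert(0, "on blocklist")
        if findings:
            report.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),   # may be a __MSG_*__ locale key
                "version": manifest.get("version", "?"),
                "findings": findings,
            })
    return report


def build_demo_profile():
    """Write a constructed two-extension profile to a temp dir and return its path.
    The IDs, names and manifests are invented sample data for this demonstration."""
    root = Path(tempfile.mkdtemp(prefix="chrome-demo-"))
    samples = {
        "a" * 32: {"name": "Harmless Notes", "version": "1.0", "manifest_version": 3,
                   "permissions": ["storage"]},
        "b" * 32: {"name": "Free Game Booster", "version": "2.3", "manifest_version": 3,
                   "permissions": ["webRequest", "cookies", "tabs"],
                   "host_permissions": ["<all_urls>"],
                   "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com",
                              "scopes": ["email"]}},
    }
    for ext_id, manifest in samples.items():
        d = root / "Extensions" / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


def demo_report():
    """Run the triage over the constructed sample profile."""
    return triage_profile(build_demo_profile())


if __name__ == "__main__":
    # Pass a real profile path (e.g. Chrome's "Default" directory) to scan it;
    # with no argument the constructed demo profile is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_profile()
    for entry in triage_profile(target):
        print(f"{entry['id']} {entry['name']} {entry['version']}: {'; '.join(entry['findings'])}")
```

    Broad host access plus `webRequest` or `cookies` is not proof of malice (ad blockers and password managers need it), so treat the output as a shortlist for manual review against the extension's stated purpose and publisher.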

     

    Russia Hacked Routers to Steal Microsoft Office Tokens

    Russian military intelligence unit APT28 (Forest Blizzard) compromised over 18,000 mostly end-of-life SOHO routers — primarily older Mikrotik and TP-Link devices — without deploying any malware, instead exploiting known vulnerabilities to silently modify DNS settings to point to attacker-controlled servers. Once DNS was redirected, the hackers were able to intercept OAuth authentication tokens from Microsoft Office users on any network using the compromised routers, ultimately ensnaring over 200 organizations and 5,000 consumer devices at the campaign’s peak in December 2025. Researchers at Lumen’s Black Lotus Labs and the UK’s NCSC both issued advisories, noting that the hackers primarily targeted government agencies including ministries of foreign affairs and law enforcement, and that the attack required no user interaction — just being on a network whose router had already been silently reconfigured.
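    Because the campaign works by silently changing the router's DNS settings, the symptom visible from a client is that the resolver the network hands out returns different answers than an independent resolver does. The following script is an added example for this post, not tooling from Lumen or the NCSC: it sends a raw DNS A query (built and parsed with the standard library, so no third-party package is needed) to the locally configured resolver and to a trusted one, and flags hostnames on which the two disagree. The resolver addresses and hostnames in the `__main__` block are placeholders to replace with your own; the `build_response` helper exists only to produce a constructed response packet for offline testing.

```python
import random
import socket
import struct

# Remember the offset of the question name so responses can point back to it (0xC00C).
_QNAME_OFFSET = 12


def _encode_name(name):
    """Encode "a.b.c" as DNS labels: <len>a<len>b<len>c<0>."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, txid=None):
    """Build a minimal DNS A/IN query with recursion desired; return (txid, packet)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return txid, header + _encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(txid, name, addrs, ttl=60):
    """Constructed response packet for the query above (test data only, not real traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD, RA
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt, expected_txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = _QNAME_OFFSET
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE/QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.add(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen                             # CNAMEs etc. are skipped
    return addrs


def resolve_via(server, name, timeout=3.0):
    """Ask one specific resolver (UDP/53) for the A records of name."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_resolvers(local_answers, trusted_answers):
    """Names whose local answers share no address with the trusted resolver's answers."""
    return sorted(
        name for name, trusted in trusted_answers.items()
        if not (local_answers.get(name, set()) & trusted)
    )


def check_dns_hijack(local_resolver, trusted_resolver, names):
    """Resolve each name through both resolvers and return the disagreeing names."""
    local = {n: resolve_via(local_resolver, n) for n in names}
    trusted = {n: resolve_via(trusted_resolver, n) for n in names}
    return compare_resolvers(local, trusted)


if __name__ == "__main__":
    # Placeholders: put your router/DHCP-assigned resolver and a trusted resolver here.
    LOCAL_RESOLVER = "192.0.2.1"
    TRUSTED_RESOLVER = "192.0.2.53"
    NAMES = ["login.microsoftonline.com", "login.live.com"]
    for suspect in check_dns_hijack(LOCAL_RESOLVER, TRUSTED_RESOLVER, NAMES):
        print(f"WARNING: {suspect} resolves differently via {LOCAL_RESOLVER}")
```

    A disagreement is a lead, not a verdict: large identity providers sit behind GeoDNS and CDNs, so two resolvers can legitimately return disjoint address sets. Confirm a hit by inspecting the router's DNS configuration directly (and its firmware support status), which is also the only place the fix can be applied.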

     

    Triad Nexus Expands Global Fraud Operations Despite US Sanctions

    New research from Silent Push reveals that Triad Nexus, a cybercrime network responsible for more than $200 million in reported losses, has not only survived 2025 US Treasury sanctions but actively expanded its operations, scaling its fraud ecosystem to where average victim losses now reach $150,000. The group has adopted “infrastructure laundering” — abusing compromised cloud accounts at AWS, Cloudflare, Google, and Microsoft to host scam platforms that blend with legitimate traffic — alongside a “US block” that serves legal restriction messages to US IP addresses to avoid scrutiny while continuing operations in less-regulated markets. Triad Nexus has also industrialized digital brand impersonation, deploying highly convincing replicas of banking portals, luxury retail sites, and public services, with new localized templates now targeting Spanish, Vietnamese, and Indonesian-speaking victims as the network pushes into emerging markets.

     

    Black Shrantac ransomware targets industrial environments using living-off-the-land techniques

    A newer ransomware group dubbed Black Shrantac is gaining traction by blending into enterprise environments using legitimate administrative tools, making detection significantly harder. The group combines living-off-the-land techniques with double extortion and has been observed exploiting perimeter vulnerabilities to gain access, then maintaining persistence while evading traditional defenses, particularly in industrial and OT-heavy environments.

    The post InfoSec News Nuggets 04/15/2026 appeared first on AboutDFIR – The Definitive Compendium Project.
