1. North Korea’s APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html
The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage social engineering campaign in which the threat actors approached targets on Facebook and added them as friends, turning the trust-building exercise into a delivery channel for the RokRAT remote access trojan. Two Facebook accounts listing their location as Pyongyang and Pyongsong, North Korea, were used to identify and screen targets. After building trust over Messenger, victims were tricked into installing a trojanized version of Wondershare PDFelement disguised as a PDF viewer required to open “encrypted military documents.” The tampered installer silently deploys RokRAT, which abuses Zoho WorkDrive for C2 and uses a compromised Japanese real estate website to issue commands via payloads disguised as JPG images. The campaign reflects APT37’s continued focus on evolving delivery and evasion techniques rather than changing its core malware functionality.
2. Critical Marimo Pre-Auth RCE Flaw Now Under Active Exploitation https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/
A critical pre-authentication remote code execution flaw tracked as CVE-2026-39987 and rated 9.3 out of 10 allows unauthenticated code execution in Marimo versions 0.20.4 and earlier. Attackers built an exploit directly from the developer’s advisory and immediately deployed it in attacks that exfiltrated sensitive information. The vulnerability stems from Marimo’s WebSocket endpoint /terminal/ws exposing an interactive shell without any authentication checks, giving any unauthenticated client direct PTY shell access with the same privileges as the Marimo process. Marimo is a popular open-source Python notebook with around 20,000 GitHub stars, heavily used by data scientists and ML/AI practitioners, which makes exposed instances a high-value target for credential harvesting.
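An added triage example (not from the article or the Marimo project) for defenders reviewing an exposed instance: it flags completed WebSocket upgrades (HTTP 101) to the /terminal/ws path in reverse-proxy access logs and checks whether a deployed version falls in the affected range. It assumes a proxy fronts Marimo and writes combined-format logs; the log lines are constructed samples.

```python
import re
from typing import Iterable

# Constructed combined-format access log lines (not real traffic). Assumes a
# reverse proxy in front of Marimo logs the request line and response status.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2026:10:01:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Apr/2026:10:01:05 +0000] "GET /api/kernel/run HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2026:10:02:11 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "python-requests/2.31"
203.0.113.9 - - [13/Apr/2026:10:02:12 +0000] "GET /terminal/ws HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Versions 0.20.4 and earlier are affected, per the advisory summary above.
LAST_AFFECTED = (0, 20, 4)


def is_affected_version(version: str) -> bool:
    """Return True if a Marimo version string falls in the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= LAST_AFFECTED


def find_terminal_ws_upgrades(lines: Iterable[str]) -> list[dict]:
    """Flag completed WebSocket upgrades (HTTP 101) to /terminal/ws.

    A 101 means the proxy handed the socket to the backend, so on an
    unpatched instance each hit is a terminal session worth reviewing.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if path == "/terminal/ws" and m.group("status") == "101":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "ua": line.rsplit('"', 2)[-2]})
    return hits


if __name__ == "__main__":
    for hit in find_terminal_ws_upgrades(SAMPLE_LOG.splitlines()):
        print(f"terminal session from {hit['ip']} at {hit['ts']} ({hit['ua']})")
```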
3. Email Provider Leak Containing Over 40M Records Exposes L’Oréal, Renault, French Embassy Traffic https://cybernews.com/security/alinto-email-data-leak-exposes-traffic/
French email provider Alinto accidentally exposed over 40 million SMTP records on a publicly accessible Elasticsearch cluster. The leak revealed email addresses and traffic metadata from major corporations including L’Oréal, Renault, Carrefour, DHL, and others, as well as at least 14,000 unique French government email addresses, including those of embassies, municipalities, and government branches worldwide. While the content of the emails was not exposed, the leaked metadata (sender and receiver addresses, timestamps, and relay details) is enough to map corporate and government communication networks and enable highly targeted phishing that impersonates trusted contacts at predictable times. Cybernews disclosed the issue to Alinto and, although it received no reply, the publicly accessible database was secured the following day.
4. Fake Claude Site Installs Malware That Gives Attackers Access to Your Computer https://www.malwarebytes.com/blog/scams/2026/04/fake-claude-site-installs-malware-that-gives-attackers-access-to-your-computer
Malwarebytes researchers discovered a convincing fake website impersonating Anthropic’s Claude. Visitors who download the offered ZIP archive receive a copy of Claude that installs and runs as expected, but in the background it deploys a PlugX malware chain that gives attackers remote access to the system. The attack uses a textbook DLL sideloading technique: a legitimate signed G DATA antivirus updater is placed in the Windows Startup folder alongside a malicious avk.dll and an encrypted PlugX payload. Sandbox analysis confirmed the malware established C2 communication within just 22 seconds of execution. The operators are exploiting Claude’s surging popularity (approximately 290 million monthly web visits) as a social engineering hook, reusing a publicly documented sideloading technique from just weeks prior with an AI-themed installer as the new lure.
5. $12 Million Frozen, 20,000 Victims Identified in Crypto Scam Crackdown https://www.helpnetsecurity.com/2026/04/13/crypto-scam-crackdown-12-million-frozen/
More than $12 million has been frozen and over 20,000 victims identified in an international law enforcement operation targeting cryptocurrency and investment scammers. Authorities also uncovered more than $45 million in suspected cryptocurrency fraud losses worldwide; one UK victim identified during the operation is thought to have lost more than £52,000 to the fraud. Dubbed Operation Atlantic and led by the UK’s National Crime Agency alongside the U.S. Secret Service, Ontario Provincial Police, and Ontario Securities Commission, the weeklong operation targeted “approval phishing” scams, in which criminals trick victims into granting access to their cryptocurrency wallets, often through fake investment opportunities. Private-sector blockchain analytics firms helped trace illicit transactions and identify victims in real time before funds could be moved. The FBI’s broader cryptocurrency fraud data underscores the scale of the problem: investment scams involving crypto accounted for $7.2 billion of the $11.3 billion in total fraud-related losses reported in the most recent annual report.