Malware Activity
When Old Devices and Destructive Malware Become Weapons
A series of recent cyber incidents highlights two growing and related risks: neglected network hardware and destructive malware aimed at disruption rather than profit. In one campaign, a Mirai botnet has been actively exploiting a known flaw in discontinued D‑Link routers, allowing attackers to remotely install malware and quietly turn these outdated devices into tools for large‑scale denial‑of‑service attacks. Although the vulnerability was disclosed more than a year ago, many of these routers remain in use despite no longer receiving security updates, making them easy targets. In a separate but equally concerning trend, a newly discovered wiper malware called Lotus was used in targeted attacks against Venezuela’s energy and utility sector. Unlike ransomware, Lotus is built to permanently destroy systems: after the attackers weaken defenses using simple scripts, it wipes hard drives and removes all recovery options. Together, these incidents show how unpatched technology and purpose‑built destructive malware are increasingly being leveraged for disruption, especially against critical infrastructure, underscoring the importance of timely device replacement, strong defenses, and reliable offline backups. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
Threat Actor Activity
ESET Reports Previously Undocumented GopherWhisper Spying on Mongolian Government
A newly identified China-aligned APT group, dubbed GopherWhisper by cybersecurity company ESET, has been targeting Mongolian government institutions and other unidentified victims since at least 2023. ESET discovered the group in January 2025 via a new Go-based backdoor called LaxGopher; the group uses a custom toolkit written mostly in Go and abuses legitimate cloud services for command-and-control (C2) and exfiltration. GopherWhisper’s toolset includes multiple backdoors and loaders: LaxGopher (Slack-based C2, command execution, payload download), RatGopher (Discord-based C2), BoxOfFriends (Microsoft 365 Outlook/Graph API using draft emails for C2), SSLORDoor (C++ backdoor over raw TLS on port 443), JabGopher (injector for LaxGopher), FriendDelivery (loader for BoxOfFriends), and CompactGopher (file collector that compresses and exfiltrates data to file.io). ESET telemetry shows at least twelve (12) infected systems in a Mongolian government entity, while Slack and Discord C2 traffic suggests dozens more victims. Using credentials hardcoded in the malware, researchers accessed the attackers’ Slack, Discord, and Outlook infrastructure and reviewed more than 6,000 Slack and 3,000 Discord messages dating back to 2023. Timestamps, working-hour patterns consistent with UTC+8, and zh-CN locale metadata support ESET’s attribution to a China-based actor. Indicators of Compromise (IOCs) have been published to help defenders detect and block this emerging threat; CTIX analysts have linked them in the ESET references below.
- The Hacker News: GopherWhisper Article
- Bleeping Computer: GopherWhisper Article
- ESET: GopherWhisper Report
- ESET: GopherWhisper White Paper
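Because GopherWhisper’s C2 rides on services that most organizations cannot simply block (Slack, Discord, Microsoft Graph, file.io), domain-based IOCs alone are weak; the behavioral check that matters is which process is talking to those services and how much it uploads. The script below is an added example written for this update, not code from ESET or from the GopherWhisper report; the proxy log format, the expected client process names, the sample log lines, and the upload threshold are all constructed assumptions.

```python
import re

# Legitimate services the GopherWhisper tooling is reported to abuse (per ESET),
# paired with the desktop client processes that would normally contact them.
# The process names are illustrative assumptions; a real allowlist would also
# include the browsers permitted in your environment.
ABUSED_SERVICES = {
    "slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe"},
    "file.io": set(),  # no expected client: any upload is worth a look
}
EXFIL_BYTES = 1_000_000  # constructed threshold for a "large upload"

# Constructed proxy log format: ts src_host process dest_host method path bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<dst>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

# Constructed sample traffic: one benign Slack client, one benign Outlook call,
# and three events that match the reported tradecraft.
SAMPLE_LOG = """\
2025-01-10T03:12:44Z host01 slack.exe slack.com GET /api/conversations.history 812
2025-01-10T03:13:01Z host02 svchost.exe slack.com POST /api/chat.postMessage 1320
2025-01-10T03:14:17Z host03 update.exe discord.com GET /api/v9/channels/x/messages 640
2025-01-10T03:15:02Z host03 outlook.exe graph.microsoft.com GET /v1.0/me/messages 2048
2025-01-10T03:16:55Z host04 winlogon.exe file.io POST /upload 4200000
""".splitlines()

def parse(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev

def service_for(dst):
    """Map a destination host (or subdomain) to an abused service, if any."""
    for svc in ABUSED_SERVICES:
        if dst == svc or dst.endswith("." + svc):
            return svc
    return None

def find_suspicious(lines):
    """Return (src, process, service, reason) tuples for events worth triage."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None or (svc := service_for(ev["dst"])) is None:
            continue
        reasons = []
        if ev["proc"].lower() not in ABUSED_SERVICES[svc]:
            reasons.append("unexpected client process")
        if ev["method"] == "POST" and ev["bytes"] >= EXFIL_BYTES:
            reasons.append("large upload")
        if reasons:
            hits.append((ev["src"], ev["proc"], svc, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The same process-to-service pairing can be applied to EDR network telemetry, which additionally lets you correlate the flagged process with the Go binaries and TLS-on-443 behavior described in the ESET report.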
Vulnerabilities
Active Exploitation of Microsoft Defender Zero-Days Triggers CISA Patch Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring U.S. Federal Civilian Executive Branch (FCEB) agencies to patch a high-severity Microsoft Defender privilege escalation vulnerability, tracked as CVE-2026-33825 (“BlueHammer”), within two (2) weeks following confirmed zero-day exploitation in the wild. The flaw enables low-privileged attackers to gain SYSTEM-level access due to improper access control granularity and was patched by Microsoft on April 14, 2026, after public disclosure and proof-of-concept release by a researcher known as “Chaotic Eclipse,” who also revealed two (2) additional Defender-related zero-days (“RedSun” and “UnDefend”). Security researchers at Huntress Labs observed real-world attacks involving hands-on-keyboard activity, indicating broader intrusion campaigns rather than isolated testing, with evidence pointing to suspicious infrastructure, including FortiGate SSL VPN access and a Russia-linked IP. In response, CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation by no later than May 7, 2026, and warning of the significant risk posed to federal systems. The alert follows a separate CISA warning about another actively exploited Windows privilege escalation flaw (CVE-2025-60710), underscoring a growing trend of attackers leveraging local privilege escalation vulnerabilities to achieve full system compromise. CTIX analysts urge affected readers to follow the CISA guidance by the deadline to prevent future exploitation.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
