Malware Activity
How Attackers Are Weaponizing App Stores and Messaging Apps
Recent investigations highlight a troubling trend in which attackers abuse trusted platforms to quietly compromise both mobile and desktop devices at scale. On Android, a sophisticated malware known as NoVoice was distributed through the official Google Play Store, hidden inside legitimate-looking apps that infected over 2.3 million devices before being removed. These apps worked as advertised and raised no immediate red flags, yet they exploited security flaws in outdated Android versions to gain deep system access and embed themselves so thoroughly that even a factory reset may not fully remove them. At the same time, Microsoft has warned of a parallel campaign targeting Windows users via WhatsApp, in which attackers deliver malicious script files through social engineering. Once opened, these files abuse built-in Windows tools and trusted cloud services to bypass security controls, escalate privileges, and establish long-term remote access. Together, these incidents underscore a growing reality: even official app stores and familiar messaging platforms can serve as entry points, especially when devices are unpatched and users are caught off guard by seemingly routine interactions. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
Threat Actor Activity
TA416 Reverts Espionage Operations Back to Targeting EU/NATO, Expanding into Middle East
A China-linked cyberespionage group tracked by Proofpoint researchers as TA416 (also known as Mustang Panda, Twill Typhoon, RedDelta/SmugX) has refocused on European and Middle Eastern diplomatic targets since mid-2025, after two (2) years prioritizing Southeast Asia, Taiwan, and Mongolia. The Proofpoint researchers point out that the renewed activity closely tracks geopolitical flashpoints: heightened EU–China tensions over trade, the Russia–Ukraine war, rare earths, and, from March 2026, the Iran conflict. TA416’s primary targets are mailboxes tied to EU and NATO delegations and other diplomatic missions, later expanding to Middle Eastern government and embassy networks. Initial waves used “humanitarian concerns,” interview requests, collaboration proposals, and a Greenland troop-deployment article as lures, first for web-bug reconnaissance (tracking who opens emails) and then for malware delivery. Across late 2025 and early 2026, the group repeatedly changed its initial infection chains while keeping the same objective: deploying a customized PlugX backdoor via DLL sideloading. Techniques included fake Cloudflare Turnstile pages impersonating Microsoft logins that led to ZIP-smuggled LNK payloads; abuse of Microsoft Entra ID OAuth redirects from legitimate Microsoft URLs to attacker download sites; and archives on Google Drive or compromised SharePoint sites containing a renamed MSBuild executable and malicious C# project files that fetch PlugX loaders. Recent PlugX variants add stronger evasion (API hashing, junk code, control-flow flattening), persistence via Run keys, and RC4-encrypted HTTP command-and-control (C2) with evolving protocols and config obfuscation. TA416 heavily uses re-registered legitimate domains, Cloudflare CDN, and VPS providers to evade reputation-based defenses.
Overall, TA416 appears to be running long-term intelligence-gathering campaigns against EU/NATO and now Middle Eastern diplomatic entities, aligned with national strategic interests.
Vulnerabilities
Actively Exploited Chrome Zero-Day Highlights Ongoing Memory Safety Risks Across Browser Components
Google has released critical security updates for Google Chrome to address twenty-one (21) vulnerabilities, including the actively exploited zero-day CVE-2026-5281, a high-severity use-after-free flaw in Dawn, the browser’s WebGPU implementation, which allows a remote attacker who has already compromised the renderer process to execute arbitrary code via a crafted HTML page. Google confirmed in-the-wild exploitation but has withheld technical details to limit further weaponization. This vulnerability is part of a broader cluster of memory safety issues patched in the same release, with nineteen (19) high-severity flaws spanning key components such as CSS, GPU, V8, WebGL, WebCodecs, Web MIDI, WebView, Navigation, Compositing, and Dawn itself. Many of these involve use-after-free conditions, buffer overflows, and object corruption, underscoring persistent systemic risk within browser rendering pipelines. Notably, several vulnerabilities were identified internally by Google, indicating ongoing proactive threat hunting, while the volume and severity of issues signal heightened exploitation pressure. This marks the fourth Chrome zero-day actively exploited in 2026. The updates bring Chrome to version 146.0.7680.177/178 (Windows and macOS) and 146.0.7680.177 (Linux), and users (including those on Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi) are strongly urged to apply patches immediately. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for federal agencies by no later than April 15, 2026, further reinforcing the urgency of patching across both enterprise and government environments.
- Cybersecurity News: Google Zero-day Vulnerability Article
- The Hacker News: Google Zero-day Vulnerability Article
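Turning the advisory into a fleet check means comparing installed Chrome builds against the first fixed build numerically, not as strings (a lexical comparison would rank 146.0.7680.9 above 146.0.7680.177). The following is an added example, not code from Google, CISA or the cited articles, that parses a constructed inventory export and reports which hosts still need the update and how many days remain before the KEV deadline. The fixed build numbers and the April 15, 2026 deadline are the ones stated in the advisory text; the inventory rows, host names and CSV layout are assumptions for this example. It checks Chrome only, since Edge, Brave, Opera and Vivaldi carry their own version numbering.

```python
import csv
import io
from datetime import date

# First fixed Chrome build per platform, from the advisory text (Windows/macOS also shipped a .178 build).
PATCHED = {
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
KEV_DEADLINE = date(2026, 4, 15)  # CISA remediation deadline for CVE-2026-5281

# Constructed inventory export for this example (not real hosts).
INVENTORY_CSV = """host,platform,chrome_version
ws-001,windows,146.0.7680.150
ws-002,windows,146.0.7680.178
mac-010,macos,146.0.7680.9
lx-020,linux,146.0.7680.177
lx-021,linux,145.0.7632.200
ws-003,windows,unknown
"""


def parse_version(text):
    """Turn '146.0.7680.150' into a tuple of ints so comparisons are numeric; raise on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(version_text, platform):
    """True if the host's Chrome is older than the first fixed build for its platform."""
    minimum = PATCHED[platform.lower()]  # KeyError for platforms this check does not cover
    return parse_version(version_text) < minimum


def triage_inventory(csv_text, today):
    """Return ([(host, status), ...], days_to_deadline); status is 'vulnerable', 'patched' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            vulnerable = needs_update(row["chrome_version"], row["platform"])
            status = "vulnerable" if vulnerable else "patched"
        except (ValueError, KeyError):
            status = "unknown"  # unparsable version or uncovered platform: treat as unverified, not safe
        results.append((row["host"], status))
    return results, (KEV_DEADLINE - today).days


if __name__ == "__main__":
    hosts, days_left = triage_inventory(INVENTORY_CSV, date.today())
    for host, status in hosts:
        print(f"{host}: {status}")
    print(f"days until KEV deadline: {days_left}")
```

Hosts that report an unparsable version are listed as unknown rather than patched, so a broken inventory agent cannot silently hide an exposed browser.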
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
