Malware Activity
Why Today’s Cyberattacks Are Harder to Stop
Cyberattacks are rapidly evolving, with device code phishing and multi‑extortion ransomware emerging as two of the most dangerous trends facing organizations today. Device code phishing attacks have surged more than thirty-seven (37) times this year, exploiting a legitimate login process meant for devices like smart TVs and printers to trick users into approving attacker access on real, trusted websites. Because the login experience is genuine, victims often believe they are completing a routine security step, unknowingly granting long‑term access to their email, files, and cloud applications. This often happens without any password ever being stolen. At the same time, ransomware attacks have moved beyond simple file encryption to multi‑extortion tactics, where attackers steal sensitive data, threaten public leaks, disrupt operations, and even pressure customers or partners directly. These combined trends show attackers adapting quickly as defenses improve, using trust, automation, and layered coercion to increase impact. Together, they highlight how modern cyber threats now create operational, legal, financial, and reputational risks that extend far beyond traditional IT concerns. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Device Code Phishing Attacks Surge 37x As New Kits Spread Online article
- BleepingComputer: Evolution of Ransomware: Multi-Extortion Ransomware Attacks article
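One defender-side check for the device code abuse described above, as an added example that is not part of the original briefing: it reads sign-in records and flags device code authentications from a location the user's other sign-ins never use, since the device code sign-in is tied to the client that requested the code rather than to the victim's browser. The record shape (the authenticationProtocol, ipAddress, location and appDisplayName fields, modelled on Microsoft Entra ID sign-in logs) and the sample records are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real logs). The field names follow the
# shape of Microsoft Entra ID sign-in logs, which is an assumption about the
# log source; adapt the keys for another identity provider.
SAMPLE_SIGNINS = """
{"user": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": "US", "appDisplayName": "Outlook"}
{"user": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": "NL", "appDisplayName": "Constructed Client"}
{"user": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": "US", "appDisplayName": "Azure CLI"}
{"user": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "location": "US", "appDisplayName": "Teams"}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_locations(records):
    """Countries each user signs in from over their non-device-code sign-ins."""
    seen = defaultdict(set)
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode":
            seen[rec["user"]].add(rec["location"])
    return seen

def flag_device_code_signins(records):
    """Return device code sign-ins whose location is outside the user's baseline.

    A user with no non-device-code sign-ins has an empty baseline, so every
    device code sign-in for that user is flagged for review.
    """
    baseline = baseline_locations(records)
    flagged = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["location"] not in baseline.get(rec["user"], set()):
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    for rec in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print("review:", rec["user"], rec["ipAddress"], rec["location"], rec["appDisplayName"])
```

Bob's Azure CLI device code sign-in is left alone because it comes from the same country as his other activity; Alice's is surfaced for review.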
Threat Actor Activity
North Korean Sophisticated Social Engineering Heist Drains $280M from Drift Protocol
Drift, a Solana-based DeFi platform, lost roughly $280–285 million on April 1, 2026, in a highly targeted operation. Elliptic and TRM Labs attributed this operation with medium-to-high confidence to North Korean state-backed group UNC4736 (aka AppleJeus/Golden Chollima, linked to Lazarus). Investigators say the heist was at least six (6) months in the making and relied on deep social engineering rather than smart contract bugs. Starting in fall 2025, operatives posing as a quantitative trading firm approached specific Drift contributors at multiple international crypto conferences, building trust with technically fluent, well-documented personas. They maintained months of “normal” business discussions over Telegram, onboarded an Ecosystem Vault, and even deposited over $1 million to establish a credible operational presence inside the Drift ecosystem. Drift believes two (2) contributors were ultimately compromised: one likely via a malicious code repository containing a booby-trapped VS Code project (abusing tasks.json to auto-execute code on folder open), and another via a TestFlight “wallet” app. With this access, attackers obtained or misrepresented transaction approvals and, on April 1, rapidly hijacked the project’s Security Council powers, removed withdrawal limits, and drained user funds in about twelve (12) minutes using pre-signed transactions. Elliptic, TRM Labs, and others say on-chain behavior, laundering patterns, and infrastructure match prior DPRK crypto thefts, making this one (1) of at least eighteen (18) North Korean-linked crypto operations in 2026 and part of a broader, revenue-driven campaign to fund the regime.
- The Hacker News: UNC4736 Drift Heist Article
- The Record: UNC4736 Drift Heist Article
- Bleeping Computer: UNC4736 Drift Heist Article
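The booby-trapped VS Code project above relied on a task that the editor runs as soon as a folder is opened. As an added example (not code from Drift, the investigators, or the original article), the following scanner checks a cloned repository's .vscode/tasks.json for tasks whose runOptions.runOn is set to folderOpen before the folder is ever opened in the editor; the sample tasks.json is constructed and its command is a harmless placeholder.

```python
import json
import re
from pathlib import Path

# Constructed tasks.json for the example; the command is a harmless placeholder.
# The trigger to look for is runOptions.runOn == "folderOpen", which VS Code
# honours when a trusted folder is opened.
SAMPLE_TASKS_JSON = """
{
  // VS Code reads tasks.json as JSON with comments
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "echo placeholder-setup-step",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "make" }
  ]
}
"""

# Match JSON strings first so a "//" inside a URL is not treated as a comment.
_TOKEN_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)

def load_jsonc(text):
    """Parse JSON with comments and trailing commas, as VS Code does."""
    no_comments = _TOKEN_RE.sub(lambda m: m.group(1) or "", text)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)

def auto_run_tasks(tasks_json_text):
    """Return the tasks configured to run automatically on folder open."""
    doc = load_jsonc(tasks_json_text)
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({"label": task.get("label"), "command": task.get("command")})
    return hits

def scan_repo(root):
    """Check a cloned repository's .vscode/tasks.json before opening it in VS Code."""
    path = Path(root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return auto_run_tasks(path.read_text(encoding="utf-8"))
```

VS Code's Workspace Trust prompt already withholds automatic tasks from untrusted folders; this check belongs in the review step before a third-party repository is marked as trusted.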
Vulnerabilities
Dual Actively Exploited FortiClient EMS Vulnerabilities Drive Urgent Patching
Fortinet has issued emergency, out-of-band patches for two (2) critical FortiClient Enterprise Management Server (EMS) vulnerabilities, both of which are actively exploited in the wild: CVE-2026-35616 (CVSS 9.1), an improper access control flaw that enables unauthenticated attackers to bypass API authentication and execute arbitrary code or commands via crafted requests, and the previously disclosed CVE-2026-21643. The latest vulnerability, discovered by Defused Cyber, was observed as a zero-day prior to disclosure, with exploitation attempts detected by watchTowr honeypots as early as March 31, 2026, while Shadowserver reported over 2,000 exposed EMS instances globally, increasing the risk of widespread compromise. The newer flaw affects FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated with hotfixes or by upgrading to version 7.4.7. The rapid succession of these unauthenticated vulnerabilities highlights sustained targeting of Fortinet infrastructure, though it remains unclear whether the same threat actors are responsible or whether the flaws are being chained. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal patching by no later than April 9, 2026, while researchers warn that attackers are deliberately timing exploitation during holiday periods to exploit reduced security staffing, emphasizing that organizations should treat remediation as an immediate incident response priority.
- Bleeping Computer: FortiClient EMS Vulnerabilities Article
- The Hacker News: FortiClient EMS Vulnerabilities Article
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
Join the Cyber Flash Update community today.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
