Aviatrix Threat Research Center

In April 2026, an international law enforcement operation, in collaboration with private companies, successfully disrupted 'FrostArmada,' a cyber espionage campaign orchestrated by the Russian state-sponsored group APT28 (also known as Fancy Bear or Forest Blizzard). The campaign involved compromising small office/home office (SOHO) routers, primarily from MikroTik and TP-Link, to alter DNS settings and redirect traffic through attacker-controlled servers. This allowed APT28 to intercept authentication traffic and steal Microsoft 365 credentials and OAuth tokens. At its peak in December 2025, FrostArmada infected 18,000 devices across 120 countries, targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers. The operation to neutralize the malicious infrastructure was supported by Microsoft, Lumen's Black Lotus Labs, the FBI, the U.S. Department of Justice, and the Polish government. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/?utm_source=openai)) This incident underscores the evolving tactics of state-sponsored threat actors in exploiting network infrastructure vulnerabilities to conduct large-scale credential theft. The use of DNS hijacking via compromised routers highlights the need for organizations to secure network devices, implement robust monitoring, and adopt zero-trust principles to mitigate such sophisticated attacks.

In April 2026, security researchers identified active exploitation of a critical remote code execution (RCE) vulnerability, CVE-2025-59528, in Flowise, an open-source platform for building AI agents and large language model (LLM) workflows. This flaw, residing in the CustomMCP node, allows attackers to execute arbitrary JavaScript code without security validation, leading to potential full system compromise. Despite a patch being available since September 2025, many instances remain unpatched, exposing organizations to significant risks. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/max-severity-flowise-rce-vulnerability-now-exploited-in-attacks/?utm_source=openai)) The exploitation of this vulnerability underscores the persistent threat posed by unpatched software in widely used AI development tools. Organizations leveraging Flowise must prioritize immediate updates to mitigate potential breaches and safeguard sensitive data. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/max-severity-flowise-rce-vulnerability-now-exploited-in-attacks/?utm_source=openai))

In April 2026, over a dozen companies experienced data theft attacks following a breach at a SaaS integration provider, leading to the theft of authentication tokens. The majority of these attacks targeted Snowflake, a cloud-based data platform. Snowflake detected unusual activity in a small number of customer accounts linked to a specific third-party integration and promptly initiated an investigation, securing the affected accounts and notifying impacted customers. The attacks did not involve any vulnerability or compromise of Snowflake's systems. The ShinyHunters extortion group claimed responsibility for the attacks, stating they had stolen data from dozens of companies and were demanding ransom payments to prevent the release of the stolen data. The group also attempted to steal data from Salesforce but were thwarted by AI detection mechanisms. This incident underscores the critical importance of securing third-party integrations and the growing threat posed by sophisticated cybercriminal groups like ShinyHunters.

In early April 2026, the China-based cybercriminal group Storm-1175 executed a series of high-velocity attacks targeting vulnerable internet-facing systems across sectors such as healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States. By exploiting a combination of zero-day and N-day vulnerabilities, including CVE-2025-10035 in Fortra's GoAnywhere MFT and CVE-2026-23760 in SmarterMail, the group rapidly gained initial access. Post-compromise activities involved deploying web shells, creating new user accounts, and utilizing remote monitoring and management tools like SimpleHelp and MeshAgent for persistence and lateral movement. Within as little as 24 hours, Storm-1175 exfiltrated data and deployed Medusa ransomware, leading to significant operational disruptions for the affected organizations. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/?utm_source=openai)) This incident underscores the increasing sophistication and speed of financially motivated threat actors in exploiting newly disclosed vulnerabilities. The rapid transition from initial access to ransomware deployment highlights the critical need for organizations to promptly apply security patches, monitor for unauthorized activities, and implement robust incident response strategies to mitigate such high-tempo cyber threats.

In March 2026, Iranian-affiliated Advanced Persistent Threat (APT) actors initiated cyberattacks targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) within U.S. critical infrastructure sectors, including Government Services, Water and Wastewater Systems, and Energy. These attacks involved unauthorized access to PLCs, manipulation of project files, and alteration of data displayed on Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems, leading to operational disruptions and financial losses. This incident underscores the escalating cyber threat landscape, particularly in the context of geopolitical tensions. Organizations must prioritize securing internet-facing operational technology assets to mitigate risks associated with state-sponsored cyber activities.