Impact (HIGH)
Huge Networks' Infrastructure Exploited in Massive DDoS Attacks on Brazilian ISPs
In April 2026, Huge Networks, a Brazilian firm specializing in DDoS mitigation, was implicated in orchestrating massive DDoS attacks against Brazilian ISPs. An exposed archive revealed that a threat actor had root access to Huge Networks' infrastructure, utilizing it to build a botnet by exploiting vulnerabilities in TP-Link Archer AX21 routers, specifically CVE-2023-1389. The botnet conducted DNS amplification attacks, significantly impacting targeted ISPs. Huge Networks' CEO attributed the malicious activity to a security breach, suggesting a competitor's involvement to tarnish the company's reputation. This incident underscores the persistent threat posed by botnets leveraging IoT vulnerabilities, even years after patches are released. It highlights the critical need for organizations to secure their infrastructure and monitor for unauthorized access to prevent exploitation in large-scale cyberattacks.

3 hours ago

Impact (HIGH)
AI Uncovers Critical Vulnerabilities in OpenEMR EHR Platform
In April 2026, an AI-driven analysis by cybersecurity firm Aisle uncovered 38 previously unknown vulnerabilities in OpenEMR, an open-source electronic health record platform utilized by over 100,000 healthcare providers globally. These vulnerabilities, ranging from medium to critical severity, included issues like missing authorization checks, cross-site scripting (XSS), SQL injection, path traversal, and session-related flaws. Exploitation of these vulnerabilities could have led to full database compromises, large-scale exfiltration of protected health information (PHI), and remote code execution on servers. ([darkreading.com](https://www.darkreading.com/vulnerabilities-threats/ai-finds-38-security-flaws-openemr?utm_source=openai)) The rapid identification and remediation of these flaws underscore the transformative impact of AI in vulnerability research, significantly reducing the time required for such analyses. However, this also highlights the growing challenge for security teams to triage and address the increasing volume of discovered vulnerabilities, emphasizing the need for robust and proactive cybersecurity measures in the healthcare sector.

4 hours ago

Impact (HIGH)
Critical RCE Vulnerability CVE-2026-3854 in GitHub Enterprise Server
In March 2026, a critical remote code execution (RCE) vulnerability, CVE-2026-3854, was identified in GitHub Enterprise Server. This flaw allowed attackers with push access to a repository to execute arbitrary code on the server by exploiting improperly sanitized push option values during git push operations. The vulnerability was reported by cloud security firm Wiz through GitHub's bug bounty program and was promptly addressed by GitHub, with patches released for affected versions. The discovery of CVE-2026-3854 underscores the evolving landscape of cybersecurity threats, particularly the role of AI in identifying vulnerabilities within closed-source binaries. This incident highlights the necessity for organizations to adopt proactive security measures and stay vigilant against emerging attack vectors facilitated by advanced technologies.

4 hours ago

Impact (HIGH)
Claude Mythos AI Exposes Critical Vulnerabilities in Japan's Financial Systems
In April 2026, Anthropic's advanced AI model, Claude Mythos, demonstrated the capability to autonomously identify and exploit previously unknown vulnerabilities across major operating systems and web browsers. This revelation prompted Japan's financial authorities, including the Financial Services Agency and the Bank of Japan, to establish a task force aimed at mitigating potential cybersecurity threats to the nation's financial infrastructure. The task force's formation underscores the urgency of addressing AI-driven cyber risks in a sector heavily reliant on interconnected and legacy systems. The emergence of AI models like Claude Mythos signifies a paradigm shift in cybersecurity, where the speed and sophistication of potential attacks could outpace traditional defense mechanisms. Financial institutions worldwide are now compelled to reassess and fortify their security postures to counteract the evolving threat landscape posed by advanced AI capabilities.

4 hours ago

Impact (HIGH)
EtherRAT Campaign: A New Era of Malware Distribution via GitHub and Ethereum
In March 2026, a sophisticated cyber campaign was identified targeting enterprise administrators, DevOps engineers, and security analysts. The attackers employed SEO poisoning to manipulate search engine results, leading victims to GitHub repositories that impersonated legitimate administrative tools. These repositories hosted malicious MSI installers, which, upon execution, deployed EtherRAT—a Node.js-based backdoor. Notably, EtherRAT utilized Ethereum smart contracts to dynamically resolve command-and-control (C2) addresses, enhancing the malware's resilience and evasion capabilities. This incident underscores a strategic shift in cyberattack methodologies, combining social engineering with decentralized technologies to evade detection and maintain persistence. The use of blockchain for C2 infrastructure highlights the evolving tactics of threat actors, necessitating adaptive defense strategies to counter such innovative threats.

4 hours ago

Impact (MEDIUM)
Critical Security Update for ABB PCM600: Addressing CVE-2018-1002208
In November 2025, ABB disclosed a critical vulnerability (CVE-2018-1002208) in its Protection and Control IED Manager PCM600 software, versions 1.5 through 2.13. This flaw, stemming from the SharpZipLib component, allows attackers to execute arbitrary code by sending specially crafted messages to the system node. The vulnerability, known as 'Zip-Slip,' involves improper limitation of a pathname to a restricted directory, leading to path traversal issues. ABB has addressed this issue in PCM600 version 2.14 and recommends users update promptly. ([cyber.gc.ca](https://www.cyber.gc.ca/en/alerts-advisories/control-systems-abb-security-advisory-av25-719?utm_source=openai)) The disclosure underscores the persistent risks associated with third-party libraries in industrial control systems. Organizations must remain vigilant, ensuring timely updates and implementing robust security measures to protect critical infrastructure from evolving cyber threats.

4 hours ago

Impact (HIGH)
Critical Authentication Bypass Vulnerability in ABB Ability OPTIMAX (CVE-2025-14510)
In January 2026, ABB disclosed a critical vulnerability (CVE-2025-14510) in its Ability OPTIMAX software, widely used in industrial optimization. The flaw, stemming from an incorrect implementation of the authentication algorithm, affects versions 6.1, 6.2, 6.3.0 before 6.3.1-251120, and 6.4.0 before 6.4.1-251120. Exploitation could allow remote attackers to bypass authentication, potentially compromising confidentiality, integrity, and availability of industrial control systems. ([sentinelone.com](https://www.sentinelone.com/vulnerability-database/cve-2025-14510/?utm_source=openai)) This incident underscores the escalating risks in industrial control systems due to authentication vulnerabilities. With increasing integration of such systems into broader networks, the potential for unauthorized access and operational disruption grows, highlighting the need for robust security measures and timely patch management.

4 hours ago

Impact (MEDIUM)
Critical Vulnerability in ABB's IEC 61850 Communication Stack (CVE-2025-3756)
In April 2026, ABB disclosed a vulnerability (CVE-2025-3756) in the IEC 61850 communication stack used in its System 800xA and Symphony Plus products. An attacker with access to the IEC 61850 network could exploit this flaw by sending specially crafted packets, causing the PM 877, CI850, and CI868 modules to enter a fault state, or rendering the S+ Operations 61850 connectivity unavailable, leading to a denial-of-service condition. The overall functionality of the S+ Operations node remains unaffected; only the IEC 61850 communication function is impacted. Affected versions include AC800M (System 800xA) from 6.0.0x through 6.2.0006.0, Symphony Plus SD Series versions A_0 through B_0.005, Symphony Plus MR versions 3.10 through 3.52, and S+ Operations versions 2.1 through 3.3. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2025-3756?utm_source=openai)) This vulnerability underscores the critical importance of securing industrial control systems, especially those utilizing the IEC 61850 protocol. As cyber threats targeting operational technology environments continue to evolve, organizations must prioritize timely patching, network segmentation, and robust access controls to mitigate potential risks.

4 hours ago

Impact (CRITICAL)
Google Patches Critical RCE Vulnerability in Gemini CLI
In April 2026, Google addressed a critical security vulnerability in the Gemini CLI, specifically affecting the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow. This flaw, assigned a CVSS score of 10.0, allowed unprivileged external attackers to execute arbitrary commands on host systems by injecting malicious content into Gemini configuration files. The vulnerability was particularly concerning in Continuous Integration (CI) environments where Gemini CLI operated in headless mode, automatically trusting workspace folders and potentially leading to remote code execution via malicious environment variables in the local .gemini/ directory. ([thehackernews.com](https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html?utm_source=openai)) The incident underscores the critical importance of securing CI/CD pipelines against supply chain attacks. As organizations increasingly rely on automated workflows, ensuring that tools like Gemini CLI do not implicitly trust unverified inputs is essential to prevent potential exploitation and maintain the integrity of development environments.

4 hours ago

Impact (CRITICAL)
Critical Vulnerability in ABB Ability Edgenius: Immediate Action Required
In November 2025, a critical authentication bypass vulnerability (CVE-2025-10571) was identified in ABB Ability Edgenius versions 3.2.0.0 and 3.2.1.1. This flaw allows unauthenticated attackers on adjacent networks to send specially crafted messages to the system node, enabling them to install and run arbitrary code, uninstall applications, and modify configurations of installed applications. The vulnerability has a CVSS v3.1 base score of 9.6, indicating its critical severity. ABB has released version 3.2.2.0 to address this issue and recommends immediate upgrading. ([library.e.abb.com](https://library.e.abb.com/public/6fed91aad9034910b99298c58e407979/7PAA022088_B_en_Edgenius%20Management%20Portal%20Authentication%20Bypass.pdf?x-sign=4U%2FLxIrP3%2FTAiNhR45U6GCkLpQhWbUhpnelc58Oz1NsjOPYafSbXv48t5cNUuiBc&utm_source=openai)) The discovery of this vulnerability underscores the increasing risks associated with edge computing platforms in industrial environments. As these systems often bridge IT and operational technology (OT) networks, their compromise can lead to significant operational disruptions and safety hazards. Organizations must prioritize securing such platforms to prevent unauthorized access and potential exploitation.

4 hours ago

Impact (HIGH)
DEEP#DOOR: Unveiling the Python Backdoor Exploiting Tunneling Services
In April 2026, cybersecurity researchers identified a sophisticated Python-based backdoor framework named DEEP#DOOR targeting Windows systems. The attack initiates with an obfuscated batch script that disables Windows security features and extracts an embedded Python payload, establishing persistence through multiple mechanisms such as startup folder entries, registry run keys, and scheduled tasks. The malware communicates with attacker infrastructure via a public TCP tunneling service, enabling remote command execution and extensive surveillance capabilities, including keylogging, screenshot capture, and credential harvesting from browsers and cloud services. DEEP#DOOR employs advanced evasion techniques, including sandbox and virtual machine detection, to avoid detection and complicate incident response efforts. This incident underscores the evolving sophistication of threat actors who leverage fileless, script-driven intrusion frameworks that utilize native system components and interpreted languages like Python. The use of public tunneling services for command-and-control communications highlights a trend towards minimizing forensic footprints and blending malicious traffic with legitimate network activity, posing significant challenges for traditional detection methods.

4 hours ago

Impact (HIGH)
Critical Security Vulnerabilities Discovered in ABB AWIN Gateways
In March 2026, ABB disclosed multiple vulnerabilities in its AWIN Gateways, specifically affecting firmware versions 2.0-0 and 2.0-1 on the GW100 rev.2, and versions 1.2-0 and 1.2-1 on the GW120. These vulnerabilities include authentication bypass by capture-replay (CVE-2025-13777), missing authentication for critical functions leading to remote device reboot (CVE-2025-13778), and unauthorized access to system configurations revealing sensitive details (CVE-2025-13779). Exploitation of these flaws could allow attackers to gain unauthorized access, disrupt device operations, and expose confidential information. ([library.e.abb.com](https://library.e.abb.com/public/3df44661342a482f9b39595fb1457446/4JNO000329_A_en%20Vulnerabilities%20in%20Embedded%20Webserver.pdf?x-sign=hpo%2FlHiVW9S%2FJFfI7on%2BhNiDyo6eVzQkPp6%2BJB4nbIGqiVRH4VpRTPwCRDjUFbLP&utm_source=openai)) The disclosure underscores the critical need for robust security measures in industrial control systems, as such vulnerabilities can have significant operational and safety implications. Organizations utilizing ABB AWIN Gateways should promptly apply the recommended firmware updates and review their network security protocols to mitigate potential risks.

5 hours ago
