Impact (HIGH)
Critical Windows Task Host Vulnerability (CVE-2025-60710) Exploited in the Wild
In November 2025, Microsoft disclosed CVE-2025-60710, a privilege escalation vulnerability in the Windows Task Host component affecting Windows 11 and Windows Server 2025. This flaw allows local attackers with basic user permissions to gain SYSTEM privileges through low-complexity attacks, potentially leading to full control over compromised devices. The vulnerability arises from improper link resolution before file access, commonly referred to as 'link following'. On April 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-60710 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. This inclusion underscores the critical need for organizations to apply the available patches promptly to mitigate potential security risks.

10 hours ago

Impact (HIGH)
Dragon Boss Solutions' 2026 Adware Supply Chain Attack: A Wake-Up Call for Cybersecurity
In March 2026, security researchers uncovered a sophisticated adware campaign orchestrated by Dragon Boss Solutions LLC, a company claiming to engage in 'search monetization research.' The campaign involved digitally signed software that, under the guise of legitimate applications, deployed payloads with SYSTEM privileges to disable antivirus protections across thousands of endpoints. This operation leveraged an unregistered update domain, allowing potential attackers to hijack the update mechanism and push malicious payloads to over 25,000 infected systems worldwide, including those within critical infrastructure sectors such as education, utilities, government, and healthcare. This incident underscores the evolving nature of adware threats, which are increasingly adopting advanced techniques to escalate privileges and disable security measures. The exploitation of unregistered domains in software update mechanisms highlights a significant supply chain vulnerability, emphasizing the need for organizations to scrutinize third-party software components and ensure the integrity of their update processes to prevent similar attacks.

10 hours ago

Impact (HIGH)
Massive WordPress Plugin Supply Chain Attack Compromises Thousands of Websites
In August 2025, a malicious actor acquired the EssentialPlugin suite, comprising over 30 WordPress plugins, and embedded dormant backdoors into their codebase. These backdoors remained inactive until April 2026, when they were activated to inject spam content and redirects into websites using the compromised plugins. This supply chain attack affected thousands of sites, exploiting the trust placed in widely-used plugins to distribute malware. The incident underscores the critical need for vigilance in monitoring third-party software components and the potential risks associated with software supply chain vulnerabilities. As attackers increasingly target trusted software providers to distribute malicious code, organizations must implement robust security measures to detect and mitigate such threats.

10 hours ago

Impact (CRITICAL)
Critical Nginx UI Vulnerability (CVE-2026-33032) Enables Unauthenticated Server Takeover
In March 2026, a critical vulnerability (CVE-2026-33032) was discovered in Nginx UI, a web-based management interface for the Nginx web server. This flaw allowed unauthenticated remote attackers to invoke Model Context Protocol (MCP) tools without credentials, enabling actions such as restarting Nginx and creating, modifying, or deleting configuration files. The root cause was an unprotected '/mcp_message' endpoint that, because an empty default IP whitelist was treated as 'allow all,' permitted unrestricted access. Exploitation of this vulnerability could lead to complete server takeover, allowing attackers to intercept traffic, harvest credentials, and disrupt services. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-33032?utm_source=openai)) The vulnerability was actively exploited in the wild, with approximately 2,600 publicly exposed instances identified, primarily in China, the United States, Indonesia, Germany, and Hong Kong. ([thehackernews.com](https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html?utm_source=openai)) A patch was released in version 2.3.4 on March 15, 2026, addressing the issue by adding the missing authentication check to the '/mcp_message' endpoint. ([securityaffairs.com](https://securityaffairs.com/190841/hacking/cve-2026-33032-severe-nginx-ui-bug-grants-unauthenticated-server-access.html?utm_source=openai))

10 hours ago

Impact (HIGH)
AgingFly Malware: A New Threat to Critical Infrastructure
In March 2026, a sophisticated cyberattack targeted Ukrainian local governments and hospitals, deploying a new malware family named 'AgingFly.' The attack began with phishing emails offering humanitarian aid, leading recipients to compromised or fake websites. These sites delivered malicious files that, once executed, initiated a multi-stage infection process. The final payload, AgingFly, enabled attackers to steal authentication data from Chromium-based browsers and the WhatsApp messenger, and provided remote control capabilities over infected systems. CERT-UA attributed these attacks to the threat actor group UAC-0247. This incident underscores the evolving tactics of cyber adversaries, including the use of AI-generated content and advanced multi-stage malware delivery mechanisms. Organizations, especially those in critical sectors, must remain vigilant against such sophisticated social engineering attacks and enhance their cybersecurity defenses accordingly.

10 hours ago

Impact (HIGH)
Backdoor.MSIL.XWorm Phishing Campaign Compromises ICS Globally in Q4 2025
In Q4 2025, a significant phishing campaign known as "Curriculum-vitae-catalina" targeted HR personnel globally. Attackers sent emails disguised as job applications, with subjects like "Resume" or "Attached Resume," containing malicious attachments named "Curriculum Vitae-Catalina.exe." When executed, these files installed the Backdoor.MSIL.XWorm malware, granting remote control over infected systems. The campaign unfolded in two waves: the first in October affecting regions including Russia, Western Europe, South America, and Canada; the second in November impacting other areas. The attack subsided by December. Regions with historically high email threat rates, such as Southern Europe, South America, and the Middle East, reported the highest infection rates. In Africa, the malware also spread via USB devices connected to ICS computers. ([securelist.com](https://securelist.com/industrial-threat-report-q4-2025/119392/?utm_source=openai)) This incident underscores the evolving sophistication of phishing attacks targeting industrial control systems (ICS). The widespread distribution and rapid propagation of Backdoor.MSIL.XWorm highlight the critical need for enhanced email security measures and user awareness training to mitigate such threats.

10 hours ago

Impact (CRITICAL)
n8n Webhooks Exploited in Phishing Campaigns Since October 2025
In October 2025, threat actors began exploiting n8n, a widely-used AI workflow automation platform, to conduct sophisticated phishing campaigns. By creating malicious webhooks on n8n's trusted infrastructure, attackers were able to bypass traditional security filters and deliver malware or perform device fingerprinting through automated emails. This abuse allowed them to distribute malicious payloads and gather sensitive information from targeted devices. ([thehackernews.com](https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html?utm_source=openai)) The exploitation of legitimate automation platforms like n8n underscores a growing trend where attackers leverage trusted services to evade detection. This incident highlights the need for organizations to scrutinize third-party integrations and enhance monitoring of automated workflows to prevent similar abuses. ([blog.talosintelligence.com](https://blog.talosintelligence.com/the-n8n-n8mare/?utm_source=openai))

11 hours ago

Impact (HIGH)
Comprehensive Analysis of the 2026 Threat Detection Report
In 2025, Red Canary analyzed over 110,000 threats across more than 4.5 million identities, endpoints, and cloud assets, revealing significant shifts in the cyber threat landscape. Key findings include a surge in identity-related attacks, with adversaries targeting credentials through info stealers, consent phishing, and OAuth abuse. Browsers have become primary attack vectors, serving as both the main workspace for users and a conduit for malicious payloads via compromised extensions and token theft. Additionally, the abuse of Remote Monitoring and Management (RMM) tools has escalated, with adversaries leveraging these tools for unauthorized access and control. ([redcanary.com](https://redcanary.com/blog/threat-detection/2026-threat-detection-report/?utm_source=openai)) These trends underscore the evolving tactics of cyber adversaries and the necessity for organizations to implement layered security controls. The interconnected nature of identity compromise, browser exploitation, and social engineering highlights the importance of comprehensive defense strategies combining device trust, user authentication, and behavioral monitoring to mitigate these emerging threats. ([redcanary.com](https://redcanary.com/resources/videos/secops-weekly-inside-the-2026-threat-detection-report/?utm_source=openai))

12 hours ago

Impact (HIGH)
Understanding the TeamPCP Supply Chain Attack of March 2026
In March 2026, the threat actor group TeamPCP executed a sophisticated supply chain attack, compromising widely used developer tools including Aqua Security's Trivy, Checkmarx's KICS, and the LiteLLM Python package. By exploiting stolen credentials, they injected credential-stealing malware into these tools, leading to the exfiltration of sensitive data such as API keys, cloud service credentials, and source code from numerous organizations. The attack unfolded rapidly over a span of five days, with each compromised tool serving as a vector to infiltrate the next, demonstrating the cascading risks inherent in supply chain vulnerabilities. This incident underscores the critical importance of securing the software supply chain, especially as attackers increasingly target trusted development tools to gain unauthorized access. Organizations must implement robust security measures, including regular credential rotation, stringent access controls, and continuous monitoring of CI/CD pipelines, to mitigate the risks associated with such attacks.

12 hours ago

Impact (CRITICAL)
Microsoft's April 2026 Patch Tuesday: Addressing Critical Vulnerabilities and Zero-Day Exploits
In April 2026, Microsoft released a substantial Patch Tuesday update addressing 167 vulnerabilities across its product suite, making it the second-largest patch release in the company's history. This update included two zero-day vulnerabilities: CVE-2026-32201, a spoofing flaw in Microsoft SharePoint Server that was actively exploited in the wild, and CVE-2026-33825, an elevation of privilege issue in Microsoft Defender that had been publicly disclosed prior to patching. Additionally, eight critical vulnerabilities were addressed, affecting components such as Windows Internet Key Exchange (IKE) Service Extensions and Microsoft Word. The prevalence of elevation of privilege vulnerabilities, accounting for 57% of the patches, underscores the critical need for organizations to prioritize these updates to mitigate potential security risks. ([notebookcheck.net](https://www.notebookcheck.net/Microsoft-April-2026-Patch-Tuesday-fixes-167-vulnerabilities-and-two-zero-days.1274388.0.html?utm_source=openai)) The urgency of this update is heightened by the active exploitation of CVE-2026-32201 and the public disclosure of CVE-2026-33825, which could lead to increased targeting by threat actors. Organizations are advised to promptly apply these patches to protect their systems from potential attacks leveraging these vulnerabilities. ([notebookcheck.net](https://www.notebookcheck.net/Microsoft-April-2026-Patch-Tuesday-fixes-167-vulnerabilities-and-two-zero-days.1274388.0.html?utm_source=openai))

17 hours ago

Impact (LOW)
Strengthening Defenses Against the Rise of EDR Killers Utilizing BYOVD Techniques
In early 2026, security researchers observed a significant increase in the use of EDR (Endpoint Detection and Response) killers employing the Bring Your Own Vulnerable Driver (BYOVD) technique. This method involves attackers introducing legitimate, signed drivers with known vulnerabilities into target systems to disable security defenses. ESET's analysis identified nearly 90 unique EDR killer tools exploiting 35 vulnerable drivers, enabling ransomware groups to neutralize security measures before deploying their payloads. The proliferation of these tools, available through underground marketplaces and public proof-of-concept exploits, has heightened concerns among cybersecurity professionals. ([darkreading.com](https://www.darkreading.com/vulnerabilities-threats/edr-killer-ecosystem-expansion-requires-stronger-byovd-defenses/?utm_source=openai)) The current relevance of this incident lies in the evolving threat landscape, where the commodification of EDR killers has made sophisticated attack techniques accessible to a broader range of cybercriminals. This trend underscores the urgent need for organizations to implement robust defenses against BYOVD attacks, including monitoring for unauthorized driver installations and enhancing endpoint security measures. ([darkreading.com](https://www.darkreading.com/vulnerabilities-threats/edr-killer-ecosystem-expansion-requires-stronger-byovd-defenses/?utm_source=openai))

17 hours ago

Impact (HIGH)
Microsoft and Salesforce Address Critical AI Security Flaws
In April 2026, security researchers identified critical prompt injection vulnerabilities in Microsoft Copilot and Salesforce Agentforce, which could allow attackers to exfiltrate sensitive data. In Microsoft's case, malicious code inserted into SharePoint forms could trigger Copilot to send customer data to unauthorized emails. Similarly, Salesforce's Agentforce was susceptible to prompt injections via public-facing lead forms, enabling unauthorized access to CRM data. Both companies have since patched these vulnerabilities. ([darkreading.com](https://www.darkreading.com/cloud-security/microsoft-salesforce-patch-ai-agent-data-leak-flaws/?utm_source=openai)) This incident underscores the persistent threat of prompt injection attacks in AI systems, highlighting the need for robust input validation and security measures to prevent unauthorized data access and exfiltration.

17 hours ago
