This briefing covers threat intelligence for April 14, 2026. The primary threat landscape features two Microsoft vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog: a newly disclosed SharePoint Server input validation flaw (CVE-2026-32201) and a legacy Office Excel remote code execution vulnerability (CVE-2009-0238) seeing renewed exploitation. Malware distribution activity remains elevated, with 50 malicious URLs identified across multiple campaigns. The ClearFake/NetSupport campaign continues aggressive distribution through compromised infrastructure, using multiple domains for redundancy. Mozi botnet activity persists, with numerous IoT-targeting URLs distributing multi-architecture payloads. Organizations should prioritize patching Microsoft SharePoint and Office products while adding monitoring for ClearFake social engineering lures and IoT device compromise attempts.
Two Microsoft vulnerabilities added to CISA Known Exploited Vulnerabilities catalog requiring immediate attention
CVE-2026-32201: input validation vulnerability in SharePoint Server that lets an unauthorized attacker perform spoofing over a network. The CISA KEV listing confirms active exploitation. Apply Microsoft's update to all on-premises SharePoint Server deployments immediately; SharePoint Online is serviced by Microsoft.
CVE-2009-0238: remote code execution vulnerability in Microsoft Office Excel triggered by a malformed object in a specially crafted file. Despite its age (2009), the CISA KEV addition indicates renewed active exploitation in the wild. An attacker who convinces a user to open a weaponized Excel file gains code execution with that user's privileges; on accounts with administrative rights that amounts to full control of the system. Verify that the 2009 update is present on any remaining legacy Office installs, keep Protected View enabled for files from the internet, and consider File Block policies for legacy binary .xls formats from untrusted sources.
Aggressive social engineering campaign distributing NetSupport RAT through ClearFake fake browser update infrastructure across multiple domains
35+ malicious URLs identified serving ClearFake fake browser update pages that lead to NetSupport RAT deployment. The campaign uses domains including inform2tunleaven.in.net, kazan-saddle.in.net, xelvarinox.in.net, pra6lixon.in.net, and latat-long.digital, with hostname labels following a systematic naming convention (mon1-check, api2-route, node3-core, etc.) that suggests automated infrastructure provisioning. Common URI pattern: /05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google. Block the listed domains, and hunt for the URI shape (a UUID path segment followed by ck-<hex>.google) independently of hostname, since the domains rotate.
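The following is an added detection example, not code from the original briefing or from any vendor. It scores proxy-log requests against the three ClearFake indicators described above: the listed domains, the <word><digit>-<word> hostname-label convention, and the /<uuid>/ck-<hex>.google URI shape. The log format (timestamp, source IP, method, host, path, status) and all log lines are constructed for the example; the length range allowed for the hex run in the path is an assumption based on the single sample URI.

```python
import re

# Domains named in the briefing's ClearFake/NetSupport section.
CLEARFAKE_DOMAINS = {
    "inform2tunleaven.in.net", "kazan-saddle.in.net", "xelvarinox.in.net",
    "pra6lixon.in.net", "latat-long.digital",
}
# Leftmost host label shaped like mon1-check, api2-route, node3-core.
LABEL_RE = re.compile(r"^[a-z]+\d-[a-z]+$")
# /<uuid>/ck-<hex>.google; the hex length range is an assumption (the sample has 34 hex chars).
PATH_RE = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/ck-[0-9a-f]{30,40}\.google$"
)


def known_domain(host: str):
    """Return the matching listed domain if host is it or a subdomain of it."""
    h = host.lower()
    return next((d for d in CLEARFAKE_DOMAINS if h == d or h.endswith("." + d)), None)


def classify_request(host: str, path: str) -> list:
    """Return the list of indicator names that fire for one request."""
    reasons = []
    if known_domain(host):
        reasons.append("known-clearfake-domain")
    if LABEL_RE.match(host.lower().split(".")[0]):
        reasons.append("numbered-label")
    if PATH_RE.match(path):
        reasons.append("ck-google-path")
    return reasons


def scan_proxy_log(lines) -> list:
    """Scan whitespace-separated proxy lines and return scored hits.

    Severity is 'high' when the domain or the URI shape matches; the naming
    convention alone is a weak signal (legitimate hosts like web1-prod fit it)
    and is reported as 'low' for enrichment only.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # constructed format: ts src method host path status
        _ts, src, _method, host, path, _status = parts[:6]
        reasons = classify_request(host, path)
        if not reasons:
            continue
        severity = "high" if set(reasons) & {"known-clearfake-domain", "ck-google-path"} else "low"
        hits.append({"src": src, "host": host, "path": path,
                     "reasons": reasons, "severity": severity})
    return hits


# Constructed sample log; only the first line reuses the briefing's actual URI.
SAMPLE_LOG = [
    "2026-04-14T09:12:01Z 10.20.3.44 GET mon1-check.kazan-saddle.in.net "
    "/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google 200",
    "2026-04-14T09:12:05Z 10.20.3.44 GET api2-route.example-cdn.test "
    "/1c2e7a90-1111-4bcd-9e8f-0123456789ab/ck-0123456789abcdef0123456789abcdef01.google 200",
    "2026-04-14T09:13:10Z 10.20.3.45 GET www.example.org /index.html 200",
    "2026-04-14T09:14:22Z 10.20.3.46 GET node3-core.latat-long.digital /favicon.ico 404",
    "2026-04-14T09:15:00Z 10.20.3.47 GET web1-prod.example.org /health 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["severity"], hit["src"], hit["host"], hit["path"], ",".join(hit["reasons"]))
```

The second sample line shows why the URI regex matters: the host is not on the list, but the path shape still flags it as the same kit on fresh infrastructure. Treat a "numbered-label" hit by itself as context, not as an alert.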
Continued Mozi botnet activity targeting IoT devices with multi-architecture ELF payloads
14 malicious URLs distributing Mozi botnet payloads to IoT devices. Payloads are compiled for multiple architectures (32-bit MIPS and ARM), indicating broad targeting of embedded devices. Distribution URLs are hosted on already-compromised devices across various IP ranges. Shell script downloaders (bin.sh) perform the initial compromise step and fetch the architecture-specific payload.
Miscellaneous malware distribution infrastructure identified
Multiple shell scripts (w2.sh, telnet.sh, jg.sh) hosted on 94.156.152.67:83 distribute Mirai botnet components. The scripts fetch payloads with wget, so the wget User-Agent appears in the retrieval requests. Additional Mirai payload distribution was observed at 196.251.107.133/bins/pay.
Domain cloudstorage-hub.com hosts executable and batch file payloads (8dacc96a6f17691cdbd7f9eacf910b0137af51f0.exe, get-launcher.php). The domain name suggests impersonation of a legitimate cloud storage service for social engineering.
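Both the Mozi and the Mirai infrastructure above serve a downloader script plus per-architecture ELF binaries, and the first triage question for a retrieved file is which architecture it targets. The following is an added example, not code from the briefing, that reads only the ELF identification bytes and e_machine field (a minimal, offline header parse, not a full ELF loader). The sample blobs are constructed 20-byte header stubs, not real Mozi or Mirai payloads, and the script/unknown handling mirrors the bin.sh-style droppers described above.

```python
import struct

# ELF e_machine values for the architectures commonly seen in IoT botnet payloads.
ELF_MACHINES = {
    0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V",
}


def classify_payload(blob: bytes) -> dict:
    """Classify a retrieved file as a shell script, an ELF binary, or unknown.

    Only the ELF identification bytes (offsets 0-6) and the e_type/e_machine
    fields (offsets 16-19, in the file's own byte order) are read.
    """
    if blob[:2] == b"#!":
        first = blob.split(b"\n", 1)[0].decode("ascii", "replace")
        return {"kind": "script", "interpreter": first[2:].strip()}
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return {"kind": "unknown"}
    bits = {1: 32, 2: 64}.get(blob[4])        # EI_CLASS
    endian = {1: "little", 2: "big"}.get(blob[5])  # EI_DATA
    if bits is None or endian is None:
        return {"kind": "unknown"}
    fmt = "<HH" if endian == "little" else ">HH"
    e_type, e_machine = struct.unpack(fmt, blob[16:20])
    return {
        "kind": "elf",
        "bits": bits,
        "endian": endian,
        "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "executable": e_type == 2,  # ET_EXEC; static IoT bot binaries are typically ET_EXEC
    }


def triage(samples: dict) -> dict:
    """Map each sample name to a one-line summary string."""
    out = {}
    for name, blob in samples.items():
        info = classify_payload(blob)
        if info["kind"] == "elf":
            out[name] = f"ELF {info['bits']}-bit {info['endian']}-endian {info['machine']}"
        elif info["kind"] == "script":
            out[name] = f"script via {info['interpreter']}"
        else:
            out[name] = "unknown"
    return out


def _elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build the first 20 bytes of an ELF header (constructed sample, not a real payload)."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    return b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9 + struct.pack(fmt, e_type, e_machine)


# Constructed samples standing in for what bin.sh-style droppers would fetch.
SAMPLES = {
    "mozi.mips": _elf_header(1, 2, 2, 0x08),   # 32-bit big-endian MIPS, ET_EXEC
    "mozi.arm": _elf_header(1, 1, 2, 0x28),    # 32-bit little-endian ARM, ET_EXEC
    "bin.sh": b"#!/bin/sh\ncd /tmp\n",          # downloader script stub
    "junk.bin": b"MZ\x90\x00" + b"\x00" * 16,   # not ELF and not a script
}

if __name__ == "__main__":
    for name, summary in triage(SAMPLES).items():
        print(f"{name}: {summary}")
```

Reading e_machine before running anything tells you which emulator or sandbox image to use and lets you count how many architectures a campaign ships, which is the "multi-architecture" observation above turned into a measurable field.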