On April 20, 2026, threat intelligence monitoring identified significant activity across both newly exploited vulnerabilities and malware distribution networks. CISA added eight vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog: authentication bypass flaws in Quest KACE SMA and PaperCut NG/MF, a path traversal in JetBrains TeamCity, three Cisco Catalyst SD-WAN Manager vulnerabilities enabling credential exposure, information disclosure and file upload, a Zimbra cross-site scripting flaw, and a Kentico Xperience path traversal. KEV inclusion means CISA has evidence of exploitation in the wild, so these should move to the front of the patching queue.
Concurrently, abuse.ch feeds documented 51 malicious URLs distributing a range of malware families, with ACRStealer delivered through the ClearFake infection chain dominating the set via 18 distinct distribution points. Other observed threats include GuLoader delivering VIPKeylogger, Formbook loaders, AgentTesla, and the IoT-targeting Mozi and Mirai botnets. The recurring use of encoded payloads, PowerShell stagers, and legitimate cloud services (Google Drive, Cloudflare R2) for hosting is an evasion pattern rather than a novelty: text-encoded payloads defeat naive file-type filtering, and downloads from well-known SaaS domains are rarely blocked by reputation alone.
Organizations should patch the KEV-listed vulnerabilities immediately, particularly those in enterprise collaboration and network management platforms. Security teams should add detections for the identified malware families and block the listed indicators at the network perimeter, with one caveat: indicators on shared services (Google Drive, Cloudflare R2 buckets, paste sites) should be blocked by full URL, not by host, to avoid breaking legitimate use. The combination of unauthenticated access flaws in management platforms and active commodity-malware campaigns creates an elevated risk environment that warrants a heightened defensive posture.
Eight vulnerabilities added to CISA KEV catalog indicating active exploitation, with authentication bypass and credential exposure flaws affecting enterprise platforms
Quest KACE Systems Management Appliance contains an improper authentication vulnerability that allows an attacker to impersonate legitimate users without valid credentials. Because the appliance deploys software and scripts to the endpoints it manages, a bypass on the SMA puts the managed fleet at risk, not just the appliance itself.
JetBrains TeamCity contains a relative path traversal vulnerability that allows attackers to perform a limited set of administrative actions. In a CI/CD server even limited administrative access is serious, since it can be parlayed into tampering with build pipelines and the source repositories they pull from.
PaperCut NG/MF contains an improper authentication vulnerability that enables remote attackers to bypass authentication via the SecurityRequestFilter class, affecting print management servers deployed across enterprises.
Cisco Catalyst SD-WAN Manager allows an authenticated local attacker to gain DCA user privileges by reading credential files. The root cause is insecure password storage on the management appliance.
Cisco Catalyst SD-WAN Manager also exposes sensitive information to unauthorized actors, allowing a remote attacker to view sensitive data on an affected system without authenticating.
A third Cisco Catalyst SD-WAN Manager flaw, an incorrect use of privileged APIs, enables an attacker to upload arbitrary files to the local filesystem through the API interface.
Synacor Zimbra Collaboration Suite contains a cross-site scripting vulnerability that allows an attacker to execute arbitrary JavaScript in the context of a victim's webmail session, which can lead to credential theft and unauthorized access to mail.
Kentico Xperience contains a path traversal vulnerability that allows an authenticated user of the Staging Sync Server to upload arbitrary data to path-relative locations, potentially compromising the content management system.
51 malicious URLs identified distributing multiple malware families including ACRStealer, GuLoader, VIPKeylogger, Formbook, and IoT botnets with sophisticated delivery mechanisms
Large-scale ACRStealer distribution campaign using the ClearFake infection chain across 18 unique domains registered under the .in.net second-level domain (a commercial subdomain registry under .net, not a TLD). The hostnames share a generated-looking naming pattern (blasph-nimalo, rus5icabreast, hai1owhiten, pulp-turquoise, ra9ximer, to7ramil), consistent with a single operator registering them in bulk.
Multiple Google Drive URLs hosting encrypted GuLoader payloads that deliver VIPKeylogger. The attackers rely on legitimate cloud infrastructure (drive.google.com) because downloads from it are seldom blocked by reputation-based controls, and the payloads are encoded and encrypted so that nothing at rest looks like an executable.
Multiple distribution points hosting ASCII-encoded VIPKeylogger payloads, including compromised WordPress sites and dedicated infrastructure. The URLs include PowerShell scripts (update.ps1) and plain text files that carry the encoded payload for a later stage to decode.
Formbook information stealer distributed via a compromised Romanian domain (getamarin.ro) and as encoded payloads on compromised WordPress infrastructure (crypto-corexchange.com). Delivery includes both direct EXE downloads and ASCII-encoded loader scripts.
AgentTesla information stealer distributed through a compromised WordPress site (wisdomheart.org) using a PowerShell script (update.ps1) as the delivery mechanism, with credential theft as the end goal.
Multiple IP addresses distributing Mozi and Mirai botnet payloads aimed at IoT devices. Shell script droppers (bin.sh) fetch 32-bit ELF binaries built for the MIPS architecture, indicating that the targets are MIPS-based routers, cameras and similar embedded devices.
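Droppers like bin.sh typically fetch a binary per architecture and run whichever one executes; reading the ELF header of what was fetched tells you which device class a sample was built for. The following is an added example written for this digest, not tooling from abuse.ch or the original page. It parses the ELF identification bytes and e_machine field; the headers it is run on are constructed inline for testing and are not real malware samples.

```python
"""Identify the target architecture of an ELF payload from its header.

Added example, not from the original digest. The header parsing follows the
ELF specification: e_ident[EI_CLASS] at offset 4 (1 = 32-bit, 2 = 64-bit),
e_ident[EI_DATA] at offset 5 (1 = little-endian, 2 = big-endian), and the
16-bit e_machine field at offset 18, read in the file's own byte order.
"""
import struct

# Subset of ELF e_machine values; MIPS (8) and ARM (40) dominate IoT botnets.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_arch(data: bytes):
    """Return (bits, endianness, machine_name), or None if not an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])
    endian = {1: "little", 2: "big"}.get(data[5])
    if bits is None or endian is None:
        return None  # malformed EI_CLASS / EI_DATA
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    return bits, endian, EM_NAMES.get(e_machine, f"unknown({e_machine})")


def make_header(bits: int, endian: str, e_machine: int) -> bytes:
    """Build a constructed 20-byte ELF header prefix for testing only.

    Only the fields elf_arch() reads are meaningful; the rest is zero padding.
    """
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
             + bytes(9))                       # pad e_ident to 16 bytes
    fmt = "<HH" if endian == "little" else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type=ET_EXEC, e_machine


if __name__ == "__main__":
    # Constructed samples: big-endian MIPS (typical router build), mipsel, x86-64.
    for blob in (make_header(32, "big", 8), make_header(32, "little", 8),
                 make_header(64, "little", 62), b"#!/bin/sh\n"):
        print(elf_arch(blob))
```

When triaging a dropper, run this over every file it fetched; a set of MIPS, ARM and x86 builds behind one script is the usual Mirai-style cross-architecture pattern, and the big-endian versus little-endian split tells you whether consumer routers (mostly big-endian MIPS) or other embedded boards were the intended victims.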
PhantomStealer malware distributed as encoded payloads hosted on ensions.xyz and on a file-sharing platform (yaso.su), including Base64-encoded variants intended to slip past content inspection.
CrysomeRAT distributed through a paste site (pastee.dev) as ASCII-encoded payloads, giving attackers remote access to compromised systems once a stager decodes and runs the content.
A legitimate SyncroRMM installer hosted on Cloudflare R2 infrastructure (pub-ec5d868d10f548e792c0fd1c080190aa.r2.dev), likely staged for unauthorized remote management of victims; the installer itself is benign, so detection has to key on the unexpected source and on RMM installs that no administrator requested.
Analysis of the distribution methods shows three recurring evasion patterns: abuse of legitimate services that defenders are reluctant to block, multi-stage encoding (ASCII or Base64 text decoded by a later stage) so that the hosted artifact never looks like an executable, and hosting spread across disposable domains, compromised sites, cloud buckets and paste sites so that no single takedown disrupts the campaign.
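Turning a feed like the one above into a blocklist needs a little care: a dedicated domain or IP can be blocked outright, while an entry on drive.google.com, a paste site or an R2 bucket must be blocked by exact URL, and domains that share a registry suffix such as in.net are worth surfacing as one cluster. The script below is an added example written for this digest, not abuse.ch tooling or code from the original page. Its feed is constructed to mirror the families reported above; apart from the r2.dev bucket name quoted in the digest, every URL, hostname and path in it is made up for illustration, and the (url, tag) tuple format is an assumption rather than the real abuse.ch export format.

```python
"""Triage a list of malicious URLs into blockable indicators.

Added example, not part of the original digest. FEED is constructed: the
hostnames and paths are placeholders shaped like the entries in the report.
"""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts shared with legitimate users: block the exact URL, never the host.
SHARED_HOSTS = {"drive.google.com", "pastee.dev", "yaso.su"}
SHARED_SUFFIXES = (".r2.dev",)
SCRIPT_EXT = (".ps1", ".sh", ".vbs", ".bat")

# Constructed sample feed: (url, malware tag). Not real indicators.
FEED = [
    ("https://blasph-nimalo.in.net/", "ACRStealer"),
    ("https://rus5icabreast.in.net/", "ACRStealer"),
    ("https://drive.google.com/uc?export=download&id=EXAMPLE", "GuLoader"),
    ("http://compromised-blog.test/wp-content/update.ps1", "AgentTesla"),
    ("http://192.0.2.10/bin.sh", "Mirai"),
    ("https://pub-ec5d868d10f548e792c0fd1c080190aa.r2.dev/installer.exe", "SyncroRMM"),
    ("https://pastee.dev/raw/EXAMPLE", "CrysomeRAT"),
]


def is_shared_host(host: str) -> bool:
    return host in SHARED_HOSTS or host.endswith(SHARED_SUFFIXES)


def classify(url: str, tag: str) -> dict:
    """Extract the host, decide whether it is dedicated or shared, and note
    whether the URL delivers a script stage rather than a binary."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    # Heuristic cluster key: last two labels. A real implementation would
    # use the Public Suffix List; this is enough to group *.in.net.
    cluster = ".".join(host.split(".")[-2:]) if kind == "domain" else host
    return {
        "url": url,
        "tag": tag,
        "host": host,
        "kind": kind,
        "shared_host": is_shared_host(host),
        "script_delivery": parsed.path.lower().endswith(SCRIPT_EXT),
        "cluster": cluster,
    }


def build_blocklist(feed):
    """Return (hosts_to_block, urls_to_block).

    Dedicated infrastructure (IPs, attacker-registered or compromised domains)
    goes on the host list; entries on shared services are blocked by URL only.
    """
    hosts, urls = set(), set()
    for url, tag in feed:
        rec = classify(url, tag)
        if rec["shared_host"]:
            urls.add(url)
        else:
            hosts.add(rec["host"])
    return hosts, urls


def clusters(feed, min_size: int = 2) -> dict:
    """Group dedicated domains by suffix to surface coordinated infrastructure
    such as the ACRStealer/ClearFake .in.net set."""
    groups = defaultdict(set)
    for url, tag in feed:
        rec = classify(url, tag)
        if rec["kind"] == "domain" and not rec["shared_host"]:
            groups[rec["cluster"]].add(rec["host"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    hosts, urls = build_blocklist(FEED)
    print("block hosts:", sorted(hosts))
    print("block urls: ", sorted(urls))
    print("clusters:   ", clusters(FEED))
```

The script-delivery flag is the hook for detection rather than blocking: a .ps1 or .sh fetched from a bare IP or a blog's wp-content directory is worth an alert on the proxy even when the host was not yet in the feed.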