Weekly Threat Intel Report: 2026-W17
TL;DR
The week of 20–26 April 2026 was anchored by a coordinated international advisory from CISA, the UK NCSC, and partner agencies on China-nexus covert networks of compromised edge devices, accompanied by a malware analysis of the FIRESTARTER backdoor, which persists on Cisco ASA and Firepower Threat Defense appliances across firmware updates and security patches. On the criminal side, Scattered Spider suffered a significant law-enforcement blow when senior member Tyler Robert Buchanan ("Tylerb") pleaded guilty to wire fraud conspiracy and aggravated identity theft, while ShinyHunters publicly extorted home-security provider ADT, which confirmed a data breach. The software supply chain remained a top story: same-day compromises sharing a C2 domain hit the Bitwarden CLI npm package and Checkmarx KICS developer tooling, and CISA issued an alert on a March-2026 compromise of the axios npm package. CISA also added twelve CVEs to the Known Exploited Vulnerabilities catalog this week, and a critical RCE in Bomgar RMM (CVE-2026-1731) is being mass-exploited to push ransomware. New extortion crews BlackFile and The Gentlemen continued to scale, and a previously unreported cluster (UNC6692) was observed using Microsoft Teams to deploy a custom malware suite called Snow.
Notable Activity by Actor
Scattered Spider: senior member pleads guilty
KrebsOnSecurity reported on 21 April that Tyler Robert Buchanan, a 24-year-old British national and senior Scattered Spider member tracked online as "Tylerb," pleaded guilty to wire fraud conspiracy and aggravated identity theft. Buchanan admitted his role in the summer-2022 smishing wave that compromised at least a dozen major technology companies and resulted in tens of millions of dollars in losses. The plea is a notable milestone for international law-enforcement action against the wider "Com"-adjacent English-speaking criminal ecosystem, but it does not appear to have meaningfully slowed Scattered Spider-style social-engineering tradecraft, which continues to be replicated by adjacent crews (see BlackFile, below).
ShinyHunters: ADT confirms breach
ADT confirmed a data breach on 24 April after ShinyHunters threatened to publish stolen data unless a ransom was paid (BleepingComputer). ShinyHunters has matured during 2025–2026 from a credential-database trader into a full data-extortion brand with overlapping infrastructure across multiple SaaS-targeting campaigns. The ADT incident reinforces that the group continues to favor public extortion over encryption-based ransomware.
Contagious Interview: fake-job lures go worm-like
DarkReading (22 April) reported that the DPRK-aligned Contagious Interview campaign is now propagating in a worm-like fashion: a compromised developer repository serves as the infection vector, delivering remote access trojans to subsequent developers who clone or interact with the project. This is a meaningful evolution. Earlier iterations relied largely on direct recruiter outreach via LinkedIn or contractor platforms; embedding the lure in real, third-party developer projects extends reach and complicates detection, because the victim never has to talk to a "recruiter" at all.
Emerging Threats
China-nexus covert networks and FIRESTARTER
The week's most consequential government release was the joint CISA/NCSC advisory AA26-113A, Defending Against China-Nexus Covert Networks of Compromised Devices, published 23 April with input from international partners and the UK Cyber League. The advisory describes a sustained shift in tradecraft toward chains of compromised edge devices (routers, firewalls, and remote-access appliances) used as covert relay infrastructure to mask malicious activity inside trusted network paths.
Accompanying the advisory, CISA published malware analysis report AR26-113A on FIRESTARTER, a custom backdoor recovered from a forensic investigation. According to CISA and BleepingComputer's reporting (24 April), FIRESTARTER targets Cisco Firepower and Secure Firewall devices running ASA or FTD software and is engineered to survive firmware updates and security patches. If that persistence is confirmed in the wild at scale, routine patch cycles are inadequate as a remediation strategy: a device showing the current software version can still be compromised. NCSC's parallel posts on 23 April urge organizations to map and baseline edge-device traffic (especially VPN and remote-access flows) and to apply dynamic threat-feed filtering that includes covert-network indicators.
Software supply chain: a bad week for developer tooling
Three separate supply-chain incidents converged this week, two of them linked by shared infrastructure:
- Bitwarden CLI (npm) was briefly compromised after attackers pushed a malicious @bitwarden/cli package containing a credential-stealing payload capable of spreading to other projects (BleepingComputer, 23 April).
- Checkmarx KICS Docker images, VSCode extensions, and Open VSX extensions were compromised to harvest data from developer environments (BleepingComputer, 23 April).
- Sophos researchers (24 April) confirmed that the Bitwarden and Checkmarx incidents share a command-and-control domain and likely a common operator.
- CISA separately alerted on 20 April that two axios npm packages (axios@1.14.1 and axios@0.30.4) published 31 March 2026 were malicious supply-chain implants.
Unit 42 published a broader retrospective on 24 April analyzing the npm threat landscape after the Shai Hulud event, observing wormable malware, CI/CD persistence, and increasingly multi-stage payload chains. Red Canary's April Intelligence Insights echoed this, with "poisoned packages and pipeline perils" as the headline.
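The versions named above (axios@1.14.1 and axios@0.30.4) and the package names involved are the minimum a team should be checking its lockfiles for, and the "Defender Takeaways" at the end of this report also ask for pinned versions and for flagging packages that run install scripts. The script below is an added example written for this report; it is not code from CISA, Bitwarden, Checkmarx or any of the cited articles. It reads an npm package-lock.json in the lockfileVersion 2/3 layout, which records each installed package's exact version, its integrity hash, and whether it declares install scripts (npm's hasInstallScript flag), and reports: resolved versions on the known-bad list, packages flagged for manual review by name (the page gives no bad version number for @bitwarden/cli, so it is matched by name only), packages with install scripts, tarballs with no integrity hash, and root dependencies declared as ranges rather than exact pins. The sample lockfile is constructed for the demo and its @bitwarden/cli version string is a placeholder.

```python
import json
import re
import sys

# Versions this report names as malicious (CISA alert, 20 April 2026). Extend from your own intel.
# @bitwarden/cli has no bad version on the page, so it is reported by name for manual review.
KNOWN_BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
REVIEW_BY_NAME = {"@bitwarden/cli"}

# Constructed sample lockfile (npm lockfileVersion 3 layout), not a real project.
# Version and integrity strings for @bitwarden/cli are placeholders.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"axios": "^1.14.0", "left-pad": "1.3.0"},
         "devDependencies": {"@bitwarden/cli": "0.0.0-placeholder"}},
    "node_modules/axios": {"version": "1.14.1",
         "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
         "integrity": "sha512-placeholder"},
    "node_modules/left-pad": {"version": "1.3.0",
         "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/@bitwarden/cli": {"version": "0.0.0-placeholder",
         "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-0.0.0-placeholder.tgz",
         "integrity": "sha512-placeholder", "hasInstallScript": true}
  }
}""")

EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def is_pinned(spec: str) -> bool:
    """True only for an exact semver spec; '^', '~', ranges, dist-tags and URLs are not pins."""
    return EXACT_VERSION.fullmatch(spec.strip()) is not None


def package_name(path: str, meta: dict) -> str:
    """Lockfile v2/v3 keys are install paths; the name is what follows the last 'node_modules/'."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> dict:
    """Return lists of (name, version-or-spec) tuples per finding class."""
    findings = {"known_bad": [], "review": [], "install_scripts": [], "no_integrity": [], "unpinned": []}
    packages = lock.get("packages", {})
    if not packages:
        # lockfileVersion 1 has no "packages" map; regenerate the lock with npm >= 7 first.
        raise ValueError("lockfileVersion 1 layout is not supported by this example")
    root = packages.get("", {})
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in root.get(section, {}).items():
            if not is_pinned(spec):
                findings["unpinned"].append((name, spec))
    for path, meta in packages.items():
        if path == "":
            continue  # the root project entry itself
        name, version = package_name(path, meta), meta.get("version", "")
        if version in KNOWN_BAD_VERSIONS.get(name, ()):
            findings["known_bad"].append((name, version))
        elif name in REVIEW_BY_NAME:
            findings["review"].append((name, version))
        if meta.get("hasInstallScript"):
            # npm sets this flag when the package declares preinstall/install/postinstall scripts
            findings["install_scripts"].append((name, version))
        if meta.get("resolved") and not meta.get("integrity"):
            # without an integrity hash the fetched tarball cannot be verified against the lock
            findings["no_integrity"].append((name, version))
    return findings


def main(argv):
    lock = SAMPLE_LOCK if len(argv) < 2 else json.load(open(argv[1], encoding="utf-8"))
    findings = audit_lockfile(lock)
    for kind, items in findings.items():
        for name, ver in items:
            print(f"{kind:16} {name}@{ver}")
    return 1 if findings["known_bad"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_lock.py path/to/package-lock.json` in CI and fail the build on a non-zero exit; the "review" and "install_scripts" classes are triage lists, not verdicts, because a legitimate package can ship install scripts, and the point is to notice when one of them starts doing so after an update.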
Vulnerabilities and KEV churn
CISA added twelve CVEs to the Known Exploited Vulnerabilities catalog across two updates:
- 20 April (eight CVEs): PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE Systems Management Appliance (CVE-2025-32975), and others.
- 24 April (four CVEs): Samsung MagicINFO 9 Server (CVE-2024-7399), SimpleHelp (CVE-2024-57726, CVE-2024-57728), and a D-Link DIR-823X command-injection flaw (CVE-2025-29635).
DarkReading (21 April) reported a surge of in-the-wild exploitation of CVE-2026-1731, a critical RCE in Bomgar RMM, with attackers using it both to deploy ransomware directly and to leapfrog into downstream supply chains. A new Linux local-privilege escalation flaw, Pack2TheRoot, in the PackageKit daemon also surfaced (BleepingComputer, 24 April). On the ICS side, CISA published more than a dozen advisories; notable highlights include Siemens SINEC NMS authorization-bypass and authentication-bypass issues, Siemens Industrial Edge Management, an Intrado 911 Emergency Gateway flaw (CVE-2026-6074, CVSS 9.8), and the Hangzhou Xiongmai XM530 IP camera authentication bypass.
New criminal brands and tradecraft
- BlackFile (BleepingComputer, 24 April): a financially motivated crew active since February 2026, hitting retail and hospitality with vishing-driven data theft and extortion.
- The Gentlemen (DarkReading, 22 April): a rapidly scaling ransomware operation that researchers describe as more sophisticated than its branding implies.
- UNC6692 / Snow (BleepingComputer, 25 April): a tracked cluster using Microsoft Teams social engineering to deploy a custom suite combining a malicious browser extension, a tunneler, and a backdoor.
- Trigona ransomware operators were observed using a new custom command-line exfiltration tool (BleepingComputer, 23 April).
Cisco Talos's Q1 2026 IR Trends report (22 April) noted that phishing returned as the top initial-access vector for the first time since Q2 2025, accounting for over a third of engagements where initial access could be determined. A separate Talos blog (21 April) called out the continued exploitation of MFA weaknesses and attacks that use valid credentials and are launched from trusted accounts. DarkReading (24 April) documented an influx of AI-personalized phishing as the leading attacker technique. The DFIR Report's 22 April analysis of an exposed "Bissa Scanner" server provided rare visibility into an AI-assisted mass-exploitation operation, with Claude Code and OpenClaw embedded into the operator's daily workflow, a concrete, observed instance of attackers using LLM tooling to scale.
Defender Takeaways
- Treat edge devices as the new crown jewels. The CISA/NCSC FIRESTARTER advisory makes clear that firmware updates alone are not sufficient to remediate ASA/FTD compromises. Baseline outbound traffic from VPN and remote-access appliances, hunt for unexpected long-haul connections, and validate appliance integrity with vendor tooling, not just by checking the version banner.
- Audit your npm and developer-tooling pipelines. Pin and verify versions of axios, @bitwarden/cli, and Checkmarx KICS images and extensions, and use tooling that flags unexpected post-install scripts or new C2-like network egress from developer workstations and CI runners.
- Patch the new KEV entries promptly. PaperCut, JetBrains TeamCity, SimpleHelp, Samsung MagicINFO, Kentico, Quest KACE, and the new Bomgar RMM CVE-2026-1731 are all on attacker shopping lists now.
- Harden the help desk and the phone. With Scattered Spider's tradecraft now broadly imitated (BlackFile, others), require call-back verification to a number of record, refuse password and MFA resets requested over an unverified inbound call, and instrument vishing detection for IT and finance staff.
- Plan for AI-assisted attackers. Treat the DFIR Report's "Bissa Scanner" findings as a directional signal: expect faster recon, better-tailored phishing, and more capable mass-exploitation campaigns. Prioritize controls that don't degrade against higher-volume, higher-quality attacks: phishing-resistant MFA (e.g., passkeys), least privilege, and EDR coverage.
- Don't ignore the social platforms. UNC6692's use of Microsoft Teams for delivery is a reminder that collaboration tools are delivery channels. External-tenant policies, link rendering, and Teams-aware EDR detections matter.
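The first takeaway above (baseline appliance egress, hunt for unexpected long-haul connections) is the kind of check that can be scripted against an existing flow export. The script below is an added example written for this report, not code from CISA, NCSC or Cisco, and it is a triage aid rather than an integrity check: because FIRESTARTER survives patching, a clean version banner proves nothing, and a hit here should feed vendor forensic tooling, not replace it. It assumes a flat CSV export of appliance-initiated flows (timestamp, source IP, destination IP, destination port, bytes out, duration in seconds), a mapping of appliance management IPs to names taken from inventory, and a cutoff date separating the baseline window from the hunt window. All sample rows and IPs are constructed for the demo; the appliance names and thresholds are assumptions, not values from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Management-plane IPs of the appliances being baselined. Constructed for the example;
# in practice, pull this from the asset inventory.
EDGE_APPLIANCES = {"10.0.0.1": "asa-hq-1", "10.0.0.2": "ftd-dc-1"}

# Constructed sample flow export. Columns: ts,src_ip,dst_ip,dst_port,bytes_out,duration_s
# 198.51.100.10:443 plays the role of a legitimate update server, 10.0.0.50:514 the syslog collector.
SAMPLE_FLOWS = """\
2026-04-13T02:00:00Z,10.0.0.1,198.51.100.10,443,20480,12
2026-04-13T02:05:00Z,10.0.0.1,10.0.0.50,514,4096,600
2026-04-14T02:00:00Z,10.0.0.1,198.51.100.10,443,21000,11
2026-04-19T02:00:00Z,10.0.0.1,198.51.100.10,443,20000,10
2026-04-21T03:10:00Z,10.0.0.1,198.51.100.10,443,20300,12
2026-04-21T03:12:00Z,10.0.0.1,203.0.113.7,443,5242880,7200
2026-04-22T01:00:00Z,10.0.0.2,198.51.100.10,443,19000,9
2026-04-22T01:00:30Z,192.168.5.20,203.0.113.7,443,800,3
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts; blank and malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        try:
            flows.append({"ts": parse_ts(parts[0]), "src": parts[1], "dst": parts[2],
                          "port": int(parts[3]), "bytes": int(parts[4]), "duration": int(parts[5])})
        except ValueError:
            continue
    return flows


def build_baseline(flows: list, cutoff: datetime) -> dict:
    """(dst, port) pairs each appliance initiated connections to before `cutoff`."""
    baseline = defaultdict(set)
    for f in flows:
        if f["src"] in EDGE_APPLIANCES and f["ts"] < cutoff:
            baseline[f["src"]].add((f["dst"], f["port"]))
    return baseline


def hunt(flows: list, baseline: dict, cutoff: datetime, long_lived_s: int = 3600,
         big_bytes: int = 1_000_000) -> list:
    """Flag appliance-initiated flows at/after `cutoff` that are new, long-lived, or bulky."""
    findings = []
    for f in flows:
        if f["src"] not in EDGE_APPLIANCES or f["ts"] < cutoff:
            continue
        reasons = []
        known = baseline.get(f["src"])  # .get() does not create a default entry
        if known is None:
            reasons.append("no-baseline")  # no history at all: 'normal' cannot be defined yet
        elif (f["dst"], f["port"]) not in known:
            reasons.append("new-destination")
        if f["duration"] >= long_lived_s:
            reasons.append("long-lived")  # relay/tunnel sessions tend to stay up for hours
        if f["bytes"] >= big_bytes:
            reasons.append("high-volume")
        if reasons:
            findings.append({"appliance": EDGE_APPLIANCES[f["src"]], "src": f["src"], "dst": f["dst"],
                             "port": f["port"], "ts": f["ts"].isoformat(), "reasons": reasons})
    return findings


def run(text: str = SAMPLE_FLOWS, cutoff_iso: str = "2026-04-20T00:00:00Z") -> list:
    cutoff = parse_ts(cutoff_iso)
    flows = parse_flows(text)
    return hunt(flows, build_baseline(flows, cutoff), cutoff)


if __name__ == "__main__":
    for hit in run():
        print(f"{hit['appliance']} {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"at {hit['ts']}: {', '.join(hit['reasons'])}")
```

Two design points worth keeping when adapting this: the baseline is built only from flows the appliance itself initiated (an ASA's management plane should have a very short list of legitimate outbound peers), and an appliance with no history is reported as "no-baseline" rather than silently treated as clean, which is the failure mode that lets a freshly deployed or freshly reimaged box with an implant slip past a naive "new destination" rule.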
Sources
- CISA, Defending Against China-Nexus Covert Networks of Compromised Devices (AA26-113A), 23 April 2026 – https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a
- CISA, FIRESTARTER Backdoor (AR26-113A), 23 April 2026 – https://www.cisa.gov/news-events/analysis-reports/ar26-113a
- UK NCSC, Defending against China-nexus covert networks of compromised devices, 23 April 2026 – https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices
- BleepingComputer, Firestarter malware survives Cisco firewall updates, 24 April 2026 – https://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/
- KrebsOnSecurity, 'Scattered Spider' Member 'Tylerb' Pleads Guilty, 21 April 2026 – https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/
- BleepingComputer, ADT confirms data breach after ShinyHunters leak threat, 24 April 2026 – https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/
- DarkReading, DPRK Fake Job Scams Self-Propagate in 'Contagious Interview', 22 April 2026 – https://www.darkreading.com/cyberattacks-data-breaches/dprk-fake-job-scams-self-propagate-contagious-interview
- BleepingComputer, Bitwarden CLI npm package compromised, 23 April 2026 – https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
- BleepingComputer, New Checkmarx supply-chain breach affects KICS, 23 April 2026 – https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
- Sophos News, Supply chain attacks hit Checkmarx and Bitwarden developer tools, 24 April 2026 – https://www.sophos.com/en-us/blog/supply-chain-attacks-hit-checkmarx-and-bitwarden-developer-tools
- CISA, Supply Chain Compromise Impacts Axios Node Package Manager, 20 April 2026 – https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
- Unit 42, The npm Threat Landscape: Attack Surface and Mitigations, 24 April 2026 – https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
- CISA, KEV updates, 20 & 24 April 2026 – https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog | https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
- DarkReading, Surge in Bomgar RMM Exploitation, 21 April 2026 – https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exploitation-demonstrates-supply-chain-risk
- BleepingComputer, New BlackFile extortion group, 24 April 2026 – https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/
- DarkReading, 'The Gentlemen' Rapidly Rises to Ransomware Prominence, 22 April 2026 – https://www.darkreading.com/threat-intelligence/gentlemen-rapidly-rise-ransomware
- BleepingComputer, Threat actor uses Microsoft Teams to deploy new 'Snow' malware, 25 April 2026 – https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/
- BleepingComputer, Trigona ransomware attacks use custom exfiltration tool, 23 April 2026 – https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/
- BleepingComputer, New 'Pack2TheRoot' flaw gives hackers root Linux access, 24 April 2026 – https://www.bleepingcomputer.com/news/security/new-pack2theroot-flaw-gives-hackers-root-linux-access/
- Cisco Talos, IR Trends Q1 2026, 22 April 2026 – https://blog.talosintelligence.com/ir-trends-q1-2026/
- Cisco Talos, Phishing and MFA exploitation, 21 April 2026 – https://blog.talosintelligence.com/phishing-and-mfa-exploitation-targeting-the-keys-to-the-kingdom/
- The DFIR Report, Bissa Scanner Exposed: AI-Assisted Mass Exploitation, 22 April 2026 – https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/
- DarkReading, AI Phishing Is No. 1 With a Bullet for Cyberattackers, 24 April 2026 – https://www.darkreading.com/cyber-risk/ai-phishing-no-1-cyberattackers
- Red Canary, Intelligence Insights: April 2026, 23 April 2026 – https://redcanary.com/blog/threat-intelligence/intelligence-insights-april-2026/