April 20, 2026 Emerging Threats Weekly

Apr 20, 2026

This week’s briefing covers:

00:00 – Intro

01:12 [MALWARE] A Coordinated Campaign Used 108 Chrome Extensions to Steal Sessions and User Data
Cybersecurity researchers have identified a coordinated campaign involving 108 malicious Google Chrome extensions operating under a shared C2 infrastructure at cloudapi[.]stream. The extensions were presented as legitimate productivity tools, games and utilities, but were designed to harvest sensitive browser data including cookies, session tokens and user identity information.

02:31 [VULNERABILITY] Microsoft April Patch Tuesday Includes an Exploited SharePoint Flaw and a Publicly Disclosed Defender Issue
Microsoft’s April 2026 Patch Tuesday release addressed a total of 168 security vulnerabilities across the Windows ecosystem, Microsoft Office, SharePoint, and Defender components. This month stands out not only for its size, but also for the presence of actively exploited and pre-disclosed vulnerabilities, which significantly increases the likelihood of rapid adversary weaponization.

03:40 [VULNERABILITY] Adobe Acrobat and Reader Zero-Day Was Reportedly Exploited for Months Before Patching
Adobe’s CVE-2026-34621 emerged as one of the week’s highest-priority document-handling vulnerabilities. Researcher Haifei Li is credited with discovering the exploit in use, describing the attack as “a highly sophisticated, fingerprinting-style PDF exploit.” Security Affairs reported that CISA added the flaw to KEV after Adobe issued emergency updates, while Haifei Li notes finding samples of the exploit in use for at least the past four months.

04:56 [THREAT ACTOR] APT37 Used Facebook and Telegram to Deliver a Trojanized PDF Viewer
Secondary reporting this week described a new APT37 campaign that starts with social engineering on Facebook and then shifts victims to Telegram for follow-up interaction. Bit Life Media, citing analysis from Genians Security Center, said the actor built trust through tailored conversations before offering purportedly confidential military or weapons-related documents.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
