April 27, 2026 Emerging Threats Weekly

This week’s briefing covers:

00:00 – Intro

01:00 [SUPPLY CHAIN] Vercel Breach Traced To Compromised Context.ai OAuth Access
The recent breach of Vercel, a major cloud platform used to build and deploy modern web applications, further highlights the supply-chain risk that comes with trusted SaaS and AI tooling. Vercel develops widely used technologies including Next.js, the Vercel AI SDK, Turborepo and the broader Vercel ecosystem, which collectively see tens of millions of downloads per week and support a significant portion of modern web and CI/CD pipelines.

04:33 [VULNERABILITY] Apache ActiveMQ and Cisco SD-WAN Exploitation
Bleeping Computer reported that more than 6,400 internet-exposed Apache ActiveMQ servers are vulnerable to attacks exploiting CVE-2026-34197, a high-severity code injection flaw in the widely used message broker.

07:00 [SOCIAL ENGINEERING] Microsoft Teams and Quick Assist Abused in Helpdesk Impersonation Intrusions
Microsoft’s April 2026 Patch Tuesday release addressed a total of 168 security vulnerabilities across the Windows ecosystem, Microsoft Office, SharePoint, and Defender components. This month stands out not only for its size, but also for the presence of actively exploited and pre-disclosed vulnerabilities, which significantly increases the likelihood of rapid adversary weaponization.

09:05 [RANSOMWARE] The Gentlemen Expands Through Affiliate-Led Attacks Tied To SystemBC Infrastructure
Recent reporting on The Gentlemen Ransomware-as-a-Service operation shows a more mature affiliate model than many newer brands. A DFIR write-up says an affiliate already holding domain administrator access used layered tooling including Cobalt Strike, attempted SystemBC proxy deployment, and then distributed the encryptor through group policy for near-simultaneous execution across the domain.
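The group-policy deployment described above leaves a distinctive telemetry shape: the same binary starts on many hosts within seconds of each other. The script below is an added example (not code from the briefing or from the DFIR write-up it cites) that flags such fan-out over constructed process-creation events; the host names, image paths and the `sha256-placeholder-*` values are invented, and the thresholds are assumptions a defender would tune to their estate.

```python
"""Flag near-simultaneous execution of one binary across many hosts.

Added example with constructed data: the events below imitate
process-creation records (host, timestamp, image path, file hash) and
are not real telemetry. Hash values are obvious placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight workstations start the same SYSVOL-hosted binary
# within 35 seconds, which is what a GPO-scheduled rollout looks like.
EVENTS = [
    {
        "host": f"WS-{i:02d}",
        "time": f"2026-04-20T03:00:{i * 5:02d}",
        "image": r"\\corp.example\SYSVOL\corp.example\scripts\deploy.exe",
        "sha256": "sha256-placeholder-A",
    }
    for i in range(8)
]
# Constructed benign control: a vendor updater on three hosts spread over two hours.
EVENTS += [
    {"host": "FIN-01", "time": "2026-04-20T08:00:00",
     "image": r"C:\Program Files\Vendor\updater.exe", "sha256": "sha256-placeholder-B"},
    {"host": "FIN-02", "time": "2026-04-20T09:00:00",
     "image": r"C:\Program Files\Vendor\updater.exe", "sha256": "sha256-placeholder-B"},
    {"host": "FIN-03", "time": "2026-04-20T10:00:00",
     "image": r"C:\Program Files\Vendor\updater.exe", "sha256": "sha256-placeholder-B"},
]


def find_fanout(events, min_hosts=5, window=timedelta(minutes=2)):
    """Return {sha256: alert} for hashes seen on >= min_hosts distinct hosts
    inside any window of the given length. Thresholds are assumptions."""
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["sha256"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = {}
    for digest, items in by_hash.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            hosts = set()
            last = start
            # Sliding window anchored at each event; stop once past the window.
            for ts, ev in items[i:]:
                if ts - start > window:
                    break
                hosts.add(ev["host"])
                last = ts
            if len(hosts) >= min_hosts:
                image = items[i][1]["image"]
                alerts[digest] = {
                    "image": image,
                    # Extra signal: a SYSVOL origin is consistent with GPO delivery.
                    "from_sysvol": "\\sysvol\\" in image.lower(),
                    "hosts": sorted(hosts),
                    "span_seconds": int((last - start).total_seconds()),
                }
                break
    return alerts


if __name__ == "__main__":
    for digest, alert in find_fanout(EVENTS).items():
        print(digest, alert)
```

The benign updater never trips the rule because its three executions are hours apart and below the host threshold; the SYSVOL binary does, and the `from_sysvol` flag tells the analyst where to look first (the linked GPO and who last edited it).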

10:36 [MALWARE] LOTUS Wiper Used Against Venezuelan Energy and Utility Organizations
A previously undocumented wiper called LOTUS was used last year in targeted attacks against Venezuelan energy and utility organizations.

The attack chain invokes two preparatory batch scripts before the final wiper stage. Those scripts disable services, enumerate users, change passwords, log off sessions, disable network interfaces and begin destructive actions with diskpart, robocopy and fsutil before the final payload is launched.
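The preparatory scripts described above combine several individually mundane administrative actions; it is the cluster of them on one host in a short window that is the signal. The script below is an added example (not code from the briefing or from the researchers who documented LOTUS) that scores constructed process-creation events by behaviour category and alerts when a host shows several categories plus a destructive tool inside a time window. The regexes are assumptions about how each behaviour typically appears on a Windows command line, the sample events are invented, and the thresholds are tuning knobs.

```python
"""Heuristic detection of wiper-style preparatory batch activity.

Added example with constructed data: the EVENTS below imitate
process-creation records (Sysmon Event ID 1 style fields) and are not
real telemetry. Category patterns are assumptions about typical
command-line shapes for the behaviours the briefing lists.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each category is a list of regexes applied to the lower-cased command line.
CATEGORIES = {
    "service_disable": [r"\bsc(\.exe)?\s+(stop|config)\b", r"\bnet(\.exe)?\s+stop\b"],
    "user_enum":       [r"\bnet(\.exe)?\s+(user|localgroup)(\s+\S+)?\s*$"],
    "password_change": [r"\bnet(\.exe)?\s+user\s+\S+\s+\S+"],
    "logoff":          [r"\blogoff(\.exe)?\b", r"\bshutdown(\.exe)?\s+.*?/l\b"],
    "nic_disable":     [r"\bnetsh(\.exe)?\s+interface\s+.*\bdisable\b"],
    "destructive":     [r"\bdiskpart(\.exe)?\b", r"\bfsutil(\.exe)?\b",
                        r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in CATEGORIES.items()}

# Constructed sample events. OT-HMI-01 shows the full preparatory chain;
# FIN-WS-07 shows an admin listing users and running a mirror backup.
EVENTS = [
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "sc stop HistorianSvc"},
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:05", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user"},
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:09", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user operator Xy9!changed"},
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:12", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "logoff 2"},
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:15", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "OT-HMI-01", "time": "2026-04-20T02:00:20", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "diskpart /s script.txt"},
    {"host": "FIN-WS-07", "time": "2026-04-20T09:15:00", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user"},
    {"host": "FIN-WS-07", "time": "2026-04-20T09:16:00", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"robocopy D:\Data E:\Backup /mir"},
]


def classify(command_line):
    """Return the set of behaviour categories a command line matches."""
    text = command_line.lower().strip()
    return {cat for cat, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def detect(events, window=timedelta(minutes=30), min_categories=3):
    """Return {host: alert} for hosts whose cmd.exe-spawned processes hit
    >= min_categories distinct categories, including 'destructive', within
    the window. The cmd.exe parent filter reflects the batch-script delivery
    described in the briefing and is an assumption for other tradecraft."""
    by_host = defaultdict(list)
    for ev in events:
        if not ev["parent_image"].lower().endswith("cmd.exe"):
            continue
        cats = classify(ev["command_line"])
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cats))

    alerts = {}
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            seen, last = set(), start
            for ts, cats in items[i:]:
                if ts - start > window:
                    break
                seen |= cats
                last = ts
            if "destructive" in seen and len(seen) >= min_categories:
                alerts[host] = {"categories": sorted(seen),
                                "first_seen": start.isoformat(),
                                "last_seen": last.isoformat()}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in detect(EVENTS).items():
        print(host, alert)
```

The finance workstation only reaches two categories (user listing plus a mirror copy), so it stays under the threshold, while the HMI host accumulates six in twenty seconds. The point of scoring categories rather than individual commands is that each tool here has legitimate uses; only the combination, on a host that normally sees none of them, justifies paging someone.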

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder

#krollcyber #threatintelligence #cyberthreats