April 7, 2026 Emerging Threats Weekly

Apr 7, 2026

This week’s briefing covers:

00:00 – Intro

01:12 [SUPPLY CHAIN] North Korea-Linked Axios NPM Compromise Spreads Cross-Platform Malware
Following last week's report of a supply chain attack against Trivy, further supply chain attacks against packages in public code repositories have been reported, this week including a compromise of the Axios npm package, attributed to North Korea-linked actors, that delivered cross-platform malware.

02:31 [CAMPAIGN] Fake CERT-UA Infrastructure Distributes AGEWHEEZE RAT to Ukrainian Institutions
Attackers impersonated the Ukrainian cyber agency CERT-UA in phishing emails and through a cloned website. Targets included government organizations, medical centers, educational institutions, financial institutions, security companies and software development firms across Ukraine.

03:40 [VULNERABILITY] FortiClient EMS CVE-2026-21643 Is Under Active Exploitation
A critical SQL injection flaw in FortiClient EMS 7.4.4 is being actively exploited in the wild. Fortinet assigned the issue a CVSS score of 9.1, and the reporting says the flaw enables unauthenticated remote command execution against exposed servers.

04:56 [VULNERABILITY] F5 reclassifies BIG-IP APM Flaw CVE-2025-53521 as Exploited Pre-Auth RCE
The Stack reported this week that CVE-2025-53521, a critical vulnerability in F5's BIG-IP Access Policy Manager, is now being actively exploited. The issue was originally patched in October 2025 as a denial of service flaw, but it has since been reclassified as a pre-authentication remote code execution vulnerability.

06:07 [MALWARE] XLoader Sharpens Obfuscation and Hides Real C2 Among Decoys
Zscaler researchers tracking XLoader builds write that the stealer is now up to version 8.7, continuing the family's evolution from FormBook. Since version 8.1, changes to the obfuscation within samples affect how encrypted functions are reconstructed, how constants are hidden and how reliably automated analysis can extract configuration parameters such as the real C2, which is now hidden among decoy domains.

07:35 [MALWARE] CrystalX RAT Emerges as MaaS Blending Surveillance, Theft and Prankware
Researchers report an active campaign promoting CrystalX RAT in private Telegram chats as a malware-as-a-service offering. The malware appears to have evolved from, or been rebranded from, "Webcrystal RAT," with promotion expanding to new Telegram and YouTube channels advertising a tiered subscription model.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder

#krollcyber #threatintelligence #cyberthreats