Cyber Threat Brief — April 13 2026

⚠️ This report is AI-generated. Always validate findings.

1. Adobe Acrobat/Reader Prototype Pollution RCE — CVE-2026-34621

TL;DR: Adobe issued an emergency out-of-band patch (APSB26-43, April 11) for a prototype pollution flaw in the Acrobat JavaScript engine exploited in the wild since at least December 2025 via Russian-language oil/gas lure PDFs. CVSS 8.6, Priority 1.

What’s New:

  • CVE-2026-34621 now assigned to the previously unpatched zero-day tracked by EXPMON/Haifei Li (disclosed April 9); advisory CVSS revised from AV:N to AV:L on April 12
  • Exploit chain: malicious PDF → embedded JS (>10 KB) → prototype pollution → util.readFileIntoStream() local file read → RSS.addFeed() exfil to C2, receives second-stage JS for RCE
  • Known lure: Invoice540.pdf (SHA-256 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f), C2 169.40.2.68:45191, UA string Adobe Synchronizer
  • Affected: Acrobat Reader DC ≤ 26.001.21367 (fix: 26.001.21411), Acrobat 2024 ≤ 24.001.30356 (fix: 24.001.30362 Win / 24.001.30360 macOS)
  • Indicators in malicious PDFs: JS blobs >10 KB, multiple stream objects with identical checksums, executable content embedded in stream objects
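The file-content indicators above (JS blobs over 10 KB, the two API names, streams with identical checksums) are mechanical enough to check statically at a mail gateway or in a sandbox pre-filter. The script below is an added example written for this brief, not code from Adobe, EXPMON or the original report; it parses PDF stream objects with a regex, inflates FlateDecode streams, and scores the three indicators. The sample PDF it builds is constructed for illustration and is not the real Invoice540.pdf lure.

```python
"""Static triage of PDF JavaScript for the file-content indicators listed above.

Added example (not code from the brief, Adobe or EXPMON). It checks the three
indicators the brief names: JavaScript blobs over 10 KB, calls to
util.readFileIntoStream or RSS.addFeed, and several stream objects with
identical checksums. build_sample_pdf() assembles a constructed PDF for
illustration; it is not the real Invoice540.pdf lure.
"""
import hashlib
import re
import zlib
from collections import Counter, defaultdict

JS_SIZE_THRESHOLD = 10 * 1024                         # "JS blobs >10 KB"
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# "<num> <gen> obj <<dict>> stream\n<data>\nendstream"; the tempered dot stops
# the dictionary match from running across an unrelated object.
OBJ_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj|stream).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")    # "/JS 5 0 R": JS lives in object 5


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are left as stored."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw            # corrupt filter data: hash the stored bytes instead
    return raw


def triage_pdf(data: bytes) -> dict:
    """Return indicator hits for one PDF, keyed by indicator."""
    js_objects = {int(n) for n in JS_REF_RE.findall(data)}
    hits = {"large_js": [], "suspicious_api": defaultdict(list), "duplicate_streams": []}
    streams = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), decode_stream(m.group(2), m.group(3))
        streams.append((num, body, hashlib.sha256(body).hexdigest()))
    counts = Counter(digest for _, _, digest in streams)
    for num, body, digest in streams:
        if num in js_objects and len(body) > JS_SIZE_THRESHOLD:
            hits["large_js"].append(num)
        for api in SUSPICIOUS_APIS:
            if api.encode() in body:
                hits["suspicious_api"][api].append(num)
        if counts[digest] > 1:
            hits["duplicate_streams"].append(num)
    # Inline "/JS (code)" strings are not streams; catch API names there too.
    for api in SUSPICIOUS_APIS:
        if api.encode() in data and not hits["suspicious_api"].get(api):
            hits["suspicious_api"][api].append(None)
    hits["suspicious_api"] = dict(hits["suspicious_api"])
    return hits


def verdict(hits: dict) -> str:
    """Map hits to a gateway action; duplicates alone only warrant review."""
    if hits["large_js"] or hits["suspicious_api"]:
        return "block"
    if hits["duplicate_streams"]:
        return "review"           # fonts and images legitimately repeat
    return "clean"


def build_sample_pdf() -> bytes:
    """Constructed sample: one large FlateDecode JS stream naming both APIs,
    plus two identical padding streams. Marker text only, not a working script."""
    js = b"util.readFileIntoStream; RSS.addFeed; // constructed marker text\n"
    js += b"// padding\n" * 2000                      # push the blob past 10 KB
    comp = zlib.compress(js)
    dup = b"\x00" * 64
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(comp) + comp + b"\nendstream endobj\n",
        b"6 0 obj << /Length 64 >> stream\n" + dup + b"\nendstream endobj\n",
        b"7 0 obj << /Length 64 >> stream\n" + dup + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    result = triage_pdf(build_sample_pdf())
    print(verdict(result), result)
```

The regex-based object walk is deliberately tolerant: it does not follow the xref table, so it still sees objects in PDFs whose cross-reference data has been damaged to defeat stricter parsers. Only FlateDecode is inflated; a JS stream behind another filter would still be hashed and size-checked on its stored bytes.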

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| SHA-256 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f | Hash (lure PDF) | T1204.002 | EDR, email gateway, AV | Block |
| 169.40.2.68:45191 | IP:Port (C2) | T1071.001 | Firewall, proxy, Zeek conn.log | Block |
| UA string Adobe Synchronizer in non-Adobe network traffic | Network | T1071.001 | Proxy logs | Hunt — not a legitimate Adobe UA |
| AcroRd32.exe / Acrobat.exe making outbound connections to non-Adobe IPs | Process-Network | T1204.002 | EDR, Sysmon EID 3 | Alert |
| PDF files with embedded JS >10 KB and util.readFileIntoStream calls | File content | T1059.007 | Email gateway, sandbox | Block/quarantine |
| RSS.addFeed() calls in PDF JavaScript | File content | T1041 | Sandbox detonation logs | Alert — rarely used legitimately |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific to CVE-2026-34621 | Need: AcroRd32.exe spawning network connections to non-Adobe IPs; PDF email attachment with JS >10 KB |
| Elastic | Suspicious PDF Reader Child Process (partial) | Gap: no coverage for util.readFileIntoStream abuse or RSS.addFeed exfil |
| Sigma | None specific | Need: proc_creation_win_acrobat_reader_suspicious_network.yml for Reader outbound to non-Adobe destinations |
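The detection gap in the table (Reader or Acrobat making outbound connections to non-Adobe destinations) and the UA and C2 hunts from the Actionable Intel table can be prototyped before a Sigma or ESCU rule lands. The following is an added example written for this brief, not a vendor rule or code from the original report. It runs over Sysmon Event ID 3 records in a simplified JSON-lines shape and over proxy events as TSV; both samples are constructed. The Adobe destination allow-list and the internal network ranges are assumptions to replace with your own baseline.

```python
"""Reader outbound-connection and C2 indicator detection over sample logs.

Added example, not from the brief or from any vendor rule set. It covers the
Splunk/Sigma gap noted above (Acrobat/Reader outbound to non-Adobe
destinations) plus the UA and C2 hunts from the Actionable Intel table.
Sysmon EID 3 records are given in a simplified JSON-lines shape and proxy
events as TSV; both are constructed. The Adobe destination allow-list and
internal network ranges are assumptions to tune from your own baseline.
"""
import ipaddress
import json
from typing import List, Optional

READER_IMAGES = ("acrord32.exe", "acrobat.exe")
ADOBE_SUFFIXES = (".adobe.com", ".adobe.io", ".acrobat.com")      # assumed allow-list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
C2_IP, C2_PORT = "169.40.2.68", 45191          # C2 from the brief
BAD_UA = "Adobe Synchronizer"                  # UA from the brief; not a legitimate Adobe UA


def is_adobe_host(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == suffix[1:] or host.endswith(suffix) for suffix in ADOBE_SUFFIXES)


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_sysmon_eid3(event: dict) -> Optional[str]:
    """Alert when Reader/Acrobat connects anywhere not on the Adobe allow-list."""
    if event.get("EventID") != 3:
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in READER_IMAGES:
        return None
    ip, port = event.get("DestinationIp", ""), int(event.get("DestinationPort", 0))
    if ip == C2_IP and port == C2_PORT:
        return f"BLOCK: {image} -> known C2 {ip}:{port}"
    host = event.get("DestinationHostname", "")
    if (host and is_adobe_host(host)) or is_internal(ip):
        return None            # expected update/licensing traffic or intranet destinations
    return f"ALERT: {image} -> {ip}:{port} ({host or 'no reverse name'})"


def check_proxy_line(line: str) -> Optional[str]:
    """Proxy TSV columns (constructed shape): ts, src_ip, dst, dst_port, user_agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    _, src, dst, port, ua = parts[:5]
    if dst == C2_IP and port == str(C2_PORT):
        return f"BLOCK: {src} contacted known C2 {dst}:{port}"
    if ua.strip() == BAD_UA:
        return f"HUNT: '{BAD_UA}' UA from {src} to {dst}:{port}"
    return None


def run_detection(sysmon_jsonl: str, proxy_tsv: str) -> List[str]:
    findings = []
    for raw in sysmon_jsonl.splitlines():
        if raw.strip():
            hit = check_sysmon_eid3(json.loads(raw))
            if hit:
                findings.append(hit)
    for line in proxy_tsv.splitlines():
        hit = check_proxy_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_SYSMON = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\Reader\\AcroRd32.exe", "DestinationIp": "203.0.113.40", "DestinationPort": 443, "DestinationHostname": "example-update.adobe.com"}
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\Reader\\AcroRd32.exe", "DestinationIp": "169.40.2.68", "DestinationPort": 45191, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 443, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 443, "DestinationHostname": ""}
{"EventID": 1, "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\Reader\\AcroRd32.exe", "CommandLine": "AcroRd32.exe Invoice540.pdf"}
"""
SAMPLE_PROXY = (
    "2026-04-12T09:14:03Z\t10.0.5.21\t169.40.2.68\t45191\tAdobe Synchronizer\n"
    "2026-04-12T09:15:00Z\t10.0.5.22\twww.example.com\t443\tMozilla/5.0\n"
    "2026-04-12T09:16:10Z\t10.0.5.23\t203.0.113.9\t8080\tAdobe Synchronizer\n"
)

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_SYSMON, SAMPLE_PROXY):
        print(finding)
```

Reader legitimately talks to Adobe update, licensing and cloud services, so the allow-list is what keeps this from paging on every launch; build it from a few days of baseline EID 3 data rather than from a guess, and keep the C2 match ahead of the allow-list check so a spoofed reverse name cannot suppress it.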

Sources: Adobe APSB26-43 · The Hacker News · Help Net Security · SecurityWeek


2. APT28 FrostArmada — SOHO Router DNS Hijacking at Scale

TL;DR: Microsoft, NCSC-UK, and Lumen disclosed APT28/Forest Blizzard hijacking DNS on 5,000+ SOHO routers (MikroTik, TP-Link) to intercept M365 authentication tokens via AitM since August 2025. DOJ disrupted the US portion (Operation Masquerade) on April 7; Black Lotus Labs published IOCs.

What’s New:

  • Campaign codename FrostArmada (Lumen Black Lotus Labs); sub-group Storm-2754 handles router exploitation
  • Technique: exploit known vulns (e.g., CVE-2023-50224 on TP-Link WR841N) → modify DHCP/DNS settings to actor-controlled resolvers → downstream devices inherit poisoned DNS → targeted domain lookups (M365 login, email) redirected to AitM infrastructure → credential/token harvest
  • Tool: legitimate dnsmasq utility on actor VPS for DNS forwarding with selective poisoning on port 53
  • Scale: 200+ organizations, 5,000+ consumer devices, 18,000+ unique IPs at peak (Dec 2025), 120+ countries; primarily government, defense, law enforcement
  • DOJ Operation Masquerade: FBI sent commands to compromised US routers to reset DNS settings and block re-access, spanning 23+ US states
  • NCSC-UK advisory (April 7) includes VPS banner patterns, router models, domains, IPs, and MITRE ATT&CK mapping
  • IOCs continuously updated: Black Lotus Labs GitHub

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| FrostArmada IOC IP list (Black Lotus Labs GitHub) | IP addresses (malicious DNS resolvers) | T1584.001 | Firewall, DNS logs, router configs | Block — check all SOHO router DNS settings against this list |
| DNS queries to non-ISP/non-corporate resolvers from SOHO segments | Network | T1557.002 | DNS logs, NetFlow, Zeek dns.log | Hunt — SOHO devices should use corporate or known-good resolvers |
| dnsmasq banner on port 53 from unexpected IPs | Network | T1583.003 | Network scanning, Shodan/Censys | Hunt — actor VPS infrastructure fingerprint |
| DHCP-assigned DNS servers not matching corporate policy | Configuration | T1557.002 | DHCP logs, endpoint DNS config audit | Alert — primary detection for downstream compromise |
| Invalid/mismatched TLS certificates on M365 or email login pages | Network | T1557.002 | Proxy TLS inspection, browser cert logs | Alert — AitM indicator |
| CVE-2023-50224 exploitation attempts on TP-Link WR841N | Network | T1190 | IDS/IPS, router logs | Block |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific to FrostArmada | Need: DNS resolver configuration drift detection on endpoints; DHCP DNS mismatch alerting |
| Elastic | None specific | Gap: no SOHO DNS hijack detection; need DNS resolver validation rule |
| Sigma | None specific | Need: net_dns_config_change_suspicious_resolver.yml for non-corporate DNS resolver assignment |
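Both detection gaps above (resolver configuration drift and DHCP DNS mismatch) and the Zeek dns.log hunt from the Actionable Intel table reduce to the same comparison: which resolver did a client actually use, and is it on the approved list or the IOC list? The script below is an added example written for this brief, not code from Lumen, Microsoft or a vendor rule set. It parses Zeek dns.log by its `#fields` header and checks DHCP offer records against policy. The approved-resolver set is an assumption, the IOC resolver IPs are placeholders rather than the real FrostArmada list (that comes from the Black Lotus Labs GitHub), and every log line is constructed.

```python
"""DNS resolver drift detection over Zeek dns.log and DHCP offer records.

Added example, not from the brief, Lumen, or any vendor rule set. It covers
the two detection gaps listed above: DHCP-assigned DNS servers that do not
match corporate policy, and DNS traffic to resolvers outside the approved
set, escalated when the resolver is on an IOC list. APPROVED_RESOLVERS is
an assumed policy; IOC_RESOLVERS holds placeholder values, not the real
FrostArmada list; all sample log lines are constructed.
"""
from typing import Dict, List

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}            # assumed corporate policy
IOC_RESOLVERS = {"198.51.100.53", "203.0.113.53"}          # PLACEHOLDER IPs, not real IOCs
WATCH_DOMAINS = ("login.microsoftonline.com", "outlook.office365.com", "login.live.com")


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log using its #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def classify_resolver(ip: str) -> str:
    if ip in IOC_RESOLVERS:
        return "ioc"
    if ip in APPROVED_RESOLVERS:
        return "approved"
    return "unapproved"


def check_dns_log(text: str) -> List[str]:
    """id.resp_h in dns.log is the resolver the client actually used."""
    findings = []
    for r in parse_zeek_tsv(text):
        resolver = r.get("id.resp_h", "")
        status = classify_resolver(resolver)
        if status == "approved":
            continue
        sev = "BLOCK" if status == "ioc" else "HUNT"
        note = " [watched domain]" if r.get("query", "").lower() in WATCH_DOMAINS else ""
        findings.append(f"{sev}: {r.get('id.orig_h')} queried {r.get('query')} via {resolver}{note}")
    return findings


def check_dhcp_offers(text: str) -> List[str]:
    """Constructed DHCP offer records: 'ts<TAB>server_ip<TAB>client_mac<TAB>dns=ip,ip'."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or not parts[3].startswith("dns="):
            continue
        _, server, mac, opt = parts[:4]
        offered = set(opt[4:].split(","))
        bad = offered - APPROVED_RESOLVERS
        if bad:
            sev = "BLOCK" if bad & IOC_RESOLVERS else "ALERT"
            findings.append(f"{sev}: DHCP {server} offered {','.join(sorted(bad))} to {mac}")
    return findings


# Constructed samples (not real telemetry). A SOHO segment behind 192.168.88.1.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers\n"
    "1776063600.1\tC1\t192.168.88.10\t51000\t10.0.0.53\t53\tudp\twww.example.com\tA\t203.0.113.10\n"
    "1776063601.2\tC2\t192.168.88.11\t51001\t198.51.100.53\t53\tudp\tlogin.microsoftonline.com\tA\t203.0.113.77\n"
    "1776063602.3\tC3\t192.168.88.12\t51002\t1.1.1.1\t53\tudp\tmail.example.org\tA\t198.51.100.20\n"
)
SAMPLE_DHCP = (
    "2026-04-12T08:00:01Z\t192.168.88.1\taa:bb:cc:dd:ee:01\tdns=10.0.0.53,10.0.1.53\n"
    "2026-04-12T08:00:05Z\t192.168.88.1\taa:bb:cc:dd:ee:02\tdns=198.51.100.53,8.8.8.8\n"
)

if __name__ == "__main__":
    for finding in check_dns_log(SAMPLE_DNS_LOG) + check_dhcp_offers(SAMPLE_DHCP):
        print(finding)
```

The DHCP check is the earlier signal: a router whose DHCP scope now hands out an actor resolver poisons every client that renews, before any of them resolves a login domain. The dns.log check catches clients that were already poisoned, and the watched-domain note surfaces the M365 and mail lookups the campaign targets for AitM.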

Sources: Microsoft Security Blog · NCSC-UK Advisory · Lumen FrostArmada · DOJ Press Release · FBI IC3 PSA · Black Lotus Labs IOCs · Krebs on Security


Status Updates

  • CVE-2026-35616 (FortiClient EMS): Federal KEV deadline passed April 9; exploitation ongoing since March 31; only hotfix available — full fix 7.4.7 still pending. Original brief.
  • CVE-2026-1340 / CVE-2026-1281 (Ivanti EPMM): Federal KEV deadline passed April 11; mass exploitation continues; Ivanti RPM detection tool available for IOC scanning. Original brief.
  • CVE-2026-4681 (PTC Windchill): Still no patch; German police physically notifying affected orgs; CISA ICS advisory ICSA-26-085-03 active. Original brief.
  • CVE-2025-53521 (F5 BIG-IP APM / BRICKSTORM): UNC5221 exploitation ongoing; federal deadline passed March 30. Original brief.
  • CVE-2026-3055 (Citrix NetScaler): Active exploitation via SAMLRequest and /wsfed/passive paths; Metasploit module available; federal deadline passed April 2. Original brief.