[SIGNALS WEEKLY] Edge Devices, Identity Abuse, and KEV-Driven Exploitation Converge

The industry still talks like identity compromise begins at the login page. Meanwhile the path is edge box → DNS games → token theft → bad week for everyone pretending “strong auth” was the whole plan.

TL;DR

  • [Geopolitics/Infrastructure] Iran-linked actors are actively disrupting U.S. critical infrastructure by exploiting internet-exposed PLCs, while Russian GRU operations compromise SOHO routers to perform DNS hijacking and adversary-in-the-middle attacks against remote users.
  • [Vulnerabilities/Ransomware] Newly added CISA KEV flaws in Fortinet, Ivanti, Adobe Acrobat, and Microsoft Exchange are being rapidly weaponized—especially by Medusa-linked Storm-1175—against web-facing assets, compressing patch windows and driving ransomware risk.
  • [Identity/AppSec] Threat actors are scaling identity compromise via two main tracks: SEO/malvertising plus AiTM token theft (Storm-2755 “payroll pirates”) and automated abuse of device-code authentication flows, while a critical third-party Android SDK bug exposes a largely invisible mobile attack surface.


Current Stories

TL;DR

  • [Geopolitics/OT] Joint U.S. advisory (AA26-097A) warns Iran-affiliated actors are exploiting internet-exposed PLCs (incl. Rockwell/Allen-Bradley), with confirmed operational disruption; prioritize eliminating direct exposure and validating OT remote-access boundaries.

  • [Geopolitics/Edge Devices] U.S. agencies and Microsoft detail a router-compromise → DNS hijacking → adversary-in-the-middle chain associated with Russian GRU activity; the risk is “upstream compromise” that can undermine otherwise strong cloud controls, especially for remote users.

  • [Vulnerabilities] CISA KEV additions this week reinforce two high-probability paths: internet-facing appliance/app exploitation (e.g., Fortinet SQLi CVE-2026-21643, Ivanti EPMM code injection CVE-2026-1340) and client-side/enterprise software weaponization (e.g., Adobe Acrobat CVE-2020-9715 / CVE-2026-34621, Microsoft Exchange CVE-2023-21529).

  • [Ransomware] Microsoft links Storm-1175 to high-tempo Medusa operations that rapidly weaponize newly disclosed vulnerabilities against web-facing assets; expect short exploit-to-impact timelines where perimeter hygiene and patch SLAs lag.

  • [Threat Actors/Identity] Microsoft reports Storm-2755 “payroll pirate” activity using SEO poisoning/malvertising plus AiTM token/session theft (defender priority: block the traffic-acquisition stage, and detect token replay and post-auth abuse), distinct from device-code phishing, which abuses the auth flow itself and scales it with automation (priority: constrain the flow and alert on anomalous device-code sign-ins).
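The two detection priorities in the identity bullet above (token replay after AiTM theft, and anomalous or automated device-code sign-ins) can be expressed as simple rules over sign-in telemetry. The block below is an added example written for this newsletter issue, not code from Microsoft or from the original page; the event schema (`ts`, `user`, `session`, `ip`, `country`, `auth`, `action`), the sensitive-action list, thresholds, and every sample event are constructed assumptions, and real identity-provider logs use different field names.

```python
"""Detection sketch: AiTM token replay and anomalous device-code sign-ins.

Added example; schema, thresholds and sample events are constructed for
illustration and do not correspond to any vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one AiTM replay chain (alice), one device-code
# automation burst (carol/dave/erin from one IP), and benign activity (bob).
EVENTS = [
    {"ts": "2026-04-07T09:00:00", "user": "alice", "session": "S-111", "ip": "203.0.113.10",
     "country": "US", "auth": "password+mfa", "action": "sign_in"},
    # Same session reused from another country minutes later, no fresh MFA: replay.
    {"ts": "2026-04-07T09:04:00", "user": "alice", "session": "S-111", "ip": "198.51.100.77",
     "country": "NL", "auth": "session_cookie", "action": "sign_in"},
    {"ts": "2026-04-07T09:06:00", "user": "alice", "session": "S-111", "ip": "198.51.100.77",
     "country": "NL", "auth": "session_cookie", "action": "payroll_direct_deposit_update"},
    {"ts": "2026-04-07T10:00:00", "user": "bob", "session": "S-222", "ip": "203.0.113.20",
     "country": "US", "auth": "password+mfa", "action": "sign_in"},
    # Device-code sign-ins for several users from one IP within minutes: automation.
    {"ts": "2026-04-07T11:00:00", "user": "carol", "session": "S-333", "ip": "192.0.2.5",
     "country": "DE", "auth": "device_code", "action": "sign_in"},
    {"ts": "2026-04-07T11:02:00", "user": "dave", "session": "S-444", "ip": "192.0.2.5",
     "country": "DE", "auth": "device_code", "action": "sign_in"},
    {"ts": "2026-04-07T11:03:00", "user": "erin", "session": "S-555", "ip": "192.0.2.5",
     "country": "DE", "auth": "device_code", "action": "sign_in"},
    # Device-code sign-in from bob's usual country: low signal, not flagged.
    {"ts": "2026-04-07T12:00:00", "user": "bob", "session": "S-666", "ip": "203.0.113.20",
     "country": "US", "auth": "device_code", "action": "sign_in"},
    # Device-code sign-in from a country bob has no baseline in: flagged.
    {"ts": "2026-04-07T13:00:00", "user": "bob", "session": "S-777", "ip": "198.51.100.200",
     "country": "BR", "auth": "device_code", "action": "sign_in"},
]

# Post-auth actions worth correlating with a replayed session (constructed list).
SENSITIVE_ACTIONS = {"payroll_direct_deposit_update", "mailbox_rule_create", "mfa_method_add"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_token_replay(events, window=timedelta(hours=1)):
    """Flag a session identifier reused from a different IP within `window` of its
    first sighting, and list sensitive actions performed in that session afterwards."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        first = evs[0]
        for e in evs[1:]:
            if e["ip"] != first["ip"] and parse_ts(e["ts"]) - parse_ts(first["ts"]) <= window:
                post_auth = [x["action"] for x in evs
                             if parse_ts(x["ts"]) >= parse_ts(e["ts"])
                             and x["action"] in SENSITIVE_ACTIONS]
                alerts.append({"rule": "token_replay", "user": e["user"], "session": sid,
                               "from": first["ip"], "to": e["ip"], "post_auth": post_auth})
                break
    return alerts


def detect_device_code_abuse(events, window=timedelta(minutes=15), min_users=3):
    """Flag (a) one source IP completing device-code sign-ins for >= `min_users`
    distinct users inside `window`, and (b) a device-code sign-in from a country
    absent from the user's non-device-code sign-in baseline."""
    dc = sorted((e for e in events if e["auth"] == "device_code"), key=lambda e: parse_ts(e["ts"]))
    alerts = []
    by_ip = defaultdict(list)
    for e in dc:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if parse_ts(x["ts"]) - parse_ts(start["ts"]) <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "device_code_burst", "ip": ip, "users": sorted(users)})
                break
    baseline = defaultdict(set)
    for e in events:
        if e["auth"] != "device_code":
            baseline[e["user"]].add(e["country"])
    for e in dc:
        if baseline[e["user"]] and e["country"] not in baseline[e["user"]]:
            alerts.append({"rule": "device_code_new_country", "user": e["user"],
                           "ip": e["ip"], "country": e["country"]})
    return alerts


def run_all(events=EVENTS):
    return detect_token_replay(events) + detect_device_code_abuse(events)


if __name__ == "__main__":
    for a in run_all():
        print(a)
```

The replay rule keys on the session identifier rather than on the user, because an AiTM proxy hands the attacker the very same session the victim just established; the post-auth correlation is what turns a geo-anomaly into a payroll-diversion alert. The device-code burst rule is deliberately per-IP and cross-user, since the abuse described above is automated rather than targeted at one account; tune `window` and `min_users` to the tenant's baseline before enabling it.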
