[SIGNALS WEEKLY] Edge Devices, Identity Abuse, and KEV-Driven Exploitation Converge

The industry still talks like identity compromise begins at the login page. Meanwhile the path is edge box → DNS games → token theft → bad week for everyone pretending “strong auth” was the whole plan.

TL;DR

  • [Geopolitics/Infrastructure] Iran-linked actors are actively disrupting U.S. critical infrastructure by exploiting internet-exposed PLCs, while Russian GRU operations compromise SOHO routers to perform DNS hijacking and adversary-in-the-middle attacks against remote users.
  • [Vulnerabilities/Ransomware] Newly added CISA KEV flaws in Fortinet, Ivanti, Adobe Acrobat, and Microsoft Exchange are being rapidly weaponized—especially by Medusa-linked Storm-1175—against web-facing assets, compressing patch windows and driving ransomware risk.
  • [Identity/AppSec] Threat actors are scaling identity compromise via two main tracks: SEO/malvertising plus AiTM token theft (Storm-2755 “payroll pirates”) and automated abuse of device-code authentication flows, while a critical third-party Android SDK bug exposes a largely invisible mobile attack surface.

AlphaHunt


Current Stories

TL;DR

  • [Geopolitics/OT] Joint U.S. advisory (AA26-097A) warns Iran-affiliated actors are exploiting internet-exposed PLCs (incl. Rockwell/Allen‑Bradley), with confirmed operational disruption; prioritize eliminating direct exposure and validating OT remote-access boundaries.

  • [Geopolitics/Edge Devices] U.S. agencies and Microsoft detail a router-compromise → DNS hijacking → adversary-in-the-middle chain associated with Russian GRU activity; the risk is “upstream compromise” that can undermine otherwise strong cloud controls, especially for remote users.

  • [Vulnerabilities] CISA KEV additions this week reinforce two high-probability paths: internet-facing appliance/app exploitation (e.g., Fortinet SQLi CVE-2026-21643, Ivanti EPMM code injection CVE-2026-1340) and client-side/enterprise software weaponization (e.g., Adobe Acrobat CVE-2020-9715 / CVE-2026-34621, Microsoft Exchange CVE-2023-21529).

  • [Ransomware] Microsoft links Storm-1175 to high-tempo Medusa operations that rapidly weaponize newly disclosed vulnerabilities against web-facing assets; expect short exploit-to-impact timelines where perimeter hygiene and patch SLAs lag.

  • [Threat Actors/Identity] Microsoft reports Storm-2755 “payroll pirate” activity combining SEO poisoning/malvertising with AiTM token/session theft (defender priority: block traffic acquisition, and detect token replay and post-auth abuse). This is distinct from device-code phishing, which abuses the authentication flow itself and automates it (priority: constrain the flow and alert on anomalous device-code sign-ins).
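As an added example (not from the newsletter or from Microsoft), a small Python detector that applies the two identity priorities above to constructed sign-in records: it flags device-code sign-ins from outside a user's baseline countries, and one session appearing from two IPs within a short window, a cheap proxy for token replay. The record fields are an assumption loosely modeled on Entra-style sign-in logs, not a real schema.

```python
"""Flag anomalous device-code sign-ins and a simple token-replay pattern.

Added example: the record layout is a constructed simplification of
Entra-style sign-in logs; field names are an assumption, not a real schema.
"""
from datetime import datetime, timedelta

# Constructed baseline: countries each user normally signs in from.
BASELINE = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "CA"},
}

# Constructed sign-in events (RFC 5737 documentation IPs).
EVENTS = [
    {"ts": "2026-04-07T09:00:00", "user": "alice@example.com", "protocol": "authorizationCode",
     "country": "US", "ip": "203.0.113.10", "session": "s1"},
    {"ts": "2026-04-07T09:05:00", "user": "alice@example.com", "protocol": "deviceCode",
     "country": "NL", "ip": "198.51.100.7", "session": "s2"},
    {"ts": "2026-04-07T09:06:00", "user": "alice@example.com", "protocol": "deviceCode",
     "country": "NL", "ip": "198.51.100.8", "session": "s2"},  # same session, new IP
    {"ts": "2026-04-07T10:00:00", "user": "bob@example.com", "protocol": "deviceCode",
     "country": "CA", "ip": "192.0.2.5", "session": "s3"},
]

REPLAY_WINDOW = timedelta(minutes=30)


def find_anomalies(events, baseline, window=REPLAY_WINDOW):
    """Return sorted, de-duplicated (rule, user, session) findings.

    devicecode_new_country: device-code sign-in from outside the user's baseline.
    session_ip_change: one session seen from two IPs within `window`, a cheap
    proxy for a stolen token being replayed from attacker infrastructure.
    """
    findings = set()
    first_seen = {}  # session -> (ip, timestamp) of its earliest event
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        known = baseline.get(ev["user"], set())
        if ev["protocol"] == "deviceCode" and ev["country"] not in known:
            findings.add(("devicecode_new_country", ev["user"], ev["session"]))
        ip, t0 = first_seen.setdefault(ev["session"], (ev["ip"], ts))
        if ev["ip"] != ip and ts - t0 <= window:
            findings.add(("session_ip_change", ev["user"], ev["session"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, session in find_anomalies(EVENTS, BASELINE):
        print(f"{rule}: {user} session={session}")
```

Both rules fire only for alice's device-code session from a baseline country she has never used; bob's device-code sign-in from a baseline country is left alone.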
