April Cyber Threat Download™

Pondurance
April 28, 2026

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Investigation data

Comprehensive data during a digital forensics and incident response investigation is what lets the team answer, with evidence rather than inference, the question of what actually happened during a cyber event. Team members recently investigated an event where having that data made a substantial difference to the outcome.


In early February, team members investigated what at first appeared to be an unauthorized access event originating from a virtual private network (VPN), but they soon realized they were dealing with CVE-2025-48983, a known exploited vulnerability. The flaw is a critical (CVSS 9.9) remote code execution vulnerability in the Mount Service of Veeam Backup & Replication. It is reachable by an authenticated domain user, which is why stolen Active Directory credentials for a low-privilege account were enough for the threat actors to get in.


The client ran SentinelOne's Deep Visibility module, which records process activity and every network connection the system makes or receives. That detailed telemetry let the team prove that this vulnerability was in fact exploited: the inbound network connection was visible one second before the malicious execution. From there, the team traced the VPN access, the connection to the backup Mount Service on TCP port 6170 on the Veeam server, the creation of a local user account, the harvesting of credentials from the backups, and the installation of Oracle VirtualBox, which the threat actors used to boot a virtual machine from a backup of the domain controller. A running copy of the domain controller gives an attacker the Active Directory database offline, without touching the live domain controller or generating logs on it. That level of visibility allowed the team to establish what happened during the attack and mitigate the associated risks.
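The chain above (inbound connection to the Mount Service, then a child process one second later) is a pattern that can be turned into a detection. The following Go program is an added example, not code from Pondurance or SentinelOne: it correlates constructed telemetry records of the kind an EDR exports, flagging a suspicious process spawned by the Mount Service when an inbound connection to port 6170 on the same host landed within a short window beforehand. The Mount Service image name `Veeam.Backup.MountService.exe`, the list of suspicious child binaries, and every event in `SampleEvents` are assumptions for illustration and should be checked against your own environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a constructed stand-in for one EDR telemetry record. It carries only
// the fields the correlation needs; real Deep Visibility records have many more.
type Event struct {
	Time    time.Time
	Kind    string // "netconn" for an inbound connection, "procstart" for process creation
	Host    string
	Parent  string // procstart: image name of the parent process
	Cmdline string // procstart: command line of the new process
	Src     string // netconn: remote address
	DstPort int    // netconn: local port that accepted the connection
}

// Finding links a suspicious child of the Mount Service to the inbound
// connection that preceded it.
type Finding struct {
	Host    string
	Src     string
	Cmdline string
	Gap     time.Duration
}

// Assumptions for this example: the image name follows Veeam's naming and the
// port is the Mount Service port from the write-up. Confirm both on your own
// servers before turning this into a production rule.
const (
	mountServiceImage = "Veeam.Backup.MountService.exe"
	mountServicePort  = 6170
)

// suspiciousChildren is a deliberately small starting list of binaries the
// Mount Service has no business spawning; extend it from your own baseline.
var suspiciousChildren = []string{"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "rundll32.exe"}

func isSuspiciousChild(cmdline string) bool {
	lower := strings.ToLower(cmdline)
	for _, b := range suspiciousChildren {
		if strings.Contains(lower, b) {
			return true
		}
	}
	return false
}

// CorrelateMountServiceExploitation flags a suspicious process spawned by the
// Mount Service when an inbound connection to the Mount Service port on the
// same host occurred no more than window before it. Events may arrive unsorted.
func CorrelateMountServiceExploitation(events []Event, window time.Duration) []Finding {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	var findings []Finding
	for i, e := range sorted {
		if e.Kind != "procstart" || !strings.EqualFold(e.Parent, mountServiceImage) || !isSuspiciousChild(e.Cmdline) {
			continue
		}
		// Walk backwards in time and stop as soon as we leave the window.
		for j := i - 1; j >= 0; j-- {
			c := sorted[j]
			gap := e.Time.Sub(c.Time)
			if gap > window {
				break
			}
			if c.Kind == "netconn" && c.Host == e.Host && c.DstPort == mountServicePort {
				findings = append(findings, Finding{Host: e.Host, Src: c.Src, Cmdline: e.Cmdline, Gap: gap})
				break
			}
		}
	}
	return findings
}

// SampleEvents is constructed telemetry modelled on the chain in the write-up:
// a VPN client reaches the Mount Service, which spawns a shell one second later
// that creates a local account. The other two events are benign noise.
func SampleEvents() []Event {
	t := time.Date(2026, 2, 3, 2, 14, 0, 0, time.UTC)
	return []Event{
		{Time: t.Add(2 * time.Second), Kind: "procstart", Host: "VEEAM01", Parent: mountServiceImage,
			Cmdline: `cmd.exe /c net user backupsvc2 Winter2026! /add`},
		{Time: t.Add(1 * time.Second), Kind: "netconn", Host: "VEEAM01", Src: "10.20.30.40", DstPort: mountServicePort},
		// Legitimate backup proxy traffic with no process activity afterwards.
		{Time: t.Add(-30 * time.Minute), Kind: "netconn", Host: "VEEAM01", Src: "10.0.5.12", DstPort: mountServicePort},
		// Mount Service child far outside the window: not tied to any connection.
		{Time: t.Add(20 * time.Minute), Kind: "procstart", Host: "VEEAM01", Parent: mountServiceImage, Cmdline: `cmd.exe /c whoami`},
	}
}

func main() {
	for _, f := range CorrelateMountServiceExploitation(SampleEvents(), 5*time.Second) {
		fmt.Printf("%s: %s -> Mount Service spawned %q %v after the connection\n", f.Host, f.Src, f.Cmdline, f.Gap)
	}
}
```

Run against the sample data, only the account-creation shell is reported; the proxy connection with no follow-on process and the child process twenty minutes from any connection are left alone. The window and the child-process list are the tuning knobs: widen the window if your EDR timestamps are coarse, and prune the list against what the Mount Service legitimately launches on your servers.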


From the data gathered, the team determined that the threat actors were initial access brokers. Initial access brokers gain a foothold in an environment and escalate privileges to domain administrator. They then leave the environment and sell that access to a larger ransomware operator, who returns later to deploy. The team, working with the client, contained the environment and eradicated the threat actors before they could cause further harm.


Notable vulnerabilities

As many as 4,811 newly disclosed vulnerabilities were reported in February. That is a large number for a single month, and the team expects the count to keep rising. Of those 4,811, 13 were zero-day vulnerabilities actively exploited across eight different products, including Notepad++, and six of the 13 were in Microsoft products. Proof-of-concept code was released online for four of the vulnerabilities, which raises the likelihood that threat actors will exploit the affected products.


As the monthly trend, the vulnerability management team discussed the vulnerability in the WinGUp updater shipped with Notepad++ versions 8.8.9 and earlier. The campaign began in July 2025, when a Chinese nation-state group exploited the flaw in a complex supply chain attack made up of three distinct attack chains. The weakness is a download of code without integrity check: WinGUp does not cryptographically verify the installer it fetches, so it has no way to tell whether the file was modified on the update server or in transit. A threat actor who can place a malicious file on the update infrastructure, or anywhere in the path between it and the client, gets that file downloaded and run by the updater on the user's machine. Proof-of-concept code was posted online on Feb. 10, and the Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Feb. 12. Notepad++ recommends that all users upgrade to version 8.9.1. Because the updater itself is the weak component, obtain the 8.9.1 installer directly from the project's official download page rather than through an in-app update check, and verify the published hash or signature before running it.
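What "cryptographically verify what's being installed" means in practice is shown by the added Go example below. It is not WinGUp's code or the Notepad++ fix; the `Manifest` format, the hypothetical URL, the stand-in installer bytes and the keys generated at run time are all assumptions for illustration. The hardened path binds the downloaded bytes to a manifest signed with a vendor key whose public half is compiled into the updater, which is exactly the check an updater without integrity verification lacks. `Demo` exercises the three cases worth testing: a genuine release, an installer swapped on the download host, and a manifest forged with an attacker's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor for this example, not WinGUp's
// real format. The vendor signs it offline with a key whose public half is
// built into the updater, so a compromised download host cannot mint one.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// SignManifest is the release-time step: serialize the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the check the vulnerable updater lacked. Order matters:
// authenticate the manifest first, then bind the downloaded bytes to it, and
// only then hand the installer back to the caller for execution.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest unreadable: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest carries a malformed digest")
	}
	sum := sha256.Sum256(installer)
	if subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return nil, errors.New("installer digest does not match signed manifest: refusing update")
	}
	return &m, nil
}

// Demo runs the three cases a practitioner should test. Keys are generated
// fresh and the installer bytes are a constructed stand-in.
func Demo() (genuineOK, swappedRejected, forgedRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("npp.8.9.1.Installer.x64.exe (constructed stand-in bytes)")
	digest := sha256.Sum256(installer)
	m := Manifest{Version: "8.9.1", URL: "https://example.invalid/npp.8.9.1.Installer.x64.exe", SHA256: hex.EncodeToString(digest[:])}
	manifestJSON, sig, _ := SignManifest(vendorPriv, m)

	// 1. Genuine release: manifest and installer both as published.
	_, err := VerifyUpdate(vendorPub, manifestJSON, sig, installer)
	genuineOK = err == nil

	// 2. Attacker replaces the installer on the download host and leaves the manifest alone.
	trojan := []byte("trojanized installer")
	_, err = VerifyUpdate(vendorPub, manifestJSON, sig, trojan)
	swappedRejected = err != nil

	// 3. Attacker also rewrites the manifest, signing it with a key they control.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := sha256.Sum256(trojan)
	forgedJSON, forgedSig, _ := SignManifest(attackerPriv, Manifest{Version: "8.9.2", URL: m.URL, SHA256: hex.EncodeToString(evil[:])})
	_, err = VerifyUpdate(vendorPub, forgedJSON, forgedSig, trojan)
	forgedRejected = err != nil
	return
}

func main() {
	g, s, f := Demo()
	fmt.Printf("genuine accepted=%v, swapped installer rejected=%v, forged manifest rejected=%v\n", g, s, f)
}
```

Two design points carry over to any real updater: the signing key must never live on the download host (otherwise case 3 succeeds), and the digest comparison happens on the bytes that will actually be executed, not on a file re-read from disk after the check, which would reopen a time-of-check/time-of-use window.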


During Microsoft Patch Tuesday in February, 59 reported vulnerabilities were addressed, a relatively low number. Five of those were rated critical, and six were zero-day vulnerabilities, including elevation of privilege, security feature bypass, and denial-of-service flaws.


In March, Microsoft Patch Tuesday addressed 82 reported vulnerabilities. Of those 82, eight were rated critical, including remote code execution and elevation of privilege flaws. No zero-day vulnerabilities were reported for the month.


Credential theft and measures for prevention

Threat actors most often gain initial access to networks by simply logging in with stolen credentials. Valid credentials let them bypass traditional security controls and evade detection while they take over accounts, steal data, deploy ransomware, and pursue their other objectives. The security operations center (SOC) team discussed two methods recently used in credential theft. Neither method is new, but both are increasing in frequency with the surge of artificial intelligence (AI)-enabled attacks.


  • Lumma malware. This infostealer harvests sensitive data such as passwords and bank account information. Threat actors spread it through phishing emails, fake downloads, malicious ads, and trojanized installers. The malware establishes persistence by adding files to the startup folder, modifying registry entries, and creating scheduled tasks. From there, it profiles the system, extracts saved login data from applications and browsers, and monitors the clipboard. It then exfiltrates the data to its command-and-control server, resulting in credential compromise and account takeover. The team emphasized that users should reset credentials on all compromised accounts, since anything the stealer could read must be assumed to be in the attacker's hands.

  • AI-enabled phishing. For years, threat actors have used phishing emails to trick victims into opening malicious attachments or visiting fake websites that harvest credentials. Those emails were often identifiable as fakes by their poor grammar and awkward language. With AI, phishing has evolved: the emails are now quite believable to targeted victims, because threat actors use scraped web data to personalize the content and generative AI to write convincing text.


The team offered several preventive measures to keep threat actors from successfully stealing credentials with Lumma malware and phishing. A comprehensive prevention program should cover endpoint hardening, email and web security, identity protection, and user and access controls. The team recommends patching, enforcing multifactor authentication, disabling browser-stored passwords (which infostealers target directly), and blocking unapproved apps and browser extensions, among other measures. Because AI-enabled phishing is so prevalent, organizations should also refresh user training so employees can recognize and report phishing attempts that no longer carry the old tell-tale language errors.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
