TTPwire Vol. 1 · MITRE ATT&CK Tagged


The Hacker News

ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories

The Hacker News · 2026-04-23

ATT&CK techniques detected

22 predictions
T1190 Exploit Public-Facing Application (99%)
“feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup). This tricked the Ethereum contract into releasing funds based on a phantom token 'burn' on the source chain. "It's worth noting that TraderTraitor was attributed to the mega b…”
T1195.001 Compromise Software Dependencies and Development Tools (95%)
“. "CVE-2026-27174 saw exploitation that ended in a Metasploit php/meterpreter/reverse_tcp staged payload." Other vulnerabilities that have witnessed exploitation efforts include CVE-2025-22952, an SSRF in Elestio Memos, and CVE-2024-57046, an authentication by…”
T1486 Data Encrypted for Impact (92%)
“and Handala, "constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles." - Ransomware infighting escalates: the Krybit ransomware group has hacked the website of rival r…”
T1204.002 Malicious File (89%)
“has been found to leverage a loader to deliver Gh0st RAT trojan and CloverPlus adware, an unwanted software designed to install advertising components and change browser behavior, such as startup pages and pop-up ads, per Splunk. - macOS stealth execution abuse: in a new analysi…”
T1204.002 Malicious File (88%)
“signed Intel utility (iastorhelp.exe) by abusing the .NET AppDomainManager mechanism, effectively turning a trusted binary into a stealthy execution container," CYFIRMA said. "This approach allows malicious code to be executed within a trusted environment. It bypasses conven…”
T1176.001 Browser Extensions (87%)
“suspected organizer of the network has been detained in the northern city of Zhytomyr, and nearly 20,000 fraudulent online profiles that were used in information operations have been blocked. The suspect is believed to have sold more than 3,000 fake Telegram accounts each month…”
T1098.004 SSH Authorized Keys (85%)
“reconnaissance, and implant an SSH backdoor by injecting the attacker's public key into ~/.ssh/authorized_keys, deliver an information stealer, and spread the XWorm remote access trojan (RAT). The packages published under the "@fairwords" scope have also been found to…”
T1090.003 Multi-hop Proxy (81%)
“by exploiting human curiosity," CyberProof said. "The primary objective of a Silent Subject campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especia…”
T1566.002 Spearphishing Link (71%)
“credential RCE chain: VulnCheck said it's seeing active exploitation of the Apache ActiveMQ Jolokia remote code execution chain that strings together CVE-2026-34197 and CVE-2024-32114. "CVE-2024-32114 removes authentication from the Jolokia endpoint entirely on Acti…”
T1176 Software Extensions (66%)
“suspected organizer of the network has been detained in the northern city of Zhytomyr, and nearly 20,000 fraudulent online profiles that were used in information operations have been blocked. The suspect is believed to have sold more than 3,000 fake Telegram accounts each month…”
T1055.001 Dynamic-link Library Injection (60%)
“[.]net). "For $800 to $2,000 per month, subscribers upload an arbitrary Windows executable and receive a multi-stage deployment package that attempts automatic DLL sideloading, in-memory AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender…”
T1195.001 Compromise Software Dependencies and Development Tools (60%)
“reconnaissance, and implant an SSH backdoor by injecting the attacker's public key into ~/.ssh/authorized_keys, deliver an information stealer, and spread the XWorm remote access trojan (RAT). The packages published under the "@fairwords" scope have also been found to…”
T1090.003 Multi-hop Proxy (57%)
“5G modems. The phones are enrolled via an unsigned Android APK package downloaded from the ProxySmart website, with SMS send and receive capability included. Modems are managed through ModemManager, an open-source USB dongle management tool. The ProxySmart service is written in…”
T1090.002 External Proxy (57%)
“by exploiting human curiosity," CyberProof said. "The primary objective of a Silent Subject campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especia…”
T1587 Develop Capabilities (56%)
“. "CVE-2026-27174 saw exploitation that ended in a Metasploit php/meterpreter/reverse_tcp staged payload." Other vulnerabilities that have witnessed exploitation efforts include CVE-2025-22952, an SSRF in Elestio Memos, and CVE-2024-57046, an authentication by…”
T1204.002 Malicious File (49%)
“[.]net). "For $800 to $2,000 per month, subscribers upload an arbitrary Windows executable and receive a multi-stage deployment package that attempts automatic DLL sideloading, in-memory AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender…”
T1584.005 Botnet (42%)
“at a time when international gateways were effectively blocked or inaccessible; therefore, attributing this chain collapse to 'a simple cyber attack from beyond the borders' is not only unconvincing but also reveals the traces of deep-seated sabotage embedded within the equi…”
T1195.003 Compromise Hardware Supply Chain (41%)
“at a time when international gateways were effectively blocked or inaccessible; therefore, attributing this chain collapse to 'a simple cyber attack from beyond the borders' is not only unconvincing but also reveals the traces of deep-seated sabotage embedded within the equi…”
T1592 Gather Victim Host Information (35%)
“leak site in the conventional sense, but a post-exfiltration service layer," Flare said. "It is trying to reassure both suppliers and buyers that the platform can solve the most frustrating part of data theft, which is that a large percentage of exfiltrated material is too no…”
T1657 Financial Theft (33%)
“and Handala, "constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles." - Ransomware infighting escalates: the Krybit ransomware group has hacked the website of rival r…”
T1218 System Binary Proxy Execution (32%)
“signed Intel utility (iastorhelp.exe) by abusing the .NET AppDomainManager mechanism, effectively turning a trusted binary into a stealthy execution container," CYFIRMA said. "This approach allows malicious code to be executed within a trusted environment. It bypasses conven…”
T1055.001 Dynamic-link Library Injection (32%)
“has been found to leverage a loader to deliver Gh0st RAT trojan and CloverPlus adware, an unwanted software designed to install advertising components and change browser behavior, such as startup pages and pop-up ads, per Splunk. - macOS stealth execution abuse: in a new analysi…”

Summary

You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work.