TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Weekly Threat Bulletin – April 8th, 2026

2026-04-08

ATT&CK techniques detected

24 predictions
T1068 Exploitation for Privilege Escalation · 99%
“…post-compromise. Concurrently, the Warlock group, also known as Water Manaul, exploits unpatched Microsoft SharePoint servers and uses a vulnerable "nseckrnl.sys" driver in BYOVD attacks to terminate security products at the kernel level, replacing previously used drivers, a…”

T1486 Data Encrypted for Impact · 98%
“…/2026/04/qilin-and-warlock-ransomware-use.html https://www.hendryadrian.com/ransom-agencavi-srl-mar-2026/ https://www.hendryadrian.com/ransom-alarmco-mar-2026/ https://www.hendryadrian.com/ransom-arca-service-mar-2026…”

T1190 Exploit Public-Facing Application · 98%
“…flaw (CWE-284) enables an unauthenticated attacker to execute unauthorized code or commands via crafted requests, thereby bypassing API authentication and authorization. Active exploitation of this vulnerability has been confirmed in the wild, with initial exploitation attemp…”

T1190 Exploit Public-Facing Application · 97%
“…/forticlient-ems-zero-day-cve-2026-35616/ https://www.hendryadrian.com/new-forticlient-ems-flaw-exploited-in-attacks-emergency-patch-released/ https://www.securityweek.com/fortinet-rushes-emergency-fixes-for-exploited-z…”

T1486 Data Encrypted for Impact · 97%
“…://www.hendryadrian.com/ransom-von-weise-associates-mar-2026/ https://www.hendryadrian.com/ransom-wal-consultant-mar-2026/ https://www.hipaajournal.com/data-breaches-corewell-health-rocky-mountain-care/”

T1486 Data Encrypted for Impact · 96%
“https://www.hendryadrian.com/ransom-millerfoto-mar-2026/ https://www.hendryadrian.com/ransom-muffett-mar-2026/ https://www.hendryadrian.com/ransom-nanxun-enterprise-co-ltd-mar-2026/ https://www.hendryadrian.com/ransom-n…”

T1486 Data Encrypted for Impact · 96%
“…com/ransom-seeing-machines-jan-2026/ https://www.hendryadrian.com/ransom-seram-spa-mar-2026/ https://www.hendryadrian.com/ransom-service-star-freightways-mar-2026/ https://www.hendryadrian.com/ransom-shwapno-mar-2026/ …”

T1190 Exploit Public-Facing Application · 94%
“…world.com/news/apple-expands-updates-to-ios-18-devices-affected-by-darksword-exploit https://www.securitylab.ru/news/570569.php https://www.securitylab.ru/news/570747.php https://www.securitylab.ru/news/571076.php https…”

T1486 Data Encrypted for Impact · 94%
“…mar-2026/ https://www.hendryadrian.com/ransom-grupo-coril-mar-2026/ https://www.hendryadrian.com/ransom-hollu-systemhygiene-mar-2026/ https://www.hendryadrian.com/ransom-jursaconsulting-apr-2026/ https://www.hendryadrian.c…”

T1068 Exploitation for Privilege Escalation · 93%
“…-zones-controller-cve-2026-2699/ https://www.thehackerwire.com/cve-2026-2701-authenticated-rce-via-malicious-file-upload/ Qilin and Warlock ransomware use vulnerable drivers to disable 300+ EDR tools. Qilin and Warlock ransomware operations are…”

T1486 Data Encrypted for Impact · 93%
“…-2026/ https://www.hendryadrian.com/ransom-chek-news-apr-2026/ https://www.hendryadrian.com/ransom-chickasaw-holding-mar-2026/ https://www.hendryadrian.com/ransom-dielco-mar-2026/ https://www.hendryadrian.com/ransom-doc…”

T1190 Exploit Public-Facing Application · 88%
“…inet to all identified FortiClient EMS instances running versions 7.4.5 and 7.4.6. - If patching cannot be performed immediately, restrict network access to the FortiClient EMS management interface to only trusted IP addresses and administrative subnets using firewall rules…”

T1190 Exploit Public-Facing Application · 87%
“…chain of vulnerabilities in Progress ShareFile Storage Zone Controller branch 5.x, specifically version 5.12.3 and earlier, leading to pre-authenticated remote code execution (RCE), resolved in version 5.12.4 on March 10, 2026. The first vulnerability, CVE-2026-2699,…”

T1525 Implant Internal Image · 78%
“…m roles and service account permissions in cloud and on-premise environments to enforce the principle of least privilege, ensuring applications only have the minimum access required. - Integrate automated secret scanning tools into your CI/CD pipelines and source code repos…”

T1588.006 Vulnerabilities · 72%
“…covers all critical infrastructure, including management servers, to proactively identify and prioritize patching before vulnerabilities are actively exploited. - Deploy a web application firewall (WAF) in front of critical web-based management interfaces to monitor, filter, …”

T1068 Exploitation for Privilege Escalation · 72%
“…the malicious file 'msimg32.dll', particularly in relation to DLL side-loading events. - Use your EDR or SIEM to hunt for the presence or loading of the driver file 'rwdrv.sys' or 'throttlestop.sys' on endpoints. - Use your EDR or SIEM to hunt for the presence or loadi…”

T1525 Implant Internal Image · 58%
“…selling access. Organizations are advised to audit environments for least privilege, enable secret scanning, avoid SSH key reuse, implement IMDSv2 enforcement on AWS EC2 instances, and rotate credentials if compromise is suspected. Severity: Critical. Threat details and IOCs. Miti…”

T1190 Exploit Public-Facing Application · 51%
“…can set the `network share location` to a webroot directory (e.g., `c:\inetpub\wwwroot\sharefile\storagecenter\documentum`) and then upload a zip file containing an ASPX webshell to `/upload.aspx` with the `unzip=true` parameter. This upload requires cal…”

T1190 Exploit Public-Facing Application · 48%
“…covers all critical infrastructure, including management servers, to proactively identify and prioritize patching before vulnerabilities are actively exploited. - Deploy a web application firewall (WAF) in front of critical web-based management interfaces to monitor, filter, …”

T1588.006 Vulnerabilities · 48%
“…intelligence/darksword-ios-exploit-chain/ https://cyberguy.com/security/darksword-leak-millions-iphone-users-risk/ https://cyberinsider.com/apple-expands-darksword-protections-to-more-iphones-with-ios-18-7-7-update/ htt…”

T1204.002 Malicious File · 44%
“…com/darkstorm-infostealer-targeting-iphones https://securityonline.info/active-exploits-cisa-adds-craft-cms-apple-darksword-flaws-kev/ https://securityonline.info/apple-ios-18-7-7-update-darksword-exploit-kit-fix/ https…”

T1587.004 Exploits · 37%
“…/vuln/cve-2025-31277 https://exploit-intel.com/vuln/cve-2025-43510 https://exploit-intel.com/vuln/cve-2025-43520 https://gbhackers.com/apple-ios-18-7-7-update-defend-against-darksword-exploit/ https://gbhackers.c…”

T1587.004 Exploits · 31%
“…com/darkstorm-infostealer-targeting-iphones https://securityonline.info/active-exploits-cisa-adds-craft-cms-apple-darksword-flaws-kev/ https://securityonline.info/apple-ios-18-7-7-update-darksword-exploit-kit-fix/ https…”

T1190 Exploit Public-Facing Application · 30%
“…they are included in the scope of the vulnerability management program for frequent scanning and prioritized patching. https://buaq.net/go-407240.html https://cyberveille.esante.gouv.fr/alertes/progress-sharefile-cve-2026-2699-2026-04-03 https:…”

Summary

These are the top threats you should know about this week.