Tags: Threat intelligence
08 April 2026

Weekly Summary of Cyberattacks, 2-8 April

“NoVoice” Android Malware on Google Play Infects 2.3 Million Devices

According to information dated March 31, 2026, a newly discovered Android malware called NoVoice has infected over 2.3 million devices through more than 50 apps on Google Play. Researchers identified the campaign but could not attribute it to a specific group. However, they noted similarities to the Triada Android trojan. The apps, which included cleaners, photo galleries, and games, appeared legitimate, required no suspicious permissions, and worked as advertised. Once installed, the malware attempted to gain root access by exploiting older Android vulnerabilities patched between 2016 and 2021. Analysts observed 22 different exploits used to gain root access. Once successful, the malware disables key security protections like SELinux and replaces critical system libraries with malicious versions that intercept system activity. It also ensures persistence by embedding itself deeply into the system, including areas unaffected by factory resets. A watchdog process continuously monitors and reinstalls the malware if anything is removed. Google has removed the malicious apps from Google Play following the report on the operation. Given that the malware relies on older vulnerabilities, updating to a device with recent security patches can effectively protect against this threat. Users are also advised to install apps only from trusted developers, even when using official app stores.

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

According to information dated April 3, 2026, a coordinated npm supply chain campaign leveraged 36 malicious packages masquerading as Strapi CMS plugins to target Linux-based Strapi environments, with evidence indicating a highly focused intrusion against a cryptocurrency payment platform rather than a broad opportunistic package-spam operation. Across the campaign, the operator deployed eight distinct payload variants in roughly 13 hours, suggesting a live attack-development session in which techniques were rapidly adjusted depending on what appeared to work against the intended target. The campaign began with aggressive Redis-based exploitation. Early packages attempted to abuse Redis CONFIG SET and SAVE to write malicious files into crontab locations, public uploads folders, SSH key directories, and other host-accessible paths. Mid-campaign payloads harvested .env files, full environment variable dumps, Strapi configuration files, Redis key listings, PostgreSQL connection strings, Docker and Kubernetes secrets, internal network configuration data, SSH keys, TLS keys, wallet-related files, and other sensitive artifacts. Later payloads showed increasingly precise knowledge of the victim infrastructure. Taken together, these details strongly indicate that the activity was aimed at compromising a known cryptocurrency payment platform’s Strapi-linked infrastructure, stealing credentials and secrets, enumerating payment-related databases, and maintaining persistent access for follow-on activity.  
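The Redis abuse described above works only when a Redis instance is reachable without authentication and still exposes CONFIG and SAVE. The following is an added example, not code from the original post or from any project it names: a small redis.conf auditor that flags those settings. The directive names are real Redis configuration directives; the two sample configurations, the list of sensitive directories and the function names are constructed for illustration.

```javascript
// Added example, not code from the original post or from any of the projects it
// names. It audits a redis.conf for the settings that let a client on the network
// drive CONFIG SET and SAVE to write files onto the host. The sample configs
// below are constructed for illustration.

// Directories where a Redis dump file should never be written (constructed list).
const SENSITIVE_DIRS = ["/etc", "/root", "/home", "/var/spool/cron", "/var/www"];

// Commands that enable file writes or debugging; `rename-command <cmd> ""` disables them.
const DANGEROUS_COMMANDS = ["CONFIG", "SAVE", "BGSAVE", "DEBUG"];

// Parse redis.conf text into [{directive, args}], honouring "..." and '...' quoting.
function parseRedisConf(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const args = [];
    const token = /"([^"]*)"|'([^']*)'|(\S+)/g;
    let m;
    while ((m = token.exec(line)) !== null) {
      args.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
    }
    entries.push({ directive: args[0].toLowerCase(), args: args.slice(1) });
  }
  return entries;
}

// Return a list of human-readable findings; an empty list means nothing was flagged.
function auditRedisConf(text) {
  const entries = parseRedisConf(text);
  const of = (d) => entries.filter((e) => e.directive === d);
  const findings = [];

  if (of("requirepass").length === 0 && of("user").length === 0) {
    findings.push("auth: no requirepass or ACL user; any client can issue commands");
  }
  if (of("protected-mode").some((e) => e.args[0] === "no")) {
    findings.push("protected-mode no: non-loopback clients accepted without a password");
  }
  if (of("bind").some((e) => e.args.some((a) => ["0.0.0.0", "*", "::"].includes(a)))) {
    findings.push("bind: listening on all interfaces");
  }
  if (of("enable-protected-configs").some((e) => e.args[0] === "yes")) {
    findings.push("enable-protected-configs yes: CONFIG SET may change dir/dbfilename at runtime");
  }
  // rename-command <cmd> "" removes the command entirely.
  const disabled = new Set(
    of("rename-command").filter((e) => e.args[1] === "").map((e) => e.args[0].toUpperCase())
  );
  for (const cmd of DANGEROUS_COMMANDS) {
    if (!disabled.has(cmd)) findings.push(`${cmd}: not disabled via rename-command`);
  }
  for (const e of of("dir")) {
    const p = e.args[0] || "";
    if (SENSITIVE_DIRS.some((d) => p === d || p.startsWith(d + "/"))) {
      findings.push(`dir ${p}: dump files would land in a sensitive directory`);
    }
  }
  return findings;
}

// Constructed sample: an exposed instance of the kind the campaign abused.
const WEAK_CONF = `
bind 0.0.0.0
protected-mode no
port 6379
dir /var/spool/cron
`;

// Constructed sample: loopback only, authenticated, write/debug commands removed.
const HARDENED_CONF = `
bind 127.0.0.1 -::1
protected-mode yes
requirepass "ExampleOnly-ReplaceMe"
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
rename-command DEBUG ""
dir /var/lib/redis
`;

console.log(auditRedisConf(WEAK_CONF));
console.log(auditRedisConf(HARDENED_CONF));
```

On Redis 6 and later, ACL rules (for example denying the `@dangerous` category to application users) are the maintained alternative to `rename-command`; the auditor above only checks the rename form, so a deployment that relies on ACLs will still see the command findings and should treat them as informational.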

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

According to information dated April 6, 2026, threat actors are actively exploiting a maximum-severity vulnerability in Flowise, an open-source AI agent-building platform, enabling remote code execution (RCE) and full system compromise. The flaw, tracked as CVE-2025-59528 with a CVSS score of 10.0, stems from a code injection issue in the CustomMCP node, which improperly parses user-supplied configuration data and executes JavaScript code without validation. This allows attackers to run arbitrary code within the Node.js runtime environment, granting access to sensitive modules such as child_process for command execution and fs for file system manipulation. Successful exploitation can lead to complete server takeover, including command execution, file access, and data exfiltration. Notably, exploitation requires only an API token, significantly lowering the barrier to attack and increasing risk to business operations and customer data. Although the vulnerability was disclosed in September 2025 and patched in version 3.0.6 of the Flowise npm package, it remains actively exploited in the wild, with VulnCheck reporting activity originating from a single Starlink IP address. Over 12,000 internet-exposed Flowise instances have been identified, presenting a large attack surface for opportunistic exploitation. This vulnerability is part of a broader pattern of security issues affecting Flowise, following previous actively exploited flaws such as CVE-2025-8943 (OS command RCE) and CVE-2025-26319 (arbitrary file upload). Security researchers emphasize that the prolonged public availability of the vulnerability, combined with widespread exposure and ongoing scanning activity, significantly increases the likelihood of successful attacks against unpatched systems, particularly among organizations using Flowise in production environments.  
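The root cause described above is a general one: configuration that arrives from a user is evaluated as JavaScript instead of being parsed as data. The example below is added here and is not Flowise's code; it contrasts that vulnerable pattern with a parser that accepts JSON only and validates it against an allow-list. The field names `url`, `timeoutMs` and `headers`, the `ALLOWED_KEYS` table and the `recordEvaluation` helper are assumptions made for the illustration.

```javascript
// Added example, not Flowise's code. Contrasts a configuration string that is
// evaluated as JavaScript (the vulnerable pattern) with one that is parsed as
// data and validated. Field names and the allow-list are assumptions.

// Counter used only to make evaluation side effects observable in this example.
let evaluations = 0;
globalThis.recordEvaluation = () => { evaluations += 1; return "x"; };
function getEvaluations() { return evaluations; }

// Vulnerable: the configuration string is executed, so any expression the
// caller writes runs inside the server's Node.js process with full access to
// its modules.
function parseConfigUnsafe(src) {
  return new Function("return (" + src + ")")();
}

// Assumed schema: which keys a node configuration may carry and their types.
const ALLOWED_KEYS = { url: "string", timeoutMs: "number", headers: "object" };

// Hardened: JSON only, known keys only, typed values, no prototype keys,
// and only http(s) URLs.
function parseConfigStrict(src) {
  let parsed;
  try {
    parsed = JSON.parse(src);
  } catch {
    throw new Error("config must be a JSON document");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("config must be a JSON object");
  }
  const out = Object.create(null); // no prototype, so nothing to pollute
  for (const [key, value] of Object.entries(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_KEYS, key)) {
      throw new Error(`unexpected key: ${key}`);
    }
    const expected = ALLOWED_KEYS[key];
    if (expected === "object") {
      if (value === null || typeof value !== "object" || Array.isArray(value)) {
        throw new Error(`${key} must be an object`);
      }
      for (const v of Object.values(value)) {
        if (typeof v !== "string") throw new Error(`${key} values must be strings`);
      }
    } else if (typeof value !== expected) {
      throw new Error(`${key} must be a ${expected}`);
    }
    out[key] = value;
  }
  if (typeof out.url === "string") {
    const u = new URL(out.url); // throws on malformed URLs
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      throw new Error(`unsupported URL scheme: ${u.protocol}`);
    }
  }
  return out;
}

console.log(parseConfigStrict('{"url":"https://example.com/mcp","timeoutMs":5000}'));
```

The strict parser rejects anything that is not a JSON object, any key outside the schema (which also covers `__proto__` and `constructor`), wrongly typed values, and non-http(s) URLs; because the result is built on a null-prototype object, a validated configuration cannot be used to pollute `Object.prototype`.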

Authorities Disrupt Router DNS Hijacks Used to Steal Microsoft 365 Logins

According to information dated April 7, 2026, an international law enforcement operation supported by private sector partners has disrupted FrostArmada, a large-scale cyber campaign attributed to the Russian state-linked threat group APT28 (also known as Fancy Bear, Sofacy, Forest Blizzard, Strontium, Storm-2754, and Sednit). The campaign leveraged compromised SOHO routers (primarily from MikroTik and TP-Link, as well as some Nethesis and legacy Fortinet devices) to conduct DNS hijacking attacks aimed at intercepting authentication traffic and stealing Microsoft account credentials, including OAuth tokens. In this operation, attackers modified DNS settings on compromised routers, redirecting traffic to attacker-controlled virtual private servers acting as malicious DNS resolvers. Through DHCP propagation, these changes affected internal network devices, enabling adversary-in-the-middle (AitM) attacks. Victims attempting to access legitimate services were silently redirected to attacker-controlled proxies, where authentication data could be intercepted. Authorities and researchers recommend mitigation measures including firmware updates, replacing unsupported devices, auditing DNS configurations, restricting remote management exposure, and implementing certificate pinning through MDM-managed devices to detect interception attempts. The disruption represents a significant effort to dismantle a widespread DNS hijacking operation used for credential theft at scale.
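Because the hijacked settings propagate to hosts through DHCP, one of the recommended audits above can be done on the endpoint itself: compare the resolvers a host actually received with the ones it is supposed to use. The example below is added here and is not from the original post or from the FrostArmada investigation. It parses resolv.conf-format text, matches each IPv4 resolver against an allow-list of CIDR ranges, and reports anything outside it; the allow-list and the sample resolv.conf are constructed, and the sample's rogue resolver uses a documentation address rather than any real infrastructure.

```javascript
// Added example, not from the original post or the FrostArmada investigation.
// Reads the resolvers a host received (resolv.conf format) and flags any that
// are not on an organisation's allow-list, one way to catch DHCP-propagated
// DNS changes from a compromised router. Allow-list and sample are constructed.

const ALLOWED_RESOLVERS = ["192.168.1.1/32", "10.0.0.0/8", "1.1.1.1/32", "9.9.9.9/32"];

// Convert dotted-quad IPv4 to an unsigned 32-bit integer; null if not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// True if ip falls within cidr (e.g. "10.0.0.0/8"); a bare address means /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(net);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Extract nameserver addresses from resolv.conf text (comments start with # or ;).
function parseNameservers(text) {
  const out = [];
  for (const raw of text.split("\n")) {
    const line = raw.split(/[#;]/)[0].trim();
    const m = /^nameserver\s+(\S+)/.exec(line);
    if (m) out.push(m[1]);
  }
  return out;
}

// Classify each resolver as "allowed", "rogue" (IPv4 outside the allow-list)
// or "unchecked" (not IPv4, e.g. IPv6, which this example does not parse).
function auditResolvers(text, allowlist = ALLOWED_RESOLVERS) {
  return parseNameservers(text).map((resolver) => {
    if (ipv4ToInt(resolver) === null) return { resolver, status: "unchecked" };
    const ok = allowlist.some((cidr) => inCidr(resolver, cidr));
    return { resolver, status: ok ? "allowed" : "rogue" };
  });
}

// Constructed sample, as a host might receive it from DHCP; 198.51.100.23 is a
// documentation address standing in for an attacker-controlled resolver.
const SAMPLE_RESOLV_CONF = `# constructed sample
search corp.example
nameserver 192.168.1.1
nameserver 198.51.100.23   ; not on the allow-list
nameserver 2001:db8::53
`;

console.log(auditResolvers(SAMPLE_RESOLV_CONF));
```

A "rogue" entry is a signal to inspect the router handing out the lease, not proof of compromise on its own; the same check applied to the router's own DNS settings (via its management interface) closes the loop, since that is where the modification was made in this campaign.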