Qilin dominated ransomware at 23.10% while small businesses bore 71.12% of attacks. BlackFile, BlueNoroff, GopherWhisper, Sapphire Sleet, TGR-STA-1030, and UNC6692 drove a mix of financially motivated and state-linked campaigns centered on data theft and advanced intrusion techniques. Actively exploited vulnerabilities targeted Cisco SD-WAN, Microsoft Windows and Defender, Apache ActiveMQ, and Zimbra, while AgingFly, FIRESTARTER, GoGra, Lotus Wiper, Ngate, and Snow represented threats spanning backdoors, loaders, wipers, and modular espionage toolkits.
Report Links
Download Threat Brief For April 16-30 2026
Byer-Nichols Threat Brief Podcast April 16-30 2026
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 23.10% | 1 | 1 |
| The Gentlemen | 7.61% | 2 | 1 |
| INC Ransom | 6.25% | 6 | 6 |
| DragonForce | 5.16% | 1 | 4 |
| Coinbase Cartel | 4.08% | 10 | 8 |
Ransomware activity is led by Qilin at 23.10%, significantly outpacing all other groups and extending its streak as the dominant operator. The Gentlemen held second with steady pressure through high-visibility data leaks, while INC Ransom maintained a consistent mid-tier position. DragonForce showed fluctuation from prior rankings, continuing to blend ransomware with hacktivist-style operations, and Coinbase Cartel climbed from the bottom of the top ten with a string of financially motivated attacks targeting cryptocurrency-adjacent organizations. Overall, activity remains spread across several groups with one clear leader and a competitive mid-tier.
Victim Sector
| Sector | Percentage | Last Period | Movement |
|---|---|---|---|
| Manufacturing | 15.22% | 1 | same |
| Technology | 14.40% | 2 | same |
| Financial Services | 14.40% | 4 | 4 -> 3 |
| Retail | 12.23% | 5 | 5 -> 4 |
| Construction | 11.61% | 4 | 4 -> 5 |
Victim Location
| Victim | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 42.93% | 1 | unchanged |
| UK | 5.16% | NEW | |
| Canada | 4.89% | 5 | 5 -> 3 |
| Germany | 4.89% | 2 | 2 -> 4 |
| Australia | 2.72% | NEW | |
Victim Org Size
| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 71.12% | 76.08% | +6.97% |
| Mid-Market (501-5000) | 20.16% | 17.29% | −14.24% |
| Large Enterprise (5000+) | 8.72% | 6.63% | −23.97% |
Trending Adversaries
This period highlights a mix of financially motivated and state-linked threat actors, including groups like BlackFile and UNC6692 alongside more established operators such as BlueNoroff and Sapphire Sleet. Their presence reflects continued activity across both cybercrime and espionage campaigns, with an emphasis on data theft, financial targeting, and advanced intrusion techniques. BlueNoroff and Sapphire Sleet maintained North Korea's persistent focus on cryptocurrency and financial sector infiltration, while BlackFile and GopherWhisper pursued opportunistic ransomware and credential-harvesting operations. TGR-STA-1030 and UNC6692 round out the list with stealthy, espionage-oriented campaigns targeting critical infrastructure and government networks.
- BlackFile
- BlueNoroff
- GopherWhisper
- Sapphire Sleet
- TGR-STA-1030
- UNC6692
Trending and Actively Exploited Vulnerabilities
Exploitation this period is concentrated on widely used enterprise systems, especially Cisco SD-WAN and Microsoft products, along with platforms like Zimbra, ActiveMQ, and cPanel, highlighting risk across core infrastructure and web services. Multiple Cisco Catalyst SD-WAN Manager flaws are being chained for initial access and lateral movement, while Microsoft Windows and Defender vulnerabilities are under active exploitation in both targeted and opportunistic campaigns. Priorities: patch Cisco SD-WAN and Microsoft products on emergency timelines, restrict management-plane exposure, monitor for post-exploitation activity on web-facing platforms, and review cPanel and ActiveMQ configurations.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-29635 | D-Link | DIR-823X |
| CVE-2025-32975 | Quest | KACE Systems Management Appliance (SMA) |
| CVE-2025-48700 | Synacor | Zimbra Collaboration Suite (ZCS) |
| CVE-2026-20122 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-20128 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-20133 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-32202 | Microsoft | Windows |
| CVE-2026-33825 | Microsoft | Defender |
| CVE-2026-34197 | Apache | ActiveMQ |
| CVE-2026-41940 | WebPros | cPanel & WHM and WP2 (WordPress Squared) |
Trending Malware
AgingFly
Lightweight backdoor used for stealthy persistence and data exfiltration.
AgingFly is a minimalist backdoor designed for long-term stealth rather than noisy initial compromise. It establishes persistence through registry modifications and scheduled tasks, then quietly exfiltrates targeted files, credentials, and system reconnaissance data over encrypted HTTPS channels that blend with normal web traffic. Its small footprint and limited command set make it difficult to detect with behavioral analysis tools, and it has been observed in campaigns targeting government contractors and defense-adjacent organizations. AgingFly's operators appear to prioritize patience over speed, maintaining access for weeks or months before acting on collected intelligence.
FIRESTARTER
Loader malware designed to deploy additional payloads and enable lateral movement.
FIRESTARTER is a multi-stage loader that serves as the initial foothold in complex intrusion chains, downloading and executing secondary payloads based on environment profiling. It uses encrypted C2 channels and domain-fronting techniques to evade network-level detection, and can deploy ransomware, infostealers, or remote-access trojans depending on operator objectives. FIRESTARTER has been linked to campaigns leveraging phishing emails with weaponized Office documents and has shown the ability to fingerprint endpoint security products before selecting evasion-appropriate payloads. Its modular architecture makes it a versatile tool for both financially motivated and espionage-oriented operations.
GoGra
Information stealer targeting credentials, browser data, and system details.
GoGra is a Go-based infostealer that harvests browser-stored credentials, session cookies, cryptocurrency wallet data, and system configuration details. Written in Go for cross-platform compatibility, it compiles to a single binary that runs on Windows, macOS, and Linux without additional dependencies. GoGra exfiltrates collected data via Telegram bot APIs or HTTP POST requests to attacker-controlled infrastructure, and uses basic obfuscation to avoid signature-based detection. Its simplicity and ease of deployment have made it popular in underground markets, where it is sold as a turnkey credential-harvesting solution with minimal setup required.
Lotus Wiper
Destructive malware focused on wiping files and disrupting systems.
Lotus Wiper is a destructive malware variant designed to render systems inoperable by overwriting critical files, corrupting partition tables, and destroying backup catalogs. Unlike ransomware, it makes no attempt at extortion -- its sole purpose is operational disruption and data destruction. Lotus Wiper has been deployed in geopolitically motivated campaigns targeting energy, transportation, and government sectors, often delivered through compromised supply-chain update mechanisms. Its execution is fast and thorough, typically completing file destruction within minutes of activation and leaving minimal opportunity for incident-response teams to intervene before damage is done.
Ngate
Network-focused malware used for remote access and command execution.
Ngate is a network-centric implant that provides attackers with remote command execution and proxy capabilities on compromised hosts. Originally observed targeting Android devices via NFC relay attacks, recent variants have expanded to Windows environments where they establish persistent reverse-shell connections through DNS tunneling and ICMP covert channels. Ngate enables operators to pivot through compromised networks while avoiding traditional firewall rules, and its traffic patterns are deliberately designed to mimic legitimate network management protocols. The implant supports modular plugins for port scanning, credential sniffing, and lateral movement, making it a capable post-exploitation toolkit.
Snow
Modular malware capable of adapting payloads for espionage or financial theft.
Snow is a modular malware framework that adapts its payload configuration based on the value of the compromised target. For high-value networks -- government, defense, or critical infrastructure -- it deploys espionage modules focused on document theft, keylogging, and screenshot capture. For commercial targets, it shifts to financial theft modules including banking trojan overlays and cryptocurrency clipboard hijacking. Snow's modular loader communicates with C2 infrastructure using steganographic techniques, embedding commands within image files hosted on legitimate cloud services. This dual-purpose design and evasive communication make Snow a particularly dangerous and adaptable threat across sectors.
Top News
- Alleged Silk Typhoon hacker extradited to US for cyberespionage
- Americans lost over $2.1 billion to social media scams in 2025, per U.S. Federal Trade Commission
- China's Apple App Store infiltrated by crypto-stealing wallet apps
- Feuding Ransomware Groups 0APT and KryBit Leak Each Other's Data
- New npm supply-chain attack self-spreads to steal auth tokens
- North Korea's Lazarus suspected of stealing US$290 million in KelpDAO cyberattack
- Ransomware negotiator pleads guilty to BlackCat scheme, Scattered Spider hacker pleads guilty to crypto theft charges
- Supply chain attacks hit Checkmarx and Bitwarden developer tools
Contributors
Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries and Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced and Distributed By Phish Tank Digital