Qilin dominated ransomware at 23.10% while small businesses bore 71.12% of attacks. BlackFile, BlueNoroff, GopherWhisper, Sapphire Sleet, TGR-STA-1030, and UNC6692 drove a mix of financially motivated and state-linked campaigns centered on data theft and advanced intrusion techniques. Actively exploited vulnerabilities targeted Cisco SD-WAN, Microsoft Windows and Defender, Apache ActiveMQ, and Zimbra, while AgingFly, FIRESTARTER, GoGra, Lotus Wiper, Ngate, and Snow represented threats spanning backdoors, loaders, wipers, and modular espionage toolkits.
Report Links
Download Threat Brief For April 16-30 2026
Byer-Nichols Threat Brief Podcast April 16-30 2026
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 23.10% | 1 | 1 |
| The Gentlemen | 7.61% | 2 | 1 |
| INC Ransom | 6.25% | 6 | 6 |
| DragonForce | 5.16% | 1 | 4 |
| Coinbase Cartel | 4.08% | 10 | 8 |
Ransomware activity is led by Qilin at 23.10%, significantly outpacing all other groups and extending its streak as the dominant operator. The Gentlemen held second with steady pressure through high-visibility data leaks, while INC Ransom maintained a consistent mid-tier position. DragonForce showed fluctuation from prior rankings, continuing to blend ransomware with hacktivist-style operations, and Coinbase Cartel climbed from the bottom of the top ten with a string of financially motivated attacks targeting cryptocurrency-adjacent organizations. Overall, activity remains spread across several groups with one clear leader and a competitive mid-tier.
Victim Sector
| Sector | Percentage | Last Period | Movement |
|---|---|---|---|
| Manufacturing | 15.22% | 1 | same |
| Technology | 14.40% | 2 | same |
| Financial Services | 14.40% | 4 | 4 -> 3 |
| Retail | 12.23% | 5 | 5 -> 4 |
| Construction | 11.61% | 4 | 4 -> 5 |
Victim Location
| Victim | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 42.93% | 1 | unchanged |
| UK | 5.16% | NEW | |
| Canada | 4.89% | 5 | 5 -> 3 |
| Germany | 4.89% | 2 | 2 -> 4 |
| Australia | 2.72% | NEW | |
Victim Org Size
| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 71.12% | 76.08% | +6.97% |
| Mid-Market (501-5000) | 20.16% | 17.29% | −14.24% |
| Large Enterprise (5000+) | 8.72% | 6.63% | −23.97% |
Trending Adversaries
This period highlights a mix of financially motivated and state-linked threat actors, including groups like BlackFile and UNC6692 alongside more established operators such as BlueNoroff and Sapphire Sleet. Their presence reflects continued activity across both cybercrime and espionage campaigns, with an emphasis on data theft, financial targeting, and advanced intrusion techniques. BlueNoroff and Sapphire Sleet maintained North Korea's persistent focus on cryptocurrency and financial sector infiltration, while BlackFile and GopherWhisper pursued opportunistic ransomware and credential-harvesting operations. TGR-STA-1030 and UNC6692 round out the list with stealthy, espionage-oriented campaigns targeting critical infrastructure and government networks.
- BlackFile
- BlueNoroff
- GopherWhisper
- Sapphire Sleet
- TGR-STA-1030
- UNC6692
Trending and Actively Exploited Vulnerabilities
Exploitation this period is concentrated on widely used enterprise systems, especially Cisco SD-WAN and Microsoft products, along with platforms like Zimbra, ActiveMQ, and cPanel, highlighting risk across core infrastructure and web services. Multiple Cisco Catalyst SD-WAN Manager flaws are being chained for initial access and lateral movement, while Microsoft Windows and Defender vulnerabilities are under active exploitation in both targeted and opportunistic campaigns. Priorities: patch Cisco SD-WAN and Microsoft products on emergency timelines, restrict management-plane exposure, monitor for post-exploitation activity on web-facing platforms, and review cPanel and ActiveMQ configurations.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-29635 | D-Link | DIR-823X |
| CVE-2025-32975 | Quest | KACE Systems Management Appliance (SMA) |
| CVE-2025-48700 | Synacor | Zimbra Collaboration Suite (ZCS) |
| CVE-2026-20122 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-20128 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-20133 | Cisco | Catalyst SD-WAN Manager |
| CVE-2026-32202 | Microsoft | Windows |
| CVE-2026-33825 | Microsoft | Defender |
| CVE-2026-34197 | Apache | ActiveMQ |
| CVE-2026-41940 | WebPros | cPanel & WHM and WP2 (WordPress Squared) |
Trending Malware
AgingFly
AgingFly is a C# backdoor used in targeted attacks against Ukrainian government agencies and hospitals, delivered through phishing emails posing as humanitarian-aid offers. Once triggered, it uses malicious LNK files, HTA scripts, and a multi-stage loader to establish persistence and pull down additional payloads. The malware focuses heavily on credential theft, using tools like ChromElevator and ZAPiDESK to extract browser and WhatsApp data. It also supports remote command execution, lateral movement, and encrypted C2 communications, making it a high-risk espionage and data-theft tool.
FIRESTARTER
FIRESTARTER is a backdoor observed alongside other advanced threats. Detailed public reporting remains limited. It is highlighted in the context of broader threat-actor toolsets, suggesting it plays a role in stealthy remote access and command execution within compromised environments. While specifics are sparse, its inclusion among high-end malware families indicates elevated operational risk, particularly when paired with other modular implants.
GoGra
GoGra is a Linux backdoor used by advanced threat actors expanding their toolsets. It appears in reporting alongside ransomware and destructive malware campaigns, implying its role in persistence, remote control, and staging follow-on operations. Its deployment in high-impact environments suggests attackers use it to maintain long-term access and support broader intrusion objectives, including data theft or disruptive actions.
Lotus Wiper
Lotus Wiper is a destructive malware recently used against energy and utilities organizations, including attacks on Venezuela's energy sector. It typically arrives via batch-script-based delivery, then proceeds to corrupt or delete critical system files to render systems inoperable. Its operational goal is disruption rather than espionage, making it a serious threat to industrial and critical-infrastructure environments.
Ngate
Ngate is an Android banking trojan targeting users in Brazil by impersonating the legitimate HandyPay app and distributing itself through malicious websites and social-engineering lures. Once installed, it abuses Android's accessibility services to capture screen content, intercept SMS messages, and hijack banking sessions in real time. The malware also deploys a modular plugin system, allowing attackers to push new capabilities such as credential theft, transaction manipulation, and remote device control. Ngate's focus on financial fraud, combined with its ability to bypass traditional app-store defenses, makes it a high-risk threat for mobile banking users in the region.
Snow
Snow is a custom malware toolkit used by UNC6692 and delivered through social-engineering lures on Microsoft Teams that drop a malicious AutoHotKey loader. Once active, it deploys components like SNOWBELT, SNOWGLAZE, and SNOWBASIN to establish persistence, steal credentials, and enable remote control. The toolkit abuses headless Microsoft Edge sessions, rogue Chromium extensions, and scheduled tasks to stay hidden on compromised hosts. It also routes C2 and exfiltration through AWS S3, Heroku WebSockets, and LimeWire, helping the operation blend into normal cloud traffic and making Snow a stealthy, high-risk foothold for follow-on activity.
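As an added defensive example (not code from the brief or from any vendor), the following Python hunts Windows process-creation events for the Snow-style chain described above: a script host such as AutoHotkey launching a headless Edge/Chromium with a side-loaded extension, or registering a scheduled task that points into a user-writable directory. The sample events, file paths and rule names are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation events: (parent image, command line).
# Made-up illustrations of the behaviour in the write-up, not real indicators.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'),
    (r"C:\Users\alice\AppData\Local\Programs\AutoHotkey\AutoHotkey.exe",
     r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --headless=new '
     r'--load-extension=C:\Users\alice\AppData\Roaming\ext1 --remote-debugging-port=9222'),
    (r"C:\Users\alice\AppData\Local\Programs\AutoHotkey\AutoHotkey.exe",
     r'schtasks.exe /Create /SC MINUTE /MO 15 /TN Updater /TR C:\Users\alice\AppData\Roaming\run.ahk'),
    (r"C:\Windows\System32\svchost.exe",
     r'schtasks.exe /Create /SC DAILY /TN MicrosoftEdgeUpdateTaskMachineCore '
     r'/TR "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"'),
]

BROWSERS = ("msedge.exe", "chrome.exe", "chromium.exe")
SCRIPT_HOSTS = ("autohotkey", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
# Directories an unprivileged user can write to; a task that runs from here is worth a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.IGNORECASE)


def classify(parent, cmdline):
    """Return the rule names this event trips (empty list means nothing suspicious)."""
    hits = []
    low = cmdline.lower()
    # Executable is either the quoted first token or the first whitespace-delimited token.
    exe = low.split('"')[1] if low.startswith('"') else low.split()[0]
    parent_low = parent.lower()
    # Rule 1: headless Chromium-family browser with a side-loaded extension or debug port.
    if exe.endswith(BROWSERS) and "--headless" in low and (
            "--load-extension" in low or "--remote-debugging-port" in low):
        hits.append("headless_browser_with_extension")
    # Rule 2: scheduled task whose action (/TR ...) lives in a user-writable path.
    idx = low.find("/tr")
    if "schtasks" in exe and "/create" in low and idx != -1 and USER_WRITABLE.search(cmdline[idx:]):
        hits.append("scheduled_task_from_user_writable_path")
    # Rule 3: a script host (AutoHotkey, mshta, ...) spawning the browser or schtasks.
    if any(h in parent_low for h in SCRIPT_HOSTS) and (exe.endswith(BROWSERS) or "schtasks" in exe):
        hits.append("script_host_spawned_browser_or_schtasks")
    return hits


def hunt(events):
    """Return (event index, rule hits) for every event that trips at least one rule."""
    return [(i, classify(p, c)) for i, (p, c) in enumerate(events) if classify(p, c)]


if __name__ == "__main__":
    for i, rules in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(rules)}")
```

Feeding real EDR or Sysmon event 1 data into `hunt` is the intended use; the benign Edge launch and the legitimate EdgeUpdate task in the sample stay quiet, which is the check that the rules are not just matching on the browser name.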
Top News
- Alleged Silk Typhoon hacker extradited to US for cyberespionage
- Americans lost over $2.1 billion to social media scams in 2025, per U.S. Federal Trade Commission
- China's Apple App Store infiltrated by crypto-stealing wallet apps
- Feuding Ransomware Groups 0APT and KryBit Leak Each Other's Data
- New npm supply-chain attack self-spreads to steal auth tokens
- North Korea's Lazarus suspected of stealing US$290 million in KelpDAO cyberattack
- Ransomware negotiator pleads guilty to BlackCat scheme, Scattered Spider hacker pleads guilty to crypto theft charges
- Supply chain attacks hit Checkmarx and Bitwarden developer tools
Contributors
Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries and Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced and Distributed By Phish Tank Digital