Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
A recently discovered phishing campaign uses a fake Google Account security page to deliver a web-based app designed to steal “one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims’ browsers”. The campaign uses social engineering and Progressive Web App (PWA) features to convince users that they are interacting with a legitimate Google webpage. The threat actors use the domain google-prism[.]com and have users follow a four-step process that grants permissions and allows the installation of malware. Once installed, the malware can exfiltrate contacts, real-time GPS data, and clipboard contents. Read full article.

Recent social engineering attacks targeting European financial institutions have been attributed to the Russian-linked threat actor UAC-0050 (DaVinci Group). According to researchers, the attack mimicked a Ukrainian judicial domain “to deliver an email containing a link to a remote access payload.” The attack begins with a spear-phishing email designed to look urgent and legitimate, using legal-themed language to pressure the recipient into acting. The email contains a link that directs the target to download a compressed file hosted on PixelDrain, a file-sharing service. If the victim opens the fake “PDF,” the malicious file runs and installs an MSI package for Remote Manipulator System (RMS). Article here.
The surveillance firm Intellexa uses a single hook function (‘HiddenDot::setupHook()’) inside SpringBoard that prevents sensor activity updates on iOS devices. This behaviour had been acknowledged previously, but how the firm achieved it was not well understood. Recent research by Jamf analyzed Predator samples and documented the hiding process. The malware does not exploit iOS vulnerabilities but instead leverages “previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation”. This information helps close previously existing gaps in understanding the exploitation techniques used by commercial spyware. Read more here.

Since 2024, the Chinese-aligned threat group Silver Dragon has been observed operating under the umbrella of APT41 and targeting organizations throughout Europe and Southeast Asia. Silver Dragon gains initial access by exploiting public-facing internet servers and by sending phishing emails that carry malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, which lets its malware processes blend into normal system activity. The group’s operations appear to specifically target government organizations. On compromised systems, it deploys Cobalt Strike beacons for persistence, along with GearDoor, a backdoor that uses Google Drive as its command-and-control (C2) channel. Read here.
The Iranian-linked, pro-Palestinian hacktivist group Handala has claimed to have wiped tens of thousands of systems and servers belonging to the medical technology company Stryker. In a statement, Handala said that “over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted”. The attack allegedly forced offices in 79 countries to shut down. The group gave no details on logistics but declared that it targeted the company in “retaliation for the brutal attack on the Minab school” as well as over the company’s alleged “Zionist” ties. Learn more.

On February 22, 2026, Scattered Lapsus$ Hunters (SLH) posted on their Telegram channel, stating, “if you are female and want to make some money via calling for us hit up”. The group is offering women $500-$1000 per call to help desks, with a written script provided. The recruitment appears to be an effort by the group to sidestep the “traditional” attacker profiles that IT help desk staff are trained to recognize, making their impersonation attempts more convincing and effective. SLH’s primary objective is to target help desks and call centers as entry points into organizations, which further highlights the intent behind the new recruitment strategy. Read full article.

On March 12, Poland’s National Centre for Nuclear Research (NCBJ) claimed hackers had targeted their IT infrastructure but were blocked before accessing information. The organization stated that its early-detection security systems and internal procedures prevented a breach and allowed IT staff to rapidly secure the targeted systems. The attack has not been formally attributed to any group. While Polish authorities say early indicators suggest a possible connection to Iran, they warn that the evidence could represent a false-flag attempt meant to take advantage of ongoing global tensions. Read full article.
SloppyLemming, a threat activity cluster, has been linked to two separate attack chains that delivered malware to government agencies and critical infrastructure operators in Pakistan and Bangladesh between January 2025 and January 2026. The first chain delivered PDF lure documents that, once opened, installed a package containing a legitimate Microsoft .NET file (NGenTask.exe) and a malicious file (mscorsvc.dll). The malicious file was executed through a technique called DLL sideloading, and it then decrypted and launched a custom 64-bit shellcode implant. The second chain used Excel documents containing malicious macros that deliver “keylogger malware”. Learn more.
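The sideloading step in the SloppyLemming chain is a useful one to have a detection for, because the signed Microsoft binary looks legitimate and only the location of the DLL it loads gives the technique away. The script below is an added example written for this recap, not code from the article or from any vendor it cites. It parses a handful of constructed image-load log lines (the key="value" format is invented for the example) and flags a DLL whose name belongs to the OS or .NET runtime but is loaded from outside the Windows directory; the list of trusted roots and of "system" DLL names is an assumption and would come from a real inventory in practice.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Heuristic (an assumption for this example, not from the article): a DLL
that normally ships under the Windows directory is suspicious when a process
loads a copy of it from anywhere else, and doubly so when that copy sits in
the same directory as the executable, which is the classic sideloading layout.
"""
import re
from pathlib import PureWindowsPath

# Where OS and .NET runtime DLLs are expected to live (assumed trusted roots).
TRUSTED_ROOTS = (PureWindowsPath(r"C:\Windows"),)

# DLL names that should only ever load from a trusted root. mscorsvc.dll is
# the one named in the article; the others are placeholders for a real list.
SYSTEM_DLLS = {"mscorsvc.dll", "mscoree.dll", "version.dll"}

# Constructed sample telemetry; the log format itself is invented here.
SAMPLE_LOG = r"""
2026-01-10T09:12:01Z ImageLoad process="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"
2026-01-10T09:12:05Z ImageLoad process="C:\Program Files\ExampleApp\app.exe" image="C:\Program Files\ExampleApp\helper.dll"
2026-01-10T09:13:44Z ImageLoad process="C:\Users\victim\AppData\Local\Temp\NGenTask.exe" image="C:\Users\victim\AppData\Local\Temp\mscorsvc.dll"
"""

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_events(text: str) -> list[dict]:
    """Turn each non-empty ImageLoad line into a dict of its key="value" fields."""
    events = []
    for line in text.strip().splitlines():
        if " ImageLoad " not in line:
            continue
        fields = dict(_KV.findall(line))
        fields["timestamp"] = line.split(" ", 1)[0]
        events.append(fields)
    return events


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies inside root' test on Windows path parts."""
    p = [part.casefold() for part in path.parts]
    r = [part.casefold() for part in root.parts]
    return p[: len(r)] == r


def detect_sideloading(events: list[dict]) -> list[dict]:
    """Return a finding for every system-named DLL loaded from an untrusted path."""
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev["image"])
        if dll.name.casefold() not in SYSTEM_DLLS:
            continue  # not a DLL we expect to be pinned to a trusted root
        if any(_under(dll, root) for root in TRUSTED_ROOTS):
            continue  # loaded from where it belongs
        proc = PureWindowsPath(ev["process"])
        same_dir = str(dll.parent).casefold() == str(proc.parent).casefold()
        findings.append({
            "timestamp": ev["timestamp"],
            "process": ev["process"],
            "dll": ev["image"],
            "same_directory": same_dir,
            "reason": "system DLL loaded from outside trusted roots"
                      + (" (side-by-side with the executable)" if same_dir else ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(parse_events(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['process']} -> {f['dll']}: {f['reason']}")
```

Only the third sample line is flagged: the runtime copy of NGenTask.exe loading mscorsvc.dll from its normal Framework64 directory is ignored, and the unrelated helper.dll never enters the check. Pairing this with a signature check on the executable (a Microsoft-signed binary running from a user's Temp directory) would tighten the rule further.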