☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
North Korea's BlueNoroff used AI-generated Zoom deepfakes to hide a 66-day fileless implant inside a Web3 firm, an attacker bought 31 WordPress plugins, waited 8 months, then activated a blockchain-anchored backdoor across thousands of sites, Microsoft's patch for an APT28 zero-day was incomplete and left a zero-click credential theft hole that's now being actively exploited, ShinyHunters breached Vimeo through an analytics vendor's API rather than Vimeo itself, and ClickUp had a hardcoded API key exposing enterprise and government emails in public JavaScript for 15 months with no fix.
🔥 Top Stories
01 — BlueNoroff Used AI-Generated Zoom Deepfakes to Plant a 66-Day Fileless Implant in a Web3 Firm
Nation-State Threats
Arctic Wolf Labs has published the most detailed account yet of BlueNoroff's current operational playbook — and it represents a qualitative leap in social engineering sophistication. The campaign targets Web3 and cryptocurrency executives across 20+ countries. The delivery: a Calendly invite for a professional meeting, followed by a covert URL swap that replaces the Google Meet link with a typo-squatted Zoom domain. When the victim loads the fake URL, they enter a fully rendered fake Zoom meeting interface populated with AI-generated deepfake participants — headshots confirmed generated by GPT-4o via C2PA cryptographic metadata.
The most alarming element is the self-reinforcing pipeline: the victim's own webcam footage is silently captured during the fake meeting and processed by the attacker through Adobe Premiere Pro to generate future lure material. Of 100 identified prior victims, 36 had real video recordings captured and archived for use against future targets. The payload: a ClickFix clipboard injection that runs a fileless PowerShell C2 implant — no executable touches disk — that maintained access for 66 consecutive days on the primary victim's machine, stealing wallet seeds, SSH keys, browser credentials, and screen capture. North America accounted for 41% of identified victims. CEOs and founders are the primary targets. The full attack chain completes in under five minutes.
02 — An Attacker Bought 31 WordPress Plugins, Waited 8 Months, Then Activated a Blockchain-Anchored Backdoor
Supply Chain Attack
In early 2025, a buyer using the alias "Kris" purchased a portfolio of 31 trusted WordPress plugins called Essential Plugin on the Flippa marketplace — 400,000+ declared installs, 15,000+ customers, years of accumulated trust. On August 8, 2025, Kris pushed version 2.6.7 with a changelog reading "Check compatibility with WordPress 6.8.2." Hidden inside: 191 lines of malicious PHP — a PHP object injection via insecure deserialization, with an unauthenticated REST API endpoint that required no login to trigger. It sat completely dormant for eight months.
On April 5–6, 2026, during a 6-hour-44-minute activation window, the backdoor deployed SEO spam and fake pages invisible to site owners but fully visible to Googlebot. The command-and-control server was resolved through an Ethereum smart contract — meaning traditional domain takedowns are ineffective. The attacker can update the C2 endpoint on-chain without touching any plugin code. WordPress.org closed all 31 plugins on April 7 and pushed a forced update that stopped new infections — but the code injected into wp-config.php on already-infected sites was not cleaned. If you ran any Essential Plugin product between April 5–6, treat the site as compromised and verify wp-config.php manually.
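A defender-side check for the wp-config.php step above, added here as example code (not from the incident write-up, Wordfence, or Sucuri): it flags any statement in wp-config.php that is not a stock define/require, any call to a function a config file has no reason to use, and anything placed after the wp-settings.php require. The sample config and its injected line are constructed, and the patterns are a heuristic assumption, not a signature for this specific backdoor.

```python
import re

# Constructed sample wp-config.php: a stock file with one injected statement appended
# after the wp-settings.php require (placeholder, not the Essential Plugin code).
SAMPLE_WP_CONFIG = r"""<?php
/** Database settings */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
@eval(base64_decode('aGVsbG8='));
"""

# Line shapes that belong in a stock wp-config.php (assumption: anything else
# deserves a human look, even if it is not obviously malicious).
EXPECTED = [
    re.compile(r"^<\?php\s*$"),
    re.compile(r"^\s*$"),
    re.compile(r"^\s*(//|#|/\*|\*|\*/)"),  # comment lines
    re.compile(r"^\s*define\s*\(\s*'[A-Z0-9_]+'\s*,.*\)\s*;\s*$"),
    re.compile(r"^\s*\$table_prefix\s*=\s*'[A-Za-z0-9_]+'\s*;\s*$"),
    re.compile(r"^\s*if\s*\(\s*!\s*defined\s*\(\s*'ABSPATH'\s*\)\s*\)\s*\{?\s*$"),
    re.compile(r"^\s*\}\s*$"),
    re.compile(r"^\s*require_once\s+ABSPATH\s*\.\s*'wp-settings\.php'\s*;\s*$"),
]

# Calls that have no place in a config file (heuristic, not a signature).
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|"
                        r"assert|create_function|system|shell_exec|passthru|"
                        r"curl_exec|file_get_contents)\s*\(", re.IGNORECASE)

def audit_wp_config(text):
    """Return (line_no, reason, line) for every line that needs review."""
    findings, after_settings = [], False
    for num, line in enumerate(text.splitlines(), start=1):
        if SUSPICIOUS.search(line):
            findings.append((num, "suspicious function call", line.strip()))
        elif not any(p.match(line) for p in EXPECTED):
            findings.append((num, "unexpected statement", line.strip()))
        elif after_settings and line.strip():
            findings.append((num, "code after wp-settings.php require", line.strip()))
        if "wp-settings.php" in line:  # stock files end here; anything later is appended
            after_settings = True
    return findings
```

Run it over the real file with `audit_wp_config(open(path).read())`; an empty result means the file matches the stock shape, not that the site is clean, so pair it with the forced plugin update and a scan of the plugin directory.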
03 — Microsoft's APT28 Patch Was Incomplete — The Residual Flaw Is Now Actively Exploited
Vulnerabilities
When Microsoft patched CVE-2026-21510 in February — a Windows Shell zero-day confirmed exploited by APT28 against Ukraine and EU countries — Akamai researchers ran a patch differential and found the fix was incomplete. The remote code execution path was closed. But the victim machine was still authenticating to the attacker's server. A zero-click Net-NTLMv2 hash theft vector remained — caused by Windows Shell resolving the LNK file's UNC path before the trust verification step fired, meaning the authentication handshake completed before SmartScreen could intervene.
Akamai disclosed the residual flaw to Microsoft under responsible disclosure. The result was CVE-2026-32202, patched in April Patch Tuesday. Within days, Microsoft marked it as exploited in the wild. CISA added it to the KEV catalog on April 28 with a May 12 federal remediation deadline. Despite its CVSS 4.3 Medium score, zero-click credential theft is a practical escalation — stolen Net-NTLMv2 hashes enable pass-the-hash and relay attacks that give attackers domain-level access from a single malicious LNK file. This is the second consecutive month a Microsoft patch has spawned a new actively exploited CVE. Apply April Patch Tuesday updates immediately.
04 — ShinyHunters Breached Vimeo Without Ever Touching Vimeo
Data Breaches
Vimeo has confirmed a data breach — but attackers never touched Vimeo's own infrastructure. ShinyHunters compromised Anodot, a business intelligence analytics vendor with trusted API-level access to Vimeo's environment, and extracted internal operational data, video metadata, and customer email addresses through the existing authenticated API connection. This is the ShinyHunters vendor pivot model confirmed again: breach one analytics vendor with broad client API access, extract data from multiple enterprise clients simultaneously.
The data confirmed accessed: internal technical operational data, video titles and metadata, and customer and user email addresses in certain instances. Actual video content, login credentials, and payment data were not accessed. But the email exposure is immediately actionable for attackers — corporate enterprise email addresses from a platform used by media companies, marketing firms, and e-learning providers are high-value targets for BEC fraud and credential stuffing. And the video title exposure is underappreciated: internal training content, executive town halls, and product roadmap presentations have had their metadata catalogued by an adversary even without the video files themselves.
05 — ClickUp Had a Hardcoded API Key Exposing Enterprise Emails in Public JavaScript for 15 Months
Vulnerabilities
A security researcher found a hardcoded third-party API key in a JavaScript file that loads on ClickUp's public website before any authentication — visible to anyone who viewed the page source, exploitable with a single GET request, requiring no tools. The key returned 959 corporate and government email addresses and 3,165 internal product feature flags. It was first reported in January 2025. As of April 28, 2026 — 15 months later — it remained active with no confirmed remediation and no public statement from ClickUp.
The 15-month window is the critical detail. Anyone who independently discovered this key during that period had sustained, unmonitored access with no audit trail. The government email addresses represent nation-state reconnaissance value. The 3,165 internal feature flags reveal ClickUp's development priorities, unreleased capabilities, and under-hardened test environments — intelligence useful for scoping future platform attacks. This is not a technical failure — rotating an API key and removing a hardcoded secret from client-side JavaScript can be completed in hours. It is a governance failure: 15 months of inaction after disclosure.
📊 By The Numbers
66 — Days BlueNoroff's fileless implant maintained access inside a Web3 firm undetected
8 months — Dormancy period between the WordPress plugin backdoor being planted and activated
15 months — Time ClickUp's hardcoded API key sat exposed in public JavaScript with no fix
959 — Corporate and government email addresses exposed by the ClickUp API key leak
May 12 — Federal deadline to patch CVE-2026-32202 — the incomplete APT28 patch fix
⚡ The Signal
Every story today involves patience — attacker patience specifically.
BlueNoroff spent months building relationships before sending the Calendly invite. The WordPress attacker waited eight months after planting the backdoor before activating it. The ClickUp API key sat untouched in public JavaScript for 15 months — either by the original finder who exploited it quietly the whole time, or by the vendor who deprioritized the fix for over a year. APT28's incomplete patch was discovered through careful differential analysis of what the fix actually changed versus what it left open. ShinyHunters built API pivot infrastructure across multiple analytics vendors before activating the campaign simultaneously.
None of these are fast attacks. They are investments — in access, in trust, in dormancy, in patience. And the defensive implication is uncomfortable: your threat model has to account not just for attacks that are happening now, but for access that was established months ago that hasn't been used yet. The plugin update from August. The API key that was probably found before the researcher published. The vendor connection you granted two years ago. The patch you applied in February that closed some of the hole.
What's sitting dormant in your environment right now?
🔍 What You May Have Missed
Three arrested in Ukraine for hijacking 610,000 Roblox accounts via stolen session cookies — Ukrainian authorities arrested three suspects who used stolen browser session cookies to hijack and sell access to 610,000 Roblox accounts — targeting young users whose accounts held in-game currency and rare items worth thousands of dollars. The case highlights how session cookie theft has made traditional password security irrelevant.
CISA warns of data theft flaw in NSA-built OT network tool — no patch will be released — CVE-2026-6807 affects GrassMarlin, an NSA-developed tool used to map industrial control networks. The flaw allows data theft — and no patch is coming. Organizations using GrassMarlin for OT network visibility should isolate it and treat its output as potentially compromised.
cPanel and WHM emergency patch fixes critical authentication bypass exploited in the wild — The vulnerability allowed unauthenticated attackers to access any cPanel account — affecting millions of websites globally running on shared hosting. Update to cPanel 124.0.12 or later immediately if your hosting environment runs cPanel or WHM.
📅 What to Watch
BlueNoroff Calendly/Zoom campaign — active across 20+ countries; watch for SEAL domain blocking updates and any law enforcement action against the Petrosky Cloud infrastructure.
WordPress Essential Plugin cleanup — forced update stopped new infections but didn't clean wp-config.php; watch for Wordfence and Sucuri publishing automated remediation tools.
CVE-2026-32202 May 12 deadline — federal agencies have until May 12; private sector should treat this as their own deadline given active exploitation confirmed.
ClickUp response — 15 months of silence after disclosure; watch for a public statement or remediation confirmation following this coverage.
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team