
Cybersecurity Radar — 2026-04-03



Cybersecurity Radar | April 3, 2026 | 7 min read

Google's fourth Chrome zero-day of 2026 — CVE-2026-5281 — is under active exploitation in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalog on April 1st and urging all users to update immediately. Separately, over 14,000 F5 BIG-IP APM instances have been found exposed online amid ongoing attacks exploiting a critical RCE vulnerability. These developments arrive as nation-state actors continue to intensify campaigns against critical infrastructure globally.



🔴 Critical Alerts


1. Chrome Zero-Day CVE-2026-5281 Actively Exploited — Fourth of the Year

Google has released an emergency security update patching 21 vulnerabilities in Chrome, including a zero-day (CVE-2026-5281) in the WebGPU Dawn component that is confirmed to be actively exploited in the wild. This marks the fourth Chrome zero-day patched in 2026. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026, ordering federal agencies to patch and urging all users to update immediately.

  • Affected: All Chrome desktop users across Windows, macOS, and Linux — an estimated 3.5 billion users globally
  • Severity: Critical (active exploitation confirmed)
  • Recommended Action: Update Chrome to the latest stable version immediately. Open chrome://settings/help, which triggers an update check and downloads the fix, then relaunch the browser; until the relaunch, the old vulnerable build is still the one running. Federal agencies face a mandatory KEV remediation deadline.
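"Update immediately" only scales if you can see which endpoints have not. The fleet check below is an added example for this digest, not code from Google or the article: it parses the version strings an endpoint agent reports, compares them as numeric tuples (a plain string compare would rank build 9 above build 100), and queues the stalest hosts first. The minimum version is a placeholder because the article does not state the fixed build; substitute the build from Google's release note. The inventory is constructed sample data.

```python
"""Fleet check: flag endpoints whose Chrome build is older than the fixed one.

Added example for this digest, not code from Google or the article. The
minimum version is a placeholder: substitute the stable build that carries
the CVE-2026-5281 fix from Google's release note.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumption / placeholder only: replace with the real fixed build number.
MIN_PATCHED_VERSION = "145.0.7632.100"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a four-part Chrome version out of strings such as
    'Google Chrome 145.0.7632.100' or a bare '144.0.7559.62'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(installed: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """Numeric tuple comparison: 145.0.7632.9 < 145.0.7632.100, which a
    string comparison would get backwards."""
    return parse_version(installed) >= parse_version(minimum)


def triage(inventory: Dict[str, str], minimum: str = MIN_PATCHED_VERSION) -> List[str]:
    """Hostnames still on a vulnerable build, oldest build first, so the
    stalest endpoints land at the top of the remediation queue."""
    stale = [(parse_version(ver), host) for host, ver in inventory.items()
             if not is_patched(ver, minimum)]
    return [host for _, host in sorted(stale)]


def local_chrome_version() -> Optional[str]:
    """Best-effort version of the Chrome/Chromium binary on this machine
    (Linux and macOS command names); None if nothing usable is found."""
    candidates = ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
                  "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    for exe in candidates:
        path = exe if exe.startswith("/") else shutil.which(exe)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if _VERSION_RE.search(out.stdout):
            return out.stdout.strip()
    return None


# Constructed inventory: hostname -> version string as reported by the endpoint agent.
SAMPLE_INVENTORY = {
    "ws-finance-01": "Google Chrome 145.0.7632.100",
    "ws-finance-02": "Google Chrome 144.0.7559.62",
    "ws-hr-07": "Google Chrome 145.0.7632.50",
    "ws-eng-12": "Google Chrome 146.0.7701.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"VULNERABLE  {host}: {SAMPLE_INVENTORY[host]}")
    print("local:", local_chrome_version() or "no Chrome binary found")
```

Feed `triage()` the version field your MDM or EDR already collects; the point of the oldest-first ordering is that a host two releases behind has missed more than one zero-day fix and is the one to chase first.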

Source: Google Chrome zero-day CVE-2026-5281 actively exploited — emergency patch released (cybersecuritynews.com)


2. Over 14,000 F5 BIG-IP APM Instances Exposed Amid Active RCE Exploitation

Internet security watchdog Shadowserver has identified more than 14,000 F5 BIG-IP APM instances exposed online as attackers actively exploit a critical-severity remote code execution (RCE) vulnerability in the product. The scale of exposure significantly widens the attack surface for organizations relying on BIG-IP for application delivery and access management.

  • Affected: Organizations running exposed F5 BIG-IP APM instances — financial services, healthcare, government, and enterprise sectors at particular risk
  • Severity: Critical (RCE, active exploitation in progress)
  • Recommended Action: Immediately audit and restrict internet-facing BIG-IP APM instances. Apply available patches, enforce network-level access controls, and monitor for anomalous authentication activity.

Threat Landscape


1. Nation-State Shift: APT28 Exploiting Microsoft Office Vulnerability Against Government Targets

Security research has identified activity consistent with the Russian threat group APT28 targeting government and military entities using a Microsoft Office vulnerability, CVE-2026-21509. The telecom sector has also been a focal point, with Cyble's Telecommunications Sector Threat Landscape Report documenting 444 security incidents and 90 ransomware attacks against telecom companies in 2025 — reinforcing telecom networks as a strategic surveillance layer for nation-state operations. Russian cyber operations continue to be closely tied to geopolitical conflict, particularly in Europe and regions affected by the war in Ukraine.


2. Bashe (APT73) Claims 50 GB Data Theft From Government Agency

The Bashe ransomware group, also tracked as APT73, has listed a government agency on its data leak site, alleging theft of 50 GB of data including internal documents, emails, financial records, and personal information. The group continues to blend financially motivated ransomware activity with apparent state-aligned objectives — a pattern increasingly characteristic of 2026 threat actors operating in a blurred criminal-nation-state space.


3. AI-Driven Attack Evolution: Threat Actors Moving Beyond Malware Blocking

The Hacker News reported on April 1, 2026, that attackers are evolving beyond techniques that can be stopped by traditional malware blocking, with cybersecurity defenses struggling to keep pace. For years, cybersecurity has followed a "block malware, stop the attack" model — but adversaries are now pivoting to more sophisticated, behavior-based intrusion techniques that evade signature-based detection, placing new pressure on AI-driven and behavioral defense platforms.


Vulnerabilities & Patches


1. CVE-2026-5281 — Chrome WebGPU Dawn Component (Zero-Day, Active Exploit)

  • CVE: CVE-2026-5281
  • Affected Product: Google Chrome (all desktop platforms)
  • Component: WebGPU Dawn
  • Status: Patched in emergency update; CISA KEV-listed as of April 1, 2026
  • Recommended Action: Update Chrome immediately

Source: CISA warns of Chrome zero-day CVE-2026-5281 added to Known Exploited Vulnerabilities catalog (cybersecuritynews.com)


2. Chrome April Update — 21 Total Vulnerabilities Addressed

Beyond CVE-2026-5281, Google's latest Chrome update patches 20 additional security flaws. Full CVE details for all 21 are not yet enumerated in available research, but the breadth of the update is one more reason to deploy it immediately rather than hold it in a staging ring.

  • Affected Product: Google Chrome (desktop)
  • Patch Status: Available now via Chrome's automatic update mechanism

3. CVE-2026-21509 — Microsoft Office Vulnerability Exploited by APT28

  • CVE: CVE-2026-21509
  • Affected Product: Microsoft Office
  • Threat Actor Exploiting: APT28 (Russia-linked)
  • Targeted Sectors: Government, military
  • Status: Under active exploitation; patch status should be verified against Microsoft's advisory
  • Recommended Action: Ensure Microsoft Office is fully patched; monitor for suspicious document-based activity and lateral movement
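The advice to "monitor for suspicious document-based activity" comes down to one durable signal: an Office application spawning something a document should never spawn. The detector below is an added example for this digest, not vendor code and not a published APT28 signature; it works regardless of which Office CVE the lure used. Input is a constructed stream of Sysmon-style process-creation events (EventID 1) as JSON lines; the field names follow Sysmon's schema, the hosts, users and paths are made up.

```python
"""Detect Office applications spawning shells, script hosts, or binaries from
user-writable paths: the process lineage that document-borne exploits and
macro lures leave behind whichever CVE was used to get there.

Added example for this digest; not vendor code and not a published APT28
signature. Input is constructed Sysmon-style EventID 1 JSON lines.
"""
import json
import ntpath
from typing import Dict, Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe"}

# Common living-off-the-land children of a compromised Office process.
SCRIPT_AND_SHELL = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                    "bitsadmin.exe", "msiexec.exe", "schtasks.exe", "wmic.exe", "curl.exe"}

USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: Dict) -> Optional[str]:
    """Reason string if an Office parent spawned something it should not; else None."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    if parent not in OFFICE_APPS:
        return None
    image = event.get("Image", "")
    child = _basename(image)
    if child in SCRIPT_AND_SHELL:
        return f"{parent} spawned {child}"
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        return f"{parent} launched a binary from a user-writable path"
    cmdline = event.get("CommandLine", "").lower()
    if " -enc" in cmdline or " -e " in cmdline or "frombase64string" in cmdline:
        return f"{parent} child has encoded-command markers"
    return None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over JSON lines; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason:
            alerts.append({"time": event.get("UtcTime", ""), "host": event.get("Computer", ""),
                           "user": event.get("User", ""), "reason": reason,
                           "cmdline": event.get("CommandLine", "")})
    return alerts


# Constructed sample events, not real telemetry. Events 2, 4 and 5 are benign:
# a print helper, a shell from Explorer, and Outlook opening an attachment in Word.
SAMPLE_EVENTS = r'''
{"EventID":1,"UtcTime":"2026-04-02 09:14:03","Computer":"WS-GOV-17","User":"GOV\\analyst","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}
{"EventID":1,"UtcTime":"2026-04-02 09:15:10","Computer":"WS-GOV-17","User":"GOV\\analyst","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"C:\\Windows\\splwow64.exe 12288"}
{"EventID":1,"UtcTime":"2026-04-02 09:20:41","Computer":"WS-GOV-22","User":"GOV\\clerk","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Users\\clerk\\AppData\\Local\\Temp\\invoice_helper.exe","CommandLine":"invoice_helper.exe"}
{"EventID":1,"UtcTime":"2026-04-02 09:21:00","Computer":"WS-GOV-22","User":"GOV\\clerk","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
{"EventID":1,"UtcTime":"2026-04-02 09:22:30","Computer":"WS-GOV-22","User":"GOV\\clerk","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n"}
'''

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{a['time']}] {a['host']} {a['user']}: {a['reason']} :: {a['cmdline']}")
```

Tune the two allowlists to your estate before deploying (some add-ins legitimately launch helpers from AppData), but keep the parent-child rule itself narrow: it fires on behaviour the exploit cannot avoid, which is why it outlives any single CVE.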

Breaches & Incidents


1. Shadowserver: 14,000+ F5 BIG-IP Instances Exposed During Active RCE Attack Campaign

Shadowserver's latest scan data, surfaced via BleepingComputer on April 2, 2026, found over 14,000 internet-exposed F5 BIG-IP APM instances while attackers exploit a critical RCE vulnerability in the product. Read the number carefully: an exposure scan counts instances reachable from the internet, not instances confirmed vulnerable or compromised, so each organization still has to verify its own patch level and look for signs of compromise. The scope of exposure is described as significant, with organizations across enterprise, financial, and government sectors at risk. Incident response and patch verification activities are underway across affected organizations.

  • Scope: 14,000+ exposed instances identified globally
  • Impact: Potential for full remote compromise of affected systems
  • Response Status: Ongoing — Shadowserver alerting affected organizations; patches available
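The "audit and restrict" advice in the critical alert above, repeated here, is a join: the exposure report says what the internet can reach, the inventory says what is patched and who is allowed to reach it. The script below is an added example for this digest, not Shadowserver or F5 code. The CSV is a constructed approximation of an exposure report (timestamp, ip, port, hostname, tag), not Shadowserver's real schema, and the inventory, including patch state and permitted client ranges, is made up.

```python
"""Exposure triage for BIG-IP APM: join an exposure report with the asset
inventory and rank what to fix first.

Added example for this digest, not Shadowserver or F5 code. REPORT_CSV is a
constructed approximation of an exposure report, not the real schema; the
inventory is made up.
"""
import csv
import io
import ipaddress
from typing import Dict, List

REPORT_CSV = """timestamp,ip,port,hostname,tag
2026-04-02 03:14:07,203.0.113.10,443,vpn.example.com,f5-bigip-apm
2026-04-02 03:14:09,203.0.113.25,443,,f5-bigip-apm
2026-04-02 03:14:11,198.51.100.7,443,portal.example.net,f5-bigip-apm
"""

# Constructed inventory keyed by public IP. allowed_sources is the set of
# client ranges permitted to reach the APM virtual server. bigip-apm-03 is
# source-restricted and therefore never shows up in the report.
INVENTORY: Dict[str, Dict] = {
    "203.0.113.10": {"name": "bigip-apm-01", "owner": "netops", "patched": False,
                     "allowed_sources": ["0.0.0.0/0"]},
    "203.0.113.25": {"name": "bigip-apm-02", "owner": "netops", "patched": True,
                     "allowed_sources": ["0.0.0.0/0"]},
    "203.0.113.40": {"name": "bigip-apm-03", "owner": "netops", "patched": False,
                     "allowed_sources": ["198.18.0.0/15", "192.0.2.0/24"]},
}


def is_world_reachable(cidrs: List[str]) -> bool:
    """True if any permitted range is the whole address space (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def triage(report_csv: str, inventory: Dict[str, Dict]) -> List[Dict]:
    """Rank exposed instances. Priority 0: unpatched and reachable from anywhere.
    Priority 1: unpatched but source-restricted, or exposed and not in the
    inventory at all (a shadow asset nobody is patching). Priority 2: patched,
    so verify the build and review authentication logs."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["tag"] != "f5-bigip-apm":
            continue
        asset = inventory.get(row["ip"])
        if asset is None:
            findings.append({"ip": row["ip"], "name": None, "priority": 1,
                             "action": "exposed BIG-IP not in inventory: find the owner, patch, restrict"})
            continue
        if not asset["patched"] and is_world_reachable(asset["allowed_sources"]):
            priority, action = 0, "patch now, restrict to approved source ranges, hunt for compromise"
        elif not asset["patched"]:
            priority, action = 1, "patch now; exposure limited by source allowlist"
        else:
            priority, action = 2, "verify installed build against F5's fix list; review APM auth logs"
        findings.append({"ip": row["ip"], "name": asset["name"], "priority": priority, "action": action})
    findings.sort(key=lambda f: f["priority"])
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_CSV, INVENTORY):
        print(f"P{f['priority']} {f['ip']:15} {f['name'] or '<unknown>':14} {f['action']}")
```

The row that matters most is often the one with no inventory match: an appliance the exposure scan can see but the patch process cannot, which is exactly what "exposed amid active exploitation" should make you go looking for.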

2. Bashe / APT73 Claims Government Agency Breach — 50 GB Exfiltrated

As noted in the Threat Landscape section, Bashe (APT73) has published a claim on its leak site alleging exfiltration of 50 GB of sensitive government data, including emails, financial records, and personal information. The incident reflects a continued pattern in 2026 of ransomware groups targeting public sector entities with high-value data. The agency's response status and identity have not been publicly confirmed at time of publication.

  • Scope: 50 GB alleged, including internal documents, emails, financial, and personal data
  • Response Status: Not publicly confirmed

Industry & Policy


1. CISA Adds Chrome CVE-2026-5281 to Known Exploited Vulnerabilities Catalog

On April 1, 2026, CISA formally added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog, binding federal civilian executive branch (FCEB) agencies to remediation timelines under BOD 22-01 and formally recommending all organizations prioritize the update. This is the fourth actively exploited Chrome zero-day of 2026, signaling an accelerating cadence of browser-level exploitation.
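A KEV listing is a dated obligation, which makes it easy to track mechanically. The tracker below is an added example for this digest, not CISA code: it joins the catalog against an internal asset-to-CVE list and reports days until each due date. The catalog entry is a constructed sample in the layout of CISA's published JSON feed (cveID, dateAdded, dueDate and the other fields); its dateAdded matches the article, but its dueDate, name and description are placeholders, so take the real values from the live feed at KEV_URL. CVE-2026-21509 appears in the sample asset list only to show that CVEs not in the catalog are filtered out; the article does not say it is KEV-listed.

```python
"""KEV deadline tracker: join CISA's catalog against an internal asset/CVE list.

Added example for this digest, not CISA code. SAMPLE_KEV is a constructed
entry in the shape of the published feed; dueDate, vulnerabilityName and
shortDescription are placeholders, not CISA's text.
"""
import json
import urllib.request
from datetime import date
from typing import Dict, Iterable, List, Tuple, Union

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's layout. Placeholder values are marked.
SAMPLE_KEV = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-5281",
      "vendorProject": "Google",
      "product": "Chromium WebGPU (Dawn)",
      "vulnerabilityName": "placeholder, not CISA's title",
      "dateAdded": "2026-04-01",
      "shortDescription": "placeholder, not CISA's description",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-04-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
""")


def fetch_kev(url: str = KEV_URL) -> dict:
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def index_kev(catalog: dict) -> Dict[str, dict]:
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_deadlines(catalog: dict, asset_cves: Dict[str, Iterable[str]],
                  today: Union[date, str]) -> List[Tuple[str, str, int]]:
    """For every (asset, CVE) pair whose CVE is in the catalog, return
    (asset, cve, days_until_due); negative means the deadline has passed.
    Most urgent first. CVEs absent from KEV are dropped on purpose: KEV is
    a prioritisation signal on top of the scanner backlog, not the backlog."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    idx = index_kev(catalog)
    rows = []
    for asset, cves in asset_cves.items():
        for cve in cves:
            entry = idx.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append((asset, cve, (due - today).days))
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed asset list: what a vulnerability scanner says each host carries.
SAMPLE_ASSETS = {
    "ws-finance-02": ["CVE-2026-5281", "CVE-2026-21509"],
    "srv-docs-01": ["CVE-2026-21509"],
}

if __name__ == "__main__":
    for asset, cve, days in kev_deadlines(SAMPLE_KEV, SAMPLE_ASSETS, "2026-04-03"):
        state = "OVERDUE" if days < 0 else f"{days} days left"
        print(f"{asset:14} {cve:16} {state}")
```

Swap `SAMPLE_KEV` for `fetch_kev()` and the asset map for your scanner export and the same function becomes the daily report; the non-federal reader gets the same value from it, since the due dates are a public statement of how fast CISA expects exploitation to spread.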


2. CSIS Significant Cyber Incidents Timeline Updated

The Center for Strategic & International Studies (CSIS) updated its living Significant Cyber Incidents timeline as of this week, continuing to track state actions, espionage, and cyberattacks with losses exceeding one million dollars. The resource, updated within the past 48 hours, reflects ongoing incident activity relevant to geopolitical cyber operations in 2026.


3. Ransomware-Nation-State Convergence Dominates 2026 Policy Discussion

Industry analysts and policy commentators continue to highlight the collapse of the distinction between nation-state attacks and criminal ransomware activity in 2026. As noted in Security Week's analysis, ransomware gangs operating with state approval — particularly Russian groups targeting defense contractors — are simultaneously pursuing profit and geopolitical objectives. This convergence is reshaping compliance frameworks like CMMC and forcing organizations to treat ransomware response as a national security issue, not just an IT recovery problem.


What to Watch

  • Chrome Zero-Day Exploitation Escalation: With CVE-2026-5281 now CISA KEV-listed and four Chrome zero-days exploited in 2026 to date, watch for threat actors chaining browser vulnerabilities with post-exploitation frameworks targeting enterprise environments — particularly in sectors slow to enforce managed browser update policies.
  • F5 BIG-IP RCE Campaign Widening: Shadowserver's finding of 14,000+ exposed instances suggests the attack surface remains largely unpatched. Expect this campaign to intensify over the coming 48–72 hours as opportunistic actors move to exploit exposure windows before organizations fully remediate.
  • APT28 / Microsoft Office CVE-2026-21509 Targeting: APT28's active exploitation of a Microsoft Office vulnerability against government and military entities warrants close monitoring for spear-phishing lures delivering malicious Office documents — particularly in defense-adjacent and NATO-member government organizations.

Reader Action Items

  1. Patch Chrome now — no exceptions. Open chrome://settings/help, verify you are on the stable build that addresses CVE-2026-5281, and relaunch so the new binary is actually loaded. Enforce managed update policies across all endpoints via your MDM or endpoint management platform. Chromium-based browsers (Edge, Brave, Opera) embed the same Dawn WebGPU code and ship their own fixes on their own schedules, so track and deploy those vendor updates separately rather than assuming the Chrome patch covers them.

  2. Audit and patch F5 BIG-IP APM instances immediately. If your organization runs BIG-IP APM, cross-reference your exposed instances against Shadowserver's alerts, apply the available RCE patch, and restrict internet-facing management interfaces to approved IP ranges until fully remediated.

  3. Review Microsoft Office patch status and monitor for APT28 TTPs. Confirm CVE-2026-21509 is patched across your Office deployment. Enable enhanced logging for document macro execution and for Office processes spawning shells, script hosts, or binaries from user-writable paths, and watch for the lateral movement indicators consistent with APT28 tradecraft, particularly if your organization operates in government, defense, or military supply chain sectors.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
