Cybersecurity Radar — 2026-04-23
CISA has added 8 newly exploited vulnerabilities to its Known Exploited Vulnerabilities catalog with federal patch deadlines as early as April 23, 2026, demanding immediate action from government and enterprise teams. A new Mirai-based malware campaign is actively exploiting a high-severity D-Link router vulnerability to build out botnet infrastructure, while Android malware NGate has resurfaced with a new variant abusing the legitimate HandyPay app to steal NFC-based payment credentials.
🔴 Critical Alerts
CISA Adds 8 Exploited Flaws to KEV — Federal Deadlines Today and May 4
CISA has added 8 actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog with aggressive remediation deadlines: a subset of the new entries are due by April 23, 2026 (today), and the rest by May 4, 2026. The entries span multiple vendors. Under Binding Operational Directive (BOD) 22-01, every Federal Civilian Executive Branch (FCEB) agency must remediate each KEV entry by its listed due date; non-federal organizations are strongly urged to treat the catalog as high-priority remediation guidance.
Recommended Action: Federal agencies must patch immediately per BOD 22-01. All enterprises should cross-reference the KEV list and prioritize patching any affected systems.
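As an added example (not CISA's or any vendor's tooling), the following Python script shows the cross-reference step from the recommended action: it parses the KEV feed's JSON schema, matches entries against a local (vendor, product) inventory, flags each match as overdue, due today or upcoming relative to a chosen date, and lists which entries were added since a given date. The feed URL is CISA's real one; the catalog entries, CVE IDs, vendors, products, hosts and dates in the sample are constructed placeholders, and matching on lower-cased vendor and product strings is an assumed convention.

```python
"""Cross-reference the CISA KEV feed against an asset inventory and rank
findings by federal due date (added example; not CISA's own tooling)."""
import json
from dataclasses import dataclass
from datetime import date

# Real feed location; fetch_live_kev() is the only function that touches the network.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's schema. CVE IDs, vendors, products and dates
# are placeholders for illustration, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2026-04-22T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleVendor EdgeGateway Command Injection Vulnerability",
         "dateAdded": "2026-04-16", "shortDescription": "Unauthenticated OS command injection.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2026-0002", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleVendor EdgeGateway Authentication Bypass Vulnerability",
         "dateAdded": "2026-04-13", "shortDescription": "Authentication bypass on the admin UI.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2026-0003", "vendorProject": "OtherVendor", "product": "Mailer",
         "vulnerabilityName": "OtherVendor Mailer Deserialization Vulnerability",
         "dateAdded": "2026-03-30", "shortDescription": "Remote code execution via deserialization.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: (vendor, product) in lower case -> hosts running it.
SAMPLE_INVENTORY = {
    ("examplevendor", "edgegateway"): ["rtr-branch-01", "rtr-branch-02"],
    ("othervendor", "mailer"): ["mx-01"],
    ("thirdvendor", "crm"): ["app-07"],   # no KEV entry; must not appear in findings
}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    vendor: str
    product: str
    due: date
    ransomware: bool      # KEV's knownRansomwareCampaignUse == "Known"
    hosts: tuple
    status: str           # "overdue", "due_today" or "upcoming"


def load_kev(text):
    """Parse the feed (live or sample) into its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def classify(due, today):
    if due < today:
        return "overdue"
    return "due_today" if due == today else "upcoming"


def match_kev(entries, inventory, today_iso):
    """Return KEV entries that hit something in the inventory, earliest due date first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for e in entries:
        hosts = inventory.get((e["vendorProject"].lower(), e["product"].lower()))
        if not hosts:
            continue
        due = date.fromisoformat(e["dueDate"])
        findings.append(Finding(e["cveID"], e["vendorProject"], e["product"], due,
                                e.get("knownRansomwareCampaignUse") == "Known",
                                tuple(hosts), classify(due, today)))
    # Earliest deadline first; within a day, ransomware-linked entries before the rest.
    findings.sort(key=lambda f: (f.due, not f.ransomware, f.cve_id))
    return findings


def added_since(entries, since_iso):
    """CVE IDs added to the catalog on or after a date: the 'what changed today' check."""
    since = date.fromisoformat(since_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def fetch_live_kev(timeout=30):
    """Pull the real feed; only for actual use, the demo below stays offline."""
    import urllib.request
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("added since 2026-04-13:", added_since(entries, "2026-04-13"))
    for f in match_kev(entries, SAMPLE_INVENTORY, "2026-04-23"):
        print(f"{f.status:<9} {f.cve_id}  {f.vendor} {f.product}  due {f.due}"
              f"  ransomware={f.ransomware}  hosts={','.join(f.hosts)}")
```

To run it against the real catalog, replace load_kev(SAMPLE_KEV_JSON) with fetch_live_kev(). Real vendorProject and product strings in the feed are free-form, so in practice normalize your inventory to the catalog's spelling or match on CVE IDs reported by a scanner rather than on product names.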

Mirai-Based Botnet Exploiting D-Link DIR-823X Routers — CVE-2025-29635
A new Mirai-variant malware campaign, reported on April 22, 2026, is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in D-Link DIR-823X routers, to enlist devices into a growing botnet. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands on affected devices. Home and small-business routers are the primary targets.
Recommended Action: D-Link DIR-823X owners should apply the latest firmware update immediately and, as general hardening, confirm that remote (WAN-side) administration is disabled. Organizations should audit their network edge for vulnerable router models and consider network segmentation.
Threat Landscape
NGate Android Malware Returns — Now Abusing HandyPay App for NFC Credential Theft
Cybersecurity researchers have discovered a new iteration of the NGate Android malware family that abuses a legitimate application called HandyPay, replacing the previously observed NFCGate tool, to intercept NFC payment data from a victim's contactless card and relay it to an attacker-controlled device, where it is used to carry out fraudulent transactions remotely. Mobile banking customers and retail payment system users are at risk. This represents a significant escalation in NFC-based attack sophistication.
Recommended Action: Users should download apps only from official stores, enable Play Protect, and monitor banking alerts for unauthorized NFC transactions.
March 2026 Threat Landscape: 702 Ransomware Attacks, Surge in Access Broker Activity
Analysis published by Cyber Warriors Middle East (6 hours ago, sourcing CRIL data) confirms that March 2026 saw 702 ransomware attacks, with intensified data breach activity and an expanding underground market for initial access credentials. Key trends include a rise in access brokers selling network footholds, ransomware-as-a-service (RaaS) groups operating with near-enterprise efficiency, and a broadening of targeted sectors beyond traditional high-value industries.

AI Cybersecurity Risk Now a Board-Level Business Priority — Bain & Company
A new analysis from Bain & Company (published 1 day ago) frames AI-driven cybersecurity threats as "a business risk of the highest order, not a technology problem to be delegated downward." The report highlights the Claude Mythos incident as a wake-up call for C-suite executives, emphasizing that AI-enabled attack surfaces are expanding faster than defenses. Nation-state actors and criminal groups are increasingly leveraging AI to automate reconnaissance, phishing, and exploit development.

Vulnerabilities & Patches
CVE-2026-33825 (BlueHammer) — Windows Defender Privilege Escalation
CVE-2026-33825, dubbed "BlueHammer," is a Windows Defender zero-day that enables attackers to achieve SYSTEM-level access by abusing Defender's remediation logic. The vulnerability has been actively exploited in the wild. According to Krebs on Security (updated 2 days ago), analyst Will Dormann of Tharros confirmed that the public BlueHammer exploit code no longer works after installing Microsoft's latest patches. Satnam Narang of Tenable noted April marks the second-biggest Patch Tuesday ever for Microsoft by CVE count.
Recommended Action: Apply all April 2026 Microsoft patches immediately, prioritizing those addressing Defender and SharePoint.
CVE-2026-34621 — Adobe Zero-Day Exploited Since November 2025
An Adobe zero-day patched in an emergency update on April 11, CVE-2026-34621, had been exploited in the wild since at least November 2025, according to Tenable's Satnam Narang as cited by Krebs on Security. A roughly five-month window of exploitation before any fix existed means patching alone is not enough: compromise may predate the update, so retrospective hunting is warranted.
Recommended Action: Ensure all Adobe products are updated to the latest versions; audit systems for indicators of compromise dating back to late 2025.
CISA KEV — Multiple Windows Flaws Now Being Weaponized
In addition to the 8 newly added KEV entries, threat actors are actively exploiting recently leaked Windows privilege escalation vulnerabilities to gain SYSTEM or elevated administrator privileges, per BleepingComputer (reported 1 week ago; still relevant context for today's KEV deadline).
Recommended Action: All organizations should prioritize Windows privilege escalation patches in this month's update cycle. Monitor for anomalous privilege use.
Breaches & Incidents
March 2026 Ransomware & Breach Activity — Scope and Scale
CRIL's analysis (published via The Cyber Express, 1 day ago) provides a comprehensive accounting of March 2026 threat activity: 702 ransomware attacks recorded, major data breaches across multiple sectors, significant access broker marketplace growth, and global risk indicators trending upward. The report characterizes the threat environment as one of sustained elevated intensity rather than a temporary spike, with no signs of abatement heading into Q2 2026.

U.S. Public Sector Under Sustained Siege in Q1 2026
Trend Micro's Q1 2026 threat intelligence report (published approximately 2 weeks ago) documents the U.S. public sector as a primary target. Key findings: AI is lowering the barrier to sophisticated attacks; nation-state actors have demonstrated the capability to penetrate the highest levels of U.S. government communications; and ransomware groups are "operating with the efficiency of professional enterprises." 66% of surveyed global IT leaders reported up to two breaches in the past year, an increase over prior years.
Industry & Policy
CISA KEV Catalog Enforcement — Federal Deadline Pressure Intensifies
The addition of 8 exploited vulnerabilities to the KEV catalog with same-day or near-term deadlines signals an intensification of CISA's enforcement posture for federal agencies. The April 23 deadline (today) for a subset of the newly catalogued flaws represents one of the tightest remediation windows issued in recent months, reflecting the active exploitation status of these vulnerabilities.
AI Reframes Cybersecurity as a C-Suite Imperative
Bain & Company's analysis, published April 22, argues that AI-driven threats have permanently elevated cybersecurity from an IT function to a board-level business risk. The firm recommends organizations establish executive-level cyber risk ownership and invest in AI-native defense platforms rather than bolting AI onto legacy security stacks.
Ransomware Ecosystem Maintains "Elevated New Normal" Into 2026
GuidePoint Security's research characterizes the current ransomware environment as an "elevated new normal" — attack volumes that once would have represented crisis peaks are now the baseline. This normalization is reshaping how organizations must set risk tolerances and budget for incident response, with RaaS operations continuing to lower the skill threshold for would-be attackers.
What to Watch
- CISA KEV May 4 Deadline: Federal agencies and their supply chains must complete patching of the second wave of KEV-listed vulnerabilities before May 4, 2026. Non-federal organizations should treat this as a forcing function for their own remediation cycles.
- NFC Payment Malware Escalation: The NGate/HandyPay campaign signals that mobile NFC-based payment theft is growing more sophisticated. Expect copycat campaigns and variant malware targeting other legitimate payment apps in the near term.
- Nation-State + Ransomware Convergence: Multiple intelligence sources confirm the continued blurring of criminal ransomware operations and state-sponsored cyber activity. Organizations in defense, critical infrastructure, and government contracting chains should elevate their threat monitoring posture accordingly.
Reader Action Items
- Patch Windows and Adobe systems today. The CISA KEV April 23 deadline is live. Prioritize CVE-2026-33825 (BlueHammer/Windows Defender), the April Patch Tuesday SharePoint zero-day, and CVE-2026-34621 (Adobe). Verify patch application with your endpoint management tooling before end of business.
- Audit your router and IoT perimeter. If your organization or remote workers use D-Link DIR-823X routers, apply the latest firmware immediately to close CVE-2025-29635. Conduct a broader audit of unmanaged network edge devices, which remain a persistent blind spot for enterprise security teams.
- Review mobile device policies and NFC exposure. The resurgence of NGate-variant malware targeting NFC payment apps warrants a review of mobile device management (MDM) policies. Ensure employees use only approved payment apps, enable app vetting through your MDM solution, and brief finance and HR teams on the social engineering lures used to distribute mobile malware.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.