CyberPulse

Three Hundred Organizations in the Gulf



A state intelligence-linked threat actor is conducting an active password-spraying campaign against Microsoft 365 environments across the Gulf, impacting 300+ organizations in three distinct attack waves on March 3, 13, and 23 — each separated by exactly 10 days. Targets include government, municipalities, technology, transportation, and energy. A state-sponsored actor deployed BRICKSTORM kernel implants and passive backdoors targeting VMware vSphere/vCenter/ESXi for long-term espionage below the guest OS layer. The Coruna iOS exploit kit was confirmed to contain an updated kernel exploit from the Operation Triangulation campaign. Apple expanded DarkSword patches to iOS 18.7.7 for older devices. Malicious npm packages masquerading as Strapi community plugins were identified across four sock puppet accounts.

Links & Resources
  • https://thehackernews.com/2026/04/iran-nexus-password-spraying-m365-israel-uae.html
  • https://www.cybersecurity-review.com/news-april-2026/
  • https://www.securityweek.com/brickstorm-vmware-vsphere-kernel-implants/
  • https://thehackernews.com/2026/04/malicious-strapi-npm-plugins.html
  • https://www.securityweek.com/coruna-operation-triangulation-kernel-exploit/
  • https://thehackernews.com/2026/04/fortinet-forticlient-ems-cve-2026-35616-zero-day.html
  • https://thehackernews.com/2026/04/apple-darksword-ios-18-7-7-patches.html
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CyberPulse by Tushar Vartak