On April 14, 2026, Microsoft releases its monthly security update cycle. This Patch Tuesday warrants direct attention from every patch management team and every operations team running Windows infrastructure. The maximum severity is critical. The primary impact is remote code execution. The affected surface covers the most widely deployed platforms in enterprise environments simultaneously: all active Windows 11 versions, the entire still-supported Windows Server range from 2016 through 2025, Remote Desktop Services, Microsoft Office, and the .NET runtime. Thirteen product families are addressed in this cycle across three deployment priority tiers.

Seven families are classified priority one — immediate deployment. Windows 11, all active versions — 23H2, 24H2, 25H2, and 26H1 — receive critical patches with remote code execution impact. Windows Server 2025, 2022, 2019, and 2016 follow the same pattern: all rated critical, all with remote code execution impact, all priority one. Remote Desktop Services also land at critical severity with remote code execution impact and deserve specific attention beyond the standard label. The exploitation history of RDS vulnerabilities is well documented — BlueKeep and DejaBlue in 2019, both wormable, both actively exploited within weeks of disclosure. Any entity exposing RDS over the internet or through VPN concentrators should treat this component as the highest-urgency item in this cycle. Microsoft Office is priority one with critical severity — the exploitation vector is consistently phishing, the dominant initial access vector in campaigns targeting the financial sector. The .NET and .NET Framework entry is rated critical with denial of service impact: a vulnerability rated critical on .NET can crash or render unavailable any application or web service running on these runtimes without code execution — a direct availability risk that can be triggered remotely.

Three families are priority two — deployment within seven days: SQL Server with important severity and remote code execution impact, SharePoint with important severity and spoofing impact, and Azure components with important severity and elevation of privilege impact. Three families are priority three — standard cycle: Visual Studio, Dynamics 365, and System Center, all rated important.

Additionally, this April cycle introduces a kernel driver trust enforcement change for Windows 11 24H2, 25H2, 26H1, and Windows Server 2025: systems will no longer treat legacy cross-signed drivers as a blanket trust path. Environments with dependencies on older unsigned driver binaries should audit their driver inventory before deployment. All Windows 11 and Windows Server updates in this cycle are cumulative. Detailed CVE-level disclosure and CVSS scores will be available on the Microsoft Security Response Center from April 14.

Sources

• Help Net Security – April 2026 Patch Tuesday forecast: spring cleaning of a preview : https://www.helpnetsecurity.com/2026/04/10/april-2026-patch-tuesday-forecast/
• Zecurit – Patch Tuesday April 2026: security updates and CVE analysis : https://zecurit.com/endpoint-management/patch-tuesday/
• Microsoft Security Response Center – Security Update Guide : https://msrc.microsoft.com/update-guide/

Don't think, patch!

Your feedback is welcome.

Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

#RadioCSIRT #CyberSecurity #PatchTuesday #Microsoft #ThreatIntelligence #CTI #Windows #RDS #Office #dotNET

Since February 2026, a new ransomware group operating under the name Payload has been conducting active double extortion campaigns against organizations across multiple sectors and geographies. In less than two months of observed activity, the group has claimed twenty-six victims across seven countries, declared 2,603 gigabytes of exfiltrated data, and demonstrated a level of technical sophistication that places it well above opportunistic ransomware operations. The combination of ESXi-specific encryption logic, ETW patching, and a fully operational Tor-based infrastructure from the outset indicates either experienced operators or access to a mature toolkit.

Payload operates two distinct binaries sharing a common cryptographic scheme: Curve25519 ECDH combined with ChaCha20 for per-file key generation. The ESXi variant is a Linux ELF64 binary of approximately 39,904 bytes. Strings are RC4-obfuscated with the three-byte key FBI. Before any encryption activity, the binary performs an anti-debug check via /proc/self/status, then parses VMware's vmInventory.xml to enumerate all datastores and VMDK paths. Virtual machines are powered off via vim-cmd before encryption begins. Thread pool workers are named FBIthread-pool — a forensic artifact visible in standard process listing. The ransom note replaces the ESXi web management interface at /usr/lib/vmware/hostd/docroot/ui/welcome.txt.

The Windows variant, compiled on February 17, 2026, is derived from the Babuk codebase that leaked in September 2021, with HC-128 replaced by ChaCha20 and significant anti-forensic additions. Key capabilities include ETW patching of four ntdll.dll functions — EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, and EtwRegister — silently blinding EDR solutions that depend on ETW telemetry. The mutex MakeAmericaGreatAgain is a reliable operator fingerprint. The binary terminates thirty-four services including Veeam, Acronis, BackupExec, Symantec, and Sophos, wipes Windows event logs, deletes shadow copies, and self-deletes via NTFS alternate data stream without spawning a child process.

For detection: deploy the YARA rule published by Abdullah Islam covering the ESXi variant. Monitor for MakeAmericaGreatAgain mutex, .payload extension, and ETW function patches in ntdll.dll. Any EDR stack relying exclusively on ETW-based telemetry should be reviewed immediately. ESXi management interfaces must sit behind a dedicated management VLAN. Immutable or air-gapped backup storage remains the only reliable recovery path if encryption completes before detection.

Sources

• GBHackers – Payload ransomware hits Windows and ESXi with Babuk-style encryption : https://gbhackers.com/payload-ransomware/
• CyberSecurityNews – New Payload ransomware uses Babuk-style encryption against Windows and ESXi systems : https://cybersecuritynews.com/new-payload-ransomware-uses-babuk-style-encryption/
• CyberPress – Payload hits Windows and ESXi : https://cyberpress.org/payload-hits-windows-esxi/

Don't think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com

Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

#RadioCSIRT #CyberSecurity #Ransomware #ThreatIntelligence #CTI #Payload #ESXi #VMware #Windows

In this episode, a single artificial intelligence model became the subject of an emergency meeting between the US Treasury, the Federal Reserve, and the CEOs of America's largest systemically important financial institutions. That model is Claude Mythos Preview, developed by Anthropic. This marks the first time in American financial history that frontier AI capabilities have been treated at this regulatory level as a systemic risk event, rather than a sectoral technology concern.

Anthropic restricted access to Mythos to approximately forty partner organizations under Project Glasswing — including Microsoft, Google, Apple, and Amazon — citing the risk of exposing critical vulnerabilities at scale. The model's documented capabilities include autonomous identification and exploitation of flaws across all major operating systems and browsers, real-time payload construction, and functional exploit generation without human guidance. Anthropic is simultaneously engaged in litigation with the Pentagon, which has classified the organization as a supply chain risk.

Six risk vectors were identified in connection with Mythos: zero-day exploitation rated critical, systemic SIFI risk rated critical, algorithmic convergence rated high, DeFi and smart contract infrastructure exposure rated high, customer data exfiltration rated high, and cyber-insurance portfolio disruption rated medium. For security teams, the operational implication is direct: the traditional forty-eight to seventy-two hour window between CVE publication and weaponization is no longer the relevant threat timeline when autonomous exploit generation compresses that cycle to minutes.

Sources

• CNBC – Powell and Bessent convened Wall Street CEOs on Anthropic Mythos cyber risk : https://www.cnbc.com/2026/04/10/powell-bessent-us-bank-ceos-anthropic-mythos-ai-cyber.html
• Fortune – Bessent and Powell convened Wall Street leaders in an emergency meeting on Claude Mythos Preview : https://fortune.com/2026/04/10/bessent-powell-anthropic-mythos-ai-model-cyber-risk/
• Euronews – Why Anthropic's most powerful AI model Mythos Preview is too dangerous for public release : https://www.euronews.com/next/2026/04/08/why-anthropics-most-powerful-ai-model-mythos-preview-is-too-dangerous-for-public-release

Don't think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com Weekly
Newsletter: https://radiocsirtenglishedition.substack.com/

#RadioCSIRT #CyberSecurity #AI #ThreatIntelligence #CTI #ClaudeMythos #FinancialSector #Anthropic

🎧🎙️Large Language Models & Cybersecurity Claude 4.6, Project Glasswing & Claude Mythos Preview

Welcome to this special edition of RadioCSIRT ⚡️

🤖 Claude 4.6 Family — A Cybersecurity Perspective Claude Opus 4.6, Sonnet 4.6 and Haiku 4.5 share a context window of up to one million tokens, multimodal text/image support and extended thinking capabilities. Direct implications for SOC teams: complete code repository analysis, massive IOC correlation, attack chain reconstruction — but also a significant reduction in the entry barrier for producing high-quality offensive artifacts.

🔓 Economic Asymmetry of the Threat At five dollars per million tokens, Claude Opus 4.6 makes expert-level analytical reasoning accessible to a broad range of actors that previously required costly human expertise. The window between CVE publication and exploit availability is compressing. LLM-generated phishing lures no longer display the linguistic markers traditionally used for detection.

🔬 Project Glasswing — Restricted Access Anthropic launched Claude Mythos Preview under an access framework limited to approximately forty partner organizations (Microsoft, Google, Amazon confirmed), by invitation only, following prior consultation with US authorities. The European Commission publicly endorsed this restriction.

⚠️ Claude Mythos Preview — Documented Capabilities The model can autonomously identify and exploit flaws across all major operating systems and web browsers, and construct sophisticated payloads and exploits in real time at low cost. On April 7, 2026, Treasury Secretary Scott Bessent and Jerome Powell convened an emergency meeting with the CEOs of major US banks (Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Wells Fargo) — the first meeting of this level motivated by the capabilities of a single AI model.

🎯 Identified Risk Vectors Six dimensions covered in this episode: zero-day exploitation, systemic SIFI risk, algorithmic convergence, DeFi/smart contract exposure, customer data exfiltration, impact on cyber-insurance portfolios.

⚖️ Regulatory and Legal Context Anthropic is in active litigation with the Pentagon, which classified the organization as a supply chain risk. The forty Glasswing partners constitute a new indirect attack surface. The AI Act, DORA and ENISA guidelines create a compliance framework that applies now to LLM deployments in high-risk contexts.

🛡️ Documented Defensive Use Cases Automatic generation of YARA/Sigma rules, alert enrichment, large-scale forensic analysis, assisted threat modeling, adversary simulation — the same capabilities serve both sides. LLMs remain analytical augmentation tools: human verification on high-impact operational outputs remains mandatory.

🔗 Sources

• Project Glasswing — Anthropic: https://www.anthropic.com/glasswing
• Claude Models — Overview and Pricing: https://platform.claude.com/docs/en/about-claude/models/overview

📩 Contact: radiocsirt@gmail.com

⚡️ We don't think, we patch!

#RadioCSIRT #Cybersecurity #LLM #Claude #Anthropic #Glasswing #Mythos #ThreatIntelligence #SOC #CERT #CISO #AI #CyberSecurity #ProjectGlasswing #ZeroDay #SIFI

We open this recap with the Winter Olympic Games in Milano Cortina, facing a wave of cyberattacks attributed to Russia. According to The Register, Italy’s Minister of Foreign Affairs confirmed the targeting of diplomatic offices and Olympic infrastructure. The defensive posture is further strained by supply chain tensions, as Cloudflare’s CEO threatened to withdraw pro bono protection services following a regulatory dispute with Italian authorities.

In France, ZDNet reported an espionage case in Gironde involving a clandestine interception station operated from a rented Airbnb property. Two Chinese nationals were charged. The seized equipment was designed for sniffing Starlink communications and intercepting military frequencies, illustrating direct risk at the physical communications layer.

We then move to active exploitation and emergency response requirements around Cisco Catalyst SD-wan. Australia’s cyber authorities published an alert on exploitation of Cisco SD-wan appliances. Cisa added CVE 2026 20127 and CVE 2022 20775 to the Known Exploited Vulnerabilities catalog and issued Emergency Directive twenty-six zero three, requiring immediate inventory, forensic artifact collection, patching, and compromise assessment, with a deadline of February twenty-seventh, twenty twenty-six. certfr confirmed active exploitation through alert certfr twenty twenty-six ALE zero zero two, and BleepingComputer reported exploitation activity dating back to twenty twenty-three.

On the malware front, multiple campaigns highlight attacker focus on routers, developers, and stealth tooling. Cisco Talos detailed the dismantling of the DKnife interception framework used since twenty nineteen. Talos also documented the Dohdoor backdoor campaign using DNS over HTTPS through Cloudflare, delivered via DLL sideloading and process hollowing, with EDR bypass techniques involving syscall unhooking in ntdll dot dll. Kaspersky GReAT reported Arkanix Stealer operating as Malware as a Service, with both Python and C plus plus implementations, AES GCM communications, and indications of LLM-assisted development.

Developer ecosystems remain a key battleground. Microsoft warned of fake Next dot js repositories used as job interview lures delivering in-memory JavaScript payloads, and GitLab banned one hundred thirty-one accounts linked to the Contagious Interview operation and the Wagemole scheme. Socket identified the SANDWORM underscore MODE campaign abusing at least nineteen malicious npm packages through typosquatting, including a module targeting AI coding assistants via malicious MCP server injection combined with prompt injection.

We also cover phishing at industrial scale. As reported by KrebsOnSecurity, the Starkiller phishing as a service platform dynamically loads real login pages and acts as a reverse proxy, relaying keystrokes, form submissions, and session tokens through attacker infrastructure, effectively defeating multi-factor authentication by capturing the full authentication flow.

Finally, critical vulnerabilities affected AI development environments. Check Point Research documented vulnerabilities in Anthropic’s Claude Code enabling command execution via project hooks, MCP consent bypass through project configuration, and clear-text exfiltration of Anthropic API keys by redirecting the ANTHROPIC underscore BASE underscore URL variable to an attacker-controlled endpoint. In parallel, Linux ecosystem updates included Linux seven point zero entering release candidate status, while incident response and law enforcement actions included Eurojust’s takedown of a fraudulent call centre in Dnipro.

All sources are available on https://www.radiocsirt.com/podcast/your-cybersecurity-news-for-saturday-february-28-2026-ep-71/

Don’t think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website:https://www.radiocsirt.com
Weekly Newsletter:https://radiocsirtenglishedition.substack.com/