Security Briefing April 1, 2026 · 10 min read

Progress ShareFile Pre-Auth RCE Chain, Stryker Recovers from 200K-Device Wiper Attack, CERT-UA Impersonation Spreads AGEWHEEZE to 1M Emails, Casbaneiro PDF Lures Hit LatAm & Europe

Progress ShareFile harbors a dangerous vulnerability chain enabling pre-authentication remote code execution against unpatched instances. Medtech giant Stryker declares full operational recovery after a wiper attack destroyed 200,000 devices. A large-scale phishing campaign impersonating CERT-UA has blasted AGEWHEEZE malware to over one million inboxes. Casbaneiro banking trojan returns with dynamic PDF lures across Latin America and Europe. WhatsApp-delivered VBS malware exploits UAC bypass to hijack Windows systems. Residential proxies now evade IP reputation controls at a 78% rate across four billion observed sessions.


1. Progress ShareFile Pre-Auth RCE — Vulnerability Chain Enables Unauthenticated Takeover

⚠ CRITICAL — Pre-Authentication Remote Code Execution

Multiple flaws in Progress ShareFile can be chained by an unauthenticated attacker to achieve remote code execution without any valid credentials. Organizations running on-premises ShareFile deployments should treat this as an emergency and apply available patches immediately.

Progress ShareFile — a widely deployed enterprise file-sharing and collaboration platform — has been found to contain a chain of vulnerabilities that, when combined, allow a remote, unauthenticated attacker to achieve full remote code execution (RCE) on vulnerable server instances.

The Vulnerability Chain

The exploit chain links two distinct weaknesses. The first is an authentication bypass flaw in the ShareFile web application that allows unauthenticated requests to reach endpoints intended only for logged-in users. The second is a server-side deserialization vulnerability reachable via those protected endpoints. By combining the two, an attacker can supply a crafted serialized payload through the authentication bypass, triggering arbitrary code execution under the context of the web server process — with no credentials required at any stage.

Affected Versions

Exploitation Risk

Progress ShareFile is heavily used in regulated industries including financial services, legal, and healthcare — sectors that store highly sensitive documents on the platform. A successful pre-auth RCE gives attackers direct access to the underlying file server, all stored documents, and credentials cached within the application environment. Given that similar Progress vulnerabilities (e.g., MOVEit Transfer in 2023) were mass-exploited by ransomware groups within days of disclosure, active exploitation attempts should be expected imminently.

Patching and Mitigation


2. Stryker Fully Operational After Devastating Data-Wiping Attack on 200K Devices

🔶 HIGH — Medtech Giant Completes Recovery; Attack Scale Revealed

Stryker Corporation has declared full operational restoration following a destructive wiper attack that permanently erased data from approximately 200,000 devices across its global manufacturing and logistics network.

Stryker Corporation, one of the world's largest medical technology companies with operations spanning surgical equipment, orthopedic implants, and hospital logistics, has confirmed it is now fully operational after a wiper malware attack that wiped data from an estimated 200,000 devices across its infrastructure.

Attack Timeline

Impact and Recovery

The attack's use of wiper malware — rather than ransomware — indicates the primary objective was disruption rather than financial extortion. The destruction of 200,000 devices represented a significant blow to Stryker's manufacturing capacity, with delays cascading to hospital supply chains for joint replacement components and surgical instruments. Recovery required a combination of full OS reimaging from hardened golden images, hardware replacement for devices where storage was physically overwritten beyond recovery, and manual reconfiguration of thousands of production systems.

Stryker has not publicly attributed the attack to a specific threat actor. Analysis of the wiper's behavior shares characteristics with destructive tooling previously associated with state-sponsored actors operating in support of geopolitical objectives, though this attribution remains unconfirmed.

Key Lessons


3. CERT-UA Impersonation Campaign Delivers AGEWHEEZE Malware to 1 Million Inboxes

⚠ CRITICAL — State-Aligned Phishing at Nation-Scale

A sophisticated threat actor has impersonated Ukraine's Computer Emergency Response Team (CERT-UA) in a phishing campaign that distributed AGEWHEEZE malware to over one million email addresses spanning Ukrainian government, military, and allied partner organizations.

Ukraine's cybersecurity community is responding to one of the largest phishing operations targeting the country in 2026: a campaign that convincingly impersonated CERT-UA — the Ukrainian government's own computer emergency response body — to deliver a previously undocumented malware family dubbed AGEWHEEZE to over one million recipients.

Phishing Technique

The campaign used spoofed sender addresses closely mimicking official CERT-UA email domains, combined with email content that replicated the formatting, branding, and tone of legitimate CERT-UA security advisories. Recipients were instructed to download and execute an "urgent security patch" or "mandatory scanning tool" for a fabricated critical vulnerability — a social engineering technique that exploits the trust relationship between CERT-UA and the organizations it normally protects.

The emails were distributed in at least three waves, with subject lines referencing current geopolitical tensions and active conflict-adjacent themes to maximize urgency and open rates. Researchers noted that the campaign's targeting list included Ukrainian government ministries, military support organizations, critical infrastructure operators, and allied partner nations in Eastern Europe.

AGEWHEEZE Malware Capabilities

AGEWHEEZE is a modular implant with a staged architecture designed to minimize initial footprint while enabling expansive post-exploitation capabilities:

Indicators of Compromise (IoCs)


4. Casbaneiro Banking Trojan Returns with Dynamic PDF Lures Targeting LatAm and Europe

🔶 HIGH — Banking Trojan Evolves with PDF-Based Delivery

The Casbaneiro banking trojan has resurfaced with a novel delivery mechanism using dynamic, personalized PDF lures to target banking customers across Latin America and select European markets.

Casbaneiro (also tracked as Metamorfo/Ponteiro), a Latin American banking trojan with a history stretching back to 2018, has returned in a significantly evolved form. Security researchers have identified an active campaign using dynamically generated PDF lures as the initial infection vector, replacing the group's earlier reliance on malicious Office macro documents.

The Dynamic PDF Technique

The campaign's most notable innovation is its use of server-side PDF generation to create personalized lure documents at the moment of delivery. Unlike static malicious PDFs that trigger security products through signature matching, these documents are generated on-demand and incorporate:

Targeted Regions and Institutions

Detection Guidance


5. WhatsApp-Delivered VBS Malware Hijacks Windows via UAC Bypass

🔶 HIGH — Consumer Messaging App Weaponized for Enterprise Compromise

Attackers are distributing malicious VBScript files via WhatsApp, exploiting user trust in the messaging platform to deliver malware that bypasses Windows UAC and establishes persistent elevated access.

A newly identified malware campaign is exploiting WhatsApp as a delivery channel for Visual Basic Script (VBS) malware targeting Windows systems. The attack leverages the inherent trust users place in files received via personal messaging — particularly when appearing to originate from known contacts whose accounts have been compromised — to bypass security skepticism that would normally flag unsolicited email attachments.

Delivery Mechanism

Victims receive a WhatsApp message from a compromised contact or an unknown number, delivering a compressed archive (ZIP/RAR) containing a VBS file disguised as a document, invoice, or media file. Common lure themes include:

Exploitation Chain

Once executed, the VBS payload performs a multi-stage attack:

  1. Environment check: Validates it is running in a real user environment, not a sandbox or analysis VM
  2. UAC bypass: Exploits a known Windows User Account Control bypass technique via the fodhelper.exe auto-elevation mechanism, achieving elevated privileges without displaying a UAC prompt
  3. Persistence: Installs a PowerShell-based backdoor in the Windows startup folder and creates a scheduled task for resilience
  4. C2 beaconing: Establishes outbound HTTPS connection to attacker infrastructure for command and payload delivery
  5. Data exfiltration: Harvests browser credentials, system information, and locally stored documents

Defensive Actions


6. Residential Proxies Achieve 78% IP Reputation Evasion Across 4 Billion Sessions

🔶 HIGH — Threat Actor Evasion Infrastructure at Industrial Scale

New research reveals that residential proxy networks now successfully evade IP reputation and geoblocking controls in 78% of malicious sessions analyzed, rendering traditional IP-based defense mechanisms largely ineffective at scale.

A comprehensive analysis of over four billion proxy sessions conducted by threat intelligence researchers has quantified the scale at which residential proxy networks undermine IP-based security controls. The findings represent a significant challenge for organizations relying on IP reputation feeds, geofencing, and blocklists as primary defensive mechanisms.

Scale of the Problem

Residential proxy networks — which route attacker traffic through the internet connections of unwitting consumers whose devices have been enrolled (often via shady free VPN apps or malware) — are now used in an estimated 78% of credential stuffing, account takeover, and web scraping attacks observed in the dataset. The residential IP addresses used are indistinguishable from legitimate home broadband connections, meaning:

Defense Recommendations

The research underscores that IP-centric defenses must be supplemented with behavioral and device-level signals:


7. ISO Image Lures Spreading RATs and Crypto Miners in Active Campaign

🔶 HIGH — ISO-Disguised Malware Bypasses Email Attachment Filters

Threat actors are distributing malicious ISO image files disguised as software installers and media content to deliver remote access trojans and cryptocurrency mining malware while evading standard email attachment controls.

Security researchers have identified an active campaign exploiting ISO disk image files as a delivery mechanism for a dual-payload operation: a remote access trojan (RAT) for persistent access and credential theft, combined with a cryptocurrency miner that monetizes compromised compute resources.

Distribution Method

The campaign distributes ISO files through multiple channels simultaneously:

When mounted (Windows auto-mounts ISO files on double-click in Windows 10+), the ISO presents a convincing installer UI while silently dropping and executing both the RAT and the miner. The miner is configured to throttle CPU usage during active user sessions to avoid detection, running at full capacity only during idle periods.

Defensive Actions


8. Mercor AI Platform Hit by LiteLLM Supply Chain Compromise

⚠ CRITICAL — AI Infrastructure Supply Chain Attack

Mercor, an AI-powered recruiting platform, has been compromised via a supply chain attack targeting its LiteLLM dependency — an open-source LLM API proxy library — exposing candidate data and API credentials across the platform.

Mercor, an AI-native recruiting platform that uses large language models to match candidates with job opportunities, has disclosed a security incident traced to a supply chain compromise of its LiteLLM dependency. LiteLLM is a popular open-source library used to proxy requests across multiple LLM provider APIs (OpenAI, Anthropic, Azure OpenAI, etc.) from a unified interface.

Nature of the Attack

Attackers introduced malicious code into a LiteLLM release that was subsequently pulled as a dependency by Mercor's production infrastructure. The malicious package version contained a backdoor that:

Broader AI Supply Chain Risk

This incident highlights an emerging and underappreciated attack surface: the AI application dependency chain. LiteLLM alone is used by hundreds of startups and enterprises building LLM-powered applications. A single compromised release could simultaneously impact dozens of downstream platforms, each handling sensitive user data processed through AI pipelines.

Immediate Actions for LiteLLM Users


Threat Landscape Summary

ThreatSeverityAction Required
Progress ShareFile Pre-Auth RCECRITICALPatch StorageZones Controller immediately; isolate if delayed
CERT-UA Impersonation / AGEWHEEZECRITICALBlock IoC domains; alert on suspicious CERT-UA-themed emails
Mercor / LiteLLM Supply ChainCRITICALAudit LiteLLM versions; rotate all LLM API keys now
Stryker Wiper Attack (Recovery)HIGHReview OT/manufacturing network detection gaps
Casbaneiro PDF LuresHIGHBlock PDF JavaScript execution; alert on PDF-spawned processes
WhatsApp VBS Malware / UAC BypassHIGHBlock VBScript execution; monitor fodhelper.exe activity
Residential Proxy Evasion (78%)HIGHSupplement IP controls with behavioral and device fingerprinting
ISO Lure RAT + Crypto MinerHIGHBlock ISO downloads; disable auto-mount via Group Policy

Stay Ahead of the Threat Curve

Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.

Explore KENSAI

Validate Your Defenses Against Today's Threats

KENSAI continuously tests your security controls against the latest attack techniques — from supply chain compromises to pre-auth RCE chains — before adversaries exploit them.

See the Platform

— KENSAI Security Intelligence · Published April 1, 2026

Related Articles

INTERPOL schaltet 45.000 bösartige IPs ab CVE-2025-52694: Unauthenticated SQL Injection Remote Code Execution Enterprise DORA Digital Operational Resilience Testing Security Platform