Google patches CVE-2026-5281, the fourth actively exploited Chrome zero-day this year. CheckPoint exposes Operation TrueChaos โ Chinese threat actors exploiting a TrueConf video conferencing zero-day (CVE-2026-3502) to backdoor Southeast Asian government agencies. EvilTokens device code phishing kit enables mass Microsoft 365 account hijacking. CERT-UA impersonation campaign blasts 1 million emails with AGEWHEEZE Go-based RAT.
CVE-2026-5281 is a use-after-free vulnerability in Chrome's Dawn WebGPU implementation. Google confirms active exploitation in the wild. Update to version 146.0.7680.177 or later.
Google has released emergency out-of-band updates to fix yet another Chrome vulnerability being exploited in active attacks. CVE-2026-5281 resides in Dawn, the cross-platform implementation of the WebGPU standard that powers Chrome's graphics rendering pipeline.
The use-after-free weakness can be exploited by attackers to trigger browser crashes, data corruption, or โ in the worst case โ arbitrary code execution. Google has withheld technical details to give users time to update.
| CVE | Component | Type | Patched |
|---|---|---|---|
| CVE-2026-2441 | CSSFontFeatureValuesMap | Iterator Invalidation | February |
| CVE-2026-3909 | Skia 2D Graphics | Out-of-bounds Write | March |
| CVE-2026-3910 | V8 JavaScript Engine | Inappropriate Implementation | March |
| CVE-2026-5281 | Dawn (WebGPU) | Use-After-Free | April 1 |
Four zero-days in three months is a concerning pace. In all of 2025, Google patched eight Chrome zero-days total. At the current rate, 2026 is on track to significantly exceed that number. Organizations should implement automatic Chrome update policies and consider browser isolation for high-risk users.
CVE-2026-3502 allows attackers who control a TrueConf server to distribute arbitrary executables to all connected clients via the auto-update mechanism. Active exploitation confirmed since January 2026.
CheckPoint Research has uncovered a campaign they call Operation TrueChaos, in which a China-nexus threat actor exploited a zero-day vulnerability in TrueConf video conferencing servers to push malicious software updates to government agencies in Southeast Asia.
TrueConf is a self-hosted video conferencing platform used by over 100,000 organizations, including military forces, government agencies, oil and gas corporations, and air traffic management companies. The vulnerability is particularly dangerous because TrueConf clients trust server-provided updates without proper validation.
iscicpl.exe escalates privilegesCheckPoint attributes the campaign to a Chinese-nexus threat actor with moderate confidence, based on:
The vulnerability affects TrueConf versions 8.1.0 through 8.5.2. A patch was released in version 8.5.3 in March 2026. Organizations running on-premises TrueConf servers should treat this as a priority patch.
A new phishing kit called EvilTokens enables mass exploitation of Microsoft's OAuth device code authorization flow. Most-targeted countries: US, Canada, France, Australia, India, Switzerland, UAE.
Security researchers at Sekoia have documented a new phishing-as-a-service kit called EvilTokens, sold on Telegram and under active development. The kit commoditizes device code phishing โ a technique that abuses OAuth 2.0's device authorization flow to hijack Microsoft 365 accounts.
The technique is particularly dangerous because the victim authenticates on Microsoft's legitimate login page โ there's no credential interception to detect. The kit has been used by multiple threat actors including Russian groups (Storm-237, UTA032) and the ShinyHunters data extortion group. The developer has announced plans to expand support for Gmail and Okta phishing pages.
Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed a phishing campaign where attackers impersonated the agency itself to distribute a remote access trojan called AGEWHEEZE. The threat actor, tracked as UAC-0255 (self-identified as "Cyber Serp"), claims to have sent the malicious emails to 1 million ukr.net mailboxes.
incidents@cert-ua[.]techCERT_UA_protection_tool.zip) hosted on Files.fm54.36.237[.]92CERT-UA reports the campaign was largely unsuccessful, with only a few educational institution devices compromised. Analysis of the phishing site revealed it was likely generated using AI tools, with a comment in the HTML source reading "With Love, CYBER SERP" in Russian.
poweriso.exe, 7z-x64.dll, and suspicious artifacts in %AppData%\Roaming\Adobe\.54.36.237[.]92 and cert-ua[.]tech. Ukrainian organizations should alert staff about the impersonation campaign.Get daily security intelligence delivered with zero noise.
Explore KENSAI โKENSAI Security Briefing โ April 2, 2026
Compiled from BleepingComputer, The Hacker News, SecurityWeek, CheckPoint Research, Sekoia, and CERT-UA intelligence feeds.