剣 KENSAI
← All posts · security · 2026-04-02

谷歌修补2026年第四个Chrome零日漏洞,中国APT利用TrueConf零日漏洞,EvilTokens钓鱼即服务攻击Microsoft 365,CERT-UA冒充活动传播AGEWHEEZE远控木马


🔴 Chrome Zero-Day CVE-2026-5281 — Fourth Exploited Flaw This Year

⚠️ CRITICAL — Update Chrome Immediately

CVE-2026-5281 is a use-after-free vulnerability in Chrome's Dawn WebGPU implementation. Google confirms active exploitation in the wild. Update to version 146.0.7680.177 or later.

Google has released emergency out-of-band updates to fix yet another Chrome vulnerability being exploited in active attacks. CVE-2026-5281 resides in Dawn, the cross-platform implementation of the WebGPU standard that powers Chrome's graphics rendering pipeline.

The use-after-free weakness can be exploited by attackers to trigger browser crashes, data corruption, or — in the worst case — arbitrary code execution. Google has withheld technical details to give users time to update.

2026 Chrome Zero-Day Scorecard

CVEComponentTypePatched
CVE-2026-2441CSSFontFeatureValuesMapIterator InvalidationFebruary
CVE-2026-3909Skia 2D GraphicsOut-of-bounds WriteMarch
CVE-2026-3910V8 JavaScript EngineInappropriate ImplementationMarch
CVE-2026-5281Dawn (WebGPU)Use-After-FreeApril 1

Four zero-days in three months is a concerning pace. In all of 2025, Google patched eight Chrome zero-days total. At the current rate, 2026 is on track to significantly exceed that number. Organizations should implement automatic Chrome update policies and consider browser isolation for high-risk users.


🇨🇳 Operation TrueChaos — China-Nexus APT Exploits TrueConf Video Conferencing Zero-Day

⚠️ CRITICAL — Patch TrueConf Server to 8.5.3+

CVE-2026-3502 allows attackers who control a TrueConf server to distribute arbitrary executables to all connected clients via the auto-update mechanism. Active exploitation confirmed since January 2026.

CheckPoint Research has uncovered a campaign they call Operation TrueChaos, in which a China-nexus threat actor exploited a zero-day vulnerability in TrueConf video conferencing servers to push malicious software updates to government agencies in Southeast Asia.

TrueConf is a self-hosted video conferencing platform used by over 100,000 organizations, including military forces, government agencies, oil and gas corporations, and air traffic management companies. The vulnerability is particularly dangerous because TrueConf clients trust server-provided updates without proper validation.

Attack Chain

  1. Attacker compromises a centrally managed government TrueConf server
  2. Replaces the legitimate update package with a malicious executable
  3. All connected TrueConf clients automatically download and execute the payload
  4. DLL sideloading delivers reconnaissance tools (tasklist, tracert)
  5. UAC bypass via iscicpl.exe escalates privileges
  6. Persistence established via scheduled tasks
  7. Network traffic points to Havoc C2 framework infrastructure

Attribution

CheckPoint attributes the campaign to a Chinese-nexus threat actor with moderate confidence, based on:

  • Use of Alibaba Cloud and Tencent for C2 infrastructure
  • TTPs consistent with known Chinese APT groups
  • Victimology focused on Southeast Asian government entities
  • Overlap with Amaranth Dragon, a previously documented Chinese threat cluster that also deploys Havoc implants

The vulnerability affects TrueConf versions 8.1.0 through 8.5.2. A patch was released in version 8.5.3 in March 2026. Organizations running on-premises TrueConf servers should treat this as a priority patch.


🎣 EvilTokens — Device Code Phishing-as-a-Service Hits Microsoft 365 at Scale

🟠 HIGH — Global Campaign Targeting Enterprise M365 Accounts

A new phishing kit called EvilTokens enables mass exploitation of Microsoft's OAuth device code authorization flow. Most-targeted countries: US, Canada, France, Australia, India, Switzerland, UAE.

Security researchers at Sekoia have documented a new phishing-as-a-service kit called EvilTokens, sold on Telegram and under active development. The kit commoditizes device code phishing — a technique that abuses OAuth 2.0's device authorization flow to hijack Microsoft 365 accounts.

How It Works

  1. Victim receives an email with a PDF, HTML, DOCX, or SVG attachment containing a QR code or link
  2. Link leads to a phishing page impersonating Adobe Acrobat, DocuSign, or SharePoint
  3. Page displays a verification code and prompts the user to "verify identity" at Microsoft
  4. Victim authenticates at the legitimate Microsoft device login page
  5. Attacker receives both access token and refresh token for persistent access

What Attackers Get

  • Full access to email, OneDrive files, Teams data
  • SSO impersonation across Microsoft services
  • Persistent access via refresh tokens that survive password changes
  • Business email compromise (BEC) capability for financial fraud

The technique is particularly dangerous because the victim authenticates on Microsoft's legitimate login page — there's no credential interception to detect. The kit has been used by multiple threat actors including Russian groups (Storm-237, UTA032) and the ShinyHunters data extortion group. The developer has announced plans to expand support for Gmail and Okta phishing pages.


🇺🇦 CERT-UA Impersonation Blasts 1 Million Emails With AGEWHEEZE RAT

Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed a phishing campaign where attackers impersonated the agency itself to distribute a remote access trojan called AGEWHEEZE. The threat actor, tracked as UAC-0255 (self-identified as "Cyber Serp"), claims to have sent the malicious emails to 1 million ukr.net mailboxes.

Campaign Details

  • Delivery: Emails spoofing CERT-UA from incidents@cert-ua[.]tech
  • Payload: Password-protected ZIP archive (CERT_UA_protection_tool.zip) hosted on Files.fm
  • Malware: AGEWHEEZE — a Go-based RAT communicating over WebSockets
  • Targets: Ukrainian government organizations, medical centers, security firms, educational institutions, financial institutions

AGEWHEEZE Capabilities

  • Command execution and file operations
  • Clipboard modification and screenshot capture
  • Mouse and keyboard emulation
  • Process and service management
  • Persistence via scheduled tasks, Registry modification, or Startup directory
  • C2 communication over WebSockets to 54.36.237[.]92

CERT-UA reports the campaign was largely unsuccessful, with only a few educational institution devices compromised. Analysis of the phishing site revealed it was likely generated using AI tools, with a comment in the HTML source reading "With Love, CYBER SERP" in Russian.


📋 Quick Hits

  • Claude Code Source Leaked via npm: Anthropic confirmed that internal source code for Claude Code — nearly 2,000 TypeScript files and 512,000+ lines — was inadvertently published in npm package version 2.1.88 due to a source map packaging error. No customer data was exposed. The version has been pulled.
  • Hasbro Hit by Cyberattack: Toy giant Hasbro is investigating a cyberattack, assessing whether files were compromised. No ransomware group has claimed responsibility yet.
  • DeepLoad Malware in ClickFix Attacks: A new malware called DeepLoad is being distributed through ClickFix social engineering attacks. It steals credentials, installs malicious browser extensions, and can spread via USB drives.
  • NoVoice Android Malware: Over 50 malicious apps on Google Play infected 2.3 million Android devices with the NoVoice malware before being removed.
  • FBI Warns on Chinese Mobile Apps: The FBI issued a public warning against using Chinese-developed mobile apps due to data security risks, though it did not name specific applications.

🛡️ Recommended Actions

  1. Chrome: Force-update to version 146.0.7680.177+ across all managed endpoints. Enable automatic updates if not already configured.
  2. TrueConf: Upgrade all TrueConf Server instances to version 8.5.3 immediately. Hunt for poweriso.exe, 7z-x64.dll, and suspicious artifacts in %AppData%\Roaming\Adobe\.
  3. Microsoft 365: Implement Conditional Access policies that restrict device code authentication. Monitor for anomalous token grants. Review Azure AD sign-in logs for device code flow activity.
  4. CERT-UA Phishing: Block 54.36.237[.]92 and cert-ua[.]tech. Ukrainian organizations should alert staff about the impersonation campaign.
  5. Android: Audit installed apps against the NoVoice indicator list. Consider MDM policies restricting sideloading and unverified Play Store apps.

Stay Ahead of the Threat Curve

Get daily security intelligence delivered with zero noise.

Explore KENSAI →

KENSAI Security Briefing — 2026年4月2日
Compiled from BleepingComputer, The Hacker News, SecurityWeek, CheckPoint Research, Sekoia, and CERT-UA intelligence feeds.

All posts · Permalink