← Back to Blog
Security Briefing 4 min read 2026-04-10

Security Briefing, April 10 2026: Chrome DBSC, Adobe Reader Zero-Day, LucidRook, VENOM, and the EngageLab SDK Flaw

The signal this morning is brutally clear: attackers are still winning through session theft, document exploits, targeted credential phishing, and supply-chain dependencies. Defenders finally have one good piece of news from Chrome, but the rest of the brief is a reminder that identity and endpoint hygiene still decide the day.


Top line: One browser hardening move, one live PDF zero-day, two high-end intrusion campaigns, one massive Android SDK exposure, and more patch pressure on perimeter gear.


1. Chrome 146 raises the bar against cookie theft

Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. The feature cryptographically binds short-lived session credentials to hardware-backed keys, which means infostealers can no longer steal a cookie on one machine and replay it somewhere else with the same reliability.

That matters because cookie theft has become the fastest way around passwords and MFA. Chrome is not fixing malware infections, but it is making post-compromise session hijacking harder and more expensive.

Why it matters


2. Adobe Reader zero-day is being abused through malicious PDFs

Researchers say a previously unknown Adobe Reader zero-day has been exploited since at least December 2025 through weaponized PDF files. The samples reportedly execute obfuscated JavaScript, collect local information, contact a remote server, and may prepare the path for later code execution or sandbox escape.

That is ugly because PDF remains one of the most trusted file formats in enterprise workflows. When a live exploit sits inside an "invoice" or industry document, normal user training is not enough.

Why it matters


3. LucidRook targets NGOs and universities in Taiwan

Cisco Talos-linked reporting describes LucidRook as a modular Lua-based malware used in spear-phishing attacks against Taiwanese NGOs and universities. The malware uses staged delivery, DLL sideloading, obfuscation, and external Lua bytecode to stay flexible while reducing forensic visibility.

The interesting part is not just the malware family. It is the operator discipline. This looks like a campaign built for targeted access and quiet collection, not noisy smash-and-grab crimeware.

Why it matters


4. VENOM is turning executive Microsoft logins into a product

Abnormal’s research on the closed-access VENOM phishing-as-a-service platform shows a sharp focus on C-suite targets. The kit impersonates SharePoint notifications, hides target data in URL fragments, uses QR delivery to push victims onto mobile devices, and captures credentials through adversary-in-the-middle and device-code flows.

This is the part defenders should stop sugarcoating: if you still rely on standard MFA and weak conditional access for executives, you are playing a losing game.

Why it matters


5. EngageLab SDK flaw exposed the Android supply-chain blast radius

Microsoft disclosed details of a patched EngageLab SDK vulnerability that could let a malicious app bypass app-boundary assumptions and access private data from other apps using the same SDK. Microsoft says the affected footprint included more than 50 million installs, including 30 million crypto-wallet installs.

There is no public evidence of active exploitation, but the lesson is obvious. Third-party mobile SDKs are now part of the attack surface whether product teams like it or not.

Why it matters


6. Patch watch: Palo Alto Networks and SonicWall

SecurityWeek also flagged fresh high-severity fixes from Palo Alto Networks and SonicWall. The exact product risk differs by deployment, but the pattern is the same as always: exposed edge products keep attracting privileged attackers because perimeter gear is still one of the fastest ways to turn a small foothold into administrator control.


What security teams should do today

  1. Prioritize identity hardening: accelerate passkeys or FIDO2 for executives and admins.
  2. Isolate risky document handling: sandbox or detonate untrusted PDFs before they reach users.
  3. Hunt for stealthy intrusion chains: watch for LNK plus archive execution, DLL sideloading, and odd FTP egress.
  4. Review mobile dependencies: inventory third-party SDKs and force urgent updates where security fixes already exist.
  5. Patch perimeter systems fast: especially remote management, firewall, and VPN-facing products.

Sources tracked for this briefing: BleepingComputer, The Hacker News, and SecurityWeek reporting published on April 9 to April 10, 2026.

Reduce the window attackers rely on

KENSAI helps teams spot exposed attack paths, weak identity controls, and vulnerable internet-facing assets before they turn into an incident.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team