← Back to Blog
Security Briefing4 min read2026-04-27

Security Briefing, April 27 2026: Snow Malware via Teams, Itron’s Utility Network Breach, FakeWallet on the App Store, and LMDeploy’s 13-Hour Warning

The pattern this morning is ugly and consistent: trusted support channels, trusted infrastructure, trusted app stores, and trusted AI tooling are all being turned into high-speed attack paths.


Top line: Four stories matter before most teams even finish standup: chat-based social engineering with domain-level consequences, a utility-sector internal network breach, App Store-delivered wallet theft, and an AI-serving flaw exploited inside half a day.


1. Snow malware turns Microsoft Teams helpdesk trust into a domain-compromise path

Google Mandiant says UNC6692 is mixing email bombing with fake Microsoft Teams helpdesk outreach to push victims into installing a bogus anti-spam patch. That patch drops the Snow toolset: SnowBelt for browser persistence, SnowGlaze for tunneling, and SnowBasin for command execution. From there the operators dump LSASS, move laterally, and exfiltrate Active Directory material. This is not ordinary phishing anymore. It is support-channel trust being weaponized for deep network access.


2. Itron’s internal IT breach is a critical-infrastructure warning even without confirmed customer impact

Itron disclosed unauthorized access to certain internal systems and says it has blocked the activity, launched an investigation, and currently sees no material operational disruption. That is good news, but not a reason for complacency. Itron sits inside utility technology for energy and water environments at global scale. When a vendor this embedded reports internal compromise, utilities and adjacent operators should read it as a segmentation, supplier-access, and response-readiness warning.


3. FakeWallet on Apple’s App Store shows trusted mobile distribution is still a live theft channel

Researchers found 26 FakeWallet apps on Apple’s App Store targeting crypto recovery phrases and private keys, including lookalikes for major wallets. In some cases the apps redirected users into trojanized wallet-install flows, with China-region App Store availability called out in reporting. The lesson is bigger than crypto: even trusted app stores can become delivery channels for credential and asset theft when brand mimicry and mobile trust are good enough.


4. Watchlist: LMDeploy proves AI exploit windows are collapsing

LMDeploy CVE-2026-33626, an SSRF flaw in an open-source LLM serving stack, was reportedly exploited within 12 hours and 31 minutes of disclosure. That should scare anyone shipping AI infrastructure like ordinary internal software. Advisories are now close enough to exploit prompts that patch latency itself becomes exposure.


What security teams should do today

  1. Re-verify every Teams-based support workflow and force out-of-band confirmation for urgent helpdesk requests.
  2. Review critical-infrastructure and internal-network segmentation assumptions, especially around suppliers and remote administration.
  3. Push mobile wallet hygiene guidance now and block risky install patterns where device management allows it.
  4. Patch AI-serving components fast and block metadata, loopback, and unnecessary egress from model infrastructure by default.

Sources


Bottom line: The pattern this morning is ugly and consistent: trusted support channels, trusted infrastructure, trusted app stores, and trusted AI tooling are all being turned into high-speed attack paths.

Find the trust breaks before they become incidents

KENSAI helps teams surface exposed attack paths across identity workflows, internal infrastructure, mobile software supply chains, and AI serving stacks before attackers turn trust into access.

Free Scan →

Stay sharp.

🗡️ KENSAI Security Team