ThreatsDay Bulletin Highlights Trends
The recent threat landscape shows attackers favoring misuse of legitimate tools over novel exploits, which simplifies initial access while extending dwell time for data theft. ThreatsDay Bulletin trends also underscore technique sharing across groups, which complicates attribution. Coverage spans Notepad command injection, Claude AI zero-click RCE, a Taiwan APT surge, Node.js stealers, and more.
Notepad RCE Vulnerability
Microsoft patched CVE-2026-20841 (CVSS 8.8), a Windows Notepad flaw that allows RCE via malicious Markdown links that trick users into executing remote files with the user's privileges. Proofs of concept demonstrate triggers using cmd.exe or an appinstaller URI. The fix shipped on Patch Tuesday; the affected Markdown support was added in May 2025.
| CVE Identifier | Vulnerability Description | CVSS Score |
|---|---|---|
| CVE-2026-20841 | Command injection via Markdown links | 8.8 |
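As an added, defender-side example (not from the bulletin, Microsoft, or any PoC), a small Python audit that lists the link targets in a Markdown file whose URI scheme a preview pane has no reason to launch; the high-risk scheme names (file, ms-appinstaller) and the cmd.exe substring are assumptions drawn from the bulletin's description, and the sample document is constructed.

```python
import re

# Inline links [text](target "title") and reference definitions [id]: target.
INLINE_LINK = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
REF_DEF = re.compile(r'^\s*\[[^\]]+\]:\s*<?(\S+)>?', re.MULTILINE)

# Schemes a Markdown preview legitimately needs; anything else gets reported.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Assumed indicators drawn from the bulletin: local file URIs, the App Installer
# scheme and links that name cmd.exe. Extend these for your environment.
HIGH_RISK_SCHEMES = {"file", "ms-appinstaller"}
HIGH_RISK_SUBSTRINGS = ("cmd.exe",)

def extract_links(markdown):
    """Return every link target found in the Markdown text, in document order."""
    return INLINE_LINK.findall(markdown) + REF_DEF.findall(markdown)

def link_scheme(target):
    """Return the lower-cased URI scheme of a link target, or None if it has none."""
    m = re.match(r'([A-Za-z][A-Za-z0-9+.-]*):', target)
    return m.group(1).lower() if m else None

def classify(target):
    scheme = link_scheme(target)
    if scheme is None:
        return "relative"        # plain relative path, nothing to launch
    if len(scheme) == 1:
        return "high-risk"       # a Windows drive letter such as C:\..., i.e. a local path
    if scheme in HIGH_RISK_SCHEMES or any(s in target.lower() for s in HIGH_RISK_SUBSTRINGS):
        return "high-risk"
    if scheme in ALLOWED_SCHEMES:
        return "allowed"
    return "unexpected"          # any other scheme: review before trusting the file

def audit_markdown(markdown):
    """Return (target, verdict) pairs for links that should be reviewed before opening."""
    findings = [(t, classify(t)) for t in extract_links(markdown)]
    return [f for f in findings if f[1] in ("high-risk", "unexpected")]

# Constructed sample document mixing benign and suspicious link targets.
SAMPLE = """# Release notes
See [the docs](https://example.com/docs) and [contact](mailto:sec@example.com).
[Open installer](ms-appinstaller:?source=https://example.invalid/app.msix)
[Local readme](C:\\Users\\Public\\readme.txt)
[Run helper](file:///C:/Windows/System32/cmd.exe)
[changelog]: ./CHANGELOG.md
"""
```

Calling `audit_markdown(SAMPLE)` reports the three non-web targets and leaves the https, mailto and relative links alone.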
Claude 0-Click RCE Flaw
Claude Desktop Extensions suffer a CVSS 10.0 zero-click RCE via Google Calendar events, triggered by prompts such as "check events and take care of it." Unsandboxed extensions chain connectors without boundaries, affecting roughly 10k users across 50 extensions. Anthropic has declined to issue a fix.
| CVE Identifier | Vulnerability Description | CVSS Score |
|---|---|---|
| None listed | Prompt chaining RCE | 10.0 |
Stealer Malware Rise
LTX Stealer uses an obfuscated Inno Setup installer to steal Chromium browser data and cryptocurrency, with Supabase/Cloudflare C2. Marco Stealer targets browsers, wallets, and cloud files, exfiltrates with AES-256 encryption, and includes anti-analysis features. Both expand the scope of data they grab.
Ransomware and Scams
Coinbase Cartel claims 60+ data-theft victims without deploying encryption, with a focus on UAE healthcare. 0APT fakes 200 breaches for extortion. Pig-butchering scammer Daren Li was sentenced to 20 years for $73.6M fraud; he had fled.
Infrastructure Abuses
Crazy ransomware leverages the Net Monitor and SimpleHelp RMM tools for persistence. GuLoader evolves with polymorphic evasion and cloud-hosted payloads. RenEngine and Foxveil loaders deliver stealers via games and Cloudflare.
ThreatsDay Bulletin trends indicate operational maturity that prioritizes stealthy persistence over disruption and blends criminal and espionage tactics. Defenders must monitor for misuse of legitimate tools and enforce baselines as those tactics evolve.