Executive Summary
- Adobe Reader zero-day actively exploited since December 2025 via malicious PDFs with no patch available
- Russia’s APT28 (Forest Blizzard) harvesting Microsoft Office tokens from SOHO routers affecting global organizations
- EngageLab SDK vulnerability exposed 50 million Android users including 30 million cryptocurrency wallet holders
- Supply-chain attacks escalating: Smart Slider plugin hijacked to distribute backdoored WordPress/Joomla versions
- Targeted campaigns against NGOs, universities, and executives using new LucidRook malware and VENOM phishing platform
Top Threats Today
1. Adobe Reader Zero-Day PDF Exploit
Severity: CRITICAL | Affected: Technology, Finance, Government
Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The exploit is described as highly sophisticated and represents a significant risk as no patch is currently available. This affects all Adobe Reader users across industries who open untrusted PDF documents.
Recommended Action
- Immediately restrict PDF opening capabilities or disable JavaScript in Adobe Reader settings
- Monitor for suspicious Adobe Reader process execution and network connections
- Deploy sandboxing for all PDF processing workflows
- Watch for Adobe security advisory and patch immediately upon release
2. Russia’s APT28 Router-Based Credential Theft Campaign
Severity: CRITICAL | Affected: Government, Finance, Technology
Russian military intelligence-linked APT28 (Forest Blizzard) is exploiting known vulnerabilities in older SOHO routers to conduct DNS manipulation attacks and harvest Microsoft Office authentication tokens at scale. The malware-less approach modifies DNS settings to intercept credentials from global organizations, representing a persistent espionage threat requiring immediate network hardening.
Recommended Action
- Audit and inventory all SOHO routers on corporate networks; prioritize replacement of unsupported models
- Apply all available firmware patches to routers immediately
- Implement DNS security monitoring and egress filtering for unauthorized DNS changes
- Enable MFA on all Microsoft Office accounts to mitigate token theft impact
- Review router access logs for suspicious DNS modification attempts
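The DNS-hardening actions above can be turned into a repeatable check. The following is an added example, not part of this brief: it compares the resolvers each SOHO router hands out against an approved allowlist, and separately flags port-53 traffic leaving the network toward non-allowlisted hosts, which catches a hijack even when a router's reported settings look clean. All addresses, the router report and the firewall log lines are constructed for the example (rogue resolvers use RFC 5737 documentation ranges).

```python
# Constructed allowlist: the resolvers policy permits clients to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample: resolvers each SOHO router currently hands out, keyed by
# router address (gathered e.g. from its admin page, SNMP or a DHCP lease).
ROUTER_DNS_REPORT = {
    "192.168.1.1": ["10.0.0.53", "10.0.1.53"],
    "192.168.2.1": ["10.0.0.53", "198.51.100.7"],  # one rogue resolver added
    "192.168.3.1": ["203.0.113.25"],               # resolvers fully replaced
}

# Constructed firewall log lines in the form "<src> -> <dst>:<port>/<proto>".
FIREWALL_LOG = """\
192.168.1.1 -> 10.0.0.53:53/udp
192.168.2.1 -> 198.51.100.7:53/udp
192.168.3.1 -> 203.0.113.25:53/udp
192.168.3.1 -> 203.0.113.25:443/tcp
"""


def audit_router_resolvers(report, approved):
    """Map each router whose DNS settings drifted to its unapproved resolvers."""
    findings = {}
    for router, resolvers in report.items():
        rogue = [r for r in resolvers if r not in approved]
        if rogue:
            findings[router] = rogue
    return findings


def dns_egress_violations(log, approved):
    """Return (src, dst) pairs for port-53 traffic sent to non-allowlisted hosts.

    A hijacked router still has to forward redirected lookups somewhere, so
    egress logs expose it even if its reported configuration was tampered with.
    """
    violations = []
    for line in log.splitlines():
        src, _, dest = line.split()
        host, port_proto = dest.rsplit(":", 1)
        port = int(port_proto.split("/")[0])
        if port == 53 and host not in approved:
            violations.append((src, host))
    return violations


if __name__ == "__main__":
    print("drifted routers:", audit_router_resolvers(ROUTER_DNS_REPORT, APPROVED_RESOLVERS))
    print("DNS egress violations:", dns_egress_violations(FIREWALL_LOG, APPROVED_RESOLVERS))
```

Pairing the two checks with an egress firewall rule that only permits port 53 to the allowlisted resolvers turns detection into prevention.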
3. EngageLab SDK Vulnerability Exposing 50M Android Users
Severity: CRITICAL | Affected: Technology, Finance
A now-patched vulnerability in the widely deployed EngageLab SDK allowed other apps on the same device to bypass Android security controls, potentially exposing 50 million users and 30 million cryptocurrency wallet applications. The flaw enables an inter-app communication bypass, creating elevated risk of financial and personal data theft on compromised devices.
Recommended Action
- Audit all deployed applications for EngageLab SDK integration
- Force update all applications using EngageLab SDK to patched versions
- Review device access logs for suspicious inter-app communications
- For cryptocurrency wallet users: rotate credentials and monitor for unauthorized transactions
- Communicate patch requirements to end users with enforcement deadline
4. Smart Slider Plugin Supply-Chain Compromise
Severity: CRITICAL | Affected: Technology, Retail, Media
Attackers compromised the update system for the Smart Slider 3 Pro plugin and pushed malicious versions containing multiple backdoors to WordPress and Joomla installations. This supply-chain attack potentially affects thousands of websites, giving the attackers persistent remote access.
Recommended Action
- Immediately audit all Smart Slider 3 Pro installations for version numbers and backdoor indicators
- Remove or disable the plugin pending security clearance
- Review web server logs for suspicious Smart Slider file access or PHP execution
- Check for web shells and unauthorized admin accounts on affected sites
- Restore from clean backups if compromise is confirmed
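The audit step above is easiest to do against a reference: hash every file of the installed plugin and compare it with a manifest built from a clean copy of the same release, then flag added, changed or missing files and any PHP that builds code at runtime from decoded blobs. The following is an added example, not code from this brief or from the plugin's vendor; the file paths, contents and manifest are constructed stand-ins, and a real manifest comes from the untampered package of the exact installed version.

```python
import hashlib
import re


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed stand-in for a clean copy of the installed release.
CLEAN_FILES = {
    "smart-slider-3/smart-slider-3.php": "<?php\nrequire 'library/loader.php';\n",
    "smart-slider-3/library/loader.php": "<?php\nfunction ss3_load() { return true; }\n",
}
KNOWN_GOOD_MANIFEST = {path: sha256(body) for path, body in CLEAN_FILES.items()}

# Constructed snapshot after a tampered update: one shipped file gained an
# obfuscated loader and one file that should not exist appeared.
INSTALLED_FILES = {
    "smart-slider-3/smart-slider-3.php": "<?php\nrequire 'library/loader.php';\n",
    "smart-slider-3/library/loader.php":
        "<?php\nfunction ss3_load() { return true; }\neval(base64_decode($blob));\n",
    "smart-slider-3/library/cache.php":
        "<?php\neval(gzinflate(base64_decode('PLACEHOLDER')));\n",
}

# Constructs typical of PHP backdoors: code executed from decoded payloads.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|create_function)\s*\(|\b(base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def audit_plugin(installed, manifest):
    """Return sorted (path, reason) findings: files added, changed or missing
    relative to the manifest, plus PHP files containing backdoor-style code."""
    findings = []
    for path, body in installed.items():
        expected = manifest.get(path)
        if expected is None:
            findings.append((path, "not in manifest"))
        elif sha256(body) != expected:
            findings.append((path, "hash mismatch"))
        if path.endswith(".php") and SUSPICIOUS_PHP.search(body):
            findings.append((path, "suspicious php"))
    for path in manifest:
        if path not in installed:
            findings.append((path, "missing"))
    return sorted(findings)
```

Any "hash mismatch" or "not in manifest" hit on a vendor-shipped path is grounds to treat the site as compromised and follow the remaining steps (web shell and admin account review, restore from clean backup).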
5. LucidRook Malware Targeting Taiwanese NGOs and Universities
Severity: HIGH | Affected: Education, Government
A previously undocumented threat cluster, UAT-10362, is conducting spear-phishing campaigns against Taiwanese NGOs and universities to deploy LucidRook, a sophisticated Lua-based malware stager. This targeted campaign indicates organized reconnaissance and custom tooling development in support of specific geopolitical objectives.
Recommended Action
- Implement advanced email filtering with focus on spear-phishing indicators specific to your organization
- Conduct security awareness training emphasizing verification of sender identity before clicking links
- Deploy endpoint detection for Lua script execution and LucidRook IOCs
- Monitor for unusual process execution from email clients or browsers
Today’s Action Checklist
- ☐ URGENT: Disable or restrict Adobe Reader PDF opening; notify all users of zero-day risk
- ☐ URGENT: Audit and patch all SOHO routers; enable MFA on Microsoft accounts
- ☐ URGENT: Inventory EngageLab SDK usage and force application updates to patched versions
- ☐ URGENT: Audit Smart Slider 3 Pro plugin installations; remove or isolate until security confirmed
- ☐ Review DNS logs for unauthorized modifications or suspicious queries
- ☐ Deploy LucidRook and VENOM phishing IOCs to email and endpoint security systems
- ☐ Brief security team on BlueHammer Windows zero-day and validate patch status
- ☐ Verify credential theft protections in Chrome 146 Device Bound Session Credentials
- ☐ Monitor for supply-chain attack indicators across all third-party plugin/SDK deployments
- ☐ Review incident response procedures for state-sponsored APT activity