  1.

    AVEVA Pipeline Simulation

    Threat types: OT/ICS, Vulnerability · CISA Advisories · 16 April 2026, 12:00 UTC
    0.70 Medium

    The following versions of AVEVA Pipeline Simulation are affected: Pipeline Simulation <=2025_SP1_build_7.1.9497.6351. CVSS v3: 9.1. Vendor: AVEVA. Equipment: AVEVA Pipeline Simulation. Vulnerabilities: Missing Authorization. Background: Critical Infrastructure Sectors: Critical Manufacturing; Countries/Areas Deployed: Worldwide; Company Headquarters Location: United Kingdom. CVE-2026-5387: The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training...

    Techniques: T1059: Command and Scripting Interpreter; T1068: Exploitation for Privilege Escalation; T1557: Adversary-in-the-Middle · CVE-2026-5387 · Sectors: Energy, Government, Technology, Critical Infrastructure, Manufacturing · Countries: United Kingdom, United States
  2.

    Horner Automation Cscape and XL4, XL7 PLC

    Threat types: Credential Theft, OT/ICS, Vulnerability · CISA Advisories · 16 April 2026, 12:00 UTC
    0.70 Medium

    The following versions of Horner Automation Cscape and XL4, XL7 PLC are affected: Cscape v10.0; XL7 PLC v15.60; XL4 PLC v16.32.0. CVSS v3: 9.1. Vendor: Horner Automation. Equipment: Horner Automation Cscape and XL4, XL7 PLC. Vulnerabilities: Weak Password Requirements. Background: Critical Infrastructure Sectors: Critical Manufacturing; Countries/Areas Deployed: Worldwide; Company Headquarters Location: United States. CVE-2026-6284: An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and...

    Techniques: T1059: Command and Scripting Interpreter; T1110: Brute Force · CVE-2026-6284 · Sectors: Government, Critical Infrastructure, Manufacturing · Countries: United States
  3.

    Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    Threat types: Zero-Day, Exploitation, APT, Watering Hole, Vulnerability · Mandiant Blog · 03 March 2026, 14:00 UTC
    0.65 Medium

    We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.

  4.

    Microsoft security advisory – April 2026 monthly rollup (AV26-352) - Update 1

    Threat types: Exploitation, Malware, Vulnerability · Canadian Centre for Cyber Security · 17 April 2026, 19:53 UTC
    0.64 Medium

    Included were critical updates for the following products: .NET 10.0 installed on Linux; .NET 10.0 installed on Mac OS; .NET 10.0 installed on Windows; .NET 8.0 installed on Linux; .NET 8.0 installed on Mac OS; .NET 8.0 installed on Windows; .NET 9.0 installed on Linux; .NET 9.0 installed on Mac OS; .NET 9.0 installed on Windows; Azure Logic Apps; Azure Monitor Agent; Microsoft .NET Framework; Microsoft .NET Framework 3.5 AND 4.8.1; Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2; Microsoft 365 Apps for Enterprise...

  5.

    What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure

    Threat types: APT, MFA Bypass, Data Breach, Disinformation, Malware, Vulnerability · Tenable Blog · 09 April 2026, 20:28 UTC
    0.63 Medium

    An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. Cyber Command jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across U.S.

    Techniques: T1059: Command and Scripting Interpreter · CVE-2021-22681 · Sectors: Finance, Energy, Government, Technology, Telecommunications, Critical Infrastructure · Countries: Israel, Iran
  6.

    April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs

    Threat types: Zero-Day, Vulnerability · CrowdStrike Blog · 20 April 2026, 09:05 UTC
    0.62 Medium

  7.

    Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

    Threat types: APT, Malware, Vulnerability · Mandiant Blog · 25 February 2026, 14:00 UTC
    0.61 Medium

    Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions.

  8.

    Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)

    Threat types: Phishing · Palo Alto Unit 42 · 17 April 2026, 22:35 UTC
    0.60 Medium

    Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.

  9.

    Meta and PortSwigger drive offensive security further to find what others miss

    Threat types: Vulnerability · Help Net Security · 20 April 2026, 08:13 UTC
    0.59 Medium

    Meta Bug Bounty and PortSwigger have formed a partnership to help security researchers sharpen their skills, collaborate more closely, and improve vulnerability discovery. The initiative combines Meta’s bug bounty program with PortSwigger’s Burp Suite, reflecting a shared focus on improving both tooling and education for the global security community. “By joining forces, we’re not just offering resources; we’re building bridges between communities,” Meta Bug Bounty said.

  10.

    Nginx UI security advisory (AV26-360)

    Threat types: Exploitation, Vulnerability · Canadian Centre for Cyber Security · 16 April 2026, 15:06 UTC
    0.59 Medium

    Serial number: AV26-360. Date: April 16, 2026. On April 10, 2026, Nginx UI published a security advisory to address a critical vulnerability in the following product: Nginx UI – version v2.3.5 and prior. Open-source reporting indicates that the CVE-2026-33032 vulnerability is being exploited in the wild. The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates, when available. References: Nginx UI - CVE-2026-33032; NVD - CVE-2026-33032 Detail.

Intelligence sources

54 sources were queried for today’s briefing. Sources are weighted by credibility (0–100) when ranking threats.

NCSC UK 95

UK government's National Cyber Security Centre. Advisories are based on classified threat intelligence and vetted by a national authority mandated to protect UK critical infrastructure. Scoring reflects direct government backing and the rigorous publication process.

advisory uk government
CISA Advisories 95

US Cybersecurity and Infrastructure Security Agency — the primary US government authority on cyber threats. Advisories undergo inter-agency review and are operationally actionable; the Known Exploited Vulnerabilities (KEV) catalogue reflects confirmed in-the-wild exploitation.

advisory us government
CISA Current Activity 93

CISA's near-real-time alert channel for active threats. Typically published within hours of confirmed exploitation; slightly lower than the main advisory feed because posts are shorter and less fully attributed, but timeliness is very high.

advisory us government
Canadian Centre for Cyber Security 92

Canada's national cyber authority and a member of the Five Eyes intelligence partnership. Advisories benefit from shared intelligence and are thoroughly vetted before publication, giving strong reliability for both North American and cross-allied threats.

advisory ca government
CERT-FR (ANSSI) 91

French national CERT operated by ANSSI (Agence nationale de la sécurité des systèmes d'information). Rigorous editorial and technical review process; strong coverage of European and francophone threat actors, and early disclosure on threats affecting French critical infrastructure.

advisory fr government
BSI Germany 91

Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). Well-resourced national authority with strong European industrial threat coverage; publications are technically thorough and benefit from EU-wide information sharing.

advisory de government
JPCERT/CC 90

Japan's Computer Emergency Response Team. Primary national CERT for Japan and highly reliable for APT campaigns affecting Asia-Pacific organisations. Frequently publishes early technical analysis of threats targeting Japanese critical infrastructure and supply chains.

advisory jp government
Google Project Zero 90

Elite vulnerability research team credited with discovering some of the most significant zero-days in recent years across browsers, operating systems, and hardware. Responsible disclosure process is rigorous; publications include deep technical analysis. Score reflects research quality and historical impact.

research vulnerability
Cisco Talos Blog 88

One of the world's largest commercial threat intelligence teams, backed by telemetry from hundreds of millions of Cisco devices globally. Research is technically rigorous, peer-reviewed internally, and frequently cited by national CERTs. Strong across network, email, and endpoint threats.

research vendor threat-intel
Mandiant Blog 88

Leading incident response firm with deep expertise in nation-state actor attribution. Reports are grounded in real intrusion data from hundreds of breach investigations annually. Widely considered the industry authority on APT tracking and campaign attribution.

research vendor threat-intel
Krebs on Security 88

Brian Krebs's independent investigative security journalism. Many of the most consequential breach disclosures and cybercrime investigations of the last decade first surfaced here. Known for meticulous sourcing, direct engagement with threat actors, and consistent accuracy.

news journalism blog
Palo Alto Unit 42 87

Threat intelligence and incident response arm of Palo Alto Networks. Large research team with broad telemetry across cloud, network, and endpoint. Consistent track record on ransomware attribution, nation-state campaigns, and cloud threat analysis.

research vendor threat-intel
CrowdStrike Blog 87

Endpoint telemetry across tens of thousands of organisations worldwide. Industry leader in adversary naming and tracking (e.g. FANCY BEAR, COZY BEAR). Technical depth is consistently high; particularly authoritative on nation-state intrusion sets and big-game-hunting ransomware.

research vendor threat-intel
Check Point Research 86

Long-established vendor research team with strong output on malware reverse engineering, campaign tracking, and mobile threats. Publications are technically thorough and frequently reference novel attack techniques; strong coverage of Middle Eastern and financially motivated threat actors.

research vendor threat-intel
Microsoft Security Blog 86

Microsoft Threat Intelligence (MSTIC) has visibility across over one billion devices and a large volume of enterprise email and cloud infrastructure. Regularly uncovers nation-state APT activity and zero-days. Authoritative for Windows, Azure, and identity-based threats.

research vendor
Schneier on Security 85

Bruce Schneier's independent analysis blog. Highly credible expert commentary from one of the most cited security practitioners of the last 30 years. Valuable for contextualising geopolitical cyber threats, policy developments, and cryptographic issues. Lower volume but consistently high signal.

blog expert
SANS Internet Storm Center 85

Community-driven internet threat monitoring run by SANS Institute. Daily handler diaries provide ground-level analysis of emerging threats and exploitation attempts observed across distributed sensors. Strong 20-year track record; particularly reliable for early warning on novel attack techniques.

advisory research
Red Canary Blog 85

Managed detection and response provider with strong depth in MITRE ATT&CK-mapped threat analysis. Publishes the annual Threat Detection Report — one of the most widely cited practical threat summaries in the industry. Consistently strong on initial access, persistence, and lateral movement techniques.

research threat-intel
Elastic Security Labs 84

Elastic's security research team produces detailed malware analysis and detection engineering content grounded in Elastic's broad telemetry. Known for thorough reverse engineering write-ups and YARA/EQL rule publications. Technically rigorous and increasingly prominent.

research vendor
ESET WeLiveSecurity 84

ESET's research arm has historically produced some of the most technically detailed analysis of Eastern European APT activity (e.g. Turla, Sandworm, Sednit). Strong malware reverse engineering output; publications are peer-reviewed and include novel findings rather than rehashing public reports.

research vendor
Sophos X-Ops 84

Combined research unit merging Sophos Labs, SophosAI, and managed detection telemetry. Well-regarded for detailed ransomware playbooks and attacker behaviour analysis drawn from active incident response cases. Good cross-sector visibility with particular strength on SMB-targeted threats.

research vendor
Proofpoint Threat Intelligence 84

Leading email security vendor with unparalleled phishing, BEC (business email compromise), and email-borne malware telemetry. Threat actor tracking is especially strong for financially motivated groups. Consistently among the first to document new phishing campaigns and initial access brokers.

research vendor threat-intel
SentinelOne Blog 83

Endpoint security vendor with growing research output. Good technical malware analysis and coverage of novel EDR evasion techniques; SentinelLabs team publishes detailed nation-state and ransomware research. Slightly lower score reflects a shorter research track record than some peers.

research vendor
Huntress Labs Blog 83

Managed security provider focused on SMB and mid-market organisations. Particularly valuable for tracking threats that bypass enterprise-focused intelligence — commodity ransomware, opportunistic attackers, and techniques targeting under-resourced IT environments. Research is grounded in active incident response.

research vendor threat-intel
The Washington Post Technology 83

The Washington Post's technology coverage consistently breaks significant cyber and privacy stories, particularly those intersecting with policy, government, and US national security. Its investigative capacity gives it strong credibility for major breach reporting.

news mainstream us broadsheet
Graham Cluley 82

Well-established independent security journalist and former Sophos researcher. Known for accurate, clearly sourced reporting and a long track record of responsible disclosure coverage. Lower volume than trade publications but consistently well-verified before publishing.

news journalism blog expert
BleepingComputer 82

Fast-moving news outlet specialising in practical Windows security, ransomware, and malware. Frequently first to break incident news with direct communication from threat actors and victims. Strong community-driven verification; editorial standards are good for breaking news, though depth of analysis varies.

news journalism
Recorded Future News 82

Threat intelligence vendor with a large data aggregation platform covering open, dark web, and technical sources. Strong geopolitical cyber context and ransomware tracking. Score reflects editorial quality of the blog arm rather than the platform itself.

news threat-intel
Tenable Blog 82

Market leader in vulnerability management. Authoritative on CVE scoring, patch urgency, and exposure prioritisation. Tenable Research is consistently reliable for assessing the real-world exploitability of newly disclosed vulnerabilities and their severity in cloud and enterprise contexts.

research vendor vulnerability
BBC News Technology 82

BBC's technology news feed. The UK's most-trusted public broadcaster; covers major cyber incidents, data breaches, and digital policy at a level accessible to a general audience. High editorial standards and broad readership make it a strong signal for stories that have reached mainstream public awareness.

news mainstream uk
WIRED Security 82

WIRED's dedicated security section. Sits at the intersection of mainstream journalism and informed tech analysis — readable by a general tech-interested audience while still covering incidents with some depth. Strong track record on breach investigations, surveillance, and cyberwarfare stories.

news mainstream journalism
The New York Times Technology 82

New York Times technology section. One of the world's most widely read news outlets; covers major cyber incidents, data breaches, and digital privacy stories for a mass audience. Articles are written for general readers with no assumed technical knowledge, making them a strong signal for stories that have reached true mainstream awareness.

news mainstream us journalism
SecurityWeek 80

Long-running independent security industry publication. Good breadth across vulnerability disclosures, breaches, and geopolitical incidents. Respected for balanced reporting; slightly lower credibility weight than specialist research blogs because articles are news-led rather than deeply analytical.

news journalism
Qualys Security Blog 80

Vulnerability management vendor with broad scan telemetry across cloud and enterprise environments. Research team focuses on patch analysis and CVE impact assessment. Useful for understanding real-world exposure to newly disclosed vulnerabilities at population scale.

research vendor vulnerability
Securelist (Kaspersky) 80

Kaspersky's threat research portal. Technically high-quality malware analysis and APT research, particularly strong on Russian-speaking threat actors. Credibility score reflects research quality; note that some organisations apply their own weighting adjustments based on vendor geopolitical considerations.

research vendor
Malwarebytes Labs 80

Consumer and SMB-focused security research. Useful for tracking commodity malware campaigns, widespread phishing, and opportunistic attacks affecting a broad user base. Lower score than enterprise threat intel teams reflects narrower analytical scope, not a reliability concern.

research vendor
The Record (Recorded Future) 80

Investigative security journalism outlet backed by Recorded Future's intelligence platform. Strong on ransomware, government cyber operations, and policy. Good editorial independence from its parent; credibility reflects solid journalism standards with some dependence on vendor context.

news journalism
The Guardian Technology 80

The Guardian's technology section. Combines investigative journalism with accessible tech coverage; known for breaking data privacy and surveillance stories. Good for incidents affecting consumers, businesses, or government that have crossed into public awareness.

news mainstream uk
Politico Cybersecurity 80

Politico's dedicated cybersecurity policy vertical. Covers US government cyber policy, legislation, and high-profile incidents from a political and public policy angle. Accessible to policy-minded readers; strong for stories where cyber incidents intersect with government, regulation, or national security debate.

news mainstream us policy
The Telegraph Technology 79

The Daily Telegraph's technology section. Mainstream UK national newspaper covering major cyber incidents and data breaches from a consumer and business perspective. Good for stories affecting UK companies and government — written for a general audience rather than security professionals.

news mainstream uk journalism
TechCrunch 79

Technology news publication with broad consumer and business readership. Covers data breaches, hacks, and privacy incidents in accessible language. Particularly good at translating security incidents into business and consumer impact terms. Wider audience than specialist security blogs.

news mainstream journalism
NBC News Technology 79

Major US broadcast network with a sizeable digital newsroom. Covers consumer-facing cyber stories — breaches affecting millions, scam warnings, privacy controversies — at a level accessible to a general audience. Good for US-centric incidents that reach primetime TV news.

news mainstream us broadcast
The Hacker News 78

High-traffic cybersecurity news aggregator. Good breadth of coverage and fast publication. Score is moderate because a proportion of content is vendor-sponsored or PR-driven, which requires context when assessing significance. Useful for breadth signal rather than deep analytical weight.

news journalism
Cyber Scoop 78

US-focused publication covering cyber policy, government cyber operations, and regulatory developments. Strong on CISA, NSA, and FBI-adjacent stories; a good source for policy-informed threat context. Slightly lower analytical depth than specialist research blogs.

news journalism
Dark Reading 78

Established B2B security trade publication with broad threat coverage. Useful for tracking industry-wide awareness of emerging threats and vendor perspectives. Moderate credibility weight reflects variable analytical depth and a high volume of sponsored content alongside editorial articles.

news journalism
ZDNet Security 78

ZDNet's security section bridges technical and business audiences. While some articles are technical in detail, the majority are written for IT managers and business decision-makers rather than security researchers. Good for high-profile breach and ransomware stories that affect enterprises broadly.

news mainstream journalism
Sky News Technology 77

Sky News technology feed. Reliable UK broadcast journalism; covers high-profile cyber incidents and data breaches as they affect the general public. Slightly lower than BBC/Guardian due to less depth of investigative tech coverage, but strong breadth and fast publication.

news mainstream uk
ABC News Technology 77

ABC News US technology headlines. Mainstream broadcast news outlet covering technology stories at a level accessible to the widest possible audience. Particularly good for stories about consumer data breaches, high-profile arrests, and government cyber-related announcements.

news mainstream us journalism
Infosecurity Magazine 76

UK-based trade publication with global coverage. Solid editorial process and useful for European threat context. Lower credibility weight reflects that the publication is primarily news-led with limited original technical research.

news journalism
Help Net Security 76

Industry news aggregator with a mix of original analysis and vendor-submitted content. Good volume and consistent editorial standards. Scored at the lower end of the journalism tier because a significant portion of content is contributed by vendors rather than independently researched.

news journalism
The Independent Technology 76

UK-based digital broadsheet with a broad technology section. Covers consumer cyber incidents, privacy stories, and scam warnings. Provides useful UK and European perspective alongside the US-heavy sources in this tier. Accessible writing style suited to a general audience.

news mainstream uk broadsheet
Exploit Database 75

Offensive Security's public archive of proof-of-concept exploit code. Essential for tracking weaponised vulnerabilities — the presence of a working exploit significantly increases the operational risk of a CVE. Lower credibility score reflects its role as a repository rather than an editorial source; content is not reviewed for accuracy of attribution or impact claims.

vulnerability exploit research
Engadget 75

Consumer technology news outlet. Covers security and privacy incidents that directly affect everyday technology users — phone vulnerabilities, smart home security, platform data breaches. Written entirely for a non-technical audience.

news mainstream consumer
Mashable Tech 72

Consumer-oriented tech publication with a younger audience. Covers scam alerts, privacy tool recommendations, and major breach stories in plain language. Lower credibility than broadsheets due to lighter editorial standards, but useful for consumer-facing security warnings that reach non-technical readers.

news mainstream us digital

How this page is generated

Collection

Items are gathered daily from a curated list of government advisories, vendor research blogs, and established security journalism sources. All sources are fetched via RSS/Atom feeds.

Deduplication

Near-identical stories reported by multiple sources are merged into a single entry. The primary source shown is the most credible outlet that covered the story.

Ranking

Each item is scored across six dimensions: recency, source credibility, corroboration, severity signals, breadth of impact, and actionability. Weights are configurable and fully transparent.

Enrichment

CVE identifiers, MITRE ATT&CK techniques, affected countries, sectors, malware families, and threat actors are extracted using rule-based analysis of the source text.

Disclaimer & Limitations

This page is generated automatically from publicly available sources and is intended for informational purposes only. It does not constitute professional security advice.

ATT&CK technique mappings, threat actor attribution, and affected country/sector classifications are best-effort analytical outputs derived from keyword matching. They may be incomplete, incorrect, or out of date. Always refer to the original source and consult qualified security professionals before taking action.

No classified, proprietary, or non-public information is used. All sources are publicly available. Source terms of service and attribution requirements apply.