Fresh active‑threat cluster

Security feeds flagged a string of active incidents this week — a reported $9.5M Ledger app scam, a revived 17‑year‑old Excel bug, APT41 cloud intrusions, ongoing WordPress compromises, and talk of a $21B Telegram‑based black market. (The roundup came from consolidated social threat posts summarizing multiple high‑impact events.) (x.com)

A cluster of active cyber incidents this week hit crypto wallets, office software, cloud networks and WordPress sites at the same time. (bleepingcomputer.com)

The clearest dollar loss came from a fake Ledger Live app for macOS that appeared in Apple’s App Store and stole about $9.5 million from 50 victims between April 8 and April 13, according to blockchain investigator ZachXBT and reporting confirmed by BleepingComputer. Victims were prompted to enter seed phrases, which gave the attacker control of wallets holding Bitcoin, Ethereum, Solana, Tron and XRP. (bleepingcomputer.com) Apple removed the app after user reports, but BleepingComputer said the listing had already cycled through fake version updates from 1.0 to 5.0 in about two weeks under the publisher name “Leva Heal Limited,” which was not tied to Ledger. The stolen funds were routed through more than 150 KuCoin deposit addresses and a mixing service that ZachXBT labeled “AudiA6.” (bleepingcomputer.com)

On the enterprise side, Google Cloud’s Mandiant said APT41 used web shells on Apache Tomcat servers, then moved to memory-loaded malware and exfiltrated data to Microsoft OneDrive and, in some cases, through compromised Google Workspace accounts. Google said organizations in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom were among those hit, with the web shells active since at least 2023. (cloud.google.com)

WordPress administrators were dealing with a separate stream of risk. Wordfence reported 153 vulnerabilities disclosed in 117 plugins and 23 themes during the week of April 6 to April 12, and BleepingComputer reported that attackers hijacked Smart Slider 3 Pro updates on April 7 to push a backdoored version 3.5.1.35 to some sites. (wordfence.com, bleepingcomputer.com) The Smart Slider compromise mattered because the malicious update kept the plugin working while adding hidden administrator access, credential theft and remote command execution, according to PatchStack findings cited by BleepingComputer. The vendor said only Pro version 3.5.1.35 was affected and urged users to move to 3.5.1.36 or roll back to 3.5.1.34 and earlier. (bleepingcomputer.com)

Microsoft also shipped Excel security fixes on March 10, 2026 for CVE-2026-26108, a remote-code-execution flaw in file parsing, and those patches resurfaced older questions about how spreadsheet files can be used as malware carriers. Microsoft’s Office 2016 bulletin lists the fix in KB5002718, and Office Online Server received the same vulnerability patch in KB5002846. (support.microsoft.com, support.microsoft.com)

The Telegram piece of the picture is older but still relevant to current scam infrastructure. Elliptic said Huione Guarantee, a Telegram-based Chinese-language marketplace tied to scam services, had processed more than $27 billion before Telegram shut it down in May 2025, and Tudou Guarantee later handled more than $12 billion before appearing to wind down in January 2026. (elliptic.co, elliptic.co) Elliptic’s earlier January 2025 estimate for Huione alone was at least $24 billion, which shows why claims about a single “$21 billion Telegram black market” often depend on when the count was taken and which marketplace is being measured. What has stayed consistent is the product list: money-laundering services, stolen data and scam tooling sold through Telegram channels. (elliptic.co, elliptic.co)

Taken together, the week’s incidents showed the same pattern in four different places: trusted distribution channels, from app stores to plugin updates to cloud accounts, were used to move theft or espionage closer to the victim. The fixes were straightforward on paper — remove the fake app, patch Office, update or roll back the plugin, rotate compromised accounts — but each case started by borrowing the look of something legitimate. (bleepingcomputer.com, cloud.google.com, bleepingcomputer.com, support.microsoft.com)

Shared from Scout - Be the smartest in the room.