CISO Daily Digest: Windows Defender Exploit, SystemBC & Lotus Wiper (20260422)
Windows Defender turned into attacker tool via PoC exploits; SystemBC C2 reveals 1,570+ ransomware victims; BlackCat ransomware negotiator pleads guilty; Lotus Wiper targets Venezuelan energy grids; Microsoft patches ASP.NET Core privilege escalation; Mustang Panda deploys LOTUSLITE variant
Windows Defender Turned Into Attacker Tool: Zero-Day PoCs Published
Security researchers published PoC exploits for zero-day vulnerabilities in Microsoft Defender that turn the antivirus engine into an offensive tool. The vulnerabilities, for which no patches were immediately available, allow attackers to abuse Defender's scanning engine for privilege escalation and code execution. The publication sparked urgent discussion of the attack surface that complex security software itself presents.
Reference: Dark Reading
This Week's Active Threats
SystemBC C2 Server Reveals 1,570+ Victims of The Gentlemen Ransomware
Analysis of a SystemBC command-and-control server exposed over 1,570 victims of "The Gentlemen" ransomware operation. The data reveals the group's global reach and the scale of its ransomware-as-a-service operation, making it one of the most active ransomware players in Q2 2026.
Reference: The Hacker News
BlackCat Ransomware Negotiator Pleads Guilty in Federal Court
A ransomware negotiator who facilitated BlackCat/ALPHV ransom payments pleaded guilty to conspiracy charges. The individual served as an intermediary between victims and the ransomware gang, negotiating payments and providing technical support. This marks the first successful prosecution of a ransomware negotiator.
Reference: The Hacker News | Dark Reading
Lotus Wiper Malware Targets Venezuelan Energy Systems
Security researchers identified a new wiper malware dubbed "Lotus" targeting Venezuelan energy sector infrastructure. The destructive malware is designed to overwrite critical system files and cause permanent damage to industrial control systems (ICS), raising concerns about state-sponsored cyberattacks on critical infrastructure.
Reference: The Hacker News
Mustang Panda Deploys New LOTUSLITE Variant Against Indian Banks & South Korea
The Chinese-linked Mustang Panda APT group deployed a new variant of the LOTUSLITE backdoor targeting Indian financial institutions and South Korean policy circles. The updated malware uses advanced evasion techniques and the Microsoft Graph API for C2 communications.
Reference: The Hacker News
Microsoft Patches ASP.NET Core CVE-2026-40372: Privilege Escalation
Microsoft released a patch for CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core DataProtection. Affected environments require both upgrading and rotating cryptographic keys to fully remediate.
Reference: The Hacker News
Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution
A flaw in Cohere's AI Terrarium sandbox environment was disclosed, enabling container escape and root code execution. The vulnerability allowed attackers to break out of the AI sandbox and access the underlying infrastructure.
Reference: The Hacker News