FBI botnets/appliance/router/iOS/AI/EDR/Windows zero-days (BlueHammer/Fortinet/Flowise/FortiClient/ClamAV/Flatpak/NetScaler/Docker)

Key Questions

What router brands were targeted by APT28 hackers?

APT28 (Fancy Bear) targeted SOHO routers like MikroTik, TP-Link, and Ubiquiti, compromising over 18,000 devices to steal tokens. This created a global spy network for credential theft.

What is the BlueHammer Windows vulnerability?

BlueHammer is an unpatched Windows zero-day local privilege escalation (LPE) exploit publicly released by a disgruntled researcher. It combines time-of-check to time-of-use flaws, with Microsoft urged to patch urgently.

How does the Docker CVE-2026-34040 work?

This flaw allows attackers to bypass security controls and take over hosts in Docker environments. It enables full host compromise from containers, highlighting the need for immediate patching.

What is the Flowise vulnerability being exploited?

Flowise's CVE-2025-59528 (CVSS 10) is a critical RCE flaw actively exploited by attackers. Along with Langflow, it poses high risks to AI/dev tools, requiring patch and hunt strategies.

What Fortinet vulnerabilities were targeted?

Attackers exploited zero-days in Fortinet FortiClientEMS (CVE-2026-35616 & CVE-2026-21643) and other products for RCE, bypassing authentication. Hot patches are available, with EDR monitoring critical.

What is Citrix NetScaler Bleed3?

CVE-2026-3055 (CVSS 9.3) is a memory disclosure flaw in Citrix NetScaler ADC/Gateway, actively exploited alongside SharePoint RCE. It contributes to a 56% surge in exploits.

What Chrome vulnerability is in the wild?

Chrome CVE-2026-5281 is being exploited, part of multiple zero-days including iOS, Android, and Windows. Patching and threat hunting are essential amid rising exploit activity.

Why are router hacks by Russian actors significant?

Russian hackers like APT28 hijacked routers for password and Microsoft token theft, affecting thousands globally. This botnet activity stresses the need for firmware updates and zero-trust on appliances.

APT28 routers; BlueHammer LPE; Fortinet RCE; Flowise/Langflow/ClamAV OpenClaw CVE-2025-20128 zero-click RCE; Flatpak sandbox leak; Chrome exploited; 56% exploits surge, patch critical.

Sources (81)

Updated Apr 8, 2026

FBI botnets/appliance/router/iOS/AI/EDR/Windows zero-days (BlueHammer/Fortinet/Flowise/FortiClient/ClamAV/Flatpak/NetScaler/Docker)

Key Questions

What router brands were targeted by APT28 hackers?

What is the BlueHammer Windows vulnerability?

How does the Docker CVE-2026-34040 work?

What is the Flowise vulnerability being exploited?

What Fortinet vulnerabilities were targeted?

What is Citrix NetScaler Bleed3?

What Chrome vulnerability is in the wild?

Why are router hacks by Russian actors significant?

Russian Hackers Turned Your Home Router Into a Global Spy Network

Docker Flaw (CVE-2026-34040) Lets Attackers Bypass Security Controls and Take Over Hosts

Disgruntled researcher drops “BlueHammer” Windows zero-day LPE exploit

Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution

Marquis Ransomware Attack Spurs Litigation Against SonicWall, Class Actions

CVE-2026-35616 & CVE-2026-21643 - Fortinet FortiClientEMS: Overview & Takeaways - NetSPI

March 2026 Threat Report: Critical CVEs

Disgruntled researcher leaks worrying Windows zero-day security flaw

New Chaos Malware Variant found Exploiting Misconfigurations in the Cloud

Britain's internet routers under attack from Russian 'cyberspies', experts say - The Mirror

Russian government hackers broke into thousands of home routers to steal passwords

Russia Hacked Routers to Steal Microsoft Office Tokens

A Disgruntled Researcher, a Leaked Zero-Day, and Microsoft’s Recurring Patch Tuesday Headache

Windows zero-day vulnerability 'BlueHammer' exploit code released

Attackers Target Zero-Day Flaw in Fortinet Security Software

Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited

Experts published unpatched Windows zero-day BlueHammer - Security Affairs

Critical Android Flaw Allows Zero-Interaction Denial-of-Service Attacks

Google Issues Zero-Day Attack Alert For 3.5 Billion Chrome Users: What It Means and Why You Should Update Now - Genuineport IT Solutions

Researcher Released Windows Defender 0-Day Exploit Code, Allowing Attackers to Gain Full Access | Cryptika Cybersecurity

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Researchers find 50 ‘dangerous’ Android apps that are secretly hijacking phones: Who is at risk - The Times of India

A Two-Year-Old Fortinet Bug Is Now Under Active Attack — and Thousands of Systems Remain Exposed

Android flaw lets hackers unlock phones in under a minute

Critical Dgraph Database Flaw Allowed Attackers to Bypass Authentication

CVE-2026-34838 (CVSS 10): Critical RCE Flaw Uncovered in GroupOffice CRM

Keycloak Under Siege: Patch Now to Stop Token Theft and Account Takeovers

Apple issues warning to millions of iPhone users over cyberattack

Krebs on Security – In-depth security news and investigation

Apple issues rare iOS patch as DarkSword exploit spreads - MSN

CISA Adds TrueConf Vulnerability to KEV Catalog Following Active ...

New Progress ShareFile Bugs Let Attackers Take Over Servers ...

This week reveals Mirax Android trojan for hire targeting 700+ finance apps ...

Weaponized Event Logs: Exploiting Apache Spark History Server (CVSS 8.8) #cybersecurity

New FortiClient EMS flaw exploited in attacks, emergency patch released

FBI Warns iPhone And Android Users—Do Not Install These Apps

Google issues emergency Chrome update after new zero-day exploit

WhatsApp malware alert: Simple file can hack your PC, says Microsoft

CVE Alert: CVE-2026-5534 – itsourcecode – Online Enrollment System

Joomla's "public=true" Nightmare: Full Disclosure & Mitigation (CVE-2023-23752) #cybersecurity

Kaspersky Finds New Variant of SparkCat Trojan on App Store and Google Play

CVE Alert: CVE-2026-5526 – Tenda – 4G03 Pro

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Chrome vulnerability: Google Warns of Zero-Day Vulnerability in Chrome

Zero Day Dispatch: Inside the Underground Market for Unpatchable Flaws

New WhatsApp Attacks—Microsoft Shares Critical Warning For Users

U.S. CISA adds a flaw in TrueConf Client to its Known Exploited Vulnerabilities catalog

Apple issues warning to millions of iPhone users over sophisticated attack stealing data: Act now

New Progress ShareFile Flaws Expose Servers to Unauthorized ...

CVE-2025-66483: IBM Aspera Shares Auth Bypass Flaw - SentinelOne

Armis State of Cyberwarfare Report: AI-Powered Cyber Attacks Accelerate ...

Texas hospital breach, CISA orders NetScaler patch

14000+ F5 BIG-IP APM Instances Exposed Online as Attackers Exploit ...

vSphere and BRICKSTORM Malware: A Defender's Guide

Gigabyte warns users Control Center flaw could let hackers hijack your files

Critical RCE in Wazuh Cluster - CVE-2026-25769 | TryHackMe Wazuh Full Walkthrough 2026

Cisco fixes critical IMC auth bypass present in many products

Experts find flaw in TrueConf video conferencing tool used by governments, military

ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories

Cisco IMC Flaw Grants Unauthenticated Admin Access

You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)

Weekly Vulnerabilities Report: AI, VMware, ICS & EV Flaws

Cyberattacks on France Are Rising—Here’s What the AIDE Data Shows - GCA | Global Cyber Alliance

Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks

Cisco Warns of Critical IMC Vulnerability Enabling Authentication Bypass

Patch to protect iOS 18 holdouts from DarkSword is out

WhatsApp on Windows users targeted in new campaign, warns Microsoft

Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521)

Apple Is Breaking Its Own Rules To Protect iPhone Users From A Dangerous iOS 18 Hack

Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass