Here are today’s top cybersecurity stories for Monday, April 13, 2026.
Storm-2755 “Payroll Pirate” Attacks Target Canadian Employees
A financially motivated threat actor tracked as Storm-2755 is hijacking Canadian employee accounts to divert salary payments to attacker-controlled bank accounts. The group uses malvertising, SEO poisoning, and adversary-in-the-middle phishing to steal Microsoft 365 session tokens and bypass multi-factor authentication. Where social engineering of HR staff fails, Storm-2755 directly manipulates SaaS payroll platforms such as Workday to change direct deposit details. Microsoft Security Blog
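One defensive check that follows from this chain (session-token theft first, direct-deposit change second) is to correlate payroll audit events with the employee's recent sign-in history. The following is an added example and not code from Microsoft or any payroll vendor; the log field names, the 24-hour correlation window, and every sample record are constructed for illustration, and real Entra ID sign-in logs and Workday audit events would first be mapped into this shape.

```python
"""Correlate payroll direct-deposit changes with recent risky M365 sign-ins.

Added example (not from the Microsoft report). Field names and sample records
are constructed for illustration; real Entra ID sign-in logs and Workday audit
events use different schemas and would be mapped into this shape first.
"""
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=24)  # assumed correlation window

# Constructed sign-in events. `token_replayed` marks a session token presented
# from an IP/ASN other than the one that completed the MFA challenge, which is
# what adversary-in-the-middle phishing produces; `new_device` marks a first
# sighting of the device for this account.
SIGNINS = [
    {"user": "alice@example.ca", "time": "2026-04-10T13:02:00",
     "ip": "203.0.113.7", "new_device": True, "token_replayed": True},
    {"user": "bob@example.ca", "time": "2026-04-10T08:15:00",
     "ip": "198.51.100.20", "new_device": False, "token_replayed": False},
    {"user": "carol@example.ca", "time": "2026-04-08T09:00:00",
     "ip": "203.0.113.9", "new_device": True, "token_replayed": True},
]

# Constructed payroll-platform audit events (who changed which field, when).
PAYROLL_CHANGES = [
    {"user": "alice@example.ca", "actor": "alice@example.ca",
     "time": "2026-04-10T13:40:00", "field": "direct_deposit_account"},
    {"user": "bob@example.ca", "actor": "hr.admin@example.ca",
     "time": "2026-04-11T09:00:00", "field": "direct_deposit_account"},
    {"user": "carol@example.ca", "actor": "carol@example.ca",
     "time": "2026-04-11T10:00:00", "field": "direct_deposit_account"},
    {"user": "bob@example.ca", "actor": "bob@example.ca",
     "time": "2026-04-11T09:05:00", "field": "emergency_contact"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def risky_signins(signins, user, before, lookback=LOOKBACK):
    """Sign-ins for `user` in the `lookback` window ending at `before` that
    carry token-theft indicators."""
    hits = []
    for ev in signins:
        if ev["user"] != user:
            continue
        t = _ts(ev["time"])
        if not (before - lookback <= t <= before):
            continue
        indicators = [k for k in ("new_device", "token_replayed") if ev.get(k)]
        if indicators:
            hits.append({"time": ev["time"], "ip": ev["ip"], "indicators": indicators})
    return hits


def payroll_diversion_alerts(signins, payroll_changes, lookback=LOOKBACK):
    """One alert per direct-deposit change, graded by how it was made:
    high   - self-service change shortly after a sign-in with token-theft signs
    medium - change made by someone other than the employee (verify the ticket)
    low    - self-service change with a clean recent sign-in history
    """
    alerts = []
    for chg in payroll_changes:
        if chg["field"] != "direct_deposit_account":
            continue
        when = _ts(chg["time"])
        evidence = risky_signins(signins, chg["user"], when, lookback)
        self_service = chg["actor"] == chg["user"]
        if self_service and evidence:
            severity = "high"
        elif not self_service:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": chg["user"], "actor": chg["actor"],
                       "changed_at": chg["time"], "severity": severity,
                       "evidence": evidence})
    return alerts


if __name__ == "__main__":
    for a in payroll_diversion_alerts(SIGNINS, PAYROLL_CHANGES):
        print(a["severity"].upper(), a["user"], "by", a["actor"], a["evidence"])
```

The grading deliberately keeps a medium alert for changes made by HR staff on an employee's behalf, because the report notes that this group social-engineers HR when it cannot act on the account itself; an out-of-band confirmation with the employee closes both paths.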
Adobe Patches Actively Exploited Acrobat Reader Zero-Day CVE-2026-34621
Adobe released emergency updates for a critical prototype-pollution vulnerability in Acrobat Reader (CVE-2026-34621, CVSS 8.6) that has been under active exploitation since at least December 2025. Opening a malicious PDF triggers arbitrary code execution in the context of the current user. Patched versions are Acrobat DC v26.001.21411 and Acrobat 2024 v24.001.30362 for Windows and macOS. The Hacker News | Help Net Security
Operation Atlantic: 20,000+ Crypto Fraud Victims Identified Across Canada, UK, and US
A joint operation led by the UK’s National Crime Agency — with the US Secret Service, Ontario Provincial Police, and Ontario Securities Commission — identified more than 20,000 victims of cryptocurrency “approval phishing” fraud and froze over $12 million in criminal proceeds. Investigators mapped more than $45 million in total fraud globally. Fraudsters trick victims into granting access to their cryptocurrency wallets rather than stealing credentials directly. BleepingComputer
CPUID Website Breached — Trojanized CPU-Z and HWMonitor Installers Deliver STX RAT
Attackers compromised a secondary API at CPUID.com and replaced download links for CPU-Z and HWMonitor with malicious installers deploying the STX RAT via DLL sideloading. The exposure window lasted approximately six hours on April 9–10, with over 150 users downloading compromised builds across retail, manufacturing, consulting, and telecom sectors. CPUID restored legitimate downloads and has confirmed the API vulnerability is closed. BleepingComputer | Help Net Security
North Korea’s APT37 Uses Facebook Friendship Lures to Deploy RokRAT
The North Korean threat actor APT37 (ScarCruft) ran a multi-stage social engineering campaign in which operatives built Facebook friendships with targets, moved conversations to Messenger, then delivered a trojanized Wondershare PDFelement installer containing the RokRAT remote access trojan. The malware uses Zoho WorkDrive as its command-and-control channel and supports screenshots, remote command execution, host reconnaissance, and evasion of security tools including Qihoo 360. The Hacker News
New Chaos Botnet Variant Expands to Misconfigured Linux Cloud Servers, Adds SOCKS5 Proxy
Researchers flagged a new Chaos botnet variant observed in March 2026 that pivots from router and IoT targets to misconfigured Linux cloud servers. The variant adds a SOCKS5 proxy function triggered by a StartProxy command from its C2 server, allowing operators to route malicious traffic through compromised infrastructure to mask attacker origins during reconnaissance and credential-stuffing campaigns. The Hacker News
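A compromised server that has been turned into a SOCKS5 relay reveals itself by the protocol's fixed handshake bytes on a host that was never provisioned as a proxy. The following is an added example, not code from the cited research or from any sensor product: it parses the SOCKS5 client greeting and CONNECT request as defined in RFC 1928 from the first client bytes of a flow and alerts when the receiving host is outside a sanctioned-proxy inventory. The flow records, host names, and the `SANCTIONED_PROXIES` set are constructed; a real deployment would feed them from a network sensor that captures initial payloads.

```python
"""Flag SOCKS5 handshakes arriving at cloud hosts that are not meant to proxy.

Added example (not from the cited research). Parses the SOCKS5 client greeting
and CONNECT request (RFC 1928) from the first client payloads of a TCP flow and
alerts when the server side is not a sanctioned proxy. Flow records, host names
and the allow-list below are constructed for illustration.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS. Returns the offered auth
    methods, or None when the bytes are not a well-formed greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_connect(data):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    Returns (host, port) or None for anything that is not a CONNECT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0x00:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4:
        if len(data) < 10:
            return None
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        # one length byte, then the name, then two port bytes
        if len(data) < 5 or len(data) < 7 + data[4]:
            return None
        host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == ATYP_IPV6:
        if len(data) < 22:
            return None
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return host, port


# Constructed flow records: server host, server port, and the client's first
# payloads in order (greeting, then request).
FLOWS = [
    {"server": "web-03", "port": 1080,
     "client_payloads": [b"\x05\x01\x00",
                         b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbb"]},
    {"server": "proxy-01", "port": 1080,
     "client_payloads": [b"\x05\x02\x00\x02",
                         b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},
    {"server": "web-03", "port": 80,
     "client_payloads": [b"GET / HTTP/1.1\r\nHost: web-03\r\n\r\n"]},
]

SANCTIONED_PROXIES = {"proxy-01"}  # assumed inventory of hosts allowed to proxy


def unexpected_socks5_sessions(flows, sanctioned=SANCTIONED_PROXIES):
    """Return an alert for every flow whose first client payload is a SOCKS5
    greeting and whose server is not a sanctioned proxy, including the relay
    destination when the CONNECT request was captured."""
    alerts = []
    for f in flows:
        payloads = f["client_payloads"]
        methods = parse_socks5_greeting(payloads[0]) if payloads else None
        if methods is None or f["server"] in sanctioned:
            continue
        target = parse_socks5_connect(payloads[1]) if len(payloads) > 1 else None
        alerts.append({"server": f["server"], "port": f["port"],
                       "auth_methods": methods, "relayed_to": target})
    return alerts


if __name__ == "__main__":
    for a in unexpected_socks5_sessions(FLOWS):
        print("SOCKS5 on non-proxy host", a["server"], "->", a["relayed_to"])
```

Matching on the handshake rather than on port 1080 matters here, since a relay dropped by a botnet can listen on any port; the captured CONNECT destination also gives the responder the list of third parties that traffic was relayed to.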
CrowdStrike 2026 Global Threat Report: Average eCrime Breakout Time Falls to 29 Minutes
CrowdStrike’s 2026 Global Threat Report documents average eCrime breakout time — the interval between initial access and lateral movement — falling to 29 minutes. Separately, Mandiant’s M-Trends 2026 report shows adversary hand-off times from initial compromise to human operator involvement have collapsed to 22 seconds. Both reports reflect the increasing automation of post-exploitation activity across criminal and nation-state threat actors. SecurityWeek
Stay tuned for today’s in-depth analysis posts.