Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12)
Cybersecurity roundup for 2026-04-06 to 2026-04-12. 10 CVE advisories, 2 breach reports, 4 threat news stories.
This Week at a Glance
Russian state-linked APT28 is exploiting SOHO routers in a widespread DNS hijacking campaign, threatening credential theft across global organizations. Meanwhile, a cluster of critical, maximum-severity vulnerabilities in ubiquitous software and hardware—from the Axios HTTP library to Samsung Exynos chips—demands immediate patching attention.
Top Vulnerabilities
This week’s critical vulnerabilities pose severe risks, including remote code execution (RCE) and sandbox escapes.
- CVE-2026-40175 (CVSS 10.0): The popular Axios HTTP client library is vulnerable to RCE prior to version 1.15.0. /advisory/cve/cve-2026-40175-axios-rce/
- CVE-2025-54328 (CVSS 10.0): A buffer overflow in SMS handling affects multiple Samsung Exynos processors (980, 990, etc.), allowing critical compromise. /advisory/cve/cve-2025-54328-samsung-exynos-sms-buffer-overflow/
- CVE-2026-4149 (CVSS 10.0): Sonos Era 300 speakers contain an SMB response vulnerability enabling remote code execution. /advisory/cve/cve-2026-4149-sonos-era-300-rce/
- CVE-2026-34208 (CVSS 10.0): SandboxJS versions before 0.8.36 are vulnerable to a sandbox escape via global object assignment. /advisory/cve/cve-2026-34208-sandboxjs-sandbox-escape/
- CVE-2026-39337 (CVSS 10.0): ChurchCRM before version 7.1.0 has a critical pre-authentication RCE vulnerability. /advisory/cve/cve-2026-39337-churchcrm-rce-vulnerability/
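Two of the advisories above (Axios before 1.15.0, SandboxJS before 0.8.36) name the first fixed release, which is enough to check a dependency tree against. The following scanner is an added example, not code from the roundup or from either project: it walks an npm package-lock.json (lockfileVersion 2 or 3), matches every installed copy of the named packages, including nested copies under other packages' node_modules, and reports those below the fixed version. The fixed versions come from the advisories; the embedded lockfile is constructed for illustration.

```python
"""Flag lockfile entries below the fixed versions named in this week's advisories.

Added example (not the roundup's or any project's own code). Reads a
package-lock.json with lockfileVersion 2/3, whose "packages" map is keyed by
install path ("node_modules/axios", "node_modules/foo/node_modules/axios", ...).
"""
import json
import sys

# First fixed version per package, as stated in the advisories above.
FIXED_VERSIONS = {
    "axios": "1.15.0",      # CVE-2026-40175
    "sandboxjs": "0.8.36",  # CVE-2026-34208
}


def parse_version(version):
    """'1.14.2' -> (1, 14, 2, 1). A pre-release such as '1.15.0-beta.1' gets a
    trailing 0 so it sorts below the final release and is still reported."""
    core, _, _ = version.partition("+")          # drop build metadata
    core, _, prerelease = core.partition("-")    # split off pre-release tag
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (*parts[:3], 0 if prerelease else 1)


def package_name(install_path):
    """'node_modules/a/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return install_path.split("node_modules/")[-1]


def find_vulnerable(lock, fixed_versions=FIXED_VERSIONS):
    """Return [(install_path, installed_version, fixed_version), ...] for every
    copy of a watched package that is older than its fixed release."""
    hits = []
    for install_path, meta in lock.get("packages", {}).items():
        if not install_path:            # "" is the root project itself
            continue
        fixed = fixed_versions.get(package_name(install_path))
        installed = meta.get("version")
        if fixed is None or installed is None:
            continue
        if parse_version(installed) < parse_version(fixed):
            hits.append((install_path, installed, fixed))
    return hits


# Constructed lockfile excerpt (not a real project): one direct axios copy that
# is vulnerable, one nested copy already on the fixed release, one old sandboxjs.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/axios": {"version": "1.14.0"},
        "node_modules/some-cli/node_modules/axios": {"version": "1.15.0"},
        "node_modules/sandboxjs": {"version": "0.8.35"},
        "node_modules/express": {"version": "4.19.2"},
    },
}


def scan_sample():
    return find_vulnerable(SAMPLE_LOCK)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for path, installed, fixed in find_vulnerable(lock):
        print(f"{path}: {installed} < {fixed} (update required)")
```

Run it as `python scan_lock.py package-lock.json` in each repository; because it keys on install path rather than on the top-level dependency list, a vulnerable copy pulled in transitively by another package is reported too. lockfileVersion 1 files have no "packages" map and are not covered.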
Data Breaches
- Hallmark: A breach exposed 1.7 million email addresses and associated account data. /breaches/breach/hallmark-breach-1-7m-emails-addresses-exposed-2026/
- My Lovely AI: Approximately 106,000 user accounts were exposed, including sensitive user prompts submitted to the AI service. /breaches/breach/my-lovely-ai-breach-exposes-106k-user-prompts/
Threat Intelligence
State-sponsored and criminal threat actors were highly active this week.
- APT28 Campaign: The Russian state-linked group is exploiting vulnerabilities in small office/home office (SOHO) routers to conduct global DNS hijacking, redirecting users to credential-stealing pages. /news/article/russian-state-linked-apt28-exploits-soho-routers-in-global-dns-hijacking-campaig/
- Storm-1175 Ransomware: The China-linked group is leveraging zero-day exploits to rapidly deploy Medusa ransomware against targets. /news/article/china-linked-storm-1175-exploits-zero-days-to-rapidly-deploy-medusa-ransomware/
- Supply Chain Compromise: A backdoored update for the Smart Slider 3 Pro WordPress plugin was distributed via the developer’s compromised servers. /news/article/backdoored-smart-slider-3-pro-update-distributed-via-compromised-nextend-servers/
- Dark Web Claims: Ransomware groups have claimed attacks on Amtrak (ShinyHunters), Mastercom (INC Ransom), and Conrep SA (Krybit), though these are currently unverified claims. /intel/claim/2026-04-12-amtrak-ransomware-claim-by-shinyhunters-april-2026/
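A router-level DNS hijack like the APT28 campaign described above shows up as a disagreement between what the LAN resolver (usually the router) answers and what an independent resolver answers, and typically as several unrelated domains collapsing onto the same attacker-controlled address. The check below is an added example, not code from the roundup or from any vendor: it compares two answer sets per domain and reports domains with no overlap, then reports addresses shared by an unusually large number of distinct domains. The sample answers are constructed; `resolve_with_system` is the only part that touches the network and is not used by the sample run. Treat a bare mismatch as a lead rather than proof: CDNs and geo-aware resolvers legitimately return different addresses to different resolvers, which is why the shared-sink check is the stronger signal.

```python
"""Compare LAN-resolver DNS answers against a reference resolver to surface
router DNS hijacking. Added example, not from the roundup. Sample answers are
constructed and use documentation address ranges.
"""
import socket


def resolve_with_system(domain):
    """Live A-record lookup through the host's configured resolver, which on a
    SOHO LAN is normally the router. Returns an empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except OSError:
        return set()


def find_mismatches(local, reference):
    """Return {domain: (local_ips, reference_ips)} for domains whose two answer
    sets share no address at all. Partial overlap is treated as agreement."""
    mismatches = {}
    for domain, local_ips in local.items():
        ref_ips = reference.get(domain, set())
        if local_ips and ref_ips and not (local_ips & ref_ips):
            mismatches[domain] = (local_ips, ref_ips)
    return mismatches


def shared_sinks(answers, min_domains=3):
    """Return {ip: [domains...]} for addresses that appear in the answers of at
    least min_domains distinct domains. Unrelated brands landing on one address
    is the signature of a redirect to a single credential-harvesting host."""
    by_ip = {}
    for domain, ips in answers.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def analyze(local, reference, min_domains=3):
    """Combine both checks into one report."""
    return {
        "mismatches": find_mismatches(local, reference),
        "shared_sinks": shared_sinks(local, min_domains),
    }


# Constructed sample: three unrelated services all resolve to one address via the
# LAN resolver, while the reference resolver returns distinct addresses.
# cdn.example only partially overlaps (normal round-robin) and docs.example agrees.
LOCAL_ANSWERS = {
    "bank.example": {"203.0.113.10"},
    "mail.example": {"203.0.113.10"},
    "sso.example": {"203.0.113.10"},
    "cdn.example": {"198.51.100.7"},
    "docs.example": {"192.0.2.40"},
}
REFERENCE_ANSWERS = {
    "bank.example": {"192.0.2.10"},
    "mail.example": {"192.0.2.20"},
    "sso.example": {"192.0.2.30"},
    "cdn.example": {"198.51.100.7", "198.51.100.8"},
    "docs.example": {"192.0.2.40"},
}


def analyze_sample():
    return analyze(LOCAL_ANSWERS, REFERENCE_ANSWERS)


if __name__ == "__main__":
    report = analyze_sample()
    for domain, (local_ips, ref_ips) in report["mismatches"].items():
        print(f"MISMATCH {domain}: router={sorted(local_ips)} reference={sorted(ref_ips)}")
    for ip, domains in report["shared_sinks"].items():
        print(f"SHARED SINK {ip}: {domains}")
```

In a live check, build `local` from `resolve_with_system` and `reference` from a resolver reached over an encrypted transport (DoH/DoT) or a VPN so that the router cannot intercept the comparison path; running the comparison for the organisation's own login, mail and SSO hostnames is usually enough to catch a hijack that targets credentials.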
Key Takeaway
This week's critical flaws span the stack: a widely embedded HTTP client library (Axios) on the software side and SMS handling on Samsung Exynos processors on the hardware side. Neither is the kind of component an application-layer vulnerability inventory tends to track, yet both sit underneath large numbers of products and give an attacker a foothold that survives fixes to the applications built on top. The lesson for security teams is to extend threat models and patch cycles below the application layer, so that transitive libraries and device firmware appear in the asset inventory and carry a named owner and a patch deadline.
Related News
An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers
Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity
A Florida woman was sentenced to 22 months in prison for running a massive years-long scheme to traffic thousands of stolen Microsoft Certificate of Authenticity (COA) labels. [...]
Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. [...]