Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache
NEWS

ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache

This week's ThreatsDay Bulletin from The Hacker News covers 20 active threats including a hybrid P2P DDoS botnet, a 13-year-old Apache ActiveMQ RCE flaw...

Dylan H.

News Desk

April 9, 2026
4 min read

The latest ThreatsDay Bulletin from The Hacker News (April 9, 2026) covers 20 active and emerging threats across botnets, old vulnerabilities finding new life, platform abuse, and multi-stage attack campaigns. This week's edition highlights a hybrid P2P botnet, a 13-year-old Apache RCE vulnerability now under active exploitation, and several stories that underscore a recurring theme: attackers leveraging trusted tools and platforms to avoid detection.

Headline Stories

Hybrid P2P Botnet (Masjesu)

Cybersecurity researchers uncovered Masjesu, a stealthy botnet that has been advertised as a DDoS-for-hire service via Telegram since its emergence in 2023. The botnet targets a wide range of IoT devices — routers, gateways, and embedded systems — across multiple CPU architectures. Its P2P command-and-control design makes it significantly more resilient to takedowns than traditional centralized C2 infrastructure, as there is no single point to sinkhole or seize.

Apache ActiveMQ RCE — CVE-2026-34197 (13-Year-Old Codebase)

CVE-2026-34197 is an RCE vulnerability in Apache ActiveMQ that exploits the Jolokia JMX bridge API to execute arbitrary remote commands. The flaw resides in code that has existed in ActiveMQ for over a decade, predating modern security practices. A researcher using Claude AI's code analysis capabilities reportedly helped surface this vulnerability by systematically reviewing the codebase for dangerous patterns.

DetailInfo
CVECVE-2026-34197
ProductApache ActiveMQ
Attack VectorRemote — via Jolokia API
ImpactRemote code execution
Age of Vulnerable Code13+ years

Organizations running self-hosted or on-premise ActiveMQ instances should treat this as high priority and apply vendor patches immediately.

Adobe Reader Zero-Day

Also highlighted this week: the Adobe Acrobat Reader zero-day exploit that has been active since November 2025. The flaw allows attackers to bypass the Reader sandbox, fingerprint victim systems, and exfiltrate data to attacker-controlled servers — with no patch currently available. Full coverage here.

ComfyUI Cryptomining Botnet

Attackers have been targeting internet-exposed instances of ComfyUI — a popular open-source stable diffusion platform — to enlist servers into a cryptocurrency mining and proxy botnet. Exposed ComfyUI instances (which often run with elevated compute resources for AI workloads) are being commandeered for mining operations and as proxy relay nodes, effectively monetizing the victim's GPU resources.

Chaos Malware — New Cloud Variant

A new variant of the Chaos malware has been identified targeting misconfigured cloud deployments, marking an expansion of the botnet's targeting surface from traditional on-premise Linux servers to cloud-native infrastructure. The variant appears to exploit common cloud misconfigurations to gain initial access rather than relying on specific CVEs.

More Stories This Week

The full bulletin from The Hacker News covers 20 stories total, with additional coverage of:

  • Bitter-linked hack-for-hire campaign targeting journalists in the MENA region
  • Device code phishing attacks surging with new kit availability
  • Continued exploitation of FortiClient EMS and Citrix NetScaler vulnerabilities
  • North Korean social engineering operations targeting developer toolchains
  • New browser-based credential theft techniques evading traditional defenses

Recurring Themes

This week's bulletin reinforces several trends that security teams should be tracking heading into Q2 2026:

  1. Old code, new exploitation — CVE-2026-34197 joins a long list of vulnerabilities where attackers have found exploitable flaws in legacy code bases that organizations assumed were "safe" simply because they'd been running for years

  2. Trust abuse — Attackers increasingly operate through platforms and tools users trust: Telegram for botnet C2, legitimate PDF viewers for exploit delivery, cloud APIs for exfiltration

  3. IoT as infrastructure — DDoS-for-hire services continue to grow their botnet capacity by targeting IoT devices with weak default credentials and no automatic update mechanisms

  4. AI-assisted vulnerability research — The Apache ActiveMQ CVE highlights how AI tools are being used both by defenders (to find bugs) and increasingly by adversaries to accelerate exploit development


Source: The Hacker News — ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

Related Reading

  • Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack
  • GlassWorm Escalates: 72 Malicious Open VSX Extensions Use
  • TA446 Deploys DarkSword iOS Exploit Kit in Targeted
#Threat Intelligence#The Hacker News#Apache ActiveMQ#Botnet#CVE-2026-34197#IoT Security#Weekly Roundup

Related Articles

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack

Threat actors are deploying the Nexcorium Mirai botnet variant by exploiting CVE-2024-3721 in TBK DVR devices and targeting end-of-life TP-Link Wi-Fi...

5 min read

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

4 min read

North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign

Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...

4 min read
Back to all News