The latest ThreatsDay Bulletin from The Hacker News (April 9, 2026) covers 20 active and emerging threats across botnets, old vulnerabilities finding new life, platform abuse, and multi-stage attack campaigns. This week's edition highlights a hybrid P2P botnet, a 13-year-old Apache RCE vulnerability now under active exploitation, and several stories that underscore a recurring theme: attackers leveraging trusted tools and platforms to avoid detection.
Headline Stories
Hybrid P2P Botnet (Masjesu)
Cybersecurity researchers uncovered Masjesu, a stealthy botnet that has been advertised as a DDoS-for-hire service via Telegram since its emergence in 2023. The botnet targets a wide range of IoT devices — routers, gateways, and embedded systems — across multiple CPU architectures. Its P2P command-and-control design makes it significantly more resilient to takedowns than traditional centralized C2 infrastructure, as there is no single point to sinkhole or seize.
Apache ActiveMQ RCE — CVE-2026-34197 (13-Year-Old Codebase)
CVE-2026-34197 is an RCE vulnerability in Apache ActiveMQ reachable through the Jolokia JMX bridge API, which an attacker can use to execute arbitrary commands on the broker host. The flaw resides in code that has existed in ActiveMQ for over a decade, predating modern security practices. A researcher reportedly used Claude's code analysis capabilities to help surface the vulnerability by systematically reviewing the codebase for dangerous patterns.
| Detail | Info |
|---|---|
| CVE | CVE-2026-34197 |
| Product | Apache ActiveMQ |
| Attack Vector | Remote — via Jolokia API |
| Impact | Remote code execution |
| Age of Vulnerable Code | 13+ years |
Organizations running self-hosted or on-premises ActiveMQ instances should treat this as high priority and apply vendor patches immediately.
Adobe Reader Zero-Day
Also highlighted this week: the Adobe Acrobat Reader zero-day exploit that has been active since November 2025. The flaw allows attackers to bypass the Reader sandbox, fingerprint victim systems, and exfiltrate data to attacker-controlled servers — with no patch currently available.
ComfyUI Cryptomining Botnet
Attackers have been targeting internet-exposed instances of ComfyUI — a popular open-source Stable Diffusion platform — to enlist servers into a cryptocurrency mining and proxy botnet. Exposed ComfyUI instances (which often run with elevated compute resources for AI workloads) are being commandeered for mining operations and as proxy relay nodes, effectively monetizing the victim's GPU resources.
Chaos Malware — New Cloud Variant
A new variant of the Chaos malware has been identified targeting misconfigured cloud deployments, marking an expansion of the botnet's targeting surface from traditional on-premises Linux servers to cloud-native infrastructure. The variant appears to exploit common cloud misconfigurations to gain initial access rather than relying on specific CVEs.
More Stories This Week
The full bulletin from The Hacker News covers 20 stories total, with additional coverage of:
- Bitter-linked hack-for-hire campaign targeting journalists in the MENA region
- Device code phishing attacks surging with new kit availability
- Continued exploitation of FortiClient EMS and Citrix NetScaler vulnerabilities
- North Korean social engineering operations targeting developer toolchains
- New browser-based credential theft techniques evading traditional defenses
Recurring Themes
This week's bulletin reinforces several trends that security teams should be tracking heading into Q2 2026:
- Old code, new exploitation — CVE-2026-34197 joins a long list of vulnerabilities where attackers have found exploitable flaws in legacy code bases that organizations assumed were "safe" simply because they'd been running for years
- Trust abuse — Attackers increasingly operate through platforms and tools users trust: Telegram for botnet C2, legitimate PDF viewers for exploit delivery, cloud APIs for exfiltration
- IoT as infrastructure — DDoS-for-hire services continue to grow their botnet capacity by targeting IoT devices with weak default credentials and no automatic update mechanisms
- AI-assisted vulnerability research — The Apache ActiveMQ CVE highlights how AI tools are being used both by defenders (to find bugs) and increasingly by adversaries to accelerate exploit development
Source: The Hacker News — ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories