Several significant cybersecurity stories emerged this week that warrant attention despite being overshadowed by higher-profile disclosures. This roundup covers the Iran-linked attack on medical technology giant Stryker, a publicly released Windows zero-day exploit, a law firm breach with a $13 million ransom demand, a suspected 10-petabyte theft from China's national supercomputing center, and two active macOS malware campaigns.
Iran-Linked Attack Disrupts Stryker Manufacturing
Medical technology company Stryker — which posted $25 billion in revenue in 2025 — confirmed that a cyberattack caused "global disruption" to its Microsoft environment, impacting order processing, manufacturing, and shipping operations across the company's global footprint.
The attack was claimed by Handala, a threat actor widely assessed by security researchers as a cover identity for Void Manticore, an Iranian state-sponsored group operating under Iran's Ministry of Intelligence and Security (MOIS). Handala claimed responsibility via Telegram posts, asserting they wiped more than 200,000 devices and exfiltrated 50 terabytes of data.
Independent attribution remains unconfirmed at this stage, but Void Manticore's operational signature — wiper-focused attacks against Western commercial targets with high geopolitical visibility — matches the claimed attack profile. The group previously targeted Israeli infrastructure and logistics companies with destructive wiper payloads before pivoting to Western targets in 2025.
Stryker has not confirmed the device wipe claim or exfiltration volume, but acknowledged the disruption's operational impact in a statement to stakeholders.
BlueHammer Windows Zero-Day Exploit Published
An unpatched Windows local privilege escalation zero-day tracked as BlueHammer had its proof-of-concept exploit published on GitHub on April 2, 2026 by a researcher using the handles "Chaotic Eclipse" and "Nightmare Eclipse." The researcher framed the publication as an act of frustration after Microsoft allegedly failed to respond meaningfully within the researcher's self-imposed disclosure window.
Technical details of BlueHammer:
- Chains a TOCTOU (time-of-check to time-of-use) race condition with path confusion in Windows Defender's signature update system
- Successful exploitation provides access to the SAM (Security Account Manager) database
- Enables credential hash theft and full administrator access via pass-the-hash
- Affects patched Windows 10, Windows 11, and Windows Server — the underlying technique survives standard patch deployment
- Recompiling the PoC defeats current Defender signature detection, leaving the privilege escalation vector undetected
Microsoft had not publicly acknowledged the issue or assigned a CVE at the time of writing. Security teams running Windows environments should monitor for LOLBAS (living-off-the-land binaries and scripts) execution patterns involving Defender processes and anomalous SAM database access events as potential exploitation indicators.
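As an added illustration of the monitoring advice above (example code, not from the original article or from any vendor tool): a small Python triage pass over constructed event records that flags the two indicators named, LOLBAS binaries spawned under a Defender process and SAM hive access by anything other than the OS itself. The event schema, the process lists and the sample events are assumptions.

```python
"""Triage constructed Windows process/file events for the two BlueHammer
indicators the roundup names. Event format and process lists are assumed,
not a vendor schema."""
import re

# Defender-owned processes (assumed list) that should not be launching LOLBAS tools.
DEFENDER_PROCS = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe", "mpdefendercoreservice.exe"}
# Common living-off-the-land binaries (assumed subset).
LOLBAS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
          "powershell.exe", "cmd.exe", "wscript.exe", "bitsadmin.exe"}
# Only the OS itself is expected to touch the SAM hive on disk.
SAM_READERS_OK = {"lsass.exe", "system", "services.exe"}
SAM_PATH = re.compile(r"\\windows\\system32\\config\\sam($|\.)", re.I)

def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return a list of (rule_name, event_id) findings, in event order."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        if ev["type"] == "process_create" and parent in DEFENDER_PROCS and image in LOLBAS:
            findings.append(("lolbas_under_defender", ev["id"]))
        if (ev["type"] == "file_access" and SAM_PATH.search(ev.get("target", ""))
                and image not in SAM_READERS_OK):
            findings.append(("sam_access_by_unexpected_process", ev["id"]))
    return findings

# Constructed sample events (not real telemetry); <ver> is a placeholder path segment.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\<ver>\MsMpEng.exe"},
    {"id": 3, "type": "file_access", "image": r"C:\Windows\System32\lsass.exe",
     "target": r"C:\Windows\System32\config\SAM"},
    {"id": 4, "type": "file_access", "image": r"C:\Users\bob\AppData\Local\Temp\poc.exe",
     "target": r"C:\Windows\System32\config\SAM"},
    {"id": 5, "type": "file_access", "image": r"C:\Users\bob\AppData\Local\Temp\poc.exe",
     "target": r"C:\Windows\System32\config\SAM.LOG1"},
]

if __name__ == "__main__":
    for rule, ev_id in triage(SAMPLE_EVENTS):
        print(f"ALERT {rule}: event {ev_id}")
```

Events 1 and 3 are expected activity and stay silent; only the Defender-spawned LOLBAS launch and the two SAM hive reads by a non-OS binary are raised.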
Jones Day Confirms Breach and $13M Ransom Demand
Global law firm Jones Day — with offices in 43 cities across 19 countries — confirmed that hackers accessed files for 10 clients following a phishing attack. The intrusion has been attributed to Silent Ransom Group (SRG, also known as Luna Moth), a threat actor that specifically targets law firms due to the highly sensitive nature of legal industry data.
SRG demanded a $13 million ransom. When negotiations broke down, the group posted samples of stolen data online on March 30, 2026.
This is Jones Day's second significant breach in five years — the firm was previously caught up in the 2021 Accellion supply chain hack that affected thousands of organizations globally. FBI intelligence reports have previously warned that SRG specifically targets law firm partners, and the Jones Day breach targeted partner Greg Castanias through a directed spear-phishing campaign.
The breach raises persistent questions about cybersecurity standards in the legal industry, where attorney-client privilege and case strategy documents represent extremely high-value targets for extortion and intelligence collection.
Internet Bug Bounty Paused — AI Floods Open Source
The Internet Bug Bounty (IBB) program — which has funded open-source security research since 2012, awarding over $1.5 million to researchers — announced a pause on all payouts effective March 27, 2026.
HackerOne, which administers the program, cited a structural imbalance: AI-assisted vulnerability research is now generating far more bug reports than open-source maintainers can feasibly remediate. The program's purpose is undermined when the discovery rate outpaces the fix rate by a widening margin.
The practical data point: Anthropic's Claude found 22 Firefox vulnerabilities in two weeks, 14 rated high-severity, all previously missed by human fuzzers. Node.js subsequently paused its own bug bounty program after losing IBB funding. Google has implemented policies rejecting AI-assisted submissions. The Linux Foundation secured $12.5 million in emergency funding to address the resulting maintainer burden.
FlamingChina Claims 10-Petabyte Theft from Chinese Supercomputing Center
A group calling itself FlamingChina claims to have stolen 10 petabytes of data from China's National Supercomputing Center (NSCC) in Tianjin, one of China's primary high-performance computing facilities serving approximately 6,000 clients including defense agencies, aerospace research institutions, and universities.
According to the group's claims, entry was gained through a compromised VPN domain, with data exfiltration conducted over approximately six months via botnet-style automated extraction. Data samples surfaced on Telegram as early as February 6, 2026. CNN reported on the breach on April 8.
The alleged stolen data inventory includes:
- Missile schematics and ballistic trajectory simulations
- Aircraft aerodynamics research from AVIC (Aviation Industry Corporation of China)
- Aerospace structural modeling from COMAC (Commercial Aircraft Corporation of China)
- Nuclear fusion experiment data
- Classified defense documents
The Chinese government has not confirmed or denied the breach. Independent security researchers note that the claimed 10-petabyte exfiltration volume is "unfathomable in storage cost terms alone" — suggesting either gross exaggeration of the volume or an extraordinarily resourced operation. Verification of the data samples is ongoing.
Two Active macOS Malware Campaigns
Two separate active campaigns targeting macOS users were reported this week:
Atomic Stealer via ClickFix Script Editor
A new variant of Atomic Stealer (AMOS) is being distributed via a ClickFix technique that abuses Script Editor — a trusted, pre-installed macOS application — to bypass Apple's recently implemented Terminal execution warnings. The technique exploits user trust in a signed, legitimate Apple application to execute malicious code without triggering new macOS security prompts.
Targets include Keychain data, browser credentials (Chrome, Safari, Firefox), cryptocurrency wallet seeds and keys, browser cookies, and credit card data stored in browsers.
Infiniti Stealer via Cloudflare-Themed Fake CAPTCHA
A separate campaign delivers Infiniti Stealer through a fake Cloudflare CAPTCHA ClickFix page. The payload is a Python-based infostealer compiled with Nuitka (a Python-to-native compiler) to evade detection by signature-based security tools. Exfiltrated data is sent to a Telegram command-and-control channel and includes browser credentials, Keychain data, cryptocurrency wallets, developer secrets (SSH keys, API tokens), and screenshots.
Both campaigns exploit the same fundamental weakness: user compliance with "verification" prompts that instruct the victim to paste a command into a terminal or run a script. Security awareness training targeting ClickFix-style social engineering remains the most effective defense.
Sources: SecurityWeek · Help Net Security · Bloomberg · CNN · BleepingComputer