April's ThreatsDay Bulletin from The Hacker News lands with a full threat docket: a newly disclosed Microsoft Defender privilege escalation zero-day, a wave of brute-force attacks hitting SonicWall and FortiGate edge devices, a 17-year-old Excel vulnerability finally added to CISA's Known Exploited Vulnerabilities (KEV) list, a fake Ledger app that drained $9.5 million from cryptocurrency holders, and the unmasking of a broad cybercrime ecosystem called Triad Nexus. Here's the full breakdown.
Microsoft Defender Zero-Day: RedSun
The most urgent item in this week's bulletin is a new, unpatched Microsoft Defender privilege escalation zero-day codenamed RedSun, disclosed by the same researcher — operating as "Chaotic Eclipse" — who previously released the BlueHammer exploit after a disagreement with Microsoft's disclosure process.
According to security researcher Will Dormann, who verified the claims:
"This works 100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled."
Microsoft has responded with an out-of-band Antimalware Platform update (version 4.18.26030.3011) that addresses the flaw. The update is distributed via Windows Security rather than a standard Patch Tuesday release:
- Open Windows Security
- Navigate to Virus & threat protection
- Select Protection Updates → Check for updates
This disclosure pattern — researcher releasing a public exploit after Microsoft's handling of a prior vulnerability — is becoming an increasingly visible dynamic. The BlueHammer release (April 6, 2026) was similarly motivated by researcher frustration with the disclosure process.
SonicWall and FortiGate Brute-Force Surge
Security researchers detected a sharp rise in brute-force attempts targeting SonicWall and FortiGate edge access devices between January and March 2026. The attacks were notable for their geographic concentration: 88% of attempts appeared to originate from the Middle East.
Barracuda Networks, which tracked the campaign, warned:
"Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials. Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise."
Most attempts were blocked by security tools or directed at invalid usernames, but the volume indicates that VPN and edge device credential stuffing remains a primary initial access technique. Administrators should:
- Enforce account lockout policies on SonicWall and FortiGate management interfaces
- Rotate credentials and audit for default or weak passwords
- Restrict management UI access to known IP ranges
- Enable multi-factor authentication where supported
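As an added example (not code from the bulletin or from Barracuda), the kind of detection an administrator could run over edge-device authentication logs to surface the probing pattern described above: a source that fails repeatedly inside a short window, and what share of its attempts hit unknown usernames. The log lines, field names and layout are constructed assumptions, not a real SonicWall or FortiGate format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a generic key=value syslog style; this is not a
# verified SonicWall or FortiGate format, and the field names are assumptions.
SAMPLE_LOGS = """\
2026-03-02T08:00:01Z device=fw-edge-01 event=auth_fail user=admin src=198.51.100.7 reason=bad_password
2026-03-02T08:00:02Z device=fw-edge-01 event=auth_fail user=sysadmin src=198.51.100.7 reason=unknown_user
2026-03-02T08:00:03Z device=fw-edge-01 event=auth_fail user=root src=198.51.100.7 reason=unknown_user
2026-03-02T08:00:04Z device=fw-edge-01 event=auth_fail user=admin src=198.51.100.7 reason=bad_password
2026-03-02T08:00:05Z device=fw-edge-01 event=auth_fail user=vpnuser src=198.51.100.7 reason=bad_password
2026-03-02T08:00:06Z device=fw-edge-01 event=auth_fail user=test src=198.51.100.7 reason=unknown_user
2026-03-02T08:05:00Z device=fw-edge-01 event=auth_fail user=jsmith src=203.0.113.9 reason=bad_password
2026-03-02T08:05:40Z device=fw-edge-01 event=auth_ok user=jsmith src=203.0.113.9
"""

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; None for unparseable lines."""
    ts, _, rest = line.partition(" ")
    try:
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields

def find_bruteforce_sources(log_text, window_seconds=60, threshold=5):
    """Return {src: stats} for sources with at least `threshold` auth failures
    inside any sliding window of `window_seconds`; quiet sources are omitted."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("event") == "auth_fail":
            failures[ev["src"]].append(ev)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until events [start..end] fit in the window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                unknown = sum(1 for e in evs if e.get("reason") == "unknown_user")
                flagged[src] = {"failures": len(evs),
                                "distinct_users": len({e["user"] for e in evs}),
                                "unknown_user_ratio": unknown / len(evs)}
                break
    return flagged
```

A high share of unknown usernames from one source is the "directed at invalid usernames" signal the bulletin mentions; a low share with many failures against real accounts is the case that warrants lockout and credential rotation.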
17-Year-Old Excel RCE Added to CISA KEV
CISA has added an old Microsoft Office remote code execution vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of April 28, 2026 for Federal Civilian Executive Branch (FCEB) agencies. The vulnerability, which spans multiple Office versions including Word and Excel, can be triggered via the preview pane or by opening a malicious document — no macros required.
Microsoft's April 2026 Patch Tuesday addressed multiple remote code execution bugs in Office. The addition to KEV confirms active exploitation in the wild. Any organization still running unpatched Office versions should prioritize this update, particularly those whose employees routinely receive attachments via email.
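One way to operationalize a KEV remediation deadline, as an added example rather than anything from the bulletin or from CISA: filter a KEV-shaped feed for entries that are overdue or due within a horizon, limited to vendors actually present in your inventory. The entries and CVE ids below are constructed placeholders, not real catalog records; only the field names follow the published feed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (the field names match the
# real feed; the entries and CVE ids are placeholders, not real catalog records).
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2026-04-07", "dueDate": "2026-04-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "SonicWall", "product": "SMA",
         "dateAdded": "2026-04-09", "dueDate": "2026-04-30",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Widget",
         "dateAdded": "2026-01-10", "dueDate": "2026-01-31",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

def kev_due_soon(kev_json, today, horizon_days=14, inventory=None):
    """Return KEV entries whose dueDate is within `horizon_days` of `today`
    (an ISO date string) or already past, optionally limited to vendors in
    `inventory`; overdue and soonest-due first, ransomware-linked ahead on ties."""
    today = date.fromisoformat(today)
    out = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        if inventory and e["vendorProject"] not in inventory:
            continue  # skip vendors not present in the environment
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left <= horizon_days:
            out.append({"cveID": e["cveID"], "vendor": e["vendorProject"],
                        "product": e["product"], "days_left": days_left,
                        "overdue": days_left < 0,
                        "ransomware": e.get("knownRansomwareCampaignUse") == "Known"})
    out.sort(key=lambda r: (r["days_left"], not r["ransomware"]))
    return out
```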
April 2026 Patch Tuesday: 167 Flaws, 2 Zero-Days
Microsoft's April Patch Tuesday addressed 167 vulnerabilities including 2 zero-days. The release represents the second-largest monthly patch batch on record. Key highlights:
| Category | Count |
|---|---|
| Critical | 11 |
| Important | 154 |
| Zero-Days Patched | 2 |
| Total CVEs | 167 |
Administrators should prioritize the SharePoint zero-day patch and the Office RCE fixes given active exploitation of both vulnerability classes.
Fake Ledger App Drains $9.5M in Cryptocurrency
A fraudulent Ledger hardware wallet app slipped through Apple's App Store review process and remained live long enough to steal $9.5 million in cryptocurrency from more than 50 victims between April 7 and April 13, 2026.
The malicious app was published by "SAS Software Company" under a developer account belonging to "Leva Heal Limited." Victims who downloaded it and entered their seed phrases — believing it to be a legitimate Ledger companion app — gave attackers full access to their wallets.
Apple has since removed the macOS app from the App Store, but questions persist about how it passed the company's review process. The incident underscores the risks of relying solely on platform review as a security gate for financial applications.
Key recommendations for cryptocurrency holders:
- Only install Ledger Live from the official Ledger website
- Never enter your seed phrase into any app, regardless of its apparent legitimacy
- Verify app publisher identity against the official vendor's website before installation
Triad Nexus: A Cybercrime Ecosystem Built for Scale
Threat researchers have published new analysis on Triad Nexus, a sprawling cybercrime infrastructure that has operated as the backbone of online scams, money laundering, and illicit gambling since at least 2020. The group is notable for its operational security:
- Geographic fencing to avoid detection in certain jurisdictions
- Front companies used to acquire accounts at Amazon, Cloudflare, Google, and Microsoft
- Using legitimate cloud infrastructure to host malicious operations while avoiding sanctions lists
Triad Nexus is not a ransomware gang or an APT — it functions more like a criminal infrastructure provider, enabling a range of fraud and cybercrime operations to run under legitimate-looking cloud accounts.
Quick Hits
| Story | Summary |
|---|---|
| CISA KEV update | Multiple new additions this week including the 17-year-old Office RCE |
| SonicWall SMA zero-day | Separate from the brute-force surge: OVERSTEP ransomware campaign targeting SonicWall SMA via zero-day RCE |
| Microsoft AI patches | April Patch Tuesday includes fixes for AI-adjacent components in Microsoft 365 and Copilot services |
| Triad Nexus infrastructure | Group estimated to have enabled billions in fraud-related transactions since 2020 |
Source: The Hacker News ThreatsDay Bulletin, BleepingComputer Microsoft Patch Tuesday coverage