Stay updated on cyber threats and defenses.
[Newsletter email header image, April 15, 2026]

In this week’s roundup, we lead with our latest webcast on why advanced security teams are moving beyond traditional EDR to defend the hypervisor itself, as attackers increasingly operate at the infrastructure layer. We then cover ShinyHunters leaking stolen Rockstar Games analytics data after a third‑party compromise; a new, highly stealthy Winnti‑linked Linux backdoor built to harvest cloud credentials that had zero initial detections; new research showing that just three ransomware gangs accounted for 40% of publicly reported attacks last month as the ecosystem consolidates into fewer but more effective operations; and a law‑enforcement win as the FBI’s Atlanta field office dismantled a global $20M phishing network that fueled credential theft and large‑scale fraud worldwide. Read on!


Webinar On Demand: Why Advanced Security Teams Are Shifting Beyond EDR at the Hypervisor

If you missed our live BrightTALK session with Nathan Montierth, Solutions Engineer & Threat Intelligence Lead at Vali Cyber, the recording is now available on demand! In this one-hour talk, Nathan breaks down why traditional EDR tools are increasingly falling short against today's most sophisticated threat actors — including Scattered Spider, UNC5221, and Akira — who are bypassing endpoint defenses entirely by leveraging valid credentials, abusing administrative tooling, and targeting the hypervisor layer where critical workloads live. When attackers operate at or near the hypervisor, endpoint telemetry can be incomplete, misleading, or simply too late. The session covers how these intrusions unfold, why the virtualization layer is becoming a preferred attack surface, and what preemptive security controls at the hypervisor level actually look like in practice.

Watch the Webinar

Austin Gadient, CTO & Cofounder:

"The fact that zero engines detected the malware points to the frailty of signature-based detections. While the malware exhibits many behavioral techniques from the MITRE ATT&CK Framework, it wasn't initially detected by scanning engines. Behavioral detection is key, particularly on Linux systems where credential stealers can be so stealthy."

On APT41 Targets Linux Cloud Servers With New Winnti Backdoor

Ari Saperstein, Manager of Global Channel Technical Enablement:

"For years we have allowed the hypervisor to operate as if it is a completely secure 'appliance'; attackers have shown us that this is NOT the case. Hypervisors can be vulnerable for a number of reasons to a growing number of attacks. ZeroLock's Defense-in-Depth defends against vulnerabilities, some even before they are realized. Organizations should be talking to their trusted solutions partners to help close the gaps in their defenses."

On Webinar on Demand: Why Advanced Security Teams are Shifting Beyond EDR


Stolen Rockstar Games analytics data leaked by extortion gang

The ShinyHunters extortion gang leaked stolen Rockstar Games analytics data after using authentication tokens taken from a compromised third‑party analytics provider. The tokens granted access to Snowflake‑hosted internal telemetry for GTA Online and Red Dead Online, including in‑game revenue and purchase metrics, player behavior tracking, online service monitoring, and customer support analytics. The incident shows how modern extortion campaigns weaponize supply‑chain access and cloud integrations to expose sensitive operational data without breaching core systems or player accounts.

Read more

APT41 Targets Linux Cloud Servers With New Winnti Backdoor

Previously undocumented Winnti malware tied to the China‑linked APT41 group has surfaced as a stealthy Linux backdoor targeting cloud workloads on AWS, Azure, Google Cloud, and Alibaba Cloud. The ELF implant had zero initial detections on scanning engines. It harvests cloud credentials from instance metadata services and tunnels command‑and‑control traffic over TCP port 25 (SMTP) to typosquatted domains, so the beacons can pass as mail traffic and evade monitoring that only watches conventional C2 channels. The campaign illustrates a continuing shift toward cloud‑native tradecraft that quietly turns compromised infrastructure into a long‑term platform for credential theft and lateral movement.

Read more
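The two behaviors called out above, an unexpected process reading the instance metadata service and outbound traffic on TCP/25 to a look-alike domain, are the kind of thing behavioral detection can catch even when every scanning engine returns zero hits. The following is an added example, not Vali Cyber or ZeroLock code, that applies both rules to constructed per-process flow records; the metadata addresses, process allowlist, mail-relay list, brand list and sample flows are all assumptions for illustration.

```python
"""Behavioral triage of host flow records for two patterns named in the APT41/Winnti
write-up: credential harvesting via cloud instance-metadata services (IMDS) and
command-and-control tunnelled over TCP/25 (SMTP) to look-alike domains.
Added example with constructed data; not Vali Cyber or ZeroLock code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Link-local metadata endpoints: 169.254.169.254 on AWS, Azure and Google Cloud,
# 100.100.100.200 on Alibaba Cloud ECS.
IMDS_ADDRS = {"169.254.169.254", "100.100.100.200"}
# Processes expected to read instance metadata (constructed allowlist; tune per fleet).
IMDS_ALLOWED_PROCS = {"cloud-init", "amazon-ssm-agent", "google_osconfig_agent"}
# Hosts allowed to originate SMTP; everything else on TCP/25 is suspect (constructed).
MAIL_RELAYS = {"mail-01"}
# Brands whose near-misses would count as typosquats (constructed list).
BRANDS = ["microsoft", "amazon", "google", "cloudflare"]


@dataclass(frozen=True)
class Flow:
    """One outbound connection attributed to a process (e.g. from auditd or eBPF)."""
    host: str
    proc: str
    dst_ip: str
    dst_port: int
    dst_name: str = ""   # DNS name the process resolved, if known


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a brand name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_typosquatted(name: str) -> Optional[str]:
    """Return the brand a hostname label imitates (distance 1-2, never an exact match)."""
    for label in name.lower().replace("-", ".").split("."):
        if len(label) < 5:          # skip short labels such as "mx1" or "com"
            continue
        for brand in BRANDS:
            if 0 < levenshtein(label, brand) <= 2:
                return brand
    return None


def triage(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) for each flow that matches a behavioral rule."""
    alerts = []
    for f in flows:
        # Rule 1: an unexpected binary reading IMDS is the credential-harvest step.
        if f.dst_ip in IMDS_ADDRS and f.proc not in IMDS_ALLOWED_PROCS:
            alerts.append((f.host, "imds_credential_access", f.proc))
        # Rule 2: TCP/25 from a non-relay host; a look-alike destination raises it further.
        if f.dst_port == 25 and f.host not in MAIL_RELAYS:
            brand = looks_typosquatted(f.dst_name)
            rule = "smtp_c2_typosquat" if brand else "smtp_from_non_relay"
            alerts.append((f.host, rule, f.dst_name or f.dst_ip))
    return alerts


# Constructed sample: one clean metadata read, then an implant dropped under /tmp
# reading IMDS and beaconing over port 25 to a Microsoft look-alike.
SAMPLE_FLOWS = [
    Flow("web-01", "cloud-init", "169.254.169.254", 80),
    Flow("web-01", "/tmp/.x/libsys", "169.254.169.254", 80),
    Flow("web-01", "/tmp/.x/libsys", "203.0.113.7", 25, "mx1.micros0ft-update.com"),
    Flow("mail-01", "postfix", "198.51.100.20", 25, "mx.example.net"),
    Flow("web-02", "/usr/bin/curl", "198.51.100.20", 25, "smtp.example.net"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Neither rule depends on a hash or signature: the first keys on which process touched the metadata endpoint, the second on who is allowed to speak SMTP at all. On AWS, requiring IMDSv2 with a hop limit of 1 cuts down the credential-harvest path further, but an implant running as root on the instance itself can still satisfy IMDSv2, so the process-level check stays useful.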

Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month

Just three ransomware operations, Qilin, Akira, and Dragonforce, were responsible for 40% of the 672 publicly reported ransomware attacks that Check Point tracked in March 2026. The figure points to a clear consolidation trend: these groups are expanding their ransomware‑as‑a‑service ecosystems, absorbing displaced affiliates, compressing full attack chains to under an hour, and increasingly targeting Windows, Linux, and ESXi environments. Overall activity remains heavily concentrated in US‑based organizations, with fewer gangs driving a disproportionate share of global impact.

Read more

FBI Atlanta takes down global $20M phishing network

FBI Atlanta, working with Indonesian law enforcement, dismantled a global phishing‑as‑a‑service operation built around the W3LL phishing kit, seizing its infrastructure and detaining the alleged developer. Investigators linked the platform to more than $20 million in attempted fraud, the sale of over 25,000 compromised accounts through an underground marketplace, and large‑scale credential theft campaigns that used adversary-in-the-middle techniques to bypass multi‑factor authentication and fuel account takeovers worldwide. The case underscores how professionalized phishing ecosystems have evolved into full‑service cybercrime operations.

Read more
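Adversary-in-the-middle kits defeat one-time-code MFA by relaying the victim's login through a proxy on a look-alike domain and capturing the session cookie the identity provider issues afterwards. That leaves two traces in sign-in logs: the MFA "success" arrives from the proxy's network rather than the user's, and the cookie is later presented from yet another network. The following is an added example, not FBI, W3LL or Vali Cyber material, that runs both heuristics over constructed sign-in events; the user baseline, ASN labels, cookie lifetime and events are assumptions for illustration.

```python
"""Sign-in log heuristics for adversary-in-the-middle (AiTM) phishing of the kind the
W3LL kit performs. Added example with constructed events; not FBI, W3LL or Vali Cyber
material. Two checks: MFA completed from a network the user has never used (the IdP
sees the relay proxy's address, not the victim's), and the resulting session cookie
presented from a different network within its lifetime (the replay)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str     # identifier of the session cookie issued after MFA
    client_ip: str
    asn: str            # network the IdP saw the request from
    kind: str           # "mfa_completed" or "session_used"


Alert = Tuple[str, str, str, str]   # (user, session_id, rule, detail)


def detect_aitm(events: List[SignInEvent], baseline: Dict[str, Set[str]],
                cookie_lifetime: timedelta = timedelta(hours=8)) -> List[Alert]:
    """Run both heuristics over time-ordered events and return the alerts raised."""
    origin: Dict[str, SignInEvent] = {}   # session_id -> the MFA event that minted it
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "mfa_completed":
            origin[e.session_id] = e
            # Heuristic 1: with a relay proxy in the path, the "successful" MFA comes
            # from the proxy's network, which is usually absent from the user's history.
            if e.asn not in baseline.get(e.user, set()):
                alerts.append((e.user, e.session_id, "mfa_from_unfamiliar_asn", e.asn))
        elif e.kind == "session_used":
            o = origin.get(e.session_id)
            # Heuristic 2: the cookie captured by the proxy is replayed from attacker
            # infrastructure, i.e. a network other than the one that passed MFA.
            if o and e.asn != o.asn and e.ts - o.ts <= cookie_lifetime:
                alerts.append((e.user, e.session_id, "session_replay_cross_asn",
                               f"{o.asn} -> {e.asn}"))
    return alerts


# Constructed baseline: networks each user has signed in from historically.
BASELINE = {"alice": {"AS-HOME-ISP"}, "bob": {"AS-HOME-ISP", "AS-CORP"}}

T0 = datetime(2026, 4, 1, 9, 0)
# Constructed events: alice is phished through a proxy on a hosting provider and her
# cookie is replayed from a VPN exit twelve minutes later; bob's activity is ordinary.
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice", "sess-a1", "203.0.113.50", "AS-HOSTING-VPS", "mfa_completed"),
    SignInEvent(T0 + timedelta(minutes=12), "alice", "sess-a1", "198.51.100.9",
                "AS-VPN-EXIT", "session_used"),
    SignInEvent(T0, "bob", "sess-b7", "192.0.2.10", "AS-CORP", "mfa_completed"),
    SignInEvent(T0 + timedelta(minutes=30), "bob", "sess-b7", "192.0.2.10",
                "AS-CORP", "session_used"),
]

if __name__ == "__main__":
    for alert in detect_aitm(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

Both checks are after-the-fact heuristics and will produce noise for users on mobile carriers or VPNs, so tune the baseline per user rather than per tenant. The durable fix is phishing-resistant MFA such as FIDO2/WebAuthn, where the authenticator's signature is bound to the origin the browser is actually talking to, so a relay proxy on a look-alike domain cannot complete the ceremony in the first place.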

Thanks for reading! Feel free to share this email with your network, and for more hypervisor and Linux cybersecurity updates, visit valicyber.com.

 


Vali Cyber, Inc., 529 Rookwood Place, Charlottesville, VA 22903, USA
