CRITICAL 1 min read 8 Apr 2026

NCSC UK Warning: APT28 Russian Hijacking & Frontier AI Vulnerability Surge

The NCSC UK has confirmed active Russian GRU (APT28) edge router hijacking, while the launch of Claude Mythos has triggered a massive discovery of unpatched zero-days in major OSes. Simultaneously, a new unpatched CUPS RCE chain has been found, and Storm-1175 is achieving sub-24h ransomware deployment via zero-day chaining.

Key findings

01. Russian APT28 Hijacking Edge Routers for Credential Theft (Severity: High; Confidence: High)
02. EXTREME: Claude Mythos & Thousands of New Zero-Days (Severity: High; Confidence: High)
03. NEW: Linux CUPS Unauthenticated RCE Chain (CVE-2026-34980, CVE-2026-34981) (Severity: Critical; Confidence: High)
04. Update: Storm-1175 (Medusa) Chaining zero-days (Severity: High; Confidence: High)
05. UK Legal Sector: Systematic Targeting Escalates (Severity: High; Confidence: High)

Russian APT28 Hijacking Edge Routers for Credential Theft

Confidence: High

The NCSC UK has confirmed that Russian Unit 26165 (APT28) is actively compromising edge routers (Cisco, Ubiquiti, DrayTek) to overwrite DHCP/DNS settings. This enables "silent" credential harvesting from unsuspecting enterprise users by redirecting traffic to malicious infrastructure.

EXTREME: Claude Mythos & Thousands of New Zero-Days

Confidence: High

The release of Anthropic's Claude Mythos has led to the autonomous discovery of thousands of unpatched zero-day vulnerabilities in Linux, FreeBSD, and major browsers. Defensive initiative "Project Glasswing" has been launched with 40 partners to manage the response. This represents a paradigm shift in the volume of unmitigated risk.

NEW: Linux CUPS Unauthenticated RCE Chain (CVE-2026-34980, CVE-2026-34981)

Confidence: High

A high-severity unpatched RCE chain in CUPS (Common Unix Printing System) allows unauthenticated root access via shared queues. Action: Disable port 631 exposure immediately across all Linux assets.

Update: Storm-1175 (Medusa) Chaining zero-days

Confidence: High

Storm-1175 is now achieving a "Time-to-Ransom" of <24 hours by chaining SmarterMail (CVE-2026-23760) and BeyondTrust (CVE-2026-1731) vulnerabilities. The group continues to disable endpoint security via registry tampering for rapid deployment.

UK Legal Sector: Systematic Targeting Escalates

Confidence: High

Barnes Solicitors LLP (UK) has been listed by Play ransomware, confirming the ongoing trend of systemic targeting of the UK/EU legal and professional services sectors.

Why This Matters

We are witnessing a "perfect storm" of infrastructure risk: the network edge is being hijacked by state actors, foundational internal services (CUPS) are critically flawed, and frontier AI is accelerating the discovery of new vulnerabilities faster than manual patching can respond.

Recommended Actions

  • CUPS Mitigation: Block port 631 and disable CUPS discovery protocols immediately.
  • Critical Patching: Prioritize Fortinet FortiClient EMS and BeyondTrust updates.
  • Glasswing Alignment: Monitor Project Glasswing advisories for the Mythos-discovered zero-day batch releases.
  • DNS Audit: Verify integrity of all edge router DNS settings to detect GRU-linked redirection.
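The DNS Audit action above, and the APT28 finding it responds to (overwritten DHCP/DNS settings on edge routers), can be operationalised as a drift check. The following is an added example, not code from the brief or from NCSC: it compares each router's observed DHCP DNS settings against a recorded baseline and a corporate resolver allowlist. The router names, allowlist, internal range and config values are constructed sample data; the config export format is hypothetical.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical corporate allowlist: resolvers clients may legitimately be handed via DHCP.
APPROVED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})
APPROVED_DOMAIN = "corp.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass(frozen=True)
class RouterDnsConfig:
    router: str
    dhcp_dns: tuple[str, ...]  # DHCP option 6: resolvers pushed to clients
    dhcp_domain: str           # DHCP option 15: domain name pushed to clients

def audit_router(baseline: RouterDnsConfig, observed: RouterDnsConfig) -> list[str]:
    """Return findings for one router; an empty list means no drift detected."""
    findings = []
    if observed.dhcp_dns != baseline.dhcp_dns:
        findings.append(f"{observed.router}: DHCP DNS changed {baseline.dhcp_dns} -> {observed.dhcp_dns}")
    for server in observed.dhcp_dns:
        if server not in APPROVED_RESOLVERS:
            addr = ipaddress.ip_address(server)
            on_net = any(addr in net for net in INTERNAL_NETS)
            findings.append(f"{observed.router}: unapproved resolver {server} ({'on-net' if on_net else 'OFF-NET'})")
    if observed.dhcp_domain != APPROVED_DOMAIN:
        findings.append(f"{observed.router}: DHCP domain changed to {observed.dhcp_domain!r}")
    return findings

def audit_fleet(baselines, observations) -> dict[str, list[str]]:
    """Audit every baselined router; a router missing from the export is itself a finding."""
    by_name = {o.router: o for o in observations}
    report = {}
    for base in baselines:
        obs = by_name.get(base.router)
        report[base.router] = audit_router(base, obs) if obs else [f"{base.router}: no config export"]
    return report

# Constructed sample data (no real devices); 192.0.2.10 is a documentation address standing in for a rogue resolver.
BASELINE = [
    RouterDnsConfig("edge-rtr-01", ("10.0.0.53", "10.0.1.53"), "corp.example"),
    RouterDnsConfig("edge-rtr-02", ("10.0.0.53", "10.0.1.53"), "corp.example"),
]
OBSERVED = [
    RouterDnsConfig("edge-rtr-01", ("10.0.0.53", "10.0.1.53"), "corp.example"),
    RouterDnsConfig("edge-rtr-02", ("192.0.2.10", "10.0.1.53"), "corp.example"),
]

if __name__ == "__main__":
    for router, findings in audit_fleet(BASELINE, OBSERVED).items():
        print(router, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

In practice the observed values would be pulled from each router's config export on a schedule, and any non-empty report raised as an alert alongside the NCSC indicators.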

All findings grounded in A13E intelligence sweeps through 11:05 UTC 08 April 2026.
