
Week of April 21–27, 2026 | Published by S6 Tech
⚡ 60-SECOND VERSION
Biggest threat: Two ShinyHunters breaches were confirmed this week (ADT - 5.5 million records exposed, and Udemy - 1.4 million leaked publicly), both using the same playbook: a phone call to one employee, then full SaaS data theft within hours.
Why it matters: No software was exploited. Attackers called employees pretending to be IT, captured single sign-on credentials, and walked into Salesforce. Any business with a help desk and an SSO login is in scope.
Do this now: Add a callback rule for credential and MFA reset requests - anyone calling IT for one gets a callback at the number on file before IT does anything (30 minutes, free).
📋 EXECUTIVE SUMMARY
1. Vishing has graduated from theory to industrial process. ADT confirmed a ShinyHunters breach this week - entry point was a single phone call that yielded an Okta SSO credential, then a Salesforce pivot. Have I Been Pwned verified 5.5 million records exposed; the attackers claim more than 10 million. Udemy followed days later with the same pattern, 1.4 million records publicly leaked. The attack chain bypasses every firewall and endpoint tool because the employee cooperates at every step.
2. Healthcare targeting hit its third consecutive week of elevated activity, with 9 victims spread across six different ransomware groups. That's no longer one campaign - it's a sector consensus. Small US and Canadian medical and dental practices are taking the brunt.
3. An Arkansas state crime lab breach - court calendars, defendant names, and the personnel directory of police and prosecutors - sets a new bar for what "sensitive client data" means. Any organization handling legal, medical, or investigative records should read this as a direct signal that you are valuable, regardless of size.
📊 METRICS & INTELLIGENCE
| Metric | This Week | What It Means |
|---|---|---|
| Total Disclosed Victims | 97 | Fourth straight week at this volume - a new normal, not a spike |
| ADT Records Exposed | 5.5M (HIBP-verified) | Names, addresses, phone numbers; partial DOB/SSN in subset; ShinyHunters claims 10M+ |
| Top Actor Share (Qilin) | 26.8% | Sharpest single-actor dominance since The Gentlemen's April 6 surge |
| Healthcare Hits | 9 (3rd elevated week) | Sector-wide pattern across six different actors - not one campaign |
| Manufacturing Hits | 12 | Steady targeting; supply-chain documents still the prize |
US-based organizations accounted for 22 victims (22.7%); the remainder spread across 31+ countries, including Pakistan, Ghana, Serbia, Peru, Indonesia, Saudi Arabia, and Egypt.
THREAT ACTOR MARKET SHARE — THIS WEEK
The top four actors now claim 62.9% of weekly activity - the highest concentration of 2026 to date.
🚨 ACTIVE CAMPAIGNS
ShinyHunters Vishing-to-SaaS Playbook 🏢
ADT (5.5M records) and Udemy (1.4M) confirmed in same week, same chain
What it does: An attacker calls an employee posing as IT support, walks them through a "verification" prompt, and captures their single sign-on (SSO) credentials - the master login that controls access to all of a user's connected business apps. ADT confirmed the entry point was an Okta SSO account; the attackers then pivoted into Salesforce and exfiltrated customer and corporate records. ADT detected the breach on April 20 and revoked access, but data was already gone. Udemy's leak (April 26) followed the same chain and includes names, addresses, phone numbers, and instructor payment details.
Why it matters: No malware, no software exploit. Every defensive tool you've bought - firewall, endpoint protection, MFA - gets bypassed by an employee who believes they're talking to IT. ADT explicitly confirmed customer security systems were NOT compromised, but the personal data exposure creates compound risk: attackers now know who has alarm systems, where they live, and how to reach them. If your business uses any cloud platform with employee logins (Salesforce, HubSpot, QuickBooks Online, Shopify), the attack chain works the same way.
Source: BleepingComputer (ADT, 5.5M), Have I Been Pwned (Udemy)
Arkansas State Crime Laboratory Breach 🏢
Court calendars, defendant names, law enforcement personnel directory leaked
What it does: A previously unknown threat actor calling itself kittykatkrew compromised a public-facing web portal at the Arkansas State Crime Laboratory and dumped its contents. The leak includes active court case calendars with defendant names, the personnel directory of prosecutors and police officials, and contact information for forensic analysts. The specific entry vulnerability has not been disclosed publicly.
Why it matters: This is not a ransomware operation aiming for a payday - it's a data dump, full stop. The leaked data creates risk of witness intimidation, case tampering, and targeted social engineering against the named law enforcement personnel. For private-sector readers, the broader signal is the more important one: any organization with a public-facing portal that holds sensitive third-party data - law firms with client portals, medical practices with patient portals, accounting firms with tax document portals - has the same exposure. The attackers don't need ransomware leverage when the data alone is the prize.
Source: Dark Web Informer
The Gentlemen Expand With Botnet Infrastructure 🏭
Check Point uncovers 1,570-host SystemBC proxy network feeding ransomware operations
What it does: Check Point researchers traced a Gentlemen ransomware attack back to a SystemBC proxy malware botnet - more than 1,570 corporate machines acting as relay points so attackers can route their traffic through trusted IPs and avoid geographic blocking. Once inside a victim, affiliates operate from a domain controller (the server that controls who can log into your entire network) with admin privileges and use Cobalt Strike alongside the proxy network for stealthy lateral movement.
Why it matters: Most SMBs detect intrusions by looking for traffic from suspicious foreign IPs. SystemBC defeats that - the attacker's traffic appears to come from a legitimate corporate machine somewhere else. Most affected hosts are in the US, UK, Germany, Australia, and Romania. If your firewall logs show outbound connections from any internal machine on unusual ports (especially 4001, 4002, 8080), investigate.
Source: BleepingComputer / Check Point Research
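The "investigate" step above, turned into a small triage script. This is an added example, not code from the newsletter or from Check Point: it parses constructed firewall export lines in a format made up for the example, keeps only allowed connections from RFC 1918 hosts to external addresses on the three ports the write-up names, and ranks internal hosts by how many such flows they produced.

```python
"""Flag allowed outbound connections from internal hosts to the proxy ports
called out above. The log line format is constructed for this example;
adapt LINE_RE to your firewall's export."""
import ipaddress
import re
from collections import Counter

# Ports named in the Check Point write-up: a starting watchlist, not a signature.
WATCH_PORTS = {4001, 4002, 8080}
# RFC 1918 ranges count as "internal"; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample export: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2026-04-22T03:14:07Z src=10.0.4.17 dst=203.0.113.9 dport=4001 action=allow
2026-04-22T03:14:09Z src=10.0.4.17 dst=203.0.113.9 dport=4001 action=allow
2026-04-22T03:15:21Z src=10.0.4.22 dst=198.51.100.40 dport=443 action=allow
2026-04-22T03:16:02Z src=10.0.7.3 dst=192.0.2.77 dport=8080 action=allow
2026-04-22T03:16:44Z src=172.16.9.5 dst=10.0.0.8 dport=8080 action=allow
2026-04-22T03:17:10Z src=10.0.4.17 dst=203.0.113.9 dport=4002 action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_flows(log_text: str) -> list:
    """Return (src, dst, dport) for allowed internal->external flows on a watched port.
    Internal->internal 8080 (e.g. a legitimate web proxy) is excluded to cut noise."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["action"] != "allow" or int(m["dport"]) not in WATCH_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits

def hosts_to_investigate(log_text: str) -> Counter:
    """Suspect flows per internal source, so the noisiest host sorts first."""
    return Counter(src for src, _, _ in find_suspect_flows(log_text))

if __name__ == "__main__":
    for host, n in hosts_to_investigate(SAMPLE_LOG).most_common():
        print(f"{host}: {n} suspect outbound flow(s)")
```

Denied attempts are deliberately left out of the count; they deserve a separate look, since a blocked connection on these ports still says something about what the host was trying to reach.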
✅ JUST DO THIS
Add a Callback Rule for Credential and MFA Resets
⏱️ 30 minutes (policy + announcement) | 💰 Free
Why now: The ShinyHunters playbook works because no callback verification exists. The attacker calls IT pretending to be an employee or calls an employee pretending to be IT - and the request gets honored. A callback rule breaks the chain at step one. ADT, Udemy, and dozens of other ShinyHunters victims would have stopped this attack with one phone call to a number the attacker doesn't control.
| Step | How |
|---|---|
| 1. Write the rule | Any password reset, MFA reset, SSO unlock, or remote-access request gets verified by hanging up and calling the employee back at the number stored in HR records. No exceptions for executives, no exceptions for "urgent." |
| 2. Document the numbers | Pull employee phone numbers from HR into a list IT can reference. Update quarterly. Use only company-recorded numbers - never one provided in the request itself. |
| 3. Add a verbal code phrase | Pick a phrase real IT will use when initiating contact (something like "blue coffee Tuesday"). Share it at an all-hands - never by email. No phrase, no remote access. |
| 4. Test it | Within two weeks, run a friendly mock: have someone outside IT call requesting an MFA reset without the code phrase. The drill is the proof. |
Verify it worked: If your team grants the mock request, retrain. If they refuse and call back, you're protected.
🎯 THREAT ACTOR SPOTLIGHT
Eraleign (APT73) 🏭
11 victims this week (11.3%) - concentrated in emerging markets where most security blogs don't reach
Why this group, this week: Qilin claimed more victims (26 to Eraleign's 11), but Qilin already runs a familiar playbook - covered in detail two weeks ago. Eraleign is doing something different. Where Qilin and DragonForce fight over the US and Western Europe, Eraleign concentrates on places with thinner cybersecurity press coverage and weaker breach-disclosure laws: Saudi Arabia, Egypt, Peru, Mexico, Indonesia, Ghana, Serbia, Eastern Europe.
Target profile: Insurance carriers, healthcare networks, petroleum and energy operators, consumer goods distributors. Mid-market organizations in regions where local-language phishing has high success rates and victims have fewer options for recourse.
Known patterns (plain English):
- Local-language lures: Phishing emails arrive in fluent Arabic, Spanish, Portuguese, or Indonesian - often quoting real industry events or holidays. AI translation has erased the typo cues.
- Disclosure arbitrage: Victims in countries without mandatory breach reporting are slower to publicly acknowledge attacks, giving Eraleign more time to leverage stolen data before defenses adapt.
- Cross-region targeting: A single week's victim list spans four continents. The group rotates geographies faster than most defenders can build region-specific intel.
Defensive Priorities:
| # | Action | Plain English |
|---|---|---|
| 1 | Multilingual phishing training | If you have offices or staff in non-English regions, run phishing drills in their working language |
| 2 | Geographic login alerting | Set Microsoft 365 or Google Workspace to flag logins from unexpected countries |
| 3 | Backup verification | Confirm offline backups exist and that someone has actually tested restoring this quarter |
Also Active: Qilin remains the volume leader at 26 victims and continues hitting US manufacturing, healthcare, and finance. Medusa claimed Walman Optical (US, an EssilorLuxottica subsidiary). The Gentlemen posted 10 victims including Beaconhouse School System (Pakistan) - attackers claim 380,000+ student records across 8 countries; figure not independently verified. DragonForce (14 victims) targeted MassDevelopment, the Massachusetts state finance and development agency.
🏭 SECTOR TARGETING
Manufacturing - 12 victims 🏭
Threat actors: DragonForce, Qilin, The Gentlemen, Krybit
Notable incidents: Heinrich Kopp GmbH (Germany, electrical components), AOTCO Metal Finishing (US), Wm. Sopko & Sons (US), Longwood Engineering (US), Muller Technology (industrial machinery), TokyoHosoKogyo (Japan, construction), Cofaco Textiles (Peru), Narteks Tekstil (Turkey)
Data exposed: Production specifications, supplier contracts, proprietary designs
Healthcare - 9 victims 🏪 SMB PRIORITY
Threat actors: Eraleign (APT73), Qilin, INC Ransom, The Gentlemen, M3RX, Beast, Medusa
Notable incidents: Walman Optical (US, EssilorLuxottica subsidiary), Medika Plaza (Indonesia), Reddy Cardiology (US), Lessard Dental (Canada), Mid Florida Dermatology & Plastic Surgery (US), Dillon Family Medicine (US), Airdrie Physiotherapy (Canada)
Why the persistence: Six different actors hitting healthcare in one week - three weeks running. That's not coordination, it's consensus. Small practices have HIPAA exposure that creates payment pressure, plus often-outdated practice-management systems.
Professional Services - 8 victims 🏢
Threat actors: DragonForce, Brain Cipher, Qilin, Eraleign, INC Ransom
Notable incidents: Delon Hampton Engineering (US), Bridgeway Consulting (UK - attackers claim 500GB; not independently verified), Woodfields Consultants (architecture), J.G. Petrucci (US, real estate development), TLC Trial Team (US, legal)
Data exposed: Client files, NDAs, project documents, billing records
Education - 7 victims 🏢
Threat actors: The Gentlemen, Qilin
Notable incidents: Beaconhouse School System (Pakistan, attackers claim coverage of 380,000+ students across 8 countries - figure not independently verified), Colegio Notre Dame Campinas (Brazil), Istarpal (education sector)
⚠️ SMB Sector Alert: Medical and Dental Practices Under 50 Employees
Three weeks of elevated targeting. This week alone: Lessard Dental, Mid Florida Dermatology, Dillon Family Medicine, Airdrie Physiotherapy, Reddy Cardiology. If you operate a small practice in the US or Canada, the question is no longer whether your sector is being targeted - it's whether your specific configuration looks like the practices already hit. Check that MFA is on every patient-management login, backups are offline and tested, and your incident-response phone tree is current.
🏪 SMB REALITY CHECK
If you're under 50 employees with no dedicated security staff, here's what actually matters this week:
Two attacks confirmed this week - ADT (5.5 million records) and Udemy (1.4 million) - and both started with a phone call. The action in "Just Do This" above (the callback rule plus a verbal code phrase) is the one piece of homework that matters. It costs nothing, takes thirty minutes to write down, and breaks the exact chain that brought down two large, well-resourced companies in the same week.
If you run a medical or dental practice, consider this your second consecutive notice. The targeting isn't slowing. Spend an hour this week confirming MFA is enforced on every system that touches patient data and that a recent backup actually restores.
💡 Trust, but Verify the Caller
Your team is trained to be helpful. That's a feature, not a bug - until someone weaponizes it. The fix isn't to make people suspicious; it's to make verification routine. "I'll call you right back at the number we have on file" is a polite, friendly response that costs nothing and stops every version of this attack. Practice the line out loud once. It gets easier.
Your Stack, Your Actions:
| If You Use... | Do This | Time |
|---|---|---|
| Any SSO (Okta, Azure, Google) | Implement the callback rule and code phrase for all reset requests | 30 min |
| Salesforce, HubSpot, or any CRM | Review session timeout - set to 4 hours or less, not "never" | 10 min |
| ADT for physical security | Update access codes and authorized-contact info; brief staff on ADT-themed phishing | 15 min |
| Udemy account (anyone on team) | Reset password; check Have I Been Pwned for the email; change anywhere the password was reused | 5 min |
📞 When to Call for Help
If anyone on your team reports a phone call from "IT" or "Microsoft support" or "your bank" asking them to verify credentials, install software, or share a code - treat it as an active incident, not a near-miss. Call your IT provider before the employee touches anything else on their machine.
Safe to ignore this week: The Arkansas crime lab breach unless you're a law firm, court vendor, or handle legal matters; the Beaconhouse School breach unless you have business in Pakistan or South Asian education; most of the international financial-sector hits.
🔮 LOOKING AHEAD
AI Agents Are the Next Identity to Secure
Microsoft began publishing guidance this month on securing Copilot Studio agents - a clear signal that organizations are deploying autonomous AI agents with access to business data. These agents authenticate, access resources, and take actions on behalf of users. They are, in security terms, a new category of identity. And like every other identity that touched corporate systems before them - service accounts, API keys, OAuth tokens - they will become a target.
What's changing: AI agents are moving from experimental to production across the SaaS stack. Your accounting software, CRM, helpdesk tool, and document management system are all racing to add "AI assistants" that authenticate, query data, and take actions. Each one is a credential you didn't have to manage six months ago.
What to watch: Vendors announcing "AI agent" or "AI assistant" features that connect to your data. Permission scopes that read "full access" instead of being narrowly scoped to specific tasks. Agents that retain credentials indefinitely rather than re-authenticating per session.
Bottom line: Treat every AI agent that touches your systems as a privileged service account - documented, monitored, and scoped to minimum necessary permissions. The companies that catalog their AI agents now will spend Q3 fine-tuning. The companies that don't will spend Q3 finding out their friendly assistant had read access to their entire customer database.
📅 This Month's Priority
Build a one-page inventory of every AI agent or assistant connected to your business systems. For each: what data it can read, what actions it can take, who authorized the connection, and when it was last reviewed. If you can't fit the list on one page, you have more agents than oversight - fix that.
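Once the inventory exists, the three red flags from "What to watch" can be checked mechanically. The script below is an added example, not part of the newsletter or any vendor's tooling: the inventory rows, field names, and the 90-day review window are all constructed for the example, and it flags agents with a blanket scope, a credential that never expires, no recorded approver, or a stale review.

```python
"""Audit a constructed AI-agent inventory for the red flags noted above:
over-broad scopes, credentials that never expire, and stale reviews.
Field names are this example's own, not a vendor schema."""
from datetime import date

REVIEW_MAX_AGE_DAYS = 90  # assumption: quarterly review cadence
BROAD_SCOPES = {"full access", "*", "all", "admin"}  # anything here is not task-limited
AS_OF = date(2026, 4, 27)  # this edition's intelligence cutoff, used as "today"

# Constructed inventory rows, one per agent connection.
INVENTORY = [
    {"agent": "CRM summarizer", "system": "Salesforce",
     "scopes": ["read:accounts", "read:opportunities"],
     "credential_expires": date(2026, 7, 1), "authorized_by": "sales-ops",
     "last_reviewed": date(2026, 4, 2)},
    {"agent": "Helpdesk assistant", "system": "Ticketing",
     "scopes": ["full access"],
     "credential_expires": None, "authorized_by": "it-lead",
     "last_reviewed": date(2025, 11, 20)},
    {"agent": "Invoice extractor", "system": "Accounting",
     "scopes": ["read:invoices", "write:invoices"],
     "credential_expires": date(2026, 5, 15), "authorized_by": None,
     "last_reviewed": date(2026, 3, 30)},
]

def audit_agent(row: dict, today: date) -> list:
    """Return the list of findings for one agent (empty list means it passes)."""
    findings = []
    if any(s.lower() in BROAD_SCOPES for s in row["scopes"]):
        findings.append("scope is not task-limited")
    if row["credential_expires"] is None:
        findings.append("credential never expires")
    if not row["authorized_by"]:
        findings.append("no recorded approver")
    if (today - row["last_reviewed"]).days > REVIEW_MAX_AGE_DAYS:
        findings.append(f"review older than {REVIEW_MAX_AGE_DAYS} days")
    return findings

def audit_inventory(rows: list, today: date) -> dict:
    """Map agent name -> findings, keeping only agents with at least one finding."""
    result = {}
    for row in rows:
        findings = audit_agent(row, today)
        if findings:
            result[row["agent"]] = findings
    return result

if __name__ == "__main__":
    for agent, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{agent}: {'; '.join(findings)}")
```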
CLASSIFICATION: TLP:CLEAR
Sources: BleepingComputer (Apr 27), Have I Been Pwned (Apr 26–27), Dark Web Informer (Apr 23), Check Point Research, Microsoft Security Blog (Apr 18, Apr 20), Hackread (Apr 27), Ransomware.live API, RansomLook.io API
S6 RANSOMWARE SIGNAL
Your data is an asset. We guard it like one.
Intelligence cutoff: April 27, 2026 14:00 ET | Next edition: May 4, 2026
