April brought a critical Adobe Reader zero-day, campaigns abusing the Claude brand to push malware, and a phishing wave reviving a nine-year-old Office bug. The picture is roughly what you’d expect: noisy, opportunistic, and uncomfortably reliant on basic hygiene gaps.

Adobe Acrobat Reader zero-day, exploited since December
On April 11, Adobe released an emergency advisory for CVE-2026-34621, a prototype-pollution flaw in Acrobat and Acrobat Reader on Windows and macOS. Successful exploitation leads to remote code execution and only requires opening a malicious PDF.
Researcher Haifei Li flagged the bug after a sample was uploaded to his platform (EXPMON); the earliest in-the-wild PDF dates to at least December 2025, meaning attackers had at least four months of use before a patch existed. Malware analysts noted that the lures were Russian-language documents themed around oil and gas supply disruption, suggesting a targeted operation.
Two campaigns abusing the Claude brand
April brought a noticeable uptick in malware riding on the Claude brand, in two flavours.
The more visible one was malvertising. Throughout most of April, searching for “claude code install” on Google – and later in the month, “claude desktop install” – reliably returned a sponsored result above the legitimate Anthropic page. The ads pointed to convincing lookalike sites that mimicked Anthropic’s documentation and instructed users to paste a shell command into their terminal – the same install pattern as the official flow, but with the download URL swapped for attacker-controlled infrastructure. The pasted command pulled and executed an infostealer that harvested browser credentials, session cookies, and crypto wallet data. Sponsored placements would get pulled within hours or days, but new ones kept appearing almost daily under fresh advertiser accounts.
Separately, Zscaler documented a campaign exploiting buzz around the accidental Claude Code source-code leak. A threat actor published trojanised GitHub repositories advertised as the leaked source. Archives delivered Vidar v18.7 and GhostSocks, and the malicious repos ranked well in search results for several days.
CVE-2017-0199 phishing wave hitting Lithuania
At the end of April we tracked a phishing wave aimed at Lithuanian organisations, using weaponized Excel documents that exploit CVE-2017-0199, a nine-year-old Office/WordPad logic flaw in OLE2Link handling. The lure was a Lithuanian-language invoice (“Sąskaita faktūra 6336111.xls”) sent to publicly available Lithuanian e-mail addresses, dropping a FormBook payload – a similar campaign was documented by Fortinet in June 2025. We recorded over 100 such e-mails across different sectors, which suggests broad spray rather than targeted selection. All messages sent to Microsoft-hosted mailboxes were quarantined, but we also observed the same phishing landing in personal Gmail inboxes of Lithuanian recipients, where Defender protections didn’t apply. A 2017 CVE still landing in 2026 suggests the operators are betting on a long tail of Lithuanian users running outdated, unpatched Office installs.
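As an added illustration of how a SOC can triage such attachments before they reach a sandbox (this is example code, not the tooling behind our tracking), the heuristic below scans a file for the markers publicly associated with CVE-2017-0199 lures: the "OLE2Link" ProgID and the binary URL moniker CLSID, plus any embedded URL. The two sample documents are constructed inline; the marker set is an assumption drawn from common signature practice, not a full OLE parser.

```python
"""Heuristic triage for CVE-2017-0199-style OLE2Link markers in Office files."""
import re
from dataclasses import dataclass, field

# Markers (assumed heuristic): the OLE2Link ProgID as stored in ASCII or UTF-16LE,
# and the little-endian binary form of the URL moniker CLSID
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}.
OLE2LINK_ASCII = b"OLE2Link"
OLE2LINK_UTF16 = "OLE2Link".encode("utf-16-le")
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature (.xls/.doc)
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")


@dataclass
class ScanResult:
    is_ole: bool                       # file starts with the OLE2 signature
    markers: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.markers)


def scan_bytes(data: bytes) -> ScanResult:
    """Flag OLE2Link / URL-moniker markers and extract any URL next to them."""
    res = ScanResult(is_ole=data.startswith(OLE_MAGIC))
    if OLE2LINK_ASCII in data or OLE2LINK_UTF16 in data:
        res.markers.append("OLE2Link ProgID")
    if URL_MONIKER_CLSID in data:
        res.markers.append("URL moniker CLSID")
    if res.suspicious:  # only pull URLs when a marker hit, to keep noise down
        res.urls = [m.decode("ascii", "replace") for m in URL_ASCII_RE.findall(data)]
        for m in URL_UTF16_RE.findall(data):
            url = m.decode("utf-16-le", "replace")
            if url not in res.urls:
                res.urls.append(url)
    return res


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples (not real malware): a lure carrying both markers and a UTF-16LE
# URL to a placeholder host, and a benign workbook fragment with neither marker.
CONSTRUCTED_LURE = (OLE_MAGIC + b"\x00" * 16 + OLE2LINK_ASCII + URL_MONIKER_CLSID
                    + "http://example.invalid/load".encode("utf-16-le") + b"\x00\x00")
CONSTRUCTED_CLEAN = OLE_MAGIC + b"\x00" * 16 + b"Quarterly figures, see sheet 2"
```

Run scan_file() over a quarantine folder and alert on suspicious results; a hit on a .xls that also carries an external URL is a strong candidate for the FormBook chain described above.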
What else happened in April 2026?
Iranian APT targeting US PLCs. CISA reported on April 7 that threat actors linked to Iran’s IRGC Cyber Electronic Command had been targeting internet-exposed Rockwell/Allen-Bradley PLCs across US public administration, water, and energy since at least March – HMI/SCADA tampering, project-file extraction, and in some cases operational disruption.
Venice flood pumps, allegedly. A group calling itself “Infrastructure Destruction Squad” claimed administrative access to the San Marco flood-defence pumping system on April 12 and offered root access for $600 on Telegram. Whether the claim is true is unclear, but the public-safety angle is what makes it worth tracking.
FortiClient EMS auth bypass. Fortinet pushed an emergency weekend update on April 5 for CVE-2026-35616, a critical improper access-control flaw allowing unauthenticated RCE. Over 2,000 exposed instances were identified globally, mostly in the US and Germany.
SharePoint zero-day (CVE-2026-32201). Microsoft’s April Patch Tuesday included one actively exploited zero-day – a SharePoint spoofing flaw used to view or alter information on internet-connected SharePoint servers. CISA flagged active exploitation and reconnaissance the same week.
Looking ahead
April was mostly familiar tradecraft with fresh polish. The Adobe zero-day was the only genuinely new entry; fake install flows and a 2017 CVE in phishing are patterns we have seen before. What changes is the volume and the brand being abused.
References
This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.