Cyber Intelligence Daily — Apr 23, 2026
Thursday, April 23, 2026
The Big Picture
Today is a day about infrastructure trust collapsing in three different directions at once. North Korea's Lazarus Group stole $290 million from KelpDAO not by breaking a smart contract but by poisoning the RPC nodes that verify whether transactions are real — its second nine-figure DeFi heist this month. Mozilla shipped Firefox 150 with 271 vulnerabilities found by Anthropic's restricted Claude Mythos model in a single pass, and on the same day Russian researchers reported unauthorized users had already bypassed Mythos's access controls. And a new malware strain called ZionSiphon, designed to manipulate chlorine dosing at Israeli desalination plants, is sitting one bug-fix away from being operational.
What Just Dropped
- CVE-2026-33825 — Microsoft Defender (antimalware platform versions before 4.18.26050.3011): patched April 14, now confirmed actively exploited; CISA added it to KEV on April 23. Privilege-escalation flaw ("BlueHammer") that lets a low-privileged attacker extract SAM password hashes and escalate to SYSTEM. Federal patch deadline: May 6.
- CVE-2026-32201 — SharePoint Enterprise Server 2016 / 2019 / Subscription Edition: patched April 14, in KEV, actively exploited. Shadowserver counts 1,300+ internet-exposed servers still unpatched. CISA federal deadline: April 28.
- ZionSiphon malware — OT-focused malware targeting Mekorot and four Israeli desalination plants (Sorek, Hadera, Ashdod, Palmachim) plus Shafdan. Currently non-functional due to a string-comparison bug in the malware's own targeting logic; a fixed variant would be weaponized.
- Adobe emergency patch, CVSS 10.0 (SecurityLab Telegram) — Russian-language reporting flags an emergency Adobe fix with public exploit code in circulation. No vendor advisory URL confirmed in English-language press yet; treat as a watch item and verify against Adobe's PSIRT feed before acting.
- Cisco SD-WAN CVE-2026-20127 — Authentication bypass being chained with the older CVE-2022-20775 privilege escalation for persistence on SD-WAN systems. Subject of a fresh Five Eyes joint advisory.
Today's Stories
North Korea Just Stole $290 Million From a Crypto Bridge — And It's Their Second Heist This Month
● Pyongyang, North Korea · South Korea
Most crypto heists break the smart contract. This one broke the infrastructure that checks whether the smart contract is telling the truth.
On Saturday, attackers drained roughly $290 million from KelpDAO, a liquid restaking platform on Ethereum where users deposit ETH and receive a token called rsETH that can be used across other DeFi protocols. The damage radiated fast: Compound, Euler, and Aave were all affected, with Aave freezing new deposits and borrowing against rsETH as collateral. LayerZero's postmortem attributed the attack to North Korea's Lazarus Group, and laid out a mechanism that should make every cross-chain protocol architect sweat. The attackers compromised two RPC nodes — the servers that relay blockchain data — and used a DDoS attack to force failover onto the poisoned ones, which then convinced LayerZero's verifier to approve a fraudulent cross-chain transaction.
LayerZero placed responsibility squarely on KelpDAO's configuration, noting that the protocol had run a single-verifier setup despite prior warnings. In LayerZero's words, "a properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised."
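The single-verifier versus multi-DVN point above, as an added illustration that is not LayerZero's or KelpDAO's code: a toy verifier that approves a cross-chain message only when a required number of DVNs attest to the same payload hash. The payloads, DVN names and the "poisoned view" model of a compromised upstream RPC feed are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed cross-chain messages (not the real KelpDAO transactions).
REAL_PAYLOAD = b"bridge 1 rsETH to chain B"
FORGED_PAYLOAD = b"bridge 290000000 rsETH to chain B"

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class DVN:
    """A verifier node. `poisoned_view` models what a compromised upstream
    RPC node shows this DVN instead of the real source-chain payload."""
    name: str
    poisoned_view: Optional[bytes] = None

    def attest(self, real_payload: bytes) -> str:
        seen = self.poisoned_view if self.poisoned_view is not None else real_payload
        return payload_hash(seen)

def verify(delivered: bytes, real_payload: bytes, dvns: List[DVN], required: int) -> bool:
    """Approve `delivered` only if at least `required` DVNs attest to its hash."""
    target = payload_hash(delivered)
    matching = sum(1 for d in dvns if d.attest(real_payload) == target)
    return matching >= required

def run_scenarios() -> dict:
    poisoned = DVN("dvn-a", poisoned_view=FORGED_PAYLOAD)  # fed by the poisoned RPC
    honest = [DVN("dvn-b"), DVN("dvn-c")]                 # independent RPC feeds
    return {
        # Single-verifier configuration: one compromised DVN is enough.
        "single_dvn_forged_approved": verify(FORGED_PAYLOAD, REAL_PAYLOAD, [poisoned], 1),
        # 2-of-3 configuration: the forged message cannot reach a quorum ...
        "quorum_forged_approved": verify(FORGED_PAYLOAD, REAL_PAYLOAD, [poisoned] + honest, 2),
        # ... while the genuine message still passes on the two honest attestations.
        "quorum_real_approved": verify(REAL_PAYLOAD, REAL_PAYLOAD, [poisoned] + honest, 2),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'APPROVED' if ok else 'REJECTED'}")
```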
What changes if this succeeds as a template: RPC poisoning could become the preferred entry point into DeFi, because it sidesteps the hardened smart-contract attack surface entirely and instead targets the softer operational layer — servers, failover logic, verifier trust. KelpDAO is Lazarus's second nine-figure DeFi theft this month, following the $285 million Drift Protocol attack on April 1, bringing the group's April haul above $575 million. According to Bitget's reporting, more than $13 billion was wiped from DeFi's total value locked in the 48 hours after the breach, and Jefferies has warned that heists of this magnitude could slow Wall Street's appetite for tokenization projects.
What failure looks like — and what to watch: If LayerZero's forced migration to multi-DVN configurations gets adopted quickly across major protocols, this becomes a painful but contained episode. If it doesn't, expect a third nine-figure heist before May, now that the playbook is public.
The U.N. panel that tracked North Korean sanctions evasion before being disbanded estimated that illicit cyber activity funds roughly 40% of Pyongyang's weapons programs. $575 million in a month is not a rounding error on that equation.
Firefox 150 Just Patched 271 Vulnerabilities — All Found by an AI in One Pass
● United Kingdom
The most important cybersecurity story of the week isn't a breach. It's a preview.
Since February, Mozilla has been running frontier AI models against the Firefox codebase. An earlier collaboration with Anthropic using Claude Opus 4.6 produced fixes for 22 security-sensitive bugs in Firefox 148. This week's Firefox 150 release includes fixes for 271 vulnerabilities identified by an early version of Claude Mythos Preview in a single evaluation pass. The public security advisory credits Claude with only three specific CVEs — CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758 — which means the remaining 268 are likely defense-in-depth fixes, hardening work, or bugs in code paths that didn't meet the bar for individual CVE assignment. Mozilla was careful to note that none of the bugs were beyond what a skilled human researcher could find. The point is that no human team could find 271 of them in a sprint.
What changes if this holds up: The bottleneck of software security shifts from finding bugs to fixing them and assigning them. Palo Alto Networks, one of the partners in Anthropic's restricted rollout program "Project Glasswing," reported getting roughly a year's worth of pentesting value in under three weeks. Launch partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. That list is a map of the companies who get to find the bugs first — and the ones who don't.
What failure looks like: The UK's AI Security Institute evaluated Mythos and found it could complete a 32-step corporate network attack simulation in three of ten attempts, chaining small vulnerabilities into full intrusions, reconstructing source code from compiled binaries, and building custom lateral-movement tooling. Anthropic declined to release the model publicly for exactly this reason. Then, per reporting from Xakep.ru, unauthorized users reached Mythos Preview on roughly the same day as the Project Glasswing announcement by guessing the model's URL through a third-party vendor environment. If that report holds up, the dual-use window opened on day one. Watch for two signals: whether other Glasswing partners publish Mythos-assisted findings (forcing emergency patches across the stack), and whether any malware family starts showing the fingerprints of autonomous vulnerability discovery in the wild.
Update Firefox. Then keep reading.
ZionSiphon: The Malware Built to Poison a City's Water Supply
● Palestine · Israel · Yemen · Iran
Most malware wants your data or your money. ZionSiphon wants to change the chlorine level in your tap water.
Darktrace's analysis, corroborated by SecurityWeek, BleepingComputer, and Hackread, documents a malware strain with hardcoded references to Mekorot, Israel's national water company, and four of Israel's five major desalination plants — Sorek, Hadera, Ashdod, and Palmachim — plus Shafdan, the country's central wastewater reclamation facility. On target match, ZionSiphon attempts to tamper with ICS configuration files, appending entries like Chlorine_Dose=10, Chlorine_Pump=ON, Chlorine_Flow=MAX, and RO_Pressure=80 (reverse osmosis pressure). Applied to a real system, those values could make water unsafe to drink.
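A defender-side check for the tampering described above, as an added example that is not Darktrace's or any vendor's code: an audit that reads an INI-style ICS configuration file and flags duplicate keys appended after the originals, numeric values outside plant limits, and manual override values. The file format, the sample file and the operating limits are constructed assumptions; the appended keys and values are the ones reported for ZionSiphon.

```python
import re
from typing import Dict, List, Tuple

# Constructed INI-style config: the last four entries mirror ZionSiphon's appends.
SAMPLE_CONFIG = """\
[dosing]
Chlorine_Dose=1.5
Chlorine_Pump=AUTO
Chlorine_Flow=2.0
[membranes]
RO_Pressure=55
# --- lines below are what the malware appends ---
Chlorine_Dose=10
Chlorine_Pump=ON
Chlorine_Flow=MAX
RO_Pressure=80
"""

# Assumed operating bounds; real limits come from the plant's process engineers.
LIMITS: Dict[str, Tuple[float, float]] = {"Chlorine_Dose": (0.0, 4.0), "RO_Pressure": (40.0, 70.0)}
# Values that force a manual override of automatic control.
OVERRIDES: Dict[str, set] = {"Chlorine_Pump": {"ON"}, "Chlorine_Flow": {"MAX"}}

def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, reason) for every suspicious entry in the file."""
    findings: List[Tuple[int, str, str]] = []
    seen: Dict[str, int] = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":          # blank, comment or section header
            continue
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key in seen:                            # appended duplicate, usually wins on parse
            findings.append((no, key, f"duplicate of line {seen[key]}"))
        seen[key] = no
        if key in LIMITS:
            lo, hi = LIMITS[key]
            try:
                v = float(val)
            except ValueError:
                findings.append((no, key, f"non-numeric value {val!r}"))
                continue
            if not lo <= v <= hi:
                findings.append((no, key, f"{v} outside [{lo}, {hi}]"))
        if key in OVERRIDES and val.upper() in OVERRIDES[key]:
            findings.append((no, key, f"manual override value {val!r}"))
    return findings
```

Run against the sample, every finding lands on the four appended lines; in practice the check belongs in a file-integrity monitor on the engineering workstation that writes these files.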
What's keeping ZionSiphon from doing damage right now: its own targeting logic is broken. Darktrace found that the sample compares an encoded value against a transformation of the string "Israel" that never produces the expected result — so the comparison fails every time and the payload never activates. BleepingComputer summarized it bluntly: "all that's needed to unlock both [intent and damage] is to fix a minor verification error."
What to watch: the actors identified themselves as 0xICS in embedded strings, and the political messaging references Iran, Palestine, and Yemen. Darktrace has not formally attributed the malware to a state actor, but Iranian targeting of Israeli water infrastructure is a well-established pattern. A functional variant — one where someone debugs the string comparison — is the signal that turns this from an intelligence story into a crisis.
Iranian Hackers Are Scanning Security Cameras to Guide Missile Strikes
● Bahrain · Israel · Kuwait · Tehran, Iran · Qatar · UAE
Internet-of-things devices used to get recruited into DDoS botnets. Now they're being recruited into targeting cells.
Risky Business reported a sudden spike in scanning activity targeting internet-exposed Hikvision and Dahua security cameras across Israel and surrounding countries — Qatar, Bahrain, Kuwait, the UAE, and Cyprus. The Iranian-linked actors behind the scans are hijacking the devices to gather street-level imagery, according to the reporting, for purposes including missile targeting support and post-strike damage assessment.
What changes if this becomes standard: cheap IP cameras become a kinetic intelligence asset. A convenience-store camera in Haifa is now a potential input to a targeting cell in Tehran, which collapses the distinction between "cyber hygiene" and "physical safety" for any operator near critical infrastructure. What failure looks like for defenders: continued exposure. The devices in question are often running firmware that hasn't been updated in years, on networks that were never segmented because nobody thought the camera in the parking lot mattered. If you run external cameras near critical infrastructure, segment them behind a VPN, patch them, or pull them off the public internet entirely. This is no longer hypothetical.
⚡ What Most People Missed
Vercel's breach investigation widened this morning. Vercel's official incident bulletin, updated within the last hour, confirms the company has expanded its scope of affected customers beyond the initial disclosure. Environment variables on Vercel routinely hold API keys, database strings, and OAuth secrets — the kind of material that pivots into entirely separate systems. If you ship on Vercel, rotate now; don't wait for a customer-specific notification.
Lazarus launched a macOS campaign in the same week as the KelpDAO heist. According to CertiK research reported by CoinDesk, the group is running a campaign dubbed "Mach-O Man" that targets executives at fintech and crypto firms through fake online meetings. The ClickFix social-engineering technique instructs victims to paste a terminal command to "fix a connection issue," which grants attackers access. Researchers note the modular malware kit is now being used by groups beyond Lazarus and often erases itself before victims realize anything happened.
More than 1,300 SharePoint servers are still exposed to CVE-2026-32201. Microsoft patched it April 14, CISA gave federal agencies until April 28, and Shadowserver's scan data shows fewer than 200 exposed systems were fixed in the first week. This isn't an exploit story — it's an attack-surface-lag story, and the CISA deadline is five days out.
Microsoft documented Medusa-linked Storm-1175 exploiting CVE-2025-10035 in Fortra GoAnywhere MFT a full week before public disclosure. Microsoft's April 6 threat-intel post confirmed the pre-disclosure exploitation window. The traditional "patch after disclosure" containment model is actively corroding — operators with exposed file-transfer services should assume probing begins the moment a fix is announced, not when details become public.
LLM agents are now autonomously writing working PoCs for Node.js zero-days. A new preprint (arXiv 2604.20179) describes a pipeline called LLMVD.js that scanned 260 recent NPM packages and produced working proof-of-concept exploits for 36 previously unknown issues, with 84% confirmation accuracy on benchmarks. The gap between "undisclosed vulnerability in an NPM package" and "working exploit published" is shrinking toward zero for JavaScript supply chains.
From the Foreign Press
Unknown actors gained access to Anthropic's restricted Claude Mythos model
● United Kingdom
Russian specialist outlet Xakep reports that unidentified enthusiasts obtained access to Claude Mythos Preview — the restricted model Anthropic made available only to Project Glasswing partners — and, at least briefly, used it in ways that effectively bypassed its safety guardrails. Per Xakep, access was obtained through a third-party vendor environment by guessing the model's URL. Read alongside the Firefox 150 story, where the UK AI Security Institute described the same model as capable of autonomously completing multi-stage corporate network attacks, this is the more operationally significant detail of the week. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0247 targeting hospitals, local authorities, and FPV drone operators
● Ukraine
Ukraine's national CERT published a fresh advisory on the UAC-0247 cluster (also tracked as UAC-0244) documenting a March–April surge against Ukrainian clinical hospitals, emergency services, municipal bodies, and operators of first-person-view drones. The toolset includes CHROMELEVATOR for browser credential extraction, ZAPIXDESK for WhatsApp data theft, RUSTSCAN for reconnaissance, LIGOLO-NG and CHISEL for tunneling, and a new backdoor called AGINGFLY delivered via DLL side-loading. The lure is humanitarian-aid-themed phishing. CERT-UA recommends restricting LNK, HTA, and JavaScript execution and limiting mshta.exe and PowerShell. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If a functional ZionSiphon variant surfaces, it means someone fixed a single string-comparison bug in the malware's targeting logic — and Israeli water utilities move from "studied threat" to "active incident."
- If other Project Glasswing partners publish Mythos-assisted findings in the next two weeks, expect an unusual wave of emergency patches across the major vendors on that list, and triage pipelines straining under the volume.
- If Shadowserver's SharePoint exposure count stays above 1,000 through April 28, expect ransomware intrusion reports tied to CVE-2026-32201 before May — the KEV deadline exists because exploitation is already occurring.
- If LayerZero's multi-DVN requirement isn't adopted across major DeFi bridges quickly, Lazarus has a repeatable playbook and April's $575 million tally is a floor, not a ceiling.
- If Chinese state media keeps amplifying Iran's unverified "US backdoor" claims through CVERC, it signals Beijing is building a durable counter-narrative to use against future Five Eyes attribution of Volt Typhoon and Salt Typhoon activity.
The Closer
A string-comparison bug is all that stands between a city's tap water and a political message; a model built to find vulnerabilities found 271 of them in one sitting and then got out of its own cage the same week; and two RPC nodes and a DDoS were enough to convince a cross-chain verifier that $290 million wasn't actually $290 million. The most consequential sentence in today's issue is the one nobody quoted: Lazarus stole half a billion dollars this month while shifting away from attacking smart contracts, which should tell you where every other North Korean operator is about to start looking. Stay segmented.
Forward this to the one developer you know who still keeps production keys in a .env file on Vercel.