Threat Briefing: April 17, 2026

April 17, 2026

Threat Intel Update

Recent threat intelligence reveals a surge in attacks exploiting trusted platforms to bypass security controls. Over 100 malicious Chrome extensions were found harvesting credentials and session tokens, while a separate campaign used fake Obsidian plugins to deploy a RAT targeting finance and crypto users, demonstrating how easily legitimate tools can be weaponized.

On the enforcement side, Operation PowerOFF dismantled 53 DDoS-for-hire services used by tens of thousands of cybercriminals. Meanwhile, the rise of EDR-killer tools using BYOVD techniques is enabling ransomware attackers to disable endpoint protections at the kernel level, underscoring the need for layered defenses and proactive monitoring.

Cybersecurity News

  • 100+ Malicious Chrome Extensions Caught Stealing Data – Over 100 Chrome extensions, disguised as tools like Telegram clients and gaming apps, were found harvesting Google credentials and hijacking Telegram sessions. Users should uninstall any suspicious extensions and secure their accounts immediately. (Source: The Hacker News)
  • Obsidian Exploited to Deploy RAT Against Crypto and Finance Users – A social engineering campaign tricked victims via LinkedIn and Telegram into accessing a malicious Obsidian vault, which executed a RAT called PHANTOMPULSE through trusted plugins. The attack leveraged AI-generated backdoors and blockchain-based command-and-control to evade detection. (Source: The Hacker News)
  • Operation PowerOFF Takes Down 53 DDoS-for-Hire Sites – A 21-country operation seized 53 domains tied to DDoS-for-hire services, disrupting infrastructure used by over 75,000 cybercriminals. Four individuals were arrested, and law enforcement issued warnings to known participants. (Source: CyberScoop)
  • Fake Claude Website Used to Distribute PlugX RAT – A spoofed Anthropic Claude website lured users to download a ZIP file posing as a pro version of Claude, which silently installed the PlugX RAT alongside the real app. The campaign highlights the growing risk of AI-themed phishing and social engineering. (Source: SecurityWeek)
  • EDR-Killer Tools Are Making Ransomware Harder to Stop – Nearly 90 EDR-killer tools are now available on underground markets, using BYOVD techniques to disable endpoint protections at the kernel level. Experts recommend layered defenses and credential monitoring, as traditional blocklists alone are insufficient. (Source: Dark Reading)

About the Author

CampusGuard Threat Intel Team