April 11, 2026 • 5 min read
IT Security Roundup — April 11, 2026
Critical FortiClient EMS Zero-Day Actively Exploited
VULNERABILITY
Fortinet has issued emergency patches for CVE-2026-35616, a critical vulnerability in FortiClient Enterprise Management Server (EMS) with a CVSS score of 9.1. The flaw, classified as an improper access control vulnerability, enables unauthenticated attackers to execute unauthorized code on affected systems. watchTowr’s Attacker Eye sensors first detected exploitation attempts on March 31, several days before Fortinet published its advisory on April 4.
Affected versions include FortiClient EMS 7.4.5 through 7.4.6. Simo Kohonen from Defused Cyber and Nguyen Duc Anh have been credited with discovering and reporting the vulnerability. Organizations running FortiClient EMS are urged to apply the emergency hotfix immediately, as exploitation activity has been observed across multiple honeypot networks and is believed to be widespread.
Russian APT28 Group Compromises SOHO Routers for Espionage
CYBER ESPIONAGE
British security officials have revealed that APT28, a threat group linked to Russia’s military intelligence service (GRU), is conducting a broad cyber espionage campaign by compromising Small Office and Home Office (SOHO) routers. The group exploits vulnerabilities in older router firmware to gain persistent access, using the compromised devices as proxies to spy on traffic and infiltrate target networks.
Microsoft has published detailed technical analysis of the attack chain, which involves exploiting known vulnerabilities in routers from multiple manufacturers. The compromised routers are used to establish a covert infrastructure that masks the origin of subsequent attacks. The campaign highlights the ongoing risk posed by unpatched consumer and small business network equipment when targeted by well-resourced state actors.
Dutch Healthcare Software Giant ChipSoft Hit by Ransomware
RANSOMWARE
ChipSoft, a Netherlands-based software company that provides patient record systems to the majority of Dutch healthcare facilities, was targeted by a ransomware attack on April 7. The company’s website and public-facing services went offline following the incident. Z-CERT, the Dutch healthcare cybersecurity response team, confirmed the attack and is coordinating the response.
The full extent of data compromise remains under investigation. Given ChipSoft’s central role in the Dutch healthcare IT infrastructure, the attack raises significant concerns about the cascading impact on hospital operations and patient data security across the Netherlands. The incident underscores the growing trend of ransomware groups targeting critical healthcare technology providers.
Iranian APT Actors Target US Industrial Control Systems
CRITICAL INFRASTRUCTURE
Iran-affiliated advanced persistent threat actors are actively exploiting internet-facing operational technology devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation and Allen-Bradley, across multiple US critical infrastructure sectors. The attackers manipulate project files and alter data on human-machine interfaces (HMIs) and supervisory control systems.
The campaign has resulted in PLC disruptions across energy, manufacturing, and water treatment facilities. Security agencies have issued advisories urging organizations with exposed OT devices to implement network segmentation, enforce strong authentication, and monitor for anomalous traffic on industrial control networks. The activity represents a significant escalation in targeting of American industrial systems by Iranian state-sponsored groups.
Fake Microsoft Support Site Distributes Password-Stealing Malware
MALWARE
Malwarebytes Labs researchers have identified a sophisticated phishing campaign using a fake Microsoft support website designed to trick users into downloading what appears to be a legitimate Windows update. The site, hosted at a domain mimicking Microsoft’s support infrastructure, instead delivers malware engineered to steal passwords, payment card details, and session credentials from infected systems.
The malware is particularly dangerous because the payload is designed to evade detection by both users and conventional security tools. The file appears legitimate in size, name, and metadata, allowing it to bypass many endpoint protection solutions. Users are advised to download updates only through Windows Update or the official Microsoft website, and to verify URLs carefully before downloading any software.
ZY Media Productions