Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Fake Claude Website Distributes PlugX RAT
(TLP: CLEAR) A recently observed campaign is leveraging a fraudulent Anthropic Claude website to distribute a trojanized installer that deploys the long-running PlugX remote access trojan (RAT). According to reporting, the threat actor created a spoofed Claude domain hosting a ZIP archive advertised as a “pro” version of the AI tool. The archive contains an MSI installer that convincingly mimics Anthropic’s legitimate installation flow and even installs the real Claude application, helping the operation evade user suspicion. When the user launches the app via the desktop shortcut, a VBScript dropper executes. It opens the legitimate Claude app in the foreground while silently deploying malware in the background. The script drops three files into the Windows Startup folder, including NOVUpdate.exe, a signed G DATA antivirus updater abused for DLL sideloading. This mechanism loads a PlugX variant that has been used in espionage campaigns for nearly a decade. Within seconds, NOVUpdate.exe initiates a TCP connection to a command-and-control server hosted on Alibaba Cloud. The VBScript writes a batch file to delete itself and the script, minimizing forensic evidence. Only the sideloading components and NOVUpdate.exe persist after infection. The campaign’s infection chain was previously observed in phishing emails using fake meeting invitations, indicating a multi-vector delivery strategy.
(TLP: CLEAR) Comments: PlugX has historical ties to Chinese state-aligned groups, but widespread sharing of its source code complicates attribution. It is important to note that the operators effectively combine a proven sideloading technique with a timely AI-themed social engineering lure, exploiting the rising popularity of tools like Claude to increase victim engagement. Users should remain cautious even when they believe they are visiting a trusted domain, and should verify that the domain actually belongs to the vendor it claims to represent.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://www.securityweek.com/fake-claude-website-distributes-plugx-rat/
FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts
(TLP: CLEAR) On April 13, 2026, the FBI, in partnership with the Indonesian National Police, dismantled the infrastructure associated with W3LL, a globally distributed phishing operation responsible for over $20 million in attempted fraud. Authorities detained the alleged developer, identified as “G.L.,” and seized key domains tied to the scheme. W3LL operated as a full-service Phishing-as-a-Service (PhaaS) platform. First documented by Group-IB in September 2023, the W3LL Store served approximately 500 threat actors, offering the W3LL Panel phishing kit alongside tools specifically designed for Business Email Compromise (BEC) attacks. The kit was commercially accessible at approximately $500. The platform also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections, with over 25,000 compromised accounts estimated to have been sold between 2019 and 2023. From a technical standpoint, W3LL was primarily focused on harvesting Microsoft 365 credentials, employing Adversary-in-the-Middle (AitM) techniques to hijack session cookies and bypass multi-factor authentication. Despite the W3LL Store’s apparent shutdown in 2023, the operation persisted. The developer continued marketing the rebranded toolkit via encrypted messaging platforms, targeting more than 17,000 victims worldwide between 2023 and 2024. Notably, French firm Sekoia identified code reuse from W3LL in the Sneaky 2FA phishing kit, indicating downstream proliferation of W3LL tradecraft across other threat actors.
(TLP: CLEAR) Comments: This takedown is a meaningful win, but the threat isn’t fully eliminated. The criminal tools have already been copied and shared by others, and this group has bounced back from setbacks before — so versions of their software are likely still out there being used. Companies that use two-step login verification (like a text message code) should make sure they’re using a stronger form of it that can’t be tricked by this type of attack.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
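The CISA text above describes DGA detection as tagging domains whose textual attributes (such as high entropy) resemble known DGA output. The following is an added example, not code from the report or from any PDNS vendor, that scores the registrable label of each queried name on entropy, vowel ratio and digit ratio and tags the ones that look machine-generated; the sample domains and the thresholds are constructed for illustration, and a real deployment would use a public-suffix list and tune the thresholds against its own traffic.

```python
import math
from collections import Counter

# Constructed sample query log (not from the report): ordinary domains mixed
# with algorithmically generated lookalikes.
SAMPLE_DOMAINS = ["www.example.com", "mail.google.com", "xk7q9vb2mzt4pl.net",
                  "q1w2e3r4t5y6u7i8.biz", "cdn.jsdelivr.net", "zfpqlmvxtwk.org"]
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    """Bits per character of the text's own symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label suffix (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(domain: str) -> dict:
    """Textual attributes of the registrable label that the heuristic scores."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
    }

def is_dga_like(domain: str, min_len: int = 7, entropy_threshold: float = 3.5,
                max_vowel_ratio: float = 0.2, min_digit_ratio: float = 0.3) -> bool:
    """Tag labels that look machine-generated: high entropy, vowel-starved or digit-heavy.
    Labels shorter than min_len are skipped: short brand names and acronyms (e.g. 4-letter
    ones with no vowels) would otherwise trip the vowel rule."""
    f = dga_features(domain)
    if len(f["label"]) < min_len:
        return False
    return (f["entropy"] >= entropy_threshold
            or f["vowel_ratio"] <= max_vowel_ratio
            or f["digit_ratio"] >= min_digit_ratio)

def flag_dga_domains(domains) -> list:
    """Domains a PDNS-style filter would tag for DGA review, in input order."""
    return [d for d in domains if is_dga_like(d)]
```

Note that `zfpqlmvxtwk.org` falls just under the entropy threshold and is caught only by the vowel rule, which is why the heuristic combines several attributes rather than relying on entropy alone.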
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2026/04/fbi-and-indonesian-police-dismantle.html
Basic-Fit Data Breach Exposes Millions of Users Across Multiple Countries
(TLP: CLEAR) Basic-Fit, Europe’s largest budget fitness chain by club count, has confirmed a data breach affecting approximately 1 million members across multiple countries, with around 200,000 members in the Netherlands alone impacted by unauthorized access to its membership systems. The breach specifically targeted the system Basic-Fit uses to register member visits at its fitness clubs, not its broader infrastructure. The unauthorized access was stopped within minutes of detection, but not before threat actors had already downloaded a significant volume of member data. Franchise operations in six additional countries, which use a separate system, were confirmed unaffected.
Compromised data includes full names, home addresses, email addresses, phone numbers, dates of birth, bank account details, and membership information including subscription type, payment status, and recently visited gym locations. No identity documents or passwords were accessed. In compliance with GDPR obligations, Basic-Fit formally notified the Dutch Data Protection Authority of the breach, and all affected members have reportedly been directly informed. The threat actors responsible have not been identified, and investigations remain ongoing. This incident is part of a broader pattern: a wave of major data incidents has hit the Netherlands in 2026, including telecom firm Odido’s exposure of 6.2 million customers’ records.
(TLP: CLEAR) Comments: This breach is more dangerous than it looks at first glance. Most people think of a data breach as just an email and password being stolen. This one is worse — criminals walked away with your bank account number, home address, phone number, and the gyms you regularly visit. That combination is a goldmine for fraud and impersonation.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.
Source: https://cybersecuritynews.com/basic-fit-data-breach/
Rockstar’s GTA Game Hacked – Attackers Published 78.6 Million Records Online
(TLP: CLEAR) Rockstar Games confirmed a data breach after the notorious hacking group ShinyHunters exploited a third-party integration to access the company’s internal Snowflake data warehouse, ultimately leaking over 78.6 million records on April 14, 2026. The breach did not stem from a direct attack on Rockstar’s infrastructure. Instead, ShinyHunters leveraged Anodot, an AI-powered cloud cost monitoring and analytics SaaS platform that Rockstar uses to manage its digital infrastructure. Attackers extracted authentication tokens from Anodot’s systems, allowing them to impersonate a legitimate internal service and silently traverse into Rockstar’s connected Snowflake data warehouse. Critically, no vulnerability in Snowflake itself was exploited — the stolen tokens granted access that appeared entirely legitimate, initially evading detection. Anodot had flagged connectivity issues as early as April 4, noting its data collectors were offline across regions including Snowflake, Amazon S3, and Amazon Kinesis — suggesting the compromise was underway before Rockstar became aware. On April 11, ShinyHunters issued a ransom demand via their dark web leak site. When Rockstar declined to pay, the group published the full dataset. The leaked archive contains 78.6 million records described as a multi-domain analytics dataset covering GTA Online and Red Dead Online, including detailed revenue figures, platform metrics, and player activity data. No player passwords, payment details, personally identifiable information, source code, or GTA 6 development assets were part of the leak. ShinyHunters has previously breached Ticketmaster, AT&T, Microsoft, and Cisco using similar supply-chain vectors.
(TLP: CLEAR) Comments: ShinyHunters is not a one-off threat. This is a well-established criminal group with a long track record of high-profile breaches. Their continued success using the same method — compromising a supplier to reach the real target — suggests many organizations still haven’t closed this gap in their defenses.
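The story above turns on stolen integration tokens whose use looked legitimate to the data warehouse. One practical check for that failure mode is to baseline each third-party service identity on where and how it normally connects and flag later logins that deviate. The following is an added example, not code from the report, from Rockstar, Anodot or Snowflake; the login records, field names, service user name and client strings are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed login records (not real Snowflake or Anodot telemetry; field names are
# assumed). The integration's service identity normally connects from the vendor's
# collector range 203.0.113.0/24; the mid-April rows model a token used from elsewhere.
LOGIN_EVENTS = [
    {"ts": "2026-04-01T02:00Z", "user": "SVC_COST_ANALYTICS", "ip": "203.0.113.10", "client": "vendor-collector"},
    {"ts": "2026-04-02T02:00Z", "user": "SVC_COST_ANALYTICS", "ip": "203.0.113.11", "client": "vendor-collector"},
    {"ts": "2026-04-03T02:00Z", "user": "SVC_COST_ANALYTICS", "ip": "203.0.113.10", "client": "vendor-collector"},
    {"ts": "2026-04-09T14:37Z", "user": "SVC_COST_ANALYTICS", "ip": "198.51.100.77", "client": "cli-shell"},
    {"ts": "2026-04-09T14:41Z", "user": "SVC_COST_ANALYTICS", "ip": "198.51.100.77", "client": "cli-shell"},
    {"ts": "2026-04-10T02:00Z", "user": "SVC_COST_ANALYTICS", "ip": "203.0.113.12", "client": "vendor-collector"},
]
BASELINE_CUTOFF = "2026-04-08"  # ISO-8601 strings in one format compare lexicographically

def network_of(ip: str, prefix: int = 24) -> str:
    """Collapse a source address to its /24 so small vendor address churn stays in-profile."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def build_profile(events, cutoff=BASELINE_CUTOFF) -> dict:
    """Per service user: the source networks and client strings seen before the cutoff."""
    profile = defaultdict(lambda: {"nets": set(), "clients": set()})
    for e in events:
        if e["ts"] < cutoff:
            profile[e["user"]]["nets"].add(network_of(e["ip"]))
            profile[e["user"]]["clients"].add(e["client"])
    return profile

def find_anomalies(events, cutoff=BASELINE_CUTOFF) -> list:
    """Post-cutoff logins that deviate from the learned profile, with the reasons."""
    profile = build_profile(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        p = profile.get(e["user"])  # .get() does not create a default entry
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            net = network_of(e["ip"])
            if net not in p["nets"]:
                reasons.append(f"new source network {net}")
            if e["client"] not in p["clients"]:
                reasons.append(f"new client {e['client']}")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings
```

A valid token presented from an unexpected network or client is exactly the signal a credential check alone cannot produce, so this kind of profile is worth keeping for every vendor integration that holds standing access.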
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines, using defined categories (including botnet Command and Control (C2)) as well as machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.
Source: https://cybersecuritynews.com/malicious-telegram-download-site/
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.