<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-04-02</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🔓</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FmJeGkR/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/txjXH3I3Qx9L3dWca4np4EKUJ1ytN-xvK_gNj7e1o1k=451">
<span>
<strong>Lloyds Data Security Incident Impacts 450,000 Individuals (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A faulty software update deployed by Lloyds Banking Group on March 12 exposed mobile banking transaction data to other users for under five hours. Of 1.67 million users logged in during that time, 447,936 had their transactions exposed. Up to 114,182 clicked through to individual transactions, potentially viewing sort codes, account numbers, and National Insurance numbers.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftakeonme.org%2Fcves%2Fcve-2026-4946%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/dCvc2UPob14Tc4BQmaVC9GABiu909Lr-OsbTIrvST6o=451">
<span>
<strong>CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
CVE-2026-4946 (CVSS 8.8, CWE-78) is a command injection vulnerability in NSA Ghidra versions prior to 12.0.3. The {@execute} annotation directive, which is parsed from user-authored comments, is also applied to auto-generated comments derived from analyzed binaries, including CFStrings extracted from Mach-O files by CFStringAnalyzer. A threat actor can embed {@execute} payloads directly into compiled binaries; in the Listing view they render as innocuous clickable labels, such as "View License," and clicking one triggers arbitrary command execution via ProcessBuilder with no confirmation dialog. Malware analysts, incident responders, and vulnerability researchers should upgrade to Ghidra 12.0.3 immediately: this attack vector specifically targets forensic environments and can pivot from an analyzed sample to a full compromise of the analyst workstation, including SSH key exfiltration, secondary payload delivery, and persistent backdoors.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftechcrunch.com%2F2026%2F04%2F01%2Fhasbro-hacked-may-take-several-weeks-to-recover%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/aPslmL4kH2F3I4-Z6-tfHtp1xZaixc47IT_jYWBSEbA=451">
<span>
<strong>Hasbro says it was hacked, and may take 'several weeks' to recover (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Hasbro filed an SEC disclosure on April 1 confirming a cyberattack detected on March 28. The company took systems offline and is running continuity plans to keep orders and shipments moving. Hackers may still be inside the network as Hasbro is still "implementing measures to secure" operations.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ffortgale.com%2Fblog%2Fdefence%2Foperation-storming-tide%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/o301ybm2HBelpyT2Y10Fbe4htGFVytLnx-Y9xZdL6QI=451">
<span>
<strong>Operation Storming Tide: A massive multi-stage intrusion campaign (15 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Mora_001, a Russian-nexus threat actor previously attributed to SuperBlack ransomware, was linked by Fortgale IR to a coordinated multi-group campaign ("Storming Tide") targeting Fortinet perimeter appliances via CVE-2024-55591 and CVE-2025-24472, establishing persistent VPN tunnels via the forticloud-sync service account before entering months-long dormancy to evade detection. The attack chain progressed from Matanbuchus 3.0 (MaaS loader using ChaCha20+Protobuf C2) to Astarion RAT (RSA-encrypted, in-memory PowerShell execution) and SystemBC (SOCKS5 proxy for C2 obfuscation), with RClone staged for exfiltration to S3-compatible storage — marking the first publicly documented Matanbuchus-to-SystemBC delivery chain. Defenders should hunt for the forticloud-sync/forticloud-tech accounts on FortiGate devices, monitor for jli.dll DLL side-loading under java.exe in C:\ProgramData\USOShared, and treat JavaUpdate or JavaMainUpdate scheduled tasks as high-confidence compromise indicators. IOCs include C2 IPs 213.226.113[.]74 and 86.106.143[.]137 and domain www[.]ndibstersoft[.]com.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fphishu.net%2Fblogs%2Fblog-calendar-event-phishing-in-the-phishu-framework.html%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/rBH55R4toqtwmXFDbmXwSsn5biSzaySAnVbCgcmGcoY=451">
<span>
<strong>Calendar Event Phishing in the PhishU Framework (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Calendar invites bypass users' skepticism towards emails by appearing as native Outlook or Gmail events, complete with title, time, location, and reminders. The PhishU Framework introduces a premium Calendar Event Invite template featuring a dedicated editor, AI-generated content, ICS delivery via text/calendar with method=REQUEST, and embedded tracked links within the event body. After a campaign concludes, built-in training displays the exact invite the recipient received, including organizer info and suspicious domains, in a calendar-style view. This provides operators with a streamlined workflow for authoring, delivery, and remediation, eliminating the need to manually create ICS files.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsecurelist.com%2Fcrystalx-rat-with-prankware-features%2F119283%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/oC4ainPPQIWTDbXRkEsXC6dVfWdf-i0H5vyOSMsnaU4=451">
<span>
<strong>A laughing RAT: CrystalX combines spyware, stealer, and prankware features (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Security Researcher GReAT discovered CrystalX RAT, a Go-based MaaS Trojan promoted via private Telegram chats that combines a keylogger, WebSocket-based C2, credential stealer, crypto clipper injected through Chrome DevTools Protocol, VNC, microphone/webcam capture, and a "Rofl" prankware module into a single tiered-subscription platform. Implants are compressed with zlib and encrypted with ChaCha20, and the malware actively patches AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump to evade detection and complicate forensic analysis. Defenders should block C2 domains webcrystal[.]lol, webcrystal[.]sbs, and crystalxrat[.]top, and hunt for malicious extensions dropped to %LOCALAPPDATA%\Microsoft\Edge\ExtSvc and ChromeElevator invocations from %TEMP%\svc[rndInt].exe.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑‍💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fcisco-ai-defense%2Fdefenseclaw%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/wTOg0RvB-rONDpIcZgueA5MVwXL1BpQGIenv9bydSvU=451">
<span>
<strong>DefenseClaw (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
DefenseClaw is a Cisco AI Defense governance layer for OpenClaw agentic AI deployments that enforces a scan-before-run policy across skills, MCP servers, plugins, and generated code, blocking HIGH/CRITICAL findings automatically while logging all outcomes to a SQLite audit store with SIEM export. It ships three runtimes — a Python CLI, a Go gateway, and a TypeScript OpenClaw plugin — covering pre-admission scanning via skill-scanner/mcp-scanner/aibom, a CodeGuard static analysis engine (hardcoded secrets, command injection, unsafe deserialization, SQLi, path traversal), and a runtime guardrail proxy that intercepts LLM prompts and tool calls for secrets, PII, C2 patterns, and prompt injection. SIEM integration supports Splunk HEC and OTLP export to Jaeger, Grafana, and Datadog. An optional NVIDIA OpenShell sandbox adds Linux namespace, Landlock, and seccomp-BPF isolation.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fdepthfirst.com%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/veFhJVta9mkGu1gGJE-FKRZL5d1aSKd8UmCU4MmVGvM=451">
<span>
<strong>Depthfirst (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Depthfirst is an applied AI lab targeting software and infrastructure security. They have launched Dfs-mini1, a security model trained on smart contract vulnerabilities.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fthecnical%2Fcybermind%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/NA0LYjkmrZuZYLxdQvLdz7_BE_Tg1bJCVd4T7LkAUgE=451">
<span>
<strong>CyberMind (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
CyberMind is an open-source, AI-powered cybersecurity CLI tool built for Kali Linux professionals, ethical hackers, penetration testers, and bug bounty hunters. It connects to a powerful multi-provider AI backend powered by 9 AI providers and 25+ models running in parallel, delivering the fastest possible response every time.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🎁</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Frmoskovy.github.io%2Fposts%2Fwho-runs-clop-ransomware-investigation%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/Pg8jMSL2WKm0k-JntzoIhzyNdjOt0mVx42Qr5FENIFc=451">
<span>
<strong>Who Runs Cl0p? Inside the Most Elusive Ransomware Operation in the World (17 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
An independent investigation cross-referencing confidential sources, cybercrime forum data, dossier records, and law enforcement filings named four key Cl0p personnel: operator j0nny (alias b1shop), developer Andrei Vladimirovich Tarasov (AELS/Lavander/CrazyMark, builder of the Angler Exploit Kit traffic distribution system), initial access buyer Likhogray Maxim Alexandrovich (Baddie, who purchased network access under a Royal ransomware cover), and DarkGate developer RastaFarEye, whose loader infrastructure shares overlaps with Cl0p clusters documented by Group-IB. Forum post correlation analysis between j0nny and Loader developer Orlylyly showed a statistically significant five-month lag (r = 0.2453, p = 0.0078), consistent with a supplier-operator relationship, with Orlylyly's last post occurring 48 hours before Cl0p's first MOVEit Transfer victims appeared. The investigation portrays Cl0p as a deliberately compartmentalized criminal organization that pays legal fees for arrested members, routes access purchases through cover identities, and maintains long-term relationships with developers across multiple ransomware ecosystems.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2F2026%2F04%2F01%2Famazon_security_boss_ai_efficiency%2F%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/n2SynVUjDjNhfUY9y8OZSktDwzYucUXvw1QJvU_FzBM=451">
<span>
<strong>Amazon security boss: AI makes pentesting 40% more efficient (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Amazon CISO CJ Moses told The Register that AI tools reduce pentesting costs by over 40% in human and operational expenses. Amazon isn't laying off security staff; it's maintaining the same headcount while expanding services, but AI now handles ongoing post-launch vulnerability testing, highlighting chains of exploits for humans to review. Moses emphasizes a strict limit on AI autonomy: humans must approve any decision to exploit a discovered vulnerability, comparing AI decision-making to that of a 7-year-old.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.sciencedaily.com%2Freleases%2F2026%2F04%2F260401071933.htm%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/YdslOcu43w6VyOQoQU6CZmiN1yCwNLlbJQBWnvhFPhA=451">
<span>
<strong>A 200-year-old light trick just transformed quantum encryption (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Researchers at the University of Warsaw demonstrated a quantum key distribution (QKD) system using the temporal Talbot effect, a 19th-century optical phenomenon in which light pulses self-reconstruct under dispersion in fiber, to achieve high-dimensional time-bin encoding across 2D and 4D superpositions on existing city fiber infrastructure. The design requires only a single-photon detector rather than a complex interferometer tree, eliminating the need for frequent calibration and reducing both cost and complexity, while still allowing all photon-detection events to remain useful. A security vulnerability shared by many standard QKD protocols was identified and resolved through a receiver modification, and the updated security proof was published in Physical Review Applied.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fopensource.googleblog.com%2F2026%2F03%2Fopentitan-shipping-in-production.html%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/xW91u-Q8_btTg_zeDrV4o7Bd2N8OJPQoA4MjLfVJw20=451">
<span>
<strong>OpenTitan shipping in production (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Google's OpenTitan, the first open-source silicon Root of Trust with SLH-DSA post-quantum secure-boot support, began shipping in commercial Chromebooks via Nuvoton, with datacenter deployment and a second-generation ML-DSA/ML-KEM part already in development.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FOqtlHL/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/BwLhm_VjpC1S3dVNleJGNCUW5ePbVdVHI0VtYa46Edk=451">
<span>
<strong>Google Drive ransomware detection now on by default for paying users (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Google's AI-powered Drive ransomware detection is now generally available and enabled by default for all business, enterprise, education, and frontline Workspace licenses.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.bitdefender.com%2Fen-us%2Fblog%2Fhotforsecurity%2Fredline-malware-developer-extradited%3Futm_source=tldrinfosec/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/jIyCwKqLBoSVKQRIAl8inN0876S6KXoMuN3uwLLhn18=451">
<span>
<strong>Alleged RedLine malware developer extradited to United States (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Armenian national Hambardzum Minasyan appeared in federal court in Austin, facing up to 30 years on charges of access device fraud, CFAA conspiracy, and money laundering for his alleged role in developing and distributing RedLine, an infostealer deployed across 150+ countries.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/H-U6gb8cChx-izDhT53uG-SdsyN8T2_V8Cfu9-eFIfQ=451"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/6C3zAo73dIvHk2TGk6JIX7YqOarmgBaYpV6tf9TMjDw=451"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019d4e4d2884-68dad2d7-231d-499f-97a2-ff71a7b80096-000000/8qDhRVZ1Tsdf8Di8biZfYBr_Mg0jerlQhECczSsyrx8=451"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>