Monthly Cyber Threat Intelligence Report: April 2026
April 2026 monthly cyber threat intelligence summary from System Force IT: major incidents, emerging malware families, the vulnerability landscape, and ransomware activity. Identity-based attacks, supply-chain compromise and ransomware-as-a-service continue to dominate; 756 ransomware victims claimed in April, with the United States and the business-services sector carrying the largest share.
What's inside
- Identity-based attacks dominated the April incident set, with credential compromise via SSO and OAuth driving major breaches at ADT and Vercel.
- Supply-chain compromise continues to scale as a delivery mechanism for high-impact intrusions, evidenced by the Vercel OAuth attack and a North Korean laptop-farm operation that touched over 100 organisations.
- Ransomware is industrialising further: 756 claimed victims in April, with Qilin, LockBit variants and ShinyHunters actively recruiting affiliates and refining double-extortion playbooks.
- Critical national infrastructure and business-services sectors remain the highest-pressure targets, with the United States carrying the largest share of declared incidents.
- Unpatched vulnerabilities in widely deployed Cisco, Fortinet, Adobe, Chrome and Apache products (several scoring above CVSS 9.0) remain the primary technical entry point and warrant immediate patching review.
The April 2026 edition of the System Force IT Monthly Cyber Threat Intelligence Report covers the most significant cyber incidents, emerging malware families, vulnerability disclosures and ransomware activity observed during the month. The report is intended for business owners, IT leaders and risk managers who need a concise monthly briefing without wading through fragmented vendor advisories.
April was characterised by a continued shift towards identity-driven attacks, large-scale supply-chain compromises and increasingly commercial ransomware operations. Notable incidents included a French government breach affecting more than 11 million users, a Vercel supply-chain compromise via OAuth, an insider-style laptop-farm operation attributed to North Korean operators with reach into 100+ organisations, an ADT breach driven by SSO compromise, and the dismantling of a $20 million global phishing network.
On the technical side, critical vulnerabilities were disclosed across Cisco, Fortinet, Adobe, Chrome and Apache, several scoring above CVSS 9.0. Ransomware activity reached 756 claimed victims in the month, with Qilin, LockBit variants and ShinyHunters the most active groups. The recommended response remains consistent and unglamorous: enforce multi-factor authentication, patch quickly, deploy and monitor EDR, maintain tested immutable backups, and continue staff awareness training.