
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | FIRESTARTER, Signal phishing | 2 |
| Cyber Investigations | GopherWhisper, media-server leak | 2 |
| Major Cyber Incidents | ADT, Medtronic, Itron | 3 |
| Exploits & Threat Intelligence | Breeze Cache, KEV updates | 2 |
| Law Enforcement | Singapore, Telangana arrests | 2 |
| Policy & Standards | Cyber Essentials, CISA guidance | 2 |
Digital Investigations
[AMER] CISA’s analysis of FIRESTARTER on a federal Cisco Firepower ASA device showed that suspicious perimeter activity had persisted despite patching, forcing investigators to validate device telemetry, malware artefacts and post-exploitation traces. The case underlines the evidential difficulty of appliance compromises, where persistence, degraded logging and network-edge visibility gaps can complicate timeline reconstruction and confidence in remediation (Source: Security Affairs, 25-04-2026).
[EMEA] German officials investigated a Signal phishing campaign targeting Bundestag President Julia Klöckner and other political figures, with Russia suspected of using compromised accounts to approach high-value contacts. Investigators must correlate device sessions, messaging metadata, account-recovery artefacts and social-engineering lures to distinguish account takeover from impersonation and map the campaign’s operational reach (Source: Euronews, 26-04-2026).
Cyber Investigations
[APAC] Researchers reported that China-linked GopherWhisper used legitimate cloud and collaboration services in attacks against government targets, including activity focused on Mongolia. The campaign’s Go-based backdoors, loaders and service-abuse patterns give investigators multiple attribution signals, but also require careful separation of adversary-controlled infrastructure from ordinary third-party platform traffic (Source: SecurityWeek, 25-04-2026).
[APAC] Singapore police arrested a 26-year-old man accused of leaking the forthcoming Avatar Aang film after allegedly accessing a media server where the unreleased project was stored. The investigation turns on server-access logs, file-transfer evidence and account attribution, highlighting how intellectual-property cases increasingly depend on preserving platform records before deletion, sharing or secondary distribution obscures the original breach path (Source: Cybernews, 25-04-2026).
Major Cyber Incidents
[AMER] ADT confirmed a data breach after ShinyHunters listed the security company on its leak site and claimed possession of customer personal information and internal corporate data. The incident places emphasis on validating attacker claims against internal access records, customer-data repositories and extortion-site material before notification decisions and evidential preservation steps are finalised (Source: BleepingComputer, 25-04-2026).
[AMER] Medtronic disclosed that an unauthorised party accessed data in certain corporate IT systems, while stating that products, patient safety, manufacturing, distribution and financial reporting systems were not identified as affected. The containment narrative now depends on evidence showing separation between corporate networks and operational environments, plus verification that data-access claims align with system logs and external extortion assertions (Source: Medtronic, 26-04-2026).
[AMER] Itron disclosed unauthorised access to part of its internal IT environment after detecting activity on 13 April and activating its cybersecurity response plan. The utility technology supplier’s filing shows the importance of early law-enforcement notification, external technical support and containment documentation when investigators must determine whether internal access created wider operational or customer-data exposure (Source: Security Affairs, 26-04-2026).
Exploits & Threat Intelligence
[Global] Attackers exploited CVE-2026-3844 in the Breeze Cache WordPress plugin, a critical arbitrary-file-upload flaw affecting versions up to and including 2.4.4 under specific configuration conditions. The exploitation pattern gives defenders clear triage points, including unexpected uploads, suspicious Gravatar-fetch activity, webshell artefacts and post-upload execution attempts across high-volume WordPress estates (Source: Security Affairs, 25-04-2026).
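The triage points above can be turned into a first-pass access-log check. The script below is an added example, not code from the article or the plugin; the log lines are constructed, and the POST endpoint in them is a placeholder rather than Breeze Cache's real upload route.

```python
import re

# Constructed sample web-server access-log lines (combined format); not real traffic,
# and the POST endpoint below is a placeholder, not the plugin's actual upload route.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=placeholder_upload HTTP/1.1" 200 512 "-" "curl/8.6"
203.0.113.7 - - [25/Apr/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/04/avatar.php HTTP/1.1" 200 77 "-" "curl/8.6"
198.51.100.4 - - [25/Apr/2026:10:02:10 +0000] "GET /wp-content/uploads/2026/04/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Apr/2026:10:02:12 +0000] "GET /wp-content/uploads/2026/04/photo.jpg.phtml HTTP/1.1" 404 60 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Server-side script extensions that should never be served from the uploads tree.
EXEC_EXT = re.compile(r'\.(?:php\d?|phtml|phar)(?:\?|$)', re.IGNORECASE)
UPLOADS = "/wp-content/uploads/"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return (exec_hits, chained_ips).

    exec_hits: (ip, path, status) for any request of a script-like file under uploads.
    chained_ips: source IPs that issued a POST and later fetched a script under uploads
    with HTTP 200, i.e. the upload-then-execute sequence worth escalating first.
    """
    exec_hits, chained, posted = [], [], set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if rec["method"] == "POST":
            posted.add(rec["ip"])
        if rec["path"].startswith(UPLOADS) and EXEC_EXT.search(rec["path"]):
            exec_hits.append((rec["ip"], rec["path"], rec["status"]))
            if rec["status"] == "200" and rec["ip"] in posted and rec["ip"] not in chained:
                chained.append(rec["ip"])
    return exec_hits, chained

if __name__ == "__main__":
    hits, chained = triage(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"script under uploads: {ip} {path} ({status})")
    print("upload-then-execute from:", chained)
```

On a real estate, pair the access-log hits with a filesystem sweep of wp-content/uploads for the same extensions, since a webshell that was uploaded but not yet called leaves no GET line.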
[AMER] CISA added SimpleHelp, Samsung MagicINFO and D-Link flaws to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation, setting a short remediation window for affected federal systems. The additions sharpen prioritisation for investigators because remote-support tools, signage servers and routers can all produce weak logging, shared credentials or edge-device artefacts that disappear quickly after attacker cleanup (Source: Security Affairs, 25-04-2026).
Law Enforcement
[APAC] Singapore Police said a Malaysian man would be charged on 25 April after Anti-Scam Command and Clementi Police Division officers arrested him over suspected involvement in a government-official impersonation scam. Investigators traced the suspect through ground enquiries and follow-up work after the victim reported handing over S$21,000 under false claims of a money-laundering investigation (Source: Singapore Police Force, 25-04-2026).
[APAC] Malkajgiri cybercrime police in Telangana arrested five people linked to investment, digital and loan fraud cases during the preceding week. Officers also facilitated refunds of Rs 21.60 lakh to victims, showing how cyber-fraud investigations increasingly combine suspect identification, financial-transaction tracing and victim restitution alongside device and account evidence (Source: Telangana Today, 25-04-2026).
Policy & Standards
[EMEA] UK Cyber Essentials transition guidance highlighted that assessment accounts registered from 27 April 2026 move to the Danzell question set, while accounts registered by 26 April remain under the previous standard. The update increases focus on cloud services, MFA, backup documentation and recovery testing, giving assessors clearer evidence expectations around operational resilience rather than paper-only compliance (Source: Cyphere, 26-04-2026).
[AMER] CISA’s exploited-vulnerability updates reinforced the policy pressure on federal agencies to remediate actively exploited products within defined deadlines rather than relying on routine patch cycles. For evidence-led governance, the catalogue helps align vulnerability management records, exception decisions, compensating controls and post-exploitation review with a documented external risk trigger (Source: CISA, 25-04-2026).
Editorial Perspective
This cycle again shows that digital investigations are being pulled toward systems where traditional evidence collection is least comfortable: encrypted messaging, edge appliances, cloud services, third-party platforms and highly distributed consumer or enterprise data stores. Investigators need defensible ways to preserve volatile session data, correlate platform records and separate attacker-controlled infrastructure from legitimate service traffic. The strongest investigative posture is no longer based only on recovering what happened after a breach is confirmed, but on maintaining enough telemetry and account-history evidence to reconstruct contested activity quickly.
The law-enforcement and policy items also point to the growing overlap between technical evidence, financial tracing and regulatory deadlines. Scam investigations now depend on rapid movement from victim report to transaction recovery, while exploited-vulnerability catalogues and certification updates create external benchmarks against which organisational readiness can be tested. For digital investigations teams, the practical lesson is clear: evidence integrity, access logging, cloud auditability and cross-platform correlation must be designed into normal operations before the incident, complaint or prosecution arrives.
Reference Reading
- CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network
- Germany suspects Russia of Signal phishing attacks targeting politicians
- China-linked APT GopherWhisper abuses legitimate services in government attacks
- Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw
- Malaysian arrested in Singapore within 10 days for suspected involvement in scams
- CISA Known Exploited Vulnerabilities Catalog
Tags
Digital Investigations, Cyber Investigations, FIRESTARTER, Signal Phishing, GopherWhisper, ShinyHunters, Data Breach, KEV Catalog, Cyber Fraud, Cyber Essentials, Edge Devices, Evidence Integrity