ShinyHunters compromised two major organizations in April 2026 — ADT (5.5 million customer records) and Medtronic (9 million records threatened) — while Microsoft quietly confirmed that a CVSS 4.3 Windows Shell flaw is being exploited in the wild. Severity scores measure theoretical impact; attackers measure opportunity.
In the News
ADT Breach Exposes 5.5 Million Customer Records
Home security giant ADT disclosed a data breach affecting 5.5 million customers. ShinyHunters has claimed responsibility for the compromise. Exposed data reportedly includes customer names, physical addresses, email addresses, and service contract details — the kind of information that enables targeted phishing, physical security reconnaissance, and identity fraud.
ADT has not publicly confirmed the initial access vector. ShinyHunters’ involvement suggests credential-based access, exploitation of an internet-facing application, or a supply-chain entry point — all consistent with the group’s historical playbook. The group has publicly named ADT as a victim, following the extortion-first disclosure model that has become standard for data theft groups operating outside of traditional ransomware encryption.
The breach is significant beyond ADT’s consumer base. ADT provides physical security monitoring for commercial and enterprise customers. Organizations that integrate ADT systems into their physical security posture should assess whether service contract data, site addresses, or monitoring configurations were included in the exposed dataset.
What defenders should do: Audit third-party physical security vendor access to your network and data. Segment vendor connections. Monitor for credential abuse patterns associated with exposed email addresses. If your organization is an ADT commercial customer, assume your service contract details are compromised and review what those details reveal about your physical security configuration. (BleepingComputer)
Medtronic Confirms Breach After ShinyHunters Threatens 9M-Record Leak
Medtronic, one of the world’s largest medical device manufacturers, confirmed a data breach after ShinyHunters threatened to leak 9 million patient and employee records. The company acknowledged unauthorized access to systems containing personally identifiable information.
This is the second major ShinyHunters disclosure in April 2026. The group’s operational tempo — naming victims publicly and setting leak deadlines — indicates a mature extortion operation. For healthcare organizations and medical device OEMs, the breach underscores that supply-chain risk extends to device manufacturers who hold patient data as part of service, warranty, and device registration workflows.
The specific data types at risk have not been fully enumerated in public disclosures. Given Medtronic’s business — implantable cardiac devices, insulin pumps, surgical robotics — the PII involved likely includes patient medical identifiers, device serial numbers, and clinical contact information.
What defenders should do: Healthcare organizations that use Medtronic devices should review what PII they share with the manufacturer and whether that data is governed by a data processing agreement with breach notification obligations. Position data loss prevention and identity governance controls around medical device vendor integrations. Monitor for phishing campaigns that leverage Medtronic-branded lures — ShinyHunters’ public naming of victims reliably triggers follow-on social engineering by opportunistic actors. (SecurityWeek)
CVE-2026-32202: Windows Shell Spoofing Flaw Confirmed Exploited in the Wild
Microsoft revised its advisory for CVE-2026-32202 to confirm active exploitation. The vulnerability is a spoofing flaw in Windows Shell that allows an attacker to disguise a malicious file as a benign file type, bypassing visual indicators that users rely on to assess file safety. The CVSS base score is 4.3.
The low CVSS score reflects the requirement for user interaction — someone has to open the spoofed file. In practice, this is precisely the kind of flaw that threat actors chain with social engineering, phishing, or watering-hole delivery. The gap between the severity score and the real-world exploitation status is the entire argument for risk-based vulnerability prioritization over CVSS-only triage.
The patch shipped with the April 2026 Patch Tuesday update. Organizations that deferred or delayed April patching are exposed to an actively exploited vulnerability right now.
What defenders should do: Apply the April 2026 cumulative update. If patching is delayed, deploy endpoint detection rules that flag Windows Shell file-type mismatches — specifically, files where the extension does not match the file header or where Mark of the Web (MOTW) metadata has been stripped. Monitor for user-initiated execution of files from external sources (email attachments, browser downloads, USB media). (The Hacker News)
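One way to implement the file-type mismatch and MOTW checks described above, as an added example (this is not code from Microsoft or from the cited article). It compares a file's leading bytes against a small signature table and reads the Zone.Identifier alternate data stream that carries Mark of the Web on NTFS. The signature table, the `from_external` flag, and the sample inputs are assumptions of this example, not something the advisory specifies.

```python
import os

# Constructed header table: extension -> accepted leading bytes.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
    ".scr": (b"MZ",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
PE_HEADER = b"MZ"


def header_matches(name, head):
    """True when the first bytes of the file agree with its extension.
    Extensions outside MAGIC are left alone (no opinion)."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return True
    return any(head.startswith(sig) for sig in expected)


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream ('[ZoneTransfer]\\r\\nZoneId=3\\r\\n...').
    Returns the ZoneId as an int, or None when no valid ZoneId is present."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def assess(name, head, zone_stream, from_external=True):
    """Findings for one file. `zone_stream` is the Zone.Identifier content,
    or None when the stream is absent. `from_external` (assumed flag) marks
    files that arrived by mail, browser or removable media, where MOTW is
    expected; its absence on such a file is the 'stripped MOTW' signal."""
    findings = []
    if not header_matches(name, head):
        kind = "PE executable" if head.startswith(PE_HEADER) else "unexpected"
        findings.append(f"extension/header mismatch: {kind} content")
    if zone_stream is None:
        if from_external:
            findings.append("MOTW absent on externally sourced file")
    else:
        zone = parse_zone_identifier(zone_stream)
        if zone is None:
            findings.append("MOTW present but ZoneId unreadable")
        elif zone >= 3:  # 3 = Internet, 4 = Restricted
            findings.append(f"MOTW ZoneId={zone} (internet or restricted origin)")
    return findings


def scan_file(path, from_external=True):
    """Windows/NTFS only: read the header and the Zone.Identifier ADS from disk.
    The ADS is opened through the 'path:Zone.Identifier' stream syntax."""
    with open(path, "rb") as f:
        head = f.read(16)
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as z:
            zone_stream = z.read()
    except OSError:
        zone_stream = None
    return assess(os.path.basename(path), head, zone_stream, from_external)
```

`scan_file` is what an endpoint job would call on a downloads or attachments folder; the pure functions are separated so the logic can be tested without NTFS. A file whose extension says document but whose header says PE, with no Zone.Identifier, is exactly the combination the advisory's workaround guidance is aimed at.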
UNC6692 Abuses Microsoft Teams and AWS S3 to Deploy Custom Snow Malware
A newly tracked threat actor designated UNC6692 is running multi-stage intrusions that begin with email bombing, pivot to Microsoft Teams social engineering, and end with custom malware deployed via AWS S3 staging. The group’s malware family — Snowbelt (persistence), Snowglaze (credential harvesting), and Snowbasin (command and control) — indicates a well-resourced operation with custom tooling.
The attack chain starts with a high-volume email bomb — hundreds of subscription confirmation emails — designed to overwhelm the target’s inbox and create a pretext. UNC6692 operators then contact the victim via Microsoft Teams, posing as IT support offering to resolve the email flood. The social engineering leverages Teams’ trusted status within corporate environments: most organizations do not apply the same scrutiny to Teams messages that they apply to external email.
Once the victim grants access or executes a payload, the S3-staged Snowbelt implant establishes persistence. Snowglaze harvests credentials from browsers, credential stores, and cached tokens. Snowbasin handles C2 communication using HTTPS to blend with legitimate cloud traffic.
What defenders should do: Restrict external Teams communication to approved domains. Deploy collaboration security controls that flag unsolicited contact from external tenants. Monitor for anomalous S3 bucket connections from endpoints — especially buckets not associated with your organization’s AWS accounts. Endpoint detection should key on the behavioral chain: email bomb → Teams contact → payload execution. MITRE ATT&CK techniques: T1566.003 (Phishing via Service), T1204.002 (User Execution: Malicious File), T1071.001 (Application Layer Protocol: Web Protocols). (SecurityWeek)
Today’s Deep Dive — PhantomRPC: Unpatchable Windows Privilege Escalation
Researchers disclosed PhantomRPC, a set of five privilege escalation techniques that exploit architectural flaws in the Windows RPC (Remote Procedure Call) subsystem. There is no CVE assigned because these are not traditional vulnerabilities — they are design-level issues in how Windows RPC handles authentication and impersonation. Microsoft has not committed to a fix timeline.
The core problem: Windows RPC allows certain services to impersonate the calling client’s security context. PhantomRPC demonstrates that an attacker with local, low-privilege access can manipulate RPC calls to escalate to SYSTEM — the highest privilege level on a Windows host. Five distinct exploit paths have been documented, each abusing a different RPC endpoint or impersonation mechanism.
This matters because RPC is foundational to Windows. It underpins Active Directory replication, service management, printer spooling, and dozens of other OS functions. Disabling RPC is not a viable mitigation in production environments. The attack surface is broad, and the absence of a patch means defenders must rely on compensating controls.
Detection: Monitor for unexpected token manipulation and impersonation events. Windows Event ID 4688 (Process Creation) with elevated token integrity levels from processes that should not be elevated is a starting signal. Sysmon Event ID 1 with IntegrityLevel: System from a parent process running at medium integrity is a high-fidelity indicator. Cross-reference with Event ID 4672 (Special Privileges Assigned) for service accounts that should not be acquiring SeImpersonatePrivilege dynamically.
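The two signals named above can be turned into a small correlation over a Sysmon and Security event stream. The following is an added example, not code from the PhantomRPC researchers or from Microsoft: Sysmon Event ID 1 records the new process's IntegrityLevel but not the parent's, so the parent's level is recovered from the parent's own creation event via ParentProcessGuid; the second function lists Event ID 4672 grants of SeImpersonatePrivilege to accounts outside an expected set. The event records and the account allowlist are constructed for the example.

```python
# Ordering used to compare Windows integrity levels as Sysmon reports them.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "System": 4}

# Constructed sample: a subset of Sysmon Event ID 1 fields plus two
# Security 4672 records. The last process-creation record is the pattern
# of interest: a System-integrity child of a Medium-integrity parent.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "g-services", "Image": r"C:\Windows\System32\services.exe",
     "IntegrityLevel": "System", "ParentProcessGuid": "g-wininit", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "g-svchost", "Image": r"C:\Windows\System32\svchost.exe",
     "IntegrityLevel": "System", "ParentProcessGuid": "g-services", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "g-explorer", "Image": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "ParentProcessGuid": "g-userinit", "User": r"CORP\alice"},
    {"EventID": 1, "ProcessGuid": "g-cmd", "Image": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium", "ParentProcessGuid": "g-explorer", "User": r"CORP\alice"},
    {"EventID": 1, "ProcessGuid": "g-child", "Image": r"C:\Users\alice\unknown.exe",
     "IntegrityLevel": "System", "ParentProcessGuid": "g-cmd", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 4672, "SubjectUserName": "alice",
     "PrivilegeList": "SeImpersonatePrivilege SeDebugPrivilege"},
    {"EventID": 4672, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
]


def index_process_creations(events):
    """Map ProcessGuid -> its Event ID 1 record so parents can be looked up."""
    return {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}


def find_integrity_jumps(events):
    """Return System-integrity process creations whose parent was created at
    Medium integrity or lower. Parents outside the log window are skipped."""
    by_guid = index_process_creations(events)
    hits = []
    for e in events:
        if e.get("EventID") != 1 or e.get("IntegrityLevel") != "System":
            continue
        parent = by_guid.get(e.get("ParentProcessGuid"))
        if parent is None:
            continue  # no creation record for the parent; no opinion
        if LEVELS.get(parent.get("IntegrityLevel"), 0) <= LEVELS["Medium"]:
            hits.append({
                "image": e["Image"],
                "user": e.get("User"),
                "parent_image": parent["Image"],
                "parent_user": parent.get("User"),
                "parent_integrity": parent["IntegrityLevel"],
            })
    return hits


def unexpected_impersonate_grants(events, expected_accounts):
    """Accounts that appear in a 4672 record with SeImpersonatePrivilege but are
    not in the expected set. PrivilegeList is whitespace-separated in the
    event, so split() handles both the XML and SIEM-flattened forms."""
    hits = []
    for e in events:
        if e.get("EventID") != 4672:
            continue
        privs = set(e.get("PrivilegeList", "").split())
        if "SeImpersonatePrivilege" in privs and e.get("SubjectUserName") not in expected_accounts:
            hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    for h in find_integrity_jumps(SAMPLE_EVENTS):
        print("integrity jump:", h)
    print("unexpected SeImpersonatePrivilege:",
          unexpected_impersonate_grants(SAMPLE_EVENTS, {"svc_backup"}))
```

The expected-account set for 4672 should be built from the service accounts that legitimately run with SeImpersonatePrivilege in your environment (IIS application pools and similar); interactive user accounts appearing there are what the cross-reference in the paragraph above is meant to surface.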
Primary mitigation: Enforce least-privilege aggressively. Remove unnecessary local admin rights. Deploy privileged access management (PAM) to rotate and vault local administrator credentials. Application allowlisting limits which binaries can execute even if privilege escalation succeeds. EDR solutions with kernel-level telemetry can detect the token manipulation patterns that PhantomRPC relies on.
MITRE ATT&CK: T1134 (Access Token Manipulation), T1068 (Exploitation for Privilege Escalation). (SecurityWeek)
Detection Spotlight
This week’s detection targets the UNC6692 email bombing + Teams social engineering chain. The following Splunk SPL query identifies the email bomb precursor — a sudden spike in inbound emails to a single recipient within a short window — which is the first observable indicator before the Teams-based social engineering begins.
index=email sourcetype=o365:messageTrace
| bin _time span=10m
| stats count AS email_count dc(SenderAddress) AS unique_senders by RecipientAddress _time
| where email_count > 50 AND unique_senders > 30
| sort - email_count
| table _time RecipientAddress email_count unique_senders
What it catches: A single recipient receiving more than 50 emails from more than 30 unique senders within a 10-minute window. Legitimate mailing list subscriptions and newsletter sign-ups rarely produce this pattern from this many distinct senders simultaneously. UNC6692’s email bombing technique signs the victim up for dozens of legitimate mailing lists at once — the volume and sender diversity within a compressed time window are the distinguishing signal.
False positive rate: Low in most environments. Tune the threshold based on your organization’s normal email volume. Marketing teams or employees who register for conferences may trigger occasionally — correlate with Teams external contact events within 30 minutes of the email spike for higher confidence.
Follow-up: If this query fires, immediately check the recipient’s Teams activity for external contact requests. If an external user contacted the recipient via Teams within 30 minutes of the email spike, escalate as a probable UNC6692 intrusion attempt.
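For environments without Splunk, or for testing the thresholds offline, the spike logic of the SPL query above and the 30-minute Teams correlation from the follow-up step can be expressed directly. This is an added example, not the vendor's code or part of the original brief; it also covers the behavioral chain (email bomb followed by external Teams contact) described in the UNC6692 item. The message-trace and Teams record shapes, the field names, and the sample data are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BIN = timedelta(minutes=10)            # span=10m
EMAIL_COUNT_MIN = 50                   # email_count > 50
UNIQUE_SENDERS_MIN = 30                # unique_senders > 30
TEAMS_WINDOW = timedelta(minutes=30)   # follow-up correlation window

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_start(ts):
    """Floor a timestamp to the start of its 10-minute bin (Splunk `bin`)."""
    return _EPOCH + ((ts - _EPOCH) // BIN) * BIN


def find_email_spikes(messages):
    """messages: dicts with 'time', 'recipient', 'sender'. Mirrors the
    stats/where/sort stages of the SPL query."""
    counts = defaultdict(int)
    senders = defaultdict(set)
    for m in messages:
        key = (m["recipient"].lower(), bin_start(m["time"]))
        counts[key] += 1
        senders[key].add(m["sender"].lower())
    spikes = []
    for (recipient, start), n in counts.items():
        uniq = len(senders[(recipient, start)])
        if n > EMAIL_COUNT_MIN and uniq > UNIQUE_SENDERS_MIN:
            spikes.append({"recipient": recipient, "bin": start,
                           "email_count": n, "unique_senders": uniq})
    spikes.sort(key=lambda s: s["email_count"], reverse=True)
    return spikes


def correlate_with_teams(spikes, teams_events):
    """teams_events: dicts with 'time', 'user', 'external' (bool), 'from'.
    A spike is escalated when an external-tenant contact reached the same
    user between the bin start and 30 minutes after the bin ends."""
    results = []
    for s in spikes:
        lo, hi = s["bin"], s["bin"] + BIN + TEAMS_WINDOW
        contacts = [t for t in teams_events
                    if t["external"] and t["user"].lower() == s["recipient"]
                    and lo <= t["time"] <= hi]
        results.append({**s, "teams_contacts": contacts, "escalate": bool(contacts)})
    return results


def build_sample():
    """Constructed data: 60 subscription confirmations from 40 distinct list
    senders to one user inside 9 minutes, a normal trickle to another user,
    and an external Teams contact to the first user 25 minutes later."""
    base = datetime(2026, 4, 1, 10, 0, tzinfo=timezone.utc)
    messages = [{"time": base + timedelta(seconds=9 * i),
                 "recipient": "alice@corp.example",
                 "sender": f"noreply{i % 40}@list{i % 40}.example"} for i in range(60)]
    messages += [{"time": base + timedelta(minutes=3 * i),
                  "recipient": "bob@corp.example",
                  "sender": "hr@corp.example"} for i in range(3)]
    teams_events = [
        {"time": base + timedelta(minutes=25), "user": "alice@corp.example",
         "external": True, "from": "helpdesk@external-tenant.example"},
        {"time": base + timedelta(minutes=5), "user": "bob@corp.example",
         "external": False, "from": "carol@corp.example"},
    ]
    return messages, teams_events


if __name__ == "__main__":
    msgs, teams = build_sample()
    for r in correlate_with_teams(find_email_spikes(msgs), teams):
        print(r["recipient"], r["email_count"], r["unique_senders"], "escalate:", r["escalate"])
```

The thresholds are module constants so they can be tuned the same way the query's `where` clause would be; the correlation window starts at the bin start rather than at the last email, which is deliberate, since the Teams approach in this playbook arrives while the flood is still in progress.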
References
- ADT data breach affects 5.5 million people — BleepingComputer
- Medtronic hack confirmed after ShinyHunters threatens data leak — SecurityWeek
- Microsoft confirms active exploitation of CVE-2026-32202 — The Hacker News
- UNC6692 uses email bombing and social engineering to deploy Snow malware — SecurityWeek
- No patch for new PhantomRPC privilege escalation technique in Windows — SecurityWeek
- OpenSSH flaw allowing full root shell access lurked for 15 years — SecurityWeek
- Critical CVE-2026-25874 leaves Hugging Face LeRobot exposed — The Hacker News
- Researchers uncover 73 fake VS Code extensions on OpenVSX — The Hacker News
- Chinese Silk Typhoon hacker extradited to US — The Hacker News
- Spectrum Security emerges from stealth with $19 million — SecurityWeek
- Checkmarx confirms GitHub repository data on dark web — The Hacker News
- Germany suspects Russia behind Signal phishing targeting officials — SecurityWeek
- Microsoft patches Entra ID role flaw enabling service principal takeover — The Hacker News