Full Report
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week. Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws
Analysis Summary
# Morning News Roll-up April 02, 2026
## Overview
The latest ThreatsDay Bulletin highlights a rapid escalation in attack sophistication, focusing on pre-authentication exploit chains in enterprise storage, a massive rootkit campaign targeting older Android mobile devices, and official warnings regarding data security risks from foreign-developed applications.
## Top Stories
### Progress ShareFile Pre-Auth RCE Chain
- Summary: Researchers identified a critical exploit chain (CVE-2026-2699 and CVE-2026-2701) in Progress ShareFile. By bypassing authentication at the "/ConfigService/Admin.aspx" endpoint and leveraging an upload vulnerability, attackers can achieve remote code execution to deploy web shells on approximately 30,000 internet-facing instances.
- Source: hxxps://labs[.]watchtowr[.]com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
### NoVoice Rootkit Campaign
- Summary: A sophisticated malware campaign named "NoVoice" has infected over 2.3 million Android devices via 50+ masqueraded apps. It utilizes a library of 22 exploits to gain root access, modify system libraries, and exfiltrate data from apps like WhatsApp. The campaign specifically targets older devices and implements checks to evade analysis.
- Source: hxxps://www[.]mcafee[.]com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
### FBI Warning on Foreign Mobile Apps
- Summary: The FBI issued a Public Service Announcement regarding the risks associated with mobile applications developed by foreign companies, specifically highlighting China. The warning focuses on the potential for data harvesting, surveillance, and the legal obligations of these companies to share user data with foreign governments.
- Source: hxxps://www[.]ic3[.]gov/PSA/2026/PSA260331
---
# Main Topic
Analysis of high-impact vulnerabilities and malware campaigns involving pre-authentication RCE chains and Android system-level persistence.
## Key Points
- **Weaponized Chains:** Attackers are increasingly "chaining" minor bugs (Auth Bypass + Arbitrary File Upload) to create high-impact Pre-Auth Remote Code Execution (RCE).
- **Persistence through Library Modification:** The NoVoice rootkit modifies system libraries on Android to ensure malicious code runs every time a user opens a legitimate app.
- **Vulnerability Recycling:** Old Android vulnerabilities (2016–2021) are still highly effective for mass-scale infections on unpatched or legacy hardware.
- **Evasion Tactics:** Modern malware like NoVoice now includes checks for Beijing/Shenzhen IP ranges to avoid local law enforcement scrutiny and more than 12 checks for debuggers/VPNs to frustrate analysts.
## Threat Actors
- **NoVoice Operators:** Associated with the Triada malware family; highly technical group focused on mobile data exfiltration and device control.
- **Unattributed Exploiters:** Threat actors actively scanning for the ~30,000 internet-facing Progress ShareFile instances.
## TTPs
- **T1210:** Exploitation of Remote Services (Progress ShareFile endpoints).
- **T1068:** Exploitation for Privilege Escalation (NoVoice gaining root via 22 different N-day exploits).
- **T1574.006:** Hijack Execution Flow: Dynamic Linker Hijacking (Modifying Android system libraries).
- **T1497:** Virtualization/Sandbox Evasion (Checking for emulators and debuggers).
- **Authentication Bypass:** Specifically targeting the `/ConfigService/Admin.aspx` endpoint.
## Affected Systems
- **Progress ShareFile:** Storage Zone Controller versions prior to 5.12.4.
- **Android OS:** Older versions susceptible to exploits patched between 2016 and 2021.
- **Targeted Mobile Apps:** WhatsApp and over 50 utility/gaming apps used as delivery vehicles.
- **Geographies:** High infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya.
## Mitigations
- **Update ShareFile:** Immediately upgrade Progress ShareFile Storage Zone Controller to version 5.12.4 or later.
- **Device Patching:** Enforce OS updates on mobile devices or retire hardware that no longer receives security patches.
- **App Vetting:** Remove apps identified in the NoVoice campaign and restrict users to official, verified developers.
- **SELinux and System Library Monitoring:** Monitor for unauthorized attempts to disable SELinux or modify system libraries on Android devices.
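As an added illustration of the monitoring item above (example code written for this roll-up, not from the page's sources), a small Python scanner that flags three events over constructed Android logcat lines: SELinux switching out of enforcing mode, a read-write remount of `/system`, and a copy into a system library directory. The log format, the sample lines and the exact patterns are assumptions to adapt to your own device logs.

```python
import re
from dataclasses import dataclass

# Detection rules for the mitigation above. Each rule is a regex applied to one
# logcat line (assumption: logcat "threadtime" format, as in the constructed
# sample below). type=1404 is the kernel's SELinux status-change audit record.
RULES = {
    "selinux_permissive": re.compile(
        r"type=1404 .*enforcing=0 old_enforcing=1|setenforce\s+0"),
    "system_remount_rw": re.compile(
        r"remount.*\brw\b.*/system|remount.*/system.*\brw\b"),
    "system_lib_write": re.compile(
        r"\b(cp|mv|dd|install|chmod|chown)\b.*\s/system/(lib|lib64|bin|framework)/"),
}


@dataclass
class Alert:
    line_no: int
    rule: str
    line: str


def scan_logcat(text: str) -> list[Alert]:
    """Return one Alert per (line, rule) match; lines are numbered from 1."""
    alerts = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                alerts.append(Alert(n, name, line.strip()))
    return alerts


# Constructed sample (not real device output): one benign app start followed by
# three events of the kind the mitigation asks defenders to watch for.
SAMPLE_LOGCAT = """\
04-02 08:10:59.010  1600  1600 I ActivityManager: Start proc 1801:com.whatsapp/u0a123
04-02 08:11:03.112  1201  1201 I auditd  : type=1404 audit(0.0:19): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
04-02 08:11:05.440  1233  1233 I sh      : mount -o remount,rw /system
04-02 08:11:07.002  1240  1240 W sh      : cp /data/local/tmp/libandroid_runtime.so /system/lib64/libandroid_runtime.so
"""

if __name__ == "__main__":
    for a in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {a.line_no}: {a.rule}: {a.line}")
```

On the sample input the scanner reports the SELinux change on line 2, the remount on line 3 and the library copy on line 4; the benign process start on line 1 produces nothing.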
## Conclusion
The current threat landscape is characterized by the reuse of old vulnerabilities against legacy systems and the creative chaining of new flaws in enterprise software. Identity and storage platforms remain primary targets for RCE. Organizations should prioritize patching internet-facing storage controllers and phase out legacy mobile hardware that can no longer defend against rootkit-level exploitation.