Threat Intelligence

Trojanized TestDisk installer, Microsoft binary tapped for illicit ScreenConnect deployment

April 20, 2026
By SC Staff

Attacks launching a malicious TestDisk installer and exploiting a Microsoft-signed binary for DLL side-loading have enabled the clandestine deployment of the ConnectWise ScreenConnect remote monitoring and management software as part of a search engine optimization poisoning campaign, according to GBHackers News.

Installing the fake TestDisk installer, a Microsoft Setup binary repurposed as a loader, from a spoofed website promoted in the search results triggers the signed Microsoft binary to search its working directory for a companion DLL, at which point it loads an illicit autorun.dll, Palo Alto Networks Unit 42 researchers reported. That DLL downloads not only the legitimate TestDisk software but also other malware components, including the trojanized ScreenConnect client, which lets threat actors transfer files, execute commands, and move laterally. The resulting initial access could also be leveraged for credential harvesting, data exfiltration, and ransomware deployment.

Combating such a threat requires more rigorous tracking of access to testdisk[.]div and other download infrastructure, as well as of atypical DLLs loaded by Microsoft-signed binaries.

SC Staff
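As an added defender-side example, not part of the SC Media story or Unit 42's research, the Python below applies the closing recommendation (watch for atypical DLLs loaded by Microsoft-signed binaries) to constructed Sysmon Event ID 7 (ImageLoad) records: it flags a Microsoft-signed loader that pulls a non-Microsoft DLL from its own, non-system directory, the pattern described for autorun.dll. The `ImageSigner` field is an assumed enrichment, since Sysmon itself records only the loaded image's signature.

```python
"""Heuristic side-loading detection over Sysmon Event ID 7 (ImageLoad) records.
All sample records below are constructed for illustration, not real telemetry."""
import ntpath

# Directories where a Microsoft-signed loader is expected to find its DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _dir(path: str) -> str:
    """Normalise a Windows path to its lower-cased parent directory."""
    return ntpath.dirname(path).lower().rstrip("\\")


def is_side_load(event: dict) -> bool:
    """True when a Microsoft-signed loader loads a non-Microsoft DLL from its own
    directory and that directory is not a Windows system directory.
    Sysmon EID 7 carries Signed/Signature for ImageLoaded only; `ImageSigner`
    (signer of the loading executable) is an assumed enrichment field."""
    if "microsoft" not in event.get("ImageSigner", "").lower():
        return False
    loader_dir, dll_dir = _dir(event["Image"]), _dir(event["ImageLoaded"])
    if dll_dir != loader_dir or dll_dir.startswith(SYSTEM_DIRS):
        return False
    dll_is_microsoft = (event.get("Signed", "false").lower() == "true"
                        and "microsoft" in event.get("Signature", "").lower())
    return not dll_is_microsoft


def find_side_loads(events):
    """Return (loader, dll) pairs for every event matching the heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_side_load(e)]


# Constructed events; file names are illustrative, not indicators from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\TestDisk_Setup.exe", "ImageSigner": "Microsoft Corporation",
     "ImageLoaded": r"C:\Users\alice\Downloads\autorun.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},   # suspicious
    {"Image": r"C:\Users\alice\Downloads\TestDisk_Setup.exe", "ImageSigner": "Microsoft Corporation",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},  # benign
    {"Image": r"C:\Program Files\ExampleApp\app.exe", "ImageSigner": "Example Corp",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
     "Signed": "true", "Signature": "Example Corp", "SignatureStatus": "Valid"},  # benign
]

if __name__ == "__main__":
    for loader, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {loader} -> {dll}")
```

Tuning the heuristic usually means adding an allowlist of known same-directory loads for legitimate Microsoft installers, then reviewing what remains.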