
SANS Stormcast Monday, April 13th, 2026: Obfuscated JavaScript; Numbers in Passwords; Adobe Patches 0-Day; ClickFix Fix Bypass
Hello and welcome to the Monday, April 13, 2026 edition of the SANS Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Stockheim, Germany, and this episode is brought to you by the SANS.edu Graduate Certificate program in penetration testing and ethical hacking.

Got two diaries today to talk about. First one is by Xavier. Xavier did run into an interesting piece of JavaScript that ultimately dropped Formbook, but had some interesting obfuscation quirks. First of all, it did contain 11 megabytes of JavaScript that was really just not used. That JavaScript was ASMDB, which is a database of assembly commands, kind of a documentation essentially about these assembly commands, sort of as a JavaScript file. So really meaningless, nothing malicious whatsoever. But then there is a little bit of less obfuscated JavaScript that will then just download three PNG files. Turns out these PNG files are not images in a classical sense, but are encrypted PowerShell scripts that will then download Formbook. So that's the here. In short, if you want to look at more details on how to deobfuscate these scripts, well, then check out Xavier's great diary.

And Jesse did a very nice and detailed analysis of the use of numbers in passwords being attempted against our honeypots. Now, the hypothesis behind this was something along the lines of users often selecting to add years like 2026 to their password, so maybe attackers are attempting the same thing. And that's definitely true. So the most common digits are 0, 1, 2, 3, in part because of, well, 20, as in 20 is currently used in years. Also of course the letter 2, then in 25 and 26. He did also do a little heat map as to how this changed over time. And yes, 2025 was the most common four-digit combination found last year. It's still very common this year, but we are still at the beginning of 2026. And of course attackers don't always update their tools very quickly, and that's probably to account for this delay kind of in them actually picking up on the password 2026. And of course users also typically don't change all their passwords at the beginning of the year, but throughout the year they update the passwords from 2025 to 2026. Other common passwords are, of course, things like one, and number sequences like this are commonly found that are not related to years. And there are a couple of, sort of, I would call them kind of false positives. What often happens is that attackers in careless scripts are submitting part of their script to the username or password field. Then if you have, for example, a command line like ping -c with a number, like an example that Jesse found, 10,000, well, that's then going to be picked up as a number in a password in this case. So yep, don't use your year or any sort of straight number sequences like 1, 2, 3, 4, 5 in your passwords. That's certainly something that attackers are looking for.

Well, untypical for Adobe, Adobe did release an emergency update for Adobe Acrobat Reader. This vulnerability, as became known late last week, is already actively being exploited. It's a remote code execution vulnerability, so definitely something that you must address quickly. The vulnerability has so far only been targeting specific organizations, so it hasn't been widely exploited. But as always, once a patch is released, that of course starts the race between patching and the largest possible exploitation effect. So definitely get started on patching. Adobe is also expected to release updates on Tuesday with the usual Patch Tuesday updates, but they decided that it's worth the effort here to actually release special updates a couple of days earlier and on a weekend.

And with the last major macOS update, Apple released an interesting fix for ClickFix, and what it really involved is monitoring what a user may copy-paste into Terminal. Well, according to Jamf, attackers have reacted and now came up with another sort of copy-paste trick in order to bypass this particular countermeasure. Instead of copy-pasting into a terminal, they're now copy-pasting into Script Editor, and apparently this is not detected by the current ClickFix protection that was built into the latest macOS. So it comes back down to user education on this one, and maybe some additional detections and monitoring on the endpoints themselves in order to detect any odd commands from being executed. But this one is actually even a little bit easier, as Apple makes available the AppleScript URL scheme. So any URL starting with AppleScript will actually automatically open Script Editor, and then the rest of the URL will be posted or copied into Script Editor. So it's actually even a little bit easier to convince a user to fall for this than it is with the classic ClickFix. And there was also a minor update for macOS this week, or end of this week, this weekend. This particular update, 26.4.3, does not contain any additional security fixes.

Well, that's it for today. Thanks for listening, thanks for liking, thanks for subscribing, and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Main Topics: Obfuscated JavaScript Dropper; Numbers in Passwords; Adobe Acrobat 0-Day Patch; ClickFix Bypass in macOS
In today’s episode, Johannes B. Ullrich delivers a concise, information-packed summary of the latest developments in cybersecurity. The main focus revolves around the analysis of sophisticated JavaScript malware delivering Formbook, trends in password selection and attacker behavior, an emergency zero-day patch from Adobe, and attackers’ response to Apple’s recent ClickFix protection in macOS.
Summary:
The episode starts with a highlight of Xavier’s analysis of a JavaScript-based malware dropper delivering Formbook.
Technical Detail:
The sample carries about 11 megabytes of JavaScript that is never used: ASMDB, a documentation database of assembly instructions packaged as a JavaScript file, harmless padding that inflates the file. A much smaller, lightly obfuscated portion does the real work: it downloads three PNG files that are not images at all but encrypted PowerShell scripts, which in turn download Formbook.
Recommendation:
For those interested in the technical specifics of deobfuscation, Johannes points to Xavier’s detailed diary.
Notable Quote:
“First of all, it did contain 11 megabytes of JavaScript that was really just not used… But then there is a little bit of less obfuscated JavaScript that will then just download three PNG files... these PNG files are not images in a classical sense, but as encrypted PowerShell scripts.”
— Johannes B. Ullrich [00:22]
Summary:
Jesse’s research offers an in-depth look at the use of numbers in passwords, especially years (e.g., “2026”), based on data from SANS honeypots.
Findings:
The most common digits in attempted passwords are 0, 1, 2 and 3, driven largely by the "20" prefix of current years and the 25 and 26 suffixes. A heat map over time shows 2025 as last year's most common four-digit combination; it remains very common in early 2026, with 2026 picking up more slowly, likely because attackers do not update their tools immediately and users replace their 2025 passwords gradually through the year. Plain number sequences unrelated to years are also frequent. Some counts are false positives: careless attacker scripts sometimes submit fragments of their own command lines into the username or password field (Jesse found a ping count of 10,000 recorded this way).
Advice:
Do not use current years or obvious number sequences in passwords; attackers actively try these common patterns.
Notable Quote:
"Don't use your year or any sort of straight number sequences like 1, 2, 3, 4, 5 into your passwords. That's certainly something that attackers are looking for."
— Johannes B. Ullrich [02:43]
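As an added illustration of the kind of tally Jesse's diary describes (example code written for this page, not the ISC's own analysis script): it counts year suffixes, digit frequency and ascending digit sequences over a constructed set of honeypot password guesses, and sets aside entries that are really fragments of an attacker's script, such as the ping count example. The sample values and the command-fragment heuristic are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of password guesses as an SSH honeypot might log them.
# These are made-up values for illustration, not real honeypot data.
SAMPLE_ATTEMPTS = [
    "admin2025", "Welcome2026", "password2025!", "Summer2025",
    "12345", "123456", "qwerty2024", "ping -c 10000 203.0.113.5",
    "root", "P@ssw0rd2025", "123456789", "Passw0rd",
]

# A four-digit year (19xx or 20xx) not embedded in a longer digit run.
YEAR_RE = re.compile(r"(?<!\d)(19\d{2}|20\d{2})(?!\d)")
# A run of at least four consecutive ascending digits, e.g. "12345".
SEQUENCE_RE = re.compile(r"(?:1234|2345|3456|4567|5678|6789)")
# Heuristic (assumed, not from the diary) for the false positives Jesse noted:
# a "password" that is really a fragment of the attacker's own script,
# recognised by a common tool name at the start or a flag such as -c.
COMMAND_RE = re.compile(r"^(ping|curl|wget|sh|bash|nc)\b|\s-\w")


def looks_like_command_fragment(pw: str) -> bool:
    """True when the password field looks like a shell command line."""
    return " " in pw and COMMAND_RE.search(pw) is not None


def analyze(attempts):
    """Tally year suffixes, digit frequency and digit sequences, separating
    out command fragments so they do not distort the counts."""
    years, digits = Counter(), Counter()
    sequences, noise = 0, []
    for pw in attempts:
        if looks_like_command_fragment(pw):
            noise.append(pw)
            continue
        years.update(YEAR_RE.findall(pw))
        digits.update(ch for ch in pw if ch.isdigit())
        if SEQUENCE_RE.search(pw):
            sequences += 1
    return {"years": years, "digits": digits,
            "sequences": sequences, "noise": noise}


if __name__ == "__main__":
    result = analyze(SAMPLE_ATTEMPTS)
    print("years:", result["years"].most_common(3))
    print("digits:", result["digits"].most_common(4))
    print("sequence passwords:", result["sequences"])
    print("dropped command fragments:", result["noise"])
```

Run against a real honeypot log, the same tally reproduces the year heat map by bucketing results per day or week, and the set-aside list shows how much of the "numbers in passwords" signal is actually script debris.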
Summary:
Adobe has released an emergency patch for a remote code execution vulnerability in Acrobat Reader, which is already seeing targeted exploitation.
Key Points:
The flaw is a remote code execution vulnerability in Acrobat Reader that became known late last week and is already exploited, so far only against specific organizations. Adobe released the fix out of band, a few days before its regular Tuesday patch release and over a weekend; public availability of a patch typically starts the race between defenders patching and attackers broadening exploitation.
Recommendation:
Patch immediately, even though broad attacks haven't begun yet.
Notable Quote:
“It's a remote code execution vulnerability, so definitely something that you must address quickly. […] That of course starts the race between patching and largest possible exploitation effect. So definitely get started on patching.”
— Johannes B. Ullrich [03:30]
Summary:
Apple's latest major macOS release added a ClickFix countermeasure that monitors what a user pastes into Terminal, but attackers swiftly found a workaround that routes the pasted command through Script Editor and the AppleScript URL scheme instead.
Key Details:
According to Jamf, attackers now have victims paste into Script Editor rather than Terminal, which the current ClickFix protection does not cover. The AppleScript URL scheme makes this simpler than the classic lure: a URL starting with AppleScript opens Script Editor automatically and places the rest of the URL into it. Defenses come back to user education plus endpoint detection and monitoring for unusual command execution. A separate minor update, macOS 26.4.3, shipped this weekend without additional security fixes.
Notable Quote:
“Instead of copy pasting into a terminal, they're now copy pasting into the script editor and apparently this is not detected by the current ClickFix protection... So it's actually even a little bit easier to convince a user to fall for this.”
— Johannes B. Ullrich [04:37]
| Time | Segment |
|-------|-----------------------------------------------------|
| 00:22 | Obfuscated JavaScript dropping Formbook |
| 01:18 | Analysis: Numbers in Passwords & Attacker Behavior |
| 03:04 | Adobe Acrobat Reader 0-Day Emergency Patch |
| 04:11 | macOS ClickFix Bypass: AppleScript Tactic |
| 05:14 | Minor macOS Update (no security fixes) |
Johannes wraps up with his standard thanks and reminder to stay tuned for tomorrow’s episode, reinforcing the dynamic and fast-paced nature of security news. This episode is particularly valuable for its practical reminders on password security, importance of patching, and the never-ending cycle of attack and defense innovation.