
SANS Stormcast Monday, April 20th, 2026: Lumma Stealer and Sectop RAT; Windows 0-Day Exploited; NIST NVD Update; FortiSandbox PoC
Hello and welcome to the Monday, April 20, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Fundamentals.

In diaries today we got another reverse analysis and forensics walkthrough by Pratt. Pratt is talking about Lumma Stealer and SecTop RAT. The way this particular infection starts is sadly the common trick of offering commercial software for free, so basically cracked versions of various Adobe products. In this particular case, the user downloads an actually suspiciously small zip file that then extracts into a rather large, around 800 MB, executable. The executable is so large because it's just padded with zeros, and that of course is often used to prevent anti-malware products from scanning it. In this case, it may also make the particular executable more plausible, because the user may expect a certain size of executable for these products. Now, as the user then starts the executable, that's where Lumma Stealer is first installed and then later SecTop RAT. So first credentials are being stolen, and then persistent access is being provided by the remote access tool.

And then we have a series of postings by Huntress Labs to X that explain how they're seeing the three recent vulnerabilities in Windows Defender being exploited. All three of these vulnerabilities were discovered, and proof-of-concept code was released, by an individual that goes by the name of Nightmare Eclipse. The first vulnerability here is referred to as Undefend. This vulnerability just disables Windows Defender. The second one, Bluehammer, is a remote code execution vulnerability that was patched this month. And the third one, Redsun, is a remote code execution vulnerability that has so far not been patched. So out of these three vulnerabilities, only one is patched, and one of the remaining unpatched vulnerabilities does allow remote code execution, and with that, essentially, privilege escalation. Not too much you can do about this since there's no patch available. Just be aware, and, well, hopefully if you are getting compromised, this information may help you sort of figure out what exactly happened. Again, these are the two unpatched ones: one disables Windows Defender, the second one is a privilege escalation vulnerability.

Well, it was less than a week ago that we got an update for FortiSandbox from Fortinet, and this was an arbitrary code execution vulnerability, an OS command injection vulnerability. We do have a proof of concept for this vulnerability now, so exploitation should be imminent if it's not already ongoing. It's a fairly straightforward and easy to execute exploit. So definitely something that, if you're running across a FortiSandbox system now that hasn't been patched yet, well, assume compromise at this point.

Well, I have been talking about this a couple of times before, and it has been widely reported that NIST has had a real hard time keeping up with new vulnerabilities as they're being reported, in order to add them not only to their NVD database but also to then add enrichments, essentially additional data that allows you to better deal with these vulnerabilities. NIST to some extent has now thrown in the towel and states that they're no longer going to attempt to enrich every single vulnerability being reported. Instead they're going to prioritize certain types of software, and, well, no surprise, they're mostly dealing with the federal government. So any software that is being used by the federal government will be prioritized. Also, software that's already in the Known Exploited Vulnerabilities list will be prioritized. And then there is a class of software that they're defining as, well, critical software, and there is actually an executive order that defines it a little bit better. It's essentially security-relevant software, software that runs with elevated privileges, and then also software that deals with operational technology, so OT, essentially industrial control system software. This is no real big surprise, and to some extent it may not really affect that much how you're using the NVD, given that if software is used by the federal government, well, there's a good chance others will use it too. Or if there is widely distributed, widely used software, then yes, the federal government usually uses it. So that should cover most of what I would consider important software that's worthwhile covering and spending the time on actually adding all the details. We'll see how this all goes. And there have been a couple of other efforts, like vulnerability databases and such put out by the private sector, that stated they'll step in there a little bit and provide their own enrichment, so we'll see where it falls out. And at this point at least we have a solid prioritization of what is actually being enriched. And, well, essentially they can't do it for everything, and it's probably only going to get worse with a rush of vulnerabilities being discovered with new AI tools.

Well, and this is it for today. So thanks again for listening, thanks for liking, and thanks for subscribing to this podcast, and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Main Theme:
A concise rundown of critical cybersecurity developments, with a focus on fresh malware infections, newly exploited Windows Defender 0-days, an important FortiSandbox PoC, and a major update from NIST on the handling of vulnerability data.
This episode offers a rapid but thorough appraisal of current cyber threats—emphasizing the practical risks of downloading pirated software, the dangers posed by unpatched Windows Defender vulnerabilities, the urgency for FortiSandbox users to patch immediately, and a candid assessment of NIST’s focus in vulnerability data management. The episode is fact-dense and pragmatic, equipping listeners with context and priorities for action, especially regarding immediate patching, awareness of novel attack chains, and realistic outlooks on vulnerability data completeness for security teams.