
SANS Stormcast Thursday, April 2nd, 2026: Script Removing ADS/MotW; Google Chrome 0-Day; iOS/iPadOS 18 Update;
Hello and welcome to the Thursday, April 2, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Orlando, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control Systems Security.

And Xavier today looked at an interesting malicious script that, in order to obtain persistence, did write a file to the file system, but then removed the zone identifier from the file. I've talked about this quite often already. The Mark of the Web, that appears to be the intent here. The zone identifier is an alternate data stream in Windows that is used to mark a file that was downloaded from the Internet. And of course in incident response, if you're looking for suspicious files, that's often an indicator that an analyst may be looking for. So by removing this indicator using a quick PowerShell command, the attacker is decreasing the chance of the file being discovered.

And Google released updates for Google Chrome. This update fixes 21 different vulnerabilities. One of these vulnerabilities is already being exploited. The exploited vulnerability is a use-after-free vulnerability in Dawn. Dawn is the component in Google Chrome that implements WebGPU. So that's the component that is being attacked here. And not the first time that we had a critical vulnerability in Dawn.

And Apple has done it again. Apple has released another operating system update for iOS 18. We are now up to iOS 1/1/18 as well as iPadOS 18. The trigger for this update was yet again the Dark Sword attack. This is an attack that uses vulnerabilities that used to be more the domain of more sort of state-sponsored malware, but now is more widely used, and it can be found on various websites that then affect these vulnerable devices. Since particularly these older devices don't have some of the more modern sort of countermeasures, well, they're particularly vulnerable to these types of exploits.

This update does not just fix vulnerabilities that are part of the Dark Sword exploit kit, but fixes a total of 25 different vulnerabilities. So certainly worthwhile updating. And yes, this goes all the way back to the iPhone XR, which was released approximately 10 years ago.

And ASUS fixed a cross-site request forgery vulnerability in its routers. We actually just talked about this type of vulnerability in routers in class yesterday, because one place where these cross-site request forgery vulnerabilities are routinely being exploited is these types of home routers because, well, there are plenty of them out there. And so placing an exploit like this on a random website may yield results in catching a couple of vulnerable or badly configured routers. Using this vulnerability, an attacker is able to essentially reconfigure your router without the user actually noticing anything bad happening.

Well, and this is it for today. Thanks for listening, thanks for subscribing, thanks for liking this podcast, and any comments, as always, are more than welcome, and talk to you again tomorrow. Bye.
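The Mark of the Web check the episode describes, turned into an incident-response audit. This is an added example, not code from the podcast, from Xavier's diary or from SANS ISC; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the parameter names, defaults and extension list are assumptions made for the example.

```powershell
# Added example (not from the podcast): list recently modified files under $Path
# and report whether each still carries the Zone.Identifier alternate data stream
# (the Mark of the Web), decoding ZoneId and HostUrl where the stream is present.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed default
    [int]$Days = 7,                                  # look-back window, assumed
    # Extensions worth a second look when the MotW is missing (assumed list).
    [string[]]$Watch = @('.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.lnk', '.hta')
)

$cutoff = (Get-Date).AddDays(-$Days)

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -ge $cutoff } |
  ForEach-Object {
    $file    = $_
    $zoneId  = $null
    $hostUrl = $null

    # Get-Item -Stream fails (non-terminating) when the named stream does not exist,
    # i.e. the MotW was never applied or has been stripped from the file.
    $stream  = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hasMotW = ($null -ne $stream)

    if ($hasMotW) {
        # Typical stream body: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
            if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
        }
    }

    [pscustomobject]@{
        File     = $file.FullName
        Modified = $file.LastWriteTime
        HasMotW  = $hasMotW
        ZoneId   = $zoneId        # 3 = Internet, 4 = Restricted sites
        HostUrl  = $hostUrl
        # A missing MotW on a script or binary is a lead, not proof: files built
        # locally never had one. Correlate with creation time and process telemetry.
        Review   = (-not $hasMotW) -and ($Watch -contains $file.Extension.ToLower())
    }
  } |
  Sort-Object -Property Review, Modified -Descending |
  Format-Table -AutoSize
```

Run it against download and temp locations during triage; files flagged `Review = True` are the ones whose origin needs to be established from other evidence.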
Episode Title: Script Removing ADS/MotW; Google Chrome 0-Day; iOS/iPadOS 18 Update
Host: Johannes B. Ullrich
Date: April 2, 2026
In this concise, information-packed episode, Johannes B. Ullrich delivers a rapid update on the latest critical cybersecurity issues. Topics include a malicious script that drops a file for persistence and then strips the Mark of the Web (the Zone.Identifier alternate data stream) to evade detection, a critical 0-day use-after-free in Google Chrome’s WebGPU (Dawn) component, a significant iOS/iPadOS 18 patch triggered by the Dark Sword campaign, and a cross-site request forgery (CSRF) flaw in ASUS routers. Security pros will find actionable insights and a frank assessment of risks affecting both enterprise and consumer systems.
On MotW evasion:
“By removing this indicator using a quick PowerShell command, the attacker is decreasing the chance of the file being discovered.”
— Johannes B. Ullrich [01:04]
On Chrome’s Dawn vulnerabilities:
“Not the first time that we had a critical vulnerability in Dawn.”
— Johannes B. Ullrich [01:32]
On ‘Dark Sword’ in the wild:
“These vulnerabilities used to be more the domain of more sort of state sponsored malware, but now is more widely used … particularly these older devices … are particularly vulnerable to these types of exploits.”
— Johannes B. Ullrich [02:08]
On ASUS router CSRF risk:
“Attacker is able to essentially reconfigure your router without the user actually noticing anything bad happening.”
— Johannes B. Ullrich [03:13]
Johannes maintains a focused, concise, and practical tone, balancing technical explanation with actionable advice for all listeners. The language is clear and informative, speaking directly to both IT admins and broader security-aware audiences.
Summary:
This episode highlights evolving attacker sophistication—especially for endpoint and browser threats—and reinforces the necessity of rapid patching for both software and everyday home devices. Listeners are urged to remain vigilant for novel persistence techniques, to update Chrome and Apple devices immediately, and to not overlook home routers as critical security infrastructure.