Week in Review
Payroll Pirates, Trojanized Downloads & an Adobe Zero-Day: This Week's Cyber Threats Ontario SMBs Can't Ignore
247Techify Editorial | April 12, 2026
The week of April 7–12 delivered a sharp reminder that cyber threats are not a problem reserved for large corporations. Attackers are actively targeting Canadian employees for payroll theft, poisoning the very software tools that your team relies on every day, and racing to exploit newly disclosed vulnerabilities before IT teams have a chance to patch. If your business runs on Windows, uses Adobe Acrobat, or has employees who download utilities like CPU-Z, there is something on this list that requires your attention today.
We've combed through the top security sources — BleepingComputer, The Hacker News, and global law-enforcement bulletins — to bring you the five stories with the most direct relevance to Ontario small and medium-sized businesses. Here's what happened, and more importantly, what you should do about it right now.
Story 01
"Payroll Pirates" Are Hijacking Canadian Employee Accounts to Steal Salaries
A financially motivated threat actor tracked as Storm-2755 has been running a targeted campaign against Canadian employees, compromising their workplace accounts and redirecting salary deposits to attacker-controlled bank accounts. Dubbed "Payroll Pirates" by security researchers, the campaign uses credential-stuffing and phishing to gain access to HR portals and payroll systems. Once inside, they quietly change direct-deposit details and wait for payday — by the time the employee notices, the money is gone. The campaign has been particularly active against mid-size businesses in professional services and manufacturing sectors across Canada.
The takeaway for Ontario businesses:
Enable multi-factor authentication (MFA) on every HR and payroll portal immediately. Put a policy in place that requires any change to direct-deposit banking information to be verified by a phone call to the employee at their number on file — not via email or ticket. One verification call costs nothing; one redirected payroll run can cost thousands.
Story 02
Hackers Replaced CPUID's CPU-Z and HWMonitor Downloads with Malware for 19 Hours
Between April 9 and April 10, unknown attackers compromised CPUID's website and quietly swapped the download links for two popular PC diagnostic tools — CPU-Z and HWMonitor — with malicious installers delivering the STX Remote Access Trojan (RAT). For roughly 19 hours, anyone who downloaded either tool from the official website received malware that gave attackers full remote control of their machine. CPUID has since restored the legitimate files, but the window was wide open long enough to infect an unknown number of systems. Anyone who downloaded these tools between April 9 at 3:00 PM UTC and April 10 at 10:00 AM UTC should treat their machine as compromised.
The takeaway for Ontario businesses:
This is a supply-chain attack — a trusted source was turned against its own users. Check whether any employee downloaded CPU-Z or HWMonitor during that window and run a full malware scan immediately. Going forward, verify software file hashes before installing, and consider restricting which websites your team can download executables from. Your IT provider can set this up quickly.
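A triage sketch for the check described above, added here as an example and not taken from CPUID or any vendor tooling: it lists CPU-Z and HWMonitor installers under user profiles, flags those created inside the article's exposure window, and records each file's SHA-256 and download source for comparison. The function name, search roots, file-name pattern and the empty `$KnownGoodSha256` placeholder are assumptions.

```powershell
# Added example: exposure window as stated in the article (UTC).
$WindowStart = [datetime]::new(2026, 4, 9, 15, 0, 0, [System.DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2026, 4, 10, 10, 0, 0, [System.DateTimeKind]::Utc)

# Assumption: the installer kept a recognisable file name; renamed copies are missed.
$NamePattern = '(?i)cpu-?z|hwmonitor'

# Placeholder: SHA-256 values of the legitimate installers, obtained from the
# vendor through a separate channel. Left empty here on purpose.
$KnownGoodSha256 = @()

function Find-CpuidDownload {
    param([string[]]$Root = @('C:\Users\*\Downloads', 'C:\Users\*\Desktop'))

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $NamePattern -and $_.Extension -in '.exe', '.zip' } |
        ForEach-Object {
            $file = $_
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            # Creation time is the download time unless the file was later copied.
            $inWindow = $file.CreationTimeUtc -ge $WindowStart -and $file.CreationTimeUtc -le $WindowEnd

            # Browsers record the download source in the Zone.Identifier stream (NTFS only).
            $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $source = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

            $verdict = if ($KnownGoodSha256 -contains $hash) {
                'matches known-good hash'
            } elseif ($inWindow) {
                'downloaded in window: treat machine as compromised'
            } else {
                'outside window, hash unverified'
            }

            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Path       = $file.FullName
                CreatedUtc = $file.CreationTimeUtc
                Source     = $source
                SHA256     = $hash
                Verdict    = $verdict
            }
        }
}

Find-CpuidDownload | Format-List
```

Run it from an elevated prompt so other users' profile folders are readable. An empty result only shows that no matching file remains on disk, not that nothing was downloaded and later deleted.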
Story 03
Adobe Issues Emergency Patch for Actively Exploited Acrobat Reader Flaw
Adobe released an out-of-band emergency security update this week to address CVE-2026-34621, a critical vulnerability in Adobe Acrobat Reader rated CVSS 8.6 that is already being actively exploited in the wild. The flaw is a prototype pollution vulnerability that allows an attacker to execute arbitrary code on a victim's machine simply by getting them to open a maliciously crafted PDF. Since Acrobat Reader is installed on virtually every business computer and PDFs are one of the most common file formats shared by email, the attack surface here is enormous. Versions 26.001.21367 and earlier on both Windows and macOS are affected.
The takeaway for Ontario businesses:
Open Adobe Acrobat Reader right now, go to Help > Check for Updates, and install any available update. Do this on every computer in your office today — not next week. If you use Adobe Acrobat as part of a software subscription, your IT provider should be pushing this patch immediately. A single malicious PDF in one inbox is all it takes.
Story 04
International Bust Uncovers 20,000+ Crypto Fraud Victims — Many in Canada
A joint operation involving law enforcement from Canada, the United Kingdom, and the United States has identified more than 20,000 victims of an organized cryptocurrency investment fraud network. The UK's National Crime Agency led the investigation, which uncovered a sophisticated scheme that used social engineering — often starting with fake LinkedIn connections or unsolicited WhatsApp messages — to lure victims into fraudulent investment platforms. Victims were shown fabricated dashboards displaying impressive returns until they tried to withdraw funds, at which point the platforms disappeared. Canadian victims were among the hardest hit, with some individuals losing retirement savings.
The takeaway for Ontario businesses:
Brief your team: any unsolicited investment opportunity that arrives via social media, WhatsApp, or email is almost certainly a scam. This is especially important for employees who manage business finances or are active on LinkedIn. If a vendor or partner ever asks your business to transact in cryptocurrency for an unusual reason, treat that as a red flag and verify through a separate, trusted channel.
Story 05
Chrome 146 Blocks a Long-Running Attack on Your Business's Web Sessions
Google released Chrome 146 this week with a significant security upgrade called Device Bound Session Credentials (DBSC), now available to all Windows users. The feature addresses a widespread attack technique where malware steals session cookies from your browser — the small tokens that keep you logged into online banking, Microsoft 365, QuickBooks Online, and other web apps. With stolen cookies, attackers can access your accounts without ever knowing your password or passing an MFA check. DBSC ties these session tokens to the specific device, making them useless if stolen. It's one of the most impactful browser security improvements in years and it's rolling out automatically.
The takeaway for Ontario businesses:
Make sure Chrome auto-updates are not being blocked on your business computers. Check that you're running Chrome 146 or later (Help > About Google Chrome). This is a free, automatic defence — but only if updates are actually running. If your team uses Microsoft Edge, watch for a similar feature coming in the next Chromium update cycle.
"Attackers aren't waiting for a convenient time to strike. This week's stories share one common thread: the gap between when a threat emerges and when most businesses respond is exactly where attacks succeed. Closing that gap is the only strategy that works."
Your Quick Checklist
🔐
Enable MFA on payroll and HR portals
If Storm-2755 can't get past a second factor, your payroll stays in your team's hands. Check every portal your HR team logs into — not just email.
📄
Patch Adobe Acrobat Reader today
CVE-2026-34621 is being actively exploited. Open Acrobat, go to Help > Check for Updates, and make sure every machine is on version 26.001.21368 or later.
🔍
Check if anyone downloaded CPU-Z or HWMonitor on April 9–10
If so, run a full endpoint scan immediately. The STX RAT gives attackers full remote control of infected machines — this cannot wait until next week's IT check-in.
🌐
Confirm Chrome auto-updates are running
Chrome 146's DBSC feature protects your team's active web sessions from being stolen. Verify everyone is on 146 or later — it only takes 30 seconds to check.
💼
Require a call-back to verify any banking or payroll changes
Any request to change a direct deposit account or payment destination — regardless of who it appears to come from — should be confirmed by calling the employee or vendor directly at a number you already have on file.
⚠️
Brief staff on crypto investment scams
With 20,000+ victims identified in the recent bust — many in Canada — remind your team that any unsolicited investment opportunity via LinkedIn, WhatsApp, or email is almost certainly a fraud. If your business finances are ever mentioned, escalate immediately.
The Bottom Line
This week's threat landscape reinforces something that should be top of mind for every Ontario business owner: the most dangerous attacks aren't exotic, state-sponsored hacks. They're opportunistic campaigns targeting the exact tools and platforms your team uses every day. Payroll portals, PDF readers, diagnostic utilities, browser sessions — these are the battlegrounds, and the attackers know it.
The good news is that every story in today's roundup has a clear, actionable defence. None of the recommended actions require a big IT budget or specialized knowledge. Patching software, enabling MFA, verifying banking changes by phone, and keeping browsers updated are habits that create compounding protection over time. Each good habit closes one more door that attackers rely on being left open.
If you're not sure whether your business is running the right patches, has MFA enforced everywhere it should be, or has the right monitoring in place to catch something like the STX RAT before it causes damage — that's exactly what a security review is for. The cost of an hour's conversation is a fraction of the cost of a single incident. Don't wait for a payroll theft or a ransomware notice to find out where your gaps are.