Spike in Port Scanning & New Windows Droppers Threaten Networks – April 3 ISC Alert

7Secure
Collection Brief
Threat Intelligence
ISC.SANS.EDU


The Internet Storm Center observed a sharp rise in automated port‑scanning activity on April 3, targeting common services such as RDP, SMB, and SSH across multiple regions. In parallel, analysts identified a previously unseen Windows dropper that downloads and executes additional payloads via a heavily obfuscated PowerShell chain. Early telemetry shows the dropper is being distributed through compromised legitimate installers and phishing attachments.

Defenders should prioritize tightening inbound firewall rules to block unused ports and enable rate‑limiting on exposed services. Deploy endpoint detection that can flag anomalous PowerShell behavior, enforce strict application whitelisting, and ensure all Windows systems are patched against the latest privilege‑escalation exploits. Rapidly updating IDS/IPS signatures with the ISC‑provided IOCs will help curb the spread before the droppers achieve broader footholds.
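
As an added example (not taken from the ISC diary or from 7Secure), the Python sketch below flags sources that probe many distinct host/port pairs on SSH, SMB and RDP inside a short window, which is the pattern that firewall rate-limiting on those services is meant to catch. The log layout, addresses, window and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED = {22: "SSH", 445: "SMB", 3389: "RDP"}  # default ports of the services named above
# Assumed log layout: "<ISO time> SRC=<ip> DST=<ip> DPT=<port> <action>"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) \w+$")

# Constructed sample log (documentation-range addresses, arbitrary date).
SAMPLE_LOG = """\
2000-01-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 DPT=3389 DROP
2000-01-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 DPT=445 DROP
2000-01-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 ACCEPT
2000-01-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.11 DPT=3389 DROP
2000-01-01T10:00:04 SRC=198.51.100.7 DST=192.0.2.11 DPT=445 DROP
2000-01-01T10:00:05 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 ACCEPT
2000-01-01T10:00:06 SRC=198.51.100.7 DST=192.0.2.12 DPT=3389 DROP
2000-01-01T10:00:07 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 ACCEPT
2000-01-01T10:00:08 SRC=203.0.113.9 DST=192.0.2.10 DPT=22 DROP
2000-01-01T10:05:08 SRC=203.0.113.9 DST=192.0.2.11 DPT=22 DROP
2000-01-01T10:10:08 SRC=203.0.113.9 DST=192.0.2.12 DPT=22 DROP
truncated line without fields
""".splitlines()

def parse(lines):
    """Yield (time, src, dst, port) for well-formed lines on watched ports."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        ts, src, dst, port = m.groups()
        if int(port) in WATCHED:
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Map each source that hit >= min_targets distinct (dst, port) pairs
    within `window` to the sorted list of services it probed."""
    recent = defaultdict(deque)  # src -> events still inside the window
    flagged = defaultdict(set)
    for ts, src, dst, port in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        if len({(d, p) for _, d, p in q}) >= min_targets:
            flagged[src].update(WATCHED[p] for _, _, p in q)
    return {src: sorted(services) for src, services in flagged.items()}

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

Counting distinct host/port pairs rather than raw connections keeps a client that repeatedly reaches one SSH host from being flagged; widening the window surfaces slower sweeps at the cost of more noise.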
