BlueHammer Is Still Unpatched, CPU-Z Went Malicious, and VMware's Exodus Accelerates
Your weekly Tech tl;dr roundup
This is an IT Support Group
Wednesday Briefing
A Windows zero-day nobody's patching, CPU-Z downloads serving malware, and the VMware exodus picks up speed

GM IT pros!
Happy Wednesday! Here's what's worth knowing this week.
-Stetson
Tech News TL;DR
This week's IT and tech news in 5-minutes-ish or less
LEAD STORY: BlueHammer Is Still Unpatched, and Microsoft Shrugged
Every Windows box in your fleet is vulnerable. Still.
On April 3rd, a researcher dropped a fully functional Windows local privilege escalation exploit on GitHub. It abuses the Windows Defender update process through Volume Shadow Copy to escalate any low-privileged user straight to NT AUTHORITY\SYSTEM. That's game over on any box it touches.
Microsoft's response? A Defender signature update. That's it. The signature is trivially bypassed, no CVE has been assigned, and no real patch exists. Two weeks later, it's still wide open.
If you're running any flavor of Windows (and let's be honest, you are), this one deserves a threat hunt. Check for unusual VSS activity and Defender update manipulation. And maybe file that MSRC feedback ticket one more time, louder. Cyderes Deep Dive
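A starting point for the threat hunt the briefing suggests, as an added example that is not from the newsletter, from Cyderes, or from the exploit author's material. It only reads state and logs; the Defender event IDs (2000/2001/2002), the 14-day window, the tool-name patterns and the `Properties[8]` index for the 4688 command line are assumptions to tune for your own environment, and 4688 command-line capture only exists if process command-line auditing is enabled.

```powershell
#Requires -RunAsAdministrator
param([int]$Days = 14)   # assumed look-back window
$since = (Get-Date).AddDays(-$Days)

# 1. Current Defender state: does the box still take updates, and when did it last update?
#    A signature set that is days stale on a machine with network access is worth a closer look.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    SignatureVersion    = $mp.AntivirusSignatureVersion
    SignatureLastUpdate = $mp.AntivirusSignatureLastUpdated
    EngineVersion       = $mp.AMEngineVersion
    PlatformVersion     = $mp.AMProductVersion
} | Format-List

# 2. Defender operational log: definition updates (2000 ok / 2001 failed) and engine updates (2002).
#    Look for bursts, or updates that fall outside your normal update window.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001, 2002
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{n = 'Summary'; e = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# 3. Shadow copies that exist right now, newest first, with the volume they were taken from.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, OriginatingMachine |
    Sort-Object InstallDate -Descending | Format-Table -AutoSize

# 4. VSS service events in the Application log over the same window (errors and warnings
#    from the VSS provider often accompany unusual shadow-copy churn).
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'VSS'; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize

# 5. Process creation (Security 4688) for shadow-copy tooling launched by ordinary users.
#    Index 8 of the event properties is the command line on Windows 8.1/2012 R2 and later
#    when auditing is enabled (assumption: verify against your own schema).
$patterns = 'vssadmin', 'shadowcopy', 'diskshadow'   # assumed patterns, extend as needed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object {
        $cmd = [string]$_.Properties[8].Value
        ($patterns | Where-Object { $cmd -match $_ }) -ne $null
    } |
    Select-Object TimeCreated,
        @{n = 'User';        e = { $_.Properties[1].Value }},
        @{n = 'CommandLine'; e = { $_.Properties[8].Value }} |
    Format-Table -Wrap
```

Run it from an elevated PowerShell prompt on a sample of endpoints first, note what "normal" looks like (scheduled backups create shadow copies too), and only then push it fleet-wide through your RMM so you are hunting for deviations rather than reading every shadow copy ever taken.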
LEAD STORY: CPU-Z and HWMonitor Were Serving Malware. Yes, Those CPU-Z and HWMonitor.
If you downloaded either tool recently, check your hashes.
The CPUID project (the people behind CPU-Z and HWMonitor, two tools that have lived on virtually every IT tech's USB toolkit since the Windows XP era) got compromised on April 10th. Attackers gained API access and swapped the official download links to serve malicious executables.
This wasn't a typosquatting domain or a fake Google ad. This was the real download page serving real malware. Supply chain attacks on trusted utilities are the kind that make you question every tool in your kit.
If anyone on your team grabbed a fresh copy in the last week, validate the hash against CPUID's known-good checksums (assuming they've published them post-incident). And maybe take this as your sign to finally stand up a vetted internal tool repo instead of downloading random EXEs every time you image a machine. Bleeping Computer
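One way to do that hash validation across a whole Downloads folder, and to make the same check the gate for a vetted internal tool repo, as an added example that is not CPUID's tooling and not from the newsletter. The manifest format (`<sha256>  <filename>`, as `sha256sum` prints it), the all-zero placeholder hashes, the placeholder publisher name and the file names are all constructed; substitute the checksums and signer the vendor publishes.

```powershell
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads",
    [string]$Manifest    = '.\known-good.sha256',
    [string]$ExpectedSigner = 'CN=PLACEHOLDER VENDOR NAME'   # placeholder, not CPUID's real subject
)

# Constructed placeholder manifest so the script runs end to end; a real one comes from the
# vendor over a channel you trust, never from the same page that served the download.
if (-not (Test-Path $Manifest)) {
@'
# <sha256>  <filename>
0000000000000000000000000000000000000000000000000000000000000000  cpu-z_x.xx-en.exe
1111111111111111111111111111111111111111111111111111111111111111  hwmonitor_x.xx.exe
'@ | Set-Content -Path $Manifest -Encoding ascii
}

function Get-ManifestTable {
    # Parse manifest lines into @{ filename = sha256 }; blank lines and '#' comments are skipped.
    param([Parameter(Mandatory)][string]$Path)
    $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(#|$)') { continue }
        if ($line -match '^\s*([0-9a-fA-F]{64})\s+\*?(.+?)\s*$') {
            $table[$Matches[2]] = $Matches[1].ToLowerInvariant()
        }
    }
    return $table
}

function Test-DownloadIntegrity {
    # Two independent checks per file: the SHA-256 against the manifest, and the Authenticode
    # signature (must be Valid AND from the publisher you expect; a valid signature from
    # someone else is exactly what a swapped download link would produce).
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][string]$Signer
    )
    $name   = Split-Path -Leaf $File
    $actual = (Get-FileHash -Path $File -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -FilePath $File
    $known  = $Expected.ContainsKey($name)
    $hashOk = $known -and ($Expected[$name] -eq $actual)
    $subj   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($subj -like "*$Signer*")
    [pscustomobject]@{
        File        = $name
        InManifest  = $known
        HashMatches = $hashOk
        SigStatus   = $sig.Status
        Signer      = $subj
        SignerOK    = $sigOk
        Verdict     = if ($hashOk -and $sigOk) { 'OK' }
                      elseif (-not $known)     { 'UNKNOWN FILE - do not run' }
                      else                     { 'MISMATCH - quarantine and investigate' }
    }
}

$expected = Get-ManifestTable -Path $Manifest
Get-ChildItem -Path $DownloadDir -File -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-DownloadIntegrity -File $_.FullName -Expected $expected -Signer $ExpectedSigner } |
    Format-Table -AutoSize
```

The same `Test-DownloadIntegrity` call is what an internal tool repo's intake step should run before a binary is allowed onto the share: if it fails either check, the file never reaches the techs who image machines.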
LEAD STORY: Western Union Is Ripping Out VMware. They Won't Be the Last.
3,900 cores. 1,200 apps. One licensing bill too many.
Western Union has officially started migrating its entire fleet, 900 to 1,200 applications across 3,900 cores, from VMware to Nutanix. The reason is the same one you've been hearing from every VMware customer since Broadcom took over: the licensing costs are untenable.
The numbers tell the story. 70% of enterprise VMware customers are expected to migrate at least half their workloads by 2028. Only 19 VCSP partners remain in the US, down from hundreds. If you're an MSP still building on VMware, the question isn't whether to migrate; it's whether you're already behind.
The irony is that Broadcom keeps insisting the new model is "simpler." It is simpler. It's simpler to just leave. The Register
QUICK HITS
The rest of the chaos, speed-round style.
Citrix NetScaler Is Leaking Session Tokens in the Wild
CVE-2026-3055 (CVSS 9.3): an unauthenticated memory overread on NetScaler ADC/Gateway when configured as a SAML IDP. Attackers are actively harvesting active session tokens from memory. CISA added it to the KEV catalog on April 9th. If you're running NetScaler with SAML, this is a stop-what-you're-doing-and-patch situation. Rapid7
VENOM Phishing Platform Is Eating C-Suites for Lunch
A new Phishing-as-a-Service platform specifically targets executives; 60% of victims hold C-level titles. It uses Unicode-rendered QR codes to dodge scanners and proxies real-time Microsoft login flows to capture session tokens, cleanly bypassing MFA. This is what your users' "but I have MFA" confidence is up against. Abnormal AI
ConnectWise Promises 15-Minute EDR Response SLA
ConnectWise launched "Modern Threat Protection" with an industry-first 15-minute SLA on Managed EDR response. Bold claim, especially when their own 2026 threat report says RMM tool abuse is up 277% year-over-year. The promise meets scary reality; MSPs will be watching closely to see if this holds up at scale. GlobeNewswire
GitHub Copilot Will Train on Your Code Starting April 24th
Microsoft is updating GitHub's policy so Copilot Free, Pro, and Pro+ customer interaction data gets used for model training starting April 24th. Business and Enterprise tiers are exempt. If you're on a personal plan and prefer your code stays out of the training set, you've got nine days to opt out. The Register
That's the Wednesday briefing. Validate your tool downloads, threat-hunt for BlueHammer, and start that VMware migration conversation if you haven't already.
Stay paranoid. Stay patched. See you next Friday
Master Claude AI (Free Guide)
The professionals pulling ahead aren't working more. They're using Claude.
Our free guide will show you how to:
Configure Claude to be the perfect assistant
Master AI-powered content creation
Transform complex data into actionable strategies
Harness Claude's full potential
Transform your workflow with AI and stay ahead of the curve with this comprehensive guide to using Claude at work.

