CyberWire Daily

This week, we are joined by Santiago Pontiroli, Threat Intelligence Research Lead from Acronis TRU team, discussing their work on "New year, new sector: Transparent Tribe targets India’s startup ecosystem." The Acronis Threat Research Unit uncovered a new campaign by Transparent Tribe showing the group has expanded beyond traditional government and defense targets to India’s startup ecosystem, especially cybersecurity and OSINT-focused firms. The attackers use startup-themed lures delivered via ISO files and malicious shortcuts to deploy Crimson RAT, a highly obfuscated tool capable of surveillance, data theft, and system control. Despite this shift, the campaign closely mirrors the group’s long-standing espionage tactics, suggesting startups are being targeted for their connections to government, law enforcement, and sensitive intelligence networks. The research and executive brief can be found here: New year, new sector: Transparent Tribe targets India’s startup ecosystem Learn more about your ad choices. Visit megaphone.fm/adchoices

Cloud data centers come under fire in wartime. A massive dark web intelligence database is exposed. Chinese hackers exploit a video conferencing zero-day. The intelligence community rolls out cyber modernization plans. React2Shell attacks spread at scale. Iowa sues UnitedHealth over the Change Healthcare breach. France moves to bar kids from social media. Researchers warn about hidden risks in power regulation. An insider extortion plot locks admins out of hundreds of servers. Our guest Brandon Karpf, friend of the show, with insights on the war in Iran. Espresso exploit exposes executive emails. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Brandon Karpf, friend of the show, discussing defending critical infrastructure against Iran. Selected Reading What Happens When Data Centers Become Military Targets? (GovInfo Security) Shared EnemShared Enemy: Inside a Chinese Dark Web Monitoring Database | UpGuardy: Inside a Chinese Dark Web Monitoring Database (UpGuard) TrueConf Zero-Day Exploited in Asian Government Attacks (SecurityWeek) ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review (CyberScoop) React2Shell Exploited in Large-Scale Credential Harvesting Campaign (SecurityWeek) State AG Sues Change Healthcare in 2024 Ransomware Attack (GovInfo Security) French Senate passes bill that would ban children under 15 from social media (The Record) The silent dependency: DC power regulation in cyber‑physical security (NCC Group) Man admits to locking thousands of Windows devices in extortion plot (Bleeping Computer) The company's biggest security hole lived in the breakroom (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

A fake WhatsApp spreads spyware. The State Department pushes embassies to counter influence ops. Cisco patches critical bugs. CrystalRAT hits Telegram. A Texas hospital breach affects 250,000. HHS reshuffles IT oversight. China-linked spies target Europe. EvilTokens hijacks Microsoft accounts. Ransomware hits a North Dakota water plant. Sumedh Thakar, President and CEO of Qualys, discusses how cybersecurity is shifting toward managing real business risk. Tales of a tortoise's termination have been greatly exaggerated. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Sumedh Thakar, President and CEO of Qualys, discusses how cybersecurity is shifting toward managing real business risk amid rapid technological change. If you enjoyed this interview, check out the full conversation here. Selected Reading WhatsApp notifies hundreds of users who installed a fake app made by government spyware maker (TechCrunch) Trump Officials Try to Fight Foreign Disinformation They Once Dismissed (The New York Times) Cisco Patches Critical and High-Severity Vulnerabilities (SecurityWeek) New CrystalRAT malware adds RAT, stealer and prankware features (Bleeping Computer) 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital (SecurityWeek) HHS Shuffles Internal Cyber, AI Oversight Back to CIO Office (GovInfo Security) European-Chinese geopolitical issues drive renewed cyberespionage campaign (CyberScoop) New EvilTokens service fuels Microsoft device code phishing attacks (Bleeping Computer) North Dakota water treatment plant reports March ransomware attack (The Record) World’s oldest tortoise caught in viral crypto death scam | St Helena (The Guardian) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Iran’s cyber campaign continues. North Korea targets the axios NPM package. Cisco suffers a Trivy-related breach. Claude’s code leak unveils broad capabilities. The DOD’s zero-trust efforts are slow-going. A proposed class action suit accuses Perplexity of oversharing. Google patches another Chrome zero-day. The FBI warns against using foreign-developed mobile apps. Christy Wyatt, CEO from Absolute Security, discussing why cyber risk is now a business continuity problem. A city circulates cameras to cultivate crime control. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Christy Wyatt, CEO from Absolute Security, discussing why cyber risk is now a business continuity problem. If you enjoyed this conversation, tune in here to listen to the full interview. Selected Reading Iran's hackers are on the offensive against the US and Israel (Ars Technica) Cisco Source Code and AWS Keys Stolen in Trivy Supply Chain Attack (Beyond Machines) Claude Code's source reveals extent of system access (The Register) Pentagon's Zero Trust Push Faces a 2027 Reality Check (GovInfo Security) Perplexity AI Machine Accused of Sharing Data With Meta, Google (Bloomberg) Google fixes fourth Chrome zero-day exploited in attacks in 2026 (Bleeping Computer) FBI warns against using Chinese mobile apps due to privacy risks (Bleeping Computer) North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack (Google Cloud Blog) Silicon Valley city to give residents doorbells equipped with cameras (The Guardian) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Iranian-linked hackers warn of possible “irreparable” attacks on U.S. water systems. CISA pushes urgent fixes for a critical Citrix flaw. The Dutch Finance Ministry takes systems offline after a breach. Space Force may scrap next-gen GPS control software. Attackers exploit a Fortinet server bug. Lloyds exposes customer transaction data. AI and regulation reshape cyber careers. The FTC settles with a dating app over data sharing. Sam Rubin, SVP, Palo Alto Networks Unit 42 Consulting and Threat Intelligence, discusses Iran's shift to identity weaponization. Wikipedia wrestles with a wayward writer. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Sam Rubin, SVP, Palo Alto Networks Unit 42 Consulting and Threat Intelligence, discussing Iran's shift to identity weaponization. If you enjoyed this conversation, tune in here to listen to the full conversation. Selected Reading Iranian Cyberthreats Test US Infrastructure Defenses (BankInfo Security) CISA tells federal agencies to patch Citrix NetScaler bug by Thursday (The Record) Dutch Ministry of Finance takes treasury systems offline amid cyber incident investigation (Security Affairs) After 16 years and $8 billion, the military's new GPS software still doesn't work (Ars Technica) Exploitation of Critical Fortinet FortiClient EMS Flaw Begins (SecurityWeek) Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers (Infosecurity Magazine) SANS Research: The Cybersecurity Talent Shortage Narrative Is Wrong. The Real Crisis Is Skills, and AI Just Rewrote the List. (Yahoo Finance) FTC Takes Action Against Match and OkCupid for Deceiving Users by Sharing Personal Data with Third Party (FTC) Business Briefing (N2K Pro) An AI Agent Was Banned From Creating Wikipedia Articles, Then Wrote Angry Blogs About Being Banned (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of CISO Perspectives. In the season finale of CISOP, Kim Jones is joined by N2K’s own Ethan Cook to reflect on the conversations that shaped this season. Together, they revisit standout moments from Kim’s interviews, unpacking their significance and getting Ethan’s fresh perspective on the cybersecurity workforce challenge—as someone viewing the industry from the outside. Since the mid-season reflection, Kim has explored a wide range of workforce issues, including skills mapping, talent identification, and the evolving strategies needed to close cybersecurity’s talent gap. Learn more about your ad choices. Visit megaphone.fm/adchoices

Iran-linked hackers claim a breach of the FBI director’s personal email. ShinyHunters hit the European Commission. F5 and Citrix warn of actively exploited flaws. A WordPress plugin exposes hundreds of thousands of sites. Infinity Stealer targets macOS users. A Russian APT adopts a new iOS exploit kit. Treasury weighs a cyber insurance backstop. DHS clears suspended CISA staff. Our guest is Brian Long, CEO and Co-Founder of Adaptive Security, discussing deepfake job hires and the new identity attack surface. Bureaucrats bless a black-box behemoth. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Today, Dave Bittner is joined by Brian Long, CEO and Co-Founder of Adaptive Security, discussing deepfake job hires and the new identity attack surface. AI-generated identities are turning the hiring process into a new entry point for attackers. The solution isn’t spotting perfect fakes — it’s building stronger identity verification into hiring. Tune into the full conversation here. Selected Reading Iran-linked hackers breach FBI director's personal email, publish photos and documents European Commission confirms data breach after Europa.eu hack Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now Critical Citrix NetScaler Vulnerability Exploited in the Wild - Infosecurity Magazine File read flaw in Smart Slider plugin impacts 500K WordPress sites New Infinity Stealer malware grabs macOS data via ClickFix lures Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit - SecurityWeek US Treasury Weighs Cyber Insurance Backstop - GovInfoSecurity DHS drops investigation into former acting CISA chief’s failed polygraph exam - Nextgov/FCW Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices