Double-edged threat. [Research Saturday]

Today we are joined by Justin Albrecht, Principal Researcher at Lookout, discussing "Attackers Wielding DarkSword Threaten iOS Users." DarkSword is a highly sophisticated iOS exploit chain discovered by Lookout that targets iPhones (iOS 18.4–18.6.2), enabling near zero-click compromise and rapid theft of sensitive data, including credentials and cryptocurrency wallet information. Likely deployed by a Russia-linked threat actor (UNC6353) against Ukrainian users, it uses watering hole attacks on compromised websites and operates in a “hit-and-run” fashion—exfiltrating data within minutes before wiping traces. The campaign highlights a growing secondary market for advanced exploits, allowing financially motivated groups to access powerful tools once reserved for state actors, significantly expanding the mobile threat landscape. The research and executive brief can be found here: ⁠Attackers Wielding DarkSword Threaten iOS Users Learn more about your ad choices. Visit megaphone.fm/adchoices

Five Eyes agencies issue agentic AI guidance. A federal database leaks Social Security numbers. A stealthy worm poisons open source packages. OT firms are sidelined from frontier cyber models. The FBI warns of a surge in cyber-enabled cargo theft. Officials flag likely election interference as security programs face cuts. Researchers uncover a covert Python backdoor. Ubuntu’s site takes Iranian-linked DDoS fire. Cyber pros are sentenced in a ransomware case. Our guest is Andrew Carr, Global Head of Threat Management at Booz Allen, discussing how AI is accelerating cyberattacks. OpenAI joins the invitation-only club. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On today’s Industry Voices we are joined by ⁠Andrew Carr⁠, Global Head of Threat Management at ⁠Booz Allen Hamilton⁠, discussing how AI is accelerating cyberattacks and reshaping cybersecurity defenses. If you enjoyed this conversation be sure to check out the full interview here. Selected Reading Careful Adoption of Agentic AI Services (CISA)  Careful adoption of agentic AI services (Cyber.gov.au) Medicare portal exposed health providers’ Social Security numbers (The Washington Post) Open-source registries hit by 'Mini Shai-Hulud' supply chain attacks (Developer) OT Cybersecurity Frozen Out by Frontier Labs (OTToday) FBI Warns of Surge in Hacker-Enabled Cargo Theft (SecurityWeek) Breach Roundup: US Cyber Command Flags Election Threats (Gov Infosecurity) Sophisticated Deep#Door Backdoor Enables Espionage, Disruption (SecurityWeek) Pro-Iran group turns Ubuntu DDoS into shakedown (The Register) Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison (United States Department of Justice) OpenAI locks GPT-5.5-Cyber behind velvet rope (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

A critical Linux flaw dubbed “Copy Fail” raises alarm. The House moves to extend Section 702. The White House pushes back on expanded Mythos access. cPanel and SonicWall rush out security patches. Researchers warn AI agents may leak credentials. Smishing targets key industries. Ukrainian police arrest suspects in a massive Roblox account theft scheme. Our guest is Jamie Moles, technical manager at ExtraHop, discussing how the pace of vibe coding is creating major AI blind spots. Honeypot hijinks get halted by curious clicks.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Jamie Moles, technical manager at ExtraHop, discussing how the pace of vibe coding is creating major AI blind spots. Selected Reading Copy Fail (Copy.Fail) House extends a controversial spy tool, but Senate path is unclear ahead of deadline (NPR) White House Opposes Anthropic’s Plan to Expand Access to Mythos Model (WSJ) Critical Authentication Vulnerability in cPanel and WHM (Beyond Machines) Security Advisory: Firmware Update Required — Gen 6, Gen 7, and Gen 8 Firewalls (Sonic Wall) Phishing the agent: Why AI guardrails aren’t enough (Okta) Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns (Group-IB Blog) Ukrainian police detain hackers suspected of stealing thousands of Roblox accounts for resale (The Record) I accidentally made law enforcement shut down their stresser honeypot (lina's blog) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

OpenAI and Anthropic brief Congress on cyber-capable AI. The GAO flags improper DOGE access to Treasury payment systems. Greece moves to end online anonymity. CISA orders agencies to patch an exploited Windows zero-day. Researchers uncover ransomware that destroys data instead of encrypting it. State CISOs report falling confidence. Neurodivergent cyber pros cite inclusion gaps. Police arrest a 19-year-old alleged Scattered Spider member. Our guest is Chris Boehm, Zero Networks’ Field Chief Technology Officer, on minimizing your blast radius. AI lowers the bar and lengthens the line in the courtroom.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Chris Boehm, Zero Networks’ Field Chief Technology Officer, discussing "One Compromised System and BOOM, Meet Your Blast Radius." Selected Reading OpenAI, Anthropic brief House Homeland Security on AI cyber threats (Axios) Scoop: White House workshops plan to bring back Anthropic (Axios) GAO report on DOGE payments access ‘just the tip of the iceberg’ (Federal News Network) Greece to ban anonymity on social media (Euractiv) CISA orders feds to patch Windows flaw exploited as zero-day (Bleeping Computer) Broken VECT 2.0 ransomware acts as a data wiper for large files (Bleeping Computer) State CISOs Report Lower Confidence Across the Public Sector Cyber Ecosystem, 2026 NASCIO-Deloitte Survey Finds (NASCIO) Neurodivergence in the Cybersecurity Workforce (ISC2) Teen charged in Chicago was part of international ‘Scattered Spider’ hacker group, feds say (Chicago Tribune) People Using AI to Represent Themselves in Court Are Clogging the System (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Conflict in the Middle East disrupts the circuit board supply chain. The Supreme Court considers arguments on geofence searches. A new report highlights Chinese digital transnational repression. The NCSC protects HDMI and DisplayPort links. Tennessee bans cryptocurrency ATMs. Researchers expose a financially motivated subgroup of North Korea’s Lazarus Group. Medtronic confirms a ShinyHunters data breach. Tim Starks, from CyberScoop discusses telecom vulnerabilities. A helpful AI deletes everything.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We welcome back Tim Starks, Senior Reporter for CyberScoop, discussing telecom vulnerabilities. Selected Reading Iran war disrupts the circuit board supply chain, raises costs for tech firms (Reuters) Iranian hackers expose personal details of thousands of US Marines in Middle East (Metro) Supreme Court signals location data searches should require a warrant (The Record) Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression (The Citizen Lab) NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links (Security Affairs) Tennessee becomes second state to ban cryptocurrency ATMs over scam concerns (The Record) BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector (Arctic Wolf) Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak (SecurityWeek) Claude-powered AI coding agent deletes entire company database in 9 seconds — backups zapped, after Cursor tool powered by Anthropic's Claude goes rogue (Tom's Hardware) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

The race for AI dominance has created a dangerous imbalance between business velocity and cyber resilience. In this episode, host Caleb Tolin is joined by Joe Hladik, Head of Rubrik Zero Labs, and Staff Security Researcher Amit Malik to break down the findings of their latest report on agentic adoption. The discussion centers on the Agentic Paradox. This is the technical reality that tools designed to automate high-level tasks are inherently built to find the most efficient path around obstacles, including existing security policies. A primary focus is implementing a three-layer framework for AI Operations. This model targets the Tool Layer, where agents interact with databases; the Cognitive Layer, which serves as the LLM brain; and the critical Identity Layer. The conversation explores stories in which agents, without malicious intent, have caused catastrophic data loss simply by following an optimized logic path. These instances prove that agents need not be sentient to be destructive when they lack proper human-in-the-loop checkpoints. Technical hurdles of Identity Resilience are also addressed, specifically the explosion of non-human identities that spin up and down like elastic cloud infrastructure. The episode examines the fear index regarding job security, noting that 92% of leaders fear for their roles post-breach. Joe and Amit join Caleb to explore the evolution of personal liability for CISOs and the urgent need to move from basic visibility to deep observability. This is a forward-looking briefing for leaders who recognize that, in an era of autonomous routines, the human must remain the ultimate command-and-control center. What You’ll Learn Define the agentic paradox to understand why AI efficiency naturally compromises traditional security guardrails. Implement a three-layer framework to secure the tool, cognitive, and identity components of AI. Transition from basic visibility to deep observability to track autonomous decision-making in real time. Mitigate prompt injection risks by auditing the input and output flows of the cognitive layer. Utilize ephemeral containers to sandbox agentic tools and prevent unauthorized database alterations. Manage the elasticity of non-human identities to maintain control over rapidly spinning AI agents. Anchor AI operations with human-in-the-loop checkpoints to ensure integrity during high-stakes executions. Episode Highlights Defining the Agentic Identity and Autonomous Routines Revenue vs. Resilience: The Drivers of AI Urgency The Three-Layer Framework for Agentic Defense Shadow AI and the Rise of Invisible Insider Threats The Context Gap: Why Rolling Back AI Actions is Hard The CISO Fear Index and Personal Liability Post-Breach Visibility vs. Observability in Elastic Identity Environments Learn more about your ad choices. Visit megaphone.fm/adchoices

The Supreme Court weighs geofence warrants. Iran leans toward quieter cyber ops. Researchers unpack Fast16 sabotage malware. Microsoft tracks an Outlook outage. Snow malware moves deep inside networks. Itron reports a breach. SMS blasters hit Canada. Italy extradites an accused hacker to the U.S. Monday business brief. Our guest is Mick Coady, Field CTO of Elisity, on how hospitals can best defend against ransomware attacks. Meta’s relentlessly watchful eye turns inward.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We are joined by Mick Coady, former head of cybersecurity for hospitals and Field CTO of Elisity, on how hospitals can defend against ransomware attacks, both online and through devices, including patient monitors, HVAC systems, and any device connected to the Internet. Selected Reading Ingenious? Orwellian? Or both? Supreme Court considers constitutionality of 'geofence' warrants (NPR) Iran’s cyber threat may be less ‘shock and awe’ than ‘low and slow,’ officials say (The Record) Newly Deciphered Sabotage Malware May Have Targeted Iran’s Nuclear Program—and Predates Stuxnet | WIRED (Wired) Microsoft says Outlook.com outage is causing sign‑in failures (Bleeping Computer) Threat actor uses Microsoft Teams to deploy new “Snow” malware (Bleeping Computer) American utility firm Itron discloses breach of internal IT network (Bleeping Computer) Toronto police seize 'SMS blasters,' a cybercrime weapon never before seen in Canada (National Post) Italy Decides to Extradite Chinese Man Wanted by US for Hacking (Bloomberg) Artemis emerges from stealth with $70 million in funding. (The Cyber Wire) Meta staff protest surveillance software on work PCs • The Register (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.   Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes. Adam Marrè, CISO from Arctic Wolf, sits down to share his story of rising through the ranks. After 9/11 he decided he wanted to make a difference in the world, and so he chose to go into the FBI. There he learned the skills that got him to where he is today. In his time at the FBI, he was able to do what he loved, which was working with computers while gaining more knowledge on cybersecurity, and he became computer forensic certified. Ultimately, he needed a change in the end and decided to leave the FBI. He was able to learn the leadership skills he needed to move past that career path and follow a new dream. He is now able to share his passion with the world and help people understand security to help protect themselves as well as helping people finding success in their careers and in their lives. We thank Adam for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Juliana Testa, Senior Security Engineer from 7AI, sharing their work on "Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter." A large-scale “quishing” campaign used QR codes embedded in image attachments to hide phishing URLs, allowing 28 out of 33 emails to bypass SPF, DKIM, DMARC, and Microsoft Defender and land directly in inboxes. Each recipient received a unique QR code and tracking ID, defeating traditional detection methods and enabling attackers to scale the campaign to over 1.6 million emails across multiple organizations while shifting execution to less-secure mobile devices. The attack was ultimately uncovered through AI-driven alerting combined with human analysis and threat hunting, highlighting a major blind spot in email security and the need for QR code inspection, mobile protections, and tighter auto-reply controls. The research and executive brief can be found here: Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter. Learn more about your ad choices. Visit megaphone.fm/adchoices

Locked Shields wraps another year. Open models challenge Mythos. CISA tracks FIRESTARTER inside a federal agency. The White House targets foreign AI model extraction. Microsoft lets admins remove Copilot. Treasury sanctions a Cambodian scam-compound senator. Breeze Cache rushes a patch. Researchers downplay OT malware hype, while NIST pushes for better OT visibility. Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated software. Con artists charge crypto for counterfeit clearance. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated or cracked software onto corporate devices. You can learn more here. Selected Reading Locked Shields 2026: 41 Nations Strengthen Cyber Resilience in World's Biggest Exercise (SecurityWeek) Open source models can find bugs as well as Mythos (The Register) CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March (The Record) Trump Administration Vows Crackdown on Chinese Companies 'Exploiting' AI Models Made in US (SecurityWeek) Microsoft now lets admins uninstall Copilot on enterprise devices (Bleeping Computer) US sanctions Cambodian senator for millions earned through scam compounds (The Record) Cloudways Patches Actively Exploited File Upload Flaw in Breeze Cache Plugin (Beyond Machines) Dragos: Despite AI use, new malware targeting water plants is ‘hype’ (CyberScoop) NIST cyber center to launch OT ‘visibility’ project (Federal News Network) Crypto scam lures ships into Strait of Hormuz, falsely promising safe passage (Ars Technica) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices