CyberWire Daily

Ismael Valenzuela, Arctic Wolf’s VP of Labs, Threat Research and Intelligence, discusses their work on "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector." Arctic Wolf researchers uncovered a sophisticated campaign by North Korean threat group Lazarus Group subgroup BlueNoroff that targets cryptocurrency and Web3 executives through fake Zoom and Microsoft Teams meetings, using typo-squatted links, ClickFix-style attacks, and AI-generated deepfakes to steal credentials and cryptocurrency-related data.

The attackers built a self-reinforcing operation that captures victims’ webcam footage and Telegram sessions, then repurposes those assets alongside AI-generated images to create increasingly convincing fake meeting participants for future attacks. Researchers identified more than 100 victims across 20 countries, with the campaign primarily targeting CEOs, founders, investors, and senior leaders in the cryptocurrency, blockchain, and financial sectors as part of a long-running effort to steal digital assets and gain access to high-value networks.

The research and executive brief can be found here:

BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector

Learn more about your ad choices. Visit megaphone.fm/adchoices

Anthropic brings Mythos to the NSA. A Palantir executive emerges as a possible CISA pick. A Linux flaw is under active attack. Minecraft malware goes commercial. An npm package gets caught in the Miasma worm campaign. Researchers document the first AI-driven container escape. A browser supply-chain compromise and a university breach with unexpected victims. Our guest is Ashu Savani, Co-Founder at TryHackMe, discussing building high performing SOC & IR teams. The web becomes machine majority.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s Industry Voices segment, we are joined by Ashu Savani, Co-Founder from TryHackMe, discussing building high performing SOC & IR teams. You can listen to the full conversation here.

Selected Reading

US National Security Agency using Anthropic’s Mythos for cyber attacks (Financial Times)

Trump considers Palantir exec to lead CISA (The Record)

CISA Warns of Active Exploitation of Linux Container Escape Flaw (Beyond Machines)

Game Over: WeedHack - The Rise of Minecraft Malware-as-a-Service Campaigns (McAfee Blog)

Detecting Claude Cowork Insider Threat Activity (DTEX)

Trojanized ai-sdk-ollama Delivers Miasma, a Self-Replicating npm Worm via binding.gyp (Endor Labs)

Agentic threat actor hits the orchestration plane: AI agent-driven container escape (Sysdig)

You do surprise me.exe: An unexpected executable in Hola Browser (SOPHOS)

My SSN was exposed in a breach at Columbia—a school I have no connection with (Ars Technica)

‘Bots have now passed human traffic online,’ Cloudflare boss laments — says agentic traffic wasn’t expected to eclipse real people until next year (Tom's Hardware)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices

The Five Eyes issue a rare joint warning on China. Jen Easterly weighs in on Trump’s AI EO. Researchers warn everyday notifications can become AI attack vectors. IronWorm is a sophisticated Rust-based infostealer targeting software developers. Cisco patches a critical vulnerability in its Unified Communications Manager platform. Anthropic maps AI-enabled cyber activity to the MITRE ATT&CK framework. Authorities dismantle an online counterfeit identity marketplace. Our guest is Jason Kikta, CTO from Automox, discussing AI vulnerabilities, real risk, and the speed problem. An extortion crew is forced to open a customer support ticket.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today on our Industry Voices segment, we are joined by Jason Kikta, CTO from Automox, who is discussing AI vulnerabilities, real risk, and the speed problem. If you enjoyed this conversation, check out the full interview here. 

Selected Reading⁠

U.S. and intelligence allies issue rare joint warning about China (Washington Post)

Safeguarding Our Secrets (MI5)

Opinion | The Government Is Finally Taking A.I. Risk Seriously (New York Times)

CISA directive for AI executive order to be released this week, Andersen says (The Record)

Gemini Voice Assistant Hijacked via Messaging Notifications (SecurityWeek)

IronWorm: Shai-Hulud's rustier cousin (JFrog Security Research)

Cisco warns of critical Unified CM flaw with PoC exploit code (Bleeping Computer)

Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator (Anthropic)

Police dismantles fake ID marketplace used by migrant smugglers (Bleeping Computer)

Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown (SecurityWeek) 

'Dumbass' criminal breaks the 'first rule of ransomware club' (The Register)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.  

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices

AI oversight arrives at the White House. A Cyber Force gains momentum. Critical infrastructure comes under cyberattack. Acer faces zero-day trouble. A stock exchange executive gets spied on for months. HTTP/2 Bomb threatens web servers. Quantum’s classical side grows bigger. Britain's military chooses Starshield. Spain’s infamous hacker gets sentenced. Our guest is Benjamin Morrell, Vice President, Security Strategy at Coro Cybersecurity, discussing the role of MSPs. Meta’s productivity panopticon pauses for personal pitstops. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s Industry Voices, we are joined by Benjamin Morrell, Vice President, Security Strategy at Coro Cybersecurity, discussing the role MSPs are playing in cybersecurity. If you enjoyed this conversation be sure to check out the full conversation here. 

Selected Reading

Trump Signs Executive Order Seeking Oversight of A.I. Models (The New York Times)

New cyber force would cost up to $11 billion to start, commission says (The Record)

CISA Warns of Cyberattacks Targeting U.S. Tank Gauge Systems (GB Hackers)

Acer working to patch max severity zero-days in Wave 7 routers (Bleeping Computer)

Espionage Campaign Targeted Stock Exchange Executive for Five Months (Security.com)

'HTTP/2 Bomb' Exploit Knocks Web Servers Offline in Seconds (SecurityWeek)

The Classical Advances Needed to Make Quantum Computers Tick (IEEE)

Alcasec, "Robin Hood of Spanish Hackers," Jailed for 31 Months Over Data Theft (Hackread)

Exclusive: UK adopts SpaceX's Starshield for military operations, sources say (Reuters)

Meta will reportedly let employees take 30-minute breaks from its tracking program (Engadget)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.  

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices

A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location-tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat’s npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw. And Dashlane responds to a brute-force attack. Our guest is ⁠Laure Lydon⁠, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on digital health platforms. Meta’s AI support bot proves a bit too eager to help.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today, Maria Varmazis speaks with ⁠Laure Lydon⁠, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on privacy, security, and trust in digital health platforms, especially in sensitive areas like women's health. This interview is part of our partnership with Infosecurity Europe.

Selected Reading

Inspector general finds NIST mistakes have made vulnerability database ineffective (The Record)

Google fixes one actively exploited Android zero-day, 124 flaws (Bleeping Computer)

Uncovering Webloc: An Analysis of Penlink’s Ad-based Geolocation Surveillance Tech (The Citizen Lab)

GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure (Security Affairs)

Threat Actor Uses AI to Build EDR Evasion Tools (Infosecurity Magazine)

Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets (Infosecurity Magazine)

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks (Bleeping Computer)

Critical Hard-Coded Credentials Vulnerability in FreePBX User Control Panel (Beyond Machines)

Dashlane password manager users locked out by brute force attacks (Bleeping Computer)

Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked (404 Media)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices