CyberWire Daily

The FBI warns of Kimsuky quishing. Singapore warns of a critical vulnerability in Advantech IoT management platforms. Russia’s Fancy Bear targets energy research, defense collaboration, and government communications. Malaysia and Indonesia suspend access to X. Researchers warn a large-scale fraud operation is using AI-generated personas to trap mobile users in a social engineering scam. BreachForums gets breached. The NSA names a new Deputy Director. Monday Biz Brief. Our guest is Sasha Ingber, host of the International Spy Museum's SpyCast podcast. The commuter who hacked his scooter.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Sasha Ingber, host of the International Spy Museum's SpyCast podcast, on the return of SpyCast to the N2K CyberWire network. Selected Reading North Korea–linked APT Kimsuky behind quishing attacks, FBI warns (Security Affairs)  Advantech patches maximum-severity SQL injection flaw in IoT products (Beyond Machines) Russia's APT28 Targeting Energy Research, Defense Collaboration Entities (SecurityWeek) Malaysia and Indonesia block X over deepfake smut (The Register) New OPCOPRO Scam Uses AI and Fake WhatsApp Groups to Defraud Victim (Hackread) BreachForums hacking forum database leaked, exposing 324,000 accounts (Bleeping Computer) Former NSA insider Kosiba brought back as spy agency’s No. 2 (The Record) Vega raises $120 million in a Series B round led by Accel. Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters (Rasmus Moorats) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes. Laura Hoffner, Executive Vice President at Concentric, shares her story about her time working as a Naval Intelligence Officer and supporting special operations around the globe for 12 years, to now, where she transitioned to the Naval Reserves and joined the Concentric team. Laura has known since she was in the seventh grade that she wanted to work with SEALs and work in intelligence, so she set her goals high and achieved them shortly after graduating college. She credits being a Naval Intelligence Officer to helping her get to where she is today and says how much she is enjoying working with Concentric, saying she's "ultimately just incredibly benefiting from unbelievable mentors at the company itself." We thank Laura for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." Built for long-term espionage, the campaign uses DLL sideloading, in-memory execution, and abused Windows services to stay stealthy and persistent. We walk through how the multi-stage framework delivers a powerful backdoor with reconnaissance, lateral movement, data theft, and keylogging capabilities—and what this operation reveals about the evolving tactics defenders need to watch for. The research can be found here: EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company Learn more about your ad choices. Visit megaphone.fm/adchoices

The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE’s latest surveillance system. CISA marks a milestone by retiring ten Emergency Directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes, a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. After firing the experts, DOGE hangs a help wanted sign. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today on our Industry Voices, we are joined by Sonali Shah, CEO of Cobalt, talking about 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. Tune into the full conversation here. Selected Reading NSA cyber directorate gets new acting leadership (The Record) Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods (404 Media) CISA Retires Ten Emergency Directives, Marking an Era in Federal Cybersecurity (CISA.gov) Trend Micro warns of critical Apex Central RCE vulnerability (Bleeping Computer) X pulls Grok images after UK ban threat over undress tool (The Register) Alleged cyber scam kingpin arrested, extradited to China (The Record) Chinese Hackers Use NFC-Enabled Android Malware to Steal Payment Information (GB Hackers) The Great VM Escape: ESXi Exploitation in the Wild (Huntress) Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrest (Infosecurity Magazine) US DOGE Service is hiring following mass workforce losses across the government (Gov Exec) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

The US withdraws from global cybersecurity institutions. A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015. Facial recognition that’s bear-ly controversial.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, for a conversation on CISA 2015 and its role in today’s cybersecurity and policy landscape. If you enjoyed this conversation, be sure to tune into the full interview on the next Caveat. Selected Reading US announces withdrawal from dozens of international treaties (The Record) US To Leave Global Forum on Cyber Expertise (Infosecurity Magazine) Max severity Ni8mare flaw lets hackers hijack n8n servers (Bleeping Computer) Cisco warns of Identity Service Engine flaw with exploit code (Bleeping Computer) CISA tags max severity HPE OneView flaw as actively exploited (Bleeping Computer) Threat Actors Exploit Commodity Loader in Targeted Email Campaigns Against Organizations (GB Hackers) Are Copilot prompt injection flaws vulnerabilities or AI limits? (Bleeping Computer) Microsoft to enforce MFA for Microsoft 365 admin center sign-ins (Bleeping Computer) Illinois state agency exposed personal data of 700,000 people (The Record) Oswego man Kyle Svara, 26, allegedly hired by college coach Steve Waithe to get Snapchat access codes from nearly 600 women: FBI (ABC7 Chicago) How facial recognition for bears can help ecologists manage wildlife (The Conversation) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices