CyberWire Daily

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." Built for long-term espionage, the campaign uses DLL sideloading, in-memory execution, and abused Windows services to stay stealthy and persistent. We walk through how the multi-stage framework delivers a powerful backdoor with reconnaissance, lateral movement, data theft, and keylogging capabilities—and what this operation reveals about the evolving tactics defenders need to watch for. The research can be found here: EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company Learn more about your ad choices. Visit megaphone.fm/adchoices

The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE’s latest surveillance system. CISA marks a milestone by retiring ten Emergency Directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes, a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. After firing the experts, DOGE hangs a help wanted sign. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today on our Industry Voices, we are joined by Sonali Shah, CEO of Cobalt, talking about 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. Tune into the full conversation here. Selected Reading NSA cyber directorate gets new acting leadership (The Record) Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods (404 Media) CISA Retires Ten Emergency Directives, Marking an Era in Federal Cybersecurity (CISA.gov) Trend Micro warns of critical Apex Central RCE vulnerability (Bleeping Computer) X pulls Grok images after UK ban threat over undress tool (The Register) Alleged cyber scam kingpin arrested, extradited to China (The Record) Chinese Hackers Use NFC-Enabled Android Malware to Steal Payment Information (GB Hackers) The Great VM Escape: ESXi Exploitation in the Wild (Huntress) Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrest (Infosecurity Magazine) US DOGE Service is hiring following mass workforce losses across the government (Gov Exec) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

The US withdraws from global cybersecurity institutions. A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015. Facial recognition that’s bear-ly controversial.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, for a conversation on CISA 2015 and its role in today’s cybersecurity and policy landscape. If you enjoyed this conversation, be sure to tune into the full interview on the next Caveat. Selected Reading US announces withdrawal from dozens of international treaties (The Record) US To Leave Global Forum on Cyber Expertise (Infosecurity Magazine) Max severity Ni8mare flaw lets hackers hijack n8n servers (Bleeping Computer) Cisco warns of Identity Service Engine flaw with exploit code (Bleeping Computer) CISA tags max severity HPE OneView flaw as actively exploited (Bleeping Computer) Threat Actors Exploit Commodity Loader in Targeted Email Campaigns Against Organizations (GB Hackers) Are Copilot prompt injection flaws vulnerabilities or AI limits? (Bleeping Computer) Microsoft to enforce MFA for Microsoft 365 admin center sign-ins (Bleeping Computer) Illinois state agency exposed personal data of 700,000 people (The Record) Oswego man Kyle Svara, 26, allegedly hired by college coach Steve Waithe to get Snapchat access codes from nearly 600 women: FBI (ABC7 Chicago) How facial recognition for bears can help ecologists manage wildlife (The Conversation) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jaguar Land Rover reveals the fiscal results of last year’s cyberattack. A Texas gas station chain suffers a data spill. Taiwan tracks China’s energy-sector attacks. Google and Veeam push patches. Threat actors target obsolete D-Link routers. Sedgwick Government Solutions confirms a data breach. The U.S. Cyber Trust Mark faces an uncertain future. Google looks to hire humans to improve AI search responses. Our guest is Deepen Desai, Chief Security Officer of Zscaler, discussing what’s powering enterprise AI in 2026. AI brings creative cartography to the weather forecast. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On today’s Industry Voices, we are joined by Deepen Desai, Chief Security Officer of Zscaler, discussing what’s powering enterprise AI in 2026. To learn more on this topic, be sure to check out Zscaler’s report here. Listen to the full conversation here. Selected Reading Jaguar Land Rover wholesale volumes plummet 43% in cyberattack aftermath (The Register) Major Data Breach Hits Company Operating 150 Gas Stations in the US (Hackread) Taiwan says China's attacks on its energy sector increased tenfold (Bleeping Computer) Google Patches High-Severity Chrome WebView Flaw CVE-2026-0628 in the Tag Component (Tech Nadu) Several Code Execution Flaws Patched in Veeam Backup & Replication (SecurityWeek) New D-Link flaw in legacy DSL routers actively exploited in attacks (Bleeping Computer) Sedgwick confirms breach at government contractor subsidiary (Bleeping Computer) FCC Loses Lead Support for Biden-Era IoT Security Labeling (GovInfoSecurity) Google Search AI hallucinations push Google to hire "AI Answers Quality" engineers (Bleeping Computer) ‘Whata Bod’: An AI-generated NWS map invented fake towns in Idaho (The Washington Post) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Grok’s non-consensual imagery draws scrutiny from the European Commission.  Researchers link several major data breaches to a single threat actor. The UK unveils a new Cyber Action Plan. A stealthy ClickFix campaign targets the hospitality sector. VVS Stealer malware targets Discord users. Covenant Health and AFLAC report data leaks. Google silences a critical Dolby flaw. Ilona Cohen, Chief Legal and Policy Officer at HackerOne discusses “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.” UK students enjoy a digital snow day.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Ilona Cohen, Chief Legal and Policy Officer at HackerOne and former senior lawyer to President Obama, as she is discussing “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.” Selected Reading EU looking ‘very seriously’ at taking action against X over Grok (The Record) Grok's AI CSAM Shitshow (404 Media) Dozens of Major Data Breaches Linked to Single Threat Actor (SecurityWeek) UK Launches New Cyber Unit to Bolster Defences Against Cyber Threats (Infosecurity Magazine) Sophisticated ClickFix Campaign Targeting Hospitality Sector (SecurityWeek) New VVS Stealer Malware Targets Discord Users via Fake System Errors (Hackread) Covenant Health Notifying 480K Patients of 2025 Data Theft (Infosecurity) Aflac Notifies 22.6 Million People of June Data Theft Attack (Infosecurity) Critical Dolby leak in Android patched by Google (Techzine Global) Students bag extended Christmas break after cyber hit on school IT (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices