CyberWire Daily - Gone with the command.
Episode Date: June 25, 2026

International operation disrupts Amadey and StealC malware infrastructure. Australian spy chief warns nation-state hackers are prepositioning for future sabotage. Stealthy new backdoor may be tied to ...initial access broker. Researchers uncover "Cordyceps" supply chain flaw. Iran-linked MuddyWater disguises espionage as ransomware attack. Cal Water says Handala's hacking claims were overstated. Report says Russia continued using Cellebrite phone-cracking tools after the ban. Chinese cybersecurity firm unveils AI tools to rival Anthropic's Mythos. DraftKings hacker is sentenced to eighteen months. Our guest is Erich Kron, CISO Advisor at KnowBe4, sharing the details of the CAPY program. And more Than Meets the Eye-P.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Erich Kron, CISO Advisor at KnowBe4, sharing the details of the CAPY (Cyber Awareness Program for You) program that offers free cybersecurity training for families.

Selected Reading
Three ‘cybercrime as a service’ operations undercut by Microsoft, law enforcement (The Record)
Scaling cybercrime disruption through innovation and AI (Microsoft)
Nation-state actors cracked critical Australian infrastructure to ‘cripple it at a time of their choosing’ (The Register)
Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker (Security.com)
Cordyceps: The Silent Parasite Consuming Your Supply Chain (Novee)
Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Cyber Espionage (Infosecurity Magazine)
Cal Water Finds No Evidence of OT Activity After Hackers Claimed They Could Disrupt Water Supply (SecurityWeek)
Russia used Cellebrite phone-hacking tool to crack down on dissident after firm cut off country (The Record)
China’s 360 says it has developed tools to match Anthropic’s Mythos (Reuters)
DraftKings hacker 'Snoopy' sentenced to 18 months in prison (BleepingComputer)
Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs (Spur Intelligence)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI is making phishing attacks faster, more convincing, and harder for people to spot,
and traditional security awareness and phishing training weren't designed for this level of attack.
Hoxhunt helps security teams prepare employees for the attacks they face every day,
with personalized phishing training that adapts to each employee and reduces risky behavior over time.
For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com slash cyberwire to learn more.
That's hoxhunt.com slash cyberwire.
International operation disrupts Amadey and StealC malware infrastructure.
Australian spy chief warns nation state hackers are pre-positioning for future sabotage.
Stealthy new backdoor may be tied to initial access broker.
Researchers uncover cordyceps supply chain flaw.
Iran-linked MuddyWater disguises espionage as ransomware attack.
Cal Water says Handala's hacking claims were overstated.
Report says Russia continued using Cellebrite phone hacking tools after the ban.
Chinese cybersecurity firm unveils AI tools to rival Anthropic's Mythos.
DraftKings hacker is sentenced to 18 months.
And our guest today is Erich Kron, CISO Advisor at KnowBe4, sharing the details of the CAPY program.
And more than meets the IP.
Today is Thursday, June 25th, 2026.
I'm Maria Varmazis, on the mic for the vacationing Dave Bittner.
And this is your Cyberwire Intel briefing.
Thanks for joining me today. Let's get started.
Europol announced yesterday that a major law enforcement and industry operation disrupted infrastructure used by two leading strains of malware, Amadey and StealC.
The operation focused on the cybercriminal supply chain, as Amadey and StealC are frequently used to stage additional attacks.
Microsoft used AI-assisted analysis to determine that the two strains of malware relied on the same infrastructure, then used the RICO Act to obtain a legal basis to disrupt more than 200 command and control servers.
The effort was also assisted by ESET, Bitsight, Lumen, IBM X-Force, Proofpoint, and Mitsui Bussan Secure Directions, or MBSD, as well as law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United States, and the United Kingdom.
The operation follows last week's disruption of the SocGholish malware operation by the Dutch police.
Australia's top intelligence official is warning that nation-state hackers have infiltrated
a critical infrastructure provider, stealing administrator credentials and mapping networks
so they could disrupt services at a time of their choosing.
ASIO Director General Mike Burgess said the intrusion was detected and attributed before any damage occurred,
but warned that cyber sabotage is becoming a growing national security concern.
While he did not identify the country responsible, Burgess said one nation state in particular is aggressively targeting energy,
communications, and defense-related infrastructure across the region to establish persistent access for potential future conflicts.
Symantec and Carbon Black have published a report on a new backdoor that surfaced in April '26. The malware, tracked as Backdoor.Mistic, may be tied to Woodnatt, which is an initial access broker that peddles to ransomware gangs. The researchers note that the stealth of the backdoor is also notable, as is the fact that Woodnatt is also possibly behind the development of Modelo Rat, indicating a group that is quite highly skilled at the development of stealthy remote access tools. This indicates it is a group that should be actively tracked, as it could continue to develop custom tools, as well as widen the pool of ransomware actors that it works with.
Researchers at Novee Security have disclosed a new class of software supply chain weaknesses dubbed Cordyceps that affects CI/CD workflows used by major open source projects. After scanning roughly 30,000 high-impact repositories, the team identified 654 potentially vulnerable projects and confirmed more than 300 as fully exploitable. The flaws could allow attackers, even those with only a free GitHub account, to hijack build pipelines, steal credentials, inject malicious code, or compromise software releases. The researchers say the issue stems from insecure GitHub Actions workflow configurations rather than GitHub itself, and warn that AI coding assistants may inadvertently propagate these insecure patterns across the software ecosystem.
Researchers at NCC Group say the Iran-linked hacking group MuddyWater is increasingly disguising espionage campaigns as ransomware attacks to complicate attribution and distract defenders. In a recently analyzed intrusion, the attackers posed as members of the Chaos ransomware operation, using Microsoft Teams, social engineering, credential theft, and remote access tools to establish long-term access before exfiltrating data and demanding a ransom. Researchers believe the extortion was largely a smokescreen, with the real objective being intelligence collection and persistent network access on behalf of Iran's Ministry of Intelligence and Security.
California Water Service, better known as Cal Water, has completed its investigation into claims made by the Iranian hacktivist group Handala, concluding that the hackers overstated their access and did not have the ability to disrupt OT systems. Handala, which is likely backed by the Iranian government, said it could have physically disrupted the water supply after gaining access to industrial control systems, but decided not to do so. Cal Water retained Mandiant to investigate the incident, and the cybersecurity firm found that the hackers had only compromised two IT user accounts belonging to a third-party service provider.
Cal Water stated, the investigation determined that the threat actor accessed one active
customer's online Cal Water account using stolen user credentials.
The customer account did not provide access to the billing system and no payment
information was compromised.
The threat actor also accessed an external third-party website related to a GPS location
correction tool.
However, the website does not contain any confidential or sensitive information.
A new investigation by Citizen Lab has found that Russian authorities continued using Cellebrite's mobile forensic tools months after the Israeli company halted sales to Russia in 2021.
Researchers say the software was used to extract data from the phone of imprisoned opposition politician Andrei Pivovarov, with the evidence later used in his prosecution.
The findings raise questions about vendors' ability to control previously deployed forensic tools after cutting ties with authoritarian governments.
Cellebrite says any post-2021 use in Russia was unauthorized and involved legacy equipment no longer supported by the company.
Chinese cybersecurity company 360 Security Technology has unveiled two AI-powered security tools that it says rival Anthropic's advanced Mythos system.
One tool is designed to automatically discover software vulnerabilities, while the other automates cyber defense and incident response.
The announcement comes as the United States restricts exports of Anthropic's cybersecurity AI over national security concerns. We should note that Reuters says that these claims are not independently verified. For its part, 360 Security Technology says its vulnerability finding model has already uncovered more than 3,400 software flaws, framing the effort as a strategic response to what it sees as an intensifying AI-driven cybersecurity competition between the United States and China.
21-year-old Nathan Ostad of Minnesota has been sentenced to 18 months in prison after pleading guilty to his role in a November 2022 hack of the DraftKings betting platform, all according to a new report from BleepingComputer.
Ostad and two accomplices were accused of compromising 60,000 DraftKings user accounts and selling access to the accounts for hundreds of thousands of dollars.
The two co-conspirators are already serving prison sentences to pay $463,000 in forfeiture and over a million dollars in restitution.
Stay with us after the break.
We are joined by Erich Kron, CISO Advisor at KnowBe4, who is sharing the details of
the CAPY, or Cyber Awareness Program for You, that offers free cybersecurity training for families.
And more than meets the IP.
Stick with us.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
What's the one thing in business that's spreading as fast as AI?
AI risk.
Every new tool your team signs up for.
Every vendor that turns on AI features, every new integration, each one creates another
opportunity for something to go wrong.
And most security programs just weren't built for AI's pace of growth.
Enter Vanta.
Vanta is the number one agentic trust platform, used by more than 16,000 fast-moving
companies like Ramp, Cursor, and Harvey to help ensure they're always audit ready.
And now, Vanta is helping companies watch for the risks that show up between audits,
across vendors, AI tools, and their entire environment.
The Vanta agent works like a 24-7 GRC engineer in the background,
finding issues, drafting fixes, and cutting vendor assessment time by up to 50%.
Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust.
Get started today at vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
Recently, Dave Bittner sat down with Erich Kron, CISO Advisor at KnowBe4, as they discussed the details of CAPY,
which is the Cyber Awareness Program for You.
And it's a program that offers free cybersecurity training for families.
Here's their conversation.
We've been doing like a home course for a long time.
And we realize that these scammers and stuff,
although we're known for business stuff,
they're going after people too at home.
And it's kind of our mission.
So what we started thinking about is more and more of these kids
are being faced with technology at younger, younger ages.
I mean, it's like everywhere.
They've got all kinds of power in their pocket.
And also, older people are having to deal with technology that they're not necessarily comfortable with.
And so we really wanted to help those folks out.
Well, describe to us what someone is going to encounter when they go visit this online hub.
Yeah, so the first thing that I think is awesome about this.
I mean, I really, really love it is you're not going to be asked to give like a bunch of
your information or sign up for anything or whatever. It's really just there for people to
look at different types of education that's available for folks and it's tailored towards kids or
some fun little stuff, animation, things like that, but also towards older folks as well.
So it's really just a nice portal you can go to and pick some of the things you want to learn
about, get to know a little more about and become a little bit more internet savvy.
Well, can you give us some examples of the types of things people can learn here?
Yeah, I mean, we're obviously talking about things like your credentials and how you deal with that.
We're talking about some of the different scams that are out there and how to recognize it.
Those are big ones.
I mean, essentially, we're giving people all that kind of information they know just to get up to speed.
Now, of course, these aren't super deep dives in everything.
I mean, we don't get into the technical psychology behind some of these scams that are going after people, you know.
But what we wanted to do is be quick and easy and something that they can digest.
And it's being updated now, which I really, really like.
We're constantly updating this as new things come out.
I was actually talking to one of the folks that helped build this out the other day.
And we were talking about how much they want to be doing more and more content in this.
And there's already quite a bit of content about all the different things that people face out there on the internet.
Well, one of the things that caught my eye is it's kind of fun for all ages, as they say.
You've got things there from the kids who are just starting out with their online journey for teens and even the adults.
This is really a place the whole family could get together and there's something there everyone can enjoy.
Yeah, 100%. And we've had a home course for many, many years.
Not a lot of people knew about it, but it was designed so that people who used our services could take this and give it to their family and
stuff. But it was just kind of a generic overall covers everybody's single course that people could
run through. And that was okay. But I mean, honestly, we're at a point where there's more things
that more generations are facing more often these days. And we felt like it needed to be
broken up a little bit. So yeah, that's why we have it for kids and teens. I mean, we're all
exposed to different things online because we go to different places online. I don't necessarily
expect senior citizens to be worried about their Roblox account being taken over, right?
It's just, that's just not the area they go in. So it doesn't help necessarily to teach them about
scams that are around that and vice versa. You know, you're not going to give a, you know,
a young adult, a bunch of investment type stuff, you know, I mean, that just doesn't click
with them. So we wanted to make sure that it covers all of those different ranges.
Why was it important for this to be free? Oh, well, I mean, gatekeeping this stuff for the general
public is very unfortunate. And from the ground up, we designed this to be free, to not gather
information, to not do that, because we want people to go there and just watch this stuff. We want the friction
to be extremely low when people are connecting with this, right?
I mean, how many times have you gone somewhere
and you start along the path and it's asking you all these questions?
You've got to give it information and just abandon it.
You're like, no, I'm out of here, don't want to do this.
Well, I mean, we've all kind of been there, right?
It gets old.
Well, if we want people to actually ingest this and use it,
we felt like it should be free and easy for them.
What sort of feedback have you gotten so far?
I've gotten great feedback.
I'm out on the road quite a bit.
I talk mostly to technical people and at different conferences, employees and stuff too.
But those that are seeing this and hearing it absolutely love it.
They love the idea.
And again, it kind of goes back to our mission and what we do well, which is education.
Of course, our bread and butter is education in the workforce.
And of course, we're dealing with topics like AI and AI agents and dealing with securing those.
So we go much deeper on that side.
But on the flip side, those people that we're teaching in these organizations, they have family
at home.
And they have friends and we all have family and friends.
I mean, it's out there.
And these scams and these attacks are just getting worse and worse all the time.
And as a matter of fact, Dave, my wife and I, a friend of ours yesterday, we started seeing some really odd posts on Facebook from them.
And it was, it started off with, hey, I'm here with my uncle. He's not well, et cetera, et cetera,
wish us luck. You're like, okay, cool, you know. And like two hours later, we, we see this post pop up.
And it's like, hey, we've decided to pay for his treatments and he's in the hospital. And we need to
sell off some of his stuff. So here's a bunch of stuff for sale. I'm out of town with him right now.
if you want to leave a deposit, we will hold the item for you, then you can inspect it, and if you don't like it you get the money back.
But even my wife looked at that and went, this seems really, really weird that this would be going on, you know?
And then so she already keyed in on it, which I love that that makes me happy to know that she's seeing this stuff and going, wait a minute, you know, red flags are up.
And I showed her, you start looking through the pictures and all of the backgrounds of these different like razors and cars and, you know, UTV type stuff, it's all different.
Like the house in the background, the driveway is different.
And sure enough, we got to post today going, hey, someone to take it over my account.
So it's happening to everybody.
How did you go about behind the scenes mapping out the curriculum that you wanted to cover here?
Well, I'll tell you, that entirely goes to some of our coworkers here.
I am not a content person, but Anna Collard is the one.
I, her and I got on a phone call one time and chatted about this.
And we were talking about how great it would be because she knows I'm super passionate about this.
She was actually the founder of Popcorn Training, which is an organization that we acquired years ago for their content.
And they make amazing content.
So one thing leads to another, we get off that call and it seemed like no time later, she's like, check it out, look what we got going.
And man, they just knocked it out.
It was impressive.
So they're actually the ones that kind of came up with the content,
looking around going, all right.
But they've been doing that for, you know, a decade and a half or so.
So they're not new to that.
Well, I have to say, Eric, I'm a big fan.
I mean, I think those of us in cybersecurity or those who are even adjacent to it,
you know, we often find ourselves playing that part with our family and friends of
being the one they come to for advice, for questions that they have.
And this is just another resource that we can share so that they can learn this stuff at their own pace.
Yeah, absolutely.
And I'll tell you, Dave, I'm almost 10 years now with KnowBe4.
It'll be 10 years in July, which is a huge long time.
And I'm a very technical person in the background, but realize the human thing throughout the years.
But I'll tell you right now, the reason I'm with KnowBe4 and have been with KnowBe4 so long,
is our mission, which is to help people, essentially.
Yeah, sure, we got to keep the lights on,
and it's always nice to have a product to sell.
But our mission has always been to help the workforce,
to help organizations avoid this.
And to be able to branch out even more to doing it for the people at home,
the people that aren't even with the company
or have any subscription is fantastic.
And this is the stuff that motivates me,
and makes me feel great about working for KnowBe4 for so long.
That was Dave Bittner and Erich Kron discussing CAPY,
a program that offers free cybersecurity training for families.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams.
Thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at threatlocker.com slash N2K today.
When you're a mid-sized business, you need every competitive advantage you can get.
Like an AI solution that works for you, not against you.
SAP Grow is built with AI embedded at its core, working across every system.
And it's ready to go from day one so you can hit the ground running.
Bring it with SAP Grow.
AI Cloud ERP for any size business.
And finally, if you are worried about the apps on your phone,
researchers have a suggestion for you.
Maybe it's time for you to take a look at the ones on your TV, too.
Yeah, after scanning more than 6,000 apps across LG and Samsung smart TVs,
researchers found over 2,000 contained software that could monetize a user's residential
internet connection by routing third-party traffic through the home network.
Many of the apps appeared completely harmless, things like screensavers, clocks, fish tanks,
and simple games, but were also functioning as residential proxy infrastructure behind the scenes.
Researchers say smart TVs are particularly attractive for this because they're often
always on, rarely monitored, and often treated more like furniture than as computers.
The report also notes that Amazon explicitly bans this category of software, and Roku has reportedly blocked similar apps, while LG and Samsung have not established
equivalent public policies. So the takeaway here for you is that your smart TV may be smarter
and busier than you think. After all, nobody expects a clock app to tell time, display the weather,
and moonlight as network infrastructure. And that's the Cyberwire Daily, brought to you by N2K Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of our podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm your host, Maria Varmazis,
in this week for Dave Bittner.
Thanks for listening. We'll see you tomorrow.
One of those media strategy people
clicking through slides, scrolling spreadsheets,
yes? Good. This is for you.
Because on Spotify, there's an audience that's different,
locked in, loyal, invested.
They're called fans.
Fans don't just listen to music.
They feel seen by it, like it belongs to them.
So when your brand shows up on Spotify,
that's who you're talking to.
and you're right next to artists like me, Lizzo.
So, are you ready to talk to fans?
Spotify Advertising, you're among fans.
