
China's chatbot sends tech stocks into tailspin.
Today is Monday, January 27th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Chinese AI startup DeepSeek shakes up the market.
U.S. tech stocks took a hit Monday after Chinese AI startup DeepSeek unveiled its R1 model, a ChatGPT competitor developed at a fraction of the cost of American AI models. While U.S. companies like Meta and OpenAI spend billions on AI development, DeepSeek claimed to have trained R1 for just $5.6 million, sparking investor concerns about the sustainability of U.S. tech spending and dominance in AI.
The announcement sent shockwaves through markets, with Nvidia shares dropping 12% and the Nasdaq falling 2.3%. Analysts questioned whether DeepSeek’s breakthrough is as transformative as it appears or if the market overreacted. Critics noted that the model, while cost-effective, hasn’t proven it can match the industrial-grade capabilities of American AI.
DeepSeek’s rise also highlights China’s AI progress despite U.S. chip restrictions. As earnings reports loom, tech companies’ responses to DeepSeek’s challenge could fuel further market volatility. Investors remain cautious but intrigued.
DeepSeek’s platform reportedly strained under the load of its new-found popularity, with outages reported.
Trump freezes cyber diplomacy funding and puts a vital U.S.-EU data-sharing agreement at risk.
The Trump administration’s move to remove Democratic members from the Privacy and Civil Liberties Oversight Board (PCLOB) threatens the Transatlantic Data Privacy Framework (TDPF), a vital U.S.-EU data-sharing agreement. The EU relies on PCLOB to ensure U.S. intelligence agencies’ data collection aligns with European privacy standards. A weakened or non-functional PCLOB could undermine trust in the TDPF, forcing U.S. companies to adopt alternative, less feasible mechanisms under GDPR, potentially disrupting transatlantic business operations.
Meanwhile, the U.S. State Department froze nearly all foreign aid, including cyber diplomacy funding, following an executive order from Trump. This halt affects the Bureau of Cyberspace and Digital Policy, established to advance U.S. tech diplomacy. The freeze jeopardizes initiatives like cyber response efforts in Costa Rica and digital infrastructure projects. Critics warn these moves weaken U.S. credibility on privacy and cyber diplomacy, raising concerns about long-term consequences for international cooperation and commerce.
A trojanized RAT targets script kiddies.
A Trojanized version of the XWorm Remote Access Trojan (RAT) builder has infected over 18,000 devices globally, targeting novice users through GitHub, Telegram, and other platforms. The malware exfiltrates browser credentials, Discord tokens, and system data while maintaining persistence via registry manipulation and anti-detection features. Researchers disrupted the botnet using its own kill switch, though many devices remain infected. Experts emphasize proactive defenses like Endpoint Detection and Response (EDR), blocking known Indicators of Compromise (IoCs), and educating users to prevent future attacks.
UnitedHealth Group nearly doubles its data breach victim count.
UnitedHealth Group (UHG) has confirmed that a ransomware attack on Change Healthcare in 2024 impacted 90 million more customers than initially reported, bringing the total to nearly 190 million. Compromised data includes health insurance, billing, Social Security numbers, and banking details, accessed via a Citrix portal lacking multi-factor authentication. The attack, led by the BlackCat ransomware group, resulted in a $22 million ransom payment. UHG claims no evidence of data misuse so far, with breach notifications largely completed. This breach surpasses the 2015 Anthem incident as the largest healthcare data breach in U.S. history.
U.K. telecom giant TalkTalk investigates a data breach.
U.K. telecom giant TalkTalk is investigating a data breach after a hacker, “b0nd,” claimed to have stolen personal data of over 18.8 million customers, including names, emails, IPs, phone numbers, and PINs. TalkTalk disputes the figure, stating it is “significantly overstated,” as they currently have 2.4 million customers. The breach reportedly involves CSG’s Ascendon platform, used for subscription management, but no financial data was stored there. TalkTalk previously faced scrutiny for weak cybersecurity after a 2015 breach. Investigations continue.
Researchers uncover a critical flaw in Meta’s Llama Stack AI framework.
Researchers at Oligo uncovered a critical flaw in Meta’s Llama Stack AI framework, enabling attackers to execute remote code on servers hosting AI apps. The vulnerability, tied to misuse of the PyZMQ library for message handling, allowed untrusted data to be processed without validation, exposing systems to malware deployment. The bug, tracked as CVE-2024-50050, received a critical severity score of 9.3 but was rated lower by Meta. Meta quickly patched the issue in version 0.0.41, and PyZMQ improved its documentation.
Attackers leverage hidden text salting in emails.
Cisco Talos observed a rise in email threats leveraging hidden text salting, a technique used to evade email parsers, spam filters, and detection engines by embedding invisible text in email HTML. Threat actors misuse CSS and HTML features to conceal content, making it difficult for detection systems to parse. Techniques include inserting zero-width characters, hiding text with CSS properties, or adding misleading content to confuse language detection and file parsers. These methods have been used in phishing campaigns impersonating brands like Wells Fargo, Norton LifeLock, and Harbor Freight.
Experts recommend advanced filtering systems to detect suspicious CSS usage and abnormal HTML structures.
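To make the salting technique concrete from the defender's side, here is an added example (not from Cisco Talos and not from the original briefing) that scans an email's HTML for the constructs described above: zero-width characters inserted inside words, and inline CSS that renders an element invisible (display:none, font-size:0, opacity:0, zero dimensions, off-screen positioning, the hidden attribute). It separates the text a reader actually sees from the salted text a naive parser would ingest, and reports why the message looks suspicious. The sample messages are constructed for illustration, and the set of hiding rules is my own heuristic; it only inspects inline style attributes, so classes defined in a <style> block or a remote stylesheet are not resolved.

```python
import re
from html.parser import HTMLParser

# Invisible code points commonly dropped into words to break keyword matching.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Inline CSS declarations that hide an element from the reader (heuristic list).
HIDING_CSS = [
    (re.compile(r"display\s*:\s*none", re.I), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden", re.I), "visibility:hidden"),
    (re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I), "font-size:0"),
    (re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I), "opacity:0"),
    (re.compile(r"(?:max-)?(?:width|height)\s*:\s*0(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I), "zero size"),
    (re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I), "off-screen position"),
]

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
NON_RENDERED = {"script", "style", "head", "template"}


class SaltingScanner(HTMLParser):
    """Walks the HTML once, separating text the reader sees from text that is hidden."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # (tag, hidden?) for each currently open element
        self.visible = []
        self.hidden = []
        self.findings = []       # (tag, reason) for every hiding construct seen
        self.zero_width_count = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        reasons = [label for rx, label in HIDING_CSS if rx.search(style)]
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append((tag, ", ".join(reasons)))
        self.stack.append((tag, bool(reasons) or tag in NON_RENDERED))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag; tolerate sloppy markup.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        # Count and strip zero-width characters, then route the text by visibility.
        self.zero_width_count += sum(1 for ch in data if ch in ZERO_WIDTH)
        cleaned = "".join(ch for ch in data if ch not in ZERO_WIDTH)
        if any(h for _, h in self.stack):
            self.hidden.append(cleaned)
        else:
            self.visible.append(cleaned)


def scan_email_html(html):
    """Return what the reader sees, what was hidden, and why the mail looks salted."""
    p = SaltingScanner()
    p.feed(html)
    p.close()
    visible = " ".join("".join(p.visible).split())
    hidden = " ".join(" ".join(p.hidden).split())
    total = len(visible) + len(hidden)
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "findings": p.findings,
        "zero_width_count": p.zero_width_count,
        "hidden_ratio": (len(hidden) / total) if total else 0.0,
        "suspicious": bool(p.findings) or p.zero_width_count > 0,
    }


# Constructed sample, not a real phishing message: a bank lure with salted
# characters inside the brand name, a zero-width space inside a keyword, and
# an off-screen block of filler text meant to confuse language detection.
SALTED_EMAIL = """<html><body>
<p>Your Wel<span style="display:none">xyz</span>ls Far<span style="font-size:0px">qq</span>go account needs verification.</p>
<p>Click <a href="https://example.invalid/verify">here</a> to con\u200bfirm your identity.</p>
<div style="position:absolute; left:-9999px">Lorem ipsum dolor sit amet pellentesque</div>
</body></html>"""

# Constructed benign message for comparison.
CLEAN_EMAIL = "<html><body><p>Hello, your order shipped.</p></body></html>"

if __name__ == "__main__":
    for name, mail in (("salted", SALTED_EMAIL), ("clean", CLEAN_EMAIL)):
        report = scan_email_html(mail)
        print(f"[{name}] suspicious={report['suspicious']} "
              f"zero_width={report['zero_width_count']} findings={report['findings']}")
        print("  reader sees :", report["visible_text"])
        print("  hidden text :", report["hidden_text"])
```

Feeding a filter the visible_text rather than the raw markup is what defeats the brand-name splitting: the salted "Wel…ls Far…go" collapses back to "Wells Fargo" once the hidden spans are dropped. The findings list and hidden_ratio give a rule engine something to score on even when the hidden content itself is innocuous filler.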
The “FlowerStorm” phishing framework targets multiple brands to steal customer credentials.
The “FlowerStorm” phishing framework, active since June 2024, targets multiple brands to steal customer credentials. Uncovered by CloudSEK, this Phishing-as-a-Service (PhaaS) platform enables large-scale adversary-in-the-middle (AiTM) attacks by dynamically adapting phishing pages with customized URLs and realistic backgrounds based on victims’ email domains. Hosted on Cloudflare’s workers.dev platform, FlowerStorm enhances legitimacy and employs obfuscated JavaScript to evade detection. Victims are lured to generic webmail pages that impersonate brands, exfiltrating credentials to remote servers. FlowerStorm’s rise coincides with a surge in phishing, including a 692% increase during the 2024 holiday season.
A critical zero-day hits SonicWall VPN appliances.
A critical zero-day vulnerability (CVE-2025-23006) affecting SonicWall’s Secure Mobile Access (SMA) 1000 Series VPN appliances is being actively exploited by hackers, prompting urgent warnings. The flaw, rated 9.8/10 in severity, impacts over 2,300 internet-exposed devices, mainly in the U.S., Germany, and Hong Kong. SonicWall and Microsoft urge users to apply the hotfix immediately.
Swedish authorities seized a cargo ship suspected of damaging a key fiber optic cable.
Swedish authorities have seized the cargo ship Vezhen, suspecting its involvement in damaging a key fiber optic cable between Sweden and Latvia. The cable, owned by the Latvian State Radio and Television Center (LVRTC), was damaged on January 26. While Vezhen’s proximity to the site raises suspicion, involvement is unconfirmed. This incident follows several recent cable disruptions in the Baltic Sea, raising fears of sabotage, potentially linked to Russia’s “shadow fleet.” NATO and EU nations, already on high alert, have deployed warships and surveillance to safeguard undersea infrastructure. Investigations into similar incidents, including Finland’s Christmas Day cable damage allegedly caused by a tanker dragging its anchor, remain ongoing. NATO is advancing plans to deploy submarine drones for cable monitoring, while the UK recently intercepted a suspected Russian spy ship near its waters, heightening regional tensions.
Freezing out crypto-kidnappers.
David Balland is co-founder of Ledger, a prominent French company specializing in secure hardware wallets for cryptocurrencies. When Balland and his wife were kidnapped and held for ransom, Nicolas Bacca, co-founder and former CTO of Ledger, knew he had to act. As the ransom demanded was in cryptocurrency, Bacca saw an opportunity to help authorities neutralize the financial aspect of the crime. “I thought about how I could contribute,” he explained, “and decided to focus on freezing the funds quickly once the hostages were freed.”
Bacca assembled a specialized team, including legal expert Sarah Compani, with strong ties to platforms like Tether and KuCoin, and SEAL 911, a group skilled in rapid cryptocurrency interventions. Together, they created a system capable of sending freeze requests to multiple platforms within minutes. Coordination was key—every move had to be perfectly timed.
When the moment came, the plan worked. A significant portion of the funds was frozen, denying the kidnappers access. This groundbreaking effort, Bacca said, could become a model for future cases, creating a new standard for tackling crypto-related crimes. Despite challenges like managing decentralized mixers, Bacca remains optimistic. “Every effort counts,” he said, confident that such coordinated responses can reshape how authorities handle these complex situations.
Today, I’m joined by Halcyon’s CEO and Co-founder Jon Miller to talk about trends in ransomware and some background on Brain Cipher. Also, the British Museum experiences an unexpected shutdown by a former IT worker. We’ll be right back.
Welcome back.
The British Museum defends its artefacts from IT attacks.
And finally, the British Museum had an unexpected plot twist when a disgruntled IT contractor allegedly trespassed, shutting down parts of its network and forcing some galleries and exhibits to close. Think of it as the museum’s own version of a heist movie—minus the daring escape. Police swooped in to arrest the man, who’s now out on bail, leaving the museum scrambling to reboot both its systems and its schedule.
Visitors with tickets were prioritized, but temporary exhibitions like Silk Roads and Picasso: Printmaker were put on pause. The museum apologized to ticket holders, offering refunds or rescheduling options.
It’s not every day the Rosetta Stone takes a backseat to an IT meltdown, but the British Museum is working hard to get back to its regularly scheduled program—minus the surprise IT drama.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.