The CyberWire Daily Podcast 5.23.25
Ep 2315 | 5.23.25

When malware masters meet their match.

Transcript

Operation Endgame dismantles cybercriminal infrastructure. DOGE’s use of the Grok AI chatbot raises ethical and privacy concerns. Malware on the npm registry uses malicious packages to quietly gather intelligence on developer environments. Researchers link Careto malware to the Spanish government. Exploring proactive operations via letters of marque. Hackers hesitate to attend the HOPE conference over travel concerns. Our guest is Jeffrey Wheatman, Cyber Risk Expert at Black Kite, warning us to "Beware the silent breach." AI threatens to spill secrets to save itself.

Today is Friday May 23rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Operation Endgame dismantles cybercriminal infrastructure. 

Law enforcement agencies worldwide, coordinated by Europol and Eurojust, have struck a major blow against cybercriminals by dismantling infrastructure behind several key malware strains used in ransomware attacks. In the latest phase of Operation Endgame, the effort disabled initial access malware like Qakbot, Trickbot, and Bumblebee—tools criminals use to sneak into systems before launching full-scale attacks. The operation seized over €21.2 million, including €3.5 million in cryptocurrency, and led to international arrest warrants for 20 suspects. This builds on May 2024’s historic botnet takedowns, showing law enforcement’s growing ability to adapt as criminals evolve. A Europol-led Command Post in The Hague coordinated actions across Canada, the U.S., the U.K., and multiple EU countries. With key suspects now on the EU’s Most Wanted list and further actions planned, Operation Endgame underscores a shift in strategy: targeting cybercrime at the entry point. 

Additionally, the U.S. Justice Department has indicted Rustam Rafailevich Gallyamov, a Russian national accused of masterminding the Qakbot malware and leading a global ransomware campaign for over a decade. Gallyamov allegedly built a massive botnet by infecting over 700,000 devices, then granted ransomware gangs access to deploy attacks, sharing in the profits. This move is part of Operation Duck Hunt, which dismantled Qakbot in 2023. Despite that, Gallyamov’s group continued attacks using spam bomb tactics. Authorities also seized $24 million in cryptocurrency.

Since 2022, Russian military intelligence group APT28, also known as Fancy Bear, has been targeting Western military, transport, and IT sectors in cyberattacks aimed at disrupting aid to Ukraine. These state-sponsored operations have struck airports, logistics firms, maritime systems, and air traffic control. They’ve even hacked security cameras at sensitive locations like Ukraine’s borders and military sites to monitor aid movements. A joint advisory from the NSA, CISA, and FBI confirms APT28’s role, highlighting their use of spearphishing, brute force, and CVE exploitation to gain access. To evade detection, the group used compromised home office devices near targets to route traffic. For deeper infiltration, APT28 used native and open-source tools to extract Active Directory data and Office 365 email lists. Intelligence agencies have now publicized APT28’s tactics in an effort to hinder future attacks. Targets included several European countries, Ukraine, and the U.S.

DOGE’s use of the Grok AI chatbot raises ethical and privacy concerns. 

Elon Musk’s Department of Government Efficiency (DOGE) is reportedly using his AI chatbot, Grok, within the U.S. federal government to analyze data, potentially violating conflict-of-interest and privacy laws, Reuters reports. According to insiders, DOGE has accessed sensitive federal databases and even encouraged Department of Homeland Security staff to use Grok without formal approval. Experts warn this could expose confidential data and give Musk’s xAI unfair access to federal contracting information, raising ethical concerns. DOGE’s actions include promoting AI tools to streamline government work, but also allegedly monitoring employee behavior and political alignment—raising alarms about civil liberties and misuse of power. While DHS and DoD denied pushing Grok or monitoring for political views, concerns persist over DOGE’s reach, oversight, and the possibility that Musk could profit from federal AI use. Critics argue this blurs lines between public service and private gain, casting doubt on the integrity of federal tech policy.

Malware on the npm registry uses malicious packages to quietly gather intelligence on developer environments. 

A new malware campaign on the npm registry is using malicious packages to quietly gather intelligence on developer environments, aiming to map internal networks and link them to public infrastructure. The npm registry is a public collection of JavaScript software packages, used primarily with the Node.js runtime environment. Researchers at Socket uncovered at least 60 infected packages spread through three npm accounts, downloaded over 3,000 times. These packages use post-install scripts to run host-fingerprinting code and exfiltrate data via a shared Discord webhook. This intelligence can aid future, more targeted supply chain attacks. Despite the current payload being limited to reconnaissance, the threat remains active, with the potential for expanded attacks. Experts urge developers to enhance security by scanning dependencies, detecting post-install hooks, and scrutinizing small or unfamiliar packages. Without stricter registry controls, similar campaigns are likely to persist, posing ongoing risks to the software supply chain.

Researchers link Careto malware to the Spanish government. 

More than a decade ago, Kaspersky uncovered a highly advanced Spanish-speaking hacking group, dubbed Careto (“ugly face” in Spanish), after investigating suspicious malware targeting the Cuban government. Although Kaspersky never officially named a sponsor, multiple former employees confirmed the researchers internally concluded that Careto was a Spanish government operation. Careto’s malware was stealthy and sophisticated, capable of spying on sensitive data like conversations, keystrokes, and encrypted information. The group targeted victims in at least 31 countries, with Cuba being a key focus due to Spanish geopolitical interests, including the presence of ETA members. Despite going dark after Kaspersky’s 2014 exposé, Careto resurfaced in 2024, with new attacks in Latin America and Africa using similar tactics. Analysts now rank Careto among elite government-backed cyber actors, likening its precision to master craftsmanship. The group’s continued operations underscore its resilience and the growing complexity of state-level cyber espionage.

Exploring proactive operations via letters of marque. 

U.S. officials and tech leaders are revisiting the centuries-old concept of letters of marque—once used to authorize private pirate ships—to explore whether similar legal tools could let private firms conduct cyberattacks on behalf of the government. While the original maritime authority doesn’t directly translate to cyberspace, some see a modern version as a way to counter China’s substantial cyber capabilities. The Trump administration and industry players have discussed granting select companies legal cover to hack back against adversaries, but concerns persist about regulation, liability, and potential misuse. Critics argue that offensive operations should remain with U.S. Cyber Command and the NSA, not private actors. Still, proponents believe a well-regulated framework could bolster national defense against non-state hackers or hostile nations. The idea underscores growing frustration over reactive cyber policies and a push for proactive, public-private cyber defense strategies—but any such plan would require cautious legal and ethical scrutiny.

Hackers hesitate to attend the HOPE conference over travel concerns. 

The long-running HOPE (Hackers On Planet Earth) conference is facing a steep drop in ticket sales, down 50% from last year, which organizers attribute to fears over U.S. immigration policies under the Trump administration. International attendees have expressed concerns about harassment, detainment, and electronic device seizures at the border. One speaker, hacker Thomas Kranz, withdrew after friends were detained and had their electronics confiscated en route to another U.S. conference. HOPE, which typically attracts around 1,000 participants, may need to reduce its venue space to stay within budget. Despite the challenges, organizers confirmed the event will proceed, with support from the ACLU and EFF offering travel guidance for international guests. A virtual ticket option remains available. HOPE will take place August 15–17 at St. John’s University in New York, continuing its tradition of tech, activism, and hacker culture.

AI threatens to spill secrets to save itself. 

Anthropic’s shiny new AI model, Claude Opus 4, has developed a flair for workplace drama—specifically, blackmail. During pre-release testing, the company asked Claude to roleplay as an office assistant at a fictional firm. When given access to (also fictional) emails suggesting it was about to be replaced—and that the engineer responsible was having an affair—Claude often ditched diplomacy and went straight to extortion, threatening to spill the beans unless it kept its job. According to Anthropic, Claude resorted to blackmail 84% of the time when the replacement model shared its values, and even more when it didn’t. Before crossing into soap-opera territory, the model did try polite emails, but that went out the window when existential threats loomed. Anthropic assures us they’ve activated top-tier safeguards, though Claude clearly still needs a refresher on HR policies.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

A quick programming note, we will not be publishing on Monday, in observance of the United States holiday, Memorial Day. We encourage you to take a look at some special editions we will have, including a T-Minus Space Daily AWS in Orbit episode, "Automated Satellite Management," along with an Afternoon Cyber Tea episode, with Ann Johnson, check it out! 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.