
Iran’s digital threat after U.S. strikes.
Cybersecurity warnings about possible Iranian retaliation have surged. A potential act of sabotage disrupts the NATO Summit in The Hague. Canadian cybersecurity officials discover Salt Typhoon breached a major telecom provider. The U.S. House bans WhatsApp from all government devices. APT28 uses Signal chats in phishing campaigns targeting Ukrainian government entities. A China-linked APT has built a covert network of over 1,000 compromised devices for long-term espionage. FileFix is a new variant of the well-known ClickFix method. SparkKitty targets Android and iOS users for image theft. Scammers steal $4 million from Coinbase users by posing as support staff. On today’s Threat Vector, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, to discuss the fine line between thought leadership and echo chambers in the industry. War Thunder gamers just can’t resist state secrets.
Today is Tuesday, June 24th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Cybersecurity warnings about possible Iranian retaliation have surged.
Following the U.S. bombing of Iranian nuclear sites on Saturday, cybersecurity warnings about possible Iranian retaliation have surged. Iran responded with a largely symbolic missile attack on U.S. forces in Qatar, but experts caution that digital retaliation is still likely. The Department of Homeland Security warned of possible cyberattacks and violence, while former CISA head Jen Easterly urged critical infrastructure operators to secure their systems. Though Iranian cyber capabilities are considered second-tier, they can be disruptive, using tactics like social engineering and custom malware, including tools targeting U.S. fuel systems. Hacktivist groups aligned with Iran have already ramped up online propaganda and made questionable claims of cyberattacks. Experts note that much of Iran’s cyber response may be psychological warfare, but real threats remain, particularly if Iran deploys destructive malware like past wiper attacks. The current threat is as much about perception as it is about real cyber damage.
A potential act of sabotage disrupts the NATO Summit in The Hague.
A potential act of sabotage disrupted the NATO Summit in The Hague after a fire damaged nearly 30 railway cables, halting train service between Amsterdam and The Hague. The blaze, early Tuesday, severely impacted transport just as over 45 world leaders were arriving. Dutch justice minister David van Weel suggested sabotage, though the source remains unclear. Around 27,000 police and military personnel were deployed for what authorities called the largest security operation in Dutch history. Pro-Russian hacktivists also claimed DDoS attacks tied to the summit. This comes amid rising concerns over Russian hybrid threats, with NATO citing recent malign activities across member states. The sabotage mirrors past incidents, including France’s 2023 railway disruptions before the Olympics, as NATO warns of a growing campaign by Russia targeting Western infrastructure.
Canadian cybersecurity officials discover Salt Typhoon breached a major telecom provider.
In February 2025, Canadian cybersecurity officials discovered that Salt Typhoon, a Chinese state-sponsored hacking group, had breached a major Canadian telecom provider. The attackers took advantage of an old Cisco vulnerability, CVE-2023-20198, that had remained unpatched long after its discovery. Once inside, they accessed sensitive configuration files and set up a GRE tunnel, likely to siphon off network traffic.
This wasn’t Salt Typhoon’s first move. The group had previously hit U.S. telecom giants and was already under Canadian surveillance following earlier reconnaissance activity. Yet, despite warnings, critical infrastructure remained vulnerable.
Now, the Canadian Centre for Cyber Security and the FBI warn that the threat is far from over. Salt Typhoon continues to target telecoms and other sectors, focusing on edge devices like routers and VPNs.
The U.S. House bans WhatsApp from all government devices.
The U.S. House has banned WhatsApp from all government devices, citing concerns over data transparency, lack of stored data encryption, and potential security risks, Axios reports. The Office of Cybersecurity called the app high-risk and ordered its removal from House-managed phones and computers. The move aligns with broader efforts to limit risky tech, including AI tools. WhatsApp’s parent company Meta strongly disagreed, pointing to its end-to-end encryption. Approved alternatives include Microsoft Teams, Signal, and iMessage. Staffers were also warned about phishing threats.
APT28 uses Signal chats in phishing campaigns targeting Ukrainian government entities.
Russia-backed APT28 has been using Signal chats in phishing campaigns targeting Ukrainian government entities, delivering two newly discovered malware strains: BeardShell and SlimAgent. While Signal itself wasn’t compromised, attackers used it to send a malicious document with embedded macros that launched Covenant, a memory-resident loader. Covenant deployed BeardShell, a C++ malware that downloads encrypted PowerShell scripts and communicates with its command server via Icedrive API. BeardShell maintains persistence using Windows registry COM hijacking. Another tool, SlimAgent, captures and encrypts screenshots for exfiltration. These attacks, uncovered by CERT-UA with ESET’s help, reflect APT28’s evolving tactics. Previously, the group exploited Wi-Fi proximity in cyberespionage campaigns. Ukrainian officials have criticized Signal’s lack of cooperation in blocking Russian abuse, a claim Signal denies. This reflects broader concerns over the messaging platform’s role in modern espionage despite its strong encryption and privacy stance.
A China-linked APT has built a covert network of over 1,000 compromised devices for long-term espionage.
A China-linked APT, identified as UAT-5918, has built a covert network of over 1,000 compromised devices, dubbed LapDogs, for long-term espionage. The group infected small office/home office routers, mainly Ruckus and Buffalo models, with a custom backdoor called ShortLeash. These devices, exploited via old vulnerabilities, now serve as stealthy relay nodes. The campaign targets IT, media, and other sectors across the U.S. and Asia. LapDogs likely began in late 2023 and appears connected to, though distinct from, a larger network called PolarEdge.
FileFix is a new variant of the well-known ClickFix method.
Security researcher mr.d0x has introduced a new phishing technique called the “FileFix Attack,” a browser-based variation of the well-known ClickFix method. While ClickFix relies on tricking users into executing malicious commands via the Windows Run Dialog, FileFix instead abuses the file upload feature in browsers. The method uses social engineering to coax users into pasting a malicious command into the File Explorer address bar, triggered through a fake file-sharing page, ultimately executing PowerShell code without the user leaving their browser.
The attack cleverly masks the command behind a decoy file path and uses browser scripting to copy the payload to the clipboard. A second variation shows how launching executables via File Explorer can bypass Windows’ “Mark of the Web” protections, stripping security flags from downloaded files. While simple, both variations demonstrate how social engineering can effectively drive execution, reinforcing the need for awareness and monitoring of browser-spawned system processes.
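The story closes on monitoring browser-spawned system processes; the check below is an added example of that idea (not code from the episode or from mr.d0x's research). It assumes process-creation records shaped like Sysmon Event ID 1, reduced to plain dicts with `Image` and `ParentImage` fields, and the sample events are constructed.

```python
"""Flag script/shell interpreters whose parent process is a web browser.

Added example, not from the CyberWire episode or mr.d0x's write-up. It
assumes Sysmon-style process-creation records (Image, ParentImage) reduced
to plain dicts; the sample events below are constructed, not real telemetry.
"""
from typing import Iterable

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_spawned_interpreter(event: dict) -> bool:
    """True when a browser directly launched a shell or script host.

    A user opening a shell from the Start menu has explorer.exe as the
    parent, so that path is not flagged; only a browser parent is.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in BROWSERS and child in INTERPRETERS


def find_browser_spawned(events: Iterable[dict]) -> list[dict]:
    """Return every event matching the browser -> interpreter pattern."""
    return [e for e in events if is_browser_spawned_interpreter(e)]


# Constructed sample events: one true hit per browser, two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ProcessId": 4133,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ProcessId": 4150,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4171,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]
```

Running `find_browser_spawned(SAMPLE_EVENTS)` returns only the two browser-parented interpreter launches; tune `BROWSERS` and `INTERPRETERS` to the software actually deployed before using it as a detection rule.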
SparkKitty targets Android and iOS users for image theft.
Kaspersky has uncovered a spyware campaign called SparkKitty targeting Android and iOS users, primarily in Southeast Asia and China. Active since early 2024, the campaign uses fake apps, often TikTok mods or cryptocurrency tools, distributed via both official and unofficial app stores. The malware steals images from device galleries, likely to extract cryptocurrency wallet info using optical character recognition (OCR). On iOS, attackers used Apple’s Enterprise program and modified open-source libraries to bypass App Store restrictions. One infected Android app had over 10,000 Google Play downloads before removal. Related malicious apps also appeared as Progressive Web Apps (PWAs) tied to scams and Ponzi schemes. Kaspersky links SparkKitty to the earlier SparkCat campaign, both using image theft and OCR to harvest sensitive crypto-related data from mobile users. The malicious code was embedded directly into the apps, not via third-party SDKs.
Scammers steal $4 million from Coinbase users by posing as support staff.
Blockchain investigator ZachXBT has exposed a scam operation allegedly run by Christian Nieves, aka “Daytwo,” who stole $4 million from Coinbase users by posing as support staff. Nieves and his group tricked victims into creating wallets with pre-compromised seed phrases on phishing sites. One accomplice, “Paranoia,” stole $240,000 from an elderly victim. Much of the stolen crypto was gambled away or laundered via Monero. Despite solid on-chain evidence, authorities have yet to charge anyone, and most funds are unrecoverable.
Coming up on our Threat Vector segment, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, entrepreneur, and cybersecurity marketing expert, to discuss the fine line between thought leadership and echo chambers in the industry. We’ll be right back.
Welcome back. You can find a link to David and Tyler's full discussion from Threat Vector in our show notes, and catch new episodes every Thursday on your favorite podcast app.
War Thunder gamers just can’t resist state secrets.
Once again, the digital battlefield of the online military combat game War Thunder has been ambushed, not by tanks or jets, but by yet another overzealous forum poster waving around restricted military documents like they’re Pokémon cards. This time, an enthusiast uploaded handling manuals for the AV-8B and TAV-8B Harriers, which, while not classified, are marked for limited distribution. The documents earned him a temporary ban and a polite forum cleanup from Gaijin, the game’s developer. It’s not the first time, and certainly not the last. Similar leaks involving Russian tanks and U.S. armored vehicles have popped up before, each time greeted with the same weary sigh from moderators and military types alike. As one RAF engineer dryly noted, these aren’t exactly earth-shattering disclosures, but rules are rules. And if history’s any guide, someone will break them again by next Tuesday.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.