
Espionage in the airwaves.
The Secret Service dismantles an illegal network. Jaguar Land Rover (JLR) extends the shutdown of its production plants. The EU probes tech giants over online scams. Iranian APT Nimbus Manticore expands operations in Europe. North Korean Kimsuky deploys a shortcut-based espionage campaign. GitHub and Ruby Central roll out supply-chain security upgrades. LastPass warns of a macOS ClickFix campaign using fake GitHub repos. AT&T’s CISO warns hackers mimic Salt Typhoon’s unconventional tactics. CISO Perspectives host Kim Jones previews the upcoming season. An attorney pays $10K for AI hallucinations.
Today is Tuesday September 23rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Secret Service dismantles an illegal network.
The Secret Service announced it dismantled a clandestine communications network in the New York region that was capable of disabling the cellular system as world leaders gathered for the U.N. General Assembly, the New York Times reports. Investigators seized more than 100,000 SIM cards and 300 servers across multiple sites within 35 miles of U.N. headquarters. Officials said the system could send 30 million texts per minute anonymously, disrupt emergency services, and support encrypted communication. Analysis has already revealed ties to at least one foreign nation and links to known criminals, including cartel members. While there is no evidence it directly threatened the U.N. conference, experts suggested the scale and sophistication point to state-backed espionage. The operation followed threats made to senior U.S. officials earlier this year. Multiple agencies are now investigating, with officials warning similar networks may exist elsewhere.
Jaguar Land Rover (JLR) extends the shutdown of its production plants.
Jaguar Land Rover (JLR) has extended the shutdown of its Solihull and Halewood plants until at least October 1, leaving production idle for a month following a major cyberattack. The company, working with the UK’s National Cyber Security Centre and law enforcement, says it is prioritizing a safe restart, but the disruption could cost an estimated £2.2 billion ($2.9 billion) in revenue and £150 million ($202 million) in profits. Reports suggest JLR may lack adequate cyber insurance, potentially deepening losses. The crisis has triggered layoffs in its supply chain, which employs more than 100,000 workers, raising concerns for local businesses that depend on the plants. Experts warn that without emergency government support, the prolonged disruption could be one of the worst crises in JLR’s history.
The EU probes tech giants over online scams.
The European Union is pressing Apple, Google, Microsoft, and Booking to prove they are doing enough to stop online scams. Regulators issued formal information requests under the Digital Services Act, focusing on fraudulent apps, manipulated search results, and fake accommodation listings. The inquiry highlights growing concern about criminal activity online and could open the door to official investigations. If found lacking, the companies risk fines of up to six percent of global annual revenue.
Iranian APT Nimbus Manticore expands operations in Europe.
Check Point Research reports that Iranian threat actor Nimbus Manticore, also tracked as UNC1549 and Smoke Sandstorm, is intensifying attacks on European defense, telecom, and aviation sectors. Recent campaigns target Denmark, Sweden, and Portugal with spear-phishing from fake recruiters directing victims to fraudulent career portals. Each target receives unique credentials, enabling precise victim tracking and strong operational security. The group employs a sophisticated DLL side-loading chain, deploying evolving tools like the MiniJunk backdoor and MiniBrowse stealer. These payloads leverage valid code-signing, obfuscation, and multi-stage sideloading to evade analysis. Nimbus Manticore’s activity reflects nation-state tradecraft: stealthy delivery, resilient infrastructure, and custom implants like Minibike, which continues to evolve. Analysts warn this campaign signals a mature, well-resourced adversary aligned with Iran’s strategic priorities.
North Korean Kimsuky deploys a shortcut-based espionage campaign.
Researchers at Logpresso report that in July 2025, North Korea–linked threat actor Kimsuky launched a new espionage campaign using malicious shortcut files. The operation spreads through compressed archives disguised as official or sensitive documents, luring victims to execute hidden shortcuts. These trigger mshta.exe, which retrieves encrypted payloads from command-and-control servers, then installs multi-stage scripts and DLLs. The malware harvests browser data, wallet extensions, Telegram sessions, certification files, documents, and keystrokes, transmitting them in encrypted fragments. It also maintains persistence, avoids virtual machines, and executes remote commands. Researchers note this attack demonstrates advanced tradecraft, with obfuscation, encryption, and reflective DLL injection enabling long-term access and intelligence collection. The campaign highlights Kimsuky’s continued focus on covert surveillance and credential theft across multiple sectors.
GitHub and Ruby Central roll out supply-chain security upgrades.
GitHub is introducing stricter defenses after multiple large-scale supply-chain attacks, including “s1ngularity,” “GhostAction,” and “Shai-Hulud,” which spread from GitHub to NPM and compromised thousands of accounts. To reduce risk, GitHub will require two-factor authentication for local publishing, shorten token lifetimes, deprecate older authentication methods, and expand trusted publishing. These changes aim to minimize token misuse and strengthen publishing workflows. Meanwhile, Ruby Central is tightening governance of the RubyGems ecosystem following recent malicious gem campaigns, temporarily limiting admin access to staff while transitioning toward a more transparent, community-driven model. Together, the moves highlight growing recognition that ecosystem security requires both stronger platform safeguards and active developer participation. Documentation and migration guides will accompany GitHub’s rollout to ease adoption.
In related news, researchers at Socket Threat Research discovered a malicious npm package named “fezbox” that used QR codes to deliver cookie-stealing malware. Masquerading as a utility library, the package fetched a JPG image containing a dense QR code, which unpacked an obfuscated payload. The malware targeted credentials stored in cookies, then exfiltrated usernames and passwords via HTTPS. To evade detection, the code reversed embedded URLs and strings. Before removal, fezbox was downloaded at least 327 times, highlighting continued supply-chain risks in open-source ecosystems.
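The evasion trick described above, reversing URLs and keywords so they do not show up in a plain string search, is easy to undo during package review. This added example (not code from fezbox, Socket, or the CyberWire) scans a constructed JavaScript sample for string literals that only become a URL or a sensitive keyword once reversed, and counts the split/reverse/join idiom used to restore them at runtime.

```python
import re

# Constructed sample of a package entry point in the style the passage describes
# (NOT fezbox's real code): URLs and keywords are stored reversed and restored at runtime.
SAMPLE_JS = r'''
const u = "gpj.edoc/moc.elpmaxe-ndc//:sptth".split("").reverse().join("");
const k = "eikooc".split("").reverse().join("");
fetch(u).then(r => r.blob());          // pulls the image that carries the QR code
const greeting = "hello world";        // benign literal, must not be flagged
'''

STRING_LITERAL = re.compile(r'''(["'`])((?:\\.|(?!\1).)*)\1''')
URL_RE = re.compile(r"https?://[\w.-]+", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
SENSITIVE = ("cookie", "password", "token")
# The runtime idiom used to undo the reversal: "...".split("").reverse().join("")
REVERSE_IDIOM = re.compile(r'''\.split\(\s*(["'])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(["'])\2\s*\)''')


def find_reversed_indicators(source):
    """Return (literal, decoded, reason) for string literals that only become
    meaningful (a URL or a sensitive keyword) once reversed."""
    findings = []
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(2)
        rev = lit[::-1]
        if URL_RE.search(lit):
            continue  # plain URL: visible to any reviewer, nothing hidden
        if URL_RE.search(rev):
            reason = "reversed URL to image file" if rev.lower().endswith(IMAGE_EXT) else "reversed URL"
            findings.append((lit, rev, reason))
        elif any(s in rev.lower() for s in SENSITIVE) and not any(s in lit.lower() for s in SENSITIVE):
            findings.append((lit, rev, "reversed sensitive keyword"))
    return findings


def count_reverse_idioms(source):
    """How many times the split/reverse/join de-obfuscation idiom appears."""
    return len(REVERSE_IDIOM.findall(source))


def triage(source):
    """Combine both signals into a simple verdict for a package review queue."""
    findings = find_reversed_indicators(source)
    idioms = count_reverse_idioms(source)
    suspicious = bool(findings) and idioms > 0
    return {"findings": findings, "reverse_idioms": idioms, "suspicious": suspicious}


if __name__ == "__main__":
    for lit, decoded, reason in find_reversed_indicators(SAMPLE_JS):
        print(f"{reason}: {lit!r} -> {decoded!r}")
    print(triage(SAMPLE_JS)["suspicious"])
```

The same pass over a real package's `dist/` files would surface the hidden image URL and the cookie reference before any of the reversed code ever runs.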
LastPass warns of a macOS ClickFix campaign using fake GitHub repos.
LastPass is warning of a campaign targeting macOS users through fake GitHub repositories impersonating more than 100 popular apps, including 1Password, Dropbox, Robinhood, and SentinelOne. The sites push Atomic Stealer (AMOS) malware through “ClickFix” attacks, where users are tricked into pasting malicious commands into Terminal. AMOS, sold as malware-as-a-service, now includes a backdoor for persistent access. Attackers use search engine optimization and mass-created GitHub repos to evade takedowns and boost visibility. Victims who execute the curl-based command unknowingly install the payload. LastPass advises downloading software only from official vendor sites and warns that automated repository creation makes these attacks difficult to contain. The campaign highlights rising threats to macOS users from well-orchestrated supply-chain deception.
AT&T’s CISO warns hackers mimic Salt Typhoon's unconventional tactics.
AT&T’s chief information security officer warns that hackers are increasingly copying Salt Typhoon, the Chinese group behind last year’s telecom breaches. Speaking at Google’s Cyber Defense Summit, Rich Baich said attackers now hunt for weak points outside traditional endpoint detection, exploit platforms without logging, and use “living off the land” tactics with legitimate administrative tools. These methods, combined with careful evasion of forensic probes, make intrusions harder to detect. Former NSA cyber chief Rob Joyce added that stronger defenses in common technologies are forcing adversaries to innovate with chained exploits and stealthy tradecraft. Security leaders stress that defenders must adapt, expanding protections beyond conventional endpoints and anticipating how attackers may turn everyday tools into attack vectors.
An attorney pays $10K for AI hallucinations.
A California attorney has learned the hard way that AI isn’t a substitute for reading the fine print—or in this case, the fine cases. Amir Mostafavi submitted an appeal brief in which 21 of 23 citations were either fabricated or misquoted, courtesy of his AI “co-authors.” Judge Lee Smalley Edmon was unimpressed, sanctioning him with a $10,000 fine and a reminder that lawyers must actually read their sources. Mostafavi, who admitted he hadn’t fact-checked the AI’s work, argued ignorance, but the court disagreed. While the judge noted there’s nothing wrong with using AI in law, delegating due diligence to a chatbot is not a winning defense. The cautionary tale adds to a growing list of legal professionals discovering that hallucinated case law doesn’t hold up in court.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
