The CyberWire Daily Podcast 1.9.26
Ep 2465 | 1.9.26

Is interim the new permanent?

Transcript

The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE’s latest surveillance system. CISA marks a milestone by retiring ten Emergency Directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes, a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. After firing the experts, DOGE hangs a help wanted sign.

Today is Friday, January 9th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The NSA reshuffles its cybersecurity leadership. 

The National Security Agency is reshuffling leadership within its cybersecurity directorate as it continues to wait for a Senate-confirmed chief, a vacancy that has stretched more than nine months. David Imbordino, currently the directorate’s deputy chief, is expected to step in as acting head at the end of the month. Holly Baroody, now serving in the United Kingdom, is slated to return this summer as acting deputy. The NSA declined to confirm personnel changes.

The directorate has lacked permanent leadership since early last year, following the departure of its top officials. Greg Smithberger, who has been leading in an acting role, will retire soon. Established in 2019 to improve intelligence sharing and collaboration on cyber threats, the directorate has played a visible role in election security and public advisories, including a recent malware warning with U.S. and Canadian partners.

Leadership uncertainty remains across the agency, pending confirmations for senior roles at NSA and U.S. Cyber Command.

A new report unmasks ICE’s latest surveillance system. 

U.S. Immigration and Customs Enforcement has purchased access to a powerful surveillance system that allows agents to monitor neighborhoods, track individual mobile phones over time, and infer where people live and work, according to documents obtained by 404 Media. The system, built by data broker Penlink, relies on commercially sourced location data from hundreds of millions of phones and, under ICE’s internal legal analysis, can be queried without a warrant.

The tool allows users to draw geographic perimeters, identify devices present, and trace their movements across cities or the country. Civil liberties advocates warn this creates a sweeping surveillance dragnet with few safeguards, particularly amid ICE’s mass deportation efforts. Critics argue the agency is exploiting legal loopholes to bypass Fourth Amendment protections, despite Supreme Court limits on telecom-based location tracking. ICE and DHS declined to address detailed questions, while Penlink says its products use lawful data to support criminal investigations.

CISA marks a milestone by retiring ten Emergency Directives. 

The Cybersecurity and Infrastructure Security Agency (CISA) announced it has formally retired ten Emergency Directives issued between 2019 and 2024, the largest number closed at one time. The move reflects that the directives have fulfilled their purpose of addressing urgent cyber risks facing Federal Civilian Executive Branch agencies. CISA determined that required remediation actions are complete, or that the risks are now covered under Binding Operational Directive 22-01, which focuses on known exploited vulnerabilities.

Several directives tied to specific vulnerabilities were retired because those issues are now tracked through CISA’s Known Exploited Vulnerabilities catalog. Others were closed because their objectives were met and the threat landscape has changed. Acting Director Madhu Gottumukkala said the milestone highlights strong collaboration across federal agencies and CISA’s ongoing focus on rapid risk reduction and Secure by Design principles to strengthen federal cybersecurity.

Trend Micro patches a critical vulnerability. 

Trend Micro has patched a critical vulnerability in its Apex Central on-premises management console that could allow unauthenticated attackers to execute code with SYSTEM privileges. Tracked as CVE-2025-69258, the flaw enables low-complexity remote code execution through malicious DLL injection, without user interaction. The issue was reported by Tenable and affects systems exposed to the internet. Trend Micro urges customers to apply Critical Patch Build 7190 immediately, which also fixes two denial-of-service flaws, and to review access controls and perimeter security.

Grok dials back the nudes, a bit. 

Grok, the AI chatbot developed by xAI, has restricted its image-generation feature to paying subscribers after mounting backlash in the UK over its misuse on X. Previously, any user could prompt Grok to generate images, which led to widespread abuse, including the creation of sexualized and non-consensual images of real people, sometimes minors. UK ministers and regulators warned the feature may violate the Online Safety Act, prompting threats of bans or boycotts if X failed to act.

Safeguarding minister Jess Phillips called the tool’s use “an absolute disgrace,” while Prime Minister Keir Starmer said the situation was “completely unacceptable” and warned that all options remain on the table. Regulators, including Ofcom and the Information Commissioner’s Office, are now examining potential legal and data protection violations.

Cambodia extradites a cybercrime kingpin to China. 

Cambodian authorities have arrested and extradited Chen Zhi, head of the Prince Group conglomerate, to China, marking a major blow to Southeast Asia’s sprawling online scam industry. Chen, once a prominent Cambodian businessman with interests spanning banking, real estate, and aviation, is accused by U.S. and UK authorities of masterminding a multibillion-dollar scam empire linked to online fraud, money laundering, and human trafficking. In October, Chen and dozens of Prince Group–linked entities were sanctioned, while the U.S. Department of Justice seized roughly $15 billion in bitcoin tied to his accounts and the UK confiscated high-value London properties. Experts say the arrest represents Cambodia’s most significant action yet against elite scam operators, but note that extraditing Chen to China likely prevents wider scrutiny of alleged political and business complicity that could have emerged in Western courts.

Ghost Tap malware intercepts payment card data. 

Security researchers report that Chinese-linked threat actors are running an aggressive campaign distributing NFC-enabled Android malware dubbed “Ghost Tap,” designed to intercept and remotely relay payment card data. According to researchers at Group-IB, the malware is tied to groups including TX-NFC and NFU Pay and is spread through social engineering that tricks victims into installing malicious APKs disguised as legitimate financial apps.

Once installed, the malware relays NFC card data from a victim’s phone to attacker-controlled devices, enabling contactless fraud worldwide. Distribution and sales are handled through subscription-based channels on Telegram, complete with tiered pricing and customer support. Researchers say the campaign reflects a highly professionalized criminal operation, highlighting growing risks to mobile payment systems and the need for stronger endpoint security and user awareness.

Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. 

Huntress reports disrupting a highly sophisticated intrusion in December 2025 that leveraged VMware ESXi hypervisor exploits, likely following initial access through a compromised SonicWall VPN. According to the Huntress Tactical Response team, the attackers used a stolen Domain Admin account to move laterally, deploy a custom ESXi “VM escape” toolkit, and attempt full hypervisor compromise, activity often associated with ransomware campaigns.

The exploit chain abused multiple ESXi vulnerabilities later disclosed by VMware in March 2025, enabling attackers to break out of a guest virtual machine and install a stealthy backdoor on the host. The toolkit supported 155 ESXi builds, suggesting long-term development, possibly as a zero-day, and contained simplified Chinese artifacts pointing to a well-resourced developer in a Chinese-speaking region. Huntress and its SOC stopped the attack before impact, underscoring that basic controls like VPN security and aggressive ESXi patching remain critical despite advanced attacker tradecraft.

European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. 

European law enforcement agencies have arrested nearly three dozen suspects linked to the international cybercriminal group Black Axe in a coordinated multinational operation. With support from Europol, Spanish National Police and German authorities detained 34 people across Spain, seizing cash and freezing bank accounts tied to the group’s activities. Investigators say the Spain-based network caused nearly €6 million in fraud losses and was involved in business email compromise, romance scams, phishing, extortion, and related cyber-enabled crimes.

Black Axe originated in West Africa and has evolved into a global operation, generating billions annually, according to law enforcement estimates. Authorities say the group recruited money mules in high-unemployment areas to launder proceeds. Europol said the arrests significantly disrupted operations and highlighted the value of cross-border cooperation against fragmented, transnational cybercrime networks.


After firing the experts, DOGE hangs a help wanted sign. 

After shedding hundreds of thousands of federal workers, including many technologists, the Trump administration is back on the job market, cheerfully asking what could possibly go wrong. The newly minted U.S. DOGE Service, born from the rebranding of the U.S. Digital Service under Donald Trump, is recruiting again, pitching “massive impact” and civic duty after a year of mass firings and agency shutdowns.

DOGE’s short-term operatives became infamous for cutting contracts, accessing sensitive systems, and dismantling agencies, while the quieter, permanent USDS staff kept working on things like passport renewals and veterans’ benefits. Meanwhile, other administration-backed teams, including a White House design studio and a new U.S. Tech Force, are also hiring, even as earlier tech corps already exist.

DOGE’s legacy remains unsettled. Promised savings never materialized, spending rose, and many operatives departed after Elon Musk stepped back. Still, the help-wanted signs are up, optimism included.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.