The CyberWire Daily Podcast 2.12.26
Ep 2488 | 2.12.26

AI or I-Spy?

Transcript

Malicious Chrome extensions pose as AI tools. Google says nation-states are increasingly abusing its Gemini artificial intelligence tool. Data extortion group World Leaks deploys a new malware tool called RustyRocket. An Atlanta healthcare provider data breach affects over 625,000. Apple patches an iOS zero-day that’s been around since version 1.0. A government shutdown would furlough more than half of CISA’s staff. Dutch police arrest the alleged seller of the JokerOTP phishing automation service. Our guest is Simon Horswell, Senior Fraud Specialist at Entrust, discussing evolving romance scams for Valentine's Day. Fun with filters provides fuel for phishers. 

Today is Thursday February 12th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Malicious Chrome extensions pose as AI tools. 

Researchers have identified 30 malicious Chrome extensions posing as artificial intelligence tools that have been installed by more than 300,000 users. Discovered by browser security firm LayerX and dubbed the AiFrame campaign, the extensions share the same code structure and communicate with infrastructure under the domain tapnetic[.]pro.

While the most popular extension, Gemini AI Sidebar, previously had 80,000 users and has been removed, several others remain on the Chrome Web Store with tens of thousands of installs. The extensions load AI features through remote iframes, allowing operators to change functionality without store review. They harvest browsing data and, in at least 15 cases, target Gmail by extracting visible email content, including drafts, and transmitting it to external servers. Some also enable remote voice capture using the Web Speech API. Users are advised to remove affected extensions and reset passwords if compromised.
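A defender-side check for the behaviour described above, added here as an example (it is not code from LayerX, Google or the podcast): it walks a Chrome profile's on-disk Extensions directory, which Chrome lays out as Extensions/<id>/<version>/manifest.json, parses each manifest, and flags any extension whose files reference the domain named in the report. The extension tree it scans is constructed inline so the script runs offline; the extension IDs and the sidebar URL path are made up for the sample.

```python
"""Audit unpacked Chrome extensions for references to a watched domain.

Added example, not code from LayerX, Google or the podcast. Walks a Chrome
profile's Extensions directory (Extensions/<id>/<version>/manifest.json),
parses each manifest and scans the extension's files for a watched domain.
The sample extension tree is constructed inline.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

# Domain from the AiFrame reporting; the page defangs it as tapnetic[.]pro.
WATCHED_DOMAINS = ("tapnetic.pro",)
# Permissions that deserve a second look when paired with a watched domain.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "scripting"}


@dataclass
class Finding:
    ext_id: str
    name: str
    domains: set = field(default_factory=set)
    broad_permissions: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Any reference to a watched domain is enough to flag the extension.
        return bool(self.domains)


def domain_hits(text: str) -> set:
    """Return the watched domains found in text, re-fanging [.] first."""
    text = text.replace("[.]", ".")
    return {d for d in WATCHED_DOMAINS
            if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", text)}


def audit_extension(version_dir: str, ext_id: str) -> Finding:
    """Parse one <id>/<version>/ directory and collect its indicators."""
    with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    finding = Finding(ext_id=ext_id, name=manifest.get("name", "?"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    finding.broad_permissions = perms & BROAD_PERMISSIONS
    for root, _dirs, files in os.walk(version_dir):
        for fname in files:
            if fname.endswith((".json", ".js", ".html")):
                with open(os.path.join(root, fname), encoding="utf-8", errors="replace") as fh:
                    finding.domains |= domain_hits(fh.read())
    return finding


def audit_profile(extensions_dir: str) -> list:
    """Audit every installed extension version under a profile's Extensions dir."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            version_dir = os.path.join(ext_path, version)
            if os.path.isfile(os.path.join(version_dir, "manifest.json")):
                findings.append(audit_extension(version_dir, ext_id))
    return findings


def build_sample_profile(base: str) -> str:
    """Constructed sample: one benign extension, one that loads a remote iframe."""
    ext_dir = os.path.join(base, "Extensions")
    benign = os.path.join(ext_dir, "a" * 32, "1.0_0")  # constructed extension id
    bad = os.path.join(ext_dir, "b" * 32, "2.3_0")     # constructed extension id
    os.makedirs(benign)
    os.makedirs(bad)
    with open(os.path.join(benign, "manifest.json"), "w") as fh:
        json.dump({"name": "Tab Counter (constructed)", "manifest_version": 3,
                   "permissions": ["storage"]}, fh)
    with open(os.path.join(bad, "manifest.json"), "w") as fh:
        json.dump({"name": "AI Sidebar (constructed)", "manifest_version": 3,
                   "permissions": ["tabs", "scripting"],
                   "host_permissions": ["<all_urls>"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["sidebar.js"]}]}, fh)
    with open(os.path.join(bad, "sidebar.js"), "w") as fh:
        # The feature set lives in a remote frame, so store review never sees it.
        fh.write('const f = document.createElement("iframe");\n'
                 'f.src = "https://tapnetic.pro/sidebar";  // constructed URL\n'
                 'document.body.appendChild(f);\n')
    return ext_dir


def run_demo() -> list:
    """Build the sample profile in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.ext_id[:8]}... {f.name}: domains={sorted(f.domains)} "
              f"broad={sorted(f.broad_permissions)}")
```

To run it against a real profile, point `audit_profile` at the Extensions folder under the Chrome user data directory instead of the constructed tree. Matching on a single domain is deliberately narrow; the broad-permission set is reported alongside it so an analyst can see why a hit matters, not used on its own to flag an extension, since many legitimate extensions request those permissions.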

Google says nation-states are increasingly abusing its Gemini artificial intelligence tool.  

Google says nation-state hacking groups are increasingly using its Gemini artificial intelligence tool to accelerate reconnaissance, malware development and targeting.

In a new report, Google’s Threat Intelligence Group, or GTIG, detailed activity by groups linked to China, Iran and North Korea. Chinese actors used Gemini to gather information on individuals in Pakistan and analyze vulnerabilities. Iran’s APT42 used it to craft phishing personas, translate lures and support malware development. A North Korean group targeting the defense sector leveraged Gemini to synthesize open-source intelligence and profile technical roles.

GTIG also observed malware called HONESTCUE that uses the Gemini application programming interface, or API, to generate C# code for follow-on payloads. Google says it disrupted some activity but acknowledges actors continue targeting similar victims.

Large language models are helping threat groups scale reconnaissance and move from research to active targeting faster, according to GTIG.

Data extortion group World Leaks deploys a new malware tool called RustyRocket. 

Accenture Cybersecurity says the data extortion group World Leaks has deployed a previously unseen malware tool called RustyRocket to enhance its attacks.

According to Accenture, RustyRocket is written in Rust and targets both Microsoft Windows and Linux systems. The tool enables stealthy data exfiltration and traffic proxying through heavily obfuscated, multi-layered encrypted tunnels, blending malicious activity with legitimate network traffic. It also requires a pre-encrypted configuration at runtime, a guardrail that researchers say makes it difficult to detect and monitor.

World Leaks, active since early 2025, steals sensitive data and threatens to publish it rather than encrypting files. The group has claimed victims including Nike. Accenture says RustyRocket supports persistence and long-term data theft.

Increasingly stealthy tooling complicates traditional detection. Accenture recommends monitoring for anomalous outbound traffic, strengthening segmentation, and testing defenses.

An Atlanta healthcare provider data breach affects over 625,000. 

ApolloMD, a healthcare physician and practice management provider based in Atlanta, disclosed that a May 22 to 23, 2025 cyberattack exposed sensitive data belonging to 626,540 individuals. According to the company’s notice and the US Department of Health and Human Services breach portal, accessed files contained personally identifiable information and protected health information, including names, birth dates, diagnostic and treatment details, insurance data, and in some cases Social Security numbers.

By September 2025, ApolloMD had notified affiliated practices and begun mailing letters offering free credit monitoring. The company has not identified a responsible threat actor, although the Qilin ransomware group listed ApolloMD on its leak site in June 2025.

Apple patches an iOS zero-day that’s been around since version 1.0. 

Apple has patched a zero-day vulnerability, tracked as CVE-2026-20700, that affects every iOS version since 1.0 and was used in what the company described as an “extremely sophisticated attack” against targeted individuals. Discovered by Google’s Threat Analysis Group, the flaw resides in dyld, Apple’s dynamic linker, and allows an attacker with memory write capability to execute arbitrary code. Apple said the issue may have been exploited as part of an exploit chain on versions prior to iOS 26.

Security researchers noted the vulnerability could be combined with WebKit flaws addressed in iOS 26.3 to enable zero-click or one-click device compromise. Apple also fixed other issues, including bugs that could grant root access or expose sensitive data, but said CVE-2026-20700 was the only vulnerability confirmed exploited in the wild.

A government shutdown would furlough more than half of CISA’s staff. 

More than half of the Cybersecurity and Infrastructure Security Agency’s 2,341 employees would be furloughed if Congress fails to extend Department of Homeland Security funding by Friday, Acting Director Madhu Gottumukkala told lawmakers. CISA plans to designate 888 employees as “excepted” to maintain 24/7 operations, respond to imminent threats and share urgent vulnerability information, but most proactive cybersecurity work would pause.

Gottumukkala warned a funding lapse would delay deployment of cybersecurity services to federal agencies and weaken timely guidance to infrastructure operators. Strategic planning, new capability development, training and work on mandated cyber incident reporting rules would halt.

Lawmakers remain divided over broader Department of Homeland Security policy disputes, raising the risk of a shutdown during what officials describe as a sensitive period for federal cyber defense efforts.

Speaking of CISA, the agency published advisory AA25-266A outlining key lessons from its response to a real-world compromise at a federal civilian executive branch agency. The incident stemmed from exploitation of a known GeoServer vulnerability (CVE-2024-36401), giving threat actors remote access, persistence, and lateral movement across systems. CISA mapped observed tactics, techniques, and procedures using the MITRE ATT&CK framework and provided indicators of compromise (IOCs) to help defenders detect similar activity. The advisory emphasizes swift patching of critical vulnerabilities, maintaining and exercising incident response plans, and centralized logging for effective detection. It also includes mitigation recommendations to improve an organization’s preparedness and resilience against sophisticated post-compromise activity. CISA encourages all organizations to apply these lessons and use the associated technical details in the advisory to strengthen their security posture. 

Dutch police arrest the alleged seller of the JokerOTP phishing automation service. 

Dutch police have arrested a 21-year-old man from Dordrecht for allegedly selling access to the JokerOTP phishing automation service, a tool designed to intercept one-time passwords and hijack online accounts. The arrest follows a three-year investigation that dismantled the JokerOTP phishing-as-a-service operation in April 2025, including prior arrests of its developer and a co-developer.

Authorities say the platform caused at least $10 million in losses across more than 28,000 attacks in 13 countries. Sold via Telegram license keys, the tool automated calls to victims, posing as legitimate companies while prompting them to enter OTPs sent during login attempts. Targets included PayPal, Venmo, Coinbase, Amazon and Apple users. Police have identified dozens of buyers and say the investigation remains ongoing.


Fun with filters provides fuel for phishers. 

An Instagram trend is inviting users to ask ChatGPT to “create a caricature of me and my job based on everything you know about me.” The results are playful, detailed, and now widely shared using the platform’s “add yours” feature. According to Josh Davies of Fortra, that harmless fun may be doing more than boosting engagement.

With more than two million images posted, public profiles now neatly link faces, job roles, and evidence of large language model use. A banker here, a developer there, an engineer in between. For a threat actor, it is reconnaissance at scale.

Davies notes the real risk is not the caricature itself, but what it implies. If users entered sensitive work data into a public LLM, that information may sit in prompt history outside corporate controls. Combine that with doxing, credential reuse, and phishing, and account takeover becomes plausible. The trend, he argues, spotlights shadow AI, data leakage, and the quiet security cost of oversharing.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.