
Watch out for cybercrime frequent flyers.
Drone strikes hit a key chip supply chain. China-linked hackers target Southeast Asian militaries. Attackers race ahead with AI. ShinyHunters claim a massive Telus breach. Microsoft issues a hotpatch. Malware turns up on Steam. Fileless attacks grow. Airline miles become cybercrime currency. Monday business breakdown. Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous nature of Iranian cyber activity. AI playmates puzzle preschoolers.
Today is Monday, March 16th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Drone strikes from Iran cut off a critical chip manufacturing element.
A drone attack linked to Iran has shut down QatarEnergy’s Ras Laffan helium facility, removing roughly 30% of global supply and exposing vulnerabilities in the semiconductor supply chain. Helium is critical for chip manufacturing, where it cools silicon wafers during etching and lithography, and there is no effective substitute. QatarEnergy declared force majeure after the March 2 strike, disrupting deliveries to global buyers. South Korea is particularly exposed, having sourced about 65% of its helium from Qatar last year. Its government is now reviewing key semiconductor materials tied to Middle Eastern suppliers, including bromine from Israel. Major chipmakers such as SK hynix and TSMC say they have contingency stocks for now. However, analysts warn that if the outage lasts beyond two weeks, distributors may need months to reconfigure supply chains, echoing disruptions seen after Russia’s 2022 invasion of Ukraine.
A China-linked campaign targets Southeast Asian military organizations.
Palo Alto Networks reports a long-running cyberespionage campaign targeting Southeast Asian military organizations, attributed to a suspected China-linked threat actor tracked as CL-STA-1087. Active since at least 2020, the group demonstrated patience by remaining dormant inside compromised networks for months before resuming operations. The attackers deployed custom tools including the AppleChris and MemFun backdoors and a credential-stealing utility called Getpass. They also used PowerShell scripts to establish reverse shells, then moved laterally across domain controllers, web servers, IT workstations, and executive systems using Windows Management Instrumentation and native .NET tools. The operation focused on collecting sensitive files related to military capabilities, organizational structures, and joint activities with Western forces, including command, control, communications, computers, and intelligence systems. Researchers say infrastructure clues, language artifacts, and working hours suggest the campaign likely originates from China.
A new report suggests attackers’ use of AI outpaces defenders.
A new report from Booz Allen Hamilton warns that cybersecurity is entering a “new phase” as artificial intelligence accelerates the pace of cyberattacks and compresses defenders’ response times. The report argues that threat actors, including cybercriminals and state-sponsored groups, have adopted AI faster than governments and private-sector defenders. Large language models can help attackers quickly identify subtle vulnerabilities and exploit them at machine speed once inside a network. Booz Allen cites incidents involving AI tools and frameworks that can automate reconnaissance and exploitation across many targets simultaneously. By contrast, many defensive processes still rely on slower, human-driven workflows, such as patch timelines that can take weeks. The report says attackers are using AI both to amplify existing hacking operations and to orchestrate automated attacks. As a result, organizations may need to adopt AI-assisted defenses and automated remediation despite the operational risks.
ShinyHunters claim to have stolen over a petabyte of data from Canadian firm Telus Digital.
Telus Digital, the business process outsourcing arm of Canadian telecom provider Telus, has confirmed a cybersecurity incident after threat actors claimed to have stolen nearly 1 petabyte of data in a months-long breach. The attack is attributed to the ShinyHunters group, which allegedly gained access using Google Cloud Platform credentials discovered in data from the earlier Salesloft Drift breach. According to the attackers, the credentials allowed them to access internal systems, including a large BigQuery database, and then pivot further using additional secrets discovered in the data. The stolen information reportedly includes customer support data, call records, voice recordings, source code, and financial information linked to companies using Telus Digital’s outsourcing services. Telus says it is investigating the incident with forensic experts and law enforcement, and is notifying affected customers as the investigation continues.
Microsoft hot-patches a Windows 11 Enterprise vulnerability.
Microsoft has released an out-of-band hotpatch update, KB5084597, to fix security vulnerabilities affecting certain Windows 11 Enterprise systems using hotpatch updates. The flaws involve the Windows Routing and Remote Access Service (RRAS) management tool and could allow remote code execution if a domain-authenticated attacker tricks a user into connecting to a malicious server. Tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, the issues were previously addressed in the March 2026 Patch Tuesday release. The hotpatch version delivers the fixes without requiring a system reboot, using in-memory patching for devices managed through Windows Autopatch that rely on continuous uptime.
The FBI investigates malware-laden games on Steam.
The FBI is investigating a suspected hacker who allegedly published multiple malware-laden games on the Steam platform over the past two years. Titles linked to the activity include BlockBlasters, Chemia, Dashverse or DashFPS, Lampy, Lunara, PirateFi, and Tokenova. According to the FBI, the games functioned normally but secretly installed malware, acting as Trojan horses to infect players’ computers. Steam later removed the titles, though an unknown number of users may have been compromised before the takedown. The FBI is now asking potential victims to come forward as the investigation continues.
Researchers warn of the increased use of fileless malware.
Researchers at Trellix warn that cybercriminals are increasingly using fileless malware attacks that run in a system’s temporary memory, helping them evade traditional security tools. One example is XWorm 7.1, a malware-as-a-service remote access trojan that gives attackers full control of infected systems and has seen a 174% rise in use over the past year. In one campaign targeting a network security firm in Taiwan, attackers exploited a WinRAR vulnerability and distributed malicious archives through Discord disguised as game mods. Once opened, the malware used a “living off the land” technique by abusing Microsoft’s Aspnet_compiler.exe utility to run in memory. A separate campaign used the Remcos RAT delivered through phishing emails with procurement-themed lures. Trellix says these attacks highlight the need for behavior-based detection, timely software updates, and stronger monitoring of trusted system tools.
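The CL-STA-1087 lateral movement over Windows Management Instrumentation and the Aspnet_compiler.exe abuse described above share one shape: a trusted, signed Windows binary driven by a parent process or from a location where it has no business being. That is what "behavior-based detection" and "stronger monitoring of trusted system tools" mean in practice. What follows is an added example, not code from Trellix, Palo Alto Networks or the CyberWire: a small Python rule set run over constructed Sysmon-style process-creation records. The allowed build-tool parents, the user-writable path markers, the shell list and the five sample events are assumptions chosen for illustration; the one grounded fact the WMI rule relies on is that a process created remotely through WMI's Win32_Process runs as a child of WmiPrvSE.exe.

```python
"""Heuristic process-creation detections for two behaviours from the briefing:
a LOLBin (aspnet_compiler.exe) launched outside a build context, and WMI-driven
remote execution (WmiPrvSE.exe spawning a shell). Added example; the events
below are constructed, not real telemetry."""
from dataclasses import dataclass
import ntpath

# Parents under which aspnet_compiler.exe is expected on a developer/build host (assumption).
EXPECTED_BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
# Path fragments that mark user-writable locations attackers typically stage from (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Interpreters/shells whose appearance under WmiPrvSE.exe signals remote execution (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process create) record."""
    record_id: int
    host: str
    image: str
    parent_image: str
    command_line: str


def _base(path: str) -> str:
    # ntpath handles backslash-separated Windows paths on any platform.
    return ntpath.basename(path).lower()


def rule_aspnet_compiler_lolbin(ev: ProcEvent):
    """Flag aspnet_compiler.exe when its parent is not a build tool or its
    arguments reference a user-writable directory."""
    if _base(ev.image) != "aspnet_compiler.exe":
        return None
    cl = ev.command_line.lower()
    from_user_dir = any(marker in cl for marker in USER_WRITABLE_MARKERS)
    odd_parent = _base(ev.parent_image) not in EXPECTED_BUILD_PARENTS
    return "aspnet_compiler_lolbin" if (from_user_dir or odd_parent) else None


def rule_wmi_remote_exec(ev: ProcEvent):
    """Flag a shell or script host whose parent is the WMI provider host."""
    if _base(ev.parent_image) == "wmiprvse.exe" and _base(ev.image) in SHELLS:
        return "wmi_remote_exec"
    return None


RULES = (rule_aspnet_compiler_lolbin, rule_wmi_remote_exec)


def detect(events):
    """Run every rule over every event; return one alert dict per rule hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "record_id": ev.record_id,
                               "host": ev.host, "image": ev.image})
    return alerts


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # 1: legitimate precompile from Visual Studio -> no alert
    ProcEvent(1, "DEV01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"aspnet_compiler.exe -v / -p C:\src\WebApp -f C:\build\WebApp"),
    # 2: same binary launched from Explorer against a staged folder in AppData -> alert
    ProcEvent(2, "WS-042", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\explorer.exe",
              r"aspnet_compiler.exe -v none -p C:\Users\alice\AppData\Roaming\mods\ "
              r"-f C:\Users\alice\AppData\Local\Temp\out -u"),
    # 3: PowerShell spawned by the WMI provider host -> alert
    ProcEvent(3, "DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # 4: WmiPrvSE.exe itself starting under svchost is normal -> no alert
    ProcEvent(4, "DC01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    # 5: interactive PowerShell from Explorer -> no alert
    ProcEvent(5, "WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", r"powershell.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, for records 2 and 3, and stays silent on the three benign events. The parent-process and path heuristics deliberately err toward noise on hosts that really do build ASP.NET projects; tune `EXPECTED_BUILD_PARENTS` to the build agents in your own environment rather than suppressing the rule.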
Airline loyalty points have become a profitable commodity in cybercrime markets.
Airline loyalty points have become a profitable commodity in cybercrime markets, according to research from Flare cited by BleepingComputer. Attackers typically obtain account credentials through phishing or infostealer malware, then verify which compromised accounts contain valuable miles. These accounts are sold on underground forums, where fraudsters redeem the points for flights or hotel stays that are later resold at discounted prices. Miles often sell for about $1 per 1,000 points, sometimes with full email access included to prevent victims from reclaiming their accounts. Major airlines such as United, American Airlines, and Delta are common targets, and loyalty fraud is estimated to cost the travel industry between $1 billion and $3 billion annually.
Monday business breakdown.
Several cybersecurity startups have secured major funding rounds as investor interest in AI-driven security platforms continues to grow. Armadin, an AI-powered red teaming startup founded by Kevin Mandia, launched with $190 million in funding led by Accel, with Mandia serving as CEO. Kai emerged from stealth with $125 million for its AI platform designed to secure IT and operational technology environments. Israeli data loss prevention startup Jazz raised $61 million, while sovereign security operations platform Cylake launched with $45 million in seed funding. Other notable raises include Reclaim Security ($26 million), Evervault ($25 million), Scanner ($22 million), Escape ($18 million), and Circadence ($16.4 million). Additional early-stage investments went to Gyala, IntelliGRC, Quantro Security, and emproof.
The industry also saw major deal activity. Google completed its $32 billion acquisition of cloud security firm Wiz, OpenAI announced plans to acquire AI security platform Promptfoo, and Quantum eMotion acquired SecureKey technology assets to expand its quantum-resilient cybersecurity stack.
AI playmates puzzle preschoolers.
Researchers at the University of Cambridge are calling for tighter regulation of AI-powered toys for toddlers after testing how children aged three to five interacted with a chatbot-enabled plush robot named Gabbo. The toy, which uses an OpenAI voice assistant and is meant to encourage conversation and imaginative play, proved to be a less-than-empathetic playmate. In practice, Gabbo frequently talked over children, ignored their interruptions, and struggled to recognize emotional cues. When one five-year-old said “I love you,” the toy responded with a reminder to follow its interaction guidelines. When a three-year-old said “I’m sad,” Gabbo cheerfully redirected the conversation.
Researchers warn that responses like these could confuse young children who are still learning how conversations and emotional feedback work. The team says regulators should start thinking about “psychological safety” in toys, not just whether a detachable eye might pose a choking hazard. Because childhood imagination is powerful enough without adding a chatbot that doesn’t quite understand the assignment.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
