The CyberWire Daily Podcast 3.19.26
Ep 2512 | 3.19.26

iPhone exploits go mainstream.

Transcript

DarkSword targets iPhones for indiscriminate exploitation. Cybercrime and the Iran war. The FBI confirms purchasing commercially available location data. The DHS secretary nominee gets grilled on CISA funding. A Zimbra Collaboration Suite vulnerability is being used in targeted espionage. A new Android malware targets sensitive data stored in user notes. AWS warns of ongoing Interlock ransomware activity. Tracking pixels grab more than they should. Perry Carpenter and Mason Amadeus from The FAIK Files podcast speak with Hany Farid about the real-world harms of synthetic media. Do Boomers balance breaches better?

Today is Thursday, March 19th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

DarkSword targets iPhones for indiscriminate exploitation. 

A newly discovered iPhone hacking technique called DarkSword marks a shift from rare, targeted attacks to large-scale, indiscriminate exploitation. Researchers at Google, iVerify, and Lookout found the tool embedded in compromised websites, allowing attackers to silently hack iPhones that simply visit those pages. It primarily affects devices running older versions of iOS 18, which still account for roughly a quarter of iPhones.

DarkSword can extract sensitive data including passwords, messages, photos, and even cryptocurrency wallet credentials. It uses “fileless” methods, hijacking legitimate system processes to avoid detection, and operates in a quick “smash-and-grab” fashion before disappearing after a reboot.

The tool has been linked to Russian espionage campaigns and earlier attacks in multiple countries, but its code was left exposed online, making it easy for other hackers to reuse. Researchers warn this reflects a growing market where advanced iPhone exploits are being widely shared, increasing risks for everyday users, not just high-value targets.

Cybercrime and the Iran war. 

Has cybercrime activity surged since the start of the Iran war? Well, that depends on who you ask. Akamai reports a 245 percent increase in attacks, particularly targeting banking and fintech sectors. Most activity involves reconnaissance and infrastructure scanning, including spikes in botnet traffic, credential harvesting, and distributed denial of service preparation. While some attacks originated from Iran, many were routed through Russia and China, often via proxy services used by hacktivists.

Researchers also observed increased activity from pro-Russian groups and Iran-linked actors like Handala, which claimed a destructive attack on a US medical firm. Despite this, CISA reports no significant rise in nation-state threats, noting a steady overall landscape. The findings highlight how geopolitical conflict is expanding the cyberattack surface, with both state-linked and criminal groups exploiting the situation.

The FBI confirms purchasing commercially available location data. 

The FBI has confirmed it is purchasing commercially available location data to track individuals, according to Director Kash Patel’s Senate testimony yesterday. This marks a shift from 2023, when the agency said it was not actively buying such data. Officials say the practice complies with existing laws and has produced useful intelligence.

The disclosure raises concerns among lawmakers, who argue it bypasses warrant requirements established by the Supreme Court. Proposed legislation would require warrants for such purchases, while others defend the practice as a necessary tool for law enforcement.

The DHS secretary nominee gets grilled on CISA funding. 

Senator Markwayne Mullin, nominee for DHS secretary, faced questions over whether he would restore staffing and funding cuts at the Cybersecurity and Infrastructure Security Agency (CISA). Lawmakers highlighted that the agency’s workforce was reduced by about one third and its budget significantly cut under current leadership. Mullin did not commit to reversing those changes, instead emphasizing the need to recruit “the right people” and ensure mission readiness without specifying staffing levels.

Senators warned that rising geopolitical tensions, including conflict with Iran, could increase cyber threats, underscoring the need for a fully resourced cyber defense agency. Critics argued that recent cuts have weakened national cybersecurity, citing program reductions and disruptions at CISA. Mullin is expected to advance to a full Senate confirmation vote.

A Zimbra Collaboration Suite vulnerability is being used in targeted espionage. 

CISA has added a critical Zimbra Collaboration Suite vulnerability, CVE-2025-66376, to its Known Exploited Vulnerabilities catalog, citing active exploitation. The flaw is a stored cross-site scripting issue in Zimbra’s Classic UI that allows attackers to embed malicious code in emails. When opened, the code executes within the user’s session, enabling data theft, session hijacking, and broader system compromise.

Researchers report the flaw has been used in targeted espionage, including a campaign attributed to Russian-linked group APT28 against a Ukrainian government agency. The attack required no links or attachments, relying entirely on malicious HTML email content.

CISA has ordered federal agencies to patch by April 1, 2026, urging immediate updates or discontinuation of the platform if unpatched.
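The Zimbra flaw described above is a stored cross-site scripting bug delivered through nothing more than the HTML body of a message. The defensive control for that class of bug is an allowlist sanitizer applied before any user-supplied HTML is rendered inside an authenticated session. The following is an added illustration written for this transcript, not code from Zimbra, CISA, or any researcher cited here: a small sanitizer built on Python's standard library that keeps a short allowlist of tags and attributes, drops scripts, event-handler attributes and non-http(s) URLs, and records what it removed so a mail gateway could log or alert on it. The sample message, the allowlists and the `attacker.invalid` hostname are all constructed for the example.

```python
from html.parser import HTMLParser
from html import escape

# Allowlists chosen for the example; a real deployment would tune these.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "img", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
DANGEROUS_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "cid:")


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds HTML from an allowlist; everything else is dropped and recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # audit trail of removed tags/attributes/URLs
        self._skip_depth = 0 # > 0 while inside a dangerous element's content

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            # Drop the element and its content (script/style bodies arrive via handle_data).
            self.dropped.append(f"tag:{tag}")
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return  # unknown tag removed, its text content is still kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):            # onerror, onload, onclick, ...
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src"):
                scheme_check = (value or "").strip().lower()
                if not scheme_check.startswith(SAFE_URL_SCHEMES):
                    self.dropped.append(f"url:{tag}.{name}")  # e.g. javascript:, data:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_email_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message: benign text plus the three classic stored-XSS
# carriers (event handler, script element, javascript: URL). No links or
# attachments are needed, which is the point the Zimbra story makes.
SAMPLE_EMAIL = (
    "<p>Quarterly report attached <b>below</b>.</p>"
    '<img src="x" onerror="exfil(document.cookie)">'
    '<script>document.location="https://attacker.invalid/"</script>'
    '<a href="javascript:alert(1)">Open</a>'
    '<a href="https://example.com/report">Report</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the detection hook: a gateway that sees `tag:script` or `attr:img.onerror` in inbound mail has a concrete signal to alert on, independent of whether the webmail client would have executed it. The allowlist design matters more than any individual check; a denylist of known-bad patterns is exactly what stored XSS bugs in mature products tend to slip past.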

A new Android malware targets sensitive data stored in user notes. 

Perseus is a new Android malware that targets sensitive data stored in user notes, including passwords, recovery phrases, and financial details. Disguised as IPTV apps in unofficial app stores, it exploits sideloading habits to infect devices and gain full control using Android Accessibility Services.

Researchers at ThreatFabric report that Perseus can capture screenshots, perform overlay attacks, and remotely control devices, with a focus on financial and crypto apps, particularly in Turkey and Italy. Notably, it systematically scans note-taking apps, a rare capability. The malware reflects a broader trend of attackers exploiting pirated streaming apps to distribute banking trojans and steal personal data.

AWS warns of ongoing Interlock ransomware activity. 

The Interlock ransomware group has been exploiting a critical zero-day flaw, CVE-2026-20131, in Cisco Secure Firewall Management Center since January, according to AWS. The vulnerability allows unauthenticated attackers to execute code as root, giving full system control.

AWS observed attackers using the flaw for initial access, then deploying scripts, custom remote access tools, and a memory-resident webshell to maintain stealthy persistence. They also installed backup access via remote management software.

The campaign highlights the risks of zero-day exploits, where attacks occur before patches are available, reinforcing the need for layered defenses and continuous monitoring alongside rapid patching.

Tracking pixels grab more than they should. 

A new analysis from Jscrambler finds that TikTok and Meta tracking pixels collect far more data than typical ad attribution requires, raising privacy and security concerns. Beyond tracking user behavior, these pixels gather personal information such as emails, phone numbers, and addresses, then convert them into persistent identifiers that can be re-linked to individuals.

The research shows the pixels also capture detailed commerce data, including product selections, pricing, and checkout activity, often without businesses fully realizing the scope. In some cases, sensitive data is collected before or despite user consent and may even be transmitted insecurely.

This creates potential violations of privacy laws like GDPR and CCPA, while also exposing businesses to competitive risks, as the collected data can enhance ad targeting for larger rivals.

Do Boomers balance breaches better? 

Baby Boomers, it turns out, approach cyberattacks a bit like a surprise storm, best handled by waiting for official instructions rather than running outside with an umbrella. Research from KnowBe4 shows older users are more likely to “wait and see” after a major data breach, while younger generations rush to check if they’ve been exposed.

But here’s the twist. The same Boomers who hesitate in a crisis are far more disciplined behind the scenes. They are more likely to use unique passwords and install updates, quietly doing the cybersecurity equivalent of eating their vegetables.

Younger users, meanwhile, know the rules but often ignore them. Despite their caution, older adults remain frequent scam targets, suggesting that good habits help, but timing and awareness still matter just as much as strong passwords.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.