
Policy drops and phishing pops.
The White House rolls out its AI legislative framework. The FBI warns Iranian actors are using Telegram for command and control, while Russian operators phish Signal users. Authorities dismantle a massive fake CSAM network, Tycoon 2FA rebounds after disruption, VoidStealer debuts a stealthy Chrome key-theft trick, QNAP patches Pwn2Own flaws, and CISA orders urgent fixes for a critical Cisco firewall bug. Plus, our Monday business breakdown. Brandon Karpf and Maria Varmazis ponder the practicality of orbital data centers. One radio to rule the range.
Today is Monday March 23rd 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Coming to you from San Francisco, the city by the other bay, at the RSAC ‘26 conference, where the badges are large, the coffee is essential, and just about every booth appears to have discovered the life-changing magic of agentic AI.
This week we are attending presentations, walking the show floor to see what is new, what is improved, and what is now apparently autonomous, and sitting down with industry leaders to hear what is actually changing beneath the buzzwords.
We will bring you interviews, insights, and a few field reports from cybersecurity’s busiest gathering place. Glad you are with us.
The White House releases its legislative policy framework for AI.
Last Friday the White House released its National Policy Framework for Artificial Intelligence Legislative Recommendations. The document outlines proposals for Congress to balance innovation, rights protections, and national competitiveness through a unified federal AI strategy. The framework emphasizes stronger safeguards for children, including age-assurance tools, limits on data use, and protections against exploitation and deepfake abuse. It calls for support for small businesses, infrastructure permitting reforms, and expanded federal technical capacity to assess national security risks from advanced AI systems. The plan also addresses intellectual property by encouraging courts to resolve disputes over training on copyrighted material and considering licensing mechanisms and protections against unauthorized digital replicas. It promotes First Amendment protections by limiting government pressure on platforms to alter lawful content. Additional recommendations include regulatory sandboxes, expanded access to federal datasets, workforce training initiatives, and federal preemption of burdensome state AI laws to avoid fragmented regulation while preserving certain state authorities.
The FBI warns Iranian hackers are using Telegram for C2, and Russians are phishing Signal users.
The Federal Bureau of Investigation warned that Iranian hackers linked to the Ministry of Intelligence and Security are using Telegram as command-and-control infrastructure in malware campaigns targeting journalists, dissidents, and critics of the Iranian government worldwide. The activity is tied to the Handala and Homeland Justice threat groups, with Homeland Justice linked to the Islamic Revolutionary Guard Corps. Attackers rely on social engineering to deploy Windows malware that steals screenshots and files, leading to intelligence collection, data leaks, and reputational damage. The alert follows FBI seizures of four domains used to publish stolen data. Officials also highlighted a related Handala attack on Stryker that wiped roughly 80,000 managed devices.
Separately, the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency warn that Russian-linked actors are phishing Signal users by impersonating the platform’s support team. Attackers send urgent messages about suspicious activity to trick victims into sharing verification codes, clicking malicious links, or scanning QR codes. This can give attackers full account access, exposing chats and contacts. Officials stress the campaign relies on social engineering, not encryption flaws, and primarily targets journalists, activists, and other sensitive-information holders.
International law enforcement shut down a fake CSAM network.
An international law enforcement effort led by Europol and German authorities dismantled more than 373,000 dark web sites tied to a cybercrime network built around the “Alice with Violence CP” platform. The operation, called Operation Alice, ran March 9 to March 19, 2026, and involved agencies from 23 countries. Investigators say a single operator managed hundreds of thousands of onion domains that posed as marketplaces for illegal material and cybercrime-as-a-service offerings, but primarily collected cryptocurrency without delivering services. Authorities seized over 100 servers, identified about 440 users, and issued an arrest warrant for a China-based suspect who allegedly earned more than €345,000. Officials warn the case shows how automation and anonymized hosting enable rapid scaling of dark web crime networks.
The Tycoon phishing platform bounces back.
The phishing-as-a-service platform Tycoon 2FA has quickly recovered after a coordinated disruption effort by Europol, Microsoft, and partners, according to CrowdStrike. Active since 2023, the subscription service enables attackers to bypass multi-factor authentication and conduct large-scale phishing campaigns. It accounted for 62% of phishing attempts blocked by Microsoft in 2025, generating more than 30 million malicious emails monthly and affecting roughly 96,000 victims. Authorities seized 330 domains in early March, briefly reducing activity to about 25% of normal levels, but operations soon returned to prior volumes. The platform’s tactics remain unchanged, supporting business email compromise, session-cookie theft, and cloud account takeover. Researchers say the disruption likely slowed customers temporarily but did not significantly weaken the service long term.
VoidStealer malware weaponizes a debugger‑based bypass.
A new version of VoidStealer is the first observed in-the-wild malware to bypass Google Chrome Application-Bound Encryption (ABE) using a debugger-based technique that extracts the browser’s v20_master_key directly from memory. Unlike earlier methods, the approach avoids SYSTEM-level privilege escalation and browser code injection, reducing detection risk while still exposing cookies and credentials. The malware attaches to a hidden browser instance as a debugger, sets hardware breakpoints, and intercepts the key during normal decryption. It then decrypts protected data offline from browser databases, effectively undermining ABE protections for that profile. Researchers note the technique builds on open-source tooling and may spread to other infostealers. Defenders can detect activity by monitoring debugger attachments to browser processes, unusual memory-read behavior, and hidden browser launches from untrusted parents, which remain uncommon in legitimate environments.
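The detection opportunities the story lists can be written as rules over ordinary process telemetry. The following Python is an added example, not code from the story or from the VoidStealer researchers: it runs over constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records and flags debugger-style memory access to a browser, hidden browser launches, and browsers spawned by untrusted parents. The parent and source allowlists, the hidden-window switches, and the use of PROCESS_VM_READ as the access-mask trigger are assumptions for illustration, and the event records are constructed for this example.

```python
"""Added example: rule-based detection of the VoidStealer-style behaviours
(debugger attach to a browser, hidden browser launch, untrusted parent)
over constructed Sysmon-style events. Not the researchers' or the story's code."""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumed: parents that legitimately launch a browser on a workstation.
TRUSTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe", "svchost.exe"}
# Assumed: processes that legitimately open browser memory (AV/EDR, csrss).
ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe"}
# Windows process access right needed to read the key out of browser memory.
PROCESS_VM_READ = 0x0010
# Assumed: Chromium switches that keep a window off-screen or invisible.
HIDDEN_FLAGS = ("--headless", "--window-position=-", "--no-startup-window")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_access(ev: dict):
    """Sysmon EID 10: a non-allowlisted process opened a browser with VM_READ."""
    target = _basename(ev["TargetImage"])
    source = _basename(ev["SourceImage"])
    if target not in BROWSERS or source in ACCESS_ALLOWLIST:
        return None
    access = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    if access & PROCESS_VM_READ:
        return Finding("browser_memory_read", ev["TargetProcessId"],
                       f"{source} opened {target} with access {hex(access)}")
    return None


def check_process_create(ev: dict):
    """Sysmon EID 1: browser started hidden and/or by an untrusted parent."""
    if _basename(ev["Image"]) not in BROWSERS:
        return None
    parent = _basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hidden = any(flag in cmd for flag in HIDDEN_FLAGS)
    untrusted = parent not in TRUSTED_PARENTS
    if hidden and untrusted:
        return Finding("hidden_browser_untrusted_parent", ev["ProcessId"],
                       f"{parent} launched hidden browser: {ev['CommandLine']}")
    if hidden:
        return Finding("hidden_browser", ev["ProcessId"], ev["CommandLine"])
    if untrusted:
        return Finding("browser_untrusted_parent", ev["ProcessId"], parent)
    return None


def detect(events):
    """Run both rules over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 10:
            hit = check_process_access(ev)
        elif ev["EventID"] == 1:
            hit = check_process_create(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real telemetry): one benign launch, one
# hidden launch from a Temp-dir binary, one debugger-style handle open by
# that binary, and one allowlisted AV handle open that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"chrome.exe" https://example.com'},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "CommandLine": '"chrome.exe" --headless=new --window-position=-32000,-32000 --remote-debugging-port=0'},
    {"EventID": 10, "SourceProcessId": 3999, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "TargetProcessId": 4242, "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2880, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetProcessId": 4100, "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The memory-read rule is deliberately broad; in production the allowlist would be built from observed EDR and backup agents, and the hidden-launch rule would be correlated with the access event from the same source PID, which is the combination the story describes rather than either signal alone.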
QNAP patches flaws uncovered at Pwn2Own.
QNAP released patches for multiple vulnerabilities across its products, including four flaws in SD-WAN routers demonstrated at Pwn2Own Ireland 2025. The issues range from privilege escalation requiring physical access to information disclosure and administrator-level code execution risks. Researchers from Team DDOS chained related bugs to gain root access during the contest. QNAP also fixed critical flaws in QuNetSwitch and QVR Pro that could enable remote access or arbitrary code execution. The company said no active exploitation has been reported.
CISA orders federal agencies to patch a maximum severity Cisco flaw.
The Cybersecurity and Infrastructure Security Agency ordered federal agencies to urgently patch CVE-2026-20131, a critical remote code execution flaw in Cisco Secure Firewall Management Center. The vulnerability allows unauthenticated attackers to execute Java code as root and has been exploited as a zero day by the Interlock ransomware group. CISA added it to the Known Exploited Vulnerabilities catalog with a three-day remediation deadline. Amazon Web Services reported attackers used the flaw for persistence, credential access, and lateral movement.
Monday business breakdown.
Several cybersecurity startups announced major funding rounds and acquisitions, highlighting continued investor interest in AI-driven security platforms. Surf AI raised $57 million led by Accel to expand product development and enterprise adoption. Native secured $42 million, including a $31 million Series A led by Ballistic Ventures, while Bold Security and Onyx Security each raised $40 million. Qevlar AI added $30 million, and Tracebit raised $20 million for product expansion. Cleafy secured €12 million, and Manifold closed an $8 million seed round. Separately, K2 Integrity acquired Leviathan Security Group, and Connectus Business Solutions acquired I7 Technologies to expand regional support.
One radio to rule the range.
NxGenComm has unveiled Phoenix, a software-defined radio device that aims to do for the battlefield what the smartphone did for your pocket, except with fewer selfies and more drone strikes. Built on military 5G foundations, Phoenix can shift roles on demand, acting as a communications hub, jammer detector, drone controller, or direction finder, sometimes all within a minute.
In a recent Army exercise, the 12-pound unit identified a hostile jammer, adjusted its waveform to restore connectivity, calculated the jammer’s location within five degrees, and dispatched a drone to confirm the target. From there, it could guide strikes or relay coordinates, all while fusing sensor data in real time.
The catch is procurement. Phoenix replaces multiple systems at once, which sounds efficient until each system belongs to a different office. The technology moves fast. Paperwork, less so.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
