The CyberWire Daily Podcast 4.2.26
Ep 2522 | 4.2.26

The WhatsApp impostor.

Transcript

A fake WhatsApp spreads spyware. The State Department pushes embassies to counter influence ops. Cisco patches critical bugs. CrystalRAT hits Telegram. A Texas hospital breach affects 250,000. HHS reshuffles IT oversight. China-linked spies target Europe. EvilTokens hijacks Microsoft accounts. Ransomware hits a North Dakota water plant. Sumedh Thakar, President and CEO of Qualys, discusses how cybersecurity is shifting toward managing real business risk. Tales of a tortoise's termination have been greatly exaggerated.

Today is Thursday April 2nd 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A fake WhatsApp version installs spyware. 

WhatsApp says roughly 200 users, mostly in Italy, were targeted with spyware through a fake iPhone version of its messaging app.

According to a statement shared with TechCrunch, the company linked the malicious unofficial client to Italian spyware maker SIO and logged affected users out after detection. WhatsApp urged users to delete the app and reinstall the official version. Spokesperson Margarita Franklin said user roles remain unclear.

Fake mobile clients remain an effective delivery method for government surveillance spyware and signal continued targeting activity in Italy. WhatsApp also said it plans legal action to halt the alleged campaign and protect affected users in the region.

The State Department directs U.S. embassies to counter foreign influence campaigns. 

The State Department has ordered U.S. embassies worldwide to counter foreign influence campaigns as officials warn anti-American narratives are gaining ground internationally.

According to current and former officials cited by the New York Times, the directive followed concerns about messaging from adversaries including Russia, China, and Iran, especially after U.S. military actions involving Venezuela and Iran. The administration is also restoring limited broadcasts from Voice of America, Radio Free Asia, and Radio Free Europe/Radio Liberty after earlier shutdowns tied to legal and political disputes over alleged censorship claims.

Weakened counter-disinformation infrastructure can create openings for adversaries to shape global perceptions of U.S. policy and alliances. Officials say diplomats are now being encouraged to coordinate with Pentagon information operations and challenge false claims online as part of renewed messaging efforts.

Cisco patches two critical and six high-severity vulnerabilities. 

Cisco has released patches for two critical and six high-severity vulnerabilities affecting enterprise networking and management products.

The most serious issues include CVE-2026-20160 in Smart Software Manager On-Prem, which allows root-level command execution through an exposed internal service, and CVE-2026-20093, which enables attackers to change administrator passwords via crafted requests. Additional flaws affect Evolved Programmable Network Manager and Integrated Management Controller deployments across multiple server platforms.

Successful exploitation could allow attackers to gain administrative control or access sensitive data across widely deployed infrastructure. Cisco says it has no evidence of active exploitation.

New CrystalRAT malware is being promoted on Telegram. 

Researchers report a new malware-as-a-service platform called CrystalRAT is being promoted on Telegram with tools for remote access, data theft, and device surveillance.

According to Kaspersky, the malware appeared in January with tiered subscriptions and marketing on Telegram and YouTube. CrystalRAT shares similarities with WebRAT, including Go-based code and panel design. Its features include command execution, file transfers, browser data theft, keylogging, microphone and video capture, and clipboard hijacking of cryptocurrency wallet addresses. The platform also supports anti-analysis protections and encrypted communications with command-and-control infrastructure.

Subscription-based malware lowers barriers for entry-level threat actors and expands access to surveillance-grade tooling. Researchers say prank-style disruption features may also distract victims while data theft occurs.

A Texas hospital breach affects a quarter million people. 

Nacogdoches Memorial Hospital says a January network breach exposed personal and health information belonging to more than 250,000 individuals.

The Texas hospital reported that attackers accessed internal systems on January 31 and may have obtained sensitive data including Social Security numbers, medical record numbers, and contact information. Officials say there is no evidence of misuse so far. The organization secured its network and notified law enforcement but did not identify a responsible threat actor.

Healthcare breaches expose high-value identity and medical data that can enable fraud and long-term identity risks for victims.

HHS dials back Biden-era IT changes. 

The Department of Health and Human Services is restructuring its technology leadership, shifting cybersecurity and enterprise IT authority back to its Office of the Chief Information Officer.

HHS reversed a 2024 change that expanded the Office of the National Coordinator for Health Information Technology, or ONC, into a department-wide technology policy role under the name Assistant Secretary for Technology Policy/ONC. The agency restored ONC’s narrower focus on health IT standards and interoperability, while returning cybersecurity, artificial intelligence, cloud, and data operations oversight to the CIO office. Officials said the move reinforces statutory enterprise IT responsibilities across the department.

This matters because centralized oversight could strengthen internal cybersecurity coordination and governance across HHS systems, though experts say the change is unlikely to immediately affect broader healthcare-sector cybersecurity risks.

A China-linked cyberespionage group targets European diplomatic and government organizations. 

Researchers report a China-linked cyberespionage group has resumed targeting European diplomatic and government organizations after shifting focus elsewhere in recent years.

According to Proofpoint, the group known as TA416, also tracked as Twill Typhoon and Mustang Panda, began renewed activity in mid-2025 targeting individuals and mailboxes tied to NATO and European Union delegations. The campaign coincided with rising EU–China tensions over trade, rare earth exports, and the Russia–Ukraine war. Researchers also observed new targeting of Middle Eastern diplomatic entities following the start of the Iran conflict.

Shifting geographic targeting by state-aligned actors signals evolving intelligence priorities and continued credential-harvesting and malware delivery risks for diplomatic networks. Researchers observed repeated use of PlugX backdoor delivery techniques.

The EvilTokens phishing kit hijacks Microsoft accounts. 

Researchers at Sekoia report a phishing-as-a-service kit called EvilTokens is enabling attackers to hijack Microsoft accounts using device code phishing techniques.

The toolkit is sold via Telegram and targets employees with lures disguised as financial documents, meeting requests, or shared files from services like DocuSign or SharePoint. Victims are redirected to legitimate Microsoft device login pages after entering attacker-supplied verification codes, allowing threat actors to obtain access and refresh tokens. These tokens enable persistent access to email, files, Teams data, and single sign-on across Microsoft services.

Device code phishing bypasses traditional credential theft defenses and supports automated business email compromise activity at scale across multiple countries, including the United States and France.

A North Dakota water treatment plant suffers a ransomware attack. 

Officials in Minot, North Dakota, say a ransomware attack struck a city water treatment plant but did not disrupt water safety or system operations.

According to city officials, the intrusion was discovered March 14 and affected a server that was quickly disconnected. Staff operated systems manually for about 16 hours while monitoring pressure and safety conditions. Officials said attackers left only a message on a screen, with no ransom demand or direct contact reported. The FBI is reviewing the message as part of an investigation.

Water utilities remain frequent cyberattack targets, with recent campaigns linked to criminal groups and nation-state actors highlighting ongoing risks to critical infrastructure resilience.

Tales of a tortoise's termination have been greatly exaggerated. 

For a brief and sorrowful moment, I believed Jonathan the giant tortoise, age 194 and still fond of bananas, had passed away.

Multiple outlets reported his death after an X account posing as his longtime veterinarian claimed the world’s oldest known land animal had died on Saint Helena. According to reporting later confirmed by the Guardian, the real veterinarian does not use X, and the impersonator was soliciting cryptocurrency donations. Officials on the island verified Jonathan was in fact asleep under a tree and very much alive.

The governor reports Jonathan is still grazing, still fond of bananas, and still ignoring global drama with admirable discipline. If there’s a lesson here, it may be to verify sources and then take a nap.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.