
The leak was only a matter of time.
Mythos leaks. The DOD preps a more aggressive cyber strategy. A former FBI cyber official urges homicide charges for hospital ransomware deaths. Lotus Wiper targeted the Venezuelan energy and utilities sector. Over 1,300 SharePoint servers remain unpatched against a spoofing vulnerability. The Harvester APT group deploys a new Linux version of its GoGra backdoor. A new LOTUSLITE backdoor targets India’s banking sector. The Mirai botnet exploits discontinued routers. Our guest is Brian Vecci, Field CTO at Varonis, discussing how organizations can safely adopt AI and autonomous agents. A satirical startup sells clean-room clones.
Today is Wednesday April 22nd 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Mythos leaks.
In news that should shock almost no one, a small group of unauthorized users gained access to Anthropic’s unreleased Mythos AI model, despite the company’s efforts to restrict it to vetted partners because of its potential cybersecurity risks. According to a person familiar with the situation and materials reviewed by Bloomberg News, the users accessed the model through a third-party contractor environment and online investigative techniques, including scanning unsecured resources like GitHub. Anthropic says Mythos can identify and exploit vulnerabilities across major operating systems and web browsers, which is why it is being distributed only through its limited Project Glasswing testing program. The company stated it is investigating the reported access and has no evidence that its core systems were affected. While the group reportedly used Mythos for benign experiments rather than cyberattacks, the incident highlights how difficult it can be to contain powerful AI tools and raises concerns about whether other unauthorized parties may also have access.
Mozilla says Anthropic’s Claude Mythos Preview identified 271 vulnerabilities in Firefox, though only three received CVE designations in Firefox 150, suggesting most were lower-severity issues. Mozilla noted the bugs were within the reach of elite human researchers, not entirely novel flaw classes. Palo Alto Networks reported the model performed roughly a year’s pentesting work in under three weeks, highlighting growing enterprise risk from advanced AI-driven security tooling.
The DOD preps a more aggressive cyber strategy.
The Defense Department is preparing a new cyber strategy aimed at aligning military cyber operations with the Trump administration’s more aggressive approach to digital adversaries. Officials say the plan will integrate cyber capabilities across all warfighting domains, strengthen operations below the threshold of armed conflict, and advance the Cyber Command 2.0 effort to modernize cyber forces. The strategy builds on the White House blueprint calling for expanded offensive and defensive cyber actions to impose costs on adversaries and improve coordination with industry.
Senior Defense Department officials told lawmakers a roughly $1.5 trillion budget request prioritizes expanded cyber forces and digital warfare capabilities to counter increasingly disruptive nation-state threats. The proposal includes $20.5 billion for cyberspace operations, supports the Cyber Command 2.0 restructuring effort, and funds zero trust architecture and infrastructure protection. Officials said cyber is now central to military modernization and deterrence, alongside $58.5 billion for AI and command-and-control initiatives, while workforce shortages and organizational coordination remain ongoing challenges.
A former FBI cyber official urges homicide charges for hospital ransomware deaths.
A former FBI cyber division official urged the Justice Department to consider felony homicide charges when ransomware attacks on hospitals contribute to patient deaths, arguing penalties should match the severity of harm. Cynthia Kaiser also called for possible terrorism designations for groups that repeatedly target healthcare providers and urged Congress to restore funding for state and local cybersecurity programs facing cuts. Lawmakers and experts warned that reduced support for the Cybersecurity and Infrastructure Security Agency could weaken ransomware defenses, citing workforce losses and the suspension of its Pre-Ransomware Notification program, which previously warned thousands of organizations of imminent attacks and helped prevent billions in damages. Witnesses said continued funding, information-sharing authorities, and defensive investments remain critical despite some progress against ransomware threats in recent years.
Lotus Wiper targeted the Venezuelan energy and utilities sector.
Kaspersky researchers warn that a previously undocumented wiper malware called Lotus Wiper has targeted the energy and utilities sector in Venezuela in a destructive campaign likely intended to permanently disable systems. The attack used two batch scripts to weaken defenses, coordinate execution across networks, and retrieve the final payload, which deletes restore points, overwrites physical drives, and systematically erases files. The absence of ransom demands suggests a targeted, nonfinancial motive. Kaspersky reported no attribution but noted the activity coincided with regional geopolitical tensions in late 2025 and early 2026. The execution chain relied on legacy Windows features and network-based triggers, indicating prior access and familiarity with the victim environment before deployment.
Over 1,300 SharePoint servers remain unpatched against a spoofing vulnerability.
More than 1,300 internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability previously exploited as a zero-day and still used in active attacks. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, and allows unauthenticated attackers to conduct network spoofing through improper input validation without user interaction. Successful exploitation could expose sensitive information and enable data modification, though not disrupt availability. Microsoft released patches in April 2026, but Shadowserver reported limited remediation progress. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to apply fixes within two weeks, warning the issue poses significant risk to government networks and is a common attack vector.
The Harvester APT group deploys a new Linux version of its GoGra backdoor.
Researchers report that the Harvester advanced persistent threat group has deployed a new Linux version of its GoGra backdoor that uses Microsoft Graph API and Outlook mailboxes as covert command-and-control infrastructure to evade detection. Symantec linked the malware to earlier Windows campaigns based on shared code and identical errors, indicating expanding cross-platform tooling. The backdoor uses social engineering with disguised document files for delivery, persistence via systemd autostart entries, and encrypted email-based tasking and data exfiltration. Initial samples were submitted from India and Afghanistan, consistent with Harvester’s historical focus on South Asia. Analysts observed no confirmed victims but assessed the campaign as targeted espionage activity leveraging legitimate cloud services to bypass perimeter defenses and maintain stealth.
A new LOTUSLITE backdoor targets India’s banking sector.
Researchers at Acronis identified a new LOTUSLITE backdoor variant targeting India’s banking sector, delivered through DLL sideloading using a legitimate Microsoft-signed executable. The malware communicates with a dynamic DNS command-and-control server over HTTPS and supports remote shell access, file operations, and session control, indicating espionage activity rather than financial crime. Code similarities confirm continuity with earlier LOTUSLITE builds. Analysts assess moderate-confidence links to Mustang Panda, noting a shift from earlier delivery methods and a geographic pivot from U.S. government targets to India’s financial sector.
The Mirai botnet exploits discontinued D-Link DIR-823X routers.
The Mirai botnet is actively exploiting CVE-2025-29635, a command injection flaw in discontinued D-Link DIR-823X routers, according to Akamai. The vulnerability allows attackers to execute malicious commands through crafted POST requests, enabling payload delivery via shell scripts with typical Mirai features such as XOR encoding and hardcoded infrastructure. The affected devices no longer receive updates, and D-Link has advised retiring them. Researchers also observed targeting of TP-Link and ZTE routers, highlighting continued widespread reuse of Mirai source code in opportunistic botnet campaigns.
A satirical startup sells clean-room clones.
Malus.sh offers, for a modest fee and a straight face, to “liberate” software from its licenses by using AI to recreate functionally identical versions without the legal baggage. It is both satire and, inconveniently, a real business that actually delivers clean-room style rewrites, inspired by the classic IBM BIOS cloning playbook, now automated at machine speed. Its creators say the point was to make the threat tangible, not theoretical. The joke lands because it works.
The project highlights a growing tension in open source: AI can now reproduce software faster than communities can maintain it, raising awkward questions about attribution, ethics, and sustainability. Critics warn these rewrites strip away the invisible infrastructure of open source, maintenance, security fixes, and shared stewardship. In that sense, Malus is less a prank than a proof of concept, and possibly a preview.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
