Podcasts
CyberWire Daily
Ep 2537
The CyberWire Daily Podcast 4.23.26
Ep 2537 | 4.23.26

Your signal is showing.

Show Notes
Transcript

Researchers expose covert telecom surveillance campaigns. Lawmakers push new national privacy rules. China-linked actors hide inside compromised device networks. A ransomware forum leak reveals a criminal marketplace. GopherWhisper blends into cloud services for espionage. Attackers poison AI with hidden web prompts. Apple patches lingering notification data. macOS admin tools become attacker pathways. CISA orders urgent fixes for a Microsoft Defender zero-day, and their Director nominee withdraws. Our guests today are Johnny Hand and Dustin Childs, hosts of TrendAI's AI Security Brief podcast. A meteorological mystery meets market manipulation.

Today is Thursday April 23rd 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers uncover covert surveillance campaigns exploiting telecom signaling weaknesses. 

Security researchers have uncovered two covert surveillance campaigns exploiting telecom signaling weaknesses to track individuals’ locations worldwide.

Citizen Lab reports the operators posed as legitimate cellular providers and abused access to global signaling systems to query subscriber location data. The campaigns exploited vulnerabilities in Signaling System 7, or SS7, and in Diameter, a newer protocol sometimes deployed without full protections. Researchers identified repeated use of infrastructure linked to 019Mobile, Tango Networks U.K., and Airtel Jersey. One campaign also used SIMjacker-style hidden SMS commands against a high-profile target.

Continued signaling-layer abuse shows global mobile infrastructure still enables covert tracking at scale, creating persistent exposure for executives, activists, and government officials despite known risks.

Lawmakers look to expand nationwide privacy protections. 

House Republicans have introduced two coordinated bills aimed at expanding nationwide privacy protections and strengthening consumer control over financial and personal data.

The SECURE Data Act would establish a national privacy and data security standard, create rights to access, delete, and limit use of personal data, and require consent for processing sensitive information. It would also impose disclosure and minimization requirements on companies and data brokers, with enforcement by the Federal Trade Commission and state attorneys general. The GUARD Financial Data Act would modernize the Gramm-Leach-Bliley Act by requiring opt-in consent before sharing sensitive financial data and allowing customers, including former customers, to access or delete stored information.

The proposals signal a coordinated effort to reshape U.S. privacy governance and increase accountability for organizations handling sensitive consumer and financial data.

China-linked threat actors increasingly use covert networks of compromised devices. 

International cybersecurity agencies warn that China-linked threat actors are increasingly using covert networks of compromised devices to disguise their operations and evade detection.

The UK National Cyber Security Centre, part of GCHQ, and 15 international partners released joint guidance describing how attackers exploit vulnerable edge devices such as home routers and smart devices to route malicious traffic, steal data, and maintain persistent access to critical sectors. The advisory also highlights “indicator of compromise extinction,” where forensic clues disappear quickly, complicating detection and response.

Experts say defenders must shift toward intelligence-driven monitoring and stronger baseline protections as attackers scale infrastructure designed to obscure attribution and persistence across global networks.

A leaked database provides a look inside a Russian cybercrime forum. 

A leaked database from the RAMP cybercrime forum is offering rare insight into how ransomware operations function as structured criminal marketplaces rather than isolated attacks.

According to Comparitech’s analysis, the leak includes records spanning November 2021 through January 2024, covering 7,707 users, 1,732 forum threads, more than 340,000 IP logs, and nearly 1,900 private conversations. The forum supported access sales to compromised corporate networks, ransomware-as-a-service recruitment, and deal negotiations in private messages. Listings targeted organizations across more than 20 countries, with the United States appearing in 40 percent of identified cases.

The data illustrates how specialization across access brokers, malware operators, and affiliates enables ransomware campaigns to scale faster and become harder for defenders to disrupt.

GopherWhisper uses legitimate cloud platforms to conduct espionage. 

Researchers have identified a previously undocumented threat actor called GopherWhisper using legitimate cloud platforms to conduct espionage against government targets.

According to ESET, the group has operated since at least 2023 and deployed a Go-based malware toolkit against a Mongolian government entity, compromising 12 systems and likely dozens more victims globally. The toolset includes multiple backdoors that use Slack, Discord, and the Microsoft Graph API through Microsoft 365 Outlook for command and control, plus a custom exfiltration utility that uploads stolen data to File.io. Analysis of command activity patterns and metadata linked the activity to China.

Blending command traffic into trusted enterprise services complicates detection and enables persistent access across sensitive government environments.

Attackers use indirect prompt injection techniques to manipulate LLMs. 

Researchers warn that attackers are actively using indirect prompt injection techniques to manipulate large language model, or LLM, agents through hidden instructions embedded in ordinary websites.

Forcepoint X-Labs reports threat actors concealed commands in web content using hidden text, metadata, and styling tricks that AI agents can read but users cannot see. Telemetry identified ten live cases in April 2026 involving actions such as API key theft, fraudulent payment attempts, denial-of-service behavior, and data deletion commands. Researchers say the technique exploits LLMs’ inability to distinguish between data and instructions when processing external content.

Organizations deploying AI assistants or coding agents may face new risks if models execute hidden web instructions as trusted commands during routine browsing or automation tasks.

Apple fixes a notification logging flaw. 

Apple has released security updates for iPhones and iPads to fix a notification logging flaw that allowed deleted app notifications to remain stored on devices.

The vulnerability, tracked as CVE-2026-28950, affected Notification Services and was addressed with improved data redaction in iOS and iPadOS updates. Signal confirmed the flaw enabled authorities to recover message notification content even after the Signal app was deleted, though Apple said it has no evidence of active exploitation.

Residual notification data can expose sensitive communications even after apps are removed, highlighting risks in mobile notification storage.

Researchers highlight vulnerable macOS admin features. 

Researchers at Cisco Talos warn that attackers can exploit built-in macOS administrative features to move laterally and execute code across enterprise environments without traditional malware.

The study shows adversaries can repurpose native capabilities such as Remote Application Scripting, AppleScript, Spotlight metadata, and common utilities including SSH, socat, netcat, and SNMP to deliver payloads, transfer tools, and maintain persistence. Techniques include storing malicious code in Finder metadata and using legitimate interprocess communication channels that evade typical endpoint detection telemetry. Researchers say these “living off the land” methods exploit gaps in macOS monitoring compared with Windows environments.

Growing enterprise macOS adoption increases exposure to stealthy attacks that blend into normal system activity and bypass conventional detection controls.

CISA orders feds to patch a Microsoft Defender privilege escalation vulnerability, and their Director nominee withdraws. 

CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation vulnerability exploited in ongoing zero-day attacks within two weeks.

Tracked as CVE-2026-33825, the flaw allows low-privileged local attackers to gain SYSTEM access on unpatched devices. Microsoft released fixes on April 14, and Huntress reported evidence of hands-on-keyboard intrusion activity linked to the vulnerability. CISA added the issue to its Known Exploited Vulnerabilities catalog with a May 7 remediation deadline.

Additionally, Sean Plankey has withdrawn his nomination to lead the Cybersecurity and Infrastructure Security Agency after more than a year without Senate confirmation.

Plankey notified Homeland Security leadership and the White House that the Senate would not advance his nomination, which had been pending since March 2025 despite clearing committee review. His withdrawal follows reported opposition tied to an unrelated Coast Guard shipbuilding dispute and comes amid broader leadership turnover at CISA.

 

A meteorological mystery meets market manipulation. 

French authorities are investigating unusual temperature spikes at a Paris airport weather sensor after anomalies aligned with roughly $34,000 in prediction-market payouts.

Météo France filed a complaint following two brief readings above 22 degrees Celsius at Charles de Gaulle Airport on April 6 and April 15, each resolving Polymarket wagers in bettors’ favor. Meteorologist Paul Marquis said nearby stations showed no matching changes and concluded physical intervention with a heating device was the most plausible explanation. Polymarket later switched its Paris temperature data source to Le Bourget Airport.

Markets that rely on a single physical sensor create incentives to influence that sensor, turning routine weather instrumentation into an unexpectedly lucrative target for creative “forecasting.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

 

N2K’s lead producer is Liz Stokes. We’re mixed by  Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.

CyberWire Daily
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Monday-Friday
Creator: N2K Networks, Inc.