
The era of AI-powered attacks is here.
Google says AI-powered cybercrime has gone industrial scale. Two new Windows zero-days emerge. Signal threatens to leave Canada over lawful access legislation. Pentagon-linked influence operations shift to paid ads. Linux admins scramble to patch a new root-level flaw. FamousSparrow targets Azerbaijan’s energy sector. Cisco announces layoffs despite record revenue. An alleged Dream Market administrator faces cryptocurrency money laundering charges. Our guest is Cynthia Kaiser, SVP of Ransomware Research Center at Halcyon, discussing "Akira Ransomware Attacks in Under an Hour." The surveillance will continue until employee sentiment improves.
Today is Thursday, May 14th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Google researchers report AI-driven cyber threats have evolved from experimental use into industrial-scale operations.
Google Threat Intelligence Group reports that AI-driven cyber threats have evolved from experimental use into industrial-scale operations. According to GTIG, threat actors are now using generative AI for vulnerability discovery, malware development, defense evasion, and large-scale information operations. Researchers identified what they believe is the first AI-developed zero-day exploit, potentially intended for mass exploitation. AI-enabled malware such as PROMPTSPY demonstrates increasingly autonomous attack behavior, while adversaries linked to China, North Korea, and Russia are integrating AI into offensive workflows. Attackers are also targeting AI supply chains and using anonymized infrastructure to abuse large language models at scale. GTIG says AI remains a dual-use technology, serving both attackers and defenders. Google reports it is using AI tools like Big Sleep and CodeMender to identify vulnerabilities, automate fixes, and strengthen defenses against evolving threats.
Nightmare-Eclipse discloses two new Windows zero-days.
An anonymous researcher known as Nightmare-Eclipse, also called Chaotic Eclipse, has disclosed two additional Windows zero-day vulnerabilities following Microsoft’s latest Patch Tuesday update. The flaws, dubbed YellowKey and GreenPlasma, reportedly enable BitLocker bypass and privilege escalation attacks. According to The Register, YellowKey requires physical access and a specially prepared USB drive to gain shell access to BitLocker-protected systems, raising concerns about stolen devices and data exposure. Security experts said organizations can partially mitigate the threat using BitLocker PINs and BIOS passwords. GreenPlasma includes partial exploit code that could eventually enable SYSTEM-level access, although researchers noted it still triggers User Account Control prompts in default configurations. These disclosures follow earlier leaks from Nightmare-Eclipse, including BlueHammer, RedSun, and UnDefend. Some previously leaked exploits were reportedly adopted quickly in real-world attacks, raising concerns about additional future disclosures.
Signal warns it may leave Canada over proposed lawful access legislation.
Secure messaging platform Signal says it could withdraw from Canada if Bill C-22 forces changes that weaken user privacy or encryption protections.
Signal vice-president Udbhav Tiwari said the company has serious concerns about Ottawa’s proposed lawful access regime, which would require telecom and electronic service providers to support surveillance capabilities for law enforcement and the Canadian Security Intelligence Service. Signal warned that mandated system changes could introduce exploitable vulnerabilities and make encrypted platforms attractive targets for foreign adversaries and cybercriminals. The bill could also require certain providers to retain metadata for up to a year.
Privacy advocates and technology companies argue the legislation could fundamentally weaken end-to-end encryption and require permanent structural changes to secure communications systems. Canadian officials maintain the bill is “encryption-neutral.”
Pentagon-linked influence operations turn to paid advertising.
A new analysis suggests Pentagon-linked online influence operations have shifted away from fake social media personas and toward paid promotion of quasi-news websites targeting audiences across the Middle East, Latin America, Russia, and Asia.
The report identifies a network of multilingual sites tied through shared infrastructure, advertising activity, and code patterns. Unlike earlier covert campaigns that relied on coordinated inauthentic behavior, the newer “gc_” network appears to amplify mostly factual, selectively framed content through advertising on X, Meta, and Google platforms. Researchers linked the sites to contractor General Dynamics Information Technology, which reportedly ran ads promoting the outlets.
The operation reflects an evolution in state-backed influence tactics. Instead of fabricated engagement or bot farms, the newer model appears designed to shape narratives through targeted distribution, selective framing, and reduced transparency around sponsorship.
Linux distributions rush patches for a new root-level privilege escalation.
Linux distributions are deploying patches for a newly disclosed high-severity privilege escalation vulnerability that allows local attackers to gain root access on vulnerable systems.
Tracked as CVE-2026-46300 and nicknamed “Fragnasia,” the flaw affects Linux kernels released before May 13, 2026. Researcher William Bowling of Zellic said the bug stems from a logic error in the Linux XFRM ESP-in-TCP subsystem. According to Bowling, attackers can exploit the flaw to write arbitrary bytes into the kernel page cache of read-only files, enabling modification of protected binaries such as /usr/bin/su to obtain root shells. A proof-of-concept exploit has already been released publicly.
Fragnasia belongs to the broader “Dirty Frag” class of Linux privilege escalation vulnerabilities, which security researchers say can undermine core system protections. Administrators are being urged to patch immediately or disable affected kernel modules where possible.
China-linked FamousSparrow targets an Azerbaijani energy company.
Researchers at Bitdefender Labs say the China-aligned threat group FamousSparrow targeted an Azerbaijani oil and gas company in a multi-wave intrusion campaign spanning late 2025 through early 2026.
According to the report, the attackers exploited the ProxyNotShell vulnerability to compromise a Microsoft Exchange server and deploy the SNAPPYBEE, or Deed RAT, backdoor through DLL sideloading. In later stages, the group introduced Terndoor malware and a rootkit-enabled driver to gain deeper system control, steal administrator credentials, and move laterally across the network using Remote Desktop Protocol and Impacket tools. Researchers said the attackers repeatedly regained access through the same unpatched Exchange vulnerability despite remediation efforts.
The campaign highlights how advanced threat actors maintain persistence by repeatedly exploiting unresolved entry points while adapting malware and evasion techniques over time.
Cisco announces layoffs amidst record revenue.
Cisco says it will cut fewer than 4,000 jobs as part of a broader restructuring tied to its push into artificial intelligence, networking, and other strategic growth areas.
In a memo titled “Our Path Forward,” CEO Chuck Robbins praised employees for delivering record quarterly revenue of $15.8 billion and double-digit growth, even amid supply chain pressures and intensifying competition. The company said the restructuring is intended to realign resources around AI infrastructure and future investments. Cisco also said affected employees will receive severance support and one year of access to Cisco training and certification programs.
For workers impacted by the cuts, the announcement lands amid strong financial performance, underscoring the uncertainty many technology employees face as companies redirect spending toward AI-focused priorities and operational restructuring.
An alleged Dream Market administrator is indicted over cryptocurrency money laundering.
U.S. prosecutors have indicted Owe Martin Andresen, a German national accused of serving as the primary administrator of the now-defunct Dream Market darknet marketplace and laundering millions in criminal proceeds.
According to the indictment, Andresen allegedly controlled cryptocurrency wallets tied to Dream Market after the platform shut down in 2019 under law enforcement pressure. Investigators say he moved funds from dormant marketplace wallets into consolidated accounts beginning in 2022, then used cryptocurrency to purchase gold bars shipped to Germany. Authorities allege he laundered more than $2 million between 2023 and 2025. During coordinated searches in Germany, investigators reportedly seized roughly $1.7 million in gold bars and identified additional bank accounts and cryptocurrency holdings.
The case highlights how law enforcement agencies continue tracing cryptocurrency transactions years after darknet marketplaces disappear, targeting the financial infrastructure that supports transnational cybercrime and narcotics trafficking.
The surveillance will continue until employee sentiment improves.
A growing industry known as “emotion AI” promises employers something managers have apparently dreamed of for centuries: not just productive workers, but cheerful, agreeable ones too.
In a sweeping look at workplace surveillance, The Atlantic’s Ellen Cushing describes software that analyzes faces, voices, emails, and chat messages to measure emotions like attentiveness, positivity, and frustration. Some systems monitor call-center tone, truck-driver fatigue, or employee friendliness, while others score job candidates during interviews. One fast-food headset assistant is even named Patty, because nothing says “human connection” quite like being emotionally evaluated by a branded chatbot during the lunch rush.
Researchers and privacy advocates warn the technology often rests on shaky science and can misread context, culture, disability, or simple concentration as negativity. Still, companies continue adopting these tools as workplace analytics expand from measuring what employees do to measuring how pleasantly they appear to do it.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
