
Breaking the GlassWorm.
A major takedown disrupts the GlassWorm botnet. The White House rewrites federal cyber logging rules as CISA faces cuts amid rising AI threats. Federal agencies ramp up scrutiny of so-called anti-tech extremism. GCHQ warns Russia is targeting UK infrastructure. Researchers uncover stealthy new malware, AI coding agent supply chain risks, and in-person extortion tactics targeting U.S. law firms. Europe grabs satellite spectrum. Ben Yelin joins us to discuss the bipartisan push for more support of CISA. Hacking your way to the main stage.
Today is Wednesday, May 27th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A coordinated takedown hobbles the GlassWorm botnet.
Cybersecurity firm CrowdStrike says the GlassWorm botnet, active for more than six months, has been disrupted through a coordinated takedown with Google and the Shadowserver Foundation.
GlassWorm used a resilient command-and-control structure built on the Solana blockchain, BitTorrent, Google Calendar, and commercial VPS servers. The malware spread through trojanized Visual Studio extensions, GitHub repositories, and compromised Python packages. It stole developer credentials, targeted cryptocurrency wallets, and enabled remote access on infected systems. CrowdStrike says the operators continuously evolved their tooling and infrastructure to resist disruption efforts.
Attackers increasingly target developers and software supply chains rather than end users directly. CrowdStrike warns that weak developer environments and build pipelines can expose every organization consuming affected software.
The Trump administration replaces Biden-era federal logging mandates.
The Trump administration has rescinded a 2021 federal cybersecurity logging directive introduced after the SolarWinds breach, replacing it with a more targeted, risk-based framework focused on detection and incident response.
The updated guidance from the Office of Management and Budget emphasizes continuous monitoring, threat hunting, forensic investigations, and rapid response capabilities. OMB Director Russell Vought said the previous requirements generated large volumes of costly data with limited defensive value. The new framework also expands logging guidance to Internet of Things and operational technology systems, while directing CISA and federal partners to develop a governmentwide logging architecture aligned with zero trust modernization efforts.
The policy reflects growing concern that adversaries are using automation and artificial intelligence to accelerate attacks beyond the pace of traditional monitoring systems. Agencies will now retain logs in searchable form for six months and in retrievable form for one year.
Federal agencies expand monitoring of so-called “anti-technology extremism”.
Newly obtained intelligence documents reviewed by WIRED show federal agencies and fusion centers increasingly monitoring activists, protesters, and online communities under a developing category described as “anti-technology extremism.”
The reports, circulated by the Department of Homeland Security, FBI, and regional fusion centers, cite concerns about protests tied to artificial intelligence, data center construction, and anti-corporate sentiment. Some assessments warn that unrest linked to AI adoption could evolve into violence targeting critical infrastructure or technology executives. The documents also reference monitoring of public demonstrations, online forums, and constitutionally protected gatherings opposing data centers and AI expansion.
Civil liberties advocates warn the category is broadly defined and could sweep in peaceful protesters, AI skeptics, and environmental activists alongside individuals advocating violence. Federal officials maintain the focus remains on threats involving criminal activity or national security concerns.
GCHQ chief warns Russia is relentlessly targeting UK infrastructure.
In her first public speech as director of GCHQ, Anne Keast-Butler warns that the UK faces a “moment of consequence” as Russia intensifies cyber and hybrid threats against critical infrastructure, supply chains, and democratic institutions.
Keast-Butler says GCHQ is working with intelligence and defense partners to counter cyberattacks, sabotage, and espionage linked to Moscow, while also warning about China’s growing technological and cyber capabilities. She is expected to stress that advances in artificial intelligence are rapidly reshaping the threat landscape and narrowing the UK’s strategic advantage.
The speech also calls for stronger cybersecurity practices across government, industry, and households.
CISA faces shrinking resources and a reduced role as AI-driven cyber threats escalate.
The Cybersecurity and Infrastructure Security Agency is entering the AI era with reduced staffing, budget cuts, and a diminished role in the federal government’s response to emerging AI-enabled cyber threats, according to reporting from Axios.
Since early 2025, CISA has reportedly lost roughly one-third of its workforce through buyouts and funding reductions. Industry and former government officials warn the cuts have weakened the agency’s ability to coordinate with critical infrastructure operators and respond to increasingly sophisticated threats from advanced AI models. Sources also told Axios that CISA has taken a secondary role in White House discussions surrounding cybersecurity risks tied to frontier AI systems.
Former officials argue the agency would traditionally play a central role in shaping national cyber policy and coordinating vulnerability management across government and industry.
Maria’s segment.
Europe is moving to reserve most of a valuable satellite spectrum band for European operators, setting up a potential clash with Washington over the future of space-based connectivity and tech sovereignty. The proposal could limit access for U.S. companies like SpaceX and Amazon while boosting Europe’s own satellite ambitions. Contributing Host Maria Varmazis joins us with more on the growing geopolitical battle over who controls the skies.
As much as data sovereignty is a critical topic in the European Union right now, so too is its companion concern, space sovereignty. That concept encompasses access to radiofrequency spectrum bands - and there is only so much RF spectrum to go 'round, that's physics for you.
So it is a major development in European space sovereignty with news reported by Politico and Reuters that the European Commission is moving to reserve most of a valuable satellite spectrum band for primarily European operators when current licenses held by US-based operators Viasat and Echostar expire in 2027. The proposal would divide the frequencies into three 10 MHz blocks over the next 20 years: one block for secure EU government communications and the EU’s IRIS² satellite internet constellation, one block for European startups, and the last block would be open to either European or foreign companies. There is also discussion of making the EU-exclusive spectrum open to EU-adjacent countries like Norway and the UK.
Should this plan come to fruition, it would sharply limit access for U.S. operators like SpaceX and Amazon, both of which are fast increasing their global presence and acquiring access to spectrum bands to make that happen. EU officials say that their plan of reallocating the band to prioritize EU access is necessary for European technological sovereignty and secure internet connectivity. But squeezing out US competition could provoke retaliation from the US just as the EU and U.S. seem to be nearing finalization of a new trade deal.
For the CyberWire Daily, I'm Maria Varmazis from T-Minus: Space-Cyber Briefing. Back to you, Dave.
A phishing campaign delivers fileless PureLogs malware through obfuscated JavaScript and PowerShell.
Researchers at Fortinet FortiGuard Labs have identified a phishing campaign distributing a PureLogs malware variant designed to steal credentials, cryptocurrency wallet data, browser sessions, and other sensitive information.
The campaign used purchase-order themed phishing emails containing malicious RAR archives with obfuscated JavaScript files. Once executed, the malware launched PowerShell scripts, used process hollowing to inject code into Microsoft’s MSBuild.exe process, and downloaded additional modules directly into memory. FortiGuard says the malware relied on layered encryption, fileless execution, and dynamic plugin delivery to evade traditional detection methods.
The malware targeted browser credentials, Discord tokens, VPN accounts, email clients, and dozens of cryptocurrency wallets. Researchers warn the attack highlights the continued effectiveness of phishing combined with increasingly stealthy post-compromise techniques.
The Silent Ransom Group is using in-person tactics to steal data from U.S. law firms.
The Federal Bureau of Investigation is warning that the Silent Ransom Group, also known as Luna Moth and Chatty Spider, is escalating its extortion operations against U.S. law firms by using in-person social engineering attacks.
According to the FBI, attackers pose as internal IT staff through phishing emails and phone calls, convincing employees to grant remote desktop access. If remote access attempts fail, the group may dispatch an individual directly to the victim’s office to connect malicious USB drives or external storage devices to company systems. The stolen data is then used for extortion campaigns targeting both organizations and their clients.
The group has reportedly targeted legal and financial firms since 2023 and was previously linked to BazarCall campaigns associated with Conti and Ryuk ransomware operations.
SymJack abuses trust in AI coding agents to enable stealthy supply chain compromise.
Researchers at Adversa AI have demonstrated a new supply chain attack technique called SymJack that targets developers using AI coding agents.
The attack abuses trusted repositories and symbolic links, or symlinks, to silently register a malicious MCP server inside an AI coding environment. Developers may unknowingly approve what appears to be a harmless file copy request, while hidden commands modify agent configurations and execute attacker-controlled code. Adversa says the technique could steal credentials, cloud tokens, browser sessions, or compromise CI pipelines without further user interaction.
The firm tested the method against several major AI coding agents, including Claude Code, GitHub Copilot CLI, Gemini CLI, Cursor Agent CLI, and Grok Build CLI. Researchers say the issue reflects growing security risks tied to developer trust in automation rather than a traditional software vulnerability.
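The check an approval prompt should run before honouring a "harmless file copy", as an added example (not Adversa's code, nor any agent's): resolve symlinks on both ends and judge the real destination rather than the literal path shown to the developer. The protected config file names and the symlinked directory are constructed placeholders; the story names no real paths.

```python
import os
import tempfile

# Hypothetical file names of agent configuration files that register MCP
# servers; real names differ per agent and are not given in the story.
PROTECTED_CONFIG_NAMES = {"mcp.json", ".mcp.json", "settings.json"}


def inspect_copy_request(src, dst, workspace):
    """Judge a copy by where the bytes would really land, not by the path shown.

    Returns (allowed, reasons, dst_real); reasons is empty when allowed.
    """
    ws = os.path.realpath(workspace)
    src_real = os.path.realpath(src)
    dst_real = os.path.realpath(dst)
    reasons = []
    # The literal path the user approves differs from the resolved one.
    if dst_real != os.path.abspath(dst):
        reasons.append(f"destination goes through a symlink to {dst_real}")
    if src_real != os.path.abspath(src):
        reasons.append(f"source goes through a symlink to {src_real}")
    # A copy that lands outside the repository was never a harmless copy.
    if os.path.commonpath([ws, dst_real]) != ws:
        reasons.append("destination resolves outside the workspace")
    # Writing an agent config file changes what the agent will run next.
    if os.path.basename(dst_real) in PROTECTED_CONFIG_NAMES:
        reasons.append("destination is an agent configuration file")
    return (not reasons, reasons, dst_real)


def demo():
    """Constructed scenario: a cloned repo ships 'docs/notes' as a symlink to
    the developer's agent config directory, so 'copy readme.md docs/notes/mcp.json'
    would overwrite the config. Returns (benign_allowed, attack_allowed, reasons)."""
    ws = os.path.realpath(tempfile.mkdtemp())
    agent_cfg_dir = os.path.realpath(tempfile.mkdtemp())  # stands in for ~/.agent
    os.makedirs(os.path.join(ws, "docs"))
    with open(os.path.join(ws, "readme.md"), "w") as f:
        f.write("hello\n")
    os.symlink(agent_cfg_dir, os.path.join(ws, "docs", "notes"))
    src = os.path.join(ws, "readme.md")
    benign = inspect_copy_request(src, os.path.join(ws, "docs", "readme.md"), ws)
    attack = inspect_copy_request(src, os.path.join(ws, "docs", "notes", "mcp.json"), ws)
    return benign[0], attack[0], attack[1]
```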
European digital sovereignty extending to orbit with new spectrum allocations
Hacking your way to the main stage.
A security researcher found an unusually effective way to get conference talks accepted: compromise the submission platform first. Researchers at Novee disclosed a stored cross-site scripting flaw in Pretalx, a popular open source conference management platform used by security events worldwide.
The vulnerability, tracked as CVE-2026-41241, allowed malicious JavaScript hidden in speaker submissions to execute inside organizer accounts. Researcher Elad Meged demonstrated the issue by automatically submitting proposals to roughly 40 conferences, all for a deliberately bland talk titled “Securing Modern Web Apps.” Apparently, subtlety still works.
Novee says the flaw could have enabled attackers to hijack organizer sessions, alter submissions, or launch phishing attacks from trusted conference infrastructure. Pretalx patched the issue in April. Meged emphasized the testing remained controlled and non-destructive, though he admitted a more outrageous talk title “would have been funnier.”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
