
Gone with the command.
International operation disrupts Amadey and StealC malware infrastructure. Australian spy chief warns nation-state hackers are prepositioning for future sabotage. Stealthy new backdoor may be tied to initial access broker. Researchers uncover "Cordyceps" supply chain flaw. Iran-linked MuddyWater disguises espionage as ransomware attack. Cal Water says Handala's hacking claims were overstated. Report says Russia continued using Cellebrite phone-cracking tools after the ban. Chinese cybersecurity firm unveils AI tools to rival Anthropic's Mythos. DraftKings hacker is sentenced to eighteen months. Our guest is Erich Kron, CISO Advisor at KnowBe4, sharing the details of the CAPY program. And More Than Meets the Eye-P.
Today is June 25th, 2026. I’m Maria Varmazis on the mic for vacationing Dave Bittner. And this is your CyberWire Intel Briefing.
International operation disrupts Amadey and StealC malware infrastructure.
Europol announced yesterday that a major law enforcement and industry operation disrupted infrastructure used by two leading strains of malware, Amadey and StealC. The operation focused on the cybercriminal supply chain, as Amadey and StealC are frequently used to stage additional attacks. Microsoft used AI-assisted analysis to determine that the two strains of malware relied on the same infrastructure, then used the RICO Act to obtain a legal basis to disrupt more than 200 command-and-control servers.
The effort was also assisted by ESET, BitSight, Lumen, IBM X-Force, Proofpoint, and Mitsui Bussan Secure Directions (MBSD), as well as law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. The operation follows last week's disruption of the SocGholish malware operation by Dutch police.
Australian spy chief warns nation-state hackers are prepositioning for future sabotage.
Australia's top intelligence official is warning that nation-state hackers have infiltrated a critical infrastructure provider, stealing administrator credentials and mapping networks so they could disrupt services at a time of their choosing. ASIO Director-General Mike Burgess said the intrusion was detected and attributed before any damage occurred, but warned that cyber sabotage is becoming a growing national security concern. While he did not identify the country responsible, Burgess said one nation-state in particular is aggressively targeting energy, communications, and defense-related infrastructure across the region to establish persistent access for potential future conflicts.
Stealthy new backdoor may be tied to initial access broker.
Symantec and Carbon Black have published a report on a new backdoor that surfaced in April 2026. The malware, tracked as "Backdoor.Mistic," may be tied to Woodgnat, an initial access broker that sells access to ransomware gangs.
The researchers note, "The stealth of the backdoor is also notable, as is the fact that Woodgnat is also possibly behind the development of ModeloRAT, indicating a group that is quite highly skilled at the development of stealthy remote access tools. This indicates it is a group that should be actively tracked as it could continue to develop custom tools, as well as widen the pool of ransomware actors it works with."
Researchers uncover "Cordyceps" supply chain flaw affecting hundreds of major code repositories.
Researchers at Novee Security have disclosed a new class of software supply chain weaknesses, dubbed "Cordyceps," that affects CI/CD workflows used by major open-source projects. After scanning roughly 30,000 high-impact repositories, the team identified 654 potentially vulnerable projects and confirmed more than 300 as fully exploitable. The flaws could allow attackers—even those with only a free GitHub account—to hijack build pipelines, steal credentials, inject malicious code, or compromise software releases. The researchers say the issue stems from insecure GitHub Actions workflow configurations rather than GitHub itself, and warn that AI coding assistants may inadvertently propagate these insecure patterns across the software ecosystem.
Iran-linked MuddyWater disguises espionage as ransomware attack.
Researchers at NCC Group say the Iran-linked hacking group MuddyWater is increasingly disguising espionage campaigns as ransomware attacks to complicate attribution and distract defenders. In a recently analyzed intrusion, the attackers posed as members of the Chaos ransomware operation, using Microsoft Teams social engineering, credential theft, and remote access tools to establish long-term access before exfiltrating data and demanding a ransom. Researchers believe the extortion was largely a smokescreen, with the real objective being intelligence collection and persistent network access on behalf of Iran's Ministry of Intelligence and Security.
Cal Water says Handala's hacking claims were overstated.
California Water Service (Cal Water) has completed its investigation into claims made by the Iranian hacktivist group Handala, concluding that the hackers overstated their access and did not have the ability to disrupt OT systems. Handala, which is likely backed by the Iranian government, said it could have physically disrupted the water supply after gaining access to industrial control systems, but decided not to do so. Cal Water retained Mandiant to investigate the incident, and the cybersecurity firm found that the hackers had only compromised two IT user accounts belonging to third-party service providers.
Cal Water stated, "The investigation determined that the threat actor accessed one active customer’s online Cal Water account using stolen user credentials. The customer account did not provide access to the billing system, and no payment information was compromised. The threat actor also accessed an external, third-party web site related to a GPS location correction tool; however, the website does not contain any confidential or sensitive information."
Report says Russia continued using Cellebrite phone-cracking tools after ban.
A new investigation by Citizen Lab has found that Russian authorities continued using Cellebrite's mobile forensic tools months after the Israeli company halted sales to Russia in 2021. Researchers say the software was used to extract data from the phone of imprisoned opposition politician Andrei Pivovarov, with the evidence later used in his prosecution. The findings raise questions about vendors' ability to control previously deployed forensic tools after cutting ties with authoritarian governments. Cellebrite says any post-2021 use in Russia was unauthorized and involved legacy equipment no longer supported by the company.
Chinese cybersecurity firm unveils AI tools to rival Anthropic's Mythos.
Chinese cybersecurity company 360 Security Technology has unveiled two AI-powered security tools it says rival Anthropic's advanced Mythos system. One tool is designed to automatically discover software vulnerabilities, while the other automates cyber defense and incident response. The announcement comes as the United States restricts exports of Anthropic's cybersecurity AI over national security concerns. Reuters notes that these claims are not independently verified. 360 Security Technology says its vulnerability-finding model has already uncovered more than 3,400 software flaws, framing the effort as a strategic response to what it sees as an intensifying AI-driven cybersecurity competition between the U.S. and China.
DraftKings hacker is sentenced to eighteen months.
21-year-old Nathan Austad of Minnesota has been sentenced to 18 months in prison after pleading guilty to his role in a November 2022 hack of the DraftKings betting platform, BleepingComputer reports. Austad and two accomplices were accused of compromising 60,000 DraftKings user accounts and selling access to the accounts for hundreds of thousands of dollars. The two co-conspirators are already serving prison sentences. Austad was also ordered to pay $463,000 in forfeiture and over a million dollars in restitution.
Stay with us. After the break, we are joined by Erich Kron, CISO Advisor at KnowBe4, who is sharing the details of the CAPY (Cyber Awareness Program for You) program that offers free cybersecurity training for families. And More Than Meets the Eye-P. Stick with us.
Recently Dave Bittner sat down with Erich Kron, CISO Advisor at KnowBe4, to discuss the details of CAPY, the Cyber Awareness Program for You, a program that offers free cybersecurity training for families. Here is their conversation.
That was Dave Bittner and Erich Kron discussing CAPY, a program that offers free cybersecurity training for families.
More Than Meets the Eye-P
If you're worried about the apps on your phone, researchers have a suggestion: maybe take a look at the ones on your TV, too.
After scanning more than 6,000 apps across LG and Samsung smart TVs, researchers found over 2,000 contained software that could monetize a user's residential internet connection by routing third-party traffic through the home network. Many of the apps appeared completely harmless—screensavers, clocks, fish tanks, and simple games—but were also functioning as residential proxy infrastructure behind the scenes.
Researchers say smart TVs are particularly attractive for this because they're always on, rarely monitored, and often treated more like furniture than computers. The report also notes that Amazon explicitly bans this category of software and Roku has reportedly blocked similar apps, while LG and Samsung have not established equivalent public policies.
The takeaway? Your smart TV may be smarter—and busier—than you think.
After all, nobody expects a clock app to tell time, display the weather, and moonlight as network infrastructure.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
