
The AI lock comes off.
The US restores exports of Anthropic’s most advanced AI models. Adobe and Citrix rush out critical patches. RustDuck emerges as a fast-evolving DDoS threat. The Gentlemen raise the stakes with a new EDR-killing exploit. Rocket Lab bets big on Iridium. Researchers unveil browser-only ransomware. New Zealand faces questions about its cyber readiness. Iran’s long-running cyber espionage campaign is back in the spotlight. Our guest is Donald Codling, CISO and senior advisor to REGO on cybersecurity and data privacy matters, to discuss the importance of tying security by design to psychological safety and digital trust. VIP backstage access, courtesy of Claude.
Today is Wednesday, July 1st, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The US lifts export restrictions on Anthropic’s most advanced AI models.
The US government has lifted export restrictions on Anthropic’s most advanced AI models, Claude Fable 5 and Mythos 5, allowing the company to restore access beginning Wednesday. The models were suspended on 12 June, just days after their release, over national security concerns that they could be used to identify and exploit software vulnerabilities. In a letter, Commerce Secretary Howard Lutnick said the restrictions were removed after Anthropic agreed to proactively detect and address security risks, collaborate with the government on future AI releases, and report malicious activity. The Commerce Department said it could reimpose restrictions if necessary. Anthropic had previously argued officials had not identified specific concerns, saying the government’s decision appeared to stem from a potential method of “jailbreaking” Fable 5 rather than broader security flaws.
Adobe patches seven maximum-severity vulnerabilities.
Adobe has released security updates addressing seven maximum-severity vulnerabilities affecting its ColdFusion web application platform and Campaign Classic marketing software. The flaws, all rated high priority because they are considered at elevated risk of exploitation, can be abused in low-complexity attacks without user interaction. Six vulnerabilities in ColdFusion could allow attackers to execute remote code on unpatched systems, while a separate flaw in on-premises Campaign Classic deployments could enable arbitrary code execution. Adobe says it is not aware of any active exploitation but urges customers to apply the updates within 72 hours. The company also announced it will move from monthly to twice-monthly security bulletins starting July 14, 2026, while continuing to issue emergency patches for actively exploited zero-day vulnerabilities when needed.
Researchers track an emerging DDoS botnet called RustDuck.
Researchers at QiAnXin’s XLab are tracking RustDuck, an emerging distributed denial-of-service (DDoS) botnet that is rapidly evolving from C to Rust, making it more resistant to analysis and detection. Since February 2026, the malware has targeted routers, cameras, Android devices, and exposed servers by exploiting weak credentials and numerous known vulnerabilities. RustDuck uses sophisticated anti-analysis techniques, including sandbox and debugger detection, and encrypts communications with modern cryptographic protocols to evade monitoring. Although still smaller than major botnets, researchers say its rapid technical evolution makes it a growing threat. Once installed, RustDuck can launch DDoS attacks, update itself, and rotate command-and-control infrastructure. XLab recommends securing internet-facing devices, disabling unnecessary remote access, replacing unsupported hardware, and monitoring for known indicators of compromise.
Citrix addresses vulnerabilities in NetScaler ADC and NetScaler Gateway.
Citrix has released security updates for NetScaler ADC and NetScaler Gateway addressing six vulnerabilities, including the HTTP/2 Bomb denial-of-service flaw and four high-severity memory-related bugs. Researchers at watchTowr warn that CVE-2026-8451, the latest in the CitrixBleed family, is particularly concerning because it could leak sensitive memory and potentially enable full device compromise under specific conditions. Citrix advises organizations using affected self-managed NetScaler deployments to apply the updates promptly and review whether vulnerable features are enabled.
The Gentlemen exploit vulnerable drivers.
Expel has detailed how the relatively new ransomware group The Gentlemen is using a previously unknown vulnerable driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint detection and response (EDR) tools before deploying ransomware. During an April 2026 incident, the group exploited a zero-day flaw in Kontron’s ktapi.sys driver to gain kernel-level access, bypass Windows security protections, and terminate protected security processes from vendors including Microsoft, SentinelOne, Palo Alto Networks, and ESET. Researchers say the group’s exploit chains together advanced techniques to evade modern defenses, highlighting an increasingly sophisticated approach to ransomware operations. Expel recommends enabling Windows Defender Application Control (WDAC), virtualization-based security, vulnerable driver blocklists, and Microsoft’s newer cross-signing protections to reduce BYOVD risks, while continuing to monitor for vulnerable drivers that may be abused in future attacks.
Rocket Lab bets big on Iridium.
Rocket Lab is making one of the biggest bets in the commercial space industry yet, with plans to acquire satellite communications provider Iridium in an $8 billion deal. If it goes through, the combined company would build, launch, and operate its own satellite networks, a move that could reshape competition in space-based communications. Maria Varmazis joins us with what the deal means, and why security and resilience are part of the story.
Rocket Lab, widely viewed as the leading challenger to SpaceX in the global launch market, plans to acquire satellite communications provider Iridium Communications in a transaction valued at approximately $8 billion. The deal would combine Rocket Lab’s launch services and satellite manufacturing business with Iridium’s low Earth orbit communications network, globally coordinated L-band spectrum, and customer base spanning government, defense, aviation, maritime, and industrial sectors. The acquisition also moves Rocket Lab closer to SpaceX’s vertically integrated model, where a company can build satellites, launch them, and operate communications services on orbit.
Iridium’s network supports connectivity in remote and contested environments and provides an alternative positioning, navigation, and timing capability for situations where GPS signals may be degraded, jammed, or unavailable.
The two companies say that, should the deal be finalized in 2027, the acquisition would accelerate development of next-generation services, including direct-to-device communications and expanded government and national security applications. As governments and critical industries become more dependent on space-based networks, these systems are increasingly being viewed as essential infrastructure.
Researchers demonstrate a proof-of-concept browser-only ransomware attack.
Check Point researchers have demonstrated a proof-of-concept browser-only ransomware attack that encrypts files entirely within a Chromium browser using the legitimate File System Access API, without malware, exploits, or downloaded executables. The technique relies on users granting a website permission to access local folders, allowing malicious code running in a browser tab to overwrite files while evading traditional endpoint detection that focuses on files and processes. Researchers noted the initial concept was inspired by AI-generated code, though they developed the working proof of concept themselves. The attack has not been observed in real-world campaigns and affects Chromium-based browsers such as Chrome, Edge, and Brave, but not Firefox or Safari. Check Point recommends restricting browser file system permissions through enterprise policies, monitoring for mass file modifications, educating users about folder-access prompts, and maintaining offline or versioned backups.
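One of the mitigations Check Point lists is monitoring for mass file modifications. The following is an added example of that detection logic, written for this briefing and not taken from Check Point’s research: a sliding-window detector that counts distinct files modified per process and flags a burst, tagging the alert when the writing process is a browser (the telltale of the folder-permission vector, since no separate executable is involved). The event format, the window and threshold values, the browser process names, and the sample telemetry are all assumptions constructed for the example.

```python
"""Burst detector for mass file modifications (added example, not Check Point's code).

Input: file-modification events as (timestamp_seconds, process_name, path),
such as an EDR or file-audit feed would supply (format is an assumption).
Output: an Alert when one process modifies more than THRESHOLD distinct files
within WINDOW_SECONDS. Browser processes are tagged because, in the browser-only
ransomware scenario, the writer is the browser itself rather than a dropped binary.
"""
from collections import deque, defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10.0   # assumption: tune to the environment
THRESHOLD = 50          # assumption: distinct files per process per window
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "msedge", "brave"}


@dataclass(frozen=True)
class Alert:
    process: str
    window_start: float
    window_end: float
    files_touched: int
    browser: bool


def detect_mass_modification(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of distinct paths per process.

    events: iterable of (timestamp, process, path), sorted by timestamp.
    Returns a list of Alert objects, at most one per process per burst;
    a process becomes eligible for a new alert once its activity drops
    to half the threshold.
    """
    recent = defaultdict(deque)                      # process -> deque of (ts, path)
    counts = defaultdict(lambda: defaultdict(int))   # process -> path -> hits in window
    alerted = set()
    alerts = []
    for ts, proc, path in events:
        q = recent[proc]
        q.append((ts, path))
        counts[proc][path] += 1
        # Expire events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old_path = q.popleft()
            counts[proc][old_path] -= 1
            if counts[proc][old_path] == 0:
                del counts[proc][old_path]
        distinct = len(counts[proc])      # repeated writes to one file count once
        if distinct > threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append(Alert(proc, q[0][0], ts, distinct,
                                proc.lower() in BROWSER_PROCESSES))
        elif distinct <= threshold // 2:
            alerted.discard(proc)         # burst has subsided; re-arm
    return alerts


def sample_events():
    """Constructed sample telemetry (not real data): an office app saving a few
    documents over a minute, and a browser rewriting 120 files in six seconds."""
    events = []
    for i in range(3):                    # benign background activity
        events.append((float(i * 20), "winword.exe",
                       f"C:\\Users\\alice\\Documents\\report{i}.docx"))
    for i in range(120):                  # the pattern the detector should flag
        events.append((30.0 + i * 0.05, "chrome.exe",
                       f"C:\\Users\\alice\\Documents\\Projects\\file{i:03d}.txt"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for alert in detect_mass_modification(sample_events()):
        kind = "browser" if alert.browser else "process"
        print(f"{kind} {alert.process} touched {alert.files_touched} files "
              f"between t={alert.window_start:.2f}s and t={alert.window_end:.2f}s")
```

The detector fires as soon as the distinct-file count crosses the threshold, so responders see the burst early rather than after the folder is fully rewritten; pairing the alert with the browser tag lets a playbook check the folder-access grants the user accepted rather than hunting for a payload on disk.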
Experts question New Zealand’s cyber readiness.
A New Zealand cybersecurity expert is warning the country is not prepared for a national cyber emergency following a series of significant breaches affecting the healthcare sector. Recent incidents involving Health New Zealand, Manage My Health, MediMap, and IntraCare mark the first cluster of highly significant cyber events in more than four years, according to the National Cyber Security Centre. Aura Information Security’s Patrick Sharp said he is particularly concerned about the potential for a highest-level, C1 cyber emergency that could severely disrupt essential services or compromise sensitive national data. He urged organizations to strengthen governance, implement multi-factor authentication, eliminate weak passwords, and regularly rehearse incident response plans. Sharp also noted that many business boards rarely discuss cybersecurity, leaving organizations ill-prepared to respond effectively to a major cyberattack.
Iran’s long-running cyber-enabled intellectual property theft campaigns draw renewed attention.
The recent arrest in Montenegro of an Iranian-Turkish national wanted by the FBI is drawing renewed attention to Iran’s long-running cyber-enabled intellectual property theft campaigns. According to Kim Zetter, authorities allege the suspect conducted attacks beginning in 2013 against more than 150 U.S. universities and other organizations on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), causing an estimated $3.4 billion in damages. The case echoes a 2018 U.S. indictment against members of the Iran-based Mabna Institute, accused of hacking hundreds of universities, government agencies, companies, and the United Nations to steal academic research and trade secrets. Prosecutors say the group compromised thousands of academic accounts through spear-phishing, ultimately stealing more than 31 terabytes of data. Researchers note Iran’s sustained focus on academic and technological espionage resembles China’s economic espionage campaigns, though Iran’s operations are generally considered less mature and sophisticated.
VIP backstage access, courtesy of Claude.
Security researcher Ian Carroll set out looking for music festival tickets and instead stumbled into what amounted to an all-access backstage pass to Front Gate Tickets’ backend. With help from Anthropic’s Claude Opus 4.7, Carroll bypassed a web application firewall, exploited a SQL injection flaw, and gained super-administrator privileges, giving him the ability to view customer and staff records and, in theory, issue unlimited VIP tickets to events like Bonnaroo, Lollapalooza, and South by Southwest. He resisted the temptation to become the world’s most popular festival guest and instead reported the flaw, which Front Gate says it patched within 24 hours, adding there is no evidence of exploitation or customer impact. Carroll says the episode highlights how AI can dramatically accelerate vulnerability discovery, even generating novel exploitation techniques on its own. The bigger lesson, he argues, is that some critical systems remain surprisingly fragile, held together with less engineering than optimism.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
