
GoshDarn it, that’s advanced.
Researchers track ransomware they say is getting GoshDarn sophisticated. Zimbra patches a critical vulnerability affecting its Classic Web Client. A sophisticated vishing campaign targeting Microsoft 365 accounts. GigaWiper combines espionage capabilities with multiple destructive payloads. The EU sues member states over lax cybersecurity. The NSA revives TAO. A Puerto Rican agency exposes roughly a million Social Security numbers. A former ransomware negotiator heads to prison for assisting BlackCat. Our guest is Maxim Zavodchik, Senior Director of AI Security Research at Akamai, with insights on the upcoming MCP specification. Bad Wifi leaves a trophy up for grabs.
Today is Friday July 10th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Researchers track ransomware they say is getting GoshDarn sophisticated.
We’re a family show here, so in the interest of keeping things FCC-friendly, we’re substituting the name of this ransomware group with “GoshDarn.”
Researchers at Symantec say the latest version of the GoshDarn ransomware marks another step forward in attacker sophistication. The malware is the newest evolution of the Hyadina ransomware family, which dates back to 2022 through earlier Beast and Monster variants. In the observed attack, the operators used the remote access tool AnyDesk, then deployed a malicious kernel driver called PoisonX that carried a legitimate Microsoft signature. That allowed the attackers to disable endpoint security tools before installing credential theft utilities such as Mimikatz and NirSoft. After expanding their access and capturing administrator credentials, they encrypted victim systems and delivered a ransom demand. Researchers don’t yet know how the attackers gained initial access or obtained the signed driver, but they say the campaign highlights how ransomware operators continue refining their techniques, particularly by improving their ability to evade security defenses.
Zimbra patches a critical vulnerability affecting its Classic Web Client.
Zimbra is urging customers to immediately upgrade to version 10.1.19 to fix a critical stored cross-site scripting, or XSS, vulnerability affecting its Classic Web Client. The flaw can be triggered through a specially crafted email, potentially allowing attackers to steal session data, mailbox contents, and account settings when a message is opened. Although there is no evidence the vulnerability has been exploited in the wild, it was reported by Google’s Threat Analysis Group, which has a strong track record of identifying threats used by advanced nation-state actors. Zimbra has repeatedly been targeted by Russian-linked hacking groups in recent years, with multiple XSS vulnerabilities exploited to compromise governments and other high-value organizations. The latest advisory reinforces the importance of promptly patching internet-facing collaboration platforms.
A sophisticated vishing campaign targeting Microsoft 365 accounts.
Okta is warning organizations about a sophisticated voice phishing, or vishing, campaign targeting Microsoft 365 accounts. Active since April, the operation uses phone calls to convince employees they need to enroll a new Microsoft passkey, then directs them to convincing fake Microsoft Entra ID login pages hosted on attacker-controlled domains. Rather than relying on automated credential theft, the attackers guide victims through the login process in real time, adapting the phishing pages to match each organization’s multi-factor authentication requirements. Researchers believe the goal is to trick users into approving an attacker-controlled passkey, giving the threat actors persistent access to compromised accounts. The campaign has targeted organizations across multiple industries and highlights how attackers are increasingly exploiting users’ unfamiliarity with newer authentication technologies.
GigaWiper combines espionage capabilities with multiple destructive payloads.
Microsoft is warning about a sophisticated new malware platform called GigaWiper, a modular backdoor that combines espionage capabilities with multiple destructive payloads. Active since at least October 2025, the Go-based malware gives attackers persistent remote access while allowing them to trigger ransomware-like encryption, overwrite files, wipe entire disks, or even force systems to crash. Unlike traditional wipers that are built solely for destruction, GigaWiper blends backdoor functionality with on-demand sabotage tools, giving operators the flexibility to quietly gather information before launching a disruptive attack. Microsoft says the malware appears to share code with earlier destructive tools and may be linked to the developer behind Crucio ransomware. The combination of stealth, persistence, and destructive capabilities marks a notable evolution in wiper malware.
The EU sues member states over lax cybersecurity, and says Meta may have violated the Digital Services Act.
The European Commission has preliminarily concluded that Meta may have violated the Digital Services Act by using design features on Facebook and Instagram that encourage compulsive use. Regulators say Meta failed to adequately assess and mitigate the risks posed by features such as infinite scroll, autoplay, push notifications, and highly personalized recommendation systems, particularly for minors and other vulnerable users. The Commission also found that existing safeguards, including screen time tools and parental controls, are not effective enough to reduce excessive use. Officials say Meta should consider disabling some engagement-driven features by default and introducing stronger protections. These findings are preliminary, and Meta will have an opportunity to respond before a final decision is made. If the Commission ultimately confirms the violations, the company could face fines of up to six percent of its global annual revenue.
Additionally, the European Commission is increasing pressure on several member states over delays in implementing key cybersecurity laws. Ireland, Spain, France, and the Netherlands have been referred to the European Court of Justice for failing to fully adopt the European Union’s NIS2 Directive, which strengthens cybersecurity requirements for critical sectors such as energy, healthcare, transportation, and cloud services. The Commission is also launching separate enforcement actions against Spain, France, and Latvia over delays in implementing national enforcement measures for the Digital Operational Resilience Act, or DORA, which establishes cybersecurity standards for the financial sector. While most EU countries have now adopted the required legislation, the Commission says timely implementation is essential to improving cyber resilience and ensuring consistent security and incident response across the bloc.
The NSA revives TAO.
The National Security Agency has revived the name Tailored Access Operations, or TAO, for its elite offensive cyber unit, reversing a restructuring that had folded the group into a broader Office of Computer Network Operations. The change is part of a wider reorganization intended to improve the agency’s ability to respond to evolving cyber threats from countries including China and Russia. Former officials say restoring TAO also reunites developers and operators, a move expected to accelerate the creation and deployment of advanced cyber capabilities. TAO has long been associated with some of the NSA’s most sophisticated hacking operations and became widely known through leaks involving the Shadow Brokers. The agency says reviving the name honors TAO’s history while positioning the organization for future cyber missions.
A Puerto Rican agency exposes roughly a million Social Security numbers.
Investigative reporting from Centro de Periodismo Investigativo and ProPublica found that Puerto Rico’s Municipal Revenue Collection Center, or CRIM, inadvertently exposed the Social Security numbers of roughly one million people through its online property records system. Researchers discovered that attackers with basic technical knowledge could access sensitive data without authentication and alerted the agency in June. Although the vulnerability was quietly patched soon afterward, CRIM continues to deny that any confidential information was at risk and has not notified affected individuals or Puerto Rico’s central technology agency. The incident is the latest in a series of cybersecurity failures affecting Puerto Rico’s government. Security experts say many agencies have yet to fully implement cybersecurity standards required under a 2024 law, leaving critical systems vulnerable to future attacks.
A former ransomware negotiator heads to prison for assisting BlackCat.
A Florida cybersecurity professional who secretly worked with the BlackCat, or Alphv, ransomware gang has been sentenced to nearly six years in federal prison. Prosecutors say Angelo Martino abused his role as a ransomware negotiator to provide the hackers with confidential information about victims’ negotiating strategies, helping maximize ransom payments in exchange for a share of the proceeds. Authorities seized roughly $10 million in assets tied to Martino. He is the third former cybersecurity consultant sentenced in the case, underscoring the insider threat posed by trusted security professionals who betray their clients.
Bad Wifi leaves a trophy up for grabs.
A story shared by The Register proves that if you carry a laptop with an antenna sticking out of it, people will assume you know what you’re doing.
Professional red teamer Dahvid Schloss was testing the physical security of a Fortune 500 company while its offices were under construction, and the Wi-Fi was driving employees crazy. As he and his team wandered the building with conspicuous networking gear, no one questioned why they were there. Instead, they kept asking the same question: “Are you here to fix the Wi-Fi?”
Schloss eventually wandered into the marketing department, opened a display case, removed a trophy worth hundreds of thousands of dollars, slipped it into his backpack, answered “yes” when asked if he was fixing the Wi-Fi, and walked out.
No one noticed the missing trophy for two and a half weeks. He finally returned it by placing it on the conference table before delivering his security briefing.
The lesson is simple: people tend to trust anyone who looks like they belong. Sometimes, that’s all an attacker needs.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
