The daily cybersecurity news and analysis industry leaders depend on.
Rudd takes the helm at NSA and Cyber Command. A watchdog probes alleged Social Security data mishandling. Patch Tuesday lands. Governments brace for cyber fallout from Iran. BeatBanker spreads via a fake Starlink app. InstallFix targets developers. ZombieZIP hides malware in archives. And DHS reassigns CBP officials in a FOIA secrecy dispute. Ben Yelin unpacks Anthropic’s lawsuit against the Pentagon. AI eyewear leads to awkward exposures.
Remember to leave us a 5-star rating and review in your favorite podcast app.
Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Our guest today is Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies and Caveat cohost talking about Anthropic suing the Pentagon. You can read more on the topic here.
Selected Reading
Senate approves Joshua Rudd as dual-hat leader of Cyber Command, NSA (POLITICO)
Whistleblower claims ex-DOGE member says he took Social Security data to new job (Washington Post)
Microsoft Patches 83 Vulnerabilities (SecurityWeek)
Adobe Patches 80 Vulnerabilities Across Eight Products (SecurityWeek)
Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities (SecurityWeek)
ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Moxa, Mitsubishi Electric (SecurityWeek)
Iran war will bring wave of 'low-level cyber activity,' says intelligence group (StateScoop)
New BeatBanker Android malware poses as Starlink app to hijack devices (Bleeping Computer)
Fake Claude Code install guides push infostealers in InstallFix attacks (Bleeping Computer)
New 'Zombie ZIP' technique lets malware slip past security tools (Bleeping Computer)
DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders (WIRED)
Meta sued over AI smart glasses' privacy concerns, after workers reviewed nudity, sex, and other footage (TechCrunch)
Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show?
N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Russian hackers target Signal and WhatsApp. Permit scammers impersonate local officials. Anthropic sues over a Pentagon blacklist. The White House moves to restore fraud victims. ShinyHunters target Salesforce data. Ericsson reports a breach. macOS users face ClickFix malware. AWS credentials are phished. And CISA warns of an exploited Ivanti flaw. Our guest is Brian Baskin, Threat Researcher at Sublime Security, discussing tax season employee impersonation scams. Who fact-checks the fact-checkers?
CyberWire Guest
Our guest today is Brian Baskin, Threat Researcher at Sublime Security, discussing how tax season employee impersonation scams are conducted and what to look out for as we prepare our returns.
Selected Reading
Russia targets Signal and WhatsApp accounts in cyber campaign (AIVD)
FBI warns of phishing attacks impersonating US city, county officials (Bleeping Computer)
Anthropic sues Trump administration over Pentagon blacklist (CNBC)
White House floats Victims Restoration Program for millions affected by cyber fraud (The Record)
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign (SecurityWeek)
Ericsson US discloses data breach after service provider hack (Bleeping Computer)
Fake CleanMyMac Site Uses ClickFix Trick to Install SHub Stealer on macOS (Hackread)
Behind the console: Active phishing campaign targeting AWS console credentials (Datadog Security Labs)
CISA: Recently patched Ivanti EPM flaw now actively exploited (Bleeping Computer)
AI fake-news detectors may look accurate but fail in real use, study finds (Tech Xplore)
Show Notes:
Cybersecurity has continued to grow and mature as a field over the past decade, which has given rise to numerous degree pathways across dozens of collegiate institutions; however, the value of these degrees has continued to be a topic of debate. In this episode of CISO Perspectives, host Kim Jones sits down with Dr. Lara Ferry, the Vice President of Research at Arizona State University, to explore higher education's role in cyber. Throughout the conversation, Lara and Kim will discuss the challenges facing degree programs, the disconnects between organizations and institutions, and how the gap can be better addressed.
Want more CISO Perspectives?
Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals.
Israel claims a strike on Iran’s cyber warfare headquarters. The Trump administration releases a new national cyber strategy. DHS shakes up its IT and cybersecurity leadership. Velvet Tempest uses ClickFix to drop loaders and RATs. Researchers uncover a Linux cryptocurrency clipboard hijacker. The DOJ brings a Ghanaian romance scammer to justice. Online advertising enables government tracking. Monday business breakdown. Our guest is Jon France, CISO from ISC2, sharing some insights and findings from their 2025 ISC2 Cybersecurity Workforce Study. An Apple II app gets audited by AI.
CyberWire Guest
Joining us today is Jon France, CISO from ISC2, sharing some insights and findings from their 2025 ISC2 Cybersecurity Workforce Study. For further detail, you can also check out ISC2’s just released Women in Cybersecurity report.
Selected Reading
Iranian cyber warfare HQ allegedly hit by Israel | brief (SC Media)
Iran internet blackout reaches 6th day as rights groups call for end to digital shutdown (The Record)
The long-awaited Trump cyber strategy has arrived (CyberScoop)
DHS CISO, deputy CISO exit amid reported IT leadership overhaul (FedScoop)
Termite ransomware breaches linked to ClickFix CastleRAT attacks (Bleeping Computer)
ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered Via Bincrypter-Based Loader (Cyble)
Ghanaian Pleads Guilty to Role in $100m Romance Scam (Infosecurity Magazine)
The Government Uses Targeted Advertising to Track Your Location. Here's What We Need to Do. (Electronic Frontier Foundation)
Zurich Insurance Group intends to acquire UK cyber insurer Beazley for approximately $11 billion. (N2K Pro Business Briefing)
Microsoft Azure CTO says Claude found vulns in Apple II code (The Register)
In this special Reporter’s Notebook, Maria Varmazis, host here at N2K CyberWire, takes listeners behind the scenes of our three-part series on Cyber Coalition 2025 in Tallinn, Estonia. After exploring real-time incident response, cross-border coordination, and the broader stakes of collective cyber defense, this episode offers a more personal, behind-the-scenes look at how the reporting came together.
Hosted by the NATO Cooperative Cyber Defense Centre of Excellence, the exercise brought together allied military, government, and industry teams inside NATO’s secure cyber range. Here, Maria reflects on moments that didn’t make the final cut — the atmosphere inside the facilities, the pace of covering a live exercise, and the small, human details that added texture to the larger story.
If you haven’t yet, be sure to listen to all three episodes of the series to hear the full story from the ground at Cyber Coalition 2025.
Episode one can be found here.
Episode two can be found here.
Episode three can be found here.
Please enjoy this encore of Career Notes.
Anna Belak, Director of Thought Leadership at Sysdig, shares her story from physics to cyber. Anna explains how she went into college intending to get a physics degree and then, for her PhD, decided to switch to material science and engineering. She enjoyed neither and ultimately decided to go into cyber. She shares some advice on how you should never limit yourself to your degree, as well as always learning new skills and honing skills you already have. She says that doing these things will make you into a unicorn, meaning if you are good at one thing and teach yourself to be good at something else, you will become that much more valuable. Anna hopes she makes an impact on the people she works with; she hopes they will want to work with her even long after she leaves a company. We thank Anna for sharing her story.
This week we are joined by Marcelle Lee, cybersecurity consultant and researcher, discussing "CTI tradecraft: Investigating a mobile scareware campaign." She details how a routine click on a Google News story led to a mobile scareware pop-up—and a deeper investigation into a broader campaign.
Using free tools like Censys, URLScan, VirusTotal, and CyberChef, she pivoted from two domains to uncover more than 100 related domains, shared infrastructure, and links to questionable antivirus apps in the Google Play Store. The findings are mapped to the MITRE ATT&CK framework, showing how freely available resources can power meaningful, actionable threat intelligence.
The research can be found here:
Iran’s MuddyWater breaches multiple U.S. organizations. The FBI probes a breach of wiretap management systems. A China-linked threat actor targets South American telecoms. Cisco patches critical firewall flaws. CISA flags actively exploited bugs in Hikvision cameras and Rockwell industrial systems. A House committee advances the controversial KIDS online safety bill. The FBI arrests a suspect accused of stealing millions in seized crypto from the U.S. Marshals Service. Ben Yelin and Ethan Cook unpack the dispute between Anthropic and the Pentagon. Wikimedia worm wreaks widespread wiki woes.
CyberWire Guest
Today, we’re bringing you a featured conversation from our Caveat podcast, where Ben Yelin sits down with N2K Lead Analyst Ethan Cook to unpack the fallout between the Pentagon and Anthropic, what led to the deal unraveling, and what it means as the government pivots to a similar AI contracting agreement with OpenAI. You can listen to their full conversation here and catch new episodes of Caveat featuring Dave and Ben every Thursday with special appearances by Ethan.
Selected Reading
Iranian APT Hacked US Airport, Bank, Software Company (SecurityWeek)
Tech Giants, Washington Rally for Anthropic in Pentagon Feud (GovInfo Security)
FBI investigates breach of surveillance and wiretap systems (Bleeping Computer)
Chinese state hackers target telcos with new malware toolkit (Bleeping Computer)
Cisco Patches 48 Firewall Vulnerabilities with Two CVSS 10 Flaws (Hackread)
CISA Flags Hikvision Camera & Rockwell Logix Vulnerabilities as Actively Exploited (SOCRadar)
House panel marks up kids digital safety act amid Democrat backlash (The Record)
US contractor's son arrested over alleged $46M crypto theft (The Register)
Wikipedia hit by self-propagating JavaScript worm that vandalized pages (Bleeping Computer)
Show Notes:
As the cybersecurity industry has grown, the field has struggled to answer the question: do certifications matter? In this episode of CISO Perspectives, host Kim Jones sits down with N2K's own Simone Petrella to answer this question and discuss why the value of certifications continues to be debated. Throughout the conversation, Simone and Kim will discuss the challenges associated with certifications and how the industry can adjust the ways it sees and utilizes them.
Got cybersecurity, IT, or project management certification goals?
For the past 25 years, N2K's practice tests have helped more than half a million professionals reach certification success. Grow your career and reach your goals faster with N2K’s full exam prep of practice tests, labs, and training courses for Microsoft, CompTIA, PMI, Amazon, and more at n2k.com/certify.
Unit 42 is tracking more than 60 active hacktivist groups and Iran-linked threat actors right now. What are they actually doing, what should you believe, and what should you do about it?
In this episode of Threat Vector, David Moulton sits down with Justin Moore, Senior Manager of Threat Intelligence Research at Unit 42, and Andy Piazza, Senior Director of Threat Intelligence at Unit 42, to walk through the Unit 42 Iran Threat Brief and what the observed activity means for defenders.
You'll learn:
- What Unit 42 is actually observing from groups like Handala Hack, FAD Team, and Dark Storm, and what claims remain unverified
- Why Iran's reduced internet connectivity changes the threat picture in ways that aren't obvious
- What dispersed operators and proxy groups mean for organizations far outside the Middle East
- Which defensive actions matter most against the TTPs and IOCs Unit 42 has documented
- How to handle hacktivist claims that may be exaggerated or false
Justin Moore brings nine years of intelligence officer experience plus senior threat intel roles at Mandiant, Google, and TikTok before joining Unit 42. Andy Piazza has more than 20 years in security operations and threat intelligence, including leading IBM X-Force's global threat intel team.
Read the threat brief from Unit 42:
- Escalation of Cyber Risk Related to Iran (March 2026)
- Escalation of Cyber Risk Related to Iran (June 2025)
This episode is essential listening if you're: a CISO assessing current exposure, a threat analyst tracking Iran-linked groups, or a security leader who needs to explain the actual observed risk to your board.
Related Episodes:
- Inside the Mind of State-Sponsored Cyberattackers
- From Policy to Cyber Interference
About Threat Vector
Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.
The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.
Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.
Palo Alto Networks
Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com.
Hacktivist activity surges in the Middle East. Defense tech firms distance themselves from Claude. International law enforcement take down the Leakbase cybercrime forum. A pair of Cisco SD-WAN vulnerabilities are under active exploitation. Google releases an urgent Chrome security update. Age-verification is put under the microscope. TikTok is leaving end-to-end encryption out of your DMs. Our guest is Daniel Barbu, Director of EMEA Security from Adobe, discussing fostering a human‑centered, enablement‑driven, and collaborative approach to AI. Clever code catches cardiac clues.
CyberWire Guest
Today on our Industry Voices segment, we are joined by Daniel Barbu, Director of EMEA Security from Adobe, discussing fostering a human‑centered, enablement‑driven, and collaborative approach to AI through the security guild, trainings, and other initiatives. Tune into the full conversation here.
Selected Reading
Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion (Radware)
Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Palo Alto Networks)
Unit 42's Iran Threat Brief: What We're Seeing (Threat Vector podcast special edition by Palo Alto Networks)
Defense tech companies are dropping Claude after Pentagon's Anthropic blacklist (NBC)
Sen. Wyden Warns of Mass Surveillance Amid Pentagon's Fight With Anthropic (Gizmodo)
Sprawling FBI, European operation takes down Leakbase cybercriminal forum (The Record)
Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild (SecurityWeek)
Google Rolls Out Emergency Chrome Update to Patch 10 Critical Security Vulnerabilities (GB Hackers)
Hackers Expose The Massive Surveillance Stack Hiding Inside Your “Age Verification” Check (Techdirt)
TikTok says it won't encrypt DMs claiming it puts users at risk (BBC)
WiFi signals can measure heart rate—no wearables needed - News (UCSC)