In the span of four days, the U.S. government announced two parallel sets of agreements with frontier AI companies that together define the two tracks Washington wants to run simultaneously—test AI for national security risks before the public ever sees it, and deploy AI directly on the military's most classified networks.

The Center for AI Standards and Innovation — CAISI, the entity under the Department of Commerce's National Institute of Standards and Technology that inherited the remit of the former AI Safety Institute — announced new agreements with Google DeepMind, Microsoft, and Elon Musk's xAI. These build on renegotiated agreements with Anthropic and OpenAI that date to 2024, updated to reflect directives from Commerce Secretary Howard Lutnick and America's AI Action Plan.

Under the CAISI agreements, the three companies will hand over their frontier AI models to government evaluators before those models are publicly released. The evaluations probe for national security-relevant capabilities and risks.

To conduct a thorough assessment, developers frequently provide CAISI with models that have reduced or removed safety guardrails — a design choice that allows evaluators to probe what a model can do at its ceiling, not what it will do under commercial safety controls. Evaluators from across the federal government participate, coordinated through the CAISI-convened TRAINS Taskforce, an interagency body focused specifically on AI national security concerns.

CAISI said it has completed more than 40 such evaluations to date. The agreements explicitly support testing in classified environments and were drafted with the flexibility to adapt rapidly as AI capabilities continue advancing.

"Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications," said CAISI Director Chris Fall. "These expanded industry collaborations help us scale our work in the public interest at a critical moment."

Listen to: Charting the AI Frontier in Cybersecurity with Ryan Davis

Fall was appointed to lead CAISI after Collin Burns — a former Anthropic researcher — was reportedly removed from the director role after just four days. The personnel transition at CAISI's top reflects a broader institutional pivot. Under the Biden administration, the AI Safety Institute focused on safety standards, definitions, and voluntary guardrails. Under Trump, CAISI has shifted its emphasis toward AI acceleration and national security capability assessment. The substance of what the evaluators do — probe powerful models before release — has not changed. The framing of why they do it has.

The latest announcement comes four days after the Department of War (formerly Department of Defense) announced agreements with eight frontier AI companies to deploy their models directly on the military's classified networks for operational use.

The companies cleared are SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services, and Oracle. The networks in question are classified at Impact Level 6, covering secret-level data, and Impact Level 7, which refers to the most highly restricted national-security systems. The stated objectives are data synthesis, situational awareness enhancement, and warfighter decision support.

The Department of War announcement carries one conspicuous absence that dominates coverage of what it actually means. Anthropic is not on the list. The company that first deployed AI models on Pentagon classified systems — via a Palantir integration under the Maven Smart System contract — is excluded after a dispute over the guardrails governing military and surveillance use of its AI.

Also read: Australia Establishes AI Safety Institute to Combat Emerging Threats from Frontier AI Systems

The Pentagon had previously branded Anthropic a "supply chain risk," a designation typically reserved for foreign entities posing national security concerns. A March 2026 federal injunction reversed that designation, but it did not restore Anthropic's position as a Pentagon AI vendor. Palantir has pulled its Claude models from its DoD platforms accordingly.

The exclusion has strategic implications that extend beyond one company's contract status. Anthropic's recently released Mythos model — described by Treasury Secretary Scott Bessent as representing a step change in large language model capability — has generated significant attention from U.S. officials and financial sector executives about its potential to supercharge adversarial cyber operations.

The fact that Mythos is not among the models being assessed for classified military use, while simultaneously being cited by senior officials as a capability milestone that warrants concern, creates a gap in the government's stated AI security posture that is difficult to characterize as anything other than a policy contradiction.

Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives. In a blog, Chief Technology Officer Ollie Whitehouse highlighted that years of accumulated technical debt are now becoming a major cybersecurity risk. Technical debt refers to unresolved flaws and compromises in software that arise when organisations prioritise speed or short-term delivery over long-term resilience. According to Whitehouse, artificial intelligence is accelerating the problem. Skilled attackers are increasingly able to use AI tools to identify and exploit vulnerabilities at scale, forcing what the NCSC describes as a “correction” across the technology ecosystem. This is expected to trigger a vulnerability patch wave, with a high volume of security updates affecting open source, commercial, proprietary, and software-as-a-service platforms.

Prioritising External Attack Surfaces

As part of preparing for the vulnerability patch wave, the NCSC advises organisations to first focus on their external attack surfaces. Internet-facing systems, cloud services, and exposed infrastructure present the highest risk when new vulnerabilities are disclosed. The guidance recommends a perimeter-first approach. Organisations should secure outward-facing technologies before moving deeper into internal systems. This reduces the likelihood that attackers can exploit newly discovered weaknesses during the vulnerability patch wave. Where resources are limited, priority should be given to patching systems that are directly exposed to the internet. Critical security infrastructure should follow next. However, the NCSC cautions that patching alone will not solve every issue. Legacy and end-of-life systems remain a major concern. Many of these technologies no longer receive security updates, leaving organisations vulnerable even during a vulnerability patch wave. In such cases, businesses may need to replace outdated systems or bring them back into supported environments, especially if they are externally accessible.

Preparing for Faster and Large-scale Patching

The expected vulnerability patch wave will require organisations to rethink how they manage updates. The NCSC is urging businesses to prepare for faster, more frequent, and large-scale deployment of security patches, including across supply chains. Several key measures have been recommended:

• Enable automatic updates wherever possible to reduce operational burden
• Adopt secure “hot patching” to apply fixes without service disruption
• Ensure internal processes support rapid and large-scale updates
• Use risk-based prioritisation models such as Stakeholder Specific Vulnerability Categorisation (SSVC)

Whitehouse noted that organisations must be ready to accelerate patching timelines when critical vulnerabilities are actively exploited, particularly those affecting internet-facing systems. At the core of this approach is an “update by default” policy. This means applying software updates as quickly as possible, ideally through automated processes. While this may not always be feasible for safety-critical or operational technology systems, the NCSC says it should form the foundation of modern vulnerability management strategies.

Beyond Vulnerability Patch Wave: Addressing Systemic Risks

The NCSC emphasises that the vulnerability patch wave is only part of a broader cybersecurity challenge. Patching addresses immediate risks, but it does not eliminate the underlying causes of technical debt. Technology vendors are being encouraged to build more secure systems from the outset. This includes adopting memory safety and containment technologies such as CHERI, which can reduce the likelihood of exploitable vulnerabilities. For organisations operating critical services, strengthening cybersecurity fundamentals is equally important. Frameworks such as Cyber Essentials and sector-specific resilience models can help reduce the impact of breaches and improve overall security posture. Additional guidance has also been issued for high-risk environments, covering areas such as privileged access workstations, cross-domain security architecture, and threat detection through observability and proactive hunting.

Organisations Urged to Act Now

The NCSC has made it clear that preparation cannot be delayed. The anticipated vulnerability patch wave is expected to impact organisations of all sizes and sectors. Businesses are advised to review their vulnerability management processes, assess their exposure, and ensure their supply chains are also ready to respond. Larger organisations, in particular, are encouraged to seek assurance from both commercial and open-source partners. As Whitehouse concluded, readiness for the vulnerability patch wave will depend on proactive planning, strong fundamentals, and the ability to respond quickly at scale.

India’s top intelligence agency arrested a suspected key conspirator accused of supplying fraudulently obtained SIM cards to cybercriminal networks, as part of the agency’s ongoing anti-cybercrime initiative, Operation Chakra-V.

According the Central Bureau of Investigation (CBI), the suspect was apprehended in the North Eastern city of Guwahati after allegedly evading authorities since August 2025. Investigators say the accused played a central role in procuring and distributing illegally issued mobile SIM cards that were later used in a range of cyber-enabled fraud schemes.

Also read: CBI Files Chargesheet Against 30 Including Two Chinese Nationals in ₹1,000 Cr Cyber Fraud Network

The law enforcement agencies are now increasingly focusing on the infrastructure that enables digital crime rather than only the individuals carrying out the scams. Fraudulently acquired SIM cards are a valuable tool for cybercriminals because they can be used to create anonymous accounts, bypass identity checks, receive one-time passwords (OTPs), and operate scam call centers with reduced traceability.

The CBI said its broader investigation uncovered a network involving Point of Sale (POS) agents who allegedly issued SIM cards using fake or improperly verified customer identities. These SIM cards were then reportedly supplied to criminals linked to fake “digital arrest” extortion scams, fraudulent loan offers, and investment fraud operations.

Authorities stated that searches were previously conducted at around 45 locations across eight Indian states, resulting in the arrest of 10 accused POS agents. The latest suspect is believed to have acted as an aggregator within the network.

Also read: India Dismantles ‘Phishing SMS Factory’ Infrastructure Sending Lakhs of Fraud Messages Daily

Investigators allege the accused transferred nearly ₹67 lakh through multiple bank accounts to procure approximately 10,000 illegally issued SIM cards. Evidence related to courier shipments used for distributing the cards has also reportedly been recovered, suggesting a structured logistics chain behind the operation.

From a cybersecurity perspective, the case underscores how telecom identity abuse remains a critical threat vector. Even sophisticated fraud campaigns often depend on simple enablers such as fraudulent SIM issuance, mule bank accounts, and compromised identity records.

The CBI said investigations into additional conspirators are ongoing. As cyber fraud grows more industrialized, dismantling support networks like these may prove just as important as arresting the scammers who interact directly with victims.

Also read: 12 Lakh SIM Cards Cancelled, over 3 Lakh IMEI Numbers Blocked as Centre Intensifies Crackdown on Cybercrime

The UAE Cyber Security Council has raised concerns over widespread data exposure, revealing that nearly 25 percent of publicly accessible files contain sensitive personal data. The warning comes as part of its ongoing awareness efforts, urging individuals and organisations to strengthen basic cybersecurity practices. In its latest advisory under the “Cyber Pulse” campaign, the Council highlighted that poor file-sharing habits continue to expose users to avoidable cyber risks. The findings point to a growing gap between the use of cloud platforms and the understanding of how to secure shared data.

Public Files and Sensitive Personal Data at Risk

The Council’s findings show that a significant portion of files shared openly online contain sensitive personal data such as identification details, financial records, or login information. This raises concerns about how easily such data can be accessed by unintended users. The issue is not limited to publicly shared files. According to the Council, between 68 percent and 77 percent of privately shared files may also be accessible to unintended recipients due to weak access controls or misconfigured sharing settings. This highlights a broader problem where users assume that private sharing automatically ensures security. In many cases, improper permissions or link-based access can lead to unintentional exposure of sensitive personal data.

Cyber Security Council Highlights Encryption as Critical Safeguard

The UAE Cyber Security Council emphasized that encryption remains one of the most effective ways to protect sensitive personal data. Files that are encrypted before being shared or stored online are significantly less vulnerable to unauthorized access. The advisory noted that cloud storage platforms do not guarantee automatic protection of data. Without encryption, sensitive files remain exposed if access controls are bypassed or misconfigured. Alongside encryption, secure account management plays a key role in reducing risk. Weak passwords, reused credentials, and lack of authentication measures continue to be major contributors to data exposure incidents.

Key Cybersecurity Practices Recommended

To address the risks associated with exposed sensitive personal data, the Cyber Security Council outlined several essential cybersecurity practices. Users are advised to use strong and regularly updated passwords and enable two-factor authentication across all accounts. Avoiding public links when sharing sensitive files is also critical, as these links can be easily forwarded or accessed without proper restrictions. The Council stressed the importance of reviewing privacy settings and managing access permissions carefully. Monitoring file usage and access logs can help identify unusual activity and prevent misuse. Additional measures include deleting unused files and inactive sharing links, securing Wi-Fi networks, and keeping devices and software up to date. Users are also encouraged to review application permissions and limit access to only necessary services. When accessing files over public networks, the use of virtual private networks can provide an added layer of security. Regular data backups and secure database management on cloud platforms are also recommended to prevent data loss and unauthorized access.

Awareness Remains Key to Reducing Exposure

The Cyber Security Council noted that many cases involving sensitive personal data exposure are the result of simple, preventable mistakes. Lack of awareness around basic cybersecurity practices continues to be a major factor. The “Cyber Pulse” campaign, now in its second year, aims to address this gap by promoting safer digital behaviour among individuals and organisations. The initiative forms part of broader national efforts to build a secure and resilient digital environment. By encouraging users to adopt stronger security measures and understand the risks of improper file sharing, the Council aims to reduce the exposure of sensitive personal data and improve overall cybersecurity hygiene. The latest findings serve as a reminder that while technology platforms continue to evolve, the responsibility to secure data often lies with users. Simple steps such as enabling encryption, managing access, and reviewing shared content can significantly reduce the risk of data exposure.

Law enforcement agencies across Europe, the United States, and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to knock websites offline.

The coordinated effort led to the seizure of 53 domains, four arrests, 25 search warrants, and warning notices sent to more than 75,000 people suspected of using so-called “booter” or “stresser” platforms.

A Crackdown on DDoS-for-Hire

DDoS-for-hire platforms allow customers to pay relatively small fees to launch distributed denial-of-service attacks against websites, gaming services, businesses, and public infrastructure. In fact, AI-driven threat intelligence company Cyble, in a new research report released today said, DDoS was the primary mode of attack during the ongoing Iran-Israel and U.S. conflict. Cyble recorded a 140% increase in DDoS attacks targeting Israeli entities after September 2025, and at the height of the conflict, saw 40 DDoS attacks per day.

These DDoS-for-hire services often market themselves as legitimate stress-testing tools, but authorities say they are widely abused for harassment, extortion, and disruption.

The latest enforcement wave is part of the long-running international initiative known as "Operation PowerOFF," which has previously dismantled multiple booter services and disrupted related infrastructure.

Read: DDoS-for-Hire Empire Dismantled as Poland Arrests Four, U.S. Seizes Nine Domains

U.S. Authorities Seize Key Infrastructure

The U.S. Department of Justice said investigators in Alaska seized infrastructure linked to eight DDoS-for-hire domains, including services branded as Vac Stresser and Mythical Stress, both of which allegedly advertised the ability to launch tens of thousands of attacks per day. Investigators also searched backend servers tied to the platforms.

Officials did not immediately identify those behind the services, but said the action was intended to disrupt the technical backbone used to power attacks globally.

75,000 Users Contacted Directly

In one of the more unusual aspects of the operation, authorities contacted more than 75,000 suspected users directly through warning emails and letters.

Law enforcement agencies appear to be using deterrence alongside takedowns—sending a message that paying for DDoS attacks leaves a trail and may bring legal consequences.

Security experts say the tactic could be particularly effective against younger or low-level offenders who use these platforms for gaming disputes, personal retaliation, or vandalism without fully understanding the legal risks.

Investigators said they identified around three million criminal accounts connected to the wider DDoS-for-hire ecosystem. The sheer number of accounts shows how industrialized cybercrime services have become. Instead of building botnets or malware, users can simply rent attack capability on demand.

DDoS attacks overwhelm a target with traffic, often causing websites, applications, or networks to crash. While sometimes dismissed as nuisance attacks, they can disrupt hospitals, financial institutions, government portals, and emergency services.

Recent years have also seen DDoS attacks used as smokescreens to distract security teams while other intrusions unfold.

Read: Europol Issues Public Alert: ‘We Will Never Call You’ as Phone and App Scams Surge

A Persistent Cat-and-Mouse Game

Despite repeated takedowns, booter services often reappear quickly under new names, new domains, or relocated hosting providers. Researchers have found that while seizures can significantly reduce traffic in the short term, the market has proven resilient over time.

That means operations like PowerOFF may need to combine arrests, infrastructure seizures, financial disruption, and user deterrence to have lasting impact.

Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.

In a fresh advisory, the CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.

UAC-0247 Used Humanitarian Aid Lures as Entry Point

The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.

Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.

Once clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.

Also read: Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.

Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.

At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.

Persistent Access and Remote Control

To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables:

• Command execution
• File exfiltration
• Screenshot capture
• Keylogging

Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.

Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.

Credential Theft and Lateral Movement

Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.

The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.

In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.

Military Targets Also in Scope

The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.

Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.

CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.

Goldman Sachs is taking a cautious approach toward a new artificial intelligence model from Anthropic, warning that its advanced capabilities could introduce significant cybersecurity risks—even as they explore its long-term potential.

The model, known as "Mythos," has sparked concern across the financial sector due to its ability to identify and exploit software vulnerabilities at a level that could reshape both cyber defense and cybercrime.

“Hyperaware” of AI-Driven Cyber Risks

Answering a query during a recent earnings call, Goldman Sachs CEO David Solomon said the bank is closely monitoring the risks associated with emerging AI systems including LLMs and the disruptive Mythos model from Anthropic.

“We’re hyperaware,” Solomon said, referring to the cybersecurity implications of next-generation AI tools.

He added that Goldman is actively working with Anthropic and cybersecurity partners to better understand how such models could impact financial systems and cyber defenses.

Cybersecurity has long been at the core of our business. And we have for a very, very long time, put enormous resources forward," Solomon added.

"With the help of the US government and the model publishers, we are very focused on supplementing our cyber and infrastructure resilience," he said. "And this is part of our ongoing capabilities that we have been investing in and are accelerating our investment in."

The comments reflect the current mindset of major financial institutions, which are increasingly treating advanced AI not just as a productivity tool, but as a potential security disruptor.

Also read: AI Legal Risks: Lisa Fitzgerald on Why Businesses Must Vet AI Use Cases

Why Mythos is Raising Concerns

Unlike earlier AI systems, Mythos is designed to autonomously discover and exploit vulnerabilities in software environments. Anthropic has acknowledged that the model can “find and exploit sophisticated vulnerabilities” and, in some cases, outperform human experts.

This capability has triggered concern among cybersecurity community, who are divided and warn that such tools could lower the barrier for cyberattacks. In practical terms, even individuals without deep technical expertise could potentially use AI to identify weaknesses in operating systems, applications, or enterprise infrastructure.

Anthropic itself has taken an unusually cautious stance. The company has restricted access to Mythos and opted not to release it publicly, citing fears of misuse.

Instead, the model is being shared as a preview to 11 organizations under a controlled initiative dubbed "Project Glasswing." The organizations includes JPMorgan, Apple, Google, Microsoft, Nvidia and Goldman Sachs, among other. The initiative aims at strengthening defenses before rolling out wider deployment.

Financial Sector on High Alert

The concerns are not limited to Goldman Sachs. Discussions involving top U.S. financial leaders—including regulators and central banking officials—have reportedly taken place to assess the risks posed by such AI systems.

Banks are particularly vulnerable due to their complex mix of modern and legacy systems, which could provide fertile ground for AI-driven vulnerability discovery and exploitation.

At the same time, industry leaders see a dual-edged reality where attackers could benefit first, defenders may eventually use similar tools to identify and patch weaknesses faster.

Balancing Risk and Opportunity

Despite the warnings, Solomon struck a measured tone about the future of AI in business. He noted that the technology has the potential to significantly improve efficiency and transform operations across industries.

"Whenever you have acceleration of your technology, there are going to be be bumps, and there are going to be risk issues," Solomon said answering a seperate query during the call. "But the power of the technology, the ability to use it in an enterprise, to remake processes, to create efficiency, and also create more capacity to invest the growth — I can't find a CEO that's not talking about that."

This tension—between innovation and risk—sits at the center of the current debate around advanced AI systems like Mythos.

A Turning Point for Cybersecurity

The emergence of models capable of autonomously identifying and exploiting vulnerabilities marks a potential inflection point for cybersecurity.

Experts suggest that the rapid evolution of AI could accelerate both offensive and defensive capabilities, creating a race between attackers and defenders. In the short term, however, the concern is that powerful tools may be easier to weaponize than to secure.

For financial institutions like Goldman Sachs, however, the strategy seems to be to engage early, understand the risks, and prepare defenses before such technologies become widely accessible.

An international operation, coordinated between the FBI Atlanta Field Office and Indonesian law enforcement agencies has led to a taken down of a major phishing infrastructure that enabled cybercriminals worldwide to steal credentials and attempt fraud exceeding $20 million.

The crackdown targeted a cybercrime ecosystem built around the “W3LL phishing kit,” a tool designed to replicate legitimate login pages and harvest user credentials at scale. Authorities say the platform allowed attackers to compromise thousands of accounts and carry out widespread financial fraud.

More Than a Phishing Tool

Investigators describe W3LL not as a single piece of malware, but as a fully developed “phishing-as-a-service” operation. For a relatively low cost of around $500, cybercriminals could purchase access to the kit and launch highly convincing phishing campaigns with minimal technical expertise.

The service was supported by an underground marketplace known as W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, more than 25,000 compromised accounts were traded through the platform.

Even after the marketplace was shut down, the operation continued through private and encrypted channels, allowing it to evolve and remain active.

Also read: New Phishing Kit ‘FishXProxy’ Aims To Be ‘Ultimate Powerful Phishing Kit’

Built for Corporate Account Takeovers

According to research by Group-IB, the W3LL ecosystem was specifically designed to target corporate environments, particularly business email systems such as Microsoft 365.

The toolkit included a range of capabilities beyond simple phishing pages, forming an end-to-end attack chain. These included tools for:

• Sending large-scale phishing emails
• Harvesting and validating email accounts
• Hosting malicious infrastructure
• Managing stolen credentials

Group-IB estimates that around 500 threat actors were actively using W3LL tools, turning the platform into a structured cybercrime network rather than a loose collection of attackers.

Bypassing Multi-Factor Authentication

One of the most dangerous aspects of the W3LL kit was its use of adversary-in-the-middle (AitM) techniques. This allowed attackers to intercept login sessions in real time, capturing not just usernames and passwords but also authentication tokens.

As a result, even accounts protected by multi-factor authentication (MFA) could be compromised, giving attackers persistent access to corporate systems.

Security researchers say this capability made W3LL particularly effective in business email compromise (BEC) attacks—one of the most financially damaging forms of cybercrime today.

Global Scale and Impact

The phishing kit was used in attacks targeting organizations across multiple industries, including finance, healthcare, manufacturing, and IT services.

Data suggests that tens of thousands of corporate accounts were targeted globally, with a significant concentration of victims in the United States, followed by Europe and Australia.

Between 2023 and 2024 alone, the infrastructure was linked to more than 17,000 phishing attempts worldwide.

Arrest and Infrastructure Seizure

As part of the operation, authorities seized domains and infrastructure used to distribute the phishing kit and facilitate credential theft. Indonesian police also detained the suspected developer behind the platform, identified only as “G.L.”

Officials say this marks a significant step in targeting not just users of cybercrime tools, but the developers who enable large-scale attacks.

On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored on when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.

Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software. The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday, that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from Files.fm file-sharing service and installed what the messages described as specialized protective software. The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms. Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-a-like website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool." The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely. AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine. AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH. That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent. Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official." [caption id="attachment_110836" align="aligncenter" width="600"] Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)[/caption] On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure. CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it. CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Also read: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

It takes a single page load on a compromised Ukrainian government site, no tap, no download, no warning — and an iPhone running iOS 18.4 through 18.6.2 hands over its messages, photos, passwords, Telegram history, iCloud files, and cryptocurrency wallet keys to an attacker halfway across the world, then erases every trace of the intrusion within minutes.

That is DarkSword. And it has already spread to at least four countries.

On Wednesday, Google Threat Intelligence Group (GTIG), mobile security firm Lookout and device integrity company iVerify published coordinated research disclosing a new iOS full-chain exploit kit they named DarkSword — a name taken directly from a variable buried inside the malware's own code: const TAG = "DarkSword-WIFI-DUMP". The three organizations collaborated across separate discovery threads, with each contributing distinct pieces of a deeply alarming picture.

DarkSword in the Hands of Spyware Vendors and State Actors

GTIG tracked DarkSword deployments since at least November 2025, identifying multiple distinct threat actors — including commercial surveillance vendors and suspected state-sponsored groups — deploying the same exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The chain leverages six vulnerabilities across iOS 18.4 through 18.7, and all six have now been patched in iOS 26.3, though most arrived in earlier updates. Apple was notified by GTIG in late 2025.

Studying the Exploit Chain

The exploit chain's entry point for Ukrainian targets sits inside two compromised websites, novosti[.]dn[.]ua, a news portal, and 7aac[.]gov[.]ua, a Ukrainian government domain. Both sites contained an invisible malicious iframe injected by attackers, which silently loaded exploit code hosted on a server in Estonia. That server only delivered the payload to devices having Ukrainian IP addresses — a deliberate geofencing technique that reduces exposure, frustrates researchers, and increases the operational window before detection.

Once Safari loaded the iframe, DarkSword executed a disciplined, multi-stage attack entirely in JavaScript — a design choice that is itself significant. There is no binary implant, no Mach-O library injected into processes, no traditional malware artifact that endpoint detection logic would expect to find.

The chain breaks out of WebKit's WebContent sandbox, uses WebGPU to inject into a background media process called mediaplaybackd, builds arbitrary kernel read-write access from there, and then uses that access to lift sandbox restrictions across the device's most privileged processes — including configd, wifid, securityd, and UserEventAgent.

The final payload orchestrator, pe_main.js, then injects targeted data-theft modules into each of these processes before staging everything in accessible filesystem locations and exfiltrating the complete collection to a command-and-control server. The staged files are then deleted and the process exits cleanly.

The entire dwell time on a victim device measures in minutes. GTIG has identified three distinct malware families delivered following successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

What DarkSword steals covers almost every surface of a modern iPhone. SMS and iMessage content, call history, address book, WiFi passwords, Safari browsing history and cookies, location history, health data, photos, iCloud Drive, emails, saved passwords, WhatsApp and Telegram message histories, and the complete list of installed applications.

Most unusually for a state-adjacent espionage tool, DarkSword specifically targets cryptocurrency wallets like Coinbase, Binance, Kraken, Kucoin, Ledger, Trezor, MetaMask, and Exodus, among others. Lookout assesses this as evidence of a financially motivated dimension to the threat actor's operations, distinct from conventional cyber espionage.

The Six Vulnerabilities Underneath DarkSword

DarkSword's power derives from chaining six distinct flaws across different layers of iOS, each one unlocking the next stage of access.

[caption id="attachment_110322" align="aligncenter" width="486"] The six vulnerabilities exploited at various levels of the exploit chain. (Image source: GTIG)[/caption]

The remote code execution stage exploited two memory corruption vulnerabilities in JavaScriptCore — the JavaScript engine that powers WebKit and Safari. The first, CVE-2025-31277, formed the foundation of the earliest observed DarkSword deployments targeting iOS 18.4 and 18.5.

A second JavaScriptCore memory corruption bug, CVE-2025-43529, was added in a later iteration of the kit targeting iOS 18.6, giving operators redundant entry points across a wider version range. Both bugs enable an attacker to corrupt memory through a malicious webpage alone, requiring no interaction from the victim beyond the page load itself.

Alongside either RCE exploit, DarkSword chains CVE-2026-20700, a Pointer Authentication Code (PAC) bypass in dyld — the dynamic linker responsible for loading code into Apple processes. PAC is a hardware-level security feature Apple introduced specifically to prevent attackers from hijacking code execution; bypassing it is a prerequisite for the deeper access DarkSword achieves. The remaining three vulnerabilities handle the sandbox escape and privilege escalation stages, progressively dismantling iOS security boundaries until the attacker holds unrestricted kernel read-write access across the entire device.

Apple addressed the vulnerabilities on a rolling basis rather than in a single emergency patch, reflecting the staggered pace at which researchers discovered each flaw. CVE-2025-31277 and CVE-2025-43529 received fixes in iOS 26.1 and iOS 26.2 respectively, while CVE-2026-20700 and the remaining privilege escalation vulnerabilities were closed with iOS 26.3.

The final complete remediation, covering all six DarkSword vulnerabilities, landed in iOS 18.7.3 for devices on the iOS 18 branch. The gap between the earliest known DarkSword deployment in November 2025 and the final patch in iOS 26.3 represents a window of roughly four months during which the full chain operated against unpatched devices.

The Evolution of DarkSword Under Various Threat Actors

The infrastructure analysis by Lookout revealed an important link to a prior campaign. The delivery domain cdncounter[.]net shares nameservers, registrar, registration date, and IP resolution overlap with uacounter[.]com, a domain GTIG previously tied to UNC6353 — a suspected Russian espionage group that also used the earlier Coruna iOS exploit kit against Ukrainian targets. The same Ukrainian government domain that hosted DarkSword delivery code had previously distributed Coruna. GTIG has now observed UNC6353 incorporating DarkSword into its watering hole campaign repertoire alongside its previous toolkit.

Also read: How Russia-Linked Spies Turned Everyday Websites into Surveillance Traps aka ‘Watering Hole’

Perhaps the most significant finding across all three research publications is not the sophistication of any single vulnerability, but what the proliferation of DarkSword across multiple unrelated threat actors reveals about the commercial exploit market. Code comments written in Russian appear in the early infrastructure stages; code in subsequent exploit stages switches to English — consistent with a tool built by one developer and sold or transferred to multiple buyers. References to iOS 17.4.1 and 17.5.1 in portions of the code indicate this kit evolved from an earlier version, suggesting an ongoing commercial development and distribution pipeline rather than a one-time build.

Lookout states the threat actor likely gained access to an exploit and post-exploitation toolkit built by a third party. The nation-state grade iOS zero-day chains, which were once assumed exclusive to Tier 1 commercial surveillance vendors supplying governments, now circulate in a secondary market accessible to actors with narrower resources and mixed motives, including financial crime.

Devices running iOS 18.7.3 or iOS 26.3 and later are not vulnerable. Google has added DarkSword delivery domains to Safe Browsing. For devices that cannot be updated immediately, Apple's Lockdown Mode reduces the available attack surface.

When a Latvian pensioner picked up a call from what appeared to be the State Police, the voice on the other end knew her bank, her account, and exactly what to say to make her afraid — because the people on the other end of the line had done this hundreds of times before.

Latvian and Ukrainian law enforcement agencies, on Wednesday, jointly announced the dismantling of an organized criminal network that used vishing — voice-based phishing, where callers impersonate trusted authorities over the phone — to defraud citizens across the European Union.

The joint operation, exposed the full machinery of a modern social engineering fraud which included call center operators in Ukraine, money mules across Latvia and illicit cryptocurrency exchangers laundering the proceeds through Riga's streets.

Vishing is a variant of phishing where attackers manipulate victims verbally rather than through malicious links or attachments. The technique exploits trust in authority figures — police officers, bank staff — rather than technical vulnerabilities.

Also read: Smishing and Vishing in 2025: How Cybercriminals Are Using AI to Fool You

Latvia's State Police Cybercrime Unit, which consolidated 35 separate criminal cases involving fraud committed in 2023 and 2024, estimates the network defrauded Latvian residents of approximately €2 million.

Investigators identified more than 170 money mules — people used to receive and move stolen funds — of whom 90 have been designated as suspects. Thirteen call center operators have been detained, including Latvian-speaking participants in the scheme.

The Vishing Ring's Playbook

The operational playbook was precise and repeatable. Callers impersonated Latvian State Police officers and bank employees, informing victims that loans had been fraudulently taken out in their names or that suspicious financial activity had been detected on their accounts. They then invited victims to "help expose the fraudsters" — a social engineering technique that shifts the victim into an active, cooperative role and suppresses skepticism.

To facilitate this, operators instructed victims to install AnyDesk — a remote desktop access tool — on their computers or mobile devices, and to log in to their online banking. AnyDesk is a legitimate IT support tool that, once installed by a victim, gives a remote operator full visual and interactive access to the device.

On the Ukrainian side, the Cyber Police Department of the National Police of Ukraine disclosed that two Ukrainian nationals — residents of Ivano-Frankivsk in their early 20s — traveled to Latvia where they recruited local individuals to open bank accounts across European countries. Those account holders transferred control of their cards to the criminal group for a small fee, creating the drop account infrastructure through which stolen funds were moved.

Drop accounts are bank accounts controlled by third parties and used to receive and launder illicit transfers, deliberately creating distance between the fraudsters and the money.

More than 20 Latvian victims sustained confirmed financial losses exceeding €300,000 in connection with the Ukraine-linked component of the network alone. Ukrainian investigators, alongside the Latvian Cybercrime Department, conducted searches at the suspects' residences in Ivano-Frankivsk, seizing mobile phones and computer equipment as evidence. Europol's liaison officers coordinated information exchange between the two countries throughout the investigation.

Beyond the call center operators and money mules, investigators in Latvia identified illicit cryptocurrency exchangers — unlicensed operators in Riga who converted the stolen funds into digital assets, further distancing the proceeds from their origin. One such exchanger received a custodial sentence exceeding six years. Three members of the broader criminal group received three-year custodial sentences each in Latvia.

The group's leader was apprehended in Germany in 2024 through joint action with Estonian law enforcement and was subsequently convicted in Estonia. Two other members fled to Ukraine following arrests elsewhere in the EU — and were detained in Ivano-Frankivsk on March 12, 2026, following cross-border coordination between Latvian, Ukrainian, and Eurojust authorities.

Assets subject to financial restraint in Latvia now total €829,650.

The operation fits a well-documented regional pattern. Previous Eurojust-coordinated enforcement actions uncovered Ukrainian call centers recruiting participants from Latvia, Lithuania, and the Czech Republic, compensating operators with up to 7% of proceeds and offering bonuses of cash, vehicles, or apartments to high performers who exceeded €100,000 in stolen funds.

Also read: Authorities Shutter €100M Crypto-Fraud Ring that Ran Across Europe

What makes this case technically significant for enterprise security teams is not the sophistication of the malware — there was none. The attack surface was entirely human. Remote access tools like AnyDesk are present in countless corporate environments as legitimate support software. When a caller with authoritative framing persuades an employee — or an employee's family member — to grant remote access to a device connected to corporate infrastructure, the consequences can extend well beyond the individual victim's bank account.

Latvia's State Police urged residents never to install remote access software at the instruction of an unsolicited caller and never to disclose banking credentials or one-time authentication codes under any circumstances, noting that methods used by these fraudsters are sophisticated and cynical.

The U.S.-based MedTech giant Stryker in an update shared late Thursday night confirmed that its supply chain has been impacted adversely with no timeline in place for a full restoration due to the cyberattack claimed by Iran-linked hacker collective - the Handala group. While Stryker maintained that the root of the global disruption is an intrusion in its Microsoft environment, it now added that the incident is contained to its "own internal systems" and not spilled over to its customers. "Our connected products are not impacted and are safe to use," the update said. Based on reports on several social media platforms, Handala allegedly used data wiper malware in this campaign, in accordance to its regular modus operandi. However, Stryker reiterated that no malware or ransomware was detected on its systems, as of now.

Also read: Who Is Handala — The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices

Even though Stryker claims negligible impact on its connected products, the MedTech firm admitted disruption to its supply chain.

"This incident has caused disruptions to order processing, manufacturing and shipping," Stryker said.

This is not the worrying part alone. The fact that there is no definitive timeline that Stryker foresees for its resumption, is. In an 8-K filing to the U.S. SEC, the company said:

"The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions. While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known."

The full scope of financial and material impact is yet to be determined too. Stryker added that although the timeline to get up and running is blurry at this point, it "has business continuity measures in place to continue to support its customers and partners."

CISA Joins Investigation

While the company responds and conducts its own assessment, CISA said it was following the due process of investigating the incident as well. “We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation’s critical infrastructure,” CISA acting director Nick Andersen told The Cyber Express. “As with all cyber incidents, we have launched an investigation into this matter.”

The Israel Connect of Stryker, The Real Reason?

And while the world calls this an attack on a U.S.-based company - a country that has supported Israel in the ongoing West Asia war - the actual reason could be debated. Why? Because half a decade ago Stryker acquired OrthoSpace, Ltd., a privately held company headquartered in Caesarea, Israel, in an all cash transaction. What does this imply? Not to jump to conclusions, but all the companies with trade and links to Israel may be carrying targets on their back. Updated March 14, 10:35 AM ET: For adding CISA acting director Nick Andersen's comments.

A new planning and zoning permit phishing scam is raising concerns across the United States as cybercriminals impersonate city and county officials to trick individuals and businesses into paying fraudulent permit fees. The warning, issued by the FBI, highlights how attackers are exploiting publicly available government data to make phishing emails appear legitimate. The scam targets people who have active applications for planning and zoning permits, particularly those involved in land-use projects or property development. By using accurate permit details, criminals create convincing emails that pressure victims to transfer money for fake administrative fees.

Planning and Zoning Permit Phishing Scam Targets Active Applications

Unlike generic phishing attempts that rely on vague messages, this scam is highly targeted. Criminals gather information from publicly available sources related to planning and zoning permit applications, including property addresses, application numbers, and the names of local officials. Armed with this data, they send emails to applicants posing as planning and zoning board representatives. The emails typically claim that additional fees are required to process or approve the permit. Victims are instructed to make payments through wire transfers, peer-to-peer payment services, or cryptocurrency—methods that are difficult to trace or recover once the money is sent. What makes this planning and zoning permit phishing scam particularly effective is its timing. Emails may arrive while applicants are actively communicating with local government offices about their permits, making the fraudulent request appear routine.

Why the Zoning Permit Scam Looks So Real

The success of this planning and zoning permit phishing scam lies in its attention to detail. Many phishing campaigns fail because they are poorly written or obviously suspicious. This one is different. The fraudulent emails often contain:

• Accurate property addresses and zoning case numbers
• Names of real city or county officials
• Professional language mirroring official government correspondence
• Attachments such as PDF invoices listing itemized fees

The emails may also use formatting and visual elements that resemble legitimate municipal communications, including references to regulatory compliance or planning commission procedures. However, a key red flag is the email domain. While the sender’s name may resemble a government official, the email address often originates from non-government domains such as “@usa.com” instead of official municipal domains. Another tactic involves discouraging verification. Victims may be told to request payment instructions through email rather than by phone, supposedly to maintain an “audit trail.” In reality, this discourages them from contacting the city office directly.

Public Data and Trust

This planning and zoning permit phishing scam highlights a broader cybersecurity issue—how publicly accessible government data can be weaponized. Permit records and zoning applications are often publicly available to maintain transparency in local governance. But criminals are increasingly exploiting this information to craft targeted attacks. In this case, the scam works because it combines accurate data with institutional trust. Most applicants assume that communications about permit fees will come from government offices, and the emails mimic that expectation convincingly. The result is a form of government impersonation phishing that is harder for victims to detect than traditional scams.

Lessons from the Planning and Zoning Permit Phishing Scam

The rise of this planning and zoning permit phishing scam offers several lessons for businesses, property owners, and local governments. First, legitimate-looking emails should never be trusted solely based on branding or professional formatting. Attackers can easily replicate logos, signatures, and official language. Second, payment requests, especially those involving wire transfers or cryptocurrency—should always be verified through official channels. Experts recommend contacting the relevant city or county office directly using the phone number listed on the government’s official website rather than responding to an email. Applicants should also carefully examine the sender’s domain and watch for subtle misspellings or unusual characters.

Reporting Permit Payment Fraud

Authorities are urging victims of the planning and zoning permit phishing scam to report incidents to the FBI’s Internet Crime Complaint Center (IC3). Reports should include details such as:

• The sender’s email address and date of the message
• Any phone numbers included in the communication
• The project’s scheduled hearing date, if applicable
• The amount requested and the payment method demanded

Reporting these scams helps investigators identify patterns and disrupt criminal networks running permit payment fraud schemes. The emergence of the planning and zoning permit phishing scam is another reminder that cybercriminals are increasingly exploiting real-world processes—not just digital vulnerabilities. When administrative systems move online and data becomes public, attackers adapt quickly. For applicants and businesses, the safest approach remains simple: verify first, pay later. In today’s threat landscape, even a routine permit email deserves a second look.

As the world prepares to celebrate International Women’s Day on March 8, The Cyber Express takes the opportunity to celebrate the achievements of the women trailblazers of the realm of cybersecurity. We proudly present the “Top 50 Women in Cybersecurity to Watch in 2026.”   This special recognition to Women in Cybersecurity highlights influential professionals who are driving innovation, strengthening cyber resilience, and shaping the future of digital security across industries.  This year’s International Women’s Day theme, “Give to Gain,” stresses on meaningful progress towards gender equality, which requires intentional contributions from governments, organizations, and individuals. When institutions invest in women’s safety, leadership, and opportunities, the impact extends far beyond workplace representation — strengthening innovation, improving decision-making, and building more resilient societies. 

Women in Cybersecurity: Progress and Persistent Challenges 

Within cybersecurity, women continue to expand their presence in a field that has historically been male dominated. According to the latest available data, women currently make up about 22% of the global cybersecurity workforce, a significant increase from just 11% in 2017. Today, one in four cybersecurity professionals is a woman, and projections suggest that by 2031, women could represent nearly one-third of the cybersecurity workforce.  Despite this progress, challenges remain. In the United States, women still hold less than 20% of cybersecurity roles, and a gender pay gap of around 5% persists in the sector. Career growth also continues to present obstacles, with nearly half of women in cybersecurity reporting challenges in professional advancement, while almost one-third say they have experienced workplace discrimination at some point in their careers.  Even so, women across the cybersecurity ecosystem are making remarkable contributions — from leading security operations and shaping national cyber policies to advancing threat intelligence, digital forensics, and cyber resilience strategies. Their work is not only protecting organizations and critical infrastructure but also inspiring the next generation of security professionals.  Keeping this in mind, The Cyber Express’ “Top 50 Women Leaders in Cybersecurity to Watch in 2026” recognizes professionals whose leadership, expertise, and impact are helping redefine the cybersecurity landscape. Their journeys reflect the spirit of International Women’s Day on 8 March — demonstrating that when we support and empower women in cybersecurity, the entire digital ecosystem stands to gain. 

Top 50 Women Leader in Cybersecurity | IWD Special by The Cyber Express 

Name	Designation	Company Name
Celia Mantshiyane	Group Chief Information Security Officer	FirstRand
Radhika Bajpai	CISO	Russell Investments
Holly Foxcroft	Cyber Security Business Partner - BISO	OneAdvanced
Dr Sheeba Armoogum	Associate Professor in Cybersecurity	University of Mauritius
Irene Corpuz	Founding Partner, Head of Governance & Communications	Women in Cyber Security Middle East
Patricia "Patty" Voight	Executive Managing Director; CISO and Tech Risk Management	Webster Bank
Alya Al Marzooqi	Group Digital Risk Management and Compliance Manager	ADNOC Group
Sakshi Porwal	Global Chief Information Security Officer & Cybersecurity Consulting Practice Head	Compunnel Inc.
Rona Michele Spiegel, CISSP	Senior Manager, Security and Trust, Mergers and Acquisitions	Autodesk
Dr Priyanka Sunder	Co-Founder & Chief Human Risk Intelligence Officer	Secure Mojo
Lauren Dana Rosenblatt	Vice President, Chief Information Security Officer (CISO)	PSEG
Sheeba Sultan Hasnain	Chairwoman & CIO	SENTIENTE
Dr. Meetali Sharma	Director - Risk, Compliance and Information Security	SDG Corporation
Kylie Watson	Head of Cyber Security, ANZ/ASEAN/Japan/India/GC/Middle East/Africa	DXC Technology
Catherine Rowe	Chief Information Security Officer	Reserve Bank of Australia
Maryam Bechtel	General Manager, Chief Information Security Officer (CISO)	TAL Australia
Sofia Scozzari	CEO (Chief Executive Officer) and Founder	Hackmanac
Archana Venugopal	Senior Vice President & Chief Information Secuirty Officer National aCommodity& Derivates Exchange	National Commodity & Derivative Exchange Of India Limited
Shivani Arni	Enterprise CISO	Mahindra Group
Cindy (Monceaux) Hoots	Chief Digital Officer & CIO	AstraZeneca
Jae Evans	EVP, Oracle Cloud Infrastructure and Global CIO	Oracle
Sheila Jordan	Chief Digital Technology Officer	Honeywell
Maria Demaree	Senior Vice President, Enterprise Business and Digital Transformation & CIO	Lockheed Martin
Heide Young	Manager Cyber Strategy & Engagement	NEOM
Eman Al Awadhi	Vice President – Network and Cyber Security	Expo City Dubai
Julia Dudenko	Group CISO	Haniel
Anne Neuberger	Deputy National Security Advisor, Cyber & Emerging Tech	National Security Council, The White House
Kris Lovejoy	Global Head of Strategy	Kyndryl
Ramya Ganesh	Cybersecurity XDR Leader	Cisco
Jane Teh	Founder and CEO	VortiQ[x]
Nasrin Rezai	SVP, Chief Information Security Officer	Verizon
Laura Deaner	Chief Information Security Officer	The Depository Trust & Clearing Corporation (DTCC)
Mignona Coté	SVP Chief Information Security Officer	Infor
Noopur Davis	Global CISO. Chief Product Privacy Officer. Corporate EVP.	Comcast
Teresa Zielinski	Vice President, CISO	GE Vernova
Andrea Abell	Chief Information Security Officer	Eli Lilly and Company
Deneen DeFiore	Vice President & Chief Information Security Officer	United Airlines
Elizabeth Joyce	EVP & Global CISO	State Street
Mary Rose Martinez	Chief Information Security Officer and Vice President of Infrastructure	Marathon Petroleum Corporation
Marnie (Huss) Wilking	VP Chief Security Officer	Booking.com
Hannah Suarez 🇵🇸	CISO	Loyalty Status Co
Annie (Anne) Haggar	Deputy Chief of Staff	Australian Government
Sujata Misra	GM - Network Infra and Security Leader	Brigade Group
Bonnie Butlin	Co-Founder and Executive Director	Security Partners' Forum
Gurdeep Kaur	Chief Operating Officer	Suraksha Catalyst
Vandana Verma	President	InfoSec Girls
Mansi Thapar	Global Head – Cyber Security & Infra	Apollo Tyres
Rosalia Hajek	CISO	Topgolf Callaway Brands
Carmen Marsh	President & CEO	United Cybersecurity Alliance (Europe, US, Middle East & Japan)
Lisa Fitzgerald	Partner	Norton Rose Fulbright

 

When Australia's cyber watchdog issued a fresh advisory on INC Ransom, security teams worldwide are bound to take note — not because INC is new, but because the group's business model has quietly made it one of 2025's most relentless forces targeting the very networks societies depend on to survive.

Australia's Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the advisory warning that INC Ransom's affiliate model now enables a broad range of threat actors to target critical infrastructure — from healthcare systems to government networks — with minimal technical skill of their own.

INC Ransom operates as a Ransomware-as-a-Service (RaaS) group. It is a criminal franchise model where core developers build and maintain the ransomware platform, then lease it to "affiliates" who carry out the actual attacks in exchange for a cut of the ransom. Think of it as a dark-web franchise. The brand, tools, and infrastructure belong to INC; the break-ins happen through hired hands.

As of mid-2025, more than 200 victims appeared on INC's data leak site, and in July 2025, INC ranked as the most deployed ransomware based on victim postings. That scale does not happen by accident. It reflects a deliberate expansion through affiliates who carry existing access and expertise from other groups.

Also read: Cyberattack on ControlNET: INC Ransom Group Claims Breach of Building Technology Provider

Prime Focus on Healthcare

Healthcare organizations bore the brunt of INC's activity between January and August 2025, with education, technology, and government entities also ranking among the top victim sectors.

"Since January 2025, the ACSC has observed INC Ransom affiliates target Australian Health Care sector entities using compromised accounts. Upon initial access, affiliates have conducted privilege escalation by creating admin level accounts and moving laterally within victim networks," the advisory said. In June, the Tongan Ministry of Health (MoH) ICT environment was attacked by a ransomware that impacted core services and disrupted the national health care network. ACSC said, this was also the work of INC ransomware group as was an attack on a healthcare sector entity further down south in New Zealand. "Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen. INC Ransom claimed responsibility for this incident, and published the dataset on its DLS (data leak site)," ACSC confirmed.

Exploits Known Vulnerabilities

INC affiliates do not reinvent the wheel. They exploit known, unpatched vulnerabilities in widely deployed enterprise software. Documented entry points include CVE-2023-3519 in Citrix NetScaler — a remote code execution flaw patched in July 2023 — CVE-2023-48788, a SQL injection vulnerability in Fortinet Endpoint Management Server, and CVE-2024-57727, a SimpleHelp RMM path traversal flaw added to CISA's Known Exploited Vulnerabilities catalog in February 2025.

INC Ransom also used CitrixBleed (CVE-2023-4966), a vulnerability in Citrix NetScaler ADC and Gateway appliances that lets threat actors bypass multifactor authentication and hijack legitimate user sessions. In practical terms, an attacker does not need stolen credentials. They can walk through the front door using a session that already has authorization.

Once inside, INC affiliates follow a disciplined playbook. They archive data with 7-Zip before exfiltrating it via MegaSync, use AES encryption, and drop ransom notes printed directly to network printers. The group then applies double extortion — encrypting systems while threatening to publish stolen data publicly unless the victim pays.

In one high-profile case, INC Ransom claimed a breach of the Pennsylvania Office of the Attorney General in August 2025, stating it removed more than 5 terabytes of data and hinted at access to federal networks. The office refused to pay.

Also read: Ahold Delhaize USA Confirms Data Stolen in 2024 Cyberattack

The group's reach does not stop at U.S. borders. INC Ransom targeted Alder Hey Children's NHS Foundation Trust in the U.K., claiming to have obtained large-scale patient records, donor reports, and procurement data. This pattern of targeting public-sector healthcare — institutions with constrained security budgets and life-critical dependencies — reflects a calculated predatory strategy.

Microsoft Threat Intelligence tracks significant INC affiliate activity through a group it calls Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024 after previously using BlackCat, Quantum Locker, Zeppelin, and Rhysida. The fluidity between groups showcases a core feature of the RaaS model where affiliates shop for the most effective tools and swap them out when law enforcement pressure mounts.

Australia now mandates that organizations with annual turnover above $3 million, as well as critical infrastructure operators, report ransomware or extortion payments within 72 hours — a regulatory shift designed to erode the financial incentives that sustain groups like INC.

The ACSC advisory recommends network defenders prioritize patching of internet-facing systems, implement phishing-resistant multifactor authentication, segment networks to limit lateral movement, and monitor for unusual use of legitimate administrative tools such as PowerShell and Remote Desktop Protocol (RDP).

Given that INC ransomware elements have also been linked to the development of Lynx ransomware — a derivative group — the threat footprint extends well beyond INC's own branding. Defenders who neutralize INC today may face the same code under a different name tomorrow.

iPhone and iPad running iOS 26 can now handle restricted NATO information without special software, though security experts warn consumer devices create new attack surfaces.

Apple announced Thursday that iPhone and iPad became the first consumer mobile devices approved to handle classified NATO information up to the restricted level, following extensive security testing by Germany's Federal Office for Information Security.

The certification enables NATO personnel across all member nations to use standard iOS 26 and iPadOS 26 devices for restricted data without requiring specialized software, containerization or additional security layers—a milestone no other consumer device manufacturer has achieved.

Germany's BSI conducted exhaustive technical assessments, comprehensive testing and deep security analysis to verify Apple's built-in platform security capabilities met NATO nations' operational and assurance requirements. The devices now appear on NATO's Information Assurance Product Catalogue, formally recognizing that Apple's hardware-software integration provides adequate protections for restricted classified information.

Also read: NATO Faces Escalating Cyberthreats: From Espionage to Disinformation

"Secure digital transformation is only successful if information security is considered from the beginning in the development of mobile products," said Claudia Plattner, BSI's president. The certification builds on Apple's previous approval to handle classified German government data using native iOS and iPadOS security measures without third-party modifications.

Apple stressed that its security architecture differs fundamentally from traditional approaches requiring bespoke solutions. "Prior to iPhone, secure devices were only available to sophisticated government and enterprise organizations after a massive investment in bespoke security solutions," said Ivan Krstić, Apple's vice president of Security Engineering and Architecture. "Instead, Apple has built the most secure devices in the world for all its users, and those same protections are now uniquely certified under assurance requirements for NATO nations."

The certification relies on Apple's integrated security features including hardware-based encryption through the Secure Enclave processor, biometric authentication via Face ID, Memory Integrity Enforcement preventing code injection attacks, and comprehensive device encryption that protects data at rest and in transit. These capabilities operate across Apple's custom silicon, operating system and applications without requiring users to enable special modes or install government-specific software.

NATO's "restricted" classification represents the alliance's lowest tier for classified information, covering data requiring protection but not meeting thresholds for confidential, secret or top secret designations. Restricted information typically includes operational planning details, logistics coordination and administrative documents that could aid adversaries if disclosed but would not directly compromise critical security operations.

The approval marks a pragmatic shift in how governments balance security requirements against operational flexibility. NATO personnel can now use familiar consumer devices rather than specialized hardened phones that typically cost thousands of dollars per unit, offer limited functionality and create friction in daily workflows. The consumer device approval potentially saves member nations substantial procurement costs while improving user adoption.

However, security experts note that consumer devices certified for government use introduce considerations absent from purpose-built secure communications platforms. Unlike specialized government phones designed exclusively for classified communications, iPhones and iPads run consumer applications, connect to public networks and integrate with cloud services creating expanded attack surfaces.

A cryptography professor at a known U.S. University, told The Cyber Express that he would still want to be cautious on this since in the past few years, Apple's security architecture has been proven to have consumer threats, including nation-state adversaries targeting NATO countries. "The question isn't whether Apple has good security—they do. It's whether consumer devices designed for billions of users can adequately protect against targeted attacks by adversaries specifically hunting for NATO intelligence," he said.

Also read: Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

The certification also raises questions about long-term support and update requirements. Consumer devices receive operating system updates for limited periods before Apple designates them obsolete. Government security requirements typically demand decades-long support commitments that conflict with consumer product lifecycles where devices become outdated within five years.

Apple has not disclosed whether NATO members negotiated extended support agreements, how the company will handle security vulnerabilities discovered in iOS 26 after consumer support ends, or whether classified data handling requires organizations to prevent users from installing consumer applications that could introduce risks.

The announcement follows Apple's decade-long effort to gain U.S. government security clearances. The U.S. Department of War (formerly know as Department of Defense) approved iPhones for handling certain classified information in 2013-14, though those implementations required mobile device management software and container applications separating classified data from personal use—requirements NATO's certification explicitly eliminates.

Despite concerns, the NATO approval represents validation that Apple's security-by-design approach can meet rigorous government standards for protecting sensitive information, potentially encouraging other consumer technology manufacturers to prioritize security architecture capable of government certification rather than relying on post-hoc security layers.

The Federal Trade Commission (FTC) takes its stand around age verification technologies and children’s online privacy. In a new policy statement released Wednesday, the agency clarified that it will not bring enforcement actions under the Children’s Online Privacy Protection Rule (COPPA Rule) against website and online service providers that collect and use personal data solely for age verification technologies, provided strict safeguards are followed. This move signals a practical shift in how regulators are approaching the complex balance between privacy compliance and real-world child safety online.

FTC Encourages Adoption of Age Verification Technologies

The new FTC policy statement aims to remove regulatory uncertainty that has long discouraged platforms from implementing age verification technologies. Under the COPPA Rule, operators must obtain verifiable parental consent before collecting personal information from children under 13. However, determining whether a user is a child often requires collecting some form of personal data—creating a compliance dilemma for companies. By clarifying its enforcement stance, the FTC is effectively encouraging platforms to adopt stronger age verification technologies rather than relying on outdated self-reported age gates that are easy for children to bypass. “Age verification technologies are some of the most child-protective technologies to emerge in decades,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online.” The policy reflects the reality that children’s internet usage has dramatically expanded since COPPA was first enacted in 1998. Today’s digital ecosystem includes social platforms, gaming environments, streaming services, and AI-driven applications—many of which were unimaginable when the law was originally written.

Why Age Verification Technologies Are Becoming Essential

The FTC’s position comes at a time when policymakers globally are questioning whether existing frameworks are sufficient to protect minors online. Several U.S. states have already begun introducing regulations requiring platforms to implement age verification technologies. The core issue is simple: platforms cannot protect children if they cannot reliably identify them. Traditional age-gating methods—such as asking users to enter their date of birth—have proven ineffective. More advanced age verification technologies now use biometric estimation, identity verification tools, or secure third-party validation systems to improve accuracy. However, these tools often require temporary collection of personal data, which previously raised concerns about COPPA violations. The FTC’s updated enforcement approach attempts to resolve this contradiction.

Conditions Platforms Must Follow Under the FTC Policy

While the FTC is offering flexibility, the policy is far from a free pass. Platforms must comply with several strict conditions when using age verification technologies, including:

• Using collected data strictly for age verification purposes
• Deleting the information promptly after verification
• Implementing strong security safeguards
• Providing clear transparency to parents and children
• Sharing data only with trusted third-party providers capable of maintaining confidentiality
• Ensuring the verification method produces reasonably accurate results

Importantly, the FTC emphasized that operators must still comply with all other COPPA requirements when handling children’s data. This structured approach suggests the agency is trying to promote responsible innovation rather than loosen privacy protections.

A Practical but Transitional Regulatory Shift

The FTC also confirmed that it plans to review the COPPA Rule to formally address age verification technologies, indicating that this policy statement may be a transitional step toward broader regulatory updates. From an industry perspective, the decision removes a key barrier that has slowed adoption of modern child-safety controls. Many platforms have hesitated to deploy stronger verification tools due to fears of enforcement risk. At the same time, privacy advocates are likely to closely monitor how companies implement these technologies—particularly around biometric data and third-party verification vendors. Ultimately, the FTC’s message is clear: identifying children online is becoming a regulatory expectation, not just a technical option. As digital environments grow more difficult, age verification technologies are increasingly positioned as a foundational layer of online safety. The challenge ahead will be ensuring these tools protect children without creating new privacy risks, a balance regulators and technology providers will need to navigate carefully in the coming years.