
Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 9 stories across 6 topic areas, including: Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks; Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms; Lessons for organizations from the Verizon 2026 Data Breach Investigations Report.
Krebs on Security · May 25 · Relevance: █████████░ 9/10
Why it matters to CISOs: The dismantling of Stark Industries-linked bulletproof hosting infrastructure used by Russian intelligence agencies directly reduces adversary capacity for EU-targeted cyberattacks and influence operations—a significant law enforcement milestone with implications for threat modeling against Russian-nexus actors.
The Hacker News · May 25 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Lazarus Group's deployment of a memory-only RAT targeting financial institutions signals continued North Korean state-sponsored focus on financial sector intrusions, with fileless execution techniques designed to evade endpoint detection tools common in enterprise environments.
Help Net Security · May 25 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The annual DBIR remains the most empirically grounded benchmark for breach causation trends, giving CISOs data-backed ammunition to justify security investment priorities and program strategy to boards and executives.
Wired Security · May 25 · Relevance: ██████░░░░ 6/10
Why it matters to CISOs: AI-accelerated exploit development is compressing the window between vulnerability discovery and weaponization, forcing CISOs to rethink patch velocity assumptions and invest in predictive exposure management rather than reactive patching cycles.
BleepingComputer · May 25 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A PhaaS platform capable of bypassing MFA by abusing OAuth device code authentication is a direct threat to enterprise M365 environments—CISOs should assess conditional access policies and device code flow restrictions immediately given the FBI's active warning.
Help Net Security · May 25 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: With 65% of senior decision-makers using unapproved AI tools despite knowing the risks, CISOs face a top-down shadow AI problem that cannot be solved through employee-level policy enforcement alone—this reframes the governance challenge as an executive risk conversation.
BankInfoSecurity · May 25 · Relevance: ██████░░░░ 6/10
Why it matters to CISOs: Conflicting signals from White House executive orders—tightening KYC requirements while easing fintech oversight—create compliance uncertainty for financial sector CISOs who must navigate overlapping and potentially contradictory regulatory obligations.
BankInfoSecurity · May 25 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Zscaler's acquisition of Symmetry Systems signals a strategic market move to unify AI model visibility, agentic identity governance, and zero trust controls—CISOs evaluating their AI security architecture and vendor consolidation strategies should track how this reshapes the DSPM and AI governance landscape.
The Hacker News · May 25 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A coordinated cross-ecosystem supply chain attack spanning npm, PyPI, and Crates.io with 34 malicious packages across 384 versions poses immediate risk to enterprise development pipelines—security teams should audit developer environments and dependency inventories now.
Alex: Welcome to Cleartext. It's Monday, May 25th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We've got a packed show today. Dutch authorities just made the biggest takedown of Russian-linked cyber infrastructure we've seen in years. Lazarus Group has a new toy that your EDR probably can't see. The FBI is actively warning about a phishing service that's eating Microsoft 365 environments for lunch. We'll talk about the new Verizon DBIR, the AI bug hunting arms race, a supply chain attack hitting three package ecosystems simultaneously, and why your C-suite might be your biggest shadow AI problem. Plus a quick look at Zscaler's latest acquisition play. Jordan, let's start with the Netherlands.
Jordan: Yeah, this is a big one. Dutch authorities arrested two individuals who co-owned hosting companies that had taken over the infrastructure of Stark Industries Solutions, a provider the EU had already sanctioned for being a staging ground for Russian intelligence cyber operations. Eight hundred servers seized. This wasn't some symbolic law enforcement action. This was dismantling active operational infrastructure used for cyberattacks, influence operations, and disinformation campaigns targeting the EU.
Alex: And what makes this particularly interesting from a strategic perspective is that Krebs actually profiled these hosting companies back in 2025. So the intelligence community and the journalism community had visibility into this for over a year before enforcement caught up. That gap between identification and action is something CISOs should think about when they're assessing how long adversary infrastructure persists.
Jordan: Exactly. And the practical implication here is that if you're running threat models against Russian-nexus actors, particularly if you're operating in Europe or you have significant EU exposure, this takedown genuinely degrades adversary capacity. Not permanently, they'll rebuild. But eight hundred servers is not trivial to replace, especially the relationships and the routing and the reputation those IPs had built up over time. It creates a window of reduced capability.
Alex: For CISOs with European operations, this is the kind of event you want to brief your board on. Not because it changes your security posture overnight, but because it demonstrates that the enforcement landscape in Europe is getting more aggressive. And that has implications for how you think about geopolitical risk in your threat model. It's also worth noting that the EU sanctions regime is now showing teeth. Sanctions aren't just diplomatic signals anymore. They're becoming predicate offenses that lead to arrests and infrastructure seizures.
Jordan: Which brings a nice segue to the second state-sponsored story. Lazarus Group, North Korea's premier cyber unit, is deploying a new cross-platform memory-only RAT called RemotePE against financial institutions and crypto firms. Fox-IT, which is NCC Group's subsidiary, published the research. The attack chain uses two loaders, DPAPILoader and RemotePELoader. The clever bit is DPAPILoader uses Windows' own Data Protection API to decrypt its payloads, which means the decryption keys are tied to the machine and user context. If you're doing offline forensics or trying to detonate this in a sandbox that doesn't have the right DPAPI context, you're not going to see the payload.
Alex: And the memory-only execution means there's nothing on disk for traditional endpoint tools to scan. This is precisely the kind of technique that exposes gaps between organizations that have invested in behavioral detection and memory scanning versus those still relying primarily on file-based detection. If you're a CISO in financial services or anywhere near cryptocurrency operations, this should trigger an immediate conversation with your detection engineering team about coverage for fileless execution chains, particularly ones abusing legitimate Windows APIs.
Jordan: The cross-platform nature is also worth flagging. RemotePE isn't just a Windows problem. If you've got mixed environments, and most financial institutions do, you need to think about this holistically. Lazarus doesn't care about your org chart. They care about where the money is.
Alex: Let's shift to something that should be an action item for literally every CISO listening. The FBI issued an active warning about Kali365, a phishing-as-a-service platform targeting Microsoft 365 accounts. Jordan, walk us through the mechanism.
Jordan: So Kali365 abuses OAuth device code authentication flows. This is the flow where you see a code on one device and enter it on another to authenticate. The attack tricks users into entering an attacker-controlled device code, which then gives the attacker a session token. Here's the critical part: this bypasses MFA entirely. You've authenticated, you've completed your second factor, and the attacker gets the resulting session token. Your MFA did exactly what it was supposed to do, and it didn't matter.
Alex: This is a board-level conversation because most boards have been told that MFA is the cornerstone of their identity security strategy. And it is. But this is a concrete example of a commodity service, not a nation-state tool, a service anyone can buy, that renders MFA insufficient on its own. The action items are clear. Review your conditional access policies in Entra ID. Specifically, look at whether you've restricted device code flows. Most organizations have no reason to allow device code authentication broadly. Restrict it to the specific scenarios where it's actually needed, managed conference room devices, that sort of thing.
Jordan: And if you haven't deployed token binding or continuous access evaluation in your M365 environment, this is your wake-up call. The FBI doesn't issue warnings about phishing kits that aren't working. This thing is effective at scale.
Alex: Alright, let's talk about the Verizon 2026 DBIR. It's out. If you haven't read it yet, clear some time this week. Jordan, what's your read?
Jordan: The DBIR remains the single most useful empirical dataset we have for understanding how breaches actually happen versus how we think they happen. And every year, it humbles us. I won't spoil the full report because CISOs should actually read it, but the value here is in using the data to pressure-test your own assumptions. If you're spending sixty percent of your budget on a threat category that accounts for ten percent of actual breaches, the DBIR is the document that helps you have that conversation with your CFO.
Alex: And I'd add, for those of you preparing board presentations this quarter, the DBIR is the most credible external source you can cite. Boards respond to empirical data, especially when it comes from a source they recognize. Use it to validate your program priorities or, frankly, to justify pivoting spend where the data says the actual risk is.
Jordan: Now let's talk about something that should change how you think about patch management timelines. Wired published a piece on the AI bug hunting arms race, and the headline number is striking. Anthropic's Mythos model has reportedly found thousands of critical bugs. This isn't theoretical anymore. AI-powered vulnerability discovery is operating at production scale.
Alex: The implication for CISOs is that the window between vulnerability discovery and weaponization is compressing. If AI can find bugs faster, it can also be used to develop exploits faster. Your patch velocity assumptions from even two years ago may be dangerously stale. If you were comfortable with a thirty-day patch cycle for critical vulnerabilities, you need to revisit that.
Jordan: The defenders are using these tools too. That's the arms race part. But the asymmetry still favors attackers because they only need one exploit, and defenders need to patch everything. The strategic response isn't just faster patching. It's predictive exposure management. Understanding which of your assets are most likely to be targeted based on what AI-assisted discovery is finding in the wild.
Alex: Staying on the offensive threat side, TrapDoor. This is a coordinated supply chain attack that's been active since May 22nd, so just three days. Thirty-four malicious packages across three hundred eighty-four versions spanning npm, PyPI, and Crates.io simultaneously. This is credential-stealing malware targeting developer environments.
Jordan: The multi-ecosystem coordination is what elevates this. We've seen malicious packages in npm. We've seen them in PyPI. Hitting three ecosystems simultaneously with a coordinated campaign suggests a well-resourced actor with a broad targeting mandate. This isn't opportunistic. This is planned.
Alex: If you have development teams, and you do, your Monday morning action item is an audit of recently added dependencies across all three ecosystems. Talk to your engineering leads. Make sure your software composition analysis tooling is flagging these specific packages. And if you don't have a policy requiring review of new dependencies before they enter your build pipeline, this is the incident that justifies creating one.
Jordan: Now for the story that made me laugh and then immediately made me concerned. TrustedTech published research showing sixty-five percent of senior decision-makers are using unapproved AI tools. Compared to thirty-one percent of regular employees. The C-suite is your biggest shadow AI problem.
Alex: This completely inverts the governance model most CISOs have built. We've been writing acceptable use policies aimed at employees. We've been doing awareness training for rank and file. And it turns out the executives, who approved those policies, are the ones most aggressively violating them. This is not a policy enforcement problem. This is a culture and incentive problem at the top of the organization.
Jordan: And you can't exactly put your CEO through a mandatory training module and expect behavior change. The approach has to be different. You need to make the approved tools as frictionless as the shadow ones, and you need to frame the risk in terms executives care about. Not abstract data leakage. Concrete scenarios. Your board presentation draft just went into a model trained on the internet. Your M&A target list is now in a third party's training data.
Alex: This is honestly one of the most important governance conversations CISOs will have this year. You need executive sponsors who understand the risk, and you need to be willing to have uncomfortable conversations with your peers in the C-suite.
Jordan: Quick hit on the Zscaler-Symmetry acquisition. Zscaler is buying Symmetry Systems to add AI model visibility, agentic identity governance, and zero trust controls specifically for AI workloads.
Alex: This is a clear signal that the DSPM market is converging with AI governance. If you're evaluating vendors in either space, watch this integration closely. The ability to track AI data lineage and govern agentic identities, meaning AI systems that act autonomously with their own credentials, is going to become a table-stakes requirement in the next twelve to eighteen months.
Jordan: And finally, a brief note on the conflicting executive orders around financial services regulation. One tightens KYC, the other eases fintech oversight. If you're a CISO in financial services, work closely with your compliance team to understand which interpretation your regulators are going to land on. Don't wait for clarity. Start mapping both scenarios now.
Alex: Alright, Jordan, let's look at the week ahead. What's the thread connecting today's stories?
Jordan: The theme I keep coming back to is the acceleration of adversary capability and the compression of response timelines. Whether it's AI finding bugs faster, phishing-as-a-service commoditizing MFA bypass, or supply chain attacks coordinating across three ecosystems in seventy-two hours, the speed of the threat landscape is outpacing the organizational processes most of us have in place. The Dutch takedown is encouraging, but it's one action against an entire ecosystem of adversary infrastructure.
Alex: Agreed. And the shadow AI story connects to that because it shows that the acceleration isn't just external. Our own organizations are moving faster than our governance frameworks can keep up with, and the pressure is coming from the top. This week, I'd watch for DBIR-driven conversations to start shaping budget discussions as we head into planning season. I'd also keep a close eye on TrapDoor. Three days old and already spanning three ecosystems. That campaign is going to expand.
Jordan: And patch your conditional access policies for device code flows. Today. Not after your next change window. Today.
Alex: That's our show for Monday, May 25th. Show notes and links to every story we covered are at cleartext.fm. I'm Alex Chen.
Jordan: I'm Jordan Reeves. Stay sharp. We'll see you tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-25.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.