Please enjoy this encore of Career Notes.

Laura Hoffner, Executive Vice President at Concentric, shares her story about her time working as a Naval Intelligence Officer and supporting special operations around the globe for 12 years, to now, where she transitioned to the Naval Reserves and joined the Concentric team. Laura has known since she was in the seventh grade that she wanted to work with SEALs and work in intelligence, so she set her goals high and achieved them shortly after graduating college. She credits being a Naval Intelligence Officer to helping her get to where she is today and says how much she is enjoying working with Concentric, saying she's "ultimately just incredibly benefiting from unbelievable mentors at the company itself." We thank Laura for sharing her story.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." Built for long-term espionage, the campaign uses DLL sideloading, in-memory execution, and abused Windows services to stay stealthy and persistent.

We walk through how the multi-stage framework delivers a powerful backdoor with reconnaissance, lateral movement, data theft, and keylogging capabilities—and what this operation reveals about the evolving tactics defenders need to watch for.

The research can be found here:

Learn more about your ad choices. Visit megaphone.fm/adchoices

The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE’s latest surveillance system. CISA marks a milestone by retiring ten Emergency Directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes, a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. After firing the experts, DOGE hangs a help wanted sign.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today on our Industry Voices, we are joined by Sonali Shah, CEO of Cobalt, talking about 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. Tune into the full conversation here.

Selected Reading

NSA cyber directorate gets new acting leadership (The Record)

Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods (404 Media)

CISA Retires Ten Emergency Directives, Marking an Era in Federal Cybersecurity (CISA.gov)

Trend Micro warns of critical Apex Central RCE vulnerability (Bleeping Computer)

X pulls Grok images after UK ban threat over undress tool (The Register)

Alleged cyber scam kingpin arrested, extradited to China (The Record)

Chinese Hackers Use NFC-Enabled Android Malware to Steal Payment Information (GB Hackers)

The Great VM Escape: ESXi Exploitation in the Wild (Huntress)

Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrest (Infosecurity Magazine)

US DOGE Service is hiring following mass workforce losses across the government (Gov Exec)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The US withdraws from global cybersecurity institutions. A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015. Facial recognition that’s bear-ly controversial. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, for a conversation on CISA 2015 and its role in today’s cybersecurity and policy landscape. If you enjoyed this conversation, be sure to tune into the full interview on the next Caveat.

Selected Reading

US announces withdrawal from dozens of international treaties (The Record)

US To Leave Global Forum on Cyber Expertise (Infosecurity Magazine)

Max severity Ni8mare flaw lets hackers hijack n8n servers (Bleeping Computer)

Cisco warns of Identity Service Engine flaw with exploit code (Bleeping Computer)

CISA tags max severity HPE OneView flaw as actively exploited (Bleeping Computer)

Threat Actors Exploit Commodity Loader in Targeted Email Campaigns Against Organizations (GB Hackers)

Are Copilot prompt injection flaws vulnerabilities or AI limits? (Bleeping Computer)

Microsoft to enforce MFA for Microsoft 365 admin center sign-ins (Bleeping Computer)

Illinois state agency exposed personal data of 700,000 people (The Record)

Oswego man Kyle Svara, 26, allegedly hired by college coach Steve Waithe to get Snapchat access codes from nearly 600 women: FBI (ABC7 Chicago)

How facial recognition for bears can help ecologists manage wildlife (The Conversation)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Jaguar Land Rover reveals the fiscal results of last year’s cyberattack. A Texas gas station chain suffers a data spill. Taiwan tracks China’s energy-sector attacks. Google and Veeam push patches. Threat actors target obsolete D-Link routers. Sedgwick Government Solutions confirms a data breach. The U.S. Cyber Trust Mark faces an uncertain future. Google looks to hire humans to improve AI search responses. Our guest is Deepen Desai, Chief Security Officer of Zscaler, discussing what’s powering enterprise AI in 2026. AI brings creative cartography to the weather forecast.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s Industry Voices, we are joined by Deepen Desai, Chief Security Officer of Zscaler, discussing what’s powering enterprise AI in 2026. To learn more on this topic, be sure to check out Zscaler’s report here. Listen to the full conversation here.

Selected Reading

Jaguar Land Rover wholesale volumes plummet 43% in cyberattack aftermath (The Register)

Major Data Breach Hits Company Operating 150 Gas Stations in the US (Hackread)

Taiwan says China's attacks on its energy sector increased tenfold (Bleeping Computer)

Google Patches High-Severity Chrome WebView Flaw CVE-2026-0628 in the Tag Component (Tech Nadu)

Several Code Execution Flaws Patched in Veeam Backup & Replication (SecurityWeek)

New D-Link flaw in legacy DSL routers actively exploited in attacks (Bleeping Computer)

Sedgwick confirms breach at government contractor subsidiary (Bleeping Computer)

FCC Loses Lead Support for Biden-Era IoT Security Labeling (GovInfoSecurity)

Google Search AI hallucinations push Google to hire "AI Answers Quality" engineers (Bleeping Computer)

‘Whata Bod’: An AI-generated NWS map invented fake towns in Idaho (The Washington Post)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Grok’s non-consensual imagery draws scrutiny from the European Commission.  Researchers link several major data breaches to a single threat actor. The UK unveils a new Cyber Action Plan. A stealthy ClickFix campaign targets the hospitality sector. VVS Stealer malware targets Discord users. Covenant Health and AFLAC report data leaks. Google silences a critical Dolby flaw. Ilona Cohen, Chief Legal and Policy Officer at HackerOne discusses “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.” UK students enjoy a digital snow day. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Ilona Cohen, Chief Legal and Policy Officer at HackerOne and former senior lawyer to President Obama, as she is discussing “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.”

Selected Reading

EU looking ‘very seriously’ at taking action against X over Grok (The Record)

Grok's AI CSAM Shitshow (404 Media)

Dozens of Major Data Breaches Linked to Single Threat Actor (SecurityWeek)

UK Launches New Cyber Unit to Bolster Defences Against Cyber Threats (Infosecurity Magazine)

Sophisticated ClickFix Campaign Targeting Hospitality Sector (SecurityWeek)

New VVS Stealer Malware Targets Discord Users via Fake System Errors (Hackread)

Covenant Health Notifying 480K Patients of 2025 Data Theft (Infosecurity)

Aflac Notifies 22.6 Million People of June Data Theft Attack (Infosecurity)

Critical Dolby leak in Android patched by Google (Techzine Global)

Students bag extended Christmas break after cyber hit on school IT (The Register)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Venezuela blames physical attacks for blackout as cyber questions swirl. Trump reverses a chip technology sale over national security issues, and removes sanctions linked to Predator spyware. Greek officials say an air traffic shutdown was not a cyberattack. The U.S. Army launches a new officer specialization in AI and machine learning. The Kimwolf botnet infects more than two million devices worldwide. ZoomStealer uses browser extensions to grab sensitive online meeting data. The European Space Agency confirms a cybersecurity incident. Former lawmakers and cyber policy leaders warn that U.S. cyber defenses are slipping. On today’s Afternoon Cyber Tea host Ann Johnson welcomes Troy Hunt, founder of Have I Been Pwned. A researcher swipes left on white supremacy.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On this segment of Afternoon Cyber Tea with host Ann Johnson, Ann is joined by Troy Hunt, founder of Have I Been Pwned, to explore what billions of breached records reveal about attacker behavior, human weakness, and the state of breach disclosure. To listen to Ann and Troy's full conversation, visit the episode page. You can catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app. 

Selected Reading

Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes (POLITICO)

US Action in Venezuela Provokes Cyberattack Speculation (GovInfosecurity)

COMUNICADO | CORPOELEC denuncia ataque perpetrado contra el Sistema Eléctrico Nacional (MPPEE)

President Trump Orders Divestment in $2.9 Million Chips Deal to Protect US Security Interests (SecurityWeek)

Treasury removes sanctions for three executives tied to spyware maker Intellexa (The Record)

Greece says a radio failure that grounded flights is unlikely to be a cyberattack (WRAL.com)

US Army to Establish AI Officer Corps for High-Tech Military Management (ForkLog)

The Kimwolf Botnet is Stalking Your Local Network (Krebs on Security)

Zoom Stealer browser extensions harvest corporate meeting intelligence (Bleeping Computer)

European Space Agency Confirms Server Breach (Infosecurity Magazine)

Time to restore America’s cyberspace security system (CyberScoop)

Researcher Wipes White Supremacist Dating Sites, Leaks Data on okstupid.lol (Hackread)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes.

Chief Information Security Officer at Immuta, Michael Scott shares his story from working at a forgotten internet service provider to leading the security fight for major food chain restaurants. Michael explains how the different roles at various companies he has worked with paved his way to where he is now at Immuta. He works with a group of colleagues and he leads in a different style, describing that "It really is just a collection of a lot of, we call humble intellects" working with him. Michael attributes adversity to being a cornerstone of existence in the security community, and explains how that helps him keep up the fight. We thank Michael for sharing his story with us.

Learn more about your ad choices. Visit megaphone.fm/adchoices

While our team is out on winter break, please enjoy this episode of Research Saturday.

Today we are joined by ⁠⁠Selena Larson⁠⁠, co-host of ⁠⁠Only Malware in the Building⁠⁠ and Staff Threat Researcher and Lead Intelligence Analysis and Strategy at ⁠⁠Proofpoint⁠⁠, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon.

These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks.

The research can be found here:

Learn more about your ad choices. Visit megaphone.fm/adchoices

While our team is out on winter break, please enjoy this episode of Cyber Things from our partners at Armis.

Welcome to Episode 2 of Cyber Things, a special edition podcast produced in partnership by Armis and N2K CyberWire in an homage to Stranger Things. Host ⁠Rebecca Cradick⁠, VP of Global Communications at ⁠Armis⁠, is joined by ⁠Curtis Simpson⁠, CISO at Armis, to dive deep into the rise of the “Hive Mind”: the collective, connected threat ecosystem where attackers share tools, data, and tactics across the dark web, evolving faster than ever through AI-powered reconnaissance and automation.

This is essential listening for anyone seeking to better understand how today’s adversaries no longer operate alone, but as a distributed learning network that observes, adapts, and strikes with speed and precision. Tune in now to learn how organizations can think upside down, harness AI, and build defenses that move at the speed of today’s threats - before the shadows reach your network.

Learn more about your ad choices. Visit megaphone.fm/adchoices