A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Thursday, April 9, 2026. I'm Rich Stroffelino.

Ransomware knocks Dutch healthcare vendor offline

The attack impacted the Dutch software vendor Chipsoft, which provides patient record software to 80% of Dutch healthcare facilities. The Netherlands Computer Emergency Response Team said it received a notification of a ransomware attack on the company as of April 7th. Local news outlet NOS reports 11 hospitals have pulled Chipsoft's software offline after the attack. No group has claimed responsibility, and it's unclear whether Chipsoft is in negotiations over a ransom.

APT28 is keeping busy

Remember that warning from the UK's National Cyber Security Centre about a campaign by APT28, aka Fancy Bear or Forest Blizzard, that was targeting TP-Link and MikroTik routers? Well, a joint operation from the FBI, Microsoft and Lumen's Black Lotus Labs put up a roadblock to the operation, dubbed Operation Masquerade. The parties worked to reset DNS settings to prevent APT28 from using the routers as a means for further access. A report from Microsoft said the espionage network impacted over 200 organizations and 5,000 customer devices, although Lumen said it found no evidence that US government agencies were impacted. Don't worry about APT28, though. They're still keeping busy. Trend Micro released a report on a spear phishing campaign by the group that used a new malware suite called Prismex. This combines advanced steganography, Component Object Model hijacking and legitimate cloud service abuse for command and control. The campaign targeted organizations in Ukraine, including government entities and critical infrastructure, and included details on NATO partnerships.

CIA quietly elevated its cyber espionage division

Since 2015, the CIA's Center for Cyber Intelligence resided within the Directorate of Digital Innovation. However, Recorded Future News confirmed that as of October 2025, CIA Director John Ratcliffe elevated the unit into a full mission center. CIA spokesperson Liz Lyons said the move enhances the CIA's ability to deliver the best intelligence on foreign cyber threats to policymakers, ensure that no target is beyond the reach of our capabilities, and drive continued improvement of cyber tradecraft. This will see the center's leadership report directly to Ratcliffe. According to a former intelligence officer speaking to Recorded Future News, this type of elevation occurs when a director deems something a huge strategic priority. There was no public announcement of the move last fall, possibly due to the government shutdown, but Congress was informed about the change.

The bitter truth about a hack-for-hire campaign

A joint report from Access Now, Lookout and SMEX details a hack-for-hire campaign by a group with suspected links to the Indian government. Known as Bitter, this campaign targeted civil society members in the Middle East and North Africa with spyware. This campaign has been active since at least 2022, using spear phishing through fake social media accounts to install the Android ProSpy spyware. Details on ProSpy were first released last year by ESET, which profiled its use on United Arab Emirates residents.

And now a huge thanks to our sponsor for today, Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance and customer trust together on one AI-powered platform. So whether you're preparing for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/ciso. That's V-A-N-T-A.com/ciso.

Details on the Mashesu botnet

Researchers at Trellix released a report on this botnet, active since at least 2023. The operators advertise the botnet on Telegram to both Chinese and English speakers, offering DDoS as a service. The botnet enrolls IoT devices primarily in Vietnam, but also shows activity in Brazil, India, Iran, Kenya and Ukraine. It obfuscates its presence by forking processes and dynamically renaming the original executable path every 15 minutes in order to appear as a regular system component. It also terminates wget and curl processes and locks out temporary folders to prevent infection by other botnets. Right now, the Telegram channel for Mashesu has over 400 subscribers, but researchers estimate its customer base to be much larger.

Claude finds teenage Apache bug

With Anthropic's Mythos preview model, we'll likely see an explosion of fairly complex exploit chains using some very old bugs. But you don't need to wait for Mythos access. Horizon3.ai published details on a remote code execution bug in Apache ActiveMQ Classic, effectively hiding in plain sight for the past 13 years. This allows an attacker to use ActiveMQ's API to trigger a management operation that can fetch a remote config file or run OS commands. In some versions, no credentials are needed when chained to another API vulnerability, effectively turning this into an unauthenticated remote code execution flaw. Researchers mostly used Claude to find the flaw, which they said remained undiscovered because it used multiple components developed independently over that time. "AI finds vulnerability" might not be a headline in the near future, but this seemed like a good preview of what Mythos and other models are increasingly making commonplace.

NHS Scotland domains serving illicit content

Former cybersecurity engineer Nick Hatter discovered multiple domains operated by Scotland's healthcare provider that served illicit content, mostly porn and illegal sports streams. These links appeared to have been created back in January and were associated with the new surgery facility in Kilmacombs. The spokesperson for NHS Greater Glasgow and Clyde said these compromised domains were for a legacy site administered by local general practitioners and showed no evidence of compromise to the broader NHS system. Hatter also found compromised primary domains for another GP in the Shetland Isles. It's not clear how the domains were compromised, but Hatter believes a DNS attack or a compromised WordPress setup were the most likely culprits.

Minnesota calls in the National Guard after cyberattack

Minnesota Governor Tim Walz sent in the National Guard to Winona County, citing a cyberattack that caused significant disruption. The Guard will help ensure vital municipal services continue without interruption. Back on January 23rd, Winona County officials said they had suffered a ransomware attack, but Walz's executive order this week does not say if this is related to the incident that occurred this past week. County officials are working with the FBI and state IT services to recover.

How does the business determine what counts as success for a CISO? What warrants a raise in salary? We're getting down to brass tacks on this week's episode of Defense in Depth. Look for the episode "How should we measure the performance of a CISO?" wherever you get your podcasts. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffelino, CISO Series
Main Theme:
A rapid-fire breakdown of the day's most significant cybersecurity incidents and trends—ransomware in Dutch healthcare, ongoing APT28 (Fancy Bear) operations, a major CIA cyber unit escalation, hack-for-hire revelations, botnet developments, AI-driven vulnerability discovery, NHS Scotland domain compromise, and emergency National Guard cyber response in Minnesota.
Timestamp: 00:18
"The Netherlands computer emergency response team said it received a notification of a ransomware attack on the company as of April 7th." (00:18)
Timestamp: 01:18
"The parties worked to reset DNS settings to prevent APT28 from using the routers as a means for further access." (01:39)
"They're still keeping busy... a spear phishing campaign by the group that used a new malware suite called Prismex." (02:10)
Timestamp: 02:39
"The move enhances the CIA's ability to deliver the best intelligence on foreign cyber threats to policymakers, ensure that no target is beyond the reach of our capabilities, and drive continued improvement of cyber tradecraft." – CIA spokesperson Liz Lyons (02:54)
Timestamp: 04:29
"It obfuscates its presence by forking processes and dynamically renaming the original executable path every 15 minutes in order to appear as a regular system component." (04:47)
Timestamp: 05:18
"Researchers mostly used Claude to find the flaw, which they said remained undiscovered because it used multiple components developed independently over that time." (05:40)
Timestamp: 06:00
"These compromised domains were for a legacy site administered by local general practitioners and showed no evidence of compromise to the broader NHS system." (06:22)
Timestamp: 06:42
"The Guard will help ensure vital municipal services continue without interruption." (06:48)
"This type of elevation occurs when a director deems something a huge strategic priority." (03:13)
"AI finds vulnerability might not be a headline in the near future, but this seemed like a good preview..." (05:56)
This episode delivers pointed, rapid insights into critical cybersecurity happenings across healthcare, government, espionage, and AI-driven security research. Rich Stroffelino maintains an authoritative yet concise tone, distilling each story into its most salient details for professionals to stay informed, alert, and proactive.