Texas hospital breach, CISA orders NetScaler patch, ISO file RAT warning - Cybersecurity Headlines

Summary4 min read

Cybersecurity Headlines – April 3, 2026

Host: Steve Prentiss | CISO Series

Episode Overview

This episode of Cybersecurity Headlines delivers top stories impacting the infosec landscape, focusing on major breaches, new malware tactics, urgent patch advisories, and evolving cybercriminal techniques. Key topics include a significant hospital data breach, federal vulnerability patch mandates, malware trends, and warnings about attacks leveraging popular messaging apps and real estate fraud.

Key Discussions and Insights

1. Nacogdoches Memorial Hospital Data Breach

[00:21–01:12]

Incident details:
- On January 31st, Nacogdoches Memorial Hospital in Texas experienced a breach affecting 257,000 individuals.
- A threat actor accessed internal networks likely compromising personal identifiable information (PII), medical and account numbers, health plan beneficiary numbers, and photographs.
- No suspects have been named; no claims of responsibility have emerged.
Quote:
- "A threat actor hacked into its internal network and information systems and likely accessed the information of 257,000 individuals..." — [Announcer, 00:37]

2. CISA Orders Patch for Citrix NetScaler Vulnerability

[01:12–01:39]

Federal urgency:
- CISA mandated all federal agencies patch the CVE-tagged Citrix NetScaler flaw by Thursday, due to reports of active exploitation.
- This critical vulnerability (severity score 9.3) impacts application delivery and authentication.
- Echoes issues similar to “CitrixBleed.”
Quote:
- "CISA has now ordered federal agencies to patch the CVE numbered bug by Thursday since reports of exploitation emerged over the weekend." — [Steve Prentiss, 01:15]

3. ISO-based Malware Campaign Deploys RATs & Miners

[01:48–02:27]

Attack summary:
- Elastic Security identified a campaign (“ref1695”) distributing remote access Trojans and crypto miners via fake installers since November 2023.
- Attackers use ISO files to bypass Microsoft Defender SmartScreen.
- Monetization happens through malware mining and cost-per-action fraud involving deceptive content “lockers.”
Quote:
- "These attacks leverage an ISO file as the infection vector to bypass Microsoft Defender smart screen protections." — [Steve Prentiss, 02:18]

4. Storm: A Next-Gen InfoStealer

[02:37–04:02]

Research insight:
- Varonis researchers warn of new “Storm” infostealer malware harvesting browser credentials, session cookies, and crypto wallets.
- Unique approach: stolen data remains encrypted until reaching attacker infrastructure, bypassing local endpoint detection.
- Sold “as-a-service” for less than $1,000/month, lowering the barrier for aspiring cybercriminals.
Quote:
- "...Storm instead sends encrypted files to its own infrastructure instead of decrypting them locally." — [Steve Prentiss, 03:40]

5. UK Advises on Surge in Messaging App Attacks

[04:02–04:33]

National warning:
- The UK National Cyber Security Centre (NCSC) raises concerns about escalating attacks, primarily by Russian actors, targeting high-risk individuals on WhatsApp and Signal.
- China-linked APT31 and Iranian groups (IRGC) named as emerging perpetrators.
- Sectors at risk: government, academia, journalism, politics, and law.
Quote:
- "This March 31 report from the NCSC raises the stakes a little by both confirming the increase in activity and also adding China state affiliated group APT31 and hackers linked to Iran's Islamic Revolutionary Guard Corps to the activities." — [Announcer, 04:18]

6. Hybrid Cybercrime: Exploiting Vacant Homes for Fraud

[04:33–05:35]

Technique evolution:
- Criminal tutorials teach identification and exploitation of vacant rental properties (via Zillow, Rightmove, Zoopla) for intercepting postal mail to enable ID theft and financial fraud.
- Recommendations for maintaining the appearance of occupancy to reduce detection.
Quote:
- "In some cases, threat actors even recommend physically maintaining abandoned properties to make them appear occupied, reducing the risk of drawing attention while using the address for fraudulent purposes." — [Announcer, 05:27]

7. Nissan Data Leak Tied to Third-Party Vendor

[05:40–06:25]

Incident context:
- Nissan confirms a vendor breach, not a direct attack, after Everest Hacking Group claimed to have stolen 910 GB of data via a dealership service provider.
- Stolen data allegedly includes customer, dealership, and auto loan records; no internal Nissan systems breached.
Quote:
- "Nissan reiterated that it had found no indication that Nissan systems were compromised or that any Nissan customer information was accessed or put at risk." — [Announcer, 06:20]

8. CERT-UA Impersonated in RAT Phishing Campaign

[06:27–07:33]

Details:
- Ukraine’s CERT-UA reports a phishing wave impersonating the agency to distribute “AgeWeeze” RAT, linked to group UAC-0255.
- Suspected targets: state entities, health, security, educational, financial, and software sectors.
- Attackers urged targets to install malicious “specialized software.”

Memorable Quotes

"Security controls fail when they break the business. Successful teams phase in protections gradually, starting with visibility, then moving to enforcement." — [Interspersed sponsor read, 03:17]
"If you've ever had trust issues with your security team, you have to join us today at 1pm Eastern Time." — [Announcer re: Super Cyber Friday, 07:09]

Notable Segments and Timestamps

Texas Hospital Data Breach: 00:21–01:12
CISA Citrix Patch Mandate: 01:12–01:39
ISO RAT & Crypto Miner Attacks: 01:48–02:27
Storm InfoStealer Techniques: 02:37–04:02
UK NCSC Messaging App Warning: 04:02–04:33
Vacant Home Exploitation Tutorial: 04:33–05:35
Nissan Third-Party Data Leak: 05:40–06:25
CERT-UA RAT Phishing Campaign: 06:27–07:33

Overall Tone

The episode maintains a brisk, fact-driven delivery characteristic of Cybersecurity Headlines. The tone is urgent but practical, emphasizing actionable information for security professionals and highlighting how evolving tactics and vulnerabilities are driving the threat landscape.

For more in-depth coverage and resources, visit CISOseries.com.

Loading summary

Transcript47 lines

[00:00]
Announcer
Before we get into the headlines, just a quick reminder that April is Trust
[00:04]
Steve Prentiss
Month at CISO Series, and we've got
[00:06]
Announcer
some fun events lined up in April to talk about trust in cybersecurity. So stay tuned to the end of
[00:12]
Steve Prentiss
this episode for more details from the
[00:15]
Narrator
CISO series, it's Cybersecurity Headlines.
[00:22]
Steve Prentiss
These are the cybersecurity headlines for Friday, April 3, 2026. I'm Steve Prentiss 250,000 people affected by data breach at Texas Hospital this incident
[00:37]
Announcer
occurred at Naca Doches Memorial Hospital in the city of NACA Doches, Texas on January 31st. Hospital representatives state that a threat actor hacked into its internal network and information systems and quote, likely accessed the information of 257,000 individuals, end quote with potentially compromised data including standard PII as well as medical record numbers, account numbers, health plan beneficiary numbers and photographs. The hospital has not named any potential
[01:07]
Steve Prentiss
suspects nor have any claims yet been made.
[01:12]
Announcer
CISA says patch Citrix netscaler bug by
[01:15]
Steve Prentiss
Thursday following up on a story we
[01:18]
Announcer
covered this week, CISA has now ordered
[01:20]
Steve Prentiss
federal agencies to patch the CVE numbered
[01:23]
Announcer
bug by Thursday since reports of exploitation
[01:26]
Steve Prentiss
emerged over the weekend.
[01:28]
Announcer
This vulnerability impacts Citrix NetSCALAR application delivery controllers used to manage traffic and authentication. It carries a severity score of 9.3 and has the hallmarks of Citrix bleed
[01:39]
Steve Prentiss
and Citrix bleed Two researchers uncover mining operation using Isolures Researchers from Elastic Security
[01:49]
Announcer
are warning of a financially motivated operation codenamed ref1695, which has been leveraging fake installers to deploy remote access Trojans at and cryptocurrency miners since November of 2023. In addition to crypto mining, the threat actor monetizes infections through cost per action fraud, directing victims to content locker pages under the guise of software registration. These attacks leverage an ISO file as
[02:19]
Steve Prentiss
the infection vector to bypass Microsoft Defender smart screen protections.
[02:24]
Announcer
A link to more details about this multi level attack technique is available in
[02:28]
Steve Prentiss
the show notes to this episode. New Storm infostealer remotely decrypts stolen credentials
[02:37]
Announcer
this particular warning comes from security researchers at Varonis who say this new stealer malware harvests browser credentials, session cookies and crypto wallets. Daniel Kelly, a senior security consultant at Varonis, says this new infosteeler represents a shift in how credential theft is developing. Whereas traditional info stealers used to decrypt browser credentials on the victim's machine, endpoint security tools adapted to flag such malicious behavior, Storm instead sends encrypted files to its own infrastructure instead of decrypting them locally. It is also available for enterprising cybercriminals for less than $1,000 per month, huge thanks to our sponsor ThreatLocker. Security controls fail when they break the business. Successful teams phase in protections gradually, starting with visibility, then moving to enforcement. That approach allows organizations to reduce risk without overwhelming IT teams or disrupting critical workflows. Learn more at threatlocker.com UK Security Centre warns of hackers increasing WhatsApp and Signal attacks this warning comes from the National Cybersecurity center based in the uk, which has seen growing malicious activity from Russia
[04:02]
Steve Prentiss
based actors using messaging apps to target high risk individuals. This includes people working in government and
[04:10]
Announcer
politics, academia, journalism and the legal profession. This has been an ongoing story for quite a while, but this March 31 report from the NCSC raises the stakes a little by both confirming the increase in activity and and also adding China state affiliated group APT31 and hackers linked to Iran's Islamic Revolutionary Guard Corps to
[04:31]
Steve Prentiss
the activities
[04:34]
Announcer
criminals taught to exploit vacant
[04:36]
Steve Prentiss
homes in hybrid cybercrime technique Online fraud
[04:41]
Announcer
tutorials are now teaching hackers how to exploit publicly available data, weak identity verification processes and operational gaps to identify and exploit vacant residential properties to intercept sensitive mail for the purposes of enabling identity
[04:57]
Steve Prentiss
theft and financial fraud.
[05:00]
Announcer
These real residential temporarily unoccupied properties can be used to receive mail without immediately
[05:07]
Steve Prentiss
alerting the rightful occupants.
[05:09]
Announcer
In the tutorial. Threat actors Learn how to search real
[05:12]
Steve Prentiss
estate platforms such as Zillow, rightmove or
[05:15]
Announcer
zoopla filtering for recently listed rental properties as well as older listings to identify properties that have remained unoccupied for extended
[05:23]
Steve Prentiss
periods, increasing their reliability as drop locations.
[05:28]
Announcer
In some cases, threat actors even recommend physically maintaining abandoned properties to make them appear occupied, reducing the risk of drawing
[05:35]
Steve Prentiss
attention while using the address for fraudulent purposes.
[05:41]
Announcer
Nissan says Stolen data came from third party vendor Japanese automaker Nissan has stated that recent claims of a data breach were related to information held by a third party vendor. This follows an announcement from the Everest Hacking Group, which said it had breached the file transfer system used by a company that offers services to Nissan and Infiniti dealerships across North America. The group claims to be in possession of 910gb of stolen data, including information on customers, dealerships and loans offered to car buyers. Nissan reiterated that it had found no indication that Nissan systems were compromised or that any Nissan customer information was accessed
[06:25]
Steve Prentiss
or or put at risk.
[06:28]
Announcer
Threat actors impersonate cert Ua to spread malware the Computer Emergency Response Team of Ukraine Certua has itself revealed details of a phishing campaign that once again has impersonated the agency, this time to distribute
[06:44]
Steve Prentiss
a rat called ageweeze.
[06:47]
Announcer
The campaign was carried out by a group known as UAC0255, which urged recipients to install specialized software. These recipients include state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. If you're listening to this on Friday morning, then there is still time to join us for our first Super Cyber Friday of Trust Month at 1pm today. The topic will be Hacking Trust in Leadership. We'll be spending an hour discussing how cybersecurity teams build internal trust, lose trust, and earn it back. If you've ever had trust issues with your security team, you have to join us today at 1pm Eastern Time.
[07:33]
Steve Prentiss
We'll help you get to a better place.
[07:36]
Announcer
If that sounds good to you, head on over to our events page@cisoseries.com to register. And if you have some thoughts on
[07:43]
Steve Prentiss
the news from today or about this
[07:44]
Announcer
show in general, please be sure to reach out to us@feedbackisoseries.com we would love
[07:50]
Steve Prentiss
to hear from you. I'm Steve Prentiss reporting for the CISO series.
[07:59]
Narrator
Cybersecurity headlines are available every weekday. Head to CISoseries.com for the full stories behind the headlines.