
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
B
Elite iOS exploit kit Karuna goes mass market; FBI wiretapping tools again hacked by Chinese-linked threat actors; Microsoft have a new ClickFix trick with Windows Terminal; AWS data centers in the Middle East targeted in ongoing war; and Iranian hackers becoming increasingly active and skilled. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. A new and highly sophisticated iOS exploit kit dubbed Karuna has been uncovered in a series of targeted cyber attacks. Originally reported by BleepingComputer, this spyware-grade toolkit has been used in both espionage and financially motivated attacks, marking a troubling shift in how these tools are being deployed. The Karuna exploit kit contains 23 separate iOS exploits, including five complete exploit chains that leveraged advanced non-public techniques to bypass security protections in iOS versions ranging from 13 to 17, essentially covering devices running software released from 2019 to late 2023. Google's Threat Intelligence Group, or GTIG, first detected the Karuna kit in February 2025, initially spotting its use by a surveillance vendor's client in a highly targeted operation. However, the toolkit has since spread, and by late 2025 it appeared on malicious websites linked to cryptocurrency scams. GTIG attributed this activity to a financially motivated Chinese threat group known as UNC6691. The Karuna kit is capable of selecting specific exploit chains based on the target device's iOS version, allowing attackers to take advantage of vulnerabilities in WebKit, bypass security measures like pointer authentication codes, and escalate privileges to gain deeper control of affected devices. Notably, the kit was also found to stop its activity if Apple's Lockdown Mode or private browsing features were enabled, an important reminder of how valuable these protections can be.
One particularly alarming aspect of the Karuna kit is its final payload, a stager loader called Plasma Loader, tracked as Plasma Grid, which targets popular cryptocurrency wallet apps like MetaMask, Fantom and Uniswap. The malware attempts to steal critical data such as wallet recovery phrases and sensitive account information by luring victims to fake finance and cryptocurrency websites. According to GTIG researchers, stolen data is encrypted and sent to command and control servers, which use a domain generation algorithm for resilience against takedown attempts. While the exact circumstances of Karuna's proliferation remain unclear, experts believe it represents a broader trend of advanced spyware tools once used nearly exclusively by nation states and surveillance vendors falling into the hands of cybercriminals. Mobile security firm iVerify called Karuna a, quote, clear example, end quote, of how sophisticated capabilities once reserved for high value targets like government officials are now being weaponized against everyday people. This evolution in the mobile threat landscape highlights why staying vigilant about software updates and enabling features like Lockdown Mode is more critical than ever. The FBI is currently investigating a potential cybersecurity breach involving one of its most important internal platforms, raising concerns about threats to sensitive law enforcement data. The incident, which occurred in February, centered around the FBI's Digital Collection System Network, reports the Record. The system supports wiretaps, pen register surveillance tools and other intelligence gathering mechanisms used for criminal and national security investigations. The breach was reportedly discovered on February 17 when irregular network activity was detected. In a statement to the Record, an FBI spokesperson confirmed that they had identified and addressed suspicious activities on FBI networks and had leveraged all technical capabilities to respond.
The investigation has now expanded to include the White House, the Department of Homeland Security and the National Security Agency. While the affected system is described as unclassified, it does store sensitive information related to ongoing investigations and surveillance operations. According to a letter sent to Congress, the attackers may have gained access via an Internet service provider used as a vendor by the FBI. This raises significant concerns about the security of third party vendors and the potential vulnerabilities they introduce into these critical national security and law enforcement systems. This breach is the latest in a series of cyber attacks targeting US federal agencies. In 2024, Chinese state sponsored hackers connected to the Salt Typhoon operation were discovered to have breached systems used by U.S. law enforcement agencies for wiretaps. More recently, the U.S. Marshals Service and federal court systems have also fallen victim to cyber attacks, including ransomware and other data breaches. While few details of the February incident have been disclosed, it underscores the importance of securing critical systems and vendor relationships against both nation state hackers and cybercriminals. The FBI's efforts to contain and investigate this breach highlight the ongoing challenges agencies face in protecting sensitive information and systems against increasingly persistent and sophisticated adversaries. This story also highlights why so many cybersecurity and privacy advocates push back regularly against any notion of government backdoors into encryption services used by the regular public, as such capabilities can be abused and, even more worrisome, hijacked by these very same hostile nation states or potentially by criminal groups. Microsoft has revealed details of a new twist on the sophisticated ClickFix social engineering campaign.
This time, criminals are exploiting the Windows Terminal app as part of an elaborate attack chain to deploy the Lumma Stealer malware. The campaign, first observed in February 2026, underscores how attackers are leveraging legitimate tools to bypass security defenses and compromise unsuspecting users. Instead of relying on the traditional method of tricking users into pasting malicious commands into the Windows Run dialog box, the attackers employed an interesting evolution. They instructed targets to instead use the Windows + X, I shortcut to launch the Windows Terminal app, wt.exe, a program often used by IT professionals for administrative tasks. This strategy made the attack appear more legitimate and bypassed some existing detections designed to flag suspicious Run dialog abuse. Once users opened Windows Terminal and pasted a specially crafted hex-encoded, XOR-compressed command from a ClickFix lure page, the attack began. The command spawned additional terminal and PowerShell instances, ultimately invoking a PowerShell process to decode the malicious script. From there, the attack unfolded in the usual stages. Number one, a zip payload and a renamed 7-Zip binary were downloaded, with the binary extracting the zip file's contents. Additional payloads were then retrieved and persistence was established using scheduled tasks. Microsoft Defender exclusions were configured to evade detection. Machine and network data were then exfiltrated and the Lumma Stealer malware was deployed by injecting malicious code into chrome.exe and msedge.exe processes, allowing the attackers to harvest sensitive browser data such as saved credentials. A second attack pathway was also detected involving the use of a batch script to write and execute a Visual Basic script via msbuild.exe. This method abused living-off-the-land binaries to further evade detection.
The campaign also incorporated techniques like connecting to crypto blockchain RPC endpoints and leveraging EtherHiding for further obfuscation. The Lumma Stealer malware targeted high value browser artifacts, including stored login credentials, and exfiltrated the stolen information to attacker controlled infrastructure. This campaign demonstrates the increased use of legitimate tools by threat actors to execute complex attacks while evading traditional detection mechanisms. These kinds of attacks also don't look like the kinds of phishing that many people have been trained on for many years. By asking people to validate that they're human or fix a problem, they can get users to execute these commands with surprising effectiveness. And now we turn to cyber related coverage for the ongoing Iran war. Iranian state sponsored hacking group MuddyWater, also known as Seedworm, has been linked to a series of sophisticated cyber attacks targeting US and Israeli networks, according to new research from Broadcom's Symantec and Carbon Black Threat Hunting Teams. The group, affiliated with Iran's Ministry of Intelligence and Security, has been observed infiltrating networks of US banks, airports, nonprofit organizations and the Israeli branch of a software company. The campaign, which reportedly began in early February, has escalated in the wake of the recent US and Israeli military strikes on Iran. MuddyWater is using new tools in these attacks, including a previously unknown backdoor dubbed din door, which relies on the Deno JavaScript runtime. Additionally, a Python based backdoor called fakeset has been identified on the networks of a US airport and a nonprofit, downloaded from servers belonging to the American cloud storage company Backblaze.
Notably, these attacks highlight advanced tactics such as leveraging cloud storage services like Wasabi and Backblaze for data exfiltration. Symantec and Carbon Black researchers noted that digital certificates used in these attacks have also been linked to other MuddyWater malware families, reinforcing the attribution to the Iranian state sponsored group. This latest revelation is part of a broader wave of cyberattacks tied to the ongoing Middle East conflict. In recent months, Iranian linked groups and their proxies have ramped up offensive cyber operations targeting critical infrastructure in Gulf states like the UAE, Qatar and Bahrain, as well as Israel. Here's a quick recap of known recent activity. First, wiper campaigns in Israel. Multiple wiper malware campaigns have been launched against Israeli energy, financial, government and utility sectors. Iran's wiper arsenal includes over 15 malware families such as ZeroCleare, Meteor and Dustman. Second, surveillance system exploits. Iranian-aligned threat actors have increased their targeting of vulnerable surveillance cameras in Israel and in Gulf nations. These attacks are suspected to assist military operations and even in missile and drone targeting, according to Check Point researchers. And that makes sense. This is the exact same playbook that Israel and the United States used in the targeted killing of Iran's Supreme Leader by hacking into Tehran's traffic camera network. And it's not just Iranian hacktivists and other nation state folks getting involved. Pro-Russian linked hacktivists are also ramping up in support of Iran. Groups like Handala Hack and 313team have targeted industrial control systems and government portals in the Middle East. Meanwhile, Z Pentest, a pro-Russian hacktivist group, have claimed responsibility for compromising US based ICS/SCADA systems and CCTV networks during Operation Epic Fury.
This news comes amidst other news reports that Russia is providing Iran with targeting information to help in its efforts. Experts warn that these developments illustrate the growing maturity of Iran's cyber capabilities. Rather than relying on cutting edge zero day exploits, Iranian operators are employing repeatable, proven tactics like credential theft, social engineering and exploitation of known vulnerabilities. The focus for them right now is maintaining persistence in enterprise environments and leveraging cloud infrastructure as part of their operations. As the Middle East remains a geopolitical flashpoint, folks like the Canadian Centre for Cyber Security and others, including CISA, have issued advisories and warnings about the Iranian threat on the cyber front, warning that it may increasingly target critical infrastructure in retaliation for the ongoing military action. Organizations are urged to adopt a proactive stance in their cybersecurity strategies that includes strengthening monitoring capabilities where possible, limiting exposure to the Internet and restricting remote access to operational technology (OT) systems, particularly any of these vulnerable CCTV and IP camera connected systems, implementing phishing resistant multi factor authentication, segmenting networks, maintaining good validated backups, and regularly updating applications including firewalls and other edge devices. In the words of Adam Meyers, head of Counter Adversary Operations at CrowdStrike, quote, Western organizations should continue to remain on a high alert for potential cyber responses. As the conflict continues, activity may escalate beyond hacktivism into more destructive operations. On that note, last week Iranian drones struck three Amazon Web Services data centers located in the United Arab Emirates and Bahrain, sparking global online service outages.
As reported by Futurism, the attacks have drawn significant concern as they mark what experts believe to be the first time American big tech infrastructure has been directly targeted in a military operation. According to Amazon, the strikes caused significant damage to their infrastructure, disrupting power delivery and even triggering fire suppression systems that resulted in further water damage. Iranian state affiliated media claim that Microsoft facilities were also targeted. Though no disruptions have been reported by Microsoft to date, the attacks highlight the growing risks faced by data centers, which are increasingly being recognized as critical infrastructure on the modern battlefield. The Middle East has become a hotspot for US hyperscalers. Companies like Amazon, Microsoft and Google operate large scale cloud computing platforms in the region. This growing presence puts American assets in the region at greater risk. Patrick Murphy, executive director of the Geopolitical Unit at Hilco Global, pointed out that the attacks represent a shift in focus for Iran and its proxies. Historically, oil fields were the primary target in the region, but now these strikes demonstrate that these data centers are viewed as equally important to their respective countries and may be potentially more vulnerable. Experts warn that fortifying data centers against attacks could prove challenging, as vital components like turbines, air conditioning units and other exposed systems can be easily targeted. The incident also underscores the growing importance of data centers in the global economy, particularly with the rise of artificial intelligence. Companies like OpenAI and Nvidia are investing heavily in the Middle East, driven by the increased demand for computing power required to support advanced AI systems. However, as these facilities become more critical, they also become more valuable to hit.
Amazon has acknowledged the risks posed by the ongoing geopolitical instability in the region and has urged clients to migrate workloads out of the Middle East to other AWS regions as a precaution. The company stated that the broader operating environment in the Middle East remains unpredictable and it is working to restore the damaged facilities. The incident serves as a stark reminder that as technology evolves, so too does the nature of modern warfare. Data centers, once seen as mere enablers of the digital economy, are emerging as strategic national assets that require the same level of protection as traditional critical infrastructure like energy and water systems. We covered the opening cyber impacts tied to the Iran war in Saturday's Month in Review panel discussion. It's well worth a listen if you're following the conflict and the evolution of cyber warfare. That's Cybersecurity Today for Monday, March 9, 2026. I've been your host, David Shipley. Thanks for listening and thanks for your continued support. Please keep leaving reviews, ratings and sharing the show with others. We'd love to continue to reach even more people and we need your help. To the listener who left a recent review complimenting my pronunciation of Venezuela's state owned oil company PDVSA, thank you, and thank you for the tip on improving how I pronounce Caracas. Thanks so much. Have a wonderful week. Stay safe.
A
And finally, we'd like to thank our sponsor Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses, all the way to data centers. Book a demo at meter.com/CST, that's M-E-T-E-R dot com slash CST.
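The Windows Terminal ClickFix chain described in the episode (wt.exe spawning PowerShell to decode a long hex-encoded command, Defender exclusions, scheduled-task persistence) gives defenders a concrete process-tree pattern to hunt for. The following Python is an added example, not code from the podcast or from Microsoft's report: it scores constructed process-creation events, with hypothetical field names rather than any real EDR schema, against those three indicators.

```python
"""Detection sketch for the Windows Terminal ClickFix chain described in the episode.

Added example, not the podcast's or Microsoft's: constructed process-creation events
(hypothetical field names, not a real EDR schema) are scored against three indicators
the episode names: PowerShell spawned under wt.exe with a long hex-looking argument,
a Defender exclusion being added, and a scheduled task created from a PowerShell child.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


HEX_BLOB = re.compile(r"\b[0-9a-fA-F]{64,}\b")  # long run of hex characters
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def ancestors(ev, by_pid):
    """Yield lower-cased parent images up the tree, stopping at gaps or loops."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur.image.lower()
        cur = by_pid.get(cur.ppid)


def score_events(events):
    """Return {pid: [reasons]} for every event matching a chain indicator."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        parents, reasons = list(ancestors(ev, by_pid)), []
        if ev.image.lower() in POWERSHELL and "wt.exe" in parents and HEX_BLOB.search(ev.cmdline):
            reasons.append("PowerShell under Windows Terminal with long hex argument")
        if DEFENDER_EXCL.search(ev.cmdline):
            reasons.append("Defender exclusion added")
        if SCHTASKS_CREATE.search(ev.cmdline) and POWERSHELL & set(parents):
            reasons.append("scheduled task created from PowerShell")
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample tree: explorer -> wt.exe -> powershell (hex blob) -> children.
# The hex blob is just an ASCII label encoded, not a real payload.
BLOB = b"constructed sample data for the detection demo".hex()
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wt.exe", "wt.exe"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -c " + BLOB),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public\\stage"),
    ProcEvent(500, 300, "schtasks.exe", "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\stage\\run.cmd /sc minute"),
    ProcEvent(600, 200, "powershell.exe", "powershell.exe -NoProfile -Command Get-ChildItem"),
    ProcEvent(700, 100, "powershell.exe", "powershell.exe -c " + BLOB),  # hex, but no wt.exe parent
]
```

Benign Windows Terminal use (pid 600) and a hex argument outside the wt.exe tree (pid 700) produce no findings, so the chain itself, not any single process, is what triggers.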
Host: David Shipley
Main Themes: Updates on emerging cybersecurity threats, high-profile breaches, and implications for businesses amid evolving geopolitical conflict.
This episode focuses on several major stories shaping the cybersecurity landscape in early 2026, with deep dives into:
David Shipley explores how advanced cyber tools, once restricted to state actors, are now being weaponized by criminal groups; the evolving threat environment facing both government and private critical infrastructure; and practical defense strategies businesses must prioritize.
“iVerify called Karuna a ‘clear example’ of how sophisticated capabilities once reserved for high value targets like government officials are now being weaponized against everyday people.” (05:30)
“This story also highlights why so many cybersecurity and privacy advocates push back regularly against any notion of government backdoors into encryption services… such capabilities can be abused and, even more worrisome, hijacked by these very same hostile nation states or potentially by criminal groups.” (09:12)
“These kinds of attacks also don’t look like the kinds of phishing that many people have been trained on for many years. By asking people to validate that they’re human or fix a problem, they can get users to execute these commands with surprising effectiveness.” (12:30)
Surge in Iranian Activity
Escalating Wiper & Surveillance Attacks
“This is the exact same playbook that Israel and the United States used in the targeted killing of Iran’s Supreme Leader by hacking into Tehran’s traffic camera network.” (14:28)
Direct Military Strikes on Data Centers
“Historically, oil fields were the primary target in the region, but now these strikes demonstrate that these data centers are viewed as equally important to their respective countries and may be potentially more vulnerable.” (16:48)
“Organizations are urged to adopt a proactive stance in their cybersecurity strategies that includes strengthening monitoring capabilities… segmenting networks and maintaining good validated backups… regularly updating applications including firewalls and other edge devices.” (15:52)
Adam Meyers (CrowdStrike): “Western organizations should continue to remain on high alert for potential cyber responses. As the conflict continues, activity may escalate beyond hacktivism into more destructive operations.” (16:27)
This episode underscores the increasing accessibility of sophisticated cyber-attack tools, the crossover between digital and physical threats, and the need for vigilant defense across both technology and operational domains.