Cybersecurity Today with David Shipley
Episode Title: Russian State Hackers Go After iOS Devices
Date: March 30, 2026
Episode Overview
In this episode, host David Shipley dives into a series of significant new threats in the cybersecurity landscape, focusing on advanced attacks against Apple devices, persistent espionage in telecom networks, aggressive software supply chain breaches, and escalating cyber operations targeting healthcare amid global geopolitical tensions. Listeners receive practical advice and crucial context about how threat actors are evolving and what it means for defenders.
Key Discussion Points & Insights
1. Mac Users Targeted: Infinity Stealer Malware
- [00:19 - 02:45]
- A new info-stealing malware, Infinity Stealer, is targeting Mac users via a sophisticated ClickFix campaign.
- Attackers craft fake web pages (e.g., mimicking security checks) and trick users into pasting commands into Terminal, so the victims install the malware themselves.
- Infinity Stealer is compiled from Python using the open-source tool Nuitka, making detection and analysis much harder.
- Once installed, it takes screenshots, steals browser credentials, raids keychains, targets crypto wallets, and sends data via Telegram.
- Quote (01:48):
"Threats to macOS are becoming more advanced and more targeted. The days of 'Macs don't get malware' are truly and well behind us." — David Shipley
2. Russian State Hackers Exploit iOS Devices
- [02:46 - 06:10]
- Russian group TA446 (aka Callisto, Cold River and Star Blizzard; linked to the FSB) launched a new campaign using the Dark Sword iOS exploit kit.
- The campaign distributes spear-phishing emails posing as think-tank invitations and delivers the Ghostblade malware via Dark Sword.
- This is the first time the group has been observed targeting Apple devices and iCloud accounts.
- Dark Sword exploit kit was leaked on GitHub—now even unskilled hackers can deploy it.
- Apple has started sending rare lock screen notifications directly to older devices, urging immediate updates.
- A related kit, Corona, is still targeting devices running iOS 13 and above.
- Quote (05:00):
"What was once an elite nation-state capability is now circulating in the open for all the consumer grade cybercriminal gangs." — David Shipley
- Advice: Install software updates immediately when prompted.
3. China-Linked Espionage in Telecom Networks
- [06:11 - 08:32]
- Rapid7 uncovered a stealthy campaign by the Red Menshen group using BPFdoor, a Linux kernel-level backdoor, against telecom infrastructure worldwide.
- The implant avoids detection by opening no listening ports and using no visible C2 channel, staying quietly persistent for long-term espionage.
- Parallels are drawn to other China-affiliated actors (Volt Typhoon, Salt Typhoon), with evolving tactics and extended strategic timelines.
- Quote (07:22):
"The access this kind of implant provides can mean visibility into signaling systems, subscriber data, communications, metadata and other high-value infrastructure." — Christiaan Beek, Rapid7
4. Supply Chain Attack: Team PCP Hits Python's PyPI
- [08:33 - 11:36]
- Team PCP, a prolific supply chain threat group, compromised the popular Telnix package on PyPI, slipping credential-stealing malware into a package with over 740,000 monthly downloads.
- Attackers published two backdoored versions, hiding the malicious payload via steganography in WAV audio files.
- On import, secrets such as SSH keys, cloud tokens, and crypto wallets are exfiltrated.
- On Kubernetes hosts, the malware attempts to penetrate the cluster and deploy privileged pods.
- Researchers advise immediate removal of affected versions (4.87.1, 4.87.2) and comprehensive secret rotation.
- Quote (10:54):
"While the legitimate SDK functions carry on as normal, nothing looks broken. Everything is compromised." — David Shipley
- Advice: Only version 4.87.0 is clean; the incident demonstrates the severity and complexity of modern software supply chain attacks.
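A defender-side check for the supply chain incident above, added here as an example (not code from the episode or from the Telnix project): it scans a requirements-style manifest and the running interpreter for the two backdoored versions the episode names and flags floating specs a resolver could satisfy with one of them. The package name and version numbers are taken from the summary as transcribed and are assumptions to verify against the actual advisory.

```python
# Added example for this summary (not code from the episode or any vendor):
# audit a requirements manifest and the live environment for the package
# versions the episode names as backdoored. Package name and versions are as
# transcribed (Telnix 4.87.1/4.87.2 bad, 4.87.0 clean); verify them first.
import re
from importlib import metadata

PACKAGE = "telnix"                    # as named in the episode (transcribed)
BAD_VERSIONS = {"4.87.1", "4.87.2"}   # backdoored releases per the episode
CLEAN_VERSION = "4.87.0"              # last clean release per the episode

# "name[extra] ==1.2.3" style lines; extras and trailing comments are ignored.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)?\s*([\w.]+)?")


def normalize(name: str) -> str:
    """PEP 503 name normalization so Telnix, telnix and TELNIX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_manifest(text: str) -> list[dict]:
    """Return one finding per line naming PACKAGE: status 'bad' (exact pin to a
    backdoored release), 'ok' (other exact pin) or 'unpinned' (floating spec)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = REQ_LINE.match(line)
        if not m or normalize(m.group(1)) != normalize(PACKAGE):
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==":
            status = "bad" if ver in BAD_VERSIONS else "ok"
        else:
            status = "unpinned"                  # resolver may pick a bad release
        findings.append({"line": lineno, "spec": line, "status": status})
    return findings


def installed_status() -> str:
    """Check the running interpreter: 'bad', 'ok' or 'absent'."""
    try:
        return "bad" if metadata.version(PACKAGE) in BAD_VERSIONS else "ok"
    except metadata.PackageNotFoundError:
        return "absent"


# Constructed sample manifest, not taken from the episode.
SAMPLE = "requests==2.32.3\nTelnix==4.87.2  # voice API\ntelnix>=4.80\ntelnix==4.87.0\n"

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
    print("installed:", installed_status(), "| pin to:", f"{PACKAGE}=={CLEAN_VERSION}")
```

Any 'bad' or 'unpinned' finding should be followed by the secret rotation the researchers advise, since the payload runs at import time and a clean reinstall does not undo exfiltration.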
5. Iranian Operations: Embarrassment, Intimidation, and Healthcare Attacks
- [11:37 - 17:47]
- Handala, a pro-Iranian group, breached the personal email of FBI Director Kash Patel; publicly embarrassing, but no government data was compromised.
- Primary intent: symbolic attacks to demonstrate reach, boost morale, and intimidate, rather than inflict strategic damage.
- Escalation observed: deliberate targeting of the healthcare sector, including:
  - An attack on Stryker (US medical technology giant), disrupting surgeries (including pediatric cases).
  - Pay2Key (Fox Kitten) attacked an unnamed US healthcare provider, encrypting systems without extortion or data theft.
  - The aim was simple disruption, not financial gain.
- Attribution of these groups is growing complex, as ransomware-as-a-service models blur lines between state and criminal activity.
- Quote (16:21):
"Healthcare, with its complex systems, 24-hour round-the-clock operational pressure, and under-resourced security teams, is exactly the kind of environment where defenders and defenses can slip." — David Shipley
- Stat: DigiCert reports nearly 5,800 cyberattacks by ~50 Iranian-linked groups since recent hostilities escalated.
Notable Quotes & Memorable Moments
- (01:48) "The days of 'Macs don't get malware' are truly and well behind us." — David Shipley
- (05:00) "What was once an elite nation-state capability is now circulating in the open for all the consumer grade cybercriminal gangs." — David Shipley
- (07:22) "The access this kind of implant provides can mean visibility into signaling systems, subscriber data, communications, metadata and other high-value infrastructure." — Christiaan Beek, Rapid7
- (10:54) "While the legitimate SDK functions carry on as normal, nothing looks broken. Everything is compromised." — David Shipley
- (16:21) "Healthcare, with its complex systems, 24-hour round-the-clock operational pressure, and under-resourced security teams, is exactly the kind of environment where defenders and defenses can slip." — David Shipley
- (17:10) On overall strategy: "Intimidation is the strategy." — Michael Smith, DigiCert
Timestamps for Key Segments
- [00:19] Introduction & Infinity Stealer Mac Malware
- [02:46] Russian State-Backed iOS Attacks and Dark Sword
- [06:11] China-Linked BPFdoor and Persistent Telecom Espionage
- [08:33] Team PCP Supply Chain Attack on Python PyPI
- [11:37] Iranian Groups—Symbolic Email Hacks & Healthcare Attacks
- [16:21] DigiCert Trends, Threat Landscape Summary
Language & Tone
Consistently urgent, direct, and pragmatic; technical details are made accessible for a broad audience but retain specificity and nuance. Shipley often leverages memorable, pithy summaries to emphasize risks and strategic shifts.
Final Takeaways
- Update Apple devices promptly when prompted, especially to counter Dark Sword and related threats.
- Monitor software dependencies and practice strict supply chain hygiene due to escalating supply chain attacks.
- Healthcare organizations must raise their vigilance and bolster defenses proactively against targeted, disruptive attacks.
- Cyber adversaries are growing bolder and more sophisticated, and even once-elite tools are becoming widely available.
Useful for listeners who missed the episode—a comprehensive breakdown of all major threats and practical implications discussed.
