A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
B
Mac users under attack, Russian state hackers go after iOS devices, China-linked espionage keeps burrowing deeper into telecom networks, a prolific supply chain threat group hits again, and Iran's cyber operations take deliberate aim at healthcare. This is Cybersecurity Today and I'm your host, David Shipley, coming to you for the first time ever from Seoul, South Korea. Let's get started. Mac users, there's a new info-stealing malware coming after you, and it's using a technique we've covered a lot over the past few months on the show. Researchers at Malwarebytes have documented a new macOS malware campaign called Infinity Stealer. It arrives via ClickFix, the social engineering technique where attackers build fake web pages, often mimicking routine things like a Cloudflare human verification check or a software update, and instruct targets to complete verification or fix a flaw by copying a command and pasting it into Windows Run or, on a Mac, into Terminal. Victims do all the work. They run the malware; attackers never have to break down a single security door, because it was opened for them. Most of the ClickFix stories we've covered have targeted Windows users. This one is aimed squarely at Mac users, and what makes it notable isn't just what it steals, it's how it's built. Infinity Stealer is a Python-based payload compiled using an open source tool called Nuitka, which converts the code into a native binary that makes it significantly harder to detect and analyze than typical Python-based threats. No obvious bytecode layer for security tools to grab onto. Malwarebytes says this is the first documented macOS campaign combining ClickFix with this kind of compiled Python payload. Once running, it takes screenshots, pulls credentials from Chrome and Firefox, raids the macOS Keychain, targets cryptocurrency wallets, and hunts for plaintext secrets in common developer files.
Everything gets sent back to the attackers, with a Telegram notification fired off to confirm the job is done. Malwarebytes is clear about the direction of travel: threats to macOS are becoming more advanced and more targeted. The days of "Macs don't get malware" are truly and well behind us. And that's not the only bad news for Apple users this week. Russian state-sponsored hackers have a new weapon, and it's aimed at your iPhone. Proofpoint has disclosed details of a targeted spear-phishing campaign by the threat group known as TA446, also tracked as Callisto, Coldriver and Star Blizzard, a group assessed to be affiliated with Russia's Federal Security Service, the FSB. The campaign uses the recently disclosed Dark Sword iOS exploit kit to target iPhones. The attack arrives as a fake discussion invitation email spoofing the Atlantic Council, a well-known Western think tank, and is designed to deliver a data miner malware called Ghostblade via the Dark Sword exploit kit. Among their targets was a prominent Russian opposition politician and political director of the Anti-Corruption Foundation. The targeting in this campaign was also notably wider than TA446's usual operations, spanning government, think tanks, higher education, financial and legal entities. Proofpoint notes that this is the first time they've observed TA446 going after Apple devices and iCloud accounts. Until now, the group was known primarily for credential harvesting through phishing and WhatsApp-targeted attacks. Dark Sword has changed that equation, and here's what makes this broader than just one Russian hacking group's new use of a toolkit: Dark Sword has leaked on GitHub. A plug-and-play version is now publicly available, and researchers at Lookout say it's accessible enough that even unskilled threat actors can deploy it. What was once an elite nation-state capability is now circulating in the open for all the consumer-grade cybercriminal gangs. Apple is taking the threat seriously.
The company has begun sending lock screen notifications directly to iPhones and iPads running older versions of iOS, warning users of active web-based attacks and urging them to update immediately. That's an unusual step. Apple doesn't typically push that kind of direct warning to devices that way, and it signals the company considers this threat broad enough to warrant it. Dark Sword targets iPhones running iOS versions 18.4 through 18.7. A separate kit called Corona, which Kaspersky has linked to the Operation Triangulation espionage campaign that first surfaced in 2023, targets older versions going back to iOS 13. If your iPhone or iPad is prompting you to update, get on it. There's new evidence that the full extent of China-linked hacking of critical infrastructure is still being uncovered, and there's a reason these groups have well earned the title Advanced Persistent Threat. Researchers at Rapid7 have published a report detailing a new espionage campaign targeting telecom networks across multiple countries, reports Cybersecurity Dive. The threat actor, tracked as Red Menshen, has been quietly embedding itself inside telecom infrastructure using a stealthy Linux-based backdoor called BPFDoor, and the goal here is long-term persistence, not smash and grab. BPFDoor is a malicious version of Berkeley Packet Filter, and it operates at the kernel level, deep inside the operating system. What makes it particularly hard to catch is what it doesn't do. It doesn't open listening ports. It doesn't use visible command and control channels. It just sits there waiting, invisible to most detection systems. Christiaan Beek, VP of Cyber Intelligence at Rapid7, was direct about what's at stake in telecom networks specifically: the access this kind of implant provides can mean visibility into signaling systems, subscriber data, communications metadata and other high-value infrastructure.
Exactly the kind of intelligence and access a nation state would want to quietly collect over a long period of time. Red Menshen shares characteristics with other China-nexus actors. Volt Typhoon was caught positioning itself inside US networks as a potential contingency tied to Taiwan. Salt Typhoon spent years inside major US telecom firms harvesting communications data on political and military figures. Rapid7 says Red Menshen follows a similar playbook, but the mechanisms have evolved and the strategic timeline is even longer. Rapid7 says it has been working with government partners and national emergency response teams to share its findings. If you're thinking you've been hearing a lot about a hacker group called TeamPCP lately, you'd be right. We've been talking about them a lot. They've been on a tear, and our latest story shows this group continues to be both clever and extremely dangerous. TeamPCP has now compromised the Telnyx package on the Python Package Index, or PyPI, uploading backdoored versions that deliver credential-stealing malware hidden inside a WAV audio file. The attack was spotted by application security firms Aikido, Socket and Endor Labs and attributed to TeamPCP based on the same exfiltration fingerprint and RSA key seen in their previous operations. This group has hit Telnyx, LiteLLM and Aqua Security's Trivy scanner in recent weeks. Supply chain attacks like these work because developers trust these tools and install them. TeamPCP is exploiting that trust systematically. If the Telnyx name isn't familiar, the package is the official Python SDK that lets developers integrate Telnyx communication services, VoIP, SMS, WhatsApp, fax, IoT, into their applications. It pulls over 740,000 downloads a month. That's a significant blast radius for a supply chain attack. The mechanics of this attack are worth diving into. TeamPCP published two backdoored versions, 4.87.1 and 4.87.2. The first had a non-functioning payload.
They fixed it an hour later with the second. The malicious code sits inside a core client file and triggers automatically the moment the package is imported, while the legitimate SDK functions carry on as normal. Nothing looks broken. Everything is compromised. On Linux and macOS, the payload downloads what appears to be a WAV audio file, ringtone.wav, from a remote server. Using steganography, malicious code is embedded inside the file's audio data frames without touching the actual sound. It's extracted, decrypted, and executed entirely in memory. From there it goes after SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other secrets. If Kubernetes is running, it goes further, enumerating cluster secrets and attempting to deploy privileged pods across nodes to reach underlying host systems. On Windows, a different WAV file drops a persistent executable into the Startup folder. Researchers are clear: version 4.87.0 is clean. Anyone running 4.87.1 or 4.87.2 should treat any systems as fully compromised and rotate all secrets immediately and comprehensively. Remember, Aqua Security struggled to rotate these credentials in a way that actually booted the attackers out. And now Iran, because there's a lot happening on the cyber front as the conflict with the United States and Israel continues to escalate. We'll start with the headline that grabbed the most attention last week: a pro-Iranian hacking group known as Handala claimed credit for breaching a personal email account belonging to FBI Director Kash Patel, posting what appeared to be old photographs, a resume and personal documents, most of them a decade old. The FBI confirmed the breach, noting the information was historical in nature and contained no government data. Let's be direct and clear on this one. Unless Kash Patel is deeply unhappy with old photos of himself with a cigar circulating online, this is not a national security crisis.
Handala's MO is still mostly splashy and symbolic, designed to embarrass, to signal reach and to boost morale among supporters. The FBI's own statement noted the Trump administration is taking this group seriously, offering up to $10 million for information leading to the identification of Handala members. Now here's where things get more serious. There's mounting evidence that Iranian-linked groups are deliberately targeting the healthcare sector, and that is not a coincidence. Two recent attacks tell that story clearly. The first is the group Handala and the attack on Stryker, the largest US medical technology company. Stryker continues to recover from the March 11 attack, with most manufacturing back up and running at the end of last week. Handala claimed the attack on Stryker was retaliation for suspected US strikes that killed Iranian schoolchildren. The Handala attack on Stryker has resulted in surgeries, including for children, being cancelled. The second story involves a separate Iran-linked ransomware group called Pay2Key, also tracked as Fox Kitten, which targeted an unnamed US healthcare provider. Investigators from Halcyon and Beazley Security found the attackers gained access through a compromised administrative account, then encrypted it. And here's the notable part: they didn't steal any data and they didn't demand a ransom. No extortion, just destruction. Cynthia Kaiser, senior vice president at Halcyon, was clear about what the pattern suggests: together with the Stryker attack, this points to a deliberate focus on the medical sector. It's not just about them being targets of opportunity. Pay2Key has an interesting history worth noting. The group first emerged in 2020 targeting Israeli firms. By 2024, the FBI, CISA and the Department of Defense issued a joint advisory about them. And in 2025 they began promoting themselves as a ransomware-as-a-service offering on Russian underground forums, which has muddied the attribution picture.
As Check Point Research told Cybersecurity Dive, it's no longer straightforward to say every Pay2Key attack is an Iranian state-backed operation. The lines there are getting blurry. Zoom out further and the scale of what's happening becomes much clearer. Researchers at DigiCert have tracked nearly 5,800 cyber attacks mounted by close to 50 different groups tied to Iran since the conflict began. The targets are overwhelmingly US and Israeli organizations, with some spillover into Bahrain, Kuwait, Qatar and the broader region. The important context here is that most of the attacks have thankfully been relatively minor, easily blocked by most organizations with current security practices and robust security teams. But they still impose real costs. Even when they fail, they're forcing security teams to respond, stay on top of patching and maintain high levels of vigilance. And for organizations with outdated defenses and small, under-resourced teams, the calculus is changing. Michael Smith of DigiCert put it plainly: these attacks are a way of telling people in other countries that Iran can still reach out and touch them. Intimidation is the strategy. A bigger, harder truth is that high-volume, low-sophistication attacks still find gaps. Healthcare, with its complex systems, round-the-clock operational pressure and under-resourced security teams, is exactly the kind of environment where defenders and defenses can slip. And the evidence is growing that Iranian-linked groups are exploiting that. That's Cybersecurity Today for Monday, March 30, 2026. If you missed the weekend show, we have a great recap on RSAC 2026 as well as a great feature interview with Bill O'Connell from Commvault on the evolving role of the CISO and Time Magazine's new award for CISO of the Year. And before we go, a special shout-out to our listeners in Ireland, who pushed us into the top three for their country on Apple's ranking for tech news podcasts this past weekend. A thousand thanks.
If today's show was useful, please take a moment to like it, subscribe and leave a rating or review wherever you get your podcasts. It makes a real difference in helping new listeners find us. Please keep sharing the show with others. We'd love to reach even more people this year. I'll be back on the news desk on Wednesday with the latest headlines. Take care. Stay safe.
A
We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com/CST, that's M-E-T-E-R dot com slash CST.
Episode Title: Russian State Hackers Go After iOS Devices
Date: March 30, 2026
In this episode, host David Shipley dives into a series of significant new threats in the cybersecurity landscape, focusing on advanced attacks against Apple devices, persistent espionage in telecom networks, aggressive software supply chain breaches, and escalating cyber operations targeting healthcare amid global geopolitical tensions. Listeners receive practical advice and crucial context about how threat actors are evolving and what it means for defenders.
Consistently urgent, direct, and pragmatic; technical details are made accessible for a broad audience but retain specificity and nuance. Shipley often leverages memorable, pithy summaries to emphasize risks and strategic shifts.
Useful for listeners who missed the episode—a comprehensive breakdown of all major threats and practical implications discussed.