Dave Bittner
You're listening to the CyberWire network, powered by N2K.
Podcast Host / Interviewer
Identity is a top attack vector. In our interview with Kavitha Mariappan from Rubrik, she breaks down why 90% of security leaders believe that identity-based attacks are their biggest threat. Throughout this conversation we explore why recovery times are getting longer, not shorter, and what resiliency will look like in this AI-driven world. If you're struggling to get a handle on identity risk, this is something you should tune into. Check out the full interview at thecyberwire.com. Rubrik.

Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform, fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com, that's D-O-P-P-E-L dot com.

Malicious Chrome extensions pose as AI tools. Google says nation states are increasingly abusing its Gemini artificial intelligence tool. Data extortion group WorldLeaks deploys a new malware tool called Rusty Rocket. An Atlanta healthcare provider data breach affects over 625,000. Apple patches an iOS zero-day that's been around since version 1.0. A government shutdown would furlough more than half of CISA's staff. Dutch police arrest the alleged seller of the Joker OTP phishing automation service. Our guest is Simon Horsewell, Senior Fraud Specialist at Entrust, discussing evolving romance scams ahead of Valentine's Day. And fun with filters provides fuel for phishers.

It's Thursday, February 12, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

Researchers have identified 30 malicious Chrome extensions posing as AI tools that have been installed by more than 300,000 users.
Discovered by browser security firm LayerX and dubbed the AI Frame campaign, the extensions share the same code structure and communicate with infrastructure under the domain Tapnetic Pro. While the most popular extension, Gemini AI Sidebar, previously had 80,000 users and has been removed, several others remain on the Chrome Web Store with tens of thousands of installs. The extensions load AI features through remote iframes, allowing operators to change functionality without store review. They harvest browsing data and, in at least 15 cases, target Gmail by extracting visible email content, including drafts, and transmit it to external servers. Some also enable remote voice capture using the Web Speech API. Users are advised to remove affected extensions and reset passwords if compromised.

Google says nation-state hacking groups are increasingly using its Gemini AI tool to accelerate reconnaissance, malware development and targeting. In a new report, Google's Threat Intelligence Group, or GTIG, detailed activity by groups linked to China, Iran and North Korea. Chinese actors used Gemini to gather information on individuals in Pakistan and analyze vulnerabilities. Iran's APT42 used it to craft phishing personas, translate lures and support malware development. A North Korean group targeting the defense sector leveraged Gemini to synthesize open source intelligence and profile technical roles. GTIG also observed malware called Honest Q that uses the Gemini API to generate C code for follow-on payloads. Google says it disrupted some activity but acknowledges actors continue targeting similar victims. Large language models are helping threat groups scale reconnaissance and move from research to active targeting faster, according to GTIG.

Accenture Cybersecurity says the data extortion group WorldLeaks has deployed a previously unseen malware tool called Rusty Rocket to enhance its attacks.
According to Accenture, Rusty Rocket is written in Rust and targets both Microsoft Windows and Linux systems. The tool enables stealthy data exfiltration and traffic proxying through heavily obfuscated, multilayered encrypted tunnels, blending malicious activity with legitimate network traffic. It also requires a pre-encrypted configuration at runtime, a guardrail that researchers say makes it difficult to detect and monitor. WorldLeaks, active since early 2025, steals sensitive data and threatens to publish it rather than encrypting files; the group has claimed victims including Nike. Accenture says Rusty Rocket supports persistence and long-term data theft. Increasingly stealthy tooling complicates traditional detection. Accenture recommends monitoring anomalous outbound traffic, strengthening segmentation and testing defenses.

ApolloMD, a healthcare physician and practice management provider based in Atlanta, disclosed that a May 22 to May 23, 2025 cyber attack exposed sensitive data belonging to over 626,000 individuals. According to the company's notice and the U.S. Department of Health and Human Services breach portal, accessed files contained personally identifiable information and protected health information, including names, birth dates, diagnostic and treatment details, insurance data and, in some cases, Social Security numbers. By September of last year, ApolloMD had notified affiliated practices and begun mailing letters offering free credit monitoring. The company has not identified a responsible threat actor, although the Qilin ransomware group listed ApolloMD on its leak site in June of last year.

Apple has patched a zero-day vulnerability that affects every iOS version since 1.0 and was used in what the company described as an extremely sophisticated attack against targeted individuals, discovered by Google's Threat Analysis Group.
The flaw resides in dyld, Apple's dynamic linker, and allows an attacker with memory write capability to execute arbitrary code. Apple said the issue may have been exploited as part of a chain on versions prior to iOS 26. Security researchers noted the vulnerability could be combined with WebKit flaws addressed in iOS 26.3 to enable zero-click or one-click device compromise. Apple also fixed other issues, including bugs that could grant root access or expose sensitive data, but said the zero-day was the only vulnerability confirmed exploited in the wild.

More than half of CISA's 2,341 employees would be furloughed if Congress fails to extend Department of Homeland Security funding by Friday, Acting Director Madhu Gottumukkala told lawmakers. CISA plans to designate 888 employees as excepted to maintain 24/7 operations, respond to imminent threats and share urgent vulnerability information, but most proactive cybersecurity work would pause, Gottumukkala warned. A funding lapse would delay deployment of cybersecurity services to federal agencies and weaken timely guidance to infrastructure operators. Strategic planning, new capability development, training and work on mandated cyber incident reporting rules would halt. Lawmakers remain divided over broader Department of Homeland Security policy disputes, raising the risk of a shutdown during what officials describe as a sensitive period for federal cyber defense efforts.

Staying with CISA, the agency published an advisory outlining key lessons from its response to a real-world compromise at a federal civilian executive branch agency. The incident stemmed from exploitation of a known GeoServer vulnerability, giving threat actors remote access, persistence and lateral movement across systems. CISA mapped observed tactics, techniques and procedures using the MITRE ATT&CK framework and provided indicators of compromise to help defenders detect similar activity.
The advisory emphasizes swift patching of critical vulnerabilities, maintaining and exercising incident response plans, and centralized logging for effective detection. It also includes mitigation recommendations to improve an organization's preparedness and resilience against sophisticated post-compromise activity. CISA encourages all organizations to apply these lessons and use the associated technical details in the advisory to strengthen their security posture.

Dutch police have arrested a 21-year-old man for allegedly selling the Joker OTP phishing automation service, a tool designed to intercept one-time passwords and hijack online accounts. The arrest follows a three-year investigation that dismantled the Joker OTP phishing-as-a-service operation in April of last year, including prior arrests of its developer and a co-developer. Authorities say the platform caused at least $10 million in losses across more than 28,000 attacks in 13 countries. Sold via Telegram license keys, the tool automated calls to victims posing as legitimate companies while prompting them to enter one-time passwords sent during login attempts. Targets included PayPal, Venmo, Coinbase, Amazon and Apple users. Police have identified dozens of buyers and say the investigation remains ongoing.

Coming up after the break, Simon Horsewell from Entrust discusses evolving romance scams ahead of Valentine's Day, and fun with filters provides fuel for phishers. Stick around.

What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber, that's V-A-N-T-A dot com slash cyber.
Dave Bittner
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills, fast. It's a simple way to make sure your listing is the first candidates see. According to Indeed data, sponsored jobs have four times more applicants than non-sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at indeed.com/podcast. Terms and conditions apply.
Podcast Host / Interviewer
Simon Horsewell is Senior Fraud Specialist at Entrust. I recently caught up with him over on the Hacking Humans podcast to discuss evolving romance scams for Valentine's Day. So today we are talking about romance scams. Being that it is right around Valentine's Day, I would love to start off with some high level stuff here. My understanding is that romance scams go way back before we actually had an Internet. This is as long as people have been in love, there have been people trying to scam each other and use it as a way of doing that. Is that an accurate perception?
Simon Horsewell
Yeah, I think that's fair. As long as people have had the ability to take advantage of one another, then unfortunately they have.
Podcast Host / Interviewer
So what are we seeing here today, when it comes to romance scams? What is the current, let's call it, state of the art?
Simon Horsewell
Yeah. So what we're seeing now, people reaching out to. Well, we see fraudsters reaching out to people via social media platforms. So this could be using dating apps with a view to getting them off the dating apps and into a private messaging service. Or it could be on Instagram or Facebook or one of those other social media platforms that are a lot broader, and that can make the trouble, that can make the problem a bit harder to spot, because those platforms aren't necessarily geared up to monitor certain patterns of behavior.
Podcast Host / Interviewer
Can you walk us through the playbook? I mean, how does something like this begin and what happens as they progress?
Simon Horsewell
So initially someone will reach out to you. They're not going to be an ugly person.
Podcast Host / Interviewer
Right.
Simon Horsewell
This is going to be someone who is probably like a 10, a nine somewhere sort of unbelievable where you're like, wow.
Podcast Host / Interviewer
And someone way out of my league.
Simon Horsewell
Right. We're not, nor you personally, but like us as a people. Right. These are going to be people that are objectively good looking. Yeah. They will reach out to you out of the blue and they'll say, hey, look, I'm just stopping by, I saw you like this, or I saw you were into this, or I just saw your profile and I thought, I just wanted to say hello because you look friendly.
Podcast Host / Interviewer
Right.
Simon Horsewell
Or you looked beautiful. But what will then progress from there is a really intense period of the relationship. So normal relationships progress, you know, at various different speeds. But one of the hallmarks of this particular trend, this scam, is that it will go straight up to 100 and it won't lay off the gas. It will be very intense. You will have the most attentive person ever. They will find everything you say amusing. You will have no disagreements, as long as you're not talking about not giving money, let's put it that way. Everything's going to be the best thing they've ever heard, or they're going to think that you are the only thing that they think of all day long. They will not miss a call, they will not miss a message. And they will. Yeah, we see this technique called love bombing. For those of you who aren't familiar with it, love bombing is when you basically just spam someone with affection. You're constantly telling them how important they are to you, how much you miss them, how you dream of being together. You're sending poems, you're sending stories, you're sending songs. Just really intense, but over a very short period of time. And this is all to progress and accelerate the relationship to the point where the victim is emotionally invested. And then it's very, very difficult for them to pull away.
Podcast Host / Interviewer
How much time is there typically between this period of time where they're building the relationship and then when the ask comes for something, for money, for something out of the ordinary?
Simon Horsewell
Well, it can vary. It really can vary. In some cases, it can be sort of a couple of weeks. But in other cases, we've known this to go on for a few years. But with the use of AI now, it's relatively simple. We live these lives online, and if you've never met someone in person, it can be very easy to fall into this trap. Some victims have reported the fact that the tone changes when they're talking to this person over a period of years. That's generally not the case. Right. If you're talking to a genuine person, they tend to be the same person. But this is, you know, considered to be fraudsters sharing these victims with other people. Or, if you like, if you think of it in terms of the business, I've got someone who goes out and does the research and initiates the contact, and then they pull them in. Then I give them to somebody else to keep them warm. And then later on down the line, when it's required, I have my closer. So that kind of pattern, this is why it can feel like sometimes you're talking to a different person or the tone changes. Likelihood is you may have been sold on, your profile, as it were, may have been sold on to somebody else to go to the next stage. So it can be any period of time, but it does have some hallmarks to it that you can look out for that will let you know that you're trapped in this situation.
Podcast Host / Interviewer
What sorts of things should people be on the lookout for?
Simon Horsewell
Well, as I say, this intense period right at the beginning, this is someone who can never meet you in person because the person they presented to you doesn't exist. So look out for the fact that you can't meet this person in real life. Now, it could be that from the beginning, the scenario they've given you is that they work overseas and that they can't be with you in person, otherwise they would. Or they work all the time, or they're constantly traveling. Some excuse that is baked into the scenario from the beginning, which means that seeing them in person is going to be very difficult, and we should just put that to the back burner for the time being. Now, most of the time, you know, you can have a long distance relationship and it can work, but you're on the assumption that you're eventually going to meet. And if the person on the other end is never going to do that and has never got that intention, then you're working under false pretenses.
Podcast Host / Interviewer
Now my understanding here is that when someone gets drawn into something like this, it's very hard for them to admit that they've been taken. First of all, does that match your research? And I guess the second question is, if you suspect your loved one is involved with something like this, what's the best way to try to break the spell?
Simon Horsewell
Yeah, it's very difficult. It's very difficult because these are social manipulation. That's how these scams work. They manipulate the individual, the target. Quite often we're seeing people that are, well, they're being targeted based on things that they put out on social media. So fraudsters now can find out an awful lot about you, build a profile, and then they kind of know what buttons are going to work through tried and tested means. So it can be very difficult. Once someone's caught in this, or as the phrase that I'm hearing quite a lot, the phrase that we're using quite a lot is, is breaking the spell. You have banks that are trying to warn people about these payments, saying like, you know, we have seen this before, this is going to be a scam. And again, the fraudsters have got that as part of their script. So they'll be saying like, don't worry, the bank is going to tell you this, but I just need you to put this money in this location, or I need you to buy this amount of crypto by this time. Because of the intensity of the relationship, the attentiveness that they're giving the victim, the fact that they are making it feel incredibly real for the victim, and the dream relationship, the victim is emotionally invested, and it's not a case of not being able to admit it. It's that they're so emotionally invested that they can't get away from this. It is everything to them. They are in love. It is very real for them. So the fact that other people are coming along and waving bits of evidence or, you know, trying to pull them away from it, the fraudsters know what they're doing when they're creating this scenario. It's very difficult for loved ones to pull them away. The fraudsters know what the regular objections are going to be and almost counterattack them before they happen. So trying to isolate that person more and more from their support network, from their family, from their loved ones, from their friends. 
Discrediting the warning signs that banks will put up. And a bank can't stop you spending your money. They're not allowed to do that, but it's in their interest to warn you several times.
Podcast Host / Interviewer
To hear the full-length version of my conversation with Simon Horsewell from Entrust, be sure to check out the Hacking Humans podcast wherever you get your favorite shows.

The world moves fast, your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work, built into Word, Excel, PowerPoint and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more at microsoft.com/M365Copilot.

And finally, chances are you've seen this Instagram trend inviting users to ask ChatGPT to "create a caricature of me and my job based on everything you know about me." The results are playful, detailed and now widely shared using the platform's Add Yours feature. According to Josh Davies of Fortra, that harmless fun may be doing more than boosting engagement. With more than 2 million images posted, public profiles now neatly link faces, job roles and evidence of large language model use: a banker here, a developer there, an engineer in between. For a threat actor, it could be reconnaissance at scale, Davies notes. The real risk is not the caricature itself, but what it implies. If users entered sensitive work data into a public LLM, that information may sit in prompt history outside corporate controls. Combine that with doxxing, credential reuse and phishing, and account takeover becomes plausible. The trend, he argues, spotlights shadow AI, data leakage and the quiet security cost of oversharing.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. 
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K Senior Producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Podcast Host / Interviewer
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Host: Dave Bittner
Featured Guest: Simon Horsewell, Senior Fraud Specialist at Entrust
This episode of CyberWire Daily centers on the growing intersection of artificial intelligence (AI) and cybersecurity threats, spotlighting malicious use cases, emergent tools, data breaches, and evolving social engineering scams. The show also features an expert interview with Simon Horsewell on the latest trends in romance scams, particularly as Valentine's Day approaches.
On the intensity of romance scam relationships:
"You will have the most attentive person ever...You will have no disagreements as long as you're not talking about not giving money." — Simon Horsewell [16:10]
On the operational complexity of scams:
"Some victims have reported...that the tone changes...It's considered to be fraudsters sharing these victims with other people...You may have been sold on your profile." — Simon Horsewell [18:07]
On the challenge of intervention:
"Because of the intensity of the relationship... the victim is emotionally invested and it's not a case of not being able to admit it. It's...they can't get away from this." — Simon Horsewell [21:35]
On unintended digital oversharing:
"For a threat actor, it could be reconnaissance at scale…The real risk is not the caricature itself, but what it implies." — [23:48]
For more in-depth coverage, see the daily briefing at thecyberwire.com.