CyberWire Daily – February 12, 2026: "AI or I-Spy?"

Host: Dave Bittner
Featured Guest: Simon Horsewell, Senior Fraud Specialist at Entrust

Overview

This episode of CyberWire Daily centers on the growing intersection of artificial intelligence (AI) and cybersecurity threats, spotlighting malicious use cases, emergent tools, data breaches, and evolving social engineering scams. The show also features an expert interview with Simon Horsewell on the latest trends in romance scams, particularly as Valentine's Day approaches.

Main News & Analysis

1. Malicious AI-Themed Chrome Extensions

Timestamp: 01:17–03:05

• Security firm LayerX uncovered 30 Chrome extensions posing as AI tools ("AI Frame Campaign") with over 300,000 installs.
• Extensions communicate with infrastructure tied to the domain "Tapnetic Pro" and load features via remote iframes, allowing for stealthy code updates.
• Data harvesting includes browsing data and, in at least 15 cases, Gmail content—including drafts—sent to external servers.
• Some exploit the Web Speech API for remote voice capture.
• Recommendation: Users should immediately remove affected extensions and reset compromised credentials.

2. Nation-State Abuse of Google's Gemini AI

Timestamp: 03:05–04:33

• Google reports increased use of its Gemini AI by nation-state actors (China, Iran, North Korea) for:
  • Reconnaissance
  • Malware development
  • Social engineering (example: Iran’s APT42 crafting phishing personas and translating lures)
  • Synthesizing open-source intelligence (example: North Korea targeting defense sector roles)
• Gemini is used to automate malware coding (instances like the “Honest Q” malware).
• Google claims to have disrupted some activity but warns that threat actors continue targeting similar victims.
• Key Insight: Large language models enable faster scaling from research to active targeting in cyber crime.

3. WorldLeaks: The Rise of "Rusty Rocket" Malware

Timestamp: 04:34–05:22

• Accenture Cybersecurity reports the extortion group WorldLeaks has deployed a new Rust-based tool ("Rusty Rocket") for data theft and traffic proxying.
• Highly obfuscated, encrypted tunnels blend with normal traffic and evade detection.
• Enables long-term persistence and stealthy exfiltration.
• Recommendation: Organizations should watch for anomalies in outbound traffic and bolster segmentation and defenses.

4. Apollo MD Healthcare Breach

Timestamp: 05:23–06:17

• Atlanta’s Apollo MD suffered a cyberattack (May 22–23, 2025) affecting over 626,000 people’s sensitive data, including names, birthdates, diagnoses, insurance details, and Social Security numbers.
• Notification and credit monitoring were offered by September 2025.
• The Keelin ransomware group had previously listed Apollo MD on its leak site.

5. Apple’s Historic iOS Zero-Day Vulnerability

Timestamp: 06:18–07:18

• Apple patches a zero-day in "Dyld" (dynamic linker), affecting every iOS version since 1.0.
• Discovered via Google’s Threat Analysis Group; allowed memory write attacks and arbitrary code execution.
• Could be chained with WebKit vulnerabilities for zero-click/one-click device compromise.
• Only confirmed vulnerability exploited in the wild in this update cycle.

6. CISA Faces Potential Government Shutdown

Timestamp: 07:19–08:20

• Over half of CISA’s 2,341 staff would be furloughed if DHS funding lapses.
• 888 “excepted” employees would maintain critical 24/7 operations, but proactive work (new capabilities, training, incident reporting rulemaking) would halt.
• Lawmakers remain divided, risking national cyber readiness during a sensitive period.

7. CISA Advisory: Lessons from Real-World Federal Agency Breach

Timestamp: 08:21–09:03

• CISA released lessons learned after responding to a federal agency compromise via a known geo server vulnerability.
• Recommendations include: rapid patching, robust incident response plans, centralized logging.
• Tactics and indicators provided for defenders using the MITRE ATT&CK framework.

8. Joker OTP Phishing as a Service: Dutch Arrests

Timestamp: 09:04–09:57

• Dutch police arrest a 21-year-old for selling the Joker OTP phishing service, used to hijack accounts by abusing one-time passwords.
• The service, dismantled in April 2025, caused $10M+ in losses across 28,000+ attacks worldwide.
• Sold via Telegram, automated phone calls to trick users into sharing OTPs; targets included PayPal, Venmo, Coinbase, Amazon, and Apple.

Featured Interview: Evolving Romance Scams Ahead of Valentine’s Day

Guest: Simon Horsewell, Senior Fraud Specialist, Entrust
Timestamp: 13:43–23:10

The Enduring Nature of Romance Scams

• Romance scams aren’t new: “As long as people have had the ability to take advantage of one another, then unfortunately they have.” — Simon Horsewell [14:25]

Modern Playbook

• Fraudsters initiate contact through dating apps or broader social platforms (Instagram, Facebook), seeking to move victims off monitored platforms into private chat.
• The scammer is “objectively good looking”—the approach is tailored and flattering.
• Hallmark features:
  • Intense, rapid progression: "It will go straight up to 100 and it won't lay off the gas...You will have the most attentive person ever...love bombing." — Simon Horsewell [16:10]
  • Isolation: Perpetrators concoct reasons to avoid in-person meetings—working overseas, constant traveling, etc.
  • Scripted manipulation: Scammers are prepared for banks or loved ones warning victims, having counter-explanations ready.

Fraudster Operational Models

• Groups delegate roles: initial contact (relationship-builder), “warmer,” and a “closer” for when it’s time to ask for money.
• Victims may be passed between fraudsters, explaining changes in “personality” over time.

Detection & Defense

• Red flags for users:
  • “This is someone who can never meet you in person because the person they presented to you doesn't exist.” — Simon Horsewell [19:29]
  • Excuses to delay or avoid real-world meeting.
  • Increasing attempts to isolate the victim from their support network.

The Difficulty of Breaking the Spell

• Emotional manipulation runs deep; victims are emotionally invested and difficult to convince of the scam.
• "It's not a case of not being able to admit it. They're so emotionally invested that...they can't get away from this. It is everything to them." — Simon Horsewell [21:35]
• Fraudsters script objections to warnings from banks or loved ones, deepening isolation and control.

Social Engineering Trends: Fun with Filters as Fuel for Phishers

Timestamp: 23:10–End

• Instagram trend: users prompt ChatGPT to create work caricatures and share them using “Add Yours.”
• Josh Davies of Fortra warns this is a goldmine for threat actors—faces, jobs, LLM usage all in one public post.
• Real risk: Sensitive data submitted to LLMs could remain in prompt histories, exposing organizations to recon, phishing, or account takeover.
• The trend highlights “shadow AI,” data leakage, and cybersecurity risks due to oversharing.

Notable Quotes & Memorable Moments

• On the intensity of romance scam relationships:
  "You will have the most attentive person ever...You will have no disagreements as long as you're not talking about not giving money." — Simon Horsewell [16:10]

• On the operational complexity of scams:
  “Some victims have reported...that the tone changes…It’s considered to be fraudsters sharing these victims with other people…You may have been sold on your profile.” — Simon Horsewell [18:07]

• On the challenge of intervention:
  “Because of the intensity of the relationship… the victim is emotionally invested and it’s not a case of not being able to admit it. It's...they can’t get away from this.” — Simon Horsewell [21:35]

• On unintended digital oversharing:
  "For a threat actor, it could be reconnaissance at scale…The real risk is not the caricature itself, but what it implies." — [23:48]

Key Timestamps

• 00:11: Episode overview and key topics preview
• 01:17: AI-themed malicious Chrome extensions
• 03:05: Nation-state misuse of Gemini AI
• 04:34: WorldLeaks “Rusty Rocket” malware
• 05:23: Apollo MD healthcare breach
• 06:18: Apple iOS zero-day patch
• 07:19: Potential CISA shutdown
• 08:21: CISA’s breach response advisory
• 09:04: Joker OTP arrest
• 13:43: Featured interview: Simon Horsewell on romance scams
• 23:10: Instagram/ChatGPT filter trend and OSINT risks

Takeaways

• AI continues to be a double-edged sword, embraced both for cyber defense and for advancing social engineering, malware, and large-scale reconnaissance.
• Social engineering remains personalized, persistent, and increasingly sophisticated (especially romance scams, as explained by Simon Horsewell).
• Digital fads and fun (such as Instagram’s “caricature” trend) can unwittingly create new security vulnerabilites.
• Staying alert to red flags, rapid emotional escalation, and requests for secrecy or money is crucial in online relationships.
• Security teams must be vigilant regarding AI platform abuse, phishing automation services, and data visibility in online trends.

For more in-depth coverage, see the daily briefing at thecyberwire.com.