A
You're listening to the Cyberwire network, powered by N2K.
B
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
A
DHS reassigns cyber to immigration duties. A massive DDoS attack disrupts several major gaming platforms. Discord refuses ransom after a third-party support system breach. Researchers examine Chaos ransomware and creative log poisoning web intrusions. The FCC reconsiders its telecom data breach disclosure rule. Experts warn of teen recruitment and pro-Russian hacking operations. Ukraine's Parliament approves the establishment of cyber forces. Troy Hunt criticizes data breach injunctions as empty gestures. Our guest today is Sarah Graham from the Atlantic Council's Cyber Statecraft Initiative, discussing their report "Mythical Beasts: Diving into the Depths of the Global Spyware Market." And Spy Dog's secret site goes off leash.
Today is Thursday, October 9th, 2025. I'm Maria Varmazes, and this is your CyberWire Intel Briefing.
Hi everyone. Thank you for joining me today. I'm standing in for Dave Bittner. He'll be back tomorrow. Let's get into it.
The Department of Homeland Security has reassigned hundreds of national security employees, including cybersecurity specialists from the Cybersecurity and Infrastructure Security Agency, better known as CISA, to support President Trump's deportation initiatives. Current and former employees say that the reassignments, which are described as mandatory, come with threats of dismissal for refusal and often involve sudden relocations. Many of those moved had focused on protecting federal systems from nation-state cyber attacks. Their transfers to agencies such as Immigration and Customs Enforcement and Customs and Border Protection have disrupted CISA's core mission, particularly within its capacity building and international engagement divisions. Staff morale has reportedly plummeted amid a climate of fear and censorship. Critics warn that the shift leaves the United States more vulnerable to cyber threats as major hacks continue to target government networks. DHS officials defend the moves as routine personnel alignment to meet agency priorities.
Earlier this week, a massive DDoS attack disrupted several major gaming platforms, including Steam, Xbox, PlayStation, Riot Games and Epic Games. The coordinated assault, reportedly powered by the Aisuru botnet, reached record levels of 29.69 terabits per second, overwhelming servers and causing widespread outages across the industry. Riot Games confirmed that while its internal systems remained secure, the flood of network traffic severely affected gameplay for League of Legends and Valorant users. Services have since been restored, but experts warn that the scale and simultaneity of this event reveal growing vulnerabilities in global gaming infrastructure.
Discord says it will not pay a ransom to threat actors who claim to have stolen data on five and a half million users through its Zendesk support system, according to a report from BleepingComputer. Discord disputes the hackers' figures, stating that only about 70,000 users had government ID photos exposed, and emphasized that Discord itself was not breached. The attackers, on the other hand, alleged that they accessed a compromised support agent account with an outsourced provider, stealing 1.6 terabytes of data, including user IDs, emails and partial payment details. For its part, Discord dismissed those claims as part of an extortion attempt and reaffirmed that no internal systems were compromised. The hackers reportedly demanded up to $5 million and threatened to leak the data after failed negotiations. BleepingComputer could not verify the authenticity of the stolen data samples.
Researchers at Fortinet examine Chaos ransomware, which resurfaced in 2025 with the new C variant, its first version not written in .NET, marking a major evolution in the malware's capabilities. Dubbed Chaos-C, the strain combines encryption with destructive behavior, deleting large files entirely instead of encrypting them, and then hijacks clipboard data to steal cryptocurrency payments. The malware disguises itself as a fake utility, silently executes its payload and employs multiple encryption methods, including AES, RSA and XOR. Its clipboard hijacking feature replaces Bitcoin wallet addresses with attacker-controlled ones, redirecting potential payments. This Chaos variant reflects a broader shift from traditional ransomware to hybrid extortion and destruction, signaling the Chaos developers' growing focus on financial theft and operational impact over simple data encryption.
In other new research findings, an investigation by Huntress details a hands-on compromise that began in August 2025 with log poisoning, also called log injection, on a public phpMyAdmin panel. The actor planted a one-liner PHP web shell reminiscent of China Chopper, controlled it with AntSword, and then installed Nezha, which is a monitoring tool used here to run commands. The sequence ended with Ghost Remote Access Trojan, or Gh0st RAT. Huntress reports likely more than 100 victims, most frequently in Taiwan, Japan, South Korea and Hong Kong. The access path involved weak defaults and exposed admin interfaces, highlighting real-world risk from test stacks and outdated packages. Huntress suggests that defenders harden public apps, enforce authentication, monitor for web shells, and detect suspicious service creation and execution paths.
The Federal Communications Commission, better known as the FCC, will revisit its 2024 data breach disclosure rule that requires telecom providers to notify customers within 30 days. A Sixth Circuit panel had upheld this rule, rejecting claims from industry groups that it exceeded FCC authority and violated the Congressional Review Act. After those groups sought a rehearing, the FCC asked to suspend the case while it reexamines the order. A court then granted abeyance, requiring progress reports every 60 days.
The arrest of two 17-year-olds in the Netherlands has raised alarms about nation-state hackers recruiting teenagers for espionage. The teens were detained for collecting Wi-Fi data near Europol and other sensitive sites and were reportedly approached on Telegram by pro-Russian operatives. Dutch intelligence tipped police to the activity, which officials link to Russia's hybrid tactics. Security analysts say that this case underscores a growing pattern, and that is that threat actors are grooming teens on Telegram, Discord and gaming platforms to perform low-skill digital tasks, from network scanning to credential theft. Experts warn that young recruits, who are often unaware of the consequences here, are being manipulated into aiding cyber operations. Dutch Prime Minister Dick Schoof called the trend extremely worrying, urging vigilance from parents and educators.
Ukraine's parliament has approved in the first reading a bill to establish cyber forces within its military, reflecting the growing role of cyber warfare in its conflict with Russia. Backed by 255 lawmakers, the new command will defend Ukraine's digital infrastructure and report directly to the commander in chief and president. The cyber forces will recruit reservists, conduct training and operate under the General Staff's Cyber Directorate, aligning operations with NATO standards. Final approval awaits a second reading and presidential signature.
Security researcher Troy Hunt argues that court injunctions following major data breaches, like those granted to HWL Ebsworth and Qantas, are the legal equivalent of offering thoughts and prayers. In his analysis, Hunt notes that such orders don't detect hackers or prevent leaks. After HWL Ebsworth's injunction against Russia's ALPHV group, the attackers ignored it and dumped the data anyway. Hunt says that these injunctions mainly restrict journalists, researchers and services like Have I Been Pwned, rather than the criminals themselves. While companies use them to appear proactive and protect shareholder interests, they offer little real defense for victims or transparency about compromised information.
Stick around after the break, where Dave Bittner sits down with Sarah Graham to discuss their work and findings on "Mythical Beasts: Diving into the Depths of the Global Spyware Market." And Spy Dog's secret site goes off leash.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A.com/cyber.
A
Sarah Graham is from the Atlantic Council's Cyber Statecraft Initiative, or CSI, and she is discussing their work and findings on "Mythical Beasts: Diving into the Depths of the Global Spyware Market" with Dave Bittner. Here's their conversation.
C
So spyware can be defined in a few different ways, but in our report and this second published report we have here, we take a relatively narrow scope to how we're defining spyware as a type of malicious software that enables the unauthorized remote access of a target device for the purposes of intrusion and surveillance. And so oftentimes folks will ask us why isn't the scope broader? Or did you include something like stalkerware or ad tech? And we really keep a relatively narrow definition here focused on that unauthorized remote access specifically for the purposes of surveillance.
B
Well, can you paint a picture of this market for us here? I mean, who are the key players and how do they tend to operate?
C
Sure. So in terms of the marketplace, in recent years there's been a lot of great reporting by different organizations, including Citizen Lab and Amnesty Tech, about the harms coming out of the spyware industry. But in contrast, there's been a relative lack of transparency about what's happening within the marketplace. We oftentimes see headlines about big players such as the NSO Group, but there's a lot of other players, small, medium-sized and more than just vendors. So our report is really trying to turn to look at the marketplace as a whole and understand the supply chain of different vendors, holding companies, investors and the like across the marketplace at a global scale.
B
Well, who are some of the key players here?
C
Yeah, so in our report we really take a look at the global scale of the spyware market, but hone in on a few particular areas of interest. On first turn, one of our major trends that we identified in the original report and see holding consistent with data from this past year is that the majority of identified entities are domiciled in Israel, India and Italy. But something I really want to point out, and we see as a trend emerging in this updated data set, is that there has been a significant increase within our sample of US-based investors that continue to disproportionately fund capabilities. And really we want to highlight this because it really undermines the important US government action that we've seen in the past 18 months to two years on spyware, in contrast with the investors from the US who continue to invest in these types of technologies.
B
Yeah, can we dig into that a little bit? What insights can you provide as to what's driving that market investment from the US?
C
So to start with a bit of data, we see with the data from this past year a total of 31 US investors that we were able to identify. And this, we find, is particularly remarkable given that some of the entities that US investors are investing in are actually listed on the US Entity List. So, for example, Candiru, listed on the Entity List, has investment from US firms, including Integrity Partners, as well as a few other venture capital firms and pension funds coming out of different states. So we're seeing that there's investment from a wide range of investors into a wide range of different spyware vendors, not only including Candiru, but Cognyte and a few others as well. And to your question of what's really driving this, our data doesn't necessarily answer that question, but something that my fantastic co-author Jen Roberts continues to point out as we've dug into this data is there has to be a reason investors invest when they see the potential for profit despite US policy actions such as the Entity List. There obviously must be some expectation that there is a future profit to be had here.
B
Yeah. Well, help us understand how these commercial spyware vendors differ from traditional state intelligence operations.
C
One thing that we get asked about quite a bit is how do these spywares differ and how are they useful to governments for national security? And there's a strong sense that there's some political will to put controls on these technologies, despite the fact that they are used for permissioned uses in state national security operations. But there is interest to preserve that limited use, and the ability to do so really hinges on these sorts of transparency efforts with data sets like the ones that we've created here to ensure and maintain the integrity of those capabilities for those narrowly defined and permissioned use cases.
B
Well, one of the things you uncover in the report here digs into the government's role both as buyers and regulators of this.
C
Sure. So the government, the state, plays a different role in different jurisdictions here. And so I can give you a few examples. As I mentioned at the start, what we do observe and see consistent is that three jurisdictions in particular, India, Italy and Israel, have a lot of activity within their boundaries. And what is something that we see is consistent amongst these three is that it's a relatively permissive environment with some sort of state involvement. This varies. We see in the Indian cluster that this is most common in the sort of hack-for-hire market. In Italy, there's a much older history of spyware with quite a bit of overlap with state entities, whether that's as buyers, but also as regulators, which as you can imagine can oftentimes create some either implicit or explicit conflicts of interest and can really make transparency efforts and ultimately any meaningful regulation quite challenging.
B
Why is it so difficult to hold these spyware companies accountable? I mean, is it as simple as the fact that they're offshore from our own local regulators?
C
It's a million dollar question. I think a lot of people would like to know the answer to this. I can point out to a few things. One trend that we see in all of our reporting has been this feature of shifting vendor identities. So that might be really subtle name changes or total rebrands of different entities that make it really difficult to track consistency in their activity. These entities have a lot of smart folks involved, and so strategic jurisdictional hopping is something that they certainly partake in. And we see this in a few different examples. For example, we know from a court case that Quadream established a presence in Cyprus to avoid European export controls. And so as you can imagine this sort of limited ability to consistently track is a huge barrier. And that actually highlights one of our second key trends in this report around the role of resellers and brokers, which I'd be happy to talk about a bit more, too.
B
Well, yeah, let's dig into it. What can you share about that?
C
Yeah, what we find with our updated data sample is a large number of what we're calling resellers and brokers. These are sort of partners within the marketplace, and that can be unrelated to the development of spyware, but they contribute some sort of technical or business need for the vendor. So this could be something like marketing services, the provision of telecommunications intercept devices, or creating access to some sort of regional market that an original vendor might not have otherwise been able to easily enter and sell to interested buyers. And so through access to public data sources, we've been able to identify a larger share of these entities and have come to identify more and more that in this expanded and opaque marketplace, these types of intermediary entities are playing a pretty crucial role to limiting transparency.
B
Yeah, can we talk about that? I mean, one of the things that it strikes me is that these spyware companies give a lot of nation states plausible deniability. Right? I mean, to what degree is that an element here?
C
Certainly there's plausible deniability sort of up and down the supply chain. You could imagine all the way through at the end, use of surveillance, plausible deniability in terms of how particular information is gained. But there's also plausible deniability upwards on the supply chain. And I think these brokers and resellers play a really crucial role to that, whether it's mere overlap only of business officers, or whether that's some sort of larger overlap between, for example, the original vendor and setting up some sort of satellite office in another state to gain access to that market. Some examples that we really dug into in the report are around the Mexican spyware ecosystem. And with some recent transparency reporting, we've been able to see how there were layers and layers of plausible deniability through the creation of contracts that only very subtly indicate, perhaps, that these technologies were being sold to different state agencies.
B
Where do we stand with policymakers here in the US? Is there any broad agreement on the place that spyware is intended to play with the new administration?
C
It's actually still relatively early, within the tenure of four years, and we haven't seen any public indications of change to the current status quo of the US policy perspective on these issues. But I think something to point out is that the absence of any change suggests at least that, at minimum, the current trajectory, which has in the past included this effort through listing vendors on the Entity List, issuing sanctions and visa restrictions, given that these things have not necessarily been pulled back, is some sort of signal that this sort of policy action might continue.
B
So to what degree should regular people be concerned about this, for our listeners? Is this high-level espionage kind of thing, or does it affect people in their day-to-day lives in terms of targeting with spyware?
C
Our report doesn't go into this in great detail, and I would really encourage listeners to go and check out some organizations that really give a lot of context and color to these sorts of targeted surveillance intrusions, coming from organizations like I mentioned, Citizen Lab or Amnesty Tech. But that doesn't deny the fact that we all can take some personal steps in our personal digital footprint and securing that. What I think does matter, though, for most Americans is what I talked about with US investments. When we dig into this a bit more in detail, we actually found that a few different pension funds, for example, are invested in spyware companies. If I'm recalling correctly, I believe a pension fund out of New Jersey and Washington State are included in this. And while that might not be something that an everyday person is aware of, being able to have some context over where your finances are being invested into is certainly a first step in understanding what's going on and how entangled these sorts of ecosystems actually are.
A
That was Dave Bittner sitting down with Sarah Graham of the Atlantic Council's Cyber Statecraft Initiative, discussing their work and findings on "Mythical Beasts: Diving into the Depths of the Global Spyware Market."
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone.
C
Learn more at WhatsApp.com. This episode is brought to you by Indeed.
B
When your computer breaks, you don't wait.
C
For it to magically start working again.
B
You fixed the problem, so why wait to hire the people your company desperately needs?
A
Use Indeed sponsored jobs to hire top.
B
Talent fast, and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast.
A
Terms and conditions apply.
In Derbyshire, the Spy Dog, Spy Pups and Spy Cat books, which are all wholesome tales of gadget-wielding pets solving crimes, have been abruptly recalled after a web address printed in the back of the books started leading somewhere far less child-friendly. The site for these books, which was once home to bonus content, was taken over by a third party who replaced puppies and paw prints with explicit material. Yikes. Yeah. Publisher Puffin and author Andrew Cope expressed horror, urging everyone not to visit the link and vowing swift action through, quote, appropriate channels. Schools, meanwhile, are treating the incident like a national security emergency, emailing parents, removing books, and issuing "return immediately" orders. For now, it seems Spy Dog's latest mission is an undercover operation in digital damage control.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Hey CyberWire listeners. As we near the end of the year, and yeah, can you believe we're almost there already, it is the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. And we'd love to help you achieve those goals. We've got some unique end-of-year opportunities, complete with special incentives to launch 2026, so tell your marketing team to reach on out to us. Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.
We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our producer is Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm your host, Maria Varmazes, in for Dave Bittner. Thanks for listening. We'll see you tomorrow.
B
Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 9, 2025
Host: Maria Varmazes (standing in for Dave Bittner)
Guest: Sarah Graham (Atlantic Council's Cyber Statecraft Initiative)
This episode delivers a comprehensive roundup of the day's top cybersecurity news, ranging from policy shifts that reassign cyber experts to non-security roles, to major DDoS attacks disrupting online gaming, and deep dives into the global spyware market. The centerpiece interview features Sarah Graham of the Atlantic Council, who unpacks the opaque world of commercial spyware, investment trends, and the challenge of regulating and exposing these "mythical beasts."
"Such orders don't detect hackers or prevent leaks ... companies use them to appear proactive and protect shareholder interests, but they offer little real defense for victims or transparency about compromised information." — Troy Hunt, [09:11]
Interview with Sarah Graham, Atlantic Council Cyber Statecraft Initiative [12:55 – 25:36]
“We really keep a relatively narrow definition ... focused on that unauthorized remote access specifically for the purposes of surveillance.” — Sarah Graham [13:35]
“There has been a significant increase within our sample of US-based investors that continue to disproportionately fund capabilities ... undermining the important US government action.” — Sarah Graham [15:00]
“There must be some expectation that there is a future profit to be had here.” — Sarah Graham [16:25]
“Intermediary entities are playing a pretty crucial role to limiting transparency.” — Sarah Graham [21:35]
“Being able to have some context over where your finances are being invested ... is certainly a first step in understanding what’s going on and how entangled these sorts of ecosystems actually are.” — Sarah Graham [25:17]
Spy Dog Book Series Website Incident [26:56 – 28:10]
On the consequences of moving cyber defenders away from their posts:
“Critics warn that the shift leaves the United States more vulnerable to cyber threats as major hacks continue to target government networks.” [01:57]
Sarah Graham on spyware investment trends:
“There has to be a reason investors invest when they see the potential for profit, despite U.S. policy actions.” [16:18]
Graham on the challenges of accountability:
“Shifting vendor identities ... make it really difficult to track consistency in their activity... Strategic jurisdictional hopping is something that they certainly partake in.” [19:45]
Troy Hunt on legal responses to data breaches:
“These injunctions mainly restrict journalists, researchers, and services like Have I Been Pwned, rather than the criminals themselves.” [09:25]
This episode highlights the risks of deprioritizing cyber defense capabilities in pursuit of other national strategies, the evolving landscape of cybercrime and ransomware, and the persistent challenges of the global spyware industry and its shadowy supply chain. The detailed interview with Sarah Graham makes clear that commercial spyware’s impact is widespread—spanning from state intelligence to everyday Americans’ retirement funds—and that addressing its spread requires unprecedented transparency and international cooperation.