Facing a slow-burn confrontation.

CyberWire Daily – “Facing a Slow-Burn Confrontation”

Date: February 20, 2026
Host: Dave Bittner (N2K Networks)
Guest: James Turgal, VP of Global Cyber Risk and Board Relations at Optiv; former FBI

Episode Overview

This episode delivers a comprehensive snapshot of the day’s most pressing cybersecurity news, highlighting emerging threats across geopolitical, commercial, and technological landscapes. Topics include Russia’s escalating hybrid operations in Europe, a series of major cyber incidents in the US, novel malware and vulnerability discoveries, and an in-depth expert interview focusing on the current wave of AI-powered tax scams and IRS fraud.

Key News Stories & Analysis

1. Russian Hybrid Operations in Europe

[00:32]

Dutch intelligence agencies warn of Russia escalating hybrid operations across Europe, aiming for a “slow-burn confrontation” below the threshold of open war.
Noted increases since late 2023 in cyber attacks, sabotage, disinformation, espionage, and mapping of seabed infrastructure.
The Netherlands faced DDoS attacks, police system espionage, and critical infrastructure probing.
Russian risk tolerance reportedly rising, with more reliance on online-recruited low-level agents.
Urgent recommendations: bolster national cyber resilience and enhance public-private cooperation.

2. University of Mississippi Medical Center Ransomware Attack

[02:47]

Ransomware took down IT networks, electronic medical records, and statewide clinics.
Resulted in canceled patient appointments and elective surgeries. Emergency services ran under contingency protocols.
MedCom transfer system also affected but kept operating due to redundancies.
Investigation ongoing; variant and origin of ransomware still unknown.

3. PayPal Data Breach

[04:43]

Breach in Working Capital loan application exposed customer data (names, contact info, SSNs, DOB) for nearly six months in 2025.
Fix applied after discovery; PayPal offering credit monitoring and password resets.
Affected accounts saw limited unauthorized transactions, later refunded.

4. ATM Jackpotting on the Rise

[05:45]

FBI: Over $20 million lost by Americans due to ATM jackpotting in 2025 (700+ incidents).
Techniques exploit XFS software layer in ATMs, using malware (e.g., Plautus) and physical access.
FBI advises banks to audit ATM security, particularly for unauthorized storage use and anomalous processes.
Ongoing law enforcement action against criminal groups, e.g., Tren de Aragua members.

5. Trust Connect: New Malware-as-a-Service

[08:39]

Proofpoint identifies Trust Connect, a fake remote monitoring tool (MAS), advertised at $300/month.
Delivered via phishing “Meeting Invites” and “Tax Doc” lures, often alongside legitimate RMM tools.
Web dashboard allows attackers to control infected systems and drop payloads.
Proofpoint coordinated takedown of initial infrastructure; operators pivoted to “Doc Connect.”
Actors likely linked to prior Redline Stealer campaigns.

6. Android Malware Integrates Generative AI

[10:37]

ESET researchers document ‘PromptSpy’, first Android malware utilizing generative AI (Google’s Gemini).
Malware sends screen info to AI, receives custom instructions for persistence across devices.
Employs Android Accessibility services; core functions include spyware features: remote screen, credential interception, screenshots, etc.
Notable as a real-time, adaptive threat, even if current distribution is limited.

7. Critical Zero-Day in Grandstream VOIP Phones

[12:11]

Rapid7 discloses unauthenticated buffer overflow in Grandstream GXP 1600 VOIP phones.
Flaw enables remote code execution with root privileges, exposing device configurations and calls.
Vendor released necessary firmware patches.

8. IRS IT Staff Losses & Concerns

[13:11]

IRS cut 40% of IT staff and 80% of tech execs, broadest shakeup in 20 years.
Over 1,000 IT staff reassigned to frontline tax support, causing internal concern.
Treasury Inspector General warns about risks to tax law implementation for the 2026 season.
AI expected to supplement depleted staff.

Expert Interview: James Turgal on AI-Driven Tax Scams & IRS Fraud

[15:12–23:18]

Rise of AI in Tax Scams

[15:12]

Dave Bittner: “I can't help feeling like we're in a little different situation when it comes to this tax season because of the prevalence of AI scams. Is that an accurate perception on my part?”
James Turgal: “Oh, absolutely… AI is taking all types of fraud, specifically phishing and vishing… to an entirely new level.”

Modern Tactics Used by Scammers

[15:47]

Attackers use a three-pronged approach:
- Email scams (phishing)
- Voice scams (vishing)
- Fraudulent text messages (smishing)
Messages claim refunds are on hold or demand payment for supposed “back taxes,” using AI to simulate near-perfect language and escalate psychological pressure.
AI-driven interactions adapt tone in real time:

“If you are not sounding like you are… nervous, they'll up the tone… using words like, you know, ‘search warrant’ or ‘arrest warrant’…” – James Turgal [16:40]

Shift from Shotgun to Targeted Attacks

[17:52]

Attackers now leverage massive data lakes sourced from previous breaches to create detailed victim profiles, increasing targeting precision.

Guidance for Individuals

[18:56]

“Breathe in, breathe out, take a deep breath and understand that the fraud piece of this is a real thing… they need to be vigilant.”
IRS contacts ONLY via official mail—never email, call, or text.
Always verify sender’s address (should be IRS.gov); ignore messages demanding immediate payment; challenge callers with off-script questions (e.g., requesting physical address details) to expose AI scammers.
If a response “doesn't fit, then you immediately hang up because you know it's AI generated imposter.” – James Turgal [20:28]

Reporting & Resources

[21:00]

Report incidents at ic3.gov (FBI’s Internet Crime Complaint Center).
Report IRS phishing attempts at the official IRS phishing site.
“Even your local police departments are now trained in how to deal with this. But certainly at the federal level, you are absolutely not alone.” – James Turgal [21:53]

The Human Factor in Social Engineering

[22:08]

Traditional security tools (antivirus, ad blockers) are ineffective against these scams since they rely on social engineering across voice, text, and email, fueled by breached personal data.

Memorable Quotes

On AI’s role in fraud:

“AI is taking all types of fraud… to an entirely new level.”
– James Turgal [15:12]
On attacker adaptation:

“The AI is now smart enough to read the tone of the victim… they’ll up the tone using different words like ‘search warrant’ or ‘arrest warrant’.”
– James Turgal [16:40]
On vigilance:

“The IRS is only going to communicate with you via U.S. postal mail… If it doesn’t come from IRS.gov domain, it’s fraud.”
– James Turgal [19:56]
On overcoming isolation:

“There are a lot of resources out there… you are absolutely not alone.”
– James Turgal [21:53]

Notable Complaint: AI & DEI Grant Terminations

[22:56]

Authors Guild alleges NEH grants were canceled based on ChatGPT’s keyword analysis, using a “grudge list” of DEI-related terms.
Grants mentioning “LGBTQ, tribal, or Black” were targeted; terminations done with little or no human oversight.

Timestamps for Key Segments

Russia’s Hybrid Threats in Europe: [00:32–02:47]
Ransomware Hits Mississippi Medical Center: [02:47–04:10]
PayPal Data Breach: [04:43–05:45]
ATM Jackpotting Trends: [05:45–07:12]
Trust Connect Malware Analysis: [08:39–09:37]
Android AI Malware Discovery: [10:37–11:56]
Critical VOIP Vulnerability: [12:11–13:04]
IRS IT Workforce Issues: [13:11–14:40]
James Turgal Interview (AI tax scams): [15:12–23:18]
AI-Assisted DEI Grant Cancellations: [22:56–23:20]

Conclusion

This episode provides actionable context on evolving cyber threats—from state actors and organized crime to emerging, AI-driven social engineering campaigns. The James Turgal interview stands out, offering practical, clear-headed advice on navigating AI-enabled IRS scams during tax season—and highlighting the crucial role of public awareness and reporting.

CyberWire Daily – “Facing a Slow-Burn Confrontation”

Date: February 20, 2026
Host: Dave Bittner (N2K Networks)
Guest: James Turgal, VP of Global Cyber Risk and Board Relations at Optiv; former FBI

Episode Overview

Key News Stories & Analysis

1. Russian Hybrid Operations in Europe

[00:32]

Dutch intelligence agencies warn of Russia escalating hybrid operations across Europe, aiming for a “slow-burn confrontation” below the threshold of open war.
Noted increases since late 2023 in cyber attacks, sabotage, disinformation, espionage, and mapping of seabed infrastructure.
The Netherlands faced DDoS attacks, police system espionage, and critical infrastructure probing.
Russian risk tolerance reportedly rising, with more reliance on online-recruited low-level agents.
Urgent recommendations: bolster national cyber resilience and enhance public-private cooperation.

2. University of Mississippi Medical Center Ransomware Attack

[02:47]

Ransomware took down IT networks, electronic medical records, and statewide clinics.
Resulted in canceled patient appointments and elective surgeries. Emergency services ran under contingency protocols.
MedCom transfer system also affected but kept operating due to redundancies.
Investigation ongoing; variant and origin of ransomware still unknown.

3. PayPal Data Breach

[04:43]

Breach in Working Capital loan application exposed customer data (names, contact info, SSNs, DOB) for nearly six months in 2025.
Fix applied after discovery; PayPal offering credit monitoring and password resets.
Affected accounts saw limited unauthorized transactions, later refunded.

4. ATM Jackpotting on the Rise

[05:45]

FBI: Over $20 million lost by Americans due to ATM jackpotting in 2025 (700+ incidents).
Techniques exploit XFS software layer in ATMs, using malware (e.g., Plautus) and physical access.
FBI advises banks to audit ATM security, particularly for unauthorized storage use and anomalous processes.
Ongoing law enforcement action against criminal groups, e.g., Tren de Aragua members.

5. Trust Connect: New Malware-as-a-Service

[08:39]

Proofpoint identifies Trust Connect, a fake remote monitoring tool (MAS), advertised at $300/month.
Delivered via phishing “Meeting Invites” and “Tax Doc” lures, often alongside legitimate RMM tools.
Web dashboard allows attackers to control infected systems and drop payloads.
Proofpoint coordinated takedown of initial infrastructure; operators pivoted to “Doc Connect.”
Actors likely linked to prior Redline Stealer campaigns.

6. Android Malware Integrates Generative AI

[10:37]

ESET researchers document ‘PromptSpy’, first Android malware utilizing generative AI (Google’s Gemini).
Malware sends screen info to AI, receives custom instructions for persistence across devices.
Employs Android Accessibility services; core functions include spyware features: remote screen, credential interception, screenshots, etc.
Notable as a real-time, adaptive threat, even if current distribution is limited.

7. Critical Zero-Day in Grandstream VOIP Phones

[12:11]

Rapid7 discloses unauthenticated buffer overflow in Grandstream GXP 1600 VOIP phones.
Flaw enables remote code execution with root privileges, exposing device configurations and calls.
Vendor released necessary firmware patches.

8. IRS IT Staff Losses & Concerns

[13:11]

IRS cut 40% of IT staff and 80% of tech execs, broadest shakeup in 20 years.
Over 1,000 IT staff reassigned to frontline tax support, causing internal concern.
Treasury Inspector General warns about risks to tax law implementation for the 2026 season.
AI expected to supplement depleted staff.

Expert Interview: James Turgal on AI-Driven Tax Scams & IRS Fraud

[15:12–23:18]

Rise of AI in Tax Scams

[15:12]

Dave Bittner: “I can't help feeling like we're in a little different situation when it comes to this tax season because of the prevalence of AI scams. Is that an accurate perception on my part?”
James Turgal: “Oh, absolutely… AI is taking all types of fraud, specifically phishing and vishing… to an entirely new level.”

Modern Tactics Used by Scammers

[15:47]

Attackers use a three-pronged approach:
- Email scams (phishing)
- Voice scams (vishing)
- Fraudulent text messages (smishing)
Messages claim refunds are on hold or demand payment for supposed “back taxes,” using AI to simulate near-perfect language and escalate psychological pressure.
AI-driven interactions adapt tone in real time:

“If you are not sounding like you are… nervous, they'll up the tone… using words like, you know, ‘search warrant’ or ‘arrest warrant’…” – James Turgal [16:40]

Shift from Shotgun to Targeted Attacks

[17:52]

Attackers now leverage massive data lakes sourced from previous breaches to create detailed victim profiles, increasing targeting precision.

Guidance for Individuals

[18:56]

“Breathe in, breathe out, take a deep breath and understand that the fraud piece of this is a real thing… they need to be vigilant.”
IRS contacts ONLY via official mail—never email, call, or text.
Always verify sender’s address (should be IRS.gov); ignore messages demanding immediate payment; challenge callers with off-script questions (e.g., requesting physical address details) to expose AI scammers.
If a response “doesn't fit, then you immediately hang up because you know it's AI generated imposter.” – James Turgal [20:28]

Reporting & Resources

[21:00]

Report incidents at ic3.gov (FBI’s Internet Crime Complaint Center).
Report IRS phishing attempts at the official IRS phishing site.
“Even your local police departments are now trained in how to deal with this. But certainly at the federal level, you are absolutely not alone.” – James Turgal [21:53]

The Human Factor in Social Engineering

[22:08]

Traditional security tools (antivirus, ad blockers) are ineffective against these scams since they rely on social engineering across voice, text, and email, fueled by breached personal data.

Memorable Quotes

On AI’s role in fraud:

“AI is taking all types of fraud… to an entirely new level.”
– James Turgal [15:12]
On attacker adaptation:

“The AI is now smart enough to read the tone of the victim… they’ll up the tone using different words like ‘search warrant’ or ‘arrest warrant’.”
– James Turgal [16:40]
On vigilance:

“The IRS is only going to communicate with you via U.S. postal mail… If it doesn’t come from IRS.gov domain, it’s fraud.”
– James Turgal [19:56]
On overcoming isolation:

“There are a lot of resources out there… you are absolutely not alone.”
– James Turgal [21:53]

Notable Complaint: AI & DEI Grant Terminations

[22:56]

Authors Guild alleges NEH grants were canceled based on ChatGPT’s keyword analysis, using a “grudge list” of DEI-related terms.
Grants mentioning “LGBTQ, tribal, or Black” were targeted; terminations done with little or no human oversight.

Timestamps for Key Segments

Russia’s Hybrid Threats in Europe: [00:32–02:47]
Ransomware Hits Mississippi Medical Center: [02:47–04:10]
PayPal Data Breach: [04:43–05:45]
ATM Jackpotting Trends: [05:45–07:12]
Trust Connect Malware Analysis: [08:39–09:37]
Android AI Malware Discovery: [10:37–11:56]
Critical VOIP Vulnerability: [12:11–13:04]
IRS IT Workforce Issues: [13:11–14:40]
James Turgal Interview (AI tax scams): [15:12–23:18]
AI-Assisted DEI Grant Cancellations: [22:56–23:20]

Powered by Wave AI

Summary

CyberWire Daily – “Facing a Slow-Burn Confrontation”

Episode Overview

Key News Stories & Analysis

1. Russian Hybrid Operations in Europe

2. University of Mississippi Medical Center Ransomware Attack

3. PayPal Data Breach

4. ATM Jackpotting on the Rise

5. Trust Connect: New Malware-as-a-Service

6. Android Malware Integrates Generative AI

7. Critical Zero-Day in Grandstream VOIP Phones

8. IRS IT Staff Losses & Concerns

Expert Interview: James Turgal on AI-Driven Tax Scams & IRS Fraud

Rise of AI in Tax Scams

Modern Tactics Used by Scammers

Shift from Shotgun to Targeted Attacks

Guidance for Individuals

Reporting & Resources

The Human Factor in Social Engineering

Memorable Quotes

Notable Complaint: AI & DEI Grant Terminations

Timestamps for Key Segments

Conclusion

Summary

CyberWire Daily – “Facing a Slow-Burn Confrontation”

Episode Overview

Key News Stories & Analysis

1. Russian Hybrid Operations in Europe

2. University of Mississippi Medical Center Ransomware Attack

3. PayPal Data Breach

4. ATM Jackpotting on the Rise

5. Trust Connect: New Malware-as-a-Service

6. Android Malware Integrates Generative AI

7. Critical Zero-Day in Grandstream VOIP Phones

8. IRS IT Staff Losses & Concerns

Expert Interview: James Turgal on AI-Driven Tax Scams & IRS Fraud

Rise of AI in Tax Scams

Modern Tactics Used by Scammers

Shift from Shotgun to Targeted Attacks

Guidance for Individuals

Reporting & Resources

The Human Factor in Social Engineering

Memorable Quotes

Notable Complaint: AI & DEI Grant Terminations

Timestamps for Key Segments

Conclusion