CyberWire Daily Summary: Iran’s Digital Threat after U.S. Strikes
Release Date: June 24, 2025
Host: N2K Networks
1. Iran’s Digital Retaliation Following U.S. Strikes
In the wake of the U.S. bombing of Iranian nuclear sites on Saturday, cybersecurity experts have raised alarms about potential Iranian retaliation in the digital realm. Dave Bittner highlights that while Iran responded with a symbolic missile attack on U.S. forces in Qatar, the cyber threat remains significant.
“Iran responded with a largely symbolic missile attack on US forces in Qatar, but experts caution that digital retaliation is still likely.” – Dave Bittner [02:30]
The Department of Homeland Security has issued warnings about possible cyberattacks and associated violence. Former CISA head Jenn Easterly emphasized the urgency for critical infrastructure operators to bolster their cybersecurity measures.
“Critical infrastructure operators must secure their systems against potential Iranian cyber threats.” – Jenn Easterly [04:15]
Although Iran's cyber capabilities are deemed second-tier, their tactics—such as social engineering and custom malware targeting U.S. fuel systems—can still cause substantial disruption. Activist groups aligned with Iran have intensified online propaganda, blurring the lines between psychological warfare and actual cyber threats. Experts warn that Iran might deploy destructive malware similar to past wiper attacks, making the current threat a blend of perception and potential cyber damage.
2. Sabotage Disrupts NATO Summit in The Hague
A significant act of sabotage occurred during the NATO summit in The Hague when a fire damaged nearly 30 railway cables, effectively halting train services between Amsterdam and The Hague. This incident happened as over 45 world leaders were arriving, creating a major security concern.
“A potential act of sabotage disrupted the NATO summit in the Hague after a fire damaged nearly 30 railway cables.” – Dave Bittner [05:50]
Dutch Justice Minister David van Weel suggested sabotage as the likely cause, although the exact source remains unidentified. In response, approximately 27,000 police and military personnel were deployed in what was termed the largest security operation in Dutch history. Pro-Russian hacktivists claimed responsibility, attributing the disruption to DDoS attacks aimed at the summit.
This event aligns with NATO's increasing concerns over Russian hybrid threats, reminiscent of previous incidents like France's 2023 railway disruptions before the Olympics. NATO officials have since cautioned about a growing campaign by Russia targeting Western infrastructure.
3. Salt Typhoon Breaches Canadian Telecom Provider
In February 2025, Canadian cybersecurity officials uncovered that Salt Typhoon, a Chinese state-sponsored hacking group, had breached a major Canadian telecom provider. The attackers exploited an outdated Cisco vulnerability that remained unpatched despite known threats.
“Salt Typhoon took advantage of an old Cisco vulnerability that had remained unpatched long after its discovery.” – Dave Bittner [08:20]
Once inside the network, the group accessed sensitive configuration files to establish a GRE tunnel, likely intended to siphon off network traffic. This wasn’t Salt Typhoon’s first intrusion; the group had previously targeted U.S. telecom giants and was under Canadian surveillance for earlier reconnaissance activities. Despite these warnings, critical infrastructure remains vulnerable.
Authorities from the Canadian Centre for Cyber Security and the FBI have cautioned that the threat persists, with Salt Typhoon continuing to target telecoms and other sectors, particularly focusing on edge devices like routers and VPNs.
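As an added defender's check (example code written for this summary, not from the episode or any vendor tool), the following Python parses a constructed Cisco IOS-style running config and flags GRE tunnel interfaces whose peer is not on an approved list, the kind of unexpected tunnel described above. The config, the allowlist and the reliance on IOS's default GRE/IP mode for a tunnel with no explicit `tunnel mode` line are assumptions.

```python
import re

# Constructed IOS-style config: Tunnel0 is documented and approved,
# Tunnel7 has no description and points at a peer nobody approved.
SAMPLE_CONFIG = """\
interface Tunnel0
 description Site-to-site to DC (change CHG-0001)
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel7
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
!
"""

# Assumed allowlist of tunnel peers, e.g. taken from change records.
APPROVED_PEERS = {"203.0.113.10"}

def parse_tunnels(config: str) -> dict:
    """Map each Tunnel interface to its source, destination, mode, description."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # start of a top-level stanza
            m = re.match(r"interface (Tunnel\d+)\s*$", line)
            current = m.group(1) if m else None
            if current:
                tunnels[current] = {"mode": "gre ip"}  # IOS default when unset
            continue
        if current is None:
            continue
        key, _, rest = line.strip().partition(" ")
        if key == "tunnel":
            sub, _, value = rest.partition(" ")
            tunnels[current][sub] = value       # source / destination / mode
        elif key == "description":
            tunnels[current]["description"] = rest
    return tunnels

def audit(config: str, approved: set) -> list:
    """Return (interface, peer, finding) for GRE tunnels that deserve a look."""
    findings = []
    for name, t in parse_tunnels(config).items():
        peer = t.get("destination")
        if t["mode"].startswith("gre") and peer not in approved:
            findings.append((name, peer, "GRE tunnel to unapproved peer"))
        if "description" not in t:
            findings.append((name, peer, "tunnel has no description/change reference"))
    return findings
```

Run `audit(SAMPLE_CONFIG, APPROVED_PEERS)` against a config pulled from each edge device to diff tunnel peers against what change management actually approved.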
4. US House Prohibits WhatsApp on Government Devices
The U.S. House of Representatives has officially banned the use of WhatsApp on all government-issued devices due to concerns over data transparency, insufficient encryption, and associated security risks.
“The Office of Cybersecurity called the app high risk and ordered its removal from House-managed phones and computers.” – Dave Bittner [09:50]
This decision is part of broader efforts to restrict the use of potentially risky technologies, including certain AI tools. Meta, WhatsApp’s parent company, disputed the ban by emphasizing its end-to-end encryption features. Approved alternatives now include Microsoft Teams, Signal, and iMessage. Additionally, government staffers have been cautioned against potential phishing threats associated with WhatsApp usage.
5. APT28 Exploits Signal for Phishing Campaigns Against Ukraine
APT28, a Russian-backed advanced persistent threat group, has been leveraging Signal chats in sophisticated phishing campaigns targeting Ukrainian government entities. The group disseminates malicious documents embedded with macros that deploy advanced malware.
“APT28 has been using Signal chats in phishing campaigns targeting Ukrainian government entities.” – Dave Bittner [11:15]
The malicious documents initiate the download of Covenant, a memory-resident loader that further deploys Beardshell—a C malware variant designed to retrieve encrypted PowerShell scripts and communicate with command and control servers via the IceDrive API. Beardshell maintains persistence through Windows Registry COM hijacking. Additionally, another tool, Slim Agent, captures and encrypts screenshots for data exfiltration.
These evolving tactics, uncovered by CERT-UA with assistance from ESET, demonstrate APT28’s adaptability in cyber espionage. Previously, the group exploited Wi-Fi proximity in their campaigns. Ukrainian officials have criticized Signal for not effectively mitigating such abuses, while Signal maintains that its strong encryption and privacy measures are vital, despite challenges posed by espionage activities.
6. China-Linked APT UAT5918 Constructs Espionage Network
A China-linked advanced persistent threat group, identified as UAT5918, has established a covert network comprising over 1,000 compromised devices, referred to as "lapdogs," for long-term espionage purposes.
“UAT5918 has built a covert network of over 1,000 compromised devices dubbed lapdogs for long-term espionage.” – Dave Bittner [12:40]
The group primarily infected small office and home office (SOHO) routers, notably Ruckus and Buffalo models, utilizing a custom backdoor named Shortleash. These devices, exploited through outdated vulnerabilities, now function as stealthy relay nodes. The espionage campaign targets sectors such as IT and media across the U.S. and Asia, with indications that the lapdogs initiative began in late 2023. While related to the larger PolarEdge network, UAT5918 operates distinctly within it.
Security researcher Mr. Dox provided insights into this operation, underscoring the persistent threat posed by state-sponsored espionage networks.
7. FileFix: A Novel Phishing Technique
Security researcher Mr. Dox has introduced "FileFix," a browser-based phishing method that represents an evolution of the traditional ClickFix technique.
“FileFix abuses the file upload features in browsers to execute PowerShell code without the user leaving their browser.” – Dave Bittner [13:05]
Unlike ClickFix, which tricks users into executing malicious commands via the Windows Run dialog, FileFix uses social engineering to persuade users to paste a malicious command into the File Explorer address bar. The pasted command runs PowerShell without the user ever leaving the browser. The attack disguises the command behind a decoy file path and uses browser scripting to copy the payload to the clipboard.
A second variation of FileFix demonstrates how launching executables via File Explorer can bypass Windows’ web protection measures by stripping security flags from downloadable files. These variations highlight the escalating sophistication of social engineering tactics, emphasizing the critical need for enhanced user awareness and stringent monitoring of browser-generated system processes.
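As an added defender's example (written for this summary, not code from the episode or from the researcher's write-up), the following Python flags process-creation events that match the "browser-generated system process" pattern described above: a script host spawned directly by a browser, or launched via explorer.exe with a document-looking path in its command line. The Sysmon-style field names, the sample events and the process lists are all constructed assumptions to tune for your environment.

```python
import json
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon-style fields). Line 1: a shell
# spawned directly by a browser. Line 2: a shell started via explorer.exe with
# a document-looking path in its command line. Lines 3-4: benign activity.
SAMPLE_EVENTS = r"""
{"ts": "2025-06-24T09:01:02Z", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "powershell.exe -w hidden -c <redacted>"}
{"ts": "2025-06-24T09:03:11Z", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -c <redacted> C:\\Share\\HR\\Policy.docx"}
{"ts": "2025-06-24T09:05:40Z", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Share\\HR\\Policy.docx"}
{"ts": "2025-06-24T09:07:05Z", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\Tools\\backup.ps1"}
"""

# Script hosts to watch and browsers that should never spawn them directly;
# both sets are assumptions to tune per environment.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx")

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict):
    """Return (severity, reason) for a suspicious event, else None."""
    child = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "").lower()
    if child not in SHELLS:
        return None
    if parent in BROWSERS:
        return ("high", f"{child} spawned directly by browser {parent}")
    if parent == "explorer.exe" and any(ext in cmdline for ext in DOC_EXTENSIONS):
        return ("medium", f"{child} via explorer.exe with a document path in its command line")
    return None

def scan(lines):
    """Parse JSON event lines; return alerts as (ts, severity, reason)."""
    alerts = []
    for line in filter(None, (l.strip() for l in lines)):
        event = json.loads(line)
        hit = classify(event)
        if hit:
            alerts.append((event["ts"], *hit))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(*alert)
```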
8. Spark Kitty Spyware Targets Mobile Users in Southeast Asia and China
Kaspersky has uncovered a spyware campaign named Spark Kitty, which targets Android and iOS users primarily in Southeast Asia and China. Active since early 2024, the campaign distributes malicious apps masquerading as legitimate tools, such as TikTok mods or cryptocurrency applications, through both official and unofficial app stores.
“Spark Kitty steals images from device galleries to extract cryptocurrency wallet information using optical character recognition.” – Dave Bittner [14:00]
On iOS devices, attackers exploit Apple's Enterprise program and modified open-source libraries to circumvent App Store restrictions. One particularly malicious Android app amassed over 10,000 downloads on Google Play before its removal. Similar threats have emerged as progressive web apps linked to scams and Ponzi schemes. Kaspersky associates Spark Kitty with the earlier Spark Cat campaign, noting that both utilize image theft and OCR to harvest sensitive crypto-related data from mobile users. Importantly, the malicious code is embedded directly into the apps rather than being introduced via third-party SDKs, indicating a more targeted and deliberate approach.
9. Coinbase Users Lose $4 Million to Phishing Scam
Blockchain investigator ZachXBT has exposed a sophisticated scam orchestrated by Christian Neves, also known as DayTwo, which resulted in the theft of $4 million from Coinbase users. Neves and his associates impersonated Coinbase support staff to deceive victims into creating wallets with pre-compromised seed phrases on phishing websites.
“Neves and his group tricked victims into creating wallets with pre-compromised seed phrases on phishing sites.” – Dave Bittner [14:35]
An accomplice, known as Paranoia, specifically targeted an elderly victim, stealing $240,000. Much of the stolen cryptocurrency was subsequently gambled away or laundered using Monero. Despite clear on-chain evidence, law enforcement authorities have yet to file charges, and the majority of the funds remain unrecoverable. This case underscores the persistent risks associated with phishing attacks and the challenges in prosecuting cybercriminals in the cryptocurrency space.
10. Threat Vector Interview: Thought Leadership vs. Echo Chambers in Cybersecurity Marketing
In the Threat Vector segment, host David Moulton engages in a deep conversation with Tyler Shields, Principal Analyst at ESG, about the delicate balance between genuine thought leadership and the formation of echo chambers within the cybersecurity industry.
“Thought leadership could be simple definitions of something if the audience doesn't understand that, or it could be very deep research that pushes the boundaries.” – Tyler Shields [16:33]
Tyler Shields emphasizes that true thought leadership revolves around providing unique and valuable insights to the audience, rather than merely recycling existing ideas. He advocates for pushing boundaries and innovating within marketing strategies to foster genuine engagement and trust.
“When you're doing thought leadership from a marketing vantage point, it's about providing value to someone else.” – Tyler Shields [17:39]
Shields discusses the challenges faced by security professionals in articulating new ideas without falling into the trap of repetitive echo chambers. He encourages both individuals and corporations to embrace forward-thinking approaches, even at the risk of making mistakes, as long as these attempts are grounded in thorough research and genuine intent to add value.
“I love to push the boundaries. I love companies that recognize their brand can help and back those pushes and become innovative and forward thinking.” – Tyler Shields [18:01]
Looking ahead five years, Shields predicts that the biggest challenges for security marketers will involve maintaining uniqueness and providing exceptional value amidst a crowded and evolving market landscape.
“Their marketing should be highly successful by being very aggressive and trying things and letting things fly.” – Tyler Shields [20:01]
The interview underscores the importance of authenticity and innovation in cybersecurity marketing to avoid becoming trapped in unproductive echo chambers.
11. War Thunder Gamers Leak Military Documents
The digital battlefield of the online military combat game War Thunder has faced another breach, not from cyberattacks but from overzealous forum participants sharing restricted military documents.
“An enthusiast uploaded handling materials for the AV-8B and TAV-8B Harriers, leading to a temporary ban and forum cleanup.” – Dave Bittner [21:30]
While the documents shared were not classified, they were marked for limited distribution, resulting in the offender receiving a temporary ban and prompting a thorough cleanup by the game's developers. Similar incidents involving disclosures of Russian tanks and U.S. armored vehicles have occurred previously, eliciting mixed reactions from moderators and military personnel. An RAF engineer succinctly commented on the matter:
“These aren't exactly earth-shattering disclosures, but rules are rules.” – RAF Engineer [22:00]
The recurring nature of such leaks suggests that as long as the game remains popular, moderators will continue to face challenges in enforcing distribution policies.
Conclusion
The June 24, 2025 episode of CyberWire Daily delivered a comprehensive overview of pressing cybersecurity threats and incidents, ranging from state-sponsored cyber retaliation and sophisticated phishing campaigns to innovative malware tactics and insider threats within digital communities. The in-depth discussions, particularly the Threat Vector segment, provided valuable insights into the evolving landscape of cybersecurity marketing and its challenges. As cyber threats continue to adapt and proliferate, the importance of proactive defense measures, informed marketing strategies, and community vigilance remains paramount.
For more detailed information on the topics covered, please refer to the full transcript or listen to the episode directly through your preferred podcast platform.
