A
You're listening to the CyberWire Network, powered by N2K. Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI-powered insights. With Velox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed if you need to outpace evolving adversaries and strengthen your defense at scale. Request a demo or start your 30-day free trial of Velox Reverser today at boozallen.com/reverser. A China-linked group exploits a critical Dell zero-day for 18 months. A Microsoft 365 Copilot bug risks sensitive email oversharing. A new Linux botnet leans on old-school IRC for command and control. Switzerland tightens critical infrastructure rules with mandatory cyber reporting. Astarion RAT emerges as a custom post-exploitation implant. Researchers find serious flaws in popular PDF platforms. A suspected Iranian-aligned campaign targets protest supporters. Notepad++ rolls out a double-lock update fix. A Spanish court orders NordVPN and ProtonVPN to block illegal football streams. Our guest is Keith Milarski, former FBI Special Agent and Chief Global Ambassador at Q Intel, reflecting on the 25th anniversary of notorious spy Robert Hanssen's arrest. And Dutch defense flaunts F-35 firmware freedom. It's Wednesday, February 18th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great, as always, to have you with us. Google researchers say a China-linked threat group has exploited a critical Dell zero-day for at least 18 months, deepening a long-running espionage campaign.
Google Threat Intelligence Group and Mandiant report that UNC6201, which overlaps with UNC5221, or Silk Typhoon, has exploited a vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The flaw stems from a hard-coded administrator password pulled from Apache Tomcat and carries a 10.0 CVSS severity score. Researchers say attackers used it for unauthenticated remote access with root-level persistence. The group previously deployed Brickstorm malware, then replaced it with the more advanced Grim Bolt backdoor. Dell released a patch Tuesday. Officials warn the actors likely remain active in unpatched systems. Long dwell times, often exceeding 400 days, gave attackers room for sustained espionage. CISA, the NSA, and Canadian authorities have released detection guidance, but researchers caution the full scope remains unknown. Microsoft says a bug in Microsoft 365 Copilot has been causing the AI assistant to summarize confidential emails since late January, bypassing organizations' data loss prevention policies. The issue was first detected January 21st and affects the Copilot Work tab chat feature. According to a service alert seen by BleepingComputer, Copilot incorrectly read and summarized emails stored in users' Sent Items and Drafts folders, including messages with sensitivity labels meant to restrict automated access. Microsoft confirmed that a code issue allowed labeled items to be processed despite DLP policies. The company began rolling out a fix in early February and says it's monitoring deployment and contacting some affected users. Microsoft has not disclosed how many organizations were impacted or provided a final remediation timeline. The incident is currently classified as an advisory, suggesting limited scope, though the investigation remains ongoing. Security researchers have identified a new Linux botnet, dubbed SSH Stalker, that uses Internet Relay Chat for command and control.
The research team at Flare discovered the operation through an SSH honeypot over a two-month period. According to its report, SSH Stalker chains an SSH scanner with rapid staging to enroll compromised systems into IRC channels, enabling centralized control. The botnet exploits legacy Linux kernel vulnerabilities and appears optimized for scale. Flare observed nearly 7,000 fresh SSH scan results in January. Most activity originated from cloud hosting providers across the U.S., Europe, and Asia Pacific, suggesting opportunistic automation rather than dedicated nation-state infrastructure. Researchers say the botnet maintains dormant persistence: it establishes access without launching distributed denial-of-service attacks or crypto mining, despite having those capabilities. Quiet footholds can signal staging for future operations. Flare recommends monitoring build tools, scanning for malware, and reviewing cron jobs. Switzerland's National Cyber Security Centre says 2025 marked a major shift, driven by mandatory cyber attack reporting for critical infrastructure. According to its annual report for 2025, the NCSC processed nearly 65,000 voluntary incident reports and 222 mandatory reports after the new requirement took effect April 1. Under the revised Information Security Act, organizations must report attacks within 24 hours. The Cybersecurity Hub, or CSH, expanded to about 1,600 members and added multilingual reporting and secure information sharing. The agency also exchanged data on over 4,600 incidents through the Malware Information Sharing Platform and led cybersecurity operations for major national events. Parliament approved budget increases beginning in 2026. Mandatory reporting and expanded information sharing improve early warning and coordinated defense across critical sectors. NCSC says the measures strengthen Switzerland's national cyber strategy and long-term resilience.
Huntress responded to a February 2026 intrusion that began with a ClickFix social engineering attack, a technique that surged last year. According to Huntress, ClickFix tricks users into copying and pasting malicious commands, bypassing traditional email security controls. In this case, it delivered Matanbuchus 3.0, a malware-as-a-service loader first advertised in 2021 and now priced up to $15,000 per month for a stealth DNS variant. Huntress says Matanbuchus deployed a previously undocumented custom implant they named Astarion RAT. The remote access Trojan used RSA-encrypted command and control traffic disguised as telemetry and supported credential theft, SOCKS5 proxying, port scanning, and reflective code loading. The operator moved laterally within 40 minutes, targeting a Windows server and domain controllers using PsExec, rogue accounts, and Defender exclusions. Huntress assesses with medium confidence the goal was ransomware or data theft. Researchers have uncovered 16 vulnerabilities in PDF platforms from Foxit and Apryse that could have enabled account takeover and data theft. The flaws were identified by pen testing startup Novi in Apryse WebViewer and Foxit's PDF cloud services. According to Novi, the issues included one critical and four high-severity bugs along with multiple medium-severity findings. Vulnerability types ranged from cross-site scripting and server-side request forgery to path traversal and operating system command injection. Researchers demonstrated that specially crafted documents, URLs, or messages could trigger arbitrary code execution and data exfiltration or persistent compromise, particularly when PDF viewers were embedded in authenticated enterprise applications. Both vendors say the vulnerabilities were responsibly disclosed and have been patched. Novi warns that widely embedded PDF components can become high-impact attack surfaces if left unexamined.
Researchers have uncovered a suspected Iranian-aligned cyber espionage campaign targeting protest supporters with custom malware. Acronis Threat Research Unit says the campaign, dubbed Crescent Harvest, began shortly after January 9th and uses malicious Windows shortcut files disguised as protest images and videos. The files include Farsi-language content framed as updates from Iran's rebellious cities. When executed, the malware uses DLL sideloading through a signed Google binary to deploy a remote access Trojan and information stealer. Capabilities include keylogging, browser credential theft, Telegram session exfiltration, and command execution over HTTPS using JSON-based command and control; infrastructure links to a Latvia-hosted server. Though attribution remains low confidence, Acronis assesses the campaign likely targets Farsi-speaking Iranians supportive of protests, as well as activists and journalists. Politically themed lures continue to enable long-term surveillance of at-risk communities. Notepad++ has strengthened its update security with a new double-lock verification system, introduced in the latest version, following a recent supply chain compromise. The mechanism verifies both the signed installer hosted on GitHub and a digitally signed XML file from notepadplusplus.org using XML Digital Signature. The update follows a six-month campaign attributed to the China-linked Lotus Blossom group, which compromised the software's hosting provider starting in June of last year and redirected select users to malicious servers. Rapid7 reported the attackers deployed a custom backdoor called Chrysalis. Additional hardening steps include removing the libcurl DLL to prevent DLL sideloading, eliminating insecure curl SSL options, restricting plugin execution to trusted certificates, switching hosting providers, and rotating credentials. Users are urged to upgrade and download installers only from the official website.
A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites illegally streaming football matches. The precautionary measures, requested by La Liga and broadcaster Telefonica, were issued without a hearing for the VPN providers and allowed no opportunity for appeal. The ruling applies to a dynamic list of IP addresses in Spain. La Liga argued that VPN services fall under the EU Digital Services regulation and facilitate access to pirated content by masking users' geographic locations. The court reportedly found VPNs to be an effective means of bypassing regional restrictions. ProtonVPN and NordVPN say they were not notified of the proceedings and question the lack of due process. NordVPN also argued that blocking domains is ineffective and that enforcement should target hosting providers and illegal content sources. Coming up after the break, Keith Milarski reflects on the 25th anniversary of notorious spy Robert Hanssen's arrest, and Dutch defense flaunts F-35 firmware freedom. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Most security conferences talk about zero trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your Zero Trust strategy from theory to execution. Today marks the 25th anniversary of the arrest of Robert Hanssen, broadly known as the worst spy in the FBI's history. Keith Milarski is a former FBI special agent and now Chief Global Ambassador at Q Intel, and he was present at Robert Hanssen's arrest. Well, Keith, welcome back. It's always great to have you join us here. I want to start off with just a little history lesson for folks who may not be familiar with the saga of Robert Hanssen and your part in it. Let's start with the history. What are we talking about here?
B
Yeah, so Robert Hanssen was the most devastating spy in FBI history and one of the most devastating spies in U.S. history. He spied for the Soviets and then the Russians for over 20 years. Yeah, over 20 years. He started first volunteering to the GRU, which is their military intelligence, in the early 1980s. And then circa 1985, he volunteered to the then KGB. And he just compromised so many sensitive intelligence operations, human sources, the tunnel that we tried to dig underneath the Soviet embassy at the time. So he was just utterly devastating. And he was an FBI agent. So I physically worked with him during my time when I worked in Washington, D.C.
A
Well, tell us about that. You're working with someone in the agency. And is it fair to say that, certainly at the beginning, you thought that this was just any other colleague?
B
Absolutely. There was nothing in his behavior that would indicate that he was such a devastating spy. Now, we knew that there was a spy that was going on, because there were a number of operations that had been rolled up unexplained. There was a spy at the CIA named Robert, I mean, Aldrich Ames, who actually recently just passed away a couple weeks ago. And so once he was arrested, they debriefed him to see what he compromised. And then there was this whole big list of operations that Ames had no connection to. So we knew that there was another spy in the U.S. intelligence community. But we didn't know where that was. Initially, we thought it was in the CIA. And we were investigating a CIA officer for a number of years that had connections to, let's say, 85% of those hundred, let's say, you know, operations that were compromised. So we thought we had the right guy. But then it turned out it really was not at the CIA. It was at the FBI, and it was Robert Hanssen.
A
What was your role then? I mean, this is 25 years ago. Today is the anniversary of his arrest. What was your experience level and role in the agency then?
B
So I was just a street agent on one of the counterintelligence squads at the Washington field office, investigating the SVR, which is the current Russian intelligence service. So we investigated the intelligence officers that were stationed under diplomatic cover at the embassy that would handle any penetrations into the U.S. government. So we were tracking the intelligence officers. We had seen that they were doing operational activity and other things that were indicative of agent handling, but we just didn't know who that was. One of the agents on my squad worked with Mike Rochford, who, if you haven't read his story or saw him at the Spy Museum, I recommend all listeners go check out Mike Rochford. But at the end of the day, one of my squad mates and Mike Rochford put together an operation where we recruited a former KGB officer that actually was the Moscow handler of this penetration of the U.S. government that we were searching for. And that agent provided us basically the dossier and other materials to help us identify who this penetration was. So Mike led that operation, and we were able to get those materials, and we thought it was the CIA officer. Now we got these materials. And so this was, I guess, circa the fall of 2000, so let's say November 2000. And we got all these materials that were passed, and they were all FBI documents. And we were like, wait a second. This doesn't appear like a penetration of the CIA. This appears like this is a penetration of the FBI. And there were two main pieces of evidence that we got. One was a tape-recorded message between the penetration and the KGB handler that occurred many years ago; it was a phone call that the KGB had recorded. And one of the analysts at headquarters had worked with Robert Hanssen for many years, and he listened to that tape and he said, that's Bob Hanssen. And so we were like, okay, now we have a problem. And this really sounds like Bob Hanssen.
And then we also got a trash bag that was used to wrap materials that the spy had passed. And we were able to extract a fingerprint from that, which came back to Bob Hanssen. So now we knew Bob Hanssen was the spy, and now we needed to prove it, because we had all these other materials. And to try to get, like, a former KGB officer to testify in trial, that's a little bit difficult. So really, Louis Freeh at the time was the FBI director. He's like, you have to arrest this guy. So my job, and a lot of my squad, was we were out with the SSGs, which is the FBI Special Surveillance Group. And we were following Hanssen, you know, day to day, 24 hours a day, from November of 2000 until his eventual arrest. So just basically really learning the patterns. And then we had other groups that were putting microphones in his office. You may have seen the movie Breach, or read other material, where Hanssen was working at the State Department at the time that we identified him. So we had to move him back to FBI headquarters, where we had a little bit more control over him and his comings and goings, and we could do some searches and really see what he was doing to try to get that evidence.
A
Tell us about the day of his actual apprehension, lead us up to that moment, because you were there.
B
Yeah, so this was fascinating. So we had done a covert search and we had backed up his Palm Pilot, which was, you know, you and I remember, state of the art at the time. Yeah, exactly. Way back in the day. And Hanssen loved technology, so he put everything in his Palm Pilot, including messages from the Russians to him. So we had identified new dead drop sites and new signal sites. So when we got those, I went out and did all the photographs of those sites. So the photographs that you see that were released by the FBI, yours truly took them. You could see my shadow in some of them. So I used to like to say I was in the shadows. But we knew that one of the dead drop sites was called Ellis, the codename Ellis, and that was at Foxstone Park in Vienna, Virginia. So it was going to be underneath the bridge. And the signal site was this sign right at the beginning. So we knew that that was a dead drop site. And then in his Palm Pilot, he had on this date, February 18th, which was a Sunday, he had Ellis at 8pm was the time. So we thought, well, the dead drop is going to happen at 8pm on that Sunday. So, you know, the FBI director again was like, look, we want to catch him in the act. We want to get him dropping materials to the Russians. So we all prepped for that. So my job was I was part of Arrest Team Two. So we had two arrest teams. One that was more of our SWAT team, that was our main one that wanted to get him. And then my team was the backup arrest team, if he came out one end of the park, and then my team was to get the Russian, if the Russians were going to go and do the dead drop and drop materials or money. So we thought it was going to happen at 8pm at night. So this is how things just luck happens, you know. So we actually weren't going to get on site until 6:00pm, like, so we're like a couple hours early. But we decided really that we're going to get on site at 3 o'clock.
So we were like, hey, let's just go out and do it. So Hanssen had one of his friends over and he was going to take him to Dulles Airport. So we're following him. He drops him off at Dulles Airport. We think he's probably going to go back home, because the drop isn't going to be until the evening. But he comes back and he veers off his normal way home. And he stops at Pike Plaza in Virginia there. And he pulls into the parking lot and he gets out of his car and he pops his trunk. And we can see him, as the SSGs and the surveillance are going around. We could see him wrapping the materials for the dead drop. And we're like, hey, this is happening now. This is game time. So your adrenaline starts running and rushing, and, you know, we have a plane up that's following him as well. And so we see him wrap it up, get back in his car and driving over to the park, and he parks a little bit away from it, and he starts walking into the park. And we had specially trained surveillance people in the park with, you know, eyes on the bridge. And they were in, you know, sniper ghillie suits so they could fit in. And so again, you know, your adrenaline is going. He goes in, you know, we hear that he placed the drop, and then he starts walking back out. And as he's coming out of the park, walking back to his car, that's where we get go take him down. And that's where we all just kind of swarmed in. And you can see in the videos the SWAT guys with the machine guns there, that we took him into custody and put handcuffs on him and finally arrested him.
A
Help me understand the feelings of you and your colleagues, because my guess would be there's a mix of a feeling of betrayal but that's balanced with professionalism, that this is part of the game. The espionage is part of the game that all nations play. Can you unpack that for us? Yeah.
B
It's a weird feeling, Dave, to be quite honest with you, because you work with a colleague and you think that everybody at the FBI, or everybody in the intelligence community, is doing the right thing for God and country, wants to protect the American people. And then to have somebody that is betraying all your work to an enemy, a foreign country, and compromising sources, people that you've convinced to spy for us, and then those people getting killed because their names are compromised to the Russians, that is a weird feeling that people just don't experience. So it's really hard to put into words, except this sense of betrayal, but at the same time, that professionalism, that, look, we were very proud that we were finally able to identify him and bring him to justice, because in another couple months he was going to retire, and it would have been so much more difficult to be able to prosecute him or to bring him to justice. So it was this sense of betrayal, but also this great sense of achievement that we were able to uncover somebody that had been anonymous even to the Russians for 20 years. So your emotions go really across the spectrum.
A
Well, Keith, thank you so much for taking us back there. It's, I guess, an interesting thing to note in our nation's history: 25 years since the arrest of Robert Hanssen.
B
Thanks, Dave. It's always a pleasure talking with you.
A
What's your 2 a.m. security worry? Is it, "Do I have the right controls in place?" Maybe, "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. And finally, in what may be the most 2026 sentence uttered by a defense official, the Netherlands defense secretary has suggested that an F-35 fighter jet can be jailbroken, just like an iPhone. Gijs Tuinman made the remark on a Dutch podcast when asked whether European operators could modify the jet's software if the US ever decided to cool the transatlantic friendship. The F-35, he noted, is a shared project with British engines and American components, implying mutual dependence. And if updates stopped, well, he hinted, creative solutions exist. Security experts were a bit less breathless.
One researcher pointed out that, unlike iPhones, F-35s are not available on eBay, and the lack of a tinkering community makes public jailbreaks unlikely. The jet's software is tightly managed through Lockheed Martin's logistics system, with only Israel allowed to run custom code. Still, in an era of kill switch rumors and shifting alliances, the idea of rebooting a fighter jet like a smartphone carries a certain dark charm. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Date: February 18, 2026
Host: Dave Bittner (N2K Networks)
Guest: Keith Milarski (former FBI Special Agent, Chief Global Ambassador at Q Intel)
This episode delivers the latest in cybersecurity news, touching on international cyber-espionage, emerging vulnerabilities, response to cyber threats, regulatory changes, and legal developments impacting VPNs. The featured interview with Keith Milarski revisits the arrest of Robert Hanssen, the most damaging spy in FBI history, offering rare firsthand insight on its 25th anniversary.
“Officials warn the actors likely remain active in unpatched systems. Long dwell times, often exceeding 400 days, gave attackers room for sustained espionage.” – Dave Bittner [03:00]
“Flare recommends monitoring build tools, scanning for malware, and reviewing cron jobs.”
“Users are urged to upgrade and download installers only from the official website.”
“NordVPN also argued that blocking domains is ineffective and that enforcement should target hosting providers and illegal content sources.” – Dave Bittner
“He just compromised so many sensitive intelligence operations, human sources, the tunnel that we tried to dig underneath the Soviet embassy… He was just utterly devastating.” – Keith Milarski [16:56]
“Your adrenaline starts running… we see him wrap it up, get back in his car and driving over to the park… as he's coming out… that's where we get go take him down… and took him into custody and put handcuffs on him.” – Keith Milarski [25:54-27:44]
“You work with a colleague and you think everybody…wants to protect the American people. And then to have somebody that is betraying all your work…that is a weird feeling…” – Keith Milarski [28:07]
“The idea of rebooting a fighter jet like a smartphone carries a certain dark charm.” – Dave Bittner
On root-level persistence by Chinese APT:
“Long dwell times, often exceeding 400 days, gave attackers room for sustained espionage.” – Dave Bittner [03:00]
On the Hanssen case:
“He spied for the Soviets and then the Russians for over 20 years. He started first volunteering to the GRU... then the KGB… He just compromised so many sensitive intelligence operations, human sources...” – Keith Milarski [16:56]
On the arrest operation:
“We see him wrap it up, get back in his car and driving over to the park… as he's coming out… that's where we get go take him down…” – Keith Milarski [25:54-27:44]
On emotional response:
“To have somebody that is betraying all your work to a enemy… that is a weird feeling that just people don't experience.” – Keith Milarski [28:07]
The episode offers serious, technical reporting with a tone of urgency and professionalism, especially in the interview, which brings sober, firsthand accounts of high-stakes counterintelligence work. The closing segment injects a touch of dry humor regarding the F-35 “jailbreak” comparison.
This detailed summary covers all critical stories and provides a comprehensive view of the episode's expert insights, ensuring value for listeners and non-listeners alike.