A
You're listening to the CyberWire Network, powered by N2K. These days, attackers rarely start with a bang. They start quietly. A leaked credential, a stolen session cookie, a lookalike domain that shouldn't exist. That's where NordStellar comes in. NordStellar is a threat exposure management platform that helps organizations see what attackers already know about them before it turns into an incident. It brings together data breach monitoring, dark web monitoring, attack surface management and cybersquatting detection in a single platform. That means visibility into leaked credentials and malware logs, insight into brand impersonation attempts, and a clear picture of exposed Internet-facing assets and shadow IT. For CISOs, it's a way to reduce response costs, prioritize real risk and communicate clearly with the board. For security teams, it's real-time alerts, contextual intelligence and faster investigations without the noise. Most companies only react after the damage is done. Don't wait until your data is already for sale. Protect your business today with NordStellar. Learn more at nordstellar.com. CyberWire Daily listeners, don't forget to mention CyberWire 10 for an exclusive offer. GPS jamming hits the Strait of Hormuz. An Iran-linked threat actor uses AI to target Iraqi government officials. Activists leak thousands of DHS contract records. A Hawaii cancer center suffers a data breach. Google patches over 100 Android vulnerabilities. A new report tallies the scale of third-party breaches. An MS-Agent AI framework flaw allows full system compromise. On today's Threat Vector segment, Evan Gordonker, Director of AI Security and DPRK Operations at Palo Alto Networks Unit 42, joins David Moulton to unpack North Korea's hiring scams. And tire tech turns tattletale.
A
March 3, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us. Shipping through the Strait of Hormuz has nearly stalled following the start of US and Israeli strikes against Iran on February 28, as military attacks and widespread GPS and Automatic Identification System, or AIS, disruptions raise safety risks. According to maritime intelligence from Windward, more than 1,100 ships in Iranian, Emirati, Qatari and Omani waters have experienced electronic interference, with vessels falsely appearing inland or at sensitive sites like a nuclear power plant. The firm identified 21 new clusters of AIS jamming, with most incidents involving signal jamming rather than spoofing. Maritime authorities have labeled the threat critical, warning that degraded positioning data increases the risk of collisions, groundings or oil spills. As the conflict expands, analysts say broader attacks could further escalate electronic interference and navigational danger in the region. Amazon confirmed drone strikes damaged three AWS data centers in the UAE and one in Bahrain, disrupting cloud services across the Middle East. The company says facilities in the AWS Middle East (UAE) region, me-central-1, and the AWS Middle East (Bahrain) region sustained structural damage, power disruptions and, in some cases, water damage from fire suppression efforts. Two UAE facilities were directly struck, and a nearby strike affected infrastructure in Bahrain. Three availability zones remain significantly impaired or affected by localized power issues. Amazon is restoring physical infrastructure and pursuing software-based recovery paths. Customers have been advised to activate disaster recovery plans and migrate workloads to other regions. The United Kingdom's National Cyber Security Centre also warned of heightened Iranian cyber risk amid the conflict.
An Iran-linked threat actor targeted Iraqi government officials by impersonating Iraq's Ministry of Foreign Affairs and using AI-assisted malware. Zscaler Threat Labs detected the campaign in January of this year and tracks the actor as Dust Specter, attributing it to Iran with medium to high confidence. Government-related infrastructure in Iraq was compromised to host malicious payloads. Researchers identified previously undocumented malware, including SplitDrop, TwinTask, TwinTalk and a .NET remote access Trojan called GhostForm. One attack chain used a password-protected RAR archive delivering a dropper that deployed DLLs for command execution and data exfiltration. A second chain consolidated capabilities into a single binary, using Google Forms lures and in-memory PowerShell execution. Threat Labs observed emojis and unusual Unicode patterns in the code, suggesting generative AI tools were used in development. Activists calling themselves Department of Peace claim they breached the Department of Homeland Security and leaked thousands of contract records. The nonprofit DDoSecrets published data Sunday tied to contracts between DHS, Immigration and Customs Enforcement and more than 6,000 companies. Named firms include defense contractors Anduril, L3Harris and Raytheon, surveillance provider Palantir, and tech companies Microsoft and Oracle. The hackers say the data came from DHS's Office of Industry Partnership, which procures private sector technology. Security researcher Micah Lee organized the records into a searchable website listing contract amounts and contractor contact details. DHS and ICE did not respond to requests for comment. The group said it acted in response to the killings of two protesters and to expose companies supporting DHS operations, including immigration enforcement and deportations. The University of Hawaii says a ransomware attack on its cancer center's epidemiology division exposed data tied to nearly 1.2 million individuals.
The August 2025 breach affected research files, including names, Social Security numbers, driver's license numbers and health data from long-running epidemiological studies and public records. Clinical operations and student records were not impacted. The attackers encrypted systems, delaying recovery, and the university says it paid for a decryption tool and the secure destruction of stolen data. Google has released March Android security updates addressing 129 vulnerabilities, including an actively exploited zero-day in a Qualcomm display component. The flaw involves an integer overflow in Qualcomm's graphics subcomponent that can lead to memory corruption. Google says there are indications of limited, targeted exploitation. Qualcomm disclosed the issue in February, noting it affects 235 chipsets and that customers were notified earlier that month. The March bulletin also patches 10 critical flaws in Android's system, framework and kernel components, including one that could allow remote code execution without user interaction. Google issued two patch levels, with broader fixes in the March 5 release. Pixel devices receive updates immediately, while other vendors may face delays. Elsewhere, researchers have disclosed a high-severity Google Chrome flaw that lets malicious extensions hijack the browser's Gemini Live AI panel and inherit elevated privileges. The bug was discovered by Palo Alto Networks Unit 42. Rogue extensions could abuse Chrome's extension network rules to intercept traffic to the embedded Gemini Live panel and inject their own JavaScript. Because Gemini Live is tightly integrated with Chrome and can access screenshots, local files, cameras and microphones, a compromised panel could grant extensions access beyond their intended permissions. Researchers say this could have enabled webcam or microphone activation, file access or phishing content injection. Google patched the issue in January with Chrome 143 stable updates.
The case highlights how deeply integrated AI features can expand the browser threat model. A new report from Black Kite finds third-party breaches affected more than 433 million individuals across 136 verified incidents in 2025. Underscoring the expanding blast radius of supply chain attacks, the firm identified an average of 5.2 named downstream victims per breached vendor, totaling 719 companies. Vendors also reported 26,000 additional unnamed corporate victims, suggesting the total impact may be higher. Software service providers accounted for 28% of breaches, with healthcare, education and financial services most affected. Downstream detection and disclosure delays were significant, with a median of 10 days to detect intrusions and 73 days to notify customers. Black Kite also found widespread critical vulnerabilities and exposed credentials among major vendors, warning that traditional third-party risk management is failing to keep pace with evolving threats. A high-severity flaw in the open source ModelScope MS-Agent framework allows attackers to execute arbitrary operating system commands through crafted input. The issue stems from the framework's shell tool, which relies on an unsafe regex-based blacklist to filter dangerous commands. Researchers say attackers can inject malicious content into prompts or other data sources, tricking the agent into generating and executing attacker-influenced shell commands. Successful exploitation could lead to full host compromise, data exfiltration and persistence. The vendor has not responded to coordination. Coming up after the break, from today's Threat Vector segment, Evan Gordonker and David Moulton unpack North Korea's hiring scams. And tire tech turns tattletale. Stay with us. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. No, it's not your imagination. Risk and regulation really are ramping up, and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me: if you're thinking about compliance, take the time to check out Vanta. Get started at vanta.com/cyber. Evan Gordonker is Director of AI Security and DPRK Operations at Unit 42. On today's Threat Vector segment, he joins David Moulton to unpack North Korea's hiring scams.
C
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience and the industry trends that matter most. What you're about to hear is a snapshot of my conversation with Evan Gordonker, consulting director at Unit 42, who focuses on AI security and disrupting North Korean state-sponsored operations. Here's something that should get your attention. North Korea is running a billion-dollar hiring scam, and your organization is probably being targeted right now. Thousands of North Korean workers are landing legitimate remote jobs at global companies, funneling 80% of their wages directly back to the regime to fund weapons programs. This isn't theoretical. Evan's team has caught North Korean operators juggling three or four jobs simultaneously, armed with hundreds of fake identities, AI-generated headshots, and real-time deepfake technology that can mask their appearance or even change their accents during video interviews. So before we started the podcast, you and I were talking about how this focus for you with the North Koreans, and especially the IT workers, was a passion project. Is that time that you spent in Japan something that influences the fact that you decided to take on extra work? You know, in addition to the proactive security consulting that you do with our clients, you also picked this up. It's too important to ignore. What is it that drew you to it?
B
I think it's a very human threat, in that there are humans in the cycle that are affected by this, starting with the North Koreans themselves. These are people that realize they're good at technology. They pass a math test when they're about middle school age, and if they're good, they get trained up on English, they get trained up on computer science. And to me, it's really fascinating that they're being coerced into this work as well. And there have been some defectors that have talked about this, where there's just this chain of victims that follows straight from the top of the North Korean regime, and then just victim, victim, victim, victim. And along the way, there are a few people that profit, but most of all, the people that profit are the leaders of the North Korean regime. I think it's fascinating how they stack up all of these victims, and yet the program is so successful that even though we've been talking about it for years, even though the FBI has been trying to disrupt it for years, it's still just as successful as ever.
C
So you talked about this as something that's been going on for years. I'm curious if you can give us a snapshot of how this has shifted in scope and sophistication over the years. And has generative AI helped accelerate the program? Has it changed it remarkably? You know, just give us a picture of what you're seeing there.
B
Yeah, the North Koreans have really made this a mechanized operation, insofar as there are people who are dedicated to doing interviews, for instance, who are dedicated to finding accomplices on the ground, who are dedicated to doing the actual job. And they vary in quality. But what you'll find across the whole spectrum here is that they all are very, very reliant on generative AI. And it's getting to a point where they're using it in very clever ways. But from the very beginning, they've been very reliant on using it to write their emails, to write their code. Now they're using it to do deepfakes: real-time video deepfakes, real-time audio deepfakes. Just the other day, there were reports that people are using it to change their accents. The North Korean accent is fairly distinctive, and now they're using it in real time to change their accent. And so I expect this to continue in perpetuity. It's not a vulnerability that is going away, and it's a huge place where money is being made for the regime.
C
Evan, the DPRK IT worker threat has evolved quite a bit since the security community first began talking about it. And we need to talk about how the DPRK IT workers are moving past some old assumptions, embracing new tactics to embed themselves within organizations.
B
So when we think about how the DPRK IT worker threat has evolved, we're seeing a focus towards more use of accomplices. They're using accomplices during the interview stage, they're using accomplices during the application stage. They're using accomplices to even get people into offices. So there's this assumption that I come across a lot where it's like, hey, we don't really hire remote workers, so we're safe. And what we found is that that's not necessarily true. For one, the North Koreans love to get in through the contracting angle. And sometimes business is such that you do need to hire, like, 10 people to work on a front-end app because leadership tells you, we want this two weeks from now. And so often big companies have the muscle to be able to surge in talent. And that's really where they get you: you're surging in talent for engineering work, and, you know, maybe seven out of those 10 people could well be North Koreans. We have seen real instances of that exact count. The other thing is they're able to pay people now to go sit in an office and fire up a Zoom, give that Zoom remote control, and just have somebody work on their laptop on someone else's behalf. And what the North Koreans are doing is they're hiring people in the United States and around the world to just go into offices and pass verifications. But then once they're there, they're enabling remote access. And that's where the exfiltration happens. That's where some of the wage theft occurs.
C
So let's look ahead a little bit. How do you see this IT worker threat evolving in the next few years?
B
Yeah, I'd expect more of the same. It's going to be higher pace, it's going to be higher volume. They're going to still go after more jobs. We've seen them expand out of just remote jobs, for instance, to proliferate into hybrid jobs and in-person jobs. I'd expect that to continue because for them this is a necessity. They make their money, they're surviving off of this. And the individuals that are perpetrating the scam are judged on how much money they're able to bring in, and necessarily they will be creative about this. So expect the threat to stick around for a long time, and expect it to get more accelerated and more targeted. That doesn't mean that there's nothing to do about it. I think, in terms of collaboration, we haven't built the muscle to talk amongst teams, to talk amongst companies, to talk amongst industries, and even to talk amongst countries about this threat. So building that muscle of saying, hey, here are some network indicators that you should watch out for, and being able to share that with someone who's able to share it widely in an anonymized context, might be really helpful towards preventing one attacker from being able to have six jobs around the country, to just keeping them limited to one at a time, for instance, so we can slow down the volume. And really I think there's an opportunity for us to just improve our baseline detections, especially in the HR space, because frankly it's going to be a space that is increasingly targeted as AI proves out that our hiring model is in some ways just fundamentally vulnerable.
C
If this got your attention, don't wait. Listen to the full episode now in your Threat Vector feed. It's called the Billion Dollar Hiring Scam Funding North Korea and it's live now. Thanks for listening. Stay secure. Goodbye for now.
A
Be sure to check out the complete Threat Vector podcast wherever you get your favorite shows. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
A
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. And finally, your car's tire pressure sensors may be keeping tabs on more than your air pressure. Researchers have shown they can also help track your movements. Academics from Spain, Switzerland and Luxembourg found that tire pressure monitoring systems, now mandatory worldwide, broadcast a unique identifier in plain text. Using five roadside receivers costing about 100 bucks each, the team collected more than 6 million TPMS messages from roughly 20,000 vehicles over 10 weeks. Because the identifier does not change during a tire's lifetime, researchers could match signals to specific cars and infer movement patterns, vehicle type, and even driving behavior. They warn that low-cost equipment and unencrypted transmissions make large-scale tracking feasible. In theory, attackers could also spoof flat tire alerts to force vehicles to stop, turning a safety feature into a surveillance tool. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco. Most security conferences talk about zero trust. Zero Trust World puts you inside it. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies and technical deep dives focused on real-world implementation. Whether you're blue team, red team or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.
Date: March 3, 2026
Host: Dave Bittner (N2K Networks)
Special Guest: Evan Gordonker (Unit 42, Palo Alto Networks)
This episode of CyberWire Daily delivers the latest on high-impact cybersecurity incidents and trends, focusing on the sudden rise in GPS jamming in the Strait of Hormuz, the use of AI by Iranian and North Korean threat actors, significant breaches and vulnerabilities affecting global organizations, and a deep dive into North Korea’s billion-dollar hiring scams using AI.
Main Theme: The convergence of geopolitical conflict, state-sponsored cyber operations, and the evolution of technology-driven threats, with a special focus on the risks posed by AI-powered deception and supply chain vulnerabilities.
Threat Vector segment [14:23–22:24]
Host: David Moulton
Guest: Evan Gordonker, Director of AI Security & DPRK Operations, Unit 42
For a deeper dive into North Korea’s hiring scam and how AI is revolutionizing threat actor tactics, listen to the full Threat Vector episode (“The Billion Dollar Hiring Scam Funding North Korea”) in your podcast feed.