Risky Bulletin: iOS 26 Change Deletes Clues of Old Spyware Infections

Podcast: Risky Bulletin
Host: risky.biz
Date: October 24, 2025
Reader: Claire Aird
Prepared by: Catalin Cimpanu

Episode Overview

This edition of the Risky Bulletin is packed with significant cybersecurity updates. The primary focus is a critical change in Apple’s iOS 26 that wipes security logs vital for detecting historic spyware infections. The bulletin also covers major developments worldwide: a crackdown on Pegasus spyware abuse in Poland, prolonged hospital ransomware fallout, and the active disabling of Starlink terminals at scam compounds. Key regulatory and policy shifts, corporate breaches, and newly discovered vulnerabilities round out the episode’s comprehensive overview.

Main Discussion Points & Insights

1. iOS 26 Update Obscures Spyware Traces

• [00:07] Apple’s latest iOS 26 now overwrites rather than appends crucial shutdown log files on every boot.
  • Previously, these logs stored evidence of infections by advanced spyware like Pegasus and Predator.
  • Security firm Iverify warns this action "removes evidence that could have identified Pegasus and Predator spyware infections."
  • Insight: This move could hinder forensic investigations into device compromise history.

2. Pegasus Spyware Scandal in Poland: Prosecutions Begin

• [00:26] Two former Polish officials charged related to the Pegasus surveillance scandal:
  • Michael Voz (Former Deputy Justice Minister): Accused of purchasing Pegasus with funds intended for crime victims.
  • Daniel Carpeta (Former Deputy Anti-Corruption Chief): Charged with unlawfully sharing material obtained via Pegasus.
  • A third official not charged due to new judicial immunity.
• Under a previous government, Pegasus was employed to surveil political opponents.

3. Global Regulatory and Law Enforcement Actions

• South Korea:
  • [00:49] National cyber audits to assess over 1,600 government and critical infrastructure networks. Catalyst: Breaches at government systems and major telcos.
• Canada:
  • [01:00] Cryptocurrency exchange Cryptomas fined $177 million for anti-money laundering failures and facilitating Russian cybercrime activity.
• United States (CISA):
  • [01:10] Stakeholder Engagement Division at CISA laid off, 95 employees affected as part of government cutbacks.
  • DHS Secretary Kristi Noem emphasized prioritizing critical infrastructure security over election security.
  • [01:29] CSC 2.0 project warns of slipping cybersecurity posture in the US, with nearly 25% of key recommendations no longer implemented.
• Presidential Pardon:
  • [01:39] "US President Donald Trump has pardoned Binance CEO Changpeng Zhao," following money laundering charges. Binance’s ties with the Trump family’s World Liberty startup also noted.

4. Major Network Service Disruptions

• [01:48] Russia blocks WhatsApp and Telegram across 34 regions (representing 40% of Russia), escalating previous restrictions. Rationale: platforms used for "extortion and recruiting saboteurs".

5. Corporate and Infrastructure Breaches

• South Korea:
  • [02:00] LGU Plus investigating server breach after hackers claimed to have stolen data from 9,000 servers. Previous investigation closed, now reopened after new government confirmation.
• United States - L3Harris:
  • [02:17] Former Trenchant General Manager Peter Williams charged for selling hacking and surveillance tool secrets to Russia for $1.3 million.
  • News follows a whistleblower’s claim about unfair dismissal after tool leaks.
• SpaceX Starlink Terminals:
  • [02:35] Over 2,500 Starlink terminals shut down in Myanmar scam compounds post-military raids. Starlink became vital after landline internet was cut.
  • Congress is reviewing SpaceX’s handling of these scam networks.

6. Ongoing Ransomware Fallout

• [02:58] "A hospital in the US Virgin Islands has been offline for nearly five months due to a ransomware attack."
  • The hospital’s CEO revealed up to $800,000/week in revenue losses.
  • 85% of staff can now access records after months of restoration effort.
• [03:09] UK Jaguar Land Rover attack may become the "UK’s costliest cyber attack" with losses estimated at £1.9 billion, affecting 5,000+ suppliers.

7. Data Policy, Vulnerabilities, and Patch News

• TikTok Policy Changes:
  • [03:27] Now allows data sharing with regulatory authorities (not just law enforcement) and removes promise to notify users of such requests. This change could allow agencies like ICE to access data without a court order (via administrative subpoena).
• Microsoft Patch:
  • [03:39] File Explorer previews disabled for internet-sourced files to block attacks stealing NTLM password hashes.
• Newly Disclosed Vulnerabilities:
  • [03:47] Zero-day in Lanscope endpoint manager (Motex, Japan) – attackers can hijack clients with crafted packets, now patched.
  • Magento’s "Session Reaper" bug (patched September); only 38% of stores applied fix.
  • MCP Server Exposure: AI hosting misconfig exposed admin credentials for 3,000+ servers due to Docker misconfiguration—potential for customer data leaks.
• FIA Motorsports Portal Flaw:
  • [04:13] Anyone could grant themselves admin rights and access personal and internal data about F1 driver licenses — "The vulnerability was fixed within a week."

Notable Quotes & Memorable Moments

• On iOS Change:
  • "A change to Apple’s iOS 26 is now deleting a crucial log that stored traces of spyware infections. Previously, data was appended to the shutdown log file, but that file is now being overwritten during every boot."
    — Claire Aird, [00:07]
• On Pegasus Scandal:
  • "Former Deputy Justice Minister Michael VOZ is accused of purchasing Pegasus spyware with funds earmarked for crime victims."
    — Claire Aird, [00:26]
• On US Cybersecurity Posture:
  • "America’s cybersecurity posture is slipping, according to the successor of the Cyberspace Solarium Commission... almost a quarter of recommendations previously made by the commission are no longer fully implemented."
    — Claire Aird, [01:29]
• On Starlink Suspensions:
  • "SpaceX has suspended more than 2,500 Starlink terminals in the vicinity of known scam compounds in Myanmar."
    — Claire Aird, [02:35]
• On Prolonged Hospital Outage:
  • "A hospital in the US Virgin Islands has been offline for nearly five months due to a ransomware attack... CEO Darlene A. Baptiste estimated the hospital has been losing up to $800,000 a week due to the outage."
    — Claire Aird, [02:58]
• On TikTok Data Policy:
  • "TikTok has updated its policies to allow sharing user data with regulatory authorities... TikTok has also removed its promise to notify users when their data has been requested."
    — Claire Aird, [03:27]

Key Segment Timestamps

• iOS 26 deletes spyware clues: [00:07]
• Poland Pegasus prosecutions: [00:26]
• South Korea/Canada cybersecurity actions: [00:49–01:00]
• US CISA layoffs & cybersecurity concerns: [01:10–01:29]
• Trump pardons Binance CEO: [01:39]
• Russia blocks WhatsApp/Telegram: [01:48]
• LGU Plus breach & Starlink suspensions: [02:00–02:35]
• USVI hospital ransomware, Jaguar Land Rover: [02:58–03:09]
• TikTok/Microsoft/lanscope&MCP/Magento/FIA flaws: [03:27–04:13]

Summary

This Risky Bulletin episode offers a fast-paced, information-dense roundup of the week’s most pressing cybersecurity stories. The podcast underscores the far-reaching consequences of technical, legal, and policy choices—from Apple’s quietly destructive iOS change to high-profile prosecutions and persistent vulnerabilities. For practitioners, policymakers, and observers, the episode vividly illustrates the ongoing, multi-front battle to protect digital infrastructure.