
A change in iOS is deleting clues of old spyware infections, Starlink disables 2,500 terminals at scam compounds, a Caribbean hospital is still down five months after a ransomware attack, and officials are charged in Poland's Pegasus spyware scandal. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 24th of October and this podcast episode is brought to you by Dropzone.

In today's top story, a change to Apple's iOS 26 is now deleting a crucial log that stored traces of spyware infections. Previously, data was appended to the shutdown log file, but that file is now being overwritten during every boot. Security firm iVerify has warned that the change removes evidence that could have identified Pegasus and Predator spyware infections.

In other news, two former Polish government officials have been charged during an investigation into the country's spyware scandal. Former Deputy Justice Minister Michał Woś is accused of purchasing Pegasus spyware with funds earmarked for crime victims. Former Deputy Anti-Corruption Chief Daniel Carpeta has been charged with unlawfully sharing material obtained through Pegasus surveillance. A third official could not be charged because he's now a Constitutional Court judge. Under the previous leadership, the Polish government used Pegasus to spy on political opponents.

The South Korean government will conduct cyber security audits of more than 1,600 IT networks. The audits will assess government networks and critical infrastructure operators. The announcement follows recent breaches of government systems and the country's two largest telcos.

Canada has fined the Cryptomus cryptocurrency exchange $177 million for failing to follow anti-money laundering regulations. The exchange failed to file suspicious transaction reports. Last December, Krebs on Security reported that Cryptomus was acting as an intermediary for Russian crypto and cybercrime services.

CISA has shut down a division that collaborated with the private sector and local governments to secure critical infrastructure. All 95 employees of the Stakeholder Engagement Division were laid off earlier this month at the start of the US government shutdown. The layoffs will go into effect at the start of December. DHS Secretary Kristi Noem previously told Congress the agency would prioritise securing critical infrastructure over election security.

America's cybersecurity posture is slipping, according to the successor of the Cyberspace Solarium Commission. The CSC 2.0 project says almost a quarter of recommendations previously made by the commission are no longer fully implemented. The project blames the regression on cutbacks at CISA and across the wider US government.

US President Donald Trump has pardoned Binance CEO Changpeng Zhao. Zhao pleaded guilty last year to money laundering after Binance failed to stem the flow of hacked funds through the platform. Earlier this year, Binance partnered with the Trump family's World Liberty startup to run its USD1 cryptocurrency.

Russia is blocking access to WhatsApp and Telegram instant messaging services. Outages have been reported in 34 regions covering 40% of Russia. In August, the country's government began restricting WhatsApp and Telegram voice and video calls. Officials said access is being restricted due to the platforms being used for extortion and recruiting saboteurs.

Another South Korean mobile operator is investigating a possible security breach. The hack of LG Uplus first came to light in August when it was reported in the Phrack hacker ezine. The hackers reportedly stole data from almost 9,000 servers. The company initially said it found no evidence of a breach. It reopened the investigation this week after the South Korean government confirmed a separate breach disclosed in the same Phrack article.

The US government has charged a former L3Harris executive accused of stealing and selling trade secrets to Russia. The suspect was identified as former Trenchant general manager Peter Williams. Trenchant is a division of L3Harris that develops hacking and surveillance tools. The Department of Justice says Williams received $1.3 million for selling seven trade secrets to a buyer in Russia. News of the arrest comes after a former Trenchant employee came forward this week claiming he was unfairly fired following a leak of Trenchant hacking tools.

SpaceX has suspended more than 2,500 Starlink terminals in the vicinity of known scam compounds in Myanmar. The terminals were shut down the day after the military seized Starlink equipment during raids at the compounds. The company's equipment has become ubiquitous at scam compounds after authorities cut landline Internet access. Last month, the US Congress Joint Economic Committee launched an investigation into Starlink's failure to disable terminals used for scamming.

A hospital in the US Virgin Islands has been offline for nearly five months due to a ransomware attack. The Juan F. Luis Hospital has been attempting to rebuild its computer systems since April this year. Around 85% of staff can now access the hospital's health record system. CEO Darlene A. Baptiste estimated the hospital has been losing up to $800,000 a week due to the outage.

The ransomware attack on Jaguar Land Rover is expected to become the UK's costliest cyber attack. The financial impact is expected to reach 1.9 billion pounds. More than 5,000 UK organisations were affected by the attack in August, many of which were Jaguar suppliers.

TikTok has updated its policies to allow sharing user data with regulatory authorities. Previously, it only permitted the sharing of data with law enforcement. TikTok has also removed its promise to notify users when their data has been requested. According to Forbes, the new updates would make it easier for ICE to request user data without a court order, using a process called an administrative subpoena.

Microsoft has disabled previews in File Explorer for files downloaded from the Internet. The change was included in October's Patch Tuesday. Microsoft says the change will block a new attack that can steal NTLM password hashes.

Threat actors are exploiting a zero-day vulnerability in the Lanscope Endpoint Manager. Japanese vendor Motex released a patch on Monday after it received reports of attacks. The vulnerability lets attackers use crafted packets to take over the Lanscope client. CISA has added the vulnerability to its KEV database.

Meantime, hackers are now exploiting a Magento bug known as SessionReaper. The bug was patched in September and allows remote attackers to take over online stores. Sansec says only 38% of Magento stores have patched the bug.

A misconfiguration in an AI hosting platform could have exposed credentials for more than 3,000 MCP servers. GitGuardian researchers have found a path traversal vulnerability that exposed admin creds for the Smithery platform. These could have been leveraged to retrieve customer information. The issue was traced back to a misconfiguration in a Docker build image.

And finally, a flaw in the website of the governing body for international motorsports could have exposed the personal details of Formula One drivers. The FIA's site allowed any user to assign themselves administrative permissions. The portal stored internal correspondence and information on drivers applying for F1 licences. The vulnerability was fixed within a week, and that is all for this podcast edition. Today's show was brought to you by our sponsor, Dropzone. Find them at dropzone.ai. Thanks for your company.
Podcast: Risky Bulletin
Host: risky.biz
Date: October 24, 2025
Reader: Claire Aird
Prepared by: Catalin Cimpanu
This edition of the Risky Bulletin is packed with significant cybersecurity updates. The primary focus is a critical change in Apple’s iOS 26 that wipes security logs vital for detecting historic spyware infections. The bulletin also covers major developments worldwide: a crackdown on Pegasus spyware abuse in Poland, prolonged hospital ransomware fallout, and the active disabling of Starlink terminals at scam compounds. Key regulatory and policy shifts, corporate breaches, and newly discovered vulnerabilities round out the episode’s comprehensive overview.
This Risky Bulletin episode offers a fast-paced, information-dense roundup of the week’s most pressing cybersecurity stories. The podcast underscores the far-reaching consequences of technical, legal, and policy choices—from Apple’s quietly destructive iOS change to high-profile prosecutions and persistent vulnerabilities. For practitioners, policymakers, and observers, the episode vividly illustrates the ongoing, multi-front battle to protect digital infrastructure.