
Foreign intelligence services compromised thousands of Signal accounts. The Trivy vulnerability scanner is abused in a supply chain attack. Oracle issues an out-of-band patch for its Fusion Middleware. Then the FBI takes down the Aisuru and Kimwolf botnets. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 23rd of March and this podcast episode is brought to you by Authentik.

In today's top story, thousands of Signal accounts have been compromised by Russian intelligence services. The campaign targeted government officials, military personnel and journalists. The attackers impersonated support staff and asked victims to share security codes. These were used to link extra devices to the victim's account and intercept their communications. The FBI and French authorities issued alerts last week about the ongoing attacks. Dutch intelligence agencies issued a similar warning earlier this week.

In other news this month, malware was added to a popular open source vulnerability scanner. Last week, hackers compromised Aqua Security's tool Trivy and modified it to steal credentials. Those credentials were then used to spread a worm targeting the npm ecosystem. A financially motivated group named TeamPCP took credit for the attack.

US authorities have seized the command and control servers of four IoT botnets involved in large scale DDoS attacks. Servers for the Aisuru, Kimwolf, Jackskid and Mossad botnets were seized on Friday by authorities in the US, Canada and Germany. The botnets powered DDoS-for-hire services. Some of their attacks generated traffic levels of up to 30 terabits per second.

Europol has seized a network of more than 370,000 dark websites offering child sex abuse material and cybercrime services. The sites were traced to a 35 year old Chinese national. The suspect allegedly made €345,000 from selling content through the sites. An international arrest warrant has been issued.

Three Americans were sentenced last week for helping North Korean IT workers pretend to be in the U.S. The three provided their identities and hosted laptops at their premises. Alexander Paul Travis of Augusta, Georgia was sentenced to one year in prison, while two others were ordered to forfeit their earnings from the scheme. Travis received a prison sentence because he was a member of the US Army at the time.

A jury has convicted a man from North Carolina for hacking and extorting a former employer. The incident took place in 2024, when Cameron Currie worked as a contracted IT data analyst for the unnamed company. Currie was found guilty of stealing the firm's data and then threatening to release it unless he was paid $2.5 million.

Russian authorities have arrested a student accused of developing the ClayRat Android spyware. The student from the city of Krasnodar was detained after the malware was first spotted in the wild. The malware was used in campaigns to steal financial information from Russian organisations.

A new Android TV botnet can make devices appear to be off while they're carrying out attacks. Researchers from Nokia have written up CEC Bot, which uses control signals over HDMI to turn off connected TVs. Like other IoT malware, it appears to be initially spread via local network access through residential proxy networks. It can then scan for other devices to compromise and carry out DDoS attacks.

Foster City in California has shut down public services after a ransomware attack last week. Officials are considering declaring a state of emergency in order to receive help from state and federal agencies. The city has more than 30,000 residents and is located 20 miles south of San Francisco.

Almost 2.7 million people have had their data stolen from American employee benefits and retirement funds management platform Navia. The stolen data included Social Security numbers and health insurance information. Notifications sent to affected people said the breach occurred in December, but no other details were provided.

The UK's communications watchdog has fined 4chan £450,000 for failing to implement an age verification system. An additional £70,000 was levied for failing to set up its terms of service and failing to assess the risks of its content. In August, 4chan sued the UK regulator in a US court, challenging its jurisdiction.

China has invited other nations to join a new international alliance to fight telecom and cyber fraud. The new international body will be headquartered in China and launch in September. Beijing says 20 countries have expressed an interest in joining.

Threat actors are abusing the Microsoft Azure Monitor service to send phishing emails. The attackers intentionally trigger alerts in their own Azure accounts, causing legitimate email alerts to be sent from Microsoft. These emails are sent to a mailing list which includes the victims. The authenticity of the emails bypasses filtering solutions. So far, the technique has been used for callback phishing campaigns.

The Tycoon 2FA phishing service has restored its infrastructure after a law enforcement takedown at the beginning of the month. Phishing activity has now returned to pre-takedown levels, according to CrowdStrike. The service didn't even bother to change its tactics.

Google will require Android users to wait 24 hours before enabling app sideloading on their devices. The waiting period is enforced when the sideloading feature is enabled for the first time. The change will go live later this year.

Oracle has released an out-of-band security update for its Identity Manager and Web Services Manager products. The update addresses an unauthenticated remote code execution vulnerability in a shared component. It received a 9.8 out of 10 severity rating.

And finally, threat actors began exploiting a recent vulnerability in Langflow AI servers as soon as a patch was available. The vulnerability allows threat actors to run malicious code without needing to authenticate. Cloud security firm Sysdig spotted attacks just 20 hours after the patch was released.

And that is all for this podcast edition. Today's show is brought to you by Authentik. Find them at goauthentik.io, that's Authentik with a T-I-K.
Podcast: Risky Bulletin
Host/Presenter: Claire Aird (prepared by Catalin Cimpanu)
Episode Date: March 23, 2026
Theme: Summary of the most pressing cybersecurity incidents and updates from the past week.
This episode delivers a tightly packed roundup of major global cybersecurity news. The lead story details a Russian intelligence operation compromising thousands of Signal chat accounts via phishing, targeting sensitive groups across Europe. The bulletin then covers a wide range of significant developments in the threat landscape: from supply-chain malware in popular security tools to law enforcement operations against massive botnets, as well as regulatory fines, legal convictions, ransomware attacks, major data breaches, and emerging abuse of cloud and AI infrastructure.
“The campaign targeted government officials, military personnel and journalists. The attackers impersonated support staff and asked victims to share security codes.” — Claire Aird [00:23]
“Hackers compromised Aqua Security's tool Trivy and modified it to steal credentials.” — Claire Aird [01:03]
“Some of their attacks generated traffic levels of up to 30 terabits per second.” — Claire Aird [01:33]
New Android TV Botnet (“CEC Bot”): Sends control signals over HDMI (the CEC channel the name refers to) to switch connected TVs off, so a device looks powered down while it takes part in DDoS attacks. Like other IoT malware, it gains its initial foothold through local network access reached via residential proxy networks, then scans for further devices to compromise.
Notable Moment:
“Researchers from Nokia have written up CEC Bot, which uses control signals over HDMI to turn off connected TVs. Like other IoT malware, it appears to be initially spread via local network access through residential proxy networks.” — Claire Aird [03:10]
ClayRat Spyware Arrest: Russian student apprehended for developing the ClayRat Android RAT (remote access Trojan), used in campaigns stealing financial information from Russian organisations.
Microsoft Azure Monitor Abuse: Threat actors deliberately trigger alerts in Azure accounts they control, so that Microsoft itself sends genuine alert emails to a recipient list that includes the victims. Because the messages really originate from Microsoft, they pass email filtering. So far used for callback phishing campaigns.
Notable Quote:
“The authenticity of the emails bypasses filtering solutions. So far, the technique has been used for callback phishing campaigns.” — Claire Aird [05:02]
Tycoon 2FA Phishing Resilience: Even after infrastructure was taken down earlier in the month, operations and tactics quickly resumed, per CrowdStrike.
“The update addresses an unauthenticated remote code execution vulnerability in a shared component. It received a 9.8 out of 10 severity rating.” — Claire Aird [06:08]
The episode maintains a concise, informative, and urgent tone—delivering critical updates with a focus on practical impacts and ongoing risks, while also highlighting the evolving tactics of both threat actors and global defenders.
This summary covers all substantial discussion points and important details for those seeking a comprehensive briefing on the latest high-impact cybersecurity news presented in this Risky Bulletin edition.