Risky Bulletin: Second iOS Hacking Framework Found in the Wild
Date: March 20, 2026
Host: Claire Aird
Prepared by: Catalin Cimpanu, Risky Business Media
Episode Overview
This episode delivers a packed roundup of critical cybersecurity news, highlighting a second professional iOS hacking framework identified in the wild, state-driven advances in secure communication, significant cyberattacks targeting public and private infrastructure, notable law enforcement and legislative updates, major data breaches, and several important software vulnerabilities and patches.
Key Topics & Insights
1. Second iOS Hacking Framework: Dark Sword
- [00:05]
- A new professional iOS hacking toolkit called Dark Sword has been seen targeting Ukraine, Turkey, Malaysia, and Saudi Arabia.
- Used for both espionage and financially motivated campaigns.
- Investigated by Google, iVerify, and Lookout: the framework used at least six iOS exploits, all of which are now patched.
- Notable Quote:
- “A second professional iOS hacking framework has been seen in the wild. The Dark Sword toolkit was used against targets in Ukraine, Turkey, Malaysia, and Saudi Arabia. It's been used in both espionage and financially motivated operations.” — Claire Aird [00:06]
2. Belgian Government's Secure Messaging App
- [00:24]
- Beam app developed for internal government and military use.
- Aims to replace foreign messaging apps like WhatsApp and Facebook Messenger for official communication.
- Military and intelligence officials have already received access; civilian government workers to gain access next week.
3. Japanese Defence Forces Authorised for Offensive Cyber Operations
- [00:41]
- Japan will authorize military and police to perform pre-emptive hacking from October, following a law passed in 2025.
- Cabinet determined the law complied with Japan’s non-aggressive constitutional principles.
4. US Tech Firms Subpoenaed Over EU Communications
- [01:01]
- US House Judiciary Committee subpoenas Amazon, Apple, Microsoft, and others for communications with EU authorities.
- Focus: enforcement of the Digital Services Act amid U.S. concerns about EU censorship of Americans.
5. FBI Purchasing Data from Brokers
- [01:26]
- FBI Director Kash Patel admits the agency has resumed purchasing US citizens’ location and movement data from private brokers, a practice that remains legal because current US law bans only warrantless collection directly from tech companies.
6. Massive Law Enforcement Tip Database Leak
- [01:46]
- Hacker “Internet Yif Machine” exploited a vulnerability to breach P3 Global Intel and a Navigate360-managed platform.
- Leaked 93+ GB of data to journalists and DDoS Secrets, exposing records sufficient to de-anonymise tipsters.
7. Intoxalock Breathalyser System Cyberattack
- [02:08]
- A cyberattack disrupted Intoxalock ignition-interlock car breathalysers in the US, leaving the devices unable to connect to the vendor’s central services.
- People required by courts to use the devices have been unable to start their cars for two days.
8. Bitrefill Cryptocurrency Hack
- [02:25]
- Suspected North Korean hackers breached Bitrefill (crypto gift cards & SIM top-ups).
- Assets and customer records stolen; attackers tried to alter gift card stock.
- Entry point traced to a compromised employee laptop; bears hallmarks of Lazarus and Blue Noroff groups.
9. Chinese Supply Chain Attacks on Crypto
- [02:50]
- Chinese threat actors, fronting as the cybersecurity firm Wuhan Anshun, used supply chain attacks targeting Electron apps and browser plugins.
- Stole millions by collecting private keys and seed phrases.
- Disclosure followed a disgruntled employee’s leaks; Trust Wallet users lost $7m in December.
10. Additional Major Crypto Breaches
- [03:18]
- Venus Protocol: $3.6M stolen via a flash-loan exploit, after a $27M loss last September.
11. Iranian Group Handala Websites Seized
- [03:30]
- US authorities seize sites used to leak data and offer bounties on officials.
- Group retaliated for US attacks by breaching US medtech company Stryker and wiping over 200,000 systems.
12. Interlock Ransomware & Cisco Zero-Day
- [03:45]
- The Interlock ransomware group exploited a zero-day in Cisco Secure Firewall Management Center for over a month (Jan–Mar 2026).
- Exploit: unauthenticated Java deserialization; attacker-supplied serialized Java objects sent to the Management Center are executed as root.
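The Interlock zero-day above is described as unauthenticated deserialization of attacker-supplied Java objects. The following is an added example, not Cisco's code and not from the episode, showing the same bug class and its standard fix using Python's pickle, which fails the same way: the deserializer will call whatever importable function the stream names. The `Session` class, the `Exploit` payload and the `echo pwned` command are constructed for the demonstration. The fix is a deny-by-default allowlist of the globals the service expects, applied in `find_class`, the Python counterpart of Java's `ObjectInputFilter`.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Session:
    """The only object type this (hypothetical) service expects from clients."""
    user: str
    role: str


class Exploit:
    """Constructed attacker payload. pickle honours __reduce__, so loading this
    object calls os.system("echo pwned") before any application code runs."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed sample inputs: one legitimate message and one hostile one.
LEGIT_PAYLOAD = pickle.dumps(Session("alice", "viewer"))
MALICIOUS_PAYLOAD = pickle.dumps(Exploit())


def unsafe_load(blob: bytes):
    """Vulnerable pattern: deserialize whatever arrived on the socket.
    Any importable callable named in the stream gets executed."""
    return pickle.loads(blob)


# Allowlist of (module, name) globals the stream may reference; deny everything else.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve class references only through the allowlist, so os.system,
    subprocess.Popen, builtins.eval and friends are rejected before import."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob: bytes):
    """Hardened pattern: same wire format, but the stream cannot name arbitrary code."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def accepts(blob: bytes) -> bool:
    """True if the hardened loader accepts the stream, False if it rejects it."""
    try:
        safe_load(blob)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    print("unsafe_load(MALICIOUS_PAYLOAD) ->", unsafe_load(MALICIOUS_PAYLOAD))  # runs the command
    print("safe_load(LEGIT_PAYLOAD)       ->", safe_load(LEGIT_PAYLOAD))
    print("accepts(MALICIOUS_PAYLOAD)     ->", accepts(MALICIOUS_PAYLOAD))
```

The allowlist is keyed on `(module, name)` rather than on a class object so that a stream referencing a same-named class from another module is still refused; in Java the equivalent is a pattern filter that ends in `!*`.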
13. Apple Delivers First iOS Background Security Update
- [04:10]
- Fixes a low-severity Safari bug.
- Delivered through Apple’s Background Security Improvements mechanism for silent, automatic deployment, a system first used for macOS in 2019.
14. AWS Kills S3 Bucket Squatting
- [04:24]
- A new AWS security feature ties S3 bucket names to account IDs and regions, so a bucket name released by one account cannot be re-registered by another and inherit references to the old one.
- Azure and Google Cloud have analogous protections.
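The AWS change described above closes the attack on the provider side. The example below is added here, is not AWS code and is not from the episode; it shows the caller-side control practitioners have long used for the same problem: an IAM policy that grants access to a bucket by name only (weak) beside one that also requires the bucket to be owned by a specific account via the `s3:ResourceAccount` condition key (corrected), plus a lint check for policy review. The account ID `111122223333` and the bucket name are placeholders.

```python
import json

# Assumed: the organisation's own AWS account ID (12-digit placeholder, not a real account).
OUR_ACCOUNT = "111122223333"


def weak_policy(bucket: str) -> dict:
    """Weak setting: the grant is keyed on the bucket *name* only. If the bucket is
    deleted and someone else creates one with the same name, this statement now
    authorises our workloads to read from and write to the squatter's bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def pinned_policy(bucket: str, account_id: str) -> dict:
    """Corrected setting: same grant, but it only applies while the bucket is owned
    by account_id (the s3:ResourceAccount condition key). A re-registered bucket in
    a stranger's account no longer matches, so the request is denied."""
    policy = weak_policy(bucket)
    policy["Statement"][0]["Condition"] = {
        "StringEquals": {"s3:ResourceAccount": account_id}
    }
    return policy


def _resources(stmt: dict) -> list:
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def pins_bucket_owner(policy: dict, account_id: str) -> bool:
    """Lint check for review/CI: every Allow statement that touches S3 must carry a
    StringEquals condition on s3:ResourceAccount naming exactly account_id."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(r.startswith("arn:aws:s3:::") for r in _resources(stmt)):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = cond.get("s3:ResourceAccount")
        if isinstance(pinned, str):
            pinned = [pinned]
        if pinned != [account_id]:
            return False
    return True


if __name__ == "__main__":
    for label, pol in (("weak", weak_policy("acme-app-assets")),
                       ("pinned", pinned_policy("acme-app-assets", OUR_ACCOUNT))):
        print(f"{label}: pins owner = {pins_bucket_owner(pol, OUR_ACCOUNT)}")
        print(json.dumps(pol, indent=2))
```

The same pin can be applied per request instead of per policy: S3 API calls accept an `ExpectedBucketOwner` parameter (the `x-amz-expected-bucket-owner` header, `--expected-bucket-owner` in the CLI) and fail with 403 when the bucket belongs to a different account, which is the check to add to any code path that was written to trust a bucket name alone.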
15. GNU inetutils Telnet Daemon Vulnerability
- [04:36]
- Major unpatched bug: a memory-overflow flaw allows remote, unauthenticated remote code execution.
- Second major inetutils telnetd bug this year.
16. SharePoint and Zimbra Vulnerabilities Exploited
- [04:50]
- RCE bug in SharePoint exploited in the wild; patched in January but only now added to CISA’s KEV catalogue.
- Zimbra XSS vulnerability also added.
17. Ubiquiti UNIFI Critical Patch
- [05:03]
- Ubiquiti patches a path traversal flaw (rated 10/10) in the UniFi Internet Gateway and Wi-Fi app.
- The vulnerability could let attackers read configuration files and take over gateways.
Memorable Quotes & Moments
- On the Dark Sword toolkit:
  “The Dark Sword toolkit was used against targets in Ukraine, Turkey, Malaysia, and Saudi Arabia.” — Claire Aird [00:06]
- On the FBI’s data practices:
  “FBI Director Kash Patel has admitted the agency has resumed purchasing data about American citizens from private brokers.” — Claire Aird [01:26]
- On the Intoxalock attack’s real-world impact:
  “They've been unable to start their cars for two days.” — Claire Aird [02:15]
- On AWS’s new S3 feature:
  “A new AWS security feature prevents S3 bucket squatting attacks.” — Claire Aird [04:24]
Segment Timestamps
- 00:05 – Dark Sword iOS hacking framework
- 00:24 – Belgian government's Beam app
- 00:41 – Japanese cyber operations law
- 01:01 – US tech companies subpoenaed by Congress
- 01:26 – FBI’s purchases of US citizens’ data
- 01:46 – Law enforcement tip database breach
- 02:08 – Intoxalock breathalyser cyberattack
- 02:25 – Bitrefill North Korean crypto breach
- 02:50 – Chinese supply chain attacks on crypto
- 03:18 – Additional crypto hacks (Venus Protocol)
- 03:30 – US seizes Handala websites
- 03:45 – Interlock ransomware exploits Cisco zero-day
- 04:10 – Apple iOS background security update
- 04:24 – AWS S3 bucket squatting prevented
- 04:36 – GNU Telnet daemon RCE vulnerability
- 04:50 – Microsoft SharePoint, Zimbra vulnerabilities
- 05:03 – Ubiquiti patch for critical UNIFI gateway flaw
Summary
The March 20th episode of Risky Bulletin is a dense and essential digest of cybersecurity’s top developments, from sophisticated state-backed hacking toolkits and legislative changes to large-scale data breaches and vital software patches. The episode serves cybersecurity professionals and enthusiasts by consolidating high-impact events with clarity, speed, and an unvarnished style faithful to the Risky Business brand.
