Cybersecurity News: DarkSword emerges, “ShieldGuard” dismantled, NK IT worker army rakes in money

In today’s cybersecurity news…

DarkSword emerges from suspected Russian hackers

Researchers from iVerify, Lookout, and Google identified a new iOS exploit kit called “DarkSword,” linked to suspected Russian-backed groups and used against targets in Ukraine and beyond. The kit can steal passwords, messages, and crypto wallet data from compromised devices, and may affect millions of iPhones still running older iOS versions. Apple has since patched the underlying vulnerabilities, so the exposure is concentrated in devices that have not been updated. (CyberScoop)

“ShieldGuard” dismantled after malware discovery

Okta Threat Intelligence uncovered and helped dismantle “ShieldGuard,” a crypto scam distributed as a browser extension that claimed to protect wallets but instead harvested sensitive data from platforms such as Coinbase and Binance. The malware could capture wallet data and browsing activity, and could execute remote code delivered from its command-and-control servers. Researchers linked the campaign to a broader network and worked with partners to remove the extension, shut down its infrastructure, and cut off attacker access. (Infosecurity Magazine)

North Korea’s fake IT worker army rakes in $500M/year

Researchers at IBM X-Force and Flare Research report that North Korea runs a network of up to 100,000 fake IT workers across more than 40 countries, generating roughly $500 million a year for the regime. The operation uses recruiters, facilitators, and Western collaborators to place workers in remote tech jobs under stolen or fake identities. The researchers say these workers infiltrate companies, earn high salaries, and can access sensitive systems, highlighting a large-scale revenue and espionage pipeline tied to North Korea. (The Register)

CISA official: no uptick in cyber threats amid Iran war

Cybersecurity and Infrastructure Security Agency Acting Director Nick Andersen said the U.S. has not seen an increase in Iranian cyber activity despite recent military strikes, describing the threat landscape as “steady” while warning other actors remain active. Andersen added the agency is prioritizing faster vulnerability response timelines and monitoring AI-driven attacks, while continuing to work with Stryker following a cyberattack linked to the Iran-associated group Handala. (The Record)

Huge thanks to our sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Picture a “new hire” who interviews well… except they’re synthetic: AI video, AI voice, AI backstory. Once they’re in, they go after payroll, internal docs, and access. That’s the new reality: the attack surface is trust itself. Adaptive fights back with realistic deepfake simulations and training that actually sticks. Learn more at adaptivesecurity.com.

How SaaS apps enable massive breaches

A new report from Grip Security finds that “shadow AI” embedded in SaaS apps is driving a surge in breaches, with a reported 490% increase in attacks, 80% of which involved sensitive data. Researchers say stolen OAuth tokens give attackers the same access that AI agents hold to connected systems, letting a single compromise cascade across organizations. The report points to the 2025 Salesloft Drift breach, which impacted more than 700 companies, as a model for how one compromised SaaS integration can spread widely. Grip Security warns 2026 could see even larger incidents without better visibility into, and control over, AI-enabled apps and the tokens they hold. (SecurityWeek)

US intelligence chief grilled on absence of election threats

US intelligence chief Tulsi Gabbard defended leaving foreign election threats out of this year’s global threat assessment and explained why she was present at the FBI raid on a Georgia election office connected to the 2020 election. Gabbard said the omission reflects threat prioritization, not an absence of risk. Lawmakers raised concerns about foreign influence, citing prior Iran, Russia, and China operations, and about Gabbard observing the FBI action at the president’s request. (The Record)

AI beats 99% of humans in hacking competitions

Israeli startup Tenzai tested an AI hacker in six elite capture-the-flag competitions, saying it outperformed 99% of the roughly 125,000 human participants. Built on models from OpenAI and Anthropic, the AI proved effective both at exploiting software vulnerabilities and at manipulating AI-powered apps. CEO Pavel Gurvich warns that such capabilities are spreading beyond governments, raising risks and regulatory questions. (Forbes)

Amazon says Cisco firewall flaw abused weeks before disclosure

Ransomware group Interlock began exploiting a critical zero-day in Cisco Secure Firewall Management Center 36 days before Cisco patched it on March 4th, according to Amazon CISO CJ Moses. The flaw let unauthenticated remote attackers execute Java code as root. Interlock’s toolkit collects detailed Windows and browser data, uses custom RATs and Java implants for persistence, and deploys legitimate remote-management software such as ConnectWise to blend in with normal administration. The group has hit hospitals and municipal targets, maintaining multiple redundant access methods so that losing one foothold does not cost it control, and using that control to pressure victims for ransom. (The Register)