Cybersecurity News: DarkSword exploit hits GitHub, Gemini AI agents scour dark web, Trivy supply chain attack expands

In today’s cybersecurity news…

New DarkSword exploit hits GitHub

A newer version of the DarkSword iPhone hacking toolkit has been leaked on GitHub, making it easy for attackers to target devices running older iOS versions. Researchers say the exploits don’t require much skill to deploy and can steal messages, contacts, and passwords. Apple has issued patches and says updated devices aren’t at risk, but with roughly a quarter of iPhones still on outdated software, hundreds of millions of devices could be vulnerable. (TechCrunch)

Gemini AI agents scour the dark web

Google launched Gemini AI agents in public preview to monitor the dark web, analyzing up to 10 million posts daily to identify threats relevant to specific organizations. The system builds a profile of a customer, scans dark web activity for data leaks, initial access broker activity, and insider threats, and generates prioritized alerts with context from human analysts tracking 627 threat groups. Accuracy is reported at 98%, reducing false positives that are common in traditional monitoring. Gemini agents can also automate threat investigation and response within Google Security Operations. (The Register)

Trivy supply chain attack expands

Aqua Security’s Trivy supply chain attack has expanded with new compromised Docker images. On March 19th, Trivy v0.69.4 was infected with credential-stealing malware via GitHub Actions. Researchers from Socket found further compromised images uploaded on March 22nd without official releases. The malware contained typosquatted C2 domains and exfiltration files linked to the TeamPCP threat group, which has expanded operations to worms, ransomware, crypto mining, and destructive attacks. Organizations using Trivy are advised to review recent activity, though Aqua Security’s commercial products are said to remain unaffected. (Infosecurity Magazine)

The phone call is the new phishing email

Mandiant reports a rise in voice-based phishing attacks, where hackers impersonate employees or IT staff over the phone to gain access, accounting for 11% of incidents in 2025. Traditional email phishing dropped to 6%. Exploited software vulnerabilities remain the top entry point at 32%. Tech, finance, and healthcare were the most targeted sectors, with attackers increasingly combining social engineering and zero-day exploits. (CyberScoop)

Initial access handoff shrinks

Mandiant, along with Google Threat Intelligence Group, also reports that cyberattacks are accelerating: the time between initial access and handoff to secondary attackers dropped to just 22 seconds in 2025, down from more than 8 hours in 2022, indicating tighter coordination and automation. Median dwell time rose to 14 days, and 40% of incidents involved data theft. High-tech firms were the most targeted, and researchers identified 714 new malware families. (SecurityWeek)

Russia-linked malware operation collapses

Russia-linked Android spyware operation ClayRat appears to have collapsed months after its October launch, following security flaws and the arrest of its suspected developer in Krasnodar. ClayRat was designed for espionage and remote device control, targeting Russian users via phishing sites and fake apps mimicking WhatsApp, TikTok, and Google Photos. Researchers at Solar said the malware’s failure was driven by technical errors, weak obfuscation, and predictable distribution. At its peak, over 600 samples were in circulation, but by December all command servers were offline. Law enforcement is now pursuing its operators. (The Record)

Trio-Tech subsidiary hit by ransomware

Semiconductor services firm Trio-Tech reported that a subsidiary in Singapore suffered a ransomware attack on March 11th that encrypted files on its network. That subsidiary took systems offline, launched an investigation with third-party cybersecurity experts, and notified law enforcement. While the incident was first deemed non-material, the leak of stolen data led management to classify it as a potentially material cybersecurity event. The Gunra ransomware group claimed responsibility. Trio-Tech is working with its cyber insurance provider while investigating the full scope. (SecurityWeek)

Mazda discloses security breach

Mazda Motor Corporation disclosed a security breach detected in December that exposed 692 employee and business partner records. The attackers exploited a vulnerability in a warehouse management system for parts from Thailand. The system contained no customer data, but the exposed information included user IDs, names, emails, company names, and partner IDs. Mazda says it has strengthened security, applied patches, and increased monitoring, and no misuse has been reported. No ransomware group has claimed responsibility. (BleepingComputer)

CISOs debate human role in AI-powered security

At RSAC, security leaders from companies including Google Cloud, Vodafone, and PayPal said traditional “human in the loop” AI oversight doesn’t scale for modern cyber defense. Instead, they favor automated, AI-driven systems with humans “on the loop” for guidance and risk evaluation. Execs emphasized that AI is already widely used for tasks like fraud detection and workflow automation, but data security, prompt injection, and governance are new risks. The consensus: AI security needs strong data controls, clear risk frameworks, and industry collaboration, with humans shifting from direct control to oversight. (Dark Reading)