In today’s cybersecurity news…
Hackers abuse Gemini AI for all attack stages, says Google
A report released yesterday from the Google Threat Intelligence Group confirms that threat actors from China, Iran, North Korea and Russia have used Gemini for “target profiling and open-source intelligence, generating phishing lures, translating text, coding, vulnerability testing, and troubleshooting.” They are also showing increased interest in using it for social engineering ClickFix campaigns. The report says that Gemini is used “from reconnaissance and phishing lure creation to command and control (C2) development and data exfiltration,” with specific actions including using an expert cybersecurity persona to request that Gemini automate vulnerability analysis and provide targeted testing plans in the context of a fabricated scenario. A link to the report is available in the show notes to this episode.
Apple patches decade-old possibly exploited iOS zero-day
This vulnerability affects “every iOS version since 1.0,” and has been used “in what the company calls an extremely sophisticated attack against targeted individuals.” Discovered by Google’s Threat Analysis Group, the vulnerability, tracked as CVE-2026-20700, lies in dyld, Apple’s dynamic linker, and allows attackers who already have memory write capability to execute arbitrary code. Brian Milbier, deputy CISO at Huntress, said, “This vulnerability represents a door that has been unlocked for over a decade.”
Acting CISA chief criticises potential DHS funding lapse
Speaking to the House Appropriations Subcommittee on Homeland Security on Wednesday, acting CISA leader Madhu Gottumukkala stated that another Department of Homeland Security shutdown would hamper CISA’s ability to respond to threats, offer services, develop new capabilities, and finish writing a key regulation. While the two sides battle it out, Gottumukkala said CISA planned to “designate 888 of its 2,341 employees as ‘excepted,’ meaning they could continue to work during a shutdown, albeit without pay.”
Moscow moves to throttle Telegram and WhatsApp in favor of its own messaging app
Russia’s communications regulator, Roskomnadzor, confirmed on Tuesday that “it has deliberately slowed down the Telegram app, which has nearly 90 million local users, citing the company’s failure to comply with Russian law.” Russian users “began reporting widespread Telegram disruptions earlier this week, according to data from internet monitoring service Downdetector.” Meanwhile, a separate report from Meta says Russia also attempted to fully block the WhatsApp messaging app on Thursday “in an effort to push users toward a state-backed alternative.” Users are being encouraged to switch to Max, a government-backed messaging platform.
(The Record and The Record)
Huge thanks to our episode sponsor, ThreatLocker

NYC explores using AI cameras to spot subway fare evaders
The New York Metropolitan Transportation Authority (MTA) is “testing subway gates that use cameras powered by artificial intelligence to collect data on people suspected of not paying fares.” This is of course generating concern among privacy advocates. Cubic, the manufacturer of the gates, reportedly said their product has cameras that record for five seconds when someone neglects to pay a fare. Artificial intelligence is used to produce a physical description of suspected fare evaders, they say, and the description is sent to the MTA.
AMOS infostealer targets macOS through a popular AI app
Researchers from Flare Security have released their 2026 Enterprise Infostealer Identity Exposure report, which highlights “the growing dominance of infostealers within the cybercrime economy and the expanding impact of identity exposure on organizations.” They state that infostealers like Atomic MacOS Stealer (AMOS) are more than standalone malware, and act as “foundational components of a mature cybercrime economy built around harvesting, trading, and operationalizing stolen digital identities.” They find success in a “highly opportunistic social engineering approach,” in which attackers continuously adapt to technology trends, abusing trusted platforms, popular software, search engines, and even emerging AI ecosystems to trick users into executing malware themselves. A link to the report is available in the show notes to this episode.
Conduent breach hits Volvo Group
An intrusion on the network of the technology services company Conduent that occurred on January 13, 2025, has impacted Volvo Group, with nearly 17,000 employees affected. Volvo appears to have learned about the incident only in January 2026. Conduent provides printing/mailroom, document processing, payment integrity, and other back-office support services to Volvo Group as well as to other companies, some of which have also been affected by its data breach. An investigation into the attack on Conduent shows that the hackers “had access to its network since October 21, 2024,” taking PII, health insurance data, and medical information. This is the second third-party vendor-related data breach to hit Volvo Group in recent months, the earlier one stemming from a ransomware attack on Miljödata, a Swedish IT company.
DOJ says Trenchant boss sold exploits to Russian broker
Trenchant is a U.S.-based maker of hacking and surveillance tools and is a division of the U.S. defense contractor L3Harris. In October, Australian national Peter Williams, 39, “pleaded guilty to selling eight hacking tools that he stole from his employer, Trenchant, including software that takes advantage of flaws in other software to gain access to someone’s computer or device.” Williams admitted to making more than $1.3 million in crypto from the sales between 2022 and 2025, per the Justice Department. Federal prosecutors said Williams sold the hacking tools to a Russian company, “which counts the Russian government among its customers.” In response to the prosecutors’ memorandum and request for a 9-year sentence, Williams submitted a letter to the judge explaining his decisions, saying that he regretted his actions.