Cybersecurity News: Hacking protestors, UK “locks the door,” Kenyan politician phone cracked

In today’s cybersecurity news…

Hackers target anti-government protestors

Researchers at Acronis discovered a cyberespionage campaign targeting supporters of recent anti-government protests in Iran. Since early January, the threat actors have distributed malicious files bundled with authentic protest footage and reports, deploying a previously undocumented malware dubbed CRESCENTHARVEST. It operates as both an infostealer and a remote access trojan, harvesting credentials, browsing history, and Telegram data, and executing commands on the infected machine. Given the intended targets and the sophistication of its detection evasion, the researchers suggest it is linked to an Iranian-aligned threat actor. With internet blackouts ongoing in the country, the spike in peer-to-peer sharing of protest-related media has made that sharing an effective distribution channel.

(The Record)

UK launches “lock the door” cybersecurity campaign

The UK government recently released its Cyber Security Longitudinal Survey, which shows that 82% of businesses experienced a cyber incident in the past year. This comes as only 30% of businesses report following the government's Cyber Essentials framework. In response, the UK will run a campaign across social media, business networks, radio, and podcasts to directly encourage SMEs to adopt these cybersecurity basics, which focus on patching software and maintaining strict access controls. The campaign will also point organizations to free online cybersecurity readiness checks, a 30-minute chat with NCSC advisors, and a preview of the certification questions for Cyber Essentials.

(The Register)

Cellebrite linked to phone hack on Kenyan politician

Citizen Lab released a report claiming that it found signs that Kenyan authorities used Cellebrite's phone-cracking tools against human rights activist and presidential candidate Boniface Mwangi following his arrest in July. Mwangi was alerted to the intrusion when his phone no longer required a password to unlock. The researchers found evidence of data exfiltration from the phone, including plans for his presidential run. In response, Cellebrite said it "maintains a rigorous process for reviewing allegations of technology misuse."

(Cyberscoop)

Pentagon is considering Anthropic as a supply chain risk

According to Pentagon sources speaking to Axios, the Department of War is considering naming Anthropic a supply chain risk, a category usually reserved for foreign adversaries. Currently Anthropic's LLMs are the only ones approved for use on classified information, and they have been confirmed as used in active military operations. The move seems to be a response to continued negotiations with Anthropic over how its LLMs can be used by the Pentagon, with Anthropic holding a hard line against their use for mass surveillance of US citizens and for unmanned weapons development. Naming Anthropic a supply chain risk would cut it off from government contracts, and government suppliers could not use Anthropic in their own workflows.

(Axios)

Huge thanks to our sponsor, Conveyor

Most of what Conveyor automates is boring. Like really boring. Security questionnaires. Customer requests for things like your SOC 2. All of their follow-up questions. Answering tickets from your sales team. You know what’s not boring? Alteryx using Conveyor to support over half a billion dollars in enterprise deals with a small 4 person team. All they did was set up an AI trust center and use Conveyor’s AI agent to complete questionnaires. Learn more at conveyor.com.

Identity abuse behind most attacks

As is quickly becoming cliché, threat actors aren't breaking in, they're logging in. A new report from Palo Alto Networks' Unit 42 found that identity-based techniques were behind roughly two-thirds of all initial network access in 2025. Social engineering was the most common method, but compromised credentials, poor identity policies, insider threats, and good old brute force attacks were all in the mix. Vulnerability exploits accounted for roughly 22% of initial intrusions in the report. Most of the attacks Unit 42 responded to were financially motivated, with median ransom payments up 87% on the year to $500,000.

(Cyberscoop)

Man arrested for not deleting files

Last week, a 40-year-old Dutch man contacted police, saying he had an image that could be related to an ongoing investigation. An officer responded, intending to send a secure upload link, but actually sent a download link to confidential documents. After realizing the error, police told the man to delete any documents. The man refused, saying he would only do so if he "received something in return." In true "mess around and find out" fashion, the police arrested the man, seized his data storage devices, and searched his home. No word on whether any charges will be filed, but a police statement said such behavior could constitute "computer trespassing."

(The Record)

Backdoor discovered in Android firmware

Researchers at Kaspersky detailed a new Android malware called Keenadu. The malware was found distributed through compromised over-the-air firmware updates, embedded in system apps, through third-party app stores, and through apps on the Google Play store. As this suggests, Keenadu comes in various forms, ranging from a malicious app with elevated privileges to a component fully embedded in the firmware. Kaspersky found over 13,000 infected devices, located in Brazil, Germany, Japan, the Netherlands, and Russia. Keenadu came preinstalled on devices from multiple OEMs, with one Alldocube tablet carrying a malicious firmware build dating back to August 2023. While Keenadu can operate as a fully capable backdoor that can completely take over a device, its operators are currently using it for ad fraud.

(Bleeping Computer)

Polish police arrest Phobos suspect

Officers from Poland's Central Bureau of Cybercrime Control arrested a 47-year-old man with suspected ties to the Phobos ransomware-as-a-service operation. The arrest came as part of a larger Europol-led effort to target the group, dubbed Operation Aether. Authorities seized computers and phones and found credentials and server IP addresses linked to recent Phobos attacks. While Phobos hasn't been in the news much lately, back in 2024 the US Department of Justice linked Phobos to breaches at more than 1,000 entities worldwide, collecting ransoms of over $16 million.

(Bleeping Computer)

Apple expands RCS and memory protections

The latest beta of iOS 26.4 adds limited support for encrypted RCS messages. For now this is limited to messages between Apple devices, which already have access to end-to-end encrypted iMessage. The beta also updates Apple's Memory Integrity Enforcement, or MIE, allowing developers to opt their apps into the feature's full protections. Since MIE was announced in September 2025, Apple had only offered a Soft Mode for testing. MIE is meant as a defense against typical spyware attack paths, providing always-on memory protection across the kernel and userland processes.

(Infosecurity Magazine)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.