CyberWire Daily

Today we are joined by Ben Folland, Security Operations Analyst from Huntress, discussing their work on "ClickFix Gets Creative: Malware Buried in Images." This analysis covers a ClickFix campaign that uses fake human verification checks and a realistic Windows Update screen to trick users into manually running malicious commands. The multi-stage attack chain leverages mshta.exe, PowerShell, and .NET loaders, ultimately delivering infostealers like LummaC2 and Rhadamanthys, with payloads hidden inside PNG images using steganography. While technically sophisticated, the campaign hinges on simple user interaction, underscoring the importance of user awareness and controls around command execution. The research can be found here: ClickFix Gets Creative: Malware Buried in Images Learn more about your ad choices. Visit megaphone.fm/adchoices

Who turned out the lights in Venezuela? The European Space Agency confirms a series of cyberattacks. Dutch police nab the alleged operator of a notorious malware testing service. The U.S. and allies issue new guidance on OT security. Researchers warn of automated exploitation of a critical Hewlett-Packard Enterprise OneView flaw. TamperedChef cooks up trojanized PDF documents to deliver backdoor malware. A bluetooth vulnerability puts devices at risk. Cisco patches a maximum-severity zero-day exploited since November. Jen Easterly heads up RSAC. Our guest is Zak Kassas from Ohio State University, discussing GPS alternatives. Vintage phones face modern problems. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today Maria Varmazis from T-Minus pace sits down with Zak Kassas from the Ohio State University to discuss the study “Navigating the Arctic Circle with Starlink and OneWeb LEO Satellites”.This conversation is a preview of tomorrow’s Deep Space episode from T-Minus Space Daily. Selected Reading Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities (The New York Times) Sensitive European Space Agency Data Leaked to the Dark Web by String of Cyberattacks (IBTimes UK) Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator (Hackread) CISA, Allies Sound Alarm on OT Network Exposure (GovInfo Security) RondoDox botnet exploits critical HPE OneView bug (The Register) TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals (Infosecurity Magazine) WhisperPair Attack Leaves Millions of Bluetooth Accessories Open to Hijacking (SecurityWeek) Cisco finally fixes AsyncOS zero-day exploited since November (Bleeping Computer) Former CISA Director Jen Easterly Appointed CEO of RSAC (SecurityWeek) iPhone 4 makes comeback — but experts warn of security risks (New York Post) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Verizon hit by a major wireless outage. Poland blocks an attack on its power grid. A massive database of French citizens exposed. Microsoft shuts down a cybercrime-as-a-service operation. The UK backs away from digital ID plans. California probes Grok deepfakes. The FTC settles with GM over location data. Palo Alto Networks patches a serious firewall flaw. Plus, John Serafini of HawkEye on modern signals intelligence, and federal agents seize devices from a Washington Post reporter. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today Maria Varmazis sits down with John Serafini, Founder and CEO of Hawkeye 360, on T-Minus to discuss commercial signals intelligence, advanced RF signal processing, and Hawkeye 360’s recent acquisition of Innovative Signal Analysis alongside its Series E funding. To hear the full conversation, check out the episode on T-Minus. Selected Reading Verizon Says Service Restored After Thousands Affected by Outage (Bloomberg) Poland says it repelled major cyberattack on power grid, blames Russia (The Record) Massive breach leaks 45 million French records: demographic, healthcare, and financial data all leaked, here's what we know (TechRadar) Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft (Infosecurity Magazine) Government drops plans for mandatory digital ID to work in UK (BBC News) Attorney General Bonta Launches Investigation into xAI, Grok Over Undressed, Sexual AI Images of Women and Children | State of California (Department of Justice) FTC bans GM from selling drivers' location data for five years (Bleeping Computer) Palo Alto Networks warns of DoS bug letting hackers disable firewalls (Bleeping Computer) FBI executes search warrant at Washington Post reporter’s home (Washington Post) US cargo tech company publicly exposed its shipping systems and customer data to the web (TechCrunch) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Patch Tuesday fallout, China sidelines Western security vendors, and a critical flaw puts industrial switches at risk of remote takeover. A ransomware attack disrupts a Belgian hospital, crypto scams hit investment clients, and Eurail discloses a data breach. Analysts press Congress to go on offense in cyberspace, and Sean Plankey gets another shot at leading CISA. In our Threat Vector segment, David Moulton sits down with Ian Swanson, AI Security Leader at Palo Alto Networks about supply chain security. And, an AI risk assessment cites a football match that never happened. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Threat Vector Segment AI security is no longer optional, it’s urgent. In this segment of Threat Vector, David Moulton sits down with Ian Swanson, former CEO of Protect AI and now the AI Security Leader at Palo Alto Networks. Ian shares how securing the AI supply chain has become the next frontier in cybersecurity and why every enterprise building or integrating AI needs to treat it like any other software pipeline—rife with dependencies, blind spots, and adversaries ready to exploit them. You can catch the full conversation here and listen to new episodes of Threat Vector every Thursday on your favorite podcast app. Selected Reading Patch Tuesday, January 2026 Edition (Krebs on Security) Adobe Patches Critical Apache Tika Bug in ColdFusion (SecurityWeek) Chrome 144, Firefox 147 Patch High-Severity Vulnerabilities (SecurityWeek) Fortinet Patches Critical Vulnerabilities in FortiFone, FortiSIEM (SecurityWeek) Exclusive: Beijing tells Chinese firms to stop using US and Israeli cybersecurity software, sources say (Reuters) Critical OpenSSH flaw exposes Moxa industrial switches to remote takeover (Beyond Machines) Cyberattack forces Belgian hospital to transfer critical care patients (The Record) Betterment confirms data breach after wave of crypto scam emails (Bleeping Computer) Passports, bank details compromised in Eurail data breach (The Register) Lawmakers Urged to Let US Take on 'Offensive' Cyber Role (Bank InfoSecurity) Sean Plankey re-nominated to lead CISA (CyberScoop) Police chief admits misleading MPs after AI used in justification for banning Maccabi Tel Aviv fans (BBC News) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Stolen Target source code looks real. CISA pulls the plug on Gogs. SAP rushes patches for critical flaws. A suspected Russian spy emerges in Sweden, while Cloudflare threatens to walk away from Italy. Researchers flag a Wi-Fi chipset bug, a long-running Magecart skimming campaign, and a surge in browser-in-the-browser phishing against Facebook users. Mandiant releases a new Salesforce defense tool, and NIST asks how to secure agentic AI before it secures itself. Our guests are Christine Blake and Madison Farabaugh from Inside the Media Minds. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Christine Blake and Madison Farabaugh from W2 Communications and hosts of Inside the Media Minds podcast on their show joining the N2K CyberWire network. You can listen to the latest episode of Inside the Media Minds today and catch new installments every month on your favorite podcast app. Selected Reading Target employees confirm leaked code after ‘accelerated’ Git lockdown (Bleeping Computer) Fed agencies urged to ditch Gogs as zero-day makes CISA list (The Register) SAP's January 2026 Security Updates Patch Critical Vulnerabilities (SecurityWeek) Sweden detains ex-military IT consultant suspected of spying for Russia (The Record) Cloudflare CEO threatens to pull out of Italy  (The Register) One Simple Trick to Knock Out the Wi-Fi Network (GovInfo Security) Google's Mandiant releases free Salesforce access control checker (iTnews) Global Magecart Campaign Targets Six Card Networks (Infosecurity Magazine) Facebook login thieves now using browser-in-browser trick (Bleeping Computer) NIST Calls for Public to Help Better Secure AI Agents (GovInfo Security) Appeal fails for hacker who opened port to coke smugglers (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices