CyberWire Daily

A DOGE employee leaks private API keys to GitHub. North Korea’s “Contagious Interview” campaign has a new malware loader. A New Jersey diagnostic lab suffers a ransomware attack. A top-grossing dark web marketplace goes dark in what experts believe is an exit scam. MITRE launches a cybersecurity framework to address threats in cryptocurrency and digital financial systems. Experts fear steep budget cuts and layoffs under the Trump administration may undermine cybersecurity information sharing. A Maryland IT contractor settles federal allegations of cyber fraud. Kim Jones and Ethan Cook reflect on CISO perspectives. A crypto hacker goes hero and gets a hefty reward.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Today Kim Jones [https://www.linkedin.com/in/kimjones-cism/], host of CISO perspectives, sits down with N2K’s analyst Ethan Cook [https://www.linkedin.com/in/ethan-cook-766a24138/] to reflect on highlights from this season of CISO Perspectives [https://thecyberwire.com/podcasts/cso-perspectives/140/notes]. They revisit key moments, discuss recurring themes like the cybersecurity workforce gap, and get Ethan’s outsider take on the conversations. It’s all part of a special wrap-up to close out the season finale. If you like this conversation and want to hear more from CISO Perspectives, check it out here [https://thecyberwire.com/podcasts/cso-perspectives]. Selected Reading DOGE Employee exposes AI API Keys in source code, giving access to advanced xAI models [https://beyondmachines.net/event_details/doge-employee-exposes-ai-api-keys-in-source-code-giving-access-to-advanced-xai-models-k-l-q-0-o/gD2P6Ple2L] (Beyond Machines) DOGE Denizen Marko Elez Leaked API Key for xAI [https://krebsonsecurity.com/2025/07/doge-denizen-marko-elez-leaked-api-key-for-xai/] (Krebs on Security) North Korean Actors Expand Contagious Interview Campaign with New Malware Loader [https://www.infosecurity-magazine.com/news/north-korean-contagious-interview/] (Infosecurity Magazine) Avantic Medical Lab hit by ransomware attack, data breach [https://beyondmachines.net/event_details/avantic-medical-lab-reports-ransomware-attack-data-breach-b-j-f-o-b/gD2P6Ple2L] (Beyond Machines) Abacus Market Shutters After Exit Scam, Say Experts [https://www.infosecurity-magazine.com/news/abacus-market-shutters-exit-scam/] (Infosecurity Magazine) MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats [https://www.securityweek.com/mitre-unveils-aadapt-framework-to-tackle-cryptocurrency-threats/] (SecurityWeek) How Trump's Cyber Cuts Dismantle Federal Information Sharing [https://www.bankinfosecurity.com/how-trumps-cyber-cuts-dismantle-federal-information-sharing-a-28964] (BankInfo Security) UK launches vulnerability research program for external experts [https://www.bleepingcomputer.com/news/security/uk-launches-vulnerability-research-program-for-external-experts/] (Bleeping Computer) Federal IT contractor to pay $14.75 fine over ‘cyber fraud’ allegations [https://therecord.media/federal-it-contractor-fined-over-cyber-fraud-allegations] (The Record) Crypto Hacker Who Drained $42,000,000 From GMX Goes White Hat, Returns Funds in Exchange for $5,000,000 Bounty [https://dailyhodl.com/2025/07/12/crypto-hacker-who-drained-42000000-from-gmx-goes-white-hat-returns-funds-in-exchange-for-5000000-bounty/] (The Daily Hodl) Audience Survey Complete our annual audience survey [https://www.surveymonkey.com/r/JDV3B73] before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

British and Romanian authorities make arrests in a major tax fraud scheme. The Interlock ransomware gang has a new RAT. A new vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails. Suspected Chinese hackers breach a major DC law firm.  Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology. Nvidia warns against Rowhammer attacks across its product line. Louis Vuitton joins the list of breached UK retailers. Indian authorities dismantle a cyber fraud gang. CISA pumps the brakes on a critical vulnerability in American train systems. Our guest is Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, with insights on Scattered Spider. Hackers ransack Elmo’s World.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Today we are joined by Cynthia Kaiser [https://www.linkedin.com/in/cynthia-kaiser-cyber/], SVP of Halcyon’s [https://www.linkedin.com/company/halcyonai/] Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, discussing "Scattered Spider and Other Criminal Compromise of Outsourcing Providers Increases Victim Attacks [https://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks]." You can check out more from Halcyon here [https://explore.thecyberwire.com/halcyon]. Selected Reading Romanian police arrest 13 scammers targeting UK’s tax authority [https://therecord.media/romania-arrests-tax-fraud-ring-britain-hmrc] (The Record) Interlock Ransomware Unleashes New RAT in Widespread Campaign [https://www.infosecurity-magazine.com/news/interlock-ransomware-new-rat/](Infosecurity Magazine) Google Gemini flaw hijacks email summaries for phishing [https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/] (Bleeping Computer) Chinese hackers suspected in breach of powerful DC law firm [https://www.cnn.com/2025/07/11/politics/chinese-hackers-suspected-law-firm-hack](CNN Politics) Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment [https://www.securityweek.com/flaws-in-gigabyte-firmware-allow-security-bypass-backdoor-deployment/] (Security Week) Nvidia warns of Rowhammer attacks on GPUs [https://www.theregister.com/2025/07/13/infosec_in_brief/](The Register) Louis Vuitton UK Latest Retailer Hit by Data Breach [https://www.infosecurity-magazine.com/news/louis-vuitton-uk-retailer-data/](Infosecurity Magazine) Indian Police Raid Tech Support Scam Call Center [https://www.infosecurity-magazine.com/news/indian-police-tech-support-scam/](Infosecurity Magazine) Security vulnerability on U.S. trains that let anyone activate the brakes on the rear car was known for 13 years — operators refused to fix the issue until now [https://www.tomshardware.com/tech-industry/cyber-security/security-vulnerability-on-u-s-trains-that-let-anyone-activate-the-brakes-on-the-rear-car-was-known-for-13-years-operators-refused-to-fix-the-issue-until-now](Tom's Hardware) End-of-Train and Head-of-Train Remote Linking Protocol [https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10](CISA) Hacker Makes Antisemitic Posts on Elmo’s X Account [https://www.nytimes.com/2025/07/14/us/elmo-x-hack-antisemitism.html](The New York Times) Audience Survey Complete our annual audience survey [https://www.surveymonkey.com/r/JDV3B73] before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

Today we are joined by ⁠Selena Larson⁠ [https://www.linkedin.com/in/selenalarson/], Threat Researcher at ⁠Proofpoint⁠ [https://www.linkedin.com/company/proofpoint/], and co-host of ⁠Only Malware in the Building⁠ [https://thecyberwire.com/podcasts/only-malware-in-the-building], as she discusses their work on "Amatera Stealer - Rebranded ACR Stealer With Improved Evasion, Sophistication." Proofpoint researchers have identified Amatera Stealer, a rebranded and actively developed malware-as-a-service (MaaS) variant of the former ACR Stealer, featuring advanced evasion techniques like NTSockets for stealthy C2 communication and WoW64 Syscalls to bypass user-mode defenses. Distributed via ClearFake web injects and the ClickFix technique, Amatera leverages multilayered PowerShell loaders, blockchain-based hosting, and creative social engineering to compromise victims. With enhanced capabilities to steal browser data, crypto wallets, and other sensitive files, Amatera poses a growing threat in the wake of disruptions to competing stealers like Lumma. Complete our annual ⁠audience survey⁠ [https://www.surveymonkey.com/r/JDYLFZ5] before August 31. The research can be found here: * ⁠Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication [https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication] Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

Please enjoy this encore of Career Notes. Director of Google Cloud's Office of the CISO, MK Palmore, dedicated much of his life to public service and now brings his experience working for the greater good to the private sector. A graduate of the US Naval Academy, including the Naval Academy Prep School that he calls the most impactful educational experience of his life, MK commissioned into the US Marine Corps following his service academy time. He joined the FBI and that is where he came into the cybersecurity realm. MK is passionate about getting more diversity, equity and inclusion into industry. We thank MK for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

Fortinet patches a critical flaw in its FortiWeb web application firewall.  Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command’s fiscal 2026 budget includes a new AI project.  Czechia’s cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy’s Ministry of Foreign Affairs. Mexico’s former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories.  A retired US Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Woneis, VP of Product at Fingerprint, to discuss how bots are being used to facilitate music royalty fraud. A federal judge is not impressed with a crypto-thief’s lack of restitution. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Today we are joined by Catherine Woneis [https://www.linkedin.com/in/valleycat/], VP of Product at Fingerprint [https://www.linkedin.com/company/fingerprintjs/], to discuss how bots are being used to facilitate music royalty fraud and how companies can protect themselves. Selected Reading Critical SQL injection vulnerability in Fortinet FortiWeb enables unauthenticated remote code execution [https://beyondmachines.net/event_details/critical-sql-injection-vulnerability-in-fortinet-fortiweb-enables-unauthenticated-remote-code-execution-f-e-i-9-a/gD2P6Ple2L] (Beyond Machines) Critical Wing FTCritical Wing FTP Server Vulnerability Exploited - SecurityWeekP Server Vulnerability Exploited [https://www.securityweek.com/critical-wing-ftp-server-vulnerability-exploited/](SecurityWeek) Cyber Command creates new AI program in fiscal 2026 budget [https://defensescoop.com/2025/07/07/cyber-command-fy26-budget-request-new-ai-program/](DefenseScoop) DeepSeek a threat to national security, warns Czech cyber agency [https://therecord.media/deepseek-security-czech-cyber-agency-warning] (The Record) Indian Cyber Espionage Group Targets Italian Government [https://www.infosecurity-magazine.com/news/indian-cyber-espionage-italian/](Infosecurity Magazine) Former Mexican president investigated over allegedly taking bribes from spyware industry [https://therecord.media/former-mexican-president-investigated-spyware-bribes] (The Record) Major Nintendo Switch Piracy Website Seized By FBI [https://kotaku.com/switch-2-piracy-nsw2u-roms-fbi-hack-emulator-zelda-1851786034] (Kotaku) CISA Releases Thirteen Industrial Control Systems Advisories [https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-releases-thirteen-industrial-control-systems-advisories] (CISA) Lovestruck US Air Force worker admits leaking secrets on dating app [https://www.theregister.com/2025/07/10/airman_admits_dating_app_leaks/] (The Register) Crypto Scammer Truglia Gets 12 Years Prison, Up From 18 Months [https://www.bloomberg.com/news/articles/2025-07-10/crypto-scammer-truglia-gets-12-years-prison-up-from-18-months](Bloomberg) Audience Survey Complete our annual audience survey [https://www.surveymonkey.com/r/JDV3B73] before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]