
The parallel war online.
Cyberwar shadows the US Israel attack on Iran. Hackers hijack Pakistani news broadcasts. President Trump orders all federal agencies to stop using AI technology from Anthropic. The Health Care Cybersecurity and Resiliency Act clears a hurdle. A new RAT streamlines double extortion attacks against Windows systems. CISA updates warnings on a zero-day targeting Ivanti Connect Secure devices. A North Korea-linked group targets air-gapped systems. Monday business breakdown. On our Afternoon Cyber Tea segment from Microsoft Security, host Ann Johnson speaks with Rob Suárez, Vice President and Chief Information Security Officer at CareFirst BlueCross BlueShield, about cybersecurity in healthcare. Tim Starks from CyberScoop has the latest goings on at CISA. Microsoft says the slop stops here.
Today is Monday, March 2nd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Cyberwar shadows the US Israel attack on Iran.
The escalating conflict between the United States, Israel and Iran has unfolded alongside a parallel cyber campaign, marked by widespread disruptions, infrastructure targeting and mounting warnings of retaliation. After coordinated U.S. and Israeli airstrikes on February 28 killed Iranian Supreme Leader Ali Khamenei and other senior officials, Iran responded with missile and drone attacks on U.S. bases and Israel, causing limited casualties and damage.
In cyberspace, reported U.S.-Israeli operations disrupted Iranian news outlets, government services and Islamic Revolutionary Guard Corps communications, and allegedly included distributed denial-of-service attacks and deeper intrusions into energy and aviation systems. A prolonged nationwide internet blackout followed, though it remains unclear whether that outage stemmed from external cyber activity or internal government controls.
Iranian and pro-Iranian groups have since escalated activity, targeting Israeli industrial control systems, regional fuel infrastructure and U.S. and Israeli logistics providers. Security firms warn that reconnaissance and denial-of-service attacks may precede more destructive operations, including data-wiping malware and ransomware. While impact claims on all sides may be exaggerated, experts caution that cyber operations are now tightly integrated with kinetic conflict, raising risks for critical infrastructure across the region and in Western nations.
Hackers hijack Pakistani news broadcasts.
Several major Pakistani news channels, including Geo News, ARY News and Samaa TV, were disrupted on March 1, 2026, after hackers hijacked satellite broadcasts during peak evening programming. The breach occurred shortly after Iftar and continued into the widely watched 9 p.m. bulletins, displaying unauthorized anti-military messages urging citizens to oppose the armed forces. Geo News said it had been battling hacking attempts for nearly 24 hours before the intrusion. While authorities have not issued a formal statement, reports suggest retaliatory cyberattacks followed, allegedly targeting Indian media outlets. Investigations are ongoing.
President Trump orders all federal agencies to stop using AI technology from Anthropic.
President Trump ordered all federal agencies to stop using artificial intelligence technology from Anthropic, escalating a dispute over how its systems can support military operations. Defense Secretary Pete Hegseth designated Anthropic a “supply-chain risk to national security,” a rare label typically applied to foreign adversaries, effectively barring military contractors from working with the company. Anthropic said it would challenge the decision in court, calling it unprecedented and legally unsound.
The clash centers on the Pentagon’s demand for broad, unrestricted access to Anthropic’s AI models. The company refused to allow uses involving fully autonomous weapons or mass domestic surveillance. The directive could disrupt intelligence analysis at agencies such as the National Security Agency and the CIA, which rely on Anthropic’s Claude system, and force a transition to alternative AI providers.
Claude is experiencing a significant outage, with elevated error rates affecting users across web, mobile and API platforms. The incident was flagged on March 2, 2026, and appears to be widespread rather than confined to a specific region or service. Users may see failed requests, timeouts or inconsistent responses.
OpenAI said it has reached an agreement with the U.S. Department of Defense to deploy its large language models on classified military networks. CEO Sam Altman announced the deal shortly after President Trump ordered agencies to stop using rival Anthropic’s technology. Altman said the agreement includes prohibitions on domestic mass surveillance and requires human responsibility in the use of force, including autonomous weapons. It remains unclear how quickly OpenAI’s models can be integrated into classified Defense systems.
The Health Care Cybersecurity and Resiliency Act clears a hurdle.
A bipartisan group of senators has advanced the Health Care Cybersecurity and Resiliency Act, with the Senate Health, Education, Labor and Pensions Committee voting 22 to 1 to send the bill to the full Senate. The legislation aims to strengthen healthcare cybersecurity by requiring updated federal guidance, including support tailored to rural medical practices and improved coordination among agencies.
The bill would codify key elements of a proposed overhaul of the HIPAA Security Rule, mandating measures such as multifactor authentication, encryption and regular audits, including penetration testing. It also directs the Department of Health and Human Services to establish additional minimum standards based on emerging threats. The measure includes grants and training for under-resourced providers. Lawmakers say the bill could improve sector resilience, though its prospects in Congress remain uncertain.
A new RAT streamlines double extortion attacks against Windows systems.
Researchers have identified a new remote access trojan called Steaelite that streamlines double extortion attacks against Windows 10 and 11 systems. Marketed on cybercrime forums as “fully undetectable,” the malware combines ransomware, data theft, credential and cryptocurrency stealers, and live surveillance tools into a single browser-based control panel.
According to BlackFog, Steaelite begins harvesting browser-stored passwords, session cookies and tokens as soon as a victim connects, even before an operator issues commands. Its dashboard includes remote code execution, webcam and microphone access, keylogging, hidden Remote Desktop Protocol access and ransomware deployment. A built-in cryptocurrency clipper can swap wallet addresses during copy-paste operations. By integrating data exfiltration and encryption in one platform, Steaelite lowers the barrier for criminals to conduct double extortion attacks.
CISA updates warnings on a zero-day targeting Ivanti Connect Secure devices.
CISA has released updated technical details on RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to compromise Ivanti Connect Secure devices. The vulnerability has reportedly been exploited since mid-December 2024 by a China-linked threat actor tracked by Mandiant as UNC5221.
RESURGE is a 32-bit Linux shared object file that acts as a passive command-and-control implant. Instead of beaconing out, it waits for specially crafted inbound TLS connections, using fingerprinting and a forged Ivanti certificate for authentication to evade detection. Once validated, it establishes encrypted mutual TLS sessions for covert access. The malware also includes log-tampering capabilities and boot-level persistence, allowing it to survive reboots. CISA warns the implant may remain dormant and urges administrators to use updated indicators of compromise to detect and remove infections.
A North Korea-linked group targets air-gapped systems.
Zscaler reports that North Korea-linked APT37, also known as ScarCruft and Ruby Sleet, has deployed five new tools in a campaign targeting air-gapped systems. The operation, discovered in December 2025, uses malicious LNK files to launch PowerShell scripts and in-memory payloads. A loader called RestLeaf retrieves shellcode from Zoho WorkDrive, ultimately deploying SnakeDropper, which installs a backdoored Ruby runtime for persistence.
SnakeDropper drops ThumbsBD, a backdoor that uses USB drives as bidirectional relays to exfiltrate data and receive commands, and VirusTask, which spreads via malicious shortcut files on removable media. Zscaler also observed an Android surveillance tool, FootWine. Researchers warn the toolkit is designed to bypass network isolation and recommend close monitoring of endpoints and physical access points.
Monday business breakdown.
Cybersecurity investment and consolidation continue across global markets, with multiple funding rounds and acquisitions announced this week.
Israeli exposure management firm Astelia raised $35 million in seed and Series A funding to expand its AI-driven analysis, partnerships and global teams. Lithuania-based compliance startup Copla secured €6 million to support product expansion and growth across the EU and beyond. Saudi GRC automation platform Solidrange raised $2.4 million to advance its AI-powered governance and compliance roadmap. In the U.S., Virginia-based AI assurance startup Hardshell closed $1.1 million in pre-seed funding to grow in regulated sectors such as healthcare and defense.
M&A activity was also brisk. Arctic Wolf acquired Sevco Security to strengthen exposure assessment capabilities. Booz Allen Hamilton agreed to acquire MSSP Defy Security. Valiant Solutions acquired Abile Group, QuickStart bought training platform IronCircle, and UK-based Littlefish Group acquired MSSP Stripe OLT.
Microsoft says the slop stops here.
Microsoft’s grand AI makeover of Windows 11 has earned it a nickname it probably didn’t workshop in Redmond: “Microslop.” The label, born of frustration over what many users see as AI ambition outpacing operating system polish, has spread briskly across social media. Microsoft cannot stop the meme everywhere, but it can try on its own turf.
Users discovered that the official Copilot Discord server automatically blocks messages containing “Microslop,” replacing them with a polite moderation warning. Predictably, this only inspired creativity. Variations like “Microsl0p” slipped past the filter in a classic internet game of cat and mouse. As users pushed the joke further, some accounts were restricted and parts of the server were locked down.
The episode underscores a broader tension. Copilot does offer genuinely useful features, but Microsoft’s AI-first strategy has left it juggling innovation, optics and an increasingly mischievous audience.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
