CyberSecurity Knuggets
Apr 25, 2026
Email 1:
Subject: Risky Bulletin: There are now SIM-Farm-as-a-Service providers
Summary: Security firm Infrawatch has uncovered a web panel called ProxySmart linked to 94 SIM farms across 17 countries. ProxySmart is among the first SIM-Farm-as-a-Service providers, and it lowers the technical barrier for criminals to run mobile proxy botnets, social media bot farms, and censorship evasion services. It includes an Android app installed on the SIM farm devices, an API for modem management, a web control panel, and anti-fingerprinting tools. The service reflects the growing market for malicious residential proxies and SIM farm operations, and signals that law enforcement may need to prioritize SIM farm identification and disruption. Other news in the newsletter includes breaches involving Anthropic’s Mythos AI agent, the German Bundestag president’s Signal account being hacked by Russian spies, cryptocurrency thefts from Sri Lanka and Volo DeFi, and various other cyber incidents. The newsletter also covered privacy and policy developments, arrests, threat intelligence, and vulnerability patches.
Email 2:
Subject: China’s hackers hide in plain sight through hijacked home routers, allies warn
Summary: A joint advisory from the UK’s National Cyber Security Centre (NCSC-UK) and international partners warns that Chinese state-sponsored hacking groups are increasingly using large proxy networks built from hijacked consumer devices such as home routers, internet cameras, and NAS devices to conceal their operations and evade detection. Notably, the FBI disrupted the massive “Raptor Train” botnet linked to the Chinese Flax Typhoon group, as well as the “KV-Botnet” used by Volt Typhoon. Traditional IP blocking is less effective against these constantly changing botnets, so the advisory recommends multifactor authentication, network mapping, dynamic threat feeds, zero-trust controls, and strict verification. Other news covered includes US arrests tied to Myanmar cyber scam compounds, the US government accusing China of large-scale theft of AI intellectual property, the discovery of pre-Stuxnet malware called Fast16, UK Biobank health data being sold online in China after a breach, a hack of an Indian media giant by an Afghan-aligned group, and recent cybersecurity incidents around the world.
Email 3:
Subject: Fed Agency Firewall Infected With ‘Firestarter’ Backdoors
Summary: A US federal agency discovered the “Firestarter” backdoor malware infecting Cisco ASA and Firepower firewall devices even after software patches were applied. Firestarter exploits two vulnerabilities patched by Cisco in September 2025 (CVE-2025-20333 and CVE-2025-20362), but can survive firmware updates and reboots by embedding persistence in the device boot sequence. Researchers and agencies including CISA and the UK’s NCSC published a joint report detailing the malware, which serves as a command-and-control channel for remote access. The group behind Firestarter is linked to the earlier “ArcaneDoor” campaign, believed to be China-based. Additional cybersecurity industry updates include vulnerability patches, new AI-driven threats, ransomware insights, and conferences focused on AI risk.
Email 4:
Subject: FIRESTARTER malware remained on Cisco devices after patches were applied | The CyberWire 4.24.26s
Summary: Expert analysis reveals that the FIRESTARTER malware, employed by a state-sponsored APT, persists on Cisco ASA and Firepower devices despite patches released in September 2025. The malware uses sophisticated persistence techniques that allow it to survive upgrades, device reboots, and termination attempts unless the device undergoes a hard power cycle or reimaging. The US CISA and UK’s NCSC collaborated on a technical report describing the threat. Cisco associates the malware with the prior “ArcaneDoor” espionage campaign linked to China. Meanwhile, open-source AI models are approaching the capabilities of the restricted Mythos cybersecurity AI agent. The Trump administration announced plans to counter industrial-scale theft of US AI intellectual property, primarily attributed to Chinese actors. The briefing also covers various cybersecurity news, including supply chain attacks, new malware discoveries, and government sanctions related to cybercrime.
Stay Well!
