[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights,
[00:03] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Announcer: Welcome to Prime Cyber Insights.
[00:13] Announcer: I'm Aaron, and today is April 3rd, 2026.
[00:17] Aaron Cole: And I'm Lauren.
[00:18] Aaron Cole: We begin today with a $285 million security failure in the decentralized finance space.
[00:26] Lauren Mitchell: The Solana-based exchange Drift Protocol confirmed that attackers linked to North Korea drained their platform on April 1st.
[00:34] Lauren Mitchell: This was not a smart contract bug, Lauren.
[00:37] Lauren Mitchell: It was a multi-week social engineering operation involving durable nonces.
[00:42] Aaron Cole: Exactly, Aaron.
[00:44] Aaron Cole: The attackers manipulated the Security Council into pre-signing authorizations,
[00:49] Aaron Cole: then deployed a fictitious asset called Carbon Vote Token at 0930 Pyongyang time.
[00:56] Aaron Cole: Because they held administrative control, they removed withdrawal limits
[01:00] Aaron Cole: and treated this fake token as legitimate collateral.
[01:04] Aaron Cole: It is a striking example of exploiting the governance layer rather than the code.
[01:09] Lauren Mitchell: Moving to government infrastructure, CERT-EU is now attributing the European Commission cloud breach to the group Team PCP.
[01:18] Lauren Mitchell: We now know that 29 other union entities were also compromised.
[01:23] Aaron Cole: This is a direct consequence of the Trivy supply chain attack we covered previously.
[01:28] Aaron Cole: Team PCP used a stolen AWS API key with management rights to breach the Commission's environment on March 10th.
[01:36] Aaron Cole: The group Shiny Hunters has already leaked a 90-gigabyte archive containing tens of thousands of internal files and email communications.
[01:45] Lauren Mitchell: It serves as a stark reminder that a single compromised developer tool can expose an entire political bloc.
[01:52] Lauren Mitchell: Moving to mobile security, McAfee researchers have uncovered NoVoice malware on the Google Play Store.
[01:59] Aaron Cole: This is a particularly sophisticated threat, Aaron.
[02:02] Aaron Cole: It has infected 2.3 million devices across 50 applications.
[02:08] Aaron Cole: It operates as a rootkit, meaning a standard factory reset will not remove it.
[02:12] Aaron Cole: It replaces the system crash handler and stores payloads on the system partition to survive device wipes.
[02:19] Aaron Cole: The primary objective for NoVoice appears to be session hijacking.
[02:24] Aaron Cole: It injects code into apps like WhatsApp to clone account sessions onto the attacker's hardware.
[02:30] Aaron Cole: If you are running older Android firmware, the risk is severe, since it leverages kernel and GPU vulnerabilities that were patched in more recent versions.
[02:38] Aaron Cole: The common thread today is persistence, Aaron.
[02:42] Aaron Cole: Whether it is through durable nonces and DeFi, management-level API keys in the cloud, or rootkits on mobile, defenders must look past the initial infection and focus on these deep persistence mechanisms.
[02:56] Lauren Mitchell: That concludes our briefing for today.
[02:58] Lauren Mitchell: I'm Aaron.
[02:59] Lauren Mitchell: For deeper technical analysis and further resources, visit PCI.neuralnewscast.com.
[03:04] Aaron Cole: And I'm Lauren.
[03:05] Aaron Cole: This has been Prime Cyber Insights.
[03:07] Aaron Cole: For informational purposes only.
[03:09] Aaron Cole: Neural Newscast is AI-assisted, human-reviewed.
[03:13] Aaron Cole: View our AI Transparency Policy at neuralnewscast.com.
[03:17] Aaron Cole: Stay resilient.
[03:18] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:22] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.