Cleartext – April 10, 2026

Friday, April 10, 2026 · 8:21

Show Notes

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 5 topic areas, including: Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs; Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’; Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook.

Stories Covered

🌍 Geopolitical

Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs

CyberScoop · Apr 09 · Relevance: █████████░ 9/10

Why it matters to CISOs: Active Iranian state-sponsored targeting of U.S. energy, water, and government OT infrastructure demands immediate exposure assessment and hardening of internet-facing industrial control systems.

  • Censys researchers identified ~3,900 exposed devices targeted by Iranian government campaigns
  • Attacks target energy, water, and U.S. government services and facilities
  • Campaign focuses on programmable logic controllers and industrial OT systems

Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’

CyberScoop · Apr 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: FBI's disruption of Russia's APT28 router-based infrastructure underscores how compromised edge networking devices serve as persistent footholds — CISOs should audit router firmware and access controls enterprise-wide.

  • FBI Operation Masquerade targeted Russian GRU's APT28 router botnet
  • Campaign was unique in its ability to propagate from routers to deeper network access
  • FBI cyber chief Brett Leatherman described the access as 'tremendous'

📡 Macro Trends

Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook

VentureBeat Security · Apr 09 · Relevance: █████████░ 9/10

Why it matters to CISOs: Anthropic's Claude Mythos autonomously finding and exploiting a 27-year-old vulnerability in hardened code at under $50 per run fundamentally changes the threat model — CISOs must prepare for AI-accelerated exploit discovery becoming routine.

  • Mythos found a 27-year-old bug in OpenBSD's TCP stack that survived decades of human audit
  • 90x improvement over prior AI models in Firefox exploit writing (181 vs 2 successes)
  • Single discovery campaign cost approximately $20,000; the specific bug-finding run cost under $50

To counter cookie theft, Chrome ships device-bound session credentials

Help Net Security · Apr 10 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Google's DBSC in Chrome 146 binds session cookies to specific devices, directly countering the infostealer-to-session-hijack pipeline that has driven many recent enterprise breaches — CISOs should evaluate deployment across managed fleets.

  • Device Bound Session Credentials (DBSC) now generally available in Chrome 146 for Windows
  • Renders stolen authentication cookies useless on different devices
  • macOS expansion planned in upcoming Chrome release

🔓 Data Breach

Dutch hospitals face disruptions after ransomware attack on software provider ChipSoft

The Record (Recorded Future) · Apr 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Supply-chain ransomware hitting a healthcare EHR vendor disrupting hospitals across an entire country highlights the catastrophic third-party risk exposure in healthcare and critical infrastructure.

  • Ransomware attack hit ChipSoft, a major Dutch healthcare software vendor
  • Company forced to disable digital services used by hospitals and patients across the Netherlands
  • Dutch national healthcare cybersecurity center issued advisory

New VENOM phishing attacks steal senior executives' Microsoft logins

BleepingComputer · Apr 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A new PhaaS platform specifically targeting C-suite credentials means executive account compromise risk is rising — CISOs should review phishing-resistant MFA and executive protection controls.

  • New phishing-as-a-service platform called 'VENOM' specifically targets C-suite executives
  • Attacks focus on stealing Microsoft credentials across multiple industries
  • Previously undocumented platform indicates growing commercialization of executive-targeted phishing

⚖️ Governance & Policy

Treasury Department announces crypto industry cyber threat sharing initiative

The Record (Recorded Future) · Apr 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Treasury extending threat intelligence sharing to digital asset firms signals regulatory convergence between traditional finance and crypto — CISOs at financial institutions should understand the broadening of sector-level threat data sharing.

  • U.S. Treasury will share actionable cybersecurity threat intelligence with eligible digital asset firms at no cost
  • Program mirrors existing information sharing with traditional U.S. financial institutions
  • Eligible firms must meet Treasury's criteria to participate

🚨 Critical Vulnerability

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

The Hacker News · Apr 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: An Adobe Reader zero-day actively exploited in the wild for over four months via crafted PDFs poses significant enterprise risk given PDF's ubiquity — immediate patching and email/endpoint controls for PDF handling are critical.

  • Zero-day in Adobe Reader exploited via malicious PDFs since at least December 2025
  • Described as a 'highly sophisticated PDF exploit' by EXPMON researchers
  • First sample appeared on VirusTotal in November 2025, indicating months of undetected exploitation

Full Transcript

Jordan: A 27-year-old bug. Sitting inside one of the most hardened codebases on the planet. Missed by every auditor, every fuzzer, every security researcher who ever looked at it. An AI found it this week for under fifty dollars.

Alex: Welcome to Cleartext. It's Friday, April 10th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Big week. We've got Iranian state actors targeting thousands of exposed OT devices across U.S. critical infrastructure. The FBI just detailed how they dismantled APT28's router botnet. Adobe's been sitting on a zero-day since December. A ransomware attack just paralyzed hospitals across an entire country through one software vendor. And yes — we're going to spend serious time on that AI vulnerability research story, because it changes your threat model in ways that can't be overstated. Let's get into it.

Jordan: Start with Iran, because this is operationally urgent. Censys researchers published findings this week identifying roughly 3,900 internet-exposed devices in the crosshairs of Iranian government-linked campaigns. We're talking programmable logic controllers, OT systems, industrial control infrastructure — energy, water, U.S. government facilities. This isn't opportunistic. This is deliberate pre-positioning.

Alex: The phrase "pre-positioning" is doing a lot of work there, and it should. This is the kind of activity that doesn't necessarily produce a headline today. It produces a headline when geopolitical conditions change and someone decides to pull a trigger. For CISOs in energy and utilities, this is the moment to run an aggressive exposure assessment on internet-facing OT. Not next quarter. This week.

Jordan: The question I'd be asking my team is: do we actually know what's exposed? Most OT environments have accumulation debt — devices that got internet-accessible years ago for legitimate operational reasons and never got walked back. If you don't have a current, accurate inventory with network exposure mapped, that's your first problem.

Alex: And if you're briefing your board on geopolitical risk, this is your data point. Iranian state actors, named targets, specific device categories. That's not abstract threat intelligence. That's a procurement conversation about OT segmentation and a liability conversation about what happens if one of those 3,900 devices belongs to you.

Jordan: Pivot to Russia, because the FBI gave us a rare detailed look this week at Operation Masquerade — their takedown of APT28's router-based botnet infrastructure. Brett Leatherman, the FBI's cyber chief, described the access these compromised routers provided as "tremendous." That word is doing work. What made this campaign distinctive is propagation — APT28 wasn't just using routers as proxies. They were using them as launch points to move deeper into networks.

Alex: This is the edge device problem in its sharpest form. Routers are trusted. They're rarely monitored the way endpoints are. Firmware update cadences are often terrible. And they sit at the boundary of everything. If I'm a CISO hearing this story, I'm immediately asking: what's our router firmware posture enterprise-wide, including branch offices and remote infrastructure? And when did we last audit access controls on those devices?

Jordan: The GRU doesn't get "tremendous access" from a zero-day. They get it from default credentials, unpatched firmware, and configurations that nobody has reviewed in three years. The FBI did us a favor here by being specific about the vector. Use it.

Alex: Now the story I think matters most for your long-term threat modeling. Anthropic's Mythos research. This week it became public that Claude-based AI autonomously found and developed a working exploit for a 27-year-old vulnerability in OpenBSD's TCP stack. Two packets. Any server running it crashes. This bug survived decades of human code review, professional audits, fuzzing campaigns — OpenBSD's entire reputation is built on being hardened. And an AI found it for under fifty dollars.

Jordan: The number that I keep coming back to is the Firefox comparison. Prior AI models produced two successful exploits in a controlled test. Mythos produced 181. That's not incremental improvement. That's a different category of capability. And the economics are the part that should keep you up at night. A $20,000 discovery campaign. Under $50 for the specific run that found the bug. That's accessible to nation-states, well-funded criminal organizations, and increasingly, everyone else.

Alex: The implication for CISOs is this: the assumption that "hardened, well-reviewed code is probably fine" no longer holds at the confidence level it did. The attack surface isn't just your unpatched systems. It's your patched systems with bugs that human review never found. Your vulnerability management program was built for a world where finding novel bugs was expensive and slow. That world ended this week.

Jordan: The playbook shift is real. More aggressive patching cadences on foundational infrastructure. Deeper investment in runtime protection and anomaly detection — because if exploits are being generated at scale, you need to catch them behaviorally when signatures lag. And honestly, start having the conversation with your board about AI-accelerated offensive capabilities as a standing agenda item, not a one-time briefing.

Alex: Speaking of things that have been exploited longer than they should have been — Adobe Reader. A zero-day, actively exploited in the wild via malicious PDFs since at least December 2025. The first sample hit VirusTotal in November. That's four-plus months of undetected exploitation. EXPMON describes it as highly sophisticated. The delivery artifact was named "Invoice540.pdf." Classics never die.

Jordan: PDF is the universal attack surface. It's in every enterprise. It crosses every security boundary because people send PDFs for everything. Patch Adobe Reader across your environment immediately if you haven't already. And revisit your email gateway and endpoint controls around PDF handling. Sandboxing, restrictions on PDF JavaScript — these are not new controls, but a four-month undetected zero-day is a reminder of why they matter.

Alex: ChipSoft in the Netherlands. A ransomware attack on a major Dutch healthcare EHR vendor forced the company to take down digital services used by hospitals and patients across the entire country. The Dutch national healthcare cybersecurity center issued an advisory. This is the supply-chain ransomware scenario that every healthcare CISO has modeled and hoped wouldn't happen. It happened.

Jordan: The thing about healthcare is that the third-party dependency isn't just operational — it's clinical. When the EHR goes down, patient care degrades. Decisions get made without full information. That's not an IT problem. That's a patient safety problem. And it's exactly the argument for getting your board to treat third-party risk in healthcare as a tier-one liability issue, not a vendor management checkbox.

Alex: If you haven't run a tabletop on your critical healthcare software vendors going dark, this is your forcing function. And make sure your contracts have cyber incident notification requirements with teeth.

Jordan: Two quick ones before we wrap. VENOM — a new phishing-as-a-service platform specifically designed to target C-suite Microsoft credentials. Previously undocumented. Multiple industries. The commercialization of executive-targeted phishing is accelerating. If your executives are not on phishing-resistant MFA — hardware keys, passkeys — this is the week to close that gap.

Alex: And Treasury announced this week that it's extending its cyber threat intelligence sharing program to eligible digital asset firms. Same intelligence that traditional financial institutions receive, at no cost. For CISOs at banks or financial services firms that are expanding into digital assets, this is worth your attention. The regulatory perimeter around crypto is converging with traditional finance, and the intelligence sharing infrastructure is following.

Jordan: Also — Chrome 146 shipped Device Bound Session Credentials on Windows. DBSC cryptographically binds session cookies to specific devices, which directly breaks the infostealer-to-account-takeover pipeline. Stolen cookie becomes worthless if the device it was stolen from isn't present. If you're managing Chrome across an enterprise fleet, evaluate deployment. macOS support is coming in the next release.

Alex: The theme this week, if you step back, is that the economics of attacking you are getting better for your adversaries faster than the economics of defending are getting better for you. AI-accelerated exploit discovery. Fifty-dollar bug finds. Phishing-as-a-service for C-suite targeting. Router botnets providing nation-state level persistence. The velocity is increasing.

Jordan: The response isn't panic. It's precision. Know what's exposed. Audit your edge. Get your executives on phishing-resistant auth. Treat your third-party dependencies as extensions of your own risk surface. And start building the case internally that AI in offensive security is not a future threat — it's a present one that requires budget and attention now.

Alex: That's Cleartext for Friday, April 10th. If this episode was useful, share it with someone who needs it. We'll be back Monday. Stay sharp.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-10.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.