The Trump administration’s 2026 budget proposal calls for steep cuts to the Cybersecurity and Infrastructure Security Agency (CISA), reducing its funding by nearly $495 million and slashing more than 1,000 jobs—about 30% of the agency’s workforce.

If approved, the cuts would shrink CISA’s budget from $2.87 billion to $2.38 billion. The plan signals a narrower focus on protecting federal networks and critical infrastructure, while stripping back broader cyber defense initiatives.

Major Cuts Across Core Divisions

The proposed reductions hit nearly every major division:

• Cybersecurity Division: Down $216 million, undermining efforts to protect critical infrastructure and government systems.
  
• Integrated Operations Division: Down $46.2 million, reducing support to businesses and local governments.
  
• Stakeholder Engagement Division: Slashed by 62%, cutting $62.2 million and weakening collaboration with private-sector partners.
  
• National Risk Management Center: Down 73%, or $97.4 million—severely limiting the agency’s ability to analyze and predict cyber threats.

Procurement spending would also drop by nearly $69 million, curbing CISA’s ability to upgrade its cyber tools and systems.

Election Security Program on the Chopping Block

The administration is proposing to eliminate CISA’s Election Security Program entirely, cutting $39.6 million and 14 positions. This would dismantle the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports state and local officials in guarding against election-related cyber threats.

Workforce and Program Losses

Overall, the plan would cut CISA’s workforce from 3,294 to 2,324 employees. Key losses include:

• 218 jobs from Mission Support
  
• 204 from the Cybersecurity Division
  
• 327 from Integrated Operations
  
• 127 from Stakeholder Engagement

Programs like the Joint Cyber Defense Collaborative, Cyber Defense Education and Training, and the Joint Collaborative Environment would all take substantial funding hits, with cuts ranging from $14 million to $67 million.

Justification and Backlash

Homeland Security Secretary Kristi Noem defended the cuts, saying CISA needs to get “back to basics”—protecting critical infrastructure and federal networks. She argued that election security and disinformation monitoring fall outside the agency’s core responsibilities.

But critics say the timing couldn’t be worse. Cyber threats from foreign governments and criminal groups are on the rise, and many lawmakers are pushing back.

Senators Mark Warner, Richard Blumenthal, Elissa Slotkin, and Ron Wyden have all voiced concerns, warning that these cuts would weaken national cyber defenses and leave vital systems more vulnerable.

What’s Next

The budget still needs congressional approval. Lawmakers have until the end of September to finalize government spending or risk a shutdown.

Senate hearings on CISA’s leadership are scheduled for Thursday, and these proposed cuts are expected to be front and center in the debate.

As the conversation unfolds, the future of U.S. cybersecurity policy—and CISA’s role in it—hangs in the balance.

Cybersecurity researchers have uncovered a malware campaign using fake software installers to spread a powerful remote access tool. Masquerading as popular apps like LetsVPN and QQ Browser, the campaign is delivering a stealthy malware framework known as Winos 4.0.

First flagged by Rapid7 in February 2025, the operation relies on a loader called Catena to slip past antivirus defenses. The malware runs entirely in memory, making it harder to detect and remove.

Here’s how it works:

• Trojan installers: Users download what looks like a legitimate app, like QQ Browser, but it’s a trojanized NSIS installer.
  
• Memory-only payloads: Once executed, the Catena loader uses embedded shellcode to stage malware directly in memory.
  
• C2 communication: The malware then connects to attacker-controlled servers—mostly in Hong Kong—over obscure TCP and HTTPS ports to receive commands or updates.

Researchers believe the campaign is targeting Chinese-speaking users, possibly as part of a broader surveillance or cyber-espionage effort.

Winos 4.0, also known as ValleyRAT, is based on the Gh0st RAT framework. Written in C++, it’s a plugin-powered tool that can:

• Steal data
  
• Open remote shell access
  
• Launch DDoS attacks

Earlier versions of the malware were spread via phishing campaigns that impersonated Taiwanese tax authorities and gaming platforms.

In April 2025, the attackers adjusted their tactics. The new installers—posing as LetsVPN—run PowerShell commands to disable Microsoft Defender on all drives. They also deploy additional files that:

• Take a snapshot of active processes
  
• Look for Chinese antivirus software like 360 Total Security
  
• Reflectively load DLLs to connect with command-and-control servers

One dropped executable was even signed with a certificate tied to Tencent, though it had expired. That trick is meant to make the malware seem more legitimate and avoid raising red flags.

Despite checking for Chinese language settings, the malware still runs even if the environment isn’t a match—possibly hinting at incomplete development.

Experts suspect this is the work of Silver Fox, a known advanced persistent threat (APT) group. The infrastructure, tactics, and regional focus all point to their involvement.

This campaign is another reminder: always verify the source before downloading software. Even apps that look familiar can be hiding dangerous payloads.

Top U.S. banking associations are pressing the Securities and Exchange Commission to roll back a rule that forces public companies to disclose major cybersecurity breaches within four business days.

In a letter sent May 22, five major financial groups—including the American Bankers Association and the Securities Industry and Financial Markets Association—argued the rule clashes with existing laws aimed at protecting critical infrastructure and victims’ privacy.

At the center of the dispute is Item 1.05 of Form 8-K, a regulation rolled out in July 2023 under the SEC’s broader Cybersecurity Risk Management rules. It requires companies to publicly reveal “material” cyber incidents, like hacks or data breaches, on a strict deadline.

The banking industry says that’s a problem. According to the letter, the rule can disrupt how firms respond to attacks, interfere with law enforcement, and blur the lines between what must be shared publicly and what’s optional.

One key concern: threat actors may be using these public disclosures to pressure companies during ransomware attacks. The groups say that puts victims in an even tougher spot and could drive up insurance costs or legal risks.

There’s also a worry that the rule could have a chilling effect internally. If every incident might go public fast, employees could hesitate to flag problems or share sensitive details that are critical to stopping a breach.

Instead of public disclosures, the associations want the SEC to scrap the rule and stick with current frameworks that let companies alert investors without tipping off attackers or exposing vulnerabilities.

Their argument echoes growing pushback against overlapping federal cybersecurity rules. For example, the Cybersecurity and Infrastructure Security Agency is developing new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). That proposal would give companies 72 hours to report major incidents—another tight window critics say could swamp firms with paperwork during a crisis.

The financial sector isn’t arguing against transparency. But it’s calling for more realistic timelines and coordination between regulators to avoid chaos when every second counts.

A cyberattack on Cellcom, a regional telecommunications provider based in Wisconsin, has disrupted phone and text services for thousands of customers across Wisconsin and Michigan’s Upper Peninsula since May 14. The company confirmed the incident on May 20, attributing the outage to a targeted cyberattack that affected its voice and SMS systems.

In a letter and accompanying video message, Cellcom CEO Brighid Riordan stated that the attack was confined to a specific segment of the network, separate from where sensitive customer data is stored. “We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event,” Riordan assured customers.

Upon detecting the breach, Cellcom activated its incident response protocols, which included engaging external cybersecurity experts, notifying the FBI and Wisconsin state authorities, and initiating a comprehensive recovery strategy.

As of May 22, some services have been partially restored. Cellcom users reported the ability to make calls to other networks, although receiving calls from non-Cellcom numbers remains inconsistent. The company anticipates full service restoration by the end of the week but has not provided a specific timeline.

The outage has significantly impacted customers, including small business owners like Andy Tobias, whose window cleaning business suffered due to communication disruptions.

Cybersecurity experts emphasize that such incidents highlight the vulnerability of critical infrastructure. Dr. Tyler Baeten, an IT instructor at Fox Valley Technical College, noted, “This isn’t a Cellcom issue; this is part of the growing trend nationwide, where we’re seeing our infrastructure being targeted.”

To safeguard personal information, experts recommend using end-to-end encrypted communication platforms and freezing credit with major bureaus—Experian, Equifax, and TransUnion—to prevent identity theft.

Cellcom has pledged to compensate customers for the downtime, though specific details have not been disclosed. The company continues to work diligently to restore full services and has committed to transparent communication throughout the recovery process.