Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage.

Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft’s massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Timestamps:
0:00 – Intros + AI news whiplash
5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever
7:32 – AI accelerating vulnerability discovery at record pace
10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC
12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns
14:26 – Anthropic's infrastructure strain: Is Opus being nerfed?
21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal
28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax
34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild
41:36 – VirusTotal mining: The golden age of threat intel hunting
50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure
55:04 – Paleontology of threat research: When do you publish? Who do you trust?
1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows
1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips
2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question

Links:

• Transcript
• Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulns
• ZDI: April 2026 Patch Tuesday Review
• Inside ZionSiphon: OT Malware Targeting Israeli Water Systems
• GenDigital: Chasing an Angry Spark
• MAD Bugs: Month of AI-Discovered Bugs (Calif)
• HackerOne: The Vulnerability Apocalypse is a Remediation Crisis
• OpenAI scaling up Trusted Access for Cyber (TAC) Program
• OpenAI Commits $10m in API credits for cybersecurity
• Anthropic: Introducing Claude Opus 4.7
• OpenAI confirms Axios developer tool compromise
• Jensen Huang x Jensen Huang on Nvidia’s AI Moat
• Anthropic: Detecting and preventing distillation attacks
• NIST Updates NVD Operations to Address Record CVE Growth
• Dreadnode Open-Source Tools to Measure AI Offense-Defense Gap
• LABScon 2026 Call for Papers
• Cyber-Paleontology in the Age of AI (Black Hat Asia 2026)
• Ekoparty Miami Schedule
• TLPBLACK

Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing.

Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

00:00 — Opening banter
01:36 — Anthropic Mythos Preview + Project Glasswing
06:17 — USG reaction + Wall Street emergency meeting
10:54 — Mythos capabilities vs hype (technical reality check)
13:44 — PR stunt? Skepticism of Anthropic narrative
20:42 — The patching crisis + “defender advantage”
27:41 — Bug bounty model under threat from AI
33:37 — Mythos practical workflows
45:09 — Geopolitics, NSA angle, and nationalization discussion
01:40:18 — Fortinet zero-day + ongoing failures
01:42:39 — Drift Protocol heist ($285M) + long-term social engineering
01:44:07 — Revisiting XZ Utils / Jia Tan attribution
01:54:07 — Crypto security gaps + need for real CTI in blockchain
02:04:22 — APT28 DNS hijacking + router compromise campaign
02:18:57 — Microsoft driver signing meltdown + ecosystem impact

Links:

• Transcript
• TLPBLACK
• Claude Mythos Preview
• Accidental data leak reveals existence of Anthropic Mythos
• Project Glasswing
• System Card: Claude Mythos Preview
• Axios: OpenAI plans new product for cybersecurity use
• The $285M Drift Protocol Heist Was ‘6 Months in the Making’
• Drift Protocol - Incident Report
• US Treasury to share threat-intel with crypto companies
• Fortinet customers confront actively exploited zero-day
• Fortinet advisory: CVE-2026-35616 (exploited in the wild)
• SOHO router compromise leads to DNS hijacking
• APT28 exploit routers to enable DNS hijacking operations
• DOJ Conducts Court-Authorized Disruption of DNS Hijacking Network Controlled by a Russian Military
• Lumen on 'Frost Armada' Forest Blizzard DNS Hijacking
• WireGuard (Account Suspended)
• OSR on Microsoft Driver Signing Lockout
• Microsoft: Account Verification for Windows Hardware Program
• US Warns of Iran-Linked Cyber Hacks on Water, Energy Systems
• CISA bulletin: Iranian Hackers Exploiting PLCs Across US Critical Infrastructure
• Watch S4: The Bob Lazar Story
• YouTube: Dan Guido at [un]prompted

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl

Links:

• Transcript
• Nicholas Carlini - Black-hat LLMs
• Ptacek: Vulnerability Research Is Cooked
• Chris St Myers: Why Organizations Are Confusing Temporary Friction with Permanent Safety
• Dan Geer: Children of the Magenta
• Calif: Month of AI-Discovered Bugs
• Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell
• Internet Bug Bounty Pauses Bug Bounty Program
• Node.js Bug Bounty Program Paused Due to Loss of Funding
• Elastic: How we caught the Axios supply chain attack
• Elastic tool: supply-chain-monitor
• Apple Will Push Out Rare ‘Backported’ Patches to iOS 18 Users
• WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware
• The Human-Machine Team
• Arsenal Recon Tool
• TLPBLACK

Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines.

Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 Intro & Pre-Show Banter
3:08 JAGS in San Francisco: RSAC week recap
6:05 Google Launches Cyber Disruption Unit — What's Actually New?
13:43 Why Separate Disruption Units Matter: ROI & Budget Justification
29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine
32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity
47:32 ENT.ai & Tenex AI Hackathon at RSAC
53:08 Kaspersky Links Corona Exploit Kit to Operation Triangulation
1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns
1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law
1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail
1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data
1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy
2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

Links:

• Transcript
• TLPBLACK Solutions
• Google launches threat disruption unit at RSAC
• White House downplays cyber ‘letters of marque’ speculation
• Haroon Meer on RSAC 2026
• Kaspersky on Coruna/Triangulation Connection
• Apple Security Bulletin - iOS 26.4
• Reverse engineering Apple’s silent security fixes
• New Hong Kong Law on Phone/Laptop Passwords
• Iran-linked hackers breach FBI director's personal email
• US DOJ Disrupts Iranian Cyber Enabled Psychological Operations
• Official Statement on Stryker Network Disruption
• Russia arrests Leakbase admin
• Trivy ecosystem supply chain compromised (Advisory)
• Self-propagating malware poisons open source software and wipes Iran-based machines
• New Malware Targets Users of Cobra DocGuard Software
• FCC bans 'foreign made' consumer routers (PDF)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it.

Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and Supermicro co-founder $2.5 billion AI chip smuggling bust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript
• Thinkst Canary
• Equation Group: The Crown Creator of Cyber-Espionage
• The Project Sauron APT
• Google: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
• iVerify: Inside DarkSword - A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
• Lookout: Attackers Wielding DarkSword Threaten iOS Users
• Apple statement on Coruna, DarkSword
• Amazon discovers Interlock ransomware hitting enterprise firewalls
• Cisco Secure Firewall Management Center RCE Flaw
• CISA Urges Endpoint Management System Hardening After Stryker Attack
• Stryker statements on wiper network disruption
• Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
• White House Unveils National AI Legislative Framework
• Supermicro Founder Charged with Diverting AI tech to China
• NEBULA:FOG 2026 | AI x Security Hackathon

Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest.

Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• TLPBLACK Solutions
• Kim Zetter: Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
• Stryker Cyberattack Adds to Fears of New Front in Iran War
• Bloomberg: Cyberattack Hits Stryker; Pro-Iran Group Claims Credit
• Who is Handala? (Malpedia)
• Palo Alto: Increased Risk of Wiper Attacks
• CISA Advisories on Iran State-Sponsored Cyber Threat
• Russia state actors targets Signal and WhatsApp accounts
• Dutch intel report on Signal, WhatsApp targeting
• Signal responds to Dutch Intel report
• ESET: Resurgence of one of Russia’s most notorious APT groups
• Poland says foiled cyberattack on nuclear centre may have come from Iran
• Apple ships iOS 16.7.15 to cover 'Coruna' exploits
• Apple iOS 15.8.7 covers 'Coruna' exploit kit
• Detection Engineering #148
• NEBULA:FOG 2026 | AI x Security Hackathon
• Ekoparty Miami (May 21-22, 2026)
• PIVOTcon Agenda

Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• Thinkst Canary (how it works)
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Matthias Frielingsdorf on the mysterious Coruna iOS exploit kit discovery
• Matthias Frielingsdorf on Coruna (raw transcript)
• Coruna-related hashes on VirusTotal
• Kaspersky: No signs Coruna iPhone exploit kit made by US
• Azimuth unlocked the San Bernardino shooter’s iPhone for the FBI
• 2025 Zero-Days in Review (Google)
• FBI investigating ‘suspicious’ cyber activities on critical surveillance network
• Iranian Hacking Groups Go Dark Amid US, Israeli Military Strikes
• Interplay between Iranian Targeting of IP Cameras and Physical Warfare
• Israel says it knocked out Iran’s cyber warfare headquarters
• Amazon Bahrain facility targeted for U.S. military support
• Full transcript of Anthropic CEO Dario Amodei interview
• Codex Security (formerly Aardvark) now in research preview
• NEBULA:FOG 2026 | AI x Security Hackathon

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

Links:

• TLPBLACK
• Transcript
• Huntress 2025 Cyber Threat Report
• Microsoft: Think before you Click(Fix)
• Akira Ransomware
• CISA: Protecting Against Malicious Use of Remote Monitoring and Management Software
• Ep9: The blurring lines between nation-state APTs and the ransomware epidemic
• Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, Trenchant exec sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary
• Live updates: US and Israel strike Iran
• Episode 80: Hamid Kashfi on the situation in Iran
• ‘Incoherent’: Hegseth’s Anthropic ultimatum confounds AI policymakers
• Anthropic Claude AI Security Tool Wipes Out Over $15 Billion From Cybersecurity Stocks
• CrowdStrike CEO responds to stock price hit
• Designation of Zero-Day Exploits Broker for Theft of U.S. Trade Secrets
• Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
• Trenchant Exec Who Sold Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison
• AWS says AI-augmented threat actor accesses FortiGate devices at scale
• Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
• Anthropic Claud Code Security
• Anthropic: Detecting and preventing distillation attacks
• GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
• iPhone and iPad approved to handle classified NATO information
• Fortinet Achieves Certification for Secure Product Development
• Cisco SD-WAN threat hunting guide
• TLPBLACK
• NEBULA:FOG 2026 | AI x Security Hackathon
• RE//verse Conference

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• TLPBLACK
• GitLab exposes North Korean malware tradecraft
• Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets (Seongsu Park)
• Critical Vulnerabilities in Ivanti EPMM Exploited
• Dell RecoverPoint for Virtual Machines Zero-Day
• Dell Bulletin - RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability
• Critical Dell bug exploited for two years
• OpenAI intros Lockdown Mode and Elevated Risk labels in ChatGPT
• OpenAI is rebranding Aardvark
• Anthropic Claude Code Security
• Jason Lang: Real Human Concerns In The Age of AI
• JAGS' batteries-included Claude Code SDLC config
• RE//verse Conference
• NEBULA:FOG 2026 | AI x Security Hackathon

Three Buddy Problem - Episode 85: Top stories this week include drone incursions over El Paso and the murky line between cartel activity, anti-drone tech testing, and full-blown hybrid warfare; updates on the Notepad++ supply chain fallout; Microsoft’s zero-day treadmill and AI-enabled attack surfaces; and Apple’s “extremely sophisticated” iOS exploits.

Plus, Europe’s growing appetite for offensive cyber, Palo Alto and the uncomfortable politics of cyber attribution, Singapore on telco intrusions, and the economics of end-of-life infrastructure.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary - Customer Love
• What We Know About the El Paso Airspace Shutdown
• El Paso Closure Caused by Firing Anti-Drone Laser
• Notepad++ supply chain hack (new IOCs)
• Ukatemi: Notepad++ attack related samples
• Notepad's new Markdown powers served with a side of RCE
• Microsoft: Windows Notepad App RCE Vulnerability
• iOS 26.3 security advisory (exploited 0day)
• Estonian Foreign Intelligence Service annual report
• PSIRT | FortiGuard Labs High-Risk Advisory
• Germany prepares to attack cyber enemies
• Palo Alto chose not to tie China to hacking campaign for fear of retaliation
• The Shadow Campaigns: Uncovering Global Espionage (Palo Alto)
• Singapore .gov on nation-state telco hacks
• TLP-BLACK
• LABScon 2026

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft’s security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Thinkst Canary - Customer Love
• Transcript (unedited, AI-generated)
• Did a renowned hacker help Jeffrey Epstein get ‘dirt on other people'?
• DOJ releases details alleged talented hacker working for Jeffrey Epstein
• Claude Opus 4.6 \ Anthropic
• 0-Days \ red.anthropic.com
• JAGS' Claude Code SDLC config
• CERT-Ukraine on zero-day attacks via MS Office
• Executive security shuffle at Microsoft
• TLPBLACK: What we know about the Notepad++ supply chain attack
• Lotus Blossom APT targets critical infrastructure via Notepad++.
• Kaspersky: Notepad++ supply chain attack breakdown
• Validin: Exploring the C2 Infrastructure of the Notepad++ Compromise
• Hostinger server unauthorized access case: What happened with Notepad++ and how we resolved it
• Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
• Palo Alto Unit 42: The Shadow Campaigns - Uncovering Global Espionage
• FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled
• Court document: FBI Washington Post Lockdown Mode
• PIVOTcon
• TLP BLACK
• LABScon 2026
• Decipher podcast (Dennis Fisher)
• Detection Engineering newsletter (Zack Allen)

Three Buddy Problem - Episode 83: Poland's CERT documents a rare, explicit wiper attack on civilians in a NATO country, including detailed attribution of a Russian government op targeting the electric grid in the heart of winter. We examine why this crosses a long-avoided threshold, why attribution suddenly matters again, and what it says about pre-positioned access, vendor insecurity, and the shrinking gap between cyber operations and acts of war.

Plus, another Fortinet fiasco, a new batch of Ivanti zero-days under attack, an emergency patch from Microsoft and the return of the mysterious KasperSekrets account.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (Use Cases)
• ESET DynoWiper update: Technical analysis and attribution
• Poland CERT on Russian wiper attacks
• Poland blames two Ukrainians allegedly working for Russia for railway blast
• Britain’s New Spy Chief Has a New Mission
• Two New Ivanti 0days Exploited
• Microsoft ships emergency Office patch to thwart attacks
• Analysis of Single Sign-On Abuse on FortiOS
• Fortinet PSIRT: Administrative FortiCloud SSO authentication bypass
• Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
• WhatsApp Strict Account Settings
• China Executes 11 People Linked to Cyberscam Centers in Myanmar
• Singapore to start caning for scammers
• Germany on hacking attacks: "We will strike back, including abroad"
• Acting CISA chief uploaded sensitive files into a public version of ChatGPT
• TLP BLACK
• LABScon 2026
• KasperSekrets

Three Buddy Problem - Episode 82: We parse news that China-linked VoidLink is a malware framework created entirely by AI and the collapsing line between elite APT operations and everyday threat actors.

Plus, a new Sean Heelan essay on low-cost exploit generation and why “AI guardrails” are mostly a comforting myth; AI slop overwhelming bug bounty programs; CISA's new Brickstorm YARA rules; and fresh research on a wiper-malware found in Russian attacks against Poland's electricity sector.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (use cases)
• Sean Heelan on the coming industrialisation of exploit generation with LLMs
• VoidLink Shows AI-Generated Malware Has Begun
• LLMs in the SOC: Why Benchmarks Fail Security Operations Teams
• CISA advisory on BRICKSTORM backdoor
• Node.js — New HackerOne Signal Requirement
• AI slop security reports submitted to cURL
• Arctic Wolf on FortiGate attacks via SSO accounts
• New Cisco Remote Code Execution Vulnerability
• From Protest to Peril: Cellebrite Used Against Jordanian Civil Society
• Microsoft on multi‑stage AiTM phishing and BEC campaign abusing SharePoint
• Microsoft Gave FBI BitLocker Encryption Keys
• The Mastermind: Drugs. Empire. Murder. Betrayal
• Kim Zetter: Cyberattack on Poland’s energy grid used a wiper
• ESET on 'DynoWiper' malware

Three Buddy Problem - Episode 81: We dissect New York Times reporting on the "precision" of US cyber operations in Venezuela, the competing narratives around offensive cyber capabilities and "letters of marque" for private hackers. Plus, a mysterious failed cyber attack on Poland's power grid, internet blackouts in Iran (with fascinating DNS telemetry revealing Chinese bank traffic and Russian website spikes), and news of China's ban on US/Israeli cybersecurity software.

We also cover Check Point's research on "VoidLink" (is it a successor to ShadowPad?), Microsoft's threat intelligence sharing practices, and Google Project Zero's disclosure of zero-click vulnerabilities caused by AI-powered transcription features.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities
• Massive cyberattack on Polish power system in December failed, minister says
• What happened in Poland? (Ruben Santamarta)
• Costin Raiu: What’s Happening in Iran?
• Verizon just had a big outage. Here’s what we know
• Beijing tells Chinese firms to stop using US and Israeli cyber products
• MS Patch Tuesday CVE-2026-20805 (exploited in the wild)
• VoidLink: The Cloud-Native Malware Framework
• Microsoft disrupts global cybercrime subscription service
• Project Zero: A 0-click exploit chain for the Pixel 9
• Joint statement from Google and Apple
• Sean Plankey re-nominated to lead CISA
• TLPBLACK
• DistrictCon Agenda
• Ekoparty Miami
• The Thinking Game (Full Documentary)

Three Buddy Problem - Episode 80: Researcher Hamid Kashfi returns to unpack Iran’s latest unrest, separating economic reality from propaganda while examining how information control, cyber pressure, and state surveillance are shaping events on the ground.

Plus, did cyber make the lights go out in Venezuela?

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• About Hamid Kashfi
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Venezuela strike marks a turning point for US cyber warfare
• KittenBusters | CharmingKitten
• Comprehensive Threat Intelligence Report: Charming Kitten
• Between Three Nerds: The evolution of Iranian cyber espionage
• Trump says U.S. will hit Iran "very hard" if violence continues at protests
• Venezuelan oil giant PVDSA hit by cyberattack
• CIA cyberattacks targeting the Maduro regime didn’t satisfy Trump in his first term
• Antiy Report on cyber operations in Venezuela
• Nationwide internet blackout reported in Iran

Three Buddy Problem - Episode 79: We cover MongoBleed (CVE‑2025‑14847), exposed MongoDB deployments, and the sad realization that zero-day attacks are a normal, everyday occurrence. Plus, AI’s expanding role and misuse across products and workflows, proximity attacks against Bluetooth audio devices, spyware sanctions de-listings, and ransomware economics.

In a special mailbag segment, we give our book recommendations and respond to common questions from the listeners.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsored by Material Security
• MongoDB Server Security Update (Dec 2025)
• CVE Record: CVE-2025-14847
• Censys on MongoBleed
• European Space Agency hit by cyberattack
• Security pros plead guilty to ransomware
• US removes sanctions for three execs tied to spyware maker Intellexa
• Bluetooth Headphone Jacking: A Key to Your Phone
• Dan Geer Black Hat 2015 keynote
• Book Review: Infected - A Candid Look at VirusTotal’s Birth and Legacy
• Infected: From Side Project to Google: The Journey Behind VirusTotal
• The Human Factor (Inside the CIA's dysfunctional intelligence culture)
• A Killing Art: The Untold History of Tae Kwon Do
• Thou Shall Prosper: Ten Commandments for Making Money
• Cult of the Dead Cow (by Joseph Menn)
• The Nvidia Way: Jensen Huang and the Making of a Tech Giant
• From Third World to First: The Singapore Story
• Thinking in Systems (PDF)
• AI Superpowers: China, Silicon Valley, and the New World Order
• The Denial of Death: Ernest Becker
• Energy and Civilization: A History by Vaclav Smil
• DeepLearning.AI

Three Buddy Problem - Episode 78: We close out the year with a no-budget, no-permission awards show, spotlighting the cybersecurity stories that actually mattered.

Plus, a bizarre polygraph scandal at CISA, Chinese APT research dumps, ransomware pre-notification hiccups, foreign drone bans, and the growing gap between cyber theater and real operational value.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker Solutions
• Acting CISA director failed a polygraph
• LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
• Qianxin’s research on the CSDN watering hole attack
• ViciousTrap - Turning edge devices into honeypots en masse
• AyySSHush: Tradecraft of an emergent ASUS botnet
• Intellexa’s Global Corporate Web (Recorded Future)
• Frozen in transit: Secret Blizzard’s AiTM hits embassies in Russia
• GitHub - KittenBusters/CharmingKitten
• Bunnie Huang Black Hat keynote (YouTube)
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• DeepSeek Debates: Chinese Leadership On Cost, True Training Cost, Closed Model Margin Impacts
• Behind the Dismantling of Hezbollah
• Israel Secretly Recruited Iranian Dissidents to Attack Iran From Within
• Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
• Code Orange: Cloudflare resilience plan following recent incidents
• Apple SEAR: Memory Integrity Enforcement

Three Buddy Problem - Episode 77: New React2Shell data from Microsoft, fresh Apple and Cisco zero-days already in the wild, and state-linked campaigns from Russia and China that show a merging of espionage, crime, and infrastructure disruption.

Plus, the US government's push to enlist private firms in offensive hacking, letters of marque for cartels, new discovery of spyware used against journalists in Belarus, and Amazon catching North Koreans via keystroke latency.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• ThreatLocker Solutions
• Transcript (unedited, AI-generated)
• Trump Admin Turning to Private Firms in Cyber Offensive
• Microsoft on React2Shell
• React2Shell and OpenAI (shoutout Andrew MacPherson)
• Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw
• iOS 26.2 Security Patches
• Reporters Without Borders uncovers new spyware from Belarus
• Cisco Talos on Cisco 0day attacks
• Hack of Chinese state time center hints at U.S. advanced missile defense
• Amazon on Russian APT targeting Western critical infrastructure
• North Korean infiltrator caught in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location
• Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
• Russian defense firms targeted by hackers using AI
• TLPBLACK looks back at 2025
• Inside Google's basement in Malaga: ChatGPT of Cybersecurity
• GitHub - xdanx/open-klara: Open KLara Project
• Gepetto Web

Three Buddy Problem - Episode 76: On the show this week, Costin walks through how a single Romanian documentary kick-started nationwide protests, exposing how corruption can be perfectly legal when the law itself is gamed, and why this moment feels different, darker, and more consequential than past flare-ups.

Plus, news on the React-to-Shell exploitation wave overwhelming the internet, why patching is structurally hard, and how APTs and criminals are converging on the same fragile dependency chain. Along the way, they take aim at Microsoft’s shrinking transparency, the limits of vendor trust, and what it really means when defenders are told (again) to just patch and pray.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker : A security platform that prevents ransomware
• The Anatomy of a React2Shell Compromise (TLPBLACK)
• CVE-2025-55182 Analysis Report (GreyNoise)
• Exploitation of Critical Vulnerability in React Server Components
• PeerBlight Linux Backdoor Exploits React2Shell (Huntress)
• Patch Tuesday round-up (ZDI)
• How Two Hackers Went From Cisco Academy to Cisco CVEs
• Two Men Linked to China’s Salt Typhoon Hacker Group Likely Trained in a Cisco ‘Academy’
• OpenAI on dual-use AI risks
• Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
• DOJ Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
• Microsoft paying bounties for vulns in third-party code
• Cybersecurity 2026 Predictions (SentinelLABS)
• Dakota Cary is in the "anti-China Chorus"
• Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing
• Automated React2Shell vulnerability patching is now available - Vercel
• Computer Olympiad enters new era as IITPSA hands over to Thinkst Applied Research

Three Buddy Problem - Episode 75: We dig into a CVSS 10/10 unauthenticated RCE bug causing chaos across the internet and early signs that Chinese APTs are already launching exploits, the cascading patch chaos, and a long tail of malware intrusions to come.

Plus, commentary on Chrome’s telemetry collection, Microsoft and the "SFI success story," newest BRICKSTORM backdoor intrusions, the US national security strategy, Anthropic's AI popping smart-contract bugs, a secret FBI ransomware-hunting unit getting weird, and a pair of sad stories in the security community.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker — Meet the cybersecurity platform that prevents ransomware
• An essay by Vess
• RIP Stealth
• Google Goodbye to the Chrome Cleanup Tool
• US National Security Strategy (PDF)
• Critical Security Vulnerability in React Server Components (CVE-2025-55182)
• Chinese threat groups rapidly exploit React2Shell vuln
• AWS MadPot
• BRICKSTORM Backdoor (PDF)
• WARP PANDA: A New Sophisticated China-Nexus Adversary
• Meet Group 78, the secret US task force that fights cybercriminals
• Recorded Future: Intellexa’s Global Corporate Web
• Intellexa’s Prolific Zero-Day Exploits Continue
• To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware
• Apple, Google send new round of threat notifications to users around world
• Calisto Targets Reporters Without Borders in Phishing Campaign
• Anthropic AI agents find $4.6M in blockchain smart contract exploits
• Lazarus hack largest South Korean crypto exchange
• EU countries reach breakthrough on chat-scanning law despite intense pushback
• The Denial of Death - by Ernest Becker

Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft’s CISO at CYBERWARCON and what it reveals about the company’s shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA’s mobile spyware guidance, NSO’s legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf.

We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Microsoft CISO LinkedIn comments
• Shai Hulud 2.0 Strikes Again
• Wiz: Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposed
• CISA guidance on mobile spyware on iOS, Android
• NSO Group argues WhatsApp injunction threatens existence
• Arctic Wolf: Russian APT targets U.S. Companies Supporting Ukraine
• FCC revokes telecom cybersecurity rules after Salt Typhoon hacks
• FCC Chairman statement on removing telco rules
• Amazon Is Using Specialized AI Agents for Deep Bug Hunting
• Anthropic CEO called to testify on AI cyber threats
• TLPBLACK
• Material Security (Book a demo)

Three Buddy Problem - Episode 73: The buddies react to Google’s release of Gemini 3 and its early performance, new Chrome interface changes landing on users’ machines, and major highlights from CYBERWARCON. We revisit the long-running debate over APT naming conventions, examine Amazon’s latest threat-intel reporting on Iranian activity, and walk through the Cloudflare outage that briefly knocked chunks of the internet offline.

Plus, new APT reports from ESET, Positive Technologies, and SecurityScorecard, and China's CN-CERT (now validated claim) that the U.S. government seized billions in Bitcoin tied to the Lubian mining-pool hack.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security -- Stop Attacks, Secure Data
• Transcript (unedited, AI-generated)
• Why Microsoft Needs to Split Windows in Two
• CYBERWARCON agenda
• Amazon: Nation-state actors bridging cyber and kinetic warfare
• Cyber Warfare Startup Nabs Contracts to Give US Military Hackers AI Tools
• Fortinet documents 0day attacks
• Fortinet CVE-2025-64446 Under Active Attack
• Google Chrome zero-day exploited
• Cloudflare statement on outage on November 18, 2025
• Cloudflare just got faster and more secure, powered by Rust
• Russian alleged cyber-hacker faces extradition to US after arrest in Thailand
• Russian detained over connection to Void Blizzard attacks
• Positive Technologies: Attacks of the Striking Panda
• PlushDaemon compromises network devices for adversary-in-the-middle attacks
• PlushDaemon compromises supply chain of Korean VPN service
• ASUS Routers Hijacked in Global 'WrtHug' Operation
• Arkham on Bitcoin Chen Zhi seized funds
• US DOJ $15 Billion Bitcoin Indictment
• TLPBLACK
• PIVOTcon 2026
• RE//verse Conference
• The Age of Disclosure (Prime Video)
• Amazon.com: Bullshit Jobs

Three Buddy Problem - Episode 72: We unpack Anthropic’s conflicting self-promotion around the “first AI-orchestrated cyberattack” using Claude Code and the future of automated APT attacks.

Plus, Chinese cyber vendor KnownSec falls victim to data breach, fresh accusations that the U.S. stole billions in Bitcoin, Amazon warning about Cisco/Citrix zero-days, Google’s new Private AI Compute and Microsoft kernel zero-day marked as "actively exploited."

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security case studies
• TLPBLACK
• Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign
• Anthropic report on AI-orchestreated APT campaign ()DF)
• Data breach at Chinese infosec firm reveals weapons arsenal
• Twitter thread on KnownSec breach details
• China Accuses US of Orchestrating $13 Billion Bitcoin Hack
• CISA finds federal agencies missing critical (exploited) vulns
• Amazon discovers APT exploiting Cisco and Citrix zero-days
• Amazon launches private AI bug bounty program
• Amazon Nova
• Microsoft Warns of Exploited Windows Kernel Zero-Day
• Google intros Private AI Compute tech
• Google paper on Private AI Computer (PDF)
• OpenAI CISO on NYTimes request for ChatGPT conversations
• UK transport and cyber-security chiefs investigate Chinese-made buses
• Ruter pen-tests Chinese electric buses
• DistrictCon
• CYBERWARCON
• DefCamp 2025

Three Buddy Problem - Episode 71: The buddies travel to Canada for a live recording at the Countermeasure conference, discussing the Google v FFmpeg open-source patching brouhana, ransomware negotiators charged and linked to ransomware attacks, the looming TP-Link ban in the U.S., and the discovery of LANDFALL, an APT attack caught using a Samsung mobile zero-day.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security — We protect your company’s most valuable materials — the emails, files, and accounts that live in your Google Workspace & Microsoft 365 cloud offices.
• Transcript (unedited, AI-generated)
• FFmpeg complains about Google BigSleep AI
• Google v FFmpeg brouhaha
• Curl's Daniel Stenberg on a new breed of AI analyzers
• unit42.paloaltonetworks.com
• iOS 26.1 security updates
• U.S. agencies back banning TP-Link home routers on security grounds
• TLP BLACK

We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Live from Black Hat: Brandon Dixon
• PSIRT | FortiGuard Labs
• SonicWall Firewalls – SSLVPN Recent Threat Activity
• Cisco CVSS 1.0 RCE
• Margin Research: Cyber Militias Redux
• Russia Is Suspected to Be Behind Breach of Federal Court Filing System
• Russian hackers seized control of Norwegian dam
• Poland foiled cyberattack on big city's water supply
• EU Parliament pressing for agreement on chat scanning bill
• LABScon 2025

Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform the cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development.

Cast: Brandon Dixon, Juan Andres Guerrero-Saade, and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Brandon Dixon | LinkedIn
• Google 'Big Sleep' AI Issue Tracker
• XBOW - The road to Top 1: How XBOW did it
• Does “XBOW AI Hacker” Deserve the Hype?
• XBOW - Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B
• NVIDIA: No Backdoors. No Kill Switches. No Spyware
• Nvidia reiterates its chips have no backdoors, urges US against location verification
• Google: Our Big Sleep agent makes a big leap
• Microsoft announces acquisition of RiskIQ
• RiskIQ attack surface management
• Brandon Dixon (SecurityConversations podcast)
• Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Three Buddy Problem LIVE at Black Hat
• TBP at Countermeasures 2025
• CODE WHITE GmbH ToolShell exploit
• Microsoft guidance for SharePoint vulnerability CVE-2025-53770
• Kaspersky on ToolShell: A story of five Sharepoint vulns
• Ryan's EkoParty keynote on Microsoft culture
• Microsoft Disrupting active exploitation of on-prem SharePoint flaws
• SentinelLabs on Sharepoint zero-day in-the-wild
• ESET on ToolShell: An all-you-can-eat buffet for threat actors
• Microsoft Stops Using China-Based Engineers for DoD Computer Systems
• AI coding platform goes rogue during code freeze and deletes entire company database
• Jason Lemkin: Replit goes rogue
• John Hultquist on Big Dream AI
• LABScon 2025

Cast: Juan Andres Guerrero-Saade, Costin Raiuand Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Russian APT Turla Caught Stealing From Pakistani APT
• Snowblind: The Invisible Hand of Secret Blizzard
• Microsoft: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog
• EpicTurla.com
• Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware
• Lookout Security research paper on Monokle spyware
• Parubets: How a programmer foiled his own FSB recruitment
• CISA/FBI guidance to repel Salt Typhoon
• US officials say they still have not expelled Chinese telco hackers
• Solana backdoored in supply chain hack
• Romania's top court annuls first round of presidential vote won by far-right candidate

Links:

• Microsoft’s embarrassing Recall
• Brad Smith CSRB testimony
• Inside Apple Private Cloud Compute
• LABScon - Security Research in Real Time
• Follow Costin Raiu (@craiu) / X
• Follow JAG-S (@juanandres_gs) / X
• Follow Ryan Naraine (@ryanaraine) / X

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.

Links:

• Projects - Peculiar Ventures
• Ryan Hurst on LinkedIn
• Binarly - AI-powered firmware security
• SandboxAQ