Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

August 29th, 2025  |  2 hrs 24 mins

apt research, china, microsoft, nation-state, russia, zero-day

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Russia hacks Ukraine war supply lines, Signal blocks Windows screenshots, BadSuccessor vuln disclosure debate

May 23rd, 2025  |  2 hrs 30 mins

apt research, china, microsoft, nation-state, russia, zero-day

Three Buddy Problem - Episode 47: We unpack a multi-agency report on Russia’s APT28/Fancy Bear hacking and spying on Ukraine war supply lines, CISA’s sloppy YARA rules riddled with false positives, the ethics of full-disclosure after Akamai dropped Windows Server “BadSuccessor” exploit details, and Sekoia’s discovery of thousands of hijacked edge devices repurposed as honeypots.

The back half veers into Microsoft’s resurrected Windows Recall, Signal’s new screenshot-blocking countermeasure, Japan’s fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines.

Along the way you get hot takes on techno-feudalism, Johnny Ive’s rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders.

Cast: Costin Raiu, Juan Andres Guerrero-Saade and Ryan Naraine.

Thomas Rid joins the show: AI consciousness, TP-Link's China connection, trust in hardware security

April 25th, 2025  |  1 hr 33 mins

apt research, china, nation-state, north korea, spyware, surveillance, zero-day

Three Buddy Problem - Episode 43: Director of the Alperovitch Institute for Cybersecurity Studies Thomas Rid joins the show for a deep-dive into the philosophical and ethical considerations surrounding AI consciousness and anthropomorphism. We dig into the multifaceted implications of AI technology, particularly focusing on data privacy, national security, and the philosophical questions surrounding AI consciousness and rights.

Plus, TP-Link under US government investigation and the broader issues of consumer trust in hardware security, the need for regulation and inspectability of technology, and the struggles with patching network devices.

Cast: Thomas Rid, Juan Andres Guerrero-Saade and Ryan Naraine.

• Costin Raiu is away this week.

The Sophos kernel implant, 'hack-back' implications, CIA malware in Venezuela

November 3rd, 2024  |  1 hr 54 mins

apt research, china, edr, nation-state, sophos, zero-day

Three Buddy Problem Episode 19: We explore Ivan Kwiatkowski’s essay on the limits of threat intelligence, Sophos using kernel implants to surveil Chinese hackers, the concept of ‘hack-back’ and legal implications, geopolitical layers of cyber espionage, CIA malware in Venezuela, Vatican/Mossad mentioned in high-profile Italy hacks, and Canada bracing for .gov attacks from India.

Cast: Ryan Naraine (SecurityWeek), Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh).

Ep11: Cyberwarfare takes an ominous turn

September 6th, 2024  |  1 hr 15 mins

china, cisa, doppelganger, gru, influence operations, north korea, russia, skills shortage, skripal, south korea, unit 29155, yara, zero-day

Three Buddy Problem - Episode 11: Russia's notorious GRU Unit 29155 (previously tied to assassinations, poisonings and coup attempts) now blamed for destructive cyberattacks for sabotage; FBI and DOJ take down 'Doppelganger' network spreading Russian propaganda; CISA's budget, staff, advisories and YARA rules; Influence Operations 2.0; prolific Chinese hackers and global bug-disclosure implications; North Korean hacking capabilities and 0day expertise.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Ep9: The blurring lines between nation-state APTs and the ransomware epidemic

August 23rd, 2024  |  1 hr 6 mins

apt research, attribution, china, nation-state, ransomware, taiwan, xiaomi, zero-day

The 'Three Buddy Problem' Podcast Episode 9: On this episode, we look at the hacking scene in Taiwan, the sad state of visibility into big malware campaigns, the absence of APTs linked to the prolific MIVD Dutch intelligence agency, the blurring lines between big ransomware heists and nation-state actors caught using ransomware as a tool for sabotage and misattribution.

Plus, Chinese mobile OS vendor Xiaoimi caught disabling parts of its infrastructure -- including its global app store -- to thwart Pwn2Own contestants; and news of an addition to the LABScon 2024 keynote stage.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers

January 5th, 2024  |  34 mins 7 secs

china, danny adamitis, lumen technologies, volt typhoon

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

Dakota Cary on China's weaponization of software vulnerabilities

September 15th, 2023  |  55 mins 48 secs

apts, atlantic council, china, nation-state

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.

In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.