The Angry Spark APT Mystery: A Year-Long Backdoor, One Victim, Zero Attribution

April 18th, 2026  |  2 hrs 35 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage.

Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft’s massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 – Intros + AI news whiplash
5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever
7:32 – AI accelerating vulnerability discovery at record pace
10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC
12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns
14:26 – Anthropic's infrastructure strain: Is Opus being nerfed?
21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal
28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax
34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild
41:36 – VirusTotal mining: The golden age of threat intel hunting
50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure
55:04 – Paleontology of threat research: When do you publish? Who do you trust?
1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows
1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips
2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question

The Claude Mythos, Project Glasswing Shockwave

April 10th, 2026  |  2 hrs 34 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing.

Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

0:00 — Opening banter
1:36 — Claude Mythos Preview, Project Glasswing Announcement
7:22 — Parsing the Hype: Is Mythos Really a Step Change?
11:31 — Costin's Take: Is This All a PR Stunt?
17:10 — The Patching Problem: What Happens After the Zero Days?
28:11 — Bug Bounty Programs Under Threat from AI
33:37 — What Will Companies Actually Do With Mythos?
45:09 — Geopolitics: Where Is the US Government? Nationalization Talk
53:01 — Source Code vs. Binary: The Real Limits of Mythos
1:00:01 — Model Recklessness, Guardrails and the Psychiatrist
1:06:17 — Fortinet: Another Zero Day, No Patch, No IOCs
1:09:08 — North Korean Drift Protocol Heist: $285 Million Stolen
1:24:39 — SOHO Router DNS Hijacking: APT28 and FBI Disruption
1:32:34 — Microsoft Suspensions Hit WireGuard, VeraCrypt, OSR
1:38:49 — Shout-Outs, Conferences & Closing

LLMs writing exploits, engineers losing skills, and a case for the generative OS

April 3rd, 2026  |  2 hrs 19 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl

Google's Cyber Disruption Unit; Coruna is Triangulation, US Bans Foreign-Made Routers

March 28th, 2026  |  2 hrs 32 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines.

Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

0:00 Intro & Pre-Show Banter
3:08 JAGS in San Francisco: RSAC week recap
6:05 Google Launches Cyber Disruption Unit — What's Actually New?
13:43 Why Separate Disruption Units Matter: ROI & Budget Justification
29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine
32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity
47:32 ENT.ai & Tenex AI Hackathon at RSAC
53:08 Kaspersky Links Corona Exploit Kit to Operation Triangulation
1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns
1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law
1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail
1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data
1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy
2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

The greatest APT hunter of all time, Apple's exploit kit problem, Microsoft FedRAMP mess

March 20th, 2026  |  2 hrs 27 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by Thinkst Canary. Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it.

Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and Supermicro co-founder $2.5 billion AI chip smuggling bust.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Handala wiper attacks, APT28 implant devs are back, Signal's verification problems

March 13th, 2026  |  1 hr 44 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest.

Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Trenchant, Peter Williams, and the proliferation of a Shadow Brokers-level iOS exploit framework

March 6th, 2026  |  1 hr 59 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by Thinkst Canary. Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Threat Hunter Greg Linares on the modern ransomware playbook

March 3rd, 2026  |  49 mins 48 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

War in Iran, Anthropic v Pentagon, Trenchant zero-day sanctions, AI stock market shocks

February 28th, 2026  |  2 hrs 8 mins

ai, apt research, cyberespionage, cyberwar, nation-state, ransomware, zero-day

(Presented by Thinkst Canary. Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

GitLab doxxes North Korea .gov hackers; fresh Ivanti zero-days; AI addiction and human purpose

February 20th, 2026  |  2 hrs 16 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.