Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage.

Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft’s massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Timestamps:
0:00 – Intros + AI news whiplash
5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever
7:32 – AI accelerating vulnerability discovery at record pace
10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC
12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns
14:26 – Anthropic's infrastructure strain: Is Opus being nerfed?
21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal
28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax
34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild
41:36 – VirusTotal mining: The golden age of threat intel hunting
50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure
55:04 – Paleontology of threat research: When do you publish? Who do you trust?
1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows
1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips
2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question

Links:

• Transcript
• Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulns
• ZDI: April 2026 Patch Tuesday Review
• Inside ZionSiphon: OT Malware Targeting Israeli Water Systems
• GenDigital: Chasing an Angry Spark
• MAD Bugs: Month of AI-Discovered Bugs (Calif)
• HackerOne: The Vulnerability Apocalypse is a Remediation Crisis
• OpenAI scaling up Trusted Access for Cyber (TAC) Program
• OpenAI Commits $10m in API credits for cybersecurity
• Anthropic: Introducing Claude Opus 4.7
• OpenAI confirms Axios developer tool compromise
• Jensen Huang x Jensen Huang on Nvidia’s AI Moat
• Anthropic: Detecting and preventing distillation attacks
• NIST Updates NVD Operations to Address Record CVE Growth
• Dreadnode Open-Source Tools to Measure AI Offense-Defense Gap
• LABScon 2026 Call for Papers
• Cyber-Paleontology in the Age of AI (Black Hat Asia 2026)
• Ekoparty Miami Schedule
• TLPBLACK

Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing.

Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

00:00 — Opening banter
01:36 — Anthropic Mythos Preview + Project Glasswing
06:17 — USG reaction + Wall Street emergency meeting
10:54 — Mythos capabilities vs hype (technical reality check)
13:44 — PR stunt? Skepticism of Anthropic narrative
20:42 — The patching crisis + “defender advantage”
27:41 — Bug bounty model under threat from AI
33:37 — Mythos practical workflows
45:09 — Geopolitics, NSA angle, and nationalization discussion
01:40:18 — Fortinet zero-day + ongoing failures
01:42:39 — Drift Protocol heist ($285M) + long-term social engineering
01:44:07 — Revisiting XZ Utils / Jia Tan attribution
01:54:07 — Crypto security gaps + need for real CTI in blockchain
02:04:22 — APT28 DNS hijacking + router compromise campaign
02:18:57 — Microsoft driver signing meltdown + ecosystem impact

Links:

• Transcript
• TLPBLACK
• Claude Mythos Preview
• Accidental data leak reveals existence of Anthropic Mythos
• Project Glasswing
• System Card: Claude Mythos Preview
• Axios: OpenAI plans new product for cybersecurity use
• The $285M Drift Protocol Heist Was ‘6 Months in the Making’
• Drift Protocol - Incident Report
• US Treasury to share threat-intel with crypto companies
• Fortinet customers confront actively exploited zero-day
• Fortinet advisory: CVE-2026-35616 (exploited in the wild)
• SOHO router compromise leads to DNS hijacking
• APT28 exploit routers to enable DNS hijacking operations
• DOJ Conducts Court-Authorized Disruption of DNS Hijacking Network Controlled by a Russian Military
• Lumen on 'Frost Armada' Forest Blizzard DNS Hijacking
• WireGuard (Account Suspended)
• OSR on Microsoft Driver Signing Lockout
• Microsoft: Account Verification for Windows Hardware Program
• US Warns of Iran-Linked Cyber Hacks on Water, Energy Systems
• CISA bulletin: Iranian Hackers Exploiting PLCs Across US Critical Infrastructure
• Watch S4: The Bob Lazar Story
• YouTube: Dan Guido at [un]prompted

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl

Links:

• Transcript
• Nicholas Carlini - Black-hat LLMs
• Ptacek: Vulnerability Research Is Cooked
• Chris St Myers: Why Organizations Are Confusing Temporary Friction with Permanent Safety
• Dan Geer: Children of the Magenta
• Calif: Month of AI-Discovered Bugs
• Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell
• Internet Bug Bounty Pauses Bug Bounty Program
• Node.js Bug Bounty Program Paused Due to Loss of Funding
• Elastic: How we caught the Axios supply chain attack
• Elastic tool: supply-chain-monitor
• Apple Will Push Out Rare ‘Backported’ Patches to iOS 18 Users
• WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware
• The Human-Machine Team
• Arsenal Recon Tool
• TLPBLACK

Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines.

Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 Intro & Pre-Show Banter
3:08 JAGS in San Francisco: RSAC week recap
6:05 Google Launches Cyber Disruption Unit — What's Actually New?
13:43 Why Separate Disruption Units Matter: ROI & Budget Justification
29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine
32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity
47:32 ENT.ai & Tenex AI Hackathon at RSAC
53:08 Kaspersky Links Corona Exploit Kit to Operation Triangulation
1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns
1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law
1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail
1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data
1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy
2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

Links:

• Transcript
• TLPBLACK Solutions
• Google launches threat disruption unit at RSAC
• White House downplays cyber ‘letters of marque’ speculation
• Haroon Meer on RSAC 2026
• Kaspersky on Coruna/Triangulation Connection
• Apple Security Bulletin - iOS 26.4
• Reverse engineering Apple’s silent security fixes
• New Hong Kong Law on Phone/Laptop Passwords
• Iran-linked hackers breach FBI director's personal email
• US DOJ Disrupts Iranian Cyber Enabled Psychological Operations
• Official Statement on Stryker Network Disruption
• Russia arrests Leakbase admin
• Trivy ecosystem supply chain compromised (Advisory)
• Self-propagating malware poisons open source software and wipes Iran-based machines
• New Malware Targets Users of Cobra DocGuard Software
• FCC bans 'foreign made' consumer routers (PDF)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it.

Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and Supermicro co-founder $2.5 billion AI chip smuggling bust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript
• Thinkst Canary
• Equation Group: The Crown Creator of Cyber-Espionage
• The Project Sauron APT
• Google: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
• iVerify: Inside DarkSword - A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
• Lookout: Attackers Wielding DarkSword Threaten iOS Users
• Apple statement on Coruna, DarkSword
• Amazon discovers Interlock ransomware hitting enterprise firewalls
• Cisco Secure Firewall Management Center RCE Flaw
• CISA Urges Endpoint Management System Hardening After Stryker Attack
• Stryker statements on wiper network disruption
• Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
• White House Unveils National AI Legislative Framework
• Supermicro Founder Charged with Diverting AI tech to China
• NEBULA:FOG 2026 | AI x Security Hackathon

Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest.

Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• TLPBLACK Solutions
• Kim Zetter: Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
• Stryker Cyberattack Adds to Fears of New Front in Iran War
• Bloomberg: Cyberattack Hits Stryker; Pro-Iran Group Claims Credit
• Who is Handala? (Malpedia)
• Palo Alto: Increased Risk of Wiper Attacks
• CISA Advisories on Iran State-Sponsored Cyber Threat
• Russia state actors targets Signal and WhatsApp accounts
• Dutch intel report on Signal, WhatsApp targeting
• Signal responds to Dutch Intel report
• ESET: Resurgence of one of Russia’s most notorious APT groups
• Poland says foiled cyberattack on nuclear centre may have come from Iran
• Apple ships iOS 16.7.15 to cover 'Coruna' exploits
• Apple iOS 15.8.7 covers 'Coruna' exploit kit
• Detection Engineering #148
• NEBULA:FOG 2026 | AI x Security Hackathon
• Ekoparty Miami (May 21-22, 2026)
• PIVOTcon Agenda

Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• Thinkst Canary (how it works)
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Matthias Frielingsdorf on the mysterious Coruna iOS exploit kit discovery
• Matthias Frielingsdorf on Coruna (raw transcript)
• Coruna-related hashes on VirusTotal
• Kaspersky: No signs Coruna iPhone exploit kit made by US
• Azimuth unlocked the San Bernardino shooter’s iPhone for the FBI
• 2025 Zero-Days in Review (Google)
• FBI investigating ‘suspicious’ cyber activities on critical surveillance network
• Iranian Hacking Groups Go Dark Amid US, Israeli Military Strikes
• Interplay between Iranian Targeting of IP Cameras and Physical Warfare
• Israel says it knocked out Iran’s cyber warfare headquarters
• Amazon Bahrain facility targeted for U.S. military support
• Full transcript of Anthropic CEO Dario Amodei interview
• Codex Security (formerly Aardvark) now in research preview
• NEBULA:FOG 2026 | AI x Security Hackathon

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

Links:

• TLPBLACK
• Transcript
• Huntress 2025 Cyber Threat Report
• Microsoft: Think before you Click(Fix)
• Akira Ransomware
• CISA: Protecting Against Malicious Use of Remote Monitoring and Management Software
• Ep9: The blurring lines between nation-state APTs and the ransomware epidemic
• Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, Trenchant exec sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary
• Live updates: US and Israel strike Iran
• Episode 80: Hamid Kashfi on the situation in Iran
• ‘Incoherent’: Hegseth’s Anthropic ultimatum confounds AI policymakers
• Anthropic Claude AI Security Tool Wipes Out Over $15 Billion From Cybersecurity Stocks
• CrowdStrike CEO responds to stock price hit
• Designation of Zero-Day Exploits Broker for Theft of U.S. Trade Secrets
• Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
• Trenchant Exec Who Sold Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison
• AWS says AI-augmented threat actor accesses FortiGate devices at scale
• Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
• Anthropic Claud Code Security
• Anthropic: Detecting and preventing distillation attacks
• GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
• iPhone and iPad approved to handle classified NATO information
• Fortinet Achieves Certification for Secure Product Development
• Cisco SD-WAN threat hunting guide
• TLPBLACK
• NEBULA:FOG 2026 | AI x Security Hackathon
• RE//verse Conference

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• TLPBLACK
• GitLab exposes North Korean malware tradecraft
• Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets (Seongsu Park)
• Critical Vulnerabilities in Ivanti EPMM Exploited
• Dell RecoverPoint for Virtual Machines Zero-Day
• Dell Bulletin - RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability
• Critical Dell bug exploited for two years
• OpenAI intros Lockdown Mode and Elevated Risk labels in ChatGPT
• OpenAI is rebranding Aardvark
• Anthropic Claude Code Security
• Jason Lang: Real Human Concerns In The Age of AI
• JAGS' batteries-included Claude Code SDLC config
• RE//verse Conference
• NEBULA:FOG 2026 | AI x Security Hackathon

Three Buddy Problem - Episode 85: Top stories this week include drone incursions over El Paso and the murky line between cartel activity, anti-drone tech testing, and full-blown hybrid warfare; updates on the Notepad++ supply chain fallout; Microsoft’s zero-day treadmill and AI-enabled attack surfaces; and Apple’s “extremely sophisticated” iOS exploits.

Plus, Europe’s growing appetite for offensive cyber, Palo Alto and the uncomfortable politics of cyber attribution, Singapore on telco intrusions, and the economics of end-of-life infrastructure.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary - Customer Love
• What We Know About the El Paso Airspace Shutdown
• El Paso Closure Caused by Firing Anti-Drone Laser
• Notepad++ supply chain hack (new IOCs)
• Ukatemi: Notepad++ attack related samples
• Notepad's new Markdown powers served with a side of RCE
• Microsoft: Windows Notepad App RCE Vulnerability
• iOS 26.3 security advisory (exploited 0day)
• Estonian Foreign Intelligence Service annual report
• PSIRT | FortiGuard Labs High-Risk Advisory
• Germany prepares to attack cyber enemies
• Palo Alto chose not to tie China to hacking campaign for fear of retaliation
• The Shadow Campaigns: Uncovering Global Espionage (Palo Alto)
• Singapore .gov on nation-state telco hacks
• TLP-BLACK
• LABScon 2026

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft’s security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Thinkst Canary - Customer Love
• Transcript (unedited, AI-generated)
• Did a renowned hacker help Jeffrey Epstein get ‘dirt on other people'?
• DOJ releases details alleged talented hacker working for Jeffrey Epstein
• Claude Opus 4.6 \ Anthropic
• 0-Days \ red.anthropic.com
• JAGS' Claude Code SDLC config
• CERT-Ukraine on zero-day attacks via MS Office
• Executive security shuffle at Microsoft
• TLPBLACK: What we know about the Notepad++ supply chain attack
• Lotus Blossom APT targets critical infrastructure via Notepad++.
• Kaspersky: Notepad++ supply chain attack breakdown
• Validin: Exploring the C2 Infrastructure of the Notepad++ Compromise
• Hostinger server unauthorized access case: What happened with Notepad++ and how we resolved it
• Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
• Palo Alto Unit 42: The Shadow Campaigns - Uncovering Global Espionage
• FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled
• Court document: FBI Washington Post Lockdown Mode
• PIVOTcon
• TLP BLACK
• LABScon 2026
• Decipher podcast (Dennis Fisher)
• Detection Engineering newsletter (Zack Allen)

Three Buddy Problem - Episode 83: Poland's CERT documents a rare, explicit wiper attack on civilians in a NATO country, including detailed attribution of a Russian government op targeting the electric grid in the heart of winter. We examine why this crosses a long-avoided threshold, why attribution suddenly matters again, and what it says about pre-positioned access, vendor insecurity, and the shrinking gap between cyber operations and acts of war.

Plus, another Fortinet fiasco, a new batch of Ivanti zero-days under attack, an emergency patch from Microsoft and the return of the mysterious KasperSekrets account.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (Use Cases)
• ESET DynoWiper update: Technical analysis and attribution
• Poland CERT on Russian wiper attacks
• Poland blames two Ukrainians allegedly working for Russia for railway blast
• Britain’s New Spy Chief Has a New Mission
• Two New Ivanti 0days Exploited
• Microsoft ships emergency Office patch to thwart attacks
• Analysis of Single Sign-On Abuse on FortiOS
• Fortinet PSIRT: Administrative FortiCloud SSO authentication bypass
• Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
• WhatsApp Strict Account Settings
• China Executes 11 People Linked to Cyberscam Centers in Myanmar
• Singapore to start caning for scammers
• Germany on hacking attacks: "We will strike back, including abroad"
• Acting CISA chief uploaded sensitive files into a public version of ChatGPT
• TLP BLACK
• LABScon 2026
• KasperSekrets

Three Buddy Problem - Episode 82: We parse news that China-linked VoidLink is a malware framework created entirely by AI and the collapsing line between elite APT operations and everyday threat actors.

Plus, a new Sean Heelan essay on low-cost exploit generation and why “AI guardrails” are mostly a comforting myth; AI slop overwhelming bug bounty programs; CISA's new Brickstorm YARA rules; and fresh research on a wiper-malware found in Russian attacks against Poland's electricity sector.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (use cases)
• Sean Heelan on the coming industrialisation of exploit generation with LLMs
• VoidLink Shows AI-Generated Malware Has Begun
• LLMs in the SOC: Why Benchmarks Fail Security Operations Teams
• CISA advisory on BRICKSTORM backdoor
• Node.js — New HackerOne Signal Requirement
• AI slop security reports submitted to cURL
• Arctic Wolf on FortiGate attacks via SSO accounts
• New Cisco Remote Code Execution Vulnerability
• From Protest to Peril: Cellebrite Used Against Jordanian Civil Society
• Microsoft on multi‑stage AiTM phishing and BEC campaign abusing SharePoint
• Microsoft Gave FBI BitLocker Encryption Keys
• The Mastermind: Drugs. Empire. Murder. Betrayal
• Kim Zetter: Cyberattack on Poland’s energy grid used a wiper
• ESET on 'DynoWiper' malware

Three Buddy Problem - Episode 81: We dissect New York Times reporting on the "precision" of US cyber operations in Venezuela, the competing narratives around offensive cyber capabilities and "letters of marque" for private hackers. Plus, a mysterious failed cyber attack on Poland's power grid, internet blackouts in Iran (with fascinating DNS telemetry revealing Chinese bank traffic and Russian website spikes), and news of China's ban on US/Israeli cybersecurity software.

We also cover Check Point's research on "VoidLink" (is it a successor to ShadowPad?), Microsoft's threat intelligence sharing practices, and Google Project Zero's disclosure of zero-click vulnerabilities caused by AI-powered transcription features.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities
• Massive cyberattack on Polish power system in December failed, minister says
• What happened in Poland? (Ruben Santamarta)
• Costin Raiu: What’s Happening in Iran?
• Verizon just had a big outage. Here’s what we know
• Beijing tells Chinese firms to stop using US and Israeli cyber products
• MS Patch Tuesday CVE-2026-20805 (exploited in the wild)
• VoidLink: The Cloud-Native Malware Framework
• Microsoft disrupts global cybercrime subscription service
• Project Zero: A 0-click exploit chain for the Pixel 9
• Joint statement from Google and Apple
• Sean Plankey re-nominated to lead CISA
• TLPBLACK
• DistrictCon Agenda
• Ekoparty Miami
• The Thinking Game (Full Documentary)

Three Buddy Problem - Episode 80: Researcher Hamid Kashfi returns to unpack Iran’s latest unrest, separating economic reality from propaganda while examining how information control, cyber pressure, and state surveillance are shaping events on the ground.

Plus, did cyber make the lights go out in Venezuela?

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• About Hamid Kashfi
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Venezuela strike marks a turning point for US cyber warfare
• KittenBusters | CharmingKitten
• Comprehensive Threat Intelligence Report: Charming Kitten
• Between Three Nerds: The evolution of Iranian cyber espionage
• Trump says U.S. will hit Iran "very hard" if violence continues at protests
• Venezuelan oil giant PVDSA hit by cyberattack
• CIA cyberattacks targeting the Maduro regime didn’t satisfy Trump in his first term
• Antiy Report on cyber operations in Venezuela
• Nationwide internet blackout reported in Iran

Three Buddy Problem - Episode 79: We cover MongoBleed (CVE‑2025‑14847), exposed MongoDB deployments, and the sad realization that zero-day attacks are a normal, everyday occurrence. Plus, AI’s expanding role and misuse across products and workflows, proximity attacks against Bluetooth audio devices, spyware sanctions de-listings, and ransomware economics.

In a special mailbag segment, we give our book recommendations and respond to common questions from the listeners.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsored by Material Security
• MongoDB Server Security Update (Dec 2025)
• CVE Record: CVE-2025-14847
• Censys on MongoBleed
• European Space Agency hit by cyberattack
• Security pros plead guilty to ransomware
• US removes sanctions for three execs tied to spyware maker Intellexa
• Bluetooth Headphone Jacking: A Key to Your Phone
• Dan Geer Black Hat 2015 keynote
• Book Review: Infected - A Candid Look at VirusTotal’s Birth and Legacy
• Infected: From Side Project to Google: The Journey Behind VirusTotal
• The Human Factor (Inside the CIA's dysfunctional intelligence culture)
• A Killing Art: The Untold History of Tae Kwon Do
• Thou Shall Prosper: Ten Commandments for Making Money
• Cult of the Dead Cow (by Joseph Menn)
• The Nvidia Way: Jensen Huang and the Making of a Tech Giant
• From Third World to First: The Singapore Story
• Thinking in Systems (PDF)
• AI Superpowers: China, Silicon Valley, and the New World Order
• The Denial of Death: Ernest Becker
• Energy and Civilization: A History by Vaclav Smil
• DeepLearning.AI

Three Buddy Problem - Episode 78: We close out the year with a no-budget, no-permission awards show, spotlighting the cybersecurity stories that actually mattered.

Plus, a bizarre polygraph scandal at CISA, Chinese APT research dumps, ransomware pre-notification hiccups, foreign drone bans, and the growing gap between cyber theater and real operational value.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker Solutions
• Acting CISA director failed a polygraph
• LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
• Qianxin’s research on the CSDN watering hole attack
• ViciousTrap - Turning edge devices into honeypots en masse
• AyySSHush: Tradecraft of an emergent ASUS botnet
• Intellexa’s Global Corporate Web (Recorded Future)
• Frozen in transit: Secret Blizzard’s AiTM hits embassies in Russia
• GitHub - KittenBusters/CharmingKitten
• Bunnie Huang Black Hat keynote (YouTube)
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• DeepSeek Debates: Chinese Leadership On Cost, True Training Cost, Closed Model Margin Impacts
• Behind the Dismantling of Hezbollah
• Israel Secretly Recruited Iranian Dissidents to Attack Iran From Within
• Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
• Code Orange: Cloudflare resilience plan following recent incidents
• Apple SEAR: Memory Integrity Enforcement

Three Buddy Problem - Episode 77: New React2Shell data from Microsoft, fresh Apple and Cisco zero-days already in the wild, and state-linked campaigns from Russia and China that show a merging of espionage, crime, and infrastructure disruption.

Plus, the US government's push to enlist private firms in offensive hacking, letters of marque for cartels, new discovery of spyware used against journalists in Belarus, and Amazon catching North Koreans via keystroke latency.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• ThreatLocker Solutions
• Transcript (unedited, AI-generated)
• Trump Admin Turning to Private Firms in Cyber Offensive
• Microsoft on React2Shell
• React2Shell and OpenAI (shoutout Andrew MacPherson)
• Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw
• iOS 26.2 Security Patches
• Reporters Without Borders uncovers new spyware from Belarus
• Cisco Talos on Cisco 0day attacks
• Hack of Chinese state time center hints at U.S. advanced missile defense
• Amazon on Russian APT targeting Western critical infrastructure
• North Korean infiltrator caught in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location
• Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
• Russian defense firms targeted by hackers using AI
• TLPBLACK looks back at 2025
• Inside Google's basement in Malaga: ChatGPT of Cybersecurity
• GitHub - xdanx/open-klara: Open KLara Project
• Gepetto Web

Three Buddy Problem - Episode 76: On the show this week, Costin walks through how a single Romanian documentary kick-started nationwide protests, exposing how corruption can be perfectly legal when the law itself is gamed, and why this moment feels different, darker, and more consequential than past flare-ups.

Plus, news on the React-to-Shell exploitation wave overwhelming the internet, why patching is structurally hard, and how APTs and criminals are converging on the same fragile dependency chain. Along the way, they take aim at Microsoft’s shrinking transparency, the limits of vendor trust, and what it really means when defenders are told (again) to just patch and pray.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker : A security platform that prevents ransomware
• The Anatomy of a React2Shell Compromise (TLPBLACK)
• CVE-2025-55182 Analysis Report (GreyNoise)
• Exploitation of Critical Vulnerability in React Server Components
• PeerBlight Linux Backdoor Exploits React2Shell (Huntress)
• Patch Tuesday round-up (ZDI)
• How Two Hackers Went From Cisco Academy to Cisco CVEs
• Two Men Linked to China’s Salt Typhoon Hacker Group Likely Trained in a Cisco ‘Academy’
• OpenAI on dual-use AI risks
• Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
• DOJ Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
• Microsoft paying bounties for vulns in third-party code
• Cybersecurity 2026 Predictions (SentinelLABS)
• Dakota Cary is in the "anti-China Chorus"
• Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing
• Automated React2Shell vulnerability patching is now available - Vercel
• Computer Olympiad enters new era as IITPSA hands over to Thinkst Applied Research

Three Buddy Problem - Episode 75: We dig into a CVSS 10/10 unauthenticated RCE bug causing chaos across the internet and early signs that Chinese APTs are already launching exploits, the cascading patch chaos, and a long tail of malware intrusions to come.

Plus, commentary on Chrome’s telemetry collection, Microsoft and the "SFI success story," newest BRICKSTORM backdoor intrusions, the US national security strategy, Anthropic's AI popping smart-contract bugs, a secret FBI ransomware-hunting unit getting weird, and a pair of sad stories in the security community.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker — Meet the cybersecurity platform that prevents ransomware
• An essay by Vess
• RIP Stealth
• Google Goodbye to the Chrome Cleanup Tool
• US National Security Strategy (PDF)
• Critical Security Vulnerability in React Server Components (CVE-2025-55182)
• Chinese threat groups rapidly exploit React2Shell vuln
• AWS MadPot
• BRICKSTORM Backdoor (PDF)
• WARP PANDA: A New Sophisticated China-Nexus Adversary
• Meet Group 78, the secret US task force that fights cybercriminals
• Recorded Future: Intellexa’s Global Corporate Web
• Intellexa’s Prolific Zero-Day Exploits Continue
• To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware
• Apple, Google send new round of threat notifications to users around world
• Calisto Targets Reporters Without Borders in Phishing Campaign
• Anthropic AI agents find $4.6M in blockchain smart contract exploits
• Lazarus hack largest South Korean crypto exchange
• EU countries reach breakthrough on chat-scanning law despite intense pushback
• The Denial of Death - by Ernest Becker

Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft’s CISO at CYBERWARCON and what it reveals about the company’s shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA’s mobile spyware guidance, NSO’s legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf.

We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Microsoft CISO LinkedIn comments
• Shai Hulud 2.0 Strikes Again
• Wiz: Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposed
• CISA guidance on mobile spyware on iOS, Android
• NSO Group argues WhatsApp injunction threatens existence
• Arctic Wolf: Russian APT targets U.S. Companies Supporting Ukraine
• FCC revokes telecom cybersecurity rules after Salt Typhoon hacks
• FCC Chairman statement on removing telco rules
• Amazon Is Using Specialized AI Agents for Deep Bug Hunting
• Anthropic CEO called to testify on AI cyber threats
• TLPBLACK
• Material Security (Book a demo)

Three Buddy Problem - Episode 73: The buddies react to Google’s release of Gemini 3 and its early performance, new Chrome interface changes landing on users’ machines, and major highlights from CYBERWARCON. We revisit the long-running debate over APT naming conventions, examine Amazon’s latest threat-intel reporting on Iranian activity, and walk through the Cloudflare outage that briefly knocked chunks of the internet offline.

Plus, new APT reports from ESET, Positive Technologies, and SecurityScorecard, and China's CN-CERT (now validated claim) that the U.S. government seized billions in Bitcoin tied to the Lubian mining-pool hack.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security -- Stop Attacks, Secure Data
• Transcript (unedited, AI-generated)
• Why Microsoft Needs to Split Windows in Two
• CYBERWARCON agenda
• Amazon: Nation-state actors bridging cyber and kinetic warfare
• Cyber Warfare Startup Nabs Contracts to Give US Military Hackers AI Tools
• Fortinet documents 0day attacks
• Fortinet CVE-2025-64446 Under Active Attack
• Google Chrome zero-day exploited
• Cloudflare statement on outage on November 18, 2025
• Cloudflare just got faster and more secure, powered by Rust
• Russian alleged cyber-hacker faces extradition to US after arrest in Thailand
• Russian detained over connection to Void Blizzard attacks
• Positive Technologies: Attacks of the Striking Panda
• PlushDaemon compromises network devices for adversary-in-the-middle attacks
• PlushDaemon compromises supply chain of Korean VPN service
• ASUS Routers Hijacked in Global 'WrtHug' Operation
• Arkham on Bitcoin Chen Zhi seized funds
• US DOJ $15 Billion Bitcoin Indictment
• TLPBLACK
• PIVOTcon 2026
• RE//verse Conference
• The Age of Disclosure (Prime Video)
• Amazon.com: Bullshit Jobs

Three Buddy Problem - Episode 72: We unpack Anthropic’s conflicting self-promotion around the “first AI-orchestrated cyberattack” using Claude Code and the future of automated APT attacks.

Plus, Chinese cyber vendor KnownSec falls victim to data breach, fresh accusations that the U.S. stole billions in Bitcoin, Amazon warning about Cisco/Citrix zero-days, Google’s new Private AI Compute and Microsoft kernel zero-day marked as "actively exploited."

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security case studies
• TLPBLACK
• Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign
• Anthropic report on AI-orchestreated APT campaign ()DF)
• Data breach at Chinese infosec firm reveals weapons arsenal
• Twitter thread on KnownSec breach details
• China Accuses US of Orchestrating $13 Billion Bitcoin Hack
• CISA finds federal agencies missing critical (exploited) vulns
• Amazon discovers APT exploiting Cisco and Citrix zero-days
• Amazon launches private AI bug bounty program
• Amazon Nova
• Microsoft Warns of Exploited Windows Kernel Zero-Day
• Google intros Private AI Compute tech
• Google paper on Private AI Computer (PDF)
• OpenAI CISO on NYTimes request for ChatGPT conversations
• UK transport and cyber-security chiefs investigate Chinese-made buses
• Ruter pen-tests Chinese electric buses
• DistrictCon
• CYBERWARCON
• DefCamp 2025

Three Buddy Problem - Episode 71: The buddies travel to Canada for a live recording at the Countermeasure conference, discussing the Google v FFmpeg open-source patching brouhana, ransomware negotiators charged and linked to ransomware attacks, the looming TP-Link ban in the U.S., and the discovery of LANDFALL, an APT attack caught using a Samsung mobile zero-day.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security — We protect your company’s most valuable materials — the emails, files, and accounts that live in your Google Workspace & Microsoft 365 cloud offices.
• Transcript (unedited, AI-generated)
• FFmpeg complains about Google BigSleep AI
• Google v FFmpeg brouhaha
• Curl's Daniel Stenberg on a new breed of AI analyzers
• unit42.paloaltonetworks.com
• iOS 26.1 security updates
• U.S. agencies back banning TP-Link home routers on security grounds
• TLP BLACK

Plus, L3 Harris/Trenchant exec pleads guilty to selling exploits to Russian brokers, Kaspersky catches the return of HackingTeam using Chrome zero-day exploit chain, and news of a proposed law in Russia to force researchers to report vulnerabilities first to goverment agencies.

Cast: Dave Aitel (Technical Staff, OpenAI), Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Episode 70 Livestream - YouTube
• Aardvark: OpenAI’s agentic security researcher
• TBP episode on OpenAI’s Aardvark
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• Ex-US cyber intel exec pleads guilty to selling spy tools to Russian broker
• Ex-L3Harris Cyber Boss Pleads Guilty to Selling Trade Secrets to Russian Firm
• Kim Zetter: Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being "Utilized" by Different Broker in South Korea
• How we linked ForumTroll APT to Dante spyware by Memento Labs
• CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware
• Russia's new vuln disclosure law proposal
• TBP Live in Ottawa
• Binding Hook Live
• State of Statecraft
• Ekoparty Miami

We also discuss calls for the US government to build a structured, lawful ecosystem for private-sector offensive operations to address existing chaos and market gaps.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Key IOCs for iPhone Spyware Cleaned With iOS 26 Update
• Exploitation of WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
• Hamid Kashfi on CVE-2025-59287
• Pwn2Own Ireland results
• Hacking Lab Boss Charged with Seeking to Sell Secrets in Russia
• Court doc (Peter Williams case)
• Cyber Insurer Sues Policyholder’s Cyber Pros
• NSA Accused of Stealing Secrets from China's National Time Centre
• China's CN-CERT on alleged NSA espionage operation
• DanderSpritz documentation
• Building the US market for offensive cyber
• Netherlands Limits Intelligence-Sharing With US Amid Politicization, Russia Fears
• Agenda - Binding Hook Live
• Agenda - State of Statecraft
• TBP Live at Countermeasures (Ottawa)

In this special episode, we present Juan Andres Guerrero-Saade's LABScon 2025 keynote-day presentation on the state of cybersecurity and why this phase of our collective project has failed, and how to build something smarter, more sustainable, and deeply interconnected in its place.

Juanito traces the field’s evolution from chaos to consolidation, weaving in cybernetics, standardization, and the dawning coexistence of human and artificial evaluative power. The result is part philosophical sermon, part rallying cry, an invitation to reject the industry’s slave morality, rethink our tools, and steer the next era of defense with intention.

Links:

• Transcript (unedited, AI-generated)
• JAGS keynote: The intricacies of wartime cyber threat intelligence - Security Conversations
• LABScon - Security Research in Real Time
• JAGS on LinkedIn
• JAGS on Twitter
• The Consolation of Threat Intel (JAGS LABScon 2024 keynote)

Plus, an update on Oracle’s zero-day ransomware fiasco, Ivanti’s endless patch delays, the ethics of journalists enabling ransomware operations on leak sites, Europe’s latest failed push for Chat Control, and VirusTotal’s new pricing tiers.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple's new exploit-chain bounties
• Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits
• Paragon Strikes Again: UniCredit CEO Among the Targets
• NSO to be acquired by U.S. investors
• Oracle confirms exploited 0day - CVE-2025-61882
• Oracle Security Officer comms
• Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks
• ZDI documents Ivanti 0days waiting for patches
• One-man spam campaign ravages EU ‘chat control’ bill
• VirusTotal new pricing tiers
• Tavis Ormandy Kaspersky 0day find

Plus, the TikTok–Oracle deal and the strange role Oracle now plays in U.S. national security; OpenAI’s Sora 2 launch and its implications for social media and human expression; Palo Alto’s “Phantom Taurus” APT report, a follow-up on Cisco’s ArcaneDoor disclosures, and the impact of the U.S. government shutdown on CISA.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Drone sightings prompt call for German police to gain shoot-down powers
• UK arrest following aerospace cyber incident
• Oracle Probes Hacks of Customers’ E-Business Suite After Extortion Campaign
• Oracle Critical Patch Update Advisory - July 2025
• Here is the email Clop attackers sent to Oracle customers
• Oracle statement from Chief Security Officer
• TikTok’s Algorithm to Be Secured by Oracle in Trump-Backed Deal
• Phantom Taurus: A New Chinese Nexus APT
• China Hackers Breached Foreign Ministers’ Emails
• Cisco Statement on Attacks Against Cisco Firewalls
• GreyNoise: 25,000 IPs Scanned Cisco ASA Devices in Early Sept
• KeyDrop.io

Plus, Cisco’s controversial handling of these disclosures, CISA's emergency deadlines for patching, the absence of IOCs and samples, and China’s long-term positioning. Plus, thoughts on the Secret Service SIM farm discovery in New York and evidence of Russians APTs Turla and Gamaredon collaborating to hit Ukraine targets.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
• Mandiant Brickstorm Scanner
• Cisco advisory: Continued Attacks Against Cisco Firewalls
• NCSC report on Cisco ASA bootkit in the wild
• U.S. government scrambles to stop new hacking campaign blamed on China
• US Secret Service Statement on SIM Farm Discovery
• NYTimes: Cache of Devices Capable of Crashing Cell Network Is Found Near U.N.
• Airport chaos: Ransomware hits airport check-in systems
• NCSC statement: Incident impacting Collins Aerospace
• Gamaredon X Turla collab

Cast: Aurora Johnson, Trevor Hilligoss, Ryan Naraine and Juan Andres Guerrero-Saade.

Links:

• Plunging China's internet toilets (LABScon)
• SpyCloud Labs

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Visi Stark.

Links:

• How the Infamous APT-1 Report Exposing China’s PLA Hackers Came to Be
• Mandiant APT1 Report
• A guide to U.S. allegations of China cyberspying
• The Vertex Project
• LABScon 2025
• Visi Stark on LinkedIn
• LABScon 2025: Plunging the Internet Toilets in China
• Aurora Johnson on Twitter
• Trevor Hilligoss

Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple bulletin: iOS 18.6.2
• Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS
• UK drops demand for backdoor into Apple encryption
• Tulsi Gabbard on UK dropping Apple backdoor mandate
• Microsoft Curbs Early Notifications for Chinese Firms on Security Flaws
• Kaspersky report on PipeMagic
• Microsoft: Dissecting PipeMagic Backdoor Framework
• Cisco Talos on Static Tundra
• FBI advisory on end-of-life network devices
• SIM-Swapper, Scattered Spider Hacker Gets 10 Years
• Qubic Claims Majority Control of Monero Hashrate, Raising 51% Attack Fears
• State of Statecraft Call for Papers
• LABScon 2025 Speaker Roster
• Offensive AI Con
• Three Buddy Problem: LIVE in Canada

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dakota Cary on LinkedIn
• China’s Covert Capabilities -- Silk Spun From Hafnium
• HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
• Microsoft Probing Whether Chinese Hackers Found Flaw Via MAPP
• Cybersecurity Law of the People’s Republic of China
• Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
• Fire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenter
• Singapore actively dealing with ongoing China cyberattack
• Iranians Targeted With Spyware in Lead-Up to War With Israel — all inside Iran and working either in the country’s technology sector or for the government.
• LABScon 2025
• Apple in China (book)

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US Gov: Prolific Chinese state-sponsored contract hacker arrested
• Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
• Microsoft Exchange Server Attack Timeline
• YouTube: Orange Tsai on ProxyLogon
• Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
• The Growing Role of Cyber Militias in China’s Network Warfare Force Structure
• NCA arrest four for attacks on M&S, Co-op and Harrods
• Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Batavia spyware targeting Russian organizations
• Chainalysis: First-ever crypto seizure in Greece
• Ringzer0 COUNTERMEASURE — Three Buddy Problem discount code for training: CM25-3BUDDY
• LABScon 2025

Plus, thoughts on an academic paper on the vanishing art of Western companies exposing Western (friendly) APT operations, debate whether stealth or self-censorship is to blame, and the long-tail effects on cyber paleontology.

We also dig into Sean Heelan’s proof that OpenAI’s new reasoning model can spot a Linux kernel 0-day and the implications for humans in the bug-hunting chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dutch intelligence agency outs 'Laundry Bear' Russian APT
• Russian gov hackers buying passwords from cybercriminals
• Microsoft: Russian actor Void Blizzard targets critical sectors for espionage
• Censys data on AyySSHush ASUS router botnet
• Czech Republic statement on Chinese hack
• Czech gov condemns Chinese hack on critical infrastructure
• NATO floats cybersecurity included in new spending target
• Mark your Google Calendar: APT41 innovative tactics
• The rise of responsible behavior: Western commercial reports on Western cyber threat actors
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• ASUS Botnet Tracker
• CISA: Logging Made Easy (LME)

Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

Links:

• Transcript (unedited)
• China's Volt Typhoon Exploiting Zero-Day in Servers Used by ISPs, MSPs
• Versa Director Zero-Day Exploitation - Black Lotus Labs
• CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
• Google TAG: APT29 using same exploits as Intellexa, NSO Group
• Russia's APT29 Reusing Exploits From Spyware Merchants
• Official Pavel Durov charges (PDF)
• WSJ: Pavel Durov's iPhone was hacked by France, UAE
• Microsoft Calls EDR Summit
• NSA to Launch ‘No Such Podcast’
• LABScon 2024 Speakers
• APT29 / Midnight Blizzard

Plus, Chinese mobile OS vendor Xiaoimi caught disabling parts of its infrastructure -- including its global app store -- to thwart Pwn2Own contestants; and news of an addition to the LABScon 2024 keynote stage.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Links:

• WSJ: The Real Story of the Nord Stream Pipeline Sabotage
• MIVD - The Little Spy Agency That Can
• Iran behind Trump campaign hack
• Xiaomi Caught Patching, Unpatching Pwn2Own RCE Vuln
• Dakota Cary on Xiaomi Pwn2Own patch shenanigans
• Transcript (unedited)
• Territorial Dispute by Boldi

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

Links:

• Allison Miller on LinkedIn
• Cartomancy Labs
• Security Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
• New SEC rule on breach disclosure (PDF)
• Follow Allison Miller on Twitter
• Sponsor: Binarly Supply Chain Security Platform

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.

Links:

• Nick Biasini on Twitter
• Cisco Talos Library of Reports
• Nick Biasini on LinkedIn
• Beyond the Veil of Surveillance: Private Sector Offensive Actors (PSOAs)
• US Gov Mercenary Spyware Clampdown Hits Cytrox, Intellexa

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.

Links:

• Allison Nixon on Twitter
• Allison Nixon - Unit 221B bio
• Las Vegas casino hackers rely on violent threats
• Crossing boundaries to facilitate extortion, encryption, and destruction

Ron is Director of Cyber Security Insights at Verve Industrial Protection, a critical infrastructure-focused organisation that sells services and products that work across IT and OT environments for effective cyber security, controls and management.

Links:

• Selena Larson Presentations
• Follow Selena on Twitter
• Selena Larson on Bringing New & Diverse People into the ICS Security Community
• ICS OSINT: An Attacker’s Perspective
• Selena Larson profile

Links:

• Matt Honea blog posts
• Safe Harbor Programs: Ensuring the Bounty Isn't on ...