Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

August 29th, 2025  |  2 hrs 24 mins

apt research, china, microsoft, nation-state, russia, zero-day

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Russia hacks Ukraine war supply lines, Signal blocks Windows screenshots, BadSuccessor vuln disclosure debate

May 23rd, 2025  |  2 hrs 30 mins

apt research, china, microsoft, nation-state, russia, zero-day

Three Buddy Problem - Episode 47: We unpack a multi-agency report on Russia’s APT28/Fancy Bear hacking and spying on Ukraine war supply lines, CISA’s sloppy YARA rules riddled with false positives, the ethics of full-disclosure after Akamai dropped Windows Server “BadSuccessor” exploit details, and Sekoia’s discovery of thousands of hijacked edge devices repurposed as honeypots.

The back half veers into Microsoft’s resurrected Windows Recall, Signal’s new screenshot-blocking countermeasure, Japan’s fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines.

Along the way you get hot takes on techno-feudalism, Johnny Ive’s rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders.

Cast: Costin Raiu, Juan Andres Guerrero-Saade and Ryan Naraine.

Careto returns, IDA Pro pricing controversy, crypto's North Korea problem

October 4th, 2024  |  1 hr 30 mins

careto, crypto, hexrays, ida pro, north korea, paragon, russia, spyware, virus bulletin, virustotal, yara

Three Buddy Problem Episode 15: Juanito checks in from Virus Bulletin with news on the return of Careto/Mask, a ‘milk-carton’ APT linked to Spain. We also cover the latest controversy surrounding IDA Pro's subscription model, a major new YARA update, and ongoing issues with VirusTotal's value and pricing. The conversation shifts to North Korean cyber operations, particularly the infiltration of prominent crypto companies, Tom Rid's essay on Russian disinformation results, and the US government's ICE department using commercial spyware from an Israeli vendor.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Ep11: Cyberwarfare takes an ominous turn

September 6th, 2024  |  1 hr 15 mins

china, cisa, doppelganger, gru, influence operations, north korea, russia, skills shortage, skripal, south korea, unit 29155, yara, zero-day

Three Buddy Problem - Episode 11: Russia's notorious GRU Unit 29155 (previously tied to assassinations, poisonings and coup attempts) now blamed for destructive cyberattacks for sabotage; FBI and DOJ take down 'Doppelganger' network spreading Russian propaganda; CISA's budget, staff, advisories and YARA rules; Influence Operations 2.0; prolific Chinese hackers and global bug-disclosure implications; North Korean hacking capabilities and 0day expertise.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Ep7: Crowd2K and the kernel, PKFail supply chain failures, Paris trains sabotage and Russian Olympic attacks

August 2nd, 2024  |  1 hr 10 mins

cyberwar, olympics, pkfail, russia

The 'Three Buddy Problem' Podcast Episode 7: In this episode, we try to close the book on the CrowdStrike Windows BSOD story, Microsoft VP David Weston’s technical documentation and issues around kernel access and OS resilience. We also discuss Binarly’s PKFail research, secure boot bypasses, Dan Geer and tech monoculture, software vendor liability issues and the need for inspectability in security mechanisms.

The conversation explores cyber angles to train service disruptions in Paris, the history of cyber operations targeting the Olympics, the lack of public acknowledgment and attribution of cyber operations by Western intelligence agencies, and the importance of transparency and case studies in understanding and discussing cyber operations.

Hosts: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh), Ryan Naraine (SecurityWeek)

Ep2: A deep-dive on disrupting and exposing nation-state malware ops

June 29th, 2024  |  1 hr 8 mins

apt, google, microsoft, nation-state, polyfill, russia, teamviewer

The 'Three Buddy Problem' Podcast Episode 2: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade go all-in on the discussion around Google Project Zero disrupting counter-terrorism malware operations. A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocricy and the tricky relationship between malware researchers are the intelligence community, and the lack of 'success stories' from so-called benevolent malware.

We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims and share thoughts on the Polyfill.io supply chain compromise.