Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• Thinkst Canary (how it works)
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Matthias Frielingsdorf on the mysterious Coruna iOS exploit kit discovery
• Matthias Frielingsdorf on Coruna (raw transcript)
• Coruna-related hashes on VirusTotal
• Kaspersky: No signs Coruna iPhone exploit kit made by US
• Azimuth unlocked the San Bernardino shooter’s iPhone for the FBI
• 2025 Zero-Days in Review (Google)
• FBI investigating ‘suspicious’ cyber activities on critical surveillance network
• Iranian Hacking Groups Go Dark Amid US, Israeli Military Strikes
• Interplay between Iranian Targeting of IP Cameras and Physical Warfare
• Israel says it knocked out Iran’s cyber warfare headquarters
• Amazon Bahrain facility targeted for U.S. military support
• Full transcript of Anthropic CEO Dario Amodei interview
• Codex Security (formerly Aardvark) now in research preview
• NEBULA:FOG 2026 | AI x Security Hackathon

Matthias Frielingsdorf (co-founder and VP of Research at iVerify) joins the show to discuss the mysterious US government connection to 'Coruna', an iOS exploit kit fitted with 23 exploits across five full chains targeting iPhones iOS 13 through 17.2.1.

We talk about a "gut feeling" connecting this to the L3 Trenchant/Peter Williams exploit sale scandal, how a nation-state-grade exploit kit ended up in the hands of a Chinese cybercrime group chasing crypto wallets, and what it means that criminal organizations are now deploying iPhone zero-days at scale.

Matthias walks through what iVerify can and can't do on Apple's locked-down platform, why he thinks Apple needs to give defenders more access, the Lockdown Mode debate, the thorny issue of sample sharing in the research community, and practical advice for everyday iPhone users facing a threat landscape that just got a lot more complicated.

Links:

• Raw Transcript
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Coruna: Inside the Nation-State-Grade iOS Exploit Kit (iVerify)
• Wired: A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
• Lockdown Mode or Nothing
• Zero-day reality check: iOS exploitation
• About Lockdown Mode (Apple)
• Charlie Miller on hacking iPhones, Macbooks
• TLPBLACK

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

Links:

• TLPBLACK
• Huntress 2025 Cyber Threat Report
• Microsoft: Think before you Click(Fix)
• Akira Ransomware
• CISA: Protecting Against Malicious Use of Remote Monitoring and Management Software
• Ep9: The blurring lines between nation-state APTs and the ransomware epidemic
• Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, Trenchant exec sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary
• Live updates: US and Israel strike Iran
• Episode 80: Hamid Kashfi on the situation in Iran
• ‘Incoherent’: Hegseth’s Anthropic ultimatum confounds AI policymakers
• Anthropic Claude AI Security Tool Wipes Out Over $15 Billion From Cybersecurity Stocks
• CrowdStrike CEO responds to stock price hit
• Designation of Zero-Day Exploits Broker for Theft of U.S. Trade Secrets
• Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
• Trenchant Exec Who Sold Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison
• AWS says AI-augmented threat actor accesses FortiGate devices at scale
• Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
• Anthropic Claud Code Security
• Anthropic: Detecting and preventing distillation attacks
• GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
• iPhone and iPad approved to handle classified NATO information
• Fortinet Achieves Certification for Secure Product Development
• Cisco SD-WAN threat hunting guide
• TLPBLACK
• NEBULA:FOG 2026 | AI x Security Hackathon
• RE//verse Conference

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• TLPBLACK
• GitLab exposes North Korean malware tradecraft
• Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets (Seongsu Park)
• Critical Vulnerabilities in Ivanti EPMM Exploited
• Dell RecoverPoint for Virtual Machines Zero-Day
• Dell Bulletin - RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability
• Critical Dell bug exploited for two years
• OpenAI intros Lockdown Mode and Elevated Risk labels in ChatGPT
• OpenAI is rebranding Aardvark
• Anthropic Claude Code Security
• Jason Lang: Real Human Concerns In The Age of AI
• JAGS' batteries-included Claude Code SDLC config
• RE//verse Conference
• NEBULA:FOG 2026 | AI x Security Hackathon

Three Buddy Problem - Episode 85: Top stories this week include drone incursions over El Paso and the murky line between cartel activity, anti-drone tech testing, and full-blown hybrid warfare; updates on the Notepad++ supply chain fallout; Microsoft’s zero-day treadmill and AI-enabled attack surfaces; and Apple’s “extremely sophisticated” iOS exploits.

Plus, Europe’s growing appetite for offensive cyber, Palo Alto and the uncomfortable politics of cyber attribution, Singapore on telco intrusions, and the economics of end-of-life infrastructure.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary - Customer Love
• What We Know About the El Paso Airspace Shutdown
• El Paso Closure Caused by Firing Anti-Drone Laser
• Notepad++ supply chain hack (new IOCs)
• Ukatemi: Notepad++ attack related samples
• Notepad's new Markdown powers served with a side of RCE
• Microsoft: Windows Notepad App RCE Vulnerability
• iOS 26.3 security advisory (exploited 0day)
• Estonian Foreign Intelligence Service annual report
• PSIRT | FortiGuard Labs High-Risk Advisory
• Germany prepares to attack cyber enemies
• Palo Alto chose not to tie China to hacking campaign for fear of retaliation
• The Shadow Campaigns: Uncovering Global Espionage (Palo Alto)
• Singapore .gov on nation-state telco hacks
• TLP-BLACK
• LABScon 2026

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft’s security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Thinkst Canary - Customer Love
• Transcript (unedited, AI-generated)
• Did a renowned hacker help Jeffrey Epstein get ‘dirt on other people'?
• DOJ releases details alleged talented hacker working for Jeffrey Epstein
• Claude Opus 4.6 \ Anthropic
• 0-Days \ red.anthropic.com
• JAGS' Claude Code SDLC config
• CERT-Ukraine on zero-day attacks via MS Office
• Executive security shuffle at Microsoft
• TLPBLACK: What we know about the Notepad++ supply chain attack
• Lotus Blossom APT targets critical infrastructure via Notepad++.
• Kaspersky: Notepad++ supply chain attack breakdown
• Validin: Exploring the C2 Infrastructure of the Notepad++ Compromise
• Hostinger server unauthorized access case: What happened with Notepad++ and how we resolved it
• Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
• Palo Alto Unit 42: The Shadow Campaigns - Uncovering Global Espionage
• FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled
• Court document: FBI Washington Post Lockdown Mode
• PIVOTcon
• TLP BLACK
• LABScon 2026
• Decipher podcast (Dennis Fisher)
• Detection Engineering newsletter (Zack Allen)

Three Buddy Problem - Episode 83: Poland's CERT documents a rare, explicit wiper attack on civilians in a NATO country, including detailed attribution of a Russian government op targeting the electric grid in the heart of winter. We examine why this crosses a long-avoided threshold, why attribution suddenly matters again, and what it says about pre-positioned access, vendor insecurity, and the shrinking gap between cyber operations and acts of war.

Plus, another Fortinet fiasco, a new batch of Ivanti zero-days under attack, an emergency patch from Microsoft and the return of the mysterious KasperSekrets account.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (Use Cases)
• ESET DynoWiper update: Technical analysis and attribution
• Poland CERT on Russian wiper attacks
• Poland blames two Ukrainians allegedly working for Russia for railway blast
• Britain’s New Spy Chief Has a New Mission
• Two New Ivanti 0days Exploited
• Microsoft ships emergency Office patch to thwart attacks
• Analysis of Single Sign-On Abuse on FortiOS
• Fortinet PSIRT: Administrative FortiCloud SSO authentication bypass
• Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
• WhatsApp Strict Account Settings
• China Executes 11 People Linked to Cyberscam Centers in Myanmar
• Singapore to start caning for scammers
• Germany on hacking attacks: "We will strike back, including abroad"
• Acting CISA chief uploaded sensitive files into a public version of ChatGPT
• TLP BLACK
• LABScon 2026
• KasperSekrets

Three Buddy Problem - Episode 82: We parse news that China-linked VoidLink is a malware framework created entirely by AI and the collapsing line between elite APT operations and everyday threat actors.

Plus, a new Sean Heelan essay on low-cost exploit generation and why “AI guardrails” are mostly a comforting myth; AI slop overwhelming bug bounty programs; CISA's new Brickstorm YARA rules; and fresh research on a wiper-malware found in Russian attacks against Poland's electricity sector.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security (use cases)
• Sean Heelan on the coming industrialisation of exploit generation with LLMs
• VoidLink Shows AI-Generated Malware Has Begun
• LLMs in the SOC: Why Benchmarks Fail Security Operations Teams
• CISA advisory on BRICKSTORM backdoor
• Node.js — New HackerOne Signal Requirement
• AI slop security reports submitted to cURL
• Arctic Wolf on FortiGate attacks via SSO accounts
• New Cisco Remote Code Execution Vulnerability
• From Protest to Peril: Cellebrite Used Against Jordanian Civil Society
• Microsoft on multi‑stage AiTM phishing and BEC campaign abusing SharePoint
• Microsoft Gave FBI BitLocker Encryption Keys
• The Mastermind: Drugs. Empire. Murder. Betrayal
• Kim Zetter: Cyberattack on Poland’s energy grid used a wiper
• ESET on 'DynoWiper' malware

Three Buddy Problem - Episode 81: We dissect New York Times reporting on the "precision" of US cyber operations in Venezuela, the competing narratives around offensive cyber capabilities and "letters of marque" for private hackers. Plus, a mysterious failed cyber attack on Poland's power grid, internet blackouts in Iran (with fascinating DNS telemetry revealing Chinese bank traffic and Russian website spikes), and news of China's ban on US/Israeli cybersecurity software.

We also cover Check Point's research on "VoidLink" (is it a successor to ShadowPad?), Microsoft's threat intelligence sharing practices, and Google Project Zero's disclosure of zero-click vulnerabilities caused by AI-powered transcription features.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities
• Massive cyberattack on Polish power system in December failed, minister says
• What happened in Poland? (Ruben Santamarta)
• Costin Raiu: What’s Happening in Iran?
• Verizon just had a big outage. Here’s what we know
• Beijing tells Chinese firms to stop using US and Israeli cyber products
• MS Patch Tuesday CVE-2026-20805 (exploited in the wild)
• VoidLink: The Cloud-Native Malware Framework
• Microsoft disrupts global cybercrime subscription service
• Project Zero: A 0-click exploit chain for the Pixel 9
• Joint statement from Google and Apple
• Sean Plankey re-nominated to lead CISA
• TLPBLACK
• DistrictCon Agenda
• Ekoparty Miami
• The Thinking Game (Full Documentary)

Three Buddy Problem - Episode 80: Researcher Hamid Kashfi returns to unpack Iran’s latest unrest, separating economic reality from propaganda while examining how information control, cyber pressure, and state surveillance are shaping events on the ground.

Plus, did cyber make the lights go out in Venezuela?

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsor: Material Security
• About Hamid Kashfi
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Venezuela strike marks a turning point for US cyber warfare
• KittenBusters | CharmingKitten
• Comprehensive Threat Intelligence Report: Charming Kitten
• Between Three Nerds: The evolution of Iranian cyber espionage
• Trump says U.S. will hit Iran "very hard" if violence continues at protests
• Venezuelan oil giant PVDSA hit by cyberattack
• CIA cyberattacks targeting the Maduro regime didn’t satisfy Trump in his first term
• Antiy Report on cyber operations in Venezuela
• Nationwide internet blackout reported in Iran

Three Buddy Problem - Episode 79: We cover MongoBleed (CVE‑2025‑14847), exposed MongoDB deployments, and the sad realization that zero-day attacks are a normal, everyday occurrence. Plus, AI’s expanding role and misuse across products and workflows, proximity attacks against Bluetooth audio devices, spyware sanctions de-listings, and ransomware economics.

In a special mailbag segment, we give our book recommendations and respond to common questions from the listeners.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Sponsored by Material Security
• MongoDB Server Security Update (Dec 2025)
• CVE Record: CVE-2025-14847
• Censys on MongoBleed
• European Space Agency hit by cyberattack
• Security pros plead guilty to ransomware
• US removes sanctions for three execs tied to spyware maker Intellexa
• Bluetooth Headphone Jacking: A Key to Your Phone
• Dan Geer Black Hat 2015 keynote
• Book Review: Infected - A Candid Look at VirusTotal’s Birth and Legacy
• Infected: From Side Project to Google: The Journey Behind VirusTotal
• The Human Factor (Inside the CIA's dysfunctional intelligence culture)
• A Killing Art: The Untold History of Tae Kwon Do
• Thou Shall Prosper: Ten Commandments for Making Money
• Cult of the Dead Cow (by Joseph Menn)
• The Nvidia Way: Jensen Huang and the Making of a Tech Giant
• From Third World to First: The Singapore Story
• Thinking in Systems (PDF)
• AI Superpowers: China, Silicon Valley, and the New World Order
• The Denial of Death: Ernest Becker
• Energy and Civilization: A History by Vaclav Smil
• DeepLearning.AI

Three Buddy Problem - Episode 78: We close out the year with a no-budget, no-permission awards show, spotlighting the cybersecurity stories that actually mattered.

Plus, a bizarre polygraph scandal at CISA, Chinese APT research dumps, ransomware pre-notification hiccups, foreign drone bans, and the growing gap between cyber theater and real operational value.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker Solutions
• Acting CISA director failed a polygraph
• LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
• Qianxin’s research on the CSDN watering hole attack
• ViciousTrap - Turning edge devices into honeypots en masse
• AyySSHush: Tradecraft of an emergent ASUS botnet
• Intellexa’s Global Corporate Web (Recorded Future)
• Frozen in transit: Secret Blizzard’s AiTM hits embassies in Russia
• GitHub - KittenBusters/CharmingKitten
• Bunnie Huang Black Hat keynote (YouTube)
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• DeepSeek Debates: Chinese Leadership On Cost, True Training Cost, Closed Model Margin Impacts
• Behind the Dismantling of Hezbollah
• Israel Secretly Recruited Iranian Dissidents to Attack Iran From Within
• Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
• Code Orange: Cloudflare resilience plan following recent incidents
• Apple SEAR: Memory Integrity Enforcement

Three Buddy Problem - Episode 77: New React2Shell data from Microsoft, fresh Apple and Cisco zero-days already in the wild, and state-linked campaigns from Russia and China that show a merging of espionage, crime, and infrastructure disruption.

Plus, the US government's push to enlist private firms in offensive hacking, letters of marque for cartels, new discovery of spyware used against journalists in Belarus, and Amazon catching North Koreans via keystroke latency.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• ThreatLocker Solutions
• Transcript (unedited, AI-generated)
• Trump Admin Turning to Private Firms in Cyber Offensive
• Microsoft on React2Shell
• React2Shell and OpenAI (shoutout Andrew MacPherson)
• Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw
• iOS 26.2 Security Patches
• Reporters Without Borders uncovers new spyware from Belarus
• Cisco Talos on Cisco 0day attacks
• Hack of Chinese state time center hints at U.S. advanced missile defense
• Amazon on Russian APT targeting Western critical infrastructure
• North Korean infiltrator caught in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location
• Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
• Russian defense firms targeted by hackers using AI
• TLPBLACK looks back at 2025
• Inside Google's basement in Malaga: ChatGPT of Cybersecurity
• GitHub - xdanx/open-klara: Open KLara Project
• Gepetto Web

Three Buddy Problem - Episode 76: On the show this week, Costin walks through how a single Romanian documentary kick-started nationwide protests, exposing how corruption can be perfectly legal when the law itself is gamed, and why this moment feels different, darker, and more consequential than past flare-ups.

Plus, news on the React-to-Shell exploitation wave overwhelming the internet, why patching is structurally hard, and how APTs and criminals are converging on the same fragile dependency chain. Along the way, they take aim at Microsoft’s shrinking transparency, the limits of vendor trust, and what it really means when defenders are told (again) to just patch and pray.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker : A security platform that prevents ransomware
• The Anatomy of a React2Shell Compromise (TLPBLACK)
• CVE-2025-55182 Analysis Report (GreyNoise)
• Exploitation of Critical Vulnerability in React Server Components
• PeerBlight Linux Backdoor Exploits React2Shell (Huntress)
• Patch Tuesday round-up (ZDI)
• How Two Hackers Went From Cisco Academy to Cisco CVEs
• Two Men Linked to China’s Salt Typhoon Hacker Group Likely Trained in a Cisco ‘Academy’
• OpenAI on dual-use AI risks
• Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
• DOJ Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
• Microsoft paying bounties for vulns in third-party code
• Cybersecurity 2026 Predictions (SentinelLABS)
• Dakota Cary is in the "anti-China Chorus"
• Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing
• Automated React2Shell vulnerability patching is now available - Vercel
• Computer Olympiad enters new era as IITPSA hands over to Thinkst Applied Research

Three Buddy Problem - Episode 75: We dig into a CVSS 10/10 unauthenticated RCE bug causing chaos across the internet and early signs that Chinese APTs are already launching exploits, the cascading patch chaos, and a long tail of malware intrusions to come.

Plus, commentary on Chrome’s telemetry collection, Microsoft and the "SFI success story," newest BRICKSTORM backdoor intrusions, the US national security strategy, Anthropic's AI popping smart-contract bugs, a secret FBI ransomware-hunting unit getting weird, and a pair of sad stories in the security community.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• ThreatLocker — Meet the cybersecurity platform that prevents ransomware
• An essay by Vess
• RIP Stealth
• Google Goodbye to the Chrome Cleanup Tool
• US National Security Strategy (PDF)
• Critical Security Vulnerability in React Server Components (CVE-2025-55182)
• Chinese threat groups rapidly exploit React2Shell vuln
• AWS MadPot
• BRICKSTORM Backdoor (PDF)
• WARP PANDA: A New Sophisticated China-Nexus Adversary
• Meet Group 78, the secret US task force that fights cybercriminals
• Recorded Future: Intellexa’s Global Corporate Web
• Intellexa’s Prolific Zero-Day Exploits Continue
• To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware
• Apple, Google send new round of threat notifications to users around world
• Calisto Targets Reporters Without Borders in Phishing Campaign
• Anthropic AI agents find $4.6M in blockchain smart contract exploits
• Lazarus hack largest South Korean crypto exchange
• EU countries reach breakthrough on chat-scanning law despite intense pushback
• The Denial of Death - by Ernest Becker

Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft’s CISO at CYBERWARCON and what it reveals about the company’s shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA’s mobile spyware guidance, NSO’s legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf.

We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Microsoft CISO LinkedIn comments
• Shai Hulud 2.0 Strikes Again
• Wiz: Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposed
• CISA guidance on mobile spyware on iOS, Android
• NSO Group argues WhatsApp injunction threatens existence
• Arctic Wolf: Russian APT targets U.S. Companies Supporting Ukraine
• FCC revokes telecom cybersecurity rules after Salt Typhoon hacks
• FCC Chairman statement on removing telco rules
• Amazon Is Using Specialized AI Agents for Deep Bug Hunting
• Anthropic CEO called to testify on AI cyber threats
• TLPBLACK
• Material Security (Book a demo)

Three Buddy Problem - Episode 73: The buddies react to Google’s release of Gemini 3 and its early performance, new Chrome interface changes landing on users’ machines, and major highlights from CYBERWARCON. We revisit the long-running debate over APT naming conventions, examine Amazon’s latest threat-intel reporting on Iranian activity, and walk through the Cloudflare outage that briefly knocked chunks of the internet offline.

Plus, new APT reports from ESET, Positive Technologies, and SecurityScorecard, and China's CN-CERT (now validated claim) that the U.S. government seized billions in Bitcoin tied to the Lubian mining-pool hack.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security -- Stop Attacks, Secure Data
• Transcript (unedited, AI-generated)
• Why Microsoft Needs to Split Windows in Two
• CYBERWARCON agenda
• Amazon: Nation-state actors bridging cyber and kinetic warfare
• Cyber Warfare Startup Nabs Contracts to Give US Military Hackers AI Tools
• Fortinet documents 0day attacks
• Fortinet CVE-2025-64446 Under Active Attack
• Google Chrome zero-day exploited
• Cloudflare statement on outage on November 18, 2025
• Cloudflare just got faster and more secure, powered by Rust
• Russian alleged cyber-hacker faces extradition to US after arrest in Thailand
• Russian detained over connection to Void Blizzard attacks
• Positive Technologies: Attacks of the Striking Panda
• PlushDaemon compromises network devices for adversary-in-the-middle attacks
• PlushDaemon compromises supply chain of Korean VPN service
• ASUS Routers Hijacked in Global 'WrtHug' Operation
• Arkham on Bitcoin Chen Zhi seized funds
• US DOJ $15 Billion Bitcoin Indictment
• TLPBLACK
• PIVOTcon 2026
• RE//verse Conference
• The Age of Disclosure (Prime Video)
• Amazon.com: Bullshit Jobs

Three Buddy Problem - Episode 72: We unpack Anthropic’s conflicting self-promotion around the “first AI-orchestrated cyberattack” using Claude Code and the future of automated APT attacks.

Plus, Chinese cyber vendor KnownSec falls victim to data breach, fresh accusations that the U.S. stole billions in Bitcoin, Amazon warning about Cisco/Citrix zero-days, Google’s new Private AI Compute and Microsoft kernel zero-day marked as "actively exploited."

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Material Security case studies
• TLPBLACK
• Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign
• Anthropic report on AI-orchestreated APT campaign ()DF)
• Data breach at Chinese infosec firm reveals weapons arsenal
• Twitter thread on KnownSec breach details
• China Accuses US of Orchestrating $13 Billion Bitcoin Hack
• CISA finds federal agencies missing critical (exploited) vulns
• Amazon discovers APT exploiting Cisco and Citrix zero-days
• Amazon launches private AI bug bounty program
• Amazon Nova
• Microsoft Warns of Exploited Windows Kernel Zero-Day
• Google intros Private AI Compute tech
• Google paper on Private AI Computer (PDF)
• OpenAI CISO on NYTimes request for ChatGPT conversations
• UK transport and cyber-security chiefs investigate Chinese-made buses
• Ruter pen-tests Chinese electric buses
• DistrictCon
• CYBERWARCON
• DefCamp 2025

Three Buddy Problem - Episode 71: The buddies travel to Canada for a live recording at the Countermeasure conference, discussing the Google v FFmpeg open-source patching brouhana, ransomware negotiators charged and linked to ransomware attacks, the looming TP-Link ban in the U.S., and the discovery of LANDFALL, an APT attack caught using a Samsung mobile zero-day.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Material Security — We protect your company’s most valuable materials — the emails, files, and accounts that live in your Google Workspace & Microsoft 365 cloud offices.
• Transcript (unedited, AI-generated)
• FFmpeg complains about Google BigSleep AI
• Google v FFmpeg brouhaha
• Curl's Daniel Stenberg on a new breed of AI analyzers
• unit42.paloaltonetworks.com
• iOS 26.1 security updates
• U.S. agencies back banning TP-Link home routers on security grounds
• TLP BLACK

Plus, L3 Harris/Trenchant exec pleads guilty to selling exploits to Russian brokers, Kaspersky catches the return of HackingTeam using Chrome zero-day exploit chain, and news of a proposed law in Russia to force researchers to report vulnerabilities first to goverment agencies.

Cast: Dave Aitel (Technical Staff, OpenAI), Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Episode 70 Livestream - YouTube
• Aardvark: OpenAI’s agentic security researcher
• TBP episode on OpenAI’s Aardvark
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• Ex-US cyber intel exec pleads guilty to selling spy tools to Russian broker
• Ex-L3Harris Cyber Boss Pleads Guilty to Selling Trade Secrets to Russian Firm
• Kim Zetter: Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being "Utilized" by Different Broker in South Korea
• How we linked ForumTroll APT to Dante spyware by Memento Labs
• CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware
• Russia's new vuln disclosure law proposal
• TBP Live in Ottawa
• Binding Hook Live
• State of Statecraft
• Ekoparty Miami

We also discuss calls for the US government to build a structured, lawful ecosystem for private-sector offensive operations to address existing chaos and market gaps.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Key IOCs for iPhone Spyware Cleaned With iOS 26 Update
• Exploitation of WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
• Hamid Kashfi on CVE-2025-59287
• Pwn2Own Ireland results
• Hacking Lab Boss Charged with Seeking to Sell Secrets in Russia
• Court doc (Peter Williams case)
• Cyber Insurer Sues Policyholder’s Cyber Pros
• NSA Accused of Stealing Secrets from China's National Time Centre
• China's CN-CERT on alleged NSA espionage operation
• DanderSpritz documentation
• Building the US market for offensive cyber
• Netherlands Limits Intelligence-Sharing With US Amid Politicization, Russia Fears
• Agenda - Binding Hook Live
• Agenda - State of Statecraft
• TBP Live at Countermeasures (Ottawa)

In this special episode, we present Juan Andres Guerrero-Saade's LABScon 2025 keynote-day presentation on the state of cybersecurity and why this phase of our collective project has failed, and how to build something smarter, more sustainable, and deeply interconnected in its place.

Juanito traces the field’s evolution from chaos to consolidation, weaving in cybernetics, standardization, and the dawning coexistence of human and artificial evaluative power. The result is part philosophical sermon, part rallying cry, an invitation to reject the industry’s slave morality, rethink our tools, and steer the next era of defense with intention.

Links:

• Transcript (unedited, AI-generated)
• JAGS keynote: The intricacies of wartime cyber threat intelligence - Security Conversations
• LABScon - Security Research in Real Time
• JAGS on LinkedIn
• JAGS on Twitter
• The Consolation of Threat Intel (JAGS LABScon 2024 keynote)

Plus, an update on Oracle’s zero-day ransomware fiasco, Ivanti’s endless patch delays, the ethics of journalists enabling ransomware operations on leak sites, Europe’s latest failed push for Chat Control, and VirusTotal’s new pricing tiers.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple's new exploit-chain bounties
• Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits
• Paragon Strikes Again: UniCredit CEO Among the Targets
• NSO to be acquired by U.S. investors
• Oracle confirms exploited 0day - CVE-2025-61882
• Oracle Security Officer comms
• Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks
• ZDI documents Ivanti 0days waiting for patches
• One-man spam campaign ravages EU ‘chat control’ bill
• VirusTotal new pricing tiers
• Tavis Ormandy Kaspersky 0day find

Plus, thoughts on how helping startups shape product strategy, what it takes to translate technical expertise into business impact, and how security culture has evolved since the early “hacker-to-enterprise” days. The conversation touches on defining your career beyond titles, how the perception of “cybersecurity” has changed over the years, and why the industry still has plenty of room for curiosity, reinvention, and good storytelling.

Links:

• Chris Eng on LinkedIn
• Chris Eng on Twitter
• Monoculture Considered Harmful
• Fired @stake CTO Says Microsoft Critique Was ‘Business as Usual’
• Microsoft Takes LSD to Test Vista Security
• Code Red (computer worm)

Plus, the TikTok–Oracle deal and the strange role Oracle now plays in U.S. national security; OpenAI’s Sora 2 launch and its implications for social media and human expression; Palo Alto’s “Phantom Taurus” APT report, a follow-up on Cisco’s ArcaneDoor disclosures, and the impact of the U.S. government shutdown on CISA.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Drone sightings prompt call for German police to gain shoot-down powers
• UK arrest following aerospace cyber incident
• Oracle Probes Hacks of Customers’ E-Business Suite After Extortion Campaign
• Oracle Critical Patch Update Advisory - July 2025
• Here is the email Clop attackers sent to Oracle customers
• Oracle statement from Chief Security Officer
• TikTok’s Algorithm to Be Secured by Oracle in Trump-Backed Deal
• Phantom Taurus: A New Chinese Nexus APT
• China Hackers Breached Foreign Ministers’ Emails
• Cisco Statement on Attacks Against Cisco Firewalls
• GreyNoise: 25,000 IPs Scanned Cisco ASA Devices in Early Sept
• KeyDrop.io

Plus, Cisco’s controversial handling of these disclosures, CISA's emergency deadlines for patching, the absence of IOCs and samples, and China’s long-term positioning. Plus, thoughts on the Secret Service SIM farm discovery in New York and evidence of Russians APTs Turla and Gamaredon collaborating to hit Ukraine targets.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
• Mandiant Brickstorm Scanner
• Cisco advisory: Continued Attacks Against Cisco Firewalls
• NCSC report on Cisco ASA bootkit in the wild
• U.S. government scrambles to stop new hacking campaign blamed on China
• US Secret Service Statement on SIM Farm Discovery
• NYTimes: Cache of Devices Capable of Crashing Cell Network Is Found Near U.N.
• Airport chaos: Ransomware hits airport check-in systems
• NCSC statement: Incident impacting Collins Aerospace
• Gamaredon X Turla collab

Cast: Aurora Johnson, Trevor Hilligoss, Ryan Naraine and Juan Andres Guerrero-Saade.

Links:

• Plunging China's internet toilets (LABScon)
• SpyCloud Labs

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Visi Stark.

Links:

• How the Infamous APT-1 Report Exposing China’s PLA Hackers Came to Be
• Mandiant APT1 Report
• A guide to U.S. allegations of China cyberspying
• The Vertex Project
• LABScon 2025
• Visi Stark on LinkedIn
• LABScon 2025: Plunging the Internet Toilets in China
• Aurora Johnson on Twitter
• Trevor Hilligoss

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Lindsay Freeman.

Links:

• LABScon Speaker 2025: Lindsay Freeman
• War Crimes for Fun and Profit (Lawfare)
• Mali: Army, Wagner Group Atrocities Against Civilians
• The Wagner Group’s Atrocities in Africa: Lies and Truth
• Massacres, Executions, and Falsified Graves: The Wagner Group’s Mounting Humanitarian Cost in Mali

Plus, Apple’s new Memory Integrity Enforcement in iPhone 17 and discussion on commercial spyware infections and the value of Apple notifications; concerns around Chinese hardware and surveillance equipment in US infrastructure; Silicon Valley profiting from China’s surveillance ecosystem; and controversy around a Huntress disclosure of an attacker’s operations after an EDR agent was mistakenly installed.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Salesforce advisory on Salesloft Drift hack
• Salesloft Drift Breach Tracker
• Mandiant Drift and Salesloft Application Investigations
• Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
• Large-Scale NPM Attack
• NPM attack failed, with almost no victims
• Chinese Hackers Pretended to Be a Top U.S. Lawmaker
• Czech cyber agency warns against using services and products that send data to China
• Apple Debuts Memory Integrity Enforcement (MIE)
• Huntress: An Attacker’s Blunder Gave Us a Look Into Their Operations
• LABScon 2025 Agenda

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• NSA, Allies Report on Salt Typhoon
• UK and allies expose China tech companies
• Joint Advisory on Salt Typhoon (IOCs)
• Dutch providers targeted by Salt Typhoon
• Silent Control: The Hidden Penetration of MystRodX
• Google previews cyber ‘disruption unit'
• Anthropic report on misuse of Claude AI
• WhatsApp 0day exploited (iOS attack chain)
• RationalEdge - Intelligence Meets Accuracy
• LABScon Speakers 2025

Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple bulletin: iOS 18.6.2
• Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS
• UK drops demand for backdoor into Apple encryption
• Tulsi Gabbard on UK dropping Apple backdoor mandate
• Microsoft Curbs Early Notifications for Chinese Firms on Security Flaws
• Kaspersky report on PipeMagic
• Microsoft: Dissecting PipeMagic Backdoor Framework
• Cisco Talos on Static Tundra
• FBI advisory on end-of-life network devices
• SIM-Swapper, Scattered Spider Hacker Gets 10 Years
• Qubic Claims Majority Control of Monero Hashrate, Raising 51% Attack Fears
• State of Statecraft Call for Papers
• LABScon 2025 Speaker Roster
• Offensive AI Con
• Three Buddy Problem: LIVE in Canada

We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Live from Black Hat: Brandon Dixon
• PSIRT | FortiGuard Labs
• SonicWall Firewalls – SSLVPN Recent Threat Activity
• Cisco CVSS 1.0 RCE
• Margin Research: Cyber Militias Redux
• Russia Is Suspected to Be Behind Breach of Federal Court Filing System
• Russian hackers seized control of Norwegian dam
• Poland foiled cyberattack on big city's water supply
• EU Parliament pressing for agreement on chat scanning bill
• LABScon 2025

Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform the cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development.

Cast: Brandon Dixon, Juan Andres Guerrero-Saade, and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Brandon Dixon | LinkedIn
• Google 'Big Sleep' AI Issue Tracker
• XBOW - The road to Top 1: How XBOW did it
• Does “XBOW AI Hacker” Deserve the Hype?
• XBOW - Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B
• NVIDIA: No Backdoors. No Kill Switches. No Spyware
• Nvidia reiterates its chips have no backdoors, urges US against location verification
• Google: Our Big Sleep agent makes a big leap
• Microsoft announces acquisition of RiskIQ
• RiskIQ attack surface management
• Brandon Dixon (SecurityConversations podcast)
• Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dakota Cary on LinkedIn
• China’s Covert Capabilities -- Silk Spun From Hafnium
• HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
• Microsoft Probing Whether Chinese Hackers Found Flaw Via MAPP
• Cybersecurity Law of the People’s Republic of China
• Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
• Fire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenter
• Singapore actively dealing with ongoing China cyberattack
• Iranians Targeted With Spyware in Lead-Up to War With Israel — all inside Iran and working either in the country’s technology sector or for the government.
• LABScon 2025
• Apple in China (book)

We also revisit the ProPublica bombshell about Microsoft's "digital escorts" and U.S. government data exposure to Chinese adversaries and the company's "oops, we will stop" response. Plus, trusting Google's Big Sleep AI claims and a cautionary tale about AI agents gone rogue that wiped out a production database.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Three Buddy Problem LIVE at Black Hat
• TBP at Countermeasures 2025
• CODE WHITE GmbH ToolShell exploit
• Microsoft guidance for SharePoint vulnerability CVE-2025-53770
• Kaspersky on ToolShell: A story of five Sharepoint vulns
• Ryan's EkoParty keynote on Microsoft culture
• Microsoft Disrupting active exploitation of on-prem SharePoint flaws
• SentinelLabs on Sharepoint zero-day in-the-wild
• ESET on ToolShell: An all-you-can-eat buffet for threat actors
• Microsoft Stops Using China-Based Engineers for DoD Computer Systems
• AI coding platform goes rogue during code freeze and deletes entire company database
• Jason Lemkin: Replit goes rogue
• John Hultquist on Big Dream AI
• LABScon 2025

Plus, ProPublica on Microsoft’s China‑based “digital escorts,” Google’s headline‑grabbing AI‑found SQLite zero‑day, and OpenAI’s new task‑running agents. Meanwhile, Ukraine’s hackers wiped a Russian drone maker, ransomware crippled a major vodka producer, and another Chrome zero‑day quietly underscored how routine critical exploits have become.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Europol targets NoName057(16) pro-Russian cybercrime network
• Europe's most wanted list
• UK sanctions Russian spies linked to Mariupol strikes
• Profile: GRU cyber and hybrid threat operations
• Lindsay Freeman: War Crimes for Fun and Profit
• Lindsay Freeman bio
• CISA: End-of-Train and Head-of-Train Remote Linking Protocol
• Background of train vulnerability (CVE-2025-1727)
• ProPublica on Microsoft “Digital Escorts”
• Google’s Big Sleep AI bug-finding claims
• EchoLeak (CVE-2025-32711)
• Russian vodka producer reports disruptions after ransomware attack
• Ukrainian Hackers Cripple IT Infrastructure of Russian Drone Manufacturer
• Another exploited Google Chrome zero-day
• Three Buddy Problem LIVE at Black Hat
• Ringzer0 COUNTERMEASURE

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US Gov: Prolific Chinese state-sponsored contract hacker arrested
• Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
• Microsoft Exchange Server Attack Timeline
• YouTube: Orange Tsai on ProxyLogon
• Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace
• The Growing Role of Cyber Militias in China’s Network Warfare Force Structure
• NCA arrest four for attacks on M&S, Co-op and Harrods
• Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Cyberattack deals blow to Russian firmware used to repurpose civilian drones for Ukraine war
• Batavia spyware targeting Russian organizations
• Chainalysis: First-ever crypto seizure in Greece
• Ringzer0 COUNTERMEASURE — Three Buddy Problem discount code for training: CM25-3BUDDY
• LABScon 2025

Plus, the FBI’s claim that China’s “Salt Typhoon” has been “contained,” Iran’s Nobitex crypto-exchange breach (Predatory Sparrow torches $90 million and leaks the source code), Iranian cyber capabilities and sanctions avoidance.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Houken: Seeking a path by living on the edge with zero-days
• China-nexus APTs recon on top-tier targets
• French cybersecurity agency confirms government affected by Ivanti hacks
• Top FBI cyber official: Salt Typhoon ‘largely contained’
• Operation Blockbuster (Novetta)
• Israel-Iran cyberwar: Predatory Sparrow, vanishing crypto, bank hacks
• Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran’s Crypto Infrastructure
• cisagov/thorium

Hamid shares on-the-ground context, the buddies debate whether cyber operations can sway a shooting war, and everyone tries to gauge Iran’s true offensive muscle under sanctions.

Cast: Hamid Kashfi, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Pro-Israel hackers take credit for cyberattack on Iran's Bank Sepah
• Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War
• Codebreakers and Predatory Sparrow
• Iranian Exchange Nobitex: The $90M Exploit
• Iranian newspaper: Defense system was hacked
• Iranian state TV shows footage of Israeli drone
• Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
• Israeli Officials Warn Iran Is Hijacking Security Cameras to Spy
• LABScon - Security Research in Real Time
• Three Buddy Problem LIVE
• Hamid Kashfi: The curious case of Predatory Sparrow
• Glasshouse episode with Hamid Kashfi

Plus, Stealth Falcon’s new WebDAV zero-day, SentinelOne’s brush with Chinese APTs, Citizen Lab’s forensic takedown of Paragon’s iPhone spyware, and the sneaky Meta/Yandex trick that links Android web browsing to app IDs.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Israel-Iran war breaks out
• 'The magnet of threats'
• Mossad set up drone swarm base in Iran
• Stealth Falcon's Exploit of Microsoft Zero Day
• CVE-2025-33053 - WebDAV remote code execution
• CISA, Microsoft warn of Windows zero-day
• China-nexus Threat actors target SentinelOne
• Chinese Espionage Crews Circle SentinelOne
• Citizen Lab: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
• Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
• Dreadnode Offensive AI Conference
• LABScon Call for Papers

Plus, news on Ukraine’s hack of bomber-maker Tupolev, the industry’s never-ending APT naming mess, iVerify’s newly disclosed iMessage zero-click bug, fresh Qualcomm GPU exploits still unpatched on Android devices, and Cellebrite’s purchase of Corellium.

Cast: Ryan Naraine, Costin Raiu and Mikko Hypponen

• Juan Andres Guerrero-Saade is out this week at Sleuthcon.

Links:

• Transcript (unedited, AI-generated)
• Mikko Hyppönen pivots from infosec to drones inspired by war
• Mikko Hypponen Leaves Anti-Malware Industry to Fight Against Drones
• Anti-drone system | Sensofusion
• Ukraine's military intelligence claims cyberattack on Russian strategic bomber maker
• How Microsoft names threat actors
• CrowdStrike and Microsoft Unite to Deconflict Cyber Threat Attribution
• Qualcomm GPU driver 0days (exploitation detected)
• Chrome 0day exploited in the wild
• iVerify documents 'Nickname' iMessage exploitation
• Cellebrite to acquire mobile testing firm Corellium
• Hacker Chris Wade reveals the story of his presidential pardon, US government collaboration

Plus, thoughts on an academic paper on the vanishing art of Western companies exposing Western (friendly) APT operations, debate whether stealth or self-censorship is to blame, and the long-tail effects on cyber paleontology.

We also dig into Sean Heelan’s proof that OpenAI’s new reasoning model can spot a Linux kernel 0-day and the implications for humans in the bug-hunting chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Dutch intelligence agency outs 'Laundry Bear' Russian APT
• Russian gov hackers buying passwords from cybercriminals
• Microsoft: Russian actor Void Blizzard targets critical sectors for espionage
• Censys data on AyySSHush ASUS router botnet
• Czech Republic statement on Chinese hack
• Czech gov condemns Chinese hack on critical infrastructure
• NATO floats cybersecurity included in new spending target
• Mark your Google Calendar: APT41 innovative tactics
• The rise of responsible behavior: Western commercial reports on Western cyber threat actors
• How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
• ASUS Botnet Tracker
• CISA: Logging Made Easy (LME)

The back half veers into Microsoft’s resurrected Windows Recall, Signal’s new screenshot-blocking countermeasure, Japan’s fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines.

Along the way you get hot takes on techno-feudalism, Johnny Ive’s rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Russian hackers hitting logistics companies supplying Ukraine
• CISA says Russian hackers targeting Ukraine war supply lines
• ViciousTrap: Turning edge devices into honeypots
• BadSuccessor: Abusing dMSA to escalate privileges in Active Directory
• Signal adds anti-screenshot to thwart Windows Recall
• Controversial Windows Recall gets security makeover
• Microsoft's International Criminal Court blockade
• Japan enacts active cyberdefense law
• UAE recruiting US personnel Displaced by DOGE

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Coinbase on $20m ransom demand
• SEC filing on Coinbase breach
• Coinbase Rogue Contractors Bribed to Leak Customer Data
• Ivanti 0day exploit chain (CVE-2025-4427 and CVE-2025-4428)
• Watchtowr blog on new Ivanti 0days
• CISA Known Exploited Vulnerabilities (KEV)
• 'Advanced Protection' comes to Android 16
• Europe launches it own vulnerability database

In the meantime, absorb this keynote presented by Juan Andres Guerrero-Saade (JAG-S) at CounterThreats 2023. It's a frank discussion on the role of cyber threat intelligence (CTI) during wartime and its importance in bridging information gaps between adversaries. Includes talk on the ethical challenges in CTI, questioning the impact of intelligence-sharing and how cyber operations affect real-world conflicts. He pointed to Ukraine and Israel as examples where CTI plays a critical, yet complicated, role. His message: cybersecurity pros need to be aware of the real-world consequences of their work and the ethical responsibility that comes with it.

Acknowledgment: Credit for the audio goes to CyberThreat 2023, SANS Institute, NCSC, and SentinelOne.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Keynote transcript
• The ethics and perils of APT research
• Recommended Talks
• The Lost APT Reports

Plus, fresh SentinelOne threat-intel notes, France’s attribution of GRU activity and a head-scratching $330 million Bitcoin heist.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• US government using obscure app to archive Signal messages
• Reuters photo of Mike Waltz phone
• US revokes Romania visa waiver program
• OpenSSH bug found by OpenAI 'Aardvark'
• JP Morgan Chase CISO: An open letter to third-party suppliers
• JPMorgan Chase CISO Fires Warning Shot Ahead of RSA Conference
• SentinelOne LABS on DPRK threat actor targeting
• Alexei Bulazel comments at RSA conference
• Google report on 0day exploitation in 2024
• Apple notifies new victims of spyware attacks across the world
• France attributes cyberattacks to Russia's military intelligence
• RT-Solar on ViPNet backdoor from 2021
• Kaspersky: Sophisticated backdoor mimicking secure networking software updates
• $330m Bitcoin heist

Plus, TP-Link under US government investigation and the broader issues of consumer trust in hardware security, the need for regulation and inspectability of technology, and the struggles with patching network devices.

Cast: Thomas Rid, Juan Andres Guerrero-Saade and Ryan Naraine. Costin Raiu is away this week.

Links:

• Transcript (unedited, AI-generated)
• Anthropic: Exploring AI model welfare, consciousness
• David Chalmers: Taking AI Welfare Seriously
• Sam Altman: AI privacy safeguards can’t be established before ‘problems emerge’
• TP-Link router pricing and China ties under US gov probe
• Bloomberg: TP-Link’s US Future Hinges on Claimed Split From China
• Verizon DBIR 2015 (full report)
• Mandiant M-Trends 2025 Report
• FBI seeking tips about China's 'Salt Typhoon' hackers
• North Korean Cryptocurrency Thieves Caught Hijacking Zoom ‘Remote Control’ Feature
• Dan Geer on the realpolitik of cybersecurity
• LABScon 2025 CFP is open
• Ransom War by Max Smeets

Plus, the effectiveness of Lockdown Mode, the rising costs of mobile exploits, Chris Krebs' exit from SentinelOne after a presidential executive order, and the value and effectiveness of security clearances.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• China names alleged NSA cyberattack agents
• WSJ: In Secret Meeting, China Acknowledged Role in U.S. Infrastructure Hacks
• Apple Quashes Two Zero-Days With iOS, MacOS Patches
• Apple bulletin - iOS 18.4.1 Security Vulnerabilities
• Android zero-days documented
• MITRE CVE Program Gets Last-Hour Funding Reprieve
• NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD
• EU issues US-bound staff with burner phones to avoid espionage
• Exploitation of CLFS zero-day leads to ransomware
• Google announces Sec-Gemini v1 cybersecurity model

We also discuss Microsoft touting AI's value in finding open-source bootloader bugs, Silent Push report on a RUssian APT impersonating the CIA, a backdoor in a popular Chinese robot dog, and Chinese dominance of the robotics market.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• National Security Agency chief ousted after far-right activist urged his removal
• Mandiant: China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability
• Ivanti security bulletin (CVE-2025-22457)
• Chinese APT exploits misdiagnosed RCE in Ivanti VPNs
• Another exploited 0day in Apple iOS
• Android version of Lockdown Mode coming
• Microsoft: Using AI to find open-source bootloader flaws
• Indiana University cybersecurity "safe" after FBI home searches
• Silent Push: Russians impersonate CIA to target Ukraine sympathizers
• Unitree Go1 robot dog backdoor documentation
• America is missing in the robotics race
• Automated AI Reverse Engineering with MCP for IDA and Ghidra
• Bunny Huang: Perspectives on trust in hardware supply chains

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• The Atlantic: The Trump admin accidentally texted me its war plans
• The Atlantic: Here are the attack plans shared on Signal
• Signal statement on SignalGate
• Our experts separate Signal from noise in the Trump team group chat
• Operation ForumTroll exploits zero-days in Google Chrome
• PuzzleMaker attacks with Chrome zero-day exploit chain
• Ten most mysterious APT campaigns that remain unattributed
• Operation FishMedley linked to i-SOON
• Chinese gov agency on mobile attacks by US intel agencies
• LabDookhtegan Telegram channel
• Tornado Cash sanctions removed
• Intrusion Truth
• Lab Dookhtegan archives on CyberScoop

Cast: Katie Moussouris, Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• China's MSS discloses Taiwan APTs
• Antiy report Taiwan's "Green Spot" attack group
• Citizen Lab on Paragon’s Proliferating Spyware Operations
• Operation Zero wants Telegram 1-click RCE exploits
• Operation Zero 0day Vulnerability Platform
• GitHub Action supply chain attack
• Blast radius of GitHub Action supply chain attack
• Windows .lnk shortcut exploit abused as zero-day
• Sean Plankey nominated to lead CISA
• Trump admin halts funding for two cybersecurity efforts
• CISA publishes Jen Easterley's calendars
• CISA statement on 'red-team' layoff reports

Plus, discussion on a Binarly technical paper with new approach to finding UEFI bootkits, Mandiant flagging custom backdoors on Juniper routers, and MEV 'sandwich attacks' front-running cryptocurrency transactions.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Microsoft Flags Six Active Zero-Days, Patches 57 Flaws
• Unpatched.ai discoveries
• Apple Ships iOS 18.3.2 to Fix Already-Exploited WebKit Flaw
• Apple iOS 18.3.2 and iPadOS 18.3.2 documentation
• Citizen Lab: Predator in the wires
• FreeType Zero-Day Being Exploited in the Wild
• CVE-2020-15999: FreeType Heap Buffer Overflow
• Mandiant : Ghost in the Juniper router
• Jun OS out-of-cycle security bulletin (CVE-2025-21590)
• Juniper Malware Removal Tool
• Binarly: UEFI Bootkit Hunting -- In-Depth Search for Unique Code Behavior
• Crypto Trader Loses $215,000 in MEV Sandwich Attack on Uniswap
• The Secretive World Of MEV, Where Bots Front-Run Crypto Investors For Big Profits
• Reuters journalist Raphael Satter loses overseas citizenship
• Yanis Varoufakis: Trump’s tariff chaos explained
• Technofeudalism: What Killed Capitalism (Yanis Varoufakis)

Plus, a dissection of ‘The Lamberts’ APT and connections to US intelligence agencies, attribution around ‘Operation Triangulation’ and the lack of recent visibility into these actors. We also discuss a fresh batch of VMware zero-days, China’s i-Soon ‘hackers-for-hire’ indictments, the Pangu/i-Soon connection, and a new wave of Apple threat-intel warnings about mercenary spyware infections.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Kim Zetter: Did Trump admin order a stand-down on Russia?
• Unraveling the Lamberts Toolkit (Securelist)
• VB2019: King of the hill: nation-state counterintelligence for victim deconfliction
• VB2018: Draw me like one of your French APTs
• Symantec: Who is Longhorn?
• VMware: Three new zero-days exploited
• Broadcom patches 3 VMware zero-days exploited in the wild
• DOJ indictments: i-Soon hackers for hire and APT27
• Unmasking I-Soon
• Catalan court orders former NSO Group execs be indicted for spyware abuses
• Apple sending 'mercenary spyware' threat notifications
• How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist
• Safe{Wallet] post-mortem on ByBit $1.4B crypto heist

We also cover the latest on the $1.4 billion ByBit hack pinned on the Lazarus Group and the malicious JavaScript supply chain attack at the center of the cryptocurrency heist. Plus, the ethical gray zones of tethered exploits via Cellebrite, the whiplash of AI-driven threat intel, and the looming pivot in U.S. cyber policy signaling a stand-down on Russia-focused ops.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• RE//verse Conference
• FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge
• FBI alert on $1.5b crypto heist
• CISA report on TraderTraitor
• Bybit launches bug bounty program
• Lazarus Bounty
• Cellebrite zero-day exploit used to target phone of Serbian student activist
• Trump administration retreats in fight against Russian cyber threats
• Hegseth orders Cyber Command to stand down on Russia planning

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• DistrictCon: Dissecting a QuaDream iOS zero-day
• Unpacking the UK government's secret iCloud backdoor demand
• U.K. orders Apple to let it spy on users’ encrypted accounts
• Apple Pulls Advanced Data Protection for New UK Users Amid Backdoor Demand
• Bybit Sees Over $4 Billion ‘Bank Run’ After Crypto’s Biggest Hack
• ByBit CEO explains crypto heist
• iVerify on Pegasus infections
• Is there a Pangu Team/i-SOON connection?
• Russian hackers actively targeting Signal Messenger
• How Russian APTs abuse Signal 'linked devices' for real-time spying
• Cisco Talos: In the midst of a Typhoon
• Satya Nadella: Reflections on a quantum computing breakthrough
• Taiwan wants to ban Fortinet, Zoom
• Pangu Team Bvp47 report

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Apple iOS 18.3.1 zero-day bulletin
• Apple Says iPhone USB Restricted Mode Exploited in ‘Extremely Sophisticated’ Attack
• Quarkslab: Analysis of USB Restricted Mode bypass (CVE-2025-24200)
• ZDI Patch Tuesday recap (exploited Windows 0days)
• The BadPilot campaign (Seashell Blizzard subgroup)
• Rapid7 on PostgreSQL zero-day linked to BeyondTrust 0days
• PostgreSQL 0day advisory (CVE-2025-1094)
• Google partial disclosure of high-risk flaw in AMD microcode
• AMD SEV Confidential Computing Vulnerability (CVE-2024-56161)
• Fortinet documents another exploited 0day
• Storm-2372 conducts device code phishing campaign
• CrowdStrike on malware naming schemes

From wormable exploits like Eternal Bue to the realities of AI-based spying, the episode offers a detailed look into how government oversight, private sector collaboration, and shifting market forces have reshaped the way we think about cybersecurity.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• UK orders Apple to let it spy on users’ iCloud data
• How to turn on Advanced Data Protection for iCloud
• Kim Zetter: US government disclosed 39 zero-days in 2023
• CISA alert on Trimble zero-day exploitation
• France VIGINUM report on foreign digital election interference

Beyond AI, we dig into some of the latest headlines; from a Chinese ‘backdoor’ in medical devices, problems with CISA’s backdoor bulletin, the risks of insecure IoT, phishing attacks on influencers, and ongoing battles over censorship in the VPN space. We also touch on WhatsApp catching spyware vendor Paragon Solutions and potential shifts in U.S. government policy on commercial mercenary hacking and surveillance companies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• DeepSeek Privacy Policy
• White House evaluates effect of China AI app DeepSeek on national security
• Why ‘Distillation’ Has Become the Scariest Word for AI Companies
• Microsoft Probing If DeepSeek-Linked Group Improperly Obtained OpenAI Data
• U.S. Navy bans use of DeepSeek AI
• Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information
• ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator
• ScatterBrain: Deobfuscation library for PoisionPlug.SHADOW's ScatterBrain obfuscator
• CISA, FDA Warn of Dangerous Backdoor in Contec Patient Monitors
• CISA advisory: Contec CMS8000 contains a backdoor
• Contec CMS 8000 product manual
• NordVPN NordWhisper
• WhatsApp: Spyware company Paragon targeted users in two dozen countries
• X Phishing Campaign Targeting High Profile Accounts, Promoting Crypto Scams
• LABScon24: Follow the Money -- CCP’s Ownership of Firms Investing in the USA (Elly Rostoum)
• Binarly Post-Quantum Readiness Technology

Plus, the challenges of coordinating disclosures, the tough realities of intelligence work, and the complex landscape of nation-state attacks -- especially around Chinese threat actors and Western defenses.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Dennis Fisher.

• Ryan Naraine in on work travel.

Links:

• Transcript (unedited, AI-generated)
• DHS Disbands Cyber Safety Review Board, Ending One of CISA’s Few Bright Spots
• CSRB report on Microsoft Exchange Online Intrusion
• Senator Ron Wyden on CSRB disbandment
• CISA CSRB: good riddance
• Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
• SonicWall confirms new 0day exploited in the wild
• The J-Magic Show: Magic Packets and Where to Find Them

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Court-Authorized Operation Removes PlugX Malware from Over 4,200 Infected U.S. Computers
• PlugX removal affidavit
• Sekoia -- PlugX worm disinfection campaign
• Jen Easterly: Building a secure by Design ecosystem
• Trump zeroes in on Sean Plankey to lead CISA
• Sean Plankey bio
• Biden cybersecurity executive order
• Biden executive order aims to shore up US cyber defenses
• Gravy Analytics accused of negligence over location data breach
• Tracking the mobile trackers (Costin Raiu) - YouTube
• Russia's largest platform for state procurement hit by cyberattack from pro-Ukraine group
• New Star Blizzard spear-phishing campaign targets WhatsApp accounts
• UK proposes ransomware payment ban
• Fortinet authentication bypass zero-day
• Fortinet: Deep dive into a Linux rootkit malware
• Bernardo Quintero's new book on VirusTotal (Spanish-language)

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Ivanti Connect Secure zero-day advisory
• Mandiant report on new Ivanti zero-day
• China Daily responds to Volt Typhoon attribution
• Japan warns about Chinese 'MirrorFace' attacks
• Who is MirrorFace?
• Natalie Silvanovich on new Samsung 0-click
• Kim Zetter: Anatomy of a Nuclear Scare
• Backdooring .gov backdoors via $20 domains
• APT32 poisoning GitHub, targeting Chinese security pros
• Ukraine wipes Russian ISP
• Russian internet provider confirms network ‘destroyed’ by Ukrainian hackers
• Mullvad: Quantum-resistant tunnels on desktop VPN
• Fundraiser for Marc Rogers
• CNN: Amit Yoran has died at 54

Plus, the US Treasury/BeyondTrust hack, the surge in 0day discoveries, a new variant of the Xdr33 CIA Hive malware, and exclusive new information on the Cyberhaven Chrome extension security incident.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• BeyondTrust statement on hack investigation
• U.S. Treasury says it was hacked by China-backed actors
• Another Palo Alto 0day exploited in the wild
• US telcos say they've evicted Salt Typhoon Chinese hackers
• Google: What is BeyondCorp?
• Introducing the MISP Threat Actor Naming Standard
• MISP: Recommendations on Naming Threat Actors
• New variant of the CIA HIVE attack kit
• Xdr33 Variant Of CIA's HIVE Attack Kit Emerges
• Savvy Seahorse connection to Cyberhaven incident
• US sanctions China's Integrity Technology over Flax Typhoon hacks
• Operation Aurora
• APT1 Exposing One of China’s Cyber Espionage Units

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• LITTLELAMB.WOOLTEA: Stealthy Network Edge Device Backdoor
• Palo Alto: Operation Lunar Peek
• Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
• “A Digital Prison”: Surveillance and the suppression of civil society in Serbia
• Cyberhaven breach reported. Employee phished and pushed malicious chrome extension
• GRU 29155 doing cyber operations
• How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar
• Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days
• Operation MiddleFloor: Unmasking the Disinformation Campaign Targeting Moldova's National Elections
• NSPX30: A sophisticated AitM-enabled implant evolving since 2005
• backdoor in upstream xz/liblzma leading to ssh server compromise
• PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
• The Tech Coup - How to Save Democracy from Silicon Valley

Plus, thoughts on the US government’s controversial guidance on VPNs, Chinese reports on US intel agency hacking, TP-Link sanctions chatter, Mossad's dramatic exploding beeper operation and the ethical, legal, and security implications of escalating cyber-deterrence. Also, a mysterious BeyondTrust 0-day!

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Surveillance and the suppression of civil society in Serbia
• CISA: VPN and mobile device security guidance
• Costin Raiu: Staying safe from Pegasus, Chrysaor and other APT mobile malware (2024 update)
• Bitsight: The Aftermath of the Kaspersky Ban
• US Probes China-Founded Router Maker TP-Link
• Rob Joyce: Move away from TP-Link
• China report on US intelligence corporate hacking
• Foreign hackers need to face real consequences
• Israel's Mossad spent years orchestrating Hezbollah pager plot
• BeyondTrust 0day
• Sophos Firewall CVSS 9.8 bulletin

Plus, news on Turla piggybacking on cybercriminal malware to hit Ukraine, the return of Careto and the absence of IOCs, Claroty report on an Iran-linked cyberweapon targeting critical infrastructure, ethical considerations in cyberwarfare, and the implications of quantum computing on security and cryptocurrencies.

Cast: Juan Andres Guerrero-Saade, Costin Raiu and Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Turla using tools of other groups to attack Ukraine (Microsoft)
• EpicTurla.com: The lost reports
• Microsoft Recall screenshots credit cards and SSNs
• Stephan Casas: macOS applications quietly capturing screenshots
• CVE-2024-49138 - MS 0day exploited in the wild
• Sanctions hit Chinese company behind Sophos 0day attack
• SentinelLabs: Operation Digital Eye
• Careto APT’s recent attacks discovered
• Claroty: Inside a New OT/IoT cyberweapon
• Predatory Sparrow: cyber sabotage with a conscience?
• Willow, Google's state-of-the-art quantum chip
• What sucks in security? Research findings from 50+ security leaders

Cast: Juan Andres Guerrero-Saade, Costin Raiuand Ryan Naraine.

Links:

• Transcript (unedited, AI-generated)
• Russian APT Turla Caught Stealing From Pakistani APT
• Snowblind: The Invisible Hand of Secret Blizzard
• Microsoft: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog
• EpicTurla.com
• Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware
• Lookout Security research paper on Monokle spyware
• Parubets: How a programmer foiled his own FSB recruitment
• CISA/FBI guidance to repel Salt Typhoon
• US officials say they still have not expelled Chinese telco hackers
• Solana backdoored in supply chain hack
• Romania's top court annuls first round of presidential vote won by far-right candidate

We also cover news on a Firefox zero-day exploited on the Tor browser, the professionalization of ransomware, ESET's discovery of a Linux bootkit (we have a scoop on the origins of this!), Binarly research on connections to LogoFAIL, and major visibility gaps in the firmware ecosystem.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Honorary buddy: Steven Adair (Volexity)

Links:

• Transcript (unedited, AI-generated)
• Steven Adair on LinkedIn
• The Nearest Neighbor Wi-Fi Attack
• Detecting Compromise of Palo Alto Networks GlobalProtect Devices
• Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days
• Volexity Warns of 'Active Exploitation' of Zimbra Zero-Day
• RomCom exploits Firefox and Windows zero days in the wild
• Bootkitty: Analyzing the first UEFI bootkit for Linux
• Binarly: LogoFAIL Exploited to Deploy Bootkitty
• T-Mobile statement on Salt Typhooon
• LABScon24 Replay -- Cristina Cifuentes

• Binarly (https://binarly.io)
• Binary Risk Hunt (https://risk.binarly.io)

In this reboot of the Security Conversations interview series, Foundation Capital partner Sid Trivedi weighs in on major changes to the RSA Innovation Sandbox, the mandatory $5M uncapped SAFE investment for all 10 finalists, and red-flag concerns around discounts and pro-rata rights.

Also discussed: controversial pay-for-play dynamics involving CISOs and venture capital firms, ethical implications of CISOs taking advisory positions in startups, and the challenges of investing in seed-stage startups amidst a trend towards platformization.

Links:

• RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment
• RSA Innovation Sandbox: $50 Million Annual Investment Program for Top 10 Finalists
• RSA Conference - How do SAFEs work?
• This VC Built A Cybersecurity Unicorn Machine. Then Came A Conflict Of Interest Mess.
• The Gili Ra’anan model: CISOs and VCs controversy
• Sid Trivedi bio
• Foundation Capital

We also cover two new Apple zero-days being exploited in the wild, the US Government’s demand that Google sell the Chrome browser, and the value of data in the context of AI.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript - (unedited, AI-generated)
• Russian APT WiFI Nearest Neighbor Attack
• Russian Spies Jumped From One Network to Another Via Wi-Fi
• Advisory: New exploited Apple zero-days
• NSA Director Wants Industry to Disclose Details of Telecom Hacks
• Microsoft's "Free" Plan to Upgrade Government Cybersecurity Was Designed to Box Out Competitors and Drive Profits
• Microsoft accuses Google of 'Shadow Campaigns'
• DOJ calls for breakup of Google and sale of Chrome
• DPRK IT Workers -- A Network of Active Front Companies and Their Links to China
• Be careful when coding with ChatGPT
• GSM-Symbolic: Understanding the Limitations of Mathematical Reasoning in Large Language Models
• PIVOTcon 2025

Plus, discussion on hina’s cyber capabilities, the narrative around “pre-positioning” for a Taiwan conflict, the blending of cyber and kinetic operations, and the long tail of Chinese researchers reporting Microsoft Windows vulnerabilities. The future of CISA is a recurring theme throughout this episode with some speculation about what happens to the agency under the Trump administration.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• CISA/Israel gov report on Iranian hacking operations
• Check Point: A deep-dive of Iran's WezRat malware
• Trend Micro report on Earth Estries
• FBI/CISA on China hacking US telcos
• US accuses China of vast cyberespionage against telecoms
• Volt Typhoon hackers hit SingTel in Singapore
• New Palo Alto firewall 0day attack
• CVE-2024-43450 - China reports Windows DNS Spoofing vuln

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• iPhones mysteriously rebooting themselves
• Apple quietly ships iPhone reboot code
• FBI on China hacking US presidential campaigns iPhones
• Chinese hackers Targeted Phones of Trump, Vance, Harris Campaigns
• Palo Alto: EDR Bypass Testing Reveals Threat Actor's Toolkit
• Palo Alto CVE-2024-5910 marked as exploited
• Toronto crypto company CEO kidnapped
• A list of known 'meatspace' crypto attacks
• North Korea crypto thieves targets macOS

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• Ivan Kwiatkowski: Threat intel truths inside
• JAG-S LABScon keynote
• Sophos Used Custom Implants to Surveil Chinese Hackers
• Sophos Pacific Rim report
• NCSC details ‘Pygmy Goat’ network backdoor
• NCSC 'Pygmy Goat' report
• Massive hack-for-hire scandal rocks Italian political elites – POLITICO
• Vatican, Israel implicated in Italy hacking scandal
• Wired on CIA hack of Venezuela military payroll system
• Is Now on VT!

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (AI-generated)
• White House TLP guidance
• Applin -- How an Indian startup hacked the world
• Burning Zero Days: FortiJump FortiManager Flaw
• Mandiant on FortiManager Zero-Day Exploitation
• Fortinet bulletin on new 0day exploitation
• Radiant Capital $50M cryptocurrency theft
• DPRK's Lazarus steals cryptocurrency with decoy MOBA game
• Apple opens Private Cloud Compute to security inspection
• Russians booted from Linux kernel driver maintenance
• Antiy paper responding to SentinelOne

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• ESET Israel wiper attacks
• ESET comment on Israel wiper incident
• Dakota Cary on China’s Volt Typhoon Influence Ops
• Volt Typhoon III (PDF)
• US Sanctions 12 Kaspersky Executives
• Kaspersky closing down its UK office
• MAPP vendor list
• VirusTotal
• Transcript (AI-generated)

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• NCSC exposé on SVR/APT29 history and tactics
• APT29 / Midnight Blizzard
• VIDEO: A Surprise Encounter With A Telco APT
• The Athens Affair - IEEE Spectrum — How some extremely smart hackers pulled off the most audacious cell-network break-in ever
• Wikipedia: The Athens Affair
• WSJ report on Salt Typhoon hacks
• In-the-wild zero-day counter
• Microsoft Confirms Exploited Zero-Day in Windows Management Console

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• VB abstract: The Mask has been unmasked again
• Discover IDA 9.0
• Binary Ninja
• Vertex Synapse
• YARA-X
• Microsoft on Star Blizzard disruption
• Tom Rid: The lies Russia tells itself
• North Korea caught targeting German missile manufacturer
• How North Korea infiltrated the crypto industry
• ICE signs $2M contract with spyware maker Paragon

(This episode is dedicated to the memory of Jeff Wade from Solis, who was an important part of the LABScon family.)

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• The Consolation of Threat Intel (JAG-S LABScon keynote)
• LABScon - Security Research in Real Time
• Windows Recall gets major security makeover
• David Weston on Windows Recall security reboot
• Critical Linux CUPS remote code execution
• How Israel Built Exploding Pagers — How Israel Built a Modern-Day Trojan Horse: Exploding Pagers
• Apple Suddenly Drops NSO Group Spyware Lawsuit
• CrowdStrike Overhauls Testing and Rollout Procedures
• Microsoft Redesigning EDR Vendor Access to Windows Kernel - SecurityWeek
• Kaspersky Sparks Outrage as UltraAV Takes Over Systems Without Consent
• Transcript (unedited, AI-generated)