Research Saturday

Muhammad Danish, University of New Mexico lead author and cybersecurity researcher, discussing his team's work on "Private Links, Public Leaks: Consequences of Frictionless User Experience on the Security and Privacy Posture of SMS-Delivered URLs". This paper examines how the push for frictionless user experiences has led many services to rely on SMS-delivered, single-click URLs—an inherently insecure channel that can be intercepted or leaked. Analyzing more than 322,000 unique URLs from 33 million messages, the researchers found widespread security failures, including exposed PII across 701 endpoints at 177 services due to weak, token-based authentication that treats possession of a link as sufficient authorization. The study also identified low-entropy tokens enabling mass URL enumeration and data overfetching issues, though disclosures prompted 18 services to fix flaws, improving privacy protections for at least 120 million users. The research can be found here: ⁠Private Links, Public Leaks: Consequences of Frictionless User Experience on the Security and Privacy Posture of SMS-Delivered URLs Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we have Andrew Northern, Principal Security Researcher at Censys, discussing "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects". This research explains how modern web malware campaigns use multi-stage JavaScript injections, redirects, and fake CAPTCHAs to selectively deliver payloads and evade detection. It shows that these attack chains rely on stable redirect and traffic-distribution chokepoints that can be monitored at scale. Using the SmartApe campaign as a case study, the report demonstrates how defenders can turn those chokepoints into high-confidence detection and tracking opportunities. The research can be found here: From Evasion to Evidence: Exploiting the Funneling Behavior of Injects Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Ben Folland, Security Operations Analyst from Huntress, discussing their work on "ClickFix Gets Creative: Malware Buried in Images." This analysis covers a ClickFix campaign that uses fake human verification checks and a realistic Windows Update screen to trick users into manually running malicious commands. The multi-stage attack chain leverages mshta.exe, PowerShell, and .NET loaders, ultimately delivering infostealers like LummaC2 and Rhadamanthys, with payloads hidden inside PNG images using steganography. While technically sophisticated, the campaign hinges on simple user interaction, underscoring the importance of user awareness and controls around command execution. The research can be found here: ClickFix Gets Creative: Malware Buried in Images Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." Built for long-term espionage, the campaign uses DLL sideloading, in-memory execution, and abused Windows services to stay stealthy and persistent. We walk through how the multi-stage framework delivers a powerful backdoor with reconnaissance, lateral movement, data theft, and keylogging capabilities—and what this operation reveals about the evolving tactics defenders need to watch for. The research can be found here: EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company Learn more about your ad choices. Visit megaphone.fm/adchoices

While our team is out on winter break, please enjoy this episode of Research Saturday. Today we are joined by ⁠⁠Selena Larson⁠⁠, co-host of ⁠⁠Only Malware in the Building⁠⁠ and Staff Threat Researcher and Lead Intelligence Analysis and Strategy at ⁠⁠Proofpoint⁠⁠, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon. These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks. The research can be found here: ⁠⁠⁠⁠Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing Learn more about your ad choices. Visit megaphone.fm/adchoices

While our team is out on winter break, please enjoy this episode of Research Saturday. This week, we are joined by ⁠Tom Hegel⁠, Principal Threat Researcher from ⁠SentinelLabs⁠ research team, to discuss their work on "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition." The latest Ghostwriter campaign, linked to Belarusian government espionage, is actively targeting Ukrainian military and government entities as well as Belarusian opposition activists using weaponized Excel documents. SentinelLabs identified new malware variants and tactics, including obfuscated VBA macros that deploy malware via DLL files, with payload delivery seemingly controlled based on a target’s location and system profile. The campaign, which began preparation in mid-2024 and became active by late 2024, appears to be an evolution of previous Ghostwriter operations, combining disinformation with cyberattacks to further political and military objectives. The research can be found here: ⁠Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition Learn more about your ad choices. Visit megaphone.fm/adchoices

Darren Meyer, Security Research Advocate at Checkmarx, is sharing their work on "Bypassing AI Agent Defenses with Lies-in-the-Loop." Checkmarx Zero researchers introduce “lies-in-the-loop,” a new attack technique that bypasses human‑in‑the‑loop AI safety controls by deceiving users into approving dangerous actions that appear benign. Using examples with AI code assistants like Claude Code, the research shows how prompt injection and manipulated context can trick both the agent and the human reviewer into enabling remote code execution. The findings highlight a growing risk as AI agents become more common in developer workflows, underscoring the limits of human oversight as a standalone security control. The research can be found here: ⁠Bypassing AI Agent Defenses With Lies-In-The-Loop Learn more about your ad choices. Visit megaphone.fm/adchoices

Daniel Schwalbe, DomainTools Head of Investigations and CISO, is sharing their work on "Inside the Great Firewall." This two-part research project analyzes an extraordinary 500–600GB leak that exposes the internal architecture, tooling, and human ecosystem behind China’s Great Firewall. Across both parts, you break down thousands of leaked documents, source code repositories, diagrams, packet captures, and telemetry that reveal how systems like the Traffic Secure Gateway, MAAT, Redis-based analytics, and modular DPI engines work together to censor, surveil, and fingerprint users at scale. Taken together, the research shows how the Great Firewall functions not just as a technical system, but as a living censorship-industrial complex that adapts, learns, and coordinates across government, telecoms, and security vendors. The research can be found here: Inside the Great Firewall Part 1: The Dump Inside the Great Firewall Part 2: Technical Infrastructure Learn more about your ad choices. Visit megaphone.fm/adchoices

Jaron Bradley, Director of Jamf Threat Labs, is sharing their work on "ChillyHell: A Deep Dive into a Modular macOS Backdoor." Jamf Threat Labs uncovers a newly notarized macOS backdoor called ChillyHell, tied to past UNC4487 activity and disguised as a legitimate applet. The malware showcases robust host profiling, multiple persistence mechanisms, timestomping, and flexible C2 communications over both DNS and HTTP. Its modular design includes reverse shells, payload delivery, self-updates, and a brute-force component targeting user credentials. The research can be found here: ⁠ChillyHell: A Deep Dive into a Modular macOS Backdoor Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Research Saturday. This week, we are joined by ⁠Michael Gorelik⁠, Chief Technology Officer from ⁠Morphisec⁠, discussing their work on "New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms." A new threat dubbed Noodlophile Stealer is exploiting the popularity of AI-powered content tools by posing as fake AI video generation platforms, luring users into uploading media in exchange for malware-laced downloads. Distributed through convincing Facebook groups and viral campaigns, the malware steals browser credentials, cryptocurrency wallets, and can deploy a remote access trojan like XWorm. The campaign uses a layered, obfuscated delivery chain disguised as legitimate video editing software, making it both deceptive and difficult to detect. The research can be found here: ⁠⁠⁠New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms Learn more about your ad choices. Visit megaphone.fm/adchoices

Alex Berninger, Senior Manager of Intelligence at Red Canary, and Mike Wylie, Director, Threat Hunting at Zscaler, join to discuss four phishing lures in campaigns dropping RMM tools. Red Canary and Zscaler uncovered phishing campaigns delivering legitimate remote monitoring and management (RMM) tools—like ITarian, PDQ, SimpleHelp, and Atera—to gain stealthy access to victim systems. Attackers used four main lures (fake browser updates, meeting invites, party invitations, and fake government forms) and often deployed multiple RMM tools in quick succession to establish persistent access and deliver additional malware. The report highlights detection opportunities, provides indicators of compromise, and stresses the importance of monitoring authorized RMM usage, scrutinizing trusted services like Cloudflare R2, and enforcing strict network and endpoint controls. The research can be found here: You’re invited: Four phishing lures in campaigns dropping RMM tools Learn more about your ad choices. Visit megaphone.fm/adchoices

Dr. Renée Burton, Vice President of Threat Intelligence from Infoblox, is sharing the team's work on "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." Infoblox returns with new threat actor research uncovering Vane Viper, a Cyprus-based holding company behind PropellerAds—one of the world’s largest advertising networks. The report reveals that Vane Viper isn’t just being exploited by criminals but operates as a criminal infrastructure itself, built to profit from fraud, malware, and disinformation through offshore entities and complex ownership structures. The findings highlight the growing convergence between adtech, cybercrime, and state-linked influence operations, suggesting that elements of the global digital advertising ecosystem are now functioning as infrastructure for large-scale cyber and disinformation campaigns. The research can be found here: Deniability by Design: DNS-Driven Insights intoa Malicious Ad Network Learn more about your ad choices. Visit megaphone.fm/adchoices

Tal Peleg, Senior Product Manager, and Coby Abrams, Cyber Security Researcher of Varonis, discussing their work and findings on Rusty Pearl - Remote Code Execution in Postgres Instances. The flaw could allow attackers to execute arbitrary commands on a database server’s operating system, leading to potential data theft, destruction, or lateral movement across networks. While the vulnerability existed in PostgreSQL, Amazon RDS and Aurora were not affected, thanks to built-in protections like SELinux and AWS’s automated threat detection. Still, the research underscores the importance of patching and configuration hygiene in managed database environments. The research can be found here: ⁠⁠⁠⁠Rusty Pearl: Remote Code Execution in Postgres Instances Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Dario Pasquini, Principal Researcher at RSAC, sharing the team's work on WhenAIOpsBecome “AI Oops”: Subverting LLM-driven IT Operations via Telemetry Manipulation. A first-of-its-kind security analysis showing that LLM-driven AIOps agents can be tricked by manipulated telemetry, turning automation itself into a new attack vector. The researchers introduce AIOpsDoom, an automated reconnaissance + fuzzing + LLM-driven telemetry-injection attack that performs “adversarial reward-hacking” to coerce agents into harmful remediations—even without prior knowledge of the target and even against some prompt-defense tools. They also present AIOpsShield, a telemetry-sanitization defense that reliably blocks these attacks without harming normal agent performance, underscoring the urgent need for security-aware AIOps design. The research can be found here: ⁠When AIOps Become “AI Oops”: Subverting LLM-driven IT Operations via Telemetry Manipulation Learn more about your ad choices. Visit megaphone.fm/adchoices

Noam Moshe, Claroty’s Vulnerability Research Team Lead, joins Dave to discuss Team 82's work on "Turning Camera Surveillance on its Axis." Team82 disclosed four vulnerabilities in Axis.Remoting—deserialization, a MiTM “pass-the-challenge” NTLMSSP flaw, and an unauthenticated fallback HTTP endpoint—that enable pre-auth remote code execution against Axis Device Manager and Axis Camera Station. They found more than 6,500 Axis.Remoting services exposed online (over half in the U.S.), letting attackers enumerate targets, install malicious Axis packages, and hijack, view, or shut down managed camera fleets.Axis published an urgent advisory, issued patches for ADM 5.32, Camera Station 5.58 and Camera Station Pro 6.9, accepted Team82’s disclosure, and organizations are urged to update. The research can be found here: Turning Camera Surveillance on its Axis Learn more about your ad choices. Visit megaphone.fm/adchoices

Eclypsium researchers Jesse Michael and Mickey Shkatov to share their work on "BadCam - Now Weaponizing Linux Webcams." Eclypsium researchers disclosed “BadCam,” a set of vulnerabilities in certain Lenovo USB webcams that run Linux and do not validate firmware signatures, allowing attackers to reflash the devices and turn them into BadUSB-style tools. An adversary who supplies a backdoored camera or who gains remote code execution on a host can weaponize the webcam to emulate human-interface devices, inject keystrokes, deliver payloads, and maintain persistence — even re-infecting systems after OS reinstalls. The findings were presented at DEF CON 2025, Lenovo issued updated firmware/tools in coordination with SigmaStar, and researchers warn the same vector could affect other Linux-based USB peripherals, underscoring the need for firmware signing and stronger device attestation. The research can be found here: BadCam: Now Weaponizing Linux Webcams Learn more about your ad choices. Visit megaphone.fm/adchoices

John Fokker, Head of Threat Intelligence at Trellix is discussing "Gang Wars: Breaking Trust Among Cyber Criminals." Trellix researchers reveal how the once-organized ransomware underworld is collapsing under its own paranoia. Once united through Ransomware-as-a-Service programs, gangs are now turning on each other — staging hacks, public feuds, and exit scams as trust evaporates. With affiliates jumping ship and rival crews sabotaging each other, the RaaS model is fracturing fast, signaling the beginning of the end for ransomware’s criminal empires. The research can be found here: ⁠⁠⁠⁠Gang Wars: Breaking Trust Among Cyber Criminals Learn more about your ad choices. Visit megaphone.fm/adchoices

Assaf Dahan, Director of Threat Research, Cortex XDR, at Palo Alto Networks, discussing Phantom Taurus, a new China APT uncovered by Unit 42. Unit 42 researchers have identified Phantom Taurus, a newly designated Chinese state-aligned APT conducting long-term espionage against government and telecommunications organizations across Africa, the Middle East, and Asia. Distinguished by its stealth, persistence, and rare tactics, the group has recently shifted from email-focused data theft to directly targeting databases and deploying a powerful new malware suite called NET-STAR, designed to compromise IIS web servers and evade detection. This suite, featuring modular, fileless backdoors and advanced evasion capabilities, marks a significant evolution in Phantom Taurus’ operations and underscores the group’s strategic intelligence-gathering objectives. The research can be found here: ⁠Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds." Bitdefender Labs has uncovered a newly identified Russian-aligned threat actor dubbed “Curly COMrades,” responsible for espionage campaigns against judicial, government, and energy organizations in Eastern Europe. The group focuses on long-term network access, credential theft, and stealthy persistence techniques — including a never-before-seen backdoor called MucorAgent that hijacks Windows CLSIDs and leverages NGEN for covert execution. By routing data through compromised websites and using tools like curl.exe and proxy relays, Curly COMrades blend malicious traffic with legitimate activity, complicating detection and signaling a highly organized, evolving operation. The research can be found here: Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Nati Tal, Head of Guardio Labs, discussing their work “CAPTCHAgeddon” or unmasking the viral evolution of the ClickFix browser-based threat. CAPTCHAgeddon — Shaked Chen’s deep dive into the ClickFix fake-captcha wave — reveals how a red-team trick morphed into a dominant, download-free browser threat that tricks users into pasting clipboard PowerShell/shell commands and leverages trusted infrastructure, including Google Scripts. Guardio’s DBSCAN-based payload clustering exposes distinct attacker toolkits and distribution paths — from malvertising and compromised WordPress to social posts and Git repos — and argues defenders need behavioral, intelligence-driven protections, not just signatures. The research can be found here: “CAPTCHAgeddon” Unmasking the Viral Evolution of the ClickFix Browser-Based Threat Learn more about your ad choices. Visit megaphone.fm/adchoices