Research Saturday

This week, we are joined by Jamie Levy, Director of Adversary Tactics at Huntress, who is discussing their work on "Active Exploitation of SonicWall VPNs." Huntress has released an urgent threat advisory on active exploitation of SonicWall VPNs, with attackers bypassing MFA, pivoting to domain controllers, and ultimately deploying Akira ransomware. The campaigns involve techniques such as disabling defenses, clearing logs, credential theft, and Bring Your Own Vulnerable Driver (BYOVD) attacks with legitimate Windows drivers. Organizations using SonicWall devices are strongly advised to disable SSL VPN access or restrict it via IP allow-listing, rotate credentials, and hunt for indicators of compromise as this remains an ongoing and evolving threat. Complete our annual ⁠⁠⁠⁠⁠audience survey⁠⁠⁠⁠⁠ before August 31. The research can be found here: Huntress Threat Advisory: Active Exploitation of SonicWall VPNs Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Dr. Renée Burton, VP of Infoblox Threat Intel, who is discussing their work on VexTrio, a notorious traffic distribution system (TDS) involved in digital fraud. The VexTrio investigation uncovers a massive global ad fraud and scam operation powered by just 250 virtual machines, tying it directly to named individuals and shell companies across Europe. The research exposes VexTrio’s full criminal supply chain—including fake apps, dating scams, affiliate networks, and payment processors—alongside a powerful CDN infrastructure ranked among the world’s top 10k domains. It also calls on the adtech industry to take accountability for enabling and sustaining such widespread abuse. Complete our annual ⁠⁠⁠⁠audience survey⁠⁠⁠⁠ before August 31. The research can be found here: ⁠VexTrio’s Origin Story : From Spam to Scam to Adtech Learn more about your ad choices. Visit megaphone.fm/adchoices

Bob Rudis, VP Data Science from GreyNoise, is sharing some insights into their work on "Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities." New research reveals a striking trend: in 80% of cases, spikes in malicious activity against enterprise edge technologies like VPNs and firewalls occurred weeks before related CVEs were disclosed. The report breaks down this “6-week critical window,” highlighting which vendors show the strongest early-warning patterns and offering tactical steps defenders can take when suspicious spikes emerge. These findings reveal how early attacker activity can be transformed into actionable intelligence, enabling defenders to anticipate and neutralize threats before vulnerabilities are publicly disclosed. Complete our annual ⁠⁠⁠audience survey⁠⁠⁠ before August 31. The research can be found here: Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities Learn more about your ad choices. Visit megaphone.fm/adchoices

Nicolás Chiaraviglio, Chief Scientist from Zimperium's zLabs, joins to discuss their work on "Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed." Zimperium’s zLabs team has been tracking an evolving banker trojan dubbed DoubleTrouble, which has grown more sophisticated in both its distribution and capabilities. Initially spread via phishing sites impersonating European banks, it now uses malicious APKs hosted in Discord channels, and boasts features like screen recording, keylogging, UI overlays, and app blocking—all while heavily abusing Android’s Accessibility Services. Despite advanced obfuscation and dynamic evasion techniques, Zimperium’s on-device detection tools have successfully identified both known and previously unseen variants, helping protect users from credential theft, financial fraud, and device compromise. Complete our annual ⁠⁠audience survey⁠⁠ before August 31. The research can be found here: ⁠Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Eric Woodruff, Chief Identity Architect at Semperis, discussing "nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications". Semperis researchers identified a critical authentication flaw known as nOAuth in 9 out of 104 tested SaaS applications integrated with Microsoft Entra ID. This low-complexity but severe vulnerability allows attackers with just a user’s email address and access to an Entra tenant to impersonate users, exfiltrate data, and move laterally within affected apps—with no viable defense or detection available to customers. The findings spotlight ongoing risks tied to improper use of email claims in authentication and emphasize the urgent need for SaaS vendors to adopt secure OpenID Connect practices and remediate vulnerable applications. Complete our annual ⁠audience survey⁠ before August 31. The research can be found here: nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are pleased to be joined by George Glass, Associate Managing Director of Kroll's Cyber Risk business, as he is discussing their research on Scattered Spider and their targeting of insurance companies. While Scattered Spider has recently turned its attention to the airline industry, George focuses on the broader trend of the group’s industry-by-industry approach and what that means for defenders across sectors. George and Dave discuss the group’s history, their self-identification as a cartel, and their increasingly aggressive tactics, including the use of fear-based social engineering, physical threats, and the recruitment of insiders at telecom providers. They also examine how organizations—especially those with vulnerabilities similar to past targets—can proactively defend against this threat and prepare an effective response if their industry becomes the next focus. Complete our annual ⁠audience survey⁠ before August 31. Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Selena Larson, Threat Researcher at Proofpoint, and co-host of Only Malware in the Building, as she discusses their work on "Amatera Stealer - Rebranded ACR Stealer With Improved Evasion, Sophistication." Proofpoint researchers have identified Amatera Stealer, a rebranded and actively developed malware-as-a-service (MaaS) variant of the former ACR Stealer, featuring advanced evasion techniques like NTSockets for stealthy C2 communication and WoW64 Syscalls to bypass user-mode defenses. Distributed via ClearFake web injects and the ClickFix technique, Amatera leverages multilayered PowerShell loaders, blockchain-based hosting, and creative social engineering to compromise victims. With enhanced capabilities to steal browser data, crypto wallets, and other sensitive files, Amatera poses a growing threat in the wake of disruptions to competing stealers like Lumma. Complete our annual audience survey before August 31. The research can be found here: Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Research Saturday. This week we are joined by ⁠Silas Cutler⁠, Principal Security Researcher at ⁠Censys⁠, asking the important question of "Will the Real Volt Typhoon Please Stand Up?" The FBI's disruption of the KV Botnet in December 2023, attributed to the Chinese threat group Volt Typhoon, targeted infected systems but did not affect the botnet's control infrastructure. Despite law enforcement efforts and technical exposure, the botnet's infrastructure has remained largely stable, with only changes in hosting providers, raising questions about whether another party operates the botnet. Censys scanning data from 2024 shows a shift in the botnet's control servers, indicating a response to disruption attempts, while the botnet's operators have shown limited efforts to obscure their infrastructure. The research can be found here: ⁠Will the Real Volt Typhoon Please Stand Up? Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Kyle Lefton, Security Researcher from Akamai, who is diving into their work on "Two Botnets, One Flaw - Mirai Spreads Through Wazuh Vulnerability." Akamai researchers have observed active exploitation of CVE-2025-24016, a critical RCE vulnerability in Wazuh, by two Mirai-based botnets. The campaigns highlight how quickly attackers are adapting proof-of-concept exploits to spread malware, underscoring the urgency of patching vulnerable systems. One botnet appears to target Italian-speaking users, suggesting regionally tailored operations. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. You can find our survey here. The research can be found here: ⁠Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability Learn more about your ad choices. Visit megaphone.fm/adchoices

Dustin Childs, Head of Threat Awareness at Trend Micro Zero Day Initiative, joins to discuss their work on "ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains." The research explores two critical vulnerabilities (ZDI-23-1527 and ZDI-23-1528) that could have enabled attackers to hijack the Microsoft PC Manager supply chain via overly permissive SAS tokens in WinGet and official Microsoft domains. While the issues have since been resolved, the findings highlight how misconfigured cloud storage access can put trusted software distribution at risk. The post also includes detection strategies to help defenders identify and mitigate similar threats. The research can be found here: ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, Dave is joined by ⁠Ziv Karliner⁠, ⁠Pillar Security⁠’s Co-Founder and CTO, sharing details on their work on "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents." Vibe Coding - where developers use AI assistants like GitHub Copilot and Cursor to generate code almost instantly - has become central to how enterprises build software today. But while it’s turbo-charging development, it’s also introducing new and largely unseen cyber threats. The team at Pillar Security identified a novel attack vector, the ⁠"Rules File Backdoor"⁠, which allows attackers to manipulate these platforms into generating malicious code. It represents a new class of supply chain attacks that weaponizes AI itself, where the malicious code suggestions blend seamlessly with legitimate ones, bypassing human review and security tools.  The research can be found here: ⁠New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Michael Gorelik, Chief Technology Officer from Morphisec, discussing their work on "New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms." A new threat dubbed Noodlophile Stealer is exploiting the popularity of AI-powered content tools by posing as fake AI video generation platforms, luring users into uploading media in exchange for malware-laced downloads. Distributed through convincing Facebook groups and viral campaigns, the malware steals browser credentials, cryptocurrency wallets, and can deploy a remote access trojan like XWorm. The campaign uses a layered, obfuscated delivery chain disguised as legitimate video editing software, making it both deceptive and difficult to detect. The research can be found here: ⁠⁠New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by John Hammond, Principal Security Researcher at Huntress, who is sharing his PoC and research on "CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild." A critical 9.0 severity vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox is being actively exploited in the wild, allowing remote code execution via hardcoded cryptographic keys in default configuration files. Huntress researchers observed compromises at multiple organizations and confirmed hundreds of vulnerable internet-exposed servers, urging immediate patching or manual machineKey updates. Mitigation guidance, detection, and remediation scripts have been released to help users identify and secure affected installations. The research can be found here: ⁠CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Deepen Desai, Zscaler's Chief Security Officer and EVP of Cyber and AI Engineering, taking a dive deep into Mustang Panda’s latest campaign. Zscaler ThreatLabz uncovered new tools used by Mustang Panda, including the backdoors TONEINS, TONESHELL, PUBLOAD, and the proxy tool StarLoader, all delivered via phishing. They also discovered two custom keyloggers, PAKLOG and CorKLOG, and an EDR evasion tool, SplatCloak, highlighting the group's focus on surveillance, persistence, and stealth in cyberespionage operations.4o. The research can be found here: Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, Dave speaks with Max Gannon of Cofense Intelligence to dive into his team's research on "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." Threat actors continuously develop new tactics, techniques, and procedures (TTPs) to bypass existing defenses. When defenders identify these methods and implement countermeasures, attackers adapt or create more sophisticated approaches. This research explores how cybercriminals are leveling up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt. The research can be found here: The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders⁠⁠⁠⁠⁠ Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Lucija Valentić, Software Threat Researcher from ReversingLabs, who is discussing "Atomic and Exodus crypto wallets targeted in malicious npm campaign." Threat actors have launched a malicious npm campaign targeting Atomic and Exodus crypto wallets by distributing a fake package called "pdf-to-office," which secretly patches locally installed wallet software to redirect crypto transfers to attacker-controlled addresses. ReversingLabs researchers discovered that this package used obfuscated JavaScript to trojanize specific files in targeted wallet versions, enabling persistence even after the malicious package was removed. This incident highlights the growing threat of software supply chain attacks in the cryptocurrency space and underscores the need for vigilant monitoring of both open-source repositories and local applications. The research can be found here: ⁠⁠Atomic and Exodus crypto wallets targeted in malicious npm campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by ⁠Shaked Reiner⁠, Security Principal Security Researcher at ⁠CyberArk⁠, who is discussing their research on"Agents Under Attack: Threat Modeling Agentic AI." Agentic AI empowers LLMs to take autonomous actions, like browsing the web or executing code, making them more useful—but also more dangerous. Threats like prompt injections and stolen API keys can turn agents into attack vectors. Shaked Reiner explains how treating agent outputs like untrusted code and applying traditional security principles can help keep them in check. The research can be found here: ⁠Agents Under Attack: Threat Modeling Agentic AI Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Crystal Morin, Cybersecurity Strategist from Sysdig, as she is sharing their work on "UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell." UNC5174, a Chinese state-sponsored threat actor, has resurfaced with a stealthy cyber campaign using a new arsenal of customized and open-source tools, including a variant of their SNOWLIGHT malware and the VShell RAT. Sysdig researchers discovered that the group targets Linux systems through malicious bash scripts, domain squatting, and in-memory payloads, indicating a high level of sophistication and espionage intent. Their evolving tactics, such as using spoofed domains and fileless malware, continue to blur attribution and pose a significant threat to research institutions, critical infrastructure, and NGOs across the West and Asia-Pacific regions. The research can be found here: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Nick Cerne, Security Consultant from Bishop Fox, to discuss "Rust for Malware Development." In pursuit of simulating real adversarial tactics, this blog explores the use of Rust for malware development, contrasting it with C in terms of binary complexity, detection evasion, and reverse engineering challenges. The author demonstrates how Rust's inherent anti-analysis traits and memory safety features can create more evasive malware tooling, including a simple dropper that injects shellcode using lesser-known Windows APIs. Through hands-on comparisons and decompiled output analysis, the post highlights Rust’s growing appeal in offensive security while noting key OPSEC considerations and tooling limitations. The research can be found here: Rust for Malware Development Learn more about your ad choices. Visit megaphone.fm/adchoices

Zach Edwards from Silent Push is discussing their work on "New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks." Silent Push analysts uncovered significant infrastructure used by the Lazarus APT Group, linking them to the $1.4 billion Bybit crypto heist through the domain bybit-assessment[.]com registered just hours before the attack. The investigation revealed a pattern of test entries, VPN usage, and fake job interview scams targeting crypto users, with malware deployment tied to North Korean threat actor groups like TraderTraitor and Contagious Interview. The team also identified numerous companies being impersonated in these scams, including major crypto platforms like Coinbase, Binance, and Kraken, to alert potential victims. The research can be found here: Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks Learn more about your ad choices. Visit megaphone.fm/adchoices