Episodes

  • This week on Dragon News Bytes, Eli Woodward, Stephen Campbell, and newly minted Head of Product Will Baxter dive into the rapidly shifting operational landscape. From extortion groups leveraging vishing to bypass corporate perimeters from the inside out, to the industrialization of localized phishing via LLMs, the team breaks down the TTPs you need to hunt for right now. Plus, a hard look at the reality of automated vulnerability hunting and a preview of Team Cymru’s packed summer infrastructure defense tour.

    Topics Covered:

    The Call is Coming from Inside the House (Group Pink): Analysis of Unit 42’s latest tracking of CLCRI 1147 (Pink). The team details how this group utilizes vishing as a front door, jumps into SharePoint and OneDrive for data exfiltration, and leverages compromised internal accounts to extort victims via Microsoft Teams.

    The Residential Proxy Identity Crisis: A deep dive into the explosion of residential proxy networks—including consumer TV "super boxes" and compromised home media servers. Will Baxter breaks down why the industry must shift from viewing IP addresses as static endpoints to applying zero-trust identity principles at the network layer.

    TA4922’s Linguistic Expansion: Reviewing Proofpoint’s data on a Chinese-speaking cybercrime group expanding targeting into Europe and South Africa. The catalyst? Using LLMs to seamlessly localize payroll and tax lures, erasing historical cultural barriers to entry.

    Agentic SecOps — From Explanation to Action: A critical discussion on Anthropic’s expanded Mythos access via Project Glasswing and Google’s Big Sleep/CodeMender frameworks. The team challenges listeners on the shifting role of the human analyst: when AI handles discovery and patching, where does human accountability sit?

    Events & Community:

    RISEx DC: June 11 in Washington DC, US

    RISEx New York: June 16 in New York City, US

    Underground Economy: September 7th-9th in Strasbourg, France

    🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Stephen Campbell break down a chaotic week of critical breaches, the accelerating weaponization of AI by both defenders and adversaries, and long-term state-sponsored espionage. From the massive educational data breach impacting Instructure to a Mexican water utility targeted via AI-generated frameworks, the team explores how the threat landscape is evolving at scale.

    Topics & References

    Part 1: The Canvas/Instructure Breach & Shiny Hunters

    Massive Educational Impact: Around May 1st, Instructure notified potential victims of a breach impacting nearly 9,000 institutions.

    The Scope: Shiny Hunters claimed responsibility for accessing over 275 million records, including names, emails, and student IDs.

    Widespread Reach: The platform serves 41% of US higher education institutions, alongside K-12 schools and government agencies.

    Infrastructure Analysis: The team discusses Push Security's research into Shiny Hunters' phishing panels and how Team Cymru is utilizing NetFlow to uncover additional targets.

    Part 2: The Double-Edged Sword of AI

    Defensive "Vibe Coding": Eli Woodward shares how analysts are using tools like Claude, Gemini, and Team Cymru's new MCP servers to automate complex CTI workflows and rapidly query telemetry.

    Trust But Verify: The hosts emphasize that while AI acts as a powerful analyst assistant, LLMs still require human oversight to prevent hallucinations.

    Part 3: Adversary AI in Critical Infrastructure

    Dragos OT Report: An adversary with no prior IoT experience successfully targeted a Mexican government water utility's IT environment.

    Automated Frameworks: The attacker utilized commercial LLMs (Claude and ChatGPT) to generate custom Python frameworks for reconnaissance and lateral movement into OT-adjacent systems.

    The Outcome: While no OT disruption occurred, vast amounts of sensitive government data were stolen, showcasing the low barrier to entry AI provides for complex intrusions.

    Part 4: APT-29's "Easter Bunny" Espionage

    Labs 52 Report: An analysis of a sophisticated, secretive implant dubbed "Easter Bunny," attributed to APT-29 (Cozy Bear/SVR).

    Long-Term Stealth: The malware ties back to a 2019 incident, demonstrating the SVR's dedication to long-term, stealthy persistence against diplomatic and government entities.

    Events & Community:

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx Chicago: June 3rd in Chicago, IL

    🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    RISEx DC: June 11 in Washington DC, US

    Underground Economy: September 7th-9th in Strasbourg, France

    🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.


  • This week on Dragon News Bytes, Eli Woodward and Will Baxter welcome Stephen Campbell, Team Cymru's new Senior Threat Intel Advisor, to the show. The team breaks down an intense week of AI-assisted supply chain compromises, the expanding blast radius of Iranian cyber operations, and the operational security (OPSEC) failures of rival ransomware gangs. Plus, the hosts issue a strong call to action for the CTI industry: stop burning valuable intelligence methods just for blog clicks.

    Topics & References

    Part 1: The Pace of Business and AI-Assisted Discovery

    SAP Package Compromise: Team PCP is actively targeting the software supply chain, highlighted by a recent compromise within the SAP cloud ecosystem.

    AI as a Discovery Engine: Threat actors are continuously deploying agents to hunt for low-hanging fruit, such as unhardened software package libraries.

    The Linux "Copy Fail" (CVE-2026-31431): An AI-focused research company discovered a new local privilege escalation vulnerability in Linux.

    The Business Reality: The rapid pace of shipping products and integrating AI models creates vulnerabilities at scale.

    Part 2: The Expanding Target Space

    Iranian Cyber-Kinetic Threats: Due to resource constraints, Iranian threat actors are deploying a "spray and pray" methodology targeting any Western-aligned organization.

    Sector Impact: The risk has heavily expanded beyond the defense sector into financial and healthcare organizations, as seen with the Handala group targeting healthcare in Minnesota.

    Terrorism as a Service: An alleged Iranian-linked Telegram contact offered an undercover journalist cryptocurrency to carry out street-level vandalism in London.

    Part 3: Ransomware Drama and Industry OPSEC

    Zero APT vs. CryBit: The ransomware group Zero APT faced a massive data leak in retaliation from a rival group known as CryBit.

    Creating a "Flail-X": Defenders can leverage these threat actor OPSEC mistakes and internal disputes to impose higher operational costs and friction on adversaries.

    Stop Burning Intelligence: The hosts criticized the CTI industry trend of publishing sensitive adversarial infrastructure and methods publicly for blog traffic, urging professionals to use trusted channels like ISACs instead.

    Events & Community

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx Chicago: June 3rd in Chicago, IL

    🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    RISEx DC: June 11 in Washington DC, US

    Underground Economy: September 7th-9th in Strasbourg, France

    🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward, Will Baxter, and Will Thomas return from RISE Dublin to cut through the AI hype and discuss the realities of automated threat hunting. From the zero-day discovery capabilities of the Claude "Mythos" model to China’s emerging equivalent, the team explores how AI is acting as a massive force multiplier for adversaries.

    We also break down a critical CI/CD pipeline poisoning incident impacting developers, and discuss why the traditional CTI analyst role is rapidly evolving into a CTI engineering function.

    Topics & References

    Part 1: The AI Zero-Day Engine (Mythos) vs. The Basics

    Automated Exploitation: AI models like "Mythos" aren't changing the MITRE ATT&CK framework; they are simply a faster engine for finding zero-days and running automated penetration testing.

    The Defense Reality: The rise of AI-driven zero-days means defense must double down on the basics. The critical questions remain: How good is your asset inventory? Are you detecting scans? Can you spot weird outbound VPN traffic?

    Part 2: China’s Cyber Superpower Status & The Tianfu Cup

    A Peer Adversary: Dutch intelligence recently stated publicly that China’s cyber power is now on par with the US. China is developing its own "stable model" equivalent to Mythos.

    Industrialized Intelligence: By feeding data from domestic zero-day competitions like the Tianfu Cup into large language models, China is positioning itself to industrialize vulnerability discovery.

    Part 3: CI/CD Poisoning & The Developer Target

    Bitwarden & Checkmarx Compromise: A significant supply chain incident occurred when a threat actor, "Team PCP", poisoned a CI/CD pipeline.

    The "Naive Coder" Risk: Attackers are moving away from average users and targeting the admins and developers who hold "the keys to the kingdom," maximizing the downstream blast radius.

    Part 4: Blue Team Engineering & Guardrails

    The Rise of the CTI Engineer: The industry is pivoting from analysts to CTI engineers. To effectively leverage AI, teams must build and maintain automated pipelines using tools like GitHub Actions.

    Product Requirements Documents (PRDs): Defenders must institute strong PRDs and guardrails before spending a single token on new AI apps to ensure sustainable, secure infrastructure.

    Events & Community:

    RISEx Sydney: May 6 in Sydney, Australia

    🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx Chicago: June 3rd in Chicago, IL

    🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    RISEx DC: June 11 in Washington DC, US

    Underground Economy: September 7th-9th in Strasbourg, France

    🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Ben Archie cut through the noise of inflated hacktivist claims and break down the relentless evolution of state-sponsored operations. From a critical look at the Wall Street panic surrounding Anthropic's new AI model to the latest social engineering playbooks utilized by North Korean threat actors, the team explores how adversaries are adapting and how defenders can use data to maintain the high ground.

    Topics & References

    Part 1: The Data Advantage & The Mythos Panic

    The Data Ocean Problem: Identifying crucial insights within massive datasets is a historic problem, noted even in CIA memos from the 1980s. Today, practitioners are using Python and API enrichment to prioritize threats and bring large volumes of data down into usable pieces of information.

    The Mythos Model Panic: Anthropic recently released a new model called Mythos, causing misplaced panic on Wall Street over the future of cybersecurity.

    Project Glasswing: The primary concern is that this model will enable the rapid identification and exploitation of unknown vulnerabilities in mass. Project Glasswing aims to give certain vendors and researchers a head start on defending against this before it becomes publicly and commercially available.

    Part 2: Geopolitics & Exaggerated Claims

    Iranian Hacktivist Bounties: The Department of State's Rewards for Justice program placed a five million dollar bounty on information leading to the identification or arrest of individuals associated with Iranian groups Handala and Parjyan Afsar Reha Borna.

    Exaggerated UAE Breaches: Handala claimed to breach three major UAE organizations: the Dubai courts, the Dubai Land Department, and the Dubai Roads and Transport Authority. In reality, these claims are often highly exaggerated, typically resulting from the compromise of a shared file server rather than the core infrastructure of the targeted organizations.

    Zion Siphon on VirusTotal: Darktrace reported a new malware dubbed "Zion Siphon" targeting Israeli water treatment and desalination plants. In a massive operational security failure, the actors uploaded the highly targeted script directly to VirusTotal.

    Part 3: DPRK IT Workers & Fake Recruiters

    Stolen Identities & Evolving OPSEC: U.S. nationals were recently sentenced for helping North Korean IT workers pose as U.S.-based employees to steal identities and secure jobs at over a hundred American companies. These actors are also pivoting to South American platforms like Workana, masquerading as Colombian contractors with Spanish language skills.

    Sapphire Sleet Targeting Crypto: Microsoft reported on a North Korean cluster dubbed Sapphire Sleet (overlapping with APT 38) targeting crypto and finance workers on macOS devices via LinkedIn.

    The Fake Zoom SDK: During the fake interview process, the DPRK recruiters send a bogus Zoom SDK update on the day of the call to gain access to the victim's system.

    Events & Community

    RISEx Sydney: May 6 in Sydney, Australia

    🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx Chicago: June 3rd in Chicago, IL

    🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    RISEx DC: June 11 in Washington DC, US

    Underground Economy: September 7th-9th in Strasbourg, France

    🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli W. and Will B. break down a fast-moving week in cybersecurity—from AI-driven supply chain attacks and Iranian targeting of critical infrastructure to North Korean IT worker scams, new edge-device zero-days, and the takedown of an APT28 router botnet.

    Topics:

    The NPM Poisoning Epidemic & The AI Accelerant

    Axios Backdoor: The team discusses ongoing NPM package exploitation, specifically highlighting the Axios package. Axios sees over 100 million weekly downloads, and at least two backdoored versions have been live recently. Unit 42 published an updated threat brief confirming the attack hit over 10 sectors across five geographic regions.

    The AI Factor: Will Baxter attributes this spike in supply chain attacks to the operationalization of AI. AI makes reviewing codebases for vulnerable packages incredibly easy for attackers.

    LLMs as Exploit Developers: Eli Woodward recalls an NSA prediction that LLMs would become great exploit code developers and malware analysis engines. The rapid pace of this AI evolution is forcing defensive teams to adapt quickly without the benefit of increased headcounts.

    Critical Infrastructure Under Siege by Iranian Actors

    Joint Advisory on PLC Exploitation: A joint advisory from the FBI, CISA, NSA, EPA, DOE, and Cyber Command formally attributes ongoing PLC exploitation to the Cyber Avengers. This group is the IRGC Cyber Electronic Command, also tracked as Shahid Kavev Group, Hydro Kitten, Storm 084, and UNK5691.

    Targeted Sectors: The actors are escalating targeting against Rockwell Automation and Allen Bradley PLCs in wastewater, energy, and government facilities.

    Massive Exposure: The advisory highlights traffic on ports 44818, 2222, 102, and 502. Team Cymru’s platform identified an alarming 49,000 devices exposed on the internet with port 44818 open.

    Edge Devices, Zero-Days, and CISA Guidance

    FortiClient EMS Zero-Day: CISA published information on a FortiClient EMS zero-day, with approximately 2,000 exposed instances currently on the internet.

    Edge Device Safety: CISA also released new edge device safety guidance. The hosts emphasize that patching edge devices and having good identity management is the bare minimum expectation for organizations.

    Unmasking the DPRK IT Worker Ecosystem

    The "Lucky Guys" Site: Independent researcher ZachXBT uncovered "luckyguys.site", a platform used by DPRK IT workers to send money back to the regime. These workers are easily making $1 million per month.

    Team Cymru Platform Analysis: Eli Woodward used the Team Cymru platform to analyze the infrastructure, finding a massive amount of Astral VPN usage and traffic from Russian ASNs (ASI and Trans Telecom).

    Operational Security Failures: The workers used the password "123456" for their platform, exposing Slack chat identities and conversations via an investigative site.

    APT 28 Botnet Takedown

    Router Hijacking: The US DOJ, FBI, and NCSC helped take down a network of TP-Link and MikroTik routers compromised by APT 28 (also known as Unit 26165 or Storm 2754).

    Botnet Scale: The botnet leveraged known vulnerabilities in these small office/home office (SOHO) devices and peaked at 18,000 unique IPs in December 2025.

    Events

    RISE Ireland: April 14-25 in Dublin, Ireland

    RISEx Sydney: May 6 in Sydney, Australia

    register: https://shorturl.at/OyfTj

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    register: https://shorturl.at/twbj6

    RISEx Chicago: June 3rd in Chicago, IL

    register: https://shorturl.at/kd4SC

    RISEx New York: June 16 in New York City, US

    register: https://shorturl.at/atb2m

    Underground Economy: September 7th-9th in Strasbourg, France

    register: https://shorturl.at/mw1yE

    FirstCon26 (Denver): Eli W. will be presenting two sessions.

    register: https://www.first.org/conference/2026/registration-options

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Ben Archie to break down a high-velocity week of supply chain compromises and surging regional threats. We cover the explosive growth of ransomware in the APJ region, the North Korean state-actor hijack of the Axios NPM package, and the TrueConf zero-day exposing Southeast Asian governments. Plus, we discuss how the recent Anthropic Claude code leak could weaponize package management and the frightening implications of AI on personal data extortion.

    Topics & References:

    Part 1: The APJ Threat Landscape & TrueConf Zero-Day

    Ransomware Surge: APJ is currently the fastest-growing region for ransomware, marking a 59% year-on-year increase and accounting for 64% of global incidents.

    Healthcare Under Fire: The Dragonforce ransomware group recently claimed a breach of the Australian health management system, underscoring massive third-party risks across the country's health sector.

    TrueConf Zero-Day (CVE-2026-3502): A critical vulnerability in video conferencing software is being abused to compromise on-prem servers and push Havoc malware to connected endpoints. This supply chain attack heavily targets Southeast Asian government networks and was recently added to the CISA KEV catalog.

    Part 2: Supply Chain Nightmares & The Axios Compromise

    The Axios NPM Hijack: Attackers compromised the NPM publishing account of Axios' lead maintainer, releasing two malicious legacy versions (1.14.1 and 0.30.40). The threat actors injected a phantom runtime dependency without altering the source code, and the packages remained live for roughly two to three hours before NPM yanked them.

    Attribution: Microsoft has attributed the Axios NPM compromise infrastructure to Sapphire Sleet, a known North Korean state actor.

    Shiny Hunters Target Cisco: The group claims to have breached Cisco’s internal development environment using credentials stolen during the Trivy GitHub compromise. They allege the theft of AWS keys and over three million Salesforce records, setting an extortion deadline of April 3.

    Part 3: Threat Actor Drama & AI Privacy Risks

    Ransomware Soap Opera: Threat groups like Team PCP and The Comm are engaging in public trash-talk, echoing previous incidents where The Comm publicly dumped an Oracle EBS zero-day to humiliate Cl0p.

    Anthropic Claude Code Leak: The team discusses how leaked source code could lower the barrier to entry for attackers, allowing them to better understand package management prioritization and weaponize AI models for supply chain attacks.

    Handala Hack & AI Extortion: Iranian activist group Handala breached the personal email of FBI Director Kash Patel. This sparks a broader discussion on the future of personal extortion, warning that attackers could soon use LLMs to scrape and weaponize the intimate, sensitive data users dump into AI mental health and companion apps.

    Events & Community:

    RISE Ireland: April 14-25 in Dublin, Ireland

    🔗 to register: https://go.team-cymru.com/rise-ireland

    RISEx Sydney: May 6 in Sydney, Australia

    🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    Underground Economy: September 7th-9th in Strasbourg, France

    To be hosted at the Council of Europe, expecting 600-700 attendees.

    FirstCon26 (Denver): Eli Woodward will be presenting two sessions.

    🔗 to register: https://www.first.org/conference/2026/registration-options

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Baxter break down a relentless wave of CI/CD pipeline compromises. The team dives into the rapid-fire attacks by Team PCP, the emergence of Citrix Bleed 3.0, and the psychological warfare tactics of Iranian-aligned hacktivists. Plus, we explore why English-speaking ransomware actors are ditching encryption entirely in favor of "Exfil and Extort" models.

    Topics & References

    Part 1: The CI/CD Pipeline Blitz & Team PCP

    The Team PCP Blitz: A new group has claimed responsibility for five major incidents in a single week, including compromises of Trivy, React Native, LightLLM, and Telnyx.

    AI-Enabled Supply Chain Attacks: The duo discusses the "Hacker Clawbot" proof of concept and how AI is likely being used to rapidly identify and weaponize common software packages.

    The CTI Shift: Cyber Threat Intelligence teams must now broaden their perspective to include enterprise architecture and software supply chain workflows.

    Part 2: Edge Warfare: Citrix Bleed 3.0

    CVE-2026-3055: A new critical Citrix vulnerability is actively being exploited in the wild.

    The "Memory Cough" Technique: Attackers are repeatedly hitting vulnerable endpoints to scrape memory bit-by-bit until they gather enough to gain full access.

    Edge vs. MFA: The widespread success of MFA has forced attackers to pivot aggressively toward edge device exploitation as their primary initial access vector over the last five years.

    Part 3: Iranian Geopolitical Hacking & Hacktivist Playbooks

    High-Profile Leaks: Discussion on the Lockheed Martin data leak and the hacking of FBI Director Kash Patel’s personal email.

    The "Hacktivist BS" Playbook: Eli breaks down how opportunistic actors use scary videos and exaggerated propaganda to spin minor MSP breaches into massive national incidents.

    Handala & Wipers: Opportunistic attacks tied to the Handala group are utilizing stealers and new wiper variants to impact organizations.

    Part 4: The Death of Encryption?

    Exfil and Extort: Google Threat Intelligence reports that 77% of incidents by English-speaking actors now involve data exfiltration without encryption.

    The Backup Victory: As corporate backups become more resilient, attackers are finding that pure data theft and leak site pressure offer a better ROI than providing decrypters.

    Events & Community

    RISE Ireland: April 14-25 in Dublin, Ireland

    🔗 to register: https://go.team-cymru.com/rise-ireland

    RISEx Sydney: May 6 in Sydney, Australia

    🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    Underground Economy: September 7th-9th in Strasbourg, France

    To be hosted at the Council of Europe, expecting 600-700 attendees. Registration will open first week of April.

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Thomas dive into a packed week of vulnerability disclosures, APT campaigns, and geopolitical cyber fallout. From Iranian threat actors utilizing Starlink to bypass national internet blocks, to North Korean campaigns targeting developers with "Stoat Waffle" malware, the team unpacks the strategies adversaries are using to breach global enterprises. Plus, a look at Team Cymru's latest intel on tracking Beast ransomware infrastructure and an update on our upcoming global events.

    Topics & References

    Part 1: The Vulnerability Landscape

    Cisco Secure Firewall RCE (CVE-2026-20131): An insecure deserialization flaw was added to the CISA KEV catalog on March 19th, with active exploitation tracked back to late January. The Interlock ransomware gang has been identified as a threat actor exploiting this vulnerability.

    SharePoint On-Prem Pre-Auth RCE: Warlock Ransomware has targeted unpatched Microsoft SharePoint servers (2016 and 2019) in a major exfiltration and extortion campaign.

    Part 2: APT Operations & Geopolitics

    Handala (Void Manticore) & Starlink: Following the disruptive attack on medical tech company Stryker via Intune, Checkpoint released research showing Handala operators utilizing Starlink terminals to bypass Iran's national internet blackouts.

    Operation Ghost Mail: Russia's APT 28 (Fancy Bear) is aggressively targeting Zimbra Webmail servers to compromise Ukrainian government operations.

    Waterplum's "Stoat Waffle": A North Korean group is targeting Web3 and cryptocurrency developers with malicious Python, NPM, and JavaScript packages under the guise of "contagious interview" job offers.

    Part 3: Supply Chain Threats & Intel Insights

    Invisible Supply Chain Attacks: Aikido Security demonstrated how threat actors are using Unicode to hide disappearing text and malicious scripts in repositories.

    Beast Ransomware Operations: Team Cymru's latest research highlights how Open Directories data combined with NetFlow can unmask ransomware actor infrastructure and target lists.

    Events & Community:

    NCAA March Madness Watch Party: March 27th in Atlanta, US

    🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026

    RISE Ireland: April 14-25 in Dublin, Ireland

    🔗 to register: https://go.team-cymru.com/rise-ireland

    RISEx Sydney: May 6 in Sydney, Australia

    🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026

    RISEx Frankfurt: May 28th in Frankfurt, Germany

    🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026

    RISEx New York: June 16 in New York City, US

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    Underground Economy: To be hosted at the Council of Europe, expecting 600-700 attendees. Registration will open first week of April.

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Thomas hold down the fort while Will Baxter is in Japan. The team breaks down a highly active week in the cyber world, covering critical unauthenticated vulnerabilities, the weaponization of foundational IT tools, and the staggering financial scale of nation-state operations. From Handala's devastating Intune wiper attacks to Shiny Hunters' 60-second data exfiltration capabilities, we explore the tactical shifts security teams need to prioritize right now.

    Topics & References

    Part 1: Critical RCEs & AI Bug Hunting

    Veeam Backup RCE: A critical, unauthenticated remote code execution vulnerability was identified in Veeam backup and replication software. Threat groups like Fin7, Black Cat, Akira, and Fog Ransomware have historically targeted these systems, making immediate patching and network isolation essential.

    telnetd Exposure: Another unauthenticated (pre-auth) RCE was discovered in telnetd (port 23), reinforcing the dangers of leaving legacy remote access services exposed.

    AI Supercharging Discovery: Anthropic partnered with Mozilla and used AI to find 22 vulnerabilities in Firefox in just two weeks—almost double the normal output in half the time.

    Part 2: Cybercrime Speed & Vishing

    Gone in 60 Seconds: Unit 42 research on ShinyHunters (part of the Scattered LAPSUS$ Hunters alliance) revealed the group moving from initial access to data exfiltration in under 60 seconds.

    Salesforce Targeting: Attackers are using custom Data Loader apps and routing traffic through Tor nodes and Mullvad VPNs to siphon cloud data.

    Automated Vishing (P1 Bot): Security researcher Ross Lazerwitz uncovered "P1 Bot", an AI-enabled voice phishing campaign that automates account takeovers using compromised ElevenLabs accounts.

    Part 3: Nation-State Disruptions

    The Intune Wiper Nightmare: The pro-Iranian hacktivist group Handala successfully compromised Microsoft Intune administrator accounts at Stryker, a multinational medical device company. Attackers used the mobile device management (MDM) platform to remotely wipe thousands of employee devices, including the personal phones of the C-suite.

    Middle East Espionage: Proofpoint and Check Point observed China-linked APTs using spear-phishing and PlugX malware to target Middle Eastern governments such as Qatar.

    DPRK's $800M IT Hustle: The US Treasury sanctioned individuals tied to North Korean IT worker operations, revealing they generated a massive $800 million in 2024 alone.

    APT28 Open Directory: Researchers found a Roundcube toolkit belonging to the GRU-affiliated APT28 exposed in an open directory; it was being used to target Ukrainian government entities.

    Events & Community

    RSA Conference: March 23 in San Francisco

    🔗 to register: https://www.rsaconference.com/usa

    NCAA March Madness Watch Party: March 27th in Atlanta

    🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026

    RISEx New York: June 16 in New York City

    🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026

    Connect with Us

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week, the Dragon News Bytes team dives into a critical series of high-impact vulnerabilities and escalating geopolitical tensions. We start with a deep dive into the latest wave of JWT authentication bypasses before moving to the "Famous Sparrow" APT targeting South American telecommunications. The episode concludes with a sobering look at how Iranian cyber operations are morphing into kinetic strikes against regional infrastructure.

    Topics & References:

    Part 1: The JWT "Golden Key" Vulnerability

    The team discusses a series of critical vulnerabilities in JSON Web Tokens (JWT) where public keys intended for encryption are being misused to gain full administrative access.

    Will Baxter highlights the persistence of these flaws since early 2025, culminating in a CVSS 10.0 "open access" scenario.

    Part 2: “Famous Sparrow” Operating in South America

    Will Thomas breaks down a new Cisco Talos report on the likely China-nexus threat actor group "Famous Sparrow".

    The group is targeting South American ISPs and telcos and is typically viewed as an initial access broker for China-nexus APTs.

    Part 3: The Kinetic Reality of Iranian Cyber Ops

    Eli Woodward discusses how Iran is launching purposeful kinetic strikes against AWS data centers in Bahrain and the UAE.

    This shows Iran is considering commercial facilities as legitimate military targets, with a focus on key infrastructure across the region.

    Events & Community:

    NCAA March Madness Watch Party: March 27th in Atlanta

    🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

  • This week, the Dragon News Bytes team dives into a major international crackdown on "The Com," a decentralized cybercrime network. They also break down how AI is being used as a force multiplier for automated exploitation, a series of critical vulnerabilities in edge networking gear, and sophisticated new tactics from North Korean threat actors targeting air-gapped systems.

    Topics & References:

    Part 1: Law Enforcement Strikes Back with Project Compass: Europol led a year-long operation against "The Com" (also known as Scattered Spider or 764), resulting in 30 arrests and the identification of nearly 200 suspects across 28 countries.

    Victim Safeguarding: Beyond arrests, the operation prioritized safeguarding victims—many of whom are minors—from the group’s brutal tactics of sextortion, harassment, and physical violence.

    Part 2: The Edge Under Fire and AI-Augmented Pipelines: Amazon’s threat intelligence team recently detailed a Russian-speaking actor using commercial GenAI to automate a mass-exploitation pipeline targeting FortiGate. This targeting comes as multiple edge devices are affected by critical vulnerabilities:

    Cisco Catalyst SD-WAN: A critical zero-day (CVE-2026-20127) was revealed to have been exploited in the wild for over three years, allowing attackers to establish rogue peers and maintain long-term persistence.

    Juniper PTX Series: A 9.8 CVSS vulnerability in Junos OS Evolved’s anomaly detection framework has emerged, potentially allowing unauthenticated root-level takeover of core ISP routers.

    Part 3: Advanced Persistent Threats (APTs)

    Ruby Jumper Campaign: North Korean group APT37 (ScarCruft) has introduced a new toolkit, including the "FootWine" and "ThumbSBD" implants, specifically designed to bridge air-gapped networks via infected USB drives.

    Dohdoor & UAT-10027: Cisco Talos identified a new campaign targeting U.S. healthcare and education sectors using a novel DNS-over-HTTPS (DoH) backdoor to evade traditional detection.

    Events & Community:

    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    NCAA March Madness Watch Party: March 27th in Atlanta

    🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    RISEx Frankfurt: May 28th. Registration will open March 6th.

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

  • In this episode of Dragon News Bytes, Will Baxter and Eli Woodward sit down in person to dissect the "long game" of modern cyber espionage. We dive into the Dell RecoverPoint zero-day exploited by China-linked actors and why some threat actors are now sitting silent in networks for over a year before acting.

    We also go full circle on the DPRK laptop farm saga, discussing the sentencing of a Ukrainian national who facilitated North Korean IT workers infiltrating U.S. businesses. Finally, we cover Interpol’s Operation Red Card 2.0, a massive crackdown on West African scam networks, and why Nigeria’s demographic shift makes it a critical region for defenders to watch over the next decade.

    Topics & References:

    Part 1: The One-Year Sleep – Dell Zero-Days & Grim Bolt

    Dell RecoverPoint Exploitation: Discussion on the recent zero-day (CVE-2025-6201) and its active abuse by China-linked actors.

    The Grim Bolt / Silk Taker Connection: Analyzing the infrastructure overlap between UNC6201 (Grim Bolt) and UNC5221 (Silk Taker/Brickstorm).

    Operational Patience: Why threat actors are waiting 12+ months for logs to "age out" before taking action on objectives.

    Hunter’s Field Note: Is one year of log retention enough? We discuss the shift toward 3-year "cold storage" for modern forensics.

    Part 2: The Infrastructure of Deception – DPRK & Laptop Farms

    The Sentencing of Alexander Didenko: The "back half" of the Christina Chapman case, involving a million-dollar scheme to host North Korean remote workers.

    Webcam Forensics: How a security team used "Impossible Travel" alerts to activate a webcam and catch a laptop farm manager in the act.

    Identity Theft at Scale: How thousands of fake accounts were created using stolen U.S. identities to bypass employment verification.

    Part 3: Operation Red Card 2.0 & The Rise of Nigeria

    Interpol Crackdown: An 8-week operation across 16 African countries resulting in 651 arrests and millions recovered from mobile money fraud.

    The Demographic Shift: Why Nigeria’s projected population growth (set to surpass the U.S. by 2050) makes Nigeria a pivotal part of the cyber landscape that defenders need to start watching now.

    Individual Impact: A reminder that while BEC hits corporations, these scams devastate individuals and families.

    Events & Community:

    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb


    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Will Baxter, Eli Woodward, and Will Thomas break down a week of high-velocity threats targeting the "foundational" layers of enterprise connectivity. From the long-term compromise of Singapore’s ISP infrastructure to the critical hijacking of Mobile Device Management (MDM) platforms, the team explores how state actors and financially motivated groups are bypassing the endpoint to live directly on the edge.

    Topics & References:

    Part 1: The Telco Breach & The Attribution Maze

    Singapore ISP Compromise: Four of Singapore's main ISPs suffered a long-term breach by a suspected China-nexus APT.

    UNC3886 vs. Salt Typhoon: Will Thomas breaks down the tactical nuances between these groups. While Salt Typhoon strategically moves upstream via Cisco switches, UNC3886 utilizes zero-days and rootkits to target FortiGates, Juniper, and VMware.

    The Global Trend: This follows last week's reporting on Norway being targeted, signaling a coordinated global focus on the telecommunications sector.

    Part 2: MDM Hijacking — More Dangerous than a SIEM Breach?

    European Commission Compromised: Attackers utilized a zero-day in Ivanti EPMM (formerly MobileIron) to breach the European Commission.

    The Power of the MDM: The team discusses why an MDM compromise is a "nightmare scenario"—allowing attackers to track physical locations, deploy malicious apps, and snoop on encrypted chats like Signal.

    The Geopolitical Connection: A clear trend is emerging of edge device exploitation targeting entities not geopolitically aligned with China.

    Part 3: The Rise of Warlock & Edge Blitzing

    Who is Warlock? A suspected Chinese-speaking ransomware group (tracked as Storm-2603) that deviates from the typical Russian-speaking model.

    Targeting SmarterMail: Warlock is weaponizing vulnerabilities in SmarterTools/SmarterMail (an Exchange alternative). Ironically, the vendor itself was breached through its own unpatched SmarterMail installation.

    The MFA Shift: Eli Woodward notes that as MFA makes phishing harder, attackers have pivoted aggressively to edge device exploitation (Log4j, CenterStack, etc.) as the primary method for initial access.

    Part 4: Payroll Pirates & SaaS Fraud

    Social Engineering the Help Desk: Threat actors are chaining help desk social engineering with VDI session hijacking to divert direct deposits in HR SaaS platforms.

    Red Flag Alert: Organizations should immediately investigate any direct deposit change that occurs within two hours of an MFA reset.

    Events & Community:

    RISE USA (San Francisco): February 18–19 at Stripe HQ.

    🔗 to register: https://go.team-cymru.com/rise-usa-2026

    Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity.

    🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis

    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Will Baxter and Will Thomas dive into a week defined by "Paradigm Shifts." We break down how top-tier state actors like Salt Typhoon are abandoning traditional phishing to live inside your edge infrastructure and how a new era of Agentic AI is creating a "One-Click RCE" nightmare for enterprise security teams.

    Plus, we look at the "Wet Bandits" of the APT world—a state-aligned group that remains surprisingly easy to hunt—and discuss why the latest hoax from 0APT was a "Vibe-Op" designed specifically to waste your team's time.

    Topics & References:

    Part 1: The Edge is the New Endpoint

    Salt Typhoon’s European Pivot: Norwegian intelligence (PST) confirms that Salt Typhoon is bypassing EDR entirely. They are now persisting inside edge gateways and telco infrastructure using the D-Knife Linux-based implant.

    TGR-STA-1030 (The Shadow Campaigns): A state-aligned group targeting global ministries of finance. Their tradecraft includes using Mega[.]nz for C2 to blend in with legitimate business traffic.

    Critical Takeaway: If your detection strategy assumes compromise starts on a laptop, you’ve already lost the battle. The "Metal Layer" of the network is the current battlefield.

    Part 2: Emerging AI Threats & "Vibe-Ops"

    OpenClaw & Agentic AI (CVE-2026-25253): We examine the birth of the "Agentic Supply-Chain Attack." Malicious AI "skills" are now being used to exfiltrate tokens via WebSocket hijacking.

    0APT: Anatomy of a "Vibe-Op": Claims of a new ransomware operation targeting retail and healthcare turned out to be a low-capability hoax. We discuss why this was a "resource-drain operation" intended to panic security teams rather than a technical breach.

    Operation Neusploit: Zscaler observes APT28 (Fancy Bear) weaponizing Microsoft RTF vulnerabilities (CVE-2026-21509) at "wartime tempo"—just days after the patch was released.

    Hunter’s Field Notes (Immediate Action):

    Hunt for D-Knife: Look for any Linux process on Cisco or Fortinet appliances spawning a shell, or outbound connections from management interfaces not tied to update daemons.

    Mega[.]nz Monitoring: Flag high-volume uploads to Mega[.]nz from Server VLANs or Service Accounts. Ask, "why is a domain controller talking to Mega?"

    AI Socket Hunting: Monitor for unfamiliar WebSocket (WS/WSS) connections initiated from workstations to external IPs during browser navigation windows.

    Events & Community:

    RISE USA (San Francisco): February 18–19 at Stripe HQ.

    🔗 to register: https://go.team-cymru.com/rise-usa-2026

    Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity.

    🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis

    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Will Thomas to break down a convergence of nation-state activity and critical infrastructure disruptions. We cover the FBI’s massive takedown of the RAMP cybercrime forum, the re-attribution of Poland’s energy sector cyberattack to Dragonfly, and a wave of critical sandbox escapes impacting developer and AI environments. Plus, we discuss how attackers are weaponizing physical snail mail for extortion and the strategic impact of Google’s latest disruption of the IPIDEA proxy infrastructure.

    Topics & References:

    Part 1: Major Infrastructure & Law Enforcement Actions

    FBI Seizes RAMP Cybercrime Forum: A major blow to Russian-speaking initial access brokers (IABs). RAMP stood as a safe haven for ransomware groups like Black Cat and LockBit after other forums banned the activity.

    Analyst Note: Expect forum migration and operational mistakes as these actors scatter to new homes.

    Read more: https://shorturl.at/cURYo

    Google Disrupts IPIDEA Infrastructure: A coordinated takedown of a massive residential proxy network leveraged by botnets (Kimwolf/AISURU) and fraud operations.

    The Impact: This creates a short-term detection window for hunters as adversaries migrate to noisier fallback infrastructure.

    Poland Energy Sector Re-attribution: CERT.PL has officially attributed the massive energy incident from late 2025 to Dragonfly (Energetic Bear) rather than Sandworm.

    Critical Takeaway: Hitachi Energy confirmed no product flaws were used; the breach stemmed from default credentials and environmental misconfigurations.

    Read more: https://shorturl.at/I707p

    Part 2: Emerging Vulnerabilities & Malware Campaigns

    Critical Sandbox Escapes (CVE-2026-22709): Assumptions of "safe execution" are failing in developer tooling and AI environments. We break down the Grist-Core Pyodide escape and the popular vm2 NodeJS library bypass.

    SolarWinds Web Help Desk RCE (CVE-2025-40551): An unauthenticated remote code execution vulnerability that serves as a high-impact lateral movement enabler.

    Key TTPs:

    Whitelist bypass using malformed URIs containing /ajax/

    Exploitation path includes: /helpdesk/WebObjects/Helpdesk.woa/wo/ with wopage=LoginPref

    Read more: https://tinyurl.com/y3x7vase

    CVE-2026-21962: "AI Slop" or Exploit? ISC observed scanning activity targeting WebLogic with non-functional, AI-generated payloads, highlighting a new challenge in distinguishing signal from noise.

    Read more: https://tinyurl.com/yx52bkwa

    TA584 Extortion Pivots: This initial access broker has tripled campaign volume, now using photos of physical snail mail customized with victim details to increase psychological pressure.

    New Report: Voices of the Cybersecurity Strategist - A Benchmark Report for Security Leaders. Insights from leading CISOs, VPs, and Directors on navigating threat landscapes, allocating resources, and aligning security with business objectives.

    Read the full report: https://tinyurl.com/4jxb3kc5

    Events & Community:

    RISE USA (San Francisco): February 18–19 at Stripe HQ.

    🔗 to register: https://go.team-cymru.com/rise-usa-2026

    Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity.

    🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis

    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Baxter dive into the shift from "cottage industry" cybercrime to an industrialized assembly line fueled by AI. We break down high-urgency RCEs in Cisco Unified Platforms, the massive comeback of the Kimwolf Botnet via IoT backdoors, and the "new SQL injection" taking over AI workflows: Prompt Injection. Plus, we discuss the weaponization of VS Code extensions by North Korean actors (Purple Bravo) and provide a full update on our upcoming global event schedule.

    Topics & References:

    Part 1: Patch Now: High-Urgency Threats & Evolving Infrastructure

    Cisco Unified Platform RCE (CVE-2026-20045): A critical unauthenticated Remote Code Execution vulnerability granting root access to video and phone systems. Target URLs include /webcalling/Unity/ and /UCMuser.

    Read more: https://arcticwolf.com/resources/blog/cve-2026-20045/

    TP-Link VIGI & Edge Vulnerabilities: Critical flaws in VIGI cameras allow for remote takeover, highlighting the persistent risk in edge and IoT infrastructure.

    Read more: https://securityaffairs.com/187110/hacking/critical-tp-link-vigi-camera-flaw-allowed-remote-takeover-of-surveillance-systems.html

    Kimwolf Botnet Resurgence: Now exceeding two million devices, this botnet is scaling via pre-baked backdoors in consumer devices like TV boxes.

    Read more: https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

    Part 2: Hacking the Human OS & AI Abuse

    Help Desk Social Engineering: West African criminal groups are increasingly impersonating employees via phone calls to reset passwords for "payroll redirects."

    The AI Prompt Injection Revolution: Described as the "new SQL injection," prompt injection is resetting years of input sanitization efforts. We discuss agentic browsers bypassing security controls and a Microsoft Teams bug used to steal user tokens.

    DPRK (Purple Bravo) Targeting Developers: North Korean actors are weaponizing VS Code extensions and using tasks.json in the Evelyn Stealer malware to auto-execute when repositories are opened.

    Events & Community:

    SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th.

    RISE USA (San Francisco): February 18–19 at Stripe HQ.

    🔗 to register: https://go.team-cymru.com/rise-usa-2026

    Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity.

    🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis

    FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, Eli Woodward and Will Baxter break down the operational fires you need to fight now and the emerging AI threats targeting your internal guardrails. We cover the critical FortiSIEM zero-day RCE, the rise of AI prompt injection attacks across Microsoft Copilot and Salesforce, and the massive 58% year-over-year surge in ransomware victims. Plus, we discuss the strategic impact of the Red VDS infrastructure takedown and our upcoming global event schedule.

    Topics & References:

    Part 1: Emerging Threats

    FortiSIEM Zero-Day RCE (CVE-2025-64155): Critical remote code execution via the phMonitor service. If you use FortiSIEM, restrict access to TCP port 7900 immediately.

    Read more: https://horizon3.ai/attack-research/vulnerabilities/cve-2025-64155-fortinet-fortisiem/

    Red VDS Infrastructure Takedown: Microsoft’s disruption of a major "bulletproof" virtual desktop service used for fraud and financially motivated phishing.

    Ransomware Surge 2026: A 58% increase in publicly posted victims compared to 2024, with 124 active groups now tracked globally.

    Part 2: Emerging AI Threats

    AI Honeypot Findings: Discovery of automated scanning for Open LLM endpoints (Claude, ChatGPT, Ollama) originating from a single German source.

    AI Prompt Injection Attacks: New research into malicious prompts embedded in links that can hijack AI agents in Microsoft Copilot, Salesforce, and ServiceNow to steal user tokens and secrets.

    Read more:

    https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/

    https://www.varonis.com/blog/reprompt

    The Three Pillars of AI Security: A strategic framework for defending from AI attacks, defending the AI your organization uses, and defending using AI tools.

    Read more: https://www.pillar.security/blog/the-agent-security-paradox-when-trusted-commands-in-cursor-become-attack-vectors

    Events & Community:

    SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th.

    RISE USA (San Francisco): February 17–19 at Stripe HQ.

    🔗 to register: https://go.team-cymru.com/rise-usa-2026

    Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity.

    🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis

    FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats.

    🔗 to register: https://www.fsisac.com/events/2026-americas-spring

    RISE Ireland (Dublin): April 14–15 at Stripe Dublin.

    🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:

    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

  • This week on Dragon News Bytes, we break down the operational fires you need to fight now and the emerging threats you’ll be fighting tomorrow. We cover the critical "Ni8mare" RCE in n8n automation tools, the new "ClickFix" social engineering waves hitting hospitality, and the "Zombie" D-Link routers building massive botnets. Plus, we dive into China-linked UAT-7290 targeting telcos and why Black Cat ransomware is poisoning your Google search results.

    Topics & References:

    Part 1: Emerging Threats

    The "Ni8mare" RCE (CVE-2026-21858): Critical unauthenticated remote code execution in n8n workflow automation tools.

    Read more: Horizon3.ai Analysis

    "ClickFix" Phishing Campaign: Fake "Blue Screen of Death" pages forcing users to run malicious PowerShell scripts. Currently targeting the European hospitality sector.

    Read more: Computing.co.uk Report

    "MongoBleed" (CVE-2025-14847): Unauthenticated memory leak in MongoDB exposing sensitive RAM data.

    Read more: Rapid7 Advisory

    "Ghost Tap" NFC Fraud: Android malware bridging the gap between cyber and physical payment terminal fraud.

    Read more: Inetco Research

    "ZombieAgent" AI Flaw: Embedding hidden text in documents to hijack AI agents via indirect prompt injection.

    Read more: SecurityBrief Asia

    GoBruteforcer Botnet: Golang-based malware targeting Linux servers to reach Web3/Crypto assets.

    Read more: BleepingComputer

    Part 2: Operational Fires

    D-Link "Zombie" RCE (CVE-2026-0625): Active exploitation of legacy D-Link DSL routers to build residential botnets.

    Read more: SC Media Report

    APT Alert: UAT-7290: China-linked espionage group using "Operational Relay Boxes" (ORBs) to target Telecommunications and Defense sectors.

    Read more: Infosecurity Magazine

    Black Cat Ransomware SEO Poisoning: The ransomware gang is now poisoning search results for IT tools like "WinSCP" and "Notepad++".

    Read more: News4Hackers

    Supply Chain & Breaches:

    Fake WinRAR Installers: Malwarebytes

    Ledger / Global-e Breach: Ledger Support

    NordVPN Breach Claim (Denied): NordVPN Blog

    Connect with Us:

    Subscribe to the Dragon News Bytes feed: Team Cymru

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.