Episodes

  • A QRazy clever scam.

    A QRazy clever scam.
    Apr 25 2026
    This week, we are joined by Juliana Testa, Senior Security Engineer from 7AI, sharing their work on "Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter." A large-scale “quishing” campaign used QR codes embedded in image attachments to hide phishing URLs, allowing 28 out of 33 emails to bypass SPF, DKIM, DMARC, and Microsoft Defender and land directly in inboxes. Each recipient received a unique QR code and tracking ID, defeating traditional detection methods and enabling attackers to scale the campaign to over 1.6 million emails across multiple organizations while shifting execution to less-secure mobile devices. The attack was ultimately uncovered through AI-driven alerting combined with human analysis and threat hunting, highlighting a major blind spot in email security and the need for QR code inspection, mobile protections, and tighter auto-reply controls. The research and executive brief can be found here: Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter. Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    19 mins
  • A new breed of RAT.

    A new breed of RAT.
    Apr 18 2026
    Today we are joined by Dr. Darren Williams, Founder and CEO of BlackFog, to discuss his team's work on "Steaelite RAT Enables Double Extortion Attacks from a Single Panel." A new remote access trojan, Steaelite, is being marketed on underground forums as an all-in-one platform that combines remote access, credential theft, surveillance, and ransomware deployment through a single browser-based dashboard. Unlike traditional cybercrime toolchains, it merges data exfiltration and ransomware capabilities into one interface, with automated credential harvesting beginning as soon as a victim is infected. The tool signals a growing shift toward streamlined “double extortion” attacks, where data theft and encryption happen within the same system—raising the stakes for defenders to stop threats before data is exfiltrated. The research and executive brief can be found here: Steaelite RAT Enables Double Extortion Attacks from a Single Panel Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    22 mins
  • A wolf in admin clothing.

    A wolf in admin clothing.
    Apr 11 2026
    Today we are joined by Selena Larson, Threat Researcher from Proofpoint research team and co-host of Only Malware in the Building, talking about their work on "(Don't) TrustConnect: It's a RAT in an RMM hat." Proofpoint uncovered TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring and management (RMM) tool, but actually functioning as a remote access trojan (RAT) sold to cybercriminals for $300/month. The operation used a fake business website, legitimate-looking certificates, and branded installers (like fake Microsoft Teams or Zoom apps) to trick victims, while providing attackers with full remote control, file transfer, and surveillance capabilities. Although parts of its infrastructure were disrupted, the threat actor quickly rebounded with new variants, highlighting both the resilience of the operation and its deep ties to the broader cybercriminal ecosystem abusing RMM tools. The research and executive brief can be found here: (Don't) TrustConnect: It's a RAT in an RMM hat Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    25 mins
  • Startup surge sparks spy interest.

    Startup surge sparks spy interest.
    Apr 4 2026
    This week, we are joined by Santiago Pontiroli, Threat Intelligence Research Lead from Acronis TRU team, discussing their work on "New year, new sector: Transparent Tribe targets India’s startup ecosystem." The Acronis Threat Research Unit uncovered a new campaign by Transparent Tribe showing the group has expanded beyond traditional government and defense targets to India’s startup ecosystem, especially cybersecurity and OSINT-focused firms. The attackers use startup-themed lures delivered via ISO files and malicious shortcuts to deploy Crimson RAT, a highly obfuscated tool capable of surveillance, data theft, and system control. Despite this shift, the campaign closely mirrors the group’s long-standing espionage tactics, suggesting startups are being targeted for their connections to government, law enforcement, and sensitive intelligence networks. The research and executive brief can be found here: New year, new sector: Transparent Tribe targets India’s startup ecosystem Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    19 mins
  • When “safe” documents aren’t.

    When “safe” documents aren’t.
    Mar 28 2026
    Omer Ninburg, CTO of Novee Security, joins us on this episode of Research Saturday to discuss their work on "From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs." Historically, Portable Document Formats – the immutable, localized PDF – was once considered a “safe” component inside enterprise environments. That is no longer the case. To demonstrate how PDF services and engines can be exploited, the team at Novee used their proprietary, multi-agent LLM system to uncover vulnerability patterns, and systematically scale them into a broad discovery campaign across two PDF vendor ecosystems. The research uncovered 16 verified vulnerabilities across client-side PDF viewers, embedded plugins, and server-side PDF services. The research and executive brief can be found here: ⁠From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs Hacker-Trained AI Discovers 16 New 0-Day Vulnerabilities in PDF Engines Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    21 mins
  • A subtle flaw, a massive blast radius.

    A subtle flaw, a massive blast radius.
    Mar 21 2026
    Yuval Avrahami from Wiz joins to share their work on "CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild." Wiz Research uncovered “CodeBreach,” a critical supply chain vulnerability caused by a subtle misconfiguration in AWS CodeBuild pipelines that allowed attackers to take over key GitHub repositories, including the widely used AWS JavaScript SDK that powers the AWS Console. By exploiting an unanchored regex filter, unauthenticated attackers could trigger privileged builds, steal credentials, and potentially inject malicious code into software used across a majority of cloud environments. AWS has since remediated the issue and introduced stronger safeguards, but the incident highlights a growing trend of attackers targeting CI/CD pipelines where small misconfigurations can lead to massive downstream impact. The research can be found here: CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    17 mins
  • Your AI sidekick might be a spy.

    Your AI sidekick might be a spy.
    Mar 14 2026
    This week, we are joined by Or Eshed, Co-Founder and CEO from LayerX Security, discussing their work on "How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts." Researchers uncovered a coordinated campaign of 16 malicious browser extensions posing as ChatGPT productivity tools while secretly stealing user accounts. The extensions intercept ChatGPT session authentication tokens and send them to attacker-controlled servers, allowing threat actors to impersonate users and access their conversations, files, and connected services like Google Drive or Slack. The findings highlight how AI-focused browser extensions are creating a new attack surface, emphasizing the need for organizations to closely monitor and restrict third-party AI tools. The research can be found here: ⁠⁠⁠How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    23 mins
  • The scareware rabbit hole.

    The scareware rabbit hole.
    Mar 7 2026
    This week we are joined by Marcelle Lee, cybersecurity consultant and researcher, discussing "CTI tradecraft: Investigating a mobile scareware campaign." She details how a routine click on a Google News story led to a mobile scareware pop-up—and a deeper investigation into a broader campaign. Using free tools like Censys, URLScan, VirusTotal, and CyberChef, she pivoted from two domains to uncover more than 100 related domains, shared infrastructure, and links to questionable antivirus apps in the Google Play Store. The findings are mapped to the MITRE ATT&CK framework, showing how freely available resources can power meaningful, actionable threat intelligence. The research can be found here: ⁠CTI tradecraft: Investigating a mobile scareware campaign Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show More Show Less
    28 mins