Épisodes

  • When malware plays pretend.

    When malware plays pretend.
    Aug 9 2025
    Nicolás Chiaraviglio, Chief Scientist from Zimperium's zLabs, joins to discuss their work on "Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed." Zimperium’s zLabs team has been tracking an evolving banker trojan dubbed DoubleTrouble, which has grown more sophisticated in both its distribution and capabilities. Initially spread via phishing sites impersonating European banks, it now uses malicious APKs hosted in Discord channels, and boasts features like screen recording, keylogging, UI overlays, and app blocking—all while heavily abusing Android’s Accessibility Services. Despite advanced obfuscation and dynamic evasion techniques, Zimperium’s on-device detection tools have successfully identified both known and previously unseen variants, helping protect users from credential theft, financial fraud, and device compromise. Complete our annual ⁠⁠audience survey⁠⁠ before August 31. The research can be found here: ⁠Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    21 min
  • nOAuth-ing to see here.

    nOAuth-ing to see here.
    Aug 2 2025
    This week, we are joined by Eric Woodruff, Chief Identity Architect at Semperis, discussing "nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications". Semperis researchers identified a critical authentication flaw known as nOAuth in 9 out of 104 tested SaaS applications integrated with Microsoft Entra ID. This low-complexity but severe vulnerability allows attackers with just a user’s email address and access to an Entra tenant to impersonate users, exfiltrate data, and move laterally within affected apps—with no viable defense or detection available to customers. The findings spotlight ongoing risks tied to improper use of email claims in authentication and emphasize the urgent need for SaaS vendors to adopt secure OpenID Connect practices and remediate vulnerable applications. Complete our annual ⁠audience survey⁠ before August 31. The research can be found here: nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    24 min
  • Muddled Libra: From Spraying to Preying in 2025 [Threat Vector]

    Muddled Libra: From Spraying to Preying in 2025 [Threat Vector]
    Jul 26 2025
    Please enjoy this Special Edition episode of the Threat Vector podcast with an update on our previous Muddled Libra coverage. Muddled Libra is back and more dangerous than ever. In this episode of Threat Vector, David Moulton speaks with Sam Rubin and Kristopher Russo from Unit 42 about the resurgence of the threat group also known as Scattered Spider. They break down the group’s shift to destructive extortion, modular attack teams, and cloud-first tactics. Discover why traditional defenses fail, how attackers now exploit trusted tools, and what forward-leaning security leaders are doing to stay ahead. With real-world case studies, strategic advice, and insights from the front lines, this episode helps defenders understand today’s threat landscape and what’s coming next. Join the conversation on our social media channels: Website: ⁠⁠⁠⁠https://www.paloaltonetworks.com/ Threat Research: ⁠⁠⁠⁠https://unit42.paloaltonetworks.com/⁠⁠⁠⁠ Facebook: ⁠⁠⁠⁠https://www.facebook.com/LifeatPaloAltoNetworks/⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/company/unit42/⁠⁠⁠⁠ YouTube: @paloaltonetworks Twitter: ⁠⁠⁠⁠https://twitter.com/PaloAltoNtwks⁠⁠⁠⁠ About Threat Vector Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends. The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers. Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization. Palo Alto Networks Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. ⁠http://paloaltonetworks.com Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    36 min
  • Creeping like a spider.

    Creeping like a spider.
    Jul 19 2025
    This week, we are pleased to be joined by George Glass, Associate Managing Director of Kroll's Cyber Risk business, as he is discussing their research on Scattered Spider and their targeting of insurance companies. While Scattered Spider has recently turned its attention to the airline industry, George focuses on the broader trend of the group’s industry-by-industry approach and what that means for defenders across sectors. George and Dave discuss the group’s history, their self-identification as a cartel, and their increasingly aggressive tactics, including the use of fear-based social engineering, physical threats, and the recruitment of insiders at telecom providers. They also examine how organizations—especially those with vulnerabilities similar to past targets—can proactively defend against this threat and prepare an effective response if their industry becomes the next focus. Complete our annual ⁠audience survey⁠ before August 31. Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    18 min
  • Click here to steal.

    Click here to steal.
    Jul 12 2025
    Today we are joined by Selena Larson, Threat Researcher at Proofpoint, and co-host of Only Malware in the Building, as she discusses their work on "Amatera Stealer - Rebranded ACR Stealer With Improved Evasion, Sophistication." Proofpoint researchers have identified Amatera Stealer, a rebranded and actively developed malware-as-a-service (MaaS) variant of the former ACR Stealer, featuring advanced evasion techniques like NTSockets for stealthy C2 communication and WoW64 Syscalls to bypass user-mode defenses. Distributed via ClearFake web injects and the ClickFix technique, Amatera leverages multilayered PowerShell loaders, blockchain-based hosting, and creative social engineering to compromise victims. With enhanced capabilities to steal browser data, crypto wallets, and other sensitive files, Amatera poses a growing threat in the wake of disruptions to competing stealers like Lumma. Complete our annual audience survey before August 31. The research can be found here: Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    25 min
  • Botnet’s back, tell a friend.

    Botnet’s back, tell a friend.
    Jul 5 2025
    Please enjoy this encore of Research Saturday. This week we are joined by ⁠Silas Cutler⁠, Principal Security Researcher at ⁠Censys⁠, asking the important question of "Will the Real Volt Typhoon Please Stand Up?" The FBI's disruption of the KV Botnet in December 2023, attributed to the Chinese threat group Volt Typhoon, targeted infected systems but did not affect the botnet's control infrastructure. Despite law enforcement efforts and technical exposure, the botnet's infrastructure has remained largely stable, with only changes in hosting providers, raising questions about whether another party operates the botnet. Censys scanning data from 2024 shows a shift in the botnet's control servers, indicating a response to disruption attempts, while the botnet's operators have shown limited efforts to obscure their infrastructure. The research can be found here: ⁠Will the Real Volt Typhoon Please Stand Up? Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    20 min
  • A tale of two botnets.

    A tale of two botnets.
    Jun 28 2025
    This week we are joined by Kyle Lefton, Security Researcher from Akamai, who is diving into their work on "Two Botnets, One Flaw - Mirai Spreads Through Wazuh Vulnerability." Akamai researchers have observed active exploitation of CVE-2025-24016, a critical RCE vulnerability in Wazuh, by two Mirai-based botnets. The campaigns highlight how quickly attackers are adapting proof-of-concept exploits to spread malware, underscoring the urgency of patching vulnerable systems. One botnet appears to target Italian-speaking users, suggesting regionally tailored operations. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. You can find our survey here. The research can be found here: ⁠Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    22 min
  • Signed, sealed, exploitable.

    Signed, sealed, exploitable.
    Jun 21 2025
    Dustin Childs, Head of Threat Awareness at Trend Micro Zero Day Initiative, joins to discuss their work on "ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains." The research explores two critical vulnerabilities (ZDI-23-1527 and ZDI-23-1528) that could have enabled attackers to hijack the Microsoft PC Manager supply chain via overly permissive SAS tokens in WinGet and official Microsoft domains. While the issues have since been resolved, the findings highlight how misconfigured cloud storage access can put trusted software distribution at risk. The post also includes detection strategies to help defenders identify and mitigate similar threats. The research can be found here: ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains Learn more about your ad choices. Visit megaphone.fm/adchoices
    Voir plus Voir moins
    16 min