DISCARDED: Tales From the Threat Research Trenches

Proofpoint

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.Welcome to DISCARDED

  1. 9h ago

    OMITB: Trusting the wrong package.

    Send us fan mail! Hello to all our Cyber Pals! This week, we present a special replay of "Only Malware in the Building," the podcast that our host, Selena Larson, also co-hosts! Enjoy! Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Selena Larson⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Proofpoint⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ intelligence analyst and host of their podcast ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠DISCARDED⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by her co-hosts ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠N2K Networks⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ and ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Keith Mularski⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, former FBI cybercrime investigator and now Chief Global Ambassador at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Qintel⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. This week, our hosts dive into the evolving threat of software supply chain attacks and the growing risks facing the open-source ecosystem. As developers increasingly rely on third-party packages and AI-powered coding tools, attackers are finding new ways to abuse trusted software to reach a wider range of targets. The discussion explores why these attacks are becoming more common, what recent incidents reveal about the state of software security, and what organizations can do to better protect themselves. Sources:  ⁠ Shai-Hulud worm returns stronger and more automated than ever before⁠ ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack⁠ What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise

    38 min
  2. Jun 23

    From Phishing to Court Cases: How Microsoft Fights Back Against Hackers

    Send us fan mail! Hello to all our Cyber Pals! Host Selena Larson is joined by Sean Farrell, Assistant General Counsel at Microsoft's Digital Crimes Unit (DCU), to pull back the curtain on how major cyber crime takedowns actually happen and how Microsoft uses civil lawsuits, criminal referrals, and global partnerships to disrupt some of the most damaging cyber crime operations in the world. They discuss: What DCU does and Sean's path from FBI to AWS to MicrosoftHow civil claims like the CFAA and RICO are used to seize infrastructureThe Fox Tempest takedown and its ties to Rhysida ransomwareThe global disruption of the Tycoon 2FA phishing-as-a-service operationHow targets get chosen, and civil vs. criminal actionWhy naming victims changes the public narrative on cyber crimeArrests tied to Octo Tempest/Scattered SpiderThe risks of AI-generated sloppiness in legal and threat intel workDisrupting cyber crime isn't about ending it for good, it's about raising the cost of doing business until bad actors run out of road. Resources Mentioned: https://www.microsoft.com/en-us/corporate-responsibility/customer-security-trust/digital-crimes-unit https://blogs.microsoft.com/on-the-issues/2026/05/19/disrupting-fox-tempest-a-cybercrime-service/ https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas For more information about Proofpoint, check out our website.   Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    52 min
  3. Jun 9

    Diving Into the DBIR: Vulnerabilities, AI, and Supply Chain

    Send us fan mail! Hello to all our Cyber Pals! Host Selena Larson is joined by guest host Sarah Sabotka as they chat with returning guest: Alex Pinto, Associate Director of Threat Intelligence at Verizon Business, and the architect behind the Verizon Data Breach Investigations Report.  Alex joins hosts Selena Larson and Sarah Sabatka to break down the most important findings from this year's report — and there's a lot to unpack. From vulnerabilities overtaking credential abuse as the leading initial access vector, to the sobering reality that organizations are patching more but getting worse outcomes, this year's DBIR paints a complex picture of a threat landscape under pressure. The team also digs into the rise of pretexting and voice-based social engineering, what the data actually says about GenAI and threat actors (spoiler: mostly reinventing the wheel — for now), and why third-party and supply chain compromises are quietly becoming one of the biggest stories in security. They discuss: The VERIS framework and why standardization in threat intelligence mattersRansomware taxonomy, data extortion, and why classification is still a headachePretexting vs. phishing — and why they require completely different defensesVulnerability exploitation as the new number one initial access vectorPatching capacity and why outcomes are getting worse despite more effortWhat the DBIR data actually shows about GenAI usage by threat actorsThird-party and supply chain breaches — up 60% year over yearShadow AI and the emerging DLP problem no one's fully ready forA sneak peek at Verizon's upcoming cost-of-a-data-breach reportThe DBIR drops once a year — make sure you're getting the most out of it with this breakdown straight from the source, all 121 nutritious, fiber-rich pages of it. Resources Mentioned: 2026 DBIR For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    1h 5m
  4. May 12

    A Device Code Explosion: The New Era of AI-Enabled Phishing

    Send us fan mail! Hello to all our Cyber Sunbeams! Host Selena Larson is joined by guest host, Sarah Sabotka as they chat with Jake Gionet to unpack one of the fastest-growing threats in today’s cyber landscape: device code phishing. What started as a niche technique used in red team exercises has quickly evolved into a widely adopted method for account takeover—fueled by publicly available phishing kits and accelerated by AI-assisted tooling. The trio breaks down how device code phishing works, why it’s suddenly everywhere, and how attackers are exploiting legitimate authentication flows to bypass traditional defenses. They also explore the rise of “phishing-as-a-service” platforms like Evil Tokens, the surprising lack of sophistication behind many campaigns, and how AI is both enabling attackers and exposing their mistakes. Along the way, they dig into real-world examples, threat actor missteps, and the blurry line between innovation and imitation in cybercrime. If you’ve been hearing the buzz around device code phishing and want a clear, grounded explanation—without the hype—this episode delivers. Plus, practical insights on what defenders should actually focus on as these techniques continue to evolve. Resources Mentioned: https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover For more information about Proofpoint, check out our website.   Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    53 min
  5. Apr 28

    Champagne with Our Campaigns: A 100th Episode Happy Hour

    Send us fan mail! Hello to all our Cyber Pals, Cyber Centaurs, Cyber Stars, and listeners who have been with us for 100 episodes! It’s our 100th episode—and we’re raising a glass to celebrate. 🥂 Host Selena Larson is joined by long-time guest hosts, Sarah Sabotka and Tim Kromphardt, and honorary host, VP of Proofpoint Threat Research Daniel Blackford, for this commemorative episode of Discarded! We reflect on the journey so far, revisit standout moments, and look ahead to what’s next in cybersecurity. From unforgettable guests and inside jokes to real lessons learned from years of tracking threat actors, this episode is part celebration, part reflection, and part unfiltered cyber chat. We dig into: Favorite podcast guests and the insights that stuck with usThe reality vs. hype of AI in cybersecurity (and what’s actually useful)How threat actors are evolving—and where they’re… notThe surprising truth about targeting, myths in the industry, and why attackers don’t need to be sophisticated to be effectiveBehind-the-scenes looks at the tools and research we’re building right nowPlus, we answer listener questions, share a few laughs (and a few drinks), and talk about what the next 100 episodes might hold. Whether you’ve been with us since episode one or just discovered the show, this milestone episode is a thank-you to our listeners—and a reminder that cybersecurity is as much about people as it is about technology. Cheers to 100 episodes. 🍾 Resources Mentioned: https://www.nytimes.com/2026/04/04/technology/ai-chatbots-teen-roleplay.html For more information about Proofpoint, check out our website.   Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    1 hr
  6. Apr 14

    Magic Packets & Stealth Backdoors: The Art of Detection Engineering

    Send us fan mail! Hello to all our Cyber Daffodils! Host Selena Larson, and guest Host, Tim Kromphardt, sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden. From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand. You’ll also hear: How detection engineers balance accuracy and performance when writing IDS/IPS signaturesWhy some advanced malware can remain undetected for years—and whether we’re simply not seeing itHow historic leaks like Shadow Brokers still influence modern attack techniquesThe role of “pattern matching” in identifying evolving malware behaviorsHow file metadata and revoked certificates can reveal threats hiding in plain sightWhy community collaboration and feedback loops are critical to stronger detectionsWhether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques. Resources Mentioned: https://community.emergingthreats.net/ https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/ https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/ https://github.com/x0rz/EQGRP For more information about Proofpoint, check out our website.   Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    34 min
  7. Mar 26

    Regional Threats, Global Impact: A TA2725 Case Study

    Send us fan mail! Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.” From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex. You’ll also hear: How threat actors “graduate” to official TA designations (and why it’s a big win for researchers) The impact of law enforcement disruptions on major malware operations like Grandoreiro Why Latin America’s banking infrastructure shapes cybercrime tactics differently The rise (and fall) of RMM tools in TA2725’s playbook What clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystemWhether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide. For more information about Proofpoint, check out our website.   Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    38 min
4.9
out of 5
56 Ratings

About

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.Welcome to DISCARDED

You Might Also Like