Browser attacks without downloads.

Eclypsium researchers Jesse Michael and Mickey Shkatov to share their work on "BadCam - Now Weaponizing Linux Webcams." Eclypsium researchers disclosed “BadCam,” a set of vulnerabilities in certain Lenovo USB webcams that run Linux and do not validate firmware signatures, allowing attackers to reflash the devices and turn them into BadUSB-style tools. An adversary who supplies a backdoored camera or who gains remote code execution on a host can weaponize the webcam to emulate human-interface devices, inject keystrokes, deliver payloads, and maintain persistence — even re-infecting systems after OS reinstalls. The findings were presented at DEF CON 2025, Lenovo issued updated firmware/tools in coordination with SigmaStar, and researchers warn the same vector could affect other Linux-based USB peripherals, underscoring the need for firmware signing and stronger device attestation. The research can be found here: BadCam: Now Weaponizing Linux Webcams Learn more about your ad choices. Visit megaphone.fm/adchoices

John Fokker, Head of Threat Intelligence at Trellix is discussing "Gang Wars: Breaking Trust Among Cyber Criminals." Trellix researchers reveal how the once-organized ransomware underworld is collapsing under its own paranoia. Once united through Ransomware-as-a-Service programs, gangs are now turning on each other — staging hacks, public feuds, and exit scams as trust evaporates. With affiliates jumping ship and rival crews sabotaging each other, the RaaS model is fracturing fast, signaling the beginning of the end for ransomware’s criminal empires. The research can be found here: ⁠⁠⁠⁠Gang Wars: Breaking Trust Among Cyber Criminals Learn more about your ad choices. Visit megaphone.fm/adchoices

Assaf Dahan, Director of Threat Research, Cortex XDR, at Palo Alto Networks, discussing Phantom Taurus, a new China APT uncovered by Unit 42. Unit 42 researchers have identified Phantom Taurus, a newly designated Chinese state-aligned APT conducting long-term espionage against government and telecommunications organizations across Africa, the Middle East, and Asia. Distinguished by its stealth, persistence, and rare tactics, the group has recently shifted from email-focused data theft to directly targeting databases and deploying a powerful new malware suite called NET-STAR, designed to compromise IIS web servers and evade detection. This suite, featuring modular, fileless backdoors and advanced evasion capabilities, marks a significant evolution in Phantom Taurus’ operations and underscores the group’s strategic intelligence-gathering objectives. The research can be found here: ⁠Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Martin Zugec, Technical Solutions Director from Bitdefender, sharing their work and findings on "Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds." Bitdefender Labs has uncovered a newly identified Russian-aligned threat actor dubbed “Curly COMrades,” responsible for espionage campaigns against judicial, government, and energy organizations in Eastern Europe. The group focuses on long-term network access, credential theft, and stealthy persistence techniques — including a never-before-seen backdoor called MucorAgent that hijacks Windows CLSIDs and leverages NGEN for covert execution. By routing data through compromised websites and using tools like curl.exe and proxy relays, Curly COMrades blend malicious traffic with legitimate activity, complicating detection and signaling a highly organized, evolving operation. The research can be found here: Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Nati Tal, Head of Guardio Labs, discussing their work “CAPTCHAgeddon” or unmasking the viral evolution of the ClickFix browser-based threat. CAPTCHAgeddon — Shaked Chen’s deep dive into the ClickFix fake-captcha wave — reveals how a red-team trick morphed into a dominant, download-free browser threat that tricks users into pasting clipboard PowerShell/shell commands and leverages trusted infrastructure, including Google Scripts. Guardio’s DBSCAN-based payload clustering exposes distinct attacker toolkits and distribution paths — from malvertising and compromised WordPress to social posts and Git repos — and argues defenders need behavioral, intelligence-driven protections, not just signatures. The research can be found here: “CAPTCHAgeddon” Unmasking the Viral Evolution of the ClickFix Browser-Based Threat Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by Amanda Rousseau, Principal AI Security Researcher from Straiker, discussing their work on "The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email." Straiker’s research found that enterprise AI agents can be silently manipulated to leak sensitive data, even without user clicks or alerts. By chaining small gaps across tools like Gmail, Google Drive, and calendars, attackers achieved zero-click exfiltration, system mapping, and even policy rewrites. The findings highlight that excessive agent autonomy creates a new attack surface, requiring least-privilege design, runtime guardrails, and continuous red-teaming to stay secure. The research can be found here: The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we are joined by ⁠Selena Larson⁠, co-host of ⁠Only Malware in the Building⁠ and Staff Threat Researcher and Lead Intelligence Analysis and Strategy at ⁠Proofpoint⁠, sharing their work on "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." Proofpoint researchers have identified campaigns where threat actors use fake Microsoft OAuth apps to impersonate services like Adobe, DocuSign, and SharePoint, stealing credentials and bypassing MFA via attacker-in-the-middle phishing kits, mainly Tycoon. These attacks redirect users to fake Microsoft login pages to capture credentials, 2FA tokens, and session cookies, targeting nearly 3,000 Microsoft 365 accounts across 900 environments in 2025. Microsoft’s upcoming security changes and strengthened email, cloud, and web defenses, along with user education, are recommended to reduce these risks. The research can be found here: ⁠Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Jamie Levy, Director of Adversary Tactics at Huntress, who is discussing their work on "Active Exploitation of SonicWall VPNs." Huntress has released an urgent threat advisory on active exploitation of SonicWall VPNs, with attackers bypassing MFA, pivoting to domain controllers, and ultimately deploying Akira ransomware. The campaigns involve techniques such as disabling defenses, clearing logs, credential theft, and Bring Your Own Vulnerable Driver (BYOVD) attacks with legitimate Windows drivers. Organizations using SonicWall devices are strongly advised to disable SSL VPN access or restrict it via IP allow-listing, rotate credentials, and hunt for indicators of compromise as this remains an ongoing and evolving threat. Complete our annual ⁠⁠⁠⁠⁠audience survey⁠⁠⁠⁠⁠ before August 31. The research can be found here: Huntress Threat Advisory: Active Exploitation of SonicWall VPNs Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Dr. Renée Burton, VP of Infoblox Threat Intel, who is discussing their work on VexTrio, a notorious traffic distribution system (TDS) involved in digital fraud. The VexTrio investigation uncovers a massive global ad fraud and scam operation powered by just 250 virtual machines, tying it directly to named individuals and shell companies across Europe. The research exposes VexTrio’s full criminal supply chain—including fake apps, dating scams, affiliate networks, and payment processors—alongside a powerful CDN infrastructure ranked among the world’s top 10k domains. It also calls on the adtech industry to take accountability for enabling and sustaining such widespread abuse. Complete our annual ⁠⁠⁠⁠audience survey⁠⁠⁠⁠ before August 31. The research can be found here: ⁠VexTrio’s Origin Story : From Spam to Scam to Adtech Learn more about your ad choices. Visit megaphone.fm/adchoices

Bob Rudis, VP Data Science from GreyNoise, is sharing some insights into their work on "Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities." New research reveals a striking trend: in 80% of cases, spikes in malicious activity against enterprise edge technologies like VPNs and firewalls occurred weeks before related CVEs were disclosed. The report breaks down this “6-week critical window,” highlighting which vendors show the strongest early-warning patterns and offering tactical steps defenders can take when suspicious spikes emerge. These findings reveal how early attacker activity can be transformed into actionable intelligence, enabling defenders to anticipate and neutralize threats before vulnerabilities are publicly disclosed. Complete our annual ⁠⁠⁠audience survey⁠⁠⁠ before August 31. The research can be found here: Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities Learn more about your ad choices. Visit megaphone.fm/adchoices