Research Saturday

Today we are joined by Selena Larson, Threat Researcher from Proofpoint research team and co-host of Only Malware in the Building, talking about their work on "(Don't) TrustConnect: It's a RAT in an RMM hat." Proofpoint uncovered TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring and management (RMM) tool, but actually functioning as a remote access trojan (RAT) sold to cybercriminals for $300/month. The operation used a fake business website, legitimate-looking certificates, and branded installers (like fake Microsoft Teams or Zoom apps) to trick victims, while providing attackers with full remote control, file transfer, and surveillance capabilities. Although parts of its infrastructure were disrupted, the threat actor quickly rebounded with new variants, highlighting both the resilience of the operation and its deep ties to the broader cybercriminal ecosystem abusing RMM tools. The research and executive brief can be found here: (Don't) TrustConnect: It's a RAT in an RMM hat Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Santiago Pontiroli, Threat Intelligence Research Lead from Acronis TRU team, discussing their work on "New year, new sector: Transparent Tribe targets India’s startup ecosystem." The Acronis Threat Research Unit uncovered a new campaign by Transparent Tribe showing the group has expanded beyond traditional government and defense targets to India’s startup ecosystem, especially cybersecurity and OSINT-focused firms. The attackers use startup-themed lures delivered via ISO files and malicious shortcuts to deploy Crimson RAT, a highly obfuscated tool capable of surveillance, data theft, and system control. Despite this shift, the campaign closely mirrors the group’s long-standing espionage tactics, suggesting startups are being targeted for their connections to government, law enforcement, and sensitive intelligence networks. The research and executive brief can be found here: New year, new sector: Transparent Tribe targets India’s startup ecosystem Learn more about your ad choices. Visit megaphone.fm/adchoices

Omer Ninburg, CTO of Novee Security, joins us on this episode of Research Saturday to discuss their work on "From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs." Historically, Portable Document Formats – the immutable, localized PDF – was once considered a “safe” component inside enterprise environments. That is no longer the case. To demonstrate how PDF services and engines can be exploited, the team at Novee used their proprietary, multi-agent LLM system to uncover vulnerability patterns, and systematically scale them into a broad discovery campaign across two PDF vendor ecosystems. The research uncovered 16 verified vulnerabilities across client-side PDF viewers, embedded plugins, and server-side PDF services. The research and executive brief can be found here: ⁠From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs Hacker-Trained AI Discovers 16 New 0-Day Vulnerabilities in PDF Engines Learn more about your ad choices. Visit megaphone.fm/adchoices

Yuval Avrahami from Wiz joins to share their work on "CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild." Wiz Research uncovered “CodeBreach,” a critical supply chain vulnerability caused by a subtle misconfiguration in AWS CodeBuild pipelines that allowed attackers to take over key GitHub repositories, including the widely used AWS JavaScript SDK that powers the AWS Console. By exploiting an unanchored regex filter, unauthenticated attackers could trigger privileged builds, steal credentials, and potentially inject malicious code into software used across a majority of cloud environments. AWS has since remediated the issue and introduced stronger safeguards, but the incident highlights a growing trend of attackers targeting CI/CD pipelines where small misconfigurations can lead to massive downstream impact. The research can be found here: CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Or Eshed, Co-Founder and CEO from LayerX Security, discussing their work on "How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts." Researchers uncovered a coordinated campaign of 16 malicious browser extensions posing as ChatGPT productivity tools while secretly stealing user accounts. The extensions intercept ChatGPT session authentication tokens and send them to attacker-controlled servers, allowing threat actors to impersonate users and access their conversations, files, and connected services like Google Drive or Slack. The findings highlight how AI-focused browser extensions are creating a new attack surface, emphasizing the need for organizations to closely monitor and restrict third-party AI tools. The research can be found here: ⁠⁠⁠How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Marcelle Lee, cybersecurity consultant and researcher, discussing "CTI tradecraft: Investigating a mobile scareware campaign." She details how a routine click on a Google News story led to a mobile scareware pop-up—and a deeper investigation into a broader campaign. Using free tools like Censys, URLScan, VirusTotal, and CyberChef, she pivoted from two domains to uncover more than 100 related domains, shared infrastructure, and links to questionable antivirus apps in the Google Play Store. The findings are mapped to the MITRE ATT&CK framework, showing how freely available resources can power meaningful, actionable threat intelligence. The research can be found here: ⁠CTI tradecraft: Investigating a mobile scareware campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Dr. Renée Burton, Vice President of Infoblox Threat Intel, discussing "Parked Domains and Direct Search: An Underreported Security Risk." Parked domains are no longer harmless ad pages — new research finds that in today’s “direct search” or zero-click parking ecosystem, more than 90% of visits to certain parked lookalike domains lead to scams, malware, or deceptive content, often hidden behind layers of traffic distribution systems and device fingerprinting. The report details three previously unpublished domain portfolio actors who weaponize typosquatting, DNS manipulation — including rare “double fast flux” techniques highlighted in a 2025 advisory from Cybersecurity and Infrastructure Security Agency — and even misconfigured name server records to evade detection and funnel real users toward malicious advertisers. Beyond malvertising, some parked lookalike domains collect misdirected email, fuel business email compromise, and exploit outdated links — including those surfaced by generative AI — underscoring how a simple typo can expose users and enterprises to significant risk. The research can be found here: Parked Domains Become Weapons with Direct Search Advertising Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we have Tomer Bar, VP of Security Research at SafeBreach Labs, discussing their work on "Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope". In this first installment of SafeBreach’s deep dive into the Iranian-linked APT known as “Prince of Persia,” originally exposed by Palo Alto Networks Unit 42, researchers reveal that the group never truly went dark after 2022—but instead evolved. Led by Tomer, the investigation uncovers new variants of Foudre and Tonnerre malware, expanded campaign scale, active C2 infrastructure through late 2025, and a shift toward Telegram-based command-and-control. The research provides rare, sustained visibility into nearly a decade of Iranian nation-state cyber operations, offering fresh indicators of compromise and insight into how the group continues to refine its tooling, obfuscation, and targeting. The research can be found here: Prince of Persia, Part 1: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope Learn more about your ad choices. Visit megaphone.fm/adchoices

Today we have Ziv Mador, VP of Security Research from LevelBlue SpiderLabs discussing their work on "SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp." Researchers at LevelBlue SpiderLabs have identified a new Brazilian banking Trojan dubbed Eternidade Stealer, spread through WhatsApp hijacking and social engineering campaigns that use a Python-based worm to steal contacts and distribute malicious MSI installers. The Delphi-compiled malware targets Brazilian victims, profiles infected systems, dynamically retrieves its command-and-control server via IMAP email, and deploys banking overlays to harvest credentials from financial institutions and cryptocurrency platforms. The campaign reflects the continued evolution of Brazil’s cybercrime ecosystem, combining WhatsApp propagation, geofencing, encrypted C2 communications, and process injection to maintain stealth and persistence. The research can be found here: SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp Learn more about your ad choices. Visit megaphone.fm/adchoices