Research Saturday
Recent Episodes
This week, we are joined by Shaked Reiner, Security Principal Security Researcher at CyberArk, who is discussing their research on"Agents Under Attack: Threat Modeling Agentic AI." Agentic AI empowers LLMs to take autonomous actions, like browsing the web or executing code, making them more useful—but also more dangerous. Threats like prompt injections and stolen API keys can turn agents into attack vectors. Shaked Reiner explains how treating agent outputs like untrusted code and applying traditional security principles can help keep them in check.
China’s new cyber arsenal revealed.
Today we are joined by Crystal Morin, Cybersecurity Strategist from Sysdig, as she is sharing their work on "UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell." UNC5174, a Chinese state-sponsored threat actor, has resurfaced with a stealthy cyber campaign using a new arsenal of customized and open-source tools, including a variant of their SNOWLIGHT malware and the VShell RAT. Sysdig researchers discovered that the group targets Linux systems through malicious bash scripts, domain squatting, and in-memory payloads, indicating a high level of sophistication and espionage intent. Their evolving tactics, such as using spoofed domains and fileless malware, continue to blur attribution and pose a significant threat to research institutions, critical infrastructure, and NGOs across the West and Asia-Pacific regions.
Crafting malware with modern metals.
This week, we are joined by Nick Cerne, Security Consultant from Bishop Fox, to discuss "Rust for Malware Development." In pursuit of simulating real adversarial tactics, this blog explores the use of Rust for malware development, contrasting it with C in terms of binary complexity, detection evasion, and reverse engineering challenges. The author demonstrates how Rust's inherent anti-analysis traits and memory safety features can create more evasive malware tooling, including a simple dropper that injects shellcode using lesser-known Windows APIs. Through hands-on comparisons and decompiled output analysis, the post highlights Rust’s growing appeal in offensive security while noting key OPSEC considerations and tooling limitations.
Zach Edwards from Silent Push is discussing their work on "New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks." Silent Push analysts uncovered significant infrastructure used by the Lazarus APT Group, linking them to the $1.4 billion Bybit crypto heist through the domain bybit-assessment[.]com registered just hours before the attack. The investigation revealed a pattern of test entries, VPN usage, and fake job interview scams targeting crypto users, with malware deployment tied to North Korean threat actor groups like TraderTraitor and Contagious Interview. The team also identified numerous companies being impersonated in these scams, including major crypto platforms like Coinbase, Binance, and Kraken, to alert potential victims.
Breaking barriers, one byte at a time.
This week, we are joined by Jon Williams, Vulnerability Researcher from Bishop Fox, discussing "Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware." Bishop Fox researchers reverse-engineered the encryption protecting SonicWall SonicOSX firmware, enabling them to access its underlying file system for security research. They presented their process and findings at DistrictCon Year 0 and released a tool called Sonicrack to extract keys from VMware virtual machine bundles, facilitating the decryption of VMware NSv firmware images. This research builds upon previous work, including techniques to decrypt static NSv images and reverse-engineer other encryption formats used by SonicWall.
