DISCARDED: Tales From the Threat Research Trenches

Proofpoint
Apr 14, 2026 • 34min

Magic Packets & Stealth Backdoors: The Art of Detection Engineering

Hello to all our Cyber Daffodils! Host Selena Larson and guest host Tim Kromphardt sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.

From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand.

You’ll also hear:
- How detection engineers balance accuracy and performance when writing IDS/IPS signatures
- Why some advanced malware can remain undetected for years—and whether we’re simply not seeing it
- How historic leaks like Shadow Brokers still influence modern attack techniques
- The role of “pattern matching” in identifying evolving malware behaviors
- How file metadata and revoked certificates can reveal threats hiding in plain sight
- Why community collaboration and feedback loops are critical to stronger detections

Whether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques.

Resources Mentioned:
- https://community.emergingthreats.net/
- https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
- https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/
- https://github.com/x0rz/EQGRP

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
Mar 26, 2026 • 38min

Regional Threats, Global Impact: A TA2725 Case Study

Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.”

From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex.

You’ll also hear:
- How threat actors “graduate” to official TA designations (and why it’s a big win for researchers)
- The impact of law enforcement disruptions on major malware operations like Grandoreiro
- Why Latin America’s banking infrastructure shapes cybercrime tactics differently
- The rise (and fall) of RMM tools in TA2725’s playbook
- What clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystem

Whether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide.
Mar 10, 2026 • 43min

TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem

Hello to all our Cyber Pals! Host Selena Larson and co-host Tim Kromphardt chat with Tommy Madjar, Senior Threat Researcher from Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.

What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”

Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools.

The conversation also dives into:
- The explosion of legitimate RMM abuse in cybercrime
- How AI-assisted “vibe coding” is lowering the barrier to entry for malware development
- The surprising operational security failures that exposed both the malware author and their customers
- Connections to past crimeware activity and possible ties to known actors
- The rapid evolution of the “Connect” malware family, including newly spotted variants
- How Proofpoint disrupted the operation by working with partners to revoke certificates and take down infrastructure

Along the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals?

Resources Mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat
Feb 26, 2026 • 50min

AI as a Tool, Not a Replacement: Malware Research in the Age of LLMs

Hello to all our Cyber Pals! Host Selena Larson and co-host Sarah Sabotka chat with Kyle Cucci and Dr. Chris Wakelin, Threat Researchers from Proofpoint. They unpack how artificial intelligence is shaping modern malware analysis and detection workflows. The conversation explores how large language models are already embedded in day-to-day security operations—from accelerating rule creation and tooling development to helping analysts quickly interpret complex malware behavior.

Drawing on real-world examples from the team’s work, the episode highlights both the promise and the limitations of AI in cybersecurity. Chris and Kyle share how AI can streamline tedious reverse-engineering tasks, compare malware variants, and surface insights faster—while emphasizing the ongoing need for expert validation, thoughtful prompting, and a human-in-the-loop approach to ensure accuracy and reliability.

We also discuss:
- Practical ways AI is used today to support malware reverse engineering and detection development
- Prompting strategies that help reduce hallucinations and improve analysis outcomes
- The role of MCP (Model Context Protocol) and emerging agentic AI concepts in security tooling
- Indicators and characteristics of AI-assisted malware development
- Real-world examples of prompt injection attempts within malicious code
- Whether AI-generated malware meaningfully changes defender workflows or primarily increases speed and scale
- How defenders and threat actors alike are leveraging the same AI capabilities across the threat landscape

Ultimately, this episode offers a balanced look at AI’s growing influence in cybersecurity—showing how intelligent tools can amplify analyst effectiveness while reinforcing that expertise and critical thinking remain central to effective malware defense.
Feb 10, 2026 • 42min

Snowball Learning: Getting Real About Cybersecurity Training

Hello to all our Cyber Pals! Host Selena Larson and co-host Sarah Sabotka chat with Dr. Bob Hausmann, Lead Cognitive Scientist of Human Risk Management at Proofpoint. They have a timely conversation on whether cybersecurity training actually works and what it takes to make it effective.

They unpack why traditional annual training and phishing simulations often fall short, and how insights from cognitive psychology can help organizations design awareness programs that truly change behavior. Drawing on Dr. Bob’s recent research, the conversation explores just-in-time nudges, microlearning, and how understanding attention, memory, and emotion can make security guidance more actionable in the moments that matter most.

In this episode, they cover:
- Why once-a-year security training shows little impact on real-world behavior
- How just-in-time nudges work and where they fit into security awareness programs
- The role of cognitive load, attention, and repetition in learning and memory
- How amygdala hijack and emotional manipulation factor into phishing success
- Why foundational knowledge is critical for nudges to be effective
- The difference between education-driven nudges and punitive approaches to training
- Practical ways organizations can design training that fits into everyday workflows

This episode offers a research-backed, human-centered look at security awareness—showing why better outcomes depend less on blaming users and more on designing training that works with the brain, not against it.

Resources Mentioned:
- https://www.proofpoint.com/us/blog/security-awareness-training/cybersecurity-nudges-cautionary-tale
Jan 29, 2026 • 45min

Emerging Threats in 2026: Inside Proofpoint’s Detection Playbook

Hello to all our Cyber Pals! Host Selena Larson and co-host Tim Kromphardt chat with Rich Gonzalez, Director of Emerging Threats at Proofpoint, to kick off 2026 with a behind-the-scenes look at how emerging threats are detected, tracked, and turned into real-world protections for defenders.

They explore what it really takes to keep pace with an always-on threat landscape, from rapid response to newly released proof-of-concepts, to why certain vulnerabilities like Log4j continue to dominate attacker activity years later. The conversation also digs into alert fatigue, the realities of SOC burnout, and where automation and AI can genuinely help versus where trust, accuracy, and human judgment still matter most.

In this episode, they cover:
- How Proofpoint’s Emerging Threats team monitors global attacker behavior and delivers fast, high-confidence detections
- What happens behind the scenes when a proof-of-concept drops (especially during holidays)
- Why some CVEs remain “evergreen” targets and never truly go away
- The balance between speed and accuracy in rule writing without overwhelming SOC teams
- Where AI and machine learning are being used today to reduce tedious work and improve triage
- The risks of over-automation, hallucinations, and untrusted intelligence in security workflows
- What’s coming in 2026, including more frequent rule releases and more detection coverage

This episode offers a candid, practitioner-driven view of modern threat detection—highlighting why adaptability, transparency, and human expertise remain essential as defenders head into 2026.
Dec 31, 2025 • 57min

Operation EndOfYear: New Malware, Popular Tactics, and Where AI Is Taking Us

Hello to all our Cyber Elves! Host Selena Larson chats with Daniel Blackford, Vice President of Threat Research at Proofpoint, for an end-of-year look at how the cyber threat landscape evolved—and what defenders should be preparing for in 2026.

They reflect on how the second half of 2025 brought meaningful shifts in attacker behavior, with familiar techniques becoming more professionalized and new malware emerging alongside identity-focused attacks. The conversation also explores why attribution is getting harder, how law enforcement disruptions are reshaping cybercrime ecosystems, and where AI is genuinely helping defenders versus introducing new risks.

In this episode, they cover:
- How attacker tactics “proliferated” in 2025 rather than being fully reinvented
- The return of new malware families alongside loaders and backdoors
- Why identity, social engineering, and legitimate tools (RMMs, device code phishing) remain top attack vectors
- The real-world impact of law enforcement takedowns like Operation Endgame
- How shared tooling and services are blurring attribution across threat actors
- Practical, no-hype perspectives on AI, machine learning, and defender workflows
- What organizations should focus on now to stay resilient in 2026

This episode offers a grounded, experience-driven perspective on what actually mattered in 2025—and why strong fundamentals, layered defenses, and adaptability remain the best preparation for whatever comes next.

Resources Mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
- https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged
- https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1022.pdf
- https://www.microsoft.com/en-us/research/wp-content/uploads/2025/01/lee_2025_ai_critical_thinking_survey.pdf
Dec 9, 2025 • 34min

Ho-Ho-Hold Up—Is That Message Real? Bad Santas Are Sending Seasonal Scams

Happy Holidays to all our Cyber Pals! Host Selena Larson and co-guest ho-ho-ho hosts Tim Kromphardt & Sarah Sabotka unwrap the surprising (and sometimes clever) ways cybercriminals use seasonal themes to trick both consumers and enterprises.

From fake party invites and too-good-to-be-true discounts to holiday-flavored malware and RMM delivery, the team breaks down how threat actors capitalize on increased spending, lower vigilance, and year-end business pressure. They share real examples—like “free Christmas tree” scams, fake travel itineraries, smishing campaigns, and even malware hidden behind a Christmas caroling invitation.

You’ll also hear:
🎁 Why holiday-themed lures work so well
🎁 How scammers tailor their tactics to shifting consumer behavior
🎁 The rise of SMS scams, malvertising, and SEO-poisoned shopping searches
🎁 What enterprises should watch for as employees mix work and personal activity
🎁 Why energy drinks are (shockingly) a hot commodity in cargo theft schemes
🎁 Practical tips to stay safe—whether you’re holiday shopping or closing year-end invoices

Before you head off for vacation, join us for a fun, insightful, and very festive breakdown of the seasonal threats that might be landing under your digital tree this year.
Nov 18, 2025 • 38min

From Toasters to Botnets: Securing Everyday IoT

Hello to all our Cyber Squirrels! Host Selena Larson and guest host Tim Kromphardt sit down with Tony Robinson, Senior Security Research Engineer and “rule magician” from Proofpoint’s Emerging Threats team. Tony shares the story behind IoT Hunter, an open-source tool he created to automate writing detection rules for Internet of Things (IoT) vulnerabilities.

From routers and smart cameras to industrial control systems, Tony breaks down how IoT Hunter helps researchers and defenders cover hundreds of CVEs — from long-forgotten exploits to newly discovered zero-days.

The trio dives into:
- Why IoT devices remain a major attack vector for threat actors and botnets
- What kinds of vulnerabilities IoT Hunter detects (and how it’s not AI)
- The surprising persistence of outdated frameworks like Boa HTTPd
- Real-world examples of IoT exploitation — from ransomware via smart cameras to botnets made of toasters
- Practical steps anyone can take to secure home and small business devices

This episode uncovers the risks and realities behind our increasingly connected world — and how automation and community collaboration are helping defenders keep up.

Resources Mentioned:
- community.emergingthreats.net
- https://community.emergingthreats.net/t/iot-hunter-public-release/3024
- https://community.emergingthreats.net/t/cybersecurity-awareness-month-iot-and-soho-devices/3095
Nov 4, 2025 • 55min

Elect More Hackers: Tech Skills for Real-World Change

Hello to all our Cyber Squirrels! Can hackers make great public servants? Host Selena Larson and co-guest hosts Sarah Sabotka and Tim Kromphardt sit down with Andrew Brandt, Founder and Executive Director of Elect More Hackers — a nonprofit on a mission to get more cybersecurity and tech-minded thinkers into elected office.

Together, they explore how hackers and technologists can bring their problem-solving mindset into civic life — from teaching digital safety at local libraries to advising lawmakers on cyber hygiene, data privacy, and AI policy. Andrew unpacks why infosec professionals are uniquely equipped to tackle systemic issues like the “enshittification” of online platforms, the right-to-repair movement, and the privacy nightmare of “smart” cars.

The conversation dives into the surprising cybersecurity gaps in government, how social engineering and lobbying overlap, and why civic engagement shouldn’t stop at voting. You’ll also hear how even small acts — like community outreach or helping shape local school tech policies — can lead to smarter, safer public systems.

Whether you’re a hacker or a policy nerd, this episode will inspire you to plug in locally, build trust, and maybe even run for office yourself.

🎙️ Tune in to learn:
- Why hackers and technologists make great problem-solvers in politics
- How policies like right-to-repair and data privacy affect everyone
- Practical ways cybersecurity professionals can engage civically — even without running for office

Think civic engagement isn’t for you? Think again — this conversation shows how even small actions from tech-minded thinkers can create big change.

Resources Mentioned:
🔗 Learn more: electmorehackers.com