(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines.

Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 Intro & Pre-Show Banter

Links:

• Transcript
• TLPBLACK Solutions
• Google launches threat disruption unit at RSAC
• White House downplays cyber ‘letters of marque’ speculation
• Haroon Meer on RSAC 2026
• Kaspersky on Coruna/Triangulation Connection
• Apple Security Bulletin - iOS 26.4
• Reverse engineering Apple’s silent security fixes
• New Hong Kong Law on Phone/Laptop Passwords
• Iran-linked hackers breach FBI director's personal email
• US DOJ Disrupts Iranian Cyber Enabled Psychological Operations
• Official Statement on Stryker Network Disruption
• Russia arrests Leakbase admin
• Trivy ecosystem supply chain compromised (Advisory)
• Self-propagating malware poisons open source software and wipes Iran-based machines
• New Malware Targets Users of Cobra DocGuard Software
• FCC bans 'foreign made' consumer routers (PDF)

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it.

Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and Supermicro co-founder $2.5 billion AI chip smuggling bust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript
• Thinkst Canary
• Equation Group: The Crown Creator of Cyber-Espionage
• The Project Sauron APT
• Google: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
• iVerify: Inside DarkSword - A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
• Lookout: Attackers Wielding DarkSword Threaten iOS Users
• Apple statement on Coruna, DarkSword
• Amazon discovers Interlock ransomware hitting enterprise firewalls
• Cisco Secure Firewall Management Center RCE Flaw
• CISA Urges Endpoint Management System Hardening After Stryker Attack
• Stryker statements on wiper network disruption
• Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
• White House Unveils National AI Legislative Framework
• Supermicro Founder Charged with Diverting AI tech to China
• NEBULA:FOG 2026 | AI x Security Hackathon

(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest.

Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• TLPBLACK Solutions
• Kim Zetter: Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
• Stryker Cyberattack Adds to Fears of New Front in Iran War
• Bloomberg: Cyberattack Hits Stryker; Pro-Iran Group Claims Credit
• Who is Handala? (Malpedia)
• Palo Alto: Increased Risk of Wiper Attacks
• CISA Advisories on Iran State-Sponsored Cyber Threat
• Russia state actors targets Signal and WhatsApp accounts
• Dutch intel report on Signal, WhatsApp targeting
• Signal responds to Dutch Intel report
• ESET: Resurgence of one of Russia’s most notorious APT groups
• Poland says foiled cyberattack on nuclear centre may have come from Iran
• Apple ships iOS 16.7.15 to cover 'Coruna' exploits
• Apple iOS 15.8.7 covers 'Coruna' exploit kit
• Detection Engineering #148
• NEBULA:FOG 2026 | AI x Security Hackathon
• Ekoparty Miami (May 21-22, 2026)
• PIVOTcon Agenda

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 88: We unpack the fallout from public documentation of the Coruna iOS exploit kit, the likely connection to the Peter Williams/Trenchant exploit sale to Russians, how it slipped from government hands into criminal use, and the widening use of zero-days by surveillance vendors and cybercriminals.

Plus, fresh signs of cyber-warfare activity tied to Iran and Israel, the FBI’s disclosure of a breach affecting internal surveillance systems, and the latest debate over AI, security tooling, and Anthropic’s public stumbles.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (raw, AI-generated)
• Thinkst Canary (how it works)
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Matthias Frielingsdorf on the mysterious Coruna iOS exploit kit discovery
• Matthias Frielingsdorf on Coruna (raw transcript)
• Coruna-related hashes on VirusTotal
• Kaspersky: No signs Coruna iPhone exploit kit made by US
• Azimuth unlocked the San Bernardino shooter’s iPhone for the FBI
• 2025 Zero-Days in Review (Google)
• FBI investigating ‘suspicious’ cyber activities on critical surveillance network
• Iranian Hacking Groups Go Dark Amid US, Israeli Military Strikes
• Interplay between Iranian Targeting of IP Cameras and Physical Warfare
• Israel says it knocked out Iran’s cyber warfare headquarters
• Amazon Bahrain facility targeted for U.S. military support
• Full transcript of Anthropic CEO Dario Amodei interview
• Codex Security (formerly Aardvark) now in research preview
• NEBULA:FOG 2026 | AI x Security Hackathon

(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Matthias Frielingsdorf (co-founder and VP of Research at iVerify) joins the show to discuss the mysterious US government connection to 'Coruna', an iOS exploit kit fitted with 23 exploits across five full chains targeting iPhones iOS 13 through 17.2.1.

We talk about a "gut feeling" connecting this to the L3 Trenchant/Peter Williams exploit sale scandal, how a nation-state-grade exploit kit ended up in the hands of a Chinese cybercrime group chasing crypto wallets, and what it means that criminal organizations are now deploying iPhone zero-days at scale.

Matthias walks through what iVerify can and can't do on Apple's locked-down platform, why he thinks Apple needs to give defenders more access, the Lockdown Mode debate, the thorny issue of sample sharing in the research community, and practical advice for everyday iPhone users facing a threat landscape that just got a lot more complicated.

Links:

• Raw Transcript
• Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
• iVerify Details First Known Mass iOS Attack
• Coruna: Inside the Nation-State-Grade iOS Exploit Kit (iVerify)
• Wired: A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
• Lockdown Mode or Nothing
• Zero-day reality check: iOS exploitation
• About Lockdown Mode (Apple)
• Charlie Miller on hacking iPhones, Macbooks
• TLPBLACK

(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Huntress threat intelligence analyst Greg Linares shares insights on the modern ransomware ecosystem, including how crews operate like businesses and why Akira, Medusa, RansomHub, and Qilin cause so much damage. Plus, signs of overlap between ransomware and nation-state activity, what “time to ransom” really means for defenders, and why techniques like ClickFix and credential theft keep working at scale.

The conversation also covers the surge in RMM tool abuse, how “living off the land” attacks can unfold without traditional malware, and the basic defenses smaller organizations can prioritize.

Links:

• TLPBLACK
• Transcript
• Huntress 2025 Cyber Threat Report
• Microsoft: Think before you Click(Fix)
• Akira Ransomware
• CISA: Protecting Against Malicious Use of Remote Monitoring and Management Software
• Ep9: The blurring lines between nation-state APTs and the ransomware epidemic
• Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 87: We wake up to news of U.S./Israel military action against Iran and the expected fallout, including Tehran’s cyber capabilities and proxy risks. Plus: Anthropic’s clash with the Pentagon over AI use in warfare, market shockwaves from AI-driven security tools, mass layoffs tied to automation, Trenchant exec sentencing and sanctions in the exploit trade, and fresh questions around Cisco’s SD-WAN breach and supply-chain trust.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary
• Live updates: US and Israel strike Iran
• Episode 80: Hamid Kashfi on the situation in Iran
• ‘Incoherent’: Hegseth’s Anthropic ultimatum confounds AI policymakers
• Anthropic Claude AI Security Tool Wipes Out Over $15 Billion From Cybersecurity Stocks
• CrowdStrike CEO responds to stock price hit
• Designation of Zero-Day Exploits Broker for Theft of U.S. Trade Secrets
• Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
• Trenchant Exec Who Sold Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison
• AWS says AI-augmented threat actor accesses FortiGate devices at scale
• Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
• Anthropic Claud Code Security
• Anthropic: Detecting and preventing distillation attacks
• GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
• iPhone and iPad approved to handle classified NATO information
• Fortinet Achieves Certification for Secure Product Development
• Cisco SD-WAN threat hunting guide
• TLPBLACK
• NEBULA:FOG 2026 | AI x Security Hackathon
• RE//verse Conference

(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 86: We dig into GitLab’s explosive look at North Korea’s “Contagious Interview” APT operation, the scale of fake IT worker infiltration, and what it means for companies chasing cheap talent.

Plus, a fresh batch of already-exploited Ivanti and Dell zero-days, the return of Apple’s shutdown logs, and thoughts on addictive AI coding agents affecting human purpose.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• TLPBLACK
• GitLab exposes North Korean malware tradecraft
• Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets (Seongsu Park)
• Critical Vulnerabilities in Ivanti EPMM Exploited
• Dell RecoverPoint for Virtual Machines Zero-Day
• Dell Bulletin - RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability
• Critical Dell bug exploited for two years
• OpenAI intros Lockdown Mode and Elevated Risk labels in ChatGPT
• OpenAI is rebranding Aardvark
• Anthropic Claude Code Security
• Jason Lang: Real Human Concerns In The Age of AI
• JAGS' batteries-included Claude Code SDLC config
• RE//verse Conference
• NEBULA:FOG 2026 | AI x Security Hackathon

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 85: Top stories this week include drone incursions over El Paso and the murky line between cartel activity, anti-drone tech testing, and full-blown hybrid warfare; updates on the Notepad++ supply chain fallout; Microsoft’s zero-day treadmill and AI-enabled attack surfaces; and Apple’s “extremely sophisticated” iOS exploits.

Plus, Europe’s growing appetite for offensive cyber, Palo Alto and the uncomfortable politics of cyber attribution, Singapore on telco intrusions, and the economics of end-of-life infrastructure.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Thinkst Canary - Customer Love
• What We Know About the El Paso Airspace Shutdown
• El Paso Closure Caused by Firing Anti-Drone Laser
• Notepad++ supply chain hack (new IOCs)
• Ukatemi: Notepad++ attack related samples
• Notepad's new Markdown powers served with a side of RCE
• Microsoft: Windows Notepad App RCE Vulnerability
• iOS 26.3 security advisory (exploited 0day)
• Estonian Foreign Intelligence Service annual report
• PSIRT | FortiGuard Labs High-Risk Advisory
• Germany prepares to attack cyber enemies
• Palo Alto chose not to tie China to hacking campaign for fear of retaliation
• The Shadow Campaigns: Uncovering Global Espionage (Palo Alto)
• Singapore .gov on nation-state telco hacks
• TLP-BLACK
• LABScon 2026

(Presented by Thinkst Canary: Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft’s security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Thinkst Canary - Customer Love
• Transcript (unedited, AI-generated)
• Did a renowned hacker help Jeffrey Epstein get ‘dirt on other people'?
• DOJ releases details alleged talented hacker working for Jeffrey Epstein
• Claude Opus 4.6 \ Anthropic
• 0-Days \ red.anthropic.com
• JAGS' Claude Code SDLC config
• CERT-Ukraine on zero-day attacks via MS Office
• Executive security shuffle at Microsoft
• TLPBLACK: What we know about the Notepad++ supply chain attack
• Lotus Blossom APT targets critical infrastructure via Notepad++.
• Kaspersky: Notepad++ supply chain attack breakdown
• Validin: Exploring the C2 Infrastructure of the Notepad++ Compromise
• Hostinger server unauthorized access case: What happened with Notepad++ and how we resolved it
• Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
• Palo Alto Unit 42: The Shadow Campaigns - Uncovering Global Espionage
• FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled
• Court document: FBI Washington Post Lockdown Mode
• PIVOTcon
• TLP BLACK
• LABScon 2026
• Decipher podcast (Dennis Fisher)
• Detection Engineering newsletter (Zack Allen)