Click, Call, Compromise: Inside the Latest Loader Campaigns

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Microsoft researchers Kelsey Clapp and Anna Seitz to examine two major cybercrime campaigns. The team unpacks Storm 2561’s use of SEO poisoning to distribute Trojanized software like SilentRoute and Bumblebee, stealing VPN credentials and paving the way for ransomware brokers. 

They also dive into Storm 1811’s ReadBed malware, a loader deployed through bold social engineering tactics, such as fake IT help desk calls via Teams, that enable lateral movement and ransomware deployment. The discussion highlights how modern threat actors exploit trust, extend attack chains, and continually evolve their techniques, underscoring the importance of vigilance, strong security controls, and verifying before trusting.

In this episode you’ll learn:     

• How Storm 2561 uses SEO poisoning to trick users into downloading Trojanized software

• The role of trust, urgency, and habit in social engineering tactics

• Practical steps organizations can take to block these threats and strengthen defenses

Some questions we ask:    

• Why are initial access loaders such a big risk for organizations?

• How are threat actors using fake IT help desk calls to gain access?

• What steps should defenders take to cut off these entry points?

  
  

Resources: 

View Anna Seitz on LinkedIn

View Kelsey Clapp on LinkedIn 

View Sherrod DeGrippo on LinkedIn 

Related Microsoft Podcasts:

• Afternoon Cyber Tea with Ann Johnson

• The BlueHat Podcast

• Uncovering Hidden Risks    

  
  

Discover and follow other Microsoft podcasts at microsoft.com/podcasts 

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.