Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• NSA, Allies Report on Salt Typhoon
• UK and allies expose China tech companies
• Joint Advisory on Salt Typhoon (IOCs)
• Dutch providers targeted by Salt Typhoon
• Silent Control: The Hidden Penetration of MystRodX
• Google previews cyber ‘disruption unit'
• Anthropic report on misuse of Claude AI
• WhatsApp 0day exploited (iOS attack chain)
• RationalEdge - Intelligence Meets Accuracy
• LABScon Speakers 2025