DISCARDED: Tales From the Threat Research Trenches

Proofpoint
Aug 12, 2025 • 43min

Phish, Chips & Voldemort: Inside China’s Cyber Targeting of Taiwan

Hello to all our Cyber Panda Bears! In this extra-packed episode of Discarded, host Selena Larson and guest host Sarah Sabotka reunite with Staff Threat Researcher Mark Kelly to dive deep into China-aligned espionage activity, this time with a focus on Taiwan's semiconductor ecosystem and the strange, stealthy tools threat actors are using to get in.

Mark walks us through Proofpoint's latest research on custom malware (yes, "Voldemort" is back), threat clusters with pun-filled names like UNK_SparkyCarp and UNK_DropPitch, and why Taiwan's chip industry has become such a hot target. From design and manufacturing to financial analysts and supply chains, Chinese state-aligned actors are getting more creative and more persistent.

We also unpack:
- The "Phish & Chips" campaign and how it fits into China's broader geopolitical strategy
- Why pop culture references like Voldemort and Mr. Robot keep showing up in espionage infrastructure
- Attribution headaches, including Proofpoint's tracking of multiple unattributed threat clusters with UNK designators
- How AI, LLMs, and adversary-in-the-middle phishing are influencing espionage tactics
- The use of RMM tools and spoofed macOS folders for stealth
- Why basic backdoors are making a strategic comeback
- A threat intel team's deep love for vegetables, puns, and report titles

Whether you're tracking state-sponsored cyber activity, curious about weird malware names, or just here for the expert banter, this episode has you covered.

Resources Mentioned:
- Phish & Chips: Chinese Espionage Activity Targeting Taiwan's Semiconductor Ecosystem

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
Jul 29, 2025 • 38min

Threat Actor Theater: TA2541, TA558, and the Cyber Heist Crew TA582

Joe Wise, a Senior Threat Researcher at Proofpoint, dives into the world of mid-tier eCrime actors, focusing on TA2541, TA558, and the enigmatic TA582. He reveals how TA2541 and TA558 maintain consistent targeting lures while TA582 showcases a multilayered approach with regional flavors, like vintage car sales and fake speeding tickets. The conversation highlights the complexity of TA582’s attack chains and evolving payloads, alongside the collaboration dynamics in the cybercrime ecosystem that resemble an 'Ocean's Eleven' scenario.
Jul 15, 2025 • 56min

10 Things I Hate About Attribution: A Clustering Conundrum

In this engaging discussion, Greg Lesnewich, a Staff Threat Researcher at Proofpoint, dives into the complexities of threat attribution. He shares a lighthearted rant on the frustrations of identifying cybercriminals, focusing on TA829 (RomCom) and the tricky GreenSec cluster. Greg unpacks malware tactics, particularly the elusive TransferLoader, and the challenges of distinguishing between e-crime and espionage. The conversation concludes with humorous comparisons of e-crime groups to pop icons, leaving listeners both entertained and enlightened.
Jul 1, 2025 • 53min

Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook

Hello to all our Cyber Pals! In this episode of Discarded, host Selena Larson and co-host Sarah Sabotka are joined by Saher Naumaan and Greg Lesnewich, teammates on the espionage threat research team at Proofpoint, to unravel the multifaceted, and often bizarre, world of North Korean cyber operations.

The team explores:
- What sets DPRK's threat actors apart from other nation-state groups
- A closer look at North Korea's cyber and physical support for Russia in Ukraine
- How cyber activity plays a central role in North Korea's national strategy, not just a supporting one
- The phishing-heavy tactics of groups like TA427 ("Old Reliable") and the emergence of oddball clusters like "Contagious Interview" and "UNK RageQuit"
- How North Korean actors blur the lines between espionage and financially motivated cybercrime
- The murky world of North Korean IT workers infiltrating global tech companies under false identities, raising critical questions about workplace exposure, ethics, and potential defections
- The surprising ways some of these operatives sabotage themselves, including infections with common malware that expose their digital behavior
- And yes, a Microsoft spoofing campaign actually using Comic Sans

North Korean cyber activity is evolving fast, and they explain why it deserves far more attention than it gets.

Resources Mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
- https://spycloud.com/blog/spycloud-march-cybercrime-update/
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
Jun 18, 2025 • 44min

Signatures and Surprises: Inside the Emerging Threats Team

Hello to all our Cyber Masked Vigilantes! In this episode of Discarded, host Selena Larson and co-host Tim Kromphardt are joined by James Emery-Callcott, a Security Researcher on Proofpoint's Emerging Threats team, for an insider's look at the technical, tactical, and collaborative forces shaping modern network detection.

James takes us behind the curtain of rule writing, CVE coverage, and malware detection, breaking down how signatures are developed, validated, and deployed to protect against a constantly shifting threat landscape. From the fading heyday of exploit kits to the rise of infostealers and ClickFix, we explore how detections evolve, and why the most persistent threats often hinge on the fundamentals of networking.

You'll also hear how the team maps detection rules to frameworks like MITRE ATT&CK and CISA KEV, using metadata tags to reduce alert fatigue and prioritize real-world risks. James shares why this kind of tagging isn't just technical polish: it's operational gold.

But detection doesn't happen in a vacuum. James explains how the community, through Discord chats, support tickets, and collaborative research, plays a vital role in surfacing false positives, sharing POCs, and suggesting metadata improvements.

Bonus highlights include:
- Why writing reliable detection rules is still too nuanced for AI
- The anatomy of a CVE rollout (and the surprising role of an Xbox controller)
- Signature performance testing and hardware challenges
- Why older vulnerabilities still matter
- A sneak peek at a free Suricata training series in the works

Whether it's a shoutout to Tony for pushing tagging innovation or a nod to students eager to get started, the message is clear: everyone can contribute to better detection.

Resources Mentioned:
- CrazyHunter: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
- https://www.proofpoint.com/us/blog/threat-insight/emerging-threats-updates-improve-metadata-including-mitre-attck-tags
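The metadata tagging this episode describes is easiest to appreciate with a rule in hand. The block below is an added example, not code from Proofpoint or the Emerging Threats team: a small Python parser that pulls the metadata keyword out of Suricata rules and ranks them by signature severity and ATT&CK tactic so a SOC can surface the rules that matter first. The key names (mitre_tactic_id, mitre_technique_id, signature_severity, deployment) and the severity labels are assumed to follow the key/value convention ET uses in its rule metadata; the three rules, their SIDs and the tactic watch list are constructed for the demo. The second rule deliberately carries a ';' inside its msg to show why option splitting has to be quote-aware.

```python
"""Rank Suricata/ET-style rules by their metadata tags.

Added example to accompany the discussion of metadata tagging; not code from
Proofpoint or the Emerging Threats team. Metadata key names and severity
labels are assumed to follow the ET key/value convention. The rules below are
constructed for the demo (SIDs in the 9000000 range are made up); the ATT&CK
IDs are real: TA0010/T1041 exfiltration, TA0001/T1190 initial access.
"""
from typing import Dict, List

SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"DEMO MALWARE Stealer Exfil POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; classtype:trojan-activity; sid:9000001; rev:1; metadata:created_at 2025_06_01, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, signature_severity Major, deployment Perimeter;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DEMO INFO SMB Header; Session Setup"; flow:to_server; content:"|ff|SMB"; classtype:protocol-command-decode; sid:9000002; rev:1; metadata:created_at 2024_01_10, signature_severity Informational, deployment Internal;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"DEMO EXPLOIT Directory Traversal Attempt"; flow:established,to_server; http.uri; content:"/../../"; classtype:attempted-admin; sid:9000003; rev:2; metadata:created_at 2025_03_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, signature_severity Critical, deployment Perimeter;)
'''

# Assumed ET-style severity labels, lowest to highest.
SEVERITY_RANK = {"Audit": 0, "Informational": 1, "Minor": 2, "Major": 3, "Critical": 4}

# Tactics this (hypothetical) SOC wants surfaced first.
WATCH_TACTICS = frozenset({"TA0001", "TA0010", "TA0011"})


def split_options(rule: str) -> List[str]:
    """Split the option body of one rule on ';', ignoring ';' inside double
    quotes so a msg:"..." or content:"..." value is not cut in half."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts: List[str] = []
    cur: List[str] = []
    in_quote = False
    prev = ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule: str) -> Dict[str, object]:
    """Extract sid, msg and the metadata map (key -> list of values; keys such
    as mitre_technique_id may legitimately repeat) from one rule line."""
    info: Dict[str, object] = {"sid": None, "msg": "", "metadata": {}}
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            info["sid"] = int(val)
        elif key == "msg":
            info["msg"] = val.strip('"')
        elif key == "metadata":
            meta: Dict[str, List[str]] = {}
            for pair in val.split(","):
                k, _, v = pair.strip().partition(" ")
                meta.setdefault(k, []).append(v.strip())
            info["metadata"] = meta
    return info


def priority(info: Dict[str, object]) -> int:
    """Score a parsed rule: severity rank, plus 2 if it maps to a watched tactic."""
    meta = info["metadata"]
    sev = max((SEVERITY_RANK.get(s, 0) for s in meta.get("signature_severity", [])), default=0)
    boost = 2 if WATCH_TACTICS & set(meta.get("mitre_tactic_id", [])) else 0
    return sev + boost


def rank_rules(text: str, min_score: int = 3) -> List[Dict[str, object]]:
    """Parse every 'alert' line, drop rules below min_score, highest score first."""
    rules = [parse_rule(ln) for ln in text.splitlines() if ln.strip().startswith("alert")]
    kept = [r for r in rules if priority(r) >= min_score]
    return sorted(kept, key=priority, reverse=True)


if __name__ == "__main__":
    for r in rank_rules(SAMPLE_RULES):
        m = r["metadata"]
        print(priority(r), r["sid"], r["msg"], m.get("mitre_tactic_id"), m.get("mitre_technique_id"))
```

With the constructed rules the Informational SMB rule drops out and the two tagged with a watched tactic come back first, Critical ahead of Major. The same parse can feed an EVE alert pipeline: look the alert's SID up in the parsed map and attach the tactic and severity to the event before it reaches an analyst.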
Jun 4, 2025 • 52min

DBIR Deep Dive: Identity, Access, and the Expanding Attack Surface

Hello to all our Cyber Stars! Join host Selena Larson and guest host Sarah Sabotka as they sit down with Alex Pinto, Associate Director of Threat Intelligence at Verizon Business and the lead author behind the industry-defining Verizon Data Breach Investigations Report (DBIR). Together, they unpack the most pressing findings from the brand new VZDBIR, offering a behind-the-scenes look at how the reports are built and what they reveal about today's rapidly evolving threat landscape.

Alex shares how the editorial strategy behind the DBIR helps translate raw data from 100+ contributors into actionable insights and compelling narratives. The conversation dives into:
- The surge in zero-day vulnerabilities and growing threats tied to network edge devices
- Why third-party risk is skyrocketing, and what that means for vendor relationships
- How ransomware groups are maturing and reinvesting like modern businesses
- The alarming rise of credential abuse via MFA-bypassing phishing kits and information stealers
- Why identity is now the primary target, and how defenders can introduce friction without killing usability
- The limitations of current threat categorization and whether full attack chain visualizations should be next

Whether you're here for the acronyms, the insights, or just want to win at cyber threat bingo, this episode is a must-listen for anyone navigating the modern security landscape.

🎧 Tune in to hear why "DBIR Day" matters, and how this year's findings may be more personal than ever.

Resources Mentioned:
- https://www.verizon.com/business/resources/reports/dbir/
May 14, 2025 • 36min

The ClickFix Convergence: How Threat Actors Blur the Lines

Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest host Sarah Sabotka as they chat with Saher Naumaan, Senior Threat Researcher at Proofpoint, for a deep dive into how modern espionage and cybercrime are increasingly blurring lines.

At the center of the conversation is ClickFix, a fast-evolving social engineering technique originally used by cybercriminals but now adopted by espionage actors across at least three countries in just 90 days. We explore:
- How threat actors are borrowing each other's tactics, techniques, and procedures (TTPs), creating "muddled attribution" as espionage groups mimic high-volume e-crime methods
- How these techniques are being tailored to target high-value, often non-technical individuals
- What defenders can do in the face of increasingly sophisticated psychological attacks

Resources Mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
Apr 29, 2025 • 58min

The Art of the Innocent Ask: How Threat Actors Use Benign Conversations

Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest hosts Tim Kromphardt and Sarah Sabotka, both Senior Threat Researchers at Proofpoint. These top sleuths crack open Proofpoint's new Human Factor series and explore one of the most deceptively dangerous tactics in a threat actor's playbook: the benign conversation.

What exactly is a benign conversation, and why is it anything but harmless? Whether it's a simple "Do you have a minute?" or a seemingly legit job offer, these messages are often the opening moves in complex social engineering attacks used for fraud, malware delivery, and even nation-state espionage.

The team dives into:
- The top five fraud-related benign conversation themes, including the rise of advanced fee fraud
- Real-world examples of job scams, gift card requests, and a Taylor Swift-themed lure
- The difference between financially motivated lures and espionage-style social engineering
- How Iranian and North Korean threat actors are perfecting the art of trust-building through impersonation and tailored messages
- TOAD scams (Telephone-Oriented Attack Delivery) and the power of fear and urgency
- The critical role of spoofing in making these attacks believable
- The human toll and psychological manipulation behind scams like pig butchering, and why acknowledging the abuse behind them matters

From hijacked contact forms and fake antivirus invoices to AI-generated phone calls and scam compounds, this episode blends serious security insight with Friday vibes and candid discussion. Whether you're a seasoned threat analyst or just here for the "lure-palooza," you'll walk away with a sharper eye for red flags and a deeper understanding of the evolving cyber threat landscape.

Resources Mentioned:
- 🔍 Read the full report: https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering
Apr 9, 2025 • 47min

Diving Into Cyber Journalism: FOIA, Fraud, and the Fight Against Online Threats

Hello to all our Cyber Cherry Blossoms! Join host Selena Larson and guest host Tim Kromphardt, a Senior Threat Researcher, as they chat with Andrew Couts, Senior Editor, Security and Investigations at WIRED.

Andrew shares insights into his work overseeing cybersecurity coverage and investigative reporting, collaborating with newsrooms, and uncovering the hidden threats lurking in the digital world.

We dive into how cybersecurity and privacy reporting has evolved, the growing risks posed by data collection and surveillance, and the challenges of informing the public around security experimentation. We also discuss:
- Recent investigations on ad tech, police drone surveillance, and the unintended consequences of data tracking
- The rise of "pig butchering" scams and the difficulties in shutting them down
- How the Freedom of Information Act (FOIA) serves as a powerful tool for uncovering hidden government actions
- The real-world dangers journalists face when reporting on cybercriminals, such as swatting and online retaliation
- The double-edged sword of privacy: how encryption and digital anonymity can both protect individuals and make it harder to track cybercriminals

Join us for a fascinating deep dive into the world of digital security, investigative journalism, and the real-life implications of living in an era where our data is constantly at risk.

Resources Mentioned:
- Leveling Up Your Cybersecurity: WIRED Guide
- https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/
- https://www.wired.com/story/the-age-of-the-drone-police-is-here/
- https://www.wired.com/story/starlink-scam-compounds/
- https://www.wired.com/story/alan-filion-torswats-swatting-arrest/
- https://www.wired.com/story/no-lives-matter-764-violence/ (Content warning: self-harm, violence)
- https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/
- https://www.wired.com/story/how-to-take-photos-at-protests/
Mar 25, 2025 • 38min

RMM Tools: The New Cybercrime Trick?

Hello to all our Remote Cyber Pals! Join host Selena Larson and guest host Tim Kromphardt, a Senior Threat Researcher, as they chat with Staff Threat Researcher Ole Villadsen from Proofpoint. They explore the broader shift from traditional malware to commercially available tools that fly under the radar, and how cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) tools (sometimes called Remote Access Software) to gain initial access in email-based attacks.

Topics Covered:
- The growing use of tools like ScreenConnect, Atera, and NetSupport in cyberattacks
- How threat actors are shifting from traditional malware loaders to commercially available tools
- TA583's adoption of RMM tools as a primary attack method
- The role of social engineering in phishing lures, including Social Security scams
- The impact of cybersecurity influencers and scam-baiting YouTubers on threat awareness
- The ongoing arms race between cybercriminals and defenders

From stealthy intrusions to shifting cybercrime trends, this conversation uncovers the critical threats organizations face in 2025.

Resources Mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
