
DISCARDED: Tales From the Threat Research Trenches

Proofpoint

101 episodes

  • Magic Packets & Stealth Backdoors: The Art of Detection Engineering

    14/04/2026 | 33 mins.
    Hello to all our Cyber Daffodils! Host Selena Larson and guest host Tim Kromphardt sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.
    From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand.

    You’ll also hear:
      • How detection engineers balance accuracy and performance when writing IDS/IPS signatures
      • Why some advanced malware can remain undetected for years—and whether we’re simply not seeing it
      • How historic leaks like Shadow Brokers still influence modern attack techniques
      • The role of “pattern matching” in identifying evolving malware behaviors
      • How file metadata and revoked certificates can reveal threats hiding in plain sight
      • Why community collaboration and feedback loops are critical to stronger detections
    Whether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques.

    Resources Mentioned:

    https://community.emergingthreats.net/
    https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
    https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/
    https://github.com/x0rz/EQGRP

    For more information about Proofpoint, check out our website.

    Subscribe & Follow:
    Stay ahead of emerging threats, and subscribe! Happy hunting!
  • Regional Threats, Global Impact: A TA2725 Case Study

    26/03/2026 | 38 mins.
    Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.”
    From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex.
    You’ll also hear:
      • How threat actors “graduate” to official TA designations (and why it’s a big win for researchers)
      • The impact of law enforcement disruptions on major malware operations like Grandoreiro
      • Why Latin America’s banking infrastructure shapes cybercrime tactics differently
      • The rise (and fall) of RMM tools in TA2725’s playbook
      • What clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystem
    Whether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide.

    For more information about Proofpoint, check out our website.
    Subscribe & Follow:
    Stay ahead of emerging threats, and subscribe! Happy hunting!
  • TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem

    10/03/2026 | 42 mins.
    Hello to all our Cyber Pals! Host Selena Larson and co-host Tim Kromphardt chat with Tommy Madjar, Senior Threat Researcher from Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.
    What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”
    Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools. 
    The conversation also dives into:
      • The explosion of legitimate RMM abuse in cybercrime
      • How AI-assisted “vibe coding” is lowering the barrier to entry for malware development
      • The surprising operational security failures that exposed both the malware author and their customers
      • Connections to past crimeware activity and possible ties to known actors
      • The rapid evolution of the “Connect” malware family, including newly spotted variants
      • How Proofpoint disrupted the operation by working with partners to revoke certificates and take down infrastructure

    Along the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals? 

    Resources Mentioned:
    https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat
    For more information about Proofpoint, check out our website.
    Subscribe & Follow:
    Stay ahead of emerging threats, and subscribe! Happy hunting!
  • AI as a Tool, Not a Replacement: Malware Research in the Age of LLMs

    26/02/2026 | 50 mins.
    Hello to all our Cyber Pals! Host Selena Larson and co-host Sarah Sabotka chat with Kyle Cucci and Dr. Chris Wakelin, Threat Researchers from Proofpoint. They unpack how artificial intelligence is shaping modern malware analysis and detection workflows.
    The conversation explores how large language models are already embedded in day-to-day security operations—from accelerating rule creation and tooling development to helping analysts quickly interpret complex malware behavior.
    Drawing on real-world examples from the team’s work, the episode highlights both the promise and the limitations of AI in cybersecurity. Chris and Kyle share how AI can streamline tedious reverse-engineering tasks, compare malware variants, and surface insights faster—while emphasizing the ongoing need for expert validation, thoughtful prompting, and a human-in-the-loop approach to ensure accuracy and reliability.
    We also discuss:
      • Practical ways AI is used today to support malware reverse engineering and detection development
      • Prompting strategies that help reduce hallucinations and improve analysis outcomes
      • The role of MCP (model context protocol) and emerging agentic AI concepts in security tooling
      • Indicators and characteristics of AI-assisted malware development
      • Real-world examples of prompt injection attempts within malicious code
      • Whether AI-generated malware meaningfully changes defender workflows or primarily increases speed and scale
      • How defenders and threat actors alike are leveraging the same AI capabilities across the threat landscape
    Ultimately, this episode offers a balanced look at AI’s growing influence in cybersecurity—showing how intelligent tools can amplify analyst effectiveness while reinforcing that expertise and critical thinking remain central to effective malware defense.
  • Snowball Learning: Getting Real About Cybersecurity Training

    10/02/2026 | 42 mins.
    Hello to all our Cyber Pals! Host Selena Larson and co-host Sarah Sabotka chat with Dr. Bob Hausmann, Lead Cognitive Scientist of Human Risk Management at Proofpoint. They have a timely conversation on whether cybersecurity training actually works and what it takes to make it effective.
    They unpack why traditional annual training and phishing simulations often fall short, and how insights from cognitive psychology can help organizations design awareness programs that truly change behavior. Drawing on Dr. Bob’s recent research, the conversation explores just-in-time nudges, microlearning, and how understanding attention, memory, and emotion can make security guidance more actionable in the moments that matter most.
    In this episode, they cover:
      • Why once-a-year security training shows little impact on real-world behavior
      • How just-in-time nudges work and where they fit into security awareness programs
      • The role of cognitive load, attention, and repetition in learning and memory
      • How amygdala hijack and emotional manipulation factor into phishing success
      • Why foundational knowledge is critical for nudges to be effective
      • The difference between education-driven nudges and punitive approaches to training
      • Practical ways organizations can design training that fits into everyday workflows

    This episode offers a research-backed, human-centered look at security awareness—showing why better outcomes depend less on blaming users and more on designing training that works with the brain, not against it.

    Resources Mentioned:
    https://www.proofpoint.com/us/blog/security-awareness-training/cybersecurity-nudges-cautionary-tale

    For more information about Proofpoint, check out our website.

    Subscribe & Follow:
    Stay ahead of emerging threats, and subscribe! Happy hunting!


About DISCARDED: Tales From the Threat Research Trenches

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. In each episode you’ll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more. Welcome to DISCARDED.

v8.8.9| © 2007-2026 radio.de GmbH
Generated: 4/15/2026 - 7:36:33 AM