Cybersecurity Reading List - Week of 2025-05-19
May as well.
No, I really mean it: we have to endure May as well? Oof, buddies, oof.
The horrors persist, but so do the little treats, and the wins that make you dance at your desk. We’ve got a few of those coming at DomainTools Investigations (DTI). But once the dancing is done, we still have to sit back down and do the work: poring through research, grinding through logs, immersing ourselves in countless records, a hundred cases of watching expected connections fall flat only for an unexpected finding to relight that hunter’s spark within.
I hope the rest of you dance at your desks as well. It’s not that I’m worried about looking silly doing it alone, I just don’t want you to miss a good time. And if I can’t dance while hunting through DNS, it’s not my kind of resolution.
As usual, quotes are in quotation marks, comments by me in italics.
Recommended Cybersecurity Podcasts
Maltego – Human Element – Our friends at Maltego launched a new podcast hosted by CTO Ben April, with the first episode guest being Unit 221B founder Lance James. Ben is one of my favorite people to talk technology with, so I recommend subscribing to Human Element ASAP. Find it wherever you get your podcasts.
This Week in Machine Learning – CTIBench: Evaluating LLMs in Cyber Threat Intelligence with Nidhi Rastogi – Excellent, well-grounded conversation on the advantages and disadvantages of large language models in cyber threat intelligence. All about realistic performance evaluation, no hype.
Must-Read Cybersecurity Articles and Blog Posts
Qualys – Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations – Good, brief post from Qualys threat researchers on LockBit insights gleaned from the recent dump. Worth your time.
Citizen Lab – Uyghur Language Software Hijacked to Deliver Malware – Few orgs have had the kind of impact on world freedom and human rights that Citizen Lab does, and this report does not disappoint. Technical and behavioral indicators are abundant for further hunting.
Cofense – Using Blob URLs to Bypass SEGs and Evade Analysis – The HTTP call is coming from inside the house. Or the computer. Blob URLs are minted by script inside the victim’s browser (URL.createObjectURL) and only resolve there, so a secure email gateway or sandbox that follows the link fetches nothing; the phishing page is assembled on the client after delivery. That sidesteps a few different defense techniques, which makes blob URLs a natural staging point for phishing pages. The one artifact a gateway can still inspect is the script that builds the page.
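Since the builder script is the only thing a gateway ever sees, here is an added example (mine, not Cofense’s, and not tooling from the report) of a static heuristic for HTML attachments or landing pages that construct a page from a blob: URL. The indicator names, thresholds, and the sample lure are my own constructed assumptions; it decodes any base64 literals passed to atob() so an analyst can read what the page would have rendered without executing it.

```javascript
// Added example: static triage for blob-URL-staged phishing pages.
// The lure builds its HTML client-side, so a gateway fetching the link gets
// nothing; the script that does the building is what we can inspect.

// Heuristic indicators (assumed names and patterns, tuned for illustration).
const INDICATORS = [
  { name: 'createObjectURL', re: /URL\.createObjectURL\s*\(/i },
  { name: 'blob_constructor', re: /new\s+Blob\s*\(/i },
  { name: 'html_mime', re: /['"]text\/html['"]/i },
  { name: 'base64_decode', re: /\batob\s*\(/i },
  { name: 'navigation', re: /(location\.(href|replace)|window\.open|<iframe)/i },
];

// Returns which indicators fired and whether the combination looks like
// blob-URL staging: createObjectURL and a Blob constructor are definitional
// for the technique, plus at least one supporting indicator to keep noise
// down on ordinary single-page apps that also use blob URLs legitimately.
function scanForBlobStaging(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  const suspicious =
    hits.includes('createObjectURL') &&
    hits.includes('blob_constructor') &&
    hits.length >= 3;
  return { suspicious, hits };
}

// Decodes every string literal handed to atob() so the staged page can be
// read statically. Returns an array of decoded strings (empty if none).
function decodeEmbeddedPayloads(html) {
  const re = /\batob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  const out = [];
  for (const m of html.matchAll(re)) {
    out.push(Buffer.from(m[1], 'base64').toString('utf8'));
  }
  return out;
}

// Constructed sample lure: the shape of a blob-staged page with a harmless
// body. The base64 decodes to "<html><body>test</body></html>".
const SAMPLE_LURE = `<html><body><script>
var page = atob("PGh0bWw+PGJvZHk+dGVzdDwvYm9keT48L2h0bWw+");
var b = new Blob([page], {type: "text/html"});
location.href = URL.createObjectURL(b);
</script></body></html>`;

// Constructed benign page for comparison.
const SAMPLE_BENIGN = `<html><body><p id="out"></p><script>
document.getElementById("out").textContent = "hello";
</script></body></html>`;

console.log(JSON.stringify(scanForBlobStaging(SAMPLE_LURE)));
console.log(JSON.stringify(scanForBlobStaging(SAMPLE_BENIGN)));
console.log(decodeEmbeddedPayloads(SAMPLE_LURE));
```

Treat the hit list as a triage signal, not a verdict: legitimate apps use createObjectURL for downloads and previews, which is why the rule requires the text/html or navigation indicators alongside it. Decoded payloads that contain credential forms or a redirect to a lookalike domain are the real finding.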
Proofpoint – CoGUI Phish Kit Targets Japan with Millions of Messages – I find it interesting that Japan seems to be getting hit harder than usual right now, especially the financial sector. Great writeup by Proofpoint on the CoGUI campaign.
IC3/FBI – Phishing Domains Associated with LabHost PhaaS Platform Users (PDF link) – domain list CSV – List hasn’t been entirely validated, but there’s 42,000 starting points for your next hunt.
NextGov – Salt Typhoon hacks to influence final round of DARPA’s AI-cyber competition – “Kathleen Fisher, director of the Information Innovation Office at DARPA, told Nextgov/FCW at the RSAC Conference in San Francisco, California that DARPA is ‘100% inspired by the Salt Typhoon and Volt Typhoon stories, and needing to make the critical infrastructure software more robust from all those stories.’”
PenTest Partners – Exploiting Copilot AI for Sharepoint – One of those worst-case scenarios for defenders: once you lose control of sensitive enterprise data to an agent, it’s gone for good. Teachable moment for organizations looking to incorporate LLMs at that level.
Blood in the Machine – Four Bad AI Futures Take Root – Grim opinion-ish piece on four generative AI stories that landed last week and appear poised to cause significant collateral damage. Black Mirror imaginations meet Torment Nexus self-awareness.
Latest Cybersecurity Research Papers, Reports, and Books
NCSC – Impact of AI on cyber threat from now to 2027 – “This report builds on NCSC Assessment of near-term impact of AI on cyber threat published in January 2024. It highlights the assessment of the most significant impacts on cyber threat from AI developments between now and 2027. It focuses on the use of AI in cyber intrusion. It does not cover wider threat [sic] enabled by AI, such as influence operations. AI and its application to cyber operations is changing fast. Technical surprise is likely.” – Light reading for your evening. Hoping we see TRADOC’s Mad Scientist Laboratory lean in on a fiction contest around this concept to pull in some more unorthodox possibilities.
Tools and Other Resources
Jellybyte – local LLM-powered threat intelligence lab.