Cybersecurity Reading List - Week of 2025-08-25

And now we enter the belly of the beast.

Summer is in its full effect in the United States as many of us return from the surface of the sun Hacker Summer Camp in Las Vegas (covered in a separate post here). Post-BlackHat and DEF CON also arrives with an abundance of gifts for practitioners and researchers: the publication of tons of new research. As always, the items linked below aren’t intended to be a round-up but rather what caught attention internally, having stood out from the rest. 

The rest of the year looms, but not without hope. 

There are some signs that spending freezes are easing up and hiring may be easing up. Even in this heat, that’s cold comfort for those in the middle of the job hunt. It’s never been harder or more filled with frustration, dead ends, and deeper hazards like identity theft or financial scams. If you’re in a place to help, try to do what you can. 

If you’re still on the hunt, keep pushing, and get through however you can. 

Podcasts

Adversary Universe from Crowdstrike – Live at Black Hat: What’s AI Really Capable Of? – 33min – Good, grounded (but relatively upbeat) perspective on AI capabilities for both defenders and attackers. Also some interesting recent attack campaigns seen, including one with convincing multi-persona smishing threads (no evidence of AI in this latter, yet). 

CyberWire Research Saturday – Beyond the smoke screen – 22min- Excellent interview with Dr. Renee Burton of Infoblox Threat Threat Intel detailing their extensive work on the VexTrio cybercriminal group. They gave a great BlackHat briefing on this topic, and the interview is similarly compelling in both technical and behavioral aspects.

Prompt||GTFO – Youtube playlists for episodes one, two, three – ~90min each – Fascinating series of “prompt pits” in which mostly infosec practitioners get together to share use cases and experiences with AI, with a strict “no slides” rule, demos only. Not an endorsement of AI, but interesting to see how practitioners are using it, and most views involved are pretty reasonable and experience-driven. 

Articles

Infoblox – VexTrio Origin Story, Unmasked, and Inside the Robot – A three-part investigation highlighting world class-level research by Infoblox Threat Intel into the evolution, behavior, and technology of a major adtech-related spam and scam actor. Highly recommended to read all three in order to get a better idea of what you end up looking at in the wild. 

Analyst1 – Ransomware Diaries Volume 7: “I Had to Take the Guilt For Everyone” – The Kaseya Hacker Breaks His Silence – Jon DiMaggio’s DEF CON talk with Jon Fokker gripped a full theater for an hour, and the accompanying blog post is even better. There are few investigators on his level, and even fewer storytellers.

Wunderwuzzi – Claude Code: Data Exfiltration with DNS (CVE-2025-55284) – Okay. So. I’m trying to be less adversarial towards GenAI, really I am. But when you allowlist a bunch of bash commands for your autonomous agent and include DNS lookups, you clear a direct path for a long-known and well-researched data exfiltration and command & control method. And then I have to get all mad and shouty again. 

RiskyBulletin – Hackers sabotage Iranian ships at sea, again – “According to an analysis of the leaked files, the group hacked the company’s network, identified all maritime communications terminals in its MySQL database, and then deployed malicious code to each ship’s satellite terminal that wiped its disk storage.” 

TechCrunch – North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike – What I can’t decide is if the seeming overwhelming success of this campaign is down to good execution on the part of DPRK or the sad, sad state of enterprise security, especially whenever it causes friction in hiring processes.

Cofense – Spain TLD’s Recent Rise to Dominance – Anecdotally I’d been seeing .es show up in my investigators more lately even before reading this, and once the article crossed my desk it made more sense. 

Research Papers and Reports

Greynoise Intelligence – Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities – Greynoise looked backward and found that in 80% of cases, a spike in attempted attacks on a particular technology presaged a CVE release for that technology within six weeks. Excellent work and findings, worth reading the full report. Also covered by Research Saturday interviewing Greynoise VP of Data Science Bob Rudis (30min). 

RecordedFuture – Cloud Threat Hunting and Defense Landscape – In which Insikt Group lays out five prominent attack vectors threatening cloud environments, including details on common misconfigurations as well as logging and hunting internally.

CAIDA – Hunting in the Dark: Metrics for Early Stage Traffic Discovery – “Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes affect both the ability to track the malware, but enable emergent behaviors by exploiting attacker mistakes.”

arXiv – Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition – Results of wide-scale competitive testing across several dozen agents and models, with an eye to evaluating attack transferability and common vulnerabilities. Some significant findings, including limited correlation between size, robustness, or inference-time, meaning that the “better” and “bigger” models didn’t do better than the bargain basement models. 

Tools and Resources

CSO Online – CISA releases Thorium, an open-source, scalable platform for malware analysis – Curious to see where this goes, relative to NSA’s Ghidra.

Entertaining Reading

Wikipedia – The Berners Street Hoax – “Hook spent six weeks sending between a thousand and four thousand letters to tradespeople and businesses ordering deliveries of their goods and services to 54 Berners Street, Westminster, at various times on 27 November 1810.”