Cybersecurity Reading List - Week of 2025-09-29

Published on: September 29, 2025

The days are getting shorter, and so is the news cycle. 

It’s A Lot. 

Bright spots emerge from the pattern, and one of the brightest in a while occurred last week for me - LABScon. SentinelOne and various sponsors manage to gather nearly two hundred of the top cybersecurity folks every year to talk and listen to each other, and I was honored to be admitted this year. The agenda itself is public and tells you enough to know just what kind of impact speakers can have: human rights investigators, harassment fighters, nation-state espionage mitigators, and more. 

While a lot of it was TLP:RED, one thing I’m confident in sharing is that the week showed me a community of folks intent on, and determined to, do good for the world. Many are positioned to follow through on that in some way and are excited to talk about it to a full room or one-on-one with a complete stranger. 

It’s a posture I’m trying hard to carry back from con and out into the world.

On another note, something I’m seeing more of that I want to flag for folks: RecordedFuture published a great report on Stark Industries’ workarounds for dealing with EU sanctions, and Brian Krebs expanded upon it with a great post as well. 

One of the common themes in conversation alongside harder research lately has been the intermediate and long-term ineffectiveness of many of our interventions targeting malicious actors, groups, and campaigns. Takedowns are momentarily gratifying - as I’ve said before, we need to celebrate the wins where we can - but do not seem to provide longitudinal benefits. What does effective long term disruption look like, and is it feasible? What are the models, and what are the realities?

For my part, I’ve been looking at bad actors’ activities before and after US OFAC and UK OFSI sanctions to understand both preparation and reaction. Emerging from technical observables like DNS and BGP is an opaque but solid understanding that bad actors are much better at reliability engineering and disaster recovery than we want to admit, from domain mirroring all the way up to anticipatory Autonomous System takeover. I’ve submitted a talk to CYBERWARCON on the topic (and hopefully it’s accepted!), but if folks reading this know of work around long-term disruption, cybersecurity-related sanctions research, or adjacent topics, I’d love to hear from you. Please shoot me an email at CSRL at domaintools[.]com. 

Podcasts

Microsoft Threat Intelligence - Stopping Domain Impersonation with AI - I know, I know, I’m tired of AI all the time too. But it’s timely and important to stay on top of. Good conversation, especially around how the problem is one of scale rather than sophistication.

Three Buddy Problem - I can’t choose between them, so you get all three Live from LABScon episodes. 

Articles

The Record - Ransomware gang takedowns causing explosion of new, smaller groups - This immediately brought to mind research we conducted with Analyst1 and Scylla Intel and presented at SLEUTHCON earlier this year. Of particular interest is the finding that disruption tends to result in smaller groups reconstituting around critical trust relationships. 

Infoblox - Deniability by Design: DNS-Driven Insights into a Malicious Ad Network - Incredibly good work by Infoblox weaving deep technical details and deep narrative into a systematic understanding of not just malicious adtech but the behavior behind it and thorough methods to fingerprint and track it. 

Morningstar - Unit 221B Raises $5M in Seed Funding To Convert Threat Intelligence into Real World Arrests - You love to see it. Congratulations to our friends at Unit 221B, who should have people throwing large piles of cash at them all the time, given how excellent their work is. 

Google TIG - Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors - Targeting profile prioritized “legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology.” Excellent writeup by TIG, as always.

Schneier - Surveying the Global Spyware Market - Schneier highlights two important points: that investment in spyware companies has risen lately, and the role of brokers and resellers that often go unnoticed in the chain. 

Koi Security - First Malicious MCP in the Wild - Thousands of downloads a week and it’s copying every email to the dev’s personal server. Because the S in MCP stands for Security!

CSO - Why domain-based attacks will continue to wreak havoc - The danger of these attacks long predates AI, including at scale, but this is a pretty good review of some domain attacks to take note of and ensure you’ve worked into your defenses and simulations.

Group-IB - Mapping the Infrastructure and Malware Ecosystem of MuddyWater - Not always the biggest fan of Group-IB, but indicators are indicators, and there’s some good work here about how MuddyWater’s tradecraft is evolving.

Microsoft - Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service - Joint work between Microsoft DCU and Health-ISAC, highlighting the role RaccoonO365 has adopted in targeting the healthcare sector.

Research Papers and Reports

arXiv - Large Language Models for Security Operations Centers: A Comprehensive Survey - Not ground-breaking, but some valuable LLM/SOC fundamentals covered here.

Entertainment

GadgetReview - Massive Attack Turns Concert Into Facial Recognition Surveillance Experiment - Massive Attack hasn’t commented on data retention from the event, laying bare the ambiguity and lack of agency that goes unseen in all the other applications. A+
