
PODCAST · technology

The Defensive Line Podcast

The Defensive Line Weekly delivers actionable cybersecurity intelligence every week, translating the latest threats, vulnerabilities, and breaches into practical defensive advice for blue teamers. Subscribe for prioritised security recommendations that work for organisations of all sizes—curated and analysed by experienced security practitioners. thedefensiveline.substack.com

  1. 19

    The Defensive Line Weekly Podcast 016

    The Defensive Line Weekly is a podcast version of our weekly Substack intelligence summary — the security stories that matter most for blue teamers and security leaders, with clear implications and practical defensive actions. AI voices are used, but the content is human curated and written with the support of AI.

    Topic 1: Helpdesk Impersonation Continues to Succeed
    * CrowdStrike — Cordial Spider adversary profile
    * CrowdStrike — Snarky Spider adversary profile
    * Google / Mandiant GTIG — Expansion of ShinyHunters SaaS data theft
    * Unit 42 / RH-ISAC — Extortion in the enterprise: defending against BlackFile attacks
    * CyberScoop — CrowdStrike names Cordial Spider and Snarky Spider

    Topic 2: cPanel & WHM and CopyFail
    cPanel / WHM CVE-2026-41940
    * watchTowr Labs — cPanel WHM authentication bypass
    * cPanel vendor advisory — 28 April 2026
    * Censys — The cPanel situation
    * Help Net Security — cPanel zero-day exploited
    * Rapid7 — CVE-2026-41940 ETR
    CopyFail CVE-2026-31431
    * Wiz Research — CopyFail Linux privilege escalation
    * Ubuntu security advisory
    * AlmaLinux blog
    * Red Hat CVE advisory
    * Microsoft Security Blog — CopyFail cloud and Kubernetes impact
    * CERT-EU SA 2026-005

    Topic 3: Three Supply Chain Attacks in One Week
    * SentinelOne — Week 18 supply chain roundup
    * Aikido Security — PyTorch Lightning PyPI compromise
    * Socket — PyTorch Lightning compromised
    * The Hacker News — Poisoned Ruby gems and Go modules
    * The Hacker News — PyTorch Lightning supply chain
    * The Register — SAP npm supply chain

    Honourable Mentions
    * TRM Labs — North Korea 2026 crypto theft
    * Arctic Wolf — BlueNoroff ClickFix and AI-generated Zoom lures
    * NCSC — AI-driven patch wave warning
    * Fortinet PSIRT FG-IR-26-100
    * Fortinet PSIRT FG-IR-26-112
    * The Register — Gemini CLI critical RCE

    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com

  2. 18

    The Defensive Line Weekly Podcast 015

    Story 1: Vercel Breached via AI Tool OAuth Token Sprawl
    * Vercel Security Bulletin
    * Hudson Rock / InfoStealers
    * The Register
    * Push Security
    * Varonis

    Story 2: BlackFile Extortion Targets Retail and Hospitality
    * RH-ISAC / Unit 42 Joint Report
    * BleepingComputer

    Story 3: The Gentlemen Ransomware Scales Fast
    * Check Point Research
    * BleepingComputer
    * The Hacker News

    Honourable Mentions
    Bitwarden CLI / TeamPCP Supply Chain
    * Socket
    * BleepingComputer
    * The Hacker News
    China-Nexus Covert Networks Advisory
    * NCSC Advisory
    * NCSC CEO Keynote — CyberUK 2026
    Kyber Post-Quantum Ransomware
    * Rapid7
    NCSC Passkeys Endorsement
    * NCSC

    Vulnerability Roundup
    * CVE-2026-33825 (Microsoft Windows Defender) — actively exploited
    * CVE-2026-33626 (LMDeploy) — exploited within 12 hours of advisory
    * Cisco Catalyst SD-WAN Manager — actively exploited

    📰 Full written edition: https://thedefensiveline.substack.com/p/the-defensive-line-weekly-18-1926
    📬 Subscribe to The Defensive Line on Substack for weekly actionable security intelligence, written for and by blue teamers.

  3. 17

    The Defensive Line Weekly Podcast 014

    The Defensive Line Weekly is a curated weekly intelligence briefing for blue teamers and security leaders — produced as both a written Substack newsletter and this podcast. Each week we cut through the noise to the stories that actually matter for defenders, with clear implications and practical defensive actions.

    Topic 1: QEMU Virtual Machines Weaponised to Blind EDR
    * Sophos X-Ops — QEMU abused to evade detection and enable ransomware delivery
    * BleepingComputer — Payouts King ransomware uses QEMU VMs to bypass endpoint security

    Topic 2: Helpdesk Impersonation to Data Exfiltration
    * Microsoft Threat Intelligence — Cross-tenant helpdesk impersonation data exfiltration human-operated intrusion playbook

    Topic 3: Windows and Defender Zero-Days
    * Huntress — via Twitter/X
    * BleepingComputer — Recently leaked Windows zero-days now exploited in attacks
    * BleepingComputer — New Microsoft Defender RedSun zero-day PoC grants SYSTEM privileges
    * The Hacker News — Three Microsoft Defender zero-days

    Honourable Mentions
    * Darktrace — Inside ZionSiphon: OT malware targeting Israeli water systems
    * Ox Security — MCP supply chain advisory: RCE vulnerabilities across the AI ecosystem
    * Aonan Guan — Comment-and-control: prompt injection credential theft via Claude, Gemini, Copilot
    * BleepingComputer — ATHR vishing platform uses AI voice agents for automated attacks
    * Dark Reading — Tycoon 2FA hackers adopt device code phishing

  4. 16

    The Defensive Line Weekly Podcast 013

    The Defensive Line Weekly is a curated weekly intelligence briefing for blue teamers and security leaders — delivered as both a Substack newsletter and this podcast. Each week, Carter and Lizzie go deep on the stories that matter, with clear context and practical defensive actions.

    Topic 1 — APT28 Hijacks Home Routers to Steal Microsoft 365 Tokens
    * Microsoft Security Blog — SOHO Router Compromise
    * NCSC UK Advisory
    * IC3 / FBI Public Service Announcement
    * Krebs on Security

    Topic 2 — Adobe Acrobat Reader Zero-Day
    * BleepingComputer — Adobe Reader zero-day exploited since December
    * The Hacker News

    Topic 3 — AI Industrialises Phishing: EvilTokens, VENOM, Device-Code Campaigns
    * Sekoia TDR — EvilTokens
    * Microsoft Security Blog — AI-enabled device code phishing
    * BleepingComputer — VENOM campaign

    Honourable Mentions
    * Joint FBI/CISA Advisory — CyberAv3ngers via The Hacker News
    * Tenable — CyberAv3ngers profile
    * Microsoft — Storm-1175 / Medusa ransomware
    * BleepingComputer — CPUID supply chain attack
    * The Record — ChipSoft ransomware / Dutch hospitals
    * The Hacker News — Drift $285M DPRK theft

  5. 15

    The Defensive Line Weekly Podcast 012

    The Defensive Line Weekly is a podcast version of the weekly Defensive Line Substack intelligence summary — covering the biggest cybersecurity stories of the week, what they mean for defenders, and what to do next. Each episode features AI voices with Carter (intelligence analyst) and Lizzie (blue teamer) in conversation.

    Story 1: Supply Chain — TeamPCP & Axios/DPRK
    * CERT-EU: European Commission Cloud Breach — Trivy Supply Chain
    * NVISO: The Axios npm Supply Chain Incident — Fake Dependency, Real Backdoor

    Story 2: TA416 — OAuth Phishing Against EU Diplomatic Missions
    * Proofpoint: I’d Come Running Back to EU Again — TA416 Resumes European Government Espionage

    Story 3: Microsoft — AI Accelerates Cyberattacks
    * Microsoft Security Blog: Threat Actor Abuse of AI Accelerates — From Tool to Cyberattack Surface

  6. 14

    The Defensive Line Weekly Podcast 011

    Main Stories

    TeamPCP PyPI Supply Chain — LiteLLM & Telnyx
    * Wiz Research disclosure (LiteLLM): https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
    * BleepingComputer (Telnyx): https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/
    * Telnyx security notice: https://telnyx.com/resources/telnyx-python-sdk-supply-chain-security-notice-march-2026

    Citrix NetScaler CVE-2026-3055
    * Citrix security bulletin: https://support.citrix.com/external/article/CTX696300/netscaler-adc-and-netscaler-gateway-secu.html
    * NCSC advisory: https://www.ncsc.gov.uk/news/vulnerabilities-affecting-citrix-netscaler-adc-gateway
    * watchTowr reconnaissance disclosure:

    M-Trends 2026
    * Google/Mandiant M-Trends 2026: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026

    Honourable Mentions

    Iran/Pay2Key healthcare
    * Cybersecurity Dive: https://www.cybersecuritydive.com/news/iran-linked-ransomware-operation-targeted-us-healthcare-provider/815652/
    * Unit 42 Iranian cyber escalation brief: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/

    ClickFix / Infiniti macOS
    * Malwarebytes: https://www.malwarebytes.com/blog/threat-intel/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka

    AitM TikTok for Business
    * Push Security: https://pushsecurity.com/blog/tiktok-phishing

    Iran / FBI Director Patel email
    * The Record: https://therecord.media/fbi-confirms-theft-of-directors-personal-emails-iran-group

    Coruna iOS exploit kit
    * SecurityWeek: https://www.securityweek.com/coruna-ios-exploit-kit-likely-an-update-to-operation-triangulation/

    Vulnerability Roundup

    F5 BIG-IP APM — CVE-2025-53521 (CISA KEV)
    * The Hacker News: https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

    PTC Windchill — CVE-2026-4681 (CISA KEV)
    * SecurityWeek: https://www.securityweek.com/cisa-flags-critical-ptc-vulnerability-that-had-german-police-mobilized/

    Langflow
    * Dark Reading: https://www.darkreading.com/vulnerabilities-threats/critical-flaw-langflow-ai-platform-under-attack

    LangChain / LangGraph
    * The Hacker News: https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html

    Newsletter
    * The Defensive Line Weekly #14 (22–29 March 2026): https://open.substack.com/pub/thedefensiveline/p/the-defensive-line-weekly-14-2229?r=27vsgo&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

  7. 13

    The Defensive Line Weekly Podcast 010

    The Defensive Line Weekly podcast is the audio version of the weekly Defensive Line Substack intelligence summary — the same stories, the same analysis, built for blue teamers and security leaders who want actionable intelligence on the go.

    Story 1: Trivy Compromised, CanisterWorm Spreads
    * Wiz Research — Trivy Compromised: TeamPCP Supply Chain Attack
    * BleepingComputer — Trivy Vulnerability Scanner Breach Pushed Infostealer via GitHub Actions
    * The Hacker News — Trivy Supply Chain Attack Triggers Self-Propagating Worm
    * Elastic Security Labs — TeamPCP Container Attack Scenario

    Story 2: Interlock Ransomware Exploited Cisco FMC for 36 Days
    * AWS Security Blog — Amazon Threat Intelligence Teams Identify Interlock Ransomware Campaign
    * The Register — Amazon, Cisco Firewall Zero-Day, Ransomware
    * BleepingComputer — Interlock Ransomware Exploited Secure FMC Flaw in Zero-Day Attacks Since January

    Story 3: Nordstrom’s Email Trust Broken via SSO Compromise
    * BleepingComputer — Nordstrom’s Email System Abused to Send Crypto Scams to Customers

    Honourable Mentions

    DarkSword iOS Exploit Kit
    * Google Threat Intelligence Group — DarkSword iOS Exploit Chain
    * BleepingComputer — New DarkSword iOS Exploit Used in Infostealer Attack on iPhones

    APT28 OPSEC Blunder
    * Ctrl-Alt-Intel — FancyBear Exposure

    DPRK Fake IT Workers
    * The Register — Researchers Lift the Lid On DPRK Fake IT Worker Operation

    Iran/Handala — Intune Hardening Guidance
    * The Register — Microsoft Intune Lockdown Guidance Post-Stryker

    Russian Intelligence Targeting Signal
    * IC3 PSA — Russian Intelligence Targeting Commercial Messaging Apps

    Vulnerability Roundup
    * The Hacker News — Critical Langflow Flaw CVE-2026-33017
    * BleepingComputer — Oracle Pushes Emergency Fix for Critical Identity Manager RCE Flaw
    * BleepingComputer — ConnectWise Patches New Flaw Allowing ScreenConnect Hijacking
    * The Hacker News — CISA Flags Apple, Craft CMS, Laravel Bugs
    * BleepingComputer — Russian APT28 Military Hackers Exploit Zimbra Flaw in Ukrainian Govt Attacks
    * The Register — Unknown Attackers Exploit Yet Another SharePoint Critical Flaw

  8. 12

    The Defensive Line Weekly Podcast 009

    A podcast version of the weekly Defensive Line Substack Intelligence Summary — focused on what matters, why it matters, and what defenders should do next.

    Handala wipes Stryker (management plane)
    * https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/
    * https://therecord.media/stryker-tells-sec-unknown-timeline-recovery
    * https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/
    * https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know

    GlassWorm (developer supply chain)
    * https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html
    * https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
    * https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/

    Chrome zero-days
    * https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/

    Notable mentions

    Storm-2561 (fake VPN installers via SEO poisoning)
    * https://go.theregister.com/feed/www.theregister.com/2026/03/13/vpn_clients_spoofed/
    * https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/

    CL-STA-1087 (China espionage)
    * https://unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/

    Vulnerability roundup
    * https://go.theregister.com/feed/www.theregister.com/2026/03/12/cisa_n8n_rce/
    * https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-n8n-rce-flaw-exploited-in-attacks/
    * https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/

  9. 11

    The Defensive Line Weekly Podcast 008

    Episode Summary: Episode 8 of The Defensive Line Weekly covers a week dominated by the cyber dimension of the Iran conflict, with MuddyWater pre-positioned in U.S. critical infrastructure and physical drone strikes on AWS data centres. We also examine InstallFix — a ClickFix evolution targeting developers via cloned tool installation pages — and a Microsoft OAuth protocol abuse that turns legitimate Entra ID endpoints into phishing launchers. Notable mentions cover the Coruna iOS exploit kit, record zero-day exploitation data from Google's GTIG, the LexisNexis cloud breach, and a vulnerability roundup.

    Main Stories

    1. Iran Conflict Cyber Update — MuddyWater, Camera Exploitation, and AWS Strikes
    Iran-linked threat group MuddyWater (attributed to Iran’s MOIS) has been embedded in multiple U.S. organisations since early February 2026, deploying the Dindoor and Fakeset backdoors and exfiltrating data via Rclone to Wasabi cloud storage. Check Point Research reported exploitation of patched Hikvision and Dahua camera CVEs across the Middle East. Drone strikes physically damaged four AWS data centres in the UAE and Bahrain.
    Sources:
    * Symantec/Carbon Black — Iran Cyber Threat Activity
    * Check Point Research — Iranian IP Camera Targeting
    * BleepingComputer — AWS Data Centre Drone Strikes
    * BleepingComputer — NCSC UK Advisory
    * AttackIQ — Operation Epic Fury Emulation

    2. ClickFix Evolves into InstallFix — Developer Tool Lures Deliver Infostealers and Ransomware
    Push Security disclosed InstallFix, a ClickFix variant that clones legitimate developer tool installation pages (e.g., Claude Code) to trick developers into pasting malicious install commands. Distribution is via Google Ads malvertising, hosted on legitimate platforms (Cloudflare Pages, Squarespace). Payloads include Amatera, Lumma, and macOS SHub infostealers. Ransomware group Velvet Tempest (Termite) has adopted the technique to deploy CastleRAT.
    Sources:
    * Push Security — InstallFix Disclosure
    * BleepingComputer — Fake Claude Code Install Guides
    * Malwarebytes — Fake CleanMyMac / SHub Stealer
    * BleepingComputer — Termite / CastleRAT ClickFix
    * DeliverTo — Claude Code InstallFix Test Payload

    3. Microsoft OAuth Error-Flow Abuse — Trusted Login URLs Redirect to Phishing and Malware
    Microsoft Defender researchers disclosed a campaign abusing the OAuth 2.0 error redirection mechanism to redirect victims from legitimate Microsoft Entra ID endpoints to attacker infrastructure. Lures include e-signature requests, meeting invitations, and password resets. Outcomes include AitM credential theft (EvilProxy) and malware delivery via ZIP/LNK/HTML smuggling. The campaign targets government and public-sector organisations.
    Sources:
    * Microsoft — OAuth Redirection Abuse
    * BleepingComputer — Microsoft OAuth Error-Flow
    * Malwarebytes — OAuth Redirect Analysis

    Notable Mentions

    Coruna — Spyware-Grade iOS Exploit Kit Enters Criminal Use
    Google GTIG disclosed Coruna, a 23-exploit iOS kit (covering iOS 13.0–17.2.1). The kit has moved from a surveillance vendor customer to Russian espionage (UNC6353, Ukraine watering-hole attacks) to Chinese financially motivated actors (UNC6691, crypto theft). CISA added three exploited CVEs to KEV on 5 March 2026. Coruna does not work on iOS 17.3+.
    Sources:
    * Google GTIG — Coruna iOS Exploit Kit
    * BleepingComputer — Coruna Crypto Theft
    * iVerify — Coruna Tracking
    * BleepingComputer — CISA KEV Coruna

    Shrinking Patch Windows — GTIG Zero-Day Report and Zero Day Clock
    Google GTIG tracked 90 zero-days exploited in 2025 (up 15%), with enterprise appliances and edge devices representing a record 48%. Zero Day Clock shows mean time-to-exploit has crossed the one-week threshold; 67.2% of exploited CVEs in 2026 are zero-days.
    Sources:
    * Google GTIG — 2025 Zero-Day Review
    * Zero Day Clock
    * BleepingComputer — Zero-Day Record

    LexisNexis Data Breach — React2Shell Exploited to Pillage AWS
    Threat actor FulcrumSec exploited an unpatched React frontend (React2Shell) to pivot into LexisNexis’s AWS environment. A single ECS task role with broad Secrets Manager read access enabled exfiltration of 53 secrets, 3.9 million records, and ~400,000 cloud user profiles including ~118 .gov accounts.
    Sources:
    * BleepingComputer — LexisNexis Data Breach
    * The Register — LexisNexis Breach Details

    Vulnerability Roundup
    * Cisco Catalyst SD-WAN — CVE-2026-20122 and CVE-2026-20128 now actively exploited (continuation from last week’s CVE-2026-20127, CVSS 10.0). ACSC Hunt Guide | Cisco Advisory
    * VMware Aria Operations — CVE-2026-22719, unauthenticated RCE, CISA KEV, CVSS 8.1. Workaround script available. BleepingComputer | Broadcom Advisory
    * Qualcomm Android Zero-Day — CVE-2026-21385, integer overflow in Qualcomm Graphics, 235 chipsets affected, under limited active exploitation. Prioritise 2026-03-05 patch level. BleepingComputer

    Watchlist: Signed Malware via Stolen EV Certificate
    Microsoft reported malware signed with a stolen Extended Validation code-signing certificate, impersonating workplace apps to deploy RMM tools as persistent backdoors.
    Source: Microsoft

    Subscribe
    * Podcast: Available on all major podcast platforms — search The Defensive Line Weekly
    * Newsletter: thedefensiveline.substack.com

  10. 10

    The Defensive Line Weekly Podcast 007

    Cisco Catalyst SD-WAN (CVE-2026-20127)
    * NCSC-UK Advisory — Exploitation of Cisco Catalyst SD-WANs — https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans
    * BleepingComputer — Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
    * The Hacker News — Cisco SD-WAN zero-day CVE-2026-20127… — https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
    * The Record — Five Eyes warn hackers exploit Cisco SD-WAN — https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan

    GRIDTIDE (UNC2814) — Google Sheets API C2
    * Google Threat Intelligence — Disrupting GRIDTIDE, a global espionage campaign — https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
    * BleepingComputer — Chinese cyberspies breached dozens of telecom firms, govt agencies — https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/
    * The Hacker News — Google disrupts UNC2814 / GRIDTIDE… — https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
    * The Record — China cyber-espionage: Google disrupts… — https://therecord.media/china-cyber-espionage-google-disrupt

    Scattered LAPSUS$ Hunters (SLH) — Paid helpdesk vishing
    * Dataminr — SLH recruiting women for vishing — https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
    * The Hacker News — SLH offers $500–$1,000 per call to recruit… — https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
    * The Register — Scattered Lapsus Hunters female recruits… — https://go.theregister.com/feed/www.theregister.com/2026/02/26/scattered_lapsus_hunters_female_recruits/
    * BleepingComputer — Diesel Vortex phishing campaign targets freight & logistics — https://www.bleepingcomputer.com/news/security/diesel-vortex-phishing-campaign-targets-freight-logistics/

    Honourable mentions
    * Symantec/Broadcom — Lazarus + Medusa ransomware — https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
    * BleepingComputer — North Korean Lazarus linked to Medusa ransomware attacks — https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/
    * The Hacker News — Lazarus Group uses Medusa ransomware… — https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
    * The Record — Ukraine cyberattacks guiding Russian missile strikes — https://therecord.media/ukraine-cyberattacks-guiding-russian-missile-strikes
    * BleepingComputer — Ransomware payment rate drops to record low despite attack surge — https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
    * The Record — Ransomware payments (Chainalysis)… — https://therecord.media/ransomware-payments-chainalysis-cybercrime
    * The Register — Ransomware: Chainalysis… — https://go.theregister.com/feed/www.theregister.com/2026/02/27/ransomware_chainalysis/

  11. 9

    The Defensive Line Weekly Podcast 006

    Episode 6 of The Defensive Line Weekly examines how attackers are increasingly exploiting legitimate infrastructure to bypass defences: a Russian-aligned threat actor abuses Microsoft’s real authentication pages to harvest SSO credentials, China-nexus espionage actors exploit hardcoded credentials in Dell’s backup platform after eighteen months of silent access, and a financially motivated group uses AI to compromise over 600 FortiGate devices at scale. The episode also covers Google’s first Chrome zero-day of 2026, critical vulnerabilities in widely used VS Code extensions affecting over 128 million downloads, and a new ClickFix variant that uses DNS queries to deliver malware payloads — bypassing the PowerShell monitoring that defenders have hardened against.

    Stories Covered

    1. Microsoft Entra Device Code Vishing — Storm-2372
    A Russian-aligned threat actor (Storm-2372) has been running an active campaign since August 2024, abusing Microsoft’s legitimate device authorisation grant flow to harvest authenticated sessions across SSO-connected applications. Victims are socially engineered via phishing emails and vishing calls into entering device codes on the genuine microsoft.com/devicelogin page — granting attackers access without stealing passwords or bypassing MFA directly.
    Source: Microsoft Security Blog

    2. Dell RecoverPoint Zero-Day — CVE-2026-22769
    CISA added a maximum-severity hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines to its Known Exploited Vulnerabilities catalogue on 18 February 2026. Suspected China-nexus espionage actors have actively exploited the flaw since at least mid-2024 — an eighteen-month window — deploying custom malware families against backup and disaster recovery infrastructure.
    Sources: The Register, SecurityWeek

    3. AI-Augmented Threat Actor Compromises FortiGate Devices at Scale
    Amazon Threat Intelligence reported a Russian-speaking, financially motivated actor who used commercial generative AI to compromise more than 600 FortiGate devices across 55+ countries between 11 January and 18 February 2026. The attack relied on exposed admin interfaces and weak credentials — no new vulnerability was required. Post-compromise activity included Active Directory credential theft and targeting of Veeam backup infrastructure, consistent with pre-ransomware sequencing.
    Source: AWS Security Blog

    4. Chrome Zero-Day CVE-2026-2441 Under Active Exploitation
    Google released emergency updates on 19 February 2026 for the first Chrome zero-day exploited in attacks in 2026 — a use-after-free vulnerability in Chrome’s CSS implementation discovered by Google’s Threat Analysis Group. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue. The fix is available in Chrome version 134.0.7323.88 and later, across Windows, macOS, and Linux.
    Source: BleepingComputer

    5. Critical Vulnerabilities in Popular VS Code Extensions
    OX Security reported high to critical vulnerabilities across four popular Visual Studio Code extensions collectively exceeding 128 million downloads — including Live Server (remote file exfiltration), Code Runner (remote code execution), Markdown Preview Enhanced (JavaScript execution), and Microsoft Live Preview (XSS to file exfiltration). Three of the four extensions had unresponsive maintainers despite disclosure in mid-2025.
    Source: OX Security

    6. ClickFix Attacks Evolve to Use DNS for Payload Delivery
    Microsoft and Huntress disclosed a new ClickFix variant using DNS TXT records to deliver malware payloads — the first known use of DNS as a ClickFix delivery channel. The variant uses the legitimate nslookup command instead of PowerShell or mshta, evading security tools that monitor those execution paths. Recent campaigns delivered ModeloRAT, a remote access trojan for Windows.
    Sources: BleepingComputer, Dark Reading

    Based on The Defensive Line Weekly intelligence summary for 15–22 February 2026. Subscribe at thedefensiveline.substack.com

  12. 8

    The Defensive Line Weekly Podcast 005

    Episode summary
    This episode looks at a shift in initial access: attackers increasingly win by exploiting trust relationships rather than pure exploit chains. We cover how AI platforms, messaging and meeting workflows, software updates, and browser extensions are becoming a new perimeter—and what to do about it.

    Topics and sources

    Adversarial AI moving from experimentation to operational tooling
    * GTIG quarterly AI threat tracker (Q4 2025)
    * Source link: https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use

    Edge devices and the “human layer” beating perimeter controls
    * GTIG report on threats to the defence industrial base
    * Source link: https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base

    Telegram compromise + meeting-tool impersonation leading to ClickFix execution
    * Mandiant / Google Threat Intelligence Group reporting on North Korean activity targeting crypto firms
    * Source link: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

    Notepad++ update infrastructure compromise (selective targeting)
    * DomainTools analysis of Notepad++ update mechanism compromise
    * Source link: https://dti.domaintools.com/research/lotus-blossom-and-the-notepad-supply-chain-espionage-campaign

    Malicious Chrome extensions posing as AI assistants
    * LayerX research into malicious extensions and browser DOM scraping
    * Source link: https://layerxsecurity.com/blog/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes/

  13. 7

    The Defensive Line Weekly Podcast 004

    This week covers five stories showing attackers exploiting well-understood defensive gaps. Shadow Campaigns breached 70+ organisations across 155 countries using conventional techniques. The DKnife framework compromises edge devices for persistent traffic interception. A real-world attack used a decade-old forensic driver to disable 59 security products. Critical Google Looker vulnerabilities enable RCE against business intelligence platforms. GlassWorm malware spread via compromised developer accounts targeting the software supply chain. The common thread: edge exposure, patch lag, credential compromise, and driver signature gaps remain exploitable at scale.

    Topics Covered

    1. Shadow Campaigns: Asia-Based Threat Actor Breaches 70+ Organisations
    Palo Alto Networks Unit 42 disclosed a coordinated global espionage operation targeting government agencies and critical infrastructure. Unit 42 reports at least 70 organisations breached, with broader reconnaissance and targeting activity observed across 155 countries. The threat actor (TGR-STA-1030) focused on diplomatic communications, trade negotiations, military operations, and rare earth minerals intelligence between 2025 and early 2026.
    Key Points:
    * Conventional techniques: edge exposure, patch lag, account compromise
    * Tight correlation between cyber operations and geopolitical events
    * Custom malware loader “DiaoYu.exe” checked for only 5 endpoint security products
    * Primary targeting: governments and ministries with spillover to critical infrastructure
    Sources:
    * Palo Alto Networks Unit 42
    * BleepingComputer

    2. DKnife: China-Nexus Framework Hijacks Edge Device Traffic
    Cisco Talos disclosed DKnife, an adversary-in-the-middle framework used to compromise edge devices and network gateways for persistent monitoring. Active since at least 2019, the framework enables SSL/TLS interception, HTTP header injection, DNS manipulation, and secondary malware delivery.
    Key Points:
    * Persistence through infrastructure rather than endpoints
    * Transforms compromised edge devices into persistent collection platforms
    * Traditional EDR won’t detect traffic manipulation at gateway level
    * Attributed to China-nexus threat actor
    Sources:
    * Cisco Talos
    * BleepingComputer
    * The Hacker News

    3. Attackers Use Forensic Driver to Terminate EDR in Real-World Incident
    Huntress documented a real-world attack where threat actors used a legitimate but long-revoked EnCase forensic driver to disable 59 endpoint security products during an active intrusion. The driver’s certificate expired in 2010 and was revoked, yet Windows still loads it.
    Key Points:
    * Attack chain: compromised SonicWall VPN credentials → reconnaissance → EDR killer deployment
    * BYOVD (Bring Your Own Vulnerable Driver) attack exploiting Windows driver signature enforcement gap
    * Attack disrupted before ransomware deployment
    * Demonstrates endpoint security alone is insufficient
    Sources:
    * Huntress
    * Dark Reading

    4. Critical Google Looker Vulnerabilities Enable RCE and Data Access
    Tenable disclosed critical vulnerabilities in Google Looker (CVE-2025-12743) enabling remote code execution and unauthorised access to internal databases. Looker is used by more than 60,000 organisations across 195 countries. Google patched cloud-hosted instances; self-hosted deployments require manual updates.
    Key Points:
    * RCE chain allows arbitrary command execution and full system compromise
    * Business intelligence platforms concentrate access to sensitive data across organisations
    * Cloud instances patched automatically; self-hosted require manual intervention
    * Compromise can enable credential theft, data exfiltration, and lateral movement
    Sources:
    * Google Cloud Security Bulletin
    * Tenable
    * Dark Reading
    * SecurityWeek

    5. GlassWorm Returns via Compromised Developer Account
    Socket documented a GlassWorm malware campaign that compromised an established Open VSX publisher account to distribute self-replicating infostealer malware through trusted developer extensions. Four established extensions with 22,000+ combined downloads were updated with malicious versions on 30 January 2026.
    Key Points:
    * Targets macOS developers, stealing NPM credentials, GitHub tokens, Git credentials, cryptocurrency wallets
    * Self-propagating: uses stolen credentials to compromise additional packages and extensions
    * Bypasses security heuristics by using established publisher accounts with multi-year history
    * Demonstrates sophisticated supply chain attack vector
    Sources:
    * Socket
    * Dark Reading
    * SecurityWeek

    Subscribe
    * Substack Newsletter: The Defensive Line Weekly
    * Podcast: Subscribe for weekly actionable security intelligence

  14. 6

    The Defensive Line Weekly Podcast 003

    Coverage period: 27 January–2 February 2026

    Episode summary: This episode covers four critical security stories: industrialised vishing campaigns targeting approximately 100 organisations, a vendor-managed SSO zero-day demonstrating dependency risk, wiper attacks on Polish energy infrastructure, and critical SolarWinds Web Help Desk vulnerabilities.

    Stories Covered

    1. Match Group Breach Validates SSO Vishing Industrialisation
    ShinyHunters breached Match Group (Tinder, Match.com, Meetic, OkCupid, Hinge) via a vishing campaign targeting Okta SSO credentials. The campaign targeted ~100 organisations using voice phishing with domains like matchinternal[.]com, and compromised AppsFlyer marketing analytics, Google Drive, and Dropbox accounts.
    Sources:
    * BleepingComputer: Match Group breach
    * The Register: ShinyHunters Match Group
    * Recorded Future News: Bumble Match breaches

    2. Fortinet FortiCloud SSO Zero-Day Affects Fully Patched Devices
    CVE-2026-24858 (CVSS 9.4) is an authentication bypass in FortiCloud SSO affecting FortiOS, FortiManager, and FortiAnalyzer. The vulnerability lies in vendor cloud infrastructure, not customer devices. Exploitation was via the malicious accounts cloud-noc@mail[.]io and cloud-init@mail[.]io. Fortinet mitigated via server-side changes; patches are in development.
    Sources:
    * BleepingComputer: Fortinet blocks exploited FortiCloud SSO zero-day
    * Fortinet PSIRT advisory

    3. Russia-Aligned DynoWiper Attack Targets Polish Energy Infrastructure
    Sandworm (GRU-affiliated) deployed DynoWiper malware against 30+ Polish energy facilities on 29 December 2025. Initial access was via default credentials and the absence of MFA on OT interfaces. DynoWiper execution was blocked at a combined heat/power plant serving 500,000 customers.
    Sources:
    * CERT Polska incident report
    * Dragos analysis
    * ESET Research: Sandworm DynoWiper
    * The Hacker News
    * BleepingComputer: Sandworm Poland power grid

    4. SolarWinds Web Help Desk Critical Vulnerabilities
    Six vulnerabilities in Web Help Desk, including four critical (CVSS 9.8) unauthenticated RCE and authentication bypass flaws. Fixed in version 2026.1. The product has a history of exploitation and patch bypasses.
    Sources:
    * SolarWinds Release Notes
    * SolarWinds Security Advisories
    * BleepingComputer: SolarWinds Web Help Desk RCE
    * The Hacker News

    Key Defensive Takeaways
    * Deploy passkeys for all external SSO access to prevent AitM credential theft
    * Eliminate default credentials and enforce phishing-resistant MFA on all OT interfaces
    * Patch immediately: SolarWinds Web Help Desk
    * Review authentication logs for indicators of FortiCloud SSO compromise
    * Implement defence in depth for critical infrastructure—endpoint protection, network segmentation, least privilege

    Full intelligence summary: The Defensive Line Weekly: 27 January–2 February 2026

  15. 5

    The Defensive Line Weekly Podcast 002

    20–26 January 2026

    Episode Overview
    This week’s episode covers five critical security stories: industrialised voice phishing targeting SSO credentials, GitLab MFA bypass creating supply chain risk, AWS CodeBuild misconfiguration exposing the AWS Console supply chain, email threat research confirming the shift from malware to identity compromise, and sobering findings from Bank of England red team assessments showing what actually works against major financial institutions.

    Hosts:
    * Carter – Intelligence Analyst covering threat landscape and attacker behaviour
    * Lizzie – Blue Team Expert providing practical defensive guidance

    Topics Covered

    1. Industrialised Voice Phishing and AitM Campaigns
    * Vishing kits enabling real-time AitM attacks now sold as-a-service
    * ShinyHunters claimed breaches via vishing campaigns targeting Okta, Microsoft, Google SSO
    * Microsoft documented multi-stage campaigns against the energy sector with over 600 internal phishing emails
    * Key takeaway: AitM credential theft is fully commoditised—SSO consolidation creates high-value targets

    2. GitLab MFA Bypass (CVE-2025-0199)
    * Critical authentication bypass allowing account takeover without second factors
    * GitLab repositories contain source code, secrets, API keys, deployment credentials
    * Compromise of privileged accounts creates genuine supply chain risk for software vendors
    * Key takeaway: Patch immediately—this is emergency patching with no workarounds

    3. AWS CodeBuild Supply Chain Misconfiguration
    * CodeBreach vulnerability: two-character regex error in AWS CodeBuild pipelines
    * Missing regex anchors allowed bypassing security filters and triggering privileged builds
    * Affected AWS JavaScript SDK powering AWS Console—installed in ~66% of cloud environments
    * Key takeaway: CI/CD platforms are high-value targets where small configuration errors create catastrophic risk

    4. Sublime Security 2026 Email Threat Research
    * Email threats shifted from malware delivery to identity compromise
    * Attackers increasingly abuse trusted platforms (file-sharing services) to host phishing pages
    * Significant increase in AitM-capable phishing kits and QR code phishing
    * Key takeaway: Identity is the new perimeter—protecting credentials and sessions matters more than blocking malware

    5. Bank of England CBEST Red Team Findings
    * 13 threat intelligence-led penetration tests of major UK financial institutions
    * Red teams achieved full compromise using publicly available exploits and commodity phishing
    * Five weaknesses: weak passwords/plaintext storage, unpatched systems, poor monitoring, inadequate segmentation, successful social engineering
    * Key takeaway: Authentication strength and detection effectiveness determine blast radius—not perimeter hardening

    Key Defensive Actions
    * Deploy passkeys for all external access to cryptographically prevent AitM token theft
    * Enforce phishing-resistant MFA via Conditional Access policies with authentication strengths
    * Patch GitLab immediately to address CVE-2025-0199 MFA bypass
    * Audit CI/CD webhook configurations and regex patterns for misconfigurations
    * Eliminate plaintext credential storage and enforce proper secrets management
    * Segment critical assets and restrict lateral movement paths
    * Implement mail filtering with behavioural analysis for trusted platform abuse

    Subscribe
    For weekly actionable security intelligence written for and by blue teamers:
    * Newsletter: The Defensive Line on Substack
    * Podcast: Available on all major platforms

    This podcast is AI-generated and based on our weekly newsletter. We’re improving the format every week—your feedback helps.

  16. 4

    The Defensive Line Weekly Podcast 001

    Episode Overview
    This week’s episode covers five critical security stories: authentication failures in enterprise platforms, regulatory enforcement driving security improvements, supply chain attacks on automation tools, Russian hacktivist DDoS campaigns, and browser extension malware campaigns.

    Hosts:
    * Carter – Intelligence Analyst covering threat landscape and attacker behaviour
    * Lizzie – Blue Team Expert providing practical defensive guidance

    Topics Covered

    1. ServiceNow AI Agent Vulnerability (CVE-2025-12420)
    * Critical flaw affecting 85% of Fortune 500 companies
    * Three combined failures: universal credentials, email-only authentication, excessive permissions
    * 2.5-month silent patching window before public disclosure
    * Key takeaway: AI features need purpose-built authentication, not retrofitted legacy controls

    2. French Telecoms Fined €42 Million
    * FREE MOBILE and FREE fined after 16-year-old breached VPN
    * 24 million subscriber records compromised
    * CNIL explicitly called out weak authentication and absent detection
    * Key takeaway: Regulators now treat inadequate security controls as serious GDPR violations

    3. n8n Supply Chain Attack
    * Malicious npm packages targeting n8n workflow automation platform
    * Attackers impersonated legitimate integrations to steal OAuth credentials
    * At least 9 malicious packages identified with thousands of downloads
    * Key takeaway: Automation platforms are credential vaults requiring strict supply chain controls

    4. NCSC Warning on Russian Hacktivist DDoS
    * NoName057(16) targeting UK organisations including OT systems
    * Shift from website disruption to operational technology represents escalation
    * Groups coordinate through public Telegram channels
    * Key takeaway: DDoS defences must cover all internet-facing services, not just websites

    5. Browser Extension Malware Campaigns
    * Two overlapping campaigns: enterprise targeting (2,300+ users) and GhostPoster (840,000+ installs)
    * GhostPoster evaded all major browser stores for five years
    * Extensions block incident response and enable session hijacking
    * Key takeaway: Browser extension allowlisting is the only reliable control

    Key Defensive Actions
    * Deploy phishing-resistant MFA on all remote access paths (FIDO2, passkeys, certificates)
    * Apply least privilege to credentials, API keys, and service accounts
    * Treat automation platforms like identity providers with appropriate controls
    * Implement browser extension allowlisting for all users, prioritising privileged accounts
    * Make security changes proactively and under control, not rushed after breaches

    Subscribe
    For weekly actionable security intelligence written for and by blue teamers:
    * Newsletter: The Defensive Line on Substack
    * Podcast: Available on all major platforms (well, only Spotify for now)

    This podcast is AI-generated and based on our weekly newsletter. We’re improving the format every week—your feedback helps.

  17. 3

    Introducing The Defensive Line Podcast

    The Defensive Line, episode 1. Read by AI, but it's actually not that bad. This is just the introduction, with the first full episode coming soon.

HOSTED BY

The Defensive Line

Frequently Asked Questions

How many episodes does The Defensive Line Podcast have?

The Defensive Line Podcast currently has 17 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

How often does The Defensive Line Podcast release new episodes?

The Defensive Line Podcast has 17 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to The Defensive Line Podcast?

You can listen to The Defensive Line Podcast on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts The Defensive Line Podcast?

The Defensive Line Podcast is created and hosted by The Defensive Line.