The Canvas Breach, AI-Enabled Intrusions, and APT-29's Easter Bunny

The Canvas Breach, AI-Enabled Intrusions, and APT-29's Easter Bunny

This week on Dragon News Bytes, Eli Woodward and Stephen Campbell break down a chaotic week of critical breaches, the accelerating weaponization of AI by both defenders and adversaries, and long-term state-sponsored espionage. From the massive educational data breach impacting Instructure to a Mexican water utility targeted via AI-generated frameworks, the team explores how the threat landscape is evolving at scale. Topics & References Part 1: The Canvas/Instructure Breach & Shiny Hunters * Massive Educational Impact: Around May 1st, Instructure notified potential victims of a breach impacting nearly 9,000 institutions. * The Scope: Shiny Hunters claimed responsibility for accessing over 275 million records, including names, emails, and student IDs. * Widespread Reach: The platform serves 41% of US higher education institutions, alongside K-12 schools and government agencies. * Infrastructure Analysis: The team discusses Push Security's research into Shiny Hunters' phishing panels and how Team Cymru is utilizing NetFlow to uncover additional targets. Part 2: The Double-Edged Sword of AI * Defensive "Vibe Coding": Eli Woodward shares how analysts are using tools like Claude, Gemini, and Team Cymru's new MCP servers to automate complex CTI workflows and rapidly query telemetry. * Trust But Verify: The hosts emphasize that while AI acts as a powerful analyst assistant, LLMs still require human oversight to prevent hallucinations. Part 3: Adversary AI in Critical Infrastructure * Dragos OT Report: An adversary with no prior IoT experience successfully targeted a Mexican government water utility's IT environment. * Automated Frameworks: The attacker utilized commercial LLMs (Claude and ChatGPT) to generate custom Python frameworks for reconnaissance and lateral movement into OT-adjacent systems. * The Outcome: While no OT disruption occurred, vast amounts of sensitive government data were stolen, showcasing the low barrier to entry AI provides for complex intrusions. Part 4: APT-29's "Easter Bunny" Espionage * Labs 52 Report: An analysis of a sophisticated, secretive implant dubbed "Easter Bunny," attributed to APT-29 (Cozy Bear/SVR). * Long-Term Stealth: The malware ties back to a 2019 incident, demonstrating the SVR's dedication to long-term, stealthy persistence against diplomatic and government entities. Events & Community: RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 [https://www.team-cymru.com/events/rise-frankfurt-2026] RISEx Chicago: June 3rd in Chicago, IL 🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026 [https://www.team-cymru.com/events/rise-chicago-2026] RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 [https://www.team-cymru.com/events/rise-new-york-city-2026] RISEx DC: June 11 in Washington DC, US Underground Economy: September 7th -9th in Strasbourg, France 🔗 to register: https://www.team-cymru.com/events/underground-economy-2026 [https://www.team-cymru.com/events/underground-economy-2026] Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru [https://www.linkedin.com/company/team-cymru] Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb [ https://www.team-cymru.com/dnb] Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

AI Supply Chain Exploits, Cyber-Kinetic Threats, and the FUD-X

This week on Dragon News Bytes, Eli Woodward and Will Baxter welcome Stephen Campbell, Team Cymru's new Senior Threat Intel Advisor, to the show. The team breaks down an intense week of AI-assisted supply chain compromises, the expanding blast radius of Iranian cyber operations, and the operational security (OPSEC) failures of rival ransomware gangs. Plus, the hosts issue a strong call to action for the CTI industry: stop burning valuable intelligence methods just for blog clicks. Topics & References Part 1: The Pace of Business and AI-Assisted Discovery * SAP Package Compromise: Team PCP is actively targeting the software supply chain, highlighted by a recent compromise within the SAP cloud ecosystem. * AI as a Discovery Engine: Threat actors are continuously deploying agents to hunt for low-hanging fruit, such as unhardened software package libraries. * The Linux "Copy Fail" (CVE 2026-31431): An AI-focused research company discovered a new local privilege escalation vulnerability in Linux. * The Business Reality: The rapid pace of shipping products and integrating AI models creates vulnerabilities at scale. Part 2: The Expanding Target Space * Iranian Cyber-Kinetic Threats: Due to resource constraints, Iranian threat actors are deploying a "spray and pray" methodology targeting any Western-aligned organization. * Sector Impact: The risk has heavily expanded beyond the defense sector into financial and healthcare organizations, as seen with the Handala group targeting healthcare in Minnesota. * Terrorism as a Service: An alleged Iranian-linked Telegram contact offered an undercover journalist cryptocurrency to carry out street-level vandalism in London. Part 3: Ransomware Drama and Industry OPSEC * Zero APT vs. CryBit: The ransomware group Zero APT faced a massive data leak in retaliation from a rival group known as CryBit. * Creating a "Flail-X": Defenders can leverage these threat actor OPSEC mistakes and internal disputes to impose higher operational costs and friction on adversaries. * Stop Burning Intelligence: The hosts criticized the CTI industry trend of publishing sensitive adversarial infrastructure and methods publicly for blog traffic, urging professionals to use trusted channels like ISACs instead. Events & Community RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 [https://www.team-cymru.com/events/rise-frankfurt-2026] RISEx Chicago: June 3rd in Chicago, IL 🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026 [https://www.team-cymru.com/events/rise-chicago-2026] RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 [https://www.team-cymru.com/events/rise-new-york-city-2026] RISEx DC: June 11 in Washington DC, US Underground Economy: September 7th -9th in Strasbourg, France 🔗 to register: https://www.team-cymru.com/events/underground-economy-2026 [https://www.team-cymru.com/events/underground-economy-2026] Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru [https://www.linkedin.com/company/team-cymru] Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb [https://www.team-cymru.com/dnb] Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

The AI Zero-Day Engine, China’s Cyber Rise, and CI/CD Poisoning

This week on Dragon News Bytes, Eli Woodward, Will Baxter, and Will Thomas return from RISE Dublin to cut through the AI hype and discuss the realities of automated threat hunting. From the zero-day discovery capabilities of the Claude "Mythos" model to China’s emerging equivalent, the team explores how AI is acting as a massive force multiplier for adversaries. We also break down a critical CI/CD pipeline poisoning incident impacting developers, and discuss why the traditional CTI analyst role is rapidly evolving into a CTI engineering function. Topics & References Part 1: The AI Zero-Day Engine (Mythos) vs. The Basics Automated Exploitation: AI models like "Mythos" aren't changing the MITRE ATT&CK framework; they are simply a faster engine for finding zero-days and running automated penetration testing. The Defense Reality: The rise of AI-driven zero-days means defense must double down on the basics. The critical questions remain: How good is your asset inventory? Are you detecting scans? Can you spot weird outbound VPN traffic?. Part 2: China’s Cyber Superpower Status & The Tianfu Cup A Peer Adversary: Dutch intelligence recently stated publicly that China’s cyber power is now on par with the US. China is developing its own "stable model" equivalent to Mythos. Industrialized Intelligence: By feeding data from domestic zero-day competitions like the Tianfu Cup into large language models, China is positioning itself to industrialize vulnerability discovery. Part 3: CI/CD Poisoning & The Developer Target Bitwarden & Checkmarks Compromise: A significant supply chain incident occurred when a threat actor, "Team PCP", poisoned a CI/CD pipeline. The "Naive Coder" Risk: Attackers are moving away from average users and targeting the admins and developers who hold "the keys to the kingdom," maximizing the downstream blast radius. Part 4: Blue Team Engineering & Guardrails The Rise of the CTI Engineer: The industry is pivoting from analysts to CTI engineers. To effectively leverage AI, teams must build and maintain automated pipelines using tools like GitHub Actions. Product Requirements Documents (PRDs): Defenders must institute strong PRDs and guardrails before spending a single token on new AI apps to ensure sustainable, secure infrastructure. Events & Community: RISEx Sydney: May 6 in Sydney, Australia 🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026 [https://www.team-cymru.com/events/rise-sydney-2026] RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 [https://www.team-cymru.com/events/rise-frankfurt-2026] RISEx Chicago: June 3rd in Chicago, IL 🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026 [https://www.team-cymru.com/events/rise-chicago-2026] RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 [https://www.team-cymru.com/events/rise-new-york-city-2026] RISEx DC: June 11 in Washington DC, US Underground Economy: September 7th -9th in Strasbourg, France 🔗 to register: https://www.team-cymru.com/events/underground-economy-2026 [https://www.team-cymru.com/events/underground-economy-2026] Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru [https://www.linkedin.com/company/team-cymru] Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb [https://www.team-cymru.com/dnb] Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

Hacktivist Hoaxes, DPRK Zoom Exploits, and Defending with AI

This week on Dragon News Bytes, Eli Woodward and Ben Archie cut through the noise of inflated hacktivist claims and break down the relentless evolution of state-sponsored operations. From a critical look at the Wall Street panic surrounding Anthropic's new AI model to the latest social engineering playbooks utilized by North Korean threat actors, the team explores how adversaries are adapting and how defenders can use data to maintain the high ground. Topics & References Part 1: The Data Advantage & The Mythos Panic * The Data Ocean Problem: Identifying crucial insights within massive datasets is a historic problem, noted even in CIA memos from the 1980s. Today, practitioners are using Python and API enrichment to prioritize threats and bring large volumes of data down into usable pieces of information. * The Mythos Model Panic: Anthropic recently released a new model called Mythos, causing misplaced panic on Wall Street over the future of cybersecurity. * Project Glasswing: The primary concern is that this model will enable the rapid identification and exploitation of unknown vulnerabilities in mass. Project Glasswing aims to give certain vendors and researchers a head start on defending against this before it becomes publicly and commercially available. Part 2: Geopolitics & Exaggerated Claims * Iranian Hacktivist Bounties: The Department of State's Rewards for Justice program placed a five million dollar bounty on information leading to the identification or arrest of individuals associated with Iranian groups Handala and Parjyan Afsar Reha Borna. * Exaggerated UAE Breaches: Handala claimed to breach three major UAE organizations: the Dubai courts, the Dubai Land Department, and the Dubai Roads and Transport Authority. In reality, these claims are often highly exaggerated, typically resulting from the compromise of a shared file server rather than the core infrastructure of the targeted organizations. * Zion Siphon on VirusTotal: Darktrace reported a new malware dubbed "Zion Siphon" targeting Israeli water treatment and desalination plants. In a massive operational security failure, the actors uploaded the highly targeted script directly to VirusTotal. Part 3: DPRK IT Workers & Fake Recruiters * Stolen Identities & Evolving OPSEC: U.S. nationals were recently sentenced for helping North Korean IT workers pose as U.S.-based employees to steal identities and secure jobs at over a hundred American companies. These actors are also pivoting to South American platforms like Workana, masquerading as Colombian contractors with Spanish language skills. * Sapphire Sleet Targeting Crypto: Microsoft reported on a North Korean cluster dubbed Sapphire Sleet (overlapping with APT 38) targeting crypto and finance workers on macOS devices via LinkedIn. * The Fake Zoom SDK: During the fake interview process, the DPRK recruiters send a bogus Zoom SDK update on the day of the call to gain access to the victim's system. Events & Community * RISEx Sydney: May 6 in Sydney, Australia 🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026 [https://www.team-cymru.com/events/rise-sydney-2026] * RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 [https://www.team-cymru.com/events/rise-frankfurt-2026] * RISEx Chicago: June 3rd in Chicago, IL🔗 to register: https://www.team-cymru.com/events/rise-chicago-2026 [https://www.team-cymru.com/events/rise-chicago-2026] * RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 [https://www.team-cymru.com/events/rise-new-york-city-2026] * RISEx DC: June 11 in Washington DC, US * Underground Economy: September 7th -9th in Strasbourg, France 🔗 to register: https://www.team-cymru.com/events/underground-economy-2026 [https://www.team-cymru.com/events/underground-economy-2026] Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru [https://www.linkedin.com/company/team-cymru] Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb [https://www.team-cymru.com/dnb] Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

AI Supply Chain Attacks, Iranian PLC Exploits, and DPRK IT Workers

This week on Dragon News Bytes, Eli W. and Will B. break down a fast-moving week in cybersecurity—from AI-driven supply chain attacks and Iranian targeting of critical infrastructure to North Korean IT worker scams, new edge-device zero-days, and the takedown of an APT28 router botnet. Topics: The NPM Poisoning Epidemic & The AI Accelerant Axios Backdoor: The team discusses ongoing NPM package exploitation, specifically highlighting the Axios package. Axios sees over 100 million weekly downloads, and at least two backdoored versions have been live recently. Unit 42 published an updated threat brief confirming the attack hit over 10 sectors across five geographic regions. The AI Factor: Will Baxter attributes this spike in supply chain attacks to the operationalization of AI. AI makes reviewing codebases for vulnerable packages incredibly easy for attackers. LLMs as Exploit Developers: Eli Woodward recalls an NSA prediction that LLMs would become great exploit code developers and malware analysis engines. The rapid pace of this AI evolution is forcing defensive teams to adapt quickly without the benefit of increased headcounts. Critical Infrastructure Under Siege by Iranian Actors Joint Advisory on PLC Exploitation: A joint advisory from the FBI, CISA, NSA, EPA, DOE, and Cyber Command formally attributes ongoing PLC exploitation to the Cyber Avengers. This group is the IRGC Cyber Electronic Command, also tracked as Shahid Kavev Group, Hydro Kitten, Storm 084, and UNK5691. Targeted Sectors: The actors are escalating targeting against Rockwell Automation and Allen Bradley PLCs in wastewater, energy, and government facilities. Massive Exposure: The advisory highlights traffic on ports 44818, 2222, 102, and 502. Team Cymru’s platform identified an alarming 49,000 devices exposed on the internet with port 44818 open. Edge Devices, Zero-Days, and CISA Guidance FortiClient EMS Zero-Day: CISA published information on a FortiClient EMS zero-day, with approximately 2,000 exposed instances currently on the internet. Edge Device Safety: CISA also released new edge device safety guidance. The hosts emphasize that patching edge devices and having good identity management is the bare minimum expectation for organizations. Unmasking the DPRK IT Worker Ecosystem The "Lucky Guys" Site: Independent researcher ZachXBT uncovered "luckyguys.site", a platform used by DPRK IT workers to send money back to the regime. These workers are easily making $1 million per month. Team Cymru Platform Analysis: Eli Woodward used the Team Cymru platform to analyze the infrastructure, finding a massive amount of Astral VPN usage and traffic from Russian ASNs (ASI and Trans Telecom). Operational Security Failures: The workers used the password "123456" for their platform, exposing Slack chat identities and conversations via an investigative site. APT 28 Botnet Takedown Router Hijacking: The US DOJ, FBI, and NCSC helped take down a network of TP-Link and MikroTik routers compromised by APT 28 (also known as Unit 26165 or Storm 2754). Botnet Scale: The botnet leveraged known vulnerabilities in these small office/home office (SOHO) devices and peaked at 18,000 unique IPs in December 2025. Events RISE Ireland: April 14 -25 in Dublin, Ireland RISEx Sydney: May 6 in Sydney, Australia * register: ⁠https://shorturl.at/OyfTj ⁠ [https://shorturl.at/OyfTj ⁠] RISEx Frankfurt: May 28th in Frankfurt, Germany * register: ⁠https://shorturl.at/twbj6 ⁠ [https://shorturl.at/twbj6 ⁠] RISEx Chicago: June 3rd in Chicago, IL * register: ⁠https://shorturl.at/kd4SC⁠ [https://shorturl.at/kd4SC⁠] RISEx New York: June 16 in New York City, US * register: ⁠https://shorturl.at/atb2m⁠ [⁠https://shorturl.at/atb2m⁠] Underground Economy: September 7th -9th in Strasbourg, France * register: ⁠https://shorturl.at/mw1yE⁠ [https://shorturl.at/mw1yE⁠] FirstCon26 (Denver): Eli W. will be presenting two sessions. * register: ⁠https://www.first.org/conference/2026/registration-options⁠⁠ [https://www.first.org/conference/2026/registration-options⁠⁠] Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.