The Angry Spark APT Mystery: A Year-Long Backdoor, One Victim, Zero Attribution

The AI-powered 10x patch tsunami has arrived. Now what?

(Presented by TLPBLACK [https://tlpblack.net]: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 98: We dive back into the fast16 malware discovery with fresh speculation that it's targeting spherical implosion simulations for Iran's nuclear program, and wonder who on earth is qualified to confirm this. Plus, thoughts on OpenAI's new three-tier cyber access program, Microsoft's MDASH harness, the 10x Patch Tuesday tsunami, Cloudflare's 1,100 layoffs blamed on AI, and why frontier-lab guardrails may just be elaborate security theater. Cast: Juan Andres Guerrero-Saade [https://twitter.com/juanandres_gs], Ryan Naraine [https://twitter.com/ryanaraine] and Costin Raiu [https://twitter.com/craiu]. Timestamps: 0:00 - Introductory banter 3:19 - fast16 update: spherical implosion simulations? 9:01 - Manhattan Project precedent — why this matches Iran 12:28 - Who can actually reproduce the FAST 16 attack? 19:32 - Google GTIG's "AI-written" zero-day 22:13 - The rise of AI-backend "silent detections" 25:54 - Guardrails as security theater 38:47 - Are the 10x patch numbers real defense? 43:48 - OpenAI's Trusted Access tiers + Microsoft MDASH 53:35 - End of the ‘patch-and-pray’ model 57:50 - Sean Heelan: strict harnesses can make models worse 1:03:51 - Pwn2Own Berlin overflow and bug-density debate 1:12:24 - Cloudflare's 1,100 layoffs and AI as scapegoat 1:27:42 - RCS encryption, Android Intrusion Logging, Seedworm & Kazuar Links: * Transcript [https://docs.google.com/document/d/16b29x8ZTGr-NfA341wJKfRIp1OqLHSQOBMNriCgzV0E/edit?usp=sharing] * fast16 malware targeting spherical implosion simulations [https://x.com/rhizomaticthot/status/2054591007396913218] * fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet [https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/?utm_campaign=cloud-launch&utm_source=email-marketing&utm_medium=letsignit&utm_content=undefined&utm_term=undefined&gclid=undefined] * Cracking the Fast16 sabotage malware mystery [https://podcasts.apple.com/us/podcast/cracking-the-fast16-sabotage-malware-mystery/id1414525622?i=1000765508051] * GTIG on AI Exploit Generation Discovery [https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access] * iOS 26.5 Security Bulletin [https://support.apple.com/en-us/127110] * End-to-end encrypted RCS messaging hits beta [https://www.apple.com/newsroom/2026/05/end-to-end-encrypted-rcs-messaging-begins-rolling-out-today-in-beta/] * Android adds 'Intrusion Logging' feature [https://blog.google/security/whats-new-in-android-security-privacy-2026/] * Google: Log your Android device activity [https://support.google.com/android/answer/16927813?visit_id=639142077178356281-866636134] * Microsoft MDASH new multi-model agentic security system [https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/] * Daybreak | OpenAI for cybersecurity [https://openai.com/daybreak/] * Pwn2Own 2026 Capacity Overflow, Hackers Drop 0-Days Solo [https://awesomeagents.ai/news/pwn2own-berlin-2026-capacity-overflow/] * Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker [https://www.security.com/threat-intelligence/iran-seedworm-electronics] * Kazuar: Anatomy of a nation-state botnet (Microsoft) [https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/] * Ekoparty Miami [https://ekoparty.org/miami/] * LABScon 2026 [https://www.labscon.io/] * TLPBLACK [https://tlpblack.net/]

The disappointing death of big-game APT reporting

(Presented by TLPBLACK [https://tlpblack.net]: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 97: We discuss the disappearing art of Windows APT paleontology, the absence of complex malware documentation, and why so much threat-intel research has slipped behind paywalls and into private rooms. Plus, a surge in AI-discovered bugs in Firefox and Chrome, a rough week for Linux security flaw disclosures, and the usual Ivanti and Palo Alto zero-day bulletins that ship without a single IOC. Cast: Juan Andres Guerrero-Saade [https://twitter.com/juanandres_gs], Ryan Naraine [https://twitter.com/ryanaraine] and Costin Raiu [https://twitter.com/craiu]. Timestamps: 0:00 - Introductory banter 1:17 - Inside TLP-Red: writing hashes by hand 3:57- fast16 fallout and the threat intel trust collapse 9:17 - The death of cyber paleontology on Windows 14:49 - Mobile is the new paleontology frontier 15:48 - When threat intel went private: the CrowdStrike effect 23:29 - Falling sideways into intelligence brokerage 36:05 -- AI, Easter eggs, and the loss of malware artistry 47:22 -- Will the Frontier Labs publish threat intel? 51:43 -- fast16 follow-up reports coming 1:09:38 - Mythos, Aardvark, and the patch tsunami 1:15:33 - CopyFail and the Linux reboot crisis 1:51:05 - UAPs, Pulitzers, last-ever LabsCon, and shoutouts Links: * Transcript [https://docs.google.com/document/d/1XD-WeRNLra07UXmgRpBaiGNFo0PPiSkw3PntcdnMdI8/edit?tab=t.0] * Where Have All the Complex Windows Malware and Their Analyses Gone? [https://r136a1.dev/2026/05/07/where-have-all-the-complex-malware-and-their-analyses-gone/] * AcidBox: Rare Malware Repurposing Turla Group Exploit [https://unit42.paloaltonetworks.com/acidbox-rare-malware/] * Google Chrome security update documentation [https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html] * Behind the Scenes Hardening Firefox with Mythos [https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/] * CVE-2026-0073 Android adbd TLS client-authentication bypass [https://barghest.asia/blog/cve-2026-0073-adb-tls-auth-bypass/] * Urgent patch for Android zero-click vuln [https://source.android.com/docs/security/bulletin/2026/2026-05-01] * CVE-2026-0300: PAN-OS zero-day exploited in the wild [https://security.paloaltonetworks.com/CVE-2026-0300] * Ivanti zero-day marked as exploited in the wild [https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US] * Copy Fail — CVE-2026-31431 [https://copy.fail/] * Yael Grauer wins a Pulitzer Prize [https://www.ap.org/media-center/press-releases/2026/ap-wins-pulitzer-prize-for-china-surveillance-reporting/] * AJ Vicens wins a Pulitzer Prize [https://www.reuters.com/investigations/charlie-kirk-purge-how-600-americans-were-punished-pro-trump-crackdown-2025-11-19/] * Pacific Rim – Darknet Diaries [https://darknetdiaries.com/episode/174/] * Fast16, Stuxnet, and the History of Cyber Espionage [https://www.youtube.com/watch?v=Nemom0_vCYU] * TLPBLACK [https://tlpblack.net/] * LABScon 2026 CFP [https://www.cvent.com/c/abstracts/0f2ae039-4175-42c2-a534-7f25ada9e539] * US Gov on UAP Encounters [https://www.war.gov/ufo/]

Cracking the Fast16 sabotage malware mystery

(Presented by TLPBLACK [https://tlpblack.net]: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 96: We're joined by WIRED writer Andy Greenberg to dig into SentinelLabs' bombshell FAST16 research, a newly deciphered piece of sabotage malware that predates Stuxnet by five years and quietly tampered with physics modeling software likely tied to Iran's nuclear program. We discuss the attribution rabbit hole (NSA? Israel? someone else?), the eerie "spiritual warfare" implications of corrupting scientific calculations, and Antiy Labs' very dialectical Chinese rebuttal. Plus, what AI reverse-engineering means for the next decade of cyber paleontology. Cast: Andy Greenberg [https://x.com/a_greenberg], Juan Andres Guerrero-Saade [https://twitter.com/juanandres_gs], Ryan Naraine [https://twitter.com/ryanaraine] and Costin Raiu [https://twitter.com/craiu]. Timestamps: 0:00 - WIRED’s Andy Greenberg joins the show 1:53 - How the FAST16 scoop landed in Andy's lap 6:45 - JAGS sat on this sample for 7 years 10:33 - How Costin and the Kaspersky team missed the sabotage routine 15:20 - The "holy moly" moment: what FAST16 actually does 18:26 - Territorial Dispute, Shadow Brokers, and the driver list 24:11 - The targets: MOHID, PKPM, and LS-DYNA's link to Iran 28:13 - No C&C, no victims: a worm built for air-gapped networks 34:45 - Was this part of a larger anti-Iran toolkit? 37:55 - Attribution: NSA, Israel, or someone else entirely? 51:39 - What was the actual sabotage? Unanswered questions 55:48 - "Spiritual warfare": the psychological angle and trust in computers 1:20:05 - Equities, going public, and the case for AI-powered reversing 1:32:19 - Antiy Labs' Chinese rebuttal and the apparatchik tone 1:43:04 - Shoutouts: Sergey Mineev, LabsCon CFP, PivotCon, and Ekoparty Links: * Transcript [https://docs.google.com/document/d/1m0kgtQ17e-_mOUJbhVvwLAmn-khQck_vOudjMTh4IZ0/edit?tab=t.0#heading=h.f9h50gafamn5] * fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet [https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/] * Flame: A complex malware for targeted attacks [https://static.crysys.hu/v1/publications/files/skywiper] * Territorial Dispute – NSA's perspective on APT landscape [https://static.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf] * Newly Deciphered Sabotage Malware May Have Targeted Iran’s Nuclear Program - and Predates Stuxnet [https://archive.ph/ZsaH6] * Kim Zetter's Countdown to Zero Day [https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196] * An Unprecedented Look at Stuxnet, the World's First Digital Weapon [https://archive.ph/BOolM] * The Flame: Questions and Answers (Kaspersky) [https://securelist.com/the-flame-questions-and-answers/34344/] * SentinelLabs [https://www.sentinelone.com/labs/] * Andy Greenberg on X [https://x.com/a_greenberg] * TLPBLACK [https://tlpblack.net/] * Antiy Labs: “Psychological Warfare” to Show Off Cyber Capabilities [https://www.antiy.net/p/a-psychological-warfare-to-show-off-cyber-capabilities-a-comprehensive-analysis-of-sentinelones-exposure-of-fast16/] * Who’s Really Spreading through the Bright Star? [https://securelist.com/whos-really-spreading-through-the-bright-star/68978/] * LABScon 2026 CFP [https://www.cvent.com/c/abstracts/0f2ae039-4175-42c2-a534-7f25ada9e539] * Ekoparty Miami 2026 (Agenda) [https://ekoparty.org/schedule-miami-2026/] * PIVOTcon Agenda [https://pivotcon.org/#agenda] * Decipher: Fast16, Stuxnet, and the History of Cyber Espionage [https://www.youtube.com/watch?v=Nemom0_vCYU]

Mark Dowd on AI hacking, exploit chains, zero-day sales

(Presented by TLPBLACK [https://tlpblack.net]: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 95: Vigilant Labs director Mark Dowd joins the show to shed light on the state of offensive research, the economics of the exploit market, and why "Mark Dowd in a box" isn't quite the threat the AI hype machine suggests. He talks through the daily stresses of running an offensive shop, how AI is reshaping vulnerability discovery, exploit development, and the pricing of full exploit chains. Plus, thoughts on Lockdown Mode and Apple's MIE, whether mitigations actually work or just push attackers toward less access, the rise of HarmonyOS and the Balkanization of device security, persistence, baseband attacks, GrapheneOS, and Samsung Knox. We discuss customer vetting and OpSec fears, policymakers who've never written an exploit, and the strange afterlife of The Art of Software Security Assessment, the 20-year-old book now possibly training data for the very tools coming for his job. Cast: Mark Dowd [https://x.com/mdowd], Juan Andres Guerrero-Saade [https://twitter.com/juanandres_gs], Ryan Naraine [https://twitter.com/ryanaraine] and Costin Raiu [https://twitter.com/craiu]. Timestamps: 0:00 Introductions 4:28 The origin story of Azimuth: why go offensive? 6:26 Stresses of running an offensive research business 12:10 "Mark Dowd in a box" — is AI an existential threat to vuln research? 16:13 Using AI in workflow: frontier models vs. local models 22:05 AI in bug-finding vs. exploit implementation 30:30 Watching AI tear through a firmware backdoor 38:23 Artificial guardrails and the "POC" wall 43:25 Will AI commoditize 0days? The high-end vs. low-end vendor split 57:30 How AI disrupts exploit chain pricing 1:05:18 Does persistence still matter? Should you reboot your phone? 1:09:33 Lockdown Mode, MIE, and Apple's "never been compromised" claim 1:14:25 Do mitigations really work, or are we stuck in an endless loop? 1:23:25 Android vs. iOS vs. Huawei's HarmonyOS Next 1:34:44 Exploit leaks, customer vetting, and OpSec fears 1:41:37 GrapheneOS, Samsung Knox and baseband attacks 1:53:56 Did the exploit market save us from encryption backdoors? 1:55:11 What does the threat-intel community get wrong about vuln research? Links: * Transcript [https://docs.google.com/document/d/1G2B7VetSNfxN9Lfb8f2Y1Vyy-uVBQPl_YSj_3ayVUxM/edit?usp=sharing] * Vigilant Labs [https://www.vigilantlabs.com/] * Mark Dowd at BlueHat: Inside the Zero Day Market [https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdf] * The Art of Software Security Assessment [Book] [https://www.oreilly.com/library/view/the-art-of/0321444426/] * Mark Dowd on X [https://x.com/mdowd] * Trenchant, Peter Williams, and the proliferation of a Shadow Brokers-level iOS exploit framework [https://securityconversations.com/episode/trenchant-peter-williams-and-the-proliferation-of-a-shadow-brokers-level-ios-exploit-framework/] * Apple: Memory Integrity Enforcement [https://security.apple.com/blog/memory-integrity-enforcement/] * Cost of Sandboxing Prompts Shift to Memory-Safe Languages [https://www.securityweek.com/cost-sandboxing-prompts-shift-memory-safe-languages-little-too-late/] * Dowd: Memory Corruption Mitigations Doing Their Job [https://threatpost.com/memory-corruption-mitigations-doing-their-job/124728/] * TLPBLACK [https://tlpblack.net/] * LABScon 2026 Call for Papers [https://www.labscon.io/] * Apple paying big bounty for wireless proximity-based attacks [https://security.apple.com/bounty/categories/]

The Angry Spark APT Mystery: A Year-Long Backdoor, One Victim, Zero Attribution

(Presented by TLPBLACK [https://tlpblack.net]: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage. Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft’s massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST. Cast: Juan Andres Guerrero-Saade [https://twitter.com/juanandres_gs], Ryan Naraine [https://twitter.com/ryanaraine] and Costin Raiu [https://twitter.com/craiu]. Timestamps: 0:00 – Intros + AI news whiplash 5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever 7:32 – AI accelerating vulnerability discovery at record pace 10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC 12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns 14:26 – Anthropic's infrastructure strain: Is Opus being nerfed? 21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal 28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax 34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild 41:36 – VirusTotal mining: The golden age of threat intel hunting 50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure 55:04 – Paleontology of threat research: When do you publish? Who do you trust? 1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows 1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips 2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question Links: * Transcript [https://docs.google.com/document/d/1wVB-Ec5EHYAOhsq2B8Zvf8XJju6ztX7blylz-6IvUHM/edit?usp=sharing] * Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulns [https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/] * ZDI: April 2026 Patch Tuesday Review [https://www.zerodayinitiative.com/blog/2026/4/14/the-april-2026-security-update-review] * Inside ZionSiphon: OT Malware Targeting Israeli Water Systems [https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems] * GenDigital: Chasing an Angry Spark [https://www.gendigital.com/blog/insights/research/chasing-an-angry-spark] * MAD Bugs: Month of AI-Discovered Bugs (Calif) [https://blog.calif.io/p/mad-bugs-month-of-ai-discovered-bugs] * HackerOne: The Vulnerability Apocalypse is a Remediation Crisis [https://www.hackerone.com/blog/continuous-threat-exposure-management-remediation-crisis] * OpenAI scaling up Trusted Access for Cyber (TAC) Program [https://openai.com/index/scaling-trusted-access-for-cyber-defense/] * OpenAI Commits $10m in API credits for cybersecurity [https://openai.com/index/accelerating-cyber-defense-ecosystem/] * Anthropic: Introducing Claude Opus 4.7 [https://www.anthropic.com/news/claude-opus-4-7] * OpenAI confirms Axios developer tool compromise [https://openai.com/index/axios-developer-tool-compromise/] * Jensen Huang x Jensen Huang on Nvidia’s AI Moat [https://www.youtube.com/watch?v=Hrbq66XqtCo] * Anthropic: Detecting and preventing distillation attacks [https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks] * NIST Updates NVD Operations to Address Record CVE Growth [https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth] * Dreadnode Open-Source Tools to Measure AI Offense-Defense Gap [https://dreadnode.io/research/mine-the-gap-open-source-tools-for-measuring-the-ai-offense-defense-gap/] * LABScon 2026 Call for Papers [https://www.labscon.io/cfp/] * Cyber-Paleontology in the Age of AI (Black Hat Asia 2026) [https://blackhat.com/asia-26/briefings/schedule/index.html#cyber-paleontology-in-the-age-of-ai-51494] * Ekoparty Miami Schedule [https://ekoparty.org/schedule-miami-2026/] * TLPBLACK [https://tlpblack.net/]