Episode #5

Agentic Overload: The Rise of AI Exploits and the "Wet Bandit" APT

This week on Dragon News Bytes, Will Baxter and Will Thomas dive into a week defined by "Paradigm Shifts." We break down how top-tier state actors like Salt Typhoon are abandoning traditional phishing in favour of living inside your edge infrastructure, and how a new era of Agentic AI is creating a "One-Click RCE" nightmare for enterprise security teams.

Plus, we look at the "Wet Bandits" of the APT world—a state-aligned group that remains surprisingly easy to hunt—and discuss why the latest hoax from 0APT was a "Vibe-Op" designed specifically to waste your team's time.

Topics & References:

Part 1: The Edge is the New Endpoint

  • Salt Typhoon’s European Pivot: Norwegian intelligence (PST) confirms that Salt Typhoon is bypassing EDR entirely. They are now persisting inside edge gateways and telco infrastructure, where no endpoint agent runs, using the D-Knife Linux-based implant.
  • TGR-STA-1030 (The Shadow Campaigns): A state-aligned group targeting global ministries of finance. Their tradecraft includes using Mega[.]nz for C2 to blend in with legitimate business traffic.
  • Critical Takeaway: If your detection strategy assumes compromise starts on a laptop, you’ve already lost the battle. The "Metal Layer" of the network is the current battlefield.

Part 2: Emerging AI Threats & "Vibe-Ops"

  • OpenClaw & Agentic AI (CVE-2026-25253): We examine the birth of the "Agentic Supply-Chain Attack." Malicious AI "skills" are now being used to exfiltrate tokens via WebSocket hijacking.
  • 0APT: Anatomy of a "Vibe-Op": Claims of a new ransomware operation targeting retail and healthcare turned out to be a low-capability hoax. We discuss why this was a "resource-drain operation" intended to panic security teams rather than a technical breach.
  • Operation Neusploit: Zscaler observes APT28 (Fancy Bear) weaponizing Microsoft RTF vulnerabilities (CVE-2026-21509) at "wartime tempo"—just days after the patch was released.

Hunter’s Field Notes (Immediate Action):

  • Hunt for D-Knife: Look for any process on Linux-based Cisco or Fortinet appliances spawning a shell, or outbound connections from management interfaces that cannot be tied to a known update daemon.
  • Mega[.]nz Monitoring: Flag high-volume uploads to Mega[.]nz from server VLANs or service accounts. Ask, "why is a domain controller talking to Mega?"
  • AI Socket Hunting: Monitor for unfamiliar WebSocket (WS/WSS) connections initiated from workstations to external hosts, particularly ones that blend in with ordinary browser activity.
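The three hunts above, as an added example that is not from the episode or its hosts: Python detection logic run over constructed sample telemetry, one true positive per hunt plus benign noise. Every event shape, network range, hostname, role tag and the 50 MiB upload floor is an assumption to be replaced with local inventory and baselines, and process telemetry from Cisco or Fortinet appliances is assumed to be available in some form, which in practice depends on what the platform exposes.

```python
"""Hunts for the three field notes, run over constructed sample telemetry.

Assumed (not from the episode): events have already been normalised into the
dict shapes built below, host roles come from an asset inventory, and every
CIDR, hostname and threshold here is a placeholder to be tuned locally.
"""
import ipaddress

SHELLS = {"sh", "bash", "dash", "ash", "busybox", "ksh"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_NETS = [ipaddress.ip_network("10.0.250.0/24")]        # assumed appliance management VLAN
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]       # assumed server VLAN (DCs live here)
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed user VLAN
UPDATE_HOSTS = {"updates.example-vendor.invalid"}          # assumed vendor update endpoints
WS_ALLOWLIST = {"teams.example.invalid"}                   # assumed known-good WebSocket endpoints
MEGA_SUFFIXES = ("mega.nz", "mega.co.nz")
MEGA_UPLOAD_BYTES = 50 * 1024 * 1024                       # assumed "high volume" floor


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt_appliance_shells(proc_events):
    """Field note 1a: a shell spawned on a host the inventory tags as an edge appliance."""
    return [e for e in proc_events
            if e["role"] == "edge_appliance" and e["image"].rsplit("/", 1)[-1] in SHELLS]


def hunt_mgmt_egress(conn_events):
    """Field note 1b: management-interface flows leaving the internal ranges
    that are not explained by a known update endpoint."""
    return [c for c in conn_events
            if in_any(c["src"], MGMT_NETS)
            and not in_any(c["dst"], INTERNAL_NETS)
            and c["dst_host"] not in UPDATE_HOSTS]


def hunt_mega_uploads(conn_events):
    """Field note 2: large uploads to Mega from server VLANs or service accounts."""
    return [c for c in conn_events
            if c["dst_host"].endswith(MEGA_SUFFIXES)
            and (in_any(c["src"], SERVER_NETS) or c["user"].startswith("svc_"))
            and c["bytes_out"] >= MEGA_UPLOAD_BYTES]


def hunt_workstation_websockets(http_events):
    """Field note 3: WebSocket upgrades from workstations to hosts not on the allowlist.
    Header names are assumed to be lower-cased by the log pipeline."""
    return [h for h in http_events
            if h["headers"].get("upgrade", "").lower() == "websocket"
            and in_any(h["src"], WORKSTATION_NETS)
            and h["host"] not in WS_ALLOWLIST]


# Constructed sample telemetry: one true positive per hunt plus benign noise.
PROC_EVENTS = [
    {"host": "fw-edge-01", "role": "edge_appliance", "parent": "/usr/sbin/httpd", "image": "/bin/sh"},
    {"host": "fw-edge-01", "role": "edge_appliance", "parent": "/sbin/init", "image": "/usr/sbin/sshd"},
    {"host": "web-01", "role": "server", "parent": "/usr/bin/cron", "image": "/bin/bash"},
]
CONN_EVENTS = [
    {"src": "10.0.250.5", "dst": "198.51.100.7", "dst_host": "cdn.unknown.invalid", "bytes_out": 4096, "user": ""},
    {"src": "10.0.250.5", "dst": "203.0.113.10", "dst_host": "updates.example-vendor.invalid", "bytes_out": 2048, "user": ""},
    {"src": "10.10.0.12", "dst": "203.0.113.50", "dst_host": "mega.nz", "bytes_out": 300 * 1024 * 1024, "user": "svc_backup"},
    {"src": "10.20.3.4", "dst": "203.0.113.50", "dst_host": "mega.co.nz", "bytes_out": 1024, "user": "jdoe"},
]
HTTP_EVENTS = [
    {"src": "10.20.3.4", "host": "relay.unknown-agent.invalid", "uri": "/socket", "headers": {"upgrade": "websocket"}},
    {"src": "10.20.3.4", "host": "teams.example.invalid", "uri": "/ws", "headers": {"upgrade": "websocket"}},
    {"src": "10.20.3.9", "host": "news.example.invalid", "uri": "/", "headers": {}},
    {"src": "10.10.0.12", "host": "relay.unknown-agent.invalid", "uri": "/socket", "headers": {"upgrade": "websocket"}},
]


def run_hunts(proc_events=PROC_EVENTS, conn_events=CONN_EVENTS, http_events=HTTP_EVENTS):
    """Run every hunt and return the raw matching events keyed by hunt name."""
    return {
        "appliance_shell": hunt_appliance_shells(proc_events),
        "mgmt_egress": hunt_mgmt_egress(conn_events),
        "mega_upload": hunt_mega_uploads(conn_events),
        "workstation_websocket": hunt_workstation_websockets(http_events),
    }


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        for hit in hits:
            print(f"[{name}] {hit}")
```

Each hunt returns the matching events untouched so an analyst can pivot on host, user or destination straight from the finding; the allowlists are deliberately small, since the point of the Mega and WebSocket hunts is that a legitimate reason for the traffic should be rare enough to enumerate.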

Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.