Malicious Prompts, Botnet Backdoors, and the Industrialization of Cybercrime
Show Notes
This week on Dragon News Bytes, Eli Woodward and Will Baxter dive into the shift from "cottage industry" cybercrime to an industrialized assembly line fueled by AI. We break down high-urgency RCEs in Cisco Unified Platforms, the massive comeback of the Kimwolf Botnet via IoT backdoors, and the "new SQL injection" taking over AI workflows: Prompt Injection. Plus, we discuss the weaponization of VS Code extensions by North Korean actors (Purple Bravo) and provide a full update on our upcoming global event schedule.
Topics & References:
Part 1: Patch Now: High-Urgency Threats & Evolving Infrastructure
- Cisco Unified Platform RCE (CVE-2026-20045): A critical unauthenticated Remote Code Execution vulnerability granting root access to video and phone systems. Target URLs include /webcalling/Unity/ and /UCMuser.
- Read more: arcticwolf.com
- TP-Link VIGI & Edge Vulnerabilities: Critical flaws in VIGI cameras allow for remote takeover, highlighting the persistent risk in edge and IoT infrastructure.
- Read more: securityaffairs.com
- Kimwolf Botnet Resurgence: Now exceeding two million devices, this botnet is scaling via pre-baked backdoors in consumer devices like TV boxes.
- Read more: krebsonsecurity.com
Part 2: Hacking the Human OS & AI Abuse
- Help Desk Social Engineering: West African criminal groups are increasingly impersonating employees via phone calls to reset passwords for "payroll redirects."
- The AI Prompt Injection Revolution: Described as the "new SQL injection," prompt injection is resetting years of input sanitization efforts. We discuss agentic browsers bypassing security controls and a Microsoft Teams bug used to steal user tokens.
- DPRK (Purple Bravo) Targeting Developers: North Korean actors are weaponizing VS Code extensions and using tasks.json in the Evelyn Stealer malware to auto-execute when repositories are opened.
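A defender-side check for the tasks.json mechanism mentioned above, added here as an example and not code from the podcast or from any of the reports it cites: it parses a repository's `.vscode/tasks.json` (tolerating VS Code's comments and trailing commas) and flags tasks whose `runOptions.runOn` is `folderOpen`, the setting that lets a task start when the folder is opened. The sample tasks.json is constructed; whether VS Code actually runs such a task still depends on its workspace-trust and automatic-task prompts.

```python
import json
import os
import re

# Constructed sample tasks.json (not from any real repository). VS Code reads
# tasks.json as JSON with comments and trailing commas, so parsing must tolerate both.
SAMPLE_TASKS_JSON = r'''{
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build" }, // manual only
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": ["./scripts/setup.js"],
            "runOptions": { "runOn": "folderOpen" },
        },
    ]
}'''

# Matches a JSON string literal (kept) or a // or /* */ comment (dropped),
# so a URL such as "https://..." inside a string survives comment stripping.
_STRING_OR_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(r',(\s*[}\]])')


def load_jsonc(text: str) -> dict:
    """Parse VS Code-style JSON with comments and trailing commas."""
    cleaned = _STRING_OR_COMMENT.sub(lambda m: m.group(1) or "", text)
    return json.loads(_TRAILING_COMMA.sub(r"\1", cleaned))


def find_auto_run_tasks(text: str) -> list[dict]:
    """Return tasks whose runOptions.runOn is 'folderOpen' (offered to run on workspace open)."""
    hits = []
    for task in load_jsonc(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label"), "command": task.get("command"),
                         "args": task.get("args", [])})
    return hits


def scan_repo(root: str) -> list[dict]:
    """Walk a checkout and report every .vscode/tasks.json that auto-runs a task."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                findings += [{"file": path, **h} for h in find_auto_run_tasks(fh.read())]
    return findings
```

Run `scan_repo(".")` on a freshly cloned repository before opening it in the editor; any hit is worth reading before trusting the workspace.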
Events & Community:
- SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th.
- RISE USA (San Francisco): February 18–19 at Stripe HQ.
🔗 to register: https://go.team-cymru.com/rise-usa-2026
- Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity.
🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis
- FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats.
🔗 to register: https://www.fsisac.com/events/2026-americas-spring
- RISE Ireland (Dublin): April 14–15 at Stripe Dublin.
🔗 to register: https://go.team-cymru.com/rise-ireland
Connect with Us:
- Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
- Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.