In Episode 363 of The 443 Podcast, Corey Nachreiner speaks with Kristen Yang, Cybersecurity Analyst & Investigations Lead, about the threats security teams should be paying closest attention to right now. The conversation reinforces an uncomfortable truth for defenders: many successful attacks still begin with ordinary security gaps, even as AI is making it easier for more attackers to move faster and operate with greater sophistication. 

That combination should concern every security team. 

For all the attention given to advanced exploits and elite adversaries, many breaches still start with familiar weaknesses: exposed services, weak credentials, incomplete visibility, legacy systems, and assets that fall outside normal monitoring. Attackers do not always need an original technique. In many cases, they simply need a door that should have been closed already. 

The real problem is not always missing tools. It is uneven defense. 

One of the clearest themes in the discussion is that organizations often invest in the right security controls but fail to apply them consistently. One overlooked server, one unmanaged endpoint, one exposed internet-facing asset, or one poorly monitored device can create the conditions for a serious incident. 

That is what makes modern defense so fragile. 

Security is rarely broken everywhere. It is broken in the place that matters most. 

An organization may have strong protection across most of its environment, but attackers do not need most of the environment to be vulnerable. They need one weak point that gives them a foothold, enables lateral movement, or lets them remain unnoticed long enough to do real damage. 

Defenders who understand offense are better prepared to spot trouble 

Kristen’s background helps explain why this matters. She describes moving from SOC analyst work into offensive security training and red team exercises to better understand how attackers get in and what traces they leave behind. That perspective now informs her work leading investigations and helping direct the response during major incidents. 

That is an important advantage. 

Strong investigations are not just about collecting alerts. They are about interpreting attacker behavior. Teams that understand offensive tradecraft are often better positioned to distinguish between normal activity, suspicious behavior, and the early stages of a real compromise. In practice, that can be the difference between dismissing a signal as noise and catching an attack before it escalates. 

Living off the land is still one of the biggest defensive challenges 

When the discussion turns to defense evasion, one tactic stands out: living off the land. 

It remains one of the most practical problems defenders face because it relies on legitimate system tools that administrators already use. PowerShell is the classic example. Certutil is another. Rather than dropping obviously malicious binaries into an environment, attackers use native tools to execute commands, download content, or move through systems in ways that can appear routine at first glance. 

That creates a deeper challenge than simple malware detection. 

A suspicious PowerShell command on its own may not look extraordinary. The same activity combined with unusual authentication behavior, credential misuse, or unexpected network connections tells a very different story. That is why context matters as much as visibility. Modern defense depends on the ability to correlate signals, not just collect them. 

AI is doing more than accelerating attackers. It is expanding who can attack effectively. 

The conversation also touches on one of the most important realities in cybersecurity right now: defenders need to understand how AI and large language models work, how organizations are using them, and what new risks they introduce. 

That is not theoretical anymore. 

AI is not only making attackers more efficient. It is lowering the skill threshold required to carry out more convincing, scalable, and adaptive attacks. Tasks that once demanded stronger technical expertise can now be accelerated or partially automated, giving less capable actors access to more advanced workflows. 

Just as important, AI systems are becoming attack surfaces themselves. As organizations embed AI into products, workflows, and decision-making, they introduce new trust relationships and new opportunities for abuse. Issues like prompt injection are only one part of the problem. The larger concern is that manipulated AI outputs can influence users, trigger downstream actions, or introduce risk into systems that were never designed with these failure modes in mind. 

That changes the security equation. Defenders are no longer only protecting people, endpoints, identities, and applications. They are increasingly being asked to secure AI-enabled workflows that can be manipulated, abused, or turned into indirect pathways for malicious activity. 

The value of the SOC is not visibility alone. It is judgment. 

Kristen also describes her role in guiding investigations, leading response efforts during major incidents, and researching emerging threats to improve detections, alerting structures, threat profiles, and tabletop exercises for the SOC team. 

That is a useful reminder of what mature security operations should actually deliver. 

A SOC is not valuable simply because it can see more data. It becomes valuable when it can translate visibility into sound investigative judgment and practical response. Threat research, stronger detections, improved alerting logic, and realistic preparedness exercises all help narrow the gap between seeing activity and understanding what it means. 

That is the difference between noisy monitoring and effective security operations. 

The fundamentals still matter because attackers still benefit when they fail 

For all the focus on AI, red teaming, and evolving tradecraft, the broader lesson remains grounded in fundamentals. Attackers continue to succeed because environments are inconsistent, visibility is incomplete, and preventable exposure remains common. 

That is why organizations cannot afford to treat core security practices as solved problems. Asset visibility, strong authentication, disciplined patching, tighter administrative controls, and scrutiny of internet-facing systems remain some of the most important defenses available, not because they are new, but because attackers still benefit when they are missing. 

The threat landscape may be evolving quickly, but the conditions that allow attacks to succeed are often frustratingly familiar. 

What security teams should take from this 

Episode 363 is a reminder that cybersecurity is not a choice between focusing on fundamentals and preparing for what comes next. Defenders need both. 

They need to close the ordinary gaps attackers still exploit every day. They also need to understand how tradecraft is evolving, how defense evasion continues to mature, and how AI is reshaping both attacker capability and enterprise risk. 

The organizations best positioned to respond will be the ones that stay disciplined on the basics while building a sharper understanding of how modern attacks actually unfold. 

Because right now, attackers do not need a perfect opportunity. 

They just need the one weakness no one thought would matter. 

WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. 

The malicious files are distributed via phishing emails that have a SVG file with a filename in Spanish, generally indicating invoices, receipts, or budgets. 

SVG stands for Scalable Vector Graphics, a file format for two-dimensional vector images. It allows images to be scaled without loss of quality, making it ideal for web graphics like logos and illustrations.  

If an SVG file is opened in a text editor, it has XML code. It has already been observed that some phishing emails were distributed with SVG  containing malicious code. 

Figure 1. Example of a malicious SVG file 

When these malicious SVGs are opened, they communicate with a URL that downloads the malicious artifact. 

 

Figure 2. Network communication when a malicious SVG file is opened 

A recent campaign distributing malicious SVG files in Spanish was observed last year; the target was victims in Colombia, and the files had fake portals impersonating Colombia's judicial system. 

Initial Vector

As mentioned earlier, the campaign starts with phishing, delivering malicious SVG files that are used to download the malware. 

Figure 3. Events showing that the phishing email was opened by the victim

This campaign uses ja.cat to shorten URLs from legitimate domains that have a vulnerability that allows redirects to any URL, so they point to the original domain where the malware is downloaded. The domains affected by the URL redirection are from Brazil.

Figure 4. Network connections are established when the SVGs used in the campaign are opened 

The URLs used in the malicious campaign are in the format https://<domain>/public.php?token=<16_digit_token>

Artifact Analysis

The artifact is a Windows Executable written in Go 

Figure 5. Information about the analyzed artifact 

At the start of execution, the malware executes a routine that retrieves the address of various export functions. Among these functions are LoadLibraryExA and LoadLibraryExW, which are used to load some important DLLs. These DLLs are dynamically loaded to avoid detection. 

Figure 6. Routine of instruction made by malware at the start 

Some of the export functions loaded by the malware are SetErrorMode, to prevent the display of the Windows Error Reporting dialog, and RtlAddVectoredExceptionHandler, to register a VEH, which can be used by malware to control how exceptions are handled and ensure that the payload remains active in case of errors. 

It also loads functions associated with threads, such as CreateWaitableTimerExW, which creates a waitable timer object, allowing synchronization between processes that can be used by functions executed in parallel, like threads. 

We can see timeBeginPeriod used to request a minimum timer resolution for periodic timers, allowing applications to achieve higher accuracy in timing operations. It’s used to restore the previous timer resolution and avoid potential negative impacts on system performance and power usage.   

Figure 7. Windows APIs called during execution 

One important DLL loaded during runtime is ws2_32.dll, which is responsible for network communication. It starts using WSAGetOverlappedResult to retrieve the results of an overlapped operation on the specified socket. 

Another DLL is powrprof.dll, which uses the PowerREgisterSuspendResumeNotification function. It is used to register itself to receive notification when the system is suspended or resumed. This can be used by malware to monitor if the system is suspended and execute certain actions, because in this state, security solutions may be less active in monitoring. 

Figure 8. Call to PowerRegisterSuspendResumeNotification

The malware gets system environment variables, including GODEBUG and DEBUG_HTTP2_GOROUTINES, which are specific to the Go language. 

 Figure 9. Calls to get system environments 

SystemFunction036, which is an alias for the RtlGenRandom function that generates pseudo-random numbers in Windows operating systems, is also used. It is accessed through the Advapi32.dll library and requires dynamic linking using LoadLibrary and GetProcAddress functions. 

 Figure 10. Call to SystemFunction036 and start of a thread 

These actions are the same observed in a SecurityScorecard report, which links these actions to BianLian ransomware. 

BianLian ransomware is a developer, deployer, and data extortion cybercriminal group that has been active since 2022. It was observed attacking critical structure in US and Australia, but the group targets multiple industries and has tactics and techniques that have been evolving. 

One of the most interesting things that we saw in the analyzed artifacts is the utilization of the function wine_get_version, which is used to detect if the system is running in Wine. 

Figure 11. Call to wine_get_version 

There is a routine that makes byte operations using a value loaded from a location in the Thread Local Storage (TLS) at the start of the execution, and the result is the address of the function that will be called in a thread. 

Figure 12. Routine instructions that call different functions in a thread 

In the code, we can also observe anti-debugging techniques to make the analysis more difficult. 

Figure 13. Anti-debugger technique in the malware code 

Another BianLian characteristic observed in the analyzed artifacts is the use of AES functions implemented in Assembly to accelerate encryption. 

Figure 14. Use of AES functions in the malware code 

Indicators of Compromise 

Domains: 

contabilidad[.]icu 

documentodigital[.]cloud 

getpdfdigital[.]cloud 

soportedigital[.]cloud 

What This Campaign Reveals About Evolving Ransomware Delivery 

This campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats. In this case, malicious SVG attachments were used to initiate a phishing chain that led to malware delivery associated with BianLian activity.  

Organizations should treat unexpected image attachments with caution, strengthen email and endpoint defenses, and monitor for suspicious outbound connections. As attackers continue to evolve their delivery methods, understanding how ransomware reaches victims is critical to stopping it earlier in the attack chain. 

In Episode 362 on The 443 Podcast, Marc and Corey unpack three stories that point to a hard truth for defenders: cyber threats are becoming more disruptive, more deceptive, and more scalable.  

From a major attack affecting medical technology giant Stryker, to a once-legitimate Chrome extension turned malicious, to Microsoft’s latest findings on how threat actors are using AI across the attack lifecycle, the message is clear. Attackers are moving faster, operating smarter, and finding new ways to exploit trust at scale. 

How Cyber Conflict Can Spill Into the Private Sector 

Stryker’s network disruption is one of the clearest recent reminders that cyber incidents tied to geopolitical tensions can create serious consequences for private sector organizations. When a company with global operations and ties to critical healthcare infrastructure experiences widespread disruption, the impact reaches far beyond a routine IT outage. Even if an attack does not directly target patients or frontline care, the downstream consequences can still be severe. 

That is what makes this story so significant. It reflects a broader reality that security teams have been warning about for years: cyber conflict is no longer confined to governments, defense agencies, or explicitly political targets. Private organizations that sit close to essential services, healthcare ecosystems, supply chains, or national infrastructure are increasingly exposed to the fallout. 

For defenders, the lesson is straightforward. Resilience planning can no longer focus only on ransomware or data theft. Organizations also need to prepare for destructive attacks, large-scale operational disruption, and incidents where business continuity becomes the primary security challenge. 

A Malicious Chrome Extension Is a Warning About Browser-Based Risk 

Another development underscores how easily trusted software can become attack infrastructure. 

Researchers uncovered suspicious behavior tied to a Chrome extension called Shotbird, which had originally been legitimate. After a transfer of ownership around mid-February, the extension was quickly weaponized. It reportedly registered infected browsers with command-and-control infrastructure, regularly checked in for scripts to execute, stripped browser protections such as content security policy headers and X-Frame-Options, and injected fake update notifications designed to trick users into running malware themselves.  

That matters because it highlights a serious weakness in how many people think about browser extensions. Users often assume that software distributed through an official marketplace is inherently trustworthy, especially if it was legitimate at one point. But trust in these ecosystems can change quickly. A transfer of ownership, a malicious update, or weak validation at the marketplace level can turn an ordinary tool into an attack vector almost overnight.  

The social engineering angle makes the risk even sharper. In this case, the extension did not rely only on quietly dropping malware. It used fake Chrome update prompts and click-fix style instructions to manipulate users into executing malicious commands manually. That tactic helps attackers bypass some of the protections browsers place on traditional executable downloads.  

The broader takeaway is that browser extensions should not be treated as harmless productivity tools. They can carry powerful permissions, interact deeply with web content, and become a quiet but highly effective foothold for attackers. Security teams need clearer policies around extension use, stronger browser visibility, and tighter controls over what users are allowed to install. 

Threat Actors Are Already Operationalizing AI Across the Attack Lifecycle 

The third development may have the broadest long-term implications. 

According to Microsoft’s latest threat intelligence findings, threat actors are already using AI in practical ways throughout the attack lifecycle. The observed activity includes reconnaissance, phishing and social engineering, malware development, operational persistence, post-compromise analysis, and identifying the most effective paths for lateral movement and data theft. In some cases, attackers are also using AI-enabled malware that invokes AI models during execution, not just during development.  

This is important because it moves the conversation past theory. The industry has been talking for some time about how AI could accelerate attacker workflows, lower the barrier to entry, and increase the scale of cybercrime. What these findings show is that this shift is already happening. Attackers are not waiting for fully autonomous systems to mature. They are using AI right now to work faster, appear more credible, and make their operations more efficient.  

The examples also reveal how fragile some current AI safeguards still are. Simple jailbreak prompts that frame the user as a trusted security analyst or student were reportedly enough to elicit guidance that should have been blocked. That points to a hard truth defenders and AI vendors need to confront: prompt-based safety controls alone are not going to be enough. Natural language is too flexible, and attackers are too motivated to rely on basic guardrails as a long-term solution.  

The security concern here is not just smarter phishing emails or cleaner malware scripts. It is the compounding effect of AI across the full attack chain. When reconnaissance is faster, payload development is easier, communications look more human, and post-compromise decisions become more efficient, the overall speed and volume of attacks can rise dramatically. 

The Bigger Shift Behind All Three Stories 

What ties these developments together is not just attacker creativity. It is attacker efficiency. 

Cybercriminals and state-linked groups are finding more ways to weaponize trust, whether that trust exists in healthcare-adjacent operations, browser marketplaces, or AI systems themselves. At the same time, modern attacks are becoming easier to scale. AI assistance reduces friction. Social engineering remains effective. Trusted platforms continue to offer new openings. And every one of those changes gives defenders less time to detect and respond. 

That is why these stories matter beyond their individual headlines. They point to a threat environment where the challenge is no longer just blocking one malware family or one phishing lure. The real challenge is defending against attack chains that are faster, more adaptive, and more capable of turning ordinary business dependencies into security liabilities. 

What This Means for Defenders 

Security teams should treat these developments as a signal to tighten core controls now, not later. 

That starts with reducing blind trust in common platforms and workflows. Browser extensions should be governed more strictly. Administrative and user access should be reviewed with a stronger focus on abuse prevention. Detection and response programs should be built to correlate activity across identity, browser, endpoint, and network layers rather than viewing each alert in isolation. 

It also means preparing for a future where AI is embedded on both sides of the fight. Attackers are already using it to improve speed and effectiveness. Defenders need to match that with stronger visibility, smarter automation, and faster operational follow-through. 

The organizations that adapt best will not be the ones with the most tools. They will be the ones that reduce exposure early, validate trust continuously, and respond fast when normal-looking activity starts behaving abnormally.