Byer-Nichols Threat Brief for December 16-31 2025
Digital Rage

Season: 2 | Episode: 62

Published: January 2, 2026

By: Phish Tank Digital

This threat intelligence brief provides a comprehensive analysis of the global cybersecurity landscape during the final two weeks of 2025. It highlights Qilin as the most dominant ransomware threat, noting a specific surge in attacks against the manufacturing sector and small businesses. The report identifies a dangerous shift toward stealthier intrusion methods, such as DNS manipulation and the use of sophisticated backdoors like ToneShell. It also details the active exploitation of network edge devices from major vendors like Fortinet and Cisco. While the summary warns of evolving malware like Cellik and GachiLoader, it concludes with notable defensive victories, including Interpol-led arrests and the successful decryption of multiple ransomware strains.

Episode Transcript

00:00:00 - 00:00:03
[MUSIC PLAYING]
00:00:03 - 00:00:07
Welcome to The Deep Dive.
00:00:07 - 00:00:12
You know, if you, like us, were watching the usual flow
00:00:12 - 00:00:15
of threat intel reports and saw them slow down
00:00:15 - 00:00:17
near the end of 2025, you might have thought
00:00:17 - 00:00:20
the bad guys were taking a long winter vacation.
00:00:20 - 00:00:20
Right.
00:00:20 - 00:00:22
Maybe a break for security teams, too.
00:00:22 - 00:00:23
Exactly.
00:00:23 - 00:00:25
But if you actually looked beneath the surface,
00:00:25 - 00:00:28
the data told a, well, a much more intense story.
00:00:28 - 00:00:29
It really did.
00:00:29 - 00:00:32
We saw a huge volume of active exploitation,
00:00:32 - 00:00:36
a lot of successful attacks, and just a serious number
00:00:36 - 00:00:39
of victims right up until midnight on New Year's Eve.
00:00:39 - 00:00:42
So today, we're going to cut through that manufactured
00:00:42 - 00:00:46
quiet and zero in on the final two weeks of December 2025.
00:00:46 - 00:00:49
And our mission here is to really analyze the source
00:00:49 - 00:00:52
material you shared and give you a precise picture
00:00:52 - 00:00:54
of who was targeted, how they were hit,
00:00:54 - 00:00:56
and what the most cutting edge malware out there is right now.
00:00:56 - 00:00:58
But before we dive into all of that,
00:00:58 - 00:01:00
I think we should pause for a second,
00:01:00 - 00:01:02
because there was a huge success story right
00:01:02 - 00:01:03
at the end of the year.
00:01:03 - 00:01:05
The defenders are not standing still.
00:01:05 - 00:01:07
Oh, that's such a critical piece of context.
00:01:07 - 00:01:10
You're talking about the massive interpol action.
00:01:10 - 00:01:11
Yeah, exactly.
00:01:11 - 00:01:15
It resulted in the decryption of six major ransomware strains
00:01:15 - 00:01:19
and hundreds of related arrests all over the world.
00:01:19 - 00:01:22
It proves that these law enforcement efforts are working
00:01:22 - 00:01:24
and that the whole industrialized ransomware model
00:01:24 - 00:01:26
is under enormous pressure.
00:01:26 - 00:01:29
But that pressure is precisely why this deep dive
00:01:29 - 00:01:30
is so important.
00:01:30 - 00:01:31
Exactly.
00:01:31 - 00:01:35
We have to understand how the remaining highly motivated groups
00:01:35 - 00:01:39
are pivoting away from those big clumsy, mass scale attacks
00:01:39 - 00:01:43
and toward these incredibly sophisticated, stealthy tactics.
00:01:43 - 00:01:45
Tactics designed specifically to bypass the defenses
00:01:45 - 00:01:46
we already have in place.
00:01:46 - 00:01:47
That's it.
00:01:47 - 00:01:49
So this dive will give you the crucial knowledge
00:01:49 - 00:01:52
you need to navigate that exact shift.
00:01:52 - 00:01:53
OK, so let's unpack this by starting
00:01:53 - 00:01:56
with the most visible threat out there.
00:01:56 - 00:01:58
Ransomware.
00:01:58 - 00:02:00
If we look at the leaderboard for activity in late December,
00:02:00 - 00:02:02
Qilin is still the undisputed king.
00:02:02 - 00:02:03
Still at the top.
00:02:03 - 00:02:06
This is the third consecutive period they've held that spot,
00:02:06 - 00:02:09
dominating with almost what, 21% of all activity.
00:02:09 - 00:02:11
And Qilin is the perfect example of what you just
00:02:11 - 00:02:12
called industrialized cybercrime.
00:02:12 - 00:02:13
It really is.
00:02:13 - 00:02:15
We're talking about an operation that
00:02:15 - 00:02:17
functions like a well-oiled corporation,
00:02:17 - 00:02:20
not just some loose collective of hackers.
00:02:20 - 00:02:22
They listed well over 1,000 victims
00:02:22 - 00:02:25
on their leak sites by the end of December.
00:02:25 - 00:02:26
1,000?
00:02:26 - 00:02:29
That just shows an incredible ability to scale attacks.
00:02:29 - 00:02:29
It does.
00:02:29 - 00:02:34
And they're followed by the perennial LockBit at around 14.5%.
00:02:34 - 00:02:36
But the really significant move is SafePay jumping
00:02:36 - 00:02:38
into that number three position.
00:02:38 - 00:02:41
Right, accounting for almost 12% of known victims.
00:02:41 - 00:02:42
A huge jump.
00:02:42 - 00:02:44
That scaling is fascinating.
00:02:44 - 00:02:48
But for me, the real insight is in who they targeted.
00:02:48 - 00:02:51
The data shows a massive strategic pivot,
00:02:51 - 00:02:53
manufacturing just soared from fourth place,
00:02:53 - 00:02:54
all the way to number one.
00:02:54 - 00:02:57
Claiming over 17% of the victims,
00:02:57 - 00:03:00
with construction and retail filling out the top three.
00:03:00 - 00:03:02
That feels like a very calculated move.
00:03:02 - 00:03:02
It is.
00:03:02 - 00:03:05
Financial services, which used to be the gold standard
00:03:05 - 00:03:08
for ransomware profits, actually dropped all the way
00:03:08 - 00:03:08
down to fifth place.
00:03:08 - 00:03:09
So what did that tell us?
00:03:09 - 00:03:11
Well, it suggests two things.
00:03:11 - 00:03:13
First, financial institutions are probably getting better
00:03:13 - 00:03:15
at detection and prevention.
00:03:15 - 00:03:17
But second, these criminals have realized
00:03:17 - 00:03:20
the critical and often less defended nature
00:03:20 - 00:03:21
of the physical supply chain.
00:03:21 - 00:03:25
You take down a manufacturer or a construction firm
00:03:25 - 00:03:27
and the impact is immediate.
00:03:27 - 00:03:28
Exactly.
00:03:28 - 00:03:30
Immediate disruptive financial consequences.
00:03:30 - 00:03:32
It makes them ideal targets.
00:03:32 - 00:03:35
And geographically, the USA is still the main target,
00:03:35 - 00:03:38
absorbing over 42% of attacks.
00:03:38 - 00:03:40
But that pressure is spreading, isn't it?
00:03:40 - 00:03:41
It is.
00:03:41 - 00:03:43
Germany has climbed up to the number two spot
00:03:43 - 00:03:46
and we even saw Spain emerge as a new entry in the top five.
00:03:46 - 00:03:47
It's definitely going global.
00:03:47 - 00:03:51
Okay, but we have to talk about the most shocking statistic
00:03:51 - 00:03:52
in the entire brief.
00:03:52 - 00:03:53
And that's victim size.
00:03:53 - 00:03:55
Yes, this is the one.
00:03:55 - 00:03:58
We talk endlessly about these huge Fortune 500 breaches.
00:03:58 - 00:04:00
But the data shows the overwhelming focus
00:04:00 - 00:04:02
is on small and mid-market businesses.
00:04:02 - 00:04:03
How small are we talking?
00:04:03 - 00:04:04
Small businesses.
00:04:04 - 00:04:07
So organizations with 500 employees or less,
00:04:07 - 00:04:11
they accounted for a massive 83.11% of all victims
00:04:11 - 00:04:12
in this period.
00:04:12 - 00:04:13
Let's just sit with that number.
00:04:13 - 00:04:14
83%.
00:04:14 - 00:04:17
That's, I mean, that's basically four out of every five victims.
00:04:17 - 00:04:18
It is.
00:04:18 - 00:04:22
And it completely reframes the risk profile for everyone.
00:04:22 - 00:04:24
To put it in context, large enterprises
00:04:24 - 00:04:29
of 5,000 or more employees, they were just over 3% of victims.
00:04:29 - 00:04:30
It's just 3%.
00:04:30 - 00:04:32
So this isn't a problem that's just confined
00:04:32 - 00:04:34
to national critical infrastructure.
00:04:34 - 00:04:36
The threat is focused squarely on entities
00:04:36 - 00:04:39
who often rely on third party security providers.
00:04:39 - 00:04:42
Which means the mass exploitation methods are working.
00:04:42 - 00:04:43
They're working.
00:04:43 - 00:04:46
And any security leader listening needs to understand
00:04:46 - 00:04:50
that if you have subsidiaries or partners in that size bracket,
00:04:50 - 00:04:52
they are your primary vulnerability.
00:04:52 - 00:04:53
They are the bullseye.
00:04:53 - 00:04:56
That context sets us up perfectly for the next question.
00:04:56 - 00:04:59
If these targets are mostly smaller businesses,
00:04:59 - 00:05:02
the attackers aren't using massive zero-day exploits
00:05:02 - 00:05:03
every time.
00:05:03 - 00:05:05
So where are the common entry points?
00:05:05 - 00:05:07
Where are defenders failing at the perimeter?
00:05:07 - 00:05:08
Well, the trending adversaries
00:05:08 - 00:05:12
we're tracking, groups like Evasive Panda, Mustang Panda,
00:05:12 - 00:05:13
They're all showing a clear pivot
00:05:13 - 00:05:16
toward stealthier longer-term intrusions.
00:05:16 - 00:05:17
Oh, less noise.
00:05:17 - 00:05:19
A lot less noise.
00:05:19 - 00:05:22
They're avoiding brute force and instead relying
00:05:22 - 00:05:25
on techniques that abuse fundamental network processes
00:05:25 - 00:05:26
and trust.
00:05:26 - 00:05:28
Things like DNS manipulation, which
00:05:28 - 00:05:32
is notoriously hard to spot, and very aggressive EDR evasion.
00:05:32 - 00:05:37
And for anyone less familiar, what makes EDR evasion so potent right now?
00:05:37 - 00:05:40
So EDR is your endpoint detection and response.
00:05:40 - 00:05:44
It's the software looking for malicious activity on a computer.
00:05:44 - 00:05:47
But these new methods, they often operate entirely in memory
00:05:47 - 00:05:51
or use techniques designed to look like legitimate system processes.
00:05:51 - 00:05:52
So the EDR just can't see it?
00:05:52 - 00:05:53
Exactly.
00:05:53 - 00:05:55
If it can't see the malicious activity
00:05:55 - 00:05:57
or can't tell it apart from benign behavior,
00:05:57 - 00:05:58
it's basically useless.
00:05:58 - 00:06:00
And that's coupled with things like authentication
00:06:00 - 00:06:03
in the middle, or AiTM attacks, which are especially insidious now
00:06:03 - 00:06:06
with a huge push for multifactor authentication.
00:06:06 - 00:06:07
Precisely.
00:06:07 - 00:06:10
AiTM targets the moment after a user successfully logs in,
00:06:10 - 00:06:13
usually by intercepting their session tokens.
00:06:13 - 00:06:15
So MFA confirms who you are at log in.
00:06:15 - 00:06:19
But the AiTM attack just steals the active session, bypassing MFA completely,
00:06:19 - 00:06:22
which makes abusing trust channels like phishing
00:06:22 - 00:06:26
with academic lures or compromising software updates incredibly effective.
00:06:26 - 00:06:31
And we can see the results of that reflected directly in the vulnerability data.
00:06:31 - 00:06:34
The surge in exploited flaws wasn't on user workstations.
00:06:34 - 00:06:39
It was overwhelmingly targeting network edge devices and management platforms.
00:06:39 - 00:06:42
This is the specific actionable stuff defenders need to hear.
00:06:42 - 00:06:43
It is.
00:06:43 - 00:06:46
We saw high impact exploitation hitting firewalls
00:06:46 - 00:06:49
from major vendors: FortiGate, WatchGuard Firebox,
00:06:49 - 00:06:51
SonicWall appliances.
00:06:51 - 00:06:52
This is a front door.
00:06:52 - 00:06:53
Front door.
00:06:53 - 00:06:57
But not just firewalls, infrastructure managers like HP OneView,
00:06:57 - 00:07:01
various Cisco products, even trusted components like ASUS Live Update
00:07:01 - 00:07:03
and MongoDB databases.
00:07:03 - 00:07:05
Wait, hasn't the perimeter always been a target?
00:07:05 - 00:07:07
What makes this different from say three years ago?
00:07:07 - 00:07:09
The difference is really twofold.
00:07:09 - 00:07:11
Sophistication and accessibility.
00:07:11 - 00:07:16
Three years ago, a lot of edge breaches were due to simple, unpatched CVEs.
00:07:16 - 00:07:20
Now we're seeing targeted exploitation of complex, high-privileged systems
00:07:20 - 00:07:21
that control the entire network.
00:07:21 - 00:07:23
So when you compromise the firewall itself,
00:07:23 - 00:07:27
you gain immediate high-trust access to the internal network.
00:07:27 - 00:07:30
It dramatically increases the blast radius
00:07:30 - 00:07:33
and makes lateral movement so much easier.
00:07:33 - 00:07:38
The takeaway here is that defenders need to treat their edge devices
00:07:38 - 00:07:39
like they treat their domain controllers.
00:07:39 - 00:07:40
Absolutely.
00:07:40 - 00:07:43
Patch aggressively, restrict those management interfaces
00:07:43 - 00:07:47
and make sure your critical systems are properly segmented away
00:07:47 - 00:07:48
from that vulnerable edge.
00:07:48 - 00:07:51
That level of sophistication is exactly what we see
00:07:51 - 00:07:54
when we look at the new malware families emerging.
00:07:54 - 00:07:55
The brief details
00:07:55 - 00:07:59
six new strains using just wildly innovative methods
00:07:59 - 00:08:02
across mobile, Mac, and Windows.
00:08:02 - 00:08:04
Yeah, let's start with the non-traditional platforms.
00:08:04 - 00:08:06
On the Android side, we're seeing Cellik.
00:08:06 - 00:08:10
It's an incredibly capable remote access Trojan, a RAT.
00:08:10 - 00:08:12
So it gives the attacker total control of the device.
00:08:12 - 00:08:13
Total control.
00:08:13 - 00:08:14
Yeah.
00:08:14 - 00:08:17
Key logging, screen streaming, mic and camera access,
00:08:17 - 00:08:18
full-file system control.
00:08:18 - 00:08:20
It's advanced malware, no question.
00:08:20 - 00:08:23
But the real innovation is its industrialization.
00:08:23 - 00:08:24
What do you mean by that?
00:08:24 - 00:08:28
It's sold on the dark web for as little as $150 on a subscription model.
00:08:28 - 00:08:31
And it features a one-click APK builder.
00:08:31 - 00:08:32
One-click.
00:08:32 - 00:08:36
This tool lets even low-skilled actors bundle the RAT
00:08:36 - 00:08:39
into legitimate applications that are selected directly
00:08:39 - 00:08:41
from the Google Play Store.
00:08:41 - 00:08:43
So you pick a popular trusted app, hit a button,
00:08:43 - 00:08:45
and the malware is just packaged right in?
00:08:45 - 00:08:46
Exactly.
00:08:46 - 00:08:48
It dramatically shortens the infection chain
00:08:48 - 00:08:51
and relies on the trust people already have in those apps.
00:08:51 - 00:08:53
It just lowers the barrier to entry
00:08:53 - 00:08:55
for mobile crime significantly.
00:08:55 - 00:08:56
OK, so what about macOS?
00:08:56 - 00:08:59
On macOS, we have the MacSync Stealer.
00:08:59 - 00:09:01
And this one is all about stealth.
00:09:01 - 00:09:04
It disguises itself as a legitimate code-signed
00:09:04 - 00:09:08
and even Apple-notarized Swift application.
00:09:08 - 00:09:10
Hold on, notarization is Apple's system designed
00:09:10 - 00:09:12
to prevent exactly this.
00:09:12 - 00:09:14
How is it getting past Gatekeeper?
00:09:14 - 00:09:15
They found a loophole.
00:09:15 - 00:09:18
The attackers are continuously and frequently
00:09:18 - 00:09:21
resigning and re-notarizing the malware package.
00:09:21 - 00:09:22
Just doing it over and over again.
00:09:22 - 00:09:23
Rapidly.
00:09:23 - 00:09:26
So they can stay ahead of Apple's revocation efforts.
00:09:26 - 00:09:28
This allows the malware to appear fully trusted
00:09:28 - 00:09:30
and legitimate when a user tries to run it.
00:09:30 - 00:09:33
It targets credentials, API keys,
00:09:33 - 00:09:36
and it's really focused on scraping crypto wallet data.
00:09:36 - 00:09:38
It just confirms that macOS is no longer
00:09:38 - 00:09:39
some niche target.
00:09:39 - 00:09:41
It's a high-value environment.
00:09:41 - 00:09:43
And it demands sophisticated evasion.
00:09:43 - 00:09:45
OK, let's turn to Windows and botnets,
00:09:45 - 00:09:47
because this is where the advanced network evasion
00:09:47 - 00:09:49
really gets interesting.
00:09:49 - 00:09:53
The Mustang Panda group has replaced its old favorite, PlugX,
00:09:53 - 00:09:56
with a backdoor called ToneShell.
00:09:56 - 00:09:56
Right.
00:09:56 - 00:09:59
And here is the truly concerning part of the brief.
00:09:59 - 00:10:03
ToneShell's key innovation is a technique called fake TLS.
00:10:03 - 00:10:04
Fake TLS.
00:10:04 - 00:10:07
It's engineered to disguise its command and control traffic
00:10:07 - 00:10:10
by making the malicious communication look functionally
00:10:10 - 00:10:13
identical to legitimate encrypted traffic.
00:10:13 - 00:10:15
It doesn't just use encryption.
00:10:15 - 00:10:18
It mimics the entire TLS handshake and session flow.
00:10:18 - 00:10:21
So it bypasses firewalls and network monitoring
00:10:21 - 00:10:22
that are looking for weird traffic patterns.
00:10:22 - 00:10:23
Exactly.
00:10:23 - 00:10:25
If that technique is working at scale,
00:10:25 - 00:10:28
it fundamentally undermines the security assumptions
00:10:28 - 00:10:31
baked into almost every network security tool we use.
00:10:31 - 00:10:32
That is a huge problem.
00:10:32 - 00:10:32
It is.
00:10:32 - 00:10:36
And beyond fake TLS, the obfuscation is extreme.
00:10:36 - 00:10:38
It uses AES 128 with something called
00:10:38 - 00:10:41
AXIM register-based decryption.
00:10:41 - 00:10:45
That is a low-level CPU technique used specifically
00:10:45 - 00:10:48
to make analysis an absolute nightmare for researchers.
00:10:48 - 00:10:50
OK, moving on, we have GachiLoader,
00:10:50 - 00:10:52
which seems to be a big platform shift.
00:10:52 - 00:10:56
Yeah, a newly discovered Node.js-based malware family.
00:10:56 - 00:10:58
The shift to Node.js shows attackers
00:10:58 - 00:11:00
are diversifying their toolkits.
00:11:00 - 00:11:02
It's spreading through a huge campaign
00:11:02 - 00:11:03
called the YouTube Ghost Network.
00:11:03 - 00:11:04
And what's its trick?
00:11:04 - 00:11:08
It uses previously unseen PE injection techniques.
00:11:08 - 00:11:11
The Node.js part establishes persistence in seconds,
00:11:11 - 00:11:14
and then a highly effective PE injector executes code
00:11:14 - 00:11:16
directly inside a legitimate program.
00:11:16 - 00:11:17
It makes it look like the good guys
00:11:17 - 00:11:18
are doing the dirty work.
00:11:18 - 00:11:20
And quickly, let's touch on the botnet threat
00:11:20 - 00:11:23
RondoDox and the infostealer SaneStealer.
00:11:23 - 00:11:26
RondoDox links right back to our talk about edge devices.
00:11:26 - 00:11:30
It's a botnet that compromises routers, DVRs, CCTV systems
00:11:30 - 00:11:33
by exploiting old, often neglected vulnerabilities.
00:11:33 - 00:11:35
And SaneStealer is a Windows infostealer
00:11:35 - 00:11:37
that operates entirely in memory.
00:11:37 - 00:11:39
To avoid file-based detection.
00:11:39 - 00:11:40
Right.
00:11:40 - 00:11:43
The good news is the early samples have weak evasion.
00:11:43 - 00:11:44
But the warning is clear.
00:11:44 - 00:11:47
If the developers add the kind of encryption
00:11:47 - 00:11:49
and obfuscation we see in ToneShell,
00:11:49 - 00:11:52
it could become extremely dangerous very fast.
00:11:52 - 00:11:56
That is a massive amount of new threat surface to process.
00:11:56 - 00:11:58
So let's connect the dots for everyone listening.
00:11:58 - 00:12:00
What are the key trends here?
00:12:00 - 00:12:02
If we pull back to the big picture,
00:12:02 - 00:12:05
the data shows two clear overriding trends.
00:12:05 - 00:12:08
First, you have the hyperindustrialization of the attack
00:12:08 - 00:12:11
focused on mass exploiting smaller organizations,
00:12:11 - 00:12:12
which we see with Qilin.
00:12:12 - 00:12:13
And the second trend.
00:12:13 - 00:12:16
A widespread, sophisticated move to bypass the network
00:12:16 - 00:12:19
perimeter by exploiting edge devices
00:12:19 - 00:12:21
and using these advanced evasion techniques,
00:12:21 - 00:12:24
like fake TLS and the MacSync notarization bypass.
00:12:24 - 00:12:27
The focus has moved from breaking down the front door
00:12:27 - 00:12:29
to just silently operating inside the walls.
00:12:29 - 00:12:32
But as we said at the start, the brief also highlighted
00:12:32 - 00:12:34
some clear effective pushback.
00:12:34 - 00:12:35
That's right.
00:12:35 - 00:12:37
Defenders and law enforcement are very active.
00:12:37 - 00:12:40
We saw a confirmation that Amazon disrupted Russian GRU
00:12:40 - 00:12:42
hackers who were attacking edge devices.
00:12:42 - 00:12:44
And the US seized the E-note crypto exchange
00:12:44 - 00:12:46
for laundering ransomware payments.
00:12:46 - 00:12:48
So the fight back is working.
00:12:48 - 00:12:50
Those disruptions are vital.
00:12:50 - 00:12:54
But defense still comes down to core security principles,
00:12:54 - 00:12:56
just adapted for this new reality.
00:12:56 - 00:12:59
And the source brief gives four critical recommendations
00:12:59 - 00:13:01
for you, the listener.
00:13:01 - 00:13:03
First, harden identity controls.
00:13:03 - 00:13:07
Absolutely vital with the rise of AiTM and credential theft.
00:13:07 - 00:13:10
If session tokens are the new target,
00:13:10 - 00:13:14
our defenses have to be stronger than just a basic MFA log in.
00:13:14 - 00:13:16
Second, you have to shift your detection
00:13:16 - 00:13:17
to focus on behavior.
00:13:17 - 00:13:21
File-based detection is failing against this new stuff.
00:13:21 - 00:13:24
And third, secure your DNS infrastructure
00:13:24 - 00:13:25
and retain those logs.
00:13:25 - 00:13:28
That's crucial for spotting those stealthy manipulation
00:13:28 - 00:13:28
attempts.
00:13:28 - 00:13:29
Exactly.
00:13:29 - 00:13:32
And finally, prepare for DDoS style attacks.
00:13:32 - 00:13:34
While we focused on stealth, brute force disruption
00:13:34 - 00:13:36
is still a popular tool for ransomware groups
00:13:36 - 00:13:37
to apply pressure.
00:13:37 - 00:13:40
So those concrete steps, plus aggressive patching
00:13:40 - 00:13:43
of those critical edge devices, is what's required right now.
00:13:43 - 00:13:45
That's what the data is telling us, yes.
00:13:45 - 00:13:47
We've covered a huge amount of ground today.
00:13:47 - 00:13:50
The unnerving fact that 83% of ransomware victims
00:13:50 - 00:13:54
are small businesses, the advanced stealth of fake TLS,
00:13:54 - 00:13:56
and the, well, the shocking ease of deploying
00:13:56 - 00:13:59
Cellik on Android using legitimate Google Play apps.
00:13:59 - 00:14:02
And that raises an important final question for you,
00:14:02 - 00:14:05
the listener, to really think about as you plan your strategy
00:14:05 - 00:14:06
for 2026.
00:14:06 - 00:14:07
Go on.
00:14:07 - 00:14:11
Given the success of malware like MacSync and Cellik
00:14:11 - 00:14:13
in exploiting the appearance of legitimacy
00:14:13 - 00:14:16
using code signing, official notarization,
00:14:16 - 00:14:19
the Play Store, how reliable is the concept
00:14:19 - 00:14:20
of a trusted channel anymore?
00:14:20 - 00:14:21
That's a great question.
00:14:21 - 00:14:24
What metrics beyond a simple digital signature
00:14:24 - 00:14:27
must defenders and users rely on next to judge
00:14:27 - 00:14:29
if an app or an update is truly safe?
00:14:29 - 00:14:32
Something that pushes us all to think beyond simple validation.
00:14:32 - 00:14:34
Thank you for joining us for this crucial deep dive
00:14:34 - 00:14:36
into the latest threat intelligence.
00:14:36 - 00:14:38
We'll see you next time.
00:14:38 - 00:14:41
Reach out to us at jbuyer.com for comments and questions.
00:14:41 - 00:14:43
Follow us at buyer company on social media.
00:14:43 - 00:14:46
And if you'd be so kind, please rate and review us
00:14:46 - 00:14:47
in your podcast app.
00:14:47 - 00:14:49
[Music]