01 Cold Open: Five Threats, One Pattern (00:00)
Halil: North Korean operatives ran a six-month intelligence operation — in-person meetings, a fake trading firm, a million-dollar credibility deposit — before stealing two hundred eighty-five million dollars in twelve minutes. That is not hacking. That is espionage.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Today we have five major threats converging in a seventy-two hour window. Fortinet FortiClientEMS — two pre-auth zero-days, public exploits already out, CISA deadline Friday. LiteLLM supply chain — a hidden persistence mechanism that survives the patch. Drift Protocol — DPRK tradecraft that crossed from cyber into human intelligence. Qilin ransomware — killing EDR at the kernel level with a ninety-five percent success rate. And EvilToken phishing — AI-generated lures bypassing secure email gateways at scale.
Halil: The common thread across all five? Adversaries exploiting the gaps between defensive layers. That is the story today. Alex, Lena, James, Elena, Arjun, Viktor, Pierre, Sofia — all at the table. Let's go.
02 Sponsor (01:33)
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 Fortinet FortiClientEMS: Control-Plane Compromise (02:42)
Halil: Alex. FortiClientEMS. Two CVEs, both pre-auth. How bad is this really?
Alex: It's a nightmare. Both CVE-2026-21643 and CVE-2026-35616 are pre-authentication RCE. Public PoCs exist. CVSS 9.8 on the SQL injection one — and for once, that score is not inflated.
Halil: Walk me through the mechanics.
Alex: CVE-2026-21643 is essentially a one-liner. You inject SQL via the Site HTTP header into a specific API endpoint — multi-tenant mode, no authentication required. Bishop Fox confirmed you get PostgreSQL superuser access directly.
James: And superuser on PostgreSQL means RCE via COPY TO PROGRAM. It chains immediately.
Alex: Exactly. The second CVE, 35616, is an API auth bypass — you spoof the X-SSL-CLIENT-VERIFY header to SUCCESS and the system trusts you. Defused caught this being exploited in the wild before any PoC was public. Someone had their own zero-day.
Halil: Six days between first exploitation and the hotfix dropping.
Alex: Six days. And we're looking at two thousand to four thousand internet-facing instances — Shadowserver, FOFA, Hunter all confirm it. US and Germany heavily represented.
Lena: The exposure numbers matter less than what EMS actually is. This isn't a web server. EMS manages endpoints — it has pre-existing trust relationships across the entire enterprise.
Alex: Right. Own EMS and you own the ability to push configurations to every managed endpoint. It's SolarWinds-class control-plane access.
James: If you're running versions 7.4.4 through 7.4.6 and you're internet-facing — stop listening to this podcast. Go firewall those management ports right now. TCP 8080, 10443, 8443. Then come back.
Halil: James, what's the four-hour playbook for orgs that can't patch immediately?
James: Hour zero to one: network isolation. Restrict those management ports to a source IP whitelist only — your SOC subnets, your jump boxes. Nothing else inbound.
James: Hour one to two: turn logging to debug level. You're hunting for anomalous X-SSL-CLIENT-VERIFY headers and SQL injection patterns in the Site header — apostrophes, hex-encoded injection, OR 1=1.
Alex: And hunt child processes from FCTScheduler.exe and Apache.exe. EMS should never spawn PowerShell. If you see that, assume breach.
James: If you find suspicious activity — do not shut the server down. Network-isolate it, take a memory dump, then rotate every credential EMS can touch.
04 CISA Deadline and Regulatory Stakes (05:58)
Halil: Sofia — CISA has issued a binding directive. April 11. What happens to federal agencies that miss it?
Dr.: This is not advisory. Under FISMA, agency heads must report missed remediation deadlines to Congress and OMB within fifteen days. CISA has the authority to remove non-compliant systems from the network entirely.
Halil: Career-limiting consequences?
Dr.: Career-ending, potentially. Inspector General investigations are triggered. This isn't a checkbox exercise — post the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA's enforcement posture has hardened significantly.
Pierre: And the financial exposure compounds. Two thousand to four thousand exposed instances — if even a fraction are federal, and EMS-as-control-plane gets weaponized across those fleets, the downstream IR costs dwarf the patching inconvenience.
Dr.: Pierre is right. For EU entities under NIS2, a confirmed EMS compromise that exposes personal data triggers a twenty-four hour early warning obligation plus full notification at seventy-two hours. Penalties up to two percent of global turnover.
Halil: So the deadline is Friday. The clock is running. Let's move.
05 LiteLLM Supply Chain: The Persistence Problem (07:22)
Halil: Arjun. LiteLLM. Ninety-seven million monthly downloads. Tell me why this is worse than initial reporting.
Dr.: So, the headline was supply chain attack on a popular AI library. The real story is the persistence mechanism. TeamPCP dropped a file called litellm_init.pth into Python's site-packages directory.
Halil: A .pth file. Why does that matter?
Dr.: Because any .pth file in site-packages executes on every Python interpreter startup — before your code runs, before your security tools load. And standard pip uninstall does not remove it.
James: Hmm.
Dr.: I mean, think about what that means. Organizations that removed the package — versions 1.82.7 and 1.82.8 — and called it done? They're still backdoored. Every Python process on that machine is still executing attacker code.
Lena: That's the part that gets underreported. The remediation guidance that circulated initially was incomplete. Remove the package, rotate credentials, move on. That's not enough.
Dr.: Right. You need to manually hunt: find / -name litellm_init.pth. If that file exists anywhere on your system, you are still compromised. Full stop.
Alex: What did the payload actually do once it had execution?
Dr.: Three-stage payload. First: credential harvesting — AWS, GCP, Azure keys, environment variables, SSH keys, Kubernetes service account tokens. Second: systemd backdoor running every fifty minutes contacting C2. Third: Kubernetes cluster infiltration — reading secrets, deploying privileged pods.
Alex: So if LiteLLM ran in a containerized environment—
Dr.: Assume cluster compromise. The ARMO analysis confirmed pod deployment across all nodes. This isn't one machine — it's your entire orchestration layer.
Pierre: Let me put a number on the blast radius. Fifteen to forty thousand organizations, ninety-seven million monthly downloads — when you model cascade effects into cloud workloads, we're talking one hundred fifty to four hundred thousand cloud environments touched. This is a mass credential-theft event.
Halil: Pierre, at what point does this become a systemic risk — not just individual org incidents?
Pierre: Well, honestly, we may already be past that threshold. LiteLLM sits at a chokepoint in AI infrastructure. If stolen credentials were retained, attackers have persistent access to AI pipelines across hundreds of enterprises. That's not individual incidents — that's ongoing industrial espionage.
06 LiteLLM: AI Pipeline Exposure (12:15)
Halil: Arjun, I want to push on the AI-specific risk. Could attackers have intercepted LLM API calls? Modified model outputs?
Dr.: So — the immediate payload was credential theft, not pipeline manipulation. But here's the thing: the credentials they harvested include LLM provider API keys. If attackers retained cloud access, they could have persistent interception capability on inference requests.
Alex: The .pth file executes on every Python startup. Every inference call, every logging event — the architecture was there for comprehensive prompt and output logging.
Dr.: Exactly. We don't have evidence of prompt exfiltration in the confirmed payloads. But the attack surface was perfectly positioned for it. Any org running LiteLLM in a RAG or fine-tuning pipeline — you need to audit what your AI system could touch.
Halil: Training data poisoning — realistic concern here?
Dr.: Less likely with this specific payload. But the lateral movement into datastores — if those datastores feed training pipelines — yes, that's a downstream risk that most security teams aren't even modeling yet.
James: Actionable: for anyone who ran affected versions in Kubernetes — you're doing a full environment rebuild. Not a patch, not a credential rotation. Rebuild. The systemd backdoor plus the pod infiltration means your trust boundaries are gone.
Dr.: And for EU entities — the confirmed credential exfiltration to the C2 servers meets the GDPR Article 33 threshold. You don't need confirmed database access. The credential theft itself triggers the seventy-two hour notification obligation if those credentials touched personal data processing systems.
Halil: What's the notification exposure under NIS2 for essential entities?
Dr.: Twenty-four hour early warning, seventy-two hour full notification. Penalties up to two percent global turnover or ten million euros — and dual NIS2 plus GDPR obligations can compound. Document everything before you notify.
07 Drift Protocol: DPRK Crosses Into HUMINT (14:35)
Halil: Let's talk about Drift Protocol. Lena — attribution confidence. How solid is the DPRK link?
Lena: Medium-high. Mandiant forensic investigation linked this to the October 2024 Radiant Capital hack. SEAL 911 corroborated. On-chain forensics traced fund flows to the same infrastructure.
Halil: Same unit?
Lena: Same operational unit. Fifty-three million from Radiant in October 2024. Two hundred eighty-five million from Drift in March 2026. Six-month gap between operations — classic DPRK pacing. They don't rush.
Dr.: And what's significant here is the doctrinal shift. Swift attacks, Bangladesh Bank — those were penetration and exfiltration. Drift is institutionalized infiltration. Six months of face-to-face meetings using hired non-Korean intermediaries at crypto conferences.
Lena: The intermediary piece is what I keep coming back to. DPRK has used front companies before. Remote IT worker schemes since at least 2018. But systematic use of third-party intermediaries for in-person social engineering at this scale — that is an operational security evolution.
Dr.: It mirrors Cold War technological penetration operations. The Singapore Summit lesson applied to cyberspace — if direct contact risks attribution, outsource the handshake.
Halil: A million-dollar deposit to establish credibility. That's not a budget a freelance threat actor has.
Lena: Exactly. Six-month operations with travel coordination across multiple countries, a fake quantitative trading firm, legitimate capital deployed — this requires state backing. This is not improvisation.
Dr.: And Taylor Monahan's research suggests this unit has embedded personnel in over forty DeFi projects over approximately seven years. The tradecraft is now industrialized.
Halil: Lena, how confident are you in that forty-plus figure?
Lena: Moderate confidence. It's Monahan's OSINT correlations — Mandiant and CrowdStrike haven't independently confirmed the number. But the order of magnitude feels right given what we know about the IT worker pipeline.
08 Following the Two Hundred Eighty-Five Million (17:03)
Halil: Viktor. Follow the money. Where did two hundred eighty-five million dollars go in twelve minutes?
Viktor: So — they converted stolen assets to approximately two hundred sixty-four million in ETH via Jupiter DEX on Solana, then bridged to Ethereum. About nineteen thousand nine hundred ETH moved through Chainflip, Raydium, Orca, and Meteora. SOL directed toward Hyperliquid and Binance.
Halil: That speed — is that automated?
Viktor: This is not a person clicking. This is automated laundering infrastructure. The wallet was created eight days before the attack with test transfers — classic pre-operational staging. Same peel-chain structure we saw in the Ronin Bridge heist.
Lena: Which tracks. This is the same unit that did Ronin, Bybit — they iterate on the laundering infrastructure between operations.
Viktor: Right. And here's where it gets infuriating. Circle had a six-hour window to freeze USDC during the attack. The funds moved through Circle's own Cross-Chain Transfer Protocol — over one hundred transactions, two hundred thirty million in USDC bridged without intervention.
Halil: Circle had frozen wallets days earlier in an unrelated civil case.
Viktor: The capability existed. ZachXBT documented this in real time. Circle chose — or failed — to act during a six-hour window while a state-sponsored heist was in progress.
Dr.: That is a policy and governance failure, not a technical one. And it matters beyond this incident — it signals to DPRK that the stablecoin infrastructure will not respond in time.
Viktor: Exactly. This is the eighteenth DPRK-linked crypto theft in 2026. Over three hundred million stolen year-to-date by North Korean actors alone. Cumulative since 2017 — six point five to seven billion dollars. Cryptocurrency is their primary state revenue stream.
Pierre: Pierre's number validates. That's above one hundred fifty percent of what traditional extortion generates for them. The Drift exploit pushes their 2026 total above six hundred million.
Halil: What's recoverable at this point?
Viktor: Honestly? If any portion is sitting on KYC exchanges like Binance, there is a narrow window. But given the Hyperliquid routing and the bridge speed — most is already deeply obfuscated. The trail doesn't disappear, but it becomes exponentially harder with every hop.
09 Convergence: The Attribution Problem (19:54)
Halil: Elena, earlier you suggested a triangular relationship — DPRK skills, Iranian political will, Russian criminal infrastructure. Viktor's on-chain analysis didn't find that. Where do you land now?
Dr.: I overreached. Viktor's forensics showed clean separation in the laundering chains. No on-chain overlap between Pay2Key and DPRK wallet clusters. The triangular thesis doesn't hold for these specific operations.
Viktor: Right. What you see is Pay2Key recruiting on Russian forums — that's market behavior. They're buying infrastructure, not coordinating operations. Different thing.
Dr.: And that's the more interesting pattern, actually. Three independent actors — DPRK doing long-horizon crypto theft, Iran doing geopolitically-timed pressure operations on Israeli infrastructure, Russian criminal groups providing the commodity infrastructure. Convergence without coordination.
Lena: That's the right framing. They're all adopting identical tradecraft — synthetic identities, credential-based access, trust exploitation — because these methods work against current defensive architectures. Not because they're talking to each other.
Halil: And that's actually harder to defend against.
Lena: Much harder. When tradecraft becomes commoditized, you can't attribute your way to a defense. You have to fix the defensive gaps the tradecraft exploits.
Dr.: And our attribution frameworks were built for a world where distinct actors had distinct fingerprints. When everyone's using the same playbook — synthetic identities, long-horizon infiltration — those frameworks start breaking down.
Alex: From a technical standpoint — I'm less interested in who is doing it and more interested in the fact that the same defensive gaps keep getting exploited. The gap between package managers and persistence. Between identity verification and trust. Fix those gaps and the attribution question becomes less urgent.
Halil: That tension — attribution versus defensive architecture — we'll come back to that in the synthesis.
10 Qilin BYOVD: Killing EDR at the Kernel (22:06)
Halil: Qilin and Warlock ransomware. Bring Your Own Vulnerable Driver — they're killing EDR before encryption starts. Alex, how does this work?
Alex: So Qilin operators load rwdrv.sys and hlpdrv.sys — legitimate but vulnerable kernel drivers — then use them to terminate EDR processes at ring zero. Kernel level. The EDR never sees it coming.
James: And they're suppressing ETW — Event Tracing for Windows — at the same time. So your logging infrastructure is blind. You're executing entirely in memory with no telemetry.
Alex: Ninety-five percent EDR kill rate once the driver loads. That number is not hype — Talos confirmed it. And eighty to ninety percent of enterprises haven't deployed the controls that actually stop this.
Halil: James — Microsoft's Vulnerable Driver Blocklist. Does it cover these drivers?
James: Partial. rwdrv.sys is on the blocklist. hlpdrv.sys is inconsistent — it's used legitimately by some system tools, so coverage is hit-or-miss. Do not rely on the blocklist alone.
Alex: And they're using Halo's Gate for syscall recovery — indirect syscalls that evade user-mode hooks. So your traditional EDR instrumentation is largely useless here.
James: Which is why HVCI and WDAC are the only reliable mitigations. Hypervisor-Protected Code Integrity — Memory Integrity in Windows settings — blocks unsigned kernel drivers entirely. WDAC driver allow-listing creates an explicit whitelist. Default deny everything else.
Halil: And eighty to ninety percent of enterprises haven't deployed these.
James: Yeah. Legacy drivers, compatibility concerns — I understand why. But right now, with this threat active, the calculus has changed. Enable HVCI via Intune or CSP: DeviceGuard HVCI equals one. If you have legacy drivers, audit mode first. But move.
Alex: Hunt Sysmon Event ID 6 for rwdrv.sys, hlpdrv.sys, gmer.sys, procexp.sys variants. Alert on kernel driver loads outside approved hashes. ETW is suppressed, so pivot to hardware-backed events — Event ID 4673, Privileged Service Call.
Pierre: The financial case for deploying HVCI is straightforward. Per-incident cost triples — a four hundred fifty thousand dollar baseline IR goes to one point seven five to two point eight five million when EDR is neutralized. Containment fails sixty to seventy percent of the time. The HVCI deployment cost is rounding error by comparison.
11 EvilTokens and AI-Augmented Phishing (25:10)
Halil: EvilTokens phishing campaign. Three hundred forty-four organizations compromised. Arjun — is the AI angle real or is this vendor hype?
Dr.: It's both, honestly. The AI component is real — Sekoia and Microsoft both confirm it's using generative AI to craft hyper-personalized lures targeting victims by role. RFPs for procurement teams. Invoices for finance. That's more than keyword stuffing.
Alex: But the core innovation isn't the AI. It's the OAuth Device Code flow abuse.
Dr.: Exactly. Microsoft's Device Code Grant flow was designed for printers and IoT devices — it's being weaponized to bypass MFA entirely. You get a ninety-day persistent token. No credentials stolen, no password required.
Halil: So what does the AI actually add?
Dr.: Accessibility. Scale. Your sophisticated APT has been doing hyper-targeted phishing for years. EvilTokens democratizes that to script-kiddie level — Telegram-based affiliate distribution at five hundred to fifteen hundred dollars per license. The volume threat just exploded.
Lena: Over one thousand phishing domains by March 23rd. Sekoia tracked that. Unique AI-generated templates for every target means your signature-based email gateway heuristics break down.
James: The mitigation is clear: restrict or disable the OAuth Device Code Authentication flow in Microsoft Entra ID — that's Microsoft's identity platform. Audit Conditional Access policies today. Look for bulk device code redemptions from single IPs, geographic impossibilities in sign-in logs.
Halil: Three hundred forty-four organizations. How many are still compromised without knowing it?
Dr.: Well — ninety-day token lifetime with no password involved means no password rotation triggers detection. If you haven't audited device code grants in your Entra logs, you could have active adversary-controlled sessions right now.
James: Treat any token obtained outside standard interactive browser sessions as potentially adversary-controlled. That's the working assumption until you've audited.
12 Pay2Key Revival and Iranian Timing (27:39)
Halil: Pay2Key ransomware targeting US healthcare. Elena — is the timing coincidental?
Dr.: Almost certainly not. The February attack on the US healthcare provider occurred during documented US-Iran military tensions. Check Point Research tracked Iranian APT password-spraying over three hundred Israeli Microsoft 365 organizations in the same window — including municipalities, which they assessed as military-related intelligence gathering.
Halil: Battle damage assessment.
Dr.: Classic doctrine. When kinetic tensions spike, Tehran increases cyber operations as a pressure release valve. The healthcare targeting is dual-purpose — demonstrate reach into civilian critical infrastructure, and gather real-time situational awareness that HUMINT can't provide when cities are on alert.
Lena: Halcyon calls Pay2Key Iranian government-linked. The attribution has historical depth. But the current recruitment on Russian criminal forums since 2025 — that's market behavior, not alliance building.
Dr.: Right. Operational proximity through criminal infrastructure, not state coordination. The distinction matters for attribution frameworks.
Halil: Sofia — the healthcare organization. No data exfiltration confirmed. HIPAA implications?
Dr.: So — Halcyon's joint report with Beazley noted no data exfiltration detected. That is a critical legal distinction. Under HIPAA 45 CFR section 164.404, breach notification applies when PHI is accessed, acquired, used, or disclosed in an unauthorized manner.
Dr.: Encryption-only, no exfiltration — if the covered entity can demonstrate PHI remained encrypted with FIPS 140-2 compliant encryption throughout, the safe harbor provision may apply. No breach notification required.
Halil: But they still have to do the risk assessment.
Dr.: Mandatory. The section 164.402(2) four-factor assessment — nature and extent of PHI, who accessed it, whether it was actually acquired or viewed, extent of mitigation. You cannot simply declare no breach. Document everything. The analysis must exist on paper.
Pierre: And from an insurance perspective — the Beazley involvement signals active claims assessment. The encryption safe harbor saves on regulatory exposure, but the business interruption costs from a three-hour encryption event at a healthcare provider are material regardless of notification obligations.
13 Synthesis: The Gaps Between Layers (30:27)
Halil: Let me pull the threads together. Five threats today. One pattern underneath all of them.
Halil: Fortinet — attackers exploiting the gap between internet-facing management infrastructure and the fleet it controls. LiteLLM — exploiting the gap between package removal and actual persistence. Drift — exploiting the gap between identity verification and human trust. Qilin — exploiting the gap between EDR and the kernel. EvilTokens — exploiting the gap between authentication protocols and how they're actually used.
Lena: And the convergence without coordination point matters here. DPRK, Iran, criminal ransomware groups — they're not sharing tradecraft. They're independently discovering that these gaps work. That's what commoditized exploitation looks like.
Dr.: Which means fixing individual vulnerabilities isn't sufficient. The defensive architecture itself has to close those gaps — or adversaries will keep finding their way through them regardless of who is doing the attacking.
Alex: From a technical standpoint, the immediate priorities are clear. FortiClientEMS: patch or firewall right now. LiteLLM: hunt for that .pth file — pip uninstall is not enough. BYOVD: deploy HVCI. These are the three actions that reduce your exposure in the next seventy-two hours.
James: I'd add EvilTokens to that list. Disable Device Code flow in Entra ID if you don't have a documented use case for it. The ninety-day token lifetime means you may already have active sessions you don't know about.
Halil: What are we watching tomorrow?
Lena: CISA's April 11 FortiClientEMS deadline. Whether agencies comply. Whether we see confirmed exploitation escalate before Friday.
Viktor: Circle's response to the USDC freeze failure. If there's no policy change announced, that six-hour window becomes the new standard expectation for DPRK operations — and they will design around it.
Dr.: And whether the LiteLLM incident prompts PyPI to implement mandatory maintainer verification for packages above a download threshold. Ninety-seven million monthly downloads and no secondary verification required — that's a platform governance failure waiting to be fixed.
Halil: The adversaries are patient. They map the gaps, they invest in trust, they wait. The question is whether our defensive architecture can close gaps faster than they find new ones. Right now, based on today's briefing — we're not winning that race. But we know exactly where to start.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.