This week on Dragon News Bytes, Eli Woodward and Will Baxter break down a relentless wave of CI/CD pipeline compromises. The team dives into the rapid-fire attacks by Team PCP, the emergence of Citrix Bleed 3.0, and the psychological warfare tactics of Iranian-aligned hacktivists. Plus, we explore why English-speaking ransomware actors are ditching encryption entirely in favor of "Exfil and Extort" models.
Topics & References
Part 1: The CI/CD Pipeline Blitz & Team PCP
The Team PCP Blitz: A new group has claimed responsibility for five major incidents in a single week, including compromises of Trivy, React Native, LightLLM, and Telnyx.
AI-Enabled Supply Chain Attacks: The duo discusses the "Hacker Clawbot" proof of concept and how AI is likely being used to rapidly identify and weaponize common software packages.
The CTI Shift: Cyber Threat Intelligence teams must now broaden their perspective to include enterprise architecture and software supply chain workflows.
Part 2: Edge Warfare: Citrix Bleed 3.0
CVE-2026-3055: A new critical Citrix vulnerability is actively being exploited in the wild.
The "Memory Cough" Technique: Attackers are repeatedly hitting vulnerable endpoints to scrape memory bit by bit until they gather enough to gain full access.
Edge vs. MFA: The widespread success of MFA has forced attackers to pivot aggressively toward edge device exploitation as their primary initial access vector over the last five years.
Part 3: Iranian Geopolitical Hacking & Hacktivist Playbooks
High-Profile Leaks: Discussion of the Lockheed Martin data leak and the hacking of FBI Director Kash Patel’s personal email.
The "Hacktivist BS" Playbook: Eli breaks down how opportunistic actors use scary videos and exaggerated propaganda to spin minor MSP breaches into massive national incidents.
Handala & Wipers: Opportunistic attacks tied to the Handala group are utilizing stealers and new wiper variants to impact organizations.
Part 4: The Death of Encryption?
Exfil and Extort: Google Threat Intelligence reports that 77% of incidents by English-speaking actors now involve data exfiltration without encryption.
The Backup Victory: As corporate backups become more resilient, attackers are finding that pure data theft and leak site pressure offer a better ROI than providing decrypters.
Events & Community
RISE Ireland: April 14-25 in Dublin, Ireland
🔗 to register: https://go.team-cymru.com/rise-ireland
RISEx Sydney: May 6 in Sydney, Australia
🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026
RISEx Frankfurt: May 28th in Frankfurt, Germany
🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026
RISEx New York: June 16 in New York City, US
🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026
Underground Economy: September 7th-9th in Strasbourg, France. To be hosted at the Council of Europe, expecting 600-700 attendees. Registration will open the first week of April.
Connect with Us:
- Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
- Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.
