Dragon Bytes

Sandboxes, Seizures, and the Industrialization of Cybercrime

27 min · 2 February 2026

This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Will Thomas to break down a convergence of nation-state activity and critical infrastructure disruptions. We cover the FBI's takedown of the RAMP cybercrime forum, the re-attribution of Poland's energy sector cyberattack to Dragonfly, and a wave of critical sandbox escapes affecting developer and AI environments. Plus, we discuss how attackers are weaponizing physical snail mail for extortion and the strategic impact of Google's latest disruption of the IPIDEA proxy infrastructure.


Topics & References:

Part 1: Major Infrastructure & Law Enforcement Actions

  • FBI Seizes RAMP Cybercrime Forum: A major blow to Russian-speaking initial access brokers (IABs). RAMP stood as a safe haven for ransomware groups like BlackCat and LockBit after other forums banned ransomware activity.

    • Analyst Note: Expect forum migration and operational mistakes as these actors scatter to new homes.

    • Read more: https://shorturl.at/cURYo

  • Google Disrupts IPIDEA Infrastructure: A coordinated takedown of a massive residential proxy network leveraged by botnets (Kimwolf/AISURU) and fraud operations.

    • The Impact: This creates a short-term detection window for hunters as adversaries migrate to noisier fallback infrastructure.

  • Poland Energy Sector Re-attribution: CERT.PL has officially attributed the massive energy incident from late 2025 to Dragonfly (Energetic Bear) rather than Sandworm.

    • Critical Takeaway: Hitachi Energy confirmed no product flaws were used; the breach stemmed from default credentials and environmental misconfigurations.

    • Read more: https://shorturl.at/I707p

Part 2: Emerging Vulnerabilities & Malware Campaigns

  • Critical Sandbox Escapes (CVE-2026-22709): Assumptions of "safe execution" are failing in developer tooling and AI environments. We break down the Grist-Core Pyodide escape and a bypass of the popular vm2 Node.js sandbox library.

  • SolarWinds Web Help Desk RCE (CVE-2025-40551): An unauthenticated remote code execution vulnerability that serves as a high-impact lateral movement enabler.

    • Key TTPs:

      • Whitelist bypass using malformed URIs containing /ajax/

      • Exploitation path includes /helpdesk/WebObjects/Helpdesk.woa/wo/ with wopage=LoginPref
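A hunting check built from the two indicators the notes give for this bug, as an added example that is not from the episode or from SolarWinds: it scans combined-format access log lines for requests that reach the Web Help Desk WebObjects path, carry an /ajax/ segment (including percent-encoded forms, an assumed evasion), and set wopage=LoginPref. The log lines and client addresses are constructed for the example; the exact malformed-URI shape used in real exploitation is not in the notes, so the check keys on the indicators rather than on a specific payload.

```python
"""Flag Web Help Desk requests matching the CVE-2025-40551 indicators from the show notes.

Added example (not the podcast's or SolarWinds' code). Sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 2 from the notes, compared case-insensitively.
WHD_WO_PATH = "/helpdesk/webobjects/helpdesk.woa/wo/"

# Constructed sample traffic: one benign WHD request, two suspicious ones, one unrelated /ajax/ hit.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2026:10:15:01 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/?wopage=Ticket HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2026:10:15:09 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/../ajax/?wopage=LoginPref HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.7 - - [02/Feb/2026:10:15:11 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/%2Fajax%2F?wopage=LoginPref HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.9 - - [02/Feb/2026:10:16:00 +0000] "GET /static/ajax/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def normalize(target: str) -> str:
    """Percent-decode twice so %2Fajax%2F and %252Fajax%252F both surface as /ajax/.

    Assumption: double-encoding is a plausible way to slip past a path whitelist.
    Decoding before splitting means an encoded '?' or '&' is also honoured, which
    is what we want for hunting (over-match rather than under-match).
    """
    for _ in range(2):
        target = unquote(target)
    return target


def indicators(target: str) -> list[str]:
    """Return the list of indicator names present in one request target."""
    parts = urlsplit(normalize(target))
    path = parts.path.lower()
    query = parse_qs(parts.query)
    hits = []
    if WHD_WO_PATH in path:
        hits.append("whd_wo_path")
    if "/ajax/" in path:
        hits.append("ajax_segment")
    if any(v.lower() == "loginpref" for v in query.get("wopage", [])):
        hits.append("wopage_loginpref")
    return hits


def scan(log_text: str) -> list[dict]:
    """Alert on requests that hit the WHD path plus at least one of the other two indicators.

    Requiring the WHD path keeps unrelated /ajax/ assets (static JS) out of the results.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = indicators(m["target"])
        if "whd_wo_path" in hits and len(hits) >= 2:
            alerts.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": m["status"],
                "target": m["target"],
                "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ip"], a["method"], a["status"], a["target"], a["hits"])
```

Pivot on the source address of any alert: the notes describe this as a lateral-movement enabler, so the interesting follow-on is what that host did to the rest of the network after a 200 or 302 on the suspicious path, not the request itself.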

  • CVE-2026-21962: "AI Slop" or Exploit? SANS ISC observed scanning activity targeting WebLogic with non-functional, AI-generated payloads, highlighting a new challenge in distinguishing signal from noise.

  • TA584 Extortion Pivots: This initial access broker has tripled its campaign volume and now uses photos of physical snail mail customized with victim details to increase psychological pressure.

  • New Report: Voices of the Cybersecurity Strategist - A Benchmark Report for Security Leaders. Insights from leading CISOs, VPs, and Directors on navigating threat landscapes, allocating resources, and aligning security with business objectives.


Dragon Bytes by Dragon Bytes is available on several platforms. The information on this page comes from public podcast feeds.