Adversary Universe Podcast

He’s back, and he’s ready to talk botnet takeovers.Tillmann Werner, VP of Intelligence Production at CrowdStrike, returns to the podcast to discuss CrowdStrike’s coordinated takeover of the Glassworm botnet. Glassworm was a global threat targeting software developers through the open-source supply chain. This infection vector stood out — open-source ecosystems are based on trust, and adversaries are learning they can reach a vast pool of victims by compromising the supply chain. Some open-source libraries get 100 million downloads per week.Glassworm was described as an “unkillable” botnet. Resilience was built into its design, which relied on four different command-and-control channels. This made the takeover complicated because a botnet can’t be taken over until all command-and-control mechanisms are suppressed.“Once it’s down, you gotta make sure it’s down,” said Adam, who calls Tillmann the “bot slayer.”In this episode, they get into the details: what Glassworm was after, how its unknown operators strengthened its infrastructure, and the planning and execution behind the takeover. Tillmann and his team facilitated the process by conducting extensive technical analysis, understanding Glassworm’s evolution, and spotting the opportunity to disrupt it. They worked with partners across the private and public sectors, as well as internally at CrowdStrike, to do it safely and avoid disrupting critical systems.Come for the behind-the-scenes details, and stay for the debate around baking the perfect pizza in this episode of the Adversary Universe podcast. Learn more in our blog: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/.

CrowdStrike research into AI coding assistants reveals a new, subtle vulnerability surface: When DeepSeek-R1 receives prompts the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security flaws increases by up to 50%. Stefan Stein, manager of the CrowdStrike Counter Adversary Operations Data Science team, joined Adam and Cristian for a live recording at Fal.Con 2025 to discuss how this project got started, the methodology behind the team’s research, and the significance of their findings. The research began with a simple question: What are the security risks of using DeepSeek-R1 as a coding assistant? AI coding assistants are commonly used and often have access to sensitive information. Any systemic issue can have a major and far-reaching impact. It concluded with the discovery that the presence of certain trigger words — such as mentions of Falun Gong, Uyghurs, or Tibet — in DeepSeek-R1 prompts can have severe effects on the quality and security of the code it produces. Unlike most large language model (LLM) security research focused on jailbreaks or prompt injections, this work exposes subtle biases that can lead to real-world vulnerabilities in production systems. Tune in for a fascinating deep dive into how Stefan and his team explored the biases in DeepSeek-R1, the implications of this research, and what this means for organizations adopting AI.

In the Asia Pacific and Japan (APJ) region, a burgeoning set of threat actors is emerging with a different language set, distinct tools, and an ecosystem where they interact with adversaries across the threat landscape.The CrowdStrike 2025 APJ eCrime Landscape Report explores the trends and issues facing organizations operating in this part of the world. For example, criminal groups in APJ are focused on opportunistic big game hunting and primarily target organizations in manufacturing, technology, industrials and engineering, financial services, and professional services. The sale of phishing kits is popular, with some going for up to $1 million. These threat actors prefer phishing, spam campaigns, and remote access toolkits to enable their operations. And they often find them on thriving Chinese-language marketplaces, which enable the sale of illicit services. While Eastern Europe is typically known as a hotbed of eCrime activity, the APJ region is one to watch. Tune in to hear Adam and Cristian discuss the key adversaries operating in the region, the threats that stand out to them, and how defenders can stay safe. Read the report: 2025 APJ eCrime Landscape Report Watch on YouTube: https://youtu.be/97javj3hmAA

This week’s episode arrives as Adam and Cristian are gearing up for Fal.Con, CrowdStrike’s annual event taking place next week in Las Vegas. They’ll be recording a live episode on some fascinating LLM research presented at the show, so stay tuned for that in a couple of weeks.Amid their prep, they took the time to sit down for a conversation starting with a simple prompt: What are today’s security leaders and practitioners talking about? Their discussion sheds light on the industries hardest hit by nation-state and eCrime activity and explores why some sectors, like technology and telecommunications, are seeing a sharp spike in targeted intrusions while others are facing an increase in cybercrime.Tune in to learn about shifts in Chinese cyber activity, what happens when an adversary sees another adversary in a target environment, and whether modern tech innovations will drive changes in cyber espionage.

In the first half of 2025 alone, cloud intrusions were up 136% compared to all of 2024. China was a big driver — CrowdStrike saw a 40% year-over-year surge in intrusions from suspected cloud-conscious China-nexus threat actors. In the government sector, interactive intrusions increased 71%, and targeted intrusion activity jumped 185%. The CrowdStrike OverWatch threat hunting team has a firsthand look at how adversaries are changing their techniques. In the CrowdStrike 2025 Threat Hunting Report, published today, the team shares observations, trends, and shifts seen in its threat hunting and adversary engagements over the past 12 months. In this episode, Adam and Cristian dive deep into the report’s key findings and put them into context. They explore why the use of malware is going down (and why it won’t go away), unpack the rise in government intrusions, and explain the role of generative AI (GenAI) in today’s threat landscape. They examine the rise of prolific adversaries such as SCATTERED SPIDER and FAMOUS CHOLLIMA and discuss the techniques organizations can use to stop them. Below are more key stats from this year’s report: 73% of all interactive intrusions were eCrime 81% of interactive intrusions were malware-free In the first half of 2025, voice phishing (vishing) attacks surpassed the total number seen in 2024 FAMOUS CHOLLIMA insiders infiltrated 320+ companies in the last 12 months — a 220% year-over-year increase — by using GenAI throughout hiring and employment Download the report to learn more. Links: 📃 Threat Hunting Report: https://www.crowdstrike.com/resources/reports/threat-hunting-report/ 🎧 Our site: https://www.crowdstrike.com/en-us/resources/adversary-universe-podcast/

You asked, and we answered. This episode of the Adversary Universe podcast takes a deep dive into questions from our listeners. What did you want to know? Well, a lot about adversaries, but also about career paths and the threat intel space. Tune in to hear the answers to questions like: • How did you break into the threat intelligence space?• Who is the first adversary CrowdStrike tracked? • Who is an adversary that keeps you up at night and why?• What was a jaw-dropping moment you experienced in tracking adversaries?• If you didn’t work in infosec, what would your dream job be? Thanks to everyone who submitted questions. We’d love to continue hearing from you. 💼 Careers at CrowdStrike: https://www.crowdstrike.com/en-us/careers/

Would you rather have an adversary profile you based on your AI chat history or tell your AI chatbot to forget everything it knows about you? That’s one of many questions Adam and Cristian explore in this episode on how adversaries are integrating AI into cyberattacks. These days, it seems AI is everywhere — and that includes the adversary’s toolbox. Adam and Cristian describe multiple forms of malware that use AI in different ways, from identifying text in photos to writing code. And while these attacks still require humans to stitch all the pieces together, there is a growing concern that adversaries will continue to improve. Tune in to learn how adversaries are baking AI into their tools, and about Adam’s latest adventures in baking bread, in this episode of the Adversary Universe podcast.