
SANS StormCast Highlights Malware Techniques, Cisco Vulnerability, AMD Firmware Issue, and LLM Manipulation Risks
The June 16, 2026, SANS Internet Storm Center StormCast covered a malware analysis technique in which a malicious payload was hidden in an MSI wallpaper file and encoded with a modified base64 scheme: characters were swapped (A’s replaced with symbols) and the string order was reversed. Didi demonstrated decoding tools and highlighted common pitfalls, such as dead ends in analysis, to help viewers work through similar samples.

Cisco released an advisory for a medium-severity (CVSS 6.5) arbitrary file write vulnerability in Catalyst SD-WAN Manager. Exploitation requires authenticated access, but the flaw has already been observed in limited attacks in the wild as of June 2026.

AMD’s encrypted memory feature, designed to mitigate attacks like 'evil maid,' was found disabled on consumer CPUs despite BIOS settings indicating otherwise, following a firmware update that removed the functionality without user notification. The segment also noted the feature’s prior functionality on AMD Pro Series and Epyc server CPUs, contrasting with its absence in consumer-grade hardware.

Researchers from Cornell University revealed that large language models (LLMs) can be manipulated by altering small snippets (10–20 words) on high-traffic websites like Reddit or Wikipedia, leading to incorrect or malicious outputs in automated research agents.
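The modified base64 scheme from the malware item (A’s swapped for a symbol, string reversed) can be undone by testing each hypothesis with strict decoding. This is an added example, not code from the podcast or its tools; the `@` stand-in symbol, the candidate symbol list and the sample payload are assumptions constructed for illustration.

```python
import base64
import binascii

# Constructed sample data, not taken from the malware discussed in the podcast.
SAMPLE_PAYLOAD = b"constructed sample\x00\x00\x00\x00payload"
ASSUMED_SYMBOL = "@"  # assumption: the page does not say which symbol replaced 'A'


def obfuscate(data: bytes, symbol: str) -> str:
    """Build a test string: base64, every 'A' swapped for `symbol`, then reversed."""
    return base64.b64encode(data).decode("ascii").replace("A", symbol)[::-1]


def decode_obfuscated(text: str, symbol: str, is_reversed: bool = True) -> bytes:
    """Undo the reversal and the character swap, then strictly decode base64."""
    if is_reversed:
        text = text[::-1]
    text = text.replace(symbol, "A")
    # validate=True raises on characters outside the base64 alphabet; the default
    # silently discards them, which can yield garbage bytes instead of an error.
    return base64.b64decode(text, validate=True)


def find_decoding(text: str, symbols=("@", "#", "!", "*")):
    """Try each (symbol, reversed?) hypothesis and keep those that decode cleanly."""
    hits = []
    for symbol in symbols:
        if symbol not in text:
            continue  # this symbol cannot be the stand-in for 'A'
        for is_reversed in (False, True):
            try:
                hits.append((symbol, is_reversed,
                             decode_obfuscated(text, symbol, is_reversed)))
            except (binascii.Error, ValueError):
                pass  # dead end: not valid base64 under this hypothesis
    return hits


SAMPLE = obfuscate(SAMPLE_PAYLOAD, ASSUMED_SYMBOL)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE)
    for symbol, is_reversed, data in find_decoding(SAMPLE):
        print(f"symbol={symbol!r} reversed={is_reversed} -> {data!r}")
```

A clean decode is not proof of the right hypothesis: when the encoded string carries no `=` padding, both orders can decode without error, so check the output for the structure you expect before moving on.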