Adios 2025, you won’t be missed

Thursday, December 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

For us in America, we’re in the holiday doldrums and things slow and/or shut down until the new year. At Cisco, we shut down the last week of the year to reset and recharge, and I’ve grown to be quite fond of it. I’ve worked plenty of gigs where there were no holiday breaks, and now that I’m living that dream, I gotta tell ya, it’s a damn civilized way to live if you can get it.

It’s only natural for us to think on 2025 — what happened to us, what made the news, and with some trepidation (and maybe some hope) what lies in store for 2026.

I thought I’d summarize the notable things that come to mind for me:

1. Uncovering Qilin attack methods exposed through multiple cases
   Why this one? Quilin is one of the more aggressive cartels that I see in the ransomware space in 2025. On their dark web site, you can see a very active presence. When Talos crunches the numbers for the 2025 Year in Review, don’t be surprised if you see them at the top of the list as one of the more lucrative criminal cartels. Our blog post on this was outstanding — give it a read! (Also, our banner art is just great, if I do say so myself. Our design team is the best.) I think 2026 will see a heavy ransomware tempo. It is simply just too lucrative for the bad guys. Compounding this is the macro/micro world economy and good old fashioned geopolitical tensions. Everyone hold on tight.
2. Jaguar Land Rover posts heavy loss after cyber attack
   As someone who focuses on industrial control security, seeing a manufacturer getting hit so hard resonates with me. It proves the fragility that we see in this space, where operational and information technology mix to fulfill business imperatives, but at a real financial risk. This will be a case study of financial impacts cyber attacks can have on manufacturing with a heavily targeted vertical because the disruptions are costly and lucrative to ransomware actors. My bet is 2026 will see much more of this. No one wants to be the next Land Rover Jaguar. The bad guys know this, and there’s certainly blood in the water and the sharks have noticed.
3. Disrupting the first reported AI-orchestrated cyber espionage campaign
   Anthropic released a first of its kind report on a state-sponsored adversary using Claude to launch a full kill chain campaign against victims. I had a hard time with this report. It felt (and still feels) hyped to a degree. It’s an entirely plausible scenario, and I don’t want to imply it’s misleading! But the report doesn’t show its work. You can certainly see this being real, but it just misses the test for actual substantive intel. Still, it surely does make one wonder how much better AI attacks will get. The space is moving at blazing speed. Who’s to say what 2026 will show us for attacks and defense!

If you celebrate, enjoy the holidays. At the same time, I know this season can feel especially lonely for those of us who are missing loved ones. This year I lost my grandmother, and I am still processing the tremendous grief and loss for someone who helped raise me to be the man I am today. Find the time to spend with others and be kind to yourself. Resist the urge to isolate yourself. Use the holidays to invest in yourself and your health. I believe in you. I’ll see you all in 2026.

**The one big thing **

For this end-of-year Talos Takes episode — and Hazel’s last as host — we took a time machine back to 2015 to ask, “What would a defender from back then think of the madness we deal with in 2025?” Alongside Pierre, Alex, and yours truly, we reminisced about our own journeys, then got into the real meat: just how much ransomware has exploded (thanks, “as-a-service” model), why identity is now the main battleground, and how the lines between state-sponsored actors and APTs have blurred to the point of being almost meaningless.

**Why do I care? **

You don’t need me to tell you it’s a different world than it was ten years ago. The ransomware industry is bigger and nastier than ever, and attackers are more organized, more efficient, and more professionalized. The tools (and the stakes) keep changing, but burnout and complexity are constants. If you’re not keeping pace, you’re falling behind, and the attackers aren’t waiting up.

**So now what? **

Don’t panic, and don’t try to win it all alone. Double down on the basics, like identity and access management and keeping tabs on those “service accounts” that keep multiplying. Make sure your team is trained, supported, and has permission to step away from the keyboard once in a while. Don’t get distracted by AI; it is powerful, but it’s not a magic bullet. And maybe most important of all: Take care of yourself and your people. 2026 is going to bring more of the same (and some surprises), but if you stay grounded, curious, and human, you’ll be ready for whatever’s next.

**Top security headlines of the week **

Microsoft: Recent Windows updates break VPN access for WSL users
This known issue affects users who installed the KB5067036 October 2025 non-security update, released October 28th, or any subsequent updates, including the KB5072033 cumulative update released during this month’s Patch Tuesday. (Bleeping Computer)

French Interior Ministry confirms cyber attack on email servers
While the attack (detected overnight between Thursday, December 11, and Friday, December 12) allowed the threat actors to gain access to some document files, officials have yet to confirm whether data was stolen. (Bleeping Computer)

In-the-wild exploitation of fresh Fortinet flaws begins
The two flaws (CVE-2025-59718 and CVE-2025-59719 [CVSS score of 9.8]) are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. (SecurityWeek)

Google to shut down dark web monitoring tool in February 2026
Google has announced that it’s discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. (The Hacker News)

Compromised IAM credentials power a large AWS crypto mining campaign
The activity, first detected on Nov. 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication. (The Hacker News)

**Can’t get enough Talos? **

Humans of Talos: Lexi DiScola
Amy chats with Senior Cyber Threat Analyst Lexi DiScola, who brings a political science and French background to her work tracking global cyber threats. Even as most people wind down for the holidays, Lexi is tackling the Talos 2025 Year in Review.

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Our analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.

TTP: Talking through a year of cyber threats, in five questions
In this episode of the Talos Threat Perspective, Hazel is joined by Talos’ Head of Outreach Nick Biasini to reflect on what stood out, what surprised them, and what didn’t in 2025. What might defenders want to think about differently as we head into 2026?

**Upcoming events where you can find Talos **

We’ll be back in 2026 — see ya then!

**Most prevalent malware files from Talos telemetry over the past week **

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe
Detection Name: Win.Worm.Coinminer::1201

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376 Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe
Detection Name: Win.Dropper.Miner::95.sbx.tg

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename:ck8yh2og.dll
Detection Name: Auto.90B145.282358.in02

SHA256: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b
MD5: a8fd606be87a6f175e4cfe0146dc55b2
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b
Example Filename: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b.exe
Detection Name: W32.1AA70D7DE0-95.SBX.TG