Martin delves into how threat actors exploit chaos, offering insights from Talos' 2024 Year in Review on how to fortify defenses against evolving email lures and frequently targeted vulnerabilities, even amidst economic disruption.

Thursday, April 10, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings invoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize removing the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed, each weakness remediated helps move the security posture forwards and makes your organization a tougher target for the bad guys who in turn are more likely to seek easier quarry.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

**Why do I care? **

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

**So now what? **

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static but constantly changing to try and outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not be continuing for over 10 years since disclosure. Aggressively identify systems within your IT estate that are vulnerable to this attack and urgently patch them.

**Top security headlines of the week **

**Hackers strike Australia's largest pension funds.** A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters) 

**Ireland Plans 300-Strong Military Cyber Command**. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times) 

**Baltimore City Falls Victim to Vendor Fraud.** Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News) 

**CISA Warns of Vulnerabilities in ICS Software**. The US Cybersecurity & Infrastructure Agency released advisories relating to five series vulnerabilities in Industrial Control Systems software. (CISA)

**Can’t get enough Talos?**

*   **Unraveling the U.S. toll road smishing scams.** Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
*   **Beers with Talos: 2024 Year in Review.** Joe, Hazel, Bill and Dave break down 2024 Year in Review and discuss how and why cybercriminals are learning on attacks based in stealth and simplicity. Listen here.
*   **The TTP Ep 10 (Part 1).** Peeling back the layers of the threats that dominated 2024. Watch now.
*   **The TTP Ep 10 (Part 2).** Ransomware groups, and why we're seeing more identity attacks. Watch now.

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA   
*   PIVOTcon (May 7 – 9) Malaga, Spain   
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA   
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**     
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details   
Typical Filename: VID001.exe     
Detection Name: Simple\_Custom\_Detection

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**      
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe     
Detection Name: Coinminer:MBT.26mw.in14.Talos   

**SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b**   
MD5: f5e908f1fac5f98ec63e3ec355ef6279   
VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details   
Typical Filename: IMG001.exe   
Detection Name: Win.Dropper.Coinminer::tpd

Threat actors thrive in chaos

Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.

Thursday, April 10, 2025 10:30

*   Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.  
*   We observed that the campaign targets people across several states in the U.S. according to the domain names used in the smishing messages. 
*   Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by “Wang Duo Yu”, according to the intelligence obtained by Talos. 

**Toll road smishing attacks **

Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages. 

The actors send an SMS notification for an outstanding bill claiming that the potential victim owes a small amount of money, under $5 USD. They warn of potential late fees, prompting victims to visit a spoofed domain for the payment.  

Sample phishing SMS messages. 

When the victim visits the domain, they are prompted to solve a fake image-based CAPTCHA, after which it redirects the victims to a fake webpage with the legitimate toll service's logo. This webpage prompts the victims to enter their name and ZIP code to view their fake bill. The fake bill displays the victim's name with a message showing that they owe approximately $4 and warning of a $35 late payment fee. 

After the victim views their fake bill, they click the “Proceed Now” button which redirects them to another fake webpage. This site prompts the victim to enter their name, address, phone number and credit card information, which the threat actor eventually steals. Due to the limited visibility of the threat actor phishing infrastructure, Talos is unsure if there are any further payloads delivered to the victims' devices. 

In April 2024, FBI’s Internet Crime Complaint Center (IC3) warned about a similar toll road smishing campaign where the threat actor used the same brand impersonation technique but with a slight difference in the SMS message language, monetary values and formatting. 

Targeting toll road users in multiple states indicates the likelihood of the threat actor leveraging user information publicly leaked from large databases. For example, the threat actor behind the 2024 National Public Data leak released billions of records publicly which were then shared on private Telegram channels for further abuse. However, Talos currently does not have any evidence to suggest that the toll road smishing campaign is fueled by the National Public Data leaks.  

**Phishing infrastructure **

Talos observed that the actors have used several typosquatted domains in the SMS phishing messages to convince the potential victims to visit them. These typosquatted phishing domains were created during Oct. and Nov. 2024 and were observed resolving to one of the following IP addresses: 45\[.\]152\[.\]115\[.\]161 and 82\[.\]147\[.\]88\[.\]22.  

As of March 2025, Talos is still seeing new domains registered by the threat actors for the toll road scams, implying that the campaign is ongoing. During our research period, these newly registered domains resolved to the IP address 43\[.\]156\[.\]47\[.\]209. 

**Smishing kits likely used in the U.S. toll road scams **

Talos assesses with moderate confidence that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as “Wang Duo Yu", according to the intelligence obtained by Talos. 

We have observed similar smishing kits being used by the organized cybercrime group known as the "Smishing Triad." This group has conducted large-scale smishing attacks targeting mail services in multiple countries, including the United States Postal Service (USPS), as well as the financial and commercial sectors previously reported by Resecurity. 

Talos discovered references to specific phishing kits that are targeting toll systems in the DY Tongbu Telegram channel on "老王同步源码开发教学" translated to "Lao Wang Synchronized Source Code Development Tutorial."  

Public Lao Wang Synchronized Source Code Development Tutorial Telegram channel.

The Telegram channel shared details about a phishing module that allegedly spoofs the Massachusetts MassDOT's EZDriveMA toll system, as well as a phishing module that targets customers of the North Texas Toll Authority. At the time of publication, the Telegram channel had more than 4,400 subscribers. 

Further investigation has revealed that the developer, 王多余 (translated to Wang Duo Yu), has developed a similar smishing kit and operates the Lao Wang Synchronized Source Code Development Tutorial Telegram channel from two separate accounts. The pictures shown below display screenshots of the two telegram accounts related to Wang Duo Yu. 

Two telegram accounts related to Wang Duo Yu. 

Additionally, we noticed that the developer has created a YouTube channel where they upload tutorial videos. These videos cover topics such as "How to Build a PMTA Mail Server," "Setting Up an Automatic EPUSD Payment and Vending System," "Creating a Pagoda Panel Website (宝塔面板)," "Building the Simplest and Safest Node Using Native Tools," and "Using the X-UI Panel to Set Up a VMess+WS+TLS+Web or VLess+WS+TLS+Web Node."  Each video guides users on building basic web services or mail servers. 

Wang Duo Yu’s YouTube channel. 

There are also some private video links that cannot be found elsewhere. Talos found one such video on a Chinese forum. To access the post with the video link, users need special permissions in that forum. 

Wang Duo Yu’s YouTube channel with private video. 

We also observed Wang Duo Yu promoting their smishing kits business and tutorials on other Telegram channels, also offering personal lessons that include full-stack development, mail server setup and Telegram bot development. The threat actor offers a two-hour lesson each day and provides one-on-one instruction via remote desktop, charging ¥5888 (converting to approx. US $806 at time of publication) per class. 

Wang Duo Yu marketing the kits in telegram channels. 

One of the Telegram channels shown in the above picture is called, “向前论坛,” translating to " Xiangqian Forum,” of which Wang Duo Yu is a moderator. Wang Duo Yu posted articles in this forum to increase subscribers, promoted their own teaching courses, and provided links and discount codes for purchasing VPS and domains. 

Wang Duo Yu selling the VPS and cloud services through his website. 

We also found an additional website selling the VPS and cloud services, confirmed to be owned by Wang Duo Yu.  The “wangduoyu\[.\]vip” website was active from 2022 to 2023. 

Wang Duo Yu’s shop website. 

Wang Duo Yu’s shop DNS resolved IPs and active periods of time. 

We observed that Wang Duo Yu offers the toll smishing kit source code for sale and provides services to assist in setting up the whole system. In a forum post, they stated that anyone interested can reach out to their personal Telegram account "@wangduofish". The post also includes hidden content only visible to users with VIP access. 

Wang Duo Yu’s post includes hidden content only visible with VIP access. 

Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels. The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support. The threat actor also offers updated releases for multiple source code versions. The offers on the Telegram channel revealed that the smishing kits and source code primarily target large public-facing entities with a large end-userbase, such as toll road operators, banks and postal services. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

Unraveling the U.S. toll road smishing scams

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft has marked as “critical”.

Tuesday, April 8, 2025 14:53

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. 

In this month's release, none of the included vulnerabilities have been observed by Microsoft to be exploited in the wild. The eleven "critical” entries are all remote code execution (RCE) vulnerabilities, four of which have been marked as "Exploitation more likely". 

Two of the “critical” vulnerabilities listed affect components of the Windows Remote Desktop Services. 

CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in components of the Remote Desktop Gateway Service. Both vulnerabilities were given a CVSS 3.1 score of 8.1. To successfully exploit these an attacker could connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, potentially allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “high”, and exploitation is “More likely”.

CVE-2025-26663 is an RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) and has been given a CVSS 3.1 score of 8.1. This could be exploited by an attacker by sending a specially crafted LDAP call to trigger a use-after-free vulnerability, allowing arbitrary code to be executed in the context of the LDAP service. An attacker could initiate this by sending a victim an email or message containing a malicious link. Microsoft has assessed that exploitation is “more likely” and that the attack complexity is “high”.

CVE-2025-26670 is a RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) Client and has been given a CVSS 3.1 base score of 8.1. An attacker could exploit this vulnerability by sending sequential specially crafted LDAP requests to a vulnerable LDAP server. Successful exploitation would require an attacker to win a race condition, which could result in a use-after-free that would allow for arbitrary code execution. Microsoft states that exploitation of this vulnerability is “More likely” and that the attack complexity is “high”.

CVE-2025-26686 is an RCE vulnerability in Windows TCP/IP and has been given a CVSS 3.1 base score of 7.5. Due to improperly locked memory in Windows TCP/IP, this vulnerability could allow an attacker to execute arbitrary code over a network. To exploit this an attacker must wait for a user to initiate a connection and send a DHCPv6, to which the attacker would reply with a DHCPv6 response containing a fake IPv6 address. Successful exploitation requires the attacker to win a race condition and make several preparations in the target environment beforehand. Due to this complexity Microsoft has determined that exploitation is "Less likely".

CVE-2025-27491 is an RCE vulnerability in Windows Hyper-V and has a CVSS 3.1 base score of 7.1. An attacker with guest privileges on a network could exploit this by convincing a victim to click a link to a malicious site.  Microsoft has determined that exploitation of this vulnerability is “Less likely” and that the attack complexity is “high”.

CVE-2025-29791 is an RCE vulnerability in Microsoft Excel and has a CVSS 3.1 base score of 7.8. An attacker could exploit this by sending a specially crafted document to a victim that triggers a type confusion when opened. Once triggered, the type confusion could lead to arbitrary code execution. Microsoft has assessed that exploitation of this vulnerability is "Less likely".

CVE-2025-27752 is another RCE vulnerability in Microsoft Excel and has a CVSS 3.1 score of 7.8. This is a heap overflow vulnerability and can be exploited by an attacker to locally execute arbitrary code. It has been assessed that exploitation of this vulnerability is considered "Less likely".

CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749 are RCE vulnerabilities in Microsoft Office and all have a CVSS 3.1 base score of 7.8. These could be exploited by an attacker by triggering a use-after-free scenario, allowing for the execution of arbitrary code. Microsoft has determined that exploitation for each is considered "Less likely".

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "More likely":

*   CVE-2025-27472 - Windows Mark of the Web Security Feature Bypass Vulnerability  
    
*   CVE-2025-27727 - Windows Installer Elevation of Privilege Vulnerability  
    
*   CVE-2025-29792 - Microsoft Office Elevation of Privilege Vulnerability  
    
*   CVE-2025-29793 - Microsoft SharePoint Remote Code Execution Vulnerability  
    
*   CVE-2025-29794 - Microsoft SharePoint Remote Code Execution Vulnerability  
    
*   CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability  
    
*   CVE-2025-29812 - DirectX Graphics Kernel Elevation of Privilege Vulnerability  
    
*   CVE-2025-29822 - Microsoft OneNote Security Feature Bypass Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 64432, 64746 - 64757, 64760 - 64762. There are also these Snort 3 rules: 301176 - 301179.

Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities

From Talos' 2024 Year in Review, here are some findings from the top targeted network device  vulnerabilities. We also explore how threat actors are moving away from time sensitive lures in their emails. And finally we reveal the tools that adversaries most heavily utilized last year.

Tuesday, April 8, 2025 06:50

Over the next few weeks, we’re breaking down the most critical sections of our 2024 Year in Review.

This week, we examine the most frequently targeted vulnerabilities—particularly those affecting network infrastructure. We also detail a noticeable shift in adversary behavior, as threat actors move away from time-sensitive lures in phishing campaigns. Finally, we highlight the tools most commonly leveraged by attackers last year and provide guidance on how to detect their presence in your environment.

**Download the** **full report** **for a deeper understanding of these trends and actionable steps to strengthen your defenses.**

Only have 60 seconds? Here's a roundup for you on this topic:

Year in Review: Key vulnerabilities, tools, and shifts in attacker email tactics

Want to know the most notable findings in Talos' Year in Review directly from our report's authors? Watch our two part video series.

Monday, April 7, 2025 09:51

**🎥 Talos Year in Review 2024: Part 1 & 2 – Watch Now!**

Another year, another mountain of malicious telemetry to sift through. I spoke with a few of Talos' Year in Review authors, freshly out of the sandbox, to discuss the how's and why's of our biggest findings.

👉 **Part 1:** The major theme of 2024, top vulnerabilities, email threats and adversary tooling

  
👉 **Part 2:** Ransomware groups, and why we're seeing more identity attacks

Whether you’re here for the hard data or the dry humor, we’ve got you covered. We break down what mattered most in 2024 — and what’s on the radar for 2025.

Download Talos' full 2024 Year in Review today.

Year in Review: In conversation with the report's authors

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

One mighty fine-looking report

In this podcast, Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

Monday, March 31, 2025 07:00

Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

The team also provide insights into some of the topics of the report, including the top-targeted vulnerabilities of the year, network-based attacks, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. 

Listen below:

For the full report, head to blog.talosintelligence.com/2024yearinreview

Beers with Talos: Year in Review episode

Download Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks.

Monday, March 31, 2025 05:53

Welcome to Cisco Talos’ 2024 Year in Review, available for download now. This report is powered by threat telemetry from over 46 million global devices across 193 countries and regions, amounting to more than 886 billion security events per day.  

Explore key insights in topics including the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. With Talos' informed analysis and recommendations, you can strategically prioritize your defenses to stay ahead in 2025. 

**2024's Threat Actor Playbook: Stealth and Simplicity **

This year, cybercriminals leaned heavily on stealth and efficiency, favoring straightforward techniques over complex malware and zero-day exploits. Here's more that stood out: 

*   Identity-based attacks were particularly noteworthy, accounting for 60% of Cisco Talos Incident Response cases. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors. 
*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of cases. They also targeted education entities more than any other sector in 2024, a trend in line with previous years.  
*   Based on Cisco Duo data, identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for nearly a quarter of related incidents.  
*   Threat actor use of AI and machine learning largely fell short of industry projections, with actors relying on these technologies to enhance their techniques rather than aid in the creation of new ones. 

Want some quick insights? Here’s a two-minute overview of key findings: 

**Stay informed **

Download Talos’ 2024 Year in Review today, and bookmark our landing page to access forthcoming exclusive interviews with Talos experts, videos, podcasts and more.

Available now: 2024 Year in Review

Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Friday, March 28, 2025 06:00

*   Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024. 
*   The file names use Russian words related to the movement of troops in Ukraine as a lure. 
*   The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
*   The second stage payload uses DLL side loading to execute the Remcos payload. 
*   Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Phishing campaign using the invasion of Ukraine as a theme **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name 

Translation 

3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk 

3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk 

3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk 

3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk 

3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk 

3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk 

3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk 

3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk 

Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk 

Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk 

ГУР'ЄВ Павло Андрійович.docx.lnk 

GUR'EV Pavlo Andriyevich.docx.lnk 

Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk 

Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk 

Позиции противника запад и юго-запад.xlsx.lnk 

Positions of the enemy west and southwest.xlsx.lnk 

РИБАК Станіслав Вікторович.docx.lnk 

RYBAK Stanislav Viktorovich.docx.lnk 

ШАШИЛО Олександр Віталійович.docx.lnk 

SHASHILO Oleksandr Vitaliyevich.docx.lnk 

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the "Any.run” public sandbox: 

*   https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be 

**Network infrastructure associated with Campaign **

The servers used in this campaign are mostly hosted in two Internet Service Providers (ISP): GTHost and HyperHosting: 

IP 

ASN 

ISP 

146\[.\]185\[.\]233\[.\]96 

63023 

gthost 

146\[.\]185\[.\]233\[.\]101 

63023 

gthost 

146\[.\]185\[.\]239\[.\]45 

63023 

gthost 

80\[.\]66\[.\]79\[.\]91 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]195 

60602 

hyperhosting 

81\[.\]19\[.\]131\[.\]95 

63023 

ispipoceanllc 

80\[.\]66\[.\]79\[.\]159 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]200 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]155 

60602 

hyperhosting 

146\[.\]185\[.\]239\[.\]51 

63023 

gthost 

146\[.\]185\[.\]233\[.\]90 

63023 

gthost 

146\[.\]185\[.\]233\[.\]97 

63023 

gthost 

146\[.\]185\[.\]233\[.\]98 

63023 

gthost 

146\[.\]185\[.\]239\[.\]47 

63023 

gthost 

146\[.\]185\[.\]239\[.\]56 

63023 

gthost 

146\[.\]185\[.\]239\[.\]33 

63023 

gthost 

146\[.\]185\[.\]239\[.\]60 

63023 

gthost 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs show an invalid entry that is quite unique: 

Figure: Reverse DNS resolution for Gamaredon's campaign. Modeled using Crime Mapper (by @UK\_Daniel\_Card) 

While this doesn't necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign: 

**DLL sideloading used to load Remcos backdoor **

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application which in turn loads the malicious DLL via DLL sideloading method. This file is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

*   DefenderUpdate/DPMHelper.exe 
*   DefenderUpdate/DZIPR.exe 
*   DefenderUpdate/IDRBackup.exe 
*   DefenderUpdate/IUService.exe 
*   DefenderUpdate/madHcCtrl.exe 
*   DefenderUpdate/palemoon.exe 
*   Drvx64/Compil32.exe 
*   Drvx64/IsCabView.exe 
*   Drvx64/TiVoDiag.exe 
*   Drvx64/WiseTurbo.exe 
*   SecurityCheck/Mp3tag.exe 
*   SysDrive/AcroBroker.exe 
*   SysDrive/DPMHelper.exe 
*   SysDrive/IsCabView.exe 
*   SysDrive/palemoon.exe 
*   SysDrive/SbieSvc.exe 
*   SysDrive/steamerrorreporter64.exe 
*   SysDrive/TiVoDiag.exe 
*   SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146\[.\]185\[.\]233\[.\]96 on port 6856: 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3:  301171 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.

Thursday, March 27, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of things I learned early on in cyber security is that crime does, in fact, pay. It can pay **very** well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that crypto currency with no questions asked.  

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S and in other countries to inject ill-gotten money into a legitimate banking system where they could access the funds.  

This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.  

1.  **Placement:** You need to get your money into the financial system(s). 
2.  **Layering:** You need to move the money around so it’s harder to trace and to link it to the crime.  
3.  **Integration:** Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.  

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is _fantastic_ for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime If you can’t do anything with it? 

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

**The one big thing **

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails is just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat and mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims. 

**Why do I care? **

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

**So now what? **

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

**Top security headlines of the week **

**Airport outages:** Malaysia PM says country rejected $10 million ransom demand (The Record) 

**Satellites!** I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

**One-click phishing attacks:** Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading) 

**Can’t get enough Talos? **

*   Patch Tuesday was a doozy this time. Check out our blog post here. 
*   Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1, 2025) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
*   Cisco Live U.S. (June 8 – 12, 2022) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**   
MD5: ff1b6bb151cf9f671c929a4cbdb64d86    
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query   
Claimed Product: Endpoint-Collector   
Detection Name: W32.File.MalParent     

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
Typical Filename: VID001.exe    
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0    
Typical Filename: c0dwjdi6a.dll     
Claimed Product: N/A      
Detection Name: Trojan.GenericKD.33515991   

**SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

Source

TALOS