Lexi DiScola shares how her unconventional path led her to global cyber threat analysis and highlights the power of diverse backgrounds on an international team

Wednesday, December 17, 2025 06:00

Welcome back to Humans of Talos. This month, Amy chats with Senior Cyber Threat Analyst Lexi DiScola from the Strategic Analysis team. Lexi’s journey into cybersecurity is anything but traditional — she brings a background in political science and French to her work tracking global cyber threats and collaborating with colleagues across continents.

Tune in as Lexi opens up about finding her place in cybersecurity, the unique strengths that come from a non-technical path, and the joys (and challenges) of balancing complex intel analysis with a towering stack of books to be read (TBR) at home.

**Amy Ciminnisi: Can you introduce yourself? What do you do here at Talos? What team do you work on, and what does your day-to-day look like?**

Lexi DiScola: Sure. I’m on the strategic analysis team here at Talos. I joined about three years ago. What my team does is a whole bunch of things, really, but we focus on tracking and analyzing major trends in the cyber threat landscape. We maintain intelligence sharing relationships with a bunch of private sector and government partners. We conduct regular threat hunting activity in our telemetry and support the Talos Incident Response team. My favorite part is producing written analytical products — logs, intelligence bulletins, threat assessment reports, and our annual Year in Review report, which we just started working on. We’ve kicked into high gear, prepping for the year in review, taking all the data we’ve accumulated and seeing what we can pull out of it. It sounds like a headache to some people, but for us, it’s fun, so we’re looking forward to it.

**AC: What made you want to join Talos, and when did you join?**

LD: I joined about three years ago this fall. I worked in cyber threat intelligence in a government position before. Because of that experience, I was always aware of Talos’s reputation in this space. When I was looking to shift to the private sector from the government, I knew I’d be working with some of the best of the best here. I knew I wouldn’t be stagnant if I came here. That was my focus in a new position — I always want to be learning and working toward something.

**AC: What are your favorite resources for staying up to date with current trends in cybersecurity?**

LD: There are multiple sources I look at. OSINT, or open-source intelligence, is a huge tool, especially when focusing on specific countries or nation-state actors. Looking at their local reporting and translating it is super helpful, and looking at competitors’ or cybersecurity researchers’ reporting is also useful. But I really rely on the people I work with. Talos has so many talented people who are always willing to help. At first, I was hesitant to ask questions, but as I got to know people better, I stopped feeling embarrassed. It’s a two-way street. You might feel awkward asking for help, but down the road, they may ask you for help with something you’re an expert in. Asking people and not being afraid or embarrassed has served me well.

_Want to see more? Watch the_ _full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos._

Lexi DiScola’s guide to global teamwork and overflowing TBRs

Hazel embarks on a creative fitness journey, virtually crossing Middle-earth via The Conqueror app while sharing key cybersecurity insights.

Thursday, December 11, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.  

_“It’s a dangerous business, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.” — Bilbo Baggins_ 

It’s almost the end of the year, which feels like the perfect time to start an epic quest. 

So, Middle-earth. I’m walking across it. Not with the intention of destroying the One Ring, but to increase my daily step count in the nerdiest way possible. 

As I suspect is the origin story for most quests these days, my journey began by downloading an app.

It’s called “The Conqueror.” There are many different distances you can choose from, but I chose Middle-earth because I’m that person who watched all the behind-the-scenes footage from Peter Jackson’s _Lord of the Rings_ extended edition box set and physically shed tears because I wasn’t there. 

Heeding Bilbo’s warnings about roads, I’m using a treadmill. After receiving my official race bib (#199574), I hopped on and muttered under my breath, “So it begins.”

So far, I’ve passed Bag End, South Farthing, Woody End, Maggot’s Farm, and I’m currently doing a stopover at Buckleberry Ferry. That’s 130km (55% of the Shire) done. Only 120km until Bree, where I can rest up with a pint at The Prancing Pony. And a mere 2,787km to go until I get to Mount Doom. If only Frodo hadn’t taken so many detours… 

I’ve been rewarded at each milestone with postcards full of extremely nerdy facts about the landscape. And because of The Conqueror’s partnership with an ocean clean-up charity, I’ve also “saved” 20 plastic bottles from entering the sea, which feels very cool to have accomplished while never leaving the house.

It’s a strange, delightful journey: half fitness plan, half fantasy pilgrimage. And it got me thinking about the value of knowing your destination.

Oftentimes when I’m speaking to defenders, one of their main challenges is “I’m struggling to do all the things, all the time.” When everything gets a bit overwhelming, and threats either shift unpredictably or circle back to tactics we thought we’d left behind, it’s easy to lose your sense of direction and say, “What are we doing this for again?”

That’s what I’ve come to like about this quest across Middle-earth: there’s a destination, and there are milestones. Mount Doom is a f\*\*\*\*\*g long way from Buckleberry Ferry. But I like just knowing the next marker even if I can’t yet see the (Bag)end.

As you’re making plans for next year, it might be worth using that idea: Where are you heading? What are the things you’re doing right now are actually helping you get there? Which detours/madness will lead you into Fangorn Forest? 

If in doubt, follow your nose.

**The one big thing **

While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files.  

**Why do I care? **

There’s a few things that the threat actor does as part of this campaign to make recovery for victims more complicated. First, they use the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. Also, the custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques. 

**So now what? **

The Talos blog has a full breakdown of the attack, including the new TTPs, attempts at lateral movement, the ways the actor attempts to impair defenses, and the encryption process. Snort SIDs for the threats are: 65576, 65575 and 301358. ClamAV detections are also available for this threat:

*   Win.Tool.EDRKiller-10058432-0  
*   Win.Tool.VulnBaiduDriver-10058431-1  
*   Ps.Tool.DeleteShadowCopies-10058429-0  
*   Win.Ransomware.Deadlock-10058428-0

**Top security headlines of the week  **

**Chinese hackers are using “stealthy and resilient” Brickstorm malware to target VMware servers**   
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks. (ITPro) 

**Critical Apache Tika vulnerability leads to XXE injection**   
A critical-severity vulnerability in the Apache Tika open source analysis toolkit could allow attackers to perform XML External Entity (XXE) injection attacks. (Security Week) 

**Zero-click agentic browser attack can delete entire Google Drive using crafted emails**   
A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents. (The Hacker News) 

**Can’t get enough Talos? **

**Spy vs. spy: How GenAI is powering defenders and attackers**   
Nick Biasini provides an update on how Talos is seeing threat actors currently use genAI, and how defenders can use it as a force multiplier. 

**Microsoft Patch Tuesday for December 2025**   
The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**   
MD5: 1f7e01a3355b52cbc92c908a61abf643   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a   
Example Filename: cleanup.bat   
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218**   
MD5: a1f4931992bf05e9bff4b173c15cab15   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218   
Example Filename: a1f4931992bf05e9bff4b173c15cab15.exe   
Detection Name: Auto.1EC343.272247.in02

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**   
MD5: aac3165ece2959f39ff98334618d10d9   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59   
Example Filename: ck8yh2og.dll   
Detection Name: Auto.90B145.282358.in02

One newsletter to rule them all

The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the two “critical” vulnerabilities is “less likely.”

Tuesday, December 9, 2025 18:29

The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the two “critical” vulnerabilities is “less likely.” 

CVE‑2025‑62562 is a Microsoft Outlook remote code execution vulnerability. Although it involves a use after free in Microsoft Office Outlook to allow an unauthorized attacker to execute code locally, an attacker would still need to send a malicious email and persuade the user to reply to it for the exploit to work.  

CVE-2025-62553, CVE-2025-62554, CVE-2025-62556 and CVE-2025-62557 are Microsoft Office Remote Code Execution Vulnerability. An attacker can access resources using incompatible type ('type confusion') or use after free or untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally. Despite some of them being considered “critical”, the successful exploitation of this vulnerability requires an attacker to execute exploit code from the local machine to exploit the vulnerability. 

CVE-2025-62456 is a Remote Code Execution Vulnerability in Windows Resilient File System (ReFS). The vulnerability is based on heap-based buffer overflow in Windows Resilient File System (ReFS) that allows an authorized attacker to execute code over a network. Although the vulnerability has high CVSS scores, Microsoft has assessed that this exploitation in the wild is unlikely. 

CVE-2025-62549 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. An attacker could exploit this vulnerability by deceiving a user to send a request to a malicious server. The malicious server could then respond with crafted data that may lead to arbitrary code execution on the user's system. However, exploitation of this vulnerability requires user interaction, meaning the attacker must wait for the user to initiate a connection to the malicious server set up by the attacker before the exploit can occur. This dependency on user action increases the complexity of a successful attack. 

CVE‑2025‑62565 and CVE‑2025‑64661 are Windows Shell elevation‑of‑privilege vulnerabilities. They involve issues such as use after free or concurrent execution using shared resources with improper synchronization ('race condition') in Windows Shell which could allow a local authorized attacker to gain higher privileges on the system. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2025-62454 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
*   CVE-2025-62458 - Win32k Elevation of Privilege Vulnerability 
*   CVE-2025-62470 - Windows Common Log File System Driver Elevation of Privilege Vulnerability 
*   CVE-2025-62472 - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability 
*   CVE-2025-59516 and CVE-2025-59517\- Windows Storage VSP Driver Elevation of Privilege Vulnerability 
*   CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 62486, 62487, 65555-65562, 65571-65574. There are also these Snort 3 rules: 300719, 301351-301354, 301356, 301357.

Microsoft Patch Tuesday for December 2025 — Snort rules and prominent vulnerabilities

Cisco Talos has uncovered a new DeadLock ransomware campaign using a previously unknown BYOVD loader to exploit a Baidu Antivirus driver vulnerability, letting threat actors disable EDR defenses and escalate attacks.

New BYOVD loader behind DeadLock ransomware attack

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed an out-of-bounds read vulnerability in PDF XChange Editor, and ten vulnerabilities in Socomec DIRIS Digiware M series and Easy Config products.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco&

Thursday, December 4, 2025 15:23

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed an out-of-bounds read vulnerability in PDF XChange Editor, and ten vulnerabilities in Socomec DIRIS Digiware M series and Easy Config products.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****PDF XChange vulnerabilities****

_Discovered by KPC of Cisco Talos._

PDF XChange Editor is freemium software used to create, edit, digitally sign, and otherwise handle PDF files. Talos discovered TALOS-2025-2280 (CVE-2025-58113), an out-of-bounds read vulnerability in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

****Socomec vulnerabilities****

_Discovered by Kelly Patterson of Cisco Talos._

Talos discovered nine vulnerabilities in the Socomec DIRIS Digiware M-70 version 1.6.9. DIRIS Digiware M series are multifunction communication gateways that act as a point of access to Digiware systems, combining power supply and communication control monitoring. 

One disclosed vulnerability is also in the Socomec Easy Config System. This software is used to configure and monitor Socomec power monitoring and control equipment. 

**Socomec DIRIS Digiware M Series**

TALOS-2024-2115 (CVE-2024-48894) is a cleartext transmission vulnerability. Specially crafted HTTP requests can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

TALOS-2024-2116 (CVE-2024-53684) is a cross-site request forgery. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability.

TALOS-2024-2118 (CVE-2024-49572) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2024-2119 (CVE-2024-48882) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2138 (CVE-2025-20085) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2139 (CVE-2025-23417) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2248 (CVE-2025-54848-CVE-2025-54851) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP functionalities. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

TALOS-2025-2251 (CVE-2025-55221-CVE-2025-55222) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP USB Function functionalities. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2152 (CVE-2025-26858) is a buffer overflow vulnerability in the Modbus TCP functionality. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

**Socomec Easy Config System**

TALOS-2024-2117 (CVE-2024-45370) is an authentication bypass vulnerability in the User profile management functionality. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities

Bill explores how our biggest mistakes can be the catalysts for growth that we need. This week’s newsletter promises stories, lessons, and a fresh perspective on failure.

Thursday, December 4, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

_“They say that a person’s personality is the sum of their experiences. But that isn’t true, at least not entirely, because if our past was all that defined us, we’d never be able to put up with ourselves. We need to be allowed to convince ourselves that we’re more than the mistakes we made yesterday. That we are all of our next choices, too, all of our tomorrows.” ― Fredrik Backman_ 

It’s December, so ‘tis the season to enjoy the onslaught that is a reflection of your year. Here there be tygers... and Spotify Wrapped,  Goodreads Year in Books, Duolingo Year in Review, and... and...  

This is the perfect opportunity to reflect on the defining moments of your career in information security. I can predict, without fail, your defining moment. No matter the length of that career and no matter the breadth and depth of your knowledge, I can assure you that the defining moment is not when you flexed your expertise, but rather when you made the most impactful mistake you can make in your given role at the time. 

Ask any practitioner for a success story and it’s a struggle — partially because they aren’t that memorable and partially because it stokes the imposter syndrome fire to five-alarm bonfire levels. Ask the same practitioner for examples of huge mistakes or failures and get ready for never-ending stories. The best part about that is that not only are those stories wildly entertaining, they are also incredibly instructive. Not only have I learned the most in my career BY FAR from my mistakes, but I’ve learned a lot from the mistakes of my peers and friends. They just seem to make them less often, which is really infuriating (and there goes my imposter syndrome). 

So, take a second to look back on the biggest mistakes in 2025 and in your career. Go on, open your Notes app (after finishing this fantastic newsletter, of course). Then pull up a stump, take some time in one of the big team get-togethers that are so common during this time of year, and share. You’ll entertain, you’ll teach, you’ll connect, and you’ll learn from your peers who will jump in to share the bizarre and hilarious missteps that led them to their current job. 

_"I've missed more than 9,000 shots in my career. I've lost almost 300 games. 26 times I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." — Michael Jordan_ 

**The one big thing**

Cisco Talos released a blog exploring how generative AI (GenAI) is changing cybersecurity for both attackers and defenders. Adversaries are using GenAI for coding, phishing, evasion, and vulnerability discovery, especially as uncensored models become more widely available. While GenAI’s direct role in malware is still limited, its use in social engineering and vulnerability hunting is quickly growing. For defenders, GenAI provides powerful tools to process large amounts of threat data, respond to incidents faster, and proactively find code vulnerabilities. 

**Why do I care?**

GenAI is lowering the barrier for adversaries to launch sophisticated attacks and discover new vulnerabilities, making threats more dynamic and harder to predict. At the same time, defenders who harness GenAI effectively can level the playing field. GenAI can help defenders overcome issues created by analyst shortages and overwhelming data volumes, gaining the edge in detection and response. 

**So now what?**

Now’s the time for security teams to start experimenting with GenAI in their daily work — think threat detection, incident response, and reviewing code for vulnerabilities. It’s also important to get comfortable with these tools and train teams so everyone knows how to use them wisely. As GenAI keeps evolving, staying flexible and combining smart automation with human expertise will be key to staying secure.

**Top security headlines of the week **

**Police disrupt “Cryptomixer,” seize millions in crypto**   
Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities. (Dark Reading) 

**Malicious Rust crate delivers OS-specific malware to Web3 developer systems**   
Researchers have discovered a malicious Rust package that features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. (The Hacker News) 

**Chrome, Edge extensions caught tracking users, creating backdoors**   
A threat actor published over one hundred extensions, which were seen profiling users, reading cookie data to create unique identifiers, and executing payloads with browser API access. (SecurityWeek) 

**CISA warns of ScadaBR vulnerability after hacktivist ICS attack**   
CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with an old “OpenPLC ScadaBR” flaw that was recently leveraged by hackers to deface a honeypot they believed to be an industrial control system (ICS). (SecurityWeek) 

**New legislation targets scammers that use AI to deceive**   
Following a rash of AI-assisted impersonations of U.S. officials, the bill would raise the financial and criminal penalties around using the technology to defraud. (CyberScoop)

**Can’t get enough Talos? **

**Ranksgiving Returns: The Appetizer Uprising**  
Guess who’s back? Hazel, Bill and Joe welcome back fresh-from-parental-leave Dave Liebenberg, who has returned with a new baby and some truly chaotic Thanksgiving opinions.

**Cisco Talos Incident Response: Threat Hunting at GovWare 2025**   
Yuri Kramarz goes behind the scenes of the Security Operations Centre (SOC) at the GovWare Conference and Exhibition in Singapore, which Talos IR supported for the first time this year.

**Talos Takes: When you’re told “no budget”**   
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn.

**Upcoming events where you can find Talos **

*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 
*   Black Hat Europe (Dec. 8 – 11) London, U.K. 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename: ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: ~6325.tmp   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Example Filename: g77wokon.html    
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG

Your year-end infosec wrapped

Generative AI is rapidly transforming cybersecurity for both defenders and attackers. This blog highlights current uses, emerging threats, and the evolving landscape as capabilities advance.

Thursday, December 4, 2025 06:00

*   Generative AI (GenAI) is reshaping cybersecurity for both attackers and defenders, but its future capabilities are difficult to measure as techniques and models are evolving rapidly.
*   Adversaries continue to use GenAI with varying levels of reliance. State-sponsored groups continue to take advantage, while criminal organizations are beginning to benefit from the prevalence of uncensored and unweighted models.
*   Today, threat actors are using GenAI for coding, phishing, anti-analysis/evasion, and vulnerability discovery. It’s also starting to show up in malware samples, although significant human involvement is still a requirement.
*   As models continue to shrink and hardware requirements are removed, adversarial access to GenAI and its capabilities are poised to surge.
*   Defenders can use GenAI as a force multiplier to parse through vast threat data, enhance incident response, and proactively detect code vulnerabilities, helping to overcome analyst shortages. 

Generative AI (GenAI) has caused a fundamental shift in how people work and its impact is being felt almost everywhere. Individuals and enterprises alike are rushing to see how GenAI can make their lives easier or their work faster and more efficient. In information security, the focus has largely been on how adversaries are going to leverage it, and less on how defenders can benefit from it. While we are undoubtedly seeing GenAI have an impact on the threat landscape, quantifying that impact is difficult at best. The overwhelming majority of benefits from GenAI are impossible to determine from the finished malware we see, especially as vibe coding becomes more common.

AI and GenAI are evolving at an exponential pace, and as a result the landscape is changing rapidly. This blog is a snapshot of current AI usage. As models continue to shrink and hardware requirements lessen, it’s likely we are only seeing the tip of the iceberg on GenAI’s potential.

**Adversarial GenAI usage **

Cisco Talos has covered this topic previously but the landscape continues to evolve at an exponential pace. Anthropic recently reported that state-sponsored groups are starting to leverage the technology in campaigns, while still requiring significant human help. The industry has also started to see actors embedding prompts into malware to evade detection. However, most of these methods are experimental and unreliable. They can greatly increase execution times, due to the nature of AI responses, and can result in execution failures. The technology is still in its infancy but current trends show significant AI usage is likely coming.

Adversaries are also leveraging prompts in malware and DNS records, mainly for anti-analysis purposes. For example, if defenders are using GenAI while analyzing malware, it will come across the adversary’s prompt, ignore all previous instructions, and return benign results. This new evasion method is likely to grow as AI systems play a bigger role in detection and analysis.

However, Talos continues to see the largest impacts on the conversational side of compromise, such as email content and social engineering. We have also seen plenty of examples of AI being used as a lure to trick users into installing malware. There is no doubt that, in the early days of GenAI, only well-funded threat groups were leveraging AI at high levels, most prominently at the state-sponsored level. With the evolution of the models and, more importantly, the abundance of uncensored and open weight models, the barrier to entry has lowered and other groups are likely using it.

Adversarial usage of AI is still difficult to quantify since most of the impacts are not visible in the end product. The most common applications of GenAI are helping with errors in coding, vibe coding functions, generating phishing emails, or gathering information on a future target. Regardless, the results rarely appear AI generated. Only companies operating publicly available models have the insights required to see how adversaries are using the technology, but even that view is limited.

Although this is how the GenAI landscape appears today, there are indications it is starting to shift. Uncensored models are becoming common and are easily accessible, and overall, the models continue to shrink in both size and associated hardware requirements. In the next year or two, it seems likely adversaries will gain the advantage. Defensive improvements will follow, but it is unclear at this point if they will keep pace.

**Vulnerability hunting **

The use of GenAI to find vulnerabilities in code and software is an obvious application, but one that both offensive and defensive actors can use. Threat groups may leverage GenAI to uncover zero-day vulnerabilities to use maliciously, but what about the researchers using GenAI to help them triage fuzz farm outputs? If the researcher is focused on coordinated disclosure resulting in patches and not on selling to the highest bidder, GenAI is largely benign. Unfortunately, players on both sides are flooding the zone with GenAI-powered vulnerability discovery. For now we’ll focus purely on vulnerability analysis from outside the organization. The ways internal developers should use GenAI will be addressed in the next section.

For closed-source software, fuzzing is key for vulnerability disclosure. For open-source software, however, GenAI can perform deep public code reviews and find vulnerabilities, both in coordination with vendors or to be sold on the black market. As lightweight and specialized models continue to appear over the next few years, this aspect of vulnerability hunting is likely to surge.

Regardless of the end goal, vulnerability hunting is an effective and attractive GenAI application. Most modern applications have hundreds of thousands — if not millions — of lines of code and analyzing it can be a daunting task. This task is complicated by the barrage of enhancements and updates made to products during their lifetime. Every code change introduces risk and GenAI might currently be the best option to mitigate it. 

**Enterprise security applications of GenAI **

On the positive side of technology, there is incredible research and innovation underway. One of the biggest challenges in information security is an astronomical volume of data, without enough analysts available to process it. This is where GenAI shines.

The amount of threat intelligence being generated is huge. Historically, there were a handful of vendors producing high-value threat intelligence reporting. That number is likely in the hundreds now. The result is massive amounts of data covering a staggering amount of activity. This is an ideal application for GenAI: Let it parse through the data, pull out what’s important, and help block indicators across your defensive portfolio.

Additionally, when you are in the middle of an incident and have reams of logs to correlate the attack and its impact, GenAI could be a huge advantage. Instead of spending hours poring over the logs, GenAI should be able to quickly and easily identify things like attempted lateral movement, exploitation, and initial access. It might not be a perfect source but will likely point responders to logs that should be further investigated. This allows responders to quickly focus on key points in the timeline and hopefully help mitigate the ongoing damage.

From a proactive perspective, there are a couple of areas where GenAI will benefit defenders. One of the first places an organization should look to implement GenAI is on analyzing committed code. No developer is perfect and humans make mistakes. Sometimes these mistakes can lead to huge incidents and millions or billions of dollars in damages.

Every time code is committed there is a risk that a vulnerability has been introduced. Leveraging GenAI to analyze each commit before they are applied can mitigate some of this risk. Since the LLM will have access to source code, it can more easily spot common mistakes that often result in vulnerabilities. While it may not detect complex attack chains involving chaining together low to medium severity bugs that could achieve remote code execution (RCE), it can still find the obvious mistakes that sometimes evade code reviews.

Red teamers can also utilize GenAI to streamline activities. By using AI to hunt for and exploit vulnerabilities or weaknesses in security posture, they can operate more efficiently. GenAI can provide  starting points to jump start their research, allowing for faster prototyping and ultimately success or failure.

Talos has already covered how Model Context Protocol (MCP) servers can be leveraged to help in reverse engineering and malware analysis, but this only scratches the surface. MCP servers connect a wide array of applications and datasets to GenAI, providing structured assistance for a variety of tasks. There are countless applications for MCP servers, and we are starting to see more flexible plugins that allow a variety of applications and data sets be accessed via a single plug-in. When combined with agentic AI, this could allow for huge leaps in productivity. MCP servers were also part of the technology stack used by state sponsored adversaries in the abuse covered by Anthropic. 

**Agentic AI’s impact **

The meteoric rise of agentic AI will undoubtedly have an impact on the threat landscape. With agentic AI, adversaries could deploy agents constantly working to compromise new victims, setting up a pipeline for ransomware cartels. They could build agents focused on finding vulnerabilities in new commits to open-source projects or fuzzing various applications while triaging the findings. State-sponsored groups could task agents, who never need a break to eat or sleep, with breaking into high value targets, allowing them to hack until they find a way in, and constantly monitor for changes in attack surface or introduction of new systems.

On the other hand, defenders can use agentic AI as a force multiplier. Now you have some extra analysts that are looking for the slow and low attacks that might slip under your radar. Maybe an agent is tasked with watching windows logs for indications of compromise, lateral movement, and data exfiltration. Yet another agent can monitor the security of your endpoints and flag systems that are at higher risk of compromise due to improper access controls, incomplete patching, or other security concerns. Agents can even protect users from phishing or spam emails, or accidentally clicking on malicious links.

**In the end, it all comes down to people **

There is one key resource that underpins all of these capabilities: humans. Ultimately, GenAI can complete tasks efficiently and effectively, but only for those that understand the underlying technology. Developers who understand code can use GenAI to increase throughput without sacrificing quality. In contrast, non-experts may struggle to use GenAI tools effectively, producing code they can’t understand or maintain.

Even Anthropic’s recent reporting notes that AI agents still require human assistance to carry out the attacks. The lesson is clear: People with the knowledge can do incredible things with GenAI and those without can accomplish a lot, but the true greatness of GenAI will only be available to those with the underlying knowledge to know what is right and possible with this new and emerging technology.

Spy vs. spy: How GenAI is powering defenders and attackers

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr'ouvert Lasso, and one vulnerability in GL.iNet Slate AX.
The vulnerabilities mentioned in this blog post have been patched by their respective

Wednesday, November 26, 2025 13:36

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr'ouvert Lasso, and one vulnerability in GL.iNet Slate AX.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Dell vulnerabilities****

_Discovered by Philippe Laulheret of Cisco Talos._

The Dell ControlVault is a hardware-based security solution designed for user authentication functions. Talos reported five vulnerabilities, as follows:

*   TALOS-2025-2173 (CVE-2025-31649) is a hard-coded password vulnerability. A specially crafted ControlVault API call can lead to an execution of privileged operation.
*   TALOS-2025-2174 (CVE-2025-31361) is a privilege escalation vulnerability. A specially crafted WinBioControlUnit API call can lead to privilege escalation.
*   TALOS-2025-2175 (CVE-2025-36460-CVE-2025-36463) covers multiple out-of-bounds read and write vulnerabilities. A specially crafted WinBioControlUnit API call can lead to memory corruption.
*   TALOS-2025-2188 (CVE-2025-32089) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to an arbitrary code execution.
*   TALOS-2025-2189 (CVE-2025-36553) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to memory corruption.

****Entr'ouvert Lasso vulnerabilities****

_Discovered by Keane O'Kelley and another member of Cisco Advanced Security Initiative Group._

Lasso is a free (GNU General Public License) C library that defines processes for federated identities, single sign-on, and related protocols.

TALOS-2025-2193 (CVE-2025-47151) is a type confusion vulnerability, where a specially crafted SAML response can lead to an arbitrary code execution.

TALOS-2025-2194 (CVE-2025-46404), TALOS-2025-2195 (CVE-2025-46784), and TALOS-2025-2196 (CVE-2025-46705) are denial of service vulnerabilities. Specially crafted SAML responses can lead to a denial of service in all three cases.

****GL.iNet Slate AX vulnerability****

_Discovered by Lilith >\_> of Cisco Talos._

Slate AX (GL-AXT1800) is a Wi-Fi 6GB travel router. Cisco Talos discovered a firmware downgrade vulnerability, TALOS-2025-2230 (CVE-2025-44018), in the OTA Update functionality. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Dell ControlVault, Lasso, GL.iNet vulnerabilities

This holiday season, as teams run lean and cyber threats rise, being open with what — and how — you share can protect both information and relationships.

Wednesday, November 26, 2025 12:00

Welcome to this week's edition of the Threat Source newsletter.

Back in April, I wrote about the risks of unintentionally leaking information while using search engines. Since then, I’ve been thinking: Life doesn’t just happen in front of a keyboard. There’s a social side, too (or so I’m told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care _that_ you share. 

For my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, NIS2 and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures. 

So, why emphasize “care that you share?” 

Recently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats and the DKIW pyramid were, and then focusing on CVE, CVSS, and KEV — one of my favorite topic clusters. 

To my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don’t remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects — many centered on authentication, TOTP, and SmartCards — I was genuinely impressed by their ideas and the real-world problems they were addressing. 

“Care that you share” is a mindset that helps us appreciate the knowledge exchange that happens in person, too. 

Whether sharing stories over dinner, IOCs over email, or ideas in a classroom, let’s all take a moment to consider not just what we share, but how and why we share it. I’ll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives. 

This rings especially true during busy or understaffed times, when teams are stretched thin. It’s tempting to keep things to ourselves to avoid “bothering” others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context. 

So this holiday season, care that you share. Thoughtful communication isn’t just about protecting information — it’s also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included. 

**The one big thing **

Last week, Cisco Talos announced an initiative to retire outdated ClamAV signatures to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the “main.cvd” and “daily.cvd” databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management. 

**Why do I care? **

Smaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures. 

**So now what? **

We will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes. 

**Top security headlines of the week **

**Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft**   
The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (The Hacker News) 

**FBI: Cybercriminals stole $262M by impersonating bank support teams**    
Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (Bleeping Computer) 

**Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft**   
The group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (HackRead) 

**CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users**   
CISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (The Hacker News) 

**LINE messaging bugs open Asian users to cyber espionage**   
Researchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (Dark Reading) 

**Can’t get enough Talos? **

**Talos Takes: When you’re told “no budget”**   
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn. 

**Humans of Talos: On epic reads, lifelong learning, and empathy**    
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals. 

**The TTP: How Talos built an AI model into one of the internet's most abused layers**   
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet. 

**Upcoming events where you can find Talos **

*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 
*   Black Hat Europe (Dec. 8 – 11) London, U.K. 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**   
MD5: 1f7e01a3355b52cbc92c908a61abf643   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a   
Example Filename: cleanup.bat   
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**   
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59    
Example Filename: ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff**    
MD5: 71da0bf3094e3ed17bc5a1c78de80933    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff    
Example Filename: cleanup.bat    
Detection Name: W32.26FA67DB9A-90.SBX.TG

Care that you share

Martin muses on how agentic AI is bringing efficiency improvements to the business of cyber crime.

Thursday, November 20, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This week, we explore how advances in agentic AI are rapidly transforming the cyber crime business. 

Agentic AI programming gives AI agents autonomy, allowing them to interact with external systems to collect information, make decisions with the help of a generative AI system, and then effect changes in the external environment. The activity takes place through various APIs according to the instructions provided to the agent and in the context of a defined workflow.  

The advantage for human operators is that these systems can efficiently execute routine activities that would otherwise require accessing multiple systems. Essentially, the AI agent acts as a trusted assistant who is able to get on with things with minimal supervision while the human operator can focus on other things. 

As this approach brings advantages to the legitimate economy, so it brings similar efficiencies to the cyber crime economy. More recently, the publication of the discovery of the first AI-orchestrated cyber campaign should give us pause. It signals a new era for cybersecurity teams. 

We’re entering a time when we can expect to see much experimentation and innovation with AI in both the legitimate and cyber crime economies. AI can act as a force enabler, making tasks easier and faster to perform. Similarly, AI can lower barriers to entry, allowing lower skilled actors to perform tasks that they lack the skills to perform. While AI does not bring new capabilities, it can make existing capabilities easier to execute. However, AI systems still require skillful instruction and supervision. 

AI is not infallible, it gets things wrong, and it is prone to inventing nonsense. When it does go off the rails, a human needs to step in and resolve the situation. This is not necessarily easy to do and may prove tricky for low-skilled threat actors. 

Don’t be discouraged: We can also leverage these developments to our advantage. Defensive teams can write their own agentic systems to find and fix weaknesses in their own systems before malicious actors identify them. We can deploy honeypot systems designed to be found by malicious AI systems, engage with them and tie up their resources. 

The threat landscape has never been static. While AI does make some tasks more accessible to threat actors, it is a double-edged sword and also brings opportunities to defenders.

**The one big thing **

Cisco Talos has introduced new features for Snort3 users within Cisco Secure Firewall. A new "Severity" rule group allows you to organize detection rules by CVSS-based vulnerability severity (low, medium, high, critical). This allows teams to better prioritize and manage rules according to risk and urgency. You can also select rules based on vulnerability age (e.g., last 2, 5, or 10 years). 

**Why do I care? **

This update allows you greater flexibility and control. It makes it simpler to maintain consistent, targeted detection coverage, whether you’re running large, distributed networks or smaller environments with tailored security priorities. 

**So now what? **

Review your current Snort3 rule configurations in Cisco Secure Firewall and consider adopting the new Severity and time-based grouping features. By tailoring rule sets to your organization’s specific risk tolerance and patching cycles, you can optimize detection coverage, streamline management, and better protect your environments.

**Top security headlines of the week **

**Critical** **railway** **braking** **systems** **open to** **tampering**   
Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. (Dark Reading) 

**EchoGram** **flaw bypasses guardrails in major LLMs**   
A flaw discovered in early 2025 and dubbed EchoGram allows simple, specially chosen words or code sequences to completely trick the automated defences, or guardrails, meant to keep the AI safe. (HackRead) 

**Over 67,000 fake** **npm** **packages flood registry in worm-like spam attack**    
The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods Worm. The bogus packages masquerade as Next.js projects. (The Hacker News) 

**Cornerstone Staffing ransomware attack leaks 120,000 resumes, claims** **Qilin** **gang**   
The notorious Qilin gang posted the industry-leading recruitment agency on its dark leak blog last Thursday. The group claims to have exfiltrated 300GB of sensitive information from Cornerstone. (Cybernews) 

**Surveillance tech provider** **Protei** **was hacked, its data stolen, and its website defaced**   
It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8 and restored soon after. (TechCrunch)

**Can’t get enough Talos? **

**The TTP: How Talos built an AI model into one of the internet's most abused layers**   
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet). 

**Humans of Talos: On epic reads, lifelong learning, and empathy**   
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.

**Unleashing the Kraken ransomware group**   
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.

**Upcoming events where you can find Talos **

*   DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**    
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59   
Example Filename: ck8yh2og.dll    
Detection Name: Auto.90B145.282358.in02 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe   
Example Filename: f\_0008d7.html    
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg