Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses.

Thursday, July 17, 2025 06:00

*   In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. 
*   The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.  
*   Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. 
*   The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.

In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.  

During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.

Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.

**MaaS operation leverages GitHub public repositories **

MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign. 

This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey. 

**Emmenhtal and Amadey **

The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.  

Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.  

Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader. 

Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat. 

**GitHub as an open directory **

During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins: 

*   Legendary99999 
*   DFfe9ewf 
*   Milidmdds 

In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic. 

Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.

****Legendary999999** **

“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:

Figure 1. Legendary99999 GitHub account overview.

The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:

https://github.com/\[account\_name\]/\[repository\_name\]/releases/download/\[release\_name\]/\[file\_name\]

Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above. 

Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.

Malware Types Hosted in Repositories 

****DFfe9ewf****

“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.

Figure 2. DFfe9ewf GitHub account overview.

While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.

“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.

The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim's machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data. 

While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.

****Milidmdds****

The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.

Figure 3. Milidmdds GitHub account overview.

**Emmenhtal similarities between activity clusters **

Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called: 

*   Work.js 
*   Workhmv.js 
*   Putikatest.js 

Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity. 

The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below. 

The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.

Figure 4. First layer of obfuscation, Sample 1 (left) vs, Sample 2 (right).

Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:

Figure 5. Second layer of obfuscation, Sample 1 (left) vs. Sample 2 (right).

The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).

Figure 6. Initial PowerShell command, Sample 1 (left) vs. Sample 2 (right).

The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including: 

*   Amadey 
*   A legitimate copy of PuTTY.exe 
*   AsyncRAT 

The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.

Examples of the final decrypted PowerShell downloader are shown below.

Figure 7. Final PowerShell script, Sample 1 (left, SmokeLoader download) vs. Sample 2 (right, Amadey download).

Figure 8. Final PowerShell script, PuTTY download (left) vs. AsyncRAT download (right).

**MP4 file variants **

During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane\[.\]com: 

*   pivqmane\[.\]com/testonload\[.\]mp4/ 
*   pivqmane\[.\]com/doc/fb\[.\]mp4 

Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.

**Purpose-built variant: “Checkbalance.py” **

Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign. 

In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.

Figure 9. Checkbalance.py.

The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.

Figure 10. Initial PowerShell command, Checkbalance.py.

The final PowerShell command downloads the Amadey payload from the IP address “185\[.\]215\[.\]113\[.\]16” as a file labeled “amnew.exe”.  The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository. 

After execution, this payload contacts “hxxp://185\[.\]215\[.\]113\[.\]43/Zu7JuNko/index.php”, a known Amadey C2 address.

Figure 11. Final PowerShell script, Checkbalance.py.

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

**Indicators of compromise (IOCs) **

IOCs for this threat can be found on our GitHub repository here. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

The decision between immediate action and delayed response made the difference between ransomware prevention and complete encryption in these two real-world Talos IR engagements.

Talos IR ransomware engagements and the significance of timeliness in incident response

Thorsten takes stock of a rapidly evolving vulnerability landscape: record-setting CVE publication rates, the growing fragmentation of reporting systems, and why consistent tracking and patching remain critical as we move through 2025.

Thursday, July 10, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

**The one big thing **

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

**Why do I care? **

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

**So now what? **

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Security Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

**Top security headlines of the week **

**Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage**  
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer) 

**Jailbreaking AI with information overload**   
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media) 

**SatanLock is shutting down**  
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading) 

**Ingram Micro scrambling to restore systems after ransomware attack**  
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage over its services, and they were forced to take certain systems offline on Friday afternoon, in response to the incident. (SecurityWeek) 

**Malicious Chrome extensions with 1.7M installs found on Web Store**  
Malicious extensions with 1.7 million downloads in Google's Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

**Can’t get enough Talos? **

**Scams, jailbreaks and poetic justice**  
In this episode of the TTP, Hazel Burton sits down with Talos' Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

**Vulnerability Roundup**  
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

**PDFs: Portable documents, or perfect deliveries for phish?**   
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

**Beers with Talos: Terms and conceptions may apply**   
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Patch, track, repeat

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

Thursday, July 10, 2025 11:24

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities**

_Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos._   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

**Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities **

_Discovered by Kamlapati Choubey of Cisco Talos._   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Asus and Adobe vulnerabilities

Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as “critical.”

Tuesday, July 8, 2025 16:29

Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as “critical.”  

In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 14 "critical" entries, 11 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including KDC Proxy service, Microsoft Office and SharePoint server. 

CVE-2025-49735 is an RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given a CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially-crafted application to leverage a cryptographic protocol vulnerability in KPSSVC to perform RCE against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and domain controllers are not affected. Microsoft assessed that the attack complexity is “high,” and exploitation is "more likely."  

CVE-2025-49704 is an RCE vulnerability in Microsoft SharePoint server given a CVSS 3.1 score of 7.7. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper control of generation of code (“code injection”) which would allow an authenticated attacker to execute code over a network. To exploit this vulnerability, an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft assessed that the attack complexity is “low,” and exploitation is “more likely."  

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49698, CVE-2025-49702 and CVE-2025-49703 are RCE vulnerabilities in Microsoft Office and Microsoft Word. The vulnerabilities CVE-2025-49695 and CVE-2025-49698 are "use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-49696 is an out-of-bounds read in Microsoft Office. Microsoft assessed that for CVE-2025-49695 and CVE-2025-49696, the attack complexity is "low," and exploitation is "more likely." For CVE-2025-49697, CVE-2025-49698, CVE-2025-49702 and CVE-2025-49703, the attack complexity is "low," and exploitation is "less likely."   

CVE-2025-48822 is an RCE vulnerability in Windows Hyper-V Discrete Device Assignment (DDA) given a CVSS 3.1 score of 8.6. This vulnerability is an out-of-bounds read in Hyper-V that could allow an unauthorized attacker to execute code locally. Microsoft assessed that the attack complexity is “low,” and exploitation is “less likely.” 

CVE-2025-47981is an RCE vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism given a CVSS 3.1 score of 9.8. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. According to Microsoft, this vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: "Network security: Allow PKU2U authentication requests to this computer to use online identities." Microsoft has assessed that the attack complexity is “low,” and exploitation is “more likely.”  

CVE-2025-49717 is an RCE vulnerability in Microsoft SQL Server, given a CVSS 3.1 score of 8.5. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. However, Microsoft has assessed “exploitation unlikely”. 

The last critical vulnerability listed (CVE-2025-47980) is an information disclosure in Windows Imaging Component that, if exploited, could allow an attacker to read small portions of heap memory. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely."   

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"  

*   CVE-2025-49701: Microsoft SharePoint Remote Code Execution Vulnerability 
*   CVE-2025-49724: Windows Connected Devices Platform Service Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.   

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 64435, 64436, 65092, 65096 – 65107, 65110 – 65113.  

The following Snort 3 rules are also available: 301114, 301268 – 301272.

Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

Wednesday, July 2, 2025 06:00

*   Cisco recently developed and released an update to its brand impersonation detection engine for emails. This new update enhances detection coverage and includes a wider range of brands that are delivered using PDF payloads (or attachments). 
*   A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing.  
*   Talos observed that these threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous. These phone numbers are sometimes reused on consecutive days. Additionally, Talos has identified instances of Adobe platform abuse to deliver PDF attachments to victims in TOAD emails. 
*   Talos plans to collect and gather intelligence around phone numbers as an additional indicator of compromise (IOC). 
*   Talos provides new insights into the use of QR codes and PDF annotations in email threats that impersonate legitimate brands through PDF payloads.

**Brand impersonation via PDF payload **

The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation. 

Brand impersonation is a social engineering technique that exploits the popularity of well-known brands to persuade email recipients to disclose sensitive information. As discussed in our previous blog, adversaries can deliver brand logos and names to victims using multiple types of payloads. One of the most common methods of delivering brand logos and names is through PDF payloads (or attachments).

In some cases, the entire email, including a brand’s logo, is embedded within a PDF attachment. Figure 1 displays an example of a QR code phishing email that impersonates the Microsoft Corporation brand. The threat actor used an enticing subject line, “Paycheck Increment,” timed strategically during periods when promotions or merit changes are likely to occur in various organizations.

Figure 1. A QR code phishing email impersonating the Microsoft brand.

In other cases, the company’s logo is included in a separate image or PDF attachment and is displayed to the victim as soon as they open the email. Below is an example of a QR code phishing email that impersonates both the Microsoft and Adobe Inc. brands. Figure 2 shows the Adobe logo attached to an email as an image file.

Figure 2. A QR code phishing email impersonating the Microsoft and Adobe brands.

A brand’s logo may not always be present in every brand impersonation attempt. For example, the following phishing email, which impersonates the Adobe brand, does not include any logos.

Figure 3. A phishing email impersonating the Adobe brand.

When the victim clicks on the “View the Attached online here” hyperlink, they are redirected to a phishing page impersonating a Dropbox, Inc. webpage.

Figure 4. Phishing page impersonating Dropbox download page.

Figure 5. The final phishing page of the above email, impersonating the Dropbox brand.

**Telephone-oriented attack delivery (TOAD) **

A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique: telephone-oriented attack delivery (TOAD), also known as callback phishing.  

Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.

Figure 6. Overview of a typical TOAD attack sequence.

Phishing typically involves sending emails or messages with malicious links or attachments that direct the victim to a counterfeit website. Callback phishing, however, does not rely on fake websites or phishing links. Instead, attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization. Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.  

Most phone numbers found in email threats leveraging this social engineering technique are Voice over Internet Protocol (VoIP) numbers, as it is significantly harder to trace a VoIP number back to a specific individual or physical location compared to a traditional phone number. Below is an example of a TOAD attack that impersonates the McAfee LLC brand.

Figure 6. A TOAD example impersonating the McAfee brand.

Talos has observed that phone numbers are sometimes reused on consecutive days. This could happen for multiple reasons. First, intelligence about phone numbers is collected and distributed at a slower pace compared to other artifacts like URLs and files. In most cases, phone numbers observed in emails by cybersecurity companies are not shared with third-party reputation services, or vice versa. As a result, these phone numbers often remain under the radar for several days. Second, the reuse of phone numbers provides logistical advantages for scam call centers. It enables consistent contact for multi-stage social engineering attacks, scheduling callbacks, and maintaining a credible "brand" presence with victims. Lastly, phone numbers may be reused to minimize costs, particularly if the VoIP service is not free. The plot below illustrates a case where the number +1-818-675-1874 was used in TOAD emails impersonating Best Buy’s Geek Squad brand for four consecutive days.

Figure 7. An example of phone number reuse (+1-818-675-1874) in TOAD emails on consecutive days.

Talos has also observed several cases of e-signature service abuse on the Adobe platform between April and May 2025. Figure 8 shows an example email that impersonates the PayPal brand. In this case, the entire PDF file (i.e., the body of the email) was uploaded to Adobe and sent directly to the victim through the e-signature service.

Figure 8. A TOAD example impersonating the PayPal brand.

Figure 9. The Adobe’s e-signature service abuse in TOAD.

**QR codes in PDF payloads **

Adversaries extensively use QR codes alongside brand impersonation phishing emails, a tactic known as QR code phishing. As seen in Figures 10 – 12, attackers exploit the legitimacy of popular brands to convince users to scan the QR code, ultimately redirecting them to a phishing page, which is often protected by some form of CAPTCHA.

Figure 10. A QR code phishing email impersonating the Docusign, Inc. brand.

Figure 11. CAPTCHA protecting the final phishing page.

Figure 12. Final phishing page.

In most QR code phishing emails with PDF payloads, the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email. This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis. However, OCR is an error-prone process and increases computational costs.

**Annotations in PDF payloads **

Although the PDF format is an open standard, its structure is not straightforward to understand (this book provides an excellent explanation). PDFs can contain both visible and hidden information within their three main components: the text layer, the image layer and the internal structure (e.g., comments and annotations). This flexibility allows certain elements within a PDF to make it appear legitimate, helping it evade spam filters and detection systems. 

To make QR code phishing emails more evasive, attackers often exploit otherwise legitimate PDF annotations. For example, a phishing URL might be embedded in a text annotation, sticky note, comment, or form field within a PDF attachment. Alternatively, attackers may add irrelevant text (or "noise") to bypass detection systems. 

Figures 13 and 14 demonstrate how multiple URLs can be embedded in a PDF attachment using annotations. In this case, the QR code may link to a legitimate web page to build the recipient’s trust, while the embedded annotation points to the actual phishing page. To further obscure the attack, attackers may use shortened URLs, making it harder for users to verify the link's legitimacy before clicking.

Figure 13. A QR code phishing email impersonating the Microsoft brand.

Figure 14. An example PDF attachment with a QR code; two URLs are included in this file in the form of annotations.

**Trends of brand impersonation via PDF payloads **

Brand impersonation remains a prevalent social engineering tactic in phishing attacks, with Talos frequently observing PDF payloads delivering brand names or logos in recent months. 

Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are. The plot in Figure 15, reflecting the period between May 5 and June 5, 2025, highlights the most impersonated brands detected in emails with PDF attachments. Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments.

Figure 15. The topmost brands impersonated in emails with PDF attachments.

The map in Figure 16 indicates where brand impersonation attempts using PDF attachments originated for the above brands, both locally and internationally, during this time period.

Figure 16. The originating IP addresses of brand impersonation attempts using PDF attachments.

**Protection against brand impersonation**

Brand impersonation is one of the most popular social engineering techniques, and it is continuously being used by attackers in different types of email threats. Therefore, a brand impersonation detection engine plays a pivotal role in defending against cyber attacks. 

Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced machine learning-based systems. Learn more about Cisco Secure Email Threat Defense's brand impersonation detection engine here.

PDFs: Portable documents, or perfect deliveries for phish?

This week, Joe reflects on his unique path into cybersecurity and shares honest advice for breaking into the field. Plus, learn how cybercriminals are abusing AI to launch more sophisticated attacks and what you can do to stay protected.

Thursday, June 26, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Happy summer, friends! I hope everyone is staying cool and/or warm. 

I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the Splunk booth. As often happens to me, I was approached by someone who was looking for mentorship and guidance in how to get into a cybersecurity career. It’s not unusual for me to be approached by folks looking to get into cybersecurity. I’m the large, bearded guy with the Talos shirt, so I stick out.  

So, I’m often asked how I got the career I have in cybersecurity and how others can do the same. For a guy who often has a quip or answer for most things, I always pause here. I can’t help but think of my entire career and the dumb luck and hard work that landed me where I’m at. Giving that summation to others wouldn’t be fair, because... well, my journey wasn’t a linear one. I think for many of my peers, the same applies. We found cybersecurity as a career through a series of events that organically landed us in this field. In my case, moreso than others, the path isn’t easy to follow because there was no clearly staked path for me to follow, either. 

I’ll explain as best I can: One today might go to school and graduate with a degree in information security and/or some security certificates, then begin the job hunt for an entry level gig. These types of degrees, certificates and even jobs simply didn’t exist in any meaningful way or numbers when I started my career. If you wanted to learn cybersecurity, there weren’t classes to take — you got a computer science degree and figured it out. I, like many in the GenX world, started as an IT professional. As the industry and cyber threats evolved, the career space over the years shifted and we found ourselves helping fight the good fight and keeping folks secure. 

Today is truly different, and I’m so happy about it and the opportunities it can give others. I’m envious of the school degrees, industry certifications and mentorship programs that exist today that did not exist for me. There is also an incredibly helpful information security community that provides hacking tutorials, or Capture the Flag competitions (CTFs) or hackathons that I would have loved to have been a part of in my formative years.  

By now, I know you’re thinking, "Cool story, grandpa, but answer the question: how do I get a job in cybersecurity?" In my estimation, the answers are as follows:  

1.  Have a good attitude. 
2.  Be easy to work with. 
3.  Be a forever student. 
4.  Be bad at giving up. 
5.  Find and join a (preferably local) security community. 
6.  Grow where you are planted. 

Notice that none of those things mention anything specifically technical. No malware reverse engineering, red teaming, threat intelligence or security analyzing. I can tell you that to work at Talos, you must exhibit strong traits of all six of those things I listed. One through five makes sense. Good hackers are tenacious, smart, work well with others and seek out fellow friends to network and hack with. 

Number six though – what’s up with that? Simply put, life deals us all a hand of cards that we must play, and those cards may not be great. For example, you want to get a job in cybersecurity, but you’re a primary care giver of a family member and you don’t have a lot of freedom. You might be financially constrained. You may have health issues or a disability that limits some options. Or you simply just have a job that you don’t like, and a career in security calls out to you, but the bills don’t pay themselves. This is all common, and you’re a bit “stuck.”  

So while you’re stuck, find ways to grow where you’re planted. Study. Network locally or online. Try a CTF or a hacking competition. Whatever you do, just keep growing yourself, your skillset and your network. You can do it. And before you know it, you’ll have that career helping to fight the good fight with the rest of us. 

I believe in you! You got this! 

**The one big thing **

Cybercriminals are increasingly exploiting Large Language Models (LLMs) by using uncensored versions, developing their own malicious LLMs or "jailbreaking" legitimate ones to bypass safety protocols. These compromised or malicious LLMs are then used to generate highly convincing phishing campaigns, create harmful code and automate various cybercrime operations, making attacks more sophisticated and scalable. 

**Why do I care? **

Cybercriminals’ widespread abuse of LLMs lowers the barrier to entry for sophisticated attacks, making it easier for even less skilled actors to launch effective campaigns. This means you’re more likely to run into highly convincing phishing attempts, scams and malware that are difficult to distinguish from legitimate communications, putting your personal info and company security at higher risk. 

**So now what? **

Given this evolving threat landscape, it’s important to be extra vigilant and skeptical online. Treat all online communications with caution, even if they look perfectly authentic. For individuals, that means double-checking emails and messages for anything fishy, no matter how well-written they seem. For businesses, it's time to beef up your cybersecurity defenses, invest in smart threat detection and keep your employees sharp on how to spot and report these increasingly clever social engineering tricks.

**Top security headlines of the week **

**New AI Jailbreak Bypasses Guardrails With Ease**   
On topic with our latest blog, the new “Echo Chamber” attack bypasses advanced LLM safeguards by subtly manipulating conversational context, proving highly effective across leading AI models. (SecurityWeek)

**US insurance giant Aflac says customers’ personal data stolen during cyberattack**   
Aflac says hackers stole an unknown quantity of its customers’ personal information from its network during a cyberattack earlier this month. (TechCrunch) 

**APT28 Uses Signal Chat to Deploy New Malware in Ukraine**    
A new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. (The Hacker News) 

**UK watchdog fines 23andMe over 2023 data breach**   
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. (TechCrunch) 

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers. 

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Leveraging Detections from the Splunk Threat Research Team & Cisco Talos**  
Wednesday, July 23  
11:00 a.m. to 12:00 p.m. PDT  
Join us for a discussion around the latest security detections developed for the SOC and how to find and remediate threats, faster.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a**   
MD5: 71b973dbdfc7b52ae10afa4d0ad2b78f   
VirusTotal: https://www.virustotal.com/gui/file/05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a/details   
Typical Filename: PCAppStore.exe   
Claimed Product: PC App Store   
Detection Name: Riskware/VeryFast 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f**   
MD5: 7d5a9a41157fb0002f5234b4512e0ac2   
VirusTotal: https://www.virustotal.com/gui/file/2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f/details   
Typical Filename: pros.exe   
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.76128711

Getting a career in cybersecurity isn’t easy, but this can help

Cisco Talos uncovered and analyzed two critical vulnerabilities in ASUS' AsIO3.sys driver, highlighting serious security risks and the importance of robust driver design.

Decrement by one to rule them all: AsIO3.sys driver exploitation

Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.

Wednesday, June 25, 2025 06:00

*   Cybercriminals are continuing to explore artificial intelligence (AI) technologies such as large language models (LLMs) to aid in their criminal hacking activities. 
*   Some cybercriminals have resorted to using uncensored LLMs or even custom-built criminal LLMs for illicit purposes. 
*   Advertised features of malicious LLMs indicate that cybercriminals are connecting these systems to various external tools for sending outbound email, scanning sites for vulnerabilities, verifying stolen credit card numbers and more. 
*   Cybercriminals also abuse legitimate AI technology, such as jailbreaking legitimate LLMs, to aid in their operations. 

Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from. 

LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.” 

For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. 

**Uncensored LLMs **

Uncensored LLMs are unaligned models that operate without the constraints of guardrails. These systems happily generate sensitive, controversial, or potentially harmful output in response to user prompts. As a result, uncensored LLMs are perfectly suited for cybercriminal usage. 

__Figure 1. An uncensored LLM, OnionGPT, advertised on the hacking forum Dread.__

Uncensored LLMs are quite easy to find. For example, using the cross-platform Omni-Layer Learning Language Acquisition (Ollama) framework, a user can download and run an uncensored LLM on their local machine. Ollama comes with several uncensored models such as Llama 2 Uncensored which is based on Meta’s Llama 2 model. Once it is running, users can submit prompts that would otherwise be rejected by more safety-conscious LLM implementations. The downside is that these models are running on users’ local machines and running larger models, which generally produce better results requires more system resources. 

__Figure 2. Sample phishing email prompt and Llama 2 Uncensored output.__

Another uncensored LLM popular among cybercriminals is a tool called WhiteRabbitNeo. WhiteRabbitNeo bills itself as a “Uncensored AI model for (Dev) SecOps teams” which can support “use cases for offensive and defensive cybersecurity”. This LLM will happily write offensive security tools, phishing emails and more. 

__Figure 3. Sample output from the WhiteRabbitNeo uncensored LLM__

Researchers have also published methods to demonstrate how to strip alignment that is embedded into the training data of existing open-source models. Once removed, a user can uncensor their LLM by using the modified training set to fine tune a base model. 

**Cybercriminal-designed LLMs **

Since most popular LLMs come with significant guardrails, some enterprising cybercriminals have developed their own LLMs without restrictions that they market to other cybercriminals. This includes apps like GhostGPT, WormGPT, DarkGPT, DarkestGPT and FraudGPT. 

__Figure 4. FraudGPT dark web homepage.__

 For example, the developer behind FraudGPT, CanadianKingpin12, advertises FraudGPT on the dark web, and also has an account on Telegram. The dark web site for FraudGPT advertises some interesting features: 

*   Write malicious code 
*   Create undetectable malware 
*   Find non-VBV bins 
*   Create phishing pages 
*   Create hacking tools 
*   Find groups, sites, markets 
*   Write scam pages/letters 
*   Find leaks and vulnerabilities 
*   Learn to code/hack 
*   Find cardable sites 
*   Millions of samples of phishing emails 
*   6220+ source code references for malware 
*   Automatic scripts for replicating logs/cookies 
*   In-panel Page hosting included (10 pages/month) with Google Chrome anti-red page 
*   Code obfuscation 
*   Custom data set (upload your sample page in .html) 
*   Bot creation of virtual machines and accounts (1 virtual machine per month on license)  
*   Utilizing GoldCheck CVV checker 
*   OTP Bot with spoofing (\*additional package) 
*   Check CVVs with GoldCheck API 
*   Create username:password website configs 
*   Remote OpenBullet configs 
*   Scan websites for vulnerabilities across a massive CVE database (\*PRO only)  
*   Generate realistic phishing panels, pages, SMS and e-mails  
*   Send mail from webshells 

Talos attempted to obtain access to FraudGPT by reaching out to CanadianKingpin12 on Telegram. After considerable negotiation, we were finally offered a username and password at the FraudGPT dark web site. However, the username and password provided by CanadianKingpin12 did not work. CanadianKingpin12 then asked us to send them cryptocurrency to purchase a software “crack” for the FraudGPT login page. At this point it was clear that CanadianKingpin12 had no working product, and they were scamming potential FraudGPT customers out of their cryptocurrency. This was confirmed by several other victims who had also been scammed by CanadianKingpin12 when they attempted to purchase access to the FraudGPT LLM. Scams such as these are an ever-present risk when dealing with unscrupulous actors, and it continues a long tradition of scams in the cybercrime space. 

Similar cybercriminal-designed LLM projects can be found elsewhere on the dark web. A cybercriminal LLM called DarkestGPT, which starts at .0015BTC for a one-month subscription, advertises the following features: 

__Figure 5. DarkestGPT “Tools and Potential” tab on their dark web site.__

**LLM jailbreaks **

Given the limited viability of uncensored LLMs due to resource constraints and the high level of fraud and scams present among cybercriminal LLM purveyors, many cybercriminals have elected to abuse legitimate LLMs instead. The main hurdle that cybercriminals need to overcome are the training alignment and guardrails that prevent the LLM from responding to prompts with unethical, illegal or harmful content. A form of prompt injection, jailbreak attacks aim to put the LLM into a state where it ignores its alignment training and guardrails protection. 

There are many ways to trick an LLM into providing dangerous responses. New jailbreaking methods are constantly being researched and discovered, while LLM developers respond by enhancing the guardrails in a sort of jailbreak arms race. Below are just a few of the available jailbreaking techniques. 

**Obfuscation/encoding-based jailbreaks **

By obfuscating certain words or phrases, these text-based jailbreak attacks seek to bypass any hardcoded restrictions on specific words/topics, or to cause the execution to follow a nonstandard path that might bypass protections put in place by the LLM developers. These obfuscation techniques may include: 

*   Base64/Rot-13 encoding
*   Different languages  
*   L33t sp34k  
*   Morse code 
*   Emojis 
*   Adding spaces or UTF-8 characters into words/text, among others. 

**Adversarial suffix jailbreaks **

These attacks are somewhat like obfuscation and encoding tricks. Instead of modifying the tokens in the prompt itself, adversarial suffix jailbreaks involve appending random text to the end of a malicious prompt to elicit a harmful response.  

**Role-playing jailbreaks **

This type of attack involves prompting the LLM to adopt the persona of a fictional universe/character that ignores the ethical rules set by the model’s creators and is willing to fulfill any command. This includes jailbreak techniques such as DAN (Do Anything Now), and the Grandma jailbreak which involves asking the chatbot to assume the role of the user’s grandmother. 

**Meta prompting **

Meta prompting involves exploiting the model’s awareness of its own limitations to devise successful workarounds, effectively enlisting the model in the effort to bypass its own safeguards. 

**Context manipulation jailbreaks **

This covers several different jailbreak techniques including: 

*   Crescendo, a technique which progressively increases the harmfulness in prompts until some sort of rejection is received in order to probe for where and how LLM guardrails are implemented.  
*   Context Compliance Attacks, which exploit the fact that many LLMs do not maintain conversation state. Attackers inject fake prior LLM responses into their prompts, such as a brief statement discussing the sensitive topic, or a statement expressing readiness to supply further details as per the user’s preferences. 

**Math prompt jailbreaks **

The math prompt method evaluates how well an AI system can manage malicious inputs when they're disguised using mathematical frameworks such as set theory, group theory, and abstract algebra. Rephrasing harmful requests as math problems can allow attackers to evade safety features in advanced large language models (LLMs). 

**Payload splitting **

In this scenario, the attacker guides the LLM to merge several prompts in a way that produces harmful output. While texts A and B may seem benign when considered separately, their combination (A+B) can result in malicious content. 

**Academic framing **

This method makes harmful content appear acceptable by framing it as part of a research or educational discussion. It takes advantage of the model’s interpretation of academic intent and freedom, often using scholarly language and formatting to bypass safeguards. 

**System override **

This strategy tries to trick the model into believing it is functioning in a unique mode where usual limitations are lifted. It leverages the model’s perception of system-level functions or maintenance states to circumvent safety mechanisms. 

**How cybercriminals use LLMs **

In December 2024, Anthropic, the developers behind the Claude LLM, published a report detailing how its users were utilizing Claude. Using a system named Clio, they summarized and categorized users’ conversations with their AI model. According to Anthropic, the top three uses for Claude were programming, content creation and research. 

__Figure 6. Anthropic’s graphic of top use cases on Claude.ai.__

 Analyzing the feature sets advertised by the criminal-designed LLMs, we can see that cybercriminals are using LLMs for mostly the same tasks as normal LLM users. Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers, code obfuscation, shellcode generation and script/tool creation.  To facilitate content creation, criminal LLMs will assist in writing phishing emails, landing pages and configuration files. Criminal LLMs also support research activities like verifying stolen credit cards, scanning sites/code for vulnerabilities and even helping cybercriminals come up with “lucrative” criminal ideas for their next big score. 

Various hacking forums also shed additional light on criminal uses of LLMs. For example, on the popular hacking forum Dread, users were discussing connecting LLMs to external tools like Nmap, and using the LLM to summarize the Nmap output. 

__Figure 7. A post on the Dread hacking forum discussing connecting Nmap to LLMs__

**LLMs are also targets for cyber attackers **

Any new technology typically brings along with it changes to the attack surface, and LLMs are no exception. In addition to using LLMs for their own nefarious ends, attackers are also attempting to compromise LLMs and their users. 

**Backdoored LLMs **

A vast majority of the models available at Hugging Face use Python’s pickle module to serialize the models into a file that users can download. Clever attackers can include Python code in the pickle file, which runs as part of the deserialization process. Thus, when a user downloads an AI model and runs it, they may be running code placed into the model by an attacker. Hugging Face uses Picklescan, among other tools, to scan the models uploaded by users in an effort to identify models that misbehave. However, there have been several recent vulnerabilities in Picklescan, and researchers have already identified Hugging Face models containing malware. As always, make sure any file you plan to download and run comes from a trusted source and consider running the file in a sandbox to mitigate any risk of infection. 

**Retrieval Augmented Generation (RAG) **

LLMs that utilize Retrieval Augmented Generation (RAG) make calls to external data sources to augment their training data with up-to-date information. For example, if you ask an LLM what the weather is like a particular day, the LLM will need to reach out to an external data source such as a website to retrieve the correct forecast. If an attacker has access to submit or manipulate content in the RAG database, they may poison the lookup results, perhaps adding additional instructions for the LLM to alter its response to the user’s prompt, even targeting specific users. 

**Conclusion **

As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.