It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect.
Here’s a quick look at this week’s top threats, new tactics, and security stories shaping

⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More

Plus: US government cybersecurity staffers get reassigned to do immigration work, a hack exposes sensitive age-verification data of Discord users, and more.

Research published this week indicates that North Korean scammers are trying to trick US companies into hiring them for architectural design work, using fake profiles, résumés, and Social Security numbers to pose as legitimate workers. The hustle fits into longstanding campaigns by the hermit kingdom to steal billions of dollars from organizations around the world using careful planning and coordination to pose as professionals in all different fields.

Under pressure from the Department of Justice, Apple removed a series of apps from its iOS App Store this month related to monitoring US Immigration and Customs Enforcement activity and archiving content related to ICE's actions. As more apps are removed, multiple developers told WIRED this week that they aren't giving up on fighting Apple over the decisions—and many are still distributing their apps on other platforms in the meantime.

WIRED examined increasing warnings from software supply chain security researchers that the proliferation of AI-generated software in codebases will create an even more extreme version of the code transparency and accountability issues that have come up with widespread integration of open source software components. And Apple announced expansions of its bug bounty program this week, including a maximum $2 million payout for certain exploit chains that could be abused to distribute spyware, and additional bonuses for exploits found in Apple's Lockdown Mode or in beta versions of new software.

But wait, there's more! Each week, we round up the security and privacy news we didn’t report in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The notorious spyware vendor NSO Group, known for developing the Pegasus malware, has faced financial issues since losing a long legal battle against the secure messaging platform WhatsApp as well as a lawsuit filed by Apple. Now, the company, which has long had Israeli ownership, has been purchased by a group of US-based investors led by movie producer Robert Simonds, who helped finance _Happy Gilmore_, _Billy Madison_, _The Pink Panther_, _Hustlers_, and _Ferrari_, among many other films. The deal is reportedly worth “several tens of millions of dollars” and is close to completion. Israel’s Defense Export Control Agency (DECA) within the Ministry of Defense will need to approve the sale. Use of mercenary spyware has increased within some US federal government agencies since the beginning of the Trump administration.

**Top US Cybersecurity Workers Reassigned to Immigration Roles**

Hundreds of national security and cybersecurity specialists who work in the US Department of Homeland Security have faced mandatory reassignment in recent weeks to roles related to President Donald Trump’s mass deportation agenda. Bloomberg reports that affected workers are largely senior staffers who are not union eligible. Workers who refuse to move roles will reportedly be dismissed. Members of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) who have faced reassignment reportedly worked on “issuing alerts about threats against US agencies and critical infrastructure.” For example, CISA’s Capacity Building team has faced a number of reassignments, which could hinder access to emergency recommendations and directives for high-value federal government assets. Workers have been moved to agencies including Immigration and Customs Enforcement, Customs and Border Protection, and the Federal Protective Service.

**Hack Exposes Sensitive Discord User Data**

A recent breach of a third-party customer service provider used by the communication platform Discord included a trove of data from more than 70,000 Discord users that contained identification documents as well as selfies, email addresses, phone numbers, some home location information, and more. The data was collected as part of age verification checks, a mechanism that has long been criticized for centralizing users’ sensitive information. 404 Media reports that the breach was perpetrated by attackers who are attempting to extort Discord. “This is about to get really ugly,” the hackers wrote in a Telegram channel on Wednesday while posting the stolen data.

**ICE Buys Vehicles That Use Fake Cell Towers for Phone Surveillance**

US Immigration and Customs Enforcement inked a $825,000 contract in May with TechOps Specialty Vehicles (TOSV), a Maryland-based company that manufactures equipment and vehicles for law enforcement. The company provides products including rogue cellphone towers that are used for phone surveillance and sometimes called “stingrays” or “cell-site simulators.” Public records reviewed by TechCrunch show that the agreement describes how the company “provides Cell Site Simulator (CSS) Vehicles to support the Homeland Security Technical Operations program” and is a modification for “additional CSS Vehicles.” TOSV also began a similar $818,000 contract with ICE in September 2024, prior to the start of the Trump administration. In an email to TechCrunch, TOSV president Jon Brianas declined to share details about the contracts but confirmed that the company does provide cell-site simulators. The company does not manufacture them itself, he said.

'Happy Gilmore' Producer Buys Spyware Maker NSO Group

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The flaw was used to steal data. Update your app now to stay protected.

WhatsApp has revealed it has patched a serious security vulnerability in its apps for Apple devices that was used to secretly compromise the iPhones and Macs of “specific targeted users.”

The bug, identified as CVE-2025-55177, was discovered by WhatsApp’s internal security team. The company explained in its official advisory that the flaw was part of a sophisticated attack chain that linked two separate vulnerabilities. This is a zero-click attack method, which does not require a victim to click on a link, open a file, or take any other action for their device to be compromised.

The flaw itself was a case of “incomplete authorisation of linked device synchronisation messages,” the advisory explains. This allowed an unrelated user to force a target’s device to process content from a malicious web address.

When paired with a separate Apple flaw, CVE-2025-43300 (which Apple had already fixed), in how it handles images, this attack chain could be used to install a malicious program and steal data without any user interaction. It is worth noting that the flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp confirmed it had sent notifications to “less than 200” users it believed had been affected.

According to a statement from the National Cybersecurity Agency (NCSA) in Qatar, the severity of this flaw lies in its mechanism for processing synchronisation messages between linked devices, which could allow a hacker to gain initial access to a victim’s device.

> #Meta, the owner of the famous chat app #WhatsApp, has announced the existence of a critical vulnerability in the app. The severity of this flaw lies in the mechanism for processing synchronization messages between linked devices, allowing an attacker to send a crafted… pic.twitter.com/dYIwdij0gP
> 
> — Qatar Tribune (@Qatar\_Tribune) August 30, 2025

Amnesty International’s Security Lab, led by Donncha Ó Cearbhaill, described the pair of bugs as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May, and was capable of stealing data from a user’s device, including messages. In a post on X, Cearbhaill also shared necessary tips, advising people to update their devices or perform a factory reset.

(X.com)

While it’s not yet clear who is behind this latest attack, it is not the first time that WhatsApp users have been targeted by advanced spyware. In 2019, the messaging app sued the spyware maker NSO Group for a hacking campaign that compromised more than 1,400 users with its Pegasus spyware. A US court later ordered the company to pay WhatsApp $167 million in damages.

This new incident shows the ongoing threat of government spyware and malware. It also emphasises why users should always keep their apps and operating systems updated, as these updates often contain critical security patches to protect against such sophisticated attacks.

WhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users

There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-8f93-j3fx-72f3: CRI-O has Potential High Memory Consumption from File Read

Thorsten takes stock of a rapidly evolving vulnerability landscape: record-setting CVE publication rates, the growing fragmentation of reporting systems, and why consistent tracking and patching remain critical as we move through 2025.

Thursday, July 10, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

**The one big thing **

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

**Why do I care? **

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

**So now what? **

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Security Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

**Top security headlines of the week **

**Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage**  
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer) 

**Jailbreaking AI with information overload**   
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media) 

**SatanLock is shutting down**  
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading) 

**Ingram Micro scrambling to restore systems after ransomware attack**  
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage over its services, and they were forced to take certain systems offline on Friday afternoon, in response to the incident. (SecurityWeek) 

**Malicious Chrome extensions with 1.7M installs found on Web Store**  
Malicious extensions with 1.7 million downloads in Google's Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

**Can’t get enough Talos? **

**Scams, jailbreaks and poetic justice**  
In this episode of the TTP, Hazel Burton sits down with Talos' Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

**Vulnerability Roundup**  
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

**PDFs: Portable documents, or perfect deliveries for phish?**   
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

**Beers with Talos: Terms and conceptions may apply**   
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Patch, track, repeat

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

Thursday, July 10, 2025 11:24

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities**

_Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos._   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

**Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities **

_Discovered by Kamlapati Choubey of Cisco Talos._   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Asus and Adobe vulnerabilities

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

This week, Joe reflects on his unique path into cybersecurity and shares honest advice for breaking into the field. Plus, learn how cybercriminals are abusing AI to launch more sophisticated attacks and what you can do to stay protected.

Thursday, June 26, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Happy summer, friends! I hope everyone is staying cool and/or warm. 

I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the Splunk booth. As often happens to me, I was approached by someone who was looking for mentorship and guidance in how to get into a cybersecurity career. It’s not unusual for me to be approached by folks looking to get into cybersecurity. I’m the large, bearded guy with the Talos shirt, so I stick out.  

So, I’m often asked how I got the career I have in cybersecurity and how others can do the same. For a guy who often has a quip or answer for most things, I always pause here. I can’t help but think of my entire career and the dumb luck and hard work that landed me where I’m at. Giving that summation to others wouldn’t be fair, because... well, my journey wasn’t a linear one. I think for many of my peers, the same applies. We found cybersecurity as a career through a series of events that organically landed us in this field. In my case, moreso than others, the path isn’t easy to follow because there was no clearly staked path for me to follow, either. 

I’ll explain as best I can: One today might go to school and graduate with a degree in information security and/or some security certificates, then begin the job hunt for an entry level gig. These types of degrees, certificates and even jobs simply didn’t exist in any meaningful way or numbers when I started my career. If you wanted to learn cybersecurity, there weren’t classes to take — you got a computer science degree and figured it out. I, like many in the GenX world, started as an IT professional. As the industry and cyber threats evolved, the career space over the years shifted and we found ourselves helping fight the good fight and keeping folks secure. 

Today is truly different, and I’m so happy about it and the opportunities it can give others. I’m envious of the school degrees, industry certifications and mentorship programs that exist today that did not exist for me. There is also an incredibly helpful information security community that provides hacking tutorials, or Capture the Flag competitions (CTFs) or hackathons that I would have loved to have been a part of in my formative years.  

By now, I know you’re thinking, "Cool story, grandpa, but answer the question: how do I get a job in cybersecurity?" In my estimation, the answers are as follows:  

1.  Have a good attitude. 
2.  Be easy to work with. 
3.  Be a forever student. 
4.  Be bad at giving up. 
5.  Find and join a (preferably local) security community. 
6.  Grow where you are planted. 

Notice that none of those things mention anything specifically technical. No malware reverse engineering, red teaming, threat intelligence or security analyzing. I can tell you that to work at Talos, you must exhibit strong traits of all six of those things I listed. One through five makes sense. Good hackers are tenacious, smart, work well with others and seek out fellow friends to network and hack with. 

Number six though – what’s up with that? Simply put, life deals us all a hand of cards that we must play, and those cards may not be great. For example, you want to get a job in cybersecurity, but you’re a primary care giver of a family member and you don’t have a lot of freedom. You might be financially constrained. You may have health issues or a disability that limits some options. Or you simply just have a job that you don’t like, and a career in security calls out to you, but the bills don’t pay themselves. This is all common, and you’re a bit “stuck.”  

So while you’re stuck, find ways to grow where you’re planted. Study. Network locally or online. Try a CTF or a hacking competition. Whatever you do, just keep growing yourself, your skillset and your network. You can do it. And before you know it, you’ll have that career helping to fight the good fight with the rest of us. 

I believe in you! You got this! 

**The one big thing **

Cybercriminals are increasingly exploiting Large Language Models (LLMs) by using uncensored versions, developing their own malicious LLMs or "jailbreaking" legitimate ones to bypass safety protocols. These compromised or malicious LLMs are then used to generate highly convincing phishing campaigns, create harmful code and automate various cybercrime operations, making attacks more sophisticated and scalable. 

**Why do I care? **

Cybercriminals’ widespread abuse of LLMs lowers the barrier to entry for sophisticated attacks, making it easier for even less skilled actors to launch effective campaigns. This means you’re more likely to run into highly convincing phishing attempts, scams and malware that are difficult to distinguish from legitimate communications, putting your personal info and company security at higher risk. 

**So now what? **

Given this evolving threat landscape, it’s important to be extra vigilant and skeptical online. Treat all online communications with caution, even if they look perfectly authentic. For individuals, that means double-checking emails and messages for anything fishy, no matter how well-written they seem. For businesses, it's time to beef up your cybersecurity defenses, invest in smart threat detection and keep your employees sharp on how to spot and report these increasingly clever social engineering tricks.

**Top security headlines of the week **

**New AI Jailbreak Bypasses Guardrails With Ease**   
On topic with our latest blog, the new “Echo Chamber” attack bypasses advanced LLM safeguards by subtly manipulating conversational context, proving highly effective across leading AI models. (SecurityWeek)

**US insurance giant Aflac says customers’ personal data stolen during cyberattack**   
Aflac says hackers stole an unknown quantity of its customers’ personal information from its network during a cyberattack earlier this month. (TechCrunch) 

**APT28 Uses Signal Chat to Deploy New Malware in Ukraine**    
A new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. (The Hacker News) 

**UK watchdog fines 23andMe over 2023 data breach**   
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. (TechCrunch) 

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers. 

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Leveraging Detections from the Splunk Threat Research Team & Cisco Talos**  
Wednesday, July 23  
11:00 a.m. to 12:00 p.m. PDT  
Join us for a discussion around the latest security detections developed for the SOC and how to find and remediate threats, faster.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a**   
MD5: 71b973dbdfc7b52ae10afa4d0ad2b78f   
VirusTotal: https://www.virustotal.com/gui/file/05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a/details   
Typical Filename: PCAppStore.exe   
Claimed Product: PC App Store   
Detection Name: Riskware/VeryFast 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f**   
MD5: 7d5a9a41157fb0002f5234b4512e0ac2   
VirusTotal: https://www.virustotal.com/gui/file/2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f/details   
Typical Filename: pros.exe   
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.76128711

Getting a career in cybersecurity isn’t easy, but this can help

Cisco Talos uncovered and analyzed two critical vulnerabilities in ASUS' AsIO3.sys driver, highlighting serious security risks and the importance of robust driver design.

Decrement by one to rule them all: AsIO3.sys driver exploitation

"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.

Every so often the sextortion emails that start with “Hello pervert” get a redesign.

You may have received one yourself: The emails claim that the sender has been watching your online behavior and caught you red-handed doing activities that you would like to keep private.

The email usually starts with “Hello pervert” and then goes on to claim that you have been watching porn. The sender often says they have footage of what you were watching and what you were doing while watching it.

To stop the sender from spreading the incriminating footage to your email contact list, you are asked to pay them money. The overall tone is threatening, manipulative, and designed to provoke fear and urgency.

We know these emails are a big problem. We see thousands of people visiting our website a week looking to find information on sextortion emails like these. And now we’re seeing a new version with some features we haven’t seen in the past. Interestingly, just as the cost of food, travel, and—well—living has gone up, so has the amount of money that the scammers ask for in the email.

This most recent email we’ve seen also gives away the probable origin of the emails.

With all that we thought it would be interesting to take a closer look.

> “Hello pervert, I’ve sent thіs message from your **Microsoft** account.
> 
> I want to іnform you about a very bad sіtuatіon for you. However, you can benefіt from іt, іf you wіll act wіsely.
> 
> Have you heard of Pegasus? Thіs іs a spyware program that іnstalls on computers and smartphones and allows hackers to monіtor the actіvіty of devіce owners. It provіdes access to your webcam, messengers, emaіls, call records, etc. It works well on Androіd, іOS, macOS and Wіndows. I guess, you already fіgured out where I’m gettіng at.
> 
> It’s been a few months sіnce I іnstalled іt on all your devісes because you were not quіte choosy about what lіnks to clіck on the іnternet. Durіng thіs perіod, I’ve learned about all aspects of your prіvate lіfe, but one іs of specіal sіgnіfіcance to me.
> 
> I’ve recorded many vіdeos of you jerkіng off to hіghly controversіal рorn vіdeos. Gіven that the “questіonable” genre іs almost always the same, I can conclude that you have sіck рerversіon.
> 
> I doubt you’d want your frіends, famіly and co-workers to know about іt. However, I can do іt іn a few clіcks.
> 
> Every number іn your contact Iіst wіll suddenly receіve these vіdeos – on WhatsApp, on Telegram, on Instagram, on Facebook, on emaіl – everywhere. It іs goіng to be a tsunamі that wіll sweep away everythіng іn іts path, and fіrst of all, your former lіfe.
> 
> Don’t thіnk of yourself as an іnnocent vіctіm. No one knows where your рerversіon mіght lead іn the future, so consіder thіs a kіnd of deserved рunіshment to stop you.
> 
> I’m some kіnd of God who sees everythіng. However, don’t panіc. As we know, God іs mercіful and forgіvіng,  and so do I. But my merсy іs not free.
> 
> Transfer **1650$** to my Lіtecoіn (LTC) wallet: **{redacted}**
> 
> Once I receіve confіrmatіon of the transactіon, I wіll рermanently delete all vіdeos compromіsіng you, unіnstall Pegasus from all of your devіces, and dіsappear from your lіfe. You can be sure – my benefіt іs only money. Otherwіse, I wouldn’t be wrіtіng to you, but destroy your lіfe wіthout a word іn a second.
> 
> I’ll be notіfіed when you open my emaіl, and from that moment you have exactly **48 hours** to send the money. If cryptocurrencіes are unchartered waters for you, don’t worry, іt’s very sіmple. Just google “crypto exchange” or “buy Litecoin” and then іt wіll be no harder than buyіng some useless stuff on Amazon.
> 
> I strongly warn you agaіnst the followіng:  
> \* Do not reply to thіs emaіl. I’ve sent іt from your Mіcrosoft account.
> 
> \* Do not contact the polіce. I have access to all your devісes, and as soon as I fіnd out you ran to the cops, vіdeos wіll be publіshed.
> 
> \* Don’t try to reset or destroy your devісes. As I mentіoned above: I’m monіtorіng all your actіvіty, so you eіther agree to my terms or the vіdeos are рublіshed.
> 
> Also, don’t forget that cryptocurrencіes are anonymous, so іt’s іmpossіble to іdentіfy me usіng the provіded address.
> 
> Good luck, my perverted frіend. I hope thіs іs the last tіme we hear from each other.
> 
> And some frіendly advіce: from now on, don’t be so careless about your onlіne securіty.”

**Spoofing your email address**

One clever trick the scammers use is saying they’ve sent the email from your Microsoft account. The sender spoofs your email address, in the hope that it makes you think your device may indeed be compromised.

However, it’s easy for scammers to spoof (use a fake) email address because the email system doesn’t check if the sender is real. That’s why it’s important to be cautious. Even if an email looks like it’s from someone you know, or even yourself, it could be from a scammer.

If you’re technically savvy, taking one look at the authentication results in the email header would reveal that the email failed because the IP address does not match the domain.

However, we can assume that most people receiving the email wouldn’t think to do this, and so the email spoofing might well work to add legitimacy to the email.

**Encoding errors**

Looking at the source of the email, we got a little insight into its origin.

The intro of the email shows the repeated use of “=D1=96” and some other encoding errors. In fact, the whole text is riddled with encoding errors, which typically appear when Cyrillic or other non-Latin characters are misinterpreted as UTF-8 or quoted-printable, or when text is generated or processed by automated systems not properly handling character sets.

The sequence =D1=96 is the quoted-printable encoding for the Unicode character U+0456, which is the Cyrillic letter “i”. This encoding error strongly points towards the writer’s native language being one that uses the Cyrillic script, which is predominantly used in Eastern European and Central Asian countries, with Russian being the most prominent language using it.

These errors also tell us that this scammer doesn’t use the most sophisticated tools. Although the awkward sentence structures and repetitive language are consistent with automated text generation or translation, they are classic signs of a low-effort, high-volume campaign—not the kind where an AI has been used to add personalization or a more natural voice.

**Price hike**

Back in April, the price that scammers were asking victims to pay for being a “pervert” was $1200, and in May it was $1450.

This time we’re asked to pay no less than $1650.

There could be several reasons for this. Maybe the costs of the operation have gone up. Or the scammers feel the value of their threat and its consequences have increased.

Scammers often start with what seems a “reasonable amount” to them and, if successful, incrementally increase it for future victims. This allows them to gauge the maximum amount that people are willing to pay to avoid the threatened consequences.

I’m happy to report that both the mentioned Litecoin wallets are empty. Let’s keep it that way.

**How to spot a sextortion email**

Once you’re aware of them, it’s easy to recognize these emails. Remember that not all of the below characteristics might be included in the email you receive, but all of them are red flags in their own right.

*   They often look as if they were sent from your own email address.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know your password and may even offer one as “proof”. This password is likely to have been stolen in a separate data breach and is unrelated to the sextortion email itself.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to sextortion emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and so they will repeatedly try other methods to defraud you.

*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender’s address is suspicious or even your own.
*   If the email includes a password, make sure you are not using it anymore and if you are, change it as soon as possible.
*   If you are having trouble organizing your passwords, have a look at a password manager.
*   For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

Sextortion emails often contain passwords that have been stolen in another data breach and posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and you’ll get a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#asus