Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

Tuesday, August 5, 2025 09:00

*   Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”. 
*   100+ models of Dell Laptops are affected by this vulnerability if left unpatched. 
*   The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.  
*   The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges. 

**Dell ControlVault overview **

Dell ControlVault is “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” A daughter board provides this functionality and performs these security features in firmware. Dell refers to the daughter board as a Unified Security Hub (USH), as it is used as a hub to run ControlVault (CV), connecting various security peripherals such as a fingerprint reader, smart card reader and NFC reader. 

Here is a photographic example of a USH board:  ​​​​

Picture of a USH Board running CV. 

This is the board in its natural environment:  

USH board (highlighted in orange) inside a Dell Latitude laptop. 

The current iterations of the product are called ControlVault3 and ControlVault3+. and can be found in more than 100 different models of actively-supported Dell laptops (see DSA-2025-053), mostly from the business-centric Lattitude and Precision series. These laptop models are widely used in the cybersecurity industry, government settings and challenging environments in their Rugged version. Sensitive industries that require heightened security when logging in (via smartcard or NFC) are more likely to find ControlVault devices in their environment, as they are necessary to enable these security features. 

**Findings **

Today, Talos is publishing five CVEs and their associated reports. The vulnerabilities include multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050) an arbitrary free (CVE-2025-25215) and a stack-overflow (CVE-2025-24922), all affecting the CV firmware. We also reported an unsafe-deserialization (CVE-2025-24919) that affects ControlVault’s Windows APIs. 

**Impact **

With a lack of common security mitigations and the combination of some of the vulnerabilities mentioned above, the impact of these findings is significant. Let’s highlight two of the most critical attack scenarios we have uncovered. 

**Post-compromise pivot **

On the Windows side, a non-administrative user can interact with the CV  firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware. From this vantage point, it becomes possible to leak key material essential to the security of the device, thus gaining the ability to permanently modify its firmware. This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a Threat Actor’s post-compromise strategy. The following video shows how a tampered CV firmware can be used to “hack Windows” by leveraging the unsafe deserialization bug mentioned previously. 

0:00

/0:22

**Physical attack **

A local attacker with physical access to a user’s laptop can pry it open and directly access the USH board over USB with a custom connector. From there, all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log-in into the system or knowing a full-disk encryption password. While chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering. 

Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s.   

0:00

/0:07

**Mitigation **

To mitigate these attacks, Talos recommends the following: 

*   Keep your system up to date to ensure the latest firmware is installed. CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior. 
*   If not using any of the security peripherals (fingerprint reader, smart card reader and NFC reader) it is possible to disable the CV services (using the Service Manager) and/or the CV device (via the Device Manager).  
*   It is also worth considering disabling fingerprint login when risks are heightened (e.g., leaving one’s laptop unattended in a hotel room). Windows also provides Enhanced Sign-in Security (ESS), which may help mitigate some of the physical attacks and detect inappropriate CV firmware. 

**Detection **

To detect an attack, consider the following: 

*   Depending on your laptop model, chassis intrusion detection can be enabled in the computer’s BIOS. This would flag physical tampering and may require entering a password to clear the alert and restart the computer. 
*   In the Windows logs, unexpected crashes of the Windows Biometric Service or the various Credential Vault services could be a sign of compromise. 
*   Cisco customers using Cisco Secure Endpoint can be made aware of potential risks with the signature definition “bcmbipdll.dll Loaded by Abnormal Process”. 

**Conclusion **

These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. As Talos demonstrated, vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication. Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats.

ReVault! When your SoC turns against you…

In 2023, Cisco Talos and partners created a special Backdoors & Breaches card deck to help NGOs improve their cybersecurity skills with practical, easy-to-use training tailored to their needs.

Monday, August 4, 2025 12:00

*   In 2023, Talos collaborated with NetHope and Cisco Crisis Response to create a customized Backdoors & Breaches expansion deck for international humanitarian organizations, addressing their unique cybersecurity challenges. 
*   The new expansion deck helps NGOs with constrained budgets improve proactive security and incident response skills through engaging tabletop exercises that are specific to their technical, political, and logistical challenges. 
*   Hundreds of expansion decks have been distributed to international NGOs, and Talos has received positive feedback for their practicality and relevance. 
*   Building on this success, we partnered with NGO-ISAC to develop a United States-specific deck for domestic NGOs, enhancing their cybersecurity preparedness.

**Humanitarian organizations and the cybersecurity landscape**

Hello friends! My name is Joe Marshall and I work at Cisco Talos as a cyber threat researcher and security strategist. Throughout my travels with Talos, I’ve met extraordinary individuals and organizations who fight injustices in a variety of ways: caring for children, feeding the unhoused, promoting democracy, protecting the environment, or resettling refugees who are fleeing from war. 

In moments of unimaginable crisis and pain, the international non-governmental organization (NGO) folks I met are on the front lines distributing aid, documenting human rights abuses, assisting first responders, and offering comfort to people who have had their worlds upended. I unabashedly admire and respect them. 

Unfortunately, international NGOs have historically struggled in cybersecurity. No matter an NGO’s size, limited donor and grant dollars mean that sustaining the organization competes with delivering aid, leaving little (if any) funding for cybersecurity. As a result, public sector offensive actors, mercenary spyware organizations, and state-sponsored actors take advantage of this to target or financially exploit these NGOs, even though they are assisting some of the most vulnerable people in the world. No one gets a pass in this modern era of cybercrime!

**Helping the helpers**

In 2023, the Cisco Crisis Response (CCR) team — a group that helps local agencies and communities prepare for, respond to, and sustainably rebuild from crises — approached my team at Talos with a rare opportunity to help incorporate cybersecurity into their work alongside their partner, NetHope.

NetHope is a humanitarian assistance organization that “helps our nonprofit Members effectively address the world’s most pressing challenges through collaboration, collective action and the smarter use of technology.” They also host the NetHope Global Summit, a yearly gathering of international NGOs to discuss technical issues and solutions to enable their member NGOs’ missions.

Before this project, I was not well-versed in the challenges of the NGO cybersecurity landscape or operating realities. Every business vertical is unique, and my first few meetings with NetHope forced me to confront the stark realities of the cybersecurity poverty line. With NGOs’ limited cybersecurity budgets, expertise, and resources, I knew our project had to have a low barrier to entry.

After much brainstorming, I suggested that we create an NGO-centric version of the popular cybersecurity tabletop exercise, “Backdoors & Breaches,” to keep workers’ incident response skills sharp.

**What is a tabletop exercise? **

A tabletop exercise (TTX) is a group thought experiment. The “Game Master” presents various scenarios and variables to their players, who are usually team leaders in their business, to see how they respond as a group. At a high level, TTXs are a way to help your team prepare for worst-case scenarios and cost-effectively develop plans and responses to a variety of incidents. As they say, “Fortune favors the prepared.”

For example, a hospital might want to conduct a TTX to develop and test incident response and data recovery if hackers were to attack their electronic health records. An electric utility company might conduct a TTX to test critical infrastructure restoration and coordination with emergency responders. And, of course, a humanitarian assistance organization may need to protect itself against cyber attacks to keep their life-saving work going!

**An introduction to Backdoors & Breaches**

Backdoors & Breaches is a card-based TTX developed and published under a GNU license by Black Hills Information Security. It’s a novel game designed to teach both technical and non-technical players cybersecurity incident response in a format similar to the popular Dungeons & Dragons roleplaying game. Here’s an example of gameplay at the RSA Conference, with the digital version of the game:

If you want to accommodate a specific technical aspect of security, like industrial control systems, the cloud, or threat hunting, you can modify Backdoors & Breaches with expansion decks. Customizing cards to reflect your team's unique circumstances can result in better buy-in and even a higher level of preparedness when a breach occurs.

**Talos and NetHope create a new expansion**

It was this potential customization that attracted me to making a new expansion deck for the international humanitarian community. The concept of Talos and NetHope adapting a cost-effective, portable, and easy-to-understand TTX to fit the limited cybersecurity budgets of typical NGOs was irresistible. To bring this vision to life, I assembled a diverse team of seasoned cybersecurity NGO professionals, technologists, and crisis response specialists who recognized the value in developing new cards.

The result was a new deck that seamlessly merged into the original Backdoors & Breaches game. These unique cards are modeled from real events and speak to the unique technical, political, and logistical challenges that humanitarian assistance organizations may face during cyber attacks. Here are some examples:

__Imagine that an angry mob raids your NGO’s office. You’re trying to do digital forensics, but your team is forced to leave the country! What do you do?__

We presented this new expansion at the NetHope Global Summit in 2023, where participants widely enjoyed it. We found that this expansion pack brought them together in ways the generic deck on its own likely wouldn’t have. Many people shared first-hand experiences with the stressful situations these cards presented, which led to authentic and open conversations on the best responses to the scenarios.

__Presenting the base deck and expansion pack at the 2023 NetHope Global Summit.__

Over the course of several summits, Talos and NetHope have given away hundreds of physical copies of the expansion, and we’ve received a lot of positive reception from the international NGO community. If you’re curious, you can also find the cards online here.

**The U.S. domestic NGO edition**

In a country as large as the United States, there are hundreds of domestic NGOs that operate solely within the country and local communities. The NGO Information Sharing and Analysis Center (NGO-ISAC) is a 501(c)(3) nonprofit organization that focuses on domestic civil society organizations.

Using the momentum of our Backdoors & Breaches international humanitarian expansion pack, Talos partnered with NGO-ISAC to create a new deck that reflects U.S.-specific NGO security situations.

__On-stage demonstration at the__ __Ford Foundation__ __for the NGO-ISAC Conference.__

If the NGO’s team is spread across the country and wants to play, that’s not a problem! Using this GitHub link you can instantiate and connect to a mini web server on your local computer. With a web sharing tool, you can stream it to any size audience and folks can play along virtually. You can easily use Python for this.

**Conclusion**

International and domestic NGOs are critical to aid delivery and civil society, but they’re heavily targeted by threat actors who seek to disrupt or exploit their missions. TTXs like Backdoors & Breaches lower the barrier to entry for organizations to have serious conversations about security posture and response, and NetHope and Talos’ custom expansions provide industry-specific scenarios to enrich the experience.

I feel very fortunate to have had the opportunity to volunteer and donate my time to help NGO workers and volunteers fight the good fight. Whether you’re a threat intelligence organization, an international NGO providing medical care to refugees, or a domestic food bank fighting hunger, Talos is with you.

Backdoors & Breaches: How Talos is helping humanitarian aid NGOs prepare for cyber attacks

San Francisco, California, 1st August 2025, CyberNewsWire

**San Francisco, California, August 1st, 2025, CyberNewsWire**

**Comp AI Raises $2.6M in Pre-Seed Funding to Revolutionize Enterprise Compliance with AI-Powered Automation**

Comp AI, an emerging player in the compliance automation space, today announced it has secured $2.6 million in pre-seed funding to accelerate its mission of transforming how companies achieve compliance with critical frameworks like SOC 2 and HIPAA. The funding round was co-led by OSS Capital and Grand Ventures, both bringing specialized expertise in backing innovative technology companies. OSS Capital, known for investing in open-source challengers including ProjectDiscovery, Plane, and Cal.com, joins Grand Ventures, which has a strong track record supporting developer and infrastructure platforms such as Astronomer, Payload, and Tembo. The round also includes participation from notable angel investors David Cramer, founder of Sentry, and Ben Tossell of Ben’s Bites.

**Addressing a Broken Industry**

Compliance frameworks like SOC 2, HIPAA, and ISO 27001 have become essential for securing enterprise contracts, but the traditional path to achieving certification remains manual, expensive, and time-consuming. Comp AI is positioning itself as a disruptive alternative by combining open-source collaboration with advanced agentic AI automation. Since emerging from stealth in April 2025, the company reports impressive early traction. Comp AI claims its first batch of customers has collectively saved over 2,500 hours on manual compliance work. The startup has also participated in Vercel’s Spring ’25 OSS initiative and attracted more than 3,500 companies to its pre-launch testing program. The founding team consists of experienced Silicon Valley entrepreneurs Mariano Fuentes, Lewis Carhart, and Claudio Fuentes, who bring firsthand experience with the compliance challenges facing startups. Having navigated SOC 2 compliance at their previous ventures, the trio identified significant inefficiencies in the current market landscape.

**Challenging Established Players**

Comp AI is directly challenging established compliance platforms, which the company characterizes as costly and labor-intensive solutions that still require founders to spend weeks on manual compliance management. The startup claims its AI-powered approach can automate up to 90% of the compliance process, resulting in what it describes as “instant product-market fit” and monthly growth exceeding 89%.

**Investment and Growth Plans**

The new funding will support Comp AI’s expansion across multiple fronts over the next three months:

*   **Open-source platform expansion**: Enabling security professionals and auditors to contribute control templates, framework mappings, and automation tools
*   **AI Agent Studio launch**: Moving from beta to general availability, this tool allows customers to deploy automated agents for evidence collection, risk assessments, and vendor onboarding

**Industry Recognition**

> The investment has drawn enthusiastic endorsements from both lead investors.”We have been blown away by Comp AI’s speed of execution and customer obsession. GRC has long been overdue for open source disruption, and Comp AI is delivering that in spades,” said Joseph Jacks, Founder of OSS Capital. Nathan Owen, General Partner at Grand Ventures, added: “GRC – specifically compliance (SOC 2, ISO 27001, GDPR, etc.) – has needed bold innovation for years, and Comp AI is leading the charge. Their platform isn’t an incremental improvement – it’s a complete reinvention.”

**Looking Forward**

According to the team, as Comp AI continues scaling its operations, the company is actively recruiting new team members. The funding round positions Comp AI to capitalize on the growing demand for streamlined compliance solutions as more companies seek to accelerate their path to enterprise readiness in an increasingly regulated business environment.

**About Comp AI**

Comp AI is a San Francisco-based startup founded in 2025 that’s revolutionizing how companies approach compliance certification. The company provides an AI-powered trust management platform that automates compliance for major frameworks, including SOC 2, HIPAA, GDPR, ISO 27001, and 25+ other regulatory standards.

**Mission**: To help **100,000 companies** achieve SOC 2, ISO 27001, and GDPR compliance by 2032, making enterprise-grade security accessible to companies of all sizes without the traditional $25K+ annual costs and complexity. Comp AI is positioned as “the Vercel of compliance” – offering a developer-friendly, modern alternative to legacy compliance platforms that are often slow, expensive, and built primarily for large enterprises.

**Contact**

**CEO, Founder**  
**Lewis Carhart**  
**Bubba AI, Inc.**  
**\[email protected\]**

Comp AI secures $2.6M pre-seed to disrupt SOC 2 market

This week Bill connects the hype of literary awards to cybersecurity conference season. We highlight key insights from the Q2 2025 IR Trends report, including phishing trends, new ransomware strains, and top targeted sectors. Finally, check out all the places Talos will be at Black Hat.

Thursday, July 31, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

This week the Booker Prize Longlist was released and it featured several books I’ve read this year a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why they would be included at all. It’s always exciting for me to see the Booker Longlist as it gives me an idea of how I’ve tapped into the literary fiction zeitgeist in first half of the year and what I may be tapping into in the back half of the year. That got me thinking about the cycle of staying up to date with the current threat landscape and the evolution of the threat actor behaviors and techniques and how Black Hat and DEF CON reside in a similar space for all of us in the cyber security space. Some of the new or interesting things that will come out will provide actionable insights, others will be a heaping serving of more of the same and while not trivial they will be super interesting and important, and finally some information will simply be all name and sizzle, but in the end full of sound and fury and signifying nothing.  

As a reader I’ve to understand that these lists, and the authors and books included in them, are there for various reasons and not all of them are on the merit of the narrative and the craft of writing. Early in my career it was hard to separate the things that came out of Summer Camp because I was so desperate to learn and so excited that I often couldn’t leverage my own experiences and separate the actionable from the detritus. Now I find that I don’t even have to expend much energy to move the firehose of information into the proper channels in my mind and then dive in and take what I’ve learned and apply it. Also trusting that if something that seems like empty sizzle is important – that I have team members that will keep me clued in and finding the needles in the never-ending field of haystacks.  

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

The Cisco Talos Incident Response Trends Q2 2025 report is out today, and as always it is packed with in-depth insights into recent attacker behavior. Phishing remains the top initial access vector, but interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities. Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. Education was the most targeted industry vertical this quarter.

**Why do I care? **

The report contains details of how attackers are exploiting vulnerabilities and circumventing security tools. Examples include MFA installations with self-service options that allow attackers to register their own devices. We also saw stealthy tactics in ransomware attacks such as the use of PowerShell 1.0 (yes the original version from 2006) in what we’re calling “bring your own binary”.

**So now what? **

The report outlines actionable advice based on observed incidents,  
such as:

*   Proper configuration and monitoring of multi-factor authentication (MFA).
*   Importance of centralized logging
*   Steps to harden endpoint detection and response (EDR) systems.

These insights help prioritize mitigations that directly address real-world attack techniques. Download the report today.

**Top security headlines of the week ****Journalist Discovers Google Vulnerability That Allowed People to Disappear Specific Pages From Search**

By accident, journalist Jack Poulson discovered Google had completely de-listed two of his articles from its search results. “We only found it by complete coincidence,” Poulson told 404 Media. “I happened to be Googling for one of the articles, and even when I typed in the exact title in quotes it wouldn’t show up in search results anymore.” (404 media)

**ChatGPT, GenAI Tools Open to 'Man in the Prompt' Browser Attack**

A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. (DarkReading)

**Phishers Target Aviation Execs to Scam Customers**

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries (Krebs)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**IR Trends Q2 2025**

Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy. **Read more.**

**Beers with Talos**

So You Wanna Be an Incident Commander? Meet Alex Ryan. Bill, Joe and Hazel chat with Alex about what it really takes to lead through the chaos of a cybersecurity incident, from coordinating stressed-out teams, fielding exec questions, and making sure people eat. **Listen here.**

**Upcoming events where you can find Talos **

Join us at hacker summer camp! **Read our Black Hat preview here.**

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**  
MD5: 906282640ae3088481d19561c55025e4  
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details  
Typical Filename: AAct\_x64.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Tool.Winactivator::1201  

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**  
MD5: 7854b00a94921b108f0aed00f77c7833  
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details  
Typical Filename: winword.exe  
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote  
Detection Name: W32.0581BD9F0E.in12.Talos 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**  
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277  
Typical Filename: Rainmeter-4.5.22.exe  
Detection Name: Artemis!Trojan    

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query   
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0

The Booker Prize Longlist and Hacker Summer Camp

LLMs may serve as powerful assistants to malware analysts to streamline workflows, enhance efficiency, and provide actionable insights during malware analysis.

Using LLMs as a reverse engineering sidekick

Phishing remained the top initial access method in Q2 2025, while ransomware incidents see the emergence of new Qilin tactics.

Thursday, July 31, 2025 06:00

Phishing remained the top method of initial access this quarter, appearing in a third of all engagements – a decrease from 50 percent last quarter. Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security controls and gaining targets’ trust. Interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data.   

Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Cisco Talos Incident Response (Talos IR) responded to Qilin ransomware for the first time, identifying previously unreported tools and tactics, techniques, and procedures (TTPs), including a new data exfiltration method. Our observations of Qilin activity indicate a potential expansion of the group and/or an increase in operational tempo in the foreseeable future, warranting this as a threat to monitor. Additionally, ransomware actors leveraged a dated version of PowerShell, PowerShell 1.0, in a third of ransomware and pre-ransomware engagements this quarter, likely to evade detection and gain more flexibility for their offensive capabilities.

This video discusses the biggest trends from the Q2 2025 Talos IR report

**Actors leverage compromised email accounts for phishing attacks aimed at credential harvesting   **

As mentioned above, threat actors used phishing for initial access in a third of engagements this quarter, a decrease from 50 percent last quarter when it was also the top observed initial access technique. However, last quarter featured a dominant voice phishing (vishing) campaign deploying Cactus and Black Basta ransomware that was significantly less present this quarter, potentially contributing to this decline.  

Threat actors largely leveraged compromised internal or trusted business partner email accounts to send malicious emails, which appeared in 75 percent of engagements where phishing was used for initial access. Using a legitimate trusted account affords an attacker numerous advantages, such as potentially bypassing an organization’s security controls as well as appearing more trustworthy to the recipient. For example, in one phishing engagement, the targeted organization’s users were victims of a phishing campaign sent from the compromised email address of a legitimate business partner. The phishing emails leveraged malicious links directing victims to a fake Microsoft O365 login page that prompted visitors to authenticate with MFA, likely so the attacker could steal users’ credentials and session tokens. 

We assess that credential harvesting was the end goal in the majority of phishing attacks this quarter, such as in the example highlighted above. Though the tactic of leveraging compromised valid email accounts is often associated with business email compromise (BEC) attacks, this observation suggests cybercriminals may consider brokering compromised credentials to be more reliably profitable than attempting to manipulate a target into making a financial payout. Further, not including a financial request in the email body likely makes an email less suspicious to a victim, potentially raising the chances of a successful attack. In one engagement, an attacker successfully compromised a user’s email account after the user clicked a link within a phishing email and provided their credentials to the phishing site. The adversary proceeded to send multiple internal spear phishing emails as the compromised user with a link to an internal SharePoint link, which then directed to a credential harvesting page that successfully tricked approximately a dozen additional users into entering their credentials.

**Ransomware trends **

Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. 

**Qilin ransomware activity showcases previously unreported TTPs and suggests increased operational tempo    **

We responded to a Qilin ransomware incident for the first time this quarter, identifying tools and TTPs that have not been previously publicly reported. Specifically, we observed the operators leveraging a suspected custom compiled encryptor with hardcoded victim user credentials, Backblaze-hosted command and control (C2) infrastructure, and file transfer tool CyberDuck, an exfiltration method not previously associated with this threat actor or its affiliates. The threat actors likely leveraged stolen valid credentials to gain initial access, then used a combination of commercial remote monitoring and management (RMM) solutions to facilitate lateral movement and data staging, including TeamViewer, VNC, AnyDesk, Chrome Remote Desktop, Distant Desktop, QuickAssist, and ToDesk. To ensure persistent access until encryption was completed, the actors created an AutoRun entry in the Software registry Hive on each infected system to trigger the ransomware execution each time the system was rebooted and a scheduled task to silently relaunch Qilin at every new logon. These attack techniques ultimately led to a widespread infection requiring a complete rebuild of the Active Directory (AD) domain and password resets for all accounts.

**Looking forward:** Our analysis of Qilin activity this quarter indicates a potential expansion of the group of affiliates and/or an increase in operational tempo. In addition to this engagement, we saw additional Qilin ransomware activity kick off this quarter, but did not include it in our Q2 statistics as analysis was still ongoing after the quarter ended. Further, posts on the group’s data leak site show a doubling of disclosures since February 2025, suggesting this is a ransomware threat to monitor for the foreseeable future.

The North Korean state-sponsored cyber group Moonstone Sleet reportedly began deploying Qilin ransomware last February, and some security firms believe that affiliates from the RansomHub ransomware-as-a-service (RaaS) — whose data leak site went offline in early April 2025 — have also joined Qilin. After the RansomHub data leak site went offline, Qilin members were observed engaging with active RansomHub members and advertising an updated version of Qilin, likely in attempts to recruit new affiliates and expand operations.

**Ransomware actors leverage dated version of PowerShell to evade detection   **

In a third of ransomware and pre-ransomware engagements this quarter, threat actors leveraged PowerShell 1.0, an older version of the scripting language that is most up-to-date at version 7.4. Using this insecure version gives attackers numerous potential advantages as it lacks security features that newer versions have built in, such as script block logging, which logs the content of executed scripts, and transcription logging, which records all input/output in PowerShell sessions. It also lacks an antimalware scan interface (AMSI), which allows antivirus tools to scan PowerShell code before it's executed. Additionally, some endpoint detection and response (EDR) tools are designed to monitor behaviors typical of newer PowerShell versions, potentially enabling attackers to evade signature and behavior-based detections.   

We observed threat actors leveraging PowerShell 1.0 for both defense evasion and discovery in ransomware and pre-ransomware engagements this quarter. For example, in a Medusa ransomware engagement, we saw the adversary using PowerShell 1.0 to add the folder “C:\\Windows” to the exclusion list of the victim’s antivirus (AV) solution, meaning the AV would not scan or monitor anything under the core operating system directory, severely compromising defenses. In a pre-ransomware engagement, the adversary leveraged PowerShell 1.0 to bypass script execution policy restrictions with the command “-ExecutionPolicy Bypass” and monitor peer-to-peer file transfers in the victim network. Ultimately, this tactic can make adversaries’ activity quieter from a logging perspective and give them more flexibility in terms of what they can perform on the system. Therefore, organizations should enforce use of PowerShell 5.0 or greater on all systems.

**Targeting **

Education was the most targeted industry vertical this quarter, a shift from last quarter when we did not see any engagements targeting education organizations. This trend is in line with observations documented in our 2024 Year in Review report, where we noted that the education sector saw the most ransomware attacks during the month of April, with a high volume of attacks in May and June as well. Additionally, education was also the most targeted vertical in FY24 Q3 and FY24 Q4.

**Initial access **

As mentioned, the most observed means of gaining initial access was phishing, followed by valid accounts, then exploitation of public facing applications and brute force attacks.

**Recommendations for addressing top security weaknesses**

**Implement properly configured MFA and other access control solutions **

Over 40 percent of engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA, and MFA bypass. In multiple engagements, threat actors capitalized on MFA products that were configured to enable self-service, adding attacker-controlled devices as authentication methods to bypass this defense and establish a path of persistence. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, registration of new devices, creation of accounts designed to bypass or be exempt from MFA, and removal of accounts from MFA.  

**Configure robust and centralized logging capabilities across the environment  **

A quarter of engagements involved organizations with insufficient logging capabilities that hindered investigative efforts. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. To address this issue, Talos IR recommends organizations implement a Security Information and Event Management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will contain the original logs to support a forensics investigation. Further, organizations should deploy a web application firewall (WAF) and enable flow logging for all endpoints across the environment for real-time threat monitoring and detection, which can facilitate a swifter response to potential incidents and enhanced context for investigative efforts. As highlighted last quarter and in a recent blog, a quick response time is a key variable that affects the severity and impact of cyber attacks. 

**Protect endpoint security solutions  **

Finally, in a slight increase from last quarter, a quarter of incidents involved organizations that did not have protections in place to prevent tampering with EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.

**Top-observed MITRE ATT&CK techniques  **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note that this is not an exhaustive list.  

Key findings from the MITRE ATT&CK framework include:  

*   Adversaries leveraged a wider variety of techniques for credential access this quarter compared to last quarter, including kerberoasting, brute force attacks, credential harvesting pages, OS credential dumping, and adversary-in-the-middle attacks.
*   This was the second quarter in a row where phishing was the top initial access technique, with threat actors leveraging both vishing and malicious links.

Tactic  

Technique  

Example  

Reconnaissance (TA0043)  

T1593 Search Open Websites/Domains 

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. 

T1595.002 Active Scanning: Vulnerability Scanning 

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.   

Initial Access (TA0001) 

T1598.004  Phishing for Information: Spearphishing Voice   

Adversaries may use voice communications to elicit sensitive information that can be used during targeting. 

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. 

 T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1110 Brute Force   

Adversaries may systematically guess users’ passwords using a repetitive or iterative mechanism. 

Execution (TA0002)  

T1204 User Execution 

Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious file or link. 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1047 Windows Management Instrumentation 

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack. 

T1569 System Services   

Adversaries may abuse system services or daemons to execute commands or programs. 

Persistence (TA0003) 

T1556 Modify Authentication Process   

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. 

T1078 Valid Accounts 

Adversaries may obtain and abuse credentials of existing accounts, potentially bypassing access controls placed on various resources on systems within the network. 

T1053 Scheduled Task/Job   

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. 

Privilege Escalation (TA0004)   

T1484 Domain or Tenant Policy Modification   

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. 

T1055 Process Injection   

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. 

Defense Evasion (TA0005)  

T1562.001 Impair Defenses: Disable or Modify Tools 

Adversaries may disable or uninstall security tools to evade detection. 

T1070 Indicator Removal   

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. 

T1133 External Remote Services  

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control   

Adversaries may bypass UAC mechanisms to elevate process privileges on system. 

Credential Access (TA0006)  

T1003 OS Credential Dumping 

Adversaries may dump credentials from various sources to enable lateral movement. 

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. 

T1110 Brute Force 

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us.

Wednesday, July 30, 2025 06:00

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us: 

**Visit us at the Cisco booth: 2726 **

We’ll have short, 15-minute booth talks throughout Wednesday and Thursday of Black Hat, with topics including: 

*   Talos Vulnerability Discovery Year in Review 
*   How to: Threat Intel 
*   Full Metal SnortML: Accelerating Machine Learning based Firewalls with FPGAs 
*   From CVE to Detection: A Rule Writer's Journey Through Modern Threats 

We also have these sessions as part of the wider conference agenda: 

**Lunch & Learn: Backdoors & Breaches **

**Lagoon KL, Level 2 | Wednesday, Aug 6, 12:05–1:30 PM**    
**Speaker: Joe Marshall** 

Join Joe and members of Talos as we discuss and develop incident response plans in real-time. We’ll use real scenarios over a game of Backdoors & Breaches, an incident response card game developed by Black Hills Information Security. Members from Talos Threat Intelligence will lead tables through the game over lunch and discuss recent threat trends. 

**Reserve your spot here** 

**Mandalay Bay I | Wednesday, Aug 6, 11:20–12:10 PM**    
**Speaker: Nick Biasini** 

Nick will explore how generative AI is shaping today’s threat landscape, from attackers using AI to enhance operations, to malware posing as AI tools, to efforts targeting the models themselves. The session will also cover how organizations can safely adopt GAI while defending against its misuse. 

**Learn more here** 

**Threat Briefing: ReVault! Compromised by Your Secure SoC **

**Oceanside C, Level 2 |  Wednesday, Aug 6, 10:20–11:00 AM**   
**Speaker: Philippe Laulheret** 

This talk introduces ReVault, a vulnerability affecting a widely used embedded security chip. Philippe will demonstrate how a low-privilege user can exploit the flaw to extract sensitive data, gain persistence at the firmware level, and compromise the host system.  

Learn more here 

**Visit the Splunk Booth: Threat Hunters Cookbook Launch **

**Splunk Booth 3046**

Our colleagues at Splunk will be launching their brand new _Threat Hunters Cookbook_ in hard copy. We’ve had a sneak preview, and trust us, this is a brilliant resource for those who want to use modelling and machine learning to conduct threat hunts that really get the best out of your efforts.  

If you're at the show, we’d love to hear what you’re working on, so stop by the Cisco booth (and grab yourself a Snorty while you’re at it). See you in Vegas!

Cisco Talos at Black Hat 2025: Briefings, booth talks and what to expect

International law enforcement agencies, including the FBI and Europol, have successfully seized the infrastructure of the notorious BlackSuit ransomware gang in Operation Checkmate. This article details the takedown, BlackSuit's origins, and the ongoing fight against evolving cyber threats.

International law enforcement has dealt a significant blow to cybercrime this week, successfully seizing the vital online infrastructure of the notorious BlackSuit ransomware gang. In a coordinated international operation dubbed “Operation Checkmate,” authorities specifically targeted and took control of the group’s .onion data leak sites and negotiation platforms, which had compromised hundreds of organisations globally in recent years.

The seizure has been confirmed as two of the BlackSuit domains (1, 2) now display a banner announcing their closure by law enforcement, marking a major victory against ransomware threats worldwide.

This operation involved strong collaboration among numerous agencies from various countries, including the United States Department of Homeland Security, the FBI, Europol, the UK’s National Crime Agency, and law enforcement from Germany, Ukraine, Lithuania, and Canada. Cybersecurity firm Bitdefender also played a key role.

****How BlackSuit Operated****

BlackSuit, which emerged in April/May 2023, used a “double-extortion” method to target a wide range of victims, including hospitals, schools, businesses, and government bodies. They showed no specific preference for industry or organisation size, targeting both large enterprises and small and medium-sized businesses (SMBs).

However, similar to its predecessor, Royal ransomware, it appears that groups within the Commonwealth of Independent States (CIS) were deliberately avoided.

Regarding attack tactics, first, they would break into computer networks, encrypting important files and making systems unusable. Then, they would steal sensitive data. If victims refused to pay the ransom, BlackSuit threatened to publish the stolen information on their leak sites, adding more pressure. These seized websites were essential for BlackSuit to communicate with victims and store stolen data, making it difficult for the gang to profit from their illegal activities now.

****A Threat That Keeps Growing****

Security experts believe BlackSuit likely evolved from earlier ransomware groups, possibly linked to the Royal ransomware gang or even the well-known Conti syndicate. BlackSuit itself is a rebrand of Royal ransomware, which was active from September 2022 to June 2023 and is known to have demanded over $500 million in ransoms from hundreds of organisations worldwide. Notable victims of BlackSuit include the Japanese company Kadokawa, Tampa Bay Zoo, and Octapharma, a blood plasma collection organisation.

While Operation Checkmate is a major success, cybersecurity experts warn that ransomware groups often reappear under new names. In fact, Cisco Talos threat intelligence reported on July 24, 2025, that evidence suggests some former BlackSuit members may have already rebranded as “Chaos ransomware,” operating since February 2025.

This new group reportedly uses similar attack methods, including double extortion, and targets systems across Windows, ESXi, Linux, and NAS. However, Operation Checkmate clearly demonstrates that international teamwork is a powerful tool against global cybercrime.

Operation Checkmate: BlackSuit Ransomware’s Dark Web Domains Seized

Get to know the real people behind cybersecurity’s front lines. In this week’s newsletter, sci-fi meets reality, humanity powers technology and a few surprises are waiting to be discovered.

Thursday, July 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you’re probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto the team, but also the passions and hobbies that energize her work. Plus, she offered a sneak peek into what she’s most looking forward to at Black Hat this year! With future Humans of Talos episodes, you’ll get to learn not only about the people behind the research, but the people behind the communications, operations, and design, too.

My team chose to name the series “Humans of Talos” as a cheeky wink to the world of machine learning (ML) and a reminder that no matter how sophisticated our technology gets, it’s always our humanity that makes the difference. 

I'm a sci-fi nerd who loves a captive audience, so let’s consider Murderbot from Martha Wells’ “The Murderbot Diaries” (now a TV show starring Alexander Skarsgård). Designed as a security unit with both organic and mechanic parts, self-named Murderbot secretly hacks its own governor module and, instead of turning on humans, spends its free time watching soap operas like “The Rise and Fall of Sanctuary Moon." So relatable, right? What draws readers in isn’t its technical specs. It’s Murderbot’s dry humor, awkwardness, struggle with newfound autonomy, and the way it wrestles with what it means to care for others (even if it pretends not to). Despite its past, when it was treated as a piece of equipment rather than a living thing, Murderbot is both highly analytical and empathetic. Advanced technology is most powerful when paired with genuine human creativity and insight, and this is a balance we seek every day at Talos.

If cozy, found family sci-fi is more your vibe, take Lovey (aka Sidra) from Becky Chambers’ “A Long Way to a Small, Angry Planet” and “A Closed and Common Orbit.” Originally an AI managing a tunneling spaceship, Lovey is suddenly transferred into a human-like body kit and faces the challenge of living in a world she was never designed for, which is where her story really gets interesting. She has to learn everything from how to move and act to how to build friendships and find her own purpose. Learning to ask for help, make mistakes and trust the people around us is familiar to many of us in the cybersecurity community. No matter how advanced our tools become, it’s our willingness to learn from each other, collaborate and grow together that truly makes us stronger and better at our work.

So while Talos has practically always used ML in our work, I’ll always say that it is nothing without the humans behind it. We all share one mission: protecting our customers.

Tune into the next episode mid-August, and whether you’re streaming “Sanctuary Moon” or finding your place in the universe like Lovey, stay safe and secure out there!

**The one big thing **

Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) group called Chaos, which is actively targeting organizations worldwide with sophisticated attacks involving phishing, remote management tool abuse, and double extortion tactics.  

We assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit (Royal) gang. They use advanced encryption, anti-analysis techniques, and target both local and networked systems for maximum disruption. We believe the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, and the group uses the same name to create confusion.   

**Why do I care? **

Chaos is going after organizations of all sizes across verticals using techniques that can bypass common security measures, steal sensitive data and disrupt business operations. Even if you’re not a direct target, your company could be affected if you work with a business that is attacked, or if similar tactics are used against your sector.

**So now what? **

Review your organization’s security posture, especially around email, remote access and backup systems. Make sure you’re using multi-factor authentication, keeping software up-to-date and educating employees about phishing and social engineering.

**Top security headlines of the week **

**Microsoft rushes emergency patch for actively exploited SharePoint “ToolShell” bug**   
Malicious actors already have already pounced on the zero-day vulnerability in Microsoft Sharepoint Server, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks. (DarkReading) (Cisco Talos) 

**Europol sting leaves Russian cybercrime's “NoName057(16)” group fractured**   
National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia. (DarkReading) 

**Indian crypto exchange CoinDCX confirms $44M stolen during hack**   
On Saturday, CoinDCX co-founder and CEO Sumit Gupta disclosed in a post on X that an internal account was compromised during the hack. The executive assured that the incident did not affect customer funds and that all its customer assets remain secure. (TechCrunch) 

**Ryuk ransomware operator extradited to US, faces five years in federal prison**   
Justice Department officials said the operators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies. (CyberScoop)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**SnortML in 60 seconds**   
Most detection engines rely on signatures, but when threats evolve or the exploit is brand new, these rules can fall short. **Enter SnortML!** 

**Humans of Talos: Hazel Burton**   
Okay, I know I hammered this into you in the intro, but Hazel is a delight to listen to, and she gives a lot of wonderful insights. **Watch here.**

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 
*   BlueTeamCon (Sept. 4 – 7) Chicago, IL

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection

**SHA 256: ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c**   
MD5: 17e33efb1b100397c3a9908df7032da1   
VirusTotal: https://www.virustotal.com/gui/file/ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c/details    
Typical Filename: tacticalrmm.exe   
Claimed Product: N/A   
Detection Name: W32.EE33AAA05B-95.SBX.TG

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**   
MD5: 7854b00a94921b108f0aed00f77c7833   
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details    
Typical Filename: winword.exe   
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote   
Detection Name: W32.0581BD9F0E.in12.Talos

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details   
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

BRB, pausing for a "Sanctuary Moon" marathon

Staff augmentation is a strategy for smart tech teams looking to launch something big. Trying to plug skill gaps or scale without the overhead? Collaborate with a trusted IT staff augmentation company.

The demand for skilled tech professionals shows no signs of slowing down in 2025. You may be running a startup with a tight runway or a large enterprise juggling multiple projects. It doesn’t matter. Getting the right tech talent is critical. IT staff augmentation comes to the rescue. It allows companies to scale their teams fast, fill skills gaps, and stay agile without the lengthy process of hiring full-time employees. It is like having a remote bench of seasoned developers, designers, and engineers.

The number of vendors is so huge. Then, who can you trust? Shall we go deeper and share with you the best IT staff augmentation firms in the USA as per their reputation, customer feedback, and tech capabilities? They have frontend rockstars, backend magicians, or full-stack geniuses; whichever talent you require, these companies can provide that.

****Innowise****

*   Founded: 2007
*   Headquarters: St. Petersburg, Florida
*   Team Size: 2500+ professionals globally

If you are looking for a reliable, fast-moving IT staff augmentation partner with deep expertise across technologies, Innowise is one of the top names to mention. They have been quietly building a reputation for delivering skilled developers and engineers. Whether you need to scale your JavaScript team, boost your .NET capacity, or bring in niche AI/ML talent, Innowise has experts ready to go.

Why companies love Innowise:

*   Global reach, local presence – The company is based in Europe. However, their US headquarters makes it easy for American clients to collaborate.
*   Top 3% talent – Every developer is rigorously tested and trained before joining client projects.
*   Industry versatility – They understand any domain, from healthcare and fintech to eCommerce and logistics.
*   Flexibility – You can scale up or down in days.

Innowise strikes a balance between cost-efficiency and premium quality. This makes them a top pick for US-based companies.

****Toptal****

*   Founded: 2010
*   Headquarters: San Francisco, CA
*   Known For: Exclusive network of top freelancers

Toptal has become synonymous with top-tier freelance talent. Their IT staff augmentation offering provides businesses with access to developers, designers, finance experts, and project managers. Toptal claims to only accept the top 3% of applicants. This means that you are getting highly skilled, pre-vetted professionals.

Why choose Toptal:

*   Impressive talent quality
*   Speedy onboarding (within 48 hours)
*   Great for urgent, high-stakes projects

Keep in mind that Toptal is on the pricier end. It is a better option for companies with bigger budgets, a need for hyper-specific skill sets, and the requirement to fix security vulnerabilities.

****Andela****

*   Founded: 2014
*   Headquarters: New York, NY
*   Strength: Diverse talent across Africa, Latin America, and beyond

Andela originally focused on African developers but has since expanded its global reach. Their staff augmentation model works particularly well for long-term projects. They have worked with bigger companies. GitHub, ViacomCBS, and Cloudflare are some of their most prominent customers.

Highlights:

*   Diversity-driven teams
*   Time zone alignment with US clients
*   Excellent onboarding process and cultural training

If you are looking for smart, cost-effective talent with strong communication skills, Andela is a solid pick.

****Cognizant Softvision****

*   Headquarters: Austin, TX
*   Parent Company: Cognizant
*   Strength: Deep enterprise integration

For mid-to-large enterprises that need to scale fast with minimal risk, Cognizant Softvision offers tech squads that integrate seamlessly with your internal teams. They are especially good for digital transformation projects, mobile app development, and cloud-native solutions.

What stands out:

*   Global delivery centers
*   Enterprise-ready engineers
*   Great for complex systems

If your company is on the Fortune 500 list or heading there, this one is worth considering.

****BairesDev****

*   Headquarters: San Francisco, CA
*   Talent Base: Latin America
*   Strength: Nearshore IT staff augmentation

BairesDev is one of the fastest-growing tech staffing providers in the US. They pull top developers from Latin America. This means shared time zones, strong cultural fit, and faster feedback loops. They’ve worked with big brands, from Google and Rolls-Royce to Pinterest.

Pros:

*   Flexible hiring models
*   Fluent English-speaking professionals
*   Cost-effective compared to US-based devs

They are an especially great fit if you are looking to scale fast without compromising quality or communication.

****EPAM Systems****

*   Founded: 1993
*   Headquarters: Newtown, PA
*   Strength: Deep technical know-how and enterprise scale

EPAM is a global giant in software engineering and digital product development. Their staff augmentation services are tailored to large-scale, complex projects, especially in regulated industries. So if you are working in healthcare, banking, and insurance, EPAM is a company that you can fully trust.

What makes EPAM stand out:

*   Massive global talent pool
*   Domain-specific expertise
*   Ideal for long-term engagements

If you are building something big and need a partner who can go the distance, EPAM delivers.

****N-iX****

*   Founded: 2002
*   Headquarters: Lviv, Ukraine (with US offices)
*   Team Size: 2000+
*   Strength: Mid-size businesses and tech startups

N-iX has a strong reputation for providing dedicated development teams and IT staff augmentation for US clients. Their talent comes primarily from Eastern Europe. You can get engineers, QA, UX/UI, and PM specialists from them.

Why clients like N-iX:

*   Transparent pricing
*   Agile-friendly teams
*   High retention rates

They are a good choice for startups and SMBs needing extra engineering muscle without burning through the runway.

****Scalable Path****

*   Headquarters: San Francisco, CA
*   Model: Freelance and team augmentation hybrid

Scalable Path offers strong tech teams through a hands-on matching process. Instead of just picking from a list, they help you design your ideal team and hand-select talent to meet those needs.

What’s nice:

*   High-touch matching process
*   Developers across many time zones
*   Great for growing digital products

The company is perfect if you are scaling a SaaS or building out your MVP and want quality over quantity.

Staff augmentation is no longer a trend. It is a core strategy for smart tech teams looking to launch something big. Whether you are trying to plug skill gaps, speed up delivery, or scale without the overhead of hiring full-time, working with a trusted IT staff augmentation company can make all the difference. So go ahead and pick a provider from the list.

(Top, Featured Photo by Christina @ wocintechchat.com on Unsplash)

Tag

#cisco