North Korean hackers deploy PylangGhost malware through fake crypto job interviews targeting blockchain professionals with phishing and remote access tools.

A new series of cyber attacks is targeting professionals in the crypto and blockchain industries using fake recruitment scams, according to new research by Cisco Talos. The attackers, linked to a North Korea-aligned group known as Famous Chollima, are impersonating legitimate companies to trick victims into installing malware disguised as video drivers.

The group has been active since at least mid-2024, previously known for tactics like fake developer job postings and fraudulent interview processes. This latest development shows the operation evolving in sophistication, now with a new Python-based malware called PylangGhost, a variant of the previously identified GolangGhost trojan.

****Real Jobseekers, Fake Companies****

Victims are approached by fake recruiters offering positions at companies that appear to be in the crypto sector. Targets are often software developers, marketers and designers with cryptocurrency experience.

Once contact is made, the victim is directed to a fake skill-assessment page designed to look like it belongs to a real company, including well-known names like Coinbase, Robinhood, Uniswap and others.

These pages use the React framework and closely mimic real corporate interfaces. After filling out personal information and completing the test, applicants are told they must record a video introduction for the hiring team. To do so, they’re asked to install “video drivers” by copying and pasting commands into their terminal.

That step downloads the malware.

****How the Malware Works****

According to Cicso Talos’ blog post, if the victim follows instructions on a Windows or MacOS system, a malicious ZIP file is pulled down. It contains the Python-based PylangGhost trojan and related scripts. The malware then unpacks itself, runs in the background and gives attackers remote access to the victim’s machine.

Screenshot of MacOS instructions prompting the user to copy, paste and run a malicious command line script (Image via Cisco Talos)

The Python version functions almost identically to its Go-based counterpart. It installs itself to run every time the system starts, collects system info, and connects to a command and control server. Once active, it can receive and execute remote commands, harvest credentials, and steal browser data, including passwords and crypto wallet keys.

According to Talos, it targets more than 80 different browser extensions, including widely used password managers and digital wallets like MetaMask, 1Password, NordPass and Phantom.

The malware uses RC4 encryption for communication with its server. Though the data stream is encrypted, the encryption key is sent along with the data, limiting the security of that method. Still, the setup helps it blend in with regular traffic and makes detection harder.

The goal of this operation is twofold. First, it allows attackers to gather sensitive personal data from real jobseekers. Second, it opens the door for fake employees to be placed inside real companies, which could lead to long-term infiltration and access to valuable financial data or software infrastructure.

Only a small number of victims have been confirmed so far, mostly in India. Linux users are not affected in this particular campaign. No Cisco customers appear to have been impacted at this time.

Talos notes that the malware’s development does not seem to involve AI code generation, and the structure of both the Python and Go versions suggests the same developers created both.

****Stay Safe****

If you’re applying for roles in crypto or tech, be cautious with job listings that ask you to install software or run terminal commands as part of an interview. Legitimate companies will not require this.

Cybersecurity teams should review employee onboarding processes, especially for remote hires, and educate staff about these types of social engineering attacks. Monitoring for unexpected outbound connections or strange ZIP downloads can also help catch early signs of compromise.

N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam

In this edition, Thor shares how a week off with a new car turned into a crash course in modern vehicle tech. Surprisingly, it offers many parallels to cybersecurity usability.

Wednesday, June 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

June 9 was Whit Monday — a bank holiday here in Germany — so I decided to take the whole week off. It turned out to be the perfect opportunity to try out a brand new car. Little did I know, I was about to get a crash course in modern vehicle technology (and a few unexpected life lessons).

There’s an EU regulation that requires new cars to come equipped with “Advanced Vehicle Systems,” which include features like driver drowsiness and attention warnings, lane-keeping systems and intelligent speed assistance. I hadn’t swapped cars in over a decade, so I was blissfully unaware of just how intrusive these systems could be. 

While I generally appreciate technology that makes our life safer, these features gave me a tough time. The car seemed to beep at me constantly, so much so that the beeping itself became a distraction. Instead of focusing on the road, I found myself trying to decipher what each alert meant. After a few kilometers, I had to pull over and consult the manual just to figure out how to disable these “helpful” assistants. 

Problem solved? Not quite. Every time I turned off and restarted the car, the systems re-enabled themselves. Disabling the lane-keeping assistant was just a button press, but turning off the “intelligent” speed assistant required a convoluted sequence: six menu clicks, a long press then a short click. I had to dig out the manual every time. 

You might think I’m just cutting corners, or that I should pay better attention to speed limits. But here’s the thing: Technology fails, and these systems are no exception. Sometimes the cameras miss speed signs, or worse, pick up the wrong ones. I’ve read about people putting stickers on their windshields to block the camera, only to discover the system then falls back to GPS data, which can be outdated or just plain wrong. On one occasion, it thought a car was on a 50 km/h road when the person was actually on the Autobahn directly next and parallel to the road, which famously has no speed limit. 

Some drivers try to muffle the alerts by gluing the speaker, but in modern cars, the system also lowers the radio volume to make sure you hear the alarm. Pulling the fuse would disable the emergency brake, too — not something I’m willing to risk, regardless of how insurance would feel about it.

I ended up learning two important lessons that week. The first was technical: I dove into the world of Controller Area Network (CAN) bus wiring, protocols, network gateways and tools like SavvyCAN to understand how these systems work... and maybe how to disable a few, purely for educational purposes. 

The second lesson hit me later, and it was more personal. In my job, I often preach about deploying multi-factor authentication (MFA) everywhere. My focus has always been on keeping out the bad guys, not on the user experience. I never understood why anyone would use apps to automatically accept authentication pushes — it seemed crazy to me. But after a a few days with the car, I finally saw things from the user’s perspective. Security tools can’t just be effective; they also have to be easy to use. Reducing friction, like using single sign-on or minimizing unnecessary clicks, matters just as much. Users also need to understand why these barriers are in place. 

Tomorrow is another holiday. Maybe I’ll spend it exploring Kali Linux 2025.2 and the latest CARsenal tools (formerly CAN Arsenal). Who knows? I might just tap a wire or two — for educational purposes only, of course.

**The one big thing **

Cisco Talos has discovered that the North Korean-aligned threat actor Famous Chollima has been actively targeting cryptocurrency and blockchain professionals (primarily in India) through sophisticated phishing campaigns. Previously known for using the GolangGhost trojan, they've now introduced a Python-based variant called PylangGhost, which retains the same capabilities. Recent campaigns have targeted Windows users with the Python version, while MacOS users are still being hit with the Golang-based variant.

**Why do I care? **

Even if you're not in the cryptocurrency or blockchain space, this campaign highlights how threat actors are constantly evolving their tools. It's a reminder that no matter how niche or localized an attack might seem, the techniques could easily be adapted to broader campaigns. Plus, if attackers succeed in these targeted efforts, stolen credentials could ripple across networks and platforms globally.

**So now what?**

Take this as your cue to double-check your defenses. Ensure your organization's security tools can detect Python and Golang-based malware, and educate your teams on recognizing phishing attempts, especially fake job offers. Stay proactive by monitoring emerging threats like PylangGhost, because even if you're not the target today, tomorrow isn’t a guarantee.

**Top security headlines of the week **

**AI Scraping Bots Are Breaking Open Libraries, Archives, and Museums**  
AI bots that scrape the internet for training data are hammering the servers of libraries, archives, museums and galleries, and are in some cases knocking their collections offline. (404 Media)

**Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web**  
Hackers leaked the personal data of 7.4 million people in Paraguay on the dark web. A cybercriminal group called "Cyber PMC" demanded $7.4 million, blaming government corruption and poor security. (Security Affairs)

**Trend Micro fixes critical vulnerabilities in multiple products**  
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities. (Bleeping Computer)

**Can’t get enough Talos? **

**When legitimate tools go rogue**  
From LOLBins to open-source utilities like DonPAPI, threat actors are leveraging legitimate tools to evade detection and carry out attacks. Read the blog here.

**Microsoft Patch Tuesday for June 2025**   
Microsoft released its monthly security update last week, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe  
Claimed Product: N/A  
Detection Name: Simple\_Custom\_Detection

A week with a "smart" car

Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.

Wednesday, June 18, 2025 06:09

Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup—were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m.

Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller.

Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.

This story is a compartmentalized version of something we’re seeing more and more often in Cisco Talos Incident Response engagements: Rather than inventing their own tools, attackers are making use of familiar, legitimate software — just with a very different purpose. 

**What exactly are LOLBins?**

A big part of this trend revolves around “living off the land binaries,” or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities.

They’re especially concerning because they’re already installed, trusted, and frequently used for normal IT tasks, making them difficult to detect or block without disrupting operations.

Defenders can reference the “Living Off The Land Binaries, Scripts and Libraries” or LOLBAS project, which maintains a list of known LOLBins on GitHub.

**But it’s not just LOLBins…**

LOLBins were used often across Talos IR engagements in 2024, but we actually saw a wider variety of commercial and open-source tools used as well. Threat actors likely gravitate towards these because they can choose which tools best suit their needs best (or which commercial tools will blend into the victim environment). 

Take DonPAPI, for example. This is an open-source tool observed in several recent Talos IR engagements that automates credential dumping remotely on multiple Windows computers. It locates and retrieves Windows Data Protection API (DPAPI) protected credentials, a process also known as “DPAPI dumping.” DonPAPI searches for certain files, including Wi-Fi keys, RDP passwords and credentials saved in web browsers, to help authenticate and move laterally to identify other assets in the environment.

From an identity perspective, open-source tools like DonPAPI pose a significant risk to organizations based on their wide availability on code repositories like GitHub and their ease of installation. 

Here’s how this plays out in the field, using the top three examples of most used tools as observed in Cisco Talos’ 2024 Year in Review:

These tools weren’t built for attackers, but they’ve become some of the most common ingredients in ransomware and advanced persistent threat (APT) campaigns.

In a recent episode of The Talos Threat Perspective, one of our senior Talos IR consultants spoke about tools that were created for legitimate purposes (e.g., HRSword, REMCOS RAT and Cobalt Strike), but played a large part in the ransomware engagements investigated by Talos IR in 2025.

Lately, Talos has seen an increase in the use of remote monitoring and management (RMM) tools during attacks — the same kind of software IT teams and managed service providers rely on to access systems remotely. These tools are designed for legitimate use, but in the wrong hands, they become a stealthy way to maintain persistence on compromised systems without raising alarms.

One colleague shared a story that stuck with me: In some incidents, the attackers showed up with an entire toolkit of RMM software, testing each one to see which would slip through unnoticed (or not get blocked). Often, they’d use exactly the same tools already trusted by the target or their service provider, such as ScreenConnect or AnyDesk.

It’s like they arrived at the front door with a ring full of keys, trying each one until something clicked. And when the tool they use is something the environment already knows — already trusts — the question becomes: how do you spot the intruder when they’re using your own keys?

**How do you detect something that looks normal?**

Let’s go back to Elena. Her team stopped the attack not just because of the alert, but because they knew what should be running on that workstation. They had clear asset inventories and network behavior baselines, and they conducted continuous anomaly monitoring.

That’s really the heart of what works best when it comes to detecting these types of attacks:

*   Asset management: Know what’s installed and where. Know who owns what assets and what high-privileged accounts are for.
*   Behavioral baselining: Understand what “normal” looks like.
*   Continuous monitoring: Configure detections to catch known TTPs and subtle deviations from baselines.
*   Threat intel alignment: Use current trends like the DonPAPI surge to inform what you log and watch for. Talos’ blog and IR reports are great resources to keep up with industry trends.

**Bottom line**

Whether it’s PsExec, DonPAPI or TeamViewer, attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations.

Detecting malicious use of legitimate tools isn’t just about recognizing what’s running. It’s about asking why it’s running.

Sometimes, the only difference between a routine operation and a breach is the analyst who stopped to ask: “Why was that tool running at 2:13 a.m.?”

When legitimate tools go rogue

Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

Wednesday, June 18, 2025 06:00

*   In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
*   In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
*   The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
*   Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

**Fake job interview sites mislead users to PylangGhost infection **

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

__Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

__Figure 3. A camera setup page displayed once questions are answered.__

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Figure 4. Windows instructions to copy, paste and execute a malicious command. 

Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__

**PylangGhost - Python variant of GolangGhost **

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

__Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server__

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command 

Functionality 

qwer 

COMMAND\_INFORMATION - collect information about the infected system, username, OS version etc 

asdf 

COMMAND\_FILE\_UPLOAD - file upload 

zxcv 

COMMAND\_FILE\_DOWNLOAD - file download 

vbcx 

COMMAND\_OS\_SHELL - launch an OS shell for remote access and control of the infected system 

ghdj 

COMMAND\_WAIT - sleep for a number of seconds specified by the C2 server 

r4ys 

COMMAND\_AUTO - browser information stealing command 

89io 

AUTO\_CHROME\_GATHER\_COMMAND - subcommand of the browser information stealer command 

gi%# 

AUTO\_CHROME\_COOKIE\_COMMAND - subcommand of the browser information stealer command 

dghh 

COMMAND\_EXIT 

_Table 1. Commands and functionalities._

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

**Comparison of Python and Golang modules **

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module 

Python name 

Golang name 

Main function module 

nvidia.py 

cloudfixer.go 

Configuration module 

config.py 

config/constans.go 

Main command loop 

nvidia.py 

core/loop.go 

Command handlers 

command.py 

core/loop.go 

Browser Stealer functionality 

auto.py 

auto/\* modules 

File compression 

util.py 

util/compress.go 

Base64 message encoding 

command.py 

command/stackcmd.go 

Duplicate process check 

nvidia.py 

instance/check.go 

Communications protocol 

api.py 

transport/htxp.go 

_Table 2. Comparison of Python and Golang RAT module names._ 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

**IOCs **

The IOCs can also be found in our GitHub repository here.

**SHA256 **

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

**C2 servers **

hxxp\[://\]31\[.\]57\[.\]243\[.\]29:8080 
hxxp\[://\]154\[.\]58\[.\]204\[.\]15:8080 
hxxp\[://\]212\[.\]81\[.\]47\[.\]217:8080 
hxxp\[://\] 31\[.\]57\[.\]243\[.\]190:8080

**Download host names **

api\[.\]quickcamfix\[.\]online   
api\[.\]auto-fixer\[.\]online   
api\[.\]quickdriverupdate\[.\]online   
api\[.\]camtuneup\[.\]online   
api\[.\]driversofthub\[.\]online   
api\[.\]drive-release\[.\]cloud   
api\[.\]vcamfixer\[.\]online   
api\[.\]nvidia-drive\[.\]cloud   
api\[.\]nvidia-release\[.\]us   
api\[.\]autodriverfix\[.\]online   
api\[.\]camdriversupport\[.\]com   
api\[.\]smartdriverfix\[.\]cloud   
api\[.\]drivercams\[.\]cloud   
api\[.\]camtechdrivers\[.\]com   
api\[.\]web-cam\[.\]cloud   
api\[.\]camera-drive\[.\]org   
api\[.\]nvidia-release\[.\]org 
api\[.\]fixdiskpro\[.\]online 
api\[.\]autocamfixer\[.\]online

**Fake job interview host names **

krakenhire\[.\]com  
yuga\[.\]skillquestions\[.\]com  
uniswap\[.\]speakure\[.\]com  
doodles\[.\]skillquestions\[.\]com  
www\[.\]hireviavideo\[.\]com  
kraken\[.\]livehiringpro\[.\]com  
quiz-nest\[.\]com  
www\[.\]smartvideohire\[.\]com  
www\[.\]talent-hiringstep\[.\]com  
provevidskillcheck\[.\]com  
skill\[.\]vidintermaster\[.\]com  
digitaltalent\[.\]review  
robinhood\[.\]ecareerscan\[.\]com  
evalswift\[.\]com  
livetalentpro\[.\]com  
quantumnodespro\[.\]com  
evalassesso\[.\]com  
parallel\[.\]eskillora\[.\]com  
coinbase\[.\]talentmonitoringtool\[.\]com  
uniswap\[.\]testforhire\[.\]com  
coinbase\[.\]talenthiringtool\[.\]com  
crosstheages\[.\]skillence360\[.\]com 
parallel \[.\] eskillprov \[.\] com 
assesstrack \[.\] com 
coinbase \[.\] talentmonitoringtool \[.\] com 
talent-hiringtalk\[.\]com 
uniswap\[.\]prehireiq\[.\]com 
fast-video-recording\[.\]com

Famous Chollima deploying Python version of GolangGhost RAT

Pentagon rules sharply limit US Marines and National Guard activity in Los Angeles, prohibiting arrests, surveillance, and other customary police work.

For the first time in decades, active-duty US Marines are rolling into Los Angeles—not for disaster relief or training drills, but to guard federal buildings during a protest crackdown that legal experts say threatens long-standing limits on military power at home.

The deployment, announced by President Donald Trump on Monday, involves more than 700 Marines from the 2nd Battalion, 7th Regiment of the 1st Marine Division, based at Camp Pendleton and Twentynine Palms. Mobilized under Title 10 orders, the Marines have been commanded to protect federal property and personnel from mounting protests over aggressive immigration raids and neighborhood sweeps. It is a rare and forceful use of federal military power on US soil.

The mobilization follows Trump’s June 7 order that federalized as many as 4,000 California national guardsmen, overriding the objections of state officials and igniting a high-stakes legal fight.

A US district judge on Thursday ordered Trump to return control of the guardsmen to the state of California, saying the takeover was unlawful, only likely to inflame tensions in the city, and had deprived the state of resources necessary “to fight fires, combat the fentanyl trade, and perform other critical functions.” The injunction was quickly stayed, however, by a federal appeals court, pending a hearing next week.

Protests began Friday in Westlake, an immigrant-heavy neighborhood near downtown LA, where residents rallied in response to sweeping ICE raids that targeted day laborers outside local businesses. Demonstrators marched, held signs, and chanted for several hours before tensions escalated after police declared an unlawful assembly and advanced on the crowd. LAPD officers and federal agents deployed a range of crowd control weapons, including batons, tear gas, pepper spray, and flash-bang grenades. Reports from journalists and observers describe nonviolent protesters—and members of the press—being struck by rubber bullets and stun devices during the crackdown.

Widespread protests are expected in LA and at some 2,000 other locations around the US this weekend.

While the president holds broad emergency powers, legal scholars say that without invoking the Insurrection Act—a statute that permits domestic troop deployments only in cases of a rebellion or civil rights violations—federal law sharply limits what active-duty forces can do. Marines may not act as a _posse comitatus_, or function as law enforcement. They're barred from conducting surveillance and, in general, crowd control, as well as _officially_ arresting people, and may otherwise only support police in narrowly defined ways, according to Defense Department rules.

Pentagon directives governing “civil disturbance operations” reinforce these limits. Federal troops are prohibited from arresting civilians, searching property, and collecting evidence. They may not conduct surveillance of US persons. That includes not just individuals but vehicles, locations, and “transactions.” They may not serve as undercover agents, informants, or interrogators. Unless a crime is committed by a service member or on military property, Title 10 forces are likewise banned from engaging in any kind of forensics for the benefit of civilian police—unless they are willing to put in writing that such evidence was obtained by consent.

US Northern Command, which oversees military support to nonmilitary authorities in the contiguous 48 states, said Friday that Marines would not conduct “arrests” but are authorized to "temporarily hold" people in "specific circumstances" until police arrive to make a _formal_ arrest. The clarification follows the emergence of a video showing Marines in LA detaining a civilian with plastic handcuffs before awaiting police—the first known instance of such an action during the current deployment.

There are numerous other scenarios in which the military can provide assistance to police, including by giving them “information” obtained “in the normal course” of their duties, unless applicable privacy laws prohibit it. Military members can also provide police with a wide variety of assistance so long as it’s in a “private capacity” and they’re off duty. Additionally, they can provide “expert advice,” so long as it doesn’t count as serving a function core to civilian police work.

The Department of Defense did not immediately respond to a request for comment; however, a staff member in the Office of the Under Secretary of Defense for Policy confirmed for WIRED by phone the current set of policies under which deployed federal troops must operate.

There is one major caveat to the military’s restrictions. During an “extraordinary emergency,” military commanders may take limited, immediate action to prevent massive destruction or to restore critical public services, but only so long as presidential approval is “impossible” to obtain in advance. And while military personnel are naturally expected to maintain order and discipline at all times, under no circumstances are they required to stand down when their lives, or the lives of others, are in immediate danger.

Still, enforcement of these rules in the field is far from guaranteed. Legal experts warn that adherence often varies in chaotic environments. Trump administration officials have also demonstrated a willingness to skirt the law. Last week, homeland security secretary Kristi Noem asked the Pentagon to authorize military assistance in conducting arrests and to deploy drone surveillance, according to a letter obtained by The San Francisco Chronicle—a move experts say directly contradicts standing legal prohibitions.

At a press conference on Thursday, Noem stated the federal government was on a mission to “liberate” Los Angeles from “socialists” and the “leadership” of California governor Gavin Newsom and LA mayor Karen Bass. US Senator Alex Padilla, who represents the citizens of California, was forcibly removed from the press conference after attempting to question Noem. Outside the press conference room, federal agents forced the senator to the ground, where he was temporarily placed in handcuffs.

Unlike the National Guard, which is well trained for domestic crowd control, active-duty Marines generally receive relatively little instruction in handling civil unrest. Those who do typically belong to military police or specialized security units. Nonetheless, the Marine Corps has published footage online showing various task forces training with riot-control tactics and “nonlethal” weapons. Constitutional concerns do not arise, however, when Marines face off against foreign mobs—such as in civilian zones during the Afghanistan war or on the rare occasion protesters breach the perimeter of a US embassy. And wartime rules of engagement are far more lenient than the rules of force by which Marines must adhere domestically.

In a statement on Wednesday, Northern Command confirmed the Marines had undergone training in all “mission essential tasks,” including “de-escalation” and “crowd control.” They will reportedly be accompanied by legal and law enforcement experts.

Constitutional experts warn that deploying military forces against civilian demonstrators blurs the line between law enforcement and military power, potentially setting a dangerous precedent for unchecked presidential authority. The risk deepens, they say, if federal troops overstep their legal bounds.

If lines are crossed, it could open a door that may not close easily—clearing the way for future crackdowns that erode Americans’ hard-won civil liberties.

_Updated 7:40 pm ET, June 13, 2025: This story has been updated to include details about the first known arrest in 2025 of a protester by US Marines._

Here’s What Marines and the National Guard Can (and Can’t) Do at LA Protests

In this week's edition, Bill explores the importance of self-awareness and building repeatable processes to better secure your environment.

Thursday, June 12, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

This week, I'm coming to you from Cisco Live in San Diego where I've just talked to a room that some of you may have been in, so writing this feels a bit surreal. It's really hard to try and write a cogent newsletter with all that's happening in the world, some directly outside my door. To purposefully butcher Charles Dickens, "It was the worst of times, it was the even worse times." Nevertheless, I'm persisting.  

I've had great conversations with so many smart people this week, but I was reminded once again that the most important tool you can leverage in protecting and securing your environment is knowing your environment and knowing yourself.  

Knowing your environment can and should be tooled and processed so that it can be repeatable. Continuing to know your environment requires constant vigilance and effort. Knowing yourself requires a level of introspection that is hard — and honestly, sometimes I just lift the rug and sweep my issues under it when I can't tackle that negativity.  

I'll give you an excellent example: every single thing I write would get flagged as AI. Everything. Why? I use an em dash (“—”) for roughly every four words I write — sometimes more, if I let it fly. It's clear that I could never go back to school successfully, despite the comedy gold that it would produce. For those of you old enough to remember “Back to School” with Rodney Dangerfield, I think you can imagine. I don't even want to talk about my kludgy code. Sure, it runs, but at what cost? 

So my advice? Do as I say, not as I do. Learn everything about your environment in a repeatable way, with a clear and documented process. Then analyze your own weaknesses in your work — let's not try to make miracles happen — and identify chances for you to learn, fill the gaps in your skill set and then do it all over again. The bad guys are really good at learning your environment; make it as hard for them as you can. 

**The one big thing **

Cisco Talos recently disclosed several vulnerabilities across various software, including catdoc, Parallel, NVIDIA and High-Logic FontCreator. While most vulnerabilities were patched by their respective vendors, catdoc posed an exception as the vendor was unreachable, prompting Talos to provide patches directly.

**Why do I care? **

These vulnerabilities highlight risks in widely used software, potentially exposing systems to attacks such as privilege escalation, memory corruption and data leaks. Understanding these risks is crucial to protect your systems. 

**So now what? **

If you use these programs, update them immediately with the latest patches to protect yourself.  If you're on a security team, grab the latest Snort rules to detect possible exploits and keep an eye out for suspicious activity.  And if you're a developer, take notes from these vulnerabilities to strengthen your own code and avoid similar pitfalls in your projects. Security is everyone’s job!

**Top security headlines of the week **

**NHS in England calls for blood donors after ransomware attack**  
The UK’s National Health Service (NHS) is calling for one million donors after a Qilin ransomware attack last summer caused a severe shortage of O-negative blood. (Cybernews) 

**Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack**  
North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders. (The Register) 

**Google fixes bug that could reveal users’ private phone numbers**   
A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. (TechCrunch) 

**SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords**   
Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. (The Hacker News)

**Can’t get enough Talos? **

**Microsoft Patch Tuesday for June 2025**   
Microsoft has released its monthly security update, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

**PathWiper targeting Ukrainian critical infrastructure**   
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” Learn more.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515   
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
Typical Filename: IMG001.exe   
Claimed Product: N/A   
Detection Name: Win.Dropper.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection   

**SHA256 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F**   
MD5: 44d88612fea8a8f36de82e1278abb02f   
VirusTotal: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection  
Typical Filename: eicar.com-42987   
Detection Name: eicarTestFile

Know thyself, know thy environment

Waymo driverless taxis capture troves of video footage in order to operate, but the company reveals very little about how much data is stored—and for how long.

Thousands of people across the United States poured into the streets this week to protest the Trump administration’s immigration policies, joining a nationwide wave of resistance that began in Los Angeles. One of the most widely shared images from the city, where federal authorities have sent almost 5,000 active-duty Marines and National Guard members, is of five Waymo robotaxis that were vandalized and set on fire. The incident has become one of the most recognizable symbols of the demonstrations so far, and prompted Waymo to temporarily shut off service in several parts of the city as well as parts of San Francisco on Monday.

The charred Waymo cars have also raised fresh questions about what kinds of technology authorities can use to surveil protesters and potentially collect evidence to make arrests. According to Waymo’s website, its latest driverless cars have 29 external cameras, providing “a simultaneous 360° view around the vehicle,” as well as an unknown number of internal ones.

Over the past several years, Waymo has repeatedly shared video footage with police after receiving formal legal requests. But it’s not clear how often the self-driving company, which is owned by Google’s parent organization Alphabet, complies with these demands. Unlike Google, Waymo doesn’t disclose the number of legal requests it receives nor how it responds to them. When police do obtain footage, they could also combine it with other technology—like face recognition or nonbiometric tools for finding and tracking people in videoclips—to identify possible criminal suspects.

Waymo spokesperson Sandy Karp tells WIRED that the company's general policy is to challenge data requests that are overly broad or lack sound legal basis, but it doesn’t disclose or comment on specific cases. Karp pointed to Waymo’s privacy policy, which acknowledges that the company may share user data to comply with laws and governmental requests. A separate support page for Waymo One, the dedicated app for its robotaxi service, notes that the company “may share certain data with law enforcement as needed to comply with legal requirements, enforce agreements, and protect the safety of you and others.”

It’s not clear how much, if any, of the video footage potentially captured by the burned Waymos in Los Angeles may have been destroyed along with the cars. Waymo doesn’t specify whether the data collected by its robotaxis is stored locally in the vehicle itself or externally in the cloud. The company previously told The Washington Post that “interior camera data” isn’t stored alongside the data from external cameras.

If any footage does still exist from the destroyed vehicles, Waymo doesn’t disclose how long it may remain available. Waymo’s website and privacy policy do not specify how long the company retains camera footage captured inside or outside its vehicles. For years, self-driving companies like Waymo retained large amounts of information collected by their cars for training purposes and to optimize the underlying technology. The company has generally been trending more recently toward deleting data sooner, WIRED previously reported, though it’s unclear whether some types may be stored longer than others.

Waymo declined to answer questions from WIRED about how many cameras are inside its vehicles, exactly how long footage is retained, and whether the company has ever turned over footage to US federal law enforcement or a branch of the military. Karp did note, however, that the company’s engineering team sometimes uses information from sensors, including video footage and other data, to run simulations aimed at improving its technology. She says Waymo also puts limits on both who can access data and how long it’s retained.

Waymo’s robotaxi service is currently available in the Phoenix metro area and parts of San Francisco, Los Angeles, and Austin, Texas. In the company’s relatively short time operating in US cities, it has shown a willingness to comply with requests for footage from law enforcement.

Officers working for the Mesa Police Department and the Chandler Police Department in Arizona have been requesting and using footage from Waymos for criminal investigations since 2016, or about as long as the vehicles have been in their towns, according to reporting from Phoenix’s ABC 15. Police told the news outlet in 2022 that they have used the footage for several cases, including an alleged road rage incident. (The individual pleaded guilty after being charged with disorderly conduct.)

In May 2022, two months after Waymo began limited robotaxi operations in San Francisco, Vice reported that a training document for San Francisco police explicitly told officers that “autonomous vehicles” have footage that could sometimes “help with investigative leads.”

As of 2023, Waymo had been issued at least nine search warrants in San Francisco and Arizona’s Maricopa County, its primary markets at the time, according to reporting from Bloomberg. One of the cases involved the murder of an Uber driver in 2021. While San Francisco police said they couldn’t identify a specific Waymo vehicle that was near the crime scene, an officer argued that there was “probable cause” that Waymo vehicles were “driving around the area” and had footage of the victim, possible suspects, and the crime scene, according to a search warrant viewed by Bloomberg. Waymo complied and provided footage, but it ultimately did not lead to the arrest of the suspect, who was convicted of the murder in 2023.

Last year, WIRED reported that Waymo had sued two individuals for allegedly vandalizing its vehicles in San Francisco and had camera footage from the cars of the alleged incidents. (One of the cases is ongoing; the other was dismissed last month.)

Waymo’s video-recording and data-collection practices aren’t unique. All vehicles with self-driving capabilities rely on a combination of lidar, radar, and video data in order to operate. Cruise, the now defunct self-driving-car venture run by General Motors, also reportedly gave camera footage to law enforcement upon request.

Private owners of camera-equipped vehicles can also voluntarily turn over camera footage to law enforcement. For example, police in Berkeley, California, have received at least two sets of footage from the owner of a Tesla Cybertruck who said their car was vandalized twice this year, according to documents obtained by WIRED via public record request.

_Additional reporting by Paresh Dave._

How Waymo Handles Footage From Events Like the LA Immigration Protests

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

Wednesday, June 11, 2025 09:47

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**catdoc zero-day vulnerabilities **

_Discovered by Ali Rizvi-Santiago of Cisco Talos._    

The catdoc program pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. The vendor was unreachable, Debian will be merging our patches into their distribution. https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability which exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95., and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption for either vulnerability, and an attacker can provide a malicious file as a trigger. 

**Parallel integer overflow vulnerability  **

_Discovered by KPC of Cisco Talos._    

Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.

There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).

*   TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl\_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
*   TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
*   TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.

**NVIDIA integer overflow vulnerability  **

_Discovered by Dimitrios Tatsis of Cisco Talos._    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard \`objdump\` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 

**High-Logic out-of-bounds read vulnerability  **

_Discovered by KPC of Cisco Talos._    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”

Tuesday, June 10, 2025 17:45

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” 

In this month's release, none of the included vulnerabilities have been observed by Microsoft being actively exploited in the wild. Out of eleven "critical" entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Windows Remote Desktop Service, Windows Schannel (Secure Channel), KDC Proxy service, Microsoft Office, Word and SharePoint server. There are two elevation of privilege vulnerabilities affecting Windows NetLogon and Power Automate. 

CVE-2025-32710 is the RCE vulnerability in Windows Remote Desktop Services and is given CVSS 3.1 score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to a use-after-free scenario, and then leveraging this to execute arbitrary code. Microsoft has assessed that the attack complexity is “high,” and exploitation is "less likely." 

CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements Secure Sockets layer (SSL) and Transport Layer Security (TLS) Protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory by Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit this vulnerability through the malicious use of fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high”, and exploitation is "less likely".  

CVE-2025-33071 is the RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and Domain controllers are not affected. Microsoft has assessed that the attack complexity is “high”, and exploitation is "more likely".  

CVE-2025-47172 is the RCE vulnerability in Microsoft SharePoint server given CVSS 3.1 score of 8.8. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper neutralization of special elements used in a SQL command which would allow an authorized attacker to execute code over a network. To exploit this vulnerability an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely." 

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. The vulnerabilities CVE-2025-47164 and CVE-2025-47953 are "use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office and the CVE-2025-47167 is a "type confusion" vulnerability which is triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker exploits these vulnerabilities and executes arbitrary code on the victim's machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is "low," and exploitation is "more likely." For CVE-2025-47953, the attack complexity is "low," and exploitation is "less likely."  

Microsoft listed two critical elevations of privilege vulnerabilities. 

CVE-2025-33070 is an elevation of privilege critical vulnerability in Windows Netlogon. An attacker could exploit the vulnerability by leveraging an authentication bypass in the Windows Netlogon service using uninitialized resources. An attacker, by successfully exploiting this vulnerability, could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely."  

Microsoft noted that the CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. This vulnerability in Power Automate exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability with CVSS 3.1 base score of 9.8 has been fully mitigated and no further action is required by the users.  

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "more likely:" 

*   CVE-2025-32713 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
*   CVE-2025-32714 - Windows Installer Elevation of Privilege Vulnerability. 
*   CVE-2025-47962 - Windows SDK Elevation of Privilege Vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.

Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities

President Trump’s deployment of more than 700 Marines to Los Angeles—following ICE raids and mass protests—has ignited a fierce national debate over state sovereignty and civil-military boundaries.

As hundreds of United States Marines deploy in Los Angeles under presidential orders to protect federal property amid growing protests over immigration enforcement, constitutional scholars and civil rights attorneys warn of long-term implications for American democracy and civil-military relations.

President Donald Trump revealed Monday that he had ordered the deployment of more than 700 activity-duty Marines out of Camp Pendleton—an extraordinary use of military force in response to civil unrest. The move, widely condemned by his critics, follows Trump’s federalization of the National Guard. Some 3,800 guardsmen have since been deployed in California against the objections of its government, spurring debate among legal observers over the limits of the president’s power to send troops into American streets.

Trump ordered the deployments in response to thousands of Angelenos who took to the streets on Friday in protests. LA residents responded after Immigration and Customs Enforcement (ICE) agents carried out sweeping raids of local businesses, arresting, among others, dozens of day laborers who were vying for work outside a local Home Depot. Larger demonstrations soon formed and remained largely peaceful until residents were engaged by police with riot shields and crowd control weapons. Over the weekend, the clashes between police and protesters escalated across many neighborhoods with large immigrant populations. Numerous buildings were vandalized with anti-ICE messages, and several Waymo autonomous vehicles were set ablaze.

Videos captured by protest attendees show police firing upon demonstrators with rubber bullets and other crowd control agents, including waves of asphyxiating CS gas. Members of the press shared images online showing injuries they incurred from the police assault. In widely shared footage, a law enforcement officer appears to intentionally target an Australian reporter, Lauren Tomasi, shooting her from feet away with a rubber bullet as she delivers a monologue into a camera. On Monday, CNN correspondent Jason Carroll was arrested live on air.

California governor Gavin Newsom condemned Trump’s troop deployment in posts on social media, calling the president’s actions an “unmistakable step toward authoritarianism.” His attorney general, Rob Bonta, has filed a lawsuit in federal court claiming the order violated the state’s sovereignty, infringing on Newsom’s authority as the California National Guard’s commander in chief.

In response to a request for comment, the Department of Defense referred WIRED to a US Northern Command press release detailing the deployment of Marines and National Guardsmen.

Federal troops in the United States are ordinarily barred from participating in civilian law enforcement activities. This rule, known as “posse comitatus,” may be suspended, however, by a sitting president in cases of civil unrest or outright rebellion. This exception—permitted under the Insurrection Act—allows the president to deploy troops when circumstances make it “impracticable” for state authorities to enforce federal law by “ordinary” means.

While these powers are most often invoked at the request of a state government, the president may also invoke the act when a state chooses to ignore the constitutional rights of its inhabitants—as happened multiple times in the mid-20th century, when southern states refused to desegregate schools after the Supreme Court’s landmark _Brown v. Board of Education_ decision.

President Trump, however, has so far not invoked the Insurrection Act, relying instead on a theory of “inherent authority” advanced by the US Justice Department in 1971 during the height of the anti–Vietnam War protests. This interpretation of presidential power finds that troops may be deployed in an effort to “protect federal property and functions.” Notably—unlike the Insurrection Act—this does not permit troops to engage in activities that are generally the purview of civilian law enforcement agencies.

Trump also invoked statutory power granted to him by Congress under Title 10 of the US Code, which enabled him to federalize elements of California’s National Guard. These activations typically occur when guardsmen are needed to support overseas military operations, as happened routinely this century during the wars in Iraq and Afghanistan. Domestically, however, guardsmen are not usually federalized without the agreement of a state’s governor—unless the Insurrection Act has been invoked.

Legal experts interviewed by WIRED offered a range of opinions on the president’s authority to deploy active-duty military troops or federalize the National Guard. While most believe it is likely within Trump’s power to ignore Newsom’s express objections, doing so without an invocation of the Insurrection Act, they say, is a decision fraught with legal complexities that carries serious implications, from altering—perhaps permanently—the fundamental relationship between Americans, states, and the federal government, to disturbing the delicate balance between civilian governance and military power.

Liza Goitein, senior director of the Brennan Center's Liberty and National Security Program, underscores the “unprecedented” nature of Trump’s approach. “He’s trying to basically exercise the powers of the Insurrection Act without invoking it,” she says. A key issue for Goitein is that the memorandum signed by Trump last week federalizing the National Guard makes no mention of Los Angeles or California. Rather, it states that the guardsmen are being mobilized to address protests that are both “occurring” and “likely to occur.”

In essence, the memo “authorizes the deployment of federal troops anywhere in the country,” Goitein says, “including places where there are no protests yet. We’re talking about preemptive deployment.”

Goitein argues that the administration’s justifications could undermine both judicial accountability and civil‑military boundaries. Under the Insurrection Act, federal troops can take on the responsibilities of local and state police. But without it, their authority should be quite limited. Neither the guardsmen nor the Marines, for instance, should engage with protesters acting peacefully, according to Goitein. “He says they’re there to protect federal property,” she says. “But it looks a lot like quelling civil unrest.”

Anthony Kuhn, a 28-year US Army veteran and managing partner at Tully Rinckey, believes, meanwhile, that there is really “no question” that Trump would be justified in declaring a “violent rebellion” underway in California, empowering him to ignore Newsom’s objections. The images and video of protesters hurling rocks and other items at police and lighting cars on fire all serve as evidence toward that conclusion.

“I know people in California, the governor, the mayor, are trying to frame it as a protest. But at this point,” says Kuhn, “it’s a violent rebellion. You can draw your own conclusions from the pictures and videos floating around.” Kuhn argues that the intentions of the protesters, the politics fueling the demonstrations, don’t matter. “They’re attacking federal facilities. They’re destroying federal property. So in an attempt to restore the peace, the president has the authority under Title 10 to deploy troops. It’s pretty straightforward.”

In contrast, Rutgers University professor Bruce Afran says deploying military forces against Americans is “completely unconstitutional” in the absence of a true state of domestic insurrection. “There was an attack on ICE’s offices, the doorways, there was some graffiti, there were images of protesters breaking into a guardhouse, which was empty,” he says. “But even if it went to the point of setting a car on fire, that's not a domestic insurrection. That's a protest that is engaged in some illegality. And we have civil means to punish it without the armed forces.”

Afran argues that meddling with the expectations of civilians, who naturally anticipate interacting with police but not armed soldiers, can fundamentally alter the relationship between citizens and their government, even blurring the line between democracy and authoritarianism. “The long-term danger is that we come to accept the role of the army in regulating civilian protest instead of allowing local law enforcement to do the job,” he says. “And once we accept that new paradigm—to use a kind of BS word—the relationship between the citizen and the government is altered forever.”

“Violent rioters in Los Angeles, enabled by Democrat governor Gavin Newsom, have attacked American law enforcement, set cars on fire, and fueled lawless chaos," Abigail Jackson, a White House spokesperson, tells WIRED. "President Trump rightfully stepped in to protect federal law enforcement officers. When Democrat leaders refuse to protect American citizens, President Trump will always step in.”

As the orders to mobilize federal troops have come down, some users on social media have urged service members to consider the orders unlawful and refuse to obey—a move that legal experts say would be very difficult to pull off.

David Coombs, a lecturer in criminal procedure and military law at the University of Buffalo and a veteran of the US Army’s Judge Advocate General's Corps, says it’s hypothetically possible that troops could question whether Trump has the authority to mobilize state guardsmen over the objection of a state governor. “I think ultimately the answer to that will be yes,” he says. “But it is a gray area. When you look at the chain of command, it envisions the governor controlling all of these individuals.”

Separately, says Coombs, when troops are ordered to mobilize, they could—again, hypothetically—refuse to engage in activities that are beyond the scope of the president’s orders, such as carrying out immigration raids or making arrests. “All they can do in this case, under Title 10 status, is protect the safety of federal personnel and property. If you go beyond that, then it violates the Posse Comitatus Act.” Federal troops, for instance, would need civilian police to step in at the point that local authorities want peaceful protesters to disperse.

The San Francisco Chronicle reports that, in a letter on Sunday, Homeland Security Secretary Kristi Noem requested that military troops be directed to detain alleged “lawbreakers” during protests “or arrest them,” which legal experts almost universally agree would be illegal under ordinary circumstances. The letter was addressed to Defense Secretary Pete Hegseth and accused the anti-ICE protesters of being “violent, insurrectionist mobs” aiming to “protect invaders and military aged males belonging to identified foreign terrorist organizations.”

Khun, who warns there’s a big difference between philosophizing over what constitutes an unlawful order and disobeying commands, dismisses the idea that troops, in the heat of the moment, will have an option. “It’s not going to be litigated in the middle of an actual deployment,” he says. “There’s no immediate relief, no immediate way to prove that an order is unlawful.”

Khun says that were he deployed into a similar situation, “me and my junior soldiers would not respond to a nonviolent or peaceful protest.” Asked what protesters should expect, should they engage with federal troops trained for combat overseas, Kuhn says the Marines will hold their ground more firmly than police, who are often forced to retreat as mobs approach. In addition to being armed with the same crowd control weapons, Marines are extensively trained in close-quarters combat.

“I would expect a defensive response,” he says, “but not lethal force.”

_Additional reporting by Alexa O’Brien._

_Updated at 1:40 pm ET, June 10, 2025: Added clarifying language around the less-lethal shooting of Lauren Tomasi and fixed a typo in the California attorney general's name._

Tag

#cisco