Palo Alto, California, 16th April 2025, CyberNewsWire

**Palo Alto, California, April 16th, 2025, CyberNewsWire**

SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out”, the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser. 

DLP is a core pillar of every enterprise security stack. Data breaches can result in severe consequences including IP loss, regulatory violations, fines, and severe reputational damage. With over 60% of corporate data being stored in the cloud, browsers have become the primary way for employees to create, access, and share data. Consequently, the browser has become a particularly attractive target for external attackers and insider threats alike. Yet, existing endpoint and cloud DLP solutions have limited telemetry and control over how employees interact with data on the browser. 

Additionally, there are several unique challenges when it comes to maintaining data lineage in the browser. This includes managing multiple personal and professional identities, the wide landscape of sanctioned and shadow SaaS apps, and the numerous pathways in which sensitive data can flow between these apps. Unlike managed devices where enterprises have full control over what can be installed on the device, employees can easily sign up for various SaaS services without the IT team’s knowledge or oversight. 

> SquareX researcher Audrey Adeline says, “Data splicing attacks are a complete game changer for insider threats and attackers that are seeking to steal information from enterprises. They exploit newer browser features that were invented long after existing DLP solutions and thus the data exfiltrated using these techniques are completely uninspected, resulting in full bypasses. With today’s workforce heavily relying on SaaS apps and cloud storage services, any organization that uses the browser is vulnerable to data splicing attacks.”

As part of the talk, they will also be releasing an open-source toolkit, “Angry Magpie”, which will allow pentesters and red teams to test their existing DLP stack and better understand their organization’s vulnerability to Data Splicing Attacks. SquareX hopes that the research will highlight the severe threats that browsers pose on data loss and serve as a call to action for enterprises and vendors alike to re-think their data loss protection strategies. 

Upon the completion of BSides San Francisco, the SquareX team will also be presenting at RSAC 2025 and will be available at Booth S-2361, South Expo for further discussions on the research.

**Talk Details:**

**Title:** Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out

**Speakers:** Jeswin Mathai and Audrey Adeline

**Event:** BSides San Francisco 2025

**Location:** San Francisco, CA

**Toolkit Release:** Angry Magpie (Open Source)

**About the Speakers**

**Jeswin Mathai****, Chief Architect, SquareX**

Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company’s infrastructure. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Blackhat Arsenal, Recon Village, and Demo Labs at DEFCON. He has also imparted his knowledge globally, training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. He is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

**Audrey Adeline****, Researcher**

Audrey currently leads the Year of Browser Bugs (YOBB) project at SquareX which has disclosed multiple major architectural browser vulnerabilities to date. She is also a published author of The Browser Security Field Manual. Key discoveries from YOBB include Polymorphic Extensions, Browser Ransomware and Browser Syncjacking, all of which have been covered by major publications such as Forbes, Bleeping Computer and Mashable. She is passionate about furthering cybersecurity education and has run multiple workshops with Stanford University and Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a cybersecurity investor at Sequoia Capital and graduated from the University of Cambridge with a degree in Natural Sciences.

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate, and threat-hunt client-side web attacks targeting employees happening against their users in real-time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

Wednesday, April 16, 2025 08:00

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.     

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**Eclipse vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

Eclipse ThreadX is an embedded development suite including an operating system that provides performance for resource-constrained devices. 

TALOS-2024-2098 (CVE-2025-0726, CVE-2025-2260) A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1, TALOS-2024-2104 (CVE-2025-0727, CVE-2025-2259) and TALOS-2024-2105 (CVE-2025-0728, CVE-2025-2258). Specially crafted network request packets can lead to denial of service. An attacker can send malicious packets to trigger these vulnerabilities. 

**STMicroelectronics vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

STMicroelectronics is a European multinational semiconductor contract manufacturing and design company. 

TALOS-2024-2096 (CVE-2024-45064) is a buffer overflow vulnerability in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability. 

TALOS-2024-2097 (CVE-2024-50384-CVE-2024-50385) is a denial-of-service vulnerability in the NetX Component HTTP server functionality. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality. For TALOS-2024-2102 (CVE-2024-50594-CVE-2024-50595), a specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For TALOS-2024-2103 (CVE-2024-50596-CVE-2024-50597), a specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Eclipse and STMicroelectronics vulnerabilities

President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs's employer SentinelOne, comes as CISA is facing huge funding and staffing cuts.

**President Trump** last week revoked security clearances for **Chris Krebs**, the former director of the **Cybersecurity and Infrastructure Security Agency** (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs’s employer **SentinelOne**, comes as CISA is facing huge funding and staffing cuts.

Chris Krebs. Image: Getty Images.

The extraordinary April 9 memo directs the attorney general to investigate Chris Krebs (no relation), calling him “a significant bad-faith actor who weaponized and abused his government authority.”

The memo said the inquiry will include “a comprehensive evaluation of all of CISA’s activities over the last 6 years and will identify any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship, including whether Krebs’ conduct was contrary to suitability standards for federal employees or involved the unauthorized dissemination of classified information.”

CISA was created in 2018 during Trump’s first term, with Krebs installed as its first director. In 2020, CISA launched Rumor Control, a website that sought to rebut disinformation swirling around the 2020 election.

That effort ran directly counter to Trump’s claims that he lost the election because it was somehow hacked and stolen. The Trump campaign and its supporters filed at least 62 lawsuits contesting the election, vote counting, and vote certification in nine states, and nearly all of those cases were dismissed or dropped for lack of evidence or standing.

When the Justice Department began prosecuting people who violently attacked the U.S. Capitol on January 6, 2021, President Trump and Republican leaders shifted the narrative, claiming that Trump lost the election because the previous administration had censored conservative voices on social media.

Incredibly, the president’s memo seeking to ostracize Krebs stands reality on its head, accusing Krebs of promoting the censorship of election information, “including known risks associated with certain voting practices.” Trump also alleged that Krebs “_falsely and baselessly denied that the 2020 election was rigged and stolen_, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines” \[emphasis added\].

Krebs did not respond to a request for comment. SentinelOne issued a statement saying it would cooperate in any review of security clearances held by its personnel, which is currently fewer than 10 employees.

Krebs’s former agency is now facing steep budget and staff reductions. **The Record** reports that CISA is looking to remove some 1,300 people by cutting about half its full-time staff and another 40% of its contractors.

“The agency’s National Risk Management Center, which serves as a hub analyzing risks to cyber and critical infrastructure, is expected to see significant cuts, said two sources familiar with the plans,” The Record’s **Suzanne Smalley** wrote. “Some of the office’s systematic risk responsibilities will potentially be moved to the agency’s Cybersecurity Division, according to one of the sources.”

CNN reports the Trump administration is also advancing plans to strip civil service protections from 80% of the remaining CISA employees, potentially allowing them to be fired for political reasons.

The **Electronic Frontier Foundation** (EFF) urged professionals in the cybersecurity community to defend Krebs and SentinelOne, noting that other security companies and professionals could be the next victims of Trump’s efforts to politicize cybersecurity.

“The White House must not be given free reign to turn cybersecurity professionals into political scapegoats,” the EFF wrote. “It is critical that the cybersecurity community now join together to denounce this chilling attack on free speech and rally behind Krebs and SentinelOne rather than cowering because they fear they will be next.”

However, **Reuters** said it found little sign of industry support for Krebs or SentinelOne, and that many security professionals are concerned about potentially being targeted if they speak out.

“Reuters contacted 33 of the largest U.S. cybersecurity companies, including tech companies and professional services firms with large cybersecurity practices, and three industry groups, for comment on Trump’s action against SentinelOne,” wrote **Raphael Satter** and **A.J. Vicens**. “Only one offered comment on Trump’s action. The rest declined, did not respond or did not answer questions.”

**CYBERCOM-PLICATIONS**

On April 3, President Trump fired **Gen. Timothy Haugh**, the head of the **National Security Agency** (NSA) and the **U.S. Cyber Command**, as well as Haugh’s deputy, **Wendy Noble**. The president did so immediately after meeting in the Oval Office with far-right conspiracy theorist Laura Loomer, who reportedly urged their dismissal. Speaking to reporters on Air Force One after news of the firings broke, Trump questioned Haugh’s loyalty.

Gen. Timothy Haugh. Image: C-SPAN.

Virginia **Senator Mark Warner**, the top Democrat on the Senate Intelligence Committee, called it inexplicable that the administration would remove the senior leaders of NSA-CYBERCOM without cause or warning, and risk disrupting critical ongoing intelligence operations.

“It is astonishing, too, that President Trump would fire the nonpartisan, experienced leader of the National Security Agency while still failing to hold any member of his team accountable for leaking classified information on a commercial messaging app – even as he apparently takes staffing direction on national security from a discredited conspiracy theorist in the Oval Office,” Warner said in a statement.

On Feb. 28, The Record’s **Martin Matishak** cited three sources saying Defense Secretary **Pete Hegseth** ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions. The following day, **The Guardian** reported that analysts at CISA were verbally informed that they were not to follow or report on Russian threats, even though this had previously been a main focus for the agency.

A follow-up story from **The Washington Post** cited officials saying Cyber Command had received an order to halt active operations against Russia, but that the pause was intended to last only as long as negotiations with Russia continue.

The Department of Defense responded on Twitter/X that Hegseth had “neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”

But on March 19, Reuters reported several U.S. national security agencies have halted work on a coordinated effort to counter Russian sabotage, disinformation and cyberattacks.

“Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies, including with the FBI, the Department of Homeland Security and the State Department,” Reuters reported, citing current and former officials.

**TARIFFS VS TYPHOONS**

President’s Trump’s institution of 125% tariffs on goods from China has seen Beijing strike back with 84 percent tariffs on U.S. imports. Now, some security experts are warning that the trade war could spill over into a cyber conflict, given China’s successful efforts to burrow into America’s critical infrastructure networks.

Over the past year, a number of Chinese government-backed digital intrusions have come into focus, including a sprawling espionage campaign involving the compromise of at least nine U.S. telecommunications providers. Dubbed “Salt Typhoon” by Microsoft, these telecom intrusions were pervasive enough that CISA and the FBI in December 2024 warned Americans against communicating sensitive information over phone networks, urging people instead to use encrypted messaging apps (like Signal).

The other broad ranging China-backed campaign is known as “Volt Typhoon,” which CISA described as “state-sponsored cyber actors seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Responsibility for determining the root causes of the Salt Typhoon security debacle fell to the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the security failures behind major cybersecurity events. But on his first full day back in the White House, President Trump dismissed all 15 CSRB advisory committee members — likely because those advisers included Chris Krebs.

Last week, **Sen. Ron Wyden** (D-Ore.) placed a hold on Trump’s nominee to lead CISA, saying the hold would continue unless the agency published a report on the telecom industry hacks, as promised.

“CISA’s multi-year cover up of the phone companies’ negligent cybersecurity has real consequences,” Wyden said in a statement. “Congress and the American people have a right to read this report.”

**The Wall Street Journal** reported last week Chinese officials acknowledged in a secret December meeting that Beijing was behind the widespread telecom industry compromises.

“The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan,” The Journal’s **Dustin Volz** wrote, citing a former U.S. official familiar with the meeting.

Meanwhile, China continues to take advantage of the mass firings of federal workers. On April 9, the **National Counterintelligence and Security Center** warned (PDF) that Chinese intelligence entities are pursuing an online effort to recruit recently laid-off U.S. employees.

“Foreign intelligence entities, particularly those in China, are targeting current and former U.S. government (USG) employees for recruitment by posing as consulting firms, corporate headhunters, think tanks, and other entities on social and professional networking sites,” the alert warns. “Their deceptive online job offers, and other virtual approaches, have become more sophisticated in targeting unwitting individuals with USG backgrounds seeking new employment.”

Image: Dni.gov

**ELECTION THREATS**

As Reuters notes, the FBI last month ended an effort to counter interference in U.S. elections by foreign adversaries including Russia, and put on leave staff working on the issue at the Department of Homeland Security.

Meanwhile, the U.S. Senate is now considering a House-passed bill dubbed the “**Safeguard American Voter Eligibility (SAVE) Act**,” which would order states to obtain proof of citizenship, such as a passport or a birth certificate, in person from those seeking to register to vote.

Critics say the SAVE Act could disenfranchise millions of voters and discourage eligible voters from registering to vote. What’s more, documented cases of voter fraud are few and far between, as is voting by non-citizens. Even the conservative **Heritage Foundation** acknowledges as much: An interactive “election fraud map” published by Heritage lists just 1,576 convictions or findings of voter fraud between 1982 and the present day.

Nevertheless, the GOP-led House passed the SAVE Act with the help of four Democrats. Its passage in the Senate will require support from at least seven Democrats, Newsweek writes.

In February, CISA cut roughly 130 employees, including its election security advisors. The agency also was forced to freeze all election security activities pending an internal review. The review was reportedly completed in March, but the Trump administration has said the findings would not be made public, and there is no indication of whether any cybersecurity support has been restored.

Many state leaders have voiced anxiety over the administration’s cuts to CISA programs that provide assistance and threat intelligence to election security efforts. **Iowa Secretary of State Paul Pate** last week told the **PBS** show I**owa Press** he would not want to see those programs dissolve.

“If those (systems) were to go away, it would be pretty serious,” Pate said. “We do count on a lot those cyber protections.”

Pennsylvania’s **Secretary of the Commonwealth Al Schmidt** recently warned the CISA election security cuts would make elections less secure, and said no state on its own can replace federal election cybersecurity resources.

The **Pennsylvania Capital-Star** reports that several local election offices received bomb threats around the time polls closed on Nov. 5, and that in the week before the election a fake video showing mail-in ballots cast for Trump and Sen. Dave McCormick (R-Pa.) being destroyed and thrown away was linked to a Russian disinformation campaign.

“CISA was able to quickly identify not only that it was fraudulent, but also the source of it, so that we could share with our counties and we could share with the public so confidence in the election wasn’t undermined,” Schmidt said.

According to CNN, the administration’s actions have deeply alarmed state officials, who warn the next round of national elections will be seriously imperiled by the cuts. A bipartisan association representing 46 secretaries of state, and several individual top state election officials, have pressed the White House about how critical functions of protecting election security will perform going forward. However, CNN reports they have yet to receive clear answers.

Nevada and 18 other states are suing Trump over an executive order he issued on March 25 that asserts the executive branch has broad authority over state election procedures.

“None of the president’s powers allow him to change the rules of elections,” Nevada Secretary of State **Cisco Aguilar** wrote in an April 11 op-ed. “That is an intentional feature of our Constitution, which the Framers built in to ensure election integrity. Despite that, Trump is seeking to upend the voter registration process; impose arbitrary deadlines on vote counting; allow an unelected and unaccountable billionaire to invade state voter rolls; and withhold congressionally approved funding for election security.”

The order instructs the **U.S. Election Assistance Commission** to abruptly amend the voluntary federal guidelines for voting machines without going through the processes mandated by federal law. And it calls for allowing the administrator of the so-called **Department of Government Efficiency** (DOGE), along with DHS, to review state voter registration lists and other records to identify non-citizens.

The Atlantic’s **Paul Rosenzweig** notes that the chief executive of the country — whose unilateral authority the Founding Fathers most feared — has literally no role in the federal election system.

“Trump’s executive order on elections ignores that design entirely,” Rosenzweig wrote. “He is asserting an executive-branch role in governing the mechanics of a federal election that has never before been claimed by a president. The legal theory undergirding this assertion — that the president’s authority to enforce federal law enables him to control state election activity — is as capacious as it is frightening.”

Trump Revenge Tour Targets Cyber Leaders, Elections

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

The Israeli spyware maker NSO Group has been on the US Department of Commerce “blacklist” since 2021 over its business of selling targeted hacking tools. But a WIRED investigation has found that the company now appears to be working to stage a comeback in Trump's America, hiring a lobbying firm with the ties to the administration to make its case.

As the White House continues its massive gutting of the United States federal government, remote and hybrid workers have been forced back to the office in a poorly coordinated effort that has left critical employees without necessary resources—even reliable Wi-Fi. And Elon Musk’s so-called Department of Government Efficiency (DOGE) held a “hackathon” in Washington, DC, this week to work on developing a “mega API” that could act as a bridge between software systems for accessing and sharing IRS data more easily.

Meanwhile, new research this week indicates that misconfigured sexual fantasy-focused AI chatbots are leaking users' chats on the open internet—revealing explicit prompts and conversations that in some cases include descriptions of child sexual abuse.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In a secret December meeting between the US and China, Beijing officials claimed credit for a broad hacking campaign that has compromised US infrastructure and alarmed American officials, according to Wall Street Journal sources. Tensions between the two countries have escalated sharply in recent weeks, because of President Donald Trump's trade war.

In public and private meetings, Chinese officials are typically firm in their denials about any and all accusations of offensive hacking. This makes it all the more unusual that the Chinese delegation specifically confirmed that years of attacks on US water utilities, ports, and other targets are the result of the US's policy support of Taiwan. Security researchers refer to the collective activity as having been perpetrated by the actor “Volt Typhoon.”

Meanwhile, the National Counterintelligence and Security Center, along with the FBI and Pentagon’s counterintelligence service, issued an alert this week that China’s intelligence services have been working to recruit current and former US federal employees by posing as private organizations like consulting firms and think tanks to establish connections.

**DHS Is Now Monitoring Immigrants’ Social Media for Antisemitism**

US Citizenship and Immigration Services said on Wednesday that it is starting to monitor immigrants' social media activity for signs of antisemitic activity and “physical harassment of Jewish individuals.” The agency, which operates under the Department of Homeland Security, said that such behavior would be grounds for “denying immigration benefit requests.” The new policy applies to people applying for permanent residence in the US as well as students and other affiliates of “educational institutions linked to antisemitic activity.” The move comes as Immigration and Customs Enforcement has made controversial arrests of pro-Palestinian student activists, including Mahmoud Khalil of Columbia University and Rumeysa Ozturk of Tufts University, over alleged antisemitic activity. Their lawyers deny the allegations.

**Trump Revokes Security Clearance, Orders Investigation of Ex-CISA Director**

President Trump this week ordered a federal investigation into former US Cybersecurity and Infrastructure Security Agency director Chris Krebs. An executive order on Wednesday revoked Krebs’ security clearance and also directed the Department of Homeland Security and the US attorney general to conduct the review. Krebs was fired by Trump in November 2020 during his first term after Krebs publicly refuted Trump’s claims of election fraud during that year's presidential election. The executive order alleges that by debunking false claims about the election while in office, Krebs violated the First Amendment's prohibition on government interference in freedom of expression.

In addition to removing Krebs' clearance, the order also revokes the clearances of anyone who works at Krebs' current employer, the security firm SentinelOne. The company said this week in a statement that it “will actively cooperate in any review of security clearances held by any of our personnel” and emphasized that the order will not result in significant operational disruption, because the company only has a handful of employees with clearances.

**NSA, Cyber Command Officials Cancel RSA Security Conference Appearances**

NSA Cybersecurity Division Director Dave Luber and Cyber Command Executive Director Morgan Adamski will no longer speak at the prominent RSA security conference, scheduled to begin on April 28 in San Francisco. Both appeared at the conference last year. A source told Nextgov/FCW that the cancellations were the result of agency restrictions on nonessential travel. RSA typically features top US national security and cybersecurity officials alongside industry players and researchers. President Trump recently fired General Timothy Haugh, who led both the NSA and US Cyber Command.

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

Martin delves into how threat actors exploit chaos, offering insights from Talos' 2024 Year in Review on how to fortify defenses against evolving email lures and frequently targeted vulnerabilities, even amidst economic disruption.

Thursday, April 10, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings invoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize removing the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed, each weakness remediated helps move the security posture forwards and makes your organization a tougher target for the bad guys who in turn are more likely to seek easier quarry.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

**Why do I care? **

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

**So now what? **

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static but constantly changing to try and outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not be continuing for over 10 years since disclosure. Aggressively identify systems within your IT estate that are vulnerable to this attack and urgently patch them.

**Top security headlines of the week **

**Hackers strike Australia's largest pension funds.** A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters) 

**Ireland Plans 300-Strong Military Cyber Command**. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times) 

**Baltimore City Falls Victim to Vendor Fraud.** Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News) 

**CISA Warns of Vulnerabilities in ICS Software**. The US Cybersecurity & Infrastructure Agency released advisories relating to five series vulnerabilities in Industrial Control Systems software. (CISA)

**Can’t get enough Talos?**

*   **Unraveling the U.S. toll road smishing scams.** Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
*   **Beers with Talos: 2024 Year in Review.** Joe, Hazel, Bill and Dave break down 2024 Year in Review and discuss how and why cybercriminals are learning on attacks based in stealth and simplicity. Listen here.
*   **The TTP Ep 10 (Part 1).** Peeling back the layers of the threats that dominated 2024. Watch now.
*   **The TTP Ep 10 (Part 2).** Ransomware groups, and why we're seeing more identity attacks. Watch now.

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA   
*   PIVOTcon (May 7 – 9) Malaga, Spain   
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA   
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**     
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details   
Typical Filename: VID001.exe     
Detection Name: Simple\_Custom\_Detection

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**      
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe     
Detection Name: Coinminer:MBT.26mw.in14.Talos   

**SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b**   
MD5: f5e908f1fac5f98ec63e3ec355ef6279   
VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details   
Typical Filename: IMG001.exe   
Detection Name: Win.Dropper.Coinminer::tpd

Threat actors thrive in chaos

Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.

Thursday, April 10, 2025 10:30

*   Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.  
*   We observed that the campaign targets people across several states in the U.S. according to the domain names used in the smishing messages. 
*   Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by “Wang Duo Yu”, according to the intelligence obtained by Talos. 

**Toll road smishing attacks **

Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages. 

The actors send an SMS notification for an outstanding bill claiming that the potential victim owes a small amount of money, under $5 USD. They warn of potential late fees, prompting victims to visit a spoofed domain for the payment.  

Sample phishing SMS messages. 

When the victim visits the domain, they are prompted to solve a fake image-based CAPTCHA, after which it redirects the victims to a fake webpage with the legitimate toll service's logo. This webpage prompts the victims to enter their name and ZIP code to view their fake bill. The fake bill displays the victim's name with a message showing that they owe approximately $4 and warning of a $35 late payment fee. 

After the victim views their fake bill, they click the “Proceed Now” button which redirects them to another fake webpage. This site prompts the victim to enter their name, address, phone number and credit card information, which the threat actor eventually steals. Due to the limited visibility of the threat actor phishing infrastructure, Talos is unsure if there are any further payloads delivered to the victims' devices. 

In April 2024, FBI’s Internet Crime Complaint Center (IC3) warned about a similar toll road smishing campaign where the threat actor used the same brand impersonation technique but with a slight difference in the SMS message language, monetary values and formatting. 

Targeting toll road users in multiple states indicates the likelihood of the threat actor leveraging user information publicly leaked from large databases. For example, the threat actor behind the 2024 National Public Data leak released billions of records publicly which were then shared on private Telegram channels for further abuse. However, Talos currently does not have any evidence to suggest that the toll road smishing campaign is fueled by the National Public Data leaks.  

**Phishing infrastructure **

Talos observed that the actors have used several typosquatted domains in the SMS phishing messages to convince the potential victims to visit them. These typosquatted phishing domains were created during Oct. and Nov. 2024 and were observed resolving to one of the following IP addresses: 45\[.\]152\[.\]115\[.\]161 and 82\[.\]147\[.\]88\[.\]22.  

As of March 2025, Talos is still seeing new domains registered by the threat actors for the toll road scams, implying that the campaign is ongoing. During our research period, these newly registered domains resolved to the IP address 43\[.\]156\[.\]47\[.\]209. 

**Smishing kits likely used in the U.S. toll road scams **

Talos assesses with moderate confidence that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as “Wang Duo Yu", according to the intelligence obtained by Talos. 

We have observed similar smishing kits being used by the organized cybercrime group known as the "Smishing Triad." This group has conducted large-scale smishing attacks targeting mail services in multiple countries, including the United States Postal Service (USPS), as well as the financial and commercial sectors previously reported by Resecurity. 

Talos discovered references to specific phishing kits that are targeting toll systems in the DY Tongbu Telegram channel on "老王同步源码开发教学" translated to "Lao Wang Synchronized Source Code Development Tutorial."  

Public Lao Wang Synchronized Source Code Development Tutorial Telegram channel.

The Telegram channel shared details about a phishing module that allegedly spoofs the Massachusetts MassDOT's EZDriveMA toll system, as well as a phishing module that targets customers of the North Texas Toll Authority. At the time of publication, the Telegram channel had more than 4,400 subscribers. 

Further investigation has revealed that the developer, 王多余 (translated to Wang Duo Yu), has developed a similar smishing kit and operates the Lao Wang Synchronized Source Code Development Tutorial Telegram channel from two separate accounts. The pictures shown below display screenshots of the two telegram accounts related to Wang Duo Yu. 

Two telegram accounts related to Wang Duo Yu. 

Additionally, we noticed that the developer has created a YouTube channel where they upload tutorial videos. These videos cover topics such as "How to Build a PMTA Mail Server," "Setting Up an Automatic EPUSD Payment and Vending System," "Creating a Pagoda Panel Website (宝塔面板)," "Building the Simplest and Safest Node Using Native Tools," and "Using the X-UI Panel to Set Up a VMess+WS+TLS+Web or VLess+WS+TLS+Web Node."  Each video guides users on building basic web services or mail servers. 

Wang Duo Yu’s YouTube channel. 

There are also some private video links that cannot be found elsewhere. Talos found one such video on a Chinese forum. To access the post with the video link, users need special permissions in that forum. 

Wang Duo Yu’s YouTube channel with private video. 

We also observed Wang Duo Yu promoting their smishing kits business and tutorials on other Telegram channels, also offering personal lessons that include full-stack development, mail server setup and Telegram bot development. The threat actor offers a two-hour lesson each day and provides one-on-one instruction via remote desktop, charging ¥5888 (converting to approx. US $806 at time of publication) per class. 

Wang Duo Yu marketing the kits in telegram channels. 

One of the Telegram channels shown in the above picture is called, “向前论坛,” translating to " Xiangqian Forum,” of which Wang Duo Yu is a moderator. Wang Duo Yu posted articles in this forum to increase subscribers, promoted their own teaching courses, and provided links and discount codes for purchasing VPS and domains. 

Wang Duo Yu selling the VPS and cloud services through his website. 

We also found an additional website selling the VPS and cloud services, confirmed to be owned by Wang Duo Yu.  The “wangduoyu\[.\]vip” website was active from 2022 to 2023. 

Wang Duo Yu’s shop website. 

Wang Duo Yu’s shop DNS resolved IPs and active periods of time. 

We observed that Wang Duo Yu offers the toll smishing kit source code for sale and provides services to assist in setting up the whole system. In a forum post, they stated that anyone interested can reach out to their personal Telegram account "@wangduofish". The post also includes hidden content only visible to users with VIP access. 

Wang Duo Yu’s post includes hidden content only visible with VIP access. 

Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels. The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support. The threat actor also offers updated releases for multiple source code versions. The offers on the Telegram channel revealed that the smishing kits and source code primarily target large public-facing entities with a large end-userbase, such as toll road operators, banks and postal services. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

Unraveling the U.S. toll road smishing scams

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft has marked as “critical”.

Tuesday, April 8, 2025 14:53

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. 

In this month's release, none of the included vulnerabilities have been observed by Microsoft to be exploited in the wild. The eleven "critical” entries are all remote code execution (RCE) vulnerabilities, four of which have been marked as "Exploitation more likely". 

Two of the “critical” vulnerabilities listed affect components of the Windows Remote Desktop Services. 

CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in components of the Remote Desktop Gateway Service. Both vulnerabilities were given a CVSS 3.1 score of 8.1. To successfully exploit these an attacker could connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, potentially allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “high”, and exploitation is “More likely”.

CVE-2025-26663 is an RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) and has been given a CVSS 3.1 score of 8.1. This could be exploited by an attacker by sending a specially crafted LDAP call to trigger a use-after-free vulnerability, allowing arbitrary code to be executed in the context of the LDAP service. An attacker could initiate this by sending a victim an email or message containing a malicious link. Microsoft has assessed that exploitation is “more likely” and that the attack complexity is “high”.

CVE-2025-26670 is a RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) Client and has been given a CVSS 3.1 base score of 8.1. An attacker could exploit this vulnerability by sending sequential specially crafted LDAP requests to a vulnerable LDAP server. Successful exploitation would require an attacker to win a race condition, which could result in a use-after-free that would allow for arbitrary code execution. Microsoft states that exploitation of this vulnerability is “More likely” and that the attack complexity is “high”.

CVE-2025-26686 is an RCE vulnerability in Windows TCP/IP and has been given a CVSS 3.1 base score of 7.5. Due to improperly locked memory in Windows TCP/IP, this vulnerability could allow an attacker to execute arbitrary code over a network. To exploit this an attacker must wait for a user to initiate a connection and send a DHCPv6, to which the attacker would reply with a DHCPv6 response containing a fake IPv6 address. Successful exploitation requires the attacker to win a race condition and make several preparations in the target environment beforehand. Due to this complexity Microsoft has determined that exploitation is "Less likely".

CVE-2025-27491 is an RCE vulnerability in Windows Hyper-V and has a CVSS 3.1 base score of 7.1. An attacker with guest privileges on a network could exploit this by convincing a victim to click a link to a malicious site.  Microsoft has determined that exploitation of this vulnerability is “Less likely” and that the attack complexity is “high”.

CVE-2025-29791 is an RCE vulnerability in Microsoft Excel and has a CVSS 3.1 base score of 7.8. An attacker could exploit this by sending a specially crafted document to a victim that triggers a type confusion when opened. Once triggered, the type confusion could lead to arbitrary code execution. Microsoft has assessed that exploitation of this vulnerability is "Less likely".

CVE-2025-27752 is another RCE vulnerability in Microsoft Excel and has a CVSS 3.1 score of 7.8. This is a heap overflow vulnerability and can be exploited by an attacker to locally execute arbitrary code. It has been assessed that exploitation of this vulnerability is considered "Less likely".

CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749 are RCE vulnerabilities in Microsoft Office and all have a CVSS 3.1 base score of 7.8. These could be exploited by an attacker by triggering a use-after-free scenario, allowing for the execution of arbitrary code. Microsoft has determined that exploitation for each is considered "Less likely".

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "More likely":

*   CVE-2025-27472 - Windows Mark of the Web Security Feature Bypass Vulnerability  
    
*   CVE-2025-27727 - Windows Installer Elevation of Privilege Vulnerability  
    
*   CVE-2025-29792 - Microsoft Office Elevation of Privilege Vulnerability  
    
*   CVE-2025-29793 - Microsoft SharePoint Remote Code Execution Vulnerability  
    
*   CVE-2025-29794 - Microsoft SharePoint Remote Code Execution Vulnerability  
    
*   CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability  
    
*   CVE-2025-29812 - DirectX Graphics Kernel Elevation of Privilege Vulnerability  
    
*   CVE-2025-29822 - Microsoft OneNote Security Feature Bypass Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 64432, 64746 - 64757, 64760 - 64762. There are also these Snort 3 rules: 301176 - 301179.

Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities

New Xanthorox AI hacking platform spotted on dark web with modular tools, offline mode, and advanced voice, image, and code-based cyberattack features.

A sophisticated new artificial intelligence (AI) platform tailored for offensive cyber operations, named Xanthorox AI, has been identified by cybersecurity firm SlashNext. First appearing in late Q1 2025, Xanthorox AI is reportedly circulating within cybercrime communities on darknet forums and encrypted channels.

According to SlashNext’s investigation, shared with Hackread.com ahead of its publishing on Monday, Xanthorox stands out from previous malicious AI tools like WormGPT, FraudGPT and EvilGPT due to its independent, multi-model framework. The system is based on five distinct AI models optimized for specific cyber operations.

These models are hosted on private servers under the seller’s control rather than public cloud infrastructure or openly accessible APIs. This unique setup sets Xanthorox AI apart from previous malicious tools that often relied on existing large language models (LLMs).

Xanthorox AI is a fully custom-built platform that uses “fully custom-built language models” instead of established models like LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling automated and interactive attacks.

Its modular design allows for future updates or the replacement of specific functionalities. Xanthorox AI also has built-in voice and image handling modules. It can perform live internet search scraping using over 50 engines, offering up-to-date information. It also offers offline functionality, allowing users to use it without a constant network connection. The platform also emphasizes data containment to eliminate third-party AI data collection risks.

The toolkit includes the Xanthorox Coder, which automates tasks such as code creation and script development, while Xanthorox Vision adds visual intelligence by allowing users to upload images or screenshots for analysis. Reasoner Advanced aims to replicate human-like decision-making, supporting tasks requiring logical consistency and persuasive communication.

The platform also facilitates voice-based interaction through real-time voice calls and asynchronous voice messaging, allowing hands-free command and control. Overall, Xanthorox AI offers a versatile hacking assistant representing a significant advancement in cyberattack capabilities, enabling more precise and scalable phishing campaigns and malware creation.

Screenshot: SlashNext

“Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations. From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant,” researchers wrote in their blog post.

Its emergence highlights the importance of adopting advanced AI-powered detection technologies, including AI-powered threat detection platforms capable of behavioural anomaly analysis and signature-less malware identification, email security solutions employing AI-based content and intent analysis, and network security measures incorporating AI-driven intrusion detection and prevention systems.

Casey Ellis, Founder at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, called it “a fascinating development,” noting that the cybercriminal ecosystem works like any service industry, with specialized groups and “startups” creating competitive advantages. He highlighted the thought and R&D behind the toolkit, the local model tuning that avoids reliance on major vendors, and praised the expert mix as the most effective way to build a flexible AI-powered attack platform.

Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

NSA and global cybersecurity agencies warn fast flux DNS tactic is a growing national security threat used in phishing, botnets, and ransomware.

A collaborative effort by international cybersecurity agencies, including the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ), has highlighted a critical security issue known as Fast Flux.

According to a joint advisory, both cybercriminals and state-sponsored actors are exploiting this new technique, which allows them to conceal malicious server locations and maintain persistent command and control (C2) infrastructure and has been declared a national security threat.

****Understanding fast flux****

Fast flux’s core mechanism lies in the dynamic manipulation of Domain Name System (DNS) records. By rapidly altering the IP addresses associated with a single domain, attackers effectively obfuscate the true location of their malicious servers. This rapid rotation renders traditional IP-based blocking methods ineffective, as the target IP address becomes obsolete almost immediately.

Research reveals that cybercriminals are employing two methods of fast flux- Single flux and Double flux. Single flux involves linking a single domain name to numerous, frequently rotated IP addresses, ensuring that even if one IP is blocked, the domain remains accessible.

Single Flux (Source: CISA)

Conversely, Double flux further enhances this obfuscation by also frequently changing the DNS name servers responsible for resolving the domain, adding another layer of anonymity.

Double Flux (Source: CISA)

“These techniques leverage a large number of compromised hosts,” CISA notes, often forming botnets, which act as proxies to hide the malicious traffic’s origin.

****Malicious Applications and the Role of Bulletproof Hosting****

CISA emphasizes that Fast Flux is not solely used for maintaining C2 communications. It plays a significant role in phishing campaigns, making social engineering websites difficult to take down.

Furthermore, “bulletproof hosting” (BPH) providers, who disregard law enforcement requests, are increasingly offering it as a service to their clients. This allows for the seamless operation of malicious activities like botnet management, fake online shops, and credential theft, all while providing a layer of protection against detection and takedown, and has been used in Hive and Nefilim ransomware attacks. One BPH provider even advertised the service’s ability to bypass Spamhaus blocklists, highlighting its appeal to cybercriminals. 

****Detection and Mitigation****

The agencies strongly recommend a multi-layered approach to detect and mitigate “fast flux” attacks. This includes leveraging threat intelligence feeds, implementing anomaly detection for DNS query logs, analyzing DNS record time-to-live (TTL) values, monitoring for inconsistent geolocation, and using flow data to identify unusual communication patterns.

 For organizations, agencies recommend DNS and IP blocking, reputational filtering, enhanced monitoring and logging, and phishing awareness training as potent mitigation strategies. It is crucial for organizations to coordinate with their Internet service providers and cybersecurity providers, particularly Protective DNS (PDNS) providers, to implement these measures, the advisory concludes.

John DiLullo, CEO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform, commented on the latest development, stating: This latest advisory will hit many organizations like a double espresso. Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit.”

“Fortunately, correlative detection techniques, especially those leveraging ‘low and slow’ Machine Learning methods, can defeat these intrusions handily. However, many companies’ infrastructures simply aren’t there yet. This is a significant wake-up call,” he warned.

NSA and Global Allies Declare Fast Flux a National Security Threat

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

Tag

#cisco