Hazel braves Vegas, overpriced water and the Black Hat maze to bring you Talos’ latest research — including a deep dive into the PS1Bot malware campaign.

Thursday, August 14, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.

I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts: 

*   **Joe Marshall’s live incident-response exercise** – Joe ran _Backdoors & Breaches_, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
*   **Amy Chang’s AI guardrail bypass research** – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “_decomposition.”_ Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
*   **Philippe Laulheret’s _ReVault_ presentation** – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.

We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

**The one big thing **

Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025. 

**Why do I care? **

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers. 

**So now what? **

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' blog also provides Snort SIDs and ClamAV detections. 

**Top security headlines of the week **

**Russian government hackers said to be behind US federal court filing system hack**   
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch) 

**North Korean Kimsuky hackers exposed in alleged data breach**   
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online. (Bleeping Computer) 

**Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.**   
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches) 

**Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs**   
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country. (Bleeping Computer) 

**Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada**   
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek) 

**Can’t get enough Talos? **

*   **Microsoft Patch Tuesday for August 2025**   
    Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.   
*   **ReVault! When your SoC turns against you… deep dive edition**   
    Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault.” 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls. 
*   **The TTP:** **Cyber criminals brought PowerShell 1.0 to a modern ransomware fight**   
    Groups like Qilin are using custom encryptors, uncommon RMM tools, and even PowerShell 1.0 (yes, from 2006) to quietly recon networks. 
*   **Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**   
    A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). 

**Upcoming events where you can find Talos **

BlueTeamCon (Sept. 4 – 7) Chicago, IL 

LABScon (Sept. 17 – 20) Scottsdale, AZ 

VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

What happened in Vegas (that you actually want to know about)

Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware.
The vulnerabilities have been codenamed

Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

ReVault! When your SoC turns against you… deep dive edition

The now-patched vulnerabilities exist at the firmware level and enable deep persistence on compromised systems.

'ReVault' Security Flaws Impact Millions of Dell Laptops

Organisational culture, as we know it, isn’t built overnight. It takes shape over time through decisions, habits and…

Organisational culture, as we know it, isn’t built overnight. It takes shape over time through decisions, habits and values that gradually define how people work together. One of the most overlooked influences on culture is the presence or absence of clear and effective security policies.

For executives and managers, these aren’t just operational tools; they’re signals that show what the business takes seriously, how it protects its people and assets, and how it expects staff to behave. When developed properly, security policies help create a culture that is aware, responsive and able to adapt as threats evolve. Their effect goes far beyond compliance, shaping how people see their roles and what they expect from each other.

****How Policies Guide Behaviour and Establish Shared Standards****

Security policies are more than documents; they are instructions that shape behaviour. They set expectations, define actions during uncertainty and provide consistency across the organisation. When applied clearly and consistently, they remove doubt in high-pressure situations and make it easier for people to act quickly and correctly.

A shared understanding of what’s expected creates confidence, improves collaboration and reduces the chance of avoidable mistakes. Policies also serve as a foundation for training, ensuring everyone starts with the same understanding of risks and procedures.

Over time, these become part of the day-to-day rhythm of the workplace, reinforcing a shared commitment to safety and responsibility. They move the business from broad values to consistent action.

****Shaping a Mindset of Continuous Risk Awareness****

Security isn’t just about having a plan. It’s about creating an environment where people pay attention, act early and take ownership. Policies help turn awareness into habits, making security part of everyone’s job rather than something delegated to a few specialists.

When staff understand not just what to do but why it matters, they’re more likely to speak up or take early action. Leaders play a key role by modelling the right behaviours and holding themselves to the same standards. When procedures are well defined, responses are consistent and coordinated, reducing weak points that attackers might exploit.

As physical and online threats continue to blur, a workforce that takes security seriously is more important than ever. Clear policies don’t just guide action, they build confidence, reduce hesitation and help people respond calmly when things go wrong.

According to ROWAN Security, cyber attacks have been increasing across all industries, highlighting the need for companies to make security part of their everyday thinking, not just a response to crises.

****Building Trust and Confidence Among Employees****

Policies also shape how staff feel about the organisation’s priorities. When leadership visibly supports and follows security procedures, it sends a clear message that employee safety and fairness are not optional.

Trust grows when people feel protected and taken seriously. That trust helps teams focus, speak up and flag concerns without fear of being dismissed. When the culture supports openness around security, incidents can be dealt with early rather than after damage has already been done.

Policies aren’t meant to be static. They should evolve as the environment changes. When employees are involved in shaping and improving these policies, they’re more likely to follow them. Security then becomes part of the way the business works rather than a separate set of rules.

****Integrating Security into Daily Operations****

Strong security cultures don’t treat policy as a box to tick. Instead, they build it into everyday work. Good procedures are clear, practical and make sense for the way people already operate. When security feels natural, people are more likely to follow it without hesitation.

Leaders need to ensure policies stay up to date, especially as threats change or new tools are introduced. Lessons from past breaches should be reflected in updated processes. This ongoing adjustment shows staff that the organisation takes its responsibilities seriously and is always improving.

Security policies also work best when they’re tailored. What works for one business might not fit another. When procedures match the real-world pace and structure of the company, they’re more likely to be followed consistently. Over time, security becomes part of the routine, shaping how people think and act across the board.

****Reinforcing Organisational Resilience Over Time****

Well-structured policies don’t just respond to emergencies; they build long-term strength. When something goes wrong, clear guidance reduces confusion and helps people act without panic. That stability helps protect both operations and morale.

Consistency is key during any crisis. Staff need to know what the plan is and that decisions will follow it. This reinforces leadership credibility and keeps teams aligned. Companies that make security part of their everyday operations tend to recover faster and learn more from setbacks.

Security should be seen as a process that grows with the business. Policies should be reviewed regularly and improved based on experience. When that happens, organisations become more resilient, more alert and better prepared for future uncertainty.

(Image by Steve Buissinne from Pixabay)

The Role of Security Policies in Shaping Organisational Culture and Risk Awareness

A new Cisco Talos report reveals critical flaws in Dell Latitude and Precision laptops. Find out how hackers can exploit the ControlVault chip to steal sensitive data.

Cybersecurity giant Cisco has found serious security vulnerabilities in more than 100 Dell laptop models, putting tens of millions of devices at risk worldwide. This was revealed in a report shared by Cisco with Hackread.com, warning that the flaws could let attackers take full control of a device, steal passwords and access sensitive data, including fingerprint information.

The vulnerabilities, which Cisco’s Talos team has named ReVault, affect a hardware component called Dell ControlVault. Five vulnerabilities were found in this hardware, which have been assigned the following CVEs:

*   CVE-2025-24311
*   CVE-2025-25050
*   CVE-2025-25215
*   CVE-2025-24922
*   CVE-2025-24919

For your information, Dell ControlVault is a security chip designed to securely store passwords and biometric data. However, the flaws could allow attackers to bypass Windows login, gain persistent access to a device, or even tamper with the device to accept any fingerprint.

This could be especially troubling for government and business users, considering that these vulnerabilities are found in many business-focused models, including Dell’s Latitude and Precision series, which are common in government and corporate settings.

The report details two main ways attackers could take advantage of these flaws. The first is a way to gain permanent access to a laptop. Even if a user completely reinstalls their operating system, a malicious program could hide in the ControlVault chip itself, making it a persistent threat.

The second is a physical attack. A person with access to the laptop could open it up and directly tamper with the chip, giving them the ability to bypass the login screen or even fool the fingerprint reader into accepting any fingerprint.

Cisco Talos recommends that all affected Dell laptop owners install the latest firmware updates immediately and consider disabling the ControlVault services if they don’t use features like the fingerprint or smart card reader.

In a separate announcement, Cisco has also teamed up with Hugging Face, a major hub for AI models, to address the growing risk of malware and vulnerabilities within the AI supply chain, which includes millions of models available to developers.

As part of the partnership, a special version of Cisco’s malware scanner, ClamAV, will now automatically scan every public file uploaded to the Hugging Face platform. Cisco notes that this new anti-malware capability for AI models is being made available to the public for free. These findings highlight a broader message from Cisco about the importance of security at every level, from a laptop’s hardware to the digital files powering AI.

Over 100 Dell Laptop Models Plagued by Vulnerabilities Impacting Millions

Tuesday, August 5, 2025 09:00

*   Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”. 
*   100+ models of Dell Laptops are affected by this vulnerability if left unpatched. 
*   The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.  
*   The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges. 

**Dell ControlVault overview **

Dell ControlVault is “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” A daughter board provides this functionality and performs these security features in firmware. Dell refers to the daughter board as a Unified Security Hub (USH), as it is used as a hub to run ControlVault (CV), connecting various security peripherals such as a fingerprint reader, smart card reader and NFC reader. 

Here is a photographic example of a USH board:  ​​​​

Picture of a USH Board running CV. 

This is the board in its natural environment:  

USH board (highlighted in orange) inside a Dell Latitude laptop. 

The current iterations of the product are called ControlVault3 and ControlVault3+. and can be found in more than 100 different models of actively-supported Dell laptops (see DSA-2025-053), mostly from the business-centric Lattitude and Precision series. These laptop models are widely used in the cybersecurity industry, government settings and challenging environments in their Rugged version. Sensitive industries that require heightened security when logging in (via smartcard or NFC) are more likely to find ControlVault devices in their environment, as they are necessary to enable these security features. 

**Findings **

Today, Talos is publishing five CVEs and their associated reports. The vulnerabilities include multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050) an arbitrary free (CVE-2025-25215) and a stack-overflow (CVE-2025-24922), all affecting the CV firmware. We also reported an unsafe-deserialization (CVE-2025-24919) that affects ControlVault’s Windows APIs. 

**Impact **

With a lack of common security mitigations and the combination of some of the vulnerabilities mentioned above, the impact of these findings is significant. Let’s highlight two of the most critical attack scenarios we have uncovered. 

**Post-compromise pivot **

On the Windows side, a non-administrative user can interact with the CV  firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware. From this vantage point, it becomes possible to leak key material essential to the security of the device, thus gaining the ability to permanently modify its firmware. This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a Threat Actor’s post-compromise strategy. The following video shows how a tampered CV firmware can be used to “hack Windows” by leveraging the unsafe deserialization bug mentioned previously. 

0:00

/0:22

**Physical attack **

A local attacker with physical access to a user’s laptop can pry it open and directly access the USH board over USB with a custom connector. From there, all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log-in into the system or knowing a full-disk encryption password. While chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering. 

Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s.   

0:00

/0:07

**Mitigation **

To mitigate these attacks, Talos recommends the following: 

*   Keep your system up to date to ensure the latest firmware is installed. CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior. 
*   If not using any of the security peripherals (fingerprint reader, smart card reader and NFC reader) it is possible to disable the CV services (using the Service Manager) and/or the CV device (via the Device Manager).  
*   It is also worth considering disabling fingerprint login when risks are heightened (e.g., leaving one’s laptop unattended in a hotel room). Windows also provides Enhanced Sign-in Security (ESS), which may help mitigate some of the physical attacks and detect inappropriate CV firmware. 

**Detection **

To detect an attack, consider the following: 

*   Depending on your laptop model, chassis intrusion detection can be enabled in the computer’s BIOS. This would flag physical tampering and may require entering a password to clear the alert and restart the computer. 
*   In the Windows logs, unexpected crashes of the Windows Biometric Service or the various Credential Vault services could be a sign of compromise. 
*   Cisco customers using Cisco Secure Endpoint can be made aware of potential risks with the signature definition “bcmbipdll.dll Loaded by Abnormal Process”. 

**Conclusion **

These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. As Talos demonstrated, vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication. Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats.

ReVault! When your SoC turns against you…

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us.

Wednesday, July 30, 2025 06:00

Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we’re seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us: 

**Visit us at the Cisco booth: 2726 **

We’ll have short, 15-minute booth talks throughout Wednesday and Thursday of Black Hat, with topics including: 

*   Talos Vulnerability Discovery Year in Review 
*   How to: Threat Intel 
*   Full Metal SnortML: Accelerating Machine Learning based Firewalls with FPGAs 
*   From CVE to Detection: A Rule Writer's Journey Through Modern Threats 

We also have these sessions as part of the wider conference agenda: 

**Lunch & Learn: Backdoors & Breaches **

**Lagoon KL, Level 2 | Wednesday, Aug 6, 12:05–1:30 PM**    
**Speaker: Joe Marshall** 

Join Joe and members of Talos as we discuss and develop incident response plans in real-time. We’ll use real scenarios over a game of Backdoors & Breaches, an incident response card game developed by Black Hills Information Security. Members from Talos Threat Intelligence will lead tables through the game over lunch and discuss recent threat trends. 

**Reserve your spot here** 

**Mandalay Bay I | Wednesday, Aug 6, 11:20–12:10 PM**    
**Speaker: Nick Biasini** 

Nick will explore how generative AI is shaping today’s threat landscape, from attackers using AI to enhance operations, to malware posing as AI tools, to efforts targeting the models themselves. The session will also cover how organizations can safely adopt GAI while defending against its misuse. 

**Learn more here** 

**Threat Briefing: ReVault! Compromised by Your Secure SoC **

**Oceanside C, Level 2 |  Wednesday, Aug 6, 10:20–11:00 AM**   
**Speaker: Philippe Laulheret** 

This talk introduces ReVault, a vulnerability affecting a widely used embedded security chip. Philippe will demonstrate how a low-privilege user can exploit the flaw to extract sensitive data, gain persistence at the firmware level, and compromise the host system.  

Learn more here 

**Visit the Splunk Booth: Threat Hunters Cookbook Launch **

**Splunk Booth 3046**

Our colleagues at Splunk will be launching their brand new _Threat Hunters Cookbook_ in hard copy. We’ve had a sneak preview, and trust us, this is a brilliant resource for those who want to use modelling and machine learning to conduct threat hunts that really get the best out of your efforts.  

If you're at the show, we’d love to hear what you’re working on, so stop by the Cisco booth (and grab yourself a Snorty while you’re at it). See you in Vegas!

Cisco Talos at Black Hat 2025: Briefings, booth talks and what to expect

Summary The growing adoption of large language models (LLMs) in enterprise workflows has introduced a new class of adversarial techniques: indirect prompt injection. Indirect prompt injection can be used against systems that leverage large language models (LLMs) to process untrusted data. Fundamentally, the risk is that an attacker could provide specially crafted data that the LLM misinterprets as instructions.

How Microsoft defends against indirect prompt injection attacks

The World Leaks group accessed and released data from the company's Customer Solution Center, which is separated from customer and partner systems and stores primarily "synthetic" datasets used for demos and testing, Dell said.

Tag

#dell