Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

Thursday, July 10, 2025 11:24

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities**

_Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos._   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

**Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities **

_Discovered by Kamlapati Choubey of Cisco Talos._   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Asus and Adobe vulnerabilities

Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

Deepfake attacks aren’t just for recruitment and banking fraud; they’ve now reached the highest levels of government. News emerged this week of an AI-powered attack that impersonated US Secretary of State Marco Rubio. Authorities don’t know who was behind the incident.

A US State Department cable seen by the Washington Post warned that someone impersonated Rubio’s voice and writing style in voice and text messages on the Signal messaging app. The attacker reportedly tried to gain access to information or accounts by contacting multiple government officials in Rubio’s name. Their targets included three foreign ministers, a US governor, and a US member of Congress, the cable said.

The attacker created a Signal account with the display name ‘Marco.Rubio@state.gov’ and invited targets to communicate on Signal.

The AI factor in the attacks likely refers to deepfakes. These are a form of digital mimicry, in which attackers use audio or visual footage of a person to create convincing audio or images of them. Many have even created fake video of their targets, using them for deepfake pornography or to impersonate businesspeople.

The Rubio deepfake isn’t the first time that impersonators have targeted government officials. In May, someone impersonated White House Chief of Staff Susie Wiles in calls and texts to her contacts. Several failed to spot the scam initially and interacted with the attacker as though the conversations were legitimate.

This incident wasn’t Rubio’s fault, attacks like these are becoming commonplace with scammers making use of popular messaging tools. Signal is apparently a widely-used app in the executive branch, to the point that Director of National Intelligence Tulsi Gabbard said it came pre-installed on government devices.

This Signal usage culminated in then-national security advisor Mike Waltz accidentally adding a journalist to a group Signal chat containing discussions plans to bomb Yemen. He is now no longer the national security advisor. Misuse of the app extends back to the previous administration, when the Pentagon was forced to release a memo about it.

Why should you worry about such attacks on government high-ups? For one thing, it’s scary to think that foreign states might actually get away with sensitive information this way. But it also shows how easy it can be to impersonate someone with a deepfake. You can mount audio attacks with just a few snippets of audio to train an algorithm on.

You’d be suspicious if Pamela Bondi entered your book club chat, but if someone called an elderly relative pretending to be you, saying you’d been involved in an accident, or begging for ransom money because you’d been kidnapped, would they fall for it? Several have.

Strange though it may seem, modern threats demand some old-school protections. We recommend sharing a family password with close members, who can then request it to confirm each others’ identity. Never send this password anywhere, keep it to yourselves and agree to it in person.

But even family passwords won’t stop your grandma being targeted in deepfake romance scams from fake Mark Ruffalos and Brad Pitts, though. A quiet chat to explain the threats might avert such disasters, though, along with a regular check-in to ensure your less tech-savvy loved ones are safe and sound.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Deepfake criminals impersonate Marco Rubio to uncover government secrets 

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

If you want a job at McDonald’s today, there’s a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and résumé, directs them to a personality test, and occasionally makes them “go insane” by repeatedly misunderstanding their most basic questions.

Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants—including all the personal information they shared in those conversations—with tricks as straightforward as guessing the username and password “123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. “I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more,” says Carroll. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years.”

When WIRED reached out to McDonald’s and Paradox.ai for comment, a spokesperson for Paradox.ai shared a blog post the company planned to publish that confirmed Carroll and Curry’s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers. The company also added that it’s instituting a bug bounty program to better catch security vulnerabilities in the future. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” Paradox.ai’s chief legal officer, Stephanie King, told WIRED in an interview. “We own this.”

In its own statement to WIRED, McDonald’s agreed that Paradox.ai was to blame. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the statement reads. “We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”

One of the exposed interactions between a job applicant and “Olivia.”

Courtesy of Ian Carroll and Sam Curry

Carroll says he became interested in the security of the McHire website after spotting a Reddit post complaining about McDonald's hiring chatbot wasting applicants' time with nonsense responses and misunderstandings. He and Curry started talking to the chatbot themselves, testing it for “prompt injection” vulnerabilities that can enable someone to hijack a large language model and bypass its safeguards by sending it certain commands. When they couldn't find any such flaws, they decided to see what would happen if they signed up as a McDonald's franchisee to get access to the backend of the site, but instead spotted a curious login link on McHire.com for staff at Paradox.ai, the company that built the site.

On a whim, Carroll says he tried two of the most common sets of login credentials: The username and password “admin," and then the username and password “123456.” The second of those two tries worked. “It's more common than you'd think,” Carroll says. There appeared to be no multifactor authentication for that Paradox.ai login page.

With those credentials, Carroll and Curry could see they now had administrator access to a test McDonald's “restaurant” on McHire, and they figured out all the employees listed there appeared to be Paradox.ai developers, seemingly based in Vietnam. They found a link within the platform to apparent test job postings for that nonexistent McDonald's location, clicked on one posting, applied to it, and could see their own application on the backend system they now had access to. (In its blog post, Paradox.ai notes that the test account had “not been logged into since 2019 and frankly, should have been decommissioned.”)

That's when Carroll and Curry discovered the second critical vulnerability in McHire: When they started messing with the applicant ID number for their application—a number somewhere above 64 million—they found that they could increment it down to a smaller number and see someone _else_'s chat logs and contact information.

The two security researchers hesitated to access too many applicants' records for fear of privacy violations or hacking charges, but when they spot-checked a handful of the 64-million-plus IDs, all of them showed very real applicant information. (Paradox.ai says that the researchers accessed seven records in total, and five contained personal information of people who had interacted with the McHire site.) Carroll and Curry also shared with WIRED a small sample of the applicants' names, contact information, and the date of their applications. WIRED got in touch with two applicants via their exposed contact information, and they confirmed they had applied for jobs at McDonald's on the specified dates.

The personal information exposed by Paradox.ai's security lapses isn't the most sensitive, Carroll and Curry note. But the risk for the applicants, they argue, was heightened by the fact that the data is associated with the knowledge of their employment at McDonald's—or their intention to get a job there. “Had someone exploited this, the phishing risk would have actually been massive,” says Curry. “It's not just people's personally identifiable information and résumé. It's that information for people who are looking for a job at McDonald's, people who are eager and waiting for emails back.”

That means the data could have been used by fraudsters impersonating McDonald's recruiters and asking for financial information to set up a direct deposit, for instance. “If you wanted to do some sort of payroll scam, this is a good approach,” Curry says.

The exposure of applicants' attempts—and in some cases failures—to get what is often a minimum-wage job could also be a source of embarrassment, the two hackers point out. But Carroll notes that he would never suggest that anyone should be ashamed of working under the Golden Arches.

“I have nothing but respect for McDonald’s workers,” he says. “I go to McDonald's all the time.”

_Updated at 5 pm ET, July 9, 2025 to make clear that the phishing risks would only be possible if someone had the opportunity to exploit the data._

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.

US Announces Arresting Chinese Hacker Linked to HAFNIUM Group

Let's Encrypt has started rolling out certificates for IP addresses. Although it's a security solution it also offers cybercriminals opportunities.

Let’s Encrypt has announced its issued its first certificate for an IP address. Why that’s significant deserves a little explanation.

You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is using a certificate to secure your connection. These certificates are “digital passports” that websites use to prove their identity and to encrypt the data sent between your browser and the website.

Traditionally, these certificates have only been issued for domain names (like malwarebytes.com). Now, Let’s Encrypt has started issuing certificates for IP addresses, which are the numerical labels (like 192.0.66.233) that computers use to find each other on the internet.

Let’s Encrypt is a very popular provider of certificates, and you can find its certificates on hundreds of millions of websites. That’s because:

*   Let’s Encrypt certificates are free.
*   Hosting companies and content delivery networks often provide Let’s Encrypt by default as a service to their customers.
*   Let’s Encrypt is a mission-driven nonprofit aiming to make the web safer and more private for everyone.

The advantages of providing certificates for IP addresses are clear. Since some browsers will refuse to open sites without a certificate, it provides a safer way to access your website if you don’t have a domain name at all. It also allows you to use your browser to remotely access home devices like network-attached storage (NAS) servers and Internet-of-things (IoT) devices.

But most home users are unlikely to access a site by using the IP address. Domain names are much easier to remember (most of them anyway) and Domain Name System (DNS) translates domain names to IP addresses for us without a lot of problems.

And while IP addresses can change, DNS will make sure that our browser can still find the domain we want to visit. This is one reason why Let’s Encrypt will only issue short-term certificates for IP addresses: The certificates will be valid for just six days, a move designed to minimize the risk window in the event of a key compromise and to encourage automated certificate renewal practices.

Domain certificates can be compromised and abused. For example, in 2011, DigiNotar, a Dutch certificate authority, was breached, resulting in the issue of at least 500 fraudulent certificates for high-profile domains such as Gmail, Facebook, and the CIA.

And while you may have never heard of this breach, it spurred some much-needed improvements in the security of our online trust infrastructure.

**Here’s the problem**

If I post a URL online or send it by email, there is a visible part and a part that’s actually where you will be taken. For example <a href="https://malwarebytes.com/blog">example.com</a> will not take you to the displayed example.com, but to our blog’s landing page.

But let’s say that a cybercriminal can get a free certificate for the IP address of a server under their control, they could construct links that look like this <a href=”the server IP address”>payment provider X</a>. Should you click that link, you could end up on a specially crafted copy of the payment provider’s site set up by the cybercriminal which asks for your login credentials. Those credentials would then fall in the hands of the criminals if you entered them.

For an unsuspecting user, who potentially might have noticed the wrong domain in the address bar, an IP address might not raise any red flags, especially since they’ll see the padlock and assume it’s legitimate. But encrypted traffic doesn’t make it trustworthy. It is encrypted between the user and the website, so the receiver can read the credentials the visitor sent them.

At the same time, Let’s Encrypt’s move supports legitimate technical needs for IP-based certificates, so the challenge will be balancing security with accessibility. Defenders should monitor certificate transparency logs for suspicious IP certificates and combine this with other threat intelligence to identify abuse.

In essence, this new capability is a double-edged sword, both offering convenience and security benefits, but also new opportunities for cybercriminals.

**Tips for users**

The tips are basically the same as for any unsolicited link you encounter. The difference is that you should keep in mind that these URLs can now include IP addresses.

*   Don’t click on links in unsolicited emails, messages or on social media.
*   Hover over the link. A mismatch between the displayed domain and the target URL is a red flag.
*   The padlock does not mean the website is safe. It just means the traffic between you and the site is encrypted, so nobody in between can eavesdrop.
*   Enable multi-factor authentication (MFA) so criminals will not have access to your accounts with the credentials alone.
*   Keep your device and the software on it up to date, especially your security software and your browser.
*   Use a security solution that provides active protection, including against malicious domains and IPs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Free certificates for IP addresses: security problem or solution? 

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the…

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the first targets. These individuals are known to the public and hold access to sensitive company data with valuable personal and financial information.

Keeping them safe from cyber attacks takes more than standard security measures. That is why Digital Executive Protection (DEP) is becoming an important part of how companies handle cybersecurity today

This article explores how Digital Executive Protection works, why it matters, and how platforms are setting the standard in safeguarding organizational leadership from online threats.

****Why Executives Are High-Value Targets****

Executives are ideal targets for cybercriminals for several reasons:

*   **Access to Sensitive Information:** C-level executives often have the highest level of access to proprietary corporate data, including strategic plans, customer databases, and financial records.

*   **Public Visibility:** Their names and roles are publicly known, making it easy for attackers to impersonate them in phishing and business email compromise (BEC) attacks.

*   **Insufficient Personal Cyber Hygiene:** Despite high professional stakes, many executives do not practice strong personal cybersecurity, leaving their personal devices and social media vulnerable.

These factors make executives not just victims but potential attack vectors that can lead to broader organizational breaches.

****What Is Digital Executive Protection?****

Digital Executive Protection (DEP) refers to the practice of securing executives’ digital identities across both personal and professional spheres. Unlike traditional cybersecurity measures that focus on networks or endpoints, DEP concentrates on the individual’s entire digital footprint, including:

*   Dark web monitoring

*   Social media impersonation

*   Public and private data exposure

*   Data broker tracking and removals DEP is both proactive and continuous, often delivered as a managed service that includes automated scans, real-time alerts, and expert remediation.

****Modern Threat Landscape for Executives****

The range of threats facing executives today includes:

*   **Social Media Impersonation:** Fake profiles are used to scam followers or damage reputations.

*   **Data Broker Exposure:** Personal information such as home addresses, phone numbers, and family data are sold online, increasing risk.

*   **Credential Stuffing and Account Takeovers**: Breached credentials reused across accounts can grant access to sensitive platforms.

*   **Ransomware Targeting:** Some ransomware groups target specific high-profile individuals.

*   **Location Tracking:** Publicly available metadata or broker data can expose executives’ real-time locations, creating safety concerns.

****Key Components of Effective DEP****

A robust Digital Executive Protection strategy should include:

1.  **Automated Monitoring:** Continuous scanning of the web, social platforms, and dark web for threats.
2.  **Data Broker Remediation:** Regular removal of PII from broker sites.
3.  **Dark Web Intelligence:** Alerts on credential leaks and sensitive information.
4.  **Impersonation Takedowns**: Rapid response to social media and web impersonations.
5.  **Concierge Support:** A human team for white-glove onboarding and threat remediation.

****How Digital Executive Protection Works in Practice****

According to VanishID, an effective DEP program should combine automation with expert support. Their approach includes features like:

*   Regular privacy reports with actionable insights

*   The option to extend protection to spouses and children

*   Proactive removal of personal data from brokers and exposed sources

*   Quick response to impersonation threats on social media or fake websites

*   Personal privacy monitoring that tracks exposure across data broker sites, breached databases and search engines

Rather than reacting after an incident, VanishID says its focus is on minimizing the attack surface before it can be exploited.

****Why Digital Executive Protection Matters for Businesses****

Strong executive protection can help companies maintain brand integrity by preventing damage from impersonation or breaches. It can also align with requirements from some cyber insurance providers that expect proactive risk management.

Reducing risks like BEC scams or ransomware targeting high-profile individuals supports overall security. Finally, showing top leaders that their privacy and safety are priorities can help build trust and confidence at the highest levels.

****In Conclusion****

Executives play a critical role in an organization’s security and reputation, making their personal online safety impossible to overlook. Digital Executive Protection adds an extra layer to cybersecurity by reducing risks that traditional tools often miss.

If companies prioritise this protection, they can protect their and customer data, leadership, and long-term stability in an environment where cybersecurity threats continue to grow.

How Digital Executive Protection Shields Top Leaders from Modern Threats

Hunters International ransomware gang closes after 55 confirmed and 199 unconfirmed cyberattacks. Read about its rebrand to World…

Hunters International ransomware gang closes after 55 confirmed and 199 unconfirmed cyberattacks. Read about its rebrand to World Leaks and its impact on healthcare and businesses.

A prominent ransomware-as-a-service group ‘Hunters International’ has officially declared its shutdown, effective today, July 4, 2025. Active for approximately two years, and speculated to be a revival or successor to the notorious Hive Ransomware (dismantled by global law enforcement in January 2023 after extorting over $100 million), Hunters International gained notoriety for its double extortion tactics.

This involved both encrypting victim data and stealing it for public release if a ransom wasn’t paid. However, security researchers have indicated that this closure is less a retirement and more a strategic junction, with the group already operating under a new name: World Leaks.

****A Legacy of Breaches and Demands****

Comparitech researchers have investigated and confirmed 55 ransomware attacks claimed by Hunters International, with an additional 199 unconfirmed claims. These confirmed breaches resulted in the compromise of at least 3.25 million personal records.

The healthcare sector was particularly hard hit, accounting for 2.9 million of those compromised records across 19 attacks on hospitals and clinics. Businesses saw 55 confirmed attacks, with manufacturers being the most frequent target (12 attacks). Government entities and schools also fell victim, with 16 and 2 confirmed attacks, respectively.

Hunters International rarely made its ransom demands public. However, two notable instances emerged: Hoya Corporation in Japan was hit with a $10 million demand in March 2024, and Azienda USL di Modena in Italy refused to pay a $3 million ransom in November 2023.

Some of the largest data breaches attributed to Hunters International in the US include Fred Hutchinson Cancer Centre (1,840,927 people affected in November 2023), Omni Family Health (468,344 people in August 2024), and Arisa Health (375,436 people in March 2024). In a daring move, Hunters even contacted individual patients from Fred Hutchinson Cancer Centre, demanding $50 to delete their stolen data.

This RaaS operation claimed 24 victim organizations only in November 2024, Forescout reports, with an average of one per day (10 in the US, 2 in the UK, 7 in the EU, 3 in South America, and 2 in Asia).

****World Leaks****

Threat intelligence firm Group-IB reported in April 2025 that Hunters International was in the process of rebranding to World Leaks. This new operation focuses solely on data theft and extortion, abandoning the encryption aspect of traditional ransomware.

Rebecca Moody, Head of Data Research at Comparitech, commented on this shift, suggesting it’s not a change of heart but rather a move towards a “potentially more lucrative” revenue stream in data theft. She noted that World Leaks is “not a ransomware gang” as the “ware” (encryption) is critically missing from their attacks.

World Leaks has already claimed responsibility for 33 attacks, including on Chain IQ (Switzerland) and Freedom Healthcare in Colorado. In a surprising development, Hunters International has stated it will offer free decryption software to companies that were infected by its ransomware but have not yet paid a ransom.

However, Moody believes many victims will have already restored their systems, rendering the offer largely symbolic given the group’s inactivity in new encryption attacks since May 2025. Nonetheless, this transition marks a significant evolution in the cybercrime community, with data extortion becoming an increasingly prevalent and targeted threat.

Hunters International Ransomware Gang Rebrands as World Leaks

IARPA director Rick Muller is departing after just over a year at the R&D unit that invests in emerging technologies of potential interest to agencies like the NSA and the CIA, WIRED has learned.

The head of the US government’s Intelligence Advanced Research Projects Activity (IARPA) is leaving the unit this month to take a job with a quantum computing company, WIRED has learned.

Rick Muller’s pending departure from IARPA comes amid broader efforts to downsize the United States intelligence community, including the Office of the Director of National Intelligence (ODNI), which oversees IARPA. A person familiar with Muller’s plans confirmed to WIRED his departure from IARPA.

Born during the aftermath of the September 11, 2001, terrorist attacks, IARPA is tasked with testing AI, quantum computing, and other emerging technologies that could aid the missions of spy agencies including the Central Intelligence Agency and National Security Agency.

The Trump administration reportedly has been moving to cut the workforces of intelligence agencies as part of the president’s broad efforts to dismantle diversity programs and streamline government operations. Influential Republicans in the US Senate also recently have proposed legislation that would cut several programs from the ODNI, though IARPA isn’t among listed targets.

Muller, a chemist and long-time computer science researcher, had overseen some quantum computing programs at the Department of Energy before taking the reins of IARPA in April 2024. His final day at IARPA will be July 11, according to the person familiar with his plans. He is joining IonQ, which is part of a race to commercialize quantum computing. IonQ declined to comment.

The technologies used by spy agencies are often shrouded in secrecy. But much of IARPA’s work is public. It has funded dozens of research projects at universities and other labs across the country, including efforts to improve systems for face and speech recognition. In April, Muller told Federal News Network that the cybersecurity risks of large language models would be a priority for upcoming research.

The Trump administration has fired workers and slashed government grants for research at several other agencies, sparking nationwide protests and jeopardizing the future of science. The ODNI is seeking a budget of about $82 billion for the coming year, an increase of about 11.5 percent over the amount requested for 2025. But Tulsi Gabbard, the director of national intelligence, has touted cutting her workforce by 25 percent this year.

Last week, Senator Tom Cotton, who chairs the Senate Select Committee on Intelligence, described Gabbard’s agency as an “overstaffed and bureaucratic behemoth” at which “coordinators coordinate with other coordinators.” He called for cuts and other changes that he characterized as “vital to keeping our country safe from the wide range of threats that we continue to face.”

Spokespeople for Cotton didn’t immediately respond to a request for comment about the senator’s views on IARPA. The White House also didn’t immediately respond to a request for comment.

IARPA was modeled on the Defense Advanced Research Projects Agency, or Darpa, which has long been considered one of the federal government’s most advanced research and development units with successful bets on technologies for vaccines, location tracking, and language translation.

The Person in Charge of Testing Tech for US Spies Has Resigned

Email is still the backbone of how businesses communicate, with more than 300 billion messages sent every day.…

Email is still the backbone of how businesses communicate, with more than 300 billion messages sent every day. But this huge volume also makes it one of the easiest ways for cybercriminals to get in. As companies depend more and more on digital communication, strong email security becomes essential.

****Understanding Email Security Threats****

Modern email threats go way beyond basic spam. Today’s attackers use advanced tactics like spear phishing, business email compromise and even zero-day malware. These threats can slip past older security tools and lead to data breaches, financial losses and serious damage to a company’s reputation.

Recent studies indicate that 94% of malware is delivered via email, making it the most common attack vector for cybercriminals. Furthermore, email-based attacks have increased by 67% over the past year, with phishing attempts becoming increasingly sophisticated and difficult to detect through conventional means.

****The Essential Defense: Secure Email Gateways****

A secure email gateway serves as a comprehensive defence mechanism positioned between your organization’s email infrastructure and external email traffic. This critical security layer performs multiple functions simultaneously, including malware detection, spam filtering, data loss prevention, and email encryption.

Unlike simple filters that just block suspicious senders based on reputation, today’s secure email gateways use advanced AI and machine learning to catch new threats as they happen. They check email content, watch for unusual sender behaviour, and inspect attachments to deliver layered protection against both known and unknown attacks.

New ways to block file-based attacks have become a key part of strong email security. Companies like Sasa Software named a ‘Cool Vendor’ by Gartner for its work in cyber-physical security, use advanced Content Disarm and Reconstruction (CDR) technology.

This process cleans risky files by stripping out harmful code but keeps the document usable. It adds an extra layer of protection against zero-day exploits and persistent threats that old signature-based tools often fail to catch.

****Key Features That Define Effective Email Security****

Advanced threat protection is essential for strong email security. This includes real-time link scanning, sandboxing suspicious attachments, and watching for unusual communication patterns that could signal a compromised account or a social engineering attempt.

Content filtering and data loss prevention features ensure that sensitive information remains protected during transmission. These capabilities automatically identify and classify confidential data, applying appropriate encryption or blocking unauthorized transmissions based on predefined policies.

Email encryption functionality also provides end-to-end protection for sensitive communications, ensuring that even if messages are intercepted during transmission, the content remains unreadable to unauthorized parties. This feature is particularly important for organizations handling regulated data such as healthcare records, financial information, or legal documents.

****Implementation Considerations for Organizations****

When evaluating email security solutions, organizations must consider scalability, integration capabilities, and user experience impact. The ideal solution should seamlessly integrate with existing email infrastructure while providing comprehensive protection without significantly disrupting normal business operations.

Cloud-based deployment options offer numerous advantages, including reduced infrastructure costs, automatic updates, and global threat intelligence sharing. These solutions can scale dynamically with organizational growth while providing consistent protection across distributed workforces.

Administrative oversight and reporting capabilities enable security teams to monitor threat landscapes, track security incidents, and generate compliance reports required by various regulatory frameworks such as GDPR, HIPAA, or PCI DSS.

****Best Practices for Email Security Implementation****

Successful email security implementation requires a comprehensive approach combining technological solutions with user education and policy development. Regular security awareness training helps employees recognize and report suspicious emails, creating a human firewall that complements technical security measures.

Establishing clear email usage policies and incident response procedures ensures that organizations can respond quickly and effectively when security incidents occur. These policies should address acceptable use guidelines, data handling procedures, and escalation protocols for suspected security breaches.

Regular security assessments and penetration testing help identify potential vulnerabilities in email security configurations, ensuring that protection mechanisms remain effective against evolving threat landscapes.

As cyber threats continue to evolve in sophistication and frequency, implementing a secure email gateway becomes increasingly critical for organizations of all sizes. The cost of a security breach far exceeds the investment required for comprehensive email protection, making robust email security not just a technical necessity but a sound business decision.

Organizations seeking to protect their digital communications should prioritize solutions that offer comprehensive threat protection, seamless integration capabilities, and scalable deployment options. By implementing proper email security measures, businesses can maintain secure communications while enabling productive collaboration in today’s interconnected business environment.

Protecting Your Business Communications: The Critical Role of Secure Email Gateways

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

Tag

#intel