Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

What Really Happened With the DDoS Attacks That Took Down X

The telecom industry is at a major turning point. With 5G, IoT, and AI reshaping global connectivity, the…

The telecom industry is at a major turning point. With 5G, IoT, and AI reshaping global connectivity, the need for scalable, secure, and smart networks is higher than ever. Cloud IMS is stepping up as a game-changer, combining the flexibility of cloud technology with the reliability of traditional IMS systems. Virtualizing core network functions helps telecom operators roll out next-generation services while keeping security strong in a time of growing cybersecurity threats.

This article breaks down how Cloud IMS has evolved, the key benefits it brings to telecom, and the advanced security measures that help protect essential digital infrastructure.

****Cloud IMS: Redefining Telecommunications Architecture****

Traditional IMS has long served as the foundation for delivering voice, video, and multimedia services over IP networks. However, its reliance on dedicated hardware and inflexible architecture presents limitations in scalability, cost efficiency, and adaptability to emerging network paradigms like 5G and edge computing.

Cloud IMS disrupts this paradigm by decoupling software from hardware, enabling network functions to operate on a highly scalable cloud infrastructure. This expansion introduces several key advantages:

*   Elastic Scalability: Dynamic resource allocation ensures seamless network expansion and load balancing across regions.

*   5G Integration: Cloud IMS seamlessly interfaces with 5G core networks, enabling ultra-low latency communications and network slicing for enterprise applications.

*   Edge Computing Synergy: By distributing processing closer to end users, Cloud IMS enhances real-time applications such as autonomous systems, augmented reality (AR), and smart city infrastructure.

By integrating cloud-native flexibility with IMS standards, operators establish a future-proof foundation for global connectivity.

****Strategic Benefits of Cloud IMS in Modern Networks****

1\. Accelerating Service Deployment

Cloud-native architecture, coupled with DevOps and Continuous Integration/Continuous Deployment (CI/CD) practices, allows operators to launch new services—such as VoNR (Voice over New Radio), 5G-enabled telemedicine, or high-definition video conferencing—in days rather than months. This agility enhances network responsiveness to evolving market demands.

2\. Cost Optimization and Infrastructure Efficiency

By leveraging multi-tenancy and cloud-based resource pooling, Cloud IMS significantly reduces capital expenditure (CAPEX) and operational expenditure (OPEX). Operators transition from hardware-intensive deployments to an on-demand, pay-as-you-go model, optimizing resource utilization.

3\. Global Reach with Localized Performance

Cloud IMS enables geo-distributed deployments, ensuring minimal latency while optimizing bandwidth for mission-critical applications such as emergency services, industrial automation, and defence communications.

4\. 5G Monetization & Network Slicing

With network slicing, telecom operators can create dedicated virtual networks tailored to specific industries, including autonomous transportation, smart grids, and financial services. This customization unlocks new revenue streams while maintaining strict Quality of Service (QoS) and cybersecurity standards.

5\. Sustainable and Energy-Efficient Networks

The transition to cloud-native IMS minimizes physical hardware dependency, reducing energy consumption and carbon footprints. By optimizing server utilization and leveraging AI-powered energy management, telecom providers align with global sustainability initiatives while improving cost efficiency.

****Fortifying National Infrastructure: The Security Imperative of Cloud IMS****

Given the critical role of telecommunications in modern infrastructure, network security remains a paramount concern. As cyber threats evolve in complexity, telecom networks require a multi-layered security framework to safeguard both national and commercial interests.

1\. Zero-Trust Architecture (ZTA)

Cloud IMS adopts a “never trust, always verify” approach, requiring strict authentication and continuous security monitoring. Techniques such as mutual TLS (mTLS), biometric authentication, and blockchain-based identity verification ensure that only authorized entities access network resources.

2\. AI-Powered Threat Intelligence

Artificial intelligence (AI) and machine learning (ML) algorithms continuously monitor network traffic, detecting anomalies such as DDoS attacks, signalling fraud, and unauthorized access. Automated threat response mechanisms neutralize attacks before they escalate.

3\. Quantum-Resistant Encryption

With the impending advancements in quantum computing, traditional encryption methods face obsolescence. Cloud IMS integrates post-quantum cryptographic algorithms to safeguard sensitive communications, ensuring future-proof data protection for national and enterprise-level security.

4\. Secure Network Slicing for Critical Infrastructure

Network slices dedicated to healthcare, finance, and emergency response operate in fully isolated, encrypted environments, ensuring data integrity and operational continuity during crises. For instance, a 5G-powered emergency response network remains segregated from public internet traffic, prioritizing low-latency, high-reliability communication.

5\. Immutable Audit Trails and Regulatory Compliance

With blockchain-backed logging and tamper-proof audit trails, Cloud IMS simplifies compliance with international security regulations, including GDPR, HIPAA, and CALEA. This capability enhances transparency in network operations while facilitating forensic investigations in case of security breaches.

****Cloud IMS in Action: Real-World Applications****

Cloud IMS is already driving technological advancements across multiple sectors:

*   Enterprise Unified Communications (UCaaS): Multinational corporations deploy end-to-end encrypted communication platforms with ultra-low latency.

*   Smart Cities: Cloud IMS supports real-time traffic management, AI-powered surveillance, and emergency response systems.

*   Rural Broadband Expansion: Enables cost-effective VoLTE and 5G deployments in underserved regions, bridging the digital divide.

*   Industrial IoT (IIoT): Manufacturers leverage private 5G slices for predictive maintenance, AI-driven automation, and robotics.

****Future Trajectory: Trends Shaping Cloud IMS****

Cloud IMS will continue evolving through:

*   AI-Driven Network Optimization: Predictive analytics for traffic routing, cybersecurity, and personalized telecom experiences.

*   Edge-Native Deployments: Low-latency solutions for autonomous vehicles, remote surgery, and immersive metaverse applications.

*   Public-Private Regulatory Collaboration: Standardized security frameworks for national infrastructure protection and data sovereignty.

*   Green Networks: Energy-efficient architectures leveraging renewable-powered data centers for sustainable telecom solutions.

Cloud IMS represents a defining shift in telecommunications, merging agility, security, and scalability into a unified framework. Telecom operators who fail to embrace this transformation risk obsolescence in an increasingly AI-driven, hyperconnected world.

For consumers, Cloud IMS promises seamless, low-latency, and secure digital experiences, whether in high-definition communication, AI-driven automation, or national security applications. For telecom providers, it unlocks unparalleled efficiency, cost optimization, and revenue diversification.

As telecommunications becomes the backbone of modern infrastructure, keeping it secure, reliable, and resilient is more important than ever. Cloud IMS isn’t just a breakthrough; it’s a necessity. The time to act is now.

Cloud IMS: The Confluence of Innovation and Security in Modern Telecommunications

Push notifications are a common feature that many websites use to keep users engaged. However, what happens when these notifications turn malicious? Renée Burton, Vice President of Threat Intel at Infoblox, recently shared her firsthand experience with this alarming trend. Here’s a look at how scammers exploit push notifications to deliver scams, including fake gift cards and sweepstakes.

****The Push Notification Trap****

Renée found that when users visit a website that requests permission to send notifications, they may unknowingly grant scammers a powerful tool. Cybercriminals take advantage of this by tricking users into accepting notifications, often without fully understanding the consequences. Once accepted, users are bombarded with misleading messages that redirect them to fraudulent content.

These misleading messages often pose as legitimate alerts from trusted brands like Google or Walmart. They may falsely claim that a user’s account has been hacked or that they have won a gift card. Engaging with these notifications can lead to downloading harmful apps or surrendering personal information.

****The Gift Card Scam****

As part of her investigation, Renée visited sites that employ push notification scams and observed how scammers entice users with promises of substantial winnings. A notification may claim the recipient has won a $10,000 Walmart gift card, prompting them to click on it. Instead of receiving a prize, users are redirected through multiple domains before landing on a fraudulent site.

To claim the gift card, users are asked to provide personal details, including their email and home address. In many cases, they must complete a survey before they can “win.” However, the survey never ends, keeping users trapped in a cycle of never-ending ads and data collection schemes.

Screenshot of a series of non-stop email spam pushing gift card scams (Credit: Renée Burton – Infoblox)

****The Survey Scam****

Renée discovered that survey scams are a prevalent tactic used by scammers. Upon clicking a notification that promises a prize, users are led to websites like reward-lockercom. These sites request personal details such as name, email, address, and phone number under the guise of confirming eligibility.

Once users provide this information, they are required to complete a series of surveys. Each survey leads to additional advertisements, and scammers keep them engaged with the illusion of an imminent reward. However, the prize never materializes, and users remain stuck in an endless loop of data harvesting.

****The Sweepstakes Scam****

Similar to survey scams, sweepstakes scams exploit users’ trust. Renée investigated fraudulent sites like zippywinnercom, which advertise lucrative sweepstakes that appear genuine. These sites lure users into believing they have won big prizes, but in reality, the odds of winning are practically nonexistent. Instead, users are funnelled into more surveys and deceptive schemes designed to extract personal information and generate ad revenue for scammers.

****The Bigger Picture****

Through her research, Renée uncovered that scammers use advanced techniques to evade detection. They employ domain cloaking and traffic distribution systems (TDSs) to deliver varied content, making it difficult for security teams to identify and mitigate these threats.

Infoblox has observed this malicious adtech (advertising technology) operating across various websites, including scientific research platforms, car dealership pages, and activist blogs. The problem is extensive, with millions of websites compromised by push notification scams each year.

****The Impact****

While some may dismiss these scams as minor nuisances, Renée’s findings highlight their severe consequences. Scammers harvest personal and financial information, keeping users locked in cycles of misleading ads and phishing attempts. The only beneficiaries of this system are the scammers themselves.

In conclusion, Renée’s research underscores the dangers of push notifications when misused by cybercriminals. While push notifications can be valuable engagement tools, they can also serve as a gateway for scams. Users should remain alert, avoid clicking suspicious notifications, and never share personal information in response to unsolicited alerts.

What Happens When Push Notifications Go Malicious?

Plus: The world’s “largest illicit online marketplace” gets hit by regulators, police seize the Garantex crypto exchange, and scammers trick targets by making up ransomware attacks.

As Donald Trump’s administration continues its relentless reorganization of the United States federal government, documents obtained by WIRED showed this week that the Department of Defense is looking at cutting as much as three-quarters of its workforce that’s specifically focused on stopping proliferation of chemical, biological, and nuclear weapons. Meanwhile, the US Army is using its “CamoGPT” AI tool to “review” diversity, equity, inclusion, and accessibility policies per Trump administration orders. The military originally developed the AI service to improve productivity and operational readiness.

US civil liberties organizations are pushing the director of national intelligence. Tulsi Gabbard, to declassify details about Section 702 of the Foreign Intelligence Surveillance Act—a central overseas wiretap authority that is notorious for also capturing a large number of calls, texts, and emails made or sent by Americans. And the US Justice Department on Wednesday charged 10 alleged hackers and two Chinese government officials over digital crimes spanning more than a decade as part of China’s extensive hack-for-hire ecosystem.

Ongoing analysis from a consortium of researchers led by Human Security found that at least a million low-price Android devices, like TV streaming boxes and tablets, have been compromised as part of a scamming and ad fraud campaign known as Badbox 2.0. The activity, which the researchers say comes out of China, is an evolution of a previous effort to backdoor similar devices.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Cybercriminals Allegedly Used a Backdoor to Steal Taylor Swift Tickets**

Two people who allegedly worked as part of a group to access nearly 1,000 tickets to concerts and other events—many for Taylor Swift’s Eras Tour—before selling them on for more than $600,000 profit were arrested and charged with the potential crimes in Queens this week. Tyrone Rose, 20, and Shamara P. Simmons, 31, of Jamaica, Queens, were arrested and arraigned in connection to the theft and sales, according to Queens district attorney Melinda Katz.

Between June 2022 and July 2023, it is alleged that 350 orders—totaling 993 tickets—on ticketing platform StubHub were accessed at a third-party contractor called Sutherland. “The Sutherland employees, defendant Tyrone Rose and an unapprehended accomplice, allegedly used their access to StubHub’s computer system to find a backdoor into a secure area of the network where already sold tickets were given a URL and queued to be emailed to the purchaser to download,” the district attorney’s office wrote in a statement.

They then emailed URLs to another accomplice who has since died, the office says, before posting the tickets to StubHub for resale. While the investigations are ongoing, the District Attorney’s office claimed the proceeds of the cybercrime totaled around $635,000 and also involved tickets for Ed Sheeran concerts, NBA games, and the US Open Tennis Championships.

**Payment Provider Linked to ‘Largest Illicit Online Marketplace’ Loses Banking License**

Every year, criminals make billions from the operations of highly organized scam compounds in Southeast Asia. As these operations have grown in sophistication, so has the wider ecosystem that supplies them with the technology and services needed to run the scams. And experts say there’s no bigger marketplace than Huione Guarantee—a Cambodian gray market selling scam services that researchers claim has facilitated more than $24 billion in transactions.

This week, according to a report by Radio Free Asia, the banking arm of Huione Guarantee’s parent company, Huione Group, had its financial license suspended by officials in Cambodia. According to the report, the Huione Pay service had its license withdrawn for failing to comply with “existing regulations.” The United Nations Office on Drugs and Crime and crypto tracing firm Elliptic previously had linked money moving through Huione Pay to cyberscamming. “They are willing facilitators of pig butchering and other fraud, so any regulatory action against them should be welcomed,” Elliptic founder Tom Robinson claimed to Radio Free Asia.

**Russian Cryptocurrency Exchange Garantex Taken Down in Law Enforcement Action**

The US Department of Justice announced an operation this week with Germany and Finland to disrupt the digital infrastructure behind notorious Russian cryptocurrency exchange Garantex. For years, the platform has allegedly been used for money laundering and other criminal transactions, including sanctions evasion. The DOJ claimed in its announcement that “transnational criminal organizations—including terrorist organizations” have utilized the exchange. Law enforcement said that the platform has processed at least $96 billion in cryptocurrency transactions since April 2019. US authorities said they froze over $26 million in funds used to facilitate money laundering as part of the Garantex takedown.

**Scammers Are Impersonating Notorious Ransomware Attackers to Extort Targets**

The FBI warned this week that scammers pretending to be attackers from the BianLian ransomware gang are demanding ransoms from corporate executives in the US. The demands include claims that the group has breached a company’s network and threaten to publish sensitive information unless a target pays up. Such criminal digital extortion is common enough that scammers apparently feel that they can plausibly make the claims and intimidate targets without even attacking them. The FBI says that the scammers’ ransom demands say that they come from BianLian and range from $250,000 to $500,000 payable via a QR code that links to a Bitcoin wallet. The real BianLian group has links to Russia and has targeted US critical infrastructure since June 2022, according to a November alert from the US Cybersecurity and Infrastructure Security Agency.

Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Outpost24’s KrakenLabs reveals EncryptHub’s multi-stage malware campaign, exposing their infrastructure and tactics through critical OPSEC failures. Learn how…

Outpost24’s KrakenLabs reveals EncryptHub’s multi-stage malware campaign, exposing their infrastructure and tactics through critical OPSEC failures. Learn how this rising cybercriminal group operates and the threats they pose.  

In a recent in-depth investigation, Outpost24’s specialized threat intelligence team, KrakenLabs, identified previously undisclosed aspects of a sophisticated malware operation known as EncryptHub. KrakenLabs’ analysis, shared with Hackread.com, provides a detailed understanding of the group’s operational infrastructure, tools, and characteristic behavioural patterns.

This enhanced understanding was made possible by a series of security lapses on the part of EncryptHub, which, according to Outpost24, inadvertently exposed crucial elements of their malicious ecosystem.

These operational errors include the enabling of directory listings on their core infrastructure, the storage of stolen data alongside malware files, and the exposure of Telegram bot configurations used for data theft and campaign oversight.

EncryptHub’s attack campaigns are characterized by multi-layered PowerShell scripts, designed to collect system information, extract valuable data, implement evasion techniques, inject malicious code, and deploy additional data-stealing programs. Their distribution methods include the use of trojanized versions of popular applications and the employment of third-party pay-per-install services. The group prioritizes stolen credentials based on factors such as cryptocurrency holdings, corporate network access, and VPN usage.

Furthermore, EncryptHub is developing a remote access tool, “EncryptRAT,” which features a command-and-control panel for managing infected systems, suggesting potential future commercialization. The group also actively monitors the ongoing cybersecurity trends, integrating newly discovered vulnerabilities into their attacks.

EncryptHub has tested various methods to deploy malware without detection, including disguising malicious software as legitimate applications. During the investigation, researchers observed the group used counterfeit versions of applications like QQ Talk, WeChat, and Microsoft Visual Studio 2022 signed with revoked code-signing certificates, and later with certificates issued by Encrypthub LLC. These trojanized applications contained PowerShell scripts to download and execute further malicious code, gathering system information and deploying data stealers.

Another distribution method involved the use of LabInstalls, a pay-per-install service, which facilitates the rapid deployment of malware through automated Telegram bots. It is available for as low as $10 (for 100 loads) to up to $450 (for 10,000 loads). EncryptHub confirmed their use of this service through feedback posted on an underground forum.

Encrypthub’s positive feedback on an underground forum “XSS” (Source: Outpost24)

The group’s attack process, or killchain, has evolved, with the latest version involving a multi-stage PowerShell script execution. The initial script steals sensitive data, including messaging sessions, cryptocurrency wallet information, and password manager files. It then downloads and executes a second script, which deploys further malicious components, including a modified Microsoft Common Console Document. The final stage involves the deployment of Rhadamanthys, an information stealer.

EncryptHub’s Killchain and Attack Process (Source: Outpost24)

EncryptHub is also developing a command-and-control panel, EncryptRAT, which allows for the management of infected systems, remote command execution, and the monitoring of stolen data. The tool’s development suggests a potential move towards commercialization, with features like multi-user support and segregated data storage.

KrakenLabs’ findings emphasise the need for continuous monitoring and enhancing security measures to counter the evolving threats posed by groups like EncryptHub. The group’s ability to adapt and utilize both in-house tools and third-party services highlights the importance of multi-layered security strategies.

EncryptHub’s OPSEC Failures Expose Its Malware Operation

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the…

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the use of LOLBAS, and the various malware payloads. Get detailed analysis, IOCs, and mitigation recommendations.

Microsoft’s Threat Intelligence team has recently dismantled a large-scale malvertising campaign that impacted nearly one million devices worldwide. The primary targets were Windows systems running various browsers, including Chrome and Edge and it impacted a wide range of organizations, from individual users to large enterprises, which demonstrates its widespread impact.

Tracked under the name Storm-0408, this campaign was discovered in December 2024 and involved a multi-stage attack chain. According to Microsoft’s research report, shared with Hackread.com, the attack originated from illegal streaming websites where the attackers utilized compromised GitHub repositories to distribute malware as well as Discord and Dropbox for hosting some payloads. The malicious GitHub repositories have since been removed.

Users were initially redirected from illegal streaming sites, which embedded malicious advertisements within video frames “to generate pay-per-view or pay-per-click revenue,” leading to intermediate websites. These websites then redirected users to GitHub, where the first-stage malware payloads were hosted.

These repositories served as a launchpad for deploying additional malware and scripts. The initial malware established a foothold on the compromised devices, enabling the deployment of subsequent payloads – designed to collect system information and exfiltrate documents and data from the affected systems. 

The initial access payloads on GitHub were typically obfuscated JavaScript files that initiated the download and execution of further malware. The attack chain consisted of multiple stages, each with specific objectives as Microsoft explained in this image:

Attack Stages and Attack Chain (Source: Microsoft)

The first-stage payload, hosted on GitHub, acted as a dropper for the second-stage files. These files were used for system discovery, collecting information such as memory size, graphics details, screen resolution, operating system, and user paths. This data was then Base64-encoded and exfiltrated to a command-and-control (C2) server. A typical redirection chain might look like this:

illegalstreamingsite.com/movie.html -> malvertisingredirector.com/redirect.php -> intermediarysite.net/landing.html -> github.com/malicioususer/malware.js.

Depending on the second-stage payload, various third-stage payloads were deployed, which conducted additional malicious activities, including C2 communication, data exfiltration, and defence evasion techniques.

The attackers also utilized legitimate tools and scripts, and most importantly a technique known as “living-off-the-land binaries and scripts” (LOLBAS), to blend in with normal system activity. For example, one common tactic was to inject malicious code into the legitimate RegAsm.exe process to establish C2 connections and exfiltrate data.

The campaign employed a modular approach, with each stage dropping another payload with distinct functions including system discovery, credential theft, and data exfiltration. Persistence was achieved through modifications to the registry and the creation of shortcut files in the Windows Startup folder.

The prompt collaboration between Microsoft and GitHub in taking down malicious repositories highlights the importance of industry cooperation in combating cyber threats.

Microsoft has provided detailed recommendations to mitigate the impact of this threat, including strengthening Microsoft Defender for Endpoint configurations, enhancing operating environment security, and implementing multi-factor authentication.

Ensar Seker, Chief Security Officer at SOCRadar commented on the latest development stating, “The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign.”

“This campaign is likely part of a broader MaaS (Malware as a Service) ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans,” Ensar added. “Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”

Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox

Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Former US congresswoman Tulsi Gabbard’s ascendance to director of national intelligence last month signaled a major shift in views toward government surveillance at the highest rung of the US intelligence community. While backing down from some of her more extreme anti-surveillance views in the run-up to her confirmation, Gabbard nevertheless held fast to a few promises of reform that have been traditionally eschewed by federal law enforcement leaders.

Now, some of the nation’s premier civil liberties organizations have begun lobbying America’s “top spy” to follow through on a pledge to bring about new levels of oversight and transparency to a key US surveillance program that’s long been plagued by reports of misuse.

Led by the American Civil Liberties Union, at least 20 major privacy groups this week urged Gabbard to declassify information concerning Section 702 of the Foreign Intelligence Surveillance Act (FISA)—the nation’s cornerstone wiretap authority that, while aimed at collecting intelligence on foreigners overseas, is known to vacuum up large quantities of calls, texts, and emails belonging to Americans.

In a letter first obtained by WIRED, the groups privately urged Gabbard this week to declassify information regarding the types of US businesses that can now be secretly compelled to install wiretaps on the US National Security Agency’s (NSA) behalf.

While it’s no secret that the government routinely compels phone and email service providers like AT&T and Google into conducting wiretaps, Congress passed a new provision last year expanding the range of businesses that can receive such orders. Legal experts had warned in advance that the provision was far too ambiguous and likely to vastly increase the number of Americans whose communications are wiretapped. But their warnings were not heeded.

It is widely assumed that the classified purpose behind the expanded authority is allowing the government to obtain access to communications in US data centers. Lawyers for the US Justice Department attempted to unilaterally expand the reach of the program in 2022, but its efforts were foiled by the secret surveillance court that oversees FISA. Only Congress has the power to expand FISA, the department was told.

As its a matter of secret law, lawmakers were unable to specify much about the limits of the government’s access in the provision they ultimately passed. This inevitably led to the adoption of a vague new definition for what the government calls an “electronic communications service provider” (ECSP)—the term for companies whose cooperation can be compelled under FISA.

Privacy experts and industry leaders had likewise raised concerns about introducing ambiguity into a law that defines the scope of a powerful surveillance tool, warning the changes could expose a near limitless new range of new businesses to secret government demands.

As WIRED reported last spring, opponents of the provision in Washington had cast the surveillance program’s new parameters as effectively “Stasi-like”—a reference to the defunct East German secret police agency notorious for infiltrating industry and forcing private citizens to spy on one another.

Senator Ron Wyden of Oregon, a renowned privacy hawk who has served on the Senate intelligence committee since just after 9/11, has referred to the new provision as “one of the most dramatic and terrifying expansions of government surveillance authority in history.”

Declassifying the new types of businesses that can actually be considered an ECSP is an essential step in bringing about clarity to an otherwise nebulous change in federal surveillance practices, according to the ACLU and the other organizations joined in its effort. “Without such basic transparency, the law will likely continue to permit sweeping NSA surveillance on domestic soil that threatens the civil liberties of all Americans,” the groups wrote in their letter to Gabbard this week.

The Office of the Director of National Intelligence did not respond to multiple requests for comment.

In addition to urging Gabbard to declassify details about the reach of the 702 program, the ACLU and others are currently pressing Gabbard to publish information to quantify just how many Americans have been “incidentally” wiretapped by their own government. Intelligence officials have long claimed that doing so would be “impossible,” as any analysis of the wiretaps would involve the government accessing them unjustifiably, effectively violating those Americans’ rights.

The privacy groups, however, point to research published in 2022 out of Princeton University, which details a methodology that could effectively solve that issue. “The intelligence community’s refusal to produce the requested estimate undermines trust and weakens the legitimacy of Section 702,” the groups say.

Gabbard is widely reported to have softened her stance against government spying while working to secure her new position as director of the nation’s intelligence apparatus. During the 116th Congress, for instance, Gabbard introduced legislation that sought to completely dismantle the Section 702 program, which is considered the “crown jewel” or US intelligence collection and crucial to keeping tabs on foreign threats abroad, including terrorist organizations and cybersecurity threats—exhibiting a stance far more extreme than those traditionally held by lawmakers and civil society organizations who’ve long campaigned for surveillance reform.

While begging off from this position in January, Gabbard’s newly espoused views have, in fact, brought her more closely in line with mainstream reformers. In response to questions from the US Senate ahead of her confirmation, for example, Gabbard backed the idea of requiring the Federal Bureau of Investigation to obtain warrants before accessing the communications of Americans swept up by the 702 program.

Slews of national security hawks from former House speaker Nancy Pelosi to former House intelligence committee chairman Mike Turner have long opposed this warrant requirement, as traditionally have all directors of the FBI. “This warrant requirement strengthens the \[intelligence community\] by ensuring queries are targeted and justified," Gabbard wrote in response to Senate questions in late January.

The Section 702 program was reauthorized last spring, but only for an additional two years. Early discussions about reauthorizing the program once more are expected to kick off again as early as this summer.

Sean Vitka, executive director of Demand Progress, one of the organizations involved in the lobbying effort, notes that Gabbard has a long history of supporting civil liberties, and refers to her recent statements about secret surveillance programs “encouraging.” “Congress needs to know, and the public deserves to know, what Section 702 is being used for,” Vitka says, “and how many Americans are swept up in that surveillance.”

“Section 702 has been repeatedly used to conduct warrantless surveillance on Americans, including journalists, activists, and even members of Congress,” adds Kia Hamadanchy, senior policy counsel for the ACLU. “Declassifying critical information, as well as providing long-overdue basic data about the number of US persons whose communications are collected under this surveillance are essential steps to increasing transparency as the next reauthorization debate approaches.”

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

Discover how artificial intelligence is shaping the future of workplace management, from optimizing efficiency to enhancing employee experience.…

Discover how artificial intelligence is shaping the future of workplace management, from optimizing efficiency to enhancing employee experience. Explore the evolving role of AI in transforming workplace operations and strategies for smarter, more effective decision-making.

Artificial Intelligence (AI) is transforming nearly every aspect of business operations, and workplace management is no exception. The integration of AI into workplace management brings a range of benefits, from optimizing office space to improving employee productivity and engagement. However, it also introduces several challenges that organizations must address to ensure a smooth transition and successful implementation.

**Table of Contents**

1.  The benefits of AI in workplace management
2.  AI: the brain behind modern workplace decision-making
    1.  The challenges of AI in workplace management
    2.  Resistance to change
    3.  Integration with existing systems
    4.  Bias and Fairness in AI
3.  The next frontier: AI in workplace management
4.  Conclusion

AI can significantly improve workplace efficiency by automating routine tasks, such as scheduling, resource allocation, and inventory management. By removing these repetitive and time-consuming activities from employees’ workloads, AI allows them to focus on more critical tasks, ultimately boosting productivity across the organization.

For instance, AI-driven meeting room booking systems can automatically allocate rooms based on team size, equipment requirements, and availability, ensuring seamless operations. For those wondering, **what is workplace management?** It refers to the strategic approach of optimizing workplace resources, processes, and technology to create a more efficient and productive work environment.

****AI: the brain behind modern workplace decision-making****

With the ability to analyze vast amounts of data in real-time, AI can help managers make informed, data-driven decisions. For example, AI-powered workplace analytics tools can provide insights into **employee performance**, space utilization, and overall operational efficiency. These insights allow managers to identify trends, improve resource allocation, and optimize workflows, ensuring that both employees and resources are used to their full potential.

*   **Personalized Employee Experience**: AI is capable of creating a personalized work environment for employees by understanding individual preferences and needs. By analyzing data on work patterns, preferences, and behaviours, AI can suggest customized solutions for improving employee productivity, wellness, and satisfaction. From automatically adjusting room lighting and temperature based on preferences to offering personalized workspaces and task prioritization, AI can tailor the workplace to enhance the overall employee experience.

*   **Cost Savings and Resource Optimization**: AI helps organizations optimize resource utilization, reducing waste and inefficiencies. By utilizing predictive analytics, businesses can better forecast demand for resources, such as meeting rooms, office equipment, and even parking spaces. As a result, companies can minimize costs associated with underutilized assets and improve overall space management. AI-driven energy management systems can also help cut down on energy consumption by adjusting lighting, heating, and cooling systems based on occupancy and weather patterns.

****The challenges of AI in workplace management****

One of the biggest challenges when integrating AI into workplace management is ensuring data privacy and security. AI systems rely on large volumes of data to function effectively, and this data often includes sensitive information about employees and business operations. Without proper safeguards in place, there is a risk of data breaches and privacy violations. Organizations must implement robust cybersecurity protocols and ensure compliance with data protection regulations to mitigate these risks.

****Resistance to change****

Implementing AI solutions in the workplace may encounter resistance from employees who are sceptical about the technology or concerned about job security. Employees may fear that AI will replace human workers, leading to a decline in morale and productivity. To overcome this resistance, organizations must focus on education and training, helping employees understand the benefits of AI and how it can support their work rather than replace it.

****Integration with existing systems****

Integrating AI into existing workplace management systems can be complex and time-consuming. Many organizations rely on legacy systems that may not be compatible with AI technologies. This can lead to difficulties in data transfer, system integration, and operational disruptions. Organizations must carefully plan their **AI implementation strategy**, ensuring that they invest in systems that integrate seamlessly with their current infrastructure to avoid costly delays and technical challenges.

****Bias and Fairness in AI****

AI algorithms are only as good as the data they are trained on, and if that data is biased, the AI system may produce biased results. For example, AI-driven employee performance management tools could inadvertently favour certain groups over others if the data used to train the system reflects biases related to gender, race, or other factors. To address this, organizations must ensure that the data used to train AI models is diverse and representative and that AI systems are regularly audited for fairness and accuracy.

****The next frontier: AI in workplace management****

As AI continues to evolve, its role in workplace management will only expand. Future AI systems will be even more sophisticated, with the potential to transform how employees interact with their work environment. AI-powered tools will become more intuitive, anticipating needs before they arise and offering proactive solutions.

However, for AI to achieve its full potential, organizations must ensure that they are prepared to address the challenges outlined above. By focusing on transparency, employee engagement, and data privacy, businesses can unlock the full benefits of AI while mitigating the associated risks. As AI technology becomes increasingly integrated into workplace management systems, it promises to create smarter, more efficient, and more personalized work environments that benefit both employees and organizations alike.

****Conclusion****

AI is revolutionizing workplace management by improving efficiency, enhancing decision-making, and optimizing resource utilization. While the benefits are clear, organizations must also be mindful of the challenges, such as **data privacy**, employee resistance, and system integration.

By carefully navigating these challenges, businesses can successfully harness the power of AI to create smarter, more efficient, and more productive workplaces. As AI technology continues to advance, the future of workplace management looks promising, offering exciting possibilities for organizations that embrace it.

The Future of AI in Workplace Management

Documents obtained by WIRED show the US Department of Defense is considering cutting up to 75 percent of workers who stop the spread of chemical, biological, and nuclear weapons.

US agencies responsible for preventing the global proliferation of weapons of mass destruction and building security capacity around the world are facing deep cuts, perhaps total abolition, as the Trump administration continues its assault on any and all spending going overseas.

According to a draft working paper provided to WIRED, the Department of Defense is asking all its agencies and services that conduct “security cooperation” programs to consider the impact if the Pentagon were to “realign” its funding. The authors of the paper warn that the cuts could hobble the fight against organized crime in South America, impair the battle against the Islamic State, increase the likelihood of a rogue state producing and using chemical weapons, and defund pandemic surveillance measures.

The working paper is in response to a request for information from Secretary of Defense Pete Hegseth, asking agencies to assess the consequences of four levels of staff reduction—25 percent, 50 percent, and 75 percent cuts, or outright abolition.

This cost-cutting exercise is being conducted in response to a January 20 executive order from President Donald Trump, mandating that departments and agencies review all foreign aid programs. But the DOD review is going well beyond foreign aid. According to the working paper, the Defense Department looks set to make cuts to all humanitarian assistance, security cooperation, and cooperative threat-reduction efforts. The DOD has made clear that all spending ought to align with the secretary’s three priorities: deterring China, increasing border security, and pushing allies to shoulder more of the burden. It is not clear what role, if any, Elon Musk’s so-called Department of Government Efficiency (DOGE) is playing in these workforce reduction decisions.

**Pandemics and Weapons of Mass Destruction**

In response to the Pentagon’s request for information, the agencies contemplated lower bounds of cuts of 20, 40, and 60 percent—a counter-offer, the Pentagon source says, because officials in these agencies see a 60 percent cut as a “red line” that would still severely hurt global and domestic security.

A 20 percent reduction in funding, the memos say, would reduce some mine-clearance efforts in former war zones, significantly hurt programs to surveil and prevent infectious disease outbreaks in Africa, and worsen biosafety and biosecurity programs at biological laboratories worldwide, among other losses.

A 40 percent reduction would limit funding for counter-extremism programs in Africa and the Middle East, close all mine-clearance operations, shut down programs to intercept and prevent the development of weapons of mass destruction, and completely shut down biological surveillance programs.

A 60 percent cut would be significantly more severe, according to the memo. It would fundamentally eliminate America’s role in preventing the spread of chemical, biological, and nuclear weapons, the documents warn, and increase the likelihood of a lab accident or theft of potentially dangerous biological material.

The secretary of defense also asked the agencies to game out the consequences of fully shutting down some of their operations—a move, the agencies claim, that would defund border security measures and anti-drug-trafficking efforts.

One of the agencies targeted by this spending review is the Defense Threat Reduction Agency (DTRA), which leads counter-proliferation efforts on chemical, biological, and nuclear threats, both on its own and with US allies. In recent years, DTRA took the lead on destroying chemical weapons in Syria, helped secure 10 metric tons of highly enriched uranium in Kazakhstan, and worked with the Ukrainian government to upgrade security at its infectious disease laboratories.

A Pentagon source tells WIRED that if cuts on the higher end of the proposed spectrum are made, DTRA will effectively end. “Anything more than a 60 percent cut cripples the program,” they say. The source, who requested anonymity because they are not authorized to discuss the spending review, claims a total elimination of these programs is also on the table.

"All reductions increase risk to US due to pathogen spread and easier adversary pathways to develop WMD,” the memos read.

The secretary of defense declined to comment for this story, with a spokesperson writing, “We will not comment on internal deliberations.”

The cost-savings of these cuts would be relatively marginal compared to the Pentagon’s $850 billion budget. The Department of Defense only spends about $19 billion on humanitarian assistance, security cooperation, and cooperative threat-reduction programs, including DTRA—of that, the proposed cuts would eliminate between $5 billion and $15 billion. Because many of these programs are funded via congressional earmark, it’s not clear the Pentagon has the authority to cut and reappropriate their funding.

Trump and Hegseth have previewed defense cuts, promising to reduce spending by $50 billion—about 8 percent of the Pentagon’s nonlethal budget, Hegseth has said.

These cuts could also have a domino effect on other programs that are run in conjunction with the State Department and other agencies. One long-standing project facing cuts under this review is the State Partnership Program, which sends National Guard members to liaise and train with friendly militaries abroad. This program has historically been particularly popular with Republican members of Congress. But it, like dozens of other Pentagon activities, faces steep cuts or outright abolition.

A source with knowledge of the funding review says that a decision has yet to be made about the exact level of these cuts, and that meetings are ongoing to decide which agencies or programs will be hit and how hard. A final decision is due in mid-April, at the end of the 90-day window set out in the January 20 executive order. Sources inside the Pentagon who work on security cooperation say they are fearful that the cuts will be severe.

**Burst Bubble**

The people who work to stop the spread of dangerous material insist that these programs are not foreign assistance at all—they are all about domestic and global security.

DTRA, for example, currently works with 35 nations, helping to upgrade their biosafety and biosecurity practices while also helping them destroy dangerous biological samples. Much of this work takes place in veterinary clinics, which often treat and collect samples from sick livestock, making them the front line of infectious disease outbreaks. This work, in recent years, has included many of the African nations hit by Ebola.

Partnering with local health authorities not only helps prevent the next epidemic, but it also makes sure that these virological samples are kept secure—“so it's not accidentally going to leak out of these public health facilities or not be stolen by a terrorist,” Robert Pope, director of Cooperative Threat Reduction at DTRA, explained in a 2022 interview.

DTRA’s staff operate as an “early warning system,” a congressional staffer tells WIRED, ahead of any deployment of the US military, they say. While it may not be a traditional kind of military power, they add, it should still fit into this administration’s priorities. “It secures our border from pathogens.”

An independent analysis conducted for the Pentagon in 2022 found that these threat reduction programs are “well-positioned to respond quickly to emerging \[weapons of mass destruction\] threats; its authorities are unique and fill an existing gap.”

Programs like DTRA ought to be expanded, not cut, says Gigi Gronvall, a professor at the Johns Hopkins Center for Health Security. These are primarily national security programs, she says, designed to “give ourselves the eyes and ears around the world to put out those fires, or prevent them from happening in the first place.”

If you don’t put out the fire—whether it’s a novel infectious disease or a chemical weapons program in a rogue state—it will keep growing, Gronvall adds. “We have areas of the world that don’t have fire departments,” she says. “By helping them help themselves, we are helping them step up.”

**‘A Fire Sale on Expertise’**

The Pentagon’s threat reduction efforts, and the DTRA itself, stem from the work of former US senators Sam Nunn, a Democrat, and Richard Lugar, a Republican, to secure weapons of mass destruction after the fall of the Soviet Union. America, through their work, destroyed thousands of ballistic missiles and nuclear warheads, disposed of tens of thousands of pounds of chemical weapons, and dismantled Soviet bioweapon laboratories. In 1998, DTRA was formally created and given a more expensive mandate to both track and destroy chemical and biological threats while also helping other nations do the same.

For its work, DTRA has been targeted by Russian disinformation efforts, with Moscow accusing America of producing biological weapons in these DTRA-funded labs. Following the full-scale Russian invasion of Ukraine in 2022, conspiracy theorists in America picked up that thread, suggesting the invasion was cover to destroy these bioweapons labs.

Fears about DTRA’s work have since been raised by Health and Human Services secretary Robert F. Kennedy Jr., director of national intelligence Tulsi Gabbard, and Russia itself. Republican senator Rand Paul has repeatedly issued subpoenas to the DTRA looking for evidence that it has been engaged in dangerous virological research and suggesting that it may have had a hand in creating Covid-19.

“When Russia was attacking that program, it was doing so because it wanted to erode our national security,” Gronvall says. Russia may not believe these lies, she adds, but “they have been enormously successful in getting people with power to believe these things.”

Last year, the United States accused Russia of using prohibited chemical weapons in its war on Ukraine. According to this working paper, the proposed cuts to the DTRA could eliminate America’s ability to investigate and attribute such chemical weapons attacks in Eastern Europe.

Investigating and attributing these attacks is a form of deterrence, Gronvall says. Without this capability, she adds, “it means you’re going to see a lot more chemical weapons used.”

The United States believes that Russia, North Korea, and other rogue states have active biological weapons programs. Despite that, no state has actually deployed a biological weapon since the adoption of the Biological Weapons Convention. Gronvall is worried that dismantling the DTRA could weaken that prohibition. “I would worry that that would be something we would see,” she says.

The working paper warns that reducing this funding could surrender ground to Russia and China, which may try and fill the void left by the US. That could see Moscow and Beijing move in to partner with foreign militaries, cooperate with these biological facilities, and even recruit new scientists.

“It’s going to be a fire sale on expertise,” Gronvall says, “and that is helping China, 100 percent.”

Pentagon Cuts Threaten Programs That Secure Loose Nukes and Weapons of Mass Destruction

Martin Lee dives into to the complexities of defending our customers from threat actors and covers the latest Talos research in this week's newsletter.

Thursday, March 6, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organistation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

**The one big thing**

Lotus Blossum is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity. 

**Why do I care?**

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sector, other threat actors may be conducting information stealing campaigns against you.

**So now what?**

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

**  
Top security headlines of the week**

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency, CISA reports that it will continue to defend against threats including those from Russia. (TheRecord)

****Can’t get enough Talos?****

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA    
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA   

**Most prevalent malware files from Talos telemetry over the past week**

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac  
MD5: 6361f25ede0442f2e0ad3bcd33c331c8  
Typical Filename: KMSSS.exe  
Detection Name: PUA.Win.Dropper.Hackkms::tpd  
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: img001.exe  
Detection Name: Win.Trojan.Miner-9835871-0  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Tag

#intel