Threats

Cisco Talos Blog: Threats

May 12, 2026 06:00 - State-sponsored actors, better known as the friends you don’t want
Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. Learn why your IR plan might need revisiting, and the factors you should consider. (Elio Biasiotto, Jerzy ‘Yuri’ Kramarz)

April 23, 2026 11:10 - UAT-4356's Targeting of Cisco Firepower Devices
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS).

UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. (Cisco Talos; Threat Advisory)

November 13, 2025 06:00 - Unleashing the Kraken ransomware group
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. (Chetan Raghuprasad, Michael Szeliga; Threat Spotlight, ransomware)

October 26, 2025 22:00 - Uncovering Qilin attack methods exposed through multiple cases
Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence. (Takahiro Takeda, Jordyn Dunk, James Nutland)

October 16, 2025 06:00 - BeaverTail and OtterCookie evolve with a new Javascript module
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). (Vanja Svajcer, Michael Kelley; SecureX, DPRK)

September 23, 2025 14:00 - How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking
Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors. (Joey Chen, Takahiro Takeda)

August 20, 2025 09:00 - Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering. (Sara McBroom, Brandon White)

June 18, 2025 06:00 - Famous Chollima deploying Python version of GolangGhost RAT
Learn how the North Korean-aligned Famous Chollima is using a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India. (Vanja Svajcer)

May 29, 2025 06:00 - Cybercriminals camouflaging threats as AI tool installers
Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims. (Chetan Raghuprasad)

May 23, 2025 06:00 - Scarcity signals: Are rare activities red flags?
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. (Cisco Talos, Darin Smith)

March 13, 2025 06:00 - Abusing with style: Leveraging cascading style sheets for evasion and tracking
Cascading Style Sheets (CSS) are ever present in modern-day web browsing; however, that is far from their only use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking. (Omid Mirzaei)

March 6, 2025 06:00 - Unmasking the new persistent attacks on Japan
Cisco Talos has discovered active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

February 27, 2025 06:00 - Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
(Joey Chen)

February 25, 2025 06:17 - Your item has sold! Avoiding scams targeting online sellers
There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. (Edmund Brumaghin; phishing)

February 6, 2025 06:00 - Google Cloud Platform Data Destruction via Cloud Build
A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.

January 28, 2025 06:00 - New TorNet backdoor seen in widespread campaign
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

January 24, 2025 08:37 - Seasoning email threats with hidden text salting
Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

December 19, 2024 06:04 - Exploring vulnerable Windows drivers
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique, along with Cisco Talos’ series of posts about malicious Windows drivers. (Nicole Hoffman, Chris Neal; vulnerability, drivers)

November 7, 2024 06:00 - Unwrapping the emerging Interlock ransomware attack
Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware. (Aliza Johnson)

October 31, 2024 09:37 - Threat actors use copyright infringement phishing lure to deploy infostealers
Cisco Talos has observed a threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. This campaign delivers an information stealer onto the target's machine to avoid network security product detections.

October 22, 2024 06:00 - Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Cisco Talos recently discovered a phishing campaign by an unknown threat actor using an open-source phishing toolkit called Gophish.

October 3, 2024 06:00 - Threat actor believed to be spreading new MedusaLocker variant since 2022
The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America. (Tiago Pereira, Arnaud Zobec)

September 26, 2024 09:00 - Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam
Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. (Jaeson Schultz)

September 10, 2024 00:00 - DragonRank, a Chinese-speaking SEO manipulator service provider
Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

September 6, 2024 06:00 - Vulnerability in Tencent WeChat custom browser could lead to remote code execution
While this issue was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated and still remained vulnerable when Talos reported it to the vendor. (Ashley Shen, Vitor Ventura, Aleksandar Nikolic)

September 3, 2024 08:00 - Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

June 21, 2024 08:00 - Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia
The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. (Ashley Shen)

SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques
Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.

April 24, 2024 11:54 - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series and has released three CVEs related to the event. We assess with high confidence that this activity is related to the same threat actor as ArcaneDoor in 2024.

April 23, 2024 08:01 - Suspected CoralRaider continues to expand victimology using three information stealers
Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload onto the victims’ host.

April 17, 2024 07:59 - OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

April 16, 2024 08:00 - Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Cisco Talos would like to acknowledge Anna Bennett and Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the identification of these attacks. Cisco Talos is actively monitoring a global

April 9, 2024 08:02 - Starry Addax targets human rights defenders in North Africa with new malware
Cisco Talos is disclosing a new threat actor we deemed “Starry Addax,” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause, with a novel mobile malware.

April 4, 2024 08:00 - CoralRaider targets victims’ data and social media accounts
Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

March 13, 2024 08:00 - Threat actors leverage document publishing sites for ongoing credential and session token theft
Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. (Craig Jackson; On The Radar)

March 5, 2024 08:00 - GhostSec’s joint ransomware operation and evolution of their arsenal
Cisco Talos observed a surge in the malicious activities of the hacking group GhostSec since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

February 27, 2024 08:00 - TimbreStealer campaign targets Mexican users with financial lures
Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. (Jacob Finn, Tucker Favreau, Jacob Stanfill, Guilherme Venere)

February 22, 2024 08:00 - TinyTurla-NG in-depth tooling and command and control analysis
Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed. (Asheer Malhotra, Holger Unterbrink)

February 20, 2024 08:00 - Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns
Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. (Edmund Brumaghin)

February 15, 2024 08:00 - TinyTurla Next Generation - Turla APT spies on Polish NGOs
This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

February 14, 2024 08:00 - How are attackers using QR codes in phishing emails and lure documents?
QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately holds the sensitive information that attackers are after. (Jonathan Munshaw; The Need to Know)

February 8, 2024 08:00 - New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”

December 11, 2023 08:50 - Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. (Jungsoo An, Vitor Ventura)

November 30, 2023 08:00 - New SugarGh0st RAT targets Uzbekistan government and South Korea
Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

November 2, 2023 07:58 - Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”
Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams. (Tiago Pereira)

October 31, 2023 07:00 - Arid Viper disguising mobile spyware as updates for non-malicious Android applications
Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.

October 25, 2023 08:01 - Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian.

October 5, 2023 07:00 - Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown
The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.

September 19, 2023 08:00 - New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
Cisco Talos has discovered a new intrusion set we're calling "ShroudedSnooper," consisting of two new implants, "HTTPSnoop" and "PipeSnoop," targeting telecommunications firms in the Middle East. (Caitlin Huey, Sean Taylor)

August 29, 2023 08:00 - What's in a name? Strange behaviors at top-level domains create uncertainty in DNS
Confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients. (Jaeson Schultz, Adam Katz)

August 24, 2023 08:04 - Lazarus Group's infrastructure reuse leads to discovery of new malware
Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase. (Jungsoo An)

August 24, 2023 08:02 - Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

August 7, 2023 08:00 - New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.

July 13, 2023 06:45 - Malicious campaigns target government, military and civilian entities in Ukraine, Poland
Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.

June 13, 2023 08:03 - ".Zip" top-level domains draw potential for information leaks
As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server.

June 1, 2023 08:00 - New Horabot campaign targets the Americas
Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020.

May 25, 2023 08:02 - Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).

May 15, 2023 08:00 - Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.

April 18, 2023 11:02 - State-sponsored campaigns target global network infrastructure
This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. (Matt Olney)

April 13, 2023 00:48 - How threat actors are using AI and other modern tools to enhance their phishing attempts
Tools like ChatGPT aren't making social engineering attacks any more effective, but they do make it faster for actors to write up phishing emails.

April 4, 2023 08:00 - Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities
The stealer is for sale on dark web forums for $59 a month, or $540 for a lifetime subscription, which is relatively inexpensive compared to other infostealers.

March 22, 2023 15:41 - Emotet resumes spam operations, switches to OneNote
Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.

March 15, 2023 19:46 - Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild
Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

March 14, 2023 07:00 - Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency
Cisco Talos has identified a new espionage-oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey.

March 9, 2023 08:02 - Prometei botnet improves modules and exhibits new capabilities in recent updates
The high-profile botnet, focused on mining cryptocurrency, is back with new Linux versions. (Andrew Windsor)

February 14, 2023 08:00 - New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign
Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.

January 19, 2023 08:00 - Following the LNK metadata trail
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be used to identify and track new campaigns.

December 20, 2022 08:00 - Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs, or rely on exploiting newly discovered vulnerabilities to launch malicious code.

November 17, 2022 08:01 - Get a Loda This: LodaRAT meets new friends
* LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
* Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality that have been seen in the wild.
* Changes in these LodaRAT variants include new f

November 9, 2022 08:00 - Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
* The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure

August 18, 2022 08:00 - Ukraine war spotlights agriculture sector's vulnerability to cyber attack
The war in Ukraine has caused massive problems for global food supplies, underscoring the high impact of disruptive events to agriculture entities and related organizations.
* The challenges to the Ukrainian agriculture sector imposed by the war--and global ripple effects--have
(Joe Marshall; Ukraine)

August 8, 2022 08:42 - Small-time cybercrime is about to explode — We aren't ready
The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking. When most people think of cybercrime they think of large-scale breaches because that's what d (Nick Biasini)

July 27, 2022 08:00 - What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads
By Nate Pors and Terryn Valikodath.
Executive summary
* In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely ha
(Cisco Talos Incident Response)

June 21, 2022 07:58 - Avos ransomware group expands with new attack arsenal
By Flavio Costa.
* In a recent customer engagement, we observed a month-long AvosLocker campaign.
* The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners.
* The initial ingress point in this incident was a pa
(Chris Neal)

May 18, 2022 02:00 - The BlackByte ransomware group is striking users all over the globe
News summary
* Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
* The FBI released a joint cybersecurity advisory in February 2022 wa
(Holger Unterbrink)

January 7, 2022 16:41 - Threat Roundup for December 31 to January 7
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 31 and Jan. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke (William Largent; Threat Roundup)

December 3, 2021 15:02 - Threat Roundup for November 26 to December 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 26 and Dec. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke (Headlines)

November 19, 2021 14:31 - Threat Roundup for November 12 to November 19
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 12 and Nov. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting k

November 10, 2021 17:11 - North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
* Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.
* Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012.
* This campaign utilizes malici

November 5, 2021 13:47 - Threat Roundup for October 29 to November 5
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 29 and Nov. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke

November 3, 2021 08:00 - Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
By Chetan Raghuprasad and Vanja Svajcer, with contributions from Caitlin Huey.
* Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware predominantly affecting users in the U.S. with smaller number of infections in U.K., Germany, Ukraine

October 28, 2021 08:00 - Quarterly Report: Incident Response trends from Q3 2021
Ransomware again dominated the threat landscape, while BEC grew. By David Liebenberg and Caitlin Huey. Once again, ransomware was the most dominant threat observed in Cisco Talos Incident Response (CTIR) engagements this quarter. CTIR helped resolve several significant ransomwa (Features)

October 26, 2021 08:00 - SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
By Edmund Brumaghin, Mariano Graziano and Nick Mavis. Recently, a new threat, referred to as "SQUIRRELWAFFLE," is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spre

October 22, 2021 16:33 - Threat Roundup for October 15 to October 22
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting k

October 19, 2021 20:00 - Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
* Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
* These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corru
(Asheer Malhotra)

October 15, 2021 17:08 - Threat Roundup for October 8 to October 15
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 8 and Oct. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke

September 30, 2021 08:01 - A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus
By Vitor Ventura and Arnaud Zobec. Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundb

September 23, 2021 08:01 - Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
By Asheer Malhotra, Vanja Svajcer and Justin Thattil.
* Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
* This campaign distributes malicious documents and archive

September 16, 2021 08:00 - Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
By Tiago Pereira and Vitor Ventura.
* Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
* The same actor has been running successful malware campaigns for more than five years.
* Although always

September 2, 2021 08:02 - Translated: Talos' insights from the recently leaked Conti ransomware playbook
Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also transl

August 27, 2021 14:44 - Threat Roundup for August 20 to August 27
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 20 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting k

August 20, 2021 14:23 - Threat Roundup for August 13 to August 20
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 13 and Aug. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting k

August 17, 2021 08:01 - Neurevt trojan takes aim at Mexican users
By Chetan Raghuprasad, with contributions from Vanja Svajcer.
* Cisco Talos discovered a new version of the Neurevt trojan with spyware and backdoor capabilities in June 2021 using Cisco Secure Endpoint product telemetry.
* This version of Neurevt appears to tar

August 13, 2021 13:12 - Threat Roundup for August 6 to August 13
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 6 and Aug. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke

August 12, 2021 18:33 - Vice Society leverages PrintNightmare in ransomware attacks
Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Ci (Joe Marshall)

August 12, 2021 08:00 - Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
By Vanja Svajcer.
* Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServH

August 11, 2021 08:00 - Talos Incident Response quarterly threat report — The top malware families and TTPs used in Q2 2021
Last quarter, ransomware was not the most dominant threat for the first time since we began compiling these reports. We theorized that this was due to a huge uptick in Microsoft Exchange exploitation, which temporarily became a primary focus

August 6, 2021 13:49 - Threat Roundup for July 30 to August 6
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 30 and Aug. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting ke

July 30, 2021 17:50 - Threat Roundup for July 23 to July 30
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 23 and July 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting k

July 29, 2021 13:00 - Threat Spotlight: Solarmarker
By Andrew Windsor, with contributions from Chris Neal.
* Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger.
* A previous staging module, "d.m," used with this malware has been rep
