2024 wasn't the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. Read this summary of AI-based threats, from Talos' 2024 Year in Review.

Tuesday, April 29, 2025 05:47

2024 wasn't the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. In Cisco Talos' 2024 Year in Review, with the help of our friends at Robust Intelligence (now a Cisco company), we dissect how cybercriminals used generative AI to scale up social engineering, fine-tune phishing, and automate grunt work like OSINT gathering.

So while AI didn't completely rock the threat landscape last year, the groundwork is being laid for 2025, where agentic AI and automated vulnerability hunting could cause some significant challenges for defenders. Our research showcases the top four areas of concern for the coming year.

Curious about how AI could impact your defenses — or your data — this year? Take a look at this summary of AI-based threats:

Need a 60 second summary? Take a look at this video:

Download Talos' 2024 Year in Review.

Also check out Cisco's State of AI Security report.

Year in Review: AI based threats

This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

Monday, April 28, 2025 06:00

Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominately used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks.

Ransomware and pre-ransomware incidents made up a slightly larger portion of threats observed this quarter, with most incidents falling into the latter category. Talos IR’s investigations into pre-ransomware events provided unique insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed, including early engagement with the incident response team and robust monitoring of certain threat actor tactics, techniques and procedures (TTPs).

Watch a discussion on the biggest trends on this latest report

**Actors leverage access to valid accounts via phishing to establish persistence**

Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks.

Adversaries predominately leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers. For example, in an observed vishing campaign — described in further detail in the ransomware section below — adversaries deceived users over the phone into establishing remote access sessions to the user’s workstation, then used this access to load tooling, establish persistence mechanisms and disable endpoint protections.

In some engagements, actors leveraged phishing attacks to steal users’ legitimate access tokens, enabling them to maintain persistent access to the targeted networks. In one engagement, adversaries deployed a phishing email with a malicious link to successfully steal a user’s multi-factor authentication (MFA) session token along with their credentials. From there, the actors gained unauthorized access to the target’s Microsoft Office 365 environment and deployed enterprise applications with the likely goal of gaining further access into additional accounts. In another phishing engagement, upon gaining access to a user’s valid account, the actors cloned their active access token and specified new credentials for outbound connections. They then sought to expand their access by running commands to gather system information and creating a scheduled task to execute a malicious JavaScript file upon user login.

**Ransomware trends****Vishing campaign leveraging BlackBasta and Cactus TTPs hits manufacturing and construction organizations **

Ransomware and pre-ransomware incidents made up over 50 percent of engagements this quarter, an increase from nearly 30 last quarter. A robust campaign leveraging BlackBasta and Cactus TTPs that targeted manufacturing and construction organizations accounted for over 60 percent of pre-ransomware and ransomware engagements and was consistent with public reporting on likely related incidents.  

The attack chain we observed begins with the threat actors flooding users’ mailboxes at targeted organizations with a large volume of benign spam emails. After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with installation of the program if not already present on the user’s system. Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence. The actors create the TitanPlus registry key and embed IP addresses to enable command and control (C2) communication, using character substitution to obfuscate the infrastructure. After completing the TitanPlus registry key persistence process, the adversary then performs subsequent privilege escalation and lateral movement, seemingly with the ultimate goal of deploying ransomware. We initially observed the threat actors leveraging BlackBasta ransomware and pivoting to Cactus ransomware after public reporting on their use of the former was released. Our analysis of engagements involving Cactus led us to identify a previously undocumented variant of the ransomware, which builds upon previous functionality with new command-line arguments that provide the threat actors with greater control over the binary's function, likely to prioritize efficiency and maximum impact.

**Looking forward:** The threat actors responsible for this campaign have proven to be agile, modifying their TTPs as more public reporting on this campaign emerges, which leads us to assess they will continue to adjust their TTPs and/or incorporate a different ransomware family or tooling into their attack chain moving forward to evade detection. We published our findings on this campaign in our Year in Review report in late March 2025 and will be tracking this activity to see if the threat actors modify their operations moving forward.

**Early detection of pre-ransomware TTPs halts attacks before encryption**

Out of all ransomware and pre-ransomware engagements this quarter, 75 percent of incidents fell into the latter category, providing insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed.

One tactic that proved effective was early engagement with the incident response team. For example, in one engagement, Talos IR was contacted directly after the organization’s users experienced a flood of spam email. Given this TTP was consistent with the vishing campaign we had already observed affecting other organizations, we were able to advise that this was very likely pre-ransomware activity and share actionable indicators of compromise (IOCs) and mitigation recommendations.    

Another defensive measure that was effective in containing pre-ransomware activity was robust monitoring and endpoint detection and response (EDR) solutions, particularly those configured to alert on unauthorized remote access connections and suspicious file execution. In one engagement, Cisco XDR was configured to flag certain TTPs that the security team identified were consistent with pre-ransomware activity, and soon after the alerts were triggered, they moved quickly to focus on eradication of the threat. The TTPs included use of remote access tools, disabling of the volume shadow copy service (VSS), and use of a local account to deploy a vulnerable driver. In another engagement, the organization’s monitoring tools alerted them of unauthorized remote access and they acted swiftly to respond to the affected system, resulting in the threat actor only having access to the targeted system for three minutes. In a different incident, suspicious file execution was flagged, leading the customer to identify the threat and isolate the system within hours of initial access.

**Crytox becomes latest ransomware group to leverage HRSword to disable EDR protections**

Crytox appeared in a Talos IR engagement for the first time this quarter, with affiliates leveraging HRSword as part of their attack chain — a tool that has not previously been publicly associated with the ransomware group. According to public reporting, Crytox is a ransomware family first seen in 2020 that typically encrypts local disks and network drives and drops a ransom note with a five-day ultimatum. Affiliates are known to leverage the uTox messenger application so victims can communicate with the threat actors. 

Talos IR responded to an engagement in which adversaries exploited a public-facing application that was not protected by MFA to gain initial access, then launched a ransomware attack that encrypted two hypervisors hosting numerous VM servers. The actors used TTPs that aligned with known Crytox TTPs, including using uTox for communication and dropping a ransomware note that matches publicly shared Crytox ransom notes. Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution. We first reported on ransomware actors’ use of HRSword in FY24 Q1, specifically highlighting a Phobos incident, and observed additional threat groups leverage the tool throughout the remainder of the year.

**Targeting**

The manufacturing industry vertical was the most affected this quarter, accounting for 25 percent of engagements. Notably, though education was the most targeted vertical for the second half of 2024, we did not respond to any incidents targeting education entities this quarter.

**Initial access**

As mentioned, the most observed means of gaining initial access this quarter was phishing, followed by use of valid accounts and exploitation of public facing applications. The increase in phishing attacks this quarter is likely due in part to the robust vishing campaign we observed that accounted for over 60 percent of all phishing engagements.

**Recommendations for addressing top security weaknesses **

**Implement properly configured MFA and other access control solutions**

Half of the engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA and MFA bypass. As mentioned in the above ransomware section, token theft played a role in several incidents this quarter, enabling threat actors to bypass authentication controls and establish trusted connections. We also observed threat actors adding malicious secondary MFA devices to compromised accounts as well as taking advantage of a lack of MFA on remote access services, the latter of which is a tactic we have consistently observed in previous quarters. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, creation of accounts designed to bypass or be exempt from MFA and removal of accounts from MFA.

**Enforce user education on phishing and social engineering attacks**

Half of the engagements this quarter involved social engineering, potentially highlighting insufficient user education. This security weakness corresponds with the surge in phishing attacks, as users were manipulated to grant attackers access to their environments, with vishing proving to be particularly effective. Talos IR recommends raising awareness of phishing and social engineering techniques, as user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report suspicious activity.

**Protect endpoint security solutions**

Almost 20 percent of incidents involved organizations that did not have protections in place to prevent uninstallation of EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:  

*   This was the first quarter since January to March of 2024 (Q1 FY24) in which phishing was the top initial access technique, with actors leveraging vishing, malicious links, malicious attachments and BEC attacks.   
*   We observed actors leveraging a wider variety of commercial and open-source remote access tools this quarter, including SplashTop, Atera, TeamViewer, AnyDesk, LogMeIn, ScreenConnect, QuickAssist, TightVNC and Level’s RMM platform. These tools appeared in 50 percent of engagements, a slight increase from almost 40 percent last quarter.

Tactic  

Technique  

Example  

Reconnaissance (TA0043)  

T1590 Gather Victim Network Information 

Adversaries may gather information about the victim's networks that can be used during targeting. Information may include a variety of details, including administrative data as well as specifics regarding its topology and operations. 

T1595.002 Active Scanning: Vulnerability Scanning 

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.   

Initial Access (TA0001) 

T1598.004  Phishing for Information: Spearphishing Voice   

In an observed campaign, users received calls from the adversary posing as IT support and were prompted to initiate a QuickAssist session. 

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. 

T1598 Phishing for Information: Spearphishing Attachment 

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. 

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

Execution (TA0002)  

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1047 Windows Management Instrumentation 

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack. 

T1053 Scheduled Task/Job 

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. 

Persistence (TA0003) 

T1098 Account Manipulation 

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.  

T1136.001 Create Account: Local Account 

Adversaries may create a local account to maintain access to victim systems. 

T1547.001 Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 

Adversaries established persistence by embedding IP addresses in the TitanPlus registry key.  

T1133 External Remote Services 

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. 

T1546.008 Event Triggered Execution: Accessibility Features 

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. 

Privilege Escalation (TA0004)   

T1134 Access Token Manipulation 

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. 

Defense Evasion (TA0005)  

T1562.001 Impair Defenses: Disable or Modify Tools 

Adversaries may disable or uninstall security tools to evade detection. 

T1562.004 Impair Defenses: Disable or Modify System Firewall   

Adversaries may disable or modify system firewalls to bypass controls limiting network usage.   

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may use email rules to hide inbound or outbound emails in a compromised user's mailbox. 

T1070.001 Indicator Removal: Clear Windows Event Logs 

Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis. 

T1112 Modify Registry 

Adversary used some registry modifications to get privilege escalation. 

Credential Access (TA0006)  

T1003 OS Credential Dumping 

Adversaries may dump credentials from various sources to enable lateral movement. 

T1528 Steal Application Access Token 

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. 

Discovery (TA0007) 

T1046 Network Service Discovery 

Adversaries may use tools like Advanced Port Scanner for network scanning. 

T1057 Process Discovery 

Adversaries may attempt to get information about running processes on a system.   

T1018 Remote System Discovery 

Adversaries may attempt to discover information about remote systems with commands, such as “net view”. 

T1082 System Information Discovery 

An adversary may attempt to get detailed information about the operating system and hardware. 

T1016 System Network Configuration Discovery 

Adversaries may use commands, such as ifconfig and net use, to identify network connections. 

T1087.001 Account Discovery: Local Account 

Enumerate user accounts on the system. 

Lateral Movement (TA0008)  

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment. 

T1021.006 Remote Services: Windows Remote Management 

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 

Command and Control (TA0011)  

T1219 Remote Access Software 

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1572 Protocol Tunneling 

Adversaries may tunnel network communications to and from a victim system within a separate protocol, such as SMB, to avoid detection and/or enable access. 

Exfiltration (TA0010)  

T1048 Exfiltration Over Alternative Protocol 

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel, such as WinSCP.   

Impact (TA0040)  

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system. 

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies. 

T1489 Service Stop 

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. 

Software/Tool  

S0029 PsExec 

Free Microsoft tool that can remotely execute programs on a target system. 

S0349 LaZagne 

A post-exploitation, open-source tool used to recover stored passwords on a system. 

S0357 Impacket 

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols. 

S0002 Mimikatz 

Credential dumper that can obtain plaintext Windows logins and passwords. 

S0097 Ping 

An operating system utility commonly used to troubleshoot and verify network connections. 

S0552 AdFind 

Freely available command-line query tool used for gathering information from Active Directory. 

S1071 Rubeus   

A C# toolset designed for raw Kerberos interaction. 

S0057 Tasklist 

A utility that displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.

Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

For the third topic for Talos' 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.

Tuesday, April 22, 2025 06:03

For our third focussed topic for Talos' 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.

The main themes of this story are credential abuse, Active Directory exploits, and MFA workarounds. Valid account details was the #1 way attackers got in, and nearly half of identity attacks involved poking at AD. We also look at common MFA missteps (like no enrollment or misconfigured policies) and break down how attackers are bypassing protections with techniques like push fatigue and password spraying.

Take a look at this short but data-rich overview of identity attacks. For defenders, it may be able to help you to identify gaps in MFA implementations, understand the operational tradecraft attackers are using post-authentication, and how to align your defenses with what’s being seen in the wild.

For a 60 second overview, have a watch of this video:

For the full analysis, download Talos' 2024 Year in Review today.

Year in Review: Attacks on identity and MFA

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Care what you share

Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.

Thursday, April 17, 2025 06:00

*   Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. 
*   A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. 
*   The language settings of the muti-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals. 
*   Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks. 
*   Talos' analysis exposes the network connection between central controller, sub-controller and XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.

**Linux XorDDoS trojan trend and victimology  **

The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals. 

From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device. 

Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.

__Figure 1. Cisco Secure Firewall’s monthly malware connection detection statistics.__

Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.

__Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.__

Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attack and the attacks are globalized. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.

__Figure 3. Percentage of XorDDoS attempted targets across all regions.__

**Infection chain  **

XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.

__Figure 4. Inint script and cron script embedded in trojan.__

The latest version of XorDDoS malware continues to use the same decryption function and the XOR key "BB2FA36AAA9541F0" to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.

__Figure 5. Talos CyberChef decryption.__

**XorDDoS new sub-controller and central controller **

Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the "VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.

Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. The VIP version of the XorDDoS trojan builder includes new feature descriptions. When translated, the description in Figure 7 reads, "Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization."

__Figure 6. VIP version sub-controller.__

__Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.__

Talos observed a new version of the sub-controller, which we call the "central controller." Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.

__Figure 8. Example view of central controller controlling each sub-controller__.

The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller, allowing the central controller to fully remote control the sub-controllers.

__Figure 9. Generator Setting__

The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller's process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:

*    "Check the SYN packet length to make it a large packet, otherwise it will be a small packet. 
*   A round-robin attack is a task performed by all online hosts.
*   Select the host and click the test mode, which means a single host sends a packet.
*   Multiple measurement modes cannot be selected, only one at a time!
*   The round-robin attack needs to be stopped manually.
*   Supports 1024 packages but requires a corresponding sub-controller.
*   The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages."

Second, the controller's creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.

__Figure 10. Central controller and controller binder.__

**Advanced XorDDoS traffic analysis **

Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.

__Figure 11. XorDDoS control flow diagram.__

The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including "phone home," which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.

__Figure 12. Example of decrypted phone home data.__

We noticed that the latest VIP version's "phone home" CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan's phone home data, we will focus here on the behavior of the controller's responses and any modifications in the CRC header.

Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to "5343f096000000000200000000000000000000000000000000000000", as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.

__Figure 13. The CRC header changes after successfully establishing a connection.__

__Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.__

Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller's machine information back to the central controller as a "phone home" beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.

__Figure 15. Network flow of the phone home connection.__

Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it's important to note that the MSG numbers for sent packets and received packets are not directly related to each other.

__Figure 16. Network flow of central controller sending the command to sub-controller.__

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.

ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos

**Indicators of Compromise**

IOCs for this threat can be found in our GitHub repository here.

Unmasking the new XorDDoS controller and infrastructure

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

Wednesday, April 16, 2025 08:00

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.     

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**Eclipse vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

Eclipse ThreadX is an embedded development suite including an operating system that provides performance for resource-constrained devices. 

TALOS-2024-2098 (CVE-2025-0726, CVE-2025-2260) A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1, TALOS-2024-2104 (CVE-2025-0727, CVE-2025-2259) and TALOS-2024-2105 (CVE-2025-0728, CVE-2025-2258). Specially crafted network request packets can lead to denial of service. An attacker can send malicious packets to trigger these vulnerabilities. 

**STMicroelectronics vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

STMicroelectronics is a European multinational semiconductor contract manufacturing and design company. 

TALOS-2024-2096 (CVE-2024-45064) is a buffer overflow vulnerability in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability. 

TALOS-2024-2097 (CVE-2024-50384-CVE-2024-50385) is a denial-of-service vulnerability in the NetX Component HTTP server functionality. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality. For TALOS-2024-2102 (CVE-2024-50594-CVE-2024-50595), a specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For TALOS-2024-2103 (CVE-2024-50596-CVE-2024-50597), a specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Eclipse and STMicroelectronics vulnerabilities

This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences. Download our 2 page ransomware summary, or watch our 55 second video.

Tuesday, April 15, 2025 05:50

This week, our _Year in Review_ spotlight is on **ransomware**—where low-profile tactics led to high-impact consequences.

Ransomware operators often prioritized stealth over complexity for initial access. They also focused on slipping past defenses with minimal noise—uninstalling security tools, creating new firewall rules for remote access, and using common, freely available tools.

The ransomware-as-a-service landscape also paints an interesting picture. A new player quickly rose through the ranks, becoming the second most prolific operator by targeting large payouts.

Something that hasn't really changed over the years is the sectors that ransomware actors target most heavily - favouring industries that typically have lower security budgets, irregular monitoring, but highly sensitive data.

We’ve pulled together the most significant insights in a **quick, 2-page PDF**:

If you only have 55 seconds? Watch this video:

For the full analysis, download Talos' 2024 Year in Review.

Year in Review: The biggest trends in ransomware

Martin delves into how threat actors exploit chaos, offering insights from Talos' 2024 Year in Review on how to fortify defenses against evolving email lures and frequently targeted vulnerabilities, even amidst economic disruption.

Thursday, April 10, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings invoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize removing the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed, each weakness remediated helps move the security posture forwards and makes your organization a tougher target for the bad guys who in turn are more likely to seek easier quarry.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

**Why do I care? **

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

**So now what? **

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static but constantly changing to try and outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not be continuing for over 10 years since disclosure. Aggressively identify systems within your IT estate that are vulnerable to this attack and urgently patch them.

**Top security headlines of the week **

**Hackers strike Australia's largest pension funds.** A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters) 

**Ireland Plans 300-Strong Military Cyber Command**. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times) 

**Baltimore City Falls Victim to Vendor Fraud.** Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News) 

**CISA Warns of Vulnerabilities in ICS Software**. The US Cybersecurity & Infrastructure Agency released advisories relating to five series vulnerabilities in Industrial Control Systems software. (CISA)

**Can’t get enough Talos?**

*   **Unraveling the U.S. toll road smishing scams.** Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
*   **Beers with Talos: 2024 Year in Review.** Joe, Hazel, Bill and Dave break down 2024 Year in Review and discuss how and why cybercriminals are learning on attacks based in stealth and simplicity. Listen here.
*   **The TTP Ep 10 (Part 1).** Peeling back the layers of the threats that dominated 2024. Watch now.
*   **The TTP Ep 10 (Part 2).** Ransomware groups, and why we're seeing more identity attacks. Watch now.

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA   
*   PIVOTcon (May 7 – 9) Malaga, Spain   
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA   
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**     
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details   
Typical Filename: VID001.exe     
Detection Name: Simple\_Custom\_Detection

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**      
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe     
Detection Name: Coinminer:MBT.26mw.in14.Talos   

**SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b**   
MD5: f5e908f1fac5f98ec63e3ec355ef6279   
VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details   
Typical Filename: IMG001.exe   
Detection Name: Win.Dropper.Coinminer::tpd