Cisco Talos uncovers CyberLock ransomware, Lucky_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn…

Cisco Talos uncovers CyberLock ransomware, Lucky\_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn how these fake installers exploit businesses in sales, tech, and marketing.

Cybersecurity researchers at Cisco Talos have revealed that the increasing presence of Artificial Intelligence (AI) in the business world has opened new opportunities for cybercriminals. Threat actors are hiding malicious software within fake installers for AI tools, tricking businesses into downloading malware. This new wave includes ransomware like CyberLock and Lucky\_Gh0$t, and destructive malware called Numero.

According to researchers, these fake AI tool installers are distributed via various online channels, through SEO poisoning (manipulating search engine rankings) so that the fake websites appear at the top of search results. Additionally, social media and messaging platforms like Telegram are used to spread their malicious links.

Businesses, especially those in sales, technology, and marketing, are prime targets because they frequently use legitimate AI tools for automation, data analysis, and customer engagement.

As detailed by Cisco Talos’ report shared with Hackread.com ahead of its publishing on Thursday, May 29, when unsuspecting users download seemingly harmless installers, they unknowingly invite malware onto their systems, putting sensitive business data and financial assets at risk, and eroding trust in genuine AI solutions.

****Cisco Talos Exposes Several Threats********CyberLock Ransomware****

This ransomware, observed as early as February 2025, poses as a lead monetization AI platform called NovaLeadsAI. Its operators have created a fake website, ‘novaleadsaicom,’ to mimic the real ‘novaleads.app.’ They even offered deceptive “free access” for the first year to lure victims.

Fake Website Offering the AI Tool (Source: Cisco Talos)

Once downloaded, a file named ‘NovaLeadsAI.exe’ deploys the CyberLock ransomware. This ransomware, written in PowerShell and embedded with CSharp code, encrypts various file types, including documents, spreadsheets, images, and videos, and demands a $50,000 ransom in Monero (XMR) cryptocurrency.

As a manipulative tactic, cybercriminals falsely claim the ransom will support humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. CyberLock also attempts to wipe free space on the hard drive via a built-in Windows tool ‘cipher.exe’., making it harder to recover deleted files.

****Lucky\_Gh0$t Ransomware****

This Yashma ransomware variant (part of the Chaos ransomware series) is distributed through fake ChatGPT installers, usually as ‘ChatGPT 4.0 full version – Premium.exe’. This malicious installer includes a file called ‘dwn.exe’ which is the ransomware, along with legitimate Microsoft AI tools, likely to avoid detection.

Lucky\_Gh0$t encrypts files smaller than 1.2GB and also has destructive behaviour for larger files, overwriting them with a single character. Victims are given a personal ID and instructed to use a secure messenger platform for communication.

****Numero Malware****

This newly discovered destructive malware imitates the installer for InVideo AI, a popular online video creation tool. Compiled in January 2025, it is a window manipulator malware that continuously runs on a victim’s machine, making Windows systems unusable by interfering with their graphical interface. It avoids being detected by checking for common malware analysis tools like IDA, x64 debugger, and OllyDbg.

Fake Installer Running Numero Payload (Source: Cisco Talos)

Given these evolving threats, organizations and individuals must be extremely careful. Always verify the source of AI tools and only download software from trusted vendors.

Fake ChatGPT and InVideo AI Downloads Deliver Ransomware

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero.
"CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan

Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims.

Thursday, May 29, 2025 06:00

*   Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky\_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers. 
*   CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system. The threat actor deceitfully claims in the ransom note that the payments will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa and Asia. 
*   Lucky\_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary. 
*   The newly-identified destructive malware, Numero, affects victims by manipulating the graphical user interface (GUI) components of their Windows OSs, rendering systems completely unusable. 

AI has increasingly proliferated across various business verticals, leading to a transformation of industries through automation, data-driven decision-making and enhanced customer engagements. However, as AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools.  

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results, as well as platforms such as Telegram or social media messengers. 

As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded. This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions. Therefore, organizations and users must exercise extreme caution, meticulously verify sources, and rely exclusively on reputable vendors to avoid falling prey to these threats. 

Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky\_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors, indicating that individuals and organizations in these industries are particularly at risk of being targeted by these malicious threats. 

**CyberLock ransomware **

Talos observed a threat actor creating a lookalike fake AI solution website with the domain ‘novaleadsai\[.\]com’, likely masquerading as the original website domain ‘novaleads.app’, a lead monetization platform designed to help businesses maximize the value of their leads through various services and performance-based models. 

Figure 1. Fake website advertising the AI tool. 

On the fake website, the actor persuades users to download the product with an offer of free access to the tool for the first 12 months, followed with a monthly subscription of $95. The threat actor also used an SEO manipulation technique that made their fake website appear in the top search results for online search engines.   

When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’. The executable was compiled on Feb. 2, 2025, which is on the same day the fake domain ‘novaleadsai\[.\]com’ was created.  

The ‘NovaLeadsAI.exe’ file is the loader that has the CyberLock ransomware PowerShell script embedded as the resource file. When the victim runs the loader executable, it deploys the ransomware. 

Figure 2. Snippet of the CyberLock ransomware loader. 

**CyberLock ransom note **

The CyberLock ransomware appeared to be operating as early as Feb. 2025. The ransom note claims that the threat actor has obtained full access to sensitive business documents, personal files and confidential databases, demanding a hefty ransom in exchange for decryption keys. Victims are instructed to communicate with the threat actor by emailing ‘cyberspectreislocked@onionmail\[.\]org’. 

The CyberLock threat actor demands that the USD $50,000 ransom be paid exclusively in Monero (XMR) cryptocurrency and employs psychological tactics by falsely claiming that the ransom payments will be used for humanitarian aid in regions like Palestine, Ukraine, Africa and Asia. The actor splits the payment into two separate wallets, complicating defenders' tracking efforts. 

The ransom note is structured to intimidate and manipulate victims by threatening to expose stolen data if payment is not made within three days. However, Talos did not see any evidence of data exfiltration functionality within the ransomware code. 

Figure 3. CyberLock ransom note.

**CyberLock, the PowerShell ransomware **

CyberLock ransomware is written in PowerShell, embedded with the CSharp code and delivered to the victims as an embedded resource of the .NET loader. 

When CyberLock is executed, it initially uses the functions GetConsoleWindow from kernel32.dll and ShowWindow from user32.dll to hide the PowerShell window. Then it generates a secret by decrypting the encrypted public key and uses it to derive the AES key and IV during the encryption process. 

Figure 4. Snippet of CyberLock ransomware. 

CyberLock has the capability to elevate privileges and re-execute itself with administrative privileges if it is not already running in an elevated context.   

Figure 5. Snippet of CyberLock ransomware. 

CyberLocker enumerates folders and files of the logical partitions with the labels ‘C:\\’, ‘D:\\’ and ‘E:\\’. It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.  

Figure 6. Snippet of CyberLock ransomware. 

The targeted file extensions and the categories are shown below: 

Category

File Extensions

Text Documents

.txt, .doc, .docx, .odt, .rtf, .md, .rst, .tex, .sty

Spreadsheets

.xls, .xlsx, .ods, .csv, .tsv

Presentations

.ppt, .pptx, .odp, .potx, .ppsx

PDF & eBooks

.pdf, .pdfx, .epub, .mobi, .azw, .azw3, .chm, .hlp

Images

.jpg, .jpeg, .png, .gif, .bmp, .tiff, .raw, .svg, .jfif, .ico, .webp

Audio

.mp3, .wav, .ogg, .aac, .flac, .m4a, .m4b, .caf, .mp3g

Video

.avi, .mp4, .mov, .mkv, .wmv, .webm, .3gp, .flv, .m4v, .vob, .mts, .m2ts, .ts, .mxf, .divx, .mpeg, .mpg, .ram, .rm

Archives & Disk Images

.zip, .rar, .7z, .tar, .gz, .xz, .tar.gz, .tar.bz2, .iso, .iso9660, .img, .dmg, .cdr, .zipx, .cab, .zpaq, .seam, .rar5

Executables & Scripts

.exe, .bat, .cmd, .sh, .ps1, .vbs, .js, .appx, .apk, .ipa, .deb, .rpm, .whl

Code & Programming

.html, .css, .scss, .xml, .json, .yaml, .cfg, .sql, .pl, .rb, .py, .lua, .h, .c, .cpp, .m, .swift, .java, .asm, .psm1

Database Files

.sql, .mdb, .accdb, .db, .sqlite, .sqlitedb, .db3, .sqlite3

System & Config

.log, .bak, .tmp, .swp, .ini, .plist, .xmlrpc, .dsk, .xcv

Fonts

.ttf, .otf, .woff, .woff2, .eot, .pfb

Design & Graphics

.ai, .psd, .indd, .eps, .fla, .swf

Backup & Virtual Machine

.vhd, .vmdk, .qcow2, .gho, .vpb

GIS & Maps

.gpx, .kml, .shp

Other Files

.torrent, .bup, .ifo, .bin, .dll, .msi, .sys, .qif, .pages, .key, .numbers, .rdata, .seed, .3dxml, .kdbx

After encrypting the targeted files, CyberLock creates a ransom note on the victim machine desktop with the file name ‘ReadMeNow.txt’. Ransom note contents are written into it from the embedded strings in the ransomware PowerShell script. 

Talos observed that the ransomware actor sets a wallpaper to the victim machine’s desktop after dropping the ransom note. The threat actor downloads a header image from a cybersecurity organization’s blog post to the victim machine user profile applications temporary folder. They configure the path of the downloaded image to the registry key “Wallpaper” and enable the wallpaper through PowerShell commands. Talos not fully certain of the actor’s motive for setting the victim machine’s desktop wallpaper to a security research blog post header image. 

Figure 7. Snippet of CyberLock ransomware. 

Figure 8. Sample blog post header wallpaper. 

Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim's hard drive partitions, hindering forensic recovery of deleted files. 

Figure 9. Command execution to wipe the hard drive free space. 

‘Cipher.exe’ is a built-in Windows command-line tool for managing file and folder encryption. One of its features allows users to prevent recovery of deleted files by overwriting free space with the ‘/w’ option. This was designed by Microsoft for legitimate purposes, such as securely wiping disks before reallocating them or complying with data protection laws to ensure sensitive data is unrecoverable by unauthorized parties.  

Threat actors often misuse this feature to eliminate their malicious footprints or permanently delete files from victim machines. This technique was previously utilized by a Russian APT in their attacks, as noted by Volexity researchers. However, Talos has not observed any indication that this activity is related to the activity described in prior reporting. 

**Lucky\_Gh0$t ransomware as fake ChatGPT installer  **

Talos discovered a threat actor distributing Lucky\_Gh0$t ransomware in the wild, archived in a self-extracting archive (SFX) ZIP installer with the file name ‘ChatGPT 4.0 full version - Premium.exe’. 

The malicious SFX installer included a folder that contained the Lucky\_Gh0$t ransomware executable with the filename ‘dwn.exe’, which imitates the legitimate Microsoft executable ‘dwm.exe’. The folder also contained legitimate Microsoft open-source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem. The threat actor’s intention in including the legitimate tools in the SFX archive is likely to evade the anti-malware file scanners detections by masquerading as a legitimate package.  

The SFX script executes the ransomware when a victim runs the malicious SFX installer file. 

Figure 10. Malicious SFX executable contents. 

Lucky\_Gh0$t ransomware is the Yashma ransomware variant with most features unchanged, including the evasion techniques, deleting the volume shadow copies and backups, and AES-256 and RSA-2048 encryption techniques. Talos observed a few minor modifications in the Lucky\_Gh0$t binary with targeted file size limits that are to be considered by the ransomware during encryption. 

Lucky\_Gh0$t targets files on the victim machine that are approximately less than 1.2GB in size and encrypts the files with the RSA-encrypted AES key, appending a 4-digit random alphanumeric characters as the file extension. The targeted files category for encryption include: 

*   Text, code and config files 
*   Microsoft Office and Adobe files 
*   Media formats and images 
*   Archives and installers 
*   Backup and database files 
*   Android package kit, Java Server Pages and Active server pages 
*   Certificate files 
*   Visual Studio Solutions and PostScripts 

Figure 11. Lucky\_Gh0$t encryption function for files less than 1.2GB. 

For the targeted files with a size larger than 1.2GB, the ransomware creates a new file the same size of the original file and writes a single character “?” as the file content. It appends a 4-digit random alphanumeric character file extension to the new file and deletes the original file, exhibiting destructive behavior. 

Figure 12. Lucky\_Gh0$t encryption function for files larger than 1.2GB. 

Lucky\_Gh0$t ransomware provides a personal ID to the victims in their ransom note. For further communication regarding ransom payment and decryption, it instructs the victims to contact the threat actor using a secure messenger platform at ‘getsession\[.\]org’ with a unique session ID.

Figure 13. Lucky\_Gh0$t ransom note.

Talos recently discovered a new destructive malware in the wild that we call “Numero,” designed to imitate the AI video creation tool installer, InVideo AI. InVideo AI is an online platform widely used for marketing videos, social media content, explainer videos and presentations. The threat actor impersonates the product and the organization names in the malicious file’s metadata. 

Figure 14. A fake installer execution flow running the payload Numero. 

The fake installer is a dropper containing a malicious Windows batch file, VB script and the Numero executable with the file name ‘wintitle.exe’. When the victim runs the fake installer, it drops the malicious components in a folder at the local user profile’s application temporary folder. Then it executes the dropped Windows batch file through Windows shell in an infinite loop. It first runs the Numero malware and then halts the execution for 60 seconds by executing the VB script through cscript.  

After resuming the execution, the batch file terminates the Numero malware process and restarts its execution. By implementing the infinite loop in the batch file, the Numero malware is continuously run on the victim machine. 

Figure 15. Malicious Windows bat loader. 

Numero's behavior is consistent with window manipulator malware. Numero is a 32-bit windows executable written in C++ and was compiled on Jan. 24, 2025.  

Numero evades analysis by checking the process handles of various malware analysis tools and debuggers including IDA, x64 debugger, x32debugger, ollydbg, scylla, windbg, reshacker, ImportREC, Immunity debugger, Zeta debugger and Rock debugger. 

Figure 16. Snippet of the Numero function and the malicious thread. 

Numero malware creates and executes the thread in an infinite loop. The thread code interacts with the Windows GUI and manipulates the victim’s desktop window using the Windows APIs GetDesktopWindow, EnumChildWindows and SendMessageW. It monitors the victim machine desktop window continuously and hooks to the child window created in the victim desktop. Numero overwrites the window title, buttons and contents with the numeric string ‘1234567890’, corrupting the victim machine to become unusable.  

Figure 17. Corrupted Windows Run terminal. 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

*   Snort 2: 64901, 64902, 64899, 64900, 64897, 64898, 64896 
*   Snort 3: 301207, 301206, 301205 

ClamAV detections are also available for this threat:   

*   Ps1.Ransomware.CyberLock-10045054-0 
*   Win.Dropper.CyberLock-10045058-0 
*   Win.Dropper.LuckyGhost-10045078-0 
*   Win.Ransomware.LuckyGhost-10045080-0 
*   Win.Loader.Numero-10045084-0 
*   Win.Dropper.Numero-10045088-0 
*   Win.Malware.Numero-10045090-0 
*   Win.Malware.Numero-10045093-0 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Cybercriminals camouflaging threats as AI tool installers

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from…

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from the UAT-6382 threat group. Learn about the malware, affected organizations, and critical security patches.

Cisco Talos researchers have issued a critical alert regarding active cyberattacks targeting Trimble Cityworks, a widely used platform for managing public assets. According to Cisco Talos’ latest research, shared with Hackread.com, a sophisticated threat group, tracked as UAT-6382, is exploiting a newly discovered high-severity vulnerability CVE-2025-0994 in the system.

This vulnerability, having a CVSS score of 8.6, allows for remote code execution, meaning attackers can run their malicious programs on affected systems from afar. These attacks have been observed since January 2025 and primarily target local government organizations in the United States. Some attacks have already resulted in successful compromises.

The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have also released their warnings about this serious flaw. Reportedly, the vulnerability allows attackers to gain remote access and execute malicious code against Microsoft Internet Information Services web server without needing to authenticate. Cityworks vulnerability affects versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.

Once inside, UAT-6382 quickly deploys _web shells_ like AntSword and chinatso/Chopper on the compromised web servers to maintain hidden access. They also use custom-made tools, including a Rust-based loader called TetraLoader to install more persistent malware such as Cobalt Strike and VSHell.

> _“Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning in January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.”_
> 
> Cisco Talos

****Chinese-Speaking Actors Identified****

Based on their methods and tools, Cisco Talos’ report suggests with high confidence that UAT-6382 is a group of “Chinese-speaking threat actors.” Evidence supporting this includes the Chinese language found in the web shells and the fact that MaLoader, the framework used to build TetraLoader, is also written in Simplified Chinese. This malware builder, which emerged in December 2024, allows operators to package malicious code into Rust-based programs like TetraLoader.

MaLoader Builder Interface (Source: Cisco Talos)

Researchers noted that upon gaining access, the attackers show a particular interest in systems related to utility management. Their initial actions involve scanning the compromised server to understand its setup, looking for specific directories related to Cityworks, and then quickly setting up their web shells. They also stage sensitive files for potential data theft and deploy backdoors using PowerShell commands to ensure long-term access.

****Understanding the Malware****

TetraLoader’s main function is to inject various payloads into legitimate processes, such as notepad.exe. These payloads can be Cobalt Strike beacons, which are widely used by attackers for command and control, or VShell stagers.

For your information, VShell is a GoLang-based remote access Trojan that allows attackers to manage files, run commands, take screenshots, and set up proxy services on infected systems. Like other tools used by this group, the VShell control panels also display Chinese text, indicating the operators’ proficiency in the language.

Cityworks has released security patches to address the CVE-2025-0994 vulnerability, urging users to update immediately. Organizations should monitor suspicious activity using Cisco Talos’ technical indicators of compromise (IOCs). Cisco Talos also recommend the use of security products like Cisco Secure Endpoint, Secure Firewall, and Umbrella to protect against such attacks.

Chinese Hackers Exploit Cityworks 0-Day to Hit US Local Governments

Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into

ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Friday, May 23, 2025 06:00

_By Darin Smith and John Arneson_

*   Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
*   Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
*   Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

**Research Methodology ****Hypothesis**

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

**Data Collection **

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell\_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

**Data Processing**

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

**Threat Intelligence and Manual Review **

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

**Findings & Analysis ****Domain Contact Distribution **

The distribution of contacts was heavily skewed: 

*   **Percentiles**: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
*   **Top Domains**: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
    *   Automox is a service for automated endpoint configuration and patch management.
    *   LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
    *   Amazon Web Services (AWS) is the largest cloud service provider. 
*   **Rare Domains**: 550 of 742 domains fell into the rare category.

Figure 1. Cumulative distribution of domain contact frequencies. 

**Malicious Domain Statistics **

*   **Rare Domains**: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
*   **Non-Rare Domains**: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
*   **Odds Ratio**: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Figure 2. Malicious rates by domain rarity.

**Case Study: githubusercontent.com **

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

**Comparison to other Processes **

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

*   ‘rundll32.exe’ 
*   Python (including macOS and Windows versions) 
*   ‘cmd.exe’ 
*   ‘cscript.exe’ 
*   ‘wscript.exe’ 
*   ‘bash’ 
*   ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

**Recommendations **

*   **Prioritize Rare Domains**: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
*   **Subdomain Analysis**: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
*   **Integrate Manual Review**: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
*   **Investigate Anomalous Utilization of ‘wscript.exe’:** Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

**Future Work **

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Scarcity signals: Are rare activities red flags?

On today’s episode of ‘Uncanny Valley,’ we discuss how WIRED was able to legally 3D-print the same gun allegedly used by Luigi Mangione, and where US law stands on the technology.

WIRED senior writer Andy Greenberg has been reporting on ghost guns for more than a decade. He first used a 3D printer to assemble a gun in 2015, and he says that today’s process is not only faster but cheaper. We talk to Andy about how he legally printed the same gun Luigi Mangione allegedly used in the alleged killing of the United Healthcare CEO last year, and whether US law is keeping up with the technology of 3D-printed guns.

You can follow Zoë Schiffer on Bluesky at @zoeschiffer and Andy Greenberg on Bluesky at ‪@agreenberg. Write to us at uncannyvalley@wired.com.

**Articles mentioned in this episode:**

*   We Made Luigi Mangione’s 3D-Printed Gun—and Fired It
*   Bluesky Is Plotting a Total Takeover of the Social Internet
*   The Delirious, Violent, Impossible True Story of the Zizians

**How to Listen**

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here's how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “Uncanny Valley.” We’re on Spotify too.

**Transcript**

_Note: This is an automated transcript, which may contain errors._

**Zoë Schiffer:** This is Zoë. Before we start, I want to take a chance to remind you that we really want to hear from you. If you have a tech-related question that's been on your mind or a topic that you wish we'd cover in the show, write to us at uncannyvalley@wired.com. If you listen and enjoy the episodes, please, please rate it and leave a review on your podcast app of choice. It honestly does help other people find us.

Welcome to WIRED's _Uncanny Valley_. I'm WIRED director of business and industry Zoë Schiffer. Today on the show, WIRED built and tested a 3D-printed pistol, the exact same model of the gun that Luigi Mangione allegedly used in the brutal killing of a health care CEO last year. Untraceable and often built entirely in private, those guns remain legal in some parts of the country due in part to a loophole in the US federal gun control laws. Today we hear about the process of creating a ghost gun, how those laws have evolved over time, and what future regulations may come. I'm joined today by Andy Greenberg, a senior writer at WIRED.

Andy, welcome to the show.

**Andy Greenberg:** Glad to be here. Thanks.

**Zoë Schiffer:** Andy, you've been reporting on ghost guns for a long time, and you started out this story with a question. Has the law in the United States actually caught up with the technology? I guess I wanted to start by asking you that same question. Has it?

**Andy Greenberg:** Well, the short answer is no. Even as the technology to make these so-called ghost guns and in particular 3D-printed guns has gotten more powerful, more practical, far, far, cheaper, the law has really lagged behind. It's opened up this space between the technology and the law that has allowed people to make their own guns at home in total privacy and anonymity more easily than ever.

**Zoë Schiffer:** I remember you saying that the first guns took hours and hours and hours. Now they still take half a day, but it's a lot less time.

**Andy Greenberg:** It's definitely faster. I printed two gun frames in 13 hours for this experiment.

**Zoë Schiffer:** Wow.

**Andy Greenberg:** That's probably just a little bit faster than it was 10 years ago, when I first … I should say 10 years ago, I made an AR-15 ghost gun in WIRED's San Francisco office.

**Zoë Schiffer:** Oh my gosh.

**Andy Greenberg:** Three different ways. One of those ways was trying to 3D-print the body of the gun known as the lower receiver of an AR-15. For the Glock-style pistol that Luigi Mangione allegedly used, it's called the frame. I was able to compare how this technology has changed and how well it works to make a gun back then in 2015 and then now. Yes, it's faster, but it's also just much better. And 3D printers are much, much cheaper.

That's perhaps the biggest thing of all. The 3D printer that I used back in 2015 to make the body of an AR-15 cost almost $3,000 alone. The entire ingredient list for my experiments in making allegedly Luigi Mangione's ghost gun was $1,144 or so, plus shipping.

**Zoë Schiffer:** Wow.

**Andy Greenberg:** That includes the cost of the printer, which was about $650. That's an enormous drop in price that has made this much more accessible to people, and just a much more practical way to try to obtain one of these guns in a fashion that completely circumvents all US gun control.

**Zoë Schiffer:** Right, completely. Before we go further on, I think it would be helpful if you explain for the audience what exactly is a ghost gun. What is the loophole that allows these guns to be made?

**Andy Greenberg:** Well, a ghost gun is this term that was originally used by gun control advocates, but now has actually been picked up by a lot of gun proponents as well. It basically means a gun that is homemade that has no serial number, and therefore is not registered with any government agency. You don't have to get a background check or show anyone ID. No gun control of any kind to obtain it. In that sense, it's a ghost.

The notion really is that you make just the parts of the gun that are regulated under US law, and then you can buy the rest of it off the internet or from stores, or whatever. And assemble it at home.

**Zoë Schiffer:** Right, yeah. Now we see why it's called a loophole. That's a pretty serious one. I want to actually go off-script, because I'm curious how you approached the story. But honestly, when I was reading it, I was like, “How the hell did Andy convince our lawyers to let him build not one, but multiple guns in the WIRED office?” I want to know how those initial conversations actually went.

**Andy Greenberg:** Well, the trick was in 2015 that I didn't ask anybody.

**Zoë Schiffer:** Oh, right.

**Andy Greenberg:** I just did it.

**Zoë Schiffer:** Right, right, right.

**Andy Greenberg:** In 2025, that turns out to be a lot harder, and we had to ask a lot of lawyers. We had to have an armorer on set, and a medic, and a special firearms specialist lawyer vet this. Then of course, I spoke to lawyers for the piece as well to make sure that what we were doing was legal. And also, to sketch out US gun control in 2025 and this gaping hole in it for homemade guns.

**Zoë Schiffer:** One of the things we're talking about is what you just mentioned, what has changed since you first started covering the space. You mentioned that the first time you built a 3D-printed gun, you did it in the WIRED office in San Francisco. This time, you actually went to Louisiana. Can you tell me about why that was important? What has changed on the regulatory side?

**Andy Greenberg:** Well, on some level, US law is trying to catch up with this problem, really at the state level mostly. 3D-printing a gun in New York is illegal unless you obtain a serial number for it. That's the same now in California too. My experiment in San Francisco would now be totally illegal. That's the case in 15 US states, that there are some laws around ghost guns.

In fact, there was a ban under Biden from the Bureau of Alcohol, Tobacco, and Firearms on ghost gun kits. These premade kits that allow anybody to finish a Glock-style frame or an AR-15 lower receiver from a plastic, or polymer, or even metal part with just a few tools in a matter of minutes. Those kits are not illegal according to the ATF. There was a Supreme Court ruling just in March upholding that ban.

Part of what I was trying to find out here is, despite a Supreme Court ruling, what's seen as a big crackdown on ghost guns, is this still possible to do legally with a 3D printer? And it is. The Supreme Court ruling basically said you can't sell parts that are readily convertible into a ghost gun, but it didn't say anything about creating one out of thin air and some plastic filaments out of empty space, which is really what a 3D printer does. What we did in Louisiana, where there is no state law around this, remains a wide-open loophole in the law, if you can call it that.

If you 3D-print a frame of a Glock-style pistol, then you can buy the rest of the parts off the internet and assemble it, and you have a gun that is a ghost gun. An anonymous, fully private, lethal weapon.

**Zoë Schiffer:** When we get back, we'll get into the details of how Andy actually made and assembled the ghost gun. But for now, we have to go to break.

\[_break_\]

**Zoë Schiffer**:Welcome back to _Uncanny Valley_. Okay, Andy, I want to get into the gun assembly process. Talk to me about the point from printing, to ordering the parts, to actually putting it together.

**Andy Greenberg:** The printing is definitely the easiest part in 2025. You really can download these files, these CAD files for gun frames from a bunch of different open source websites run by basically opponents of gun control. Then put them into some software and click print, and 13 hours later, in this case I had two perfect Glock-style frames. It was really remarkable how powerful the 3D printer, and cheap it was, that I was using.

The assembly is a lot trickier. That is as hard as ever. It's like assembling a very small piece of Ikea furniture. There's a lot of hammering little pins into place, and assembling the trigger mechanism, and it all has to fit into this small cavity inside of the frame. It took me more than an hour to do, and I was being guided in this process by a 3D-printed-gun aficionado. He calls himself Print, Shoot, Repeat, who was really helpful and patient about it. But I think that for people who know what they're doing, this takes 15 or 20 minutes—

**Zoë Schiffer:** Wow.

**Andy Greenberg:** —to assemble, once you have some practice at it.

**Zoë Schiffer:** OK. Then you shot the gun. What happened? How were you feeling at that moment at the gun range?

**Andy Greenberg:** Well, before I even shot it, there is this incredible moment when you're building a gun. It feels like this interesting, a little technical process, like making a model airplane or something. Then all of a sudden, I'm getting this slide onto the frame and then it clicks into place. Then you see for the first time that you actually have a gun in your hands, that it's a lethal weapon. The way that you have to treat a gun in your hands is so different from a collection of gun parts. Suddenly, it's this lethal weapon, you have to be careful where you point it. It's a really dramatic moment. It was for me, anyway.

**Zoë Schiffer:** There was that final part in the assembly where you put on a silencer, like allegedly Luigi Mangione had on his gun, right?

**Andy Greenberg:** Right. Luigi Mangione, in his backpack allegedly had a 3D-printed silencer too, which is a very new phenomenon, even in the 3D-printed gun world. We built that too. We 3D-printed a silencer. That actually is one part that's different. It's a felony for me to 3D-print a suppressor, a silencer as it's known. We did have an actual licensed gunsmith, the owner of the range that we were about to test that, who pushed print in that case and helped us to build that silencer. When Luigi Mangione allegedly did that, he would have been breaking the law. I would have been too, if not for having a gunsmith on-hand to help us out.

**Zoë Schiffer:** Then it started to jam a little bit. Or I don't know the correct term, but it did malfunction, right?

**Andy Greenberg:** Yeah, it did jam and it misfired several times. We reloaded it and I fired it a bunch more times. It would fire, and then misfire, and fire, and misfire. We did a bunch of troubleshooting, but ultimately we did get it working as a full semi-automatic handgun that could really empty a whole magazine worth of rounds.

**Zoë Schiffer:** You also pointed out that Brian Thompson's alleged killer—their gun also malfunctioned. It looked like, from the videos, that they had practiced a fair amount because they were totally unperturbed by the experience that you had, where the gun jammed, and then you had to troubleshoot, and then keep going.

**Andy Greenberg:** Right. Once we had gotten the gun working as a real semi-automatic, then we put the silencer on, our 3D-printed silencer. The silencer, based on the way that it attaches to the muzzle, it does actually prevent the slide from getting its full range of motion. It no longer actually worked as a true semi-automatic weapon. I had to, every time I pulled the trigger, pull back the slide, rack the gun as they say, which ejects a casing and pushes a new round into the chamber, ready to be fired. You have to manually rack it each time.

But when I looked at the surveillance video of allegedly Luigi Mangione killing Brian Thompson, or whoever that was in that video, you can see that they do exactly that. They pull back the slide with every shot. In fact, they seem to be fully prepared to do that. They don't hesitate at all. It was this eerie feeling of realizing that we had arrived at exactly the place where Brian Thompson's killer did. It was this very unnerving feeling of realizing that I was carrying out exactly the same process, I was going through exactly the same sensations of recoil, and racking, and firing again that I was seeing in this actual murder video.

**Zoë Schiffer:** Talk to me about what proponents of ghost guns say. Why are they for this untraceable and potentially really dangerous technology?

**Andy Greenberg:** I think there's a whole range of people who are interested in ghost guns and 3D-printed guns. Cody Wilson, the creator of the first fully 3D-printed gun, I was there in 2013 when he fired for the first time the Liberator, this fully plastic, fully 3D-printed one-shot pistol. He wants to destroy the state. He's a full-on radical Libertarian who believes that actually making gun control impossible, but demonstrating that it is fundamentally impossible. He can use that as a lever to show that “all government is impossible.”

But then you talk to somebody like Print, Shoot, Repeat, who was the one who helped us out in this experiment. He's also a real advocate for 3D-printed guns. But he told me, “I like this because I like the idea of being able to make my own guns at home. You can experiment with the process, and build guns that are not commercially available, and do it with full anonymity and privacy.” I did ask him, “Doesn't that also pose a real risk? Doesn't the ability for anybody essentially to make a gun at home with anonymity and privacy mean that they can use it to commit a crime?” He, like a lot of gun advocates I think in general, his answer was, “Well, freedom is dangerous,” and that's the American way, essentially.

**Zoë Schiffer:** I was really struck by that in your work. That it really felt like their POV was the occasional outburst of violence is the cost of freedom in this country, which is a very different way of seeing the world. My last question is just where do you think this is all heading? What does 3D printing and the way the technology has developed since you first started covering this space tell us about our ability to regulate guns in the United States?

**Andy Greenberg:** Well, it's just definitely clear that the law in this country is not keeping up with technology on this issue. That's a running theme probably of this podcast and everything we do at WIRED. But it's very visible. I feel like this is almost a parable about the ways that technology runs ahead of the law, especially in this country. And especially in a country where people love to defy the law and break the law. This is one example where Americans, it's the American way to try to have more guns than even our very meager gun control laws would allow us.

For me, as someone who's covered 3D-printed guns since 2012, it just strikes me that this topic caught up and even ran ahead of me in my reporting. I used to think of this as some future threat that I was describing in this science fictional way. Now it's definitely a present threat. In fact, it took me by surprise in December 2024, when a 3D-printed gun was used allegedly in this massively high-profile murder. I don't know. It's a future shock, as Alvin Toffler would call it. Where it's like, “Wow, we are in that future now.” This is a particularly scary one.

**Zoë Schiffer:** We're going to take a quick break. When we come back, we'll share our recommendations for what to read on Wired.com this week.

\[_break_\]

**Zoë Schiffer:** Welcome back to _Uncanny Valley_. I'm Zoë Schiffer, WIRED's director of business and industry. I'm joined today by WIRED senior writer Andy Greenberg. Before we take off, Andy, tell our listeners what they need to read on Wired.com today.

**Andy Greenberg:** Well, this ghost gun story is part of the Rogue's package as we're calling it, all about people on the edge of the law and breaking the law in interesting ways. There's another story in that package that I thought was incredible, written by my colleague Evan Ratliff. It's about the Zizians, this group that went in an extremely irrational direction—became actually this violent militant group. It's a remarkable piece about their evolution and how they came to do truly horrifying criminal things.

There's also this idea in the piece that has just haunted me in the weeks since I read it. It's called Roko's basilisk. It's something that rationalists and AI people talk about. Which is this notion that, if there is going to be a superintelligent AI in the future, it might punish people who were aware that it could be created and didn't work to create it.

**Zoë Schiffer:** That's just so weird and scary.

**Andy Greenberg:** It just really bothers me that there's this idea that's so dangerous you can't even think about it.

But I would also say that I have a piece in this Rogue's package also coming out tomorrow that I've been working on for about a year and a half, about at one point the dark web's biggest dealer in DMT, this incredibly potent psychedelic that he made in secret labs across the western half of the US. I hope you'll check that out, too.

**Zoë Schiffer:** I am very excited for that one. DMT is a big topic of discussion in California these days.

I have another recommendation. I feel like the topic of this podcast has been very, at least to me, and I understand I have my own biases here, a bleak vision of the future. But we also have this interview that our fantastic reporter Kate Knibbs did with Jay Graber, the head of Bluesky. She lays out a vision of the future of the social web that I actually found extremely uplifting.

I thought it was interesting, because Jay uses a lot of the language that you hear from the cutting-edge tech VCs and executives, but she does it in a way that feels completely different from the future that these other people and a lot of the men lay out. I really found her words compelling, and I think everyone should read it.

That's our show for today. We'll link to all the stories we spoke about in the show notes. Make sure to check out Thursday's episode of _Uncanny Valley_, which is about AI in schools and a big question we're having. Is using this technology cheating?

Kyana Moghadam and Adriana Tapia produced this episode. Greg Obis mixed this episode. Pran Bandi was our New York studio engineer. Jordan Bell is our executive producer. Conde Nast's head of global audio is Chris Bannon. Katie Drummond is WIRED's global editorial director.

Why 3D-Printing an Untraceable Ghost Gun Is Easier Than Ever

Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.

Thursday, May 22, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton. 

It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork. 

What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all? 

Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an actual complaint that a Conti member made about a fellow actor not showing up). 

In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They're opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands? 

Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.  

Oof, I didn’t mean to knock freelancers there. Just, you know, _those_ ones… 

History suggests fallouts are inevitable. Conti's collapse, as Wired reported, started with a single angry post and spiraled into a full on leak about poor performance records: 

> _“I have 100 people here, half of them, even 10 percent, do not do what they need.”_  

> _\- Stern (or Demon), former Conti CEO_ 

LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer. 

To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?

**The one big thing **

In Talos’ most recent blog post, we shared that UAT-6382, Chinese-speaking threat actors, have exploited Cityworks, a widely-used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control. 

**Why do I care? **

UAT-6382 is not only exploiting this vulnerability, but they're also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime. 

**So now what? **

While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.

**Top security headlines of the week **

**NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch**   
VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available.  (SecurityWeek) 

**NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited**   
The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (Dark Reading) 

**Kettering Health hit by system-wide outage after ransomware attack**   
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (BleepingComputer)

**Can’t get enough Talos? **

*   Duping Cloud Functions: An emerging serverless attack vector 
*   Talos Takes: Inside the Kill Chain: Compartmentalized Threat Modeling Explained 

**Upcoming events where you can find Talos **

*   BotConf (May 20 – 23) Angers, France  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (August 2 - 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details    
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Ghosted by a cybercriminal

A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell.
"UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access," Cisco Talos researchers

Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks

Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.

Tag

#cisco