Lattica’s cloud-based solution uses Fully Homomorphic Encryption to query encrypted data on AI models without decrypting it, preserving privacy and bolstering security.

Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has emerged from stealth. The company is backed by Konstantin Lomashuk’s Cyber Fund, and Sandeep Nailwal, co-founder of Polygon Network and Sentient: The Open AGI Foundation, among others.

Lattica’s technology represents a critical new standard for industries such as healthcare, finance and government sectors, where data privacy and security concerns have limited AI adoption. According to Cisco’s 2025 AI Briefing: CEO Edition, 70% of CEOs surveyed admitted being concerned about the state of their networks due to the rising adoption of AI, with 34% citing security as a major barrier to adoption. 

Fully Homomorphic Encryption (FHE) – the “holy grail” of cryptography in the last decade – ensures all communication between AI providers and end users remains encrypted, without needing to decrypt it, but due to longstanding computational inefficiencies, FHE has yet to be widely adopted. By capitalizing on the latest breakthroughs in the AI acceleration stack, Lattica leverages advanced acceleration techniques to operationalize FHE. 

Led by founder and CEO, Dr. Rotem Tsabary, who holds a PhD in lattice-based cryptography from the Weizmann Institute of Science, Lattica takes advantage of the foundational mathematical similarities between FHE and machine learning to offer a hardware-agnostic, cloud-based platform that utilizes FHE to deliver secure and private use of AI.

A key differentiator powering Lattica’s solution is its Homomorphic Encryption Abstraction Layer (HEAL), which enhances FHE performance and standardizes its acceleration. A cloud-based service, HEAL serves as a universal bridge connecting FHE applications and AI algorithms across a diverse range of hardware including GPUs, TPUs and CPUs, as well as dedicated accelerators like ASICs and FPGAs.

“By combining the advancements of hardware acceleration with software-based optimization, we realized that not only could we improve FHE efficiency to the point of commercial viability, but use it to solve critical data dilemmas holding back AI’s adoption in sensitive industries,“ said Dr. Rotem Tsabary, founder and CEO of Lattica. “We’re enabling practical FHE by developing a solution that is tailor-made for neural networks.”

As part of its emergence from stealth, Lattica has made demos of the platform available on its website, alongside insights from an in-depth survey within the FHE community. Survey results validate Lattica’s approach, revealing that a majority (71%) of respondents believe FHE adoption will be achieved through a combination of hardware and software. 

“Lattica is pushing the boundaries of Fully Homomorphic Encryption, solving one of the most critical challenges in AI security,” said Konstantin Lomashuk, Managing Partner at Cyber Fund. “Cyber Fund is proud to have led Lattica’s pre-seed round. This is the kind of deep-tech innovation that defines the future, and we’re excited to see Lattica leading the way.”

Lattica’s focus on healthcare and finance further underscores the platform’s relevance, with potential applications in secure data analysis for medical research and encrypted financial transactions.

“Lattica’s product-first approach fundamentally transforms sensitive data processing in the AI ecosystem,” said Sandeep Nailwal, co-founder of Polygon Network and investor in Lattica. “Lattica has made FHE a reality that is both practical and scalable, as Tsabary and her research team is proving that advances in the machine learning stack can significantly boost the performance of FHE and have an immediate impact on the market.”

****About Lattica****

Lattica enables querying AI models with Fully Homomorphic Encryption, offering FHE as a hardware-agnostic, cloud-based service. The platform leads in scientific innovation by ensuring that user queries remain encrypted throughout the entire machine-learning inference process.

Lattica’s Homomorphic Encryption Abstraction Layer (HEAL) connects FHE applications, algorithm implementations, and diverse hardware backends, making secure AI computation as accessible as traditional cloud-based AI services. The company is headquartered in Tel Aviv.

Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE

Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.

Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

Terrance, United States / California, 22nd April 2025, CyberNewsWire

**Terrance, United States / California, April 22nd, 2025, CyberNewsWire**

**Joining Criminal IP at Booth S-634 | South Expo, Moscone Center | April 28 – May 1, 2025**

Criminal IP, the global cybersecurity platform specializing in AI-powered threat intelligence and OSINT-based data analytics, will exhibit at RSAC 2025 Conference, held from April 28 to May 1 at the Moscone Center in San Francisco. The company will welcome attendees at Booth S-634 in the South Expo Hall.

**Strengthening Its Global Presence Through Proven Success**

Following its impactful debut at RSAC 2023, Criminal IP has continued to expand its international footprint, establishing partnerships with over 40 global cybersecurity leaders, including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake. Returning to RSAC 2025, the company will further strengthen its position in the global security market by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI).

**Elevating Threat Intelligence with ASM at RSAC**

With a presence in over 150 countries, Criminal IP has positioned itself as a trusted leader in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI). At RSAC 2025, the company will highlight how its platform empowers security teams with real-time, actionable insights to proactively detect and respond to today’s most advanced cyber threats.

**Live Demonstrations & Strategic Dialogues**

Throughout the event, Criminal IP will host live demos and interactive sessions led by the CEO, senior developers, and global product experts. Visitors will gain exclusive insights into:

*   Real-world applications of ASM for enterprise security
*   Emerging threat trends and response tactics
*   Enhancing CTI workflows with AI and automation

Attendees will experience firsthand how Criminal IP uncovers exposed assets, detects abnormal behaviors, and delivers complete visibility across digital infrastructures.

**Connecting with the Criminal IP Team**

Attendees can arrange 1:1 meetings directly at Booth S-634 or pre-book sessions in advance through the Knowledge Hub > Conference section of the Criminal IP website. The team will be available to discuss how the platform can be tailored to support diverse cybersecurity goals.

The booth will also feature exclusive giveaways and a roulette-style prize draw for all on-site attendees.

> “RSAC continues to be a vital platform for exchanging ideas around proactive security,” said Byungtak Kang, CEO of AI SPERA. “We look forward to showcasing how our ASM-powered threat intelligence helps global organizations safeguard their external attack surfaces.”

**About Criminal IP**

Criminal IP is an all-in-one AI-driven threat intelligence platform that enables organizations to detect, assess, and respond to cyber threats in real time. Powered by massive-scale OSINT data and machine learning, the platform provides complete visibility into exposed assets, suspicious behaviors, and indicators of compromise.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Showcase Advanced Threat Intelligence at RSAC™ 2025

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Morphisec discovers a new malware threat ResolverRAT, that combines advanced methods for running code directly in computer memory,…

Morphisec discovers a new malware threat ResolverRAT, that combines advanced methods for running code directly in computer memory, figuring out necessary system functions and resources as it runs, and employing multiple layers of techniques to avoid detection by security software.

A new and sophisticated piece of malware, dubbed ResolverRAT by Morphisec researchers, has been discovered actively targeting organisations within the healthcare and pharmaceutical sectors, with the most recent wave of attacks occurring around March 10, 2025.

Morphisec’s Threat Labs researchers dubbed it Resolver because of the malware’s high reliance on figuring things out and handling resources dynamically while running, making it much harder for traditional methods to detect it.

According to researchers, ResolverRAT is distributed via phishing emails designed to create a sense of urgency or fear, pressuring recipients to click on a malicious link. Once clicked, the link leads to a file that starts the ResolverRAT infection process.

This is a highly localised phishing attack as the emails are written in the native language of the targeted country and consistently use alarming subjects, such as legal investigations or copyright violations. This multi-language approach suggests a global operation aimed at maximising successful infections through personalised targeting.

Use of native language subject lines (Source: Morphisec)

ResolverRAT infections begin with DLL side-loading, a technique that involves placing a malicious DLL file alongside a legitimate, signed program, identified as ‘hpreader.exe‘ in this case. When ‘hpreader.exe’ is executed, it unknowingly loads the malicious DLL, triggering the malware’s execution.

Interestingly, the same executable was identified by CPR in a recent campaign distributing the Rhadamanthys malware, and Cisco Talos documented similar phishing techniques used to deliver Lumma information-stealing malware. This could suggest that the groups are reusing tools, sharing resources, or part of a coordinated effort or shared network of cybercriminal affiliates.

ResolverRAT employs multiple layers of evasion to avoid detection, including extensive code obfuscation and a custom protocol over standard ports to blend network traffic. It executes malicious code directly in the computer’s memory (in-memory execution) and dynamically identifies and uses necessary system functions as it runs (API resolution).

To stay on an infected system even after a reboot, ResolverRAT creates up to 20 entries in the Windows Registry, spread across various locations, and installs copies of itself in various locations.

Moreover, the malware uses a unique method of certificate validation and ‘.NET Resource Resolver Hijacking’ technique is a key element of its stealth. Additionally, it attempts to fingerprint analysis environments and can alter its behaviour when it detects it’s being examined.

It allows attackers to steal sensitive information like credentials and patient data, breaking large datasets into smaller chunks for easier transmission. ResolverRAT also has remote access capabilities, allowing attackers to execute commands, upload files, take screenshots, capture keystrokes, and potentially deploy further malware.

This sophisticated blend of in-memory execution, advanced evasion techniques, and resilient C2 infrastructure poses a substantial threat to sensitive sectors like healthcare and pharmaceuticals, highlighting the need for organisations to adopt proactive defence strategies to effectively counter these threats.

Native Language Phishing Spreads ResolverRAT to Healthcare

Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…

Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and Russia after years of silence. Learn about its new tactics and modular design.

Cybercriminals are constantly developing new malware for cyberattacks. These malicious tools have varying lifespans; some malware families have been tracked for decades, while others vanish from public awareness relatively quickly. In 2021, Kaspersky researchers discovered one such short-lived implant during their investigation of the CVE-2021-40449 zero-day vulnerability, which they dubbed MysterySnail RAT.

At the time of its discovery, MysterySnail RAT was linked to IronHusky APT, a Chinese-speaking threat group active since at least 2017. After the initial report, no further public details about this malware emerged.

However, recent observations have uncovered attempted deployments of a new version of MysterySnail RAT targeting government entities in Mongolia and Russia. This targeting aligns with previous intelligence indicating IronHusky’s specific interest in these two countries dating back to 2018, suggesting the RAT has been active covertly for several years.

A recent infection began with a malicious MMC script disguised as a document from Mongolia’s National Land Agency (ALAMGAC). This script downloaded a ZIP archive from fileio, which contained a secondary malicious component and a decoy DOCX file. The script would then extract the archive, placing the decoy in %AppData%\Cisco\Plugins\X86\bin\etc\Update, and execute CiscoCollabHost.exe from the archive. For persistence, it configured CiscoCollabHost.exe to run at start-up and opened the decoy document to deceive the user.

While CiscoCollabHost.exe was legitimate, the archive also held a malicious DLL named CiscoSparkLauncher.dll, designed for DLL Sideloading by the legitimate process, acting as a new intermediary backdoor. This backdoor facilitated C2 communication by leveraging the open-source piping-server project.

The new version can execute around 40 commands, enabling various malicious activities like file system management, command execution via cmd.exe process creation and termination, service management, and network resource connection.

Unlike the 2021 samples, the new version uses five additional DLL modules for command execution, a key upgrade from the previous version’s single malicious component.

Moreover, it was configured to establish persistence on infected machines as a service, and the malicious DLL loads a payload encrypted using RC4 and XOR algorithms. Upon decryption, it gets loaded into memory through DLL hollowing, facilitated by code within the run_pe library.

Following the disruption of recent MysterySnail RAT intrusions, the threat actors persisted by deploying a modified, single-component variant named MysteryMonoSnail. This streamlined version communicated with the same C2 servers as the original RAT but utilised the WebSocket protocol instead of HTTP and possessed a reduced set of only 13 basic commands, enabling actions like listing directories, writing files, and launching processes and remote shells.

The return of MysterySnail RAT shows how old malware doesn’t just disappear; they evolve. It’s also a reminder that staying on top of new and resurfacing cybersecurity threats is key to keeping systems secure.

Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia

Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
"The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan

Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.
"From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed…

Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed systems.

A newly disclosed vulnerability in the Erlang/OTP SSH implementation could allow attackers to run code on affected systems without logging in. The flaw, tracked as CVE-2025-32433, was reported by researchers at Ruhr University Bochum and has been rated with a maximum CVSSv3 score of 10.0 due to its potential impact on systems using the widely deployed library.

Disclosed by researchers via the oss-security mailing list, the issue affects the SSH protocol message handling within Erlang/OTP, allowing attackers to send specially crafted messages before authentication takes place. If exploited, the vulnerability could lead to arbitrary code execution. In cases where the SSH daemon is running with root privileges, this could result in a complete system compromise.

****Who Is Affected?****

Any application or service running an SSH server built on the Erlang/OTP SSH library is likely exposed. This includes a range of environments, particularly those relying on Erlang for high-availability systems such as telecommunications equipment, industrial control systems, and connected devices.

“If your application uses Erlang/OTP SSH for remote access, you should assume it is affected,” the researchers stated.

The vulnerability is caused by the way the SSH server handles certain messages during the initial connection, before authentication takes place. An attacker with network access to the server can exploit this flaw by sending connection protocol messages before the authentication step, slipping past normal checks and triggering remote code execution.

According to the advisory, the flaw could allow unauthorised users to gain the same privileges as the SSH daemon. This means if the daemon is running as root, the attacker would have unrestricted access.

****What to Do Now****

The official advisory is available on Erlang’s GitHub security page. For those unable to upgrade immediately, firewall rules should be used to block access to the SSH server from untrusted sources.

This flaw is particularly serious not just because of how it works, but where it lives. Erlang/OTP is quietly embedded in many production systems, often overlooked in routine audits. That makes widespread exposure a real concern.

When a widely used library like Erlang/OTP is affected, the impact can quickly spread. CVE-2025-32433 is a clear example, especially for systems that depend on remote access and automation. Therefore, administrators and vendors are urged to assess their systems, verify if Erlang/OTP SSH is in use, and patch or isolate as soon as possible.

****Expert Insight****

Mayuresh Dani, Manager of Security Research at Qualys, described the flaw as “extremely critical.”

“Due to improper handling of pre-authentication SSH protocol messages, a remote threat actor can bypass security checks to execute code on a system. If the SSH daemon runs with root privileges, which is common in many deployments, the threat actor will gain complete control,” Dani said.

He added that Erlang is frequently used in high-availability systems due to its reliable support for concurrent processing. “Many Cisco and Ericsson devices run Erlang. Any service using the Erlang/OTP SSH library for remote access, such as those in OT or IoT setups, is at risk.”

Dani recommends updating to the latest patched versions of Erlang/OTP. These include OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. For organisations that need more time to implement upgrades, he advises limiting SSH port access to trusted IPs only.

Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Tag

#cisco