Cisco Talos Blog

Great responsibility, without great power
Hazel Burton
April 30, 2026, 15:00

Welcome to this week’s edition of the Threat Source newsletter. 

As I’m writing this, today (April 28) is International Superhero Day. If you don’t know the origin story behind this, perhaps you would assume that this day was dreamed up by Marvel. And… you would be correct. 

However, it’s not a pure marketing ploy. It all started in 1995, when colleagues in Marvel asked a group of school children what superpower they’d want the most.  

Through the discussion, it became clear that the people in the children’s lives were already doing pretty heroic things, without the benefit of Hindsight Lad. (He’s a real Marvel invention — Carlton LaFroyge — whose superpower was to make aggressively obvious observations, delivered too late to matter. I’m sure we all have a real-life Carlton LaFroyge in our lives… heck, some of us ARE Carlton LaFroyge.) 

Ok, before I get to my next point, I need to take you down the same internet wormhole I just disappeared into. Here are some of the weirdest superpowers ever committed to comic book lore: 

  1. Eye-Scream. His one power is to become ice cream (soft serve, apparently). Not to be confused with another Marvel character, Soft Serve, whose body acts as a portal to an ice cream dimension. 
  2. Doorman. Recently seen sending Josh Gad into the Dark Dimension (where there presumably is no ice cream) in the Marvel TV show “WonderMan.” Because his body is a door. Man.  
  3. The Wall. Has the ability to turn himself into a brick wall. I would genuinely love this ability during socially awkward networking events. 

Now I’m thinking how awesome a character called “Internet Wormhole” would be. I just looked it up, and such a character doesn’t exist yet (call me, Marvel).  

Right, let’s get back on topic. Ooh… “On topic” would be another good idea for a super… no, Hazel, no. 

Anyway, the children’s ability to identify the people closest to them — parents, grandparents, teachers, uncles, and aunts — as heroes is a comforting thought for me. Having someone’s back is more about showing up than anything else. Being there for them when they need it (and when they don’t even realise they need it). Helping to make someone’s situation a little bit less bad.  

I can think of a few people in my life who have done, and continue to do, exactly that for me, which makes me feel incredibly lucky. And in an industry like cybersecurity, where bad things happen every single day, it matters more than we tend to admit. You need people around you who can steady things, who can sense you need support, who can listen to you, and who can tell you a silly story on a bleak day. 

Empathy doesn’t usually get listed as a specific skillset within cybersecurity, but I think I, and many of my Talos colleagues, would agree that it’s absolutely essential. Users make decisions for reasons that make sense to them. Attackers take advantage of that. If you can’t see both sides of that equation, you’re probably not helping as many people as you could.  

I’ll end by answering the ultimate question — who is the greatest superhero of all time?  

It’s obviously Squirrel Girl. She bested Galactus with a cup of tea and a chat. And though my mum has never been in the same room as Galactus, I have no doubt she’d handle him in exactly the same way. 

The one big thing 

Cisco Talos is wrapping up Year in Review coverage by giving five critical priorities to help defenders navigate an increasingly automated threat landscape. While AI and readily available exploit code have drastically lowered the barrier to entry for threat actors, these adversaries still rely on predictable patterns. Identity infrastructure, exposed legacy systems, and platforms that broker trust remain the primary battlegrounds. Ultimately, even the fastest automated attacks generate anomalous behavior that stands out from normal user activity. 

Why do I care? 

The speed at which attackers weaponize vulnerabilities and target identity systems — highlighted by a 178 percent spike in device compromise — can feel overwhelming. But there is a silver lining for security teams. Because adversaries inevitably reuse infrastructure and fail to mimic legitimate user behavior, defenders maintain a distinct advantage if they know exactly where to look. 

So now what? 

Security teams need to focus on what they can control right now by treating identity infrastructure as a top-tier critical asset. Secure your MFA workflows with strict verification and build baseline detections around what users actually do after they log in. Prioritize patching vulnerabilities based on internet exposure rather than only severity scores, and actively hunt down the long tail of legacy risks hiding in your network. Finally, apply enhanced monitoring to management-plane systems and focus your detection efforts on anomalous events to cut through the noise of alert fatigue. 

Top security headlines of the week 

Home security giant ADT data breach affects 5.5 million people 
The extortion group told BleepingComputer that they had allegedly breached the company after compromising an employee's Okta single sign-on (SSO) account in a voice phishing (vishing) attack. (BleepingComputer)

U.S. companies hit with record fines for privacy in 2025 
The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus on how AI and automation affect privacy. (CyberScoop)

PyPI package with 1.1M monthly downloads hacked to push infostealer 
The dangerous release is 0.23.3, and it extended to the Docker image due to the package's workflow that creates the image from the code and uploads it to a container registry for deployment. (BleepingComputer)

LiteLLM CVE-2026-42208 SQL injection exploited within 36 hours of disclosure 
A newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. (The Hacker News)

Feuding ransomware groups leak each other's data 
In response to its data leaking, KryBit breached and exfiltrated 0APT's infrastructure, listed the latter as a victim, and left a message on 0APT's leak site: "Next time, don't play with the big boys." (Dark Reading)

Can’t get enough Talos? 

AI-powered honeypots: Turning the tables on malicious AI agents 
Because AI systems generate plausible responses within a given context and set of inputs, they can be tricked into responding inappropriately through prompt injection or into interacting with systems that are not what they appear to be. This Tool Talk shows how generative AI can be used to rapidly deploy adaptive honeypots. 

Talos IR Trends Q1 2026: Phishing reemerges 
Phishing is back as the top initial access vector for attackers targeting the health care and public administration sectors. We did not observe any ransomware deployment thanks to early and swift mitigation from Talos IR. 

25 years of uninterrupted persistence 
Hazel, Dave, and Joe cover Bill’s 25 years at Talos and the latest security headlines, including AI-assisted vulnerability research, and why attackers still can’t resist abusing trusted systems (or Roblox). 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55  
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55  
Example Filename: content.js  
Detection Name: W32.38D053135D-95.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
MD5: dbd8dbecaa80795c135137d69921fdba  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
Example Filename: u992574.dll  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201 

Cisco Talos Blog

Five defender priorities from the Talos Year in Review
Hazel Burton
April 28, 2026, 10:23

A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures — all without code. 

One such case was recently detailed in the latest Cisco Talos Incident Response Quarterly Trends report.

Proof-of-concept code for exploiting new vulnerabilities used to take attackers months to create. Now they take hours.

All of this is very concerning for defenders. Yesterday, my colleague told me about a recent conference Q&A he hosted, where he was asked to provide some hope to those in the room who have faced an overwhelming amount of change in recent months. 

His answer was to focus on the here and now. Focus on what you can control, and what you have influence over. We can’t change what may or may not happen in six months’ time, but we can prioritize what’s important now. 

The other key thing for defenders to bear in mind is that even when attackers move fast, they still don’t behave like your normal users. At the end of the day, you’re still looking for anomalous behavior – whether that behavior is machine- or human-generated.

As we come to the end of our Year in Review content release (if you haven’t seen it yet, we published videos, podcasts, and topic specific blog posts), we’d like to end by summarizing the key priorities for defenders. 

Here are five of them that are worth considering when it comes to spotting malicious, unusual behaviour in your environment.

1. Identity is the main battlefield 

The Year in Review highlights how frequently attackers rely on valid accounts and credential abuse throughout the attack chain. We see this across multiple areas:

  • MFA spray attacks targeting IAM platforms directly 
  • Device compromise attacks increasing 178% year over year 
  • Attackers registering their own devices as trusted multi-factor authentication (MFA) methods
  • Ransomware attack chains largely relying on valid accounts, credentialed tools, or both

Network infrastructure is a key part of this. VPNs, Active Directory Controllers (ADCs), and firewalls are being exploited to steal session tokens, bypass MFA, and impersonate users.

However, when attackers successfully authenticate, where they go from there tends not to fall in line with normal user behavior. They start to access new systems outside of their role, move laterally using tools like PsExec, execute commands at unusual times, and overall operate at a scale that normal users don’t.

Therefore, having a baseline understanding of normal user behavior is more important than ever.

Prioritize:

  • Treating identity infrastructure as Tier 1 critical assets and applying the strongest monitoring and protection controls to IAM and PAM systems
  • Securing MFA device registration workflows with strict verification procedures and limited administrative approval rights
  • Hardening authentication systems against automated attacks by enforcing rate limiting, anomaly detection, and strong conditional access policies
  • Building baseline detections around what users do, not just how they log in
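To make the last bullet concrete, here is an added example (not Talos code or tooling from the Year in Review) of a baseline detection built around what users do after they log in. It learns each user's normal hosts, hours, actions and daily host count from constructed history, then flags the behaviours described above: hosts outside the user's role, PsExec-style remote execution the user never used, off-hours activity, and a scale of access the user never reached. The log format, the action names and the scale_factor threshold are assumptions made for this example.

```python
"""Baseline each user's post-login behaviour, then flag activity that breaks
it: hosts outside the user's normal set, remote-execution tooling the user
never used, unusual hours, and a scale of access never reached before.
Added example, not Talos code; log format, action names and thresholds are
assumptions, and every log line is constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Assumption: how our constructed log names remote-execution tooling (PsExec etc.).
REMOTE_EXEC_ACTIONS = {"psexec", "wmiexec", "winrm_shell"}

# Constructed history used to learn what "normal" looks like for each user.
BASELINE_LOG = """\
2026-03-02T09:05:00,alice,FS01,file_read
2026-03-02T11:20:00,alice,HR-APP,web_login
2026-03-03T10:15:00,alice,FS01,file_read
2026-03-03T14:30:00,alice,HR-APP,web_login
2026-03-04T09:50:00,alice,FS01,file_read
2026-03-02T08:30:00,bob,BUILD01,ssh_login
2026-03-02T16:10:00,bob,GIT01,git_push
2026-03-03T09:00:00,bob,BUILD01,ssh_login
2026-03-03T17:45:00,bob,GIT01,git_push
"""

# Constructed day under review: alice's account is used at 02:00 to reach
# hosts she never touched, via PsExec, at a scale she never operated at.
CURRENT_LOG = """\
2026-04-10T09:10:00,alice,FS01,file_read
2026-04-10T02:14:00,alice,DC01,psexec
2026-04-10T02:16:00,alice,SQL01,psexec
2026-04-10T02:17:00,alice,FS02,file_read
2026-04-10T02:19:00,alice,BACKUP01,file_read
2026-04-10T09:30:00,bob,BUILD01,ssh_login
2026-04-10T17:00:00,bob,GIT01,git_push
"""

def parse_events(text):
    """Parse 'timestamp,user,host,action' lines into tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, action))
    return sorted(events)

def build_baseline(events):
    """Per user: hosts used, hours active, actions seen and the most distinct
    hosts reached in any single day."""
    raw = defaultdict(lambda: {"hosts": set(), "hours": set(),
                               "actions": set(), "per_day": defaultdict(set)})
    for ts, user, host, action in events:
        b = raw[user]
        b["hosts"].add(host)
        b["hours"].add(ts.hour)
        b["actions"].add(action)
        b["per_day"][ts.date()].add(host)
    return {user: {"hosts": b["hosts"], "hours": b["hours"], "actions": b["actions"],
                   "max_hosts_per_day": max(len(h) for h in b["per_day"].values())}
            for user, b in raw.items()}

def near_usual_hour(hour, usual_hours):
    """True if hour is within one hour of any usual hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual_hours)

def detect_anomalies(baseline, events, scale_factor=2):
    """Return {user: [(kind, timestamp, host, action), ...]} for events that
    deviate from the user's baseline. scale_factor is an assumed tuning knob."""
    findings = defaultdict(list)
    hosts_today = defaultdict(set)  # (user, date) -> distinct hosts reached so far
    scale_flagged = set()           # (user, date) already reported for scale
    for ts, user, host, action in events:
        b = baseline.get(user)
        if b is None:
            findings[user].append(("unknown_user", ts, host, action))
            continue
        if host not in b["hosts"]:
            findings[user].append(("new_host", ts, host, action))
        if action in REMOTE_EXEC_ACTIONS and action not in b["actions"]:
            findings[user].append(("remote_exec", ts, host, action))
        if not near_usual_hour(ts.hour, b["hours"]):
            findings[user].append(("off_hours", ts, host, action))
        key = (user, ts.date())
        hosts_today[key].add(host)
        if (len(hosts_today[key]) > scale_factor * b["max_hosts_per_day"]
                and key not in scale_flagged):
            scale_flagged.add(key)
            findings[user].append(("scale", ts, host, action))
    return dict(findings)

def summarize(findings):
    """Collapse findings to {user: {kind: count}} for triage."""
    out = {}
    for user, items in findings.items():
        counts = defaultdict(int)
        for kind, *_ in items:
            counts[kind] += 1
        out[user] = dict(counts)
    return out

if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for user, kinds in summarize(detect_anomalies(baseline, parse_events(CURRENT_LOG))).items():
        print(user, kinds)
```

Because every check is relative to the user's own baseline, an administrator who runs PsExec every day does not trip the remote_exec rule, while an HR user whose account suddenly does so at 02:00 against five hosts produces a cluster of findings (new_host, remote_exec, off_hours, scale) that reads as a pattern rather than a set of isolated alerts.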

2. Prioritize the vulnerabilities that have the most exposure

One of the most important callouts in the report is how attackers select targets. The rapid exploitation of vulnerabilities such as React2Shell and ToolShell shows that exploitation can begin immediately after disclosure with readily available proof-of-concepts. Attackers then prioritize what is exposed and reachable. 

Attackers also like to exploit the vulnerabilities that are closest to identity, session handling, and access logic.

At the same time, older vulnerabilities such as Log4Shell remain among the most exploited, over four years after disclosure.

This creates a dual reality where some new vulnerabilities are weaponized instantly, but old, highly-valued vulnerabilities are never fully eliminated.

Prioritize:

  • Remediating vulnerabilities based on internet exposure and access impact, not just CVSS scores
  • Reducing time-to-patch for externally accessible systems 
  • Continuously reassessing what is reachable from the outside
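As a worked version of the ranking these three bullets describe, the following added example (not code from Talos or the report; the ids are placeholders and the asset data is constructed) orders findings by internet reachability, active exploitation, closeness to identity and session logic, and end-of-life status before CVSS, derives an assumed time-to-patch for each, and refreshes the exposure flag from a new external reachability scan so the ranking follows what is actually reachable.

```python
"""Rank vulnerabilities by what is reachable and what it touches, with CVSS
as the tie-breaker rather than the driver. Added example, not Talos code:
the ids are placeholders, the asset attributes are constructed, and the
patch deadlines are assumed policy values, not figures from the report."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder id, not a real CVE
    asset: str               # constructed asset name
    cvss: float
    internet_exposed: bool   # reachable from the outside right now
    identity_adjacent: bool  # touches auth, session handling or access logic
    known_exploited: bool    # public PoC or observed exploitation
    asset_eol: bool          # runs on an end-of-life platform


# Constructed inventory: a 9.8 on an internal-only database, a 7.5 on an
# internet-facing VPN that brokers sessions, a Log4j-style 10.0 on an EOL
# edge box, and a low-severity internal finding.
FINDINGS = [
    Finding("VULN-PLACEHOLDER-A", "db-internal-01", 9.8, False, False, False, False),
    Finding("VULN-PLACEHOLDER-B", "vpn-edge-01", 7.5, True, True, True, False),
    Finding("VULN-PLACEHOLDER-C", "legacy-edge-02", 10.0, True, False, True, True),
    Finding("VULN-PLACEHOLDER-D", "wiki-internal-03", 6.5, False, False, False, False),
]


def cvss_rank(findings):
    """The ordering this section argues against: severity score alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def exposure_rank(findings):
    """Lexicographic priority: internet reachability, active exploitation,
    closeness to identity/session logic, EOL platform, then CVSS. Each
    earlier criterion outranks everything after it."""
    def key(f):
        return (f.internet_exposed, f.known_exploited,
                f.identity_adjacent, f.asset_eol, f.cvss)
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]


def patch_deadline_days(f):
    """Assumed time-to-patch policy, shortest for externally reachable systems."""
    if f.internet_exposed and f.known_exploited:
        return 3
    if f.internet_exposed:
        return 14
    if f.known_exploited or f.cvss >= 9.0:
        return 30
    return 90


def reassess_exposure(findings, assets_seen_from_outside):
    """Refresh the exposure flag from the latest external reachability scan
    (a set of asset names) so the ranking tracks what is actually reachable."""
    return [replace(f, internet_exposed=f.asset in assets_seen_from_outside)
            for f in findings]


if __name__ == "__main__":
    print("CVSS only:     ", cvss_rank(FINDINGS))
    print("Exposure-aware:", exposure_rank(FINDINGS))
    for f in FINDINGS:
        print(f.vuln_id, "on", f.asset, "-> patch within", patch_deadline_days(f), "days")
```

The point of the lexicographic key is that a 7.5 on an internet-facing, actively exploited VPN that handles sessions outranks a 9.8 on a database nobody can reach from outside, and a rescan that shows the VPN is no longer exposed moves it down without anyone editing a spreadsheet.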

3. Address the long tail of legacy and embedded risk

The Year in Review highlights that nearly 40% of the top 100 most targeted vulnerabilities impact EOL systems, and 32% are over a decade old. Many of these vulnerabilities exist in deeply embedded components such as PHP frameworks, Log4j, and ColdFusion.

These components are often poorly inventoried, difficult to patch, and tightly coupled to business-critical systems.

It’s a frustrating fact that the most persistent risks are often the least visible, and the hardest to remove. They create long-term blind spots, which are an attacker’s favorite thing to find and exploit.

Prioritize:

  • Improving visibility into software dependencies and embedded components 
  • Treating development frameworks and libraries as part of your attack surface 
  • Establishing clear strategies for isolating or retiring legacy systems

4. Secure the systems that broker trust

Attackers are increasingly targeting systems that provide maximum operational leverage. This includes network management platforms, application delivery controllers (ADCs), and shared software platforms running across multiple devices.

These systems are attractive to adversaries because they store credentials, control configurations across large environments, provide visibility into the network, and enable changes at scale.

Unfortunately, these platforms are also traditionally less monitored than endpoints, more complex to patch or upgrade, and have centralized points of failure.

Prioritize:

  • Identifying management-plane and control-plane systems that need securing
  • Applying enhanced monitoring and access controls to these platforms 
  • Limiting administrative access and enforcing strong segmentation

5. Keep focusing on patterns, even with increased automation and AI-driven attacks

Yes, automation and AI are changing the threat landscape. As we’ve spoken about, attackers are increasingly able to rapidly identify and exploit vulnerabilities, launch large-scale identity attacks, generate convincing phishing lures that mimic real business workflows, and accelerate parts of the attack lifecycle using AI-assisted tooling.

However, all these things do not remove a key constraint for adversaries: Automated attacks still produce patterns of unusual behavior, and patterns are detectable.

Even highly scalable attacks tend to reuse the same infrastructure, tools, and techniques. They also follow predictable sequences of activity and generate anomalies.

Prioritize:

  • Focusing detection efforts on anomalous events (e.g., unusual authentication flows, abnormal system access, anomalous device registration) 
  • Reducing alert fatigue by prioritizing a smaller number of meaningful detections over broad, low-confidence alerting 
  • Supporting triage and enrichment with automation where possible, alongside human decision-making
  • Ensuring teams are equipped to investigate patterns of behavior, not just isolated alerts
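The first bullet (unusual authentication flows and anomalous device registration) lends itself to a concrete detection. The following added example, which is not Talos code, walks an identity-provider style event log and flags two patterns drawn from this year's findings: an administrator-registered MFA device that is then used to log in from an origin the user has never authenticated from, and one administrator registering devices for several users within minutes. The event format, the "self" actor convention for user-driven registrations, the /24 origin coarsening and the two thresholds are assumptions, and all events are constructed using documentation IP ranges.

```python
"""Flag anomalous MFA device registrations and the logins that follow them.
Added example, not Talos code. Event format (timestamp,event,user,actor,
device,source_ip), the "self" actor for user-driven registrations and both
thresholds are assumptions; every event line is constructed sample data."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning knobs.
POST_REGISTRATION_WINDOW = timedelta(hours=24)  # login soon after an admin registration
BURST_WINDOW = timedelta(minutes=15)            # one admin registering for many users
BURST_USERS = 3

# Constructed events: bob self-registers a device and keeps logging in from the
# office range; helpdesk1 registers devices for three users in four minutes and
# alice's new device is then used from an address range she has never used.
EVENT_LOG = """\
2026-04-09T08:00:00,login,alice,self,D-1,203.0.113.10
2026-04-09T13:00:00,login,alice,self,D-1,203.0.113.12
2026-04-09T09:00:00,login,bob,self,D-2,203.0.113.40
2026-04-10T10:00:00,mfa_device_registered,bob,self,D-5,203.0.113.40
2026-04-10T10:05:00,login,bob,self,D-5,203.0.113.40
2026-04-10T11:00:00,mfa_device_registered,alice,helpdesk1,D-9,10.0.0.5
2026-04-10T11:02:00,mfa_device_registered,carol,helpdesk1,D-10,10.0.0.5
2026-04-10T11:04:00,mfa_device_registered,dave,helpdesk1,D-11,10.0.0.5
2026-04-10T11:40:00,login,alice,self,D-9,198.51.100.7
"""


def parse_events(text):
    """Parse event lines into tuples ordered oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, event, user, actor, device, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), event, user, actor, device, ip))
    return sorted(rows)


def origin_of(ip):
    """Coarsen a source address to its /24 so neighbouring office addresses match."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def detect_registration_anomalies(events):
    """Return [(kind, timestamp, subject, detail), ...] in event order."""
    findings = []
    known_origins = defaultdict(set)     # user -> /24s seen in earlier logins
    registrations = {}                   # device -> (ts, user, actor)
    admin_activity = defaultdict(deque)  # actor -> recent (ts, user) registrations
    for ts, event, user, actor, device, ip in events:
        if event == "mfa_device_registered":
            registrations[device] = (ts, user, actor)
            if actor != "self":
                recent = admin_activity[actor]
                recent.append((ts, user))
                while ts - recent[0][0] > BURST_WINDOW:
                    recent.popleft()
                users = sorted({u for _, u in recent})
                if len(users) == BURST_USERS:  # fires once, when the threshold is reached
                    findings.append(("admin_registration_burst", ts, actor, users))
        elif event == "login":
            reg = registrations.get(device)
            origin = origin_of(ip)
            if (reg is not None and reg[2] != "self"
                    and ts - reg[0] <= POST_REGISTRATION_WINDOW
                    and origin not in known_origins[user]):
                findings.append(("admin_registered_device_new_origin", ts, user,
                                 f"device {device} registered by {reg[2]}, login from {ip}"))
            known_origins[user].add(origin)  # learn origins only after the check
    return findings


if __name__ == "__main__":
    for kind, ts, subject, detail in detect_registration_anomalies(parse_events(EVENT_LOG)):
        print(ts.isoformat(), kind, subject, detail)
```

Both rules key on the combination the report calls out: the registration path (administrator-driven rather than user-driven) joined with what happens next. A self-registered device used from a familiar network stays quiet; a device an administrator added on someone's behalf, used minutes later from an unfamiliar range, is exactly the flow that should surface for review.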

Final thoughts

Much of the current concern in and around the security community is the new reality that anyone can create a malicious campaign. The Year in Review doesn’t disagree.

However, Talos data also shows something equally important:

  • Attackers still rely on the same vulnerabilities 
  • They reuse the same tools and techniques 
  • They follow repeatable patterns 
  • And, critically, they don’t behave like your users

Even when they successfully authenticate, move laterally, or establish persistence, their activity introduces detectable anomalies.

That’s where the opportunity lies for defenders. 

Read the 2025 Cisco Talos Year in Review
Cisco Talos Blog

State-sponsored threats: Different objectives, similar access paths
Hazel Burton
April 14, 2026, 10:49

Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.

But when you look at how these operations actually unfold, similar tactics, techniques, and procedures (TTPs) keep appearing: access through vulnerabilities and identity, and access that remains under the radar for a considerable period of time.

Here are the dominant themes from the state-sponsored section of the Talos Year in Review, available now.

China

China-nexus threat activity stood out this year for both volume and efficiency, with Talos investigations increasing by nearly 75% compared to 2024.

Newly disclosed vulnerabilities were exploited almost immediately (e.g., ToolShell), sometimes before patches were widely available. At the same time, long-standing, unpatched vulnerabilities in networking devices and widely used software continued to provide reliable entry points for these types of adversary.

Once inside, the focus shifts to persistence. Web shells, custom backdoors, tunneling tools, and credential harvesting all support long-term access. 

There’s also more overlap than ever before between state-sponsored and financially motivated activity. It is likely that in some cases, state-sponsored actors conducted operations for personal profit alongside espionage-focused missions, while in others, cybercriminals collected valuable information during an attack that could be sold to espionage-motivated actors for further exploitation, providing them dual revenue streams.

Russia

Russian-linked cyber activity remains closely tied to their geopolitical objectives, particularly the war in Ukraine.

Many operations continue to rely on unpatched, older vulnerabilities (especially in networking devices) to gain initial access. These flaws provide a dependable way in for adversaries and support long-term intelligence gathering.

Russia’s offensive cyber activity is highly correlated with developments in the larger geopolitical sphere. For example, the announcement of sanctions intended to apply pressure on Russia by both the U.S. and E.U. often corresponded with our observed levels of Russian cyber activity.

Common malware families like Dark Crystal RAT (DCRAT), Remcos RAT, and Smoke Loader appeared frequently in Talos investigations on operations against Ukraine in 2025. These families aren’t exclusive to Russia-nexus threat actors, but they continue to be effective in environments where patching and visibility are inconsistent, and should therefore be high priority targets for defense and monitoring.

North Korea

North Korea cyber operations leaned heavily into social engineering and insider access in 2025. These operations were both for financial and espionage purposes.

Campaigns like Contagious Interview (orchestrated by Famous Chollima) used fake recruiters from legitimate companies to socially engineer targets into executing code or handing over credentials. From there, actors stole cryptocurrency, exfiltrated data, and established persistent access.

North Korean cyber actors also pulled off the largest cryptocurrency heist in history in 2025, stealing $1.5 billion. Additionally, thousands of IT workers used stolen identities and AI-generated profiles to secure positions at Fortune 500 companies, generating billions in annual revenue for North Korea’s nuclear weapons and ballistic missiles programs.

Iran

Iranian cyber threat activity in 2025 combined visible disruption with long-term access.

Hacktivist operations increased by 60% in response to geopolitical events, particularly the Israel-Hamas conflict. These campaigns, which include distributed denial-of-service (DDoS) attacks, defacements, and other disruptive operations, are often designed to generate attention and shape narratives.

At the same time, more traditional advanced persistent threat (APT) activity focused on persistence. Groups such as ShroudedSnooper targeted sectors like telecommunications, using custom compact backdoors designed to blend into normal traffic and remain undetected. 

ShroudedSnooper is an APT that public reporting widely attributes to Iran’s Ministry of Intelligence and Security (MOIS). It is very likely an initial access group that passes operations off to secondary threat actors for long term espionage or destructive attacks.

For current threat intelligence related to the developing conflict in Iran, follow our coverage on the Talos blog.

Guidance for defenders

Though the state-sponsored activity we tracked for the Talos Year in Review served different objectives, it showed the same reliance on gaining and maintaining access. The following guidance is recommended for security teams:

  • Don’t ignore older systems: Both newly disclosed and long-known vulnerabilities are actively exploited. 
  • Prioritize identity security: Credentialed access and social engineering remain reliable entry points. 
  • Increase visibility into network and edge infrastructure: These systems are common targets for persistent access.
  • Expect activity to follow global events: Sanctions, conflicts, and political developments often correlate with spikes in activity. Follow the Talos blog to keep informed of new state-sponsored activity and campaigns.
  • Inspect for long-term presence: Many state-sponsored operations are designed to persist stealthily over time, not trigger immediate disruption. 

Read the 2025 Cisco Talos Year in Review
Cisco Talos Blog

[Video] The TTP Ep. 22: The Collapse of the Patch Window
Hazel Burton
April 10, 2026, 12:29

One of the clearest trends in the 2025 Talos Year in Review is just how quickly vulnerabilities are now being turned into working exploits. What used to take weeks or months is now happening in days, sometimes hours — and in some cases, exploitation is beginning almost immediately after vulnerability details are made public.

The process of exploitation itself is changing. With the increasing availability of proof-of-concept code, automation, and AI-assisted tooling, certain vulnerabilities can very quickly become weaponized, which is what we saw with React2Shell.

At the same time, the data shows that attackers are not just chasing new vulnerabilities. They are consistently targeting what is exposed, accessible, and valuable.

On one end of the spectrum, near-instant exploitation.
On the other, long-standing vulnerabilities that remain unaddressed.

Attackers are using a combination of speed, scale, and accessibility to reduce the window defenders have to respond, while increasing the impact when they can’t.

In the latest episode of the Talos Threat Perspective, we explore what the ‘industrialization of exploitation’ looks like in practice, and what it means for defenders trying to prioritise risk in an increasingly compressed timeline.

▶️ Watch the full episode below.

Read the 2025 Cisco Talos Year in Review
Cisco Talos Blog

[Video] The TTP Ep 21: When Attackers Become Trusted Users
Hazel Burton
April 2, 2026, 10:06

In this episode of the Talos Threat Perspective, we explore how identity is being used to gain, extend, and maintain access inside environments. 

Drawing on insights from the 2025 Talos Year in Review, we break down how attackers are: 

  • Targeting identity systems and MFA workflows
  • Establishing persistent, high-trust access
  • Using internal phishing to move laterally
  • Potentially exploiting over-permissioned AI agents and identity-linked access
  • Blending into normal user behaviour

This episode focuses on how identity enables attackers to scale their operations, and what that means for defenders trying to detect and contain them. 

Read the 2025 Cisco Talos Year in Review
Cisco Talos Blog

Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders
Hazel Burton
April 2, 2026, 07:00

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground.  

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security. 

Here’s their conversation. 

Old vulnerabilities, new speed 

Marshall: One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December and within weeks it became the most targeted vulnerability we tracked. 

At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we’re seeing very rapid weaponization (likely fuelled by AI given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.  

Bailey: There’s always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.

Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don’t care about those constraints. They actually count on them. 

This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.  

Marshall: And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That’s a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.  

Bailey: Absolutely. In most cases, it’s not that customers don’t want to patch. It’s that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business. 

As an industry, we need to reduce that friction. Cisco is a big part of that, with built-in protections in our networking equipment that can be applied without downtime, and options to shield systems when patching can't happen immediately.  

Identity as the primary target 

Marshall: If there’s one area where attackers are consistently investing their time and energy, it’s identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.  

One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (or voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There’s a clear preference for high-value victims. 

Bailey: And unfortunately these stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.  

For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You need to detect abnormal behavior quickly. 

Marshall: We’re also seeing a rise in internal phishing. More than a third of phishing incidents we observed involved attackers sending messages from already compromised accounts. 

Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. This all means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than usual or accessing data they never touched before, that should stand out. 

Bailey: Identity is no longer just an authentication problem. It’s a monitoring and governance problem, as well.  

State-sponsored activity and the blurring of motives 

Marshall: We observed continued evolution in state-sponsored activity throughout the year. Talos investigations into China-nexus campaigns increased nearly 75 percent in 2025. These actors are exploiting both zero-day and n-day vulnerabilities while also engaging in financially motivated activity to support their broader goals. 

Russian-linked activity continues to correlate closely with geopolitical developments. We consistently see these actors exploiting unpatched networking equipment to establish long-term access. 

North Korean affiliated actors refined their “Contagious Interview” campaigns. They compromised developers through fake job opportunities and expanded IT worker schemes using AI-generated personas. 

Iranian-linked actors increased hacktivist-style operations by roughly 60 percent last year, and we’ve seen that type of activity rise again during the ongoing conflict in the Middle East. At the same time, actors such as ShroudedSnooper are deploying highly evasive and stealthy backdoors to maintain long-term access to critical telecommunications infrastructure. 

Bailey: These groups are adaptive and pragmatic. From a defender’s perspective, the distinction between state-sponsored and criminal actors is less useful than it used to be. Techniques overlap, tools are shared, and infrastructure gets reused.  

What matters is speed. These actors move quickly and often target the edge of the network through unpatched devices and legacy infrastructure.   

That’s where intelligence becomes critical. At Cisco, when Talos identifies a campaign or toolset, that intelligence feeds directly into protections for customers. Speed of detection and response must match the pace of the threat.  

AI and the acceleration of attacks 

Marshall: In 2025, AI was most commonly used to automate and scale parts of traditional attacks, especially social engineering. It lowered the barrier to creating convincing phishing lures and fraudulent sites. 

The Year in Review is based on trends throughout 2025, but we also want to call attention to the fact that the AI threat landscape is changing fast, even in the first few months of 2026. Research into threats like VoidLink shows how AI can accelerate malware development. The tasks that previously required extended development cycles are now being completed quicker than ever.   

We’re also seeing early examples of AI-enabled malware in mobile environments. Agentic capabilities can analyze screen content and determine next actions. It’s still early, but the pace of change is notable. 

Bailey: Organizations also need to think about how they deploy AI internally. 

We saw rapid adoption of consumer AI tools, followed by a realization that guardrails were necessary. Prompt injection, data exposure, unauthorized model access... These are real concerns.  

Now we’re seeing companies implement controls such as semantic inspection of prompts, model scanning, and discovery of shadow AI deployments. Secure AI deployment will quickly become standard practice. It has to. 

Using the report as a prioritization tool 

Marshall: We designed the Talos Year in Review to help defenders prioritize. And in terms of those priorities, I’d like to leave people with a few that stand out. 

The data shows that attackers consistently pursue access for scale and leverage. They want the keys to the kingdom, so they target identity systems, administrators, and end-of-life infrastructure because it gives them broad access. 

Strengthening your identity controls, understanding your environment, and safeguarding and removing EOL infrastructure are three of the most important actions organizations can take. 

Bailey: I agree. Patching is still crucial, but just as important is ensuring you have visibility across devices, strong segmentation, and continuous monitoring for abnormal behavior. 

We’re also seeing attacks happening faster, increasingly amplified by automation and AI. Agentic AI is opening the door to a catalogue of features that will automate manual work and allow adversaries to greatly expand their capabilities. Now more than ever, defenders need architectures that are resilient and observable in the face of these developments.  

I encourage everyone to read the full Talos report. It’s filled with data and practical guidance.   

Marshall: Thank you, Peter. This report represents a tremendous amount of effort across Talos and it's built with our customers in mind. I'd like to extend sincere appreciation to my team and all of our partners who contributed to its life and launch.  

Our goal with the Year in Review, much like our general mission at Talos, is simple: Show where adversaries are succeeding, and provide clear guidance on how to reduce that success rate.  

In addition, I would ask all of our customers to use this report to challenge us, challenge Cisco. We strive to give you the greatest protection, products, and services possible. Let us know how we can be better. 

Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders

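The internal-phishing signals Marshall describes above (inbox rules that hide replies, and accounts that suddenly send far more mail than they ever did) expressed as detection logic over a handful of constructed mailbox audit events. This is an added example, not code from Talos or from the Year in Review; the event shape is a simplified stand-in for a mailbox audit log rather than any product's real schema, and the domains, folder names and thresholds are assumptions.

```python
"""Added example (not Talos code): flag two post-compromise signals over
constructed mailbox audit events:
  1. inbox rules that hide or divert mail (delete, move to an obscure folder,
     forward externally), and
  2. accounts whose outbound message volume jumps far above their own baseline.
The event shape is a simplified stand-in for a mailbox audit log, not the
exact schema of any product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events. 'New-InboxRule' params mimic common rule actions;
# SENT_PER_DAY holds messages sent per day for the last 7 days (last = today).
EVENTS = [
    {"op": "New-InboxRule", "user": "cfo@corp.example", "client_ip": "203.0.113.7",
     "params": {"Name": "..", "SubjectContainsWords": "invoice;payment",
                "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"op": "New-InboxRule", "user": "eng1@corp.example", "client_ip": "10.0.0.5",
     "params": {"Name": "Jira", "From": "jira@corp.example", "MoveToFolder": "Tickets"}},
    {"op": "New-InboxRule", "user": "hr@corp.example", "client_ip": "198.51.100.9",
     "params": {"Name": "a", "ForwardTo": "collector@mail-drop.example", "DeleteMessage": True}},
]
SENT_PER_DAY = {
    "cfo@corp.example": [12, 9, 14, 11, 10, 13, 180],
    "eng1@corp.example": [20, 25, 18, 22, 30, 24, 27],
    "hr@corp.example": [5, 6, 4, 7, 5, 6, 95],
}

INTERNAL_DOMAINS = {"corp.example"}                      # assumed tenant domains
# Folders attackers commonly use to park replies where nobody looks.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "junk email", "deleted items", "archive"}


def _is_external(addr: str) -> bool:
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS


def suspicious_rule(event: dict) -> list[str]:
    """Return reasons an inbox-rule event looks like attacker concealment."""
    if event.get("op") != "New-InboxRule":
        return []
    p = event["params"]
    reasons = []
    if p.get("DeleteMessage"):
        reasons.append("rule deletes mail")
    if str(p.get("MoveToFolder", "")).lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to '{p['MoveToFolder']}'")
    fwd = p.get("ForwardTo") or p.get("RedirectTo")
    if fwd and _is_external(fwd):
        reasons.append(f"forwards externally to {fwd}")
    # Weak tells (mark-as-read, near-empty rule name) only count alongside a
    # stronger signal, so a lazily named legitimate rule is not flagged.
    if p.get("MarkAsRead") and reasons:
        reasons.append("also marks as read")
    if len(str(p.get("Name", ""))) <= 2 and reasons:
        reasons.append("rule name is near-empty")
    return reasons


def send_volume_anomaly(history: list[int], z_threshold: float = 3.0, min_abs: int = 50) -> bool:
    """True if today's count is far above the user's own prior days.
    A z-score against prior days plus an absolute floor, so a user who
    normally sends 2 mails and sends 6 today is not flagged."""
    if len(history) < 3:
        return False
    prior, today = history[:-1], history[-1]
    mu, sigma = mean(prior), max(pstdev(prior), 1.0)   # floor avoids divide-by-zero on flat baselines
    return today >= min_abs and (today - mu) / sigma >= z_threshold


def find_compromised_accounts(events=EVENTS, sent=SENT_PER_DAY) -> dict[str, list[str]]:
    """Combine both signals into one per-user finding list."""
    findings: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        reasons = suspicious_rule(ev)
        if reasons:
            findings[ev["user"]].append(
                f"inbox rule from {ev['client_ip']}: " + "; ".join(reasons))
    for user, hist in sent.items():
        if send_volume_anomaly(hist):
            findings[user].append(
                f"sent {hist[-1]} messages today vs ~{mean(hist[:-1]):.0f}/day baseline")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in find_compromised_accounts().items():
        print(user)
        for n in notes:
            print("   -", n)
```

The two signals are scored separately and then joined per account: a hiding rule on its own is worth a look, but a hiding rule plus a send-volume spike from the same mailbox is the internal-phishing pattern the conversation describes.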
Ransomware in 2025: Blending in is the strategy

Hazel Burton, Cisco Talos Blog, March 31, 2026, 07:00

Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.

That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing), they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.

In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.

The difference is how they’re being used. If they’re being used to expand access and move across systems, that should raise red flags. I’m not sure it’s possible to overstate how much asset management matters here: clear asset inventories, network behaviour baselines, and continuous anomaly monitoring against those baselines.

Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution. 

Top-targeted sectors

From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.

Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.

Most prolific ransomware groups

The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.

[Chart: most prolific ransomware groups of 2025]

Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.

Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (e.g., LockBit).

An opportunity for defenders

What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.

It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.

Defender recommendations

  • Strengthen identity protections. Actors predominantly targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
  • Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
  • Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
  • Regularly test ransomware response readiness.
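The monitoring recommendation above, and the earlier point that RDP, PowerShell and PsExec are only a problem when they are used to expand access, as a small baseline check over constructed event records. This is an added example, not code from Talos or the Year in Review: the records approximate Windows Security/System log field names but are simplified (in particular, the "Source" host on the service-install event is assumed to have been joined from the SMB session that wrote the binary, which is not a native 7045 field), and the baseline sets, host names and thresholds are assumptions.

```python
"""Added example (not from the Talos report): score RDP, PowerShell and PsExec
activity against a per-source baseline instead of alerting on the tools
themselves. Records are a simplified stand-in for Windows Security/System
events; the baseline and sample events are constructed."""
import re
from collections import defaultdict

# Constructed baseline: (source host -> destination host) pairs seen doing admin
# work over the prior 30 days, plus the hosts that legitimately originate RDP.
BASELINE_PAIRS = {("JUMP01", "FS01"), ("JUMP01", "SQL01"), ("JUMP01", "DC01"), ("ADMIN-PC", "FS01")}
KNOWN_RDP_SOURCES = {"JUMP01", "ADMIN-PC"}

# Constructed events. 4624/LogonType 10 = RDP logon, 7045 = service installed,
# 4688 = process creation. 'Source' on the 7045 is an assumed join from the
# SMB session that dropped the service binary, not a native field.
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-admin", "Computer": "FS01", "WorkstationName": "JUMP01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "Computer": "DC01", "WorkstationName": "FIN-PC07"},
    {"EventID": 7045, "Computer": "SQL01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Source": "FIN-PC07"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "jsmith", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo..."},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc-admin", "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# -e/-ec/-enc/-EncodedCommand; \b keeps -ExecutionPolicy from matching.
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)   # default service/binary name


def score_event(ev: dict) -> list[str]:
    """Return reasons this event deviates from baseline (empty = looks routine)."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 4624 and ev.get("LogonType") == 10:
        src, dst = ev.get("WorkstationName", "?"), ev["Computer"]
        if src not in KNOWN_RDP_SOURCES:
            reasons.append(f"RDP from non-admin source {src}")
        if (src, dst) not in BASELINE_PAIRS:
            reasons.append(f"new RDP path {src}->{dst}")
    elif eid == 7045:
        if PSEXEC_RE.search(ev.get("ServiceName", "")) or PSEXEC_RE.search(ev.get("ImagePath", "")):
            src = ev.get("Source", "?")
            reasons.append(f"PsExec service installed on {ev['Computer']} from {src}")
            if (src, ev["Computer"]) not in BASELINE_PAIRS:
                reasons.append("source/destination pair not in baseline")
    elif eid == 4688 and "powershell" in ev.get("CommandLine", "").lower():
        cl = ev["CommandLine"]
        if ENCODED_PS.search(cl):
            reasons.append("encoded PowerShell command line")
        if "-w hidden" in cl.lower() or "windowstyle hidden" in cl.lower():
            reasons.append("hidden window")
        if ev.get("ParentProcessName", "").lower().endswith("cmd.exe") and reasons:
            reasons.append("spawned from cmd.exe")
    return reasons


def lateral_fanout(events, threshold: int = 2) -> dict[str, set[str]]:
    """Sources that reached at least `threshold` distinct hosts via RDP or
    PsExec in the window. Breadth is the lateral-movement tell even when each
    individual hop looks like ordinary admin work."""
    reach: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 10:
            reach[ev.get("WorkstationName", "?")].add(ev["Computer"])
        elif ev.get("EventID") == 7045 and ev.get("Source"):
            reach[ev["Source"]].add(ev["Computer"])
    return {s: d for s, d in reach.items() if len(d) >= threshold}


def triage(events=EVENTS):
    """Per-event findings plus the fan-out summary."""
    findings = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            findings.append((i, reasons))
    return findings, lateral_fanout(events)


if __name__ == "__main__":
    per_event, fanout = triage()
    for i, reasons in per_event:
        print(f"event {i} ({EVENTS[i]['Computer']}):", "; ".join(reasons))
    for src, hosts in fanout.items():
        print(f"{src} reached {len(hosts)} hosts: {sorted(hosts)}")
```

The two routine events (the jump host's RDP session and the scheduled backup script) score nothing, while the finance workstation is called out twice per hop and once more for fan-out. That is the asset-inventory-plus-baseline approach the post argues for: the tools are allowed, the path and breadth are what get judged.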

Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.

Beers with Talos breaks down the 2025 Talos Year in Review

Hazel Burton, Cisco Talos Blog, March 23, 2026, 09:55

The Beers with Talos B team (that’s Hazel, Bill, Joe and Dave) break down (sometimes in the literal sense) the 2025 Talos Year in Review which is available now.

The team dives into the biggest cybersecurity trends of the year, including:

  • The rapid weaponization of new vulnerabilities
  • Why identity abuse showed up everywhere 
  • Ransomware trends
  • A rise in APT investigations
  • What defenders should prioritize heading into the year ahead

Before that, we discuss the cyber activity tied to the situation in the Middle East (full details on our blog).

There’s also an alarming amount of discussion about glutes. And gravy. Listen here:

Download the full 2025 Talos Year in Review today.

You have to invite them in

Hazel Burton, Cisco Talos Blog, March 19, 2026, 15:00

Welcome to this week’s edition of the Threat Source newsletter. 

I found myself watching the Oscars ceremony in its entirety for the first time in a few years. I’m in the U.K., so I watched it the following day. With next week’s Year in Review launch looming and several pieces of content still to finalise, two hours of sleep didn’t seem like the best idea. 

My overriding thought from the ceremony was: How much poorer would this have been without “Sinners?” 

A purely original film (deservedly the winner of Best Original Screenplay), “Sinners” is set in 1932 in the Jim Crow-era Mississippi Delta. The storytelling is rooted in survival, connections to the past and the future, and cultural identity. And the music. Oh man, the music. 

It is also (mild spoiler warning) a vampire movie. 

Under the direction and quill of Ryan Coogler, the vampires take on an identity I haven’t seen before — they’re colonists. Some of them belong to the KKK. And they occasionally jig. 

In “Sinners,” they feed on vitality they can’t generate themselves. They circle a juke joint run by twin brothers Smoke and Stack, both played by (now Oscar winner) Michael B. Jordan in performances (emphasis on the plural) so clever and distinct you could almost believe they were played by different actors. 

My husband insists he enjoyed the film right up until the vampires appeared. After that, he says, it became less interesting. 

He is, of course, terribly and demonstrably wrong. 

Vampire stories are awesome. And they come with generally well-agreed rules: 

  • They despise garlic.
  • They’re not keen on fire or stakes through the heart.
  • They have to be invited in.

Cue the perilous segue to a security topic… 

In our upcoming 2025 Talos Year in Review, attacks on identity emerged as the dominant theme across multiple vectors. Attackers are not so much trying to batter down doors with noisy exploits. Increasingly, they’re looking to be invited in as a recognisable user. And once inside, their goal is to operate as if they own the place.  

Most organisations have boundaries. Segmentation. Authentication. But when consent is manipulated (e.g., through social engineering), the system can authorise the intrusion itself. 

One of the most common techniques we see involves attackers persuading victims to read out their multi-factor authentication request code in real time, often over the phone, posing as IT support or a trusted vendor. In other cases, adversary-in-the-middle phishing kits proxy the legitimate login page and capture the one-time code as it’s entered. 

The code is valid. 

The authentication succeeds. 

The session is issued. 

In 2025, nearly a third of MFA spray attacks targeted identity access management (IAM) applications. Add to that a 178% surge in fraudulent device registration events, and the trend is clear: Attackers are targeting the mechanisms that issue invitations in the first place. 
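Why the relayed code above is accepted, and what changes when the credential is bound to the origin the browser is actually on, shown end to end. This is an added example, not code from the newsletter or from Talos. The TOTP half follows RFC 6238 with the RFC test seed; the passkey half is a deliberately simplified stand-in for a WebAuthn assertion (an HMAC keyed with a secret both sides hold, in place of the authenticator's ECDSA signature over a public-key credential), which is enough to show that the signed data includes the origin and that a proxied login therefore fails. The origins and hostnames are invented.

```python
"""Added example (not from the newsletter): an adversary-in-the-middle relay
against a one-time code succeeds; the same relay against an origin-bound
assertion fails. TOTP per RFC 6238; the 'passkey' is a simplified stand-in
for WebAuthn (HMAC instead of ECDSA, shared key instead of a public key)."""
import hashlib
import hmac
import json
import secrets
import struct

SECRET = b"12345678901234567890"          # RFC 6238 test seed, shared with the server
RP_ORIGIN = "https://login.corp.example"  # assumed legitimate origin
CRED_KEY = secrets.token_bytes(32)        # stand-in for the authenticator's private key


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def server_verify_totp(code: str, t: int, skew: int = 1) -> bool:
    """Accept the current window plus +-skew windows, as most servers do.
    Nothing here says who typed the code or where it was typed."""
    return any(hmac.compare_digest(code, totp(SECRET, t + d * 30))
               for d in range(-skew, skew + 1))


def aitm_relay_totp(t: int) -> bool:
    """Victim reads the code to the 'help desk', or types it into a proxied
    page; the attacker submits it to the real site a few seconds later."""
    code_given_to_attacker = totp(SECRET, t)
    return server_verify_totp(code_given_to_attacker, t + 5)     # True


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser, not the user, fills in the origin, and the authenticator
    signs over it together with the server's challenge. (Real WebAuthn signs
    authenticatorData || SHA-256(clientDataJSON) with ECDSA.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def server_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying party checks: origin and challenge first, then the signature.
    A real RP verifies with the stored public key; the shared key here is the
    simplification."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN or cd.get("challenge") != expected_challenge.hex():
        return False
    expected = hmac.new(CRED_KEY, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def aitm_relay_passkey() -> bool:
    """The proxy forwards the real site's challenge to the victim's browser,
    but that browser is on the phishing origin, so the signed client data
    names the wrong origin and the real site rejects it."""
    challenge = secrets.token_bytes(32)                         # issued by the real site to the proxy
    assertion = authenticator_sign(challenge, "https://login.corp-example.help")  # invented lookalike
    return server_verify_assertion(assertion, challenge)        # False


if __name__ == "__main__":
    now = 1_700_000_000
    print("relayed TOTP accepted:", aitm_relay_totp(now))
    print("relayed passkey accepted:", aitm_relay_passkey())
```

The relying-party check rejects on origin before it ever looks at the signature, which is the point: the victim did nothing wrong and the code or assertion was genuine, but only one of the two mechanisms carries any evidence of where the user actually was when they consented.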

“We talkin’ numbers now. And numbers always gotta be in conversation with each other.” - Smoke

In vampire mythology, the barrier holds until someone inside grants entry. In cybersecurity, the same principle applies. Access is increasingly granted, not forced. 

If you want to understand how measurable that shift has become, our 2025 Year in Review will be available on Monday on the Talos blog.

The one big thing 

Late on Friday, Cisco Talos updated our blog on the developing situation in the Middle East. Talos assesses that the recent cyber attack on the medical equipment manufacturing firm, Stryker, likely represents an opportunistic compromise rather than a systematic shift toward targeting the health care sector specifically. Nevertheless, the broader threat landscape remains elevated due to ongoing military operations in Iran, necessitating that all organizations increase vigilance and strengthen their defensive capabilities against destructive cyber activity. 

Why do I care? 

Destructive malware, often leveraged by Iranian threat actors, can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Disruptive cyber attacks against organizations in a target country may unintentionally spill over to organizations in other countries. The broader threat landscape remains elevated across all sectors amid ongoing military operations in Iran. 

So now what? 

Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response for such an event. Defenders should ensure security fundamentals are being adhered to, such as robust patching for known vulnerabilities, visibility into end-of-sale (EOS)/end-of-life (EOL) devices in your network with a plan to upgrade, and requiring multi-factor authentication (MFA) for remote access and on critical services. Patches for critical vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment should be prioritized. Organizations can also implement a patch management program that enables a timely and thorough patching cycle.  

We will update this blog with further developments accordingly.

Top security headlines of the week 

New .NET AOT malware hides code as a black box to evade detection 
This new Ahead-of-Time (AOT) method strips metadata away, turning the code into a black box, which forces experts to rely on manual, native-level tools to see what is actually happening under the hood. (HackRead)

SideWinder espionage campaign expands across Southeast Asia 
The suspected India-linked threat group targets governments, telecom, and critical infrastructure using spear-phishing, old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access. (Dark Reading)

Threat actor targeting VPN users in new credential theft campaign 
The campaign started in mid-January, luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection. (SecurityWeek)

Sears AI chatbot chats and audio files found exposed online 
A researcher discovered three publicly exposed, unprotected databases containing a total of 3.7M chat logs, audio recordings, and text transcripts of phone calls from 2024 to 2026. (Mashable)

BeatBanker Android trojan uses silent audio loop to steal crypto 
Most modern phones kill background apps to save battery, but these actors found a clever loophole. The app plays a tiny, five-second audio file on a loop. Your phone thinks it’s an active music player, so it won’t shut the app down. (HackRead)

Can’t get enough Talos? 

Everyday tools, extraordinary crimes: the ransomware exfiltration playbook 
Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoints, networks, and cloud environments rather than static tool indicators. 

Transparent COM instrumentation for malware analysis 
Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception. 

It's the B+ Team: Matt Olney returns 
Matt is back to talk with the crew about the most random things, including TikTok diagnosing us with ADHD, K-Pop Demon Hunters, ransomware in hospitals (the serious bit), attacker use of AI, and why 1999-era tricks are still undefeated. 

Modernizing your threat hunt 
David Bianco joins Amy to explore the evolution of the PEAK Threat Hunting framework and talk through how security teams can modernize their approach to identifying risks before they escalate.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
MD5: f3e82419a43220a7a222fc01b7607adc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
Example Filename: Accounts Final-2024 .exe  
Detection Name: Win.Dropper.Suloc::1201** 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg** 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js  
Detection Name: W32.38D053135D-95.SBX.TG

I'm locked in!

Hazel Burton, Cisco Talos Blog, January 29, 2026, 16:00

Welcome to this week’s edition of the Threat Source newsletter.

I’ve struggled a lot over the last few years with balance. I want to follow the news closely, but at the same time, I want to block everything out for self-preservation. 

Add in the fact that I love history and I’m an empath, and you’ve got a lovely concoction of feeling things intensely, mixed with echoes of “Haven’t we been here before?” Following the news means I’m always feeding both sides of my brain — the need for context, and the feeling of being overwhelmed.  

At times like these, I have to remind myself that caring isn’t a flaw, and neither is paying attention. 

History has had its bleak moments, of course, but it’s also full of stories about humanity and resilience. And, just as importantly, wonderful bouts of weirdness. Even in some of humanity’s darkest periods, people have still found ways to endure, show up for one another, and be strange. Creativity and humour don’t disappear during difficult times, and nor should they.  

So this week, I’m acknowledging how hard all of this feels. But I’m also giving myself permission to be a little distracted. 

If this resonates with you, may I suggest partaking in an episode of the U.K. TV show Taskmaster? It’s a simple premise: Five comedians are given a series of strange and deceptively complex tasks to impress the Taskmaster, U.K. comedian Greg Davies.  

Some of my favourite tasks have included: 

  • Paint a picture of a horse while riding a horse. 
  • Find out this stranger’s profession, but they are only allowed to lie. 
  • Do the most preposterous thing with a chickpea. 
  • Destroy a cake as beautifully as possible. 
  • Create a watercooler moment with a watercooler.

It sounds like a recipe for schadenfreude, but it isn’t. The show is designed to give funny people the space to be funny and human. You don’t watch hoping anyone fails — you actually end up rooting for them.  

In a recent series, comedians Stevie Martin and Jason Mantzoukas worked together on a task that involved moving a ball through the spokes of a railing using only wooden spoons. Every time they were about to move from one section to the next, they would shout, “I’m locked in!” It was joyful and tense at the same time, like watching a penalty shootout for a team you’ve supported your whole life. People now have tattoos of “I’m locked in!” 

I don’t know about you, but this week I’ve needed the reminder that people can still be creative, supportive, and ridiculous — even under pressure. 

What’s that? This is a security newsletter? Oh right. Here’s what we’ve been talking about this week:

The one big thing

Cisco Talos Incident Response’s report for Q4 2025 is now available. We observed that exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant.

Why do I care?

Attackers are quickly leveraging both newly disclosed and older vulnerabilities in internet-facing applications, underscoring the need for rapid patching and minimizing exposure. The increase in targeted phishing and MFA abuse demonstrates that adversaries are adapting their techniques to bypass common security controls. Public administration and under-resourced sectors remain highly attractive targets due to legacy systems and sensitive data.

So now what?

Security teams should focus on patching systems promptly, making sure MFA is well-configured and monitored, and keeping detailed logs to spot and investigate suspicious activity. Acting quickly and working closely with incident response experts can help limit the damage if an attack occurs. Read the blog for further recommendations.

Top security headlines of the week

Poland’s energy grid was targeted by never-before-seen wiper malware
After studying the tactics, techniques, and procedures (TTPs) used in the attack, ESET researchers said the wiper was likely the work of a Russian government hacker group, Sandworm. (Ars Technica)

Konni hackers target blockchain engineers with AI-built malware
Active since at least 2014, the North Korean hacker group Konni (aka Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. (Bleeping Computer)

Two high-severity n8n flaws allow authenticated remote code execution
Successful exploitation of the flaws could permit an attacker to hijack an entire n8n instance, including under scenarios where it's operating under "internal" execution mode. (The Hacker News)

US charges 31 suspects in nationwide ATM jackpotting scam
The total number of suspects is now 87. The group allegedly used a computer malware called Ploutus, active since 2015, to steal funds. (HackRead)

Can’t get enough Talos?

IR Tales from the Frontlines
Go beyond the blog with Talos IR on February 11. This live session features candid stories, behind-the-scenes insights, and strategic lessons learned from the most critical real-world incidents we faced last quarter. Register now!

The TTP: Less ransomware, same problems
Every quarter, Talos IR reviews the incidents we’ve responded to and looks for meaningful shifts in attacker behavior. Hazel is joined by Joe Marshall and Craig Jackson to break down what trends stood out in Q4.

UAT-8099: New persistence mechanisms and regional focus
Cisco Talos uncovered a new wave of attacks by UAT-8099 targeting IIS servers across Asia, with a special focus on Thailand and Vietnam. Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign.

Talos Takes: What encryption can (and can’t) do for you
Step into the fascinating world of cryptography. Amy, Yuri Kramarz, and Tim Wadhwa-Brown sit down to chat about what encryption really accomplishes, where it leaves gaps, and when defenders need to take proactive measures.

Upcoming events where you can find Talos

  • S4x26 (Feb. 23 – 26) Miami, FL 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe
Detection Name: Win.Worm.Coinminer::1201

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename: APQCE0B.dll
Detection Name: Auto.90B145.282358.in02

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

SHA256: e63ca039141d9ea9d14450c73d0ccb888dbb312a2e88193975adc566429eb7a2
MD5: 9da0e73c33026edd6c7e10cb34429d69 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e63ca039141d9ea9d14450c73d0ccb888dbb312a2e88193975adc566429eb7a2
Example Filename: AAct.exe
Detection Name: W32.Auto:e63ca0.in03.Talos

SHA256: ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f 
MD5: e41ae00985e350137ddd9c1280f04fc3 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f
Example Filename: tg-submit-JDs62cgS.exe 
Detection Name: Auto.ECD31E.252552.in02
