Welcome to this week’s edition of the Threat Source newsletter. 

“Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.” ― Richard Feynman  

“I had discovered that learning something, no matter how complex, wasn't hard when I had a reason to want to know it.” ― Homer Hickam, Rocket Boys  

*looks around at - gestures - everything*  

*opens a new tab in the browser, takes in the newest news on AI, a new tab on supply chains, a new tab on vulnerability, and a new tab on active exploitation and zero-days*   

*closes tabs and throws laptop into the nearest bin, à la Ron Swanson*  

*opens other laptop, avoids the internet*  

*puts on headphones for deep work binaural audio*  

*cracks knuckles*  

I’m often asked about why I bring up board games and video games when interviewing perspective analysts or threat hunters, so I’m going to give the 8,000 foot view on my thoughts. With everything that is going on, now more than ever we need the most curious people on the planet on our side.   

What’s the very first and most important step to securing any environment? Knowing the environment, inside and out. When you play any gameyou must understand the rules: the standard opening moves of chess, or Go, or perhaps the common resource-gathering patterns in strategy games. Once you understand what "normal" play looks like, you can immediately spot when an opponent makes a move that is inefficient or unusual — an anomalous trigger that, if spotted, can lead to victory.   

When experienced players recognize patterns (a specific chess gambit, a defensive build in a strategy game, etc.), they don't just react to the current move — they predict several moves into the future from both players, especially if they know their opponents' tendencies. As players gain experience and play against other skilled players, they begin involving feints or decoys (false flags, if you will). A player might sacrifice a minor piece to distract you from their true objective. Learning to look past that "noise" to find the real motivation is the key to taking your experience and skill to the next level.   

Threat actors rarely follow a predictable script. They constantly evolve tactics, techniques, and procedures (TTPs). Developing the mental flexibility to handle those unexpected, non-standard behaviors is essential in identifying the unknowns.  

The transition from board games to threat hunting is rooted in the development of critical thinking and situational awareness. While board games provide a controlled environment to practice these skills, the core competency — that ability to identify the why behind a deviation — is exactly what will make you a successful threat hunter.  

“I prefer to speak in metaphor: That way, no logic can trap me, and no rule can bind me, and no fact can limit me or decide for me what’s possible.” ― Claire Oshetsky, Chouette 

The one big thing 

Cisco Talos has observed threat actors weaponizing legitimate SaaS notification pipelines, such as those in GitHub and Jira, to deliver phishing and spam emails. By leveragingthese platforms' official infrastructure, attackers bypass traditional email authentication protocols like SPF, DKIM, and DMARC. This "Platform-as-a-Proxy" (PaaP) technique exploits the implicit trust organizations place in system-generated notifications to facilitate credential harvesting. These campaigns effectively mask malicious intent behind the reputation of trusted enterprise tools. 

Why do I care? 

Traditional email security gateways are often blind to these attacks because the emails are technically authenticated and originate from verified, trusted domains. This technique exploits "automation fatigue," where users are conditioned to reflexively trust system-generated alerts from business-critical platforms. Consequently, attackers can bypass standard perimeter defenses, making it harder to distinguish between legitimate business communications and sophisticated phishing attempts. 

So now what? 

Transition to a Zero-Trust approach by implementing instance-level verification and cross-referencing notifications against internal SaaS directories. Security teams should ingest SaaS API logs into their SIEM to detect anomalous precursor activities, such as suspicious project creation or mass invitations. Additionally, introduce friction for high-risk interactions by requiring out-of-band verification and apply semantic intent analysis to identify notifications that deviate from a platform's established functional baseline. 

Top security headlines of the week 

Tech giants launch AI-powered “Project Glasswing” 
Major technology companies have joined forces in an effort to use advanced artificial intelligence to identify and address security flaws in the world’s most critical software systems. (CyberScoop) 

Russian government hackers broke into thousands of home routers to steal passwords 
Fancy Bear, or APT 28, is known for its high-profile hacks and spying operations, including the breach of the U.S. Democratic National Committee in 2016 and the destructive hack that hit satellite provider Viasat in 2022. (TechCrunch) 

Storm-1175 deploys Medusa ransomware at “high velocity” 
Storm-1175 has rapidly exploited more than a dozen n-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access. (Dark Reading) 

North Korean hackers pose as trading firm to steal $285M from Drift 
A group of individuals approached Drift staff at a “major crypto conference,” presenting as a professional quantitative trading firm. They went so far as to deposit $1M of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. (HackRead) 

Telehealth giant Hims & Hers says its customer support system was hacked 
A spokesperson for Hims & Hers said the company was hit by a social engineering attack, and the stolen data “primarily included customer names and email addresses.” (TechCrunch) 

Can’t get enough Talos? 

New Lua-based malware observed in targeted attacks against Taiwanese organizations 
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” 

Vulnerabilities old and new and something React2 
2025 was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of the year. 

From the field to the report and back again 
The same Year in Review report that Talos IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles. Here’s how you can start. 

Talos Takes: 2025's ransomware trends and zombie vulnerabilities 
In this episode, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy "living off the land" tactics, we break down what these shifts mean for your defense strategy. 

Upcoming events where you can find Talos 

• OffensiveCon (May 15 – 16) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55  
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: content.js  
Detection Name: W32.38D053135D-95.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe 
Detection Name: Win.Dropper.Miner::95.sbx.tg** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe  
MD5: a2cf85d22a54e26794cbc7be16840bb1  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe  
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe  
Detection Name: W32.5E6060DF7E-100.SBX.TG

Welcome to this week’s edition of the Threat Source newsletter.  

"'Tis dangerous to take a cold, to sleep, to drink; but I tell you, my lord fool, out of this nettle, danger, we pluck this flower, safety." - Hotspur, Shakespeare’s Henry IV, Part 1: Act 2 Scene 3 

I get it. Hotspur is the quintessential hothead, and we all understand his place in the story. He’s famous for his fiery temperament and impatience with anything that smells of caution or compromise. Hotspur’s whole deal is that you have to take risks if you want to achieve anything worthwhile, but he’s not wrong... at least not fully. Anyone who has been in this field for a while has seen risks lead to disaster and risks lead to success. There is no silver bullet and there is no black and white.  

Wait, am I talking about Henry IV and cybersecurity? Yes. Yes, I am, but stick with me and I bet it will make sense to you, as well.  

The speed at which all sides have taken on the monumental task of leveraging AI is a paradigm shift, but as we go forward, run into potholes, and see simple avoidable mistakes, I’m reminded that all of this is cyclical. While this feels insurmountable at times, the reality is that the baseline is already starting to be met. Useful outcomes and capabilities are highlighting that the answer is still finding the smartest people in the room. If you know me at all, you’ve heard the axiom, “If you’re the smartest person in the room you’re in the wrong room.” That’s how I got to Talos (now I just hope that they don’t remember that I’m here). If you continue to find the smartest people in the room and surround yourself with them, you will find that peer group full of ideas in this paradigm-shifting era. Allow those ideas to plant seeds in your mind, take a few risks, and let them grow. Use some of these tools (responsibly) in ways that you don’t think will work. You learn from your failures, so take the chance to fail. 

I have been using AI to teach myself Golang and Rust by leveraging AI to convert my clunky Perl and Python scripts and broken or questionable proofs of concept into those languages. Sometimes it’s very smooth and works flawlessly, which in turn has made it harder for me to learn, but sometimes I hit the jackpot and it’s a mess. Those messes have taught me the most while frustrating me to new heights. All of this has provided me with new directions to explore. 

While it’s overwhelming to read each new story on security flaws found in tools, stories on the latest “hallucinated” errors, and the latest vibe-coded disaster, it’s important to remember that NIMDA happened. Code Red existed. The ILOVEYOU virus walked so that MyDoom could run. Sapphire/Slammer walloped networks, doubling in size every 8.5 seconds. Hotspur contends that we MUST take risks to gain security. In the end, he dies at Hal’s hands (429 year spoiler alert!) because Hal has patiently grown into the mantle of leadership and finds that he wears it well. I’d say that we stand to learn from both of them — Take some risks but continue to be patient and learn the nuance of these new tools, both their capabilities and pitfalls, remembering all the while that this is all new, but we’ve been here before.  

"The past is so much safer, because whatever's in it has already happened. It can't be changed; so, in a way, there's nothing to dread." - Margaret Atwood 

The one big thing 

Cisco Talos identified an ongoing campaign by UAT-10027, using a new backdoor we call "Dohdoor” since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH)  for stealthy command-and-control (C2) communications and can download and execute additional payloads within legitimate Windows processes. The campaign targets education and health care sectors in the US, using phishing, PowerShell scripts, and DLL sideloading, with C2 infrastructure hidden behind reputable services like Cloudflare. 

Why do I care? 

This threat demonstrates sophisticated techniques that evade traditional security controls, posing risks to organizations with sensitive data such as schools and hospitals. Dohdoor’s use of legitimate Windows tools and encrypted communications makes detection and response challenging. The campaign’s overlap with known APT tactics indicates a high level of adversary skill and persistence. The targeting of critical sectors raises the stakes for potential disruption and data theft. 

So now what? 

Security teams should make sure their detection tools are up-to-date with the latest ClamAV and SNORT® signatures we share in the blog. It’s important to keep an eye out for unusual DoH traffic and monitor legitimate Windows tools being used in unexpected ways. Reviewing endpoint logs for signs of anti-forensic activity and process hollowing can help spot infections early. Finally, sharing threat intelligence and best practices with other organizations in your sector can strengthen defenses and improve response to similar threats. 

Top security headlines of the week 

Operation Red Card 2.0 leads to 651 arrests in Africa 
In December and January, law enforcement officers from 16 African countries worked with Interpol and private companies to disrupt some major cybercriminal operations. (DarkReading) 

PayPal data breach led to fraudulent transactions 
Notification letters revealed that the cybersecurity incident was caused by an error in the PayPal Working Capital loan application. The personal information of a “small number of customers” was exposed for nearly six months. (SecurityWeek) 

Former L3Harris Trenchant boss jailed for selling hacking tools to Russian broker 
Williams was the general manager of the Trenchant division, which sells hacking and surveillance tools to the U.S. government and Five Eyes. (TechCrunch) 

Conduent data breach grows  
The spillover from a ransomware attack on one of the largest government contractors in the United States keeps getting bigger: More than 25 million people have now had personal data stolen in the hack. (TechCrunch) 

Spitting cash: ATM jackpotting attacks surged in 2025 
In 2025, criminals cracked 700 of ATMs across the U.S., marking a surprising spike in ATM attacks, according to the FBI, which has recorded around 1,900 incidents since 2020. (DarkReading) 

Can’t get enough Talos? 

Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.

“Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities 
A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing.

Upcoming events where you can find Talos 

• CARO Workshop 2026 (Feb. 25 – 27) Innsbruck, Austria 
• DEVCORE 2026 (Mar. 14) Taipei, Taiwan 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610 
MD5: 85bbddc502f7b10871621fd460243fbc 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610 
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe 
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: d4aa3e7010220ad1b458fac17039c274_64_Dll.dll 
Detection Name: Auto.90B145.282358.in02 

SHA256: d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 
MD5: 0c883b1d66afce606d9830f48d69d74b 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 
Example Filename: d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1.exe 
Detection Name: Win.Worm.Zard::95.sbx.tg

Welcome to this week’s edition of the Threat Source newsletter. 

“Upon us all a little rain must fall” — Led Zeppelin, via Henry Wadsworth Longfellow  

I recently bumped into a colleague with whom I spent several years working in an MSSP environment. We had very different roles within the organization, so our viewpoints, both then and now, were very different. He asked me the question I hear almost every time I speak somewhere: “What do you think are the most essential things to protect your own network?” This always leads to my top answer — the one that no one ever wants to hear. 

“Know your environment.” 

It led me down a path of thinking about how cyclical things are in the world of cybersecurity and how we, the global “we”, have slipped back to a place where reconnaissance is too largely ignored in our day-to-day workflow. 

Look, I know that we all have alert fatigue. We’re managing too many devices, dealing with too many data points, generating too many logs, and facing too few resources to handle it all. So my “Let’s not ignore reconnaissance” mantra might not be regarded well at first.  

Here’s the thing: It’s always tempting to trim your alerts and reduce your ticketing workload. After all, attack signals seem more “impactful” by nature, right? But I've always believed it’s a mistake to dismiss reconnaissance events to clear the way for analysts to look for the “real” problems. I always go back to my first rule: “Know your environment.” The bad actors are only getting better at the recon portion, both on the wire and in social engineering. 

AI tooling has made a lot of the most challenging aspects of reconnaissance automagical. If you search the dark web for postings from initial access brokers (IABs), you’ll find that they excel in reconnaissance and understanding your ownenvironment. They’re quick to find every Windows 7 machine still on your network, not to mention your unpatched printers, smart fridges, and vulnerable thermostats. 

I get that we can’t get spun up about every half-open SYN, but spotting when these events form a pattern is exactly what we’re here for, and it’s as important as tracking down directory traversal attempts. 

“Behind the clouds is the sun still shining;  
Thy fate is the common fate of all...” — Henry Wadsworth Longfellow

The one big thing 

Cisco Talos researchers recently discovered and disclosed vulnerabilities in Foxit PDF Editor, Epic Games Store, and MedDream PACS, all of which have since been patched by the vendors. These vulnerabilities include privilege escalation, use-after-free, and cross-site scripting issues that could allow attackers to execute malicious code or gain unauthorized access.

Why do I care? 

 These vulnerabilities could have enabled attackers to escalate privileges, execute arbitrary code, or compromise sensitive systems, potentially leading to data breaches or system outages. Even though patches are available, unpatched systems remain at risk.

So now what? 

Organizations should make sure all affected software is updated with the latest patches and review security monitoring for signs of exploitation attempts. Additionally, defenders should implement layered defenses and educate users on the risks of opening suspicious files or clicking unknown links to reduce the likelihood of successful attacks. 

Top security headlines of the week 

How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East 
TechCrunch analyzed the source code of the phishing page, and believes the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. (TechCrunch) 

LastPass warns of fake maintenance messages targeting users' master passwords 
The campaign, which began on or around Jan. 19, 2026, involves sending phishing emails claiming upcoming maintenance and urging them to create a local backup of their password vaults in the next 24 hours. (The Hacker News) 

Everest Ransomware claims McDonalds India breach involving customer data  
The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861GB of customer data and internal company documents. (HackRead) 

North Korea-linked hackers pose as human rights activists, report says  
North Korea-linked hackers are using emails that impersonate human rights organizations and financial institutions to lure targets into opening malicious files. (UPI) 

Hackers use LinkedIn messages to spread RAT malware through DLL sideloading 
The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). (The Hacker News) 

Can’t get enough Talos? 

Engaging Cisco Talos Incident Response is just the beginning 
Sophisticated adversaries leave multiple persistence mechanisms. Miss one backdoor, one scheduled task, or one modified firewall rule, and they return weeks later, often selling access to other criminal groups. 

Talos Takes: Cyber certifications and you 
In the first episode of the year, Amy Ciminnisi, Talos’ Content Manager and new podcast host, steps up to the mic with Joe Marshall to explore certifications, one of cybersecurity’s overwhelming (and sometimes most controversial) topics. 

Microsoft Patch Tuesday for January 2026 
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical.”   

Upcoming events where you can find Talos 

• JSAC (Jan. 21 – 23) Tokyo, Japan 
• DistrictCon (Jan. 24 – 25) Washington, DC 
• S4x26 (Feb. 23 – 26) Miami, FL  

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQCE0B.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
Example Filename: VID001.exe  
Detection Name: Coinminer:MBT.26mw.in14.Talos