Cisco Talos Blog, posts by Amy Ciminnisi

Unplug your way to better code

7 May 2026, 15:00

Welcome to this week’s edition of the Threat Source newsletter.

Hey, you. Yeah, you! The person endlessly scrolling or typing away at their computer. Did you touch grass today? It's just an expression, but if nature’s your thing, that works just fine.

What I do mean is that due to the nature of the field, cybersecurity is incredibly intangible. You can’t reach out and touch your logs, or the packets traversing your network, or the concept of DNS exfiltration... and if you tried, you’d just feel the smooth surface of your computer screen. (What a boring texture.) Spending all our time in the abstract can create some serious mental fatigue.

My point is that there’s something powerful to be said about engaging with the physical world. When we engage in a tactile hobby, we give our brains a hard reset. By moving from the abstract to the physical, our brains get the time and space to process the complex problems we’ve been staring at, often leading to the “aha!” moment that never comes when you're trying to force it.

The other week, I was working in the Talos office with the Creative team. It was a quiet afternoon, people’s energy sapped by stomachs full of Mediterranean food. That was swiftly interrupted (in the best way) when Joe Marshall came into our work area with his miniature painting kit, broke it open, and started teaching us how to drybrush 3D-printed figurines. Everyone immediately came alive. While I didn’t partake (I know, “Do as I say, not as I do”), it reminded me of how revitalized I feel when I get outside for a walk during lunch or spend 10 minutes knitting in silence between meetings. There’s nothing to focus on but the feel of the yarn between your fingers, the clacking of the needles, and the repetitive motions that result in a physical object you can wear and fish for compliments about.

Speaking of, do you think the vest I knit is cool? All compliments can be sent to me on LinkedIn, and I refuse to accept any negative comments. (Critiques are fine.)


Ahem... anyway. Go on a walk without your earbuds, listen to the wind through the leaves, ask a stranger to pet their dog, watch a pigeon bop its head around, and reach out to touch a cool-looking rock or the lichen on a tree. I hear you saying, “That’s some tree-hugging bullshit,” and counter you with, “Just humor me, okay? What’s the worst that could happen?”

If you’re more of an inside person, the goal might be to find a physical anchor for your technical interest. Maybe it’s building a mechanical keyboard from scratch — feeling the weight of the switches and hearing the click of the keycaps. Maybe it’s a complicated LEGO set. Even something as simple as making espresso or organizing your bookshelf can provide that sensory feedback your brain is craving.

If you're not currently facing a life-altering deadline, take 10 minutes and try it now. The rest of the newsletter isn’t going anywhere, I promise.

When you pay attention to the noises you hear, the colors you see, and the textures under your fingertips, you might come back to your laptop refreshed, focused, and ready to solve the next problem.

The one big thing 

Cisco Talos has recently expanded our threat intelligence capabilities to track phone numbers as critical indicators of compromise (IOCs) in scam emails. Our latest research reveals that attackers heavily favor API-driven VoIP numbers to execute high-volume, cost-effective Telephone-Oriented Attack Delivery (TOAD) campaigns. To evade detection, these threat actors rotate through sequential blocks of numbers, use strategic cool-down periods, and recycle the exact same digits across completely unrelated lures and impersonated brands. 

Why do I care? 

Tracking ephemeral sender email addresses is a losing game, but phone numbers are the true operational anchors for these organized scam call centers. Because attackers reuse these numbers across multiple document types and brand impersonations, defenders who cluster this telephony infrastructure can expose the broader network of malicious activity. Understanding these reuse patterns gives defenders a much-needed edge in mapping out and dismantling these operations before users are manipulated into handing over sensitive data. 

So now what? 

Security teams should shift their focus toward clustering scam lures based on shared phone numbers and prioritize real-time reputation monitoring to flag high-risk infrastructure. Deploying an AI-powered email security solution like Cisco Secure Email Threat Defense can also help evaluate different portions of incoming emails to catch these targeted threats. A full list of indicators of compromise (IOCs) associated with these campaigns can be found in the blog.
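The clustering step described above, as an added example that is not Talos code: it pulls callback numbers out of lure bodies, normalizes them, maps each number to the lures, impersonated brands and attachment types it appears in, flags numbers recycled across unrelated lures, and groups numerically adjacent numbers that suggest a rotated block. The lure texts, brands, attachment types and phone numbers are constructed for illustration; treating bare 10-digit numbers as NANP (+1) and the block gap of 10 are assumptions, not anything the research states.

```python
"""Cluster TOAD-style scam lures by the callback phone numbers they share.

Added example, not Talos code. The lure texts, brands, attachment types and
numbers are constructed; treating bare 10-digit numbers as NANP (+1) and the
block gap of 10 are assumptions.
"""
import re
from collections import defaultdict
from typing import Optional

# Candidate run: optional '+', then digits with the separators scammers use.
PHONE_RE = re.compile(r"\+?[\d(][\d\s().-]{8,}\d")

# Constructed sample lures: (lure_id, impersonated_brand, attachment_type, body_text)
SAMPLE_LURES = [
    ("L1", "PayPal", "pdf", "Your order of $499 was placed. To cancel call +1 (833) 555-0142 now."),
    ("L2", "Norton", "docx", "Renewal charged. To dispute call 833-555-0142."),
    ("L3", "GeekSquad", "png", "Support line 1.833.555.0143, open 24/7."),
    ("L4", "McAfee", "html", "Call (833) 555-0144 to stop auto-renewal."),
    ("L5", "PayPal", "pdf", "Invoice attached. Questions? +44 20 7946 0958"),
    ("L6", "Acme", "pdf", "Meeting at 10:30 on 2026-05-07, room 1201."),  # no phone number
]


def normalize(raw: str) -> Optional[str]:
    """Reduce a matched run to country-code-prefixed digits, or None if not a plausible number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10 and not raw.startswith("+"):
        digits = "1" + digits  # assumption: bare 10-digit numbers are NANP
    return digits if 11 <= len(digits) <= 15 else None


def extract_numbers(text: str) -> list:
    """Distinct normalized callback numbers in a lure body, in order of appearance."""
    found = []
    for match in PHONE_RE.finditer(text):
        number = normalize(match.group(0))
        if number and number not in found:
            found.append(number)
    return found


def cluster_by_number(lures) -> dict:
    """number -> [(lure_id, brand, doc_type), ...]: the telephony pivot the text describes."""
    clusters = defaultdict(list)
    for lure_id, brand, doc_type, body in lures:
        for number in extract_numbers(body):
            clusters[number].append((lure_id, brand, doc_type))
    return dict(clusters)


def reused_numbers(clusters) -> dict:
    """Numbers recycled across more than one brand or document type."""
    reused = {}
    for number, hits in clusters.items():
        brands = {brand for _, brand, _ in hits}
        doc_types = {doc_type for _, _, doc_type in hits}
        if len(brands) > 1 or len(doc_types) > 1:
            reused[number] = {"lures": [h[0] for h in hits], "brands": brands, "doc_types": doc_types}
    return reused


def sequential_blocks(numbers, max_gap: int = 10) -> list:
    """Group numbers whose values lie within max_gap of the previous one: a likely rotated block."""
    blocks = []
    for number in sorted(numbers, key=int):
        if blocks and int(number) - int(blocks[-1][-1]) <= max_gap:
            blocks[-1].append(number)
        else:
            blocks.append([number])
    return [b for b in blocks if len(b) > 1]


if __name__ == "__main__":
    clusters = cluster_by_number(SAMPLE_LURES)
    for number, info in reused_numbers(clusters).items():
        print(f"{number}: lures={info['lures']} brands={sorted(info['brands'])} types={sorted(info['doc_types'])}")
    print("sequential blocks:", sequential_blocks(clusters))
```

The regex deliberately errs toward recall and leans on the digit-count filter to discard dates, prices and room numbers; in practice the input would come from parsed MIME bodies and from text extracted out of the PDF and image attachments these lures favor, and each number would be checked against a reputation feed before it is treated as an anchor.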

Top security headlines of the week 

DigiCert revokes certificates after support portal hack 
The attack, the company said in a detailed report, occurred on April 2, when a threat actor targeted DigiCert’s support team with a malicious payload delivered via a customer chat channel, disguised as a screenshot. (SecurityWeek)

Ubuntu services hit by outages after DDoS attack 
The DDoS-for-hire service in this case claims to power attacks in excess of 3.5 Tbps, which is about half of the bandwidth of a cyberattack that Cloudflare last year called the “largest DDoS attack ever recorded.” (TechCrunch)

Canvas maker Instructure reveals data breach 
Instructure said the actors accessed “certain identifying information of users” at affected institutions, including names, email addresses, student ID numbers, and user communications. (TechRadar)

Exploitation of “Copy Fail” Linux vulnerability begins 
Threat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns. Dubbed Copy Fail, the security defect impacts all Linux distributions since 2017. (SecurityWeek)

Student hacked Taiwan high-speed rail to trigger emergency brakes 
According to local reports, the student halted four trains for 48 minutes by using software-defined radio (SDR) communications and handheld radios to transmit a high-priority “General Alarm” signal, triggering emergency braking procedures. (BleepingComputer)

Can’t get enough Talos? 

Tales from the Frontlines 
In this briefing, we’ll share behind-the-scenes insights from the most critical and high-impact incidents we responded to in the last quarter. This isn't a report walkthrough; it's a look at what really happened, how we handled it, and what it means for your organization. 

UAT-8302 and its box full of malware 
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus APT group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. 

CloudZ RAT potentially steals OTP messages using Pheno plugin 
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” 

The trust paradox: How attackers weaponize legitimate SaaS platforms 
In this episode of Talos Takes, Amy Ciminnisi sits down with researcher Diana Brown to discuss the rise of "platform-as-a-proxy" (PAP) attacks. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
MD5: dbd8dbecaa80795c135137d69921fdba  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
Example Filename: u112417.dat  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 


[Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025

21 April 2026, 09:29

In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. Amy and Martin Lee explore the alarming rise of internal phishing campaigns that bypass traditional perimeter defenses, including the widespread weaponization of Microsoft 365's Direct Send feature. Beyond simple phishing, we analyze the aggressive, blended operations of state-sponsored actors from China and North Korea who are combining high-level zero-day exploits with sophisticated social engineering. From the "Dear Leader" interview test to the reality of fake developer personas, we break down exactly how these adversaries are infiltrating modern organizations.

View the 2025 Year in Review here.


More than pretty pictures: Wendy Bishop on visual storytelling in tech

16 April 2026, 07:00

In this episode of Humans of Talos, Amy sits down with Wendy Bishop, Head of Creative, to explore the vital role of design in the world of cybersecurity. From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.

Whether you're a creative professional looking to break into the cybersecurity industry or simply curious about the people behind our security intelligence, this conversation offers a fascinating look at the artistic side of Talos' mission to keep the digital world safe.

Amy Ciminnisi: Wendy, welcome! We haven’t had anyone from creative here yet. Can you talk to me a little bit about what drew you into creative work and how your career evolved into what it is now at Talos?

Wendy Bishop: I never in my entire life thought I would do anything besides something creative. It’s the only thing I’ve ever known. I have so many memories in my childhood of just being locked in my moody teenage bedroom. In high school, I started doing web design courses, and I think that’s when I really started being interested in a graphic design path. I learned Photoshop and basic HTML/CSS stuff as a side hobby. I moderated a message board for my favorite pop-punk band in high school. When it came time to go to college, there was nothing I wanted to do otherwise besides design. I found myself at Ohio University — that’s where I’m from, Ohio — in the School of Visual Communication.

I went off to a job working in newspapers. I actually never thought I would, but it was the job I found after college, and I designed news pages. It sounds funny now; it was already dying then, probably not the best long career path. But I think my background in journalism and communication-driven design is really what made me a great fit for the kind of design work we do here at Talos. We work with complicated materials, and a lot of the creative work we do is comms-driven. Our blog in some ways functions as a news outlet, so visual storytelling is a lot of my job. But of course, we have a lot of regular, branding-based design work now that comes out of my team.

AC: We just had a really big report come out that has occupied our minds for months, especially over here in design. Can you talk a little bit about the 2025 Year in Review and share what that process is like?

WB: When it starts to take shape, I look over that draft with the team and we talk about each graphic. I say, "That one might be better if we did this," or "This is missing that piece for when it goes into production." I really start to wrap my mind around the various assets and how we would go about taking what is essentially an Excel graphic or something created in PowerPoint and making it into a much more polished and designed presentation.

We get a sneak peek, and then one day it lands on your desk, Amy. From there, my designers and I put it together. It’s a lot about putting that puzzle together, thinking about what makes sense on each page, making sure the content flow is clean and linear, and the adjacencies of the graphics are in the right place. I come to you and say, "Amy, I need a headline," or "Does this make sense?" We come up with a look and feel and theme for the whole report every year that’s greater than just the layout of the document. That gets extended to all the other companion pieces — our videos, social graphics, and any continuing campaign pieces.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.


Talos Takes: 2025's ransomware trends and zombie vulnerabilities

7 April 2026, 09:03

Join Amy and Pierre Cadieux as they unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy living-off-the-land tactics, we break down what these shifts mean for your defense strategy.

Why are attackers increasingly targeting your management infrastructure? How do you spot the difference between a system admin and a threat actor? Tune in to hear Talos' insights on how to move beyond reacting to threats and start building a more resilient, proactive security posture for the year ahead.

View the 2025 Year in Review here.


A puppet made me cry and all I got was this t-shirt

26 March 2026, 15:00

Welcome to this week’s edition of the Threat Source newsletter. 

Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie. 

(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!) 

Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It's a one-way trip, and he’ll eventually die in space alone... or so he thinks. 

The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world. 

While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire process of creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age. 

The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people. 

We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here's a taste of our findings: 

  • React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being disclosed in June. 
  • About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks. 
  • Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications. 
  • Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing. 
  • Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January. 

We also offer insights on AI and state-sponsored threats, so be sure to view the full report.

In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can't save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community. 

When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!” 

Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.


The one big thing 

One of the main themes from the 2025 Year in Review's vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff. 

Why do I care? 

Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers. 

So now what? 

Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.
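One way to put "consider the impact on identity when prioritizing the patching of network devices" into practice, as an added example that is not Talos code and not a Talos scoring method: each finding is scored by CVSS scaled by how much identity leverage its asset class gives an attacker, how many downstream systems the asset controls, whether it is internet-facing, and whether exploitation is already observed. The role weights, asset names, CVSS values and downstream counts are constructed assumptions for illustration; the point is the ordering that falls out, where a management platform with an 8.8 outranks an endpoint with a 9.8.

```python
"""Rank vulnerability findings by identity impact rather than CVSS alone.

Added example, not Talos code and not a Talos scoring method. The role
weights, asset names, CVSS values and downstream counts are constructed.
"""
import math
from dataclasses import dataclass

# Assumed weights: how far a compromise of this asset class lets an attacker
# act as other identities (impersonate users, bypass MFA, rewrite policy).
IDENTITY_WEIGHT = {
    "adc": 3.0,           # ADC terminating SSO/MFA sessions for many apps
    "network_mgmt": 3.0,  # platform holding device credentials and automation
    "vpn_gateway": 2.5,
    "firewall": 2.0,
    "endpoint": 1.0,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    role: str
    cvss: float
    exploited_in_wild: bool
    internet_facing: bool
    downstream_systems: int  # systems whose identities or config this asset controls


def identity_risk(f: Finding) -> float:
    """CVSS scaled by identity leverage, downstream reach, exposure and active exploitation."""
    role_weight = IDENTITY_WEIGHT.get(f.role, 1.0)
    reach = 1.0 + math.log10(1 + f.downstream_systems)  # 0 downstream -> 1.0, 99 -> 3.0
    exposure = 1.5 if f.internet_facing else 1.0
    exploited = 2.0 if f.exploited_in_wild else 1.0
    return round(f.cvss * role_weight * reach * exposure * exploited, 2)


def prioritize(findings):
    """Return findings in the order they should be patched, highest identity risk first."""
    return sorted(findings, key=identity_risk, reverse=True)


# Constructed findings; the CVSS values are illustrative, not tied to real advisories.
SAMPLE_FINDINGS = [
    Finding("laptop-4421", "endpoint", 9.8, True, False, 0),
    Finding("core-adc-01", "adc", 7.5, False, True, 80),
    Finding("netmgmt-01", "network_mgmt", 8.8, True, False, 300),
    Finding("vpn-gw-02", "vpn_gateway", 6.5, False, True, 40),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{identity_risk(f):8.2f}  {f.asset:<12} role={f.role} cvss={f.cvss}")
```

The logarithm keeps a platform that touches hundreds of systems ahead of one that touches a handful without letting raw counts swamp everything else; the weights themselves should come from your own asset inventory, in particular which appliances actually sit in the SSO and MFA path.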

Top security headlines of the week 

U.S. Department of Energy publishes five-year energy security plan 
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents. (SecurityWeek)

Someone has publicly leaked an exploit kit that can hack millions of iPhones 
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch)

Checkmarx KICS code scanner targeted in widening supply chain hit 
Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading)

Attackers hide infostealer in copyright infringement notices 
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer easy for threat actors to use. (Dark Reading)

Oracle releases emergency patch for critical identity manager vulnerability 
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. (SecurityWeek)

Can’t get enough Talos? 

Today only: Ask us anything 
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now! 

Year in Review highlights 
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed. 

Gravy, glutes, and the Talos Year in Review 
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East. 

Cybersecurity’s double-header 
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll 
Detection Name: Auto.90B145.282358.in02 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe 
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe 
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js 
Detection Name: W32.38D053135D-95.SBX.TG 


Talos Takes: 2025 insights from Talos and Splunk

26 March 2026, 09:48

In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos' original research, and Talos Incident Response engagements.

From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.

View the 2025 Year in Review today.


Spinning complex ideas into clear docs with Kri Dontje

11 March 2026, 07:00

Welcome back! This week, we're shining a spotlight on Kri Dontje, a technical writer who’s become an essential voice in making Cisco Talos' work understandable for a wide audience. With a background in technical communications and a career that began at a small startup, Kri discusses the importance of consistency, accuracy, and accessibility in documentation, as well as how to get the most out of a subject matter expert-technical writer relationship.

Now transitioning into a new role, Kri continues to bridge the gap between deep technical expertise and clear communication. When she’s not decoding cyber jargon, she’s hand-spinning yarn for stunning knit pieces, showing that creativity and tech go hand in hand. Keep an eye out for more content featuring Kri in the future.

Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?

Kri Dontje: Absolutely. I have a technical writing degree — technical communications — which means I translate very technical topics into something that other people can understand if they're not necessarily experts in that field. I've had a very nontraditional career. My first position was at a very small company, 14 people at its largest. I did documentation, design and demonstration videos, and rebuilt their help system from the ground up. It was interesting and terrifying because I was learning it completely alone.

I'm also a huge nerd and a learning junkie, which helps with this kind of job. I enjoy being around people who are into really complex things and talking to them about it. I spent a lot of time around a local miniatures wargaming shop and became friends with a bunch of nerds, some of whom have migrated into Talos.

I transitioned over to the strategic communications team as a research engineer. I’m going to focus more on communicating about Talos at a slightly more technical level than our communications have been to the public for a while, while still creating content that makes Talos accessible for people as much as possible.

AC: What do you think are the most important qualities or skills that make someone a really good technical writer, especially in a fast-changing landscape like cybersecurity?

KD: That’s a big contradiction. One of the most important things for tech writing is consistency and accessibility. It’s not a career that encourages adjectives. You want to use the same word to mean the same thing every time because if you use a fun synonym, the reader might think it’s an entirely different concept.

Versioning is a big problem. People won’t trust documentation if they find bad information in it. They’ll never think it’s a reasonable place to go again. So keeping things accurate is really important.

Being snoopy and not being afraid to feel real stupid in front of extremely smart people is also key. Usually, you can find common ground. It’s important to recognize you’re not talking down to the audience or making the information for stupid people. Even within Talos and the cyber community, everyone has broad-ranging specialties. Most people don’t know what others do or can’t figure it out without spending a lot of time and energy they don’t need to. So the important thing is to bring the information to a level where other very intelligent people can cross-reference it and make it applicable to what they’re doing.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Hand over the keys for Shannon’s shenanigans

Cisco Talos Blog, Amy Ciminnisi
February 12, 2026, 16:00

Welcome to this week’s edition of the Threat Source newsletter.  

Last week, yet another security AI tool made the rounds on social media: Shannon, a fully autonomous AI penetration testing tool created by Keygraph. It “autonomously hunts for attack vectors in your code, then uses its built-in browser to execute real exploits, such as injection attacks, and auth bypass, to prove the vulnerability is actually exploitable.” 

If you thought manual pentesters kept you busy, it looks like Shannon’s here to ensure you never run out of vulnerabilities — or questions. 

As with every new advancement in AI, social posts are popping up left and right to question Shannon’s future impact on pentesters’ job security. It goes without saying these days that among the many thoughtful questions are comments praising Shannon and bemoaning the “old days” with a few obviously canned AI slop quips, which infuriates me as an editor — I could go on for days about this, but we’re getting off-topic. Ahem. 

Shannon requires access to the application’s source code, repository layout, and AI API keys. Even as a cybersecurity novice, I know that this in itself is a major liability that organizations should investigate and weigh carefully before proceeding. In last week’s newsletter, Joe gave a passionate sermon on why feeding highly private information to an agentic engine is nine times out of ten a terrible idea. While I hope Shannon is more secure than Clawdbot, given its intended use, I encourage everyone to ask as many questions as possible about what happens to the information you provide before using it. Quoting Joe, “As disciples of security, we understand installing first and asking questions later is practically asking to get pwnt.” 

Other questions I've had while reading through comments and exploring the GitHub page: 

  • Can you set scoping guidelines? If not, you might end up with a lot of issues that’ll take a lot of time to fix. 
  • No penetration test is truly representative of attackers’ situations (e.g., attackers don’t work within billable hours or two-week schedules, and only have to find one or a set of vulnerabilities). Relying on access to source code widens the gap between simulated and real-world attacks... I guess this wasn't a question, huh? 
  • For the companies who choose to use Shannon, how are you using the report it produces to improve not only your product, but also your secure development lifecycle and your developers’ skills? Make a conscious decision: Are you going to rely on Shannon as a quick fix, or integrate it and secure development into your coding practices? 

AI-powered pentesters aren’t going away any time soon. Anthropic’s Claude Opus 4.6 was also released last week. Unlike Shannon, Anthropic added a new layer of detection to support its team in identifying and responding to cyber misuse of Claude. 

As the landscape evolves, tools like Shannon and Claude Opus 4.6 will continue to push the boundaries of what’s possible, and there will be new questions about risk, responsibility, and readiness. Whether these tools become standard or remain controversial, staying informed and vigilant is as important as ever. 

The one big thing 

Cisco Talos has uncovered a new threat actor, UAT-9921, using the advanced VoidLink framework to target mainly Linux systems. VoidLink stands out for its modular, on-demand plugin creation, auditability, and ability to evade detection, with features rarely seen in similar threats. UAT-9921 has been active since at least 2019, focusing on the technology and financial sectors, and uses advanced techniques for both compromise and stealth. 

Why do I care? 

VoidLink introduces powerful new methods for attackers to compromise, control, and hide within Linux environments, which are common in critical infrastructure and cloud services. Its ability to quickly generate customized attack tools and evade detection makes it harder for defenders to respond. The framework's advanced stealth and lateral movement features increase the risk of undetected breaches and data theft. 

So now what? 

Update your defenses and use the Snort rules and ClamAV signature mentioned in the blog to help detect and block VoidLink activity. Strengthen Linux security, especially for cloud and IoT environments, and monitor for unusual network activity or signs of lateral movement. Make sure endpoint detection solutions are up to date and configured to recognize the latest threats. 

Top security headlines of the week 

SolarWinds WHD attacks highlight risks of exposed apps 
Several vendors in recent days have warned of exploitation of vulnerabilities in WHD, though it's not entirely clear which bugs are under attack. (Dark Reading, SecurityWeek)

Ivanti EPMM exploitation widespread as governments, others targeted 
Ivanti released advisories on Jan. 29 for code injection vulnerabilities in the on-premises version of Endpoint Manager Mobile. Researchers warn the activity shows evidence of initial access brokers preparing for future attacks. (Cybersecurity Dive)

New “ZeroDayRAT” spyware kit enables total compromise of iOS, Android devices 
Once installed, capabilities include victim and device profiling, including model, OS, country, lock status, SIM and carrier info, dual SIM phone numbers, app usage broken down by time, preview of recent SMS messages, and more. (SecurityWeek)

European Commission probes intrusion into staff mobile management backend 
Brussels is digging into a cyber break-in that targeted the European Commission's mobile device management systems, potentially giving intruders a peek inside the official phones carried by EU staff. (The Register)

Can’t get enough Talos? 

Humans of Talos: Ryan Liles, master of technical diplomacy  
Amy chats with Ryan Liles, who bridges the gap between Cisco’s product teams and the third-party testing labs that put Cisco products through their paces. Hear how speaking up has helped him reshape industry standards and create strong relationships in the field. 

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework 
Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. 

Talos Takes: Ransomware chills and phishing heats up 
Amy is joined by Dave Liebenberg, Strategic Analysis Team Lead, to break down Talos IR’s Q4 trends. What separates organizations that successfully fend off ransomware from those that don’t? What were the top threats facing organizations? Can we (pretty please) get a sneak peek into the 2025 Year in Review? 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 


Ryan Liles, master of technical diplomacy

Cisco Talos Blog, Amy Ciminnisi
February 12, 2026, 08:00

Cisco Talos is back with another inside look at the people who keep the internet safe. This time, Amy chats with Ryan Liles, who bridges the gap between Cisco’s product teams and the third-party testing labs that put Cisco products through their paces. Ryan pulls back the curtain on the delicate dance of technical diplomacy, how he keeps his cool when the stakes are high, and how speaking up has helped him reshape industry standards. Plus, get a glimpse of the hobbies that keep him recharged when he’s off the clock.

Amy Ciminnisi: Ryan, you shared that you are on the Vulnerability Research and Discovery team, but you work in a little bit of a different niche. Can you talk a little bit about what you do?

Ryan Liles: My primary role is to work with all of the Cisco product teams. So anybody that Talos feeds security intelligence to — Firewall, Email, Endpoint — anybody that we write content for, I work with their product teams to help get their products tested externally. Cisco can come out all day and say our products are the best at what they do, but no one's going to take our word for it. So we have to get someone else to say that for us, and that's where I come in.

AC: Third-party testing involves coordinating with external organizations and standards groups. You mentioned it can be difficult sometimes and you have to choose your words carefully. What are some of the biggest challenges you face when working across these various groups? Do you have a particular method of overcoming them?

RL: The reason I fell into this role at Cisco is because of all the contacts I made while working at NSS Labs. The third-party testing industry for security appliances is like a lot of the rest of the security industry — very small. Even though there's a large dollar amount tied to it in the marketplace, the number of people in it is very small. So you're going to run into the same personalities over and over again throughout your career in security. Because I try to generally be friendly with those people and keep my network alive, I have a lot of personal relationships that I can leverage when it comes to having difficult conversations.

By difficult conversations, I mean if we've found a bug in the product or if a third-party test lab acquired our product through means not involving us and did some testing that didn't turn out great, I can have the conversations with them where we discuss both technically what was their testing methodology and how did they deploy the products. If there were instances where we feel maybe they didn't deploy the product correctly or there's some flaws in their methodology, being able to have that kind of discussion with a test lab, while not frustrating them, takes a lot of diplomatic skills. I think that's the biggest contributor to my success in this role — being able to have those conversations, leaving emotion out of things, and just sticking to the technical facts and saying, here's what went wrong, here's what went right, let's figure out the best way to fix this. That has really contributed to how Cisco and Talos interface with third-party testing labs and maintain those relationships.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Brushstrokes and breaches with Terryn Valikodath

Cisco Talos Blog, Amy Ciminnisi
January 14, 2026, 08:00

Cisco Talos is kicking off the new year with a behind-the-scenes look at incident response through the eyes of Terryn Valikodath, Senior Incident Response Consultant at Talos. In this episode, Amy sits down with Terryn to explore the realities of a job that blends technical know-how with communication skills, proactive planning, and a passion for problem-solving. Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during cyber range trainings, and the creative outlets that help him recharge.

Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?

Terryn Valikodath: Absolutely. I’m a Senior Incident Response Consultant, so essentially an incident responder. The unique thing about our team is that we handle both proactive and reactive work. On the proactive side, we help develop incident response plans, run tabletop exercises, threat hunts, training, and similar tasks. On the reactive side, we step in when an organization experiences a security event, investigate, and provide recommendations to get them back up and running. It’s rewarding to see both sides of the work.

AC: On my end, I'm always amazed at all the different services Cisco Talos Incident Response provides. Is it difficult to balance them, and is there a part of the job you enjoy most?

TV: It definitely takes some getting used to since most cybersecurity roles focus on either proactive or reactive tasks, not both. But it’s helpful, because our direct experience informs the advice we give. For example, when we develop an incident response plan, we can reference real situations we’ve handled. That builds trust with customers. My favorite aspect is running cyber range trainings — a three-day course where we teach technical folks how to handle incident response. I’m passionate about teaching, both externally and within our team. I enjoy demystifying the field and showing people that it’s about dedication and learning, not just being a specialist.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Resolutions, shmesolutions (and what’s actually worked for me)

Cisco Talos Blog, Amy Ciminnisi
January 8, 2026, 16:00

Welcome to this week’s edition of the Threat Source newsletter. 

I went to bed at 8:30 p.m. on New Year’s Eve, and I think that’s pretty indicative of how I approach the whole idea of New Year’s resolutions. 

I love to count down to the new year with loved ones as much as the next person, but I have really conflicted feelings about traditional resolutions. On one hand, it’s great to have goals for the future and pick a day to start putting them into action. On the other, why wait until the New Year, and why pick goals that are often wildly unsustainable? It feels like it just promotes an “all or nothing” approach, and starts the year on a disappointing note if you stumble even a little. Life happens, and many resolutions don’t give enough grace. 

Here are some resolutions I failed at this past year: 

  • Lift weights three days/week for a whole year: Close, but no cigar! 
  • Journal at least one sentence every day: Yeah, I failed at this one pretty quickly. I’m not a journal person. 
  • Knit at least three sweaters: I made a shirt, almost finished a vest, and spent a ton of money on yarn.

I have done a lot of things I’m proud of this year, so then... what has worked? An intention that I’ve held throughout the year is turning “shoulds” into setting plans into motion right away. For example, “I should host a one-time book club to discuss my favorite book” becomes “I just posted in my neighborhood Facebook page to find people who are interested and pick a date.” Or “I should finish my certification” becomes “I just set a weekly three-hour calendar block, and I won’t move it unless there’s an emergency.”

That shift in mindset reminds me a lot of what works in cybersecurity. Our industry is full of ambitious, high-level goals: “Eliminate all vulnerabilities,” “achieve zero trust,” or “stop every threat.” These aspirations are important, but the reality is that security happens in small, consistent actions: patching systems as soon as updates are available, educating teams on the latest phishing techniques, reviewing logs regularly, or simply responding quickly to a new alert.

Just like with personal resolutions, there’s often pressure in security to be perfect, to never let anything slip through the cracks. Even the organizations that have amazing budget and headcount will face challenges and setbacks, and no environment is ever perfectly secure. What matters most is how we respond in the moment, learn from what’s happened, and keep moving forward.

So as we head into 2026, whether you’re setting personal goals or planning your organization’s security strategy, consider focusing less on flawless resolutions and more on building habits that adapt to change. Celebrate the small wins, reflect on what you’ve accomplished, and don’t be afraid to pivot when things don’t go as planned. Show up every day and take that next step.

The one big thing 

Earlier today, Cisco Talos disclosed a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. UAT-7290 is tasked with gaining initial access as well as conducting espionage-focused intrusions against critical infrastructure entities in South Asia. UAT-7290's arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and SilentRaid. Our findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations before carrying out intrusions. 

Why do I care? 

UAT-7290 targets telecom and network infrastructure, which, if compromised, can have cascading impacts on national security, business operations, and customer data. Their advanced tactics, use of publicly available exploits, and ability to establish persistent footholds make detection and remediation difficult. 

So now what? 

Review and apply the latest ClamAV and Snort signatures (see the blog) to detect and block UAT-7290’s malware and activity. Audit your edge devices (especially those exposed to the internet) for signs of compromise, weak credentials, or unpatched vulnerabilities, and prioritize patching and hardening them. Make sure your incident response plans are ready to address potential intrusions involving advanced persistent threats (APTs).

Top security headlines of the week 

U.S. cyber pros plead guilty over BlackCat ransomware activity  
Two US citizens pleaded guilty to working as ALPHV/BlackCat ransomware affiliates in 2023. Along with an unnamed third conspirator, they were previously employed by security firms Sygnia and DigitalMint. (DarkReading)

European Space Agency (ESA) confirms breach after hacker offers to sell data 
The ESA has confirmed that some of its systems have been breached and is working on securing compromised devices. The hacker offered to sell 200GB of allegedly stolen data from ESA’s systems, including files from private Bitbucket repositories. (SecurityWeek)

Sophisticated ClickFix campaign targeting hospitality sector 
Fake Booking reservation cancellations and fake BSODs trick victims into executing malicious code leading to RAT infections. (SecurityWeek) (The Hacker News)

New n8n vulnerability lets authenticated users execute system commands  
It affects n8n versions from 1.0.0 up to, but not including, 2.0.0, and allows an authenticated user with permission to create or modify workflows to execute arbitrary operating system commands on the host running n8n. The issue has been addressed in version 2.0.0. (The Hacker News)

Russia-aligned hackers abuse Viber to target Ukrainian military and government 
The attack chain involves the use of Viber to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents to trick recipients into opening them. (The Hacker News)

Can’t get enough Talos? 

How Cisco Talos powers the solutions protecting your organization 
What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how. 

The TTP: Talking through a year of cyber threats, in five questions 
Hazel is joined by Nick Biasini to reflect on what stood out, what surprised them, and what didn’t in 2025. What might defenders want to think about differently heading into 2026? 

Upcoming events where you can find Talos 

  • JSAC (Jan. 21 – 23) Tokyo, Japan 
  • S4x26 (Feb. 23 – 26) Miami, FL

Most prevalent malware files from Talos telemetry over the past week 

