18 matches found
EUVD-2024-32082
Malicious code in bioql PyPI...
How ToddyCat tried to hide behind AV software
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals...
CVE-2025-27665
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 / Application 20.0.1923 allows Insufficient Antivirus Protection, and thus drivers can have known malicious code. OVE-20230524-0009...
Ghidra data type archive for Windows driver functions
While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly. This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers. Thankfully,...
The 2024 Threat Landscape State of Play
As we head into the final furlong of 2024, we caught up with Talos' Head of Outreach Nick Biasini to ask him what sort of year it's been so far in the threat landscape. In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been...
Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more
This blog post is part of a multi-part series, and it is highly recommended to read the first entry here before continuing. As the second entry in our "Exploring malicious Windows drivers" series, we will continue where the first left off: discussing the I/O system and IRPs. We will expand on the...
CVE-2024-3496
Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL...
CVE-2024-3496
CVE-2024-3496 is an authentication-bypass flaw affecting Toshiba e-STUDIO multifunction printers. Public sources in the connected documents describe a vulnerability where network-adjacent attackers can bypass web login authentication, gaining access to system information and the ability to upload...
CVE-2024-3496 Authentication Bypass Vulnerability
Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL...
Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous...
Scattered Spider: The Modus Operandi
Scattered Spider: The Modus Operandi. By Trellix · August 17, 2023. This story was also written by Phelix Oluoch. Executive Summary: Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022...
Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. Actors are leveraging multiple open-source tools that alter the signing date of kernel mode...
Guidance on Microsoft Signed Drivers Being Used Maliciously
Executive Summary: Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the...
LOLDrivers
LOLDrivers - Living Off The Land Drivers 🚗💨 ...
Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems
Microsoft on Tuesday disclosed it took steps to implement blocking protections and suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program. The tech giant said its investigation revealed the activity was restricted to a number of...
Guidance on Microsoft Signed Drivers Being Used Maliciously
Executive Summary: Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Microsoft has completed its investigation and determined that the activity was limited to the abuse of several...
Stuxnet Worm Detection
The remote Windows host has files present on the system that indicate the Stuxnet worm has infected the system. This worm attempts to spread in several ways, making use of known Windows vulnerabilities and removable media. It has been seen making use of several 0-day vulnerabilities as well as...