2032 matches found
Catan and Mouse
Welcome to this week's edition of the Threat Source newsletter. " I do not know everything; still many things I understand." ― Madeleine L'Engle, A Wrinkle in Time " Don't try to comprehend with your mind. Your minds are very limited. Use your intuition." ― Madeleine L'Engle, A Wind in the Door T...
Martin Lee: Running through the Arctic (and the threat landscape)
Ever wonder how someone goes from studying human viruses to leading cybersecurity teams? In this Humans of Talos, we're joined by Martin Lee, EMEA Lead, to talk about his journey into the industry. Martin takes us back to the early days of the internet, explaining how he made the leap from academ...
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
Cisco Talos identified a fully-featured phishing-as-a-service PhaaS operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026. The ARToken panel exposes 80+ API endpoints for...
Beyond IOCs: AI-enabled threat intelligence
Welcome to this week's Threat Source newsletter. The issue of AI in cybersecurity is often portrayed as a binary choice: either a force multiplier for our adversaries, or a tool bringing professional obsolescence. The reality is more nuanced. While AI certainly brings some advantage to attackers,...
Introduction to COM usage by Windows threats
Component Object Model COM is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors. Malware frequently uses COM interfaces for...
Close Encounters of the Human Kind
Welcome to this week's Threat Source newsletter. I love a Spielberg summer. His ability to imbue a sense of wonder, awe, curiosity, and connection means he's in a league of his own. Granted, I haven't felt that from him in a while, but when he hits? Oof. I feel like I need somebody to reach acros...
Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model
Analysis tools do not need AI built in to support agentic workflows; they simply need to expose their data through an external scripting interface. Even traditional graphical user interface GUI applications can be made AI-accessible by publishing their internal object models, allowing agents to...
A tale of two eras
Welcome to this week's edition of the Threat Source newsletter. To the surprise of absolutely no one who has seen my face, I'm one of the younger employees at Talos. As my industry veteran colleagues were buying the first iPods, navigating the switch from dial-up to broadband, saying goodbye to...
Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as "critical". Out of 32 "critical" entries, 28 are remote code execution RCE vulnerabilities in Microsoft Windows services and...
Reporting from Vegas: Networking, AI, and good boys
Welcome to this week's edition of the Threat Source newsletter. Howdy friends, and hello from Cisco Live U.S., here in sunny and very hot Las Vegas! An interesting quirk of being sent to one of these events is you learn to understand your limits as a person. Cisco Live is a three-day event, and i...
Winning the cyber marathon with Tony Giandomenico
In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins me to discuss how he balances the intensity of leading major product launches with the...
Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting
By Ron Scott-Adams Most security tools operate on a simple principle: If a known-bad pattern appears, fire an alert. This works well enough for many threats, but it fails against adversaries who closely study detection thresholds and deliberately stay under them. Cisco Talos Threat Hunting operat...
Less panic patching, more precision
Welcome to this week's edition of the Threat Source newsletter. Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I've been chewing on that one for a while because I'm rethinking my own enrichment pipelines along these lines, and the...
DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap
Over the last decade, DICOM parsing has become an active research topic. The reason is simple: DICOM is both critical and complicated. Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. That means malformed data could directly...
MediaArea heap-based buffer overflow vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed four vulnerabilities in MediaArea MediaInfoLib library. The vulnerabilities mentioned in this blog post have been patched by their respective vendor, in adherence to Cisco 's third-party vulnerability disclosure policy. For...
Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake
Security teams need high-quality, labeled datasets to train threat hunters and incident responders, validate detection logic, and develop robust analytic models. EvidenceForge helps teams overcome the limitations of anonymized or stale public datasets, while avoiding the cost and complexity of...
The art of being ungovernable
Welcome to this week's edition of the Threat Source newsletter. " It takes very little to govern good people. Very little. And bad people can't be governed at all. Or if they could, I never heard of it." ― Cormac McCarthy, No Country for Old Men Most of my career has been built on dichotomy:...
TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco 's...
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Cisco Talos has uncovered a BadIIS variant -- identifiable by its embedded "demo.pdb" strings -- that functions as commodity malware. This variant is likely sold or shared among multiple Chinese-speaking cybercrime groups that operate under a malware-as-a-service MaaS model for continuous...
The time of much patching is coming
Welcome to this week's edition of the Threat Source newsletter. Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that software engineering is hard. Identifying and fixing bugs before...
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Successful exploitation of CVE-2026-20182 allows an unauthenticated,...
Breaking things to keep them safe with Philippe Laulheret
In the latest Humans of Talos, Amy sits down with Senior Vulnerability Researcher Philippe Laulheret to demystify the world of ethical hacking. Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzl...
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
By Jaeson Schultz Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as "critical". In this month's release, Microsoft has not observed any of the included vulnerabilities being...
State-sponsored actors, better known as the friends you don’t want
State-sponsored actors don't break in. They log in, and they use your own tools to stay invisible for months. Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. From logging and baselines to OT segmentation and suppl...
Unplug your way to better code
Welcome to this week's edition of the Threat Source newsletter. Hey, you. Yeah, you! The person endlessly scrolling or typing away at their computer. Did you touch grass today? It's just an expression, but if nature's your thing, that works just fine. What I do mean is that due to the nature of t...
Insights into the clustering and reuse of phone numbers in scam emails
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise IOC. In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. According to Talos' observations, the ease of API-driven...
UAT-8302 and its box full of malware
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat APT group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. After successful compromises, UAT-8302 deploys multiple custom-made...
CloudZ RAT potentially steals OTP messages using Pheno plugin
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool RAT and a previously undocumented plugin called "Pheno." According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of...
Great responsibility, without great power
Welcome to this week's edition of the Threat Source newsletter. As I'm writing this, today April 28 is International Superhero Day. If you don't know the origin story behind this, perhaps you would assume that this day was dreamed up by Marvel. And… you would be correct. However, it's not a pure...
AI-powered honeypots: Turning the tables on malicious AI agents
Generative AI allows defenders to instantly create diverse honeypots, like Linux shells or Internet of Things IoT devices, using simple text prompts. This makes deploying complex, convincing deceptive environments much easier and more scalable than traditional methods. AI-driven attacks often...
Five defender priorities from the Talos Year in Review
A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures -- all without code. One such case was recently...
It pays to be a forever student
Welcome to this week's edition of the Threat Source newsletter. If I haven't said it in a newsletter before, I'll say it now: If you want to be good at cybersecurity, be a forever student. Cultivating and feeding your desire to know how things work is one of the key ingredients to being a hacker...
UAT-4356's Targeting of Cisco Firepower Devices
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices' Firepower eXtensible Operating System FXOS. UAT-4356 exploited n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices, where the threat actor deployed their...
IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025. Public administration and health care tied as the most targeted...
[Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025
!\Podcast\ It's not you, it's your printer: State-sponsored and phishing threats in 2025https://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/images/2026/04/YiR2025cover2x1-2-1.jpg In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in...
Phishing and MFA exploitation: Targeting the keys to the kingdom
In 2025, attackers increasingly targeted weaknesses in multi-factor authentication MFA workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations. Phishi...
Bad Apples: Weaponizing native macOS primitives for movement and execution
As macOS adoption grows among developers and DevOps, it has become a high value target; however, native "living-off-the-land" LOTL techniques for the platform remain significantly under-documented compared to Windows. Adversaries can bypass security controls by repurposing native features like...
Foxit, LibRaw vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco 's third-party vulnerability...
The Q1 vulnerability pulse
Welcome to this week's edition of the Threat Source newsletter. The first quarter of 2026 passed faster than a misconfigured firewall rule gets exploited -- and the last few weeks have been firmly stamped with the "software supply chain compromise" label, with headlines surrounding incidents...
PowMix botnet targets Czech workforce
Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call "PowMix." PowMix employs randomized command-and-control C2 beaconing intervals, rather than persistent...
More than pretty pictures: Wendy Bishop on visual storytelling in tech
In this episode of Humans of Talos, Amy sits down with Wendy Bishop, Head of Creative, to explore the vital role of design in the world of cybersecurity. From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy shares the unique challenges and rewards...
The n8n n8mare: How threat actors are misusing AI workflow automation
Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026. In this blog, Talos provides concrete examples of how...
Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities
Microsoft has released its monthly security update for April 2026, which includes 165 vulnerabilities affecting a wide range of products, including eight Microsoft marked as "critical." CVE-2026-23666 is a critical Denial of Service DoS vulnerability that affects the .NET framework. Successful...
State-sponsored threats: Different objectives, similar access paths
Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence. But when you look at how these operations actually unfold, similar tactics,...
[Video] The TTP Ep. 22: The Collapse of the Patch Window
!\Video\ The TTP Ep. 22: The Collapse of the Patch Windowhttps://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/images/2026/04/YiR2025cover2x1-3.jpg One of the clearest trends in the 2025 Talos Year in Review is just how quickly vulnerabilities are now being turned into...
The threat hunter’s gambit
Welcome to this week's edition of the Threat Source newsletter. " Study hard what interests you the most in the most undisciplined, irreverent and original manner possible." ― Richard Feynman " I had discovered that learning something, no matter how complex, wasn't hard when I had a reason to wan...
From the field to the report and back again: How incident responders can use the Year in Review
Every year, Cisco Talos publishes Year in Review, a comprehensive look at the previous year's threat landscape. It's drawn from an enormous volume of telemetry, such as endpoint detections, network traffic, email data, and boots-on-the-ground Cisco Talos Incident Response Talos IR engagements. As...
New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations NGOs and suspected universities to deliver a newly identified malware family, "LucidRook." LucidRook is a sophisticated stager that embeds a Lua...
Talos Takes: 2025's ransomware trends and zombie vulnerabilities
Join Amy and Pierre Cadieux as they unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy living-off-the-land tactics, we break down what these shifts mean for your defense strategy. Why...
The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines
By Diana Brown Cisco Talos has recently observed an increase in activity that is leveraging notification pipelines in popular collaboration platforms to deliver spam and phishing emails. These emails are transmitted using the legitimate mail delivery infrastructure associated with GitHub and Jira...