2032 matches found
Year in Review: Vulnerabilities old and new and something React2
Speed and age shouldn't be allowed to pair up, but that is the theme of the Talos 2025 Year in Review vulnerability findings. Figure 1. React/React2Shell 2025 at the top, with PHPUnit 2017 and Log4j 2021 following up. The year was characterized by an unending beat-down on infrastructure that reli...
Do not get high(jacked) off your own supply (chain)
In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. Prominent examples include the malicious modification of Axios, a popular HTTP client library for JavaScript, as well as cascading compromises from TeamPCP, a "chaos-as-a-service" group that injected...
Axios NPM supply chain incident
Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager npm package during which two malicious versions v1.14.1 and v0.30.4 were deployed. Axios is one of the more popular JavaScript libraries with as many as 100 million downloads pe...
The democratisation of business email compromise fraud
Welcome to this week's edition of the Threat Source newsletter. Last weekend, I witnessed a crime. Not a notable crime that you might read about in the press, but an unremarkable fraud attempt that nevertheless illustrates how new threat actor capabilities are emerging. I imagine that most people...
[Video] The TTP Ep 21: When Attackers Become Trusted Users
!\Video\ The TTP Ep 21: When Attackers Become Trusted Usershttps://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/images/2026/04/YiR2025cover2x1.jpg In this episode of the Talos Threat Perspective, we explore how identity is being used to gain, extend, and maintain access...
UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications
Cisco Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we are tracking as "UAT-10608." Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted ...
Qilin EDR killer infection chain
Endpoint detection and response EDR tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. Disabling telemetry collection process, memory, network activity limits what defenders can see and analyze. As defenders...
Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders
Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground. To unpack the biggest takeaways and what they mean for...
An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases
In 2025, a total of 134 ransomware incidents were reported in Japan, marking a 17.5% increase compared to 2024. Among these, 22 incidents were attributed to Qilin, representing 16.4% of the total. In 2025, Qilin ransomware was highly active. Looking ahead to 2026, unless there is significant...
Ransomware in 2025: Blending in is the strategy
Ransomware attacks aren't smash-and-grab anymore. They're built on access that already looks legitimate -- closer to positioning chess pieces than breaking the door down. That's the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial...
TP-Link, Canva, HikVision vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco 's third-party vulnerability...
A puppet made me cry and all I got was this t-shirt
Welcome to this week's edition of the Threat Source newsletter. Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited "Project Hail Mary" movie adaptation. I read and cried over the book by Andy Weir, who's also the author o...
Talos Takes: 2025 insights from Talos and Splunk
In this episode of Talos Takes, Amy is joined by William Largent Cisco Talos and Lou Stella Splunk for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we're breaking down the most critical trends that...
Beers with Talos breaks down the 2025 Talos Year in Review
The Beers with Talos B team that's Hazel, Bill, Joe and Dave break down sometimes in the literal sense the 2025 Talos Year in Review which is available now. The team dives into the biggest cybersecurity trends of the year, including: The rapid weaponization of new vulnerabilities Why identity abu...
2025 Talos Year in Review: Speed, scale, and staying power
The 2025 Talos Year in Review is now available to view online. The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics,...
You have to invite them in
Welcome to this week's edition of the Threat Source newsletter. I found myself watching the Oscars ceremony in its entirety for the first time in a few years. I'm in the U.K., so I watched it the following day. With next week's Year in Review launch looming and several pieces of content still to...
Everyday tools, extraordinary crimes: the ransomware exfiltration playbook
Data exfiltration activity increasingly leverages legitimate native utilities, commonly deployed third-party tools, and cloud service clients, reducing the effectiveness of static indicators of compromise IOCs and tool-based blocking strategies. The Exfiltration Framework systematically normalize...
Transparent COM instrumentation for malware analysis
COM automation is a core Windows technology that allows code to access external functionality through well-defined interfaces. It is similar to traditionally loading a DLL, but is class-based rather than function-based. Many advanced Windows capabilities are exposed through COM, such as Windows...
This one’s for you, Mom
Welcome to this week's edition of the Threat Source newsletter. I am the product of a single parent, my mom, who along with my grandparents helped raise me into the man I am today. I cannot fathom what it took for my mom, who worked three jobs to put herself through college to be a teacher, to...
DirectX, OpenFOAM, Libbiosig vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX. The vulnerabilities mentioned in this blog post have been patched by their respective...
Agentic AI security: Why you need to know about autonomous agents now
Agentic AI is making headlines worldwide for its potential force-multiplying capabilities, and organizations are understandably intrigued by how it can improve throughput and capabilities. However, as with any technological revolution, unforeseen issues are inevitable, and agentic AI is no...
Spinning complex ideas into clear docs with Kri Dontje
Welcome back! This week, we're shining a spotlight on Kri Dontje, a technical writer who's become an essential voice in making Cisco Talos' work understandable for a wide audience. With a background in technical communications and a career that began at a small startup, Kri discusses the importan...
Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for March 2026 which includes 79 vulnerabilities, including three that Microsoft marked as "critical." The remaining vulnerabilities listed are classified as "important." Microsoft assessed that exploitation of the three "critical" vulnerabilitie...
Patch, track, repeat: The 2025 CVE retrospective
Welcome to this week's edition of the Threat Source newsletter. It's time to look back at a year that pushed the vulnerability landscape to new heights. I'll admit this retrospective is arriving a bit later than planned. With 48,196 CVEs in 2025 a stunning 132 vulnerabilities per day, the analysi...
UAT-9244 targets South American telecommunication providers with three new malware implants
Cisco Talos is disclosing UAT-9244, who we assess with high confidence is a China-nexus advanced persistent threat APT actor closely associated with Famous Sparrow. Since 2024, UAT-9244 has targeted critical telecommunications infrastructure, including Windows and Linux-based endpoints and edge...
Update, March 13: Talos on the developing situation in the Middle East
Update history Date | Description of updates ---|--- March 13, 2026 | Talos' assessment of the cyber attack on Stryker and the elevated threat landscape. Key findings and background on Handala, the Iranian-linked threat group. March 10, 2026 | Updated guidance and recommendations, IOCs, and...
Henry IV, Hotspur, Hal, and hallucinations
Welcome to this week's edition of the Threat Source newsletter. " 'Tis dangerous to take a cold, to sleep, to drink; but I tell you, my lord fool, out of this nettle, danger, we pluck this flower, safety." - Hotspur, Shakespeare's Henry IV, Part 1: Act 2 Scene 3 I get it. Hotspur is the...
New Dohdoor malware campaign targets education and health care
Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as "UAT-10027," delivering a previously undisclosed backdoor dubbed "Dohdoor." Dohdoor utilizes the DNS-over-HTTPS DoH technique for command-and-control C2 communications and h...
Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request...
Using AI to defeat AI
Welcome to this week's edition of the Threat Source newsletter. Generative AI and agentic AI are here to stay. Although I believe that the advantages that AI brings to bad guys may be overstated, these new technologies allow threat actors to conduct attacks at a faster rate than before. One...
“Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities
A Cisco Talos researcher worked around the limitations of hardware-level Code Read-out Protection RDP on the Socomec DIRIS M-70 gateway by pivoting from physical debugging to a "good enough" emulation approach. By focusing on emulating only the single thread responsible for Modbus protocol handli...
Hand over the keys for Shannon’s shenanigans
Welcome to this week's edition of the Threat Source newsletter. Last week, yet another security AI tool made the rounds on social media: Shannon, a fully autonomous AI penetration testing tool created by Keygraph. It "autonomously hunts for attack vectors in your code, then uses its built-in...
Ryan Liles, master of technical diplomacy
Cisco Talos is back with another inside look at the people who keep the internet safe. This time, Amy chats with Ryan Liles, who bridges the gap between Cisco's product teams and the third-party testing labs that put Cisco products through their paces. Ryan pulls back the curtain on the delicate...
New threat actor, UAT-9921, leverages VoidLink framework in campaigns
Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink. The VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks, which can create tools on-demand f...
Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for February 2026, which includes 59 vulnerabilities affecting a range of products, including two that Microsoft marked as "Critical". CVE-2026-21522 is a critical elevation of privilege vulnerability affecting Microsoft ACI Confidential...
All gas, no brakes: Time to come to AI church
Welcome to this week's edition of the Threat Source newsletter. Brothers and sisters, gather close for a moment. We are all security followers here gathered in fellowship and community, with one joyful spirit to fight the good fight and do good out there in the security world. It is with that...
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Cisco Talos uncovered "DKnife," a fully featured gateway-monitoring and adversary-in-the-middle AitM framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Based on the artifact metadata, DKnife ha...
I'm locked in!
Welcome to this week's edition of the Threat Source newsletter. I've struggled a lot over the last few years with balance. I want to follow the news closely, but at the same time, I want to block everything out for self-preservation. Add in the fact that I love history and I'm an empath, and you'...
Microsoft releases update to address zero-day vulnerability in Microsoft Office
Microsoft has published three out-of-band OOB updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. Additional OOB updates have been published to resolve operational...
Dissecting UAT-8099: New persistence mechanisms and regional focus
Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services IIS servers across Asia with a specific focus on victims in Thailand and Vietnam. Analysis confirms significant operational overlaps between this...
IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations
Threat actors predominately exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response Talos IR engagements -- a notable decrease from over 60 percent last quarter, when engagements involving ToolShell...
I scan, you scan, we all scan for... knowledge?
Welcome to this week's edition of the Threat Source newsletter. " Upon us all a little rain must fall" -- Led Zeppelin, via Henry Wadsworth Longfellow I recently bumped into a colleague with whom I spent several years working in an MSSP environment. We had very different roles within the...
Foxit, Epic Games Store, MedDreams vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco...
Predicting 2026
Welcome to this week's edition of the Threat Source newsletter. It's become traditional at this time of year to make predictions about cybersecurity for the coming year. Obviously, no one has a crystal ball to predict the future, and if they did, they would be quietly making a fortune rather than...
UAT-8837 targets critical infrastructure sectors in North America
Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat APT actor based on overlaps in tactics, techniques, and procedures TTPs with those of other known China-nexus threat actors. Based on UAT-8837's TTPs and...
Brushstrokes and breaches with Terryn Valikodath
Cisco Talos is kicking off the new year with a behind-the-scenes look at incident response through the eyes of Terryn Valikodath, Senior Incident Response Consultant at Talos. In this episode, Amy sits down with Terryn to explore the realities of a job that blends technical know-how with...
Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as "critical". In this month's release, Microsoft observed one of the included "important" vulnerabilities, CVE-2026-20805, as...
Resolutions, shmesolutions (and what’s actually worked for me)
Welcome to this week's edition of the Threat Source newsletter. I went to bed at 8:30 p.m. on New Year's Eve, and I think that's pretty indicative of how I approach the whole idea of New Year's resolutions. I love to count down to the new year with loved ones as much as the next person, but I hav...
UAT-7290 targets high value telecommunications infrastructure in South Asia
Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. UAT-7290 is tasked with gaining initial access as well as conducting espionage focused intrusions against critical infrastructure entities in South Asia. UAT-7290's arsenal includ...
How Cisco Talos powers the solutions protecting your organization
Cisco Talos is Cisco's threat intelligence and security research organization that powers Cisco's product portfolio with that intelligence. While we are well known for the security research in our blog, vulnerability discoveries, and our open-source software, you may not be aware of exactly how o...