Ghosted by a cybercriminal

Welcome to this week’s edition of the Threat Source newsletter. 

Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton. 

It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork. 

What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all? 

Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an actual complaint that a Conti member made about a fellow actor not showing up). 

In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They’re opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands? 

Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.  

Oof, I didn’t mean to knock freelancers there. Just, you know, those ones… 

History suggests fallouts are inevitable. Conti’s collapse, as Wired reported, started with a single angry post and spiraled into a full on leak about poor performance records: 

“I have 100 people here, half of them, even 10 percent, do not do what they need.”  

– Stern (or Demon), former Conti CEO 

LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer. 

To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?

The one big thing 

In Talos’ most recent blog post, we shared that UAT-6382, Chinese-speaking threat actors, have exploited Cityworks, a widely-used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control. 

Why do I care? 

UAT-6382 is not only exploiting this vulnerability, but they’re also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime. 

So now what? 

While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.

Top security headlines of the week 

NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch 
VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available.  (SecurityWeek) 

NIST’s ‘LEV’ Equation to Determine Likelihood a Bug Was Exploited 
The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (Dark Reading) 

Kettering Health hit by system-wide outage after ransomware attack 
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (BleepingComputer)

Can’t get enough Talos? 

• Duping Cloud Functions: An emerging serverless attack vector 
• Talos Takes: Inside the Kill Chain: Compartmentalized Threat Modeling Explained 

Upcoming events where you can find Talos 

• BotConf (May 20 – 23) Angers, France  
• Cisco Live U.S. (June 8 – 12) San Diego, CA 
• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (August 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

Cisco Talos Blog – ​Read More