Family group chats: Your (very last) line of cyber defense
Welcome to this week’s edition of the Threat Source newsletter, and happy Cybersecurity Awareness Month.
Like everyone under the age of 35 who has at least one father, my dad sends me advice on online safety at least once a week. Does he work in information security? No. He’s a recently retired high school audio engineering teacher, who now spends his days touring with a yacht rock cover band and building guitars. But throughout his life, he’s been a true Renaissance man. From playing trombone on a Bruce Springsteen tour to building our backyard deck, to Roth IRA advice, to the history of Bell Labs, the breadth of his knowledge astounds me. I actually called him last week to find out just how long I can drive my car before taking it to the mechanic to get the oxygen sensor fixed.
There is one area where I think I have him beat: cybersecurity. Not by a lot, but I think working in Talos has given me an edge — or, at least, access to people who can tell me how worried I should be about an issue that Facebook is having a field day with.
Still, that doesn’t stop him from sending me a steady stream of headlines and warnings. Here are just a few that my dad has sent me:
- Jan. 31, 2024: An NBC news clip of former FBI Director Christopher Wray disclosing alarming hacking threats to critical U.S. infrastructure, also mentioning the takedown of Volt Typhoon.
- Sept. 19, 2024: An article explaining that if you’re shopping online and your credit card gets declined, you may be getting scammed.
- May 1, 2025: A video warning that “QR codes in mystery packages could steal your identity.”
- June 22, 2025: This video about hidden watermarks embedded in AI-generated content. Not nearly as menacing as the others (unless you’re a college student trying to coast), but it is fascinating. This article gives a deeper understanding.
Even without deep investigation, these headlines reveal a lot about how cybersecurity anxieties are shared and amplified on social media. It’s a cycle that’s probably familiar to a lot of us: technology keeps evolving, but the impulse to protect each other never really changes. Whether you’re the IT help desk for your family or the one receiving those late-night warnings (or both), every message is a chance to share knowledge, calm fears, and help each other navigate a world that’s always shifting under our feet.
So, the next time your dad (or mom, or aunt, or grandma) sends you a link that sounds a little far-fetched, take a moment to appreciate the intent behind it. They might not always get the details right, but their concern is real. In its own way, that’s another layer of security.
Breathe in, let it out, and let’s dive in.
The one big thing
Cisco Talos has uncovered a Chinese-speaking cybercrime group, tracked as UAT-8099, that is compromising reputable Microsoft Internet Information Services (IIS) servers in countries including India, Thailand, Vietnam, Canada and Brazil. Its main goals are to manipulate search results for profit and to steal sensitive data such as credentials and certificates, often using advanced tools and custom malware to avoid detection. The group maintains long-term access to these servers and locks other attackers out of them.
Why do I care?
Cybercriminals are evolving to target trusted infrastructure for both financial gain and deeper access to valuable data. The use of automation, custom malware, and persistence techniques in this campaign shows UAT-8099 can impact a wide range of organizations.
So now what?
Review IIS servers for signs of the BadIIS malware, which is installed as a native IIS module, for unauthorized web shells, and for suspicious RDP or VPN activity. Also harden the servers, monitor for unusual traffic, and share indicators of compromise (IOCs) with the security community to help prevent further attacks.
Top security headlines of the week
CISA 2015 cyber threat info-sharing law lapses amid government shutdown
Defenders have lost the liability protection the law gave to sharing threat information, and the government has lost a lot of visibility into threats emerging across the private sector. (CSO)
Cyberattack on JLR prompts £1.5B UK government intervention
The announcement Sunday says that the support package is meant to “give certainty to its supply chain following a recent cyber-attack.” Some experts believe the bailout will encourage cybercriminals to continue targeting UK companies with weak cybersecurity. (Security Week)
Neon pays users to record their phone calls and sells data to AI firms
Unbelievably, this app was spotted in the No. 2 spot in Apple’s U.S. App Store’s Social Networking section. Their marketing claims to only record your side of the call unless it’s with another Neon user. (TechCrunch)
“Klopatra” trojan makes bank transfers while you sleep
A sophisticated new banking trojan that is hard to detect and capable of stealing large sums has infected thousands of people in Italy and Spain under the guise of a pirate streaming app. (Dark Reading)
Can’t get enough Talos?
Talos Takes: You can’t patch burnout
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense.
The TTP: Threat Hunter’s Cookbook
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply.
Engaging Cisco Talos Incident Response
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements.
Upcoming events where you can find Talos
- Wild West Hackin’ Fest (Oct. 8 – 10) Deadwood, SD
- DEEP Conference (Oct. 22 – 23) Petrčane, Croatia
Most prevalent malware files from Talos telemetry over the past week
SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: VID001.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG
SHA256: 3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec
MD5: 5b7948e7ca9742a33be8403b3285a1aa
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec
Example Filename: onestart.exe
Detection Name: W32.3D8EEB6DF4-95.SBX.TG
SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
MD5: bf9672ec85283fdf002d83662f0b08b7
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
Example Filename: f_04b985.html
Detection Name: W32.C0AD494457-95.SBX.TG