Trick, treat, repeat

Welcome to this week’s edition of the Threat Source newsletter.
This one is pretty much an updated, Halloween-themed version of my newsletter from July, including data up through Q3.
October 14th has passed, so free support for Windows 10 has come to an end, leaving you with no more fixes unless you’re willing to pony up. While users in many countries must now pay to get Windows 10 security updates (the “trick”), private users in the European Economic Area get free security updates (the “treat”) until Oct. 14, 2026. This special reward, won after consumer rights groups pushed Microsoft to do better under EU law, means no $30 fee, no reward points, and no cloud backup needed… just a Microsoft account.
There’s another trick: The treat is for consumers, not companies, and there are some technical prerequisites (described here).
While Cybersecurity Awareness Month is coming to an end, you still have a chance to reach out to friends and family and encourage them to update their software (one of this year’s Core4 messages). Get them to enable Extended Security Updates (ESU), upgrade to Windows 11, or migrate to another OS that will continue to receive patches.
Patching is critical. In Q3, we did not run short on vulnerabilities.

With roughly 35,000 CVEs by the end of September, we are still tracking a pace of about 130 CVEs per day. If the almost-linear trend continues, we will land at roughly 47,000 for 2025. And for legal purposes, I am not challenging anyone to break the 50,000 barrier!
This is not just about theoretical vulnerabilities. Known Exploited Vulnerabilities (KEVs) are also on the rise. In comparison, the number of KEVs stayed nearly the same between 2023 and 2024, with 187 and 186, respectively.

With 183 at the end of Q3, I think it is safe to say we are going to surpass that number this year. (Spoiler: At the time of writing, there were already 210.) KEVs that affect network-related gear are up by 3% to 28%, which is not a massive increase but certainly a relevant portion. Overall, vendor diversity also continues to expand, increasing from 61 in July to 79 so far this year.

While the oldest CVE added to the catalog last time was from 2017, the third quarter set a few new negative records, with additions dating from 2007, 2013, 2014, and 2016.
While this isn’t part of our Q3 data, CVE-2025-59287 caught my attention late Friday afternoon. I didn’t expect the WSUS service to be publicly exposed to the internet, but it found its way into the KEV catalog, too.
In a pumpkin shell: Keep stalking those bugs and patching your spells, because vulnerabilities won’t patch themselves. Happy Halloween!
The one big thing
We’re introducing the Tool Talk series, where Talos shares open-source tools alongside practical insights, tips, and enhancements to help cybersecurity professionals and researchers work smarter and more effectively.
Our first post introduces dynamic binary instrumentation (DBI) and provides a step-by-step guide to building your own DBI tool using the open-source DynamoRIO framework on Windows 11. DBI lets you analyze and modify running programs — crucial for malware analysis, security audits, reverse engineering, and performance profiling — even when you don’t have the original source code. The post covers DynamoRIO’s strengths, compares it to other frameworks, and offers practical examples, including sample code from our GitHub repository.
Why do I care?
If you’re interested in malware analysis, debugging, or getting a deeper look inside how binaries behave at runtime, this blog shows you how to do all that without needing source code access. DBI tools like DynamoRIO are essential for modern security research, especially for bypassing common malware defenses and anti-analysis tricks.
So now what?
Ready to get hands-on? Follow the blog’s step-by-step instructions to build your own DBI client, test it out, and explore the example code provided. Whether you’re looking to automate malware analysis, profile software, or just tinker with low-level instrumentation, you’ll find everything you need to kickstart your own DBI projects.
Top security headlines of the week
Microsoft issues emergency patch for critical Windows Server bug
This CVE is a remote code execution (RCE) flaw in WSUS, which is part of Windows Server and allows administrators to schedule, manage, and deploy patches, hotfixes, service packs, and other updates. (DarkReading)
Shutdown sparks 85% increase in U.S. government cyberattacks
Cyberattacks against federal employees have nearly doubled since the US government shut down on Oct. 1. Experts emphasize that the most serious cyber consequences of the shutdown won’t come in the form of immediate breaches. (DarkReading)
Over 250 Magento stores hit overnight as hackers exploit new Adobe Commerce flaw
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms. (The Hacker News)
Hacking Team successor linked to malware campaign, new “Dante” commercial spyware
Kaspersky found that victims were infected through personalized phishing links exploiting a zero-day Chrome vulnerability, with the campaign targeting a broad range of Russian organizations for espionage. (CyberScoop)
Can’t get enough Talos?
- The TTP: How attackers use your own tools against you
  From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, the team unpacks Q3 trends.
- Cybersecurity on a budget: Strategies for an economic downturn
  Budget cuts and layoffs make securing an organization more difficult. This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts.
- Principles of the CIA triad, threat intel, and threat hunting
  This recorded CCNA prep session with our own Pierre Cadieux teaches you how to effectively discuss risks and threats using the CIA triad, build a solid foundation in threat intelligence, and gain insight into how threat hunting operates in today’s security landscape.
Upcoming events where you can find Talos
- BSides Osijek (Nov. 5) Osijek, Croatia
- AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia
Most prevalent malware files from Talos telemetry over the past week