Care that you share

Welcome to this week’s edition of the Threat Source newsletter.

Back in April, I wrote about the risks of unintentionally leaking information while using search engines. Since then, I’ve been thinking: Life doesn’t just happen in front of a keyboard. There’s a social side, too (or so I’m told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care that you share. 

For my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, NIS2 and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures. 

So, why emphasize “care that you share”?

Recently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats are and what the DIKW pyramid is, and then focusing on CVE, CVSS, and KEV — one of my favorite topic clusters.

To my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don’t remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects — many centered on authentication, TOTP, and SmartCards — I was genuinely impressed by their ideas and the real-world problems they were addressing. 

“Care that you share” is a mindset that helps us appreciate the knowledge exchange that happens in person, too. 

Whether sharing stories over dinner, IOCs over email, or ideas in a classroom, let’s all take a moment to consider not just what we share, but how and why we share it. I’ll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives. 

This rings especially true during busy or understaffed times, when teams are stretched thin. It’s tempting to keep things to ourselves to avoid “bothering” others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context. 

So this holiday season, care that you share. Thoughtful communication isn’t just about protecting information — it’s also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included. 

The one big thing 

Last week, Cisco Talos announced an initiative to retire outdated ClamAV signatures to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the “main.cvd” and “daily.cvd” databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management. 

Why do I care? 

Smaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures. 

So now what? 

We will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes. 

Top security headlines of the week 

Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft 
The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (The Hacker News)

FBI: Cybercriminals stole $262M by impersonating bank support teams  
Since January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (Bleeping Computer)

Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft 
The group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (HackRead)

CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users 
CISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (The Hacker News)

LINE messaging bugs open Asian users to cyber espionage 
Researchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (Dark Reading)

Can’t get enough Talos? 

Talos Takes: When you’re told “no budget” 
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn. 

Humans of Talos: On epic reads, lifelong learning, and empathy  
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals. 

The TTP: How Talos built an AI model into one of the internet’s most abused layers 
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 


Cisco Talos Blog