OpenAI increases ChatGPT user protections following wrongful death lawsuit
New guardrails provide parents with more control over their kids’ chatbot use.
Latest news – Read More

Welcome to this week’s edition of the Threat Source newsletter.
As summer retreats into the rear-view mirror, I’d like to take a moment to reflect on one of my favorite things about the cybersecurity profession: the community. Earlier this month, I attended Black Hat USA 2025 and DEF CON 33 in scalding hot Las Vegas, NV. We often refer to it as “hacker summer camp,” where all the security nerds of various stripes congregate to eat, drink, party, hack and reforge or make new bonds of fellowship with other awesome hackers. Hacker summer camp is, simply put, a whirlwind of activity, from the talks to see, villages to visit, parties to attend, and knowledge to gain. In 5 days, I think I walked almost 30 miles. By the end I was exhausted, but happy to have learned so much and seen many of my hacker friends.
For all the fun and learning you can have at summer camp, it’s a very privileged position to be able to attend. Las Vegas is not a cheap town. Hotels, flights and food — everything, really — is more expensive than average. A Black Hat badge is $1,000+, and DEF CON $500+. If you’re new to this space and early in your career, or your company doesn’t have the money to send you, the FOMO can be real. Earlier in my career, getting the opportunity to visit hacker summer camp — either with my company covering my costs or me paying out of pocket — wasn’t going to happen.
I bring this up not to flex that I went to BH/DEF CON, but to tell you that as good as those conferences are, there is so much more. Do not be daunted by what is inaccessible but know that there are other conferences out there for like-minded hackers who want to learn and share knowledge with you, wherever you are in the world. Are you in high school? I promise you there are clubs and organizations there to help you. College? There are student clubs and organizations there that will welcome you. And if you’re looking for projects and contests, there are quite a few out there. And hackathons? I got you covered, fam.
It’s also important to know that there are smaller information security conferences around the world. Perhaps the most popular and usually super local is BSides. Check them out — their website has a calendar that might have one local to you.
Infosec is as much a calling as it is a career. You were drawn to this space for a reason — and finding friends and colleagues who match your vibe is important both to grow as a human and to maintain a healthy relationship with this industry, especially one that’s notoriously capable of burning you out. We as humans are social creatures, and we need social interaction, even if it’s in limited doses (I see you, introverts). Our professions are a natural magnet to pull others into our orbit. I can tell you so many of the things that I consider personal career milestones happened because I talked with fellow security practitioners over drinks or a meal, and something truly wonderful happened.
So go find your people, lean into the things you are a total security nerd about, and enjoy the fellowship and growth. You’ll be all the better for it.
Last week, Talos shared that ransomware attacks in Japan surged by about 1.4 times in the first half of 2025, with small and medium-sized companies (especially manufacturing) being the hardest hit. The Qilin group was the most active, and a new player, “Kawa4096,” also began targeting Japanese businesses. Even though some major ransomware groups were shut down, new threats are quickly taking their place.
The ransomware landscape is always changing, and it often highlights vulnerabilities in small and mid-sized businesses in critical industries like manufacturing. With new ransomware groups like Kawa4096 emerging and techniques evolving, the risks are growing, and attackers are finding new ways to target organizations that may not have strong defenses.
While small- to mid-size manufacturing companies are the most targeted in Japan, it’s important for all businesses to stay updated on threats, invest in cybersecurity, and train their teams to spot suspicious activity. ClamAV detections are also available in the blog.
Organizations warned of exploited Git vulnerability
The US cybersecurity agency CISA on Monday warned that the flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is an arbitrary file write during the cloning of repositories with submodules that use a ‘recursive’ flag. (SecurityWeek)
CISA updates SBOM recommendations
The document is primarily meant for federal agencies, but CISA hopes businesses will also use it to push vendors for software bills of materials. (Cybersecurity Dive)
AI-powered ransomware: “PromptLock”
Although it has not yet been observed in active cyberattacks, the researchers said the PromptLock ransomware appears to be under development and nearly ready to be unleashed onto the threat landscape. (Dark Reading)
Credential harvesting campaign targets ScreenConnect cloud administrators
The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. (Cybersecurity Dive)
Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data
A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories. (TechCrunch)
Cisco Talos Blog – Read More
It’s not what you think. I just don’t want my daughter seeing YouTube. So, here’s how I lock it behind Face ID and tuck it away in a hidden folder she can’t find or open.
Latest news – Read More
The redesigned Google Finance uses AI to let you dive deeper into your finances.
Latest news – Read More
Dark Reading Confidential Episode 9: Join us for a look around today’s Dark Web, and find out how law enforcement, AI, nation-state activities, and more are reshaping the way cybercriminals conduct their dirty business online. Keith Jarvis, senior security researcher at Sophos’ Counter Threat Unit joins Dark Reading’s Alex Culafi for a conversation you don’t want to miss.
darkreading – Read More
If you love Samsung’s everything-but-the-kitchen-sink approach to software, this OneUI feature is your next deep dive.
Latest news – Read More
Anker’s new Nano Power Bank MagGo 5K Slim battery pack is sleek, simple, and super impressive.
Latest news – Read More
The company’s AI voice offerings just got several new capabilities.
Latest news – Read More
While ransomware gangs traditionally rely on deploying malware to encrypt files, a threat actor’s recent tactics show they no longer need to do that during attacks.
The Record from Recorded Future News – Read More
The definition of wasteful activity in business is vague. AI agents offer a way to overcome this challenge.
Latest news – Read More