What happened in Vegas (that you actually want to know about)

Welcome to this week’s edition of the Threat Source newsletter. 

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.

I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts: 

  • Joe Marshall’s live incident-response exercise – Joe ran Backdoors & Breaches, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
  • Amy Chang’s AI guardrail bypass research – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “decomposition.” Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
  • Philippe Laulheret’s ReVault presentation – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.

We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

The one big thing 

Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025. 

Why do I care? 

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers. 

So now what? 

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos’ blog also provides Snort SIDs and ClamAV detections. 

Top security headlines of the week 

Russian government hackers said to be behind US federal court filing system hack 
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch)

North Korean Kimsuky hackers exposed in alleged data breach 
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group’s data and leaked it publicly online. (Bleeping Computer)

Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t. 
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches)

Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs 
The Netherlands’ National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach “critical organizations” in the country. (Bleeping Computer)

Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada 
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

BlueTeamCon (Sept. 4 – 7) Chicago, IL 

LABScon (Sept. 17 – 20) Scottsdale, AZ 

VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08 
MD5: 906282640ae3088481d19561c55025e4 
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08  
Typical Filename: AAct_x64.exe 
Claimed Product: N/A 
Detection Name: PUA.Win.Tool.Winactivator::1201

Cisco Talos Blog

Anthropic takes on OpenAI and Google with new Claude AI features designed for students and developers

Anthropic launches learning modes for Claude AI that guide users through step-by-step reasoning instead of providing direct answers, intensifying competition with OpenAI and Google in the booming AI education market.

Security News | VentureBeat

Google Photos just put all its best editing tools a tap away – here’s the shortcut

With Create, you can turn photos into videos, add 3D effects, instantly remix styles, and more.

Latest news

Blood Oxygen monitoring returns to the Apple Watch after US ban – see which models get it

Thanks to new OS updates rolling out now, you can once again use your Apple Watch to measure the oxygen level in your blood.

Latest news

This SSD gadget locks prying eyes out and makes me feel like James Bond

This SSD keeps snoopers out of your private data, securing it from anyone but you.

Latest news

I brought Samsung’s new rugged tablet on a mountain lake trek – here’s how it fared

Hot-swappable, dual batteries and a selection of physical buttons make this Samsung tablet one of the best for field work.

Latest news

AWS launches AI agent marketplace with a hackathon and $100k in prizes for developers

SuperOps and AWS have a new initiative for businesses struggling to practically implement agents.

Latest news

The HP OmniBook 5 laptop is my top pick for students and hybrid workers – and it’s $580 off now

The HP OmniBook 5 is a great choice for students or casual browsers who don’t need a super robust machine for specialized software, especially with this sale.

Latest news

How the Premier League uses AI to boost fan experiences and score new business goals

Business leaders can learn from this AI strategy that places personalized experiences at the heart of digital transformation.

Latest news

This people search site is back after a massive breach – how to remove your data from it ASAP

National Public Data’s security breach exposed the personal data of 3 billion people. Protect your privacy now – and check if other people-search sites have your information.

Latest news