The Booker Prize Longlist and Hacker Summer Camp

Welcome to this week’s edition of the Threat Source newsletter. 

This week the Booker Prize Longlist was released, and it featured several books I’ve read this year, a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why they would be included at all. It’s always exciting for me to see the Booker Longlist, as it gives me an idea of how I’ve tapped into the literary fiction zeitgeist in the first half of the year and what I may be tapping into in the back half of the year. That got me thinking about the cycle of staying up to date with the current threat landscape and the evolution of threat actor behaviors and techniques, and how Black Hat and DEF CON reside in a similar space for all of us in the cyber security space. Some of the new or interesting things that will come out will provide actionable insights; others will be a heaping serving of more of the same, and while not trivial they will be super interesting and important; and finally some information will simply be all name and sizzle, but in the end full of sound and fury and signifying nothing.

As a reader I’ve come to understand that these lists, and the authors and books included in them, are there for various reasons, and not all of them are on the merit of the narrative and the craft of writing. Early in my career it was hard to separate the things that came out of Summer Camp because I was so desperate to learn and so excited that I often couldn’t leverage my own experiences and separate the actionable from the detritus. Now I find that I don’t even have to expend much energy to move the firehose of information into the proper channels in my mind and then dive in and take what I’ve learned and apply it. I also trust that if something that seems like empty sizzle is important, I have team members who will keep me clued in and find the needles in the never-ending field of haystacks.

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones, and, most importantly, that you shower and use deodorant. Conference season is a marathon: it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.

The one big thing 

The Cisco Talos Incident Response Trends Q2 2025 report is out today, and as always it is packed with in-depth insights into recent attacker behavior. Phishing remains the top initial access vector, but interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities. Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. Education was the most targeted industry vertical this quarter.

Why do I care? 

The report contains details of how attackers are exploiting vulnerabilities and circumventing security tools. Examples include MFA deployments with self-service options that allow attackers to register their own devices. We also saw stealthy tactics in ransomware attacks, such as the use of PowerShell 1.0 (yes, the original version from 2006) in what we’re calling “bring your own binary”.

So now what? 

The report outlines actionable advice based on observed incidents, such as:

  • Proper configuration and monitoring of multi-factor authentication (MFA).
  • The importance of centralized logging.
  • Steps to harden endpoint detection and response (EDR) systems.

These insights help prioritize mitigations that directly address real-world attack techniques. Download the report today.
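As an added example (not from the Talos report or Talos tooling), here is one simple detection for the self-service MFA enrollment pattern described above: flag a device registration when it comes from an IP address the user has no established sign-in history on, which is exactly what an attacker who just signed in with phished credentials and enrolled their own device looks like. The event names, field names and the sample log are constructed assumptions, not the format of any particular identity provider.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the report), one JSON object per line.
# alice registers a device from an IP she has used for weeks; bob registers a
# device from an IP first seen ninety seconds earlier (credential-theft pattern).
SAMPLE_LOG = """
{"ts": "2025-06-20T07:55:03Z", "user": "alice", "event": "signin_success", "ip": "203.0.113.10"}
{"ts": "2025-07-10T08:02:11Z", "user": "alice", "event": "signin_success", "ip": "203.0.113.10"}
{"ts": "2025-07-10T08:05:40Z", "user": "alice", "event": "mfa_device_registered", "ip": "203.0.113.10", "method": "authenticator_app"}
{"ts": "2025-07-11T09:00:00Z", "user": "bob", "event": "signin_success", "ip": "198.51.100.7"}
{"ts": "2025-07-11T23:14:02Z", "user": "bob", "event": "signin_success", "ip": "192.0.2.55"}
{"ts": "2025-07-11T23:15:30Z", "user": "bob", "event": "mfa_device_registered", "ip": "192.0.2.55", "method": "sms"}
"""

# An IP only counts as "established" for a user after it has been seen this long.
KNOWN_IP_MIN_AGE = timedelta(days=7)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def flag_suspicious_mfa_registrations(events):
    """Return MFA registrations made from an IP without established history for that user."""
    first_seen = {}  # (user, ip) -> timestamp of the first successful sign-in
    flagged = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["event"] == "signin_success":
            first_seen.setdefault(key, e["ts"])
        elif e["event"] == "mfa_device_registered":
            # Never seen from this IP at all -> age is zero -> flagged.
            age = e["ts"] - first_seen.get(key, e["ts"])
            if age < KNOWN_IP_MIN_AGE:
                flagged.append({"user": e["user"], "ip": e["ip"],
                                "method": e.get("method"), "ts": e["ts"].isoformat()})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_mfa_registrations(parse_events(SAMPLE_LOG)):
        print("review MFA enrollment:", hit)
```

In practice the same rule can be fed from the identity provider's audit log export, and a flagged enrollment is a prompt to confirm the device with the user out of band and revoke it if unrecognised.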

Top security headlines of the week 

Journalist Discovers Google Vulnerability That Allowed People to Disappear Specific Pages From Search

By accident, journalist Jack Poulson discovered Google had completely de-listed two of his articles from its search results. “We only found it by complete coincidence,” Poulson told 404 Media. “I happened to be Googling for one of the articles, and even when I typed in the exact title in quotes it wouldn’t show up in search results anymore.” (404 Media)

ChatGPT, GenAI Tools Open to ‘Man in the Prompt’ Browser Attack

A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. (DarkReading)

Phishers Target Aviation Execs to Scam Customers

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries. (Krebs)

Can’t get enough Talos? 

We have lots of videos to share, so queue them up and let’s get learning!

Tales from the Frontlines

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. Reserve your spot.

IR Trends Q2 2025

Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy. Read more.

Beers with Talos

So You Wanna Be an Incident Commander? Meet Alex Ryan. Bill, Joe and Hazel chat with Alex about what it really takes to lead through the chaos of a cybersecurity incident, from coordinating stressed-out teams and fielding exec questions to making sure people eat. Listen here.

Upcoming events where you can find Talos 

Join us at hacker summer camp! Read our Black Hat preview here.

Most prevalent malware files from Talos telemetry over the past week  

Cisco Talos Blog – Read More

What Zuckerberg’s ‘personal superintelligence’ sales pitch leaves out

Meta CEO Mark Zuckerberg doesn’t know how superintelligence will unfold, but still wants you to trust his utopic, AI-powered vision.

Latest news – Read More

OnlyFans, Discord ClickFix-Themed Pages Spread Epsilon Red Ransomware

Beware of Epsilon Red ransomware as attackers impersonate Discord, Twitch and OnlyFans using fake verification pages with .HTA files and ActiveX to spread malware.

Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More

Should you let iOS 26 slow down your iPhone for better battery life? I tried it to find out

Apple has a new battery-saving feature, Adaptive Power, in the iOS 26 public beta. Here’s what happened when I flipped it on and went for a hike.

Latest news – Read More

The Kremlin’s Most Devious Hacking Group Is Using Russian ISPs to Plant Spyware

The FSB cyberespionage group known as Turla seems to have used its control of Russia’s network infrastructure to meddle with web traffic and trick diplomats into infecting their computers.

Security Latest – Read More

Not just YouTube: Google is using AI to guess your age based on your activity – everywhere

The new AI-powered age verification system will seemingly apply to multiple Google products and services.

Latest news – Read More

Should you buy an iPhone 16 or wait for the iPhone 17? Know this before you decide

With Apple expected to launch new iPhones in September, here’s what you should know before making your next buying decision.

Latest news – Read More

Noma Security Raises $100 Million for AI Security Platform

Noma Security has announced a Series B funding round that will enable the company’s growth and expansion of its AI agent security solutions. 

SecurityWeek – Read More

Zoomers at work: how scammers target this demographic | Kaspersky official blog

The stereotype of Gen Z as lazy, uncommitted employees averse to hard work, and prone to job-hopping is quite common. But the statistics tell a different story. Nearly half of Zoomers juggle multiple gigs: a full-time job, freelancing, and various side hustles. And cybercriminals have identified these polyworking young professionals as convenient targets.

Our experts dug into this trend and uncovered some non-obvious threats. This article explores how Gen Z can navigate their multi-job lifestyles without putting their cybersecurity at risk.

More apps, more problems

The core issue stems from the sheer number of corporate apps and accounts Gen Z has to juggle. Think about it: Zoom for one job, Slack for another, and Notion for tasks across the board. And the more applications they use, the larger the attack surface for cybercriminals. Scammers constantly send phishing emails that convincingly impersonate employers, and distribute malware disguised as business software. They can even send fake assignments, pretending to be your boss.

From mid-2024 to mid-2025, Kaspersky experts recorded six million attacks involving fake collaboration platforms. Most often, attackers imitated the “golden trio” of corporate applications: Zoom, Microsoft Excel, and Microsoft Outlook.

Here’s how it might play out: an attacker sends an email seemingly from Zoom asking you to update the app. The email contains a link that leads to a phishing site mimicking the real Zoom page. This fake site then immediately downloads a bogus application to your device. The imposter app could then steal your contacts’ data or even gain access to your entire work environment — the potential scenarios are numerous.

Phishing site urging the user to install a "Zoom update"

How scammers are deceiving job-seeking Gen Z

If you’ve ever seen a message in a neighborhood chat like, “URGENT: remote work, $60 an hour!” — it’s likely a scam. But these days scammers have grown much more sophisticated. They’re posting what look like legitimate job openings on popular job platforms, detailing the terms so thoroughly that the positions appear genuine. In reality, even the most well-crafted job posting can turn out to be completely fake.

Fake SMM job posting

Cybercriminals may even conduct fake interviews to make their schemes appear more convincing. One common form of extortion targets Gen Z through fake “interviews”, where victims are told to log out of their personal Apple ID and access a purported “company” account. If the victim complies, the scammers activate Lost Mode, effectively bricking the applicant’s iPhone. Naturally, they then demand a hefty sum to unlock it.

Freelance opportunities also deserve a close look. The search for freelance work is often less formal than traditional job hunting: all communication happens through messaging apps, and payments might even come from a client’s personal account. It’s incredibly easy to imitate this casual communication style, and scammers exploit this. In a worst-case scenario, instead of landing a new gig, you could end up with a bricked phone, malware infection, compromised personal accounts, or even losing all your money to the “client”.

It’s impossible to list every single red flag when you’re looking for a new job, but here are the main things to watch out for.

  • Urgency plus big money. If someone wants something done yesterday and is promising a ton of cash for it, you’re likely dealing with scammers.
  • Third-party payments. Stick to payment methods you trust.
  • Sign-in/sign-out requests. Be extremely wary if someone asks you to sign in or out of any accounts — especially your personal Apple ID.
  • Paid training. If they’re asking you to pay for training upfront with the promise of reimbursement later — simply ignore them.
  • Excessive personal data. Applying to be a dog walker, but they’re asking for copies of every page of your passport? No way, José.

Why Gen Z is being targeted, and how to fight back

Some companies have adopted BYOD policies, asking employees to use their personal tech for work. The problem is, these are often the same devices used for everything else: gaming, downloading files from the internet, and chatting with friends. Do we even need to say that downloading torrents on the laptop used for work is a dubious idea?

Many Gen Zers also make a costly mistake when using a large number of applications: they use one password for everything. Just a single data breach (and they happen all the time!), and cybercriminals can gain access to all your messaging apps, calendars, email clients, and other work-specific applications. Of course, coming up with and remembering complex passwords every time is a challenge. That’s why we recommend using a password manager that can generate strong, unique passwords, and securely store them for you.

What else can you do to avoid falling victim to cybercriminals while you’re job searching?

  • Boost your cybersecurity knowledge by playing Case 404.
  • Always enable two-factor authentication wherever possible. By the way, you can store your 2FA tokens in our password manager.
  • Avoid downloading apps or updates from suspicious websites.
  • Install Kaspersky Premium on your personal devices. This application can prevent you from opening phishing links, and significantly improve your personal security.

Cybersecurity cheat-sheet for polyworkers:

Kaspersky official blog – Read More

Browser Extensions Can Exploit ChatGPT, Gemini in ‘Man in the Prompt’ Attack

Man in the Prompt attack shows how browser extensions can exploit ChatGPT, Gemini and other AI tools to steal data or inject hidden prompts.

Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More