Look, no patches! Why Chainguard OS might be the most secure Linux ever

A secure container company listens to several top Linux maintainers on how to build the most secure Linux distro possible. The result: Chainguard OS.

Source: Latest stories for ZDNET in Security

Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware

Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials.
“These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection,” Microsoft said in a report shared with The

Source: The Hacker News

US, Australia, Canada warn of ‘fast flux’ scheme used by ransomware gangs

Ransomware gangs and Russian government hackers are increasingly turning to an old tactic called “fast flux” to hide the location of infrastructure used in cyberattacks.

Source: The Record from Recorded Future News

Hacker Claims Twilio’s SendGrid Data Breach, Selling 848,000 Records

A hacker, previously linked to the Tracelo breach, now claims to have breached Twilio’s SendGrid, leaking and selling data on 848,000 customers, including contact and company info.

Source: Hackread

Chinese APT Pounces on Misdiagnosed RCE in Ivanti VPN Appliances

Ivanti misdiagnoses a remote code execution vulnerability and Mandiant reports that Chinese hackers are launching in-the-wild exploits.

The post Chinese APT Pounces on Misdiagnosed RCE in Ivanti VPN Appliances appeared first on SecurityWeek.

Source: SecurityWeek

One mighty fine-looking report


Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had Starry Night, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There’s more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f*****s.” Part 2 is coming out tomorrow, April 4th.

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

  • Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
  • Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
  • Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

The one big thing 

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

Why do I care? 

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

So now what? 

Ways our customers can detect and block this threat are listed in this dedicated blog post.

Top security headlines of the week

Gootloader Malware Resurfaces in Google Ads for Legal Docs: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading)

UK threatens £100K-a-day fines under new cyber bill: The tech secretary revealed the landmark legislation’s full details for the first time. (The Register)

Hacker linked to Oracle Cloud intrusion threatens to sell stolen data: The alleged breach was linked to a critical vulnerability. (Cybersecurity Dive)

WordPress attackers hide malware in overlooked plugins directory: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

Can’t get enough Talos? 

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

Upcoming events where you can find Talos

Most prevalent malware files from Talos telemetry over the past week


Source: Cisco Talos Blog

This sneaky Android spyware needs a password to uninstall. Here’s how to remove it without one.

A simple trick can remove malicious Android spyware apps that require a password to uninstall.

Source: Security News | TechCrunch

Hackers Exploit Stripe API for Web Skimming Card Theft on Online Stores

Cybersecurity researchers at Jscrambler have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…

Source: Hackread

Halo ITSM Vulnerability Exposed Organizations to Remote Hacking

An unauthenticated SQL injection vulnerability in Halo ITSM could have been exploited to read, modify, or insert data.

The post Halo ITSM Vulnerability Exposed Organizations to Remote Hacking appeared first on SecurityWeek.

Source: SecurityWeek

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Jacksonville, United States, 3rd April 2025, CyberNewsWire

Source: Hackread