I’m locked in!

Welcome to this week’s edition of the Threat Source newsletter.

I’ve struggled a lot over the last few years with balance. I want to follow the news closely, but at the same time, I want to block everything out for self-preservation. 

Add in the fact that I love history and I’m an empath, and you’ve got a lovely concoction of feeling things intensely, mixed with echoes of “Haven’t we been here before?” Following the news means I’m always feeding both sides of my brain — the need for context, and the feeling of being overwhelmed.  

At times like these, I have to remind myself that caring isn’t a flaw, and neither is paying attention. 

History has had its bleak moments, of course, but it’s also full of stories about humanity and resilience. And, just as importantly, wonderful bouts of weirdness. Even in some of humanity’s darkest periods, people have still found ways to endure, show up for one another, and be strange. Creativity and humour don’t disappear during difficult times, and nor should they.  

So this week, I’m acknowledging how hard all of this feels. But I’m also giving myself permission to be a little distracted. 

If this resonates with you, may I suggest partaking in an episode of the U.K. TV show Taskmaster? It’s a simple premise: Five comedians are given a series of strange and deceptively complex tasks to impress the Taskmaster, U.K. comedian Greg Davies.

Some of my favourite tasks have included: 

  • Paint a picture of a horse while riding a horse. 
  • Find out this stranger’s profession, but they are only allowed to lie. 
  • Do the most preposterous thing with a chickpea. 
  • Destroy a cake as beautifully as possible. 
  • Create a watercooler moment with a watercooler.

It sounds like a recipe for schadenfreude, but it isn’t. The show is designed to give funny people the space to be funny and human. You don’t watch hoping anyone fails — you actually end up rooting for them.  

In a recent series, comedians Stevie Martin and Jason Mantzoukas worked together on a task that involved moving a ball through the spokes of a railing using only wooden spoons. Every time they were about to move from one section to the next, they would shout, “I’m locked in!” It was joyful and tense at the same time, like watching a penalty shootout for a team you’ve supported your whole life. People now have tattoos of “I’m locked in!” 

I don’t know about you, but this week I’ve needed the reminder that people can still be creative, supportive, and ridiculous — even under pressure. 

What’s that? This is a security newsletter? Oh right. Here’s what we’ve been talking about this week:

The one big thing

Cisco Talos Incident Response’s report for Q4 2025 is now available. Exploitation of public-facing applications remained the top method of initial access, though its share fell from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further attacks inside the victim network. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin still the most prevalent ransomware family.

Why do I care?

Attackers are quickly leveraging both newly disclosed and older vulnerabilities in internet-facing applications, underscoring the need for rapid patching and minimizing exposure. The increase in targeted phishing and MFA abuse demonstrates that adversaries are adapting their techniques to bypass common security controls. Public administration and under-resourced sectors remain highly attractive targets due to legacy systems and sensitive data.

So now what?

Security teams should focus on patching systems promptly, making sure MFA is well-configured and monitored, and keeping detailed logs to spot and investigate suspicious activity. Acting quickly and working closely with incident response experts can help limit the damage if an attack occurs. Read the blog for further recommendations.
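One concrete way to "monitor MFA", added here as an example and not taken from the Talos report or this newsletter: scan identity-provider push events for prompt bombing, where an attacker holding phished credentials fires MFA pushes until the user taps approve. The JSON-lines log format, the field names (ts, user, event, src_ip), the event names and the threshold/window are all assumptions; the sample log is constructed, not real telemetry.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). JSON lines with the fields
# ts/user/event/src_ip are an assumption about the IdP export; map your
# provider's field names onto these.
SAMPLE_LOG = """\
{"ts": "2026-01-20T08:02:11Z", "user": "alice", "event": "push_approved", "src_ip": "203.0.113.10"}
{"ts": "2026-01-20T09:00:00Z", "user": "carol", "event": "push_denied",   "src_ip": "203.0.113.44"}
{"ts": "2026-01-20T10:30:00Z", "user": "carol", "event": "push_denied",   "src_ip": "203.0.113.44"}
{"ts": "2026-01-20T22:15:02Z", "user": "bob",   "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-20T22:16:40Z", "user": "bob",   "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-20T22:18:05Z", "user": "bob",   "event": "push_timeout",  "src_ip": "198.51.100.7"}
{"ts": "2026-01-20T22:20:31Z", "user": "bob",   "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-20T22:22:09Z", "user": "bob",   "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2026-01-21T03:10:00Z", "user": "dave",  "event": "push_timeout",  "src_ip": "192.0.2.15"}
{"ts": "2026-01-21T03:12:30Z", "user": "dave",  "event": "push_timeout",  "src_ip": "192.0.2.15"}
{"ts": "2026-01-21T03:14:45Z", "user": "dave",  "event": "push_timeout",  "src_ip": "192.0.2.15"}
{"ts": "2026-01-21T07:45:00Z", "user": "dave",  "event": "push_approved", "src_ip": "192.0.2.99"}
"""

REJECTED = {"push_denied", "push_timeout"}  # prompts the user did not accept


def load_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return one finding per burst of >= threshold rejected prompts inside window.

    A burst followed by an approval within the same window is rated high: that is
    the signature of a user giving in to prompt bombing with stolen credentials.
    Threshold, window and the severity labels are assumed values, tune to taste.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e["event"] in REJECTED]
        i = 0
        while i < len(rejected):
            # Extend the burst while prompts stay within `window` of its first prompt.
            j = i
            while j + 1 < len(rejected) and rejected[j + 1]["ts"] - rejected[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                i += 1
                continue
            burst_end = rejected[j]["ts"]
            approved_after = any(
                e["event"] == "push_approved" and burst_end <= e["ts"] <= burst_end + window
                for e in evs
            )
            findings.append({
                "user": user,
                "prompts": count,
                "src_ips": sorted({e["src_ip"] for e in rejected[i:j + 1]}),
                "first": rejected[i]["ts"].isoformat(),
                "last": burst_end.isoformat(),
                "severity": "high" if approved_after else "medium",
            })
            i = j + 1  # skip past this burst so it is reported once
    return findings


def run_sample():
    """Run the detection over the constructed sample log."""
    return find_push_fatigue(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['user']}: {f['prompts']} rejected prompts "
              f"{f['first']}..{f['last']} from {', '.join(f['src_ips'])}")
```

On the sample, bob's four rejected prompts in six minutes followed by an approval two minutes later come out as high, dave's three overnight timeouts with no approval as medium, and carol's two denials ninety minutes apart produce nothing. The same loop works on a real export once the field names are mapped; the approval-after-burst check is the part worth alerting on, since a burst alone is often just a user fumbling a new phone.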

Top security headlines of the week

Poland’s energy grid was targeted by never-before-seen wiper malware
After studying the tactics, techniques, and procedures (TTPs) used in the attack, ESET researchers said the wiper was likely the work of a Russian government hacker group, Sandworm. (Ars Technica)

Konni hackers target blockchain engineers with AI-built malware
Active since at least 2014, the North Korean hacker group Konni (aka Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. (Bleeping Computer)

Two high-severity n8n flaws allow authenticated remote code execution
Successful exploitation of the flaws could let an attacker take over an entire n8n instance, including when it is running in “internal” execution mode. (The Hacker News)

US charges 31 suspects in nationwide ATM jackpotting scam
The total number of suspects is now 87. The group allegedly used ATM malware called Ploutus, active since 2015, to steal funds. (HackRead)

Can’t get enough Talos?

IR Tales from the Frontlines
Go beyond the blog with Talos IR on February 11. This live session features candid stories, behind-the-scenes insights, and strategic lessons learned from the most critical real-world incidents we faced last quarter. Register now!

The TTP: Less ransomware, same problems
Every quarter, Talos IR reviews the incidents we’ve responded to and looks for meaningful shifts in attacker behavior. Hazel is joined by Joe Marshall and Craig Jackson to break down what trends stood out in Q4.

UAT-8099: New persistence mechanisms and regional focus
Cisco Talos uncovered a new wave of attacks by UAT-8099 targeting IIS servers across Asia, with a special focus on Thailand and Vietnam. Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign.

Talos Takes: What encryption can (and can’t) do for you
Step into the fascinating world of cryptography. Amy, Yuri Kramarz, and Tim Wadhwa-Brown sit down to chat about what encryption really accomplishes, where it leaves gaps, and when defenders need to take proactive measures.

Upcoming events where you can find Talos

  • S4x26 (Feb. 23 – 26) Miami, FL 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe
Detection Name: Win.Worm.Coinminer::1201

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename: APQCE0B.dll
Detection Name: Auto.90B145.282358.in02

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

SHA256: e63ca039141d9ea9d14450c73d0ccb888dbb312a2e88193975adc566429eb7a2
MD5: 9da0e73c33026edd6c7e10cb34429d69 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e63ca039141d9ea9d14450c73d0ccb888dbb312a2e88193975adc566429eb7a2
Example Filename: AAct.exe
Detection Name: W32.Auto:e63ca0.in03.Talos

SHA256: ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f 
MD5: e41ae00985e350137ddd9c1280f04fc3 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=ecd31e50ff35f41fbacf4b3c39901d5a2c9d4ae64b0c0385d661b1fd8b00481f
Example Filename: tg-submit-JDs62cgS.exe
Detection Name: Auto.ECD31E.252552.in02

Cisco Talos Blog – Read More