Artemis Emerges From Stealth With $70 Million in Funding

The startup is leveraging AI to prevent AI-powered attacks across applications, users, machines, and cloud workloads.


SecurityWeek – ​Read More

Fashion retailer Express left customers’ personal data and order details exposed to the internet

Retail giant Express was publicly spilling customer information to the open web. The bug is now fixed after TechCrunch alerted Express, but the company would not say if it plans to notify customers.

Security News | TechCrunch – ​Read More

Data Breach at Tennessee Hospital Affects 337,000

Cookeville Regional Medical Center was targeted last year by the Rhysida ransomware group, which stole 500GB of data.


SecurityWeek – ​Read More

Cisco Patches Critical Vulnerabilities in Webex, ISE

The flaws can be exploited remotely to impersonate users or execute arbitrary commands on the underlying OS.


SecurityWeek – ​Read More

Researchers Say Fiverr Left User Files Open to Google Search

Private Fiverr user documents, including tax records and IDs, were reportedly found in Google search results due to a storage configuration issue. Read more about the findings and the company’s response to the data exposure.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

To optimize management of CVE volume, entries that do not meet specific criteria will not be automatically enriched.


SecurityWeek – ​Read More

More than pretty pictures: Wendy Bishop on visual storytelling in tech


In this episode of Humans of Talos, Amy sits down with Wendy Bishop, Head of Creative, to explore the vital role of design in the world of cybersecurity. From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.

Whether you’re a creative professional looking to break into the cybersecurity industry or simply curious about the people behind our security intelligence, this conversation offers a fascinating look at the artistic side of Talos’ mission to keep the digital world safe.

Amy Ciminnisi: Wendy, welcome! We haven’t had anyone from creative here yet. Can you talk to me a little bit about what drew you into creative work and how your career evolved into what it is now at Talos?

Wendy Bishop: I never in my entire life thought I would do anything besides something creative. It’s the only thing I’ve ever known. I have so many memories in my childhood of just being locked in my moody teenage bedroom. In high school, I started doing web design courses, and I think that’s when I really started being interested in a graphic design path. I learned Photoshop and basic HTML/CSS stuff as a side hobby. I moderated a message board for my favorite pop-punk band in high school. When it came time to go to college, there was nothing I wanted to do otherwise besides design. I found myself at Ohio University— that’s where I’m from, Ohio — in the School of Visual Communication.

I went off to a job working in newspapers. I actually never thought I would, but it was the job I found after college, and I designed news pages. It sounds funny now; it was already dying then, probably not the best long career path. But I think my background in journalism and communication-driven design is really what made me a great fit for the kind of design work we do here at Talos. We work with complicated materials, and a lot of the creative work we do is comms-driven. Our blog in some ways functions as a news outlet, so visual storytelling is a lot of my job. But of course, we have a lot of regular, branding-based design work now that comes out of my team.

AC: We just had a really big report come out that has occupied our minds for months, especially over here in design. Can you talk a little bit about the 2025 Year in Review and share what that process is like?

WB: When it starts to take shape, I look over that draft with the team and we talk about each graphic. I say, “That one might be better if we did this,” or “This is missing that piece for when it goes into production.” I really start to wrap my mind around the various assets and how we would go about taking what is essentially an Excel graphic or something created in PowerPoint and making it into a much more polished and designed presentation.

We get a sneak peek, and then one day it lands on your desk, Amy. From there, my designers and I put it together. It’s a lot about putting that puzzle together, thinking about what makes sense on each page, making sure the content flow is clean and linear, and the adjacencies of the graphics are in the right place. I come to you and say, “Amy, I need a headline,” or “Does this make sense?” We come up with a look and feel and theme for the whole report every year that’s greater than just the layout of the document. That gets extended to all the other companion pieces — our videos, social graphics, and any continuing campaign pieces.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Cisco Talos Blog – ​Read More

PowMix botnet targets Czech workforce

  • Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”
  • PowMix uses randomized command-and-control (C2) beaconing intervals, rather than a persistent connection to the C2 server, to evade network signature detection.
  • PowMix embeds encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs.
  • PowMix can remotely and dynamically update the C2 domain stored in the botnet configuration file.
  • Talos observed a few tactical similarities between the current campaign and the ZipLine campaign, including the payload delivery mechanism and the misuse of the legitimate cloud platform Heroku for C2 operations.

Victimology  


Talos observed that an attacker targeted Czech organizations across various levels, based on the contents of the lure documents used by the attacker in the current campaign.

Impersonating the legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lure documents, the attacker also used compensation data, as well as the legitimate legislative references, to enhance the authenticity of these decoy documents and to entice the job aspirants across diverse sectors like IT, finance, and logistics. 

TTP overlaps with the ZipLine campaign

Talos observed a few tactical similarities employed in the current campaign with that of the ZipLine campaign, reported by researchers from Check Point in August 2025.

In the current campaign, the PowMix botnet payload is delivered via an LNK-triggered PowerShell loader that extracts it from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory. This campaign shares tactical overlaps with the older ZipLine campaign (which deployed the MixShell malware), including identical ZIP-based payload concealment, Windows scheduled task persistence, CRC32-based Bot ID generation, and the abuse of “herokuapp.com” for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker’s final payload was not observed, and the intent remains unknown in this campaign.

Attack summary  

Figure 3. Attack summary flow chart.

The attack begins when a victim runs the Windows shortcut file contained within the received malicious ZIP file, potentially through a phishing email. This shortcut file triggers the execution of an embedded PowerShell loader script, which initially creates a copy of the ZIP file along with its contents in the victim’s “ProgramData” folder. Subsequently, it loads the malicious ZIP file, extracts, and executes the embedded PowMix botnet payload directly in the victim’s machine memory and starts to communicate with the botnet C2. 

PowerShell loader executes PowMix in memory  

The first-stage PowerShell script functions as a loader, and its execution routine is designed to bypass security controls and deliver a secondary payload. It begins by defining several obfuscated variables, including the file name of the malicious ZIP file that was likely received via a phishing email. Then the script dynamically constructs paths to folders such as “ProgramData” and the user’s “Downloads” folder to locate this ZIP file. Once the ZIP file is found, it extracts the contents to the “ProgramData” folder, effectively staging the environment for the next phase of the attack.

Figure 4. Excerpt of the deobfuscated PowerShell loader main function.

To evade detection, the script employs an AMSI (Antimalware Scan Interface) bypass technique. It uses a reflection technique to browse the loaded assemblies in the current process, specifically searching for the AmsiUtils class. Once located, it identifies the amsiInitFailed field and manually sets its value to true. This action deceives the Windows security subsystem into thinking that AMSI has not initialized, which disables real-time scanning of subsequent commands, enabling the script to run malicious code in memory without being detected by Windows Defender or other endpoint detection and response (EDR) solutions. 

Figure 5. Excerpt of the deobfuscated PowerShell loader AMSI bypass function.

The script parses the malicious ZIP file to locate a specific marker that is hardcoded, such as zAswKoK. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command that is embedded within the ZIP file data blob.  

Figure 6. Malicious ZIP file data blob embedded with an obfuscated PowMix botnet.

Throughout this process, the script performs a series of string replacements, which include the removal of # symbols and the mapping of placeholders, such as {cdm}, to their corresponding specific file paths, reconstructing a functional secondary PowerShell script payload. Then it executes the secondary payload script in the victim machine memory using the Invoke-Expression (IEX) PowerShell command.  

Figure 7. PowerShell loader excerpt with instructions to extract the payload and execute it.

PowMix botnet 

Talos discovered that the secondary payload PowerShell script, which we call “PowMix,” is a previously unreported botnet designed for remote access, reconnaissance, and remote code execution. 

The main execution of the script begins with an environment check to ensure it is running within a specific loader context at the placeholder {cdm}, which is the path of the Windows shortcut in the ProgramData folder, before immediately attempting to conceal its presence. It invokes a function that utilizes the Win32ShowWindowAsync function of “user32.dll” to hide the current PowerShell console window.  

Figure 8. PowMix excerpt to hide the PowerShell console window.

Then it decrypts the C2 domain and a configuration file using a custom XOR-based routine with a hardcoded key. It retrieves the machine’s product ID by querying the HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key for the Windows ProductID. PowMix processes the victim machine’s ProductID and the decrypted configuration data through a CRC32-style checksum function to generate a unique Bot ID and a corresponding Windows scheduled task name, which it subsequently uses to establish persistence.

Some of the hardcoded XOR key strings found in this campaign are: 

  • HpSWSb  
  • qDQyxQE  
  • bKUxmhyAe 
  • HymzqLse 
  • KsEYwmgSF 
  • ujCPOEPU 

Figure 9. PowMix excerpts with the main function and the function that implements the CRC32-type checksum algorithm.

Instead of using obvious task names, PowMix names the scheduled task by concatenating the Bot ID and Configuration file hash, resulting in names that appear as random hexadecimal strings (such as “289c2e236761”). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action is configured to launch the benign Windows Explorer binary with the malicious Windows Shortcut file path as an argument. Windows Explorer’s file association handling then automatically launches the malicious shortcut file to execute the PowerShell loader script.  

Figure 10. Windows scheduled task created by PowMix.

Before attempting to establish persistence, PowMix performs several validation checks to ensure that another instance of the botnet is not running on the infected machine. It examines the process tree using Common Information Model (CIM) queries to identify its parent processes. If PowMix is not running under either “svchost.exe” or “powershell.exe”, and if certain environment variables are not set, it attempts to restart itself in a privileged context.

Figure 11. PowMix excerpts with the instructions to establish persistence.
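The persistence traits described above (a hex-only task name formed from the Bot ID and configuration hash, a daily 11:00 a.m. trigger, and explorer.exe launched with a .lnk under ProgramData as its argument) can be checked against task definitions exported with schtasks /query /xml. The following Python is an added example for this page, not Talos's code; the two task XML documents are constructed, and the scoring thresholds are this example's own assumption.

```python
"""Flag PowMix-style persistence in exported Windows scheduled-task XML."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by `schtasks /query /xml` exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task name = Bot ID + config hash rendered as hex (write-up example: 289c2e236761).
HEX_NAME = re.compile(r"^[0-9a-f]{8,16}$")


def _text(root, path):
    return (root.findtext(path, default="", namespaces=NS) or "").strip()


def inspect_task(task_xml: str) -> dict:
    """Score one exported task definition against the PowMix persistence traits.

    Traits checked (all from the write-up): hex-only task name, daily trigger at
    11:00, explorer.exe as the action with a .lnk file as its argument, and that
    .lnk living under ProgramData. The verdict thresholds are assumptions.
    """
    root = ET.fromstring(task_xml)
    name = _text(root, "t:RegistrationInfo/t:URI").rsplit("\\", 1)[-1].lower()
    command = _text(root, "t:Actions/t:Exec/t:Command").strip('"').lower()
    args = _text(root, "t:Actions/t:Exec/t:Arguments").strip('"').lower()
    start = _text(root, "t:Triggers/t:CalendarTrigger/t:StartBoundary")
    daily = root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None

    findings = {
        "hex_only_name": bool(HEX_NAME.match(name)),
        "explorer_launches_lnk": command.endswith("explorer.exe") and args.endswith(".lnk"),
        "lnk_under_programdata": "\\programdata\\" in args,
        "daily_at_1100": daily and start.endswith("T11:00:00"),
    }
    score = sum(findings.values())
    if findings["explorer_launches_lnk"] and score >= 3:
        verdict = "powmix-persistence"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"name": name, "findings": findings, "score": score, "verdict": verdict}


def scan_tasks(task_xmls):
    """Return the inspections that are not benign, for a batch of exports."""
    return [r for r in map(inspect_task, task_xmls) if r["verdict"] != "benign"]


# Constructed task exports (not real samples): one mimicking the described
# PowMix task, one resembling a stock Windows maintenance task.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\289c2e236761</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-01-05T11:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\explorer.exe</Command>
      <Arguments>C:\ProgramData\Docs\Smlouva.lnk</Arguments>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-01-05T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for hit in scan_tasks([MALICIOUS_TASK, BENIGN_TASK]):
        print(hit["name"], hit["verdict"], hit["findings"])
```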

The mutex implementation in the botnet prevents multiple instances from running at the same time. It creates a mutex with the name “Global\[BotID]”. The “Global\” prefix makes the mutex visible across all user sessions, stopping separate instances from running in different user sessions.

Figure 12. PowMix excerpts with mutex creation commands.

PowMix avoids persistent connections to the C2 server. Instead, it implements a jitter via Get-Random PowerShell command to vary the beaconing intervals initially between 0 and 261 seconds, and subsequently between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures. 

Each request from PowMix to the C2 is created by concatenating the base C2 domain with the Bot ID, the configuration file hash, an encrypted heartbeat, a hexadecimal Unix timestamp, and a random hexadecimal suffix. The standard heartbeat string “[]0” is encrypted using a custom XOR routine with the Bot ID as the key and is then converted to a hex string. The inclusion of a random-length hexadecimal suffix further ensures that every URL is unique.

The attacker mimics REST API call URLs by embedding this data directly into the URL path, instead of using a URL query string or a POST request to communicate with the C2 server.

Figure 13. C2 URL format.

PowMix establishes a Chrome User-Agent and configures the Accept-Language (en-US) and Accept-Encoding (gzip, deflate, br) headers. It utilizes the GetSystemWebProxy API along with DefaultCredentials to dynamically adopt the host machine’s network proxy settings and automatically authenticates using the logged-in user’s active session tokens, thereby disguising the C2 traffic as legitimate web browser traffic within the victim’s environment. 

Figure 14. PowMix excerpts with C2 loop instructions.

Figure 15. PowMix excerpts of the download function with hardcoded HTTP headers.
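The beacon URL layout and the XOR-encrypted heartbeat described above give a defender two checks to run over proxy logs: does a request path decompose into Bot ID, configuration hash, heartbeat, timestamp and suffix, and does XOR-decrypting the heartbeat with the Bot ID give back “[]0”? The following Python is an added example for this page, not Talos's code. It assumes the five fields are “/”-separated path segments in the order listed and that the custom XOR routine is plain repeating-key XOR; the proxy log entries are constructed.

```python
"""Detect PowMix-style C2 beacon URLs and jittered beaconing in proxy logs."""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

HEX = re.compile(r"^[0-9a-fA-F]+$")
HEARTBEAT = b"[]0"             # constant heartbeat string named in the write-up
STEADY_WINDOW = (1075, 1450)   # documented steady-state beacon interval (seconds)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; assumed stand-in for PowMix's custom routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def analyse_url(url: str, seen_at: float) -> Optional[dict]:
    """Decompose a URL path into PowMix beacon fields, or return None.

    Assumed layout: /<BotID>/<config hash>/<heartbeat hex>/<timestamp hex>/<random hex>.
    The heartbeat is XOR-decrypted with the Bot ID and compared to "[]0"; the
    timestamp is compared with the time the proxy saw the request.
    """
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) != 5 or not all(HEX.match(p) for p in parts):
        return None
    bot_id, cfg_hash, hb_hex, ts_hex, suffix = parts
    if len(hb_hex) % 2:
        return None
    heartbeat = xor_bytes(bytes.fromhex(hb_hex), bot_id.encode())
    try:
        ts = int(ts_hex, 16)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    except (ValueError, OverflowError, OSError):
        return None
    return {
        "bot_id": bot_id.lower(),
        "config_hash": cfg_hash.lower(),
        "heartbeat_ok": heartbeat == HEARTBEAT,
        "timestamp": when,
        "timestamp_plausible": abs(seen_at - ts) < 3600,
        "suffix_len": len(suffix),
    }


def score_beacons(events) -> dict:
    """Group hits per Bot ID and test the inter-request gaps against the jitter window.

    events: iterable of (epoch_seconds, url) pairs from a proxy log, any order.
    """
    per_bot = {}
    for seen_at, url in sorted(events):
        info = analyse_url(url, seen_at)
        if info is not None:
            per_bot.setdefault(info["bot_id"], []).append((seen_at, info))
    verdicts = {}
    for bot_id, hits in per_bot.items():
        times = [t for t, _ in hits]
        gaps = [b - a for a, b in zip(times, times[1:])]
        heartbeat_ok = all(i["heartbeat_ok"] for _, i in hits)
        plausible = all(i["timestamp_plausible"] for _, i in hits)
        verdicts[bot_id] = {
            "requests": len(hits),
            "gaps": gaps,
            "jitter_match": bool(gaps) and all(STEADY_WINDOW[0] <= g <= STEADY_WINDOW[1] for g in gaps),
            "heartbeat_ok": heartbeat_ok,
            "verdict": "powmix-beacon" if heartbeat_ok and plausible else "hex-path-only",
        }
    return verdicts


# Constructed proxy log: (time seen, URL). Three beacons from one bot (heartbeat
# "696509" is "[]0" XORed with Bot ID "289c2e"), one ordinary REST call, and one
# decoy whose segments are hex but whose heartbeat does not decrypt correctly.
SAMPLE_LOG = [
    (1770000000, "https://api.example.invalid/289c2e/236761/696509/69800e80/a1f3"),
    (1770001200, "https://api.example.invalid/289c2e/236761/696509/69801330/7bc0de"),
    (1770002590, "https://api.example.invalid/289c2e/236761/696509/6980189e/0c"),
    (1770000100, "https://api.example.invalid/api/v1/users/42/profile"),
    (1770000500, "https://cdn.example.invalid/deadbeef/cafe/0000/69800e80/ff"),
]

if __name__ == "__main__":
    for bot, v in score_beacons(SAMPLE_LOG).items():
        print(bot, v["verdict"], v["gaps"], "jitter-window match" if v["jitter_match"] else "")
```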

The PowMix command processing logic runs upon receiving a period-delimited response from the C2. It extracts the second segment and decrypts it using the unique Bot ID as the XOR key. The decrypted response is then evaluated through a conditional parser that distinguishes between the command operations hardcoded in the botnet and arbitrary code execution, allowing the attacker to remotely control the victim machine.

The remote management commands that the botnet receives from the C2 are identified by a leading hash symbol (#). We found that the PowMix botnet facilitates the commands described below: 

  • #KILL – The KILL command initiates a self-deletion routine, using the Unregister-ScheduledTask PowerShell command with the parameter -Confirm:$false to silently remove persistence, followed by a Remove-Item -Recurse -Force command to wipe the malware’s directory on the victim machine.
  • #HOST – The HOST command enables C2 infrastructure migration by remotely writing a new C2 URL into a configuration file. On receiving the HOST command, PowMix encrypts the new domain it receives using the hardcoded XOR key and saves it to a local configuration file via the Set-Content PowerShell command. During the next initialization of the botnet through the task scheduler, it prioritizes the local configuration file data containing the encrypted new C2 domain over the hardcoded defaults, providing a robust mechanism for evading domain blacklisting.
  • For responses from the C2 that are not #-prefixed, the command processing routine of PowMix transitions into an arbitrary execution mode. It bypasses static detection of the Invoke-Expression (IEX) PowerShell command by dynamically reconstructing the command string from the $VerbosePreference variable and executes the decrypted payload while redirecting the output to Out-Null, so that no execution traces are left.

Figure 16. PowMix excerpts with the instructions facilitating the C2 commands.

Coverage

The following ClamAV signatures detect and block this threat:

  • Lnk.Trojan.PowMix-10059735-0 
  • Txt.Trojan.PowMix-10059742-0 
  • Txt.Trojan.PowMix-10059778-0 
  • Win.Trojan.PowMix-10059728-0 

The following Snort Rules (SIDs) detect and block this threat: 

  • Snort2 and Snort3: 66118 

Indicators of compromise (IOCs) 

The IOCs for this threat are also available in our GitHub repository.

Cisco Talos Blog – ​Read More

BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory

ANY.RUN has observed a sustained surge in a credential-phishing campaign active since 2024. This campaign, dubbed BlobPhish, introduces a sneaky twist: instead of delivering phishing pages via traditional HTTP requests, it generates them directly inside the victim’s browser using blob objects. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, caches, or network telemetry. 

The campaign targets credentials across multiple platforms, including Microsoft 365, banking services, and webmail portals, making it both widespread and high-impact. 

Key Takeaways 

  • Memory-resident evasion: BlobPhish loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely. 
  • Broad targeting: The campaign hits Microsoft 365 alongside major U.S. banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services. 
  • Persistent and active: First observed in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026. 
  • Compromised infrastructure: Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php, tele.php, panel.php). 
  • High-value credential theft: Stolen accounts enable BEC, data exfiltration, and lateral movement — threats that carry multimillion-dollar consequences. 
  • Global but finance-focused: One-third of victims are in the U.S.; phishing pages almost exclusively mimic premium financial and Microsoft services regardless of victim industry. 
  • ANY.RUN delivers proactive defense: Sandbox instantly reveals blob behavior in real browsers, while TI Lookup and TI Feeds provide real-time IOCs and YARA rules for automated blocking and hunting, turning reactive security into prevention. 

How BlobPhish works 

The attack is based on the abuse of browser Blob objects to serve fake authentication forms. A JavaScript loader, fetched from an attacker-controlled page, constructs a Blob from a Base64-encoded payload and loads it directly into browser memory — never touching disk and never generating the traditional HTTP requests that security tools rely on to detect phishing. 

Phishing pseudo-MS365 page loaded as a blob object 

Targeted services include: Microsoft 365, OneDrive, SharePoint, Chase, FDIC, Capital One, E*Trade, American Express, Charles Schwab, Merrill Lynch, PayPal, Intuit, and others. 



Technical Deep Dive 

Because the phishing page exists only in memory and is referenced by the scheme blob:https://, it cannot be blocked by URL reputation engines, does not appear in proxy logs as a suspicious request, and leaves no cache artefact. This makes BlobPhish significantly harder to detect and investigate than conventional phishing. 

View the observed analysis session in ANY.RUN sandbox 

Blobphish attack detonated in the sandbox 

1. Delivery Vector 

The typical initial access point is a phishing email or a link to a trusted-looking service such as DocSend. Example phishing link: hxxps[://]docsend[.]com/view/vsrrknxprh2xt84n 
 
Upon clicking, the victim is redirected to an HTML page that contains the loader script. Example loader URL: hxxps[://]mtl-logistics[.]com/blb/blob[.]html 

2. Loader Script — Step by Step 

Code responsible for blob object download 

The loader uses jQuery to perform the following sequence invisibly to the user: 

  • var a = $("<a style='display: none;'/>")
    Creates an invisible HTML anchor element;
  • var decodedStringAtoB = atob(encodedStringAtoB)
    Decodes the Base64 payload;
  • const myBlob = new Blob([decodedStringAtoB], { type: 'text/html' });
    Constructs the Blob object;
  • const url = window.URL.createObjectURL(myBlob)
    Generates the blob: URL;
  • a.attr("href", url)
    Attaches the URL to the hidden anchor;
  • $("body").append(a)
    Injects the anchor into the DOM;
  • a[0].click()
    Triggers navigation to the phishing page;
  • window.URL.revokeObjectURL(url); a.remove()
    Destroys evidence from memory and the DOM.

3. The Phishing Page 

The victim sees a convincing Microsoft 365 (or other financial service) login page. The browser address bar shows the scheme blob:https://, which can appear legitimate to an untrained eye.  


The page contains: 

  • A spoofed credential-capture form:  
Fake login form 
  • Specific set of selectors for the used HTML elements:
Selector list 
  • Exfiltration logic that POSTs captured credentials to an attacker-controlled endpoint:
Data exfiltration logic 
  • A failed-login counter to force repeated credential entry (increasing harvest accuracy), a final redirect to the legitimate service website to avoid suspicion: 
Handling failed attempt counters and final redirect 
  • Data is sent via a POST request as form-data: 
Data exfiltration patterns

Observed exfiltration endpoint pattern: 

hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 

4. YARA Detection Rule

The following YARA rule matches the loader HTML page and can be used in ANY.RUN Threat Intelligence Lookup to hunt for BlobPhish infrastructure: 

rule BlobPhishLoaderHTML
{
    meta:
        author = "ANY.RUN"
        description = "Matches HTML pages with JS-script which creates and loads phishing page as blob-object"

    strings:
        $s1 = "function saveFile(" ascii
        $s2 = "var a = $(\"<a style='display: none;'/>\");" fullword ascii
        $s3 = "var encodedStringAtoB" fullword ascii
        $s4 = "var decodedStringAtoB = atob(encodedStringAtoB);" fullword ascii
        $s5 = "window.URL.createObjectURL(myBlob);" fullword ascii
        $s6 = "window.URL.revokeObjectURL(url);" fullword ascii

    condition:
        all of them
}

5. Exfiltration Infrastructure by Target 

Pivoting on url:"/res.php$" and via the YARA rule above, ANY.RUN researchers identified multiple targets and corresponding exfiltration URLs.

1. Capital One 

View sandbox analysis 

Phishing form imitating Capital One page 

Exfiltration URL: hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 

Exfiltration variant 

2. Chase Banking

View sandbox analysis 

Phishing form imitating Chase Banking login page

Exfiltration URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 

Yet another exfiltration variant

3. Morgan Stanley E*Trade

View sandbox analysis 

Sandbox analysis of phishing targeting Morgan Stanley customers

Exfiltration URL: hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php

Another exfiltration variant exposed in the sandbox

Variants exfiltrating to url:"*/tele.php" with a roughly similar request structure were also observed; view a sandbox analysis with the exfiltration URL hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php.

Importantly, in some cases calls to the service endpoint /panel.php have been observed. In response to a POST request, an error and its description (e.g., “IP not found”) are returned. 
 
Example POST URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 

/panel.php POST error response 

6. HTTP Detection Patterns 

The following HTTP traffic signatures reliably identify BlobPhish activity in proxy and SIEM logs: 

  • POST */res.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 
  • POST */tele.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 
  • POST */panel.php  — empty body; response: JSON with error & description (e.g., “IP not found”). 
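The three HTTP patterns above can be turned into a log classifier that also groups hits per host, so that a host serving both the credential receiver and the panel.php probe stands out. The following Python is an added example for this page, not ANY.RUN's code; the JSON-lines record schema and the host names are this example's own constructed assumptions.

```python
"""Classify proxy-log records for BlobPhish credential exfiltration traffic."""
import json
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlparse

EXFIL_SCRIPTS = {"res.php", "tele.php"}   # credential receivers seen in the campaign
PANEL_SCRIPT = "panel.php"                # empty POST; JSON error reply, e.g. "IP not found"
CRED_MIME = {"multipart/form-data", "application/x-www-form-urlencoded"}
WP_PATH = re.compile(r"/wp-(?:includes|content|admin)/")  # abused WordPress hosting


def classify(record: dict) -> Optional[str]:
    """Label one request record, or return None if it matches no pattern.

    Assumed record schema (this example's, not ANY.RUN's): method, url,
    content_type, body_len, response_body.
    """
    if record.get("method", "").upper() != "POST":
        return None
    script = urlparse(record["url"]).path.rsplit("/", 1)[-1].lower()
    mime = record.get("content_type", "").split(";")[0].strip().lower()
    body_len = int(record.get("body_len") or 0)
    if script in EXFIL_SCRIPTS:
        # Credentials are posted as form data; any other MIME type is still worth a look.
        return "credential-exfil" if mime in CRED_MIME and body_len > 0 else "exfil-endpoint-other"
    if script == PANEL_SCRIPT and body_len == 0:
        try:
            reply = json.loads(record.get("response_body") or "")
        except json.JSONDecodeError:
            return "panel-probe-unverified"
        if isinstance(reply, dict) and "error" in reply:
            return "panel-probe"
    return None


def summarise(records) -> dict:
    """Aggregate labels per host so reused exfiltration infrastructure stands out."""
    hosts = defaultdict(lambda: {"labels": set(), "paths": set(), "wordpress": False})
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        parsed = urlparse(rec["url"])
        entry = hosts[parsed.hostname]
        entry["labels"].add(label)
        entry["paths"].add(parsed.path)
        entry["wordpress"] = entry["wordpress"] or bool(WP_PATH.search(parsed.path))
    out = {}
    for host, e in hosts.items():
        if {"credential-exfil", "panel-probe"} <= e["labels"]:
            confidence = "high"      # both halves of the observed pattern on one host
        elif "credential-exfil" in e["labels"]:
            confidence = "medium"
        else:
            confidence = "low"
        out[host] = {"confidence": confidence, "labels": sorted(e["labels"]),
                     "paths": sorted(e["paths"]), "wordpress": e["wordpress"]}
    return out


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed JSON-lines proxy log; hosts are .invalid placeholders, not real IOCs.
SAMPLE_LOG = r"""
{"method":"POST","url":"https://shop.example.invalid/wp-includes/certificates/tmp//res.php","content_type":"multipart/form-data; boundary=----x","body_len":184,"response_body":""}
{"method":"POST","url":"https://shop.example.invalid/wp-includes/certificates/tmp//panel.php","content_type":"","body_len":0,"response_body":"{\"error\":1,\"description\":\"IP not found\"}"}
{"method":"POST","url":"https://mail.example.invalid/cgi-ent/tele.php","content_type":"application/x-www-form-urlencoded","body_len":96,"response_body":"ok"}
{"method":"GET","url":"https://mail.example.invalid/cgi-ent/res.php","content_type":"","body_len":0,"response_body":""}
{"method":"POST","url":"https://app.example.invalid/api/login","content_type":"application/json","body_len":64,"response_body":"{\"token\":\"x\"}"}
"""

if __name__ == "__main__":
    for host, info in summarise(load_jsonl(SAMPLE_LOG)).items():
        print(host, info["confidence"], info["labels"], "wordpress" if info["wordpress"] else "")
```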

7. Delivery Methods 

The following initial-access vectors have been observed: 

  • Phishing emails with financial lures (suspicious transaction, personal loan/operation confirmation, invoice & document signature, disputed payment); 
Fake payment notification email
  • PDF attachments containing a QR code that leads to a malicious JS page and subsequently the blob:http scheme and */res.php exfiltration pattern (observed in an energy-sector campaign); 
  • Shortened links (e.g., via t.co) redirecting through JS to the blob:http payload; 
  • Links to legitimate-looking document-sharing services such as DocSend. 

Threat Landscape 

First spotted in October 2024, BlobPhish has proved to be a sustained, continuously evolving campaign that remains active at the time of publication.

Analysis of related artefacts shows that the threat actors regularly rotate infrastructure, exfiltration endpoints, loader hosting domains, and phishing lure themes. They also vary the path names of the loader pages (blob.html, blom.html, bloji.html, emailandpasssss.html) and exfiltration scripts (res.php, tele.php), complicating static signature-based detection. 

Targeted Industries 

Although the phishing lures predominantly impersonate financial and cloud services, the victim organizations span multiple sectors: 

  • Manufacturing, 
  • Education, 
  • Government, 
  • Transport, 
  • Telecommunications.  

Regardless of the victim’s industry, attackers focus on harvesting credentials for high-value financial and cloud corporate services — increasing the probability of capturing credentials that unlock significant monetary or data assets. 

Financial institutions and cloud-productivity platforms most frequently spoofed: 

  • Capital One, 
  • American Express, 
  • JPMorgan Chase, 
  • Intuit, 
  • Charles Schwab, 
  • Morgan Stanley’s E*TRADE, 
  • Merrill Lynch, 
  • PayPal, 
  • Microsoft 365 / OneDrive / SharePoint (used as a document-access lure).  

Geography 

Approximately one-third of observed activity involves US-based users and organisations. BlobPhish activity has been observed from: Germany, Poland, Spain, Switzerland, United Kingdom, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan.

Business Impact: Why BlobPhish Is a Board-Level Risk 

BlobPhish does not just steal one employee’s password. By targeting the financial, cloud, and productivity accounts that employees use every day, a single successful compromise can cascade into: 

  • Unauthorized wire transfers or fraudulent invoices (Business Email Compromise follow-on); 
  • Full Microsoft 365 tenant takeover — email, SharePoint, Teams, and connected SaaS apps; 
  • Regulatory exposure (GDPR, SEC, FFIEC, PCI-DSS) from confirmed data exfiltration; 
  • Reputational damage when customer or partner data is compromised; 
  • Operational disruption if attacker pivots to ransomware after credential harvest. 



Security and risk teams should model the following impact chains when a BlobPhish credential is compromised: 

  • Microsoft 365 credential → MFA fatigue or session token theft → full mailbox access → BEC fraud or data exfiltration to partners/clients; 
  • Banking credential (Chase, CapitalOne) → account takeover → wire fraud or ACH manipulation; 
  • Investment platform credential (Schwab, E*TRADE, Merrill) → unauthorized trades or fund transfer; 
  • Any cloud credential → lateral movement to connected SaaS → ransomware deployment. 

Regulatory consequences may include mandatory breach notification under GDPR (72-hour window), SEC cybersecurity incident disclosure requirements, and FFIEC guidance on authentication for financial institutions. 

How ANY.RUN Helps You Stay Ahead 

ANY.RUN provides the complementary capabilities that address BlobPhish at every stage of the threat lifecycle: from proactive hunting to real-time detection and automated feed enrichment. 

1. Analyze Alerts & Artifacts to Prevent Attack 

When a suspicious link or email is forwarded to the security team, ANY.RUN’s fully interactive cloud sandbox executes the entire BlobPhish kill chain in a safe cloud environment: 

  • The JavaScript loader runs, the Base64 payload is decoded, and the blob: URL is created, exactly as it would on a victim’s machine. 
  • Analysts watch the live session and see the fake login page render, observe the POST to */res.php, and capture all network artefacts. 
  • Because execution happens in a real browser, there are no emulation gaps that the attacker’s anti-sandbox checks could exploit. 
  • Full analysis reports — including screenshots, network traffic, memory artefacts, and extracted IOCs — are generated in minutes. 

This means your SOC can definitively confirm or dismiss a BlobPhish suspicion within minutes rather than hours, without risking any internal system. 

2. Stop Future Attacks by Enriching Proactive Defense 

Threat Intelligence Lookup gives threat hunters direct, query-based access to the ANY.RUN database of analyzed samples and infrastructure: 

  • Run YARA-based searches to find all samples matching the BlobPhishLoaderHTML rule. 
  • Pivot on URL patterns (url:"/res.php$", url:"*/blob.html$") to discover new attacker infrastructure the moment it appears in the wild.

url:"*/res.php$" AND url:"*/blob.html$" AND threatName:"phishing"

BlobPhish sandbox detonations found via TI Lookup 
  • Correlate domains, IPs, file hashes, and HTTP patterns across millions of analyzed tasks. 
  • Export results directly into SIEM, SOAR, or ticketing workflows. 

Security teams can monitor this campaign continuously rather than reacting after a compromise. New loader domains and exfiltration endpoints are surfaced as soon as ANY.RUN community members (and automated systems) submit related tasks. 

3. Automate Monitoring with Live Intelligence 

Threat Intelligence Feeds deliver structured, machine-readable threat intelligence in STIX/TAXII or flat-file formats, enabling automated enforcement across your security stack: 

  • BlobPhish-related domains, IPs, and URL patterns are automatically pushed to firewalls, proxies, and SIEM correlation rules. 
  • Indicators are enriched with context (campaign name, targeted brand, exfiltration pattern, confidence level) so that alerts are actionable, not just noisy. 
  • Feeds are updated in near-real-time as the campaign evolves, meaning your defenses track the attacker’s infrastructure rotation without manual analyst effort. 
  • Integration is supported with leading SIEM/SOAR platforms (Splunk, Microsoft Sentinel, Palo Alto XSOAR, and others) via standard connectors. 

Rather than relying solely on reactive detection, TI Feeds shift your posture to proactive blocking: exfiltration endpoints are denied before a single employee credential can be harvested. 

Indicators of Compromise (IOCs) 

URLs 

  • hxxps[://]mtl-logistics[.]com/blb/blob[.]html 
  • hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 
  • hxxps[://]larva888[.]com/wp-includes/css/dist/tmp/vmo[.]html 
  • hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 
  • hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//panel[.]php 
  • hxxps[://]mail[.]hubnorte[.]com[.]br/blom[.]html 
  • hxxps[://]riobeautybrazil[.]com/wp-admin/amx/res[.]php 
  • hxxps[://]riobeautybrazil[.]com/wp-admin/amx/panel[.]php 
  • hxxps[://]hnint[.]net/bloji[.]html 
  • hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 
  • hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 
  • hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/blob[.]html 
  • hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php 
  • hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//panel[.]php 
  • hxxps[://]i-seotools[.]com/wp-content/citttboy[.]html 
  • hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/res[.]php 
  • hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/panel[.]php 
  • hxxps[://]localmarketsense[.]com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss[.]html 
  • hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php 

Domains 

  • mtl-logistics[.]com 
  • larva888[.]com 
  • wajah4dslot[.]com 
  • mail[.]hubnorte[.]com[.]br 
  • riobeautybrazil[.]com 
  • hnint[.]net 
  • ftpbd[.]net 
  • i-seotools[.]com 
  • mts-egy[.]net 
  • localmarketsense[.]com 
  • gonzalezlawnandlandscaping[.]com 

Conclusion 

BlobPhish represents a mature, well-maintained phishing operation that has been running continuously for over eighteen months. Its core innovation — abusing the browser’s Blob URL API to serve phishing pages entirely in memory — hides the phishing page itself from controls that inspect URLs, files, or proxied content: secure email gateways, URL filters, web proxies, and file-based endpoint solutions see only the loader page and, later, the credential POST to the kit’s endpoint. 

For security teams, the takeaway is clear: static and perimeter-based defenses are insufficient against this class of attack. Effective defense requires dynamic analysis (to execute and observe the full attack chain), proactive threat hunting (to discover attacker infrastructure before it is weaponized against your organization), and automated, continuously updated threat intelligence feeds that propagate IOCs across the entire security stack in near-real-time. 

Provide your team with the visibility and speed to stay ahead of BlobPhish and protect business assets: contact ANY.RUN.


About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

What is BlobPhish?

BlobPhish is an ongoing credential-phishing campaign active since October 2024 that delivers fake login pages as browser blob objects, evading traditional security tools.

How does the blob technique work?

JavaScript decodes a base64 payload, creates a blob object, generates a blob:https:// URL, forces the browser to load it via a hidden link, then immediately cleans up — leaving no file or cache trace of the phishing page itself. The loader HTML fetched over the network and the credential POST to the kit’s endpoint are the only artefacts outside browser memory.

Which companies and services are impersonated?

Microsoft 365, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, American Express, PayPal, and others — primarily U.S. financial and cloud brands.

What are the main indicators of compromise?

URLs ending in /blob.html, /res.php, /tele.php or /panel.php; the YARA rule provided; and blob:https:// URLs in browser history. These filenames are generic and legitimate web apps also create blob: URLs (file downloads, document previews), so treat a lone match as a hunting lead and corroborate it with a credential POST to one of the listed endpoints.
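As an added example (not part of the original post), the Node.js script below hunts for those artefacts in an exported browser history and a proxy log. The log formats, the hosts (loader.example, docs.example, cdn.example) and the ten-minute correlation window are constructed assumptions. Two details carry the logic: a blob: URL embeds the origin that created it (blob:https://host/uuid), which points straight at the loader host, and the exfiltration endpoint need not live on the loader host (compare the larva888[.]com loader with the wajah4dslot[.]com res.php in the IOC list), so the POST is correlated by time rather than by host.

```javascript
// Added example, not ANY.RUN code: correlating BlobPhish artefacts across an
// exported browser history and a proxy log. Formats and hosts are constructed.

// Kit endpoints named in the post; the exfiltration POST goes to one of these.
const EXFIL_PATH = /\/(res|tele|panel)\.php$/i;
// Assumed window between the in-memory page rendering and the credential POST.
const WINDOW_MS = 10 * 60 * 1000;

// Constructed history export: "<ISO visit time>,<url>".
const HISTORY = [
  '2025-03-04T09:11:58Z,https://intranet.example/news',
  '2025-03-04T09:12:01Z,https://loader.example/blb/blob.html',
  '2025-03-04T09:12:02Z,blob:https://loader.example/3c1f2a8e-0d52-4c8e-9a8f-1a2b3c4d5e6f',
  '2025-03-04T09:15:40Z,blob:https://docs.example/7b9e0a11-5f1c-4b2d-8c3e-0f1a2b3c4d5e',
];

// Constructed proxy log: "<ISO time> <method> <url> <status>".
const PROXY_LOG = [
  '2025-03-04T09:12:01Z GET https://loader.example/blb/blob.html 200',
  '2025-03-04T09:12:37Z POST https://loader.example/css/point/res.php 200',
  '2025-03-04T09:15:38Z GET https://docs.example/files/report.pdf 200',
  '2025-03-04T10:02:11Z GET https://cdn.example/panel.php?v=3 200',
];

function parseHistory(lines) {
  return lines.map((l) => {
    const i = l.indexOf(',');
    return { t: Date.parse(l.slice(0, i)), url: l.slice(i + 1) };
  });
}

function parseProxy(lines) {
  return lines.map((l) => {
    const [ts, method, url, status] = l.trim().split(/\s+/);
    return { t: Date.parse(ts), method, url, status: Number(status) };
  });
}

// A blob: URL embeds the origin that created it: blob:https://host/uuid.
function blobOrigin(url) {
  const m = /^blob:(https?:\/\/[^/]+)\//i.exec(url);
  return m ? m[1] : null;
}

function pathOf(url) {
  try { return new URL(url).pathname; } catch { return ''; }
}

// For every blob: entry in history, find the loader fetch (a GET from the same
// origin just before it) and an exfiltration POST (any host, just after it).
// A GET to panel.php, as in the cdn.example line, is not counted as exfil.
function huntBlobPhish(historyLines, proxyLines) {
  const history = parseHistory(historyLines);
  const proxy = parseProxy(proxyLines);
  const findings = [];
  for (const h of history) {
    const origin = blobOrigin(h.url);
    if (!origin) continue;
    const loader = proxy
      .filter((p) => p.method === 'GET' && p.url.startsWith(origin + '/')
        && p.t <= h.t && h.t - p.t <= WINDOW_MS)
      .pop();
    const exfil = proxy.find((p) => p.method === 'POST'
      && EXFIL_PATH.test(pathOf(p.url)) && p.t >= h.t && p.t - h.t <= WINDOW_MS);
    const score = (loader ? 1 : 0) + (exfil ? 2 : 0);
    findings.push({
      blobUrl: h.url,
      origin,
      loaderUrl: loader ? loader.url : null,
      exfilUrl: exfil ? exfil.url : null,
      confidence: score >= 3 ? 'high' : score === 2 ? 'medium' : 'low',
    });
  }
  return findings;
}

for (const f of huntBlobPhish(HISTORY, PROXY_LOG)) {
  console.log(`${f.confidence.toUpperCase()} ${f.origin} loader=${f.loaderUrl} exfil=${f.exfilUrl}`);
}
```

The docs.example entry shows the false-positive case from the FAQ answer: a blob: URL created by a document viewer gets a low score because no credential POST follows it, while the loader.example entry scores high on the loader fetch plus the res.php POST.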

Who is at risk?

Organizations in Finance, Manufacturing, Education, Government, Transport, and Telecommunications — especially those using Microsoft 365 or corporate online banking.

How can executives reduce the business impact?

Enforce MFA, preferably phishing-resistant methods (FIDO2/WebAuthn) that a harvested password alone cannot defeat; train staff to treat unexpected login prompts with suspicion; and integrate proactive threat intelligence that catches memory-resident attacks before they reach employees.

How does ANY.RUN specifically help against BlobPhish?

The interactive Sandbox detonates the attack in a real browser to reveal blob behavior; TI Lookup surfaces related samples instantly; and TI Feeds push live IOCs into your security tools for automated prevention.

The post BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

A researcher has disclosed the details of the AI attack method he has named ‘Comment and Control’.

The post Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments appeared first on SecurityWeek.

SecurityWeek – ​Read More