Almost one in three members of Generation Alpha dreams of becoming a blogger. Today’s influencers inspire kids to create content online even before they reach their teens. Therefore, it’s critical for adults to get involved — especially when it comes to very young bloggers. Exploring digital platforms together with your kids not only helps keep them safe, but also lays a solid foundation for their confident and comfortable growth as digital natives.
To help parents, Kaspersky experts have created the Digital Schoolbag: A Parent’s Guide for the School Year(available as a PDF). It’s a compilation of essential tips to help keep kids safe online. And today, we dive into how parents can help their aspiring young bloggers.
1. Be curious — not critical
If your kid says they want to be a blogger, the safest first step you should take is not to ignore or criticize them, but to discuss this new venture together. Ask them why they want to be a blogger, and what kind of content they plan to create. This approach accomplishes two important things. One, it shows your child that you take their interests seriously — which helps build trust. And two, it gives you a natural opportunity to bring up the topic of online safety.
To make these conversations easier and more engaging, start with age-appropriate resources. If your budding blogger is quite young, a great option is our Cybersecurity Alphabet — a free book that helps kids master the basics of digital hygiene in a simple, fun way.
2. Set up accounts together
Instead of just handing your child your phone and leaving them to figure things out themselves (come on Gen-X; it’s 2025:), take the time to set up their accounts with them — whether it’s for YouTube, TikTok, Instagram, or another platform. This is a great opportunity to help your child go through these key steps:
Choose appropriate privacy settings — for example, to control who can view their posts, comment on them, and send personal messages.
This both reduces the risk of your kid’s account being hacked in the future, and teaches them good digital hygiene habits.
3. What’s better left unposted
If left to their own devices, child bloggers would probably post most anything online: where they are, what they’re up to, and who they’re spending time with. Enter the parent/guardian: teach your kid how to tell what’s safe to post and what’s potentially dangerous. Explain that they should never share their home address, school name, daily schedule, vacation plans, or places they visit regularly. These details can inadvertently make them easier to track — especially when combined with photos, geotags, and metadata.
4. Look up your kid’s usernames in search engines
Once your child begins posting under a username, it’s important to monitor their visibility and searchability. A simple way to do this is to regularly search for their username on Google or other search engines. Just type their social media handle into the search bar and see what comes up. Are there any personal photos, geolocation tags, or comments that reveal too much? Has anyone cloned their content or tried to impersonate them? Be sure to check for any of these issues.
5. Warn your child about shady online offers
When young bloggers start catching some buzz, they might receive messages from brands or accounts offering free products, sponsorships, or other collaboration opportunities. For a child, this might feel like a dream come true, but in reality, these messages are often from scammers.
Teach your child to treat every unexpected message with caution. Fake collaboration offers often arrive in email or direct messages, and may contain links to phishing sites designed to steal login credentials, personal information, or even payment-card details. Another common scam involves fraudsters promising to send a product after the blogger pays a “shipping fee” for a package that never arrives. We’ve covered these kinds of delivery scams in detail on our Kaspersky Daily blog.
A great option for young bloggers is to have their own manager or agent. Sounds very business-y and fancy, but actually a parent/guardian is the best person for this role. This way, you can work together to negotiate with brands and respond to offers from strangers. Discuss which brands are worth collaborating with, and explain why some offers may not be as harmless as they seem.
6. Talk to your kids about stalkers
As your kid gains more followers, they may attract not only genuine admirers but also individuals with malicious intent who claim to be “fans”. Unfortunately, doxing and stalking are real threats, especially for young, open, and trusting bloggers who share every detail of their lives.
Explain to your child that not everyone who seems nice is actually a good person. These “fans” often act like friends — praising content, offering help, or even pretending to share the same interests. Over time, however, they might start asking for personal details, more photos, or try to move the conversation to less secure platforms.
Teach your child to recognize these red flags:
A stranger who messages them frequently, or who shows undue interest in them personally.
Someone who insists on secrecy and asks them not to tell their parents.
A person who tries to guilt-trip, threaten, or pressure them to share personal information.
Most importantly, whether your child becomes a successful blogger or not, you need to ensure they trust you, their parents/guardians, more than any strangers they meet online.
How to better understand your child blogger
Wanting to be a blogger is a form of self-expression and creativity for both children and adults alike. Your role as a parent is simple but crucial: support their aspirations, talk to them, and teach them the basics of digital safety.
Find out what your child is into. A quick way to prepare for this conversation is to read our blog post, What kids are doing online, to get a basic idea of popular memes, games, and music.
Install [placeholder Safe Kids] on your devices. Our app helps parents stay involved in their kids’ digital lives without being intrusive.
Study our Cybersecurity Alphabet with your child. It explains complex concepts — like Keyloggers, NFTs, and oversharing — in simple terms.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-18 10:06:432025-08-18 10:06:43A parent’s guide to keeping a child blogger safe | Kaspersky official blog
Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
UAT-7237 aims to establish long-term persistence in high-value victim environments.
Talos also identified a customized Shellcode loader in UAT-7237’s arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.
Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237’s tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”
Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237’s tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.
While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237’s tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:
UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237’s deployment of web shells is highly selective and only on a chosen few compromised endpoints.
While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.
In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.
Initial access and reconnaissance
UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.
Reconnaissance consists of identifying remote hosts, both internal and on the internet:
While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:
Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:
cmd[.]exe /c cd /d "<remote_smb_share>"&net use
cmd[.]exe /c cd /d "<remote_smb_share>"&dir \<remote_smb_share>c$
cmd[.]exe /c cd /d "C:"&net group "domain admins" /domain
cmd[.]exe /c cd /d "C:"&net group "domain controllers" /domain
In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:
cmd[.]exe /c cd /d "C:"&C:ProgramDatadynatracesharpwmi[.]exe <IP> <user> <pass> cmd whoami
cmd.exe /c cd /d "C:DotNet"&WMIcmd.exe
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:1.txt
SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.
UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:
After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237’s custom-built tools as “SoundBill.” SoundBill is built based on “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.
It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.
SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:
Or it may be a mechanism to execute arbitrary commands on the infected system, such as:
c:tempvtsb.exe -c whoami
The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1[.]on[.]aws
JuicyPotato
UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:
During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:
UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:
mmc comexp.msc
UAT-7237’s pursuit of credentials
UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:
Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:
reg query "HKCUSoftwareORLWinVNC3Password"
dir c:*vnc.ini /s /b
Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:
“Project1[.]exe” above is the ssp_dump_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS) process, which then dumps the LSASS process into a BIN file.
Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:
The process dump obtained is then staged into an archive for exfiltration:
cmd.exe /c "c:program files7-Zip7z.exe" a C:hotfix1.zip C:hotfix1.bin
Proliferating through the enterprise
UAT-7237 uses the following network scanning tooling:
FScan: A network scanner tool used to scan for open ports against IP subnets:
fileless -h 10.30.111.1/24 -nopoc -t 20
SMB scans: To identify SMB services information on specific endpoints:
smb_version 10.30.111.11 445
As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:
cmd[.]exe /c netstat -ano |findstr 3389
cmd[.]exe /c nslookup <victim’s_subdomains>
cmd[.]exe /c net use <IP>ipc$ <pass> /user:<userid>
cmd[.]exe /c dir \<remote_system>c$
cmd[.]exe /c net use \<remote_system>ipc$ /del
SoftEther VPN
The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.
Talos’ analysis of the SoftEther artifacts led to the following observations of UAT-7237’s TTPs:
The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort rules cover this threat:
Snort v2 : 64908 – 64916
Snort v3: 301209 – 301212
IOCs
IOCs for this research can also be found at our GitHub repository here.
You get a delivery notification — or simply find a package sitting by your front door. But you didn’t order anything! Of course, everyone loves a free gift, but in this case you should be wary. There are several scams that start with the delivery of a package to your home.
Of course, check with friends and family first — someone might have sent you something without mentioning it. But if nobody steps forward, there’s a good chance you’re facing one of the schemes described below.
Spoiler alert: under no circumstances scan QR codes or call phone numbers printed on the packaging.
Polishing orders
The term brushing scam comes from Chinese e-commerce slang. 刷单 literally means “to polish orders” — effectively referring to a kind of sales-pumping scam. Originally, this “brushing” was relatively harmless: you received a product you didn’t order, and the seller posted a glowing review in your name to boost their sales ranking. To pull this off, unscrupulous sellers buy leaked databases of personal data, then register new marketplace accounts using victims’ names and mailing addresses — but their (the sellers’) own email address and payment method. As such, the victims don’t suffer direct financial loss.
Lucky you; but first — your review
Over time, such relatively gentle “brushing” has evolved into a much rougher sweep up. These days, scammers try to rip off package recipients by luring them to a malicious website. To do this, they include a card or sticker with a QR code with the delivery. The story accompanying the code varies, with common examples including the following:
“You’ve received a gift! Scan the code to find out who sent it”
“Leave a review of our product and get a $100 gift card!”
“Confirm receipt of your free delivered item!”
If the victim scans the QR code to find out who the sender is or claim another gift, the rest follows the classic pattern of quishing (QR phishing): either coaxing the victim into entering their payment data (for example, to “activate” the gift card) or codes from banking/government apps, or urging them to install an app for “confirmation” or “activation” — which, of course, is malware.
What if there’s no product at all?
The above schemes only work when an online store can afford to “give away” products as a promotional tactic. But can scammers still get your data without sending any goods? They can — and do.
Instead of a package, the victim finds a professionally printed postcard at their door: “Unfortunately, our courier service couldn’t deliver your parcel because you weren’t home. A gift valued at $200 can only be handed over in person — please contact us to arrange redelivery.” The postcard includes a QR code, a website address, and sometimes even a phone number to “reschedule” delivery.
A phishing postcard supposedly from Royal Mail, complete with a website address and QR code, looks highly convincing — the scammers paid great attention to detail. Source
If you call the number or visit the malicious site linked in the QR code, you’ll be tricked into giving payment details, passwords, or one-time codes through one of the common “delivery” scam scenarios:
“Choose a delivery time right away so the item won’t be returned to sender”
“Pay a $2 fee for redelivery”. The goal here is to get your payment data and then charge much larger amounts.
“Pay the customs duty”. You’re told a valuable parcel has been sent to you, but you must pay the duty yourself. And these amounts can be quite significant (depending on the supposed item’s value). In some countries, a “courier” may even come in person to collect the fee in cash.
All these schemes can lead to the loss of personal and financial information — but sometimes they escalate into phone fraud with much larger losses. For example, after you pay a fake delivery fee, scammers may call you and claim the parcel cannot be delivered because it contains drugs. This is followed by the psychological pressure of calls from a “police officer”, and attempts to extort a large sum of money to “protect” you from criminal charges.
Cash on delivery
Another popular scam involves products with payment upon delivery. Sometimes scammers advertise a product in advance and send it to the victim with their consent — but there’s also a version where a parcel arrives out of the blue. One day, a courier turns up at your door with a package in your name. Usually, an attractive product name is prominently displayed on the box — for example, a high-end smartphone. But… you have to pay for it. The price is 2–3 times lower than the market rate. The scammers count on greed and urgency (“the courier’s in a hurry, let’s get this done quickly!”) to make the victim pay without checking the item properly. The courier rushes off, and the victim opens the box to find either a cheap knockoff of the claimed product — or just plain garbage.
If the target refuses to pay for the mystery item, the scammers may have a “Plan B” ready — tricking them into giving a one-time verification code for a marketplace or bank, under the pretext of “confirming the order cancellation”.
Targeted attacks
Sometimes, physical delivery scams target specific victims. For example, criminals have attempted to steal cryptocurrency by sending Ledger hardware wallet owners packages claiming to be a free warranty replacement for defective devices. Inside the package was a “new” crypto wallet — actually a USB stick loaded with malware designed to steal the wallet’s seed phrase. Mailing USB sticks has also been used by the FIN7 ransomware gang as part of targeted ransomware attacks on selected organizations.
The hidden threat
Brushing and quishing scams have an unpleasant root cause. If you’re receiving these packages, it means your address and other contact information have been leaked in databases and are circulating on underground forums. These data sets are sold repeatedly, so you may well be targeted by other types of scam too. Be prepared: enable two-factor authentication everywhere, expect scam calls, install to protect yourself from such spam calls, check your bank statements frequently, and be sure to install reliable protection on all your devices.
What to do if you receive an unexpected package?
Carefully examine the packaging, labels, and any accompanying documents.
Take a photo of the package just in case, but never follow any links from QR codes or printed text. Keep the packaging in case there’s an investigation later.
Never call the phone numbers or, again, visit the links printed on the parcel.
Never pay any “delivery fees” or “customs duties”, and never provide your payment details.
Never connect unexpectedly received digital storage devices to your computer or smartphone.
If the package was delivered by a major, well-known courier service (Amazon, eBay, DHL Express, UPS, FedEx, AliExpress, national postal services, etc.), go to the company’s official website, find their contact numbers, online tracking service, or live chat, and check the shipment status and sender information. If the parcel has a tracking number, enter it manually — don’t scan any QR codes on the label.
Report the suspicious package to the courier service and the police — even if no money was stolen from you.
Read more on scams involving QR codes, marketplaces, and delivery services:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-15 10:06:422025-08-15 10:06:42I never ordered this: fraud with delivered packages and letters — brushing and quishing | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.
I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.
Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts:
Joe Marshall’s live incident-response exercise – Joe ran Backdoors & Breaches, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you’re curious, you can find the cards online here. With a websharing tool, you can stream it to any size audience and have people play along virtually. You can also read more about Joe’s experience developing the game, alongside a video walkthrough, in his new blog post.
Amy Chang’s AI guardrail bypass research – Amy’s booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called “decomposition.” Her work drew attention from media outlets including TechRepublic, SecurityWeek and WebProNews.
Philippe Laulheret’s ReVault presentation – Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now read the full technical deep dive covering the research process and exploit breakdown.
We’ll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).
The one big thing
Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework Talos calls “PS1Bot,” which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025.
Why do I care?
Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk — especially if you use cryptocurrency wallets or save passwords in browsers.
So now what?
Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos’ blog also provides Snort SIDs and ClamAV detections.
Top security headlines of the week
Russian government hackers said to be behind US federal court filing system hack The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (TechCrunch)
North Korean Kimsuky hackers exposed in alleged data breach The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group’s data and leaked it publicly online. (Bleeping Computer)
Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t. A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (DataBreaches)
Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs The Netherlands’ National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach “critical organizations” in the country. (Bleeping Computer)
Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (SecurityWeek)
Can’t get enough Talos?
Microsoft Patch Tuesday for August 2025 Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
ReVault! When your SoC turns against you… deep dive edition Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault.” 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-14 18:06:382025-08-14 18:06:38What happened in Vegas (that you actually want to know about)
Editor’s note: The current article was originally published on March 11, 2024, and updated on August 14, 2025.
Security Operations Centers (SOCs) face an overwhelming volume of threat alerts, making it difficult to separate real threats from false positives without heavy resource use.
For teams already working with, or planning to adopt Filigran’s OpenCTI, ANY.RUN now offers powerful interoperability that bring real-time malware analysis and fresh threat intelligence directly into your existing workflows. This helps SOCs boost efficiency, cut response times, and act with confidence, all without replacing current tools.
Build Faster Response in OpenCTI with ANY.RUN
ANY.RUN connectors inside OpenCTI
ANY.RUN now offers dedicated OpenCTI connectors for its main products, allowing SOC teams to use them with their existing security stack seamlessly. This means there is no need to change existing processes and tools, making interoperability simple for those already using OpenCTI.
Available for ANY.RUN’s Enterprise plan users, it is designed to improve SOC metrics for incident detection and response, streamline routine tasks, reduce response times, and provide deep analytics.
Interactive Sandbox: Automate analysis of suspicious files and URLs to quickly understand their threat level, TTPs, and collect IOCs.
This connectors ensure that accurate threat info is accessible in just a few clicks, significantly boosting SOC effectiveness.
Detailed documentation on how to set up the OpenCTI connector
Automate Threat Analysis for Early Detection with Interactive Sandbox
ANY.RUN’s Interactive Sandbox is a cloud-based service that provides SOC teams with instant access to fully interactive Windows, Linux, and Android virtual machines for analyzing suspicious files and URLs.
Malicious URL with its related IOCs detected by ANY.RUN sandbox
With the OpenCTI connector, SOC teams can:
Send files or URLs directly from OpenCTI for instant analysis in ANY.RUN’s Interactive Sandbox.
Automate the execution of multi-stage attacks to reach the final stage of an attack.
Enrich observables in OpenCTI with indicators obtained from the sandbox analysis.
The connector leverages the Automated Interactivity feature. It allows for automated execution of user actions like archive extraction, CAPTCHA solution, and payload launching to trigger each stage of an attack and ensure complete detection of the most evasive threats.
Integrate ANY.RUN’s Interactive Sandbox in your SOC Automate threat analysis, cut MTTD, & boost detection rate
The sandbox logs and marks malicious network traffic, processes, registry, and file modifications, providing immediate visibility into threat behavior.
Here’s a typical scenario of how you can use the connector in your SOC:
Analysis: Analysts can send files or URLs for automated sandbox analysis directly from OpenCTI.
Decision Making: Results from the sandbox analysis are used to assess threats and make informed decisions.
Response and Escalation: Based on the results, analysts can isolate threats, block malicious activities, or escalate incidents as needed.
Benefits the Interactive Sandbox in OpenCTI
Reduced manual effort with analysis automation.
Higher detection rate with deep insights into threat behavior.
Shorter MTTR with fast identification of malware and detailed reports for informed mitigation.
Enrich Incidents with Live Attack Data from 15K Organizations via Threat Intelligence Lookup
Malicious URL with its related relationships detected by ANY.RUN TI Lookup inside OpenCTI
ANY.RUN’s Threat Intelligence Lookup provides a searchable database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Action (IOAs). This data is extracted from live sandbox analyses of active malware and phishing attacks across 15,000 organizations, ensuring the indicators are fresh and available quickly after an attack.
Enrich IOCs with threat context in TI Lookup Act faster. Slash MTTR. Stop breaches early
Here’s a typical scenario of how you can use the connector in your SOC:
Incident Enrichment: Analysts use TI Lookup to enrich incidents with detailed threat intelligence directly from OpenCTI.
Threat Assessment: Analysts rapidly assess threats using up-to-date data and behavioral context.
Response and Process Improvement: Enriched data aids in creating effective rules, updating playbooks, and improving detection models.
benefits of TI Lookup in OpenCTI
Automatic incident enrichment by pulling detailed threat intelligence for various indicator types.
Adding behavioral threat context to indicators, providing a deeper understanding.
Speeding up threat assessment using high-quality, up-to-date data.
Expand Threat Coverage and Proactive Defense with Threat Intelligence Feeds
Indicators gathered by ANY.RUN’s TI Feeds inside OpenCTI
Threat Intelligence Feeds help MSSPs and SOCs fortify their security with filtered, high-fidelity indicators of compromise (IPs, domains, URLs) enriched with context from ANY.RUN’s Interactive Sandbox. Sourced from real-time sandbox investigations of active attacks across 15,000 organizations, ANY.RUN’s feeds are updated every two hours, allowing you to track threats as they emerge, develop, and spread to take critical security actions early.
Boost detection and expand threat coverage in your SOC with TI Feeds from ANY.RUN in TI Lookup
Here’s a typical scenario of how you can use the connector in your SOC:
Expanded Threat Monitoring: Clients connect TI Feeds to OpenCTI to use real-time threat data for analyzing alerts and incidents.
Detection and Response: Enhanced detection quality allows for better threat identification and response.
Proactive Defense: Data from TI Feeds supports the creation of new rules, training models, and updating playbooks and dashboards.
Benefits of TI Feeds in OpenCTI
Proactive threat management by providing current and fresh data from active attacks.
Improved quality of detection in various security systems.
Enhanced ability to identify threats at earlier stages.
How OpenCTI Connectors Can Help Your Business
The interoperability of ANY.RUN with OpenCTI provides significant user and business value, leading to measurable performance gains across the SOC.
Reduced costs and time savings by eliminating the need for custom development and allowing analysts to focus on critical threats.
Increased SOC efficiency through streamlined triage, investigation, and escalation for Tier 1 and Tier 2 analysts.
Automation of routine tasks, such as manually copying artifacts or launching analyses, which reduces analyst burnout.
Reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), enhancing overall SOC metrics.
Enhanced decision-making and process improvement by providing detailed reports and enriched data for creating effective rules, updating response playbooks, and training detection models.
Proactive threat management and early threat detection by uncovering stealthy or multi-stage attacks that traditional tools might miss.
Stronger ROI from existing tools by extending the capabilities of OpenCTI with behavioral analysis and contextual enrichment without additional infrastructure.
About ANY.RUN
Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-14 12:06:412025-08-14 12:06:41ANY.RUN & OpenCTI: Transform SOC for Maximum Performance
Artificial intelligence is already trying its hand as a travel agent: just ask a chatbot about your chosen destination, and in a couple of seconds you’ll get a full sightseeing itinerary, a list of hotels with good reviews, and even visa tips. And with the help of an AI agent, you can even buy tickets without having to trawl through endless airline websites and flight aggregators. Sounds like a traveler’s dream, but there are downsides. In this post, we look at what to pay attention to when planning a vacation with ChatGPT or another AI assistant.
What could go wrong?
A Kaspersky study reveals that just 28% of AI users trust artificial intelligence to plan their vacations, (with 96% of that 28% being satisfied with such AI assistance). Note that chatbots possess no knowledge of their own, but learn from input texts and data, and then formulate the most fitting answer to a question. And AI isn’t immune to serving up inaccurate, outdated, or downright false information. Sure, some chatbots already have an internet search function built in, but infallible fact-checking is still a long way off.
In March 2025, Mark Pollard of Australia was due to fly to Chile to give a lecture. But he was turned away at the check-in desk for not having a visa. Mark had duly consulted ChatGPT about the visa requirements of various Latin American countries, and had blindly trusted its response. As of 2019, however, Australian citizens need a visa to visit Chile, but this information was apparently unknown to the neural network. In another case, AI advised a journalist to visit museums that had been wiped out by a forest fire.
Sometimes, even professionals on duty are led astray by bad AI. In 2024, staff at Manila airport tried to stop a passenger boarding a UK-bound flight: she was a UK citizen, but only had her US passport on her at the time. As it turns out, that isn’t grounds to deny boarding a flight to England, but the staff had been misinformed by Google AI Overviews. It took a call to the embassy to resolve the situation.
If you don’t want AI to send you to a closed restaurant or a non-existent landmark, then check the information in real time. Just be aware — and beware — that connecting to public Wi-Fi is always a gamble, with the security of your devices and data at stake. When abroad, it’s much safer to use mobile internet. There’s no need to buy a physical SIM card — just use an eSIM.
Why you shouldn’t share personal data with AI
Most popular Ais, like ChatGPT and Gemini, process and store all user requests. Which means that in the event of a bug or major leak, outsiders could find out too much about you: travel dates, schedule, budget, and traveling companions. So only share with neural networks data that you wouldn’t mind the whole world knowing.
Many companies these days offer AI agents — digital assistants that can autonomously perform tasks on your behalf. For example, you can ask an AI agent to book a tour, and email your colleagues about your upcoming vacation (please don’t give AI agents access to work chats and email!). Once instructed, the AI agent either launches a virtual machine or captures your computer screen and connects to third-party services.
The problem is that you risk giving the neural network not only your personal data, but also the freedom to perform unwanted actions on websites. Recall that AI agents are vulnerable to prompt injection attacks — hidden commands that attackers plant on phishing pages and hacked websites. Spotting these on your own is near impossible: prompt injections are usually embedded in a website’s metadata or visual elements.
For now at least, the safest way to plan vacation travel is to do your own research and buy everything you need yourself — using AI only as an auxiliary tool. And to minimize the risks associated with prompt injections, use a reliable security solution that blocks all attempts to infect your device with malware.
Always double-check information supplied by AI — a manual search is always best.
Be careful with AI agents: they’re prone to prompt injections, and may leak your data to attackers — or worse.
Bear in mind that public Wi-Fi in airports, hotels, and cafes isn’t secure: traffic isn’t protected, and attackers can snoop on your data. When on the road, it’s better to use an eSIM for mobile internet.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-14 10:06:562025-08-14 10:06:56How AI can help plan your vacation | Kaspersky official blog
As we highlighted in our article on building threat resilience in enterprises, one of the key challenges that stand before CISOs is ensuring proactive security. Reacting to incidents is no longer enough; you need to anticipate upcoming threats.
To achieve this, your team needs powerful solutions that meet your criteria and deliver fast results. Explore our step-by-step guide on integrating threat intelligence into your workflow with ANY.RUN’s TI Lookup and TI Feeds, solutions trusted by 15,000+ organizations across diverse industries.
Find a Source for Intel That Fits Your SOC
TI Feeds are filtered to remove false positives and updated every two hours, ensuring fresh, extensive, and trustworthy data
Threat intelligence is a crucial component of modern SOC operations. Implementing it increases threat detection rates, speeds up incident response, and strengthens overall defense against emerging threats.
When choosing a threat intel solution, prioritize reliability of data, rich context that comes with indicators, and constant updates that will keep you on top of things.
Being an enterprise-grade service, Threat Intelligence Feedsmeets these standards. It delivers fast, fresh intelligence gained from threat investigations by 15,000 SOC teams. Each indicator, be that IP, domain, or URL, is linked to ANY.RUN’s Interactive Sandbox analysis of malware, enabling you to observe its impact, activities, and overall context in one click.
Not only SOC teams, but also MSSPs and DFIR specialists can use TI Feeds to improve their workflow
Enrich your SIEM, TIP, or XDR system with TI Feeds for:
Expanded Coverage: ANY.RUN’s exclusive IOCs come from Memory Dumps, Suricata IDS, in-browser data, and internal threat categorization systems, increasing the chance of detection of the most evasive threats.
Reduced Workload: The indicators are pre-processed to avoid false positives and ready to be used for malware analysis or incident investigation.
Informed Response: Rich metadata provided for IOCs gives you the context for in-depth threat investigations and faster response.
Create compound queries to retrieve data you need in ANY.RUN’s TI Lookup
Steady monitoring and expanded threat coverage provided by solutions like TI Feeds are important for maintaining a robust defense system. The next challenge is finding a way to browse, identify, and enrich indicators quickly.
In other words, you need targeted, fast access to threat intelligence, for both proactive threat hunting and swift incident response. That’s just what Threat Intelligence Lookup provides. For analysts, it’s like a fishing rod with which they can catch exactly what they’re looking for in the sea of extensive data on threats: for example, quick verdicts on suspicious IPs or additional info on malicious indicators.
Equipping your team with TI Lookup means that your SOC will reach:
Faster Triage and Data-Fueled Response: Check any indicator in seconds, identify malicious activity, and enriched it with more info.
Higher Expertise Levels: Your team members can explore actual attacks, see how they unfold and what TTPs are in use, gaining insights into modern malware.
Improved Proactive Defense: Use intel to develop new develop SIEM, IDS/IPS, or EDR rules for acting in advance.
Even the free version of TI Lookup makes it possible to achieve these results.
Enrich IOCs with live attack data from threat analyses across 15K SOCs
To conduct private analyses, gain three times more info on threats, and integrate TI Lookup into your system, choose Premium plan and:
Hunt Threats with Precision: Create and explore custom YARA rules in ANY.RUN’s database to detect malware patterns.
Reduce Risks of Breaches: Fast and accurate access to intelligence is a game-changer for alert triage and incident response, minimizing the likelihood of successful attacks.
Track Malware Trends: See Threat Intelligence Reports written by expert analysts and stay informed on latest industry-wide attacks.
As result, every stage of SOC operations will become sharper, faster, and more strategic.
Make Threat Intelligence a Part of Your Infrastructure
ANY.RUN app for IBM QRadar SOAR
For teams, it’s more effective to use flexible services available for integration, rather than standalone solutions. That’s how you create a coordinated, resource-efficient defense system.
ANY.RUN offers wide opportunities for integration, including API and SDK, as well compatibility with a majority of vendors, such as IBM QRadar, ThreatConnect, OpenCTI.
Automate Threat Monitoring: Connecting TI solutions to your SIEM, TIP, or SOAR system results in accelerated, more efficient workflow.
Expand Threat Coverage: For centralized protection, TI Feeds offer continuously updated stream of fresh intel available in STIX/TAXII and MISP.
Improved Detection Rate: Turn to TI Lookup to increase your detection capabilities, correlate indicators from over 15,000 global attacks for early detection, and enrich your threat investigations.
No Alert Overload: Reduce workload of Tier 2 and 3 specialists, empowering Tier 1 analytics to make informed decisions based on actionable and reliable threat intelligence.
Use Cases: Applying This Strategy In Real Life
Implementing threat intelligence into your security operations doesn’t mean increasing workload. It’s actually the opposite. Here are three real-world use cases explaining how quality TI solutions can address common SOC challenges.
Improving Speed and Confidence for Incident Response
The right solution can make a huge impact for your SOC team. It enables analysts to handle incidents faster and with more confidence, boosting overall efficiency.
For example, analysts can use TI Lookup for a quick check of an indicator. Enter this simple query like:
Overview of the query results in TI Lookup, indicating malicious activity
And within seconds, you’ll know that that this domain is malicious. Next step doesn’t take much either: click one of the linked analyses and you’ll see how exactly malware behaves and which processes it affects.
You can see analyses of samples that match your TI Lookup query within ANY.RUN Sandbox
And finally, block this threat—and the incident is solved. That’s how you make informed decisions effortlessly and quickly: you just need to know where to find data.
Increase Detection Rate
Another use case for TI Lookup is reviewing alert backlog data, where evasive threats might be hidden. Instead of spending time on manual research, you quickly check any suspicious fragment, such as a command line:
And you’ll find out whether it was a false alarm. In this case, it wasn’t. The command line is actually related to steganography attacks spread by AsyncRAT:
TI Lookup returns over 400 analyses of malicious samples associated with this command line
From here, go to sandbox analysis sessions to see how malware detonates, and collect data to take further informed action. As a result, an attack that could’ve remained in your systems for months is prevented.
Ensure Proactive Defense to Prevent Breaches
A key aspect of proactive defense is staying alert and continuously monitoring the threat landscape. One you know what’s going on in your industry or other sectors, you should keep an eye on malware in question, track how it evolves and what new data on it appears.
For that, use Query Updates feature in TI Lookup. Click the bell icon when doing a search to subscribe to your query. For example, if you need to access domains related to Lumma specifically, use this line:
Overview of TI Lookup results for Lumma-associated domains
Activate Query Updates:
Click Subscribe to stay alert for new results that match your query
And from now on, you’ll be notified on all new instances for proactive blocking of evolving threats.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.
Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-13 12:06:462025-08-13 12:06:46Bridging the Threat Intelligence Gap in Your SOC: A Guide for Security Leaders
Remember the early days of the internet and 419 (aka “Nigerian prince”) scams promising mountains of gold just for you? That era is thankfully over, but today a new curse is all the rage: messenger phishing. Due to its vast user base, the openness of its API, and support for crypto payments, one particular messenger — Telegram — has become a very popular choice for phishing cybercriminals. So what new tricks do Telegram scammers employ, and how can you spot them in time?
Telegram bots in the service of cybercriminals
Telegram is home to a huge array of bot-related scams. And sometimes attackers offer their bots to other bad guys to create new ones. If you’re feeling a bit overwhelmed, don’t worry: our Securelist blogpost takes a detailed look at this phenomenon — known as phishing-as-a-service.
Attackers often use Telegram bots instead of websites. It’s much easier to lure potential victims this way; it’s far harder to create and maintain a full-fledged phishing site and get victims to swallow the bait. With bots, everything’s simpler since users don’t need to leave Telegram, which many mistakenly think is a safe environment by default.
So what does it look like in practice? One example is a new scam involving cryptocurrency investments: “We’re handing out a new token to everyone — just enter the bot and go through KYC verification”. Of course, “KYC verification” for scammers doesn’t mean a passport photo or a video call to confirm your identity, but depositing a sum of cryptocurrency. And, yes, this crypto goes straight into the attackers’ account, while you get zilch.
Telegram bot offers fake KYC verification
Sure, Telegram bots aren’t limited to extracting crypto. For instance, we uncovered a scam inviting victims to get paid for watching short videos. Where? In a Telegram bot, of course.
Victims “earn” two euros per video view
Telegram bots are highly intrusive — if you don’t block them, they’ll keep knocking on your door. Most phishing sites don’t do this; user interaction with them plays out differently: visit the site, browse, leave. But chat with a Telegram bot just once, and it’ll bombard you with suspicious links or pester you for access to manage your channels and groups. If you grow tired of an intrusive bot, just block it: open a dialog with the bot, tap its name, then select Block. That done, the pesky bot will message you no more.
In another nasty bot-related scam, attackers persuade victims to start bot chats, then share their data or send money. Once the victim is hooked, the scammers rename the bot Telegram Wallet or Support Bot (mimicking supposedly official channels), transfer ownership of the bot to the victim’s account without their knowledge, and report it to Telegram support. Thinking it was the victim who created the bot, Telegram support deletes not only the bot, but also the victim’s account. The scammers do this to cover their tracks and muddy the waters for a possible police investigation.
Fake gifts and account theft
Attackers employ a variety of tricks to gain access to victims’ accounts. One of the most common scams is a “gift” subscription to Telegram Premium. Check out our post You’ve been sent a “gift” — a Telegram Premium subscription for details. In brief: scammers message victims from the hacked account of a friend, prompting them to go to a phishing site to “finalize the subscription”. There’s no subscription, of course. Instead, victims have their own accounts stolen.
Another new vector of fraud involves Telegraph, Telegram’s tool for posting longer texts. Anyone can publish content there, and no prior registration is required, which is what attackers exploit since it’s easy to redirect users to phishing pages. The result, as a rule, is one more hijacked account.
The user is lured into following the link to view the full version of the document
What else have scammers and phishers come up with? Threat actors are actively using AI to create deepfakes, steal biometric data, hide phishing attacks under temporary Blob URLs, and even spoof Google Translate subdomains. Read about these and other trends in our Securelist report.
How to guard against Telegram scams and phishing
The best tip is to apply critical thinking at all times. But even the smartest of us can sometimes act rashly, so try to read up on scams as much as possible so that your muscle memory automatically triggers the right response.
Don’t follow links sent by people you barely know. Don’t follow such links even if they promise a juicy gift, and never enter personal data on sites they point to.
Configure privacy and security in your Telegram account. See our in-depth how-to on two-factor authentication and secret chats.
Don’t share one-time codes or passwords with anyone. And don’t enter them anywhere except in the official Telegram app. Scammers know how to trick users into revealing their OTPs.
Use reliable protection that knows phishing when it sees it and warns you about it.
Block intrusive bots. As we said, they’ll keep on knocking, so if after one chat with a Telegram bot you’re sure that’s enough, feel free to block it.
Set up automatic termination of all inactive Telegram sessions every week. In Telegram, go to Settings, then select Devices → Automatically terminate sessions → If inactive for → 1 week.
If your Telegram account is already hacked, read our post What to do if your Telegram account is hacked. Time is of the essence — it’s easier to restore access in the first 24 hours after an attack. And subscribe to our Telegram channel for the inside track on new cybersecurity trends.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-13 12:06:452025-08-13 12:06:45Telegram scams in 2025 | Kaspersky official blog
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
In this month’s release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 “critical” entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.
CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type (‘type confusion’) in Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-50177 is an RCE vulnerability in Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where use after free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in arapid sequence over HTTP to a MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.
CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network, with an attacker successfully exploiting this vulnerability gaining SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows server 2008, Windows Server 2012, Windows Server 2026, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025 with the attack complexity assessed as “low” and that exploitation as “less likely”.
CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53766 is a remote code execution vulnerability in GDI+, a graphics Windows subsystem providing a set of features for rendering 2D graphics, images, and text, given a CVSS 3.1 base score of 9.8 where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8 where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. An attacker can use an uninitialized function pointer being called when decoding a JPEG image. This can be embedded in Office and 3rd party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-49707 is a spoofing vulnerability in Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allow an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VM. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-48807 is a remote code execution vulnerability in Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may result in an attacker executing code locally in a nested guest VM to escape their VM and gain admin privileges on the guest VM that is serving as the host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VM. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.
CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely:”
CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability,
CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-50168: Win32k Elevation of Privilege Vulnerability
CVE-2025-53132: Win32k Elevation of Privilege Vulnerability
CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability
CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234- 65237, 65240-65247.
The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-08-12 20:06:412025-08-12 20:06:41Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.
PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.
PS1Bot distribution campaigns have been extremely active since early 2025, with new samples being observed frequently throughout the year.
The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems.
Campaign Overview
Cisco Talos has been monitoring an ongoing malware campaign that has been active throughout 2025. The campaign appears to be leveraging malvertising to direct victims to a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”
This campaign has been extremely active, with new samples being observed continuously over the past several months. The cluster of malicious activity associated with this campaign also overlaps with prior reporting, including reporting on Skitnet. While Talos has not observed delivery of the Skitnet binary in any of the infection chains we analyzed, the PowerShell implementation described in that reporting appears to match the components delivered throughout the infection chain in this case as well. We have also observed significant overlap in the C2 infrastructure used in both cases. Likewise, we have observed code and indicator overlap with previously reported malvertising campaigns.
Delivery
The victim is initially delivered a compressed archive. The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns:
chapter 8 medicare benefit policy manual.zip
Counting Canadian Money Worksheets Pdf.zip.e49
zebra gx430t manual.zip.081
kosher food list pdf (1).zip.c9a
pambu panchangam 2024-25 pdf.zip.a7a
Prior reporting on social media further strengthens this assessment, where researchers have observed the malvertising campaigns leading to the compressed archives delivered in this campaign.
Inside of the compressed archive is a single file called “FULL DOCUMENT.js” that functions as a downloader, retrieving the next stage of the infection. In the cases analyzed, the JS file contained VBScript, which employed a variety of obfuscation methods throughout 2025. Below is an example of one of the more simplistic examples observed recently.
Figure 1. Deobfuscating the downloader script.
Stage 1 retrieval
When executed, the malware retrieves a JScript scriptlet from an attacker controlled server, the contents of which are then executed.
Figure 2. Example JScript scriptlet contents.
This script is responsible for performing the environmental setup needed for subsequent malware operations to function properly. This includes writing a PowerShell script to C:ProgramData (ntu.ps1 in this case) and executing the script contents written to the file created in the previous step and redacted for space in the previous screenshot. This PowerShell script obtains the serial number of the C: drive and uses it to construct a URL, which it uses to attempt to establish a connection to the command and control (C2) server to retrieve additional malicious content to execute. Any PowerShell content received is then passed to Invoke-Expression (IEX) and executed within the existing PowerShell process. This is repeated in a loop with Sleep() delays added between each iteration.
Figure 3. PowerShell module retrieval and C2 polling.
This allows the malware to continue to run, periodically attempting to poll the attacker’s C2 server to retrieve additional commands to execute within the PowerShell process running on the system. We have observed this technique used to deliver a variety of additional modules, each enabling the attacker to conduct additional operations on the system, obtain additional environmental information about systems under their control, and enable the theft of sensitive information such as credentials, session tokens and financial account details (cryptocurrency wallet data).
PowerShell modules
We have observed the delivery of the following types of PowerShell modules during and after the initial infection process. Each module is responsible for carrying out its respective task, and several rely on delivery of C# classes that are dynamically compiled to generate assembly DLLs and executed to assist with collection of survey information, keylogging, and screenshot capture.
Antivirus detection
Screen capture
Wallet grabber
Keylogger
Information collection
Persistence
In most of the modules analyzed, logging functionality has been built in to allow the attacker to monitor the installation and runtime status during and post-deployment. In most cases, these status updates are delivered to the C2 server in the form of URL parameters that are included as part of HTTP GET requests to the URL used to establish an initial C2 connection.
We assess with high confidence that additional modules likely exist and are deployable as desired by the adversary. The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed. While analyzing activity associated with PS1Bot throughout 2025, we have observed development activities occurring over time, indicating that this is a rapidly evolving threat.
Antivirus detection
This PowerShell module is delivered after initial C2 establishment and is responsible for obtaining and reporting the antivirus programs present on the infected system. This is accomplished by querying Windows Management Instrumentation (WMI) to obtain a list of installed antivirus products.
Figure 4. Antivirus detection logic.
The returned product list is then transmitted to the attacker via an HTTP GET request containing the results of the operation as URL parameters.
Figure 5. Status logging implementation.
The following is an example of the URL structure used to transmit the information to the C2 server:
Once this is completed, execution is passed back to the main PowerShell script and C2 beaconing continues until additional instructions are received. In several cases, we have observed the delivery of several distinct PowerShell scripts during the infection process. To facilitate delivery of new PowerShell scripts, we have observed that the attacker simply manipulates the response content associated with the C2 URL derived initially. Each time the infected system beacons to the C2 server, any delivered PowerShell is dynamically passed to IEX and executed.
Screen capture
Once antivirus detection has been performed, we have observed the delivery of additional PowerShell modules, one of which is used to capture screenshots on infected systems and transmit the resulting images to the C2 server. This is often performed for a variety of reasons, including to identify when systems may be in active use by victims versus unattended or to collect sensitive information that may be displayed on screen but not otherwise recorded for easy exfiltration.
In this case, the adversary is using PowerShell to dynamically compile and execute a C# assembly DLL at runtime.
Figure 6. Example use of Add-Type for C# compilation.
The resulting DLL is then used to capture the screenshot and create a Bitmap image (.BMP) inside of the %TEMP% directory. The image is later converted and stored as a JPEG at %APPDATA%Screenshot.jpg.
Figure 7. Screenshot generation logic.
The content stored within the image file is then Base64 encoded and the resulting data is then transmitted to C2. The image files in both %TEMP% and %APPDATA% are also deleted.
Figure 8. Example HTTP POST containing Base64 encoded screenshot image file.
Additionally, status logging messages are sent to inform the attacker of the module’s progress, an example of which is shown below.
Following successful collection of screenshots on infected systems, we have observed the delivery of an additional PowerShell module that the attacker refers to as the “grabber module” that is used to steal sensitive data from infected systems. It is designed to target the following types of data that are then exfiltrated to the C2 server:
Local browser storage (stored credentials, cookies, etc.)
Browser extension data for cryptocurrency-related extensions like wallets
Local application data for cryptocurrency wallet applications
Files containing passwords, sensitive strings or wallet seed phrases
The module begins by checking the values of variables that were declared in earlier stages of the infection process. If the script is not being executed within the context of the PowerShell process established earlier, it will fail and terminate execution.
Next, it begins transmitting status logging messages to the C2 server via HTTP GET requests to inform the attacker that the grabber module is running and to provide basic runtime information. Log messages are periodically transmitted during the execution of this module to provide ongoing status updates, error alerting and other relevant information throughout the execution process.
The malware first checks for the existence of various installed applications of interest, including browsers, browser extensions and cryptocurrency wallet applications. If found, the application data is copied to %TEMP% for staging.
The malware specifically checks for the existence of application data associated with the following web browsers:
Google Chrome
Chromium
Kometa
Microsoft Edge
7Star
Maxthon
Opera
Atom
Mustang
Opera GFX
AVG Secure Browser
Netbox Browser
Brave
Avast Secure Browser
Orbitum
Vivaldi
CCleaner Browser
QQ Browser
Yandex
Chedot
SalamWeb
Slimjet
Chrome Beta
Sidekick
Epic Privacy Browser
Chrome Canary
Sleipnir
Comodo Dragon
Citrio
Sputnik
CentBrowser
CoolNovo
Superbird
Naver Whale
Coowon
Swing Browser
SRWare Iron
CryptoTab Browser
Tempest
Blisk
Elements Browser
UC Browser
Torch
Iridium
Ulaa
Coc Coc
Kinza
UR Browser
Amigo
Wavebo
Viasat Browser
In addition to the previously listed browsers, the information stealer also checks for the installation of the following Chromium extensions, most of which are associated with cryptocurrency wallets and multi-factor authentication (MFA) authenticators:
MetaMask
Trezor
wallet-guard-protect-your
MetaMask-edge
Ledger
subwallet-polkadot-wallet
MetaMask-Opera
Mycelium
argent-x-starknet-wallet
Trust-Wallet
TrustWallet
bitget-wallet-formerly-bi
Atomic-Wallet
Ellipal
core-crypto-wallet-nft-ex
Binance
Dapper
braavos-starknet-wallet
Phantom
BitKeep
Kepler
Coinbase
Argent
martian-aptos-sui-wallet
Ronin
Blockchain Wallet
xverse-wallet
Exodus
cryptocom-wallet-extension
gate-wallet
Coin98
Zerion
sender-wallet
KardiaChain
Aave
desig-wallet
TerraStation
Curve
fewcha-move-wallet
Wombat
SushiSwap
kepler-edge
Harmoney
Uniswap
okx-wallet
Nami
1inch
unisat-wallet
MartianAptos
petra-aptos-wallet
xdefi-wallet
Braavos
manta-wallet
rose-wallet
XDEFI
TON
Authenticator
Yoroi
Tron
If discovered, associated extension data is staged using a process similar to that described earlier for web browser application data. The information stealer also attempts to locate locally installed cryptocurrency wallet applications and MFA applications, including the following:
Authy Desktop
Atomic
Armory
Exodus
Electrum
Bytecoin
Coinomi
Daedalus
Ethereum
Bitcoin Core
Ledger Live
Guarda
Binance
Zcash
TrustWallet
One interesting piece of functionality included with the information stealer is a scanner that is designed to identify and exfiltrate files containing sensitive information. The script contains a large wordlist of English words. We have also observed variants of the grabber module that contain wordlists targeting other languages, such as Czech. Additionally, we have observed versions that contain multiple wordlists targeting different cryptocurrency wallet seed phrase combinations.
Figure 9. Wallet seed phrase wordlist.
This wordlist is designed to be used to identify files that may contain cryptocurrency wallet seed phrases, which can be used to regain access to wallets in the case that the primary authentication method is unavailable. This is performed by iterating through the file system on local hard drives, identifying files matching specific file extensions and file sizes, and then scanning them for the presence of multiple string values matching the wordlist.
Figure 10. File scanning parameters.
It also attempts to identify files that may contain passwords.
Figure 11. Password file detection criteria.
Once the sensitive information has been collected, it is then compressed and exfiltrated to the attacker’s C2 server.
Figure 12. Compressed archive exfiltration logic.
Data compression and exfiltration is performed via an HTTP POST request, as shown in Figure 13.
Figure 13. Example HTTP POST containing compressed archive.
Any discovered wallet seed phrases are communicated to the attacker using HTTP GET requests, using a format similar to the one in Figure 14.
Figure 14. Transmission of detected wallet seed phrase contents.
This demonstrates a robust information stealer that, in this case, has been implemented as a PowerShell module.
Keylogger
The keylogging and clipboard capture module is implemented similarly to the screen capture module described earlier, with PowerShell being used to dynamically compile and execute a C# assembly DLL at runtime.
Figure 15. Example use of Add-Type in PowerShell.
The keylogger uses SetWindowsHookEx() to monitor keyboard and mouse events to facilitate the capture of keystrokes and mouse activity on the system.
Figure 16. Example SetWindowsHookEx() logic.
Clipboard contents are also monitored so that information copied can be dynamically logged as well. As with other modules, status logging has been implemented and is performed via HTTP GET requests, an example of which is:
The module also relays this status in the body of an HTTP POST request.
Figure 17. Status logging transmission to C2.
Collected data is transmitted to the attacker via HTTP POST requests similar to Figure 18.
Figure 18. Keystroke log transmission.
Information collection
We have also observed the delivery of a system survey module that the attacker refers to as “WMIComputerCSHARP” that is used to collect and transmit information about the infected system and environment to the attacker. Consistent with the design of the screenshot and keylogging modules, this module is implemented using a combination of PowerShell and C# and features the use of runtime compilation.
The module uses WMI to query the domain membership information of the infected system, likely to enable the attacker to perform reconnaissance to determine if they were successful in gaining access to a high value target.
Figure 19. Survey collection status logging message.
The following WMI queries are performed as part of this process:
SELECT Domain, PartOfDomain FROM Win32_ComputerSystem
SELECT DomainName FROM Win32_NTDomain WHERE ClientSiteName IS NOT NULL
In addition, the %USERDNSDOMAIN% environment variable is also queried to attempt to enumerate the domain membership of the infected system. The collected information is transmitted to the attacker’s C2 server, consistent with what was described for other modules.
Figure 20. Example status logging implementation.
Persistence
We have also observed the delivery of a persistence module that can be used as desired to ensure that the main looping mechanism is re-executed following a system restart or user session termination. This allows for the reestablishment of a C2 communications channel and enables the delivery of additional modules as desired by the adversary.
The module begins by attempting to create a PowerShell script that will be executed each time the system restarts. The module creates a randomly generated directory within the %PROGRAMDATA% directory that will be used to store the components needed for persistence. These include a randomly-named PowerShell script (PS1) as well as a randomly-named shortcut file (ICO). A malicious randomly-named LNK file is also created in the Startup directory that is configured to point to the PowerShell script previously created so that it can be executed each time the system is rebooted.
The ICO file is created using base64-encoded content delivered as part of the module itself. The PowerShell script contents are generated by retrieving an obfuscated blob from the C2 server, which in our sample was hosted at the URL path /transform.
Figure 22. Persistence payload retrieval.
A simulated example of this process is shown in Figure 23.
Figure 23. Simulated delivery of obfuscated persistence payload.
This content is then written to the PS1 file and the LNK file is generated with the appropriate parameters to enable execution in the future. When deobfuscated, the contents of the PowerShell simply contain the same logic used to establish the C2 polling process previously described early in the infection chain.
Figure 24. Deobfuscated persistence payload.
We assess with high confidence that there are likely additional modules available for deployment as-needed by the adversary and the use of this framework provides a flexible means to enhance and increase the functionality available rapidly as needed.
Links to previous intrusion activity
During our analysis of the code and functionality associated with this infection chain, we observed similarities with components referenced in prior reporting related to the use of Skitnet/Bossnet to deliver PowerShell modules to infected systems. We have also observed multiple overlaps in the C2 infrastructure used in this campaign and the one described by the aforementioned reporting. Additionally, we assess with high confidence that the final deobfuscated payload dropped by the persistence module previously described was likely created by the same entity who created the PowerShell script described in the prior reporting. The overall implementation, use of specific variables throughout the code, and matching C2 URL construction strengthen this assessment. Below is a comparison of the code in both instances.
Figure 25. Comparison of persistence payload (left) vs. ProDaft reporting (right).
As observable in Figure 25, the only difference between the two samples is the addition of mutex handling and sleep periods.
While Talos did not identify any direct overlap in activity related to these malware families, we noted similarities in the design architecture and functionality provided by the PS1Bot malware delivered in this case and that present in another malware family Talos previously reported on called AHK Bot. The derivation of the C2 URL path based on the drive serial number is consistent across both malware families. Likewise, the use of a main polling script and subsequent delivery and execution of purpose-built modules is also similar to the design architecture found with AHK Bot. There are also several similarities in the types of modules available for both malware families. Heavy use of URL parameters when communicating with C2 is another similarity between the two families.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for the threats are:
Snort2: 65231 – 65233
Snort3: 65231 – 65233
ClamAV detections are also available for this threat:
Win.Backdoor.PS1Bot-10056514-0
Win.Backdoor.PS1Bot-10056515-0
Win.Backdoor.PS1Bot-10056516-0
Win.Backdoor.PS1Bot-10056517-0
Win.Backdoor.PS1Bot-10056518-0
Win.Backdoor.PS1Bot-10056519-0
Win.Backdoor.PS1Bot-10056520-0
Win.Backdoor.PS1Bot-10056521-0
Win.Backdoor.PS1Bot-10056522-0
Win.Backdoor.PS1Bot-10056523-0
Win.Backdoor.PS1Bot-10056524-0
Win.Backdoor.PS1Bot-10056525-0
Win.Backdoor.PS1Bot-10056526-0
Win.Backdoor.PS1Bot-10056527-0
Win.Backdoor.PS1Bot-10056528-0
Win.Backdoor.PS1Bot-10056529-0
Win.Backdoor.PS1Bot-10056530-0
Win.Backdoor.PS1Bot-10056531-0
Win.Backdoor.PS1Bot-10056532-0
Win.Backdoor.PS1Bot-10056533-0
Win.Backdoor.PS1Bot-10056534-0
Win.Backdoor.PS1Bot-10056535-0
Win.Backdoor.PS1Bot-10056536-0
Win.Backdoor.PS1Bot-10056537-0
Win.Backdoor.PS1Bot-10056538-0
Win.Backdoor.PS1Bot-10056539-0
Win.Backdoor.PS1Bot-10056540-0
Win.Backdoor.PS1Bot-10056541-0
Win.Backdoor.PS1Bot-10056542-0
Indicators of compromise (IOCs)
IOCs for this threat can be found in our GitHub repository here.
Benefits the Interactive Sandbox in OpenCTI 
