Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Libbiosig vulnerability
Discovered by Mark Bereza of Cisco Talos.
BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage research in biomedical signal processing by providing open source software tools.
TALOS-2025-2296 (CVE-2025-66043-CVE-2025-66048) includes several stack-based buffer overflow vulnerabilities in the MFER parsing functionality of the Biosig Project libbiosig 3.9.1. An attacker can supply a specially crafted MFER file to trigger these vulnerabilities, possibly leading to arbitrary code execution.
Grassroot DiCoM vulnerabilities
Discovered by Emmanuel Tacheau of Cisco Talos.
Grassroots DiCoM is a C++ library for DICOM medical files, accessible from Python, C#, Java, and PHP. It supports RAW, JPEG, JPEG 2000, JPEG-LS, RLE and deflated transfer syntax. Talos found three out-of-bounds read vulnerabilities in DiCoM. An attacker can provide a malicious file to trigger these vulnerabilities.
TALOS-2025-2210 (CVE-2025-53618-CVE-2025-53619) can lead to an information leak.
TALOS-2025-2211 (CVE-2025-52582) can lead to an information leak.
TALOS-2025-2214 (CVE-2025-48429) can lead to leaking heap data.
Smallstep step-ca vulnerabilities
Discovered by Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG).
Smallstep step-ca is a TLS-secured online Certificate Authority (CA) for X.509 and SSH certificate management. TALOS-2025-2242 (CVE-2025-44005) is an authentication bypass vulnerability in step-ca. An attacker can bypass authorization checks and force a Step-CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
· Cisco Talos recently discovered a campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).
· We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.
· As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell” accompanied by additional tooling meant for reverse tunneling and purging logs.
· Our analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.
Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos’ analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.
The Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Web Security Appliances (WSAs), offering centralized services such as spam quarantine, policy management, reporting, tracking, and configuration management to simplify administration and enhance security enforcement.
Customers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here.
Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks. Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.
AquaShell
AquaShell is a lightweight Python backdoor that is embedded into an existing file within a Python-based web server. The backdoor is capable of receiving encoded commands and executing them in the system shell. It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.
AquaShell is delivered as an encoded data blob that is decoded and ultimately placed in “/data/web/euq_webui/htdocs/index.py”.
The result of decoding the data blob is the Python code that constitutes the AquaShell backdoor. AquaShell parses the HTTP POST request, decodes it using a combination custom algorithm and Base64 decoding and executes the resulting commands on the appliance.
AquaPurge
AquaPurge removes lines containing specific keywords from the log files specified. It uses the “egrep” command to filter out (invert search) all content that doesn’t contain the keywords and then simply commits them to the log files:
AquaTunnel
AquaTunnel is a compiled GoLang ELF binary based on the open-source “ReverseSSH” backdoor. AquaTunnel creates a reverse SSH connection from the compromised system back to an attacker‑controlled server, enabling unauthorized remote access even when the system is behind firewalls or NAT.
Chisel
Chisel is an open‑source tunneling tool that supports creating TCP/UDP tunnels over a single‑port HTTP‑based connection. Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment.
Coverage and remediation
Recommendations for Cisco customers are available here. If your organization does find connections to the provided actor Indicators of Compromise (IOCs), please open a case with Cisco TAC.
All IOCs, including IPs and file hashes determined to be associated with this campaign have been blocked across the Cisco portfolio.
IOCs
The IOCs can also be found in our GihtHub repository here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-12-17 17:06:392025-12-17 17:06:39UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
The Australian Cyber Security Centre (ACSC) has published a new guide, Quantum Technology Primer: Overview, aimed at helping organizations understand the field of quantum technologies for cybersecurity. The publication is part of a bigger effort to raise awareness and preparedness as quantum capabilities move closer to practical deployment across digital systems and organizational infrastructure.
The primer provides a foundational understanding of key quantum technologies, the scientific principles behind them, and the cybersecurity considerations organizations need to address today to prepare for a quantum-enabled future. According to the ACSC, this guidance is essential for cybersecurity leaders, IT managers, and decision-makers responsible for technology strategy and risk management.
Foundations of Quantum Technology
Quantum technologies rely on principles of quantum mechanics, the branch of physics that describes the behavior of matter and energy at atomic and subatomic scales. Two core concepts underpin these technologies: superposition and entanglement.
Superposition allows a particle to exist in multiple states simultaneously, collapsing to a single state only when measured. In practical terms, this property enables quantum systems to evaluate many potential outcomes at once, offering computational advantages far beyond classical computers.
Entanglement occurs when particles share a quantum state, creating correlations that persist even across great distances. Measuring one particle instantaneously provides information about the other. This capability underpins emerging quantum communication methods and has significant implications for secure data transmission.
The ACSC emphasizes that understanding these principles is no longer relevant only to quantum specialists. Decision-makers must grasp the basics to integrate quantum cybersecurity considerations into organizational planning effectively.
Implications for Cybersecurity and Business Functions
While many quantum technologies remain in development, their potential impact on digital systems, data protection, and organizational resilience is significant. The ACSC’s Technology Primer notes that quantum computing could render some current cryptographic methods obsolete.
“Preparing now for quantum technologies is crucial,” the ACSC states. “Adopting post-quantum cryptography is a key step, as capable quantum computers will break some existing encryption. Organizations that delay preparation risk vulnerabilities and costly remediation.”
The primer outlines several proactive steps organizations can take:
Ensure cybersecurity plans are current and aligned with industry best practices.
Develop and implement strategies for PQC across networks.
Assess risks across data lifecycles and safeguard sensitive information.
Verify that service providers and vendors comply with quantum readiness plans.
Continue staff training to reinforce good cybersecurity practices.
By incorporating these measures, organizations can strengthen their resilience and reduce potential threats from new quantum technologies.
Types of Quantum Technologies Covered
The ACSC primer details several categories of quantum technologies that could affect business and cybersecurity landscapes:
Quantum Computing: From noisy intermediate-scale quantum computers to cryptographically relevant systems capable of challenging classical encryption.
Quantum Information Sciences: Includes quantum communications using quantum key distribution (QKD) and quantum networking, which could redefine secure data transfer.
Quantum Sensors: Devices that leverage quantum mechanics to achieve unprecedented precision in measurement and sensing applications.
Although most quantum technologies are still in the early stages, some are already integrated into research, development, and pilot implementations. The ACSC notes that as these technologies mature, they will become part of organizational supply chains and digital infrastructure, making awareness and preparedness essential.
Quantum Cybersecurity as a Strategic Necessity
The ACSC’s Technology Primer highlights quantum cybersecurity as a strategic priority, weighing on both the risks and opportunities of quantum technologies. Organizations that plan for quantum today will be better prepared for a future where these technologies are standard. Cyble’s AI-powered threat intelligence and autonomous security solutions help identify new cyber threats, protect data, and maintain resilience.
Schedule a free demo to see how Cyble can protect your organization better!
Welcome back to Humans of Talos. This month, Amy chats with Senior Cyber Threat Analyst Lexi DiScola from the Strategic Analysis team. Lexi’s journey into cybersecurity is anything but traditional — she brings a background in political science and French to her work tracking global cyber threats and collaborating with colleagues across continents.
Tune in as Lexi opens up about finding her place in cybersecurity, the unique strengths that come from a non-technical path, and the joys (and challenges) of balancing complex intel analysis with a towering stack of books to be read (TBR) at home.
Amy Ciminnisi: Can you introduce yourself? What do you do here at Talos? What team do you work on, and what does your day-to-day look like?
Lexi DiScola: Sure. I’m on the strategic analysis team here at Talos. I joined about three years ago. What my team does is a whole bunch of things, really, but we focus on tracking and analyzing major trends in the cyber threat landscape. We maintain intelligence sharing relationships with a bunch of private sector and government partners. We conduct regular threat hunting activity in our telemetry and support the Talos Incident Response team. My favorite part is producing written analytical products — logs, intelligence bulletins, threat assessment reports, and our annual Year in Review report, which we just started working on. We’ve kicked into high gear, prepping for the year in review, taking all the data we’ve accumulated and seeing what we can pull out of it. It sounds like a headache to some people, but for us, it’s fun, so we’re looking forward to it.
AC: What made you want to join Talos, and when did you join?
LD: I joined about three years ago this fall. I worked in cyber threat intelligence in a government position before. Because of that experience, I was always aware of Talos’s reputation in this space. When I was looking to shift to the private sector from the government, I knew I’d be working with some of the best of the best here. I knew I wouldn’t be stagnant if I came here. That was my focus in a new position — I always want to be learning and working toward something.
AC: What are your favorite resources for staying up to date with current trends in cybersecurity?
LD: There are multiple sources I look at. OSINT, or open-source intelligence, is a huge tool, especially when focusing on specific countries or nation-state actors. Looking at their local reporting and translating it is super helpful, and looking at competitors’ or cybersecurity researchers’ reporting is also useful. But I really rely on the people I work with. Talos has so many talented people who are always willing to help. At first, I was hesitant to ask questions, but as I got to know people better, I stopped feeling embarrassed. It’s a two-way street. You might feel awkward asking for help, but down the road, they may ask you for help with something you’re an expert in. Asking people and not being afraid or embarrassed has served me well.
Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-12-17 11:07:022025-12-17 11:07:02Lexi DiScola’s guide to global teamwork and overflowing TBRs
Our experts from the Global Research and Analysis Team (GReAT) have investigated a new wave of targeted emails from the ForumTroll APT group. Whereas previously their malicious emails were sent to public addresses of organizations, this time the attackers have targeted specific individuals — scientists from Russian universities and other organizations specializing in political science, international relations, and global economics. The purpose of the campaign was to infect victims’ computers with malware to gain remote access thereto.
What the malicious email looks like
The attackers sent the emails from the address support@e-library{.}wiki, which imitates the address of the scientific electronic library eLibrary (its real domain is elibrary.ru). The emails contained personalized links to a report on the plagiarism check of some material, which, according to the attackers’ plan, was supposed to be of interest to scientists.
In reality, the link downloaded an archive from the same e-library{.}wiki domain. Inside was a malicious .lnk file and a .Thumbs directory with some images that were apparently needed to bypass security technologies. The victim’s full name was used in the filenames of the archive and the malicious link-file.
In case the victim had doubts about the legitimacy of the email and visited the e-library{.}wiki page, they were shown a slightly outdated copy of the real website.
What happens if the victim clicks on the malicious link
If the scientist who received the email clicked on the file with the .lnk extension, a malicious PowerShell script was executed on their computer, triggering a chain of infection. As a result, the attackers installed a commercial framework Tuoni for red teams on the attacked machine, providing the attackers with remote access and other opportunities for further compromising the system. In addition, the malware used COM Hijacking to achieve persistency, and downloaded and displayed a decoy PDF file, the name of which also included the victim’s full name. The file itself, however, was not personalized — it was a rather vague report in the format of one of the Russian plagiarism detection systems.
Interestingly, if the victim tried to open the malicious link from a device running on a system that didn’t support PowerShell, they were prompted to try again from a Windows computer. A more detailed technical analysis of the attack, along with indicators of compromise, can be found in a post on the Securelist website.
How to stay safe
The malware used in this attack is successfully detected and blocked by Kaspersky’s security products. We recommend installing a reliable security solution not only on all devices used by employees to access the internet, but also on the organization’s mail gateway, which can stop most threats delivered via email before they reach an employee’s device.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-12-17 11:07:022025-12-17 11:07:02ForumTroll targets political scientists | Kaspersky official blog
When CISOs ask for budget, they are rarely competing against “no security.” They are competing against growth initiatives, product launches, and cost optimization.
Technical jargon and security metrics often fall flat here. To win the conversation, threat intelligence cannot be framed as more data for analysts. It must be positioned as a business enabler that reduces measurable risk, protects revenue, and accelerates decision-making.
Here are the board-ready cases that connect threat intelligence investments directly to business objectives.
1. Protecting Revenue and Avoiding Financial Loss
Boards understand one number very well: the cost of a breach. What they often underestimate is how much of that cost comes from late detection.
Reactive security means discovering threats after damage has already begun. By then, costs multiply across downtime, incident response, legal exposure, regulatory fines, and reputational damage.
Threat intelligence changes the equation.
ANY.RUN’s Threat Intelligence Feeds deliver high-fidelity indicators sourced from interactive sandbox analyses of live malware samples and targeted attacks. This expands threat coverage, reduces the likelihood of successful breaches, and directly lowers potential financial impact — turning threat intelligence into a clear ROI driver.
TI Feeds: features and data sources
Threat Intelligence Lookup is another decision-enabling service from ANY.RUN. It is an on-demand searchable database that provides instant access to detailed threat reports, behavioral insights, direct links to sandbox sessions, and contextual connections between IOCs and active campaigns, enabling rapid enrichment during investigations. Instead of asking “What could happen?”, security leaders can answer “What is actively targeting organizations like ours right now?”
See what malware is threatening the organizations from your country and industry right now
Board-level takeaway:
Early detection driven by real-world threat intelligence materially lowers breach impact and recovery costs.
Message pattern: “Investing in threat intelligence reduces our average incident response cost by 60-70% by enabling early detection and prevention. For every major incident we prevent, we save the organization between $1-4 million in direct costs, not including reputational damage and customer trust.”
Reduce business risks with actionable threat intel.
Integrate ANY.RUN’s TI solutions in your SOC.
2. Ensuring Revenue-Critical Operations and Business Continuity
Board members understand downtime in dollars per minute. For e-commerce platforms, financial services, manufacturing operations, or SaaS providers, every minute of disruption translates directly to lost revenue, damaged customer relationships, and competitive disadvantage. Ransomware attacks alone now cost businesses an average of 25 days of downtime — a strike that many organizations cannot absorb.
Threat intelligence supports resilience by helping organizations:
Identify emerging attack campaigns early;
Anticipate shifts in attacker tactics;
Prepare controls before attacks reach critical systems.
TI shortens mean time to detect (MTTD) and mean time to respond (MTTR) by providing actionable context during incidents. SOC teams correlate alerts against real-time feeds, quickly identifying and containing threats before they spread.
With ANY.RUN’s feeds, powered by community submissions from thousands of organizations, teams gain immediate access to indicators tied to active global campaigns. This accelerates incident response, limits disruption, and keeps critical systems online preserving revenue and operational momentum.
Board-level takeaway:
Threat intelligence reduces the likelihood that cyber incidents escalate into operational outages or prolonged downtime.
Message pattern: “Our revenue-critical operations represent $X million in daily transactions. Threat intelligence gives us advance warning of attacks targeting our industry, allowing us to prevent disruptions before they impact operations. The cost of this service is equivalent to less than one hour of system downtime.”
3. Maximizing ROI on Existing Security Investments
Most organizations have already invested heavily in security infrastructure: firewalls, SIEM platforms, EDR solutions, and of course SOC teams. However, tools are only as effective as the intelligence that drives them. Without current threat data, your security stack operates reactively, generating alerts based on generic signatures and outdated indicators.
Threat Intelligence Feeds dramatically amplify the effectiveness of your security investments. Context-rich current threat data transforms them from reactive alert generators into proactive defense mechanisms.
ANY.RUN’s Threat Intelligence Feeds integrate seamlessly with major security platforms through APIs and standard formats like STIX. Your existing tools immediately gain access to millions of current indicators and threat context without requiring additional headcount or infrastructure. Your SOC analysts can make faster, more accurate decisions because they have the context they need at their fingertips.
ANY.RUN integration options
Board-level takeaway:
Threat intelligence ensures security investments are aligned with real, current threats to the business, not theoretical risks.
Message pattern: “We’ve invested $X million in security infrastructure. Threat intelligence feeds cost a fraction of that while potentially doubling the effectiveness of every security tool we’ve already purchased.”
4. Optimizing Security Resource Allocation and Driving Efficiency
Cybersecurity budgets are under scrutiny, with boards demanding maximum value from every dollar. Overworked SOC teams drowning in alerts waste resources on false positives and low-priority events. Hiring more analysts is expensive, slow, and increasingly unrealistic. Boards want efficiency, not headcount inflation.
Threat intelligence enriches alerts with context, reduces noise, and allows teams to focus on high-risk threats. Pre-filtered, accurate IOCs improve detection rates while lowering analyst burnout.
ANY.RUN’s feeds are designed for exactly this: clean, enriched indicators ready for automation, with low false-positive rates thanks to sandbox-verified data. The result is higher SOC productivity, better resource utilization, and a stronger return on existing security investments.
By feeding curated, high-confidence intelligence directly into detection and response workflows, ANY.RUN’s Threat Intelligence Feeds:
Reduce false positives,
Speed up alert triage,
Shorten investigation time,
Enable junior analysts to make better decisions faster.
This allows organizations to scale their security posture without scaling payroll.
Board-level takeaway:
Threat intelligence increases SOC productivity, delivering better protection without proportional increases in staffing costs.
Message pattern: “Our SOC team currently handles X,000 alerts monthly with Y analysts at an annual cost of $Z. Threat intelligence increases our team’s effective capacity by 50-70% without adding headcount, delivering better protection while keeping personnel costs stable.”
5. Demonstrating Regulatory Compliance and Due Diligence
Regulatory frameworks like GDPR, NIS2, DORA, and SOC 2 don’t just require security controls. They mandate demonstrable due diligence and continuous improvement. Failure to meet these standards results in crippling fines (up to 4% of global revenue under GDPR), potential business restrictions, and loss of customer trust. More importantly, regulators increasingly expect organizations to demonstrate proactive threat awareness and intelligence-driven security practices.
Threat intelligence feeds provide auditable evidence of continuous monitoring, proactive threat hunting, and intelligence-driven security operations. ANY.RUN’s TI Feeds deliver documented indicators of compromise with rich context, enabling your team to demonstrate to auditors that you’re actively monitoring the threat landscape relevant to your industry and geography.
Align security spend with board-level risk priorities.
Focus on threats that affect business operations.
Threat intelligence provides auditable evidence of proactive monitoring and rapid response capabilities. Non-compliance triggers fines, audits, and reputational damage.
Message pattern: “Threat intelligence isn’t just about preventing attacks — it’s about showing regulators, auditors, and customers that we take our security obligations seriously. This investment protects us from regulatory fines that could reach tens of millions of dollars and positions us favorably during audits and compliance reviews.”
Conclusion
Threat intelligence gives CISOs a way to translate cyber risk into business terms the board understands. It replaces reactive defenses with foresight, guesswork with evidence, and isolated security efforts with a unified, risk-driven strategy.
ANY.RUN’s Threat Intelligence Feeds are built on visibility into real attacker activity observed daily in live malware executions. This means decisions are based on what adversaries are doing now, not what they did months ago. For CISOs, this enables stronger protection. For boards, it delivers confidence that security investments directly support business objectives.
In budget discussions, threat intelligence should not be positioned as “more data.” It should be positioned as business assurance: fewer costly incidents, more efficient operations, and a clearer understanding of cyber risk across the organization.
When CISOs can demonstrate that intelligence-driven security reduces financial impact, protects revenue streams, and scales without ballooning costs, the budget conversation changes. Threat intelligence becomes a strategic pillar of the organization’s risk management program, not a line item to be negotiated away.
Turn cybersecurity from a cost center into business assurance
As a leading provider of interactive malware analysis and threat intelligence, ANY.RUN is trusted by over 500,000 analysts across 15,000 organizations worldwide. Its solutions enable teams to investigate threats in real time, trace full execution chains, and surface critical behaviors within seconds.
Safely detonate samples, interact with them as they run, and instantly pivot to network traces, file system changes, registry activity, and memory artifacts in ANY.RUN’s Interactive Sandbox. For threat intelligence insights, integrate TI Lookup and TI Feeds supplying enriched IOCs and automation-ready intelligence. No infrastructure maintenance is required.
1. Why do CISOs need threat intelligence to defend security budgets?
Because boards fund outcomes, not tools. Threat intelligence helps CISOs demonstrate how security investments reduce financial risk, prevent costly incidents, and support business continuity.
2. How is threat intelligence different from traditional security monitoring?
Traditional monitoring reacts to alerts after suspicious activity occurs. Threat intelligence provides context about active attackers, campaigns, and techniques, enabling earlier detection and proactive defense.
3. What makes threat intelligence board-relevant?
It connects cyber activity to measurable business impact, such as reduced breach costs, lower downtime risk, and improved operational efficiency, which are metrics boards understand.
4. How do Threat Intelligence Feeds support SOC efficiency?
By delivering high-confidence indicators and attacker context, feeds reduce false positives, speed up investigations, and help analysts prioritize alerts that matter most to the business.
5. Can threat intelligence replace hiring more analysts?
It cannot replace people, but it significantly increases analyst productivity. Many organizations use threat intelligence to scale security operations without proportional headcount growth.
6. Why is real-world attacker data important for threat intelligence?
Intelligence based on live, observed attacks reflects current adversary behavior. This ensures defenses are aligned with how threats operate today, not outdated assumptions.
7. How can CISOs measure ROI from threat intelligence?
Common metrics include faster detection times, fewer high-impact incidents, reduced investigation effort, and improved alignment between security spend and risk exposure.
Admit it: you’ve been meaning to jump on the latest NFT reincarnation — Telegram Gifts — but just haven’t gotten around to it. It’s the hottest trend right now. Developers are churning out collectible images in partnership with celebs like Snoop Dogg. All your friends’ profiles are already decked out with these modish pictures, and you’re dying to hop on this hype train — but pay as little as possible for it.
And then it happens — a stranger messages you privately with a generous offer: a chance to snag a couple of these digital gifts — with no investment required. A bot that looks completely legit is running an airdrop. In the world of NFTs, an airdrop is a promotional stunt where a small number of new crypto assets are given away for free. The buzzword has been adopted on Telegram, thanks to the crypto nature of these gifts and the NFT mechanics running under the hood.
Limited time offer: a marketer’s favorite trick… and a scammer’s tool
They’re offering you these gift images for free — or so they say. You could later attach them to your profile or sell them for Telegram’s native currency, Toncoin. You don’t even have to tap an external link. Just hit a button in the message, launch a Mini App right inside Telegram itself, and enter your login credentials. And then… your account immediately gets hijacked. You won’t get any gifts, and overall, you’ll be left with anything but a celebratory feeling.
This is the first of the screens where, by filling in the fields, you receive a gift lose access to your Telegram account
Today, we break down a phishing scheme that exploits Telegram’s built-in Mini Apps, and share tips to help you avoid falling for these attacks.
How the new phishing scheme works
The principle of classic phishing is straightforward: the user gets a link to a fake website that mimics a legitimate sign-in form. When the victim enters their credentials, this data goes straight to the scammer. However, phishing tactics are constantly evolving, and this new attack method is far more insidious.
The bad actors create phishing Mini Apps directly inside Telegram. These appear as standard web pages but are embedded within the messaging app’s interface instead of opening in an external browser. To the user, these apps look completely legitimate. After all, they run within the official Telegram app itself.
To make it even more convincing, scammers often add a plausible-sounding limit on gifts per user
This leads the victim to think, “If this app runs inside Telegram, there must be some kind of vetting process for these apps. Surely they wouldn’t let an obvious scam through?” In practice, it turns out that’s not the case at all.
How is this scheme even a thing?
A core security issue with Telegram Mini Apps is that the platform does almost no vetting before an app goes live. This is a world apart from the strict review processes used by Google Play and the App Store — although even there, obvious malware occasionally slips through.
On Telegram, it’s far easier for bad actors. Essentially, anyone who wishes to create and launch a Mini App can do so. Telegram does not review the code, functionality, or the developer’s intent. This turns a security flaw within a messaging service boasting nearly a billion global users into a global-scale problem. To make matters worse, moderation of these Mini Apps within Telegram is entirely reactive — meaning action is only taken after users start complaining or law enforcement gets involved.
This is a global operation, with phishing lures being distributed simultaneously in both Russian and English. However, the Russian version gives away a tell-tale sign of the scammers’ haste and lack of polish. They forgot to remove a clarification question from the AI that generated the text: “Do you need bolder, more official, or humorous options?”
In this case, the bait was “gifts” from UFC fighters: a giveaway of “papakhas” — digital gift images of the traditional Dagestani hat released by Telegram in partnership with Khabib Nurmagomedov. An auction for these items did take place, with Pavel Durov even posting about it on his X and Telegram (Khabib reposted these announcements but later deleted them after the auction ended). However, there were only 29 000 of these “papakhas” released, which wasn’t enough to satisfy all the eager fans. Scammers seized on the opportunity, assuring fans they could get the exclusive items for free. The phishing campaign was a targeted one — focusing on users who’d been active on the athlete’s channel.
How the scammers lull their victims
The criminals leveraged the name of the popular Portals platform — a legitimate service for games, apps, and entertainment within Telegram. They created a series of Mini Apps that were visually almost indistinguishable from the real ones, and promoted them as free giveaways — airdrops.
To add a veneer of authenticity, the scammers even listed the official Telegram channel for Portals in the phishing Mini App’s profile. However, the legitimate Portals Market bot has a different username: @portals
That said, the scam campaigns themselves show signs of being rushed and cutting design and copywriting costs — with obvious signs of AI involvement. Some of the messages contain leftover text fragments clearly generated by a neural network, which the scammers either forgot or couldn’t be bothered to edit.
How to protect your Telegram account from being hacked
The golden security rules are simple: stay vigilant, and learn the key hallmarks of these attacks:
Verify the source. If you receive a link promising a giveaway from a celebrity or even Telegram itself but sent from an unfamiliar account or a dubious group, don’t click. Cross-check through the celebrity or company’s official channel to see if they’re actually running a promo like that.
Inspect the account verification badge. Ascertain that the blue checkmark is real and not just an emoji status or part of the profile name. You can verify this by simply tapping that checkmark icon in the profile. If it’s a Premium emoji status, Telegram will explicitly tell you so. If a checkmark emoji is simply added to the profile name, tapping it doesn’t do anything. But if the account is genuinely verified, tapping the blue checkmark will bring up an official confirmation message from Telegram.
Don’t be in a rush to authenticate in Mini Apps. Legitimate Telegram apps typically don’t require you to sign in again through a form inside the Mini App. If you’re prompted to enter your phone number or a verification code, it’s likely a phishing attempt.
Look for signs of AI-generated text or design. Weird grammar, unnatural phrasing, or leftover neural network prompts within a message are a red flag. Scammers frequently use AI-powered generation to churn out text quickly and cheaply.
Turn on two-step verification (your Telegram password). Do this right now in Settings → Privacy and Security → Two-Step Verification. Even if a scammer manages to get your phone number and SMS code, they won’t be able to access your account without this password. Obviously, never share your password with anyone — it’s meant only for you to sign in to your Telegram account.
Use a passkey to secure your account. A recent Telegram update added the ability to securely sign in with a passkey. We’ve covered using passkeys with popular services and the associated caveats in detail. A passkey makes it nearly impossible for a malicious actor to steal your account. You can set one up in Settings → Privacy and Security → Passkeys.
Store your password and passkey in a password manager. If you’ve secured your account with both a password and a passkey, remember that a weak, reused, or compromised password can still be the proverbial “spare key under the mat” for attackers — even if the “front door” is locked with a passkey. Therefore, we recommend creating a strong, unique password for Telegram and storing it — along with your passkey — in Kaspersky Password Manager. This keeps your credentials and keys available across all your devices.
What to do if your Telegram account was already stolen
The key is keeping calm and acting swiftly. You have just 24 hours to reclaim your account, or you risk losing it permanently. Follow the step-by-step guide to restoring access in our post What to do if your Telegram account is hacked.
Finally, a reminder that has become our classic mantra: if an offer looks too good to be true, it almost certainly is. Always verify information through official channels, and never enter your passwords or passkeys into unofficial apps or forms — even if they look legit. Stay vigilant and stay safe.
Want more tips on securing your messenger accounts and chats? Check out our related posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-12-16 17:13:472025-12-16 17:13:47Phishing in Telegram Mini Apps: how to avoid taking the bait | Kaspersky official blog
If you’ve ever looked at a SOC queue and thought, “Where do we even start?” you’re not alone.
Most teams face more alerts than they can realistically investigate, tools that don’t always connect, and investigations that take longer than they should.
In a recent webinar, we shared a simple framework for speeding up detection and response without overloading teams. You can watch the full recording here: SOC Leader’s Playbook
SOC teams that applied this approach have already seen measurable results:
21 minutes less MTTR per incident
15-second median MTTD
3× improvement in team throughput
For now, let’s look at how you can apply the same ideas to help your SOC respond faster in real environments.
The Cost of a Slow SOC
When detection and response take too long, the impact shows up fast and in very practical ways.
The high costs of slow response, including 4.4m data breach
Incidents cost more: According to IBM’s Cost of a Data Breach Report 2025, the average breach now costs $4.4 million, and that number grows the longer attackers stay active.
Downtime lasts longer: Delayed response means systems stay compromised, business processes slow down, and recovery becomes harder.
Teams waste time on noise: Analysts spend hours chasing alerts that turn out to be harmless, often repeating the same checks across different tools.
Real threats get missed: Fatigue and overload make it easier for serious incidents to slip through unnoticed.
People burn out: Constant pressure and reactive work drain focus and motivation, especially in Tier 1 teams.
For SOC leaders, this creates a familiar loop: more alerts, slower response, higher risk, and exhausted teams. Breaking that loop starts with reducing time at every stage, from the first alert to final containment.
3 main steps needed for faster response
Step 1: Prioritize Incidents and Reduce False Positives
Speed starts with focus. If your SOC treats every alert the same, response will always be slow.
Most teams receive far more alerts than they can realistically investigate. Many are low-risk, duplicated, or lack context. Analysts lose time figuring out what an alert actually means instead of responding to real threats.
The root issue is usually threat intelligence.
Indicators pulled from public reports often arrive too late, after attackers have already changed infrastructure. Other feeds may be fast but offer no explanation beyond “malicious,” forcing analysts to investigate manually. Automation suffers, false positives rise, and the SOC stays reactive.
Step 1: prioritize incidents and reduce false positives
What works
Effective prioritization depends on threat intelligence that is:
Real-time, not report-based
Context-rich, showing how an indicator is used
Integrated, flowing directly into SIEM, SOAR, and EDR
When alerts arrive already enriched with reputation, behavior, and risk level, teams can automate routine triage and focus on high-impact incidents.
TI Feeds providing fresh data from 15k organizations
TI Feeds provide real-time IOCs sourced from live attacks analyzed in ANY.RUN’s Interactive Sandbox by 15,000 organizations and 500,000 analysts. As a result, 99% of network IOCs are unique and come with links to full sandbox reports for immediate context.
For SOC teams, this means earlier detection of new threats, fewer false positives, and up to a 20% reduction in Tier 1 workload.
Expand threat coverage in your SOC
Rely on 99% unique IOCs from TI Feeds
Once an alert is prioritized, the next bottleneck is investigation speed.
Many SOCs still rely on static analysis. It’s fast, but it doesn’t show what actually happens when a file or link runs. Modern malware hides behind obfuscation, delayed execution, or multi-stage delivery, leaving analysts with partial answers and slow decisions.
To respond quickly, teams need to see real behavior, not just a verdict.
Step 2: Speed up threat investigations
What actually speeds investigations up
Effective investigations depend on dynamic analysis that:
Integrate with your existing tools to automate investigations and avoid manual handoffs
Expose real threat behavior quickly, even in multi-stage or silent attacks
Deliver clear, actionable reports with verdicts, IOCs, and TTPs
Defeat evasion techniques, forcing malware to reveal itself
How teams do this with ANY.RUN
ANY.RUNhelps SOC teams move from alert to answer in under 60 seconds.
By detonating files and URLs in real time, the Interactive Sandbox exposes the full attack chain and automatically generates clear reports with verdicts, IOCs, and attacker techniques. This allows teams to confirm threats quickly and move straight to containment, cutting up to 21 minutes from MTTR per incident.
How ANY.RUN’s Sandbox helps in faster reponse
Because the results are easy to interpret, even junior analysts can handle more alerts independently. Many teams report up to a 30% reduction in Tier 1–to–Tier 2 escalations, easing pressure on senior staff and speeding up response overall.
For high-volume workflows, the sandbox also runs in Automated Interactivity mode. Files and URLs can be sent automatically via API, SDK, or native integrations with SOAR, EDR, and other security tools. The sandbox detonates the entire attack chain on its own and returns a conclusive verdict with full context in seconds.
In this analysis, a QR code hidden in a phishing email leads to a CAPTCHA-protected page and then to a fake Microsoft 365 login designed to steal credentials. The sandbox detonates the full chain, reveals the phishing infrastructure, and confirms credential theft behavior in seconds.
Detect complex threats in under 60 seconds Integrate ANY.RUN’s Sandbox in your SOC
Not every alert points to a file you can detonate.
Often, SOC teams see alerts tied to a suspicious IP, domain, URL, or process. In those cases, the key question is simple: Is this a real threat, or just noise? The faster you answer that, the faster you can move on.
Where verification slows teams down
Most alerts are enriched using free reputation services. These usually provide only a label like “malicious” with no explanation.
There’s no context about:
how the indicator was used,
what malware or campaign it’s linked to,
or what the attacker is actually doing.
So, analysts start from zero. They search blogs, PDFs, forums, and tools, copy-paste the same indicator repeatedly, and hope something useful turns up. It’s slow, distracting, and often outdated. Even when teams cross-check multiple sources, the information can be incomplete or contradictory.
The result is delayed decisions, unnecessary escalations, and analyst fatigue.
Step 3: Verify alerts fast
What helps analysts verify alerts faster
Analysts move faster when they have access to a single, reliable source of fresh threat intelligence that gives instant context for any indicator they see.
The most effective solutions don’t rely on second hand reports. They pull data from their own live sources; real malware executions, active honeypots, and real victim environments. That means the intelligence is current, detailed, and available the moment an alert appears.
With this level of context, analysts can make confident decisions in seconds instead of spending time searching, cross-checking, and guessing.
TI Lookup gives analysts instant access to live attack data for IPs, domains, URLs, file hashes, and behavioral indicators. Each lookup returns real-world context, including how the indicator is used, what malware it’s linked to, and where it was observed; all based on active threat analysis, not old reports.
As the intelligence comes from real malware executions shared by 15,000 organizations and 500,000 analysts, analysts can verify alerts in seconds instead of starting from zero.
How ANY.RUN’s TI Lookup helps in faster response
To see how this works in practice, imagine this: A SOC receives an alert about a connection to an unfamiliar IP address. A quick lookup shows it’s actively used in a Remcos malware campaign, with links to sandbox sessions where the same infrastructure was observed. With this context, the analyst can block the connection and close the alert confidently within minutes.
TI Lookup demonstrates recent analysis sessions related to the search IP address and Remcos malware campaign
For even faster workflows, TI Lookup integrates directly with SIEM, SOAR, TIP, and XDR platforms. Alerts can be enriched automatically as they arrive, so reputation, behavior, and threat context are available immediately, reducing manual checks, unnecessary escalations, and investigation time.
Speed up triage with rich threat context
using ANY.RUN’s TI Lookup
In most SOCs, the problem isn’t speed. It’s the delay between seeing an alert and knowing what to do next.
When alerts arrive without context, investigations stall. When verification depends on manual research, response drags on. Fixing these gaps changes how the SOC operates:
incidents are prioritized earlier,
investigations reach clear answers faster,
alerts are confirmed before they turn into distractions.
How ANY.RUN boosts response with its solutions
Teams that apply this approach consistently reduce MTTR by 21 minutes, detect threats in a median of 15 seconds, and achieve a 3× increase in team efficiency, without adding pressure to the team.
About ANY.RUN
ANY.RUN provides interactive malware analysis and threat intelligence solutions used by 15,000 SOC teams to investigate threats and verify alerts. They enable analysts to observe real attacker behavior in controlled environments and access context from live attacks. The services support both hands-on investigation and automated workflows and integrates with SIEM, SOAR, and EDR tools commonly used in security operations.
Last week’s reports from Cyble Research & Intelligence Labs (CRIL) to clients highlighted new flaws from December 03 through December 09, 2025, including newly disclosed IT vulnerabilities, ICS vulnerabilities, active exploitation attempts, and dark-web discussions around weaponized CVEs. Drawing from CISA alerts, CRIL’s global sensor network, and Cyble’s vulnerability intelligence platform, the findings outline rapid PoC release cycles, persistent automated exploitation, and targeted attacks against critical infrastructure.
CRIL’s threat-hunting infrastructure deployed across multiple regions continues to record real-time malicious activity, including exploit attempts, brute-force intrusions, malware injections, and financially motivated attacks. There has been a sustained rise in botnet-driven campaigns and opportunistic exploitation of internet-exposed and misconfigured industrial devices throughout the reporting period.
More broadly, CRIL’s weekly insight reveals a sharp increase in newly disclosed vulnerabilities. The Vulnerability Intelligence (VI) module identified 1,378 vulnerabilities this week, including over 131 with publicly available PoCs and three new zero-days.
The Week’s Top IT Vulnerabilities
CRIL’s weekly vulnerability intelligence analysis found multiple high-impact issues affecting enterprise technologies, software ecosystems, and internet-facing applications. Major vendors reporting significant vulnerability counts included Linux distributions, Google, Microsoft, Siemens, and Nextcloud.
A subset of critical vulnerabilities drew community and industry attention:
CVE-2025-67494:A critical server-side request forgery (SSRF) flaw in ZITADEL, enabling unauthorized network pivoting and data exposure.
CVE-2025-42880:A code injection flaw in SAP Solution Manager.
CVE-2025-66516:A severe XML External Entity (XXE) vulnerability in Apache Tika affects modules such as tika-core, tika-pdf-module, and tika-parsers.
These IT vulnerabilities present a direct risk to organizations due to their potential to enable unauthorized access, data theft, and remote code execution. Across all disclosures, CRIL identified 68 critical vulnerabilities under CVSS v3.1 and 23 rated critical under CVSS v4.0, making it another high-activity week in vulnerability disclosure trends.
CISA – Known Exploited Vulnerabilities (KEV) Catalogue
Between December 3 and December 9, 2025, CISA added six new exploited vulnerabilities to its CVE catalog.
CVE-2025-55182:A critical pre-authentication RCE in React Server Components (RSC) leveraging unsafe deserialization in the “Flight” protocol.
The exploitation of CVE-2025-55182 began around December 08, employing payloads that diverged from the December 04 PoC publicly released by researchers. The variant techniques suggest rapid adaptation by attackers following disclosure.
Notable Vulnerabilities Discussed in Open-Source Communities
CRIL identified multiple trending vulnerabilities drawing attention across open-source security and research forums.
Key discussions included:
CVE-2025-62221:A use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. A local attacker could gain SYSTEM-level privileges, and the flaw can be chained with phishing or browser exploits for full host compromise.
CVE-2025-10573: A critical stored XSS vulnerability in Ivanti Endpoint Manager, allowing remote unauthenticated attackers to embed malicious JavaScript that executes when an administrator views the dashboard.
Vulnerabilities Under Discussion on the Dark Web
CRIL’s dark-web monitoring identified several vulnerabilities actively discussed, traded, or weaponized by threat actors:
CVE-2025-6440:A critical arbitrary file upload vulnerability in the WooCommerce Designer Pro plugin for WordPress (also distributed with the Pricom Printing Company & Design Services theme). Allows unauthenticated file upload and remote code execution via malicious PHP web shells.
CVE-2025-55182:Also referred to as “React2Shell” or “React4Shell,” actively weaponized on underground forums. The flaw affects React 19’s Server Components Flight protocol and frameworks such as Next.js.
CVE-2025-66516:A severe XXE vulnerability in Apache Tika. The administrator of the “Proxy Bar” Telegram channel circulated exploit material demonstrating how malicious PDF files with embedded XFA forms could achieve arbitrary file read, SSRF, denial-of-service, and, in some cases, remote code execution.
CRIL highlighted multiple ICS vulnerabilities affecting industrial vendors across energy, manufacturing, and commercial facilities.
Key issues included:
Sunbird – DCIM dcTrack & Power IQ (≤ 9.2.0): Authentication bypass and hard-coded credentials vulnerabilities (CVSS 6.5 and 6.7), risking unauthorized access and credential compromise.
Johnson Controls OpenBlue Workplace (2025.1.2 and prior): A CVSS 9.3 Forced Browsing vulnerability enabling unauthorized access to sensitive operations in critical infrastructure environments.
Across the ICS landscape, most vulnerabilities were medium severity, while commercial facilities, critical manufacturing, and energy sectors accounted for 43% of total incidents. Multi-sector issues, including IT, government, healthcare, and transportation, accounted for an additional 29%.
Deploy comprehensive monitoring and logging with SIEM correlation.
Track alerts from vendors, CERTs, and government authorities.
Conduct routine VAPT exercises and security audits.
Maintain visibility into internal and external assets.
Enforce strong password policies, replace all default credentials, and adopt MFA across all environments.
Conclusion
The wide range of vulnerabilities identified this week highlights the expanding threat landscape facing industrial and operational environments. Security teams must act quickly and focus on risk-based vulnerability management to protect critical systems.
Key practices, such as network segmentation, restricting exposed assets, applying Zero-Trust principles, maintaining resilient backups, hardening configurations, and continuous monitoring, remain essential for reducing attack surface and improving incident response readiness.
Cyble’s attack surface management solutions can support these efforts by detecting exposures across network and cloud environments, prioritizing remediation, and providing early indicators of potential cyberattacks. To see how Cyble can strengthen your industrial security posture, request a demo today.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-12-16 09:06:322025-12-16 09:06:32The Week in Vulnerabilities: Cyble Tracks New ICS Threats, Zero-Days, and Active Exploitation
