Cisco Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital’s Norton VPN.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except the Norton VPN vulnerability, which was discovered in-use before a patch was available. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos has disclosed eight vulnerabilities, as follows:

TALOS-2025-2302 (CVE-2026-30814) is a stack-based buffer overflow vulnerability in the tmpServer opcode 0x436 functionality of Tp-Link AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted set of network packets can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2303 (CVE-2026-30815) is an OS command injection vulnerability in the OpenVPN configuration restore script_security functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2304 (CVE-2026-30816) is an external config control vulnerability in the OpenVPN configuration restore crt.sed functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2305 (CVE-2026-30817) is an external config control vulnerability in the OpenVPN configuration restore route_up functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2306 (CVE-2026-30818) is an OS command injection vulnerability exists in the dnsmasq configuration restore dhcpscript functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2307, TALOS-2025-2308, and TALOS-2025-2309 are OS command injection vulnerabilities in the OpenVPN configuration restore client_disconnect, client_connect, and route_up functionalities of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

Photoshop vulnerabilities

Discovered by KPC of Cisco Talos.

Adobe Photoshop is a popular digital photo manipulation and illustration program with a wide array of features for personal and business use cases.

TALOS-2025-2274 (CVE-2026-34632) is a privilege escalation vulnerability in the installation process of Adobe Photoshop via the Microsoft Store. The vulnerable version of the installer is Photoshop_Set-Up.exe 2.11.0.30. A low-privilege user can replace files during the installation process, which may result in elevation of privileges.

OpenVPN vulnerabilities

Discovered by Emma Reuter of Cisco ASIG.

OpenVPN is an open source SSL VPN with remote access, site-to-site VPNs, WiFi security, enterprise load balancing, failover, and granular access control features available.

TALOS-2026-2381 (CVE-2026-35058) is a reachable assertion vulnerability in the TLS Crypt v2 Client Key Extraction functionality of OpenVPN 2.6.x and 2.8_git. A specially crafted network packet can lead to a denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.

Gen Digital Norton VPN vulnerabilities

Discovered by KPC of Cisco Talos.

Gen Digital’s Norton VPN client is a proprietary tool for private proxy network information exchange. 

TALOS-2025-2276 (CVE-2025-58074) is a privilege escalation vulnerability in the installation process of Norton VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files, possibly leading to elevation of privileges.

Cisco Talos Blog – ​Read More

Have you ever tried to tally up how much you spend on subscriptions each month? Music, movies, gaming, language courses, delivery services, heated seats, and even the ability to chat with the Grok bot directly from your car — there’s a subscription for just about everything now. There’s even a subscription service specifically designed to… track your other subscriptions.

The number of subscriptions varies significantly depending on where you live, but statistically, 78% of adults worldwide have at least one paid subscription, with the average user juggling 5.6 active services. Furthermore, a large portion of these are family plans used by groups of close relatives… and sometimes other people: 37% of users share their subscriptions outside their immediate family.

Because subscription accounts, especially family plans, often contain sensitive personal data, they’ve become a prime target for cybercriminals. Today we look at how to manage your subscriptions securely, avoid having your accounts compromised, and keep from falling for scammers’ latest tricks.

Security of shared accounts and subscriptions

Why would anyone want to hack your subscription? Even if the service only offers entertainment, your account almost certainly contains sensitive information: your name, address, email, phone number, the names of other members, and other personally identifiable information. This data is then sold on the dark web and used for further attacks.

Attackers compromise subscription accounts either through social engineering and phishing, or by taking advantage of many users’ reliance on weak or leaked passwords. As we recently highlighted in our research, nearly half of all passwords worldwide can be cracked in less than a minute. Scammers then either resell existing subscriptions or slots in a family group at a discount, or they sign the victim up for new services, hoping the extra charges go unnoticed.

Finally, some middlemen don’t bother with hacking at all; they simply buy bulk subscriptions for a large number of devices, where the per-unit cost is typically much lower. They then resell individual slots in these plans on online marketplaces. As a result, a single “family” account can end up filled with people who are complete strangers to one another.

Sharing subscriptions with family and others

Many subscription owners think nothing of sharing access with family and friends. What could possibly go wrong?

The worst-case scenario from a security standpoint is when a single account is purchased and the owner shares the login and password with other users. This usually happens when people try to save money on a family plan by buying an individual subscription and sharing it. Some services even allow for different profiles, but they are all tied to a single account, meaning the credentials are shared. This is how streaming platforms like Hulu and Disney+ operate.

Sharing one account among multiple people significantly increases the risk of your credentials falling into the wrong hands. There’s no way to guarantee that everyone else is storing those details securely or that their devices aren’t infected with malware. Even without malware, it’s incredibly easy to accidentally hand over a password to attackers simply by signing in to the subscription service over unprotected public Wi-Fi.

It’s entirely possible that the password you kindly shared with some friends has already surfaced in some corner of the dark web, and you may soon lose access to your account. Furthermore, if you reuse the same password across different sites and apps, your other accounts are now in the crosshairs as well.

The second scenario is when each group member has an individual account. Many services now allow you to add extra users to a subscription at no additional cost, and most owners are happy to give away these free slots. Even then, you shouldn’t let your guard down: a breach of just one of these accounts can still leak sensitive information, such as family members’ names, addresses, billing info, and other subscription-related data.

How to protect your subscriptions (and your wallet)

To keep your and your loved ones’ personal data private and your accounts under your control, follow these simple rules.

Use strong account security

To do this, learn — and teach your friends and family — how to use password managers, two-factor authentication, or passkeys.

If you and your loved ones rely on memory to store passwords, there’s a high probability that you’re reusing the same one across multiple services. This is a major blunder: data breaches happen all the time, and a single compromised password gives attackers access to your other accounts.

The simplest solution is to use a password manager that generates and remembers complex, unique passwords for every site and service on your behalf. All you have to do is remember the single main password for its encrypted vault. Additionally, Kaspersky Password Manager doesn’t just store and create passwords; it can also check if they’ve appeared in leaked databases, and sync your credentials across all your devices.

Additionally, a password manager provides a robust defense against phishing: unlike a human, who can easily be misled by a sign-in form that looks almost identical to the real thing and is hosted on a look-alike domain, a password manager won’t fall for the trick. It’ll only offer to autofill your saved login and password on the specific site or service for which they were originally stored.

Avoid using browsers to store your passwords: unfortunately, attackers have long figured out how to extract browser-saved passwords in a matter of seconds.

Two-factor authentication (2FA) is an extra layer of verification the system requests after you enter your password — such as an SMS code or a one-time code from an authenticator app. Whenever technically possible, be sure to enable 2FA on every account linked to a subscription. This applies to the subscription services themselves, as well as any third-party accounts you use to sign in, such as Google, Apple, or Facebook.

We recommend storing your two-factor authentication tokens and generating the one-time codes — which refresh every 30 seconds — inside Kaspersky Password Manager. This significantly lowers the chances of someone hijacking your account. Even if an attacker somehow discovers or guesses your password, they won’t be able to get the code without physical access to your device.

Finally, you can ditch passwords (almost) entirely by switching to passkeys. We’ve previously covered what this password alternative looks like and the specifics of using it. Currently, this is the most breach-resistant authentication system out there. Its main drawback has been the difficulty of syncing passkeys across different ecosystems, like Windows and iOS, but the updated version of Kaspersky Password Manager can now save and sync passkeys across Windows, macOS, iOS, and Android devices, making that issue a thing of the past.

Don’t overlook device security

Even a complex password and 2FA aren’t reasons to let your guard down. An attacker can infect your device with an infostealer: malware designed to swipe things like session cookies from your browser, app configuration files, and other sensitive data. Session cookies allow you to stay signed in without re-entering your credentials every time; however, if scammers get their hands on them, they can sign in to the service as you — even without knowing your username or password. This makes a proactive approach essential, especially if you use Chrome, Edge, Opera, or other Chromium-based browsers on Windows. We recommend installing Kaspersky Premium on all your devices; it includes Kaspersky Password Manager in addition to comprehensive protection against cyberthreats.

Only share subscriptions with people you trust

Otherwise, you might be asking for trouble. For example, if you share a Steam subscription with a friend who cheats, both of your accounts could end up banned. Furthermore, never try to let someone else into your personal account or individual subscription. Sharing your password with others is usually a violation of the terms of service, and can result in your account being blocked.

Make sure there are no strangers in your family group

To do this, periodically check active devices and sessions in your subscription settings. If you see an unrecognized device in the authorized list, terminate that session — or all of them — and change your account password immediately. Signing back in on a few devices is much easier than trying to recover a hijacked account.

And remember: don’t let your own habits compromise your security. If you’re visiting friends, on vacation, or on a business trip and use a local computer or smart TV — or if you sign in to your account from a public computer — don’t forget to sign out when you’re done. Otherwise, the next person to use that device might find themselves with free subscriptions or, even worse, access to your email or cloud photo stream.

Don’t take the bait

Watch out for phishing emails and messages spoofing legitimate services. If you receive a notification about a “need to update your billing details”, or a claim that a “new user has been added” to your family plan, don’t rush to click any links or open attachments. Links can lead to a phishing page, and attachments may hide malware. Scammers often use email addresses and domains that look nearly identical to the real ones — for instance, by swapping l (lowercase L) for I (uppercase i), or using a familiar name in a different domain zone.

Unfortunately, phishing pages are often indistinguishable from the originals now that AI is being used for high-quality design and layout. Since spotting every red flag yourself is increasingly difficult, it’s best to delegate anti-phishing protection to Kaspersky Premium. It will alert you to suspicious sites, saving your money and keeping your peace of mind.

Lastly, some scammers lure users in with freebies like fake gift subscriptions for Telegram Premium. The victim is asked to visit a phishing page mimicking the Telegram login screen and sign in to their account to claim the gift. The result isn’t hard to guess: instead of a premium subscription — a hijacked account. Recently, scammers have even learned to use mini-apps to steal credentials directly inside Telegram under various pretexts — ranging from gift giveaways to claims that you must move to a new chat because the old one was blocked.

Avoid buying subscriptions from third-party sellers

You can often find subscription offers on marketplaces and retail platforms at prices significantly lower than what the official provider charges. More likely than not, that tempting price hides a hacked account or a family group that you could be kicked out of at any moment, because the family admin is either the seller or a random user. Furthermore, sharing a family plan with strangers from around the world is a violation of terms for many services.

How to get rid of unwanted subscriptions

Now that we’ve covered subscription security, what about those extra subscriptions that quietly eat away at your balance every month? Research shows that users typically underestimate how many active subscriptions they have and how much they spend on them; they also frequently forget to cancel auto-renewals for subscriptions they no longer use, or auto-charges after the trial period ends.

If you suspect you’re in that boat, start your investigation with your own bank statements. Recurring charges for the same amount can be a subscription you’ve forgotten about. Check who received the payment; if the name doesn’t ring a bell, do an online search on the company. It’s also worth searching your email box for the merchant name or the payment amount; this can help you track down subscription notifications and figure out what exactly you’re paying for. And don’t forget to check your spam folder, as that’s where subscription alerts often end up.

Now, let’s look at how to check and cancel active subscriptions purchased through the App Store and Google Play.

For Android users

1. Open Settings on your device.
2. Tap Google, then tap your profile picture, and go to Google Account.
3. Go to Wallet & subscriptions.

If you’re the family group manager, you’ll be able to see the purchase history for other family members.

For iOS users

1. Open Settings on your device.
2. Tap your profile picture at the top of the menu.
3. Go to Subscriptions.

Note: to manage your iCloud subscription, you’ll need to go to the specific iCloud section located just below Subscriptions. In the Family Sharing section, if you’re the one who set it up, you can view the subscription and purchase history for all family members.

Read more on subscriptions:

• You’ve been sent a “gift” — a Telegram Premium subscription
• How to share subscriptions without tears
• How to control your subscriptions and save money
• Meet the Trojan subscribers hungry to sign you up

Kaspersky official blog – ​Read More

• Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded “demo.pdb” strings — that functions as commodity malware. This variant is likely sold or shared among multiple Chinese-speaking cybercrime groups that operate under a malware-as-a-service (MaaS) model for continuous monetization. 
• Analysis of program database (PDB) file paths reveals a sustained, multi-year development effort by an author operating under the alias “lwxat”, spanning from at least September 2021 through January 2026, with evidence of rapid iterative updates, feature branching, and reactive evasion tactics targeting specific security vendors such as Norton.
• Talos recovered a dedicated builder tool that allows threat actors to generate configuration files, customize payloads, and inject parameters into BadIIS binaries — enabling capabilities including traffic redirection to illicit sites, reverse proxying for search engine crawler manipulation, content hijacking, and backlink injection for malicious search engine optimization (SEO) fraud. 
• Beyond BadIIS, the same author has developed a suite of auxiliary tools — including service-based installers, droppers, and persistence mechanisms that automate deployment, ensure survivability across IIS server restarts, and evade detection through custom Base64 encoding and obfuscation techniques.

Mystery BadIIS containing “demo.pdb” 

Since 2024, Talos has investigated numerous attacks across the Asia-Pacific region (along with a few in South Africa, Europe and North America) that utilize a specific variant of BadIIS characterized by “demo.pdb” strings. While multiple security vendors are tracking the global spread of these variants, Talos’ observed tactics, techniques, and procedures (TTPs) show notable divergences from those documented by other vendors like Trend Micro, Ahnlab, VNPT, and Elastic. Consequently, it is difficult to attribute these attacks to a single threat actor. However, we assess with moderate confidence that the “demo.pdb” BadIIS variant is a commodity tool utilized by multiple Chinese-speaking cybercrime groups. 

Insights from embedded PDB strings 

Although the core functionality of this BadIIS variant is largely limited to SEO fraud, content injection, and proxy‑based traffic manipulation, our investigation pivoted toward the malware’s embedded PDB strings. The consistent PDB path pattern offers much more intelligence value than the generic “demo.pdb” filename. The combination of a stable “AdministratorDesktop” build environment, Chinese-language folder names, and date-based versioning creates a highly reliable fingerprint for tracking and clustering this BadIIS version toolset. Beyond reinforcing our assessment that this is a commodity IIS malware family, the PDB paths enabled attribution to a possible customer name alias “x神” (“xshen”). Furthermore, the PDB artifacts reveal the existence of customized builds, some explicitly tailored to:

• Bypass specific antivirus products, such as Norton 
• Perform site‑wide hijacking 
• Redirect users conditionally based on browser language or environment

Prompted by these initial discoveries, Talos expanded our threat hunting efforts to identify similar PDB strings associated with this author with high confidence. The PDB paths extracted from these BadIIS variants reveal a sustained, multi-year development effort spanning from at least September 2021 to January 2026. By analyzing the developer’s folder naming conventions, we can accurately map the malware’s evolutionary trajectory, feature branching, and commercialization model.

Timeline and iterative maintenance 

Talos observed that the earliest explicit timestamp in the PDB paths is Sept. 30, 2021, indicating that the development of this specific toolset began on or before this date. The naming conventions observed in folders such as “dll0217”, “dll0301”, and “dll0315” (likely representing February 17, March 1, and March 15) demonstrate periods of rapid, sprint-like updates. Additionally, the “dll-no503” directory is particularly notable; it likely represents a troubleshooting build designed to resolve an issue where the malware caused IIS to throw “503 Service Unavailable” errors, which would otherwise alert server administrators to the infection. Finally, the latest observed compilation date, “dll20260106” (Jan. 6, 2026), confirms that this toolset remains actively maintained and deployed in the wild as of early 2026.

Feature branching and evasion tactics 

Talos also observed that the folder “兼容百度浏览器+劫持robots.txt” (“Compatible with Baidu browser + hijacking robots.txt”) explicitly confirms the malware’s role in malicious SEO campaigns, specifically targeting the Chinese search engine ecosystem. Furthermore, the “2024-05-05-tcp” branch indicates a shift or enhancement in how the malware handles network traffic, potentially introducing custom proxying or SEO fraud communication protocols over raw TCP. Additionally, the inclusion of “过诺顿” (”bypass Norton”) in the build paths highlights a reactive development cycle, demonstrating that the author actively modifies the code to evade specific security vendor detections.

Below are the PDB strings Talos collected:

• C:UsersAdministratorDesktop2021-09-30x64Releasedemo.pdb 
• C:UsersAdministratorDesktopiisx64Releasedemo.pdb 
• C:UsersAdministratorDesktopdllx64Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0217Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0217x64Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0301Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0301x64Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0315Releasedemo.pdb 
• C:UsersAdministratorDesktopdll0315x64Releasedemo.pdb 
• C:UsersAdministratorDesktopdll-no503Releasedemo.pdb 
• C:UsersAdministratorDesktopdll-no503x64Releasedemo.pdb 
• C:UsersAdministratorDesktop兼容百度浏览器+劫持robots.txtx64Releasedemo.pdb  
  (translation: “compatible with Baidu browser + hijacking robots.txt”) 
• C:UsersAdministratorDesktop2023-10-10dllReleasedemo.pdb 
• C:UsersAdministratorDesktop2023-10-10dllx64Releasedemo.pdb 
• C:UsersAdministratorDesktop2023-11-02dllReleasedemo.pdb 
• C:UsersAdministratorDesktop2023-11-02dllx64Releasedemo.pdb 
• C:UsersAdministratorDesktop2024-05-05-tcpx64Releasedemo.pdb 
• C:UsersAdministratorDesktop2024-05-05-tcpReleasedemo.pdb 
• C:UsersAdministratorDesktopJ3x64Releasedemo.pdb 
• C:UsersAdministratorDesktopdll(cur)Releasedemo.pdb 
• C:UsersAdministratorDesktopdll(cur)x64Releasedemo.pdb 
• C:UsersAdministratorDesktop2024-05-05-tcp(过诺顿)xshenReleasedemo.pdb  
  (translation: “bypass Norton”) 
• C:UsersAdministratorDesktop2024-05-05-tcp(过诺顿)xshenx64Releasedemo.pdb  
  (translation: “bypass Norton”) 
• C:UsersAdministratorDesktop2025-11-21 (x神订制全站劫持按浏览器语言跳转)dllReleasedemo.pdb  
  (translation: “xshen custom site hijacking: redirect based on browser language)” 
• C:UsersAdministratorDesktop2025-11-21 (x神订制全站劫持按浏览器语言跳转)dllx64Releasedemo.pdb  
  (translation: “xshen custom site hijacking: redirect based on browser language”) 
• C:UsersAdministratorDesktopdll20260106Releasedemo.pdb 
• C:UsersAdministratorDesktopdll20260106x64Releasedemo.pdb

Builder architecture and BadIIS generation 

During our research into these BadIIS campaigns, Talos discovered a builder tool specifically designed for this malware variant. The threat actor utilizes this utility to generate configuration files, JavaScript redirectors, and PHP backlink scripts, as well as to inject custom parameters directly into the BadIIS malware. Figure 3 shows a screenshot of the builder’s interface.

The observed builder is labeled as “version 1.0,” with an estimated original release year of 2021. However, the application header and compilation timestamp indicate that this specific artifact is an updated build compiled on August 22, 2022. The interface fields and configurable settings perfectly align with known BadIIS capabilities, which can be categorized into four primary functions: 

• Traffic redirection: The builder allows threat actors to input target URLs, typically JavaScript-based redirectors, designed to be injected into the victim’s browser. This feature forcibly redirects legitimate user traffic to spam infrastructure, such as illegal gambling, adult content, or other malicious websites. 
• Reverse proxy: This feature manipulates how the compromised server interacts with search engine crawlers. When a crawler visits specific hidden URLs, the BadIIS malware acts as a reverse proxy, silently fetching illicit content from the threat actor’s command-and-control (C2) backend and serving it to the crawler for indexing. Furthermore, the builder includes a toggle to enable this reverse proxy behavior globally, intercepting crawlers even if they do not visit the designated hidden URLs.
• Content hijacking: The builder includes a site hijacking function capable of replacing the compromised website’s original content for both normal users and search engine crawlers. Threat actors can configure the hijacking rate (percentage of traffic affected), toggle whether the homepage is explicitly targeted, and supply a remote URL to dynamically fetch malicious title, description, and keyword (TDK) metadata. 
• Internal and backlinks setting: The final component configures the injection of internal links and external backlinks. Internal links force search engines to discover and index the spam pages hosted directly on the compromised server. Meanwhile, external backlinks siphon the compromised server’s Domain Authority, passing that high reputation onto external illicit websites to artificially inflate their search engine rankings.

Furthermore, operating this builder is not a simple, single-click process. Prior to generating the final payloads, the threat actor must stage unconfigured 32-bit and 64-bit BadIIS binaries within the same directory as the builder. Upon initiating the build process, the builder generates a “config.txt” file based on the threat actor’s configured parameters.

It then attempts to authenticate with the C2 server by checking for the specific response string “lwxat”. Although the builder does not enforce this validation step — continuing the payload generation process regardless of whether the authentication succeeds or fails — this specific network behavior is highly valuable. Notably, this unique authentication mechanism serves as a critical pivot point, enabling us to identify and attribute other tools developed by the same author.

The final step of the build process involves obfuscating the C2 server address using a single-byte XOR operation with the key 0x3. Once encoded, the builder embeds these addresses, along with all other configured parameters, directly into the final BadIIS malware under the output folder. This configured and output files are illustrated in Figure 7.

Advancement of the builder architecture 

Talos has been tracking multiple cybercrime groups, including those detailed in our previous reports on DragonRank and UAT-8099, that utilize various BadIIS variants to turn global web servers into compromised assets for search engine manipulation. The BadIIS variants deployed by those two groups primarily relied on hardcoded C2 infrastructure and statically compiled payloads to spread. However, the variant characterized by the “demo.pdb” strings represents a significant departure from these previous iterations.

Based on the recovered builder and PDB strings, Talos assesses with moderate confidence that this “demo.pdb” variant is commodity malware, likely sold privately or shared within underground markets. The architecture of this toolset suggests a modular, MaaS business model designed for continuous monetization. The malware developer can initially sell a basic version of BadIIS alongside the builder tool. If a threat actor later requiresan advanced, updated, or customized version (such as the “Norton bypass” or “custom site hijacking: redirect based on browser language” modules), they can request a bespoke payload from the developer and use their existing builder to inject the necessary configurations. Figure 9 shows the workflow Talos assessed.

Additional tools developed by same author 

By pivoting on the previously identified PDB strings and the authentication mechanism, Talos discovered that this author has developed a suite of additional tools designed to facilitate the installation of BadIIS on target machines. The observed PDB strings are listed below, followed by a detailed analysis of the differences between these tools and their respective capabilities.

• D:\vc\dll封装进exe\x64\Release\moduleinit.pdb  
  (translation: “DLL packaged into EXE”) 
• C:\Users\Administrator\Desktop\2024-05-28\install\x64\Release\install.pdb 
• C:\Users\Administrator\Desktop\install\x64\Release\install.pdb 
• C:vcserviceReleaseservice.pdb 
• C:vcservicex64Releaseservice.pdb 
• C:UsersAdministratorDesktopserviceReleaseservice.pdb 
• C:UsersAdministratorDesktopbaosvchostx64Releaseservice.pdb 
• C:UsersAdministratorDesktop2024-05-26svchostx64Releaseservice.pdb 
• C:UsersAdministratorDesktopx神的自安装服务svchostx64Releaseservice.pdb
  (translation: “xshen self-installation service”)

Early service‑based installer 

Talos identified an additional tool that we assess with high confidence is linked to the same author. Upon execution, the tool verifies that it is running as a Windows service named “Winlogin.” If this condition is met, it initiates a two-stage C2 communication process. First, it connects to a primary C2 server for authentication. During this phase, the malware validates the connection by checking if the server’s response matches the specific string “lwxat”.

Once authenticated, it connects to a secondary C2 server to download and execute additional malicious payloads on the target machine. Furthermore, the malware uses double Base64 encoding to obfuscate the addresses of both C2 servers.

Configuration‑driven service installer 

Talos observed another service-based tool that dynamically locates and reads an external configuration file to deploy BadIIS onto target machines. This component serves the same operational purpose as the installation batch scripts traditionally observed in earlier BadIIS campaigns. Upon execution, the malware identifies its own absolute path and searches its current directory for a file named “config.txt”. This configuration file uses an XML-like syntax, employing custom tags such as “<globalModules>”, “<name>”, “<path>”, and “<cmd>”. The tool employs a custom parsing routine to segment the file based on these tags, extracting string arrays that dictate its subsequent actions. Using this extracted data, the malware dynamically assembles command-line instructions by iterating through the parsed modules and replacing placeholders like “{name}” and “{path}” with randomized DLL paths and command snippets.

During this assembly phase, the tool specifically prepares commands for both 32-bit and 64-bit BadIIS (e.g., appending “32.dll” /y and “64.dll” /y). These fully-formed commands are then executed, likely via cmd.exe /c, using a function designed to capture the command output.

Authentication and configuration‑driven unified tool 

The threat actor continues to update this tool, recently merging two distinct capabilities into a single binary. The malware still impersonates the Winlogin system service for registration and persistence, but it now utilizes a higher volume of command-line executions to successfully install the BadIIS payload. Notably, these command lines closely resemble the syntax used in earlier BadIIS batch scripts. To evade detection by security products, the tool obfuscates its command lines and parameters using a custom Base64 encoding algorithm. A list of the encoded strings and their decoded counterparts is provided below.

Based on the decoded strings and the tool’s code structure, we can categorize the functionality of this upgraded tool into three primary areas. The first group of strings focuses on file discovery, searching for “module.txt”, “.dll”, and “.config” files. The “.config” and “.dll” searches serve the same purpose as in previous versions, targeting IIS configuration files and the BadIIS malware, respectively. The “module.txt” file likely acts as a staging file to temporarily store the IIS modules list before committing changes to the active configuration. Furthermore, this phase targets the “<globalModules>” and “<modules>” sections to register the malicious DLL at the server level. The second group handles payload registration; the tool utilizes specific XML nodes to inject its payloads into the IIS configuration, dynamically replacing placeholders (e.g., “{name32}” and “{path64}”) with actual values. Finally, the third group is responsible for locating the primary BadIIS DLL and establishing its backup location to ensure persistence. However, prior to executing its primary functions, the tool sends a request to the C2 server for authentication. The validation process remains identical to previous versions; the tool verifies the connection by checking if the server’s response matches the specific string “lwxat”.

Latest two‑stage installation toolset 

Talos observed that the latest version of the service installation tool is now separated into two distinct files. The workflow is shown in Figure 15.

The first file acts as the primary installer and begins by authenticating with the C2 server. Following successful authentication, it searches for the BadIIS malware, copies the payloads to specific primary and backup directories, and registers them within the IIS server module list to ensure persistence. Subsequently, it drops a secondary malware component, installing it as a Windows service. During our research, Talos observed this secondary malware impersonating legitimate services such as FaxService or AudiosService. Additionally, we recovered customization parameters and execution logs associated with this installer, which provided deeper insights into its overall capabilities.

The commands and parameters embedded in the install are also encoded. Below is a list of the encoded strings and their decoded counterparts.

The secondary malware component functions similarly to the previously described service tool. However, recognizing that security operations centers (SOCs) or antivirus products can easily quarantine or delete the primary BadIIS malware, the author has implemented a robust persistence mechanism. The installer now copies the BadIIS malware not only to the active directory used for hooking IIS requests and responses but also to a hidden backup location. This ensures that the malicious BadIIS is automatically restored and launched every time the compromised IIS server is restarted. The table below provides a list of the encoded strings and their decoded counterparts.

Module initialization dropper 

Alongside the service-based tools, Talos identified another utility that shares the same C2 authentication mechanism, custom Base64 encoding algorithm, and similar code structure. However, rather than operating as a persistent service, this tool functions primarily as a dropper designed to install the BadIIS malware onto the target IIS server. The embedded PDB string (“D:vcdll封装进exex64Releasemoduleinit.pdb”, which translates to “DLL packaged into EXE”) explicitly confirms its purpose: packaging malicious DLL payloads within a standalone executable. The BadIIS are found in the resource and named as “IIS32” and “IIS64” (see Figure 17).

The drop location for this BadIIS malware is identical to the one used by the installation script previously documented by Trend Micro.

“lwxat”: BadIIS author identification 

Through detailed analysis of numerous BadIIS samples, associated tools, and builder artifacts, Talos assesses with moderate-to-high confidence that the string “lwxat” is the author’s alias or handle. This assessment is based on the following converging evidence: 

• Builder authentication mechanism: The BadIIS builder and service tool uses the string “lwxat” as a hardcoded match string within its authentication routine, suggesting the author embedded their identity into the tool’s access control logic. 
• Configuration parameter: The string “lwxat” is used as the enable function parameter within the builder’s “config.txt” file, further indicating authorship attribution embedded in the tool’s operational configuration. 
• User-agent signature: Most notably, several BadIIS malware samples were observed using “lwxatisme” as a custom user-agent string during HTTP communications — a strong behavioral indicator that directly ties the malware to the “lwxat” persona.

Additionally, corroborating evidence was identified through PDB path strings found within certain samples. One PDB path contained the Chinese-language string:

This suggests that the author created a dedicated development folder for a user or client named “xshen” (x神), indicating that this particular BadIIS variant was a customized build tailored specifically for “xshen’s”requirements that a full-site traffic hijacking with redirection logic based on the victim’s browser language settings.

Collectively, these findings presence of “lwxat” across the builder’s authentication, configuration, and in-the-wild user-agent strings, combined with the PDB path referencing a customized build for “xshen” and provide converging evidence indicating that “lwxat” is the primary developer or operator behind the BadIIS malware family, potentially offering customization services to other threat actors. 

Coverage 

The following ClamAV signatures detect and block this threat: 

• Win.Malware.BadIIS-10059971-0 
• Win.Malware.BadIIS-10059977-0 
• Win.Malware.BadIIS-10059984-0 
• Win.Malware.BadIIS-10059985-0

The following SNORT® rules (SIDs) detect and block this threat:  

• Snort2: 1:66400, 1:66399, 1:66398 
• Snort3: 1:66400, 1:301491 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that software engineering is hard. Identifying and fixing bugs before they make it into production code is hard. Source code peer review and extensive unit testing have improved code quality, but bugs still get through. 

Not every bug is a vulnerability, and not every fault that appears to be a vulnerability can be usefully exploited. Nevertheless, through extensive testing and review, a skilled vulnerability researcher can still uncover faults in software that has already undergone rigorous quality assurance. However, skilled vulnerability researchers are a scarce resource and can only review so much software. 

AI is the great hope for improving software quality. Iterative improvements in AI’s ability to find bugs mean that each new version of these systems is better than the last. We’re now at the point where AI, although still not as good as a skilled vulnerability researcher, can scan code to find errors at a scale and speed that human analysis cannot match. Used well, it can identify potential vulnerabilities before they reach production. 

In the long term, this is very good news. Better automated review and analysis of software is how we will improve code quality. However, in the short term, decades of technical debt and latent errors will be uncovered and will need to be addressed. To make things more complex, threat actors will have access to these same tools to search for exploitable vulnerabilities for their own ends. 

The result is likely to be a surge in patches. More vulnerabilities discovered means more fixes released, placing additional pressure on already stretched operations teams. Many of these patches will be urgent; some will address vulnerabilities that are being actively exploited. Without proper planning, the volume of fixes may outpace an organization’s capacity to deploy them.

The surge of patches has yet to happen, but the first signs may already be visible. Now is an excellent time to consider how you prioritise patching, apply patches at scale, and manage systems that cannot be patched quickly — or at all. We can reflect on these questions now, and improve our processes, or we can flounder when the surge of patches arrives. Either way, ready or not, the time of much patching is coming. 

The one big thing 

In Cisco Talos’ latest blog, we outline the differences between responding to state-sponsored threat actors and handling commodity ransomware. These advanced adversaries log in using valid credentials and leverage your own trusted tools to remain invisible for months. Because their primary objectives are long-term espionage and pre-positioning rather than immediate financial gain, standard incident response playbooks are entirely inadequate.  

Why do I care? 

State-sponsored actors operate inside your trust boundary and aim to remain completely undetected. They have the patience and resources to map your infrastructure, exploit supply chain vulnerabilities, and blend their lateral movement into routine administrative tasks. If your security architecture assumes internal traffic is inherently trustworthy, these adversaries will exploit that gap to establish deep, persistent access across both IT and operational technology environments. Prematurely containing these threats can even tip off the attacker, causing you to lose critical intelligence and the chance to fully eradicate their foothold.

So now what? 

Shift to a zero trust architecture that continuously verifies access and plans for inevitable failures, starting with maximizing your visibility through centralized log aggregation and enabling Windows command-line and PowerShell script block logging. Prioritize identity management by enforcing multi-factor authentication on all administrative accounts and implementing a tiered access model. Update your incident response playbooks to specifically address living-off-the-land techniques, supply chain compromises, and the complex operational timing required for state-sponsored containment. Read the blog here for more information. 

Top security headlines of the week 

Linux bitten by second severe vulnerability in as many weeks 
The leaked exploit is deterministic, meaning it works precisely the same way each time it’s run and across different Linux distributions. It causes no crashes, making it stealthy to run. Install patches immediately. (Ars Technica) 

A DOD contractor’s API flaw exposed military course data and service member records 
The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants. (CyberScoop) 

Fake OpenAI Privacy Filter repo hits No. 1 on Hugging Face, draws 244K downloads 
A malicious repository managed to take a spot in the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. (The Hacker News) 

TanStack, Mistral AI, UiPath hit in fresh supply chain attack 
The same as in previous campaigns, the worm targets sensitive information, including developer credentials, API keys, tokens, cloud credentials and secrets, cryptocurrency wallets, and more. (SecurityWeek) 

Official CheckMarx Jenkins package compromised with infostealer 
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. (BleepingComputer) 

Can’t get enough Talos? 

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Inside the SOC: AI-powered DNS defense against ransomware 
Learn how Cisco Talos’ advanced AI-driven detection, including domain generation algorithm (DGA) analysis, integrates within Cisco Secure access to proactively identify and predict malicious domains. 

Clustering and reuse of phone numbers in scam emails 
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.   

Upcoming events where you can find Talos 

• OffensiveCon (May 15 – 16) Berlin, Germany 
• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
MD5: dbd8dbecaa80795c135137d69921fdba  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
Example Filename: u112417.dat  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02

Cisco Talos Blog – ​Read More