Welcome to this week’s edition of the Threat Source newsletter. 

A year ago, fresh off a layoff, I never would have guessed I’d be spending Halloween weekend bouncing between conversations about space policy, satellite hacking, and wedding plans. That’s exactly what happened when my space analyst friend came to stay with us for a few days. Between coffee runs, getting sneak peeks of his upcoming book, and painting on skull makeup for a party, we found ourselves deep in discussions about putting data centers in space and, inevitably, the world of satellite cybersecurity. 

Somewhere within all of that, I realized I was on deck for the newsletter intro soon, and I did what any cyber newbie would do: I asked the nearest expert if there had ever been a well-known cyberattack on satellites. My friend didn’t even blink before answering, “KA-SAT.”

Some light research and a few Webex messages later, I was speaking with our own Joe Marshall — who, lucky for me, might be the only person at Cisco who’s been to satellite hacking training.

Joe walked me through how on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe.

Satellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control. 

One surprise from the conversation was the overlap between the AcidRain wiper and VPNFilter, which you may remember from Joe’s September newsletter. AcidRain may be VPNFilter’s successor. Take a look:

Identical, hinting at a shared compiler and other technical links, as SentinelOne’s blog details.

What followed this summary was a LOT of questions on my part. What was the VPN vulnerability? How did the wiper work, exactly? What are the pros and cons of replacing vs. fixing the modems, and what about the logistics of the winning decision? Ultimately, while the AcidRain attack was destructive, it was, in the context of what else was happening to Ukraine’s infrastructure, a blip.

As a newcomer to both cybersecurity and Talos, I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you’redoing to keep them safe. 

So, as I write this, still with more questions than answers about AcidRain and the KA-SAT attacks, I’m learning to find peace in knowing that curiosity is the foundation for future expertise. Keep acquiring knowledge, asking questions (both basic and complex), and being okay with some uncertainty.

The one big thing 

Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community. 

Why do I care? 

Kraken’s advanced, cross-platform techniques — including encryption benchmarking and evasion methods — raise the threat level for organizations of all sizes, and may inspire similar advancements in future ransomware. Plus, their new secure underground forum may accelerate collaboration between threat actors, making robust, layered defenses and intelligence sharing among defenders even more critical. 

So now what? 

Prioritize patching known vulnerabilities (especially SMB), strengthen credential management, and implement comprehensive endpoint, network, and access security solutions. Continuous monitoring, incident response planning, and user awareness training are crucial to detect and contain threats early. 

Top security headlines of the week 

SAP fixes serious security issues – here’s how to stay safe 
A patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward. (TechRadar) 

Phishing tool uses smart redirects to bypass detection 
A new phishing tool targeting Microsoft 365 users called Quantum Route Redirect simplifies what was once a technically complex campaign flow, as well as offers a uniquely evasive redirect feature that can bypass even robust email protections. (Dark Reading) 

Cisco finds open-weight AI models easy to exploit in long chats 
The report, titled Death by a Thousand Prompts: Open Model Vulnerability Analysis, analyzed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. (HackRead) 

Nearly 30 alleged victims of Oracle EBS hack named on Cl0p ransomware site 
The Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. (SecurityWeek) 

Kimsuky APT takes over South Korean Androids, abuses KakaoTalk 
One of North Korea’s formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a feature in Google aimed at helping users find their devices. (Dark Reading) 

Can’t get enough Talos? 

The TTP: How Talos built an AI model into one of the internet’s most abused layers
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).

The 2026 Snort Calendar is now available 
Snorty will pose as a new mythical creature each month. To get your copy, fill out our short survey. Calendars will begin shipping in December 2025. U.S. shipping only, available while supplies last. 

Talos Takes: How attackers use your own tools against you 
From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, this quarter’s cases all point to a theme: attackers are getting very good at living off what’s already in your environment.

Do robots dream of secure networking? 
This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.

Upcoming events where you can find Talos 

• DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: f_003b6c.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

Cisco Talos Blog – ​Read More

• In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.
• Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB) vulnerabilities for initial access, then used tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration before encryption. 
• Kraken is a cross-platform ransomware with distinct encryptors for Windows, Linux, and VMware ESXi, targeting a wide range of enterprise environments. 
• Kraken ransomware benchmarks a victim machine before starting the encryption process, a feature rarely seen in ransomware. 
• Talos also observed the announcement of a new underground forum, “The Last Haven Board,” on Kraken’s data leak blog, aimed at creating an anonymous and secure communication channel for the cybercrime underground. 

Who is Kraken? 

The Kraken ransomware group, which emerged in February 2025, employs a double extortion technique and appears to be opportunistic, as it has not concentrated on any specific business verticals. According to Kraken’s leak site, victims span various geographies, including the United States, the United Kingdom, Canada, Denmark, Panama, and Kuwait. 

Like other operators in the double extortion space, Kraken also operates a data leak site to disclose the stolen data of victims who do not meet their ransom demands. 

Kraken encrypts the victim’s environment, uses the .zpsc file extension for the encrypted files, and drops a ransom note titled “readme_you_ws_hacked.txt.” In the ransom note, the actor threatens the victims by stating that they have stolen and encrypted their confidential data. They instruct the victim to contact them using an onion URL to prevent posting to their leak site. 

 Talos observed in one of the instances that the actor demanded a ransom of around 1 million USD to be paid in Bitcoin to the actor’s wallet address. Kraken assures victims that after the successful payment, they will decrypt the environment and guarantee the non-disclosure of stolen data. 

Ties to HelloKitty 

Kraken, a Russian-speaking gang, is suspected to have emerged from the ashes of the HelloKitty ransomware cartel or to have been established by some of its former members, according to external reports. The title of the Kraken data leak site explicitly mentions the HelloKitty ransomware group name. Additionally, Talos has observed that Kraken and HelloKitty use the same ransom note filename, indicating a possible link between the two groups. 

In September 2025, the Kraken group announced a new underground forum called “The Last Haven Board” in their data leak blog. According to its description, Last Haven’s primary objective is to create an anonymous and secure environment for communication within the cybercrime underground. Talos observed that the Last Haven forum administrator announced support and collaboration from the HelloKitty team and WeaCorp, an exploit buyer organization, suggesting the possible involvement of HelloKitty operators with the Kraken group. 

Infection chain

In August 2025, Cisco Talos Incident Response (Talos IR) observed in one instance that the Kraken ransomware actor gained initial access to the victim’s machine by exploiting an existing vulnerability in the SMB service on servers exposed to the internet. Once they established their foothold on the victim’s machine, they extracted valid administrators’ and other privileged accounts’ credentials. Subsequently, they re-entered the victim environment through a Remote Desktop connection using the exfiltrated privileged account credentials. 

After re-entering the victim machine, the attacker established a persistent connection by installing the Cloudflared tool and configuring a reverse tunnel on the victim’s machine. Additionally, the attacker installed the SSHFS tool on the victim machine, utilizing it to navigate the victim’s environment and exfiltrate sensitive data. The attacker then deployed the Kraken ransomware binary and moved laterally to other machines connected to the infected machine through Remote Desktop Protocol (RDP) connections, using the stolen privileged user accounts to deploy the ransomware binaries. Through this persistent remote connection, the attacker executed commands to run the ransomware on multiple systems within the victim’s environment. 

Kraken ransomware analysis  

Kraken ransomware is a sophisticated ransomware family with variants that target Windows, Linux, and ESXi systems. This ransomware offers extensive command-line options, providing operational flexibility for the actors who utilize Kraken ransomware in their attacks. It has the capability for either full or partial encryption of targeted files, along with features that allow for the encryption of specific files, including SQL databases and network shares. 

To encrypt targeted files, Kraken ransomware employs RSA encryption algorithms with a key length of 4096 bits and ChaCha20 symmetric encryption. Additionally, the ransomware features encryption benchmarking capabilities to assess how quickly it can operate on the victim’s machine without causing system overload, ensuring maximum damage in minimal time while evading detection through resource exhaustion. 

Talos observed that the attacker executed the commands on Windows and ESXi environments to run the encryptor program. The Kraken encryptor is engineered with various command line arguments that the attacker could leverage depending on the victim’s environment. 

Commands for Windows machine: 

Encryptor[.]exe –key  -path  -timeout  -d\targeted>32-byte>

Command-line options	Description
-path	Targeted drive or file’s location in the victim machine
-timeout N	Delays the execution of the encryptor for N seconds
-solid	Full file encryption without blocks
-step N	Numbers of blocks of a file to encrypt
-limit N	Limit encryption to first N megabytes
-d	For the execution through remote SSH connection
–noteonly	Drops ransom note only without performing the encryption
-tests	Run encryption performance tests
–tempfile	Temporary test file path
–tempsize	Test file size in megabytes

Commands for Linux/ESXi: 

chmod +x ./encryptor[.]elf && ./encryptor[.]elf –path  -d -timeout 

Command-line options	Description
-path	Targeted encryption path
-timeout N	Delays the execution of the encryptor for N seconds
-solid	Full file encryption without blocks
-step N	Numbers of blocks of a file to encrypt
-limit N	Limit encryption to first N megabytes
-d	Runs as daemon and execution through remote SSH connection
–noteonly	Drops ransom note only without performing the encryption
-tests	Run encryption performance tests
–tempfile	Temporary test file path
–tempsize	Test file size in megabytes
-all	Encrypt all files
–nolsof	Disable lsof checking
–nokillallvms	Skip VM termination

Kraken Windows encryptor  

The Windows version of Kraken ransomware is a 32-bit executable written in C++ and possibly obfuscated using a Golang-based packer. The ransomware exhibits features such as anti-reinfection checks, anti-analysis, and anti-recovery, and it encrypts the targeted files, appending the .zpsc file extension to the encrypted files. 

Initial execution phase 

In the initial phase of execution, Kraken processes the command line parameters and performs the anti-reinfection checks on the victim machine to avoid double-encryption. The actor has employed anti-reinfection checks to effectively manage the decryption keys.

Kraken ransomware disables the WoW64 filesystem redirection on the victim machine by using the function Wow64EnableWow64FsRedirection with the argument “ (False)” to enable the 32-bit binary to access the 64-bit files on Windows machine. 

WoW64 is a compatibility layer on a 64-bit Windows operating system that allows 32-bit applications to run seamlessly. The key feature of WoW64 is file system redirection, which ensures that when a 32-bit application attempts to access the “C:WindowsSystem32” folder, WoW64 redirects it to “C:WindowsSysWoW64”, allowing the 32-bit application to load the correct 32-bit version of system DLLs. 

Kraken ransomware, after disabling the WoW64 redirection, modifies its process token privilege, enabling the debugging rights. This privilege is essential for ransomware to access and encrypt files belonging to other processes. Further, the ransomware encrypts the local drives, network shares, and SQL database files and disables the backup services on the 64-bit Windows operating system. All these operations of the 32-bit ransomware binary would require access to the folder “C:WindowsSystem32”. Disabling the redirection in Wow64 will enable the 32-bit ransomware binary to access the “C:WindowsSystem32” folder on the 64-bit Windows operating system. 

Anti-analysis and anti-recovery techniques 

Kraken ransomware utilizes anti-analysis techniques to evade detection, complicate analysis, and prevent execution in sandbox environments. 

The ransomware employs extensive control flow obfuscation with multiple conditional loops throughout the code, concealing the actual control flow paths and increasing complexity for static analysis and pattern matching for signature generation. 

It also manipulates system exception handlers to prevent Windows error dialogs from appearing by executing SetErrorMode function with the value 0x8003 which is a bitwise OR combination of three Windows error mode flags: 

• SEM_FAILCRITICALERRORS (0x0001) – no critical error handler message box 
• SEM_NOGPFAULTERRORBOX (0x0002) – no general protection fault error box 
• SEM_NOOPENFILEERRORBOX (0x8000) – no open file error box 

It employs a sleep-based execution delay to evade sandbox analysis, stops the backup services, and executes the embedded command to remove all restore points on the victim machine. 

vssadmin delete shadows /all /quite 

It also deletes the recycle bin using the Windows function SHEmptyRecycleBinA.

Encryption performance testing and benchmarking   

Kraken ransomware has the ability to conduct performance testing on the victim’s machine before initiating the actual encryption. An actor can use this feature through command line options such as “-tests,” “-tempfile,” and “-tempsize” to assess the victim machine’s performance and optimize the ransomware encryption process.  

Kraken does this by first creating a temporary test file, using the path and filename specified via the “-tempfile” parameter. It then populates this file with random data, writing in 1MB chunks until the total size defined by the “-tempsize” parameter is reached. To time the core operation, the module records the start time with the clock_gettime function, performs the actual encryption on the test file, and then records the end time. Finally, it calculates the elapsed time and computes the encryption speed for the victim machine, expressed in MB/s, using the formula:  

Speed = ((total bytes / elapsed time) * 1000) / 1048576. 

Based on the throughput results, the function validates if the attacker should choose full encryption mode or partial encryption mode with the maximum file size chunks to encrypt. After the performance testing process, it removes the test file using the function unlink() .  

Parallel encryption operation  

The Kraken Windows encryptor has four encryption modules including SQL database, Network share, Local drive, and Hyper-V encryption. Based on the command-line flags provided by the attacker, the encryptor determines which encryption module to execute.  

The SQL database encryption module encrypts Microsoft SQL server databases. To target database files, the module accesses the Microsoft SQL Server registry keys on the victim machine, specifically querying “HKLMSOFTWAREMicrosoftMicrosoft SQL Server” and its “Instance NamesSQL” subkey to search for the “MSSQLSERVER” and “SQLEXPRESS” instances. Upon locating an instance, it retrieves the “SQLDataRoot” registry value to determine the path to the database files. The module then validates that these paths exist using the PathFileExistsWWindows API before proceeding to encrypt the database files.  

The network share encryption module enumerates and encrypts accessible network shares by using Windows WNet APIs to detect both mapped and unmapped network locations, specifying RESOURCETYPE_DISK and RESOURCETYPE_ANY. During enumeration, it iterates through the discovered network resources but explicitly skips the ADMIN$ and IPC$ shares. For each accessible network shares it finds, the module creates dedicated encryption worker threads to handle the encryption process. 

The local drive encryption module encrypts all locally attached drives by first using the GetLogicalDrives function to enumerate all available drive letters from A to Z. For each letter, it checks the drive type with the GetDriveTypeW function, targeting drives identified as DRIVE_REMOVABLE, DRIVE_FIXED, or DRIVE_REMOTE while excluding CD-ROM and network-only drives. After constructing the drive path (e.g., “X:”), it creates a dedicated encryption worker thread for each validated drive path. 

The Hyper-V virtual machine encryption module targets virtual machine files by executing a series of embedded PowerShell commands. First, it disables PowerShell restrictions on the victim machine to ensure its commands run. It then discovers the virtual machine files by listing all VMs and extracting their corresponding hard disk file paths. To unlock these files for encryption, the module forcefully stops all running virtual machines. After these prerequisite steps, it creates encryption worker threads to encrypt the located virtual machine files. The PowerShell commands executed by the module: 

powershell -c "Set-ExecutionPolicy bypass" 
powershell -c "get-vm | format-list" 
powershell -c "get-vm | Get-VMHardDiskDrive | ForEach-Object {$_.Path}" 
powershell -c "get-vm | stop-vm -force -turnoff" 

The ransomware excludes the executables (.exe) and dynamic-link library (.dll) files along with the folders “Program Files”, “Program Files (X86)”,  and “ProgramData” from the encryption processes on the victim machine, allowing the victims to still access the system to communicate with the threat actor. 

Kraken Linux/ESXi encryptor 

The Linux or ESXi version of the Kraken ransomware is 64-bit executable written in C++ and compiled using the tool crosstool-NG version 1.26.0.  

In the initial phase of the execution, the Linux executable file version of Kraken ransomware processes the command-line parameters specified by the attacker. 

Platform discovery 

The ransomware runs the platform detection module to discover the type of victim machine by executing the commands mentioned below and adapting the behavior based on the detected platform. 

System type	Command
ESXi	esxcli system version get
Nutanix	uname –a with “nutanix”
Ubuntu Linux	uname –a with “ubuntu”
Synology NAS devices	cat /etc.defaults/VERSION with “dsm”

While targeting the ESXi environments, the ransomware lists any running virtual machines and forcefully attempts to kill them by executing the following commands embedded in the ransomware binary: 

esxcli vm process list 
esxcli vm process kill --type=force --world-id=    

Encryption types  

The ELF version of Kraken ransomware performs the multi-threaded encryption, supporting both “solid – Full encryption” and “setp – partial encryption”. It also employs the encryption performance benchmarking module that an attacker can leverage during the attack to calculate the encryption speed and decide if they want to perform full or partial encryption. The performance benchmarking algorithm is like the Windows version of Kraken ransomware described in the previous section.  

It performs the recursive directory traversal and encrypts the file based on the type of encryption mode specified in the command line parameter by the attacker and appends the .zpsc file extension to the encrypted files.  

Anti-analysis and detection evasion  

The ELF version of Kraken ransomware employs control flow obfuscation with the complex loop structure to hinder the analysis and operates in daemon mode by forking into background process through fork_as_daemon() function and continues to run, performing the encryption in background. It also ignores the signal handlers SIGCHLD (child process termination) and SIGHUP (Terminal hangup).  

The ransomware employs a multi-stage self-deletion and cleanup process to erase traces of its execution, leaving a minimal forensic artefact, after completing the encryption operation. Kraken creates a bash script “_bye_bye_.sh” in the same directory as the ransomware binary. It then builds the script with the commands to delete the log files, shell history, ransomware binary, and the script itself. 

rm -f “/var/logs/*” 
rm -f “/.ash_history” 
rm -f “ransomware binary path” 
rm -f “delete the script _bye_bye_.sh" 

It executes the script using popen function popen(“sh ”<deletion_script_path>””,"r") which runs in a separate shell process, and the parent process can exit before the script finishes its execution which helps to delete itself before the completion of the execution.  

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  

contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for the threats are: 65480 and 65479. 

ClamAV detections are also available for this threat: 

• Win.Ransomware.Kraken-10056931-0 
• Unix.Ransomware.Kraken-10057031-0 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

These days, attackers probing an organization’s infrastructure rarely come across the luxury of a workstation without an EDR agent, so malicious actors are focusing on compromising servers, or various specialized devices connected to the network with fairly broad access privileges yet lacking EDR protection and often even logging capabilities. We’ve previously written in detail about the types of vulnerable office devices. Real-world attacks in 2025 are focused on network devices (such as VPN gateways, firewalls, and routers), video surveillance systems, and the servers themselves. But printers shouldn’t be overlooked either, as independent researcher Peter Geissler reminded the audience at the Security Analyst Summit 2025. He described a vulnerability he’d found in Canon printers (CVE-2024-12649, CVSS 9.8), which allows executing malicious code on these devices. And the most interesting aspect regarding this vulnerability is that exploiting it merely requires sending an innocent-looking file to print.

Trojan Type Font: an attack via CVE-2024-12649

The attack begins with sending an XPS file to print. This format, created by Microsoft, contains all the prerequisites for successful document printing, and serves as an alternative to PDF. XPS is essentially a ZIP archive containing a detailed description of the document, all its images, and the fonts used. The fonts are usually stored in the popular TTF (TrueType Font) format invented by Apple. And it’s precisely the font itself — something not typically perceived as dangerous — that contains the malicious code.

The TTF format was designed to both make letters look identical on any medium, and scale correctly to any size — from the smallest character on a screen to the largest on a printed poster. To achieve this goal, each letter can have font hinting instructions written for it, which describe the nuances of displaying letters of small sizes. Hinting instructions are essentially commands for a compact virtual machine which, despite its simplicity, supports all the basic building blocks of programming: memory management, jumps, and branching. Geissler and his colleagues studied how this virtual machine is implemented in Canon printers. They discovered that some TTF hinting instructions are executed insecurely. For example, the virtual machine commands that manage the stack don’t check for overflow.

As a result, they succeeded in creating a malicious font. When a document containing it is printed on certain Canon printers, it causes a stack buffer overflow, writes data beyond the virtual machine’s buffers, and ultimately achieves code execution on the printer’s processor. The entire attack is conducted via the TTF file; the rest of the XPS file content is benign. In fact, detecting the malicious code even within the TTF file is quite difficult: it’s not very long, the first part consists of TTF virtual machine instructions, and the second part runs on the exotic, proprietary Canon operating system (DryOS).

It should be noted that in recent years Canon has focused on securing printer firmware. For example, it uses DACR registers and NX (no-execute) flags supported in ARM processors to limit the ability to modify system code or execute code in memory fragments intended solely for data storage. Despite these efforts, the overall DryOS architecture doesn’t allow for effective implementation of memory protection mechanisms, such as ASLR or stack canary, which are typical of larger modern operating systems. This is why researchers occasionally find ways to bypass the existing protection. For instance, in the attack we’re talking about, the malicious code was successfully executed by placing it, via the TTF trick, into a memory buffer intended for a different printing protocol — IPP.

Realistic exploitation scenario

In their bulletin describing the vulnerability, Canon asserts that the vulnerability can be exploited remotely if the printer is accessible via the internet. Consequently, they suggest configuring a firewall so the printer can only be used from the internal office network. While this is good advice and the printer should indeed be removed from public access, this isn’t the only attack scenario.

In his report, Peter Geissler pointed to a much more realistic, hybrid scenario in which the attacker sends an employee an attachment in an email or a messenger message and, under one pretext or another, suggests they print it. If the victim does send the document to print — within the internal organization network and without any internet exposure — the malicious code is executed on the printer. Naturally, the capabilities of the malware when running on the printer will be limited compared to malware that’s infected a full-fledged computer. However, it could, for example, create a tunnel by establishing a connection to the attacker’s server — allowing the attackers to target other computers in the organization. Another potential use case for this malware on the printer could result in the forwarding of all information being printed at the company directly to the attacker’s server. In certain organizations, such as law firms, this could lead to a critical data breach.

How to fend off this printer threat

The vulnerability CVE-2024-12649 and several closely related defects can be eliminated by installing the printer firmware update according to Canon’s instructions. Unfortunately, many organizations — even those that diligently update software on computers and servers — lack a systematic process for updating printer firmware. The process must be implemented for all equipment connected to the computer network.

However, security researchers emphasize that there’s a multitude of attack vectors targeting specialized equipment. Therefore, there’s no guarantee that attackers won’t arm themselves tomorrow with a similar exploit unknown to printer manufacturers or their customers. To minimize the risk of exploitation:

• Segment the network — limiting the printer’s ability to establish outbound connections and to accept connections from devices and users not authorized to print.
• Disable all unused services on the printer.
• Set a unique, complex administrator password on each printer/device.
• Implement a comprehensive security system within the organization — including EDR installed on all computers and servers, a modern firewall, and comprehensive network monitoring based on an SIEM system.

Kaspersky official blog – ​Read More

Android constantly tightens app restrictions to prevent scammers from using malicious software to steal money, passwords, and users’ private secrets. However, a new vulnerability dubbed Pixnapping bypasses every protective layer and allows an attacker to imperceptibly read image pixels from the screen — essentially taking a screenshot. A malicious app with zero permissions can see passwords, bank account balances, one-time codes, and anything else the owner views on the screen. Fortunately, Pixnapping is currently a purely research-based project and is not yet being actively exploited by threat actors. The hope is that Google will thoroughly patch the vulnerability before the attack code is integrated into real-world malware. As of now, the Pixnapping vulnerability (CVE-2025-48561) likely affects all modern Android smartphones, including those running the latest Android versions.

Why screenshots, media projection and screen reading are dangerous

As demonstrated by the SparkCat OCR stealer we discovered, threat actors have already mastered image processing. If an image on a smartphone contains a valuable piece of information, the malware can detect it, perform optical character recognition directly on the phone, and then exfiltrate the extracted data to the attacker’s server. SparkCat is particularly noteworthy because it managed to infiltrate official app marketplaces including the App Store. It would not be difficult for a malicious Pixnapping-enabled app to replicate this trick, especially given that the attack requires zero special permissions. An app that appears to offer a legitimate, useful feature could simultaneously and silently send one-time multi-factor authentication codes, cryptowallet passwords, and any other information to scammers.

Another popular tactic used by malicious actors is to view the required data as it’s shown, in real-time. For this social engineering approach, the victim is contacted via a messaging app and, under various pretexts, convinced to enable screen sharing.

Anatomy of the Pixnapping attack

The researchers were able to screenshot content from other apps by combining previously known methods of stealing pixels from browsers and from ARM phone graphics processing units (GPUs). The attacking app silently overlays translucent windows atop the target information and then measures how the video system combines the pixels of these layered windows into a final image.

As far back as 2013, researchers described an attack that allowed one website to load another within part of its own window (via an iframe) and, by performing legitimate operations of image layering and transformation, infer exactly what was drawn or written on the other site. While modern browsers have mitigated that specific attack, a group of U.S. researchers have now figured out how to apply the same core principle to Android.

The malicious app first sends a system call to the target app. In Android, this is known as an intent. Intents typically enable not only simple app launching but also things like immediately opening a browser to a specific URL or a messaging app to a specific contact’s chat. The attacking app sends an intent designed to force the target app to draw the sensitive information onto the screen. Special hidden launch flags are used. The attacking app then sends a launch intent to itself. This specific combination of actions allows the victim app to not appear on the screen at all, yet it still renders the information sought by the attacker in its window, in the background.

In the second stage of the attack, the malicious app overlays the hidden window of the victim app with a series of translucent windows, each of which covers and blurs the content beneath it. This complex arrangement remains invisible to the user, but Android dutifully calculates how this combination of windows should look if the user were to bring it to the foreground.

The attacking app can only directly read the pixels from its own translucent windows; the final combined image, which incorporates the victim app’s screen content, is not directly accessible to the attacker. To bypass this restriction, the researchers employ two ingenious tricks. The specific pixel to be stolen is isolated from its surroundings by overlaying the victim app with a mostly opaque window that has a single transparent point precisely over the target pixel. A magnifying layer is then placed on top of this combination, consisting of a window with heavy blurring enabled.

To decipher the resulting mush and determine the value of the pixel at the very bottom, the researchers leveraged another known vulnerability, GPU.zip (this may look like a file link, but it actually leads to a research paper site). This vulnerability is based on the fact that all modern smartphones compress the data of any images being sent from the CPU to the GPU. This compression is lossless (like a ZIP file), but the speed of packing and unpacking changes depending on the information being transmitted. GPU.zip permits an attacker to measure the time it takes to compress the information. By timing these operations, the attacker can infer what data is being transferred. With the help of GPU.zip, the isolated, blurred, and magnified single pixel from the victim app’s window can be successfully read by the attacking app.

Stealing something meaningful requires repeating the entire pixel-stealing process hundreds of times, as it needs to be applied to each point separately. However, this is entirely feasible within a short time frame. In a video demonstration of the attack, a six-digit code from Google Authenticator was successfully extracted in just 22 seconds, while it was still valid.

How Android protects screen confidentiality

Google engineers have nearly two decades of experience combating various privacy attacks, which has resulted in a layered defense built against illegal capture of screenshots and videos. A complete list of these measures would span several pages, so we only list some key protections:

• The FLAG_SECURE window flag prevents the operating system from taking screenshots of content.
• Access to media projection tools (capturing screen content as a media stream) requires explicit user confirmation and can only be performed by an app that is visible and active.
• Tight restrictions are placed on access to administrative services like AccessibilityService and the ability to draw app elements over other apps.
• One-time passwords and other secret data are hidden automatically if media projection is detected.
• Android restricts apps from accessing other apps’ data. Additionally, apps cannot request a full list of all installed apps on the smartphone.

Unfortunately, Pixnapping bypasses all these existing restrictions and requires absolutely no special permissions. The attacking app only needs two fundamental capabilities: to draw within its own windows and to send system calls (intents) to other apps. These are basic building blocks of Android functionality, so they are very difficult to restrict.

Which devices are affected by Pixnapping, and how to defend oneself

The attack’s viability was confirmed on Android versions 13–16 across Google Pixel devices from generations 6–9, as well as Samsung Galaxy S25. The researchers believe the attack will be functional on other Android devices as well, as all the mechanisms used are standard. However, there may be nuances related to the implementation of the second phase of the attack (the pixel magnification technique).

Google released a patch in September after being notified of the attack in February. Unfortunately, the chosen method for fixing the vulnerability proved to be insufficiently reliable, and the researchers quickly devised a way to bypass the patch. A new attempt to eliminate the vulnerability is planned for Google’s December update release. As for GPU.zip, there are no plans to issue a patch for this specific data leakage channel. At least, no smartphone GPU manufacturer has announced plans to that effect since the flaw became public knowledge in 2024.

User capabilities to defend against Pixnapping are limited. We recommend the following measures:

• Promptly update to the latest version of Android with all current security patches.
• Avoid installing apps from unofficial sources, and exercise caution with apps from official stores if they are too new, have low download counts, or are poorly rated.
• Ensure a full-fledged security system is used on your phone, such as Kaspersky for Android.

What other non-standard Android attack methods exist:

• Spyware that pretends to be an antivirus
• Trojan embedded in fake Android smartphones
• Data theft during smartphone charging
• Your pics are at risk: the threat posed by the new SparkKitty Trojan
• How the Necro Trojan attacked 11 million Android users

Kaspersky official blog – ​Read More