Phishing used to be easy to spot. Now it looks clean, trusted, and almost perfect. Behind it are phishkits; ready-made attack platforms built to steal credentials, bypass MFA, and hijack live sessions in seconds. 

For SOC teams, one click starts the countdown. What looks like a routine alert can already be a live account takeover. 

Here’s how these attacks actually work, and how advanced SOC teams catch them before they spread. 

What Is a Phishing kit? 

A phishing kit, aka phishkit, is a ready-made toolkit that attackers use to launch phishing campaigns fast and at scale. Instead of building fake pages and infrastructure from scratch, they buy or rent a kit and deploy a full attack setup in minutes. 

Most phishkits come with: 

• Fake login pages for popular services 

• Reverse proxy scripts to quietly intercept traffic 

• Built-in MFA bypass 

• Admin panels for harvesting credentials 

• Tools to filter out bots and security scanners 

What makes phishkits especially dangerous is how little skill they now require. Even low-experience attackers can run advanced phishing operations using these packaged platforms; with the infrastructure, automation, and data collection already built in. 

Detecting phishkits early comes down to understanding what happens after the click. With an interactive sandbox like ANY.RUN, analysts can safely open suspicious links, interact with phishing pages like a real user, and observe the full execution chain as it unfolds. This makes it possible to expose reverse proxy behavior, MFA capture, and credential theft in real time, often within seconds.

Why Phishkits Are So Dangerous for Businesses 

Phishkits quietly remove the barriers that businesses rely on for protection. By sitting between the employee and the real service, these tools capture logins, MFA codes, and active sessions in real time. The result is immediate, legitimate-looking access to corporate systems. 

Once attackers get inside, the impact spreads fast. A single compromised account can open access to email threads, internal tools, cloud platforms, customer data, and even financial systems. From there, attackers blend in, send messages from trusted inboxes, reset passwords, and move deeper without triggering obvious alarms. 

What makes phishkits especially dangerous is how clean the entry point often looks. There’s no malware dropped right away or a suspicious attachment. Just a normal login that isn’t normal at all. This makes early detection hard and gives attackers valuable time to act before security teams even realize something is wrong. 

For businesses, phishkits often lead to: 

• Silent data leaks from email, cloud apps, and internal systems 

• Business disruption caused by locked accounts and broken workflows 

• Direct financial losses from fraud and unauthorized transactions 

• Follow-up attacks launched from trusted employee inboxes 

• Long investigations and recovery efforts that stretch on for weeks 

• Reputational damage and loss of customer trust 

Key Detection Challenges for SOC Teams 

How SOC Teams Can Detect Phishkit Attacks Faster 

Speed matters with phishkits. The sooner a team can see the full phishing chain in action, the sooner they can contain access, block infrastructure, and stop the same kit from hitting more users. A fast investigation comes from combining interactive sandboxing with real-time threat intelligence. 

Step 1: Send suspicious links straight to the sandbox 

Instead of only blocking the URL, run it in an isolated environment to see what actually happens after the click, redirects, proxy behavior, and the final phishing page. 

Step 2: Interact with the page like a real user 

Phishkits stay quiet until someone behaves like a victim. Clicking buttons, entering test credentials, and moving through the flow helps trigger session theft, MFA capture, and hidden scripts. 

Step 3: Watch the full chain unfold in real time 

A live sandbox session shows every redirect, outbound connection, script call, and credential capture attempt, not just the final page. 

Step 4: Pull fresh IOCs as the attack runs 

Domains, IPs, URLs, scripts, and proxy infrastructure can be extracted immediately and pushed into blocking rules and hunting queries. 

Step 5: Enrich indicators with TI Lookup 

With ANY.RUN TI Lookup, analysts can instantly check whether the same domains, IPs, scripts, or redirect patterns were seen in past phishing or malware campaigns. This helps confirm phishkit families and link related activities. 

Using indicators from both the sandbox and TI Lookup, teams can quickly: 

• Identify related infrastructure across past and current cases 

• Detect active waves using the same phishkit 

• Validate whether a campaign is isolated or part of a larger operation 

This workflow turns phishing from a slow, reactive task into a fast, repeatable investigation process, with confirmation in minutes. 

Step 6: Track new infrastructure with Threat Intelligence Feeds 

ANY.RUN’s Threat Intelligence Feeds deliver fresh, actionable indicators of compromise (IOCs) sourced directly from live attack data across 15,000 SOCs, ensuring your security infrastructure stays ahead of emerging threats.  

With only 1% overlap with other sources, your team gains access to previously undiscovered threat intelligence that competitors miss. Every IOC comes enriched with detailed sandbox reports and contextual metadata, providing the forensic depth needed for rapid incident response and threat hunting. Real-time updates deliver a live view of the threat landscape as attacks unfold, enabling proactive defense before threats reach your perimeter.  

Integration is seamless. TI Feeds connects directly to your existing SIEM, TIP, and SOAR platforms via popular standards (STIX/TAXII) or through dedicated API and SDK, minimizing implementation overhead while maximizing threat coverage across your entire security stack. 

Real Phishkit Examples Analyzed inside the ANY.RUN Sandbox 

The following examples come from real attacks and show how different phishkits operate in live environments: 

TyKit: A Multi-Stage Microsoft 365 Phishkit in Action 

TyKit is a multi-stage phishing kit built to steal Microsoft 365 credentials at scale. It spreads through malicious SVG files that silently redirect victims to fake login pages protected by CAPTCHA and anti-bot checks. Once credentials are entered, they’re sent straight to the attackers through a structured C2 API. 

View analysis session with Tykit 

The kit has been active since at least mid-2025 and has targeted organizations across finance, IT, government, telecom, and professional services worldwide. Its strength is simplicity: clean delivery, fast credential theft, and infrastructure that’s easy to rotate. 

TyKit shows how modern phishkits don’t need malware to succeed, just one clean login flow is enough. 

Tycoon 2FA: A Phishkit Built to Bypass MFA 

Tycoon 2FA is a phishing-as-a-service platform designed to steal Microsoft 365 and Gmail accounts even when MFA is enabled. It works as an adversary-in-the-middle (AiTM) kit, using a reverse proxy to capture credentials, MFA codes, and active session cookies in real time. 

View real attack exposed inside ANY.RUN sandbox 

What sets Tycoon 2FA apart is its constant evasion upgrades. Over time, it has added: 

• Rotating CAPTCHA systems 

• Browser and sandbox fingerprinting 

• Multi-layer obfuscation (Base64, XOR, AES) 

• Fake 404 pages and legitimacy checks 

• Long redirect chains to hide the true entry point 

Once access is captured, attackers log in using a fully valid session. From a SOC view, it often looks like a normal user login until damage is already unfolding. 

Mamba2FA: A Persistent Corporate Phishkit 

Mamba2FA is a widely used phishkit built to steal corporate credentials, with repeated campaigns observed against organizations in the finance and manufacturing sectors. Like TyKit and Tycoon, it relies on clean phishing flows, fast infrastructure rotation, and live credential capture to move quickly before defenders can react. 

What makes Mamba2FA especially useful as an example is how clearly it shows the value of tracking phishkits as ongoing campaigns, not one-off incidents. If your organization has already encountered a specific kit, the worst mistake is treating it as “closed.” 

Using ANY.RUN’s Threat Intelligence Lookup, analysts can instantly surface: 

• New sandbox analyses tied to the same phishkit 

• Fresh phishing domains and URLs 

• Recently reused infrastructure and scripts 

To find recent Mamba2FA activity, teams can use a simple query like: 

threatName:”mamba” AND domainName:”” 

This immediately reveals both new attacks and network indicators observed during live sandbox analysis. 

Instead of chasing isolated alerts, this approach turns phishkits like Mamba2FA into continuously monitored threats, making it much easier to spot repeat campaigns early and shut them down faster. 

Phishkit Evolution: Hybrid Threats 

Phishkits are no longer operating in isolation. One of the most worrying shifts is the rise of hybrid phishing chains, where multiple kits are combined into a single attack. These blended campaigns mix different infrastructures, redirect logic, and credential-theft methods to make detection and attribution far more difficult. 

In recent enterprise-focused attacks, analysts have observed Tycoon 2FA and Salty working together in the same chain. One kit handles the initial lure and proxying, while the other takes over at later stages for credential capture, session hijacking, or follow-up delivery. For SOC teams, this breaks many traditional assumptions about how a “single” phishing campaign should look. 

Check real-world analysis with Tycoon and Salty 

Hybrid chains create several challenges at once: 

• Indicators belong to different kits, not just one 

• Redirect paths change mid-attack 

• Infrastructure overlaps across separate actor groups 

• Detection rules based on one kit alone often miss the full picture 

This evolution shows where phishing is heading: modular, flexible attack chains built from multiple commercial kits. For defenders, that means investigations must focus on behavior and execution flow,  not just kit names or static indicators. 

Key Takeaways for SOC Readiness in 2026 

Phishkits now shape how real-world phishing attacks are built, delivered, and scaled against organizations. 

• Phishing is now a real-time intrusion, not just a user mistake. Once a link is clicked, the compromise may already be underway. 

• MFA alone is no longer enough: Session hijacking turns traditional MFA into a speed bump, not a barrier. 

• Hybrid phishing chains are becoming common: When multiple kits are combined in one attack, single-family detections fall short. 

• Behavior matters more than static indicators: Clean emails, short-lived domains, and valid sessions leave very little to flag at first glance. 

• Speed defines outcome: Minutes often decide whether an incident stays contained or escalates. 

• Evasion must be assumed by default: CAPTCHA abuse, fingerprinting, layered redirects, and sandbox checks are now standard tactics. 

See It for Yourself 

Phishkits behave very differently from what logs alone can show. A live run-through exposes even the most complex phishing chains, from redirects and proxy logic to live credential theft, often within the first 60 seconds of analysis in over 90% of cases. That speed alone can cut investigation time dramatically and help teams act before access spreads. 

Explore interactive phishkit analysis with ANY.RUN 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide, including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.  

Designed for speed and visibility, the solution blends interactive malware analysis with live threat intelligence, giving SOC teams instant insight into attack behavior and the context needed to act faster.  

By integrating ANY.RUN’s Threat Intelligence suite into your existing workflows, you can accelerate investigations, minimize breach impact, and build lasting resilience against evolving threats. 

Frequently Asked Questions (FAQ) 

The post Phishing Kit Attacks 101: Everything SOC Analysts Should Know  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the two “critical” vulnerabilities is “less likely.” 

CVE‑2025‑62562 is a Microsoft Outlook remote code execution vulnerability. Although it involves a use after free in Microsoft Office Outlook to allow an unauthorized attacker to execute code locally, an attacker would still need to send a malicious email and persuade the user to reply to it for the exploit to work.  

CVE-2025-62553, CVE-2025-62554, CVE-2025-62556 and CVE-2025-62557 are Microsoft Office Remote Code Execution Vulnerability. An attacker can access resources using incompatible type (‘type confusion’) or use after free or untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally. Despite some of them being considered “critical”, the successful exploitation of this vulnerability requires an attacker to execute exploit code from the local machine to exploit the vulnerability. 

CVE-2025-62456 is a Remote Code Execution Vulnerability in Windows Resilient File System (ReFS). The vulnerability is based on heap-based buffer overflow in Windows Resilient File System (ReFS) that allows an authorized attacker to execute code over a network. Although the vulnerability has high CVSS scores, Microsoft has assessed that this exploitation in the wild is unlikely. 

CVE-2025-62549 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. An attacker could exploit this vulnerability by deceiving a user to send a request to a malicious server. The malicious server could then respond with crafted data that may lead to arbitrary code execution on the user’s system. However, exploitation of this vulnerability requires user interaction, meaning the attacker must wait for the user to initiate a connection to the malicious server set up by the attacker before the exploit can occur. This dependency on user action increases the complexity of a successful attack. 

CVE‑2025‑62565 and CVE‑2025‑64661 are Windows Shell elevation‑of‑privilege vulnerabilities. They involve issues such as use after free or concurrent execution using shared resources with improper synchronization (‘race condition’) in Windows Shell which could allow a local authorized attacker to gain higher privileges on the system. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

• CVE-2025-62454 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
• CVE-2025-62458 – Win32k Elevation of Privilege Vulnerability 
• CVE-2025-62470 – Windows Common Log File System Driver Elevation of Privilege Vulnerability 
• CVE-2025-62472 – Windows Remote Access Connection Manager Elevation of Privilege Vulnerability 
• CVE-2025-59516 and CVE-2025-59517– Windows Storage VSP Driver Elevation of Privilege Vulnerability 
• CVE-2025-62221 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 62486, 62487, 65555-65562, 65571-65574. There are also these Snort 3 rules: 300719, 301351-301354, 301356, 301357.

Cisco Talos Blog – ​Read More

• While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. 
• The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. 
• The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery. 
• The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files. 
• This custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques, which complicate recovery.

Disabling EDR services via BYOVD technique 

T1211 – Exploitation for defense evasion 

Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload. 

The attack relied on “BdApiUtil.sys”, a legitimate Baidu Antivirus driver containing an Improper Privilege Management vulnerability with CVE-2024-51324 — which the actor disguised using the file name “DriverGay.sys”. This Improper Privilege Management vulnerability exposes a critical function in the driver program that allows unprivileged users to terminate any process on the system at the kernel level. 

The attack began when the actor dropped the loader (using the file name “EDRGay.exe”) and the vulnerable driver into the victim’s Videos folder and ran the loader. The loader, running in user mode, initializes the driver and establishes a connection via the CreateFile() Windows API. It specifies the driver’s real device name (“\.BdApiUtil”) to obtain a handle which essentially acts as a “ticket” to authorize future communication between the loader and the driver. 

Once connected, the loader enumerates running system processes to identify the process ID (PID) of the target antivirus or EDR solution. To trigger the exploit, it calls the DeviceIOControl() function, passing the target PID along with the specific I/O Control Code (IOCTL) 0x800024b4. 

This 32-bit IOCTL value is structured to instruct the driver exactly how to operate: 

• Device Type: 0x8000 
• Access: 0x0 (FILE_ANY_ACCESS) 
• Method: 0x0 (METHOD_BUFFERED) 
• Function Code: 0x92D 

Upon receiving the request, the driver decodes the function code 0x92D as a “terminate process” command. Due to the CVE-2024-51324 vulnerability, the driver fails to validate if the user-mode program has the necessary permissions to make this request. Because the driver operates in kernel mode with the highest system privileges, it blindly accepts the command and executes ZwTerminateProcess(), instantly killing the targeted security service. 

PowerShell script for inhibiting system recovery 

T1548.002 – Bypass User Account Control 

T1490 – Inhibit system recovery  

Talos observed that the threat actor executed a PowerShell script in the victim’s machine before the encryption process. The PowerShell script is a pre-encryption preparation component of the attack that the actor used to bypass the UAC, disable the detection services, and inhibit the system recovery of the victim machine.  

The script implements a privilege escalation mechanism through the Test-Admin function that automatically detects current user permissions and re-launches itself with administrative privileges using the Verb RunAs parameter, ensuring it operates with the necessary system-level access required for service manipulation and shadow copy deletion. This elevation technique bypasses UAC prompts through the exec bypass execution policy override, allowing the script to execute without standard PowerShell security restrictions. 

The main functionality of the script centers around service termination, designed to disable security software, backup systems, and database applications that could affect the ransomware encryption process. It includes an extensive exclusion list of Windows services that must remain operational to maintain basic functionality of the system for ransom payment discussions and processing, including core networking services (Winrm, Dns, Dhcp), authentication mechanisms (Kdc, Netlogon, Lsm), and essential system components (Rpcss, Plugplay, Eventlog).  

The script targets the running services outside the exclusion list, which not only terminates active services but permanently disables their startup configuration to prevent automatic recovery during system reboots.  

The script executes commands to delete all volume shadow copy snapshots, eliminating the victim’s ability to recover the system. It has a self-deletion mechanism that removes the traces of its existence in the victim machine, hindering the forensic analysis efforts.  

Talos found that the threat actor disabled several other commands in the script that are designed to eliminate network shares and terminate system process and services through alternative methods. The network share deletion commands target specific Windows file sharing infrastructure through Windows Management Instrumentation (WMI) queries, removing all standard network shares while preserving administrative and domain controller shares, effectively isolating the infected system from network file sharing capabilities that could be used for lateral movement or data exfiltration activities. Subsequently, there are commands that target print-related shares by removing print$ and prnproc$ administrative shares, disrupting network printing services that could potentially be used as communication channels or recovery mechanisms.  

There are also process termination commands which are designed to directly kill the PIDs associated with the running services that are not on the exclusion list, bypassing standard service shutdown procedures that would trigger alerts before termination.  

Talos spotted a service startup modification command in the script that shows the advanced Windows service management techniques used to permanently alter service startup configurations, ensuring that even after system reboots, targeted services remain disabled. 

We also observed a file-based exclusion technique in the final section of the script where it reads the exclusion service names from an external file “run[.]txt”, indicating the dynamic control of the service exclusion list depending upon the targeted environments.  

Other notable TTPs 

Talos discovered several other notable TTPs of the DeadLock ransomware attacks from the telemetry data. Our assessment revealed that the actor had access to the victim’s network five days prior to the ransomware deployment.   

Initial access and system registry modification  

T1078 – Valid Accounts 

T1112 – Modify Registry 

T1021.001 – Remote Desktop Protocol 

T1562.004 – Disable or Modify System Firewall 

T1569.002 – Service execution 

Talos suspects that the threat actor leverages the compromised valid accounts to gain access to the victim’s machine based on telemetry data. 

Upon gaining the system access, we observed that the threat actor attempted to enable and expose remote access services on the victim machine by using the reg add command to modify the fDenyTSConnections registry value, which directly enables the machine to accept Remote Desktop Protocol (RDP) connections. Then, the actor executed the netsh advfirewall command to create a new inbound firewall rule, opening TCP port 3389 to ensure RDP traffic isn’t blocked. Finally, they used sc config and sc start to change the RemoteRegistry service to on-demand and immediately start it, allowing them to query and modify the system’s registry from another machine for further reconnaissance and configuration modifications. 

reg add HKLMSYSTEMCurrentControlSetControlTerminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f 

netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow 

sc config RemoteRegistry start= demand 

Sc start RemoteRegistry 

Remote access for persistent connection 

T1219.002 – Remote Desktop Software 

We assess that the threat actor, operating from a compromised user account, installed a new instance of AnyDesk on a specific host one day prior to an encryption event. This action was likely taken to establish persistent, remote access. 

While other instances of AnyDesk were already present in the environment, this new installation was suspicious. The actor used a specific sequence of commands to silently install the software, configure it to start with Windows, and set up a password for unattended access, while disabling updates that might terminate the actor’s connection to the victim’s machine. 

C:AnyDesk.exe --install C:Program Files (x86)AnyDesk --start-with-win --silent --update-disabled 

C:Program Files (x86)AnyDeskAnyDesk.exe --start-service 

C:Program Files (x86)AnyDeskAnyDesk.exe --set-password 

C:Program Files (x86)AnyDeskAnyDesk.exe --control 

Reconnaissance and lateral movement  

T1018 – Remote System Discovery 

T1069.002 – Domain discovery 

T1033 – System owner / user discovery 

T1046 – Network service discovery 

T1218.014 – System Binary proxy execution: MMC 

T1102 – Web Service 

Talos observed several commands the actor executed for internal reconnaissance and lateral movement within the victim environment following the AnyDesk installation, highlighting their intent to discover and move to high-value targets.  

The actor attempted to discover domain controllers, query the domain structure, and enumerate the privileged groups and their members. They performed a connectivity test using a ping command to see if a target machine was reachable and checked the logged-on user details by executing the Quser command.  

Then, with the discovered internal IP addresses, the actor moved laterally by executing the mstsc command to start the Remote Desktop Protocol (RDP) session. They also executed the mmc.exe compmgmt.msc command, which is an alternative remote computer management command without a full interactive RDP session. Finally, the actor executed iexplore.exe, likely to access an internal web resource.  

Nltest /dclist 

Nltest  

Nltest dclist: DC HOST NAME 

Net local group /domain  

Mstsc.exe /v:   

Ping  

Quser 

iexplore.exe http: INTERNAL IP ADDRESS 

mmc.exe compmgmt.msc /computer: INTERNAL IP ADDRESS 

Impair defenses 

T1562.001 – Disable or Modify tools 

T1218 – System Binary Proxy Execution 

Talos observed that the actor modified the Windows Defender settings using legitimate Windows executable SystemSettingsAdminFlows.exe. By executing the following commands, the actor disabled Real-Time Protection (RTP) in Windows Defender. They subsequently disabled cloud-based protections through the command SpynetReporting 0, which stops the machine from sending threat reports to Microsoft. The command SubmitSamplesConsent 0 prevents Windows Defender from automatically submitting suspicious files for analysis. 

SystemSettingsAdminFlows.exe Defender RTP 1 

SystemSettingsAdminFlows.exe Defender SpynetReporting 0 

SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0 

SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1 

DeadLock ransomware 

Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other ransomware actors, this threat actor does not operate a data leak site. Instead, victims are persuaded to contact the threat actor operating the DeadLock ransomware via Session messenger. 

The DeadLock ransomware encryptor is specifically designed to target the Windows environment. The encryptor binary was written in C++ and compiled in July 2025, indicating the start time of the threat actor’s operation. 

Upon execution, the DeadLock ransomware immediately drops and executes an embedded batch script (.cmd) in the victim’s “ProgramData” folder. This script functions as a loader, first preparing the system by setting up the console code page to UTF-8 by executing the command chcp 65001. This step ensures that the ransom note can be displayed correctly, even with special or non-English characters. After configuring the environment, the script stealthily launches the main ransomware binary and then deletes itself to remove its tracks. 

The ransomware then uses a process hollowing technique to inject itself into the targeted process rundll32.exe, masquerading as a normal system process in the victim machine. 

Ransomware configuration data 

The DeadLock ransomware relies on a massive 8,888-byte configuration block embedded directly within its binary to dictate its entire operational strategy. Upon execution, the ransomware parses this data using pipe (|) delimiters and loads the structure into memory in the following format: 

[CRYPTO_SEED] | [TIMING] | [PROCESSES] | [SERVICES] | [EXCLUDED_EXTENSIONS] | [EXCLUDED_PATHS] | [CAMPAIGN_ID] | [RANSOM_NOTE] | [HTML_MARKER] | [VISUAL_DATA] 

Talos identified a hardcoded 65-character numeric string within the configuration that serves as the base key for the encryption function:  

10581067105910871088211520721049106420921068109010791065111492178193

This key is coupled with specific timing parameters (1000, 0055242988), which are likely used to implement execution delays and initialize pseudo-random number generation seeds. 

The configuration contains a comprehensive “kill list” designed to disable security controls, remote access tools, and file-locking applications. 

The ransomware terminates standard Windows utilities (e.g., Explorer, PowerShell, Task Manager), alongside specific high-value targets: 

• Remote access: AnyDesk, RustDesk, Microsoft Remote Desktop connection (mstsc). 
• Cloud storage: Dropbox, OneDrive. 
• Security: Antimalware Service (msmpeng), SecurityHealthService, SmartScreen. 

The ransomware targets services to release file handles and disable defenses, specifically: 

• Databases: Microsoft SQL Server (including named instances like MSSQL$VEEAMSQL2012), Sybase SQL Anywhere (dbsrv12), and MySQL (FishbowlMySQL). 
• Backup and recovery: Enterprise solutions including Veeam (VeeamTransportSvc), Veritas Backup Exec, Acronis, CA Arcserve, and Carbonite. 
• Security suites: Endpoint protection components from Symantec/Norton (ccEvtMgr, RTVscan), McAfee (MVArmor), and 360 Security defender (zhudongfangyu). 
• Business applications: Intuit QuickBooks, Microsoft Exchange, Apache Tomcat, and VMware tools (vmware-usbarbitator6s4). 

To ensure the OS remains stable enough for the victim to pay the ransom, the configuration enforces strict exclusion lists: 

• Critical folders: $recycle.bin, Program Files, ProgramData, Windows, and System Volume Information. 
• File extensions: A vast list of executables, drivers, and system files, including .exe, .dll, .sys, .msi, .lnk, and .boot. 
• Critical files: Boot loaders and system configuration files, such as bootmgr, ntldr, ntuser.dat, and desktop.ini. 

The configuration block also stores the full plaintext ransom note along with an HTML marker (<!doctype html>) indicates the ransomware is also capable of generating an HTML version of the note. Additionally, Talos observed a unique 64-character, SHA256-like hash value which likely serves as a specific campaign identifier or infection marker. 

DeadLock ransomware encryption process 

The Deadlock ransomware encryption operation is a sophisticated approach which includes recursive directory traversal, memory-mapped file I/O, custom stream cipher implementation, and multi-threaded processing to efficiently encrypt entire file systems while avoiding detections through custom cryptographic implementations rather than standard Windows cryptographic APIs.  

The encryption orchestration function begins its operation with the recursive directory traversal to enumerate all accessible files on the target system while applying the exclusion filters from the parsed configuration data. 

Then the encryption orchestration function executes another key generation function that relies on time-based seeding from system timers through the function GetSystemTimeAsFileTime along with complex mathematical operations producing 8-byte pseudo-random encryption key streams. 

Finally, it executes the core encryption function which first performs a UTF-8 validation check on the file’s content and processes file data in 16-byte blocks. For each byte it applies to the stream cipher using the generated pseudo-random key stream, ultimately encrypting the file data in the memory and writing the encrypted result back to the filesystem.  Then the ransomware renames the encrypted file by appending the hexadecimal identifier and the file extension “.dlock” to the encrypted files. 

To evade the automated sandbox analysis, the ransomware executes a delay function, which implements a 50-second delay before it initiates the encryption action. 

During its execution, the DeadLock ransomware drops an icon file, Windows batch script, and a bitmap image file in the ProgramData folder of the victim machine.  

Talos observed that the ransomware replaces the icon of encrypted files with a custom icon file by configuring the path of the dropped icon file to the file extension .dlock in the “DefaultIcon” registry key of the victim machine Software registry hive.  

After encryption, the actor also changed the victim machine’s desktop wallpaper to a custom wallpaper and disabled the command line utilities in the victim machine.  

The ransomware drops the ransom note in each of the folders in the victim machine where the targeted files have been encrypted. 

The DeadLock ransom note displays an alarming claim of “military-grade encryption” followed by a six-step recovery process. The ransom note also describes the acceptance of ransom payment in Bitcoin or Monero and indicates warnings against file renaming or third-party decryption attempts. The personal identifier “READ ME.hex_identifier.txt” at the end of the ransom note is likely a victim identification marker. 

The threat actor employs the Session messenger as their primary communication platform, leveraging its end-to-end encryption and anonymity features to evade law enforcement surveillance while maintaining victim contact through the session ID. 

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for the threats are:  65576, 65575 and 301358.

ClamAV detections are also available for this threat: 

• Win.Tool.EDRKiller-10058432-0 
• Win.Tool.VulnBaiduDriver-10058431-1 
• Ps.Tool.DeleteShadowCopies-10058429-0 
• Win.Ransomware.Deadlock-10058428-0 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed an out-of-bounds read vulnerability in PDF XChange Editor, and ten vulnerabilities in Socomec DIRIS Digiware M series and Easy Config products.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

PDF XChange vulnerabilities

Discovered by KPC of Cisco Talos.

PDF XChange Editor is freemium software used to create, edit, digitally sign, and otherwise handle PDF files. Talos discovered TALOS-2025-2280 (CVE-2025-58113), an out-of-bounds read vulnerability in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

Socomec vulnerabilities

Discovered by Kelly Patterson of Cisco Talos.

Talos discovered nine vulnerabilities in the Socomec DIRIS Digiware M-70 version 1.6.9. DIRIS Digiware M series are multifunction communication gateways that act as a point of access to Digiware systems, combining power supply and communication control monitoring. 

One disclosed vulnerability is also in the Socomec Easy Config System. This software is used to configure and monitor Socomec power monitoring and control equipment. 

Socomec DIRIS Digiware M Series

TALOS-2024-2115 (CVE-2024-48894) is a cleartext transmission vulnerability. Specially crafted HTTP requests can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

TALOS-2024-2116 (CVE-2024-53684) is a cross-site request forgery. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability.

TALOS-2024-2118 (CVE-2024-49572) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2024-2119 (CVE-2024-48882) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2138 (CVE-2025-20085) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2139 (CVE-2025-23417) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2248 (CVE-2025-54848-CVE-2025-54851) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP functionalities. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

TALOS-2025-2251 (CVE-2025-55221-CVE-2025-55222) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP USB Function functionalities. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2152 (CVE-2025-26858) is a buffer overflow vulnerability in the Modbus TCP functionality. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

Socomec Easy Config System

TALOS-2024-2117 (CVE-2024-45370) is an authentication bypass vulnerability in the User profile management functionality. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

Cisco Talos Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

“They say that a person’s personality is the sum of their experiences. But that isn’t true, at least not entirely, because if our past was all that defined us, we’d never be able to put up with ourselves. We need to be allowed to convince ourselves that we’re more than the mistakes we made yesterday. That we are all of our next choices, too, all of our tomorrows.” ― Fredrik Backman 

It’s December, so ‘tis the season to enjoy the onslaught that is a reflection of your year. Here there be tygers… and Spotify Wrapped,  Goodreads Year in Books, Duolingo Year in Review, and… and…  

This is the perfect opportunity to reflect on the defining moments of your career in information security. I can predict, without fail, your defining moment. No matter the length of that career and no matter the breadth and depth of your knowledge, I can assure you that the defining moment is not when you flexed your expertise, but rather when you made the most impactful mistake you can make in your given role at the time. 

Ask any practitioner for a success story and it’s a struggle — partially because they aren’t that memorable and partially because it stokes the imposter syndrome fire to five-alarm bonfire levels. Ask the same practitioner for examples of huge mistakes or failures and get ready for never-ending stories. The best part about that is that not only are those stories wildly entertaining, they are also incredibly instructive. Not only have I learned the most in my career BY FAR from my mistakes, but I’ve learned a lot from the mistakes of my peers and friends. They just seem to make them less often, which is really infuriating (and there goes my imposter syndrome). 

So, take a second to look back on the biggest mistakes in 2025 and in your career. Go on, open your Notes app (after finishing this fantastic newsletter, of course). Then pull up a stump, take some time in one of the big team get-togethers that are so common during this time of year, and share. You’ll entertain, you’ll teach, you’ll connect, and you’ll learn from your peers who will jump in to share the bizarre and hilarious missteps that led them to their current job. 

“I’ve missed more than 9,000 shots in my career. I’ve lost almost 300 games. 26 times I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.” — Michael Jordan 

The one big thing

Cisco Talos released a blog exploring how generative AI (GenAI) is changing cybersecurity for both attackers and defenders. Adversaries are using GenAI for coding, phishing, evasion, and vulnerability discovery, especially as uncensored models become more widely available. While GenAI’s direct role in malware is still limited, its use in social engineering and vulnerability hunting is quickly growing. For defenders, GenAI provides powerful tools to process large amounts of threat data, respond to incidents faster, and proactively find code vulnerabilities. 

Why do I care?

GenAI is lowering the barrier for adversaries to launch sophisticated attacks and discover new vulnerabilities, making threats more dynamic and harder to predict. At the same time, defenders who harness GenAI effectively can level the playing field. GenAI can help defenders overcome issues created by analyst shortages and overwhelming data volumes, gaining the edge in detection and response. 

So now what?

Now’s the time for security teams to start experimenting with GenAI in their daily work — think threat detection, incident response, and reviewing code for vulnerabilities. It’s also important to get comfortable with these tools and train teams so everyone knows how to use them wisely. As GenAI keeps evolving, staying flexible and combining smart automation with human expertise will be key to staying secure.

Top security headlines of the week 

Police disrupt “Cryptomixer,” seize millions in crypto 
Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities. (Dark Reading) 

Malicious Rust crate delivers OS-specific malware to Web3 developer systems 
Researchers have discovered a malicious Rust package that features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. (The Hacker News) 

Chrome, Edge extensions caught tracking users, creating backdoors 
A threat actor published over one hundred extensions, which were seen profiling users, reading cookie data to create unique identifiers, and executing payloads with browser API access. (SecurityWeek) 

CISA warns of ScadaBR vulnerability after hacktivist ICS attack 
CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with an old “OpenPLC ScadaBR” flaw that was recently leveraged by hackers to deface a honeypot they believed to be an industrial control system (ICS). (SecurityWeek) 

New legislation targets scammers that use AI to deceive 
Following a rash of AI-assisted impersonations of U.S. officials, the bill would raise the financial and criminal penalties around using the technology to defraud. (CyberScoop)

Can’t get enough Talos? 

Ranksgiving Returns: The Appetizer Uprising
Guess who’s back? Hazel, Bill and Joe welcome back fresh-from-parental-leave Dave Liebenberg, who has returned with a new baby and some truly chaotic Thanksgiving opinions.

Cisco Talos Incident Response: Threat Hunting at GovWare 2025 
Yuri Kramarz goes behind the scenes of the Security Operations Centre (SOC) at the GovWare Conference and Exhibition in Singapore, which Talos IR supported for the first time this year.

Talos Takes: When you’re told “no budget” 
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn.

Upcoming events where you can find Talos 

• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 
• Black Hat Europe (Dec. 8 – 11) London, U.K. 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: ck8yh2og.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: ~6325.tmp 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: g77wokon.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

Cisco Talos Blog – ​Read More