The education sector is notoriously short on cash, but rich in assets for threat actors to target. How can managed detection and response (MDR) help learning institutions regain the initiative?
WeLiveSecurity – Read More
In 2022, we dived deep into an attack method called browser-in-the-browser — originally developed by the cybersecurity researcher known as mr.d0x. Back then, no actual examples existed of this model being used in the wild. Fast-forward four years, and browser-in-the-browser attacks have graduated from the theoretical to the real: attackers are now using them in the field. In this post, we revisit what exactly a browser-in-the-browser attack is, show how hackers are deploying it, and, most importantly, explain how to keep yourself from becoming its next victim.
For starters, let’s refresh our memories on what mr.d0x actually cooked up. The core of the attack stems from his observation of just how advanced modern web development tools — HTML, CSS, JavaScript, and the like — have become. It’s this realization that inspired the researcher to come up with a particularly elaborate phishing model.
A browser-in-the-browser attack is a sophisticated form of phishing that uses web design to craft fraudulent websites imitating login windows for well-known services like Microsoft, Google, Facebook, or Apple that look just like the real thing. The researcher’s concept involves an attacker building a legitimate-looking site to lure in victims. Once there, users can’t leave comments or make purchases unless they “sign in” first.
Signing in seems easy enough: just click the Sign in with {popular service name} button. And this is where things get interesting: instead of a genuine authentication page provided by the legitimate service, the user gets a fake form rendered inside the malicious site, looking exactly like… a browser pop-up. Furthermore, the address bar in the pop-up, also rendered by the attackers, displays a perfectly legitimate URL. Even a close inspection won’t reveal the trick.
From there, the unsuspecting user enters their credentials for Microsoft, Google, Facebook, or Apple into this rendered window, and those details go straight to the cybercriminals. For a while this scheme remained a theoretical experiment by the security researcher. Now — real-world attackers have added it to their arsenals.
Attackers have put their own spin on mr.d0x’s original concept: recent browser-in-the-browser hits have been kicking off with emails designed to alarm recipients. For instance, one phishing campaign posed as a law firm informing the user they’d committed a copyright violation by posting something on Facebook. The message included a credible-looking link allegedly to the offending post.
Attackers sent messages on behalf of a fake law firm alleging copyright infringement — complete with a link supposedly to the problematic Facebook post. Source
Interestingly, to lower the victim’s guard, clicking the link didn’t immediately open a fake Facebook login page. Instead, they were first greeted by a bogus Meta CAPTCHA. Only after passing it was the victim presented with the fake authentication pop-up.
This isn’t a real browser pop-up; it’s a website element mimicking a Facebook login page — a ruse that allows attackers to display a perfectly convincing address. Source
Naturally, the fake Facebook login page followed mr.d0x’s blueprint: it was built entirely with web design tools to harvest the victim’s credentials. Meanwhile, the URL displayed in the forged address bar pointed to the real Facebook site — www.facebook.com.
The fact that scammers are now deploying browser-in-the-browser attacks just goes to show that their bag of tricks is constantly evolving. But don’t despair — there’s a way to tell if a login window is legit. A password manager is your friend here, which, among other things, acts as a reliable security litmus test for any website.
That’s because when it comes to auto-filling credentials, a password manager looks at the actual URL, not what the address bar appears to show, or what the page itself looks like. Unlike a human user, a password manager can’t be fooled with browser-in-the-browser tactics, or any other tricks, like domains having a slightly different address (typosquatting) or phishing forms buried in ads and pop-ups. There’s a simple rule: if your password manager offers to auto-fill your login and password, you’re on a website you’ve previously saved credentials for. If it stays silent, something’s fishy.
Beyond that, following our time-tested advice will help you defend against various phishing methods, or at least minimize the fallout if an attack succeeds:
Finally, this post serves as yet another reminder that theoretical attacks described by cybersecurity researchers often find their way out into the wild. So, keep an eye on our blog, and subscribe to our Telegram channel to stay up to speed on the latest threats to your digital security and how to shut them down.
Read about other inventive phishing techniques scammers are using day in day out:
Kaspersky official blog – Read More
Modern software development relies on containers and the use of third-party software modules. On the one hand, this greatly facilitates the creation of new software, but on the other, it gives attackers additional opportunities to compromise the development environment. News about attacks on the supply chain through the distribution of malware via various repositories appears with alarming regularity. Therefore, tools that allow the scanning of images have long been an essential part of secure software development.
Our portfolio has long included a solution for protecting container environments. It allows the scanning of images at different stages of development for malware, known vulnerabilities, configuration errors, the presence of confidential data in the code, and so on. However, in order to make an informed decision about the state of security of a particular image, the operator of the cybersecurity solution may need some more context. Of course, it’s possible to gather this context independently, but if a thorough investigation is conducted manually each time, development may be delayed for an unpredictable period of time. Therefore, our experts decided to add the ability to look at the image from a fresh perspective; of course, not with a human eye — AI is indispensable nowadays.
Our Kaspersky Container Security solution (a key component of Kaspersky Cloud Workload Security) now supports an application programming interface for connecting external large language models. So, if a company has deployed a local LLM (or has a subscription to connect a third-party model) that supports the OpenAI API, it’s possible to connect the LLM to our solution. This gives a cybersecurity expert the opportunity to get both additional context about uploaded images and an independent risk assessment by means of a full-fledged AI assistant capable of quickly gathering the necessary information.
The AI provides a description that clearly explains what the image is for, what application it contains, what it does specifically, and so on. Additionally, the assistant conducts its own independent analysis of the risks of using this image and highlights measures to minimize these risks (if any are found). We’re confident that this will speed up decision-making and incident investigations and, overall, increase the security of the development process.
In addition to adding API to connect the AI assistant, our developers have made a number of other changes to the products included in the Kaspersky Cloud Workload Security offering. First, they now support single sign-on (SSO) and a multi-domain Active Directory, which makes it easier to deploy solutions in cloud and hybrid environments. In addition, Kaspersky Cloud Workload Security now scans images more efficiently and supports advanced security policy capabilities. You can learn more about the product on its official page.
Kaspersky official blog – Read More
The geopolitical landscape of the Middle East has entered one of its most volatile phases in decades. On February 28, 2026, tensions that had been simmering for years erupted into a full‑blown conflict involving the Islamic Republic of Iran, the United States, and Israel. A confluence of diplomatic stalemate, military posturing, and covert cyber preparations set the stage for what would evolve from a localized confrontation into an expansive, multi‑domain campaign.
The conflict’s opening salvo — codenamed Operation Epic Fury by the US and Operation Roaring Lion by Israel — was not just a conventional military assault. It was a synchronized hybrid offensive in which cyber operations were integrated as a co‑equal domain with kinetic strikes, psychological messaging, and information warfare. Over the course of the first 72 hours, from February 28 to March 3, kinetic blows and digital disruptions merged in ways that revealed both the strengths and vulnerabilities of actors across the region.
Throughout this critical period, Cyble Research and Intelligence Labs (CRIL) has been meticulously tracking the movements, attacks, claims, and associated cyber activity between Iran, Israel, and the US, providing real‑time insights into both the kinetic strikes and the evolving threat landscape.
In the days leading up to February 28, the Middle East witnessed a massive US military buildup, the largest since the 2003 Iraq invasion. Aircraft carriers, fighter wings, and intelligence assets positioned themselves within striking range of Iran’s borders. At the same time, indirect nuclear negotiations in Geneva appeared, momentarily, to offer a diplomatic pathway, with Iran publicly agreeing to halt enrichment stockpiling under International Atomic Energy Agency (IAEA) supervision. However, distrust and strategic imperatives among the US, Israel, and Tehran rendered the diplomatic exercise insufficient to prevent escalation.
At approximately 06:27 GMT, the first concerted wave of strikes hit Iran. US‑Israeli forces began a broad assault across more than two dozen provinces, targeting nuclear facilities, IRGC command centers, ballistic missile launchers, and secure compounds tied to the Iranian leadership. The offensive reportedly included the targeted killing of Supreme Leader Ayatollah Ali Khamenei, a moment that marked a profound turning point in the conflict.
What set the opening apart from traditional air campaigns was its immediate cyber component. For the first time on such a scale, network disruption was planned to coincide with a kinetic impact. Independent monitors observed Iranian internet connectivity collapse to roughly 1–4% of normal levels as cyberattacks crippled state media, government digital services, and military communications.
Popular local services, including widely used mobile applications and prayer tools, were reportedly compromised to sow confusion and prompt defections, while defaced state news sites delivered messages contradicting official Iranian narratives.
Before the current situation, MuddyWater, long associated with Iran‑linked cyber campaigns, remained a critical piece of the pre‑existing threat landscape. Alongside other advanced persistent threat (APT) groups — such as APT42 (Charming Kitten), Prince of Persia / Infy, UNC6446, and CRESCENTHARVEST — these campaigns had already been active before February 28, conducting phishing, exploitation of public servers, and information theft targeting Israeli, US, and regional networks.
While Iran’s domestic internet infrastructure faltered, the US‑Israeli offensive extended psychological operations into Israeli territory. Threatening messages referencing national ID numbers and fuel shortages arrived in civilians’ inboxes, and misinformation campaigns amplified anxieties even as authorities worked to blunt digital interference.
Iran’s kinetic retaliation was swift and forceful. From March 1 onward, waves of ballistic missiles and drones launched at Israel, Gulf Cooperation Council (GCC) states, and US military bases reinforced that Tehran’s response would not be limited to symbolic posturing. The UAE alone intercepted hundreds of projectiles, resulting in civilian casualties and infrastructure damage, including at Dubai’s international airport and an AWS cloud data center within its mec1‑az2 availability zone.
On the cyber front, March 1 started the dramatic expansion of hacktivist activity across the region. More than 70 groups — spanning ideological spectrums and even blending pro‑Iranian and pro‑Russian motivations — activated operations in parallel with state responses. An Electronic Operations Room organized by Iraqi‑aligned hackers, such as Cyber Islamic Resistance / Team 313 began orchestrating distributed denial‑of‑service (DDoS) attacks, website defacements, and theft of credentials across national government portals and key infrastructure systems in Turkey, Poland, and GCC states.
One of the most technically significant artifacts of March 1 was a malicious RedAlert APK observed by Unit 42 analysts. Designed to mimic Israel’s official missile alert app, this payload was distributed via Hebrew‑language SMS links. Once installed, it collected sensitive device and user information — contacts, SMS logs, IMEI numbers, and email credentials — with encrypted exfiltration mechanisms and anti‑analysis protections, providing a rare glimpse of tradecraft resembling state‑level cyber operations at a time when Iranian domestic internet access was severely limited.
Beyond MuddyWater and other established APTs, opportunistic cybercriminals exploited the chaos through social engineering campaigns in the UAE.
The kinetic campaign broadened on March 2 with the destruction of the IRGC’s Malek‑Ashtar headquarters in Tehran. By March 3, Israeli forces had struck Iran’s state broadcaster, further constraining Tehran’s ability to manage domestic information and cyber operations. The extended internet blackout — persisting well into the third day — continued to isolate Iranian networks, allowing external campaigns to operate with limited interference.
Several digital fronts emerged during this period:
Throughout March 1–3, analysts noted that most observed cyber activity fell into the realm of DDoS attacks, exposed CCTV feeds, and information operations rather than destructive intrusions into industrial control systems — although unverified claims of SCADA manipulation circulated widely in pro‑Iranian forums.
The first 72 hours of Operation Epic Fury reveal several critical insights about modern conflict dynamics in the Middle East:
These dynamics suggest that defenders in the region — from government CERTs to multinational enterprises — must maintain heightened vigilance across both technical and psychological threat vectors, with particular emphasis on credential harvesting, DDoS mitigation, and proactive monitoring of emerging malware campaigns.
The events from February 28 to March 3 highlight that the US‑Israeli offensive against Iran — launched as Operation Epic Fury — is not merely a military confrontation but a hybrid engagement across kinetic, cyber, and informational domains. While Iran’s internet infrastructure remains degraded, sophisticated pre‑positioned capabilities could still be activated in the coming weeks, particularly if connectivity is restored. Meanwhile, the hacktivist theatre continues to grow in both volume and geographic scope, even as the technical sophistication of most operations remains limited.
In this environment, security practitioners and strategic planners must be prepared for adaptive threat behavior that blends political motivations with opportunistic cybercrime — a reality that defines the 21st‑century battlespace in the Middle East and beyond.
The post Middle East on the Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict appeared first on Cyble.
Cyble – Read More
Cisco Talos continues to monitor the ongoing conflict in the Middle East. As always, we will be watching closely for any cyber-related incidents that are tied to the conflict. At this time we have not seen any significant cyber impacts, with some small incidents such as web defacements and small-scale distributed-denial-of-service (DDoS) attacks occurring. As with any highly fluid or dynamic situation, we are focused on providing our customers with highly accurate and timely intelligence and information.
Iranian groups involved in this conflict have historically operated primarily in the espionage, destructive attack, and hack-and-leak landscapes. We expect these, along with the mentioned activity, to be the most likely avenues in the near term.
Please see the following Talos research into regional actors in this area:
The data has thus far supported the belief that this will be a regional war with a large focus on kinetic activity, but that can change, we’ll continue to monitor and will update accordingly. Currently there does not appear to be any significant increase in cyber activity associated with state-sponsored or state-affiliated groups.
Any possible impacts will likely be from sympathetic groups like hacktivists, some of whom have already launched website defacement and DDoS campaigns in support of Iran. Additionally, cyber criminals are likely to take advantage of the war to try and increase their scope of infections through the use of lures and other social engineering avenues. Users are reminded to be vigilant when clicking links and opening documents, as it is common for criminals to leverage these conflicts as cover for monetary gain.
Talos is well-versed in monitoring wartime environments with our ongoing work in Ukraine and across the globe. We will remain vigilant looking to identify any cyber related activity relevant to the region. If and/or when more relevant information becomes available, we will update this blog accordingly.
Recommendations for organizations are currently focused on security hygiene, to include having multi-factor authentication (MFA) enabled, being diligent around any links or documents that are circulating, and ensuring you have proper monitoring in place to ensure you are prepared for any collateral impacts as they arise.
Since this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners and third-party suppliers in the region will be paramount. Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization.
Employee awareness: Beware of “hacktivist” lures
Third-party risk assessment
Mitigate “nuisance” attacks and defacements
As always, ensure all software has been updated to the latest versions to minimize the attack surface and ensure you have a robust patching process. Many updated software versions have improvements in security and visibility capabilities that can help in cyber defense.
Cisco Talos Blog – Read More
Can a computer be infected with malware simply by processing a photo — particularly if that computer is a Mac, which many still believe (wrongly) to be inherently resistant to malware? As it turns out, the answer is yes — if you’re using a vulnerable version of ExifTool or one of the many apps built based on it. ExifTool is a ubiquitous open-source solution for reading, writing, and editing image metadata. It’s the go-to tool for photographers and digital archivists, and is widely used in data analytics, digital forensics, and investigative journalism.
Our GReAT experts discovered a critical vulnerability — tracked as CVE-2026-3102 — which is triggered during the processing of malicious image files containing embedded shell commands within their metadata. When a vulnerable version of ExifTool on macOS processes such a file, the command is executed. This allows a threat actor to perform unauthorized actions in the system, such as downloading and executing a payload from a remote server. In this post, we break down how this exploit works, provide actionable defense recommendations, and explain how to verify if your system is vulnerable.
ExifTool is a free, open-source application addressing a niche but critical requirement: it extracts metadata from files, and enables the processing of both that data and the files themselves. Metadata is the information embedded within most modern file formats that describes or supplements the main content of a file. For instance, in a music track, metadata includes the artist’s name, song title, genre, release year, album cover art, and so on. For photographs, metadata typically consists of the date and time of a shot, GPS coordinates, ISO and shutter speed settings, and the camera make and model. Even office documents store metadata, such as the author’s name, total editing time, and the original creation date.
ExifTool is the industry leader in terms of the sheer volume of supported file formats, as well as the depth, accuracy, and versatility of its processing capabilities. Common use cases include:
The list goes on and on. ExifTool is available both as a standalone command-line application and an open-source library, meaning its code often runs under the hood of powerful, multi-purpose tools; examples include photo organization systems like Exif Photoworker and MetaScope, or image processing automation tools like ImageIngester. In large digital libraries, publishing houses, and image analytics firms, ExifTool is frequently used in automated mode, triggered by internal enterprise applications and custom scripts.
To exploit this vulnerability, an attacker must craft an image file in a certain way. While the image itself can be anything, the exploit lies in the metadata — specifically the DateTimeOriginal field (date and time of creation), which must be recorded in an invalid format. In addition to the date and time, this field must contain malicious shell commands. Due to the specific way ExifTool handles data on macOS, these commands will execute only if two conditions are met:
A rare but by no means fantastical scenario for a targeted attack would look like this: a forensics laboratory, a media editorial office, or a large organization that processes legal or medical documentation receives a digital document of interest. This can be a sensational photo or a legal claim — the bait depends on the victim’s line of work. All files entering the company undergo sorting and cataloging via a digital asset management (DAM) system. In large companies, this may be automated; individuals and small firms run the required software manually. In either case, the ExifTool library must be used under the hood of this software. When processing the date of the malicious photo, the computer where the processing occurs is infected with a Trojan or an infostealer, which is subsequently capable of stealing all valuable data stored on the attacked device. Meanwhile, the victim could easily notice nothing at all, as the attack leverages the image metadata while the picture itself may be harmless, entirely appropriate, and useful.
GReAT researchers reported the vulnerability to the author of ExifTool, who promptly released version 13.50, which is not susceptible to CVE-2026-3102. Versions 13.49 and earlier must be updated to remediate the flaw.
It’s critical to ensure that all photo processing workflows are using the updated version. You should verify that all asset management platforms, photo organization apps, and any bulk image processing scripts running on Macs are calling ExifTool version 13.50 or later, and don’t contain an embedded older copy of the ExifTool library.
Naturally, ExifTool — like any software — may contain additional vulnerabilities of this class. To harden your defenses, we also recommend the following:
Finally, if you work with freelancers or self-employed contractors (or simply allow BYOD), only allow them to access your network if they have a comprehensive macOS security solution installed.
Still think macOS is safe? Then read about these Mac threats:
Kaspersky official blog – Read More
In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI tools
WeLiveSecurity – Read More
Start using a new app and you’ll often be asked to grant it permissions. But blindly accepting them could expose you to serious privacy and security risks.
WeLiveSecurity – Read More
In a previous post, we walked through a practical example of how threat attribution helps in incident investigations. We also introduced the Kaspersky Threat Attribution Engine (KTAE) — our tool for making an educated guess about which specific APT group a malware sample belongs to. To demonstrate it, we used the Kaspersky Threat Intelligence Portal — a cloud-based tool that provides access to KTAE as part of our comprehensive Threat Analysis service, alongside a sandbox and a non-attributing similarity-search tool. The advantages of a cloud service are obvious: clients don’t need to invest in hardware, install anything, or manage any software. However, as real-world experience shows, the cloud version of an attribution tool isn’t for everyone…
First, some organizations are bound by regulatory restrictions that strictly forbid any data from leaving their internal perimeter. For the security analysts at these firms, uploading files to a third-party service is out of the question. Second, some companies employ hardcore threat hunters who need a more flexible toolkit — one that lets them work with their own proprietary research alongside Kaspersky’s threat intelligence. That’s why KTAE is available in two flavors: a cloud-based version and an on-prem deployment.
First off, the local version of KTAE ensures an investigation stays fully confidential. All the analysis takes place right in the organization’s internal network. The threat intelligence source is a database deployed inside the company perimeter; it is packed with the unique indicators and attribution data of every malicious sample known to our experts; and it also contains the characteristics pertaining to legitimate files to exclude false-positive detections. The database gets regular updates, but it operates one-way: no information ever leaves the client’s network.
Additionally, the on-prem version of KTAE gives experts the ability to add new threat groups to the database and link them to malware samples they discovered on their own. This means that subsequent attribution of new files will account for the data added by internal researchers. This allows experts to catalog their own unique malware clusters, work with them, and identify similarities.
Here’s another handy expert tool: our team has developed a free plugin for IDA Pro, a popular disassembler, for use with the local version of KTAE.
For a SOC analyst on alert triage, attributing a malicious file found in the infrastructure is straightforward: just upload it to KTAE (cloud or on-prem) and get a verdict, like Manuscrypt (83%). That’s sufficient for taking adequate countermeasures against that group’s known toolkit and assessing the overall situation. A threat hunter, however, might not want to take that verdict at face value. Alternatively, they might ask, “Which code fragments are unique across all the malware samples used by this group?” Here an attribution plugin for a disassembler comes in handy.
Inside the IDA Pro interface, the plugin highlights the specific disassembled code fragments that triggered the attribution algorithm. This doesn’t just allow for a more expert-level deep dive into new malware samples; it also lets researchers refine attribution rules on the fly. As a result, the algorithm — and KTAE itself — keeps evolving, making attribution more accurate with every run.
The plugin is a script written in Python. To get it up and running you need IDA Pro. Unfortunately, it won’t work in IDA Free, since it lacks support for Python plugins. If you don’t have Python installed yet, you’d need to grab that, set up the dependencies (check the requirements file in our GitHub repository), and make sure IDA Pro environment variables are pointing to the Python libraries.
Next, you’d need to insert the URL for your local KTAE instance into the script body and provide your API token (which is available on a commercial basis) — just like it’s done in the example script described in the KTAE documentation.
Then you can simply drop the script into your IDA Pro plugins folder and fire up the disassembler. If you’ve done it right, then, after loading and disassembling a sample, you’ll see the option to launch the Kaspersky Threat Attribution Engine (KTAE) plugin under Edit → Plugins:
When the plugin is installed, here’s what happens under the hood: the file currently loaded in IDA Pro is sent via API to the locally installed KTAE service, at the URL configured in the script. The service analyzes the file, and the analysis results are piped right back into IDA Pro.
On a local network, the script usually finishes its job in a matter of seconds (the duration depends on the connection to the KTAE server and the size of the analyzed file). Once the plugin wraps up, a researcher can start digging into the highlighted code fragments. A double-click leads straight to the relevant section in the assembly or binary code (Hex view) for analysis. These extra data points make it easy to spot shared code blocks and track changes in a malware toolkit.
To learn more about the Kaspersky Threat Attribution Engine and how to deploy it, check out the official product documentation. And to arrange a demonstration or piloting project, please fill out the form on the Kaspersky website.
Kaspersky official blog – Read More
Welcome to this week’s edition of the Threat Source newsletter.
“‘Tis dangerous to take a cold, to sleep, to drink; but I tell you, my lord fool, out of this nettle, danger, we pluck this flower, safety.” – Hotspur, Shakespeare’s Henry IV, Part 1: Act 2 Scene 3
I get it. Hotspur is the quintessential hothead, and we all understand his place in the story. He’s famous for his fiery temperament and impatience with anything that smells of caution or compromise. Hotspur’s whole deal is that you have to take risks if you want to achieve anything worthwhile, but he’s not wrong… at least not fully. Anyone who has been in this field for a while has seen risks lead to disaster and risks lead to success. There is no silver bullet and there is no black and white.
Wait, am I talking about Henry IV and cybersecurity? Yes. Yes, I am, but stick with me and I bet it will make sense to you, as well.
The speed at which all sides have taken on the monumental task of leveraging AI is a paradigm shift, but as we go forward, run into potholes, and see simple avoidable mistakes, I’m reminded that all of this is cyclical. While this feels insurmountable at times, the reality is that the baseline is already starting to be met. Useful outcomes and capabilities are highlighting that the answer is still finding the smartest people in the room. If you know me at all, you’ve heard the axiom, “If you’re the smartest person in the room you’re in the wrong room.” That’s how I got to Talos (now I just hope that they don’t remember that I’m here). If you continue to find the smartest people in the room and surround yourself with them, you will find that peer group full of ideas in this paradigm-shifting era. Allow those ideas to plant seeds in your mind, take a few risks, and let them grow. Use some of these tools (responsibly) in ways that you don’t think will work. You learn from your failures, so take the chance to fail.
I have been using AI to teach myself Golang and Rust by leveraging AI to convert my clunky Perl and Python scripts and broken or questionable proofs of concept into those languages. Sometimes it’s very smooth and works flawlessly, which in turn has made it harder for me to learn, but sometimes I hit the jackpot and it’s a mess. Those messes have taught me the most while frustrating me to new heights. All of this has provided me with new directions to explore.
While it’s overwhelming to read each new story on security flaws found in tools, stories on the latest “hallucinated” errors, and the latest vibe-coded disaster, it’s important to remember that NIMDA happened. Code Red existed. The ILOVEYOU virus walked so that MyDoom could run. Sapphire/Slammer walloped networks, doubling in size every 8.5 seconds. Hotspur contends that we MUST take risks to gain security. In the end, he dies at Hal’s hands (429 year spoiler alert!) because Hal has patiently grown into the mantle of leadership and finds that he wears it well. I’d say that we stand to learn from both of them — Take some risks but continue to be patient and learn the nuance of these new tools, both their capabilities and pitfalls, remembering all the while that this is all new, but we’ve been here before.
“The past is so much safer, because whatever’s in it has already happened. It can’t be changed; so, in a way, there’s nothing to dread.” – Margaret Atwood
Cisco Talos identified an ongoing campaign by UAT-10027, using a new backdoor we call “Dohdoor” since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control (C2) communications and can download and execute additional payloads within legitimate Windows processes. The campaign targets education and health care sectors in the US, using phishing, PowerShell scripts, and DLL sideloading, with C2 infrastructure hidden behind reputable services like Cloudflare.
This threat demonstrates sophisticated techniques that evade traditional security controls, posing risks to organizations with sensitive data such as schools and hospitals. Dohdoor’s use of legitimate Windows tools and encrypted communications makes detection and response challenging. The campaign’s overlap with known APT tactics indicates a high level of adversary skill and persistence. The targeting of critical sectors raises the stakes for potential disruption and data theft.
Security teams should make sure their detection tools are up-to-date with the latest ClamAV and SNORT® signatures we share in the blog. It’s important to keep an eye out for unusual DoH traffic and monitor legitimate Windows tools being used in unexpected ways. Reviewing endpoint logs for signs of anti-forensic activity and process hollowing can help spot infections early. Finally, sharing threat intelligence and best practices with other organizations in your sector can strengthen defenses and improve response to similar threats.
Operation Red Card 2.0 leads to 651 arrests in Africa
In December and January, law enforcement officers from 16 African countries worked with Interpol and private companies to disrupt some major cybercriminal operations. (DarkReading)
PayPal data breach led to fraudulent transactions
Notification letters revealed that the cybersecurity incident was caused by an error in the PayPal Working Capital loan application. The personal information of a “small number of customers” was exposed for nearly six months. (SecurityWeek)
Former L3Harris Trenchant boss jailed for selling hacking tools to Russian broker
Williams was the general manager of the Trenchant division, which sells hacking and surveillance tools to the U.S. government and Five Eyes. (TechCrunch)
Conduent data breach grows
The spillover from a ransomware attack on one of the largest government contractors in the United States keeps getting bigger: More than 25 million people have now had personal data stolen in the hack. (TechCrunch)
Spitting cash: ATM jackpotting attacks surged in 2025
In 2025, criminals cracked 700 of ATMs across the U.S., marking a surprising spike in ATM attacks, according to the FBI, which has recorded around 1,900 incidents since 2020. (DarkReading)
Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
“Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities
A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing.
SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe
Detection Name: W32.Injector:Gen.21ie.1201
SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename: d4aa3e7010220ad1b458fac17039c274_64_Dll.dll
Detection Name: Auto.90B145.282358.in02
SHA256: d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
MD5: 0c883b1d66afce606d9830f48d69d74b
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
Example Filename: d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1.exe
Detection Name: Win.Worm.Zard::95.sbx.tg
Cisco Talos Blog – Read More