If you’ve ever looked at a SOC queue and thought, “Where do we even start?” you’re not alone. 

Most teams face more alerts than they can realistically investigate, tools that don’t always connect, and investigations that take longer than they should. 

In a recent webinar, we shared a simple framework for speeding up detection and response without overloading teams. You can watch the full recording here: SOC Leader’s Playbook 

SOC teams that applied this approach have already seen measurable results: 

• 21 minutes less MTTR per incident 

• 15-second median MTTD 

• 3× improvement in team throughput 

For now, let’s look at how you can apply the same ideas to help your SOC respond faster in real environments. 

The Cost of a Slow SOC 

When detection and response take too long, the impact shows up fast and in very practical ways. 

• Incidents cost more: According to IBM’s Cost of a Data Breach Report 2025, the average breach now costs $4.4 million, and that number grows the longer attackers stay active. 

• Downtime lasts longer: Delayed response means systems stay compromised, business processes slow down, and recovery becomes harder. 

• Teams waste time on noise: Analysts spend hours chasing alerts that turn out to be harmless, often repeating the same checks across different tools. 

• Real threats get missed: Fatigue and overload make it easier for serious incidents to slip through unnoticed. 

• People burn out:  Constant pressure and reactive work drain focus and motivation, especially in Tier 1 teams. 

For SOC leaders, this creates a familiar loop: more alerts, slower response, higher risk, and exhausted teams. Breaking that loop starts with reducing time at every stage, from the first alert to final containment. 

Step 1: Prioritize Incidents and Reduce False Positives 

Speed starts with focus. If your SOC treats every alert the same, response will always be slow. 

Most teams receive far more alerts than they can realistically investigate. Many are low-risk, duplicated, or lack context. Analysts lose time figuring out what an alert actually means instead of responding to real threats. 

The root issue is usually threat intelligence. 

Indicators pulled from public reports often arrive too late, after attackers have already changed infrastructure. Other feeds may be fast but offer no explanation beyond “malicious,” forcing analysts to investigate manually. Automation suffers, false positives rise, and the SOC stays reactive. 

What works 

Effective prioritization depends on threat intelligence that is: 

• Real-time, not report-based 

• Context-rich, showing how an indicator is used 

• Integrated, flowing directly into SIEM, SOAR, and EDR 

When alerts arrive already enriched with reputation, behavior, and risk level, teams can automate routine triage and focus on high-impact incidents. 

How this looks with ANY.RUN 

ANY.RUN delivers this through its Threat Intelligence Feeds. 

TI Feeds provide real-time IOCs sourced from live attacks analyzed in ANY.RUN’s Interactive Sandbox by 15,000 organizations and 500,000 analysts. As a result, 99% of network IOCs are unique and come with links to full sandbox reports for immediate context. 

For SOC teams, this means earlier detection of new threats, fewer false positives, and up to a 20% reduction in Tier 1 workload. 

Step 2: Speed Up Threat Investigations 

Once an alert is prioritized, the next bottleneck is investigation speed. 

Many SOCs still rely on static analysis. It’s fast, but it doesn’t show what actually happens when a file or link runs. Modern malware hides behind obfuscation, delayed execution, or multi-stage delivery, leaving analysts with partial answers and slow decisions. 

To respond quickly, teams need to see real behavior, not just a verdict. 

What actually speeds investigations up 

Effective investigations depend on dynamic analysis that: 

• Integrate with your existing tools to automate investigations and avoid manual handoffs 

• Expose real threat behavior quickly, even in multi-stage or silent attacks 

• Deliver clear, actionable reports with verdicts, IOCs, and TTPs 

• Defeat evasion techniques, forcing malware to reveal itself 

How teams do this with ANY.RUN 

ANY.RUN helps SOC teams move from alert to answer in under 60 seconds. 

By detonating files and URLs in real time, the Interactive Sandbox exposes the full attack chain and automatically generates clear reports with verdicts, IOCs, and attacker techniques. This allows teams to confirm threats quickly and move straight to containment, cutting up to 21 minutes from MTTR per incident. 

Because the results are easy to interpret, even junior analysts can handle more alerts independently. Many teams report up to a 30% reduction in Tier 1–to–Tier 2 escalations, easing pressure on senior staff and speeding up response overall. 

For high-volume workflows, the sandbox also runs in Automated Interactivity mode. Files and URLs can be sent automatically via API, SDK, or native integrations with SOAR, EDR, and other security tools. The sandbox detonates the entire attack chain on its own and returns a conclusive verdict with full context in seconds. 

Check a real-world case inside sandbox 

In this analysis, a QR code hidden in a phishing email leads to a CAPTCHA-protected page and then to a fake Microsoft 365 login designed to steal credentials. The sandbox detonates the full chain, reveals the phishing infrastructure, and confirms credential theft behavior in seconds. 

Step 3: Verify Alerts Fast 

Not every alert points to a file you can detonate. 

Often, SOC teams see alerts tied to a suspicious IP, domain, URL, or process. In those cases, the key question is simple: Is this a real threat, or just noise? 
The faster you answer that, the faster you can move on. 

Where verification slows teams down 

Most alerts are enriched using free reputation services. These usually provide only a label like “malicious” with no explanation. 

There’s no context about: 

• how the indicator was used, 

• what malware or campaign it’s linked to, 

• or what the attacker is actually doing. 

So, analysts start from zero. They search blogs, PDFs, forums, and tools, copy-paste the same indicator repeatedly, and hope something useful turns up. It’s slow, distracting, and often outdated. Even when teams cross-check multiple sources, the information can be incomplete or contradictory. 

The result is delayed decisions, unnecessary escalations, and analyst fatigue. 

What helps analysts verify alerts faster 

Analysts move faster when they have access to a single, reliable source of fresh threat intelligence that gives instant context for any indicator they see. 

The most effective solutions don’t rely on second hand reports. They pull data from their own live sources; real malware executions, active honeypots, and real victim environments. That means the intelligence is current, detailed, and available the moment an alert appears. 

With this level of context, analysts can make confident decisions in seconds instead of spending time searching, cross-checking, and guessing. 

How teams do this with ANY.RUN 

ANY.RUN enables fast alert verification through its Threat Intelligence Lookup. 

TI Lookup gives analysts instant access to live attack data for IPs, domains, URLs, file hashes, and behavioral indicators. Each lookup returns real-world context, including how the indicator is used, what malware it’s linked to, and where it was observed; all based on active threat analysis, not old reports. 

As the intelligence comes from real malware executions shared by 15,000 organizations and 500,000 analysts, analysts can verify alerts in seconds instead of starting from zero. 

To see how this works in practice, imagine this: A SOC receives an alert about a connection to an unfamiliar IP address. A quick lookup shows it’s actively used in a Remcos malware campaign, with links to sandbox sessions where the same infrastructure was observed. With this context, the analyst can block the connection and close the alert confidently within minutes. 

TI Lookup query: destinationIP:”23.95.117.252″ 

For even faster workflows, TI Lookup integrates directly with SIEM, SOAR, TIP, and XDR platforms. Alerts can be enriched automatically as they arrive, so reputation, behavior, and threat context are available immediately, reducing manual checks, unnecessary escalations, and investigation time. 

Make Fast Response the Standard 

In most SOCs, the problem isn’t speed. It’s the delay between seeing an alert and knowing what to do next. 

When alerts arrive without context, investigations stall. When verification depends on manual research, response drags on. Fixing these gaps changes how the SOC operates: 

• incidents are prioritized earlier, 

• investigations reach clear answers faster, 

• alerts are confirmed before they turn into distractions. 

Teams that apply this approach consistently reduce MTTR by 21 minutes, detect threats in a median of 15 seconds, and achieve a 3× increase in team efficiency, without adding pressure to the team. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and threat intelligence solutions used by 15,000 SOC teams to investigate threats and verify alerts. They enable analysts to observe real attacker behavior in controlled environments and access context from live attacks. The services support both hands-on investigation and automated workflows and integrates with SIEM, SOAR, and EDR tools commonly used in security operations. 

See ANY.RUN’s solutions in action with 14-day trial 

The post SOC Leader’s Playbook: 3 Practical Steps to Faster MTTR  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that’s a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account… Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security, regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT — with one key difference: nobody wants, knows about, or benefits from these assets.

In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.

Physical and virtual servers

Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.

Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Lets Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.

Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.

This data should be supplemented by external vulnerability scans that cover all of the organization’s public IPs.

Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.

To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.

Forgotten user, service, and device accounts

Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.

Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.

Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it’s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.

Response: after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM) offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.

For service accounts, it’s also essential to routinely review both the strength of passwords, and the expiration dates for access tokens — rotating them as necessary.

Forgotten data stores

Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services — even “secure” ones — has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.

Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations — all of these often remain unaccounted for and accessible for years (even decades) in many organizations.

Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:

• Native audit subsystems within major vendor platforms, such as AWS Macie, and Microsoft Purview
• Specialized Data Discovery and Data Security Posture Management solutions
• Automated analysis of inventory logs, such as S3 Inventory

Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization’s security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company’s brand.

Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage — or to confirm it’s truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data. At the organizational policy level, it’s crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that’s accessible without restrictions, passwords, or encryption.

Unused applications and services on servers

Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources.

Prevalence: very high. services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete.

Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis — focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers.

Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default.

Outdated APIs

Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often provide data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.

Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it’s still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.

Detection: at the WAF or NGFW level, it’s essential to monitor traffic to specific APIs. This helps detect anomalies that may indicate exploitation or data exfiltration, and also identify APIs that get minimal traffic.

Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions.

For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.

Software with outdated dependencies and libraries

Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.

Prevalence: Very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.

Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, it’s mandatory to use scanners and comprehensive security systems integrated into the CI/CD pipeline to prevent software from being built with outdated components.

Response: company policies must require IT and development teams to systematically update software dependencies. When building internal software, dependency analysis should be part of the code review process. For third-party software, it’s crucial to regularly audit the status and age of dependencies.

For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it’s essential to maintain an up-to-date software bill of materials (SBOM).

You can read more about timely and effective vulnerability remediation in a separate blog post.

Forgotten websites

Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization’s brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the given company. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren’t renewed — making them available for purchase by anyone.

Prevalence: high — especially for sites launched for short-term campaigns or one-off internal activities.

Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be utilized to track domains associated with the company’s IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization’s brand.

Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement an automated DNS registration and renewal system to prevent the loss of control over the company’s domains.

Unused network devices

Priority: high. Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities, and almost never have proper monitoring — no EDR or SIEM integration — yet they hold a privileged position in the network, giving hackers an easy gateway to escalate attacks on servers and workstations.

Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.

Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what’s actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.

Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers — to prevent leaks of network settings, passwords, office video footage, and so on.

Kaspersky official blog – ​Read More

Imagine: a user lands on a scam site, decides to make a purchase, and enters their bank card details, name, and address. Guess what happens next? If you think the attackers simply grab the cash and disappear — think again. Unfortunately, it’s much more complicated. In reality, the information enters a massive shadow-market pipeline, where victims’ data circulates for years, changing hands and being reused in new attacks.

At Kaspersky, we’ve studied the journey data takes after a phishing attack: who gets it, how it’s sorted, resold, and used on the shadow market. In this article, we map the route of stolen data, and explain how to protect yourself if you’ve already encountered phishing, or if you want to avoid it in the future. You can read the detailed report complete with technical insights on Securelist.

Harvesting data

Phishing sites are carefully disguised to look legitimate — sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.

As soon as the user hits Sign In or Pay, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don’t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms to hide the final destination server.

A fake DHL website. The user is asked to enter the login and password for their real DHL account

The stolen data is typically transmitted in one of three ways — or a combination of them:

• Email. This method is less common today due to possible delays or bans.
• Telegram bots. The attackers receive the information instantly. Most of these bots are disposable, which makes them hard to track.
• Admin panels. Cybercriminals can use specialized software to harvest and sort data, view statistics, and even automatically verify the stolen information.

What kind of data are phishers after?

The range of data sought by cybercriminals is quite extensive.

• Personal data: phone numbers, full names, email, registration and residential addresses. This information can be used to craft targeted attacks. People often fall for scams precisely because the attackers possess a large amount of personal information — addressing them by name, knowing where they live, and which services they use.
• Documents: data and scans of social security cards, driver licenses, insurance and tax IDs, and so on. Criminals use these for identity theft, applying for loans, and verifying identity when logging into banks or e-government portals.
• Credentials: logins, passwords, and one-time 2FA codes.
• Biometrics: face scans, fingerprints, and voice samples used to generate deepfakes or bypass two-factor authentication.
• Payment details: bank card and cryptocurrency wallet details.
• And much more.

According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users’ personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.

Distribution of attacks by type of data being targeted, January–September 2025

What happens to the stolen data next?

Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.

1. Bulk sale of data

Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they’re relatively cheap — starting at around US$50.

2. Data sorting and verification

These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks — essentially a spreadsheet of data ready to be used in hacks.

3. Resale of verified data

The sorted datasets are offered for sale again, now at a higher price — and not only on the dark web but also on the more familiar Telegram.

An ad for a Telegram sale of social media account credentials

According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It’s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.

4. Repeat attacks

Once a cybercriminal purchases a victim’s digital dossier, they can plan their next attack. They might use open-source intelligence to find out where the person works, and then craft a convincing email impersonating their boss. Alternatively, they could hack a social media profile, extract compromising photos, and demand a ransom for their return. However, rest assured that nearly all threatening or extortion emails are just a scare tactic by scammers.

Cybercriminals also use compromised accounts to send further phishing emails and malicious links to the victim’s contacts. So, if you receive a message asking you to vote for a niece in a contest, lend money, or click on a suspicious link, you have every reason to be wary.

What to do if your data has been stolen

1. First, recall what information you entered on the phishing site. If you provided payment card details, call your bank immediately and have the cards blocked. If you entered a login and password that you use for other accounts, change those passwords right away. A password manager can help you create and store strong, unique passwords.
2. Enable two-factor authentication (2FA) wherever possible. For more details on what 2FA is and how to use it, read our guide. When choosing a 2FA method, it’s best to avoid SMS, as one-time codes sent via a text can be intercepted. Ideally, use an authenticator app, such as Kaspersky Password Manager, to generate one-time codes.
3. Check the active sessions (the list of logged-in devices) in your important accounts. If you see a device or IP address you don’t recognize, terminate that session immediately. Then change your password and set up two-factor authentication.

How to guard against phishing

• Don’t click on links in emails or messages without first scanning them with a security solution.
• If you receive a suspicious email, always check the sender’s address to see if you’ve had any contact with that person before. If someone claims to represent a government authority or company, be sure to compare the domain the email was sent from with the domain of the organization’s official website. No official correspondence should ever come from a free email service.
• Use an authenticator app for two-factor authentication.
• Create hack-resistant passwords. Our research shows that hackers can crack almost 60% of all passwords in the world in less than an hour. Alternatively, consider switching to passkeys, which offer much stronger account protection, but keep in mind that they come with their own caveats.
• Remember: using the same password for multiple services is a critical mistake. This is exactly what malicious actors exploit. Even if you’ve never fallen for a phishing scam, your passwords and data can still end up in data breaches, as cyberattackers target not just individuals but entire companies. This year, the Identity Theft Resource Center has already recorded over two thousand data breaches. To minimize the risks, create a unique and strong password for every account. You don’t have to — and actually can’t — memorize them all. It’s better to use a password manager, which generates and securely stores complex passwords, syncs them across all your devices, auto-fills them on websites and in apps, and alerts you if any of your credentials appear in a known data breach.

More on phishing and scams:

• How phishers and scammers use AI
• Phishing 101: what to do if you get a phishing email
• Email extortion: how scammers use blackmail
• Telegram scams with bots, gifts, and crypto
• Et cetera

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.  

“It’s a dangerous business, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.” — Bilbo Baggins 

It’s almost the end of the year, which feels like the perfect time to start an epic quest. 

So, Middle-earth. I’m walking across it. Not with the intention of destroying the One Ring, but to increase my daily step count in the nerdiest way possible. 

As I suspect is the origin story for most quests these days, my journey began by downloading an app.

It’s called “The Conqueror.” There are many different distances you can choose from, but I chose Middle-earth because I’m that person who watched all the behind-the-scenes footage from Peter Jackson’s Lord of the Rings extended edition box set and physically shed tears because I wasn’t there. 

Heeding Bilbo’s warnings about roads, I’m using a treadmill. After receiving my official race bib (#199574), I hopped on and muttered under my breath, “So it begins.”

So far, I’ve passed Bag End, South Farthing, Woody End, Maggot’s Farm, and I’m currently doing a stopover at Buckleberry Ferry. That’s 130km (55% of the Shire) done. Only 120km until Bree, where I can rest up with a pint at The Prancing Pony. And a mere 2,787km to go until I get to Mount Doom. If only Frodo hadn’t taken so many detours… 

I’ve been rewarded at each milestone with postcards full of extremely nerdy facts about the landscape. And because of The Conqueror’s partnership with an ocean clean-up charity, I’ve also “saved” 20 plastic bottles from entering the sea, which feels very cool to have accomplished while never leaving the house.

It’s a strange, delightful journey: half fitness plan, half fantasy pilgrimage. And it got me thinking about the value of knowing your destination.

Oftentimes when I’m speaking to defenders, one of their main challenges is “I’m struggling to do all the things, all the time.” When everything gets a bit overwhelming, and threats either shift unpredictably or circle back to tactics we thought we’d left behind, it’s easy to lose your sense of direction and say, “What are we doing this for again?”

That’s what I’ve come to like about this quest across Middle-earth: there’s a destination, and there are milestones. Mount Doom is a f*****g long way from Buckleberry Ferry. But I like just knowing the next marker even if I can’t yet see the (Bag)end.

As you’re making plans for next year, it might be worth using that idea: Where are you heading? What are the things you’re doing right now are actually helping you get there? Which detours/madness will lead you into Fangorn Forest? 

If in doubt, follow your nose.

The one big thing 

While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files.  

Why do I care? 

There’s a few things that the threat actor does as part of this campaign to make recovery for victims more complicated. First, they use the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. Also, the custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques. 

So now what? 

The Talos blog has a full breakdown of the attack, including the new TTPs, attempts at lateral movement, the ways the actor attempts to impair defenses, and the encryption process. Snort SIDs for the threats are: 65576, 65575 and 301358. ClamAV detections are also available for this threat:

• Win.Tool.EDRKiller-10058432-0  
• Win.Tool.VulnBaiduDriver-10058431-1  
• Ps.Tool.DeleteShadowCopies-10058429-0  
• Win.Ransomware.Deadlock-10058428-0

Top security headlines of the week  

Chinese hackers are using “stealthy and resilient” Brickstorm malware to target VMware servers 
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks. (ITPro) 

Critical Apache Tika vulnerability leads to XXE injection 
A critical-severity vulnerability in the Apache Tika open source analysis toolkit could allow attackers to perform XML External Entity (XXE) injection attacks. (Security Week) 

Zero-click agentic browser attack can delete entire Google Drive using crafted emails 
A new agentic browser attack targeting Perplexity’s Comet browser that’s capable of turning a seemingly innocuous email into a destructive action that wipes a user’s entire Google Drive contents. (The Hacker News) 

Can’t get enough Talos? 

Spy vs. spy: How GenAI is powering defenders and attackers 
Nick Biasini provides an update on how Talos is seeing threat actors currently use genAI, and how defenders can use it as a force multiplier. 

Microsoft Patch Tuesday for December 2025 
The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
MD5: 1f7e01a3355b52cbc92c908a61abf643 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
Example Filename: cleanup.bat 
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218 
MD5: a1f4931992bf05e9bff4b173c15cab15 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218 
Example Filename: a1f4931992bf05e9bff4b173c15cab15.exe 
Detection Name: Auto.1EC343.272247.in02

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: ck8yh2og.dll 
Detection Name: Auto.90B145.282358.in02 

Cisco Talos Blog – ​Read More