Whenever you’re asked to log in to an online service, verify your identity, or download a document through a link, you’re usually required to enter your username and password. This is so common that most of us do it automatically without thinking twice. However, scammers can trick you into giving them passwords for your email, government service websites, banking services, or social networks by mimicking the service’s login form on their own (third-party) website. Don’t fall for it: only the email service itself can ask to verify your email password — no one else! The same applies to government services, banks, and social networks.

To avoid becoming a victim of fraud, every time you enter a password, take a moment to check where exactly you’re logging in, and what window is asking for your credentials. Three main scenarios are possible here — two are safe, one is fraudulent. Here they are.

Safe scenarios for entering passwords

1. Logging into your email, social network, or online service through the official website. This is the simplest scenario, but you need to make sure you are indeed on the legitimate site — with no errors in the URL. If you’re accessing the online service by clicking a link in an email or from search results, carefully check the browser’s address bar before entering your password. Make sure that both the service name and the site address are correct and match each other.

Why is it so important to take an extra second to check? Creating phishing copies of legitimate sites is a favorite trick of scammers. A phishing site’s address may be almost identical to the original, differing in just a letter or two (for example, the “i” letter might be replaced with an “I”), or use a different domain zone.

It’s also rather simple to create a link that appears to lead to a site but actually takes you somewhere else. Check it out for yourself: this link seems to lead to our blog kaspersky.com/blog but actually redirects you to our other blog — securelist.com.

The image below shows examples of legitimate login pages for various services where you can safely enter your username and password.

Examples of legitimate login pages for various services. Entering your credentials here is safe

2. Logging in to a site using an auxiliary service. This is a convenient way to log in without creating additional passwords, commonly used for file storage services, collaboration tools, and so on. Auxiliary services are typically large email providers, social networks, or government service sites. The login button may say something like “Continue with Google”, “Continue with Facebook”, “Continue with Apple”, etc.

When you click the button, another window opens belonging to the auxiliary service (Google, Facebook, Apple, etc.). It works like this: the external service verifies your identity and confirms this to the site you’re logging in to. It’s crucial to check the addresses in both windows: make sure that the pop-up window asking for your password really belongs to the auxiliary service you expected (Google, Facebook, Apple, etc.), and the main window really belongs to the legitimate site you’re trying to log in to. In many cases, the pop-up window also indicates which site you’ll be logging in to. This auxiliary service mechanism allows you to enter the desired site without it ever seeing your password. Password verification takes place on the side of the auxiliary service (Google, Facebook, Apple, etc.). IT specialists call this login method single sign-on (SSO).

Example of SSO login to eBay through an auxiliary service (Google) that verifies your password. Entering your credentials here is also safe

Fraudulent scenario: password theft

You receive an email or message with a login link, click it, and end up on a site that very closely resembles a legitimate email, social network, file-sharing, or e-signature service. The site asks you to log in to your account to prove your identity. To this end, you’re prompted to enter your email and password for your email, government services site, banking service, or social network directly on this site.

In this scenario, either there’s no pop-up window from a legitimate service (such as the one in the previous case), or the additional window also belongs to some third-party site. This is a scam designed to steal your

Look at the address bar: this is definitely not Netflix! Don’t enter your credentials here!

account password! Remember, a third-party site can’t verify your password — it simply doesn’t know it, and passwords are never shared between sites.

How to protect yourself from password theft

1. Carefully check the address of the site requesting your password.
2. Only enter a password for a service on the official website of that service — nowhere else.
3. Sometimes a separate window appears for entering a password. Make sure this window is a regular browser window where you can see the address bar and verify the address.
4. Scammers can create lookalike sites with addresses that are hard to distinguish from real ones. To avoid falling into such a trap, use reliable anti-phishing protection on all devices and platforms. We recommend Kaspersky Premium, the winner of an anti-phishing test in 2024.
5. An advanced protection method is to use a password manager for all your accounts. It verifies the actual page address, and will never enter your credentials on an unfamiliar site — no matter how convincing it looks.

Kaspersky official blog – ​Read More

The old saying, “A chain is only as strong as its weakest link”, directly applies to enterprise cybersecurity. Businesses these days often rely on dozens or even hundreds of suppliers and contractors, who, in turn, use the services and products of yet more contractors and suppliers. And when these chains involve not raw materials but complex IT products, ensuring their security becomes significantly more challenging. This fact is exploited by attackers, who compromise a link in the chain to reach its end — their main target. Accordingly, it’s essential for business leaders and the heads of IT and information security to understand the risks of supply-chain attacks in order to manage them effectively.

What is a supply-chain attack?

A supply-chain attack involves a malicious actor infiltrating an organization’s systems by compromising a trusted third-party software vendor or service provider. Types of this attack include the following:

• Compromising well-known software developed by a supplier and used by the target organization (or multiple organizations). The software is modified to perform malicious tasks for the attacker. Once the next update is installed, the software will contain undeclared functionality that allows the organization to be compromised. Well-known examples of such attacks include the compromise of the SolarWinds Orion and 3CX Last year, the to-date largest attempt at such an attack was discovered — XZ Utils. Fortunately, it was unsuccessful.
• Attackers find corporate accounts used by a service provider to work within the target organization’s systems. The attackers use these accounts to infiltrate the organization and carry out an attack. For example, the American retail giant Target was hacked through an account issued to an HVAC provider.
• Attackers compromise a cloud provider or exploit the features of a cloud provider’s infrastructure to access the targeted organization’s data. The most high-profile case last year involved the compromise of more than 150 clients of the Snowflake cloud service, leading to the data leak of hundreds of millions of users of Ticketmaster, Santander Bank, AT&T, and others. Another large-scale, big-impact attack was the hack of the authentication service provider Okta.
• Attackers exploit permissions delegated to a contractor in cloud systems, such as Office 365, to gain control over the target organization’s documents and correspondence.
• Attackers compromise specialized devices belonging to or administered by a contractor, but connected to the target organization’s network. Examples include smart-office air-conditioning systems, and video surveillance systems. For example, building automation systems became a foothold for a cyberattack on telecom providers in Pakistan.
• Attackers modify IT equipment purchased by the target organization, either by infecting pre-installed software or embedding hidden functionality into the devices’ firmware. Despite their complexity, such attacks have actually occurred in practice. Proven cases include Android device infections, and widely discussed server infections at the chip level.

All variations of this technique in the MITRE ATT&CK framework come under the name “Trusted Relationship” (T1199).

Benefits of supply-chain attacks for criminals

Supply-chain attacks offer several advantages for attackers. Firstly, compromising a supplier creates a uniquely stealthy and effective access channel — as demonstrated by the attack on SolarWinds Orion software, widely used in major U.S. corporations, and the compromise of Microsoft cloud systems, which led to email leaks from several U.S. government departments. For this reason, this type of attack is especially favored by criminals hunting for information. Secondly, the successful compromise of a single popular application or service instantly provides access to dozens, hundreds, or even thousands of organizations. Thus, this kind of attack also appeals to those motivated by financial gain, such as ransomware groups. One of the most high-profile breaches of this type was the attack on IT supplier Kaseya by the REvil group.

A tactical advantage (to criminals) of attacks exploiting trusted relationships lies in the practical consequences of this trust: the applications and IP addresses of the compromised supplier are more likely to be on allowlists, actions performed using accounts issued to the supplier are less frequently flagged as suspicious by monitoring centers, and so on.

Damage from supply-chain attacks

Contractors are usually compromised in targeted attacks carried out by highly motivated and skilled attackers. Such attackers are typically aiming to obtain either a large ransom or valuable information — and in either case, the victim will inevitably face long-term negative consequences.

These include the direct costs of investigating the incident and mitigating its impact, fines and expenses related to working with regulators, reputational damage, and potential compensation to clients. Operational disruptions caused by such attacks can also result in significant productivity losses, and threaten business continuity.

There are also cases that don’t technically qualify as supply-chain attacks — attacks on key technology providers within a specific industry — that nevertheless disrupt the supply chain. There were several examples of this in 2024 alone, the most striking being the cyberattack on Change Healthcare, a major company responsible for processing financial and insurance documents in the U.S. healthcare industry. Clients of Change Healthcare were not hacked, but while the compromised company spent a month restoring its systems, medical services in the U.S. were partially paralyzed, and it was recently revealed that confidential medical records of 100 million patients were exposed as a result of this attack. In this case, mass client dissatisfaction became a factor pressuring the company to pay the ransom.

Returning to the previously mentioned examples: Ticketmaster, which suffered a major data breach, faces several multi-billion-dollar lawsuits; criminals demanded $70 million to decrypt the data of victims of the Kaseya attack; and damage estimates from the SolarWinds attack range from $12 million per affected company to $100 billion in total.

Which teams and departments should be responsible for supply-chain-attack prevention?

While all the above may suggest that dealing with supply-chain attacks is entirely the responsibility of information security teams, in practice, minimizing these risks requires the coordinated efforts of multiple teams within the organization. Key departments that should be involved in this work include:

• Information security: responsible for implementing security measures and monitoring compliance with them, conducting vulnerability assessments, and responding to incidents.
• IT: ensures that the procedures and measures required by information security are followed when organizing contractors’ access to the organization’s infrastructure, uses monitoring tools to oversee compliance with these measures, and prevents the emergence of shadow or abandoned accounts and IT services.
• Procurement and vendor management: should work with information security and other departments to include trust and corporate information-security compliance criteria in supplier selection processes. Should also regularly check that supplier evaluations meet these criteria and ensure ongoing compliance with security standards throughout the contract period.
• Legal departments and risk management: ensure regulatory compliance and manage contractual obligations related to cybersecurity.
• Board of directors: should promote a security culture within the organization, and allocate resources for implementing the above measures.

Measures for minimizing the risk of supply-chain attacks

Organizations should take comprehensive measures to reduce the risks associated with supply-chain attacks:

• Thoroughly evaluate suppliers. It’s crucial to assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents, and compliance with industry security standards. For software products and cloud services, it’s also recommended to collect data on vulnerabilities and pentests, and sometimes it’s advised to conduct dynamic application security testing (DAST).
• Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization’s relevant security policies, and incident notification protocols.
• Adopt preventive technological measures. The risk of serious damage from supplier compromise is significantly reduced if your organization implements security practices such as the principle of least privilege, zero trust, and mature identity management.
• Organize monitoring. We recommend using XDR or MDR solutions for real-time infrastructure monitoring and detecting anomalies in software and network traffic.
• Develop an incident response plan. It’s important to create a response plan that includes supply-chain attacks. The plan should ensure that breaches are quickly identified and contained — for example by disconnecting the supplier from company systems.
• Collaborate with suppliers on security issues. It’s vital to work closely with suppliers to improve their security measures — such collaboration strengthens mutual trust and makes mutual protection a shared priority.

Deep technological integration throughout the supply chain affords companies unique competitive advantages, but simultaneously creates systemic risks. Understanding these risks is critically important for business leaders: attacks on trusted relationships and supply chains are a growing threat, entailing significant damage. Only by implementing preventive measures across the organization and approaching partnerships with suppliers and contractors strategically can companies reduce these risks and ensure the resilience of their business.

Kaspersky official blog – ​Read More

Google Chrome and WordPress users face high-severity security threats. CyberSecurity Malaysia advises immediate updates to prevent potential exploits and safeguard data.

Overview

CyberSecurity Malaysia has recently notified users of critical vulnerabilities in two widely used software platforms: Google Chrome and the WordPress File Upload plugin. If exploited, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause disruptions.

Security updates have been issued, and users are strongly advised to apply these updates immediately to protect their systems.

This article provides an in-depth look at these vulnerabilities, their potential impacts, affected products, and recommended mitigation actions.

Google Chrome Security Update

Google has released security updates to address multiple vulnerabilities in the Chrome browser. These vulnerabilities have been categorized as high-severity risks and require immediate attention from users and administrators.

If successfully exploited, these vulnerabilities could enable attackers to:

• Execute arbitrary code on the target system.
• Escalate their privileges to gain unauthorized access.
• Cause denial-of-service (DoS) attacks on affected ChromeOS devices.

These threats underscore the importance of keeping software updated to prevent exploitation.

One of the critical vulnerabilities addressed in this update is:

• CVE-2025-0291 (High): This is a Type Confusion vulnerability in the V8 JavaScript engine. Type Confusion occurs when the program allocates or uses a resource in an unintended way, which could allow attackers to manipulate the system and execute malicious code.

Recommendations

CyberSecurity Malaysia advises all users and administrators to:

1. Review the latest Google Chrome release notes.
2. Update Chrome to the latest version without delay.
3. Regularly check for updates to ensure their browser remains secure.

WordPress File Upload Plugin Vulnerability

WordPress has issued a critical security update to address a vulnerability in its File Upload plugin. This vulnerability, if exploited, could have severe consequences for WordPress websites, particularly those using outdated versions of the plugin.

The vulnerability could allow unauthenticated attackers to:

• Execute remote code on the server.
• Read arbitrary files, potentially exposing sensitive information.
• Delete files, causing data loss and service disruptions.

With a high severity score of 9.8 on the CVSS scale, this vulnerability is categorized as critical and poses a significant threat to websites using the affected plugin.

Affected Products

• WordPress File Upload Plugin: Versions 4.24.15 and below are affected.
• Vulnerability Details:
  • CVE Identifier: CVE-2024-11613
  • Vulnerability Type: Improper Control of Code Generation (Code Injection).
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Researcher: Abrahack
  • Date of Public Disclosure: January 7, 2025

The vulnerability lies in the improper sanitization of the source parameter within the file wfu_file_downloader.php, which allows attackers to define their own directory paths. This flaw enables remote code execution, arbitrary file reading, and file deletion.

Recommendations

To protect their websites, CyberSecurity Malaysia urges WordPress users and administrators to:

1. Update the WordPress File Upload Plugin: Install version 4.25.0 or any newer patched version.
2. Regularly Monitor Plugin Updates: Ensure plugins are always up to date to prevent vulnerabilities.
3. Review the Official Wordfence Security Updates: Follow detailed guidance provided by WordPress security teams.

Patched versions can be found on the WordPress.org plugin page.

Key Takeaways

1. Act Quickly: The vulnerabilities in Google Chrome and WordPress File Upload plugin can lead to severe consequences, including unauthorized access, data breaches, and service disruptions. Immediate action is necessary to mitigate risks.
2. Stay Updated: Regularly updating software, browsers, and plugins is one of the most effective ways to defend against cyber threats.
3. Follow Trusted Sources: Always rely on credible sources such as Google, WordPress, and CyberSecurity Malaysia for updates and advisories.
4. Educate Yourself and Your Team: Awareness of such vulnerabilities and their potential impacts can help individuals and organizations build a proactive security posture.

Conclusion

Both Google and WordPress have acted swiftly to address these vulnerabilities, and now it’s up to users to ensure their systems and websites are secure. CyberSecurity Malaysia’s advisories serve as a crucial reminder of the need for consistent software updates and security monitoring.

By taking timely action, users and administrators can safeguard their digital assets and minimize the risk of exploitation.

Stay updated, stay protected!

Source:

• https://www.mycert.org.my/portal/advisory?id=MA-1233.012025
• https://www.mycert.org.my/portal/advisory?id=MA-1231.012025
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-file-upload/wordpress-file-upload-42415-unauthenticated-remote-code-execution-arbitrary-file-read-and-arbitrary-file-deletion
• https://chromereleases.googleblog.com/

The post CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe? appeared first on Cyble.

Blog – Cyble – ​Read More

As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing. 

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“in one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.” 

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 

Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – included: 

• Improved configuration management 
• Securing the management plane 
• Better vulnerability management of networks 
• Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S Treasury Department breach and an Ivanti zero-day exploit. 

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report. 

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Ivanti, Barracuda and others are “being exploited for ransomware and data theft. 

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities becoming public,” Medhe said. 

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks: 

• Local copies of sensitive data stored on end user systems and laptops 
• Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
• Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
• Lack of network segmentation, allowing lateral movement 
• Inadequate protection of API keys, access tokens and passwords in public code repositories 
• Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
• Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
• Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
• Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
• Poor security hygiene at third parties with access to sensitive data 

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 

The post U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start (and indeed any) time of year. I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

• Global scale identity management 
• Insider threat 
• Availability of time critical systems 
• Building scalable secure systems 
• Attack attribution and situational understanding 
• Information provenance 
• Security with privacy 
• Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at from it a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. “People are your greatest asset, if you treat them that way.” 

I’m seeing a lot of “how to thrive in 2025!” posts right now. For anyone who isn’t ready for that, or tired of it all, I just want to say, I’m right there with you. But if you’re also feeling like it’s “new year, same problems”  perhaps there’s one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, of which Wendy is on the committee for. 

I’d thoroughly recommend checking out the full keynote, if only to see Wendy yielding a hammer in a moderately threatening manner.

The one big thing

Attacks in which malicious actors are deliberately installing known vulnerable drivers, only to exploit them later, is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

 Why do I care?  

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats – primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

So now what?  

There are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique. This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

Top security headlines of the week   

• CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
• FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading. 
• Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

Can’t get enough Talos?  

• Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

• The evolution and abuse of proxy networks – check out this piece of research by Nick Biasini and Vitor Ventura. 

Upcoming events where you can find Talos     

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

Most prevalent malware files of the week

SHA 256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256:
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector  
Detection Name: W32.File.MalParent  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal:  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
MD5: d86808f6e519b5ce79b83b99dfb9294d  

VirusTotal: https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
Typical Filename: n/a 
Claimed Product: n/a  
Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8  

Cisco Talos Blog – ​Read More