Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr’ouvert Lasso, and one vulnerability in GL.iNet Slate AX.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Dell vulnerabilities

Discovered by Philippe Laulheret of Cisco Talos.

The Dell ControlVault is a hardware-based security solution designed for user authentication functions. Talos reported five vulnerabilities, as follows:

• TALOS-2025-2173 (CVE-2025-31649) is a hard-coded password vulnerability. A specially crafted ControlVault API call can lead to an execution of privileged operation.
• TALOS-2025-2174 (CVE-2025-31361) is a privilege escalation vulnerability. A specially crafted WinBioControlUnit API call can lead to privilege escalation.
• TALOS-2025-2175 (CVE-2025-36460-CVE-2025-36463) covers multiple out-of-bounds read and write vulnerabilities. A specially crafted WinBioControlUnit API call can lead to memory corruption.
• TALOS-2025-2188 (CVE-2025-32089) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to an arbitrary code execution.
• TALOS-2025-2189 (CVE-2025-36553) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to memory corruption.

Entr’ouvert Lasso vulnerabilities

Discovered by Keane O’Kelley and another member of Cisco Advanced Security Initiative Group.

Lasso is a free (GNU General Public License) C library that defines processes for federated identities, single sign-on, and related protocols.

TALOS-2025-2193 (CVE-2025-47151) is a type confusion vulnerability, where a specially crafted SAML response can lead to an arbitrary code execution.

TALOS-2025-2194 (CVE-2025-46404), TALOS-2025-2195 (CVE-2025-46784), and TALOS-2025-2196 (CVE-2025-46705) are denial of service vulnerabilities. Specially crafted SAML responses can lead to a denial of service in all three cases.

GL.iNet Slate AX vulnerability

Discovered by Lilith >_> of Cisco Talos.

Slate AX (GL-AXT1800) is a Wi-Fi 6GB travel router. Cisco Talos discovered a firmware downgrade vulnerability, TALOS-2025-2230 (CVE-2025-44018), in the OTA Update functionality. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Cisco Talos Blog – ​Read More

Stealers, loaders, and targeted campaigns dominated November’s activity. ANY.RUN analysts examined cases ranging from PNG-based in-memory loading used to deploy XWorm to JSGuLdr, a three-stage JavaScript-to-PowerShell loader pushing PhantomStealer. 

Alongside these public cases, three Threat Intelligence Reports detailed new activity across Windows, Linux, and Android, including loader-enabled hijackers, Tor-based cryptotrojan communication, Linux ransomware in Go, MaaS stealers, and a WhatsApp-propagating campaign with geofencing controls. 

Each case was analyzed inside ANY.RUN’s Interactive Sandbox, revealing execution flows, persistence mechanisms, and behavioral indicators that help teams tune detections and trace related activity. 

Let’s break down how these attacks unfolded, where they hit, and what security teams can take away to strengthen their defenses before the next wave arrives. 

1. XWorm: PNG Files Used as Containers for an In-Memory Loader 

Post on X 

ANY.RUN analysts observed a new wave of XWorm infections in November, delivered through phishing pages and emails that distribute a JavaScript dropper named PurchaseOrder_25005092.js. While it appears benign at first glance, the script unpacks a full multi-stage chain designed to bypass quick checks, hide payloads inside PNG files, and execute a .NET assembly directly in memory. 

How the attack begins 

The campaign begins with a phishing lure (T1566.001) delivering a heavily obfuscated JavaScript installer (T1027). Once executed, the script checks whether the required components exist on the system and writes the missing files to C:UsersPUBLIC using Base64-encoded and AES-encrypted data (T1027.013). The staged components are later used during the PowerShell-driven decryption and in-memory execution stages. 

The three staged files are: 

• Kile.cmd: A heavily obfuscated batch script filled with variable noise, percent-encoding, and fragmented Base64 

• Vile.png: Not an image but a Base64-encoded and AES-encrypted payload 

• Mands.png: Another encrypted data blob used during the second stage 

Attackers deliberately use the “.png” extension (T1036.008) to make the files look harmless and evade quick manual reviews. 

In-memory execution chain 

After writing the staged components to C:UsersPUBLIC, the JavaScript dropper reconstructs readable commands from its fragments and launches a PowerShell payload (T1059). This PowerShell script operates as a two-stage AES-CBC loader. 

Stage 1: Command runner 

Reads C:UsersPUBLICMands.png as Base64 → AES-decrypt → yields Base64-encoded commands. Each command is decoded and executed via Invoke-Expression, enabling the script to run attacker-controlled instructions without a traditional executable. 

Stage 2: In-memory assembly load 

Reads C:UsersPUBLICVile.png as Base64 → AES-decrypt → raw bytes. Loader attempts to execute the resulting .NET assembly directly from memory (T1620). 

This creates an in-memory loader that launches XWorm without dropping a traditional executable. A successful compromise enables credential theft, remote control, and lateral movement across corporate environments. 

See the full execution inside ANY.RUN 

Enrich this case using Threat Intelligence Lookup 

Below are ready-to-use TI Lookup queries for finding similar campaigns: 

• PowerShell with .Replace() obfuscation: imagePath:”\powershell.exe$” AND commandLine:”.Replace(“ 

• PowerShell invoking IEX: imagePath:”\powershell.exe$” AND commandLine:”iex” 

• JavaScript droppers writing to PublicLibraries: filePath:”^C:\Users\Public\Libraries\*.js$” 

2. JSGuLdr: Multi-Stage Loader Delivering PhantomStealer 

Post on X 

In November, ANY.RUN analysts identified JSGuLdr, a multi-stage loader that moves from JScript to PowerShell and ultimately deploys PhantomStealer. The chain relies on obfuscation, COM-based execution, cloud-hosted payloads, and in-memory loading, allowing the final payload to run with limited on-disk exposure. 

Stage 1: JScript Execution and COM-Based PowerShell Launch 

The first stage is an obfuscated JScript file signed with a fake Authenticode certificate to appear trustworthy (T1027, T1553.006). It generates an encrypted PowerShell string and writes it to %APPDATA%Registreri62, forming the second-stage component. 

Execution then shifts to Shell.Application and Explorer COM interaction, which launches powershell.exe under explorer.exe, masking the activity as normal user behavior (T1559.001, T1218). 

Stage 2: PowerShell Loader, Cloud Retrieval, and In-Memory Execution 

The PowerShell code decodes the contents of Registreri62, reconstructs hidden commands, and downloads an encrypted payload from Google Drive using a WebClient request (T1105). This payload is stored as %APPDATA%Autorise131.Tel, used as the on-disk container for the next stage (T1074.001). 

Stage 3: In-Memory Loading and PhantomStealer Injection 

PowerShell decrypts Autorise131.Tel, extracts raw bytes, and loads the resulting .NET assembly directly in memory (T1620). The final payload, PhantomStealer, is then injected into msiexec.exe, allowing it to run under a trusted Windows process and steal data without creating a conventional executable on disk (T1055, T1218.007). 

Execution chain: wscript.exe → explorer.exe → explorer.exe (COM) → powershell.exe → msiexec.exe 

Review the complete execution chain and behavioral indicators in the JSGuLdr analysis session.  

Track similar activity with TI Lookup 

Use the following TI Lookup query to identify related JSGuLdr activity, pivot from shared IOCs, and uncover additional loader variants across recent submissions. 

commandLine:”windowssystem32″ and imagePath:”explorer.exe” 

Gathered IOCs: 

• URL: hxxps://drive[.]google[.]com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd  

• Files: %APPDATA%Registreri62, %APPDATA%Autorise131[.]Tel  

• CMD: powershell.exe “$Citize=$env:appdata+’Registreri62′;$Guazuma=gc $Citize;$Aristape=$Guazuma[4460..4462] -join ”” 

Threat Intelligence Report 1: PDFChampions, Efimer, and BTMOB 

Full analysis in TI Report  

This Threat Brief provides a focused breakdown of three active threats, including how each sample behaves in the sandbox, its persistence and execution patterns, and the key detection points analysts can rely on. The report includes details about process activity, file system changes, network behavior, and extracted indicators, along with TI Lookup queries tailored to each malware family; PDFChampions’ mutex-based signature, Efimer’s Tor-based curl command, and BTMOB’s Android configuration file. 

PDFChampions (Windows) 

A browser hijacker distributed via malvertising that also acts as a loader. It changes the default search engine, terminates competing browsers, and can download and run additional payloads directly in memory.

Detection note: identify activity via the mutex “Champion.”

TI Lookup: syncObjectName:”Champion” 

Efimer (Windows) 

A cryptocurrency-focused trojan spread through phishing and compromised WordPress sites. It steals wallets and credentials and uses curl.exe to reach a Tor-hidden C2 endpoint (.onion/route.php). 
Detection note: monitor curl connections to .onion/route.php. 
TI Lookup: commandLine:”curl.exe*.onion/route.php” 

BTMOB RAT (Android) 

An Android RAT sold as MaaS. It abuses Accessibility Services for full device control, records screen and audio, and targets financial apps. Distributed through phishing APKs.

Detection note: presence of BTConfig.xml in the app’s shared preferences.

TI Lookup: filePath:”/data/data/*/shared_prefs/BTConfig.xml” 

Threat Intelligence Report 2: Monkey, Phoenix, and NonEuclid 

Full analysis in TI Report 

This month’s Threat Brief examines three threats in detail, with execution-flow screenshots, detection indicators, persistence artifacts, and public-sample telemetry. The report also provides ready-to-use TI Lookup queries and IOCs so teams can expand visibility and identify similar cases in their environments. 

Monkey (Linux) 

Monkey is a Go-based x64 ELF ransomware that disables security controls, establishes persistence through cron, rc.local, and systemd, collects system information, and encrypts files with a .monkeyRansomware extension. It also drops a ransom note and changes the system wallpaper.

Detection note: creation of /etc/systemd/system/monkey.service.

Lookup: filePath:”/etc/systemd/system/monkey.service” 

Phoenix (Windows) 

Phoenix is a Windows backdoor delivered as a second-stage payload in targeted email campaigns. It creates a mutex, copies itself for persistence, gathers system information, and communicates with its C2 via WinHTTP. The malware also uses process injection during execution.

Detection note: dropped binary sysProcUpdate.exe used for injection.

Lookup: registryValue:”sysProcUpdate.exe” 

NonEuclid (Windows) 

NonEuclid is a C# RAT with persistence, AMSI and Defender bypass, anti-VM checks, UAC bypass, and optional AES-based file encryption using the .NonEuclid extension. Sold as a crimeware kit, it combines remote control features with ransomware capabilities and uses obfuscated strings and NTSTATUS codes that can be detected via a dedicated YARA rule. 
Detection note: YARA detection based on obfuscated Unicode strings and NTSTATUS markers. 

Threat Intelligence Report 3: Valkyrie, Sfuzuan, and Sorvepotel 

Full analysis in TI Report 

This Threat Brief examines three Windows-based threats with different infection vectors and persistence patterns. The report includes sandbox screenshots, process activity, on-disk artifacts, and TI Lookup queries for tracking related behavior across public submissions. 

Valkyrie (Windows) 

Valkyrie is a credential-stealing MaaS platform linked to Prysmax. It collects browser and system data, stores temporary output in Valkyrie.zip under the Temp directory, and exfiltrates the archive to a remote C2. Detection is possible through the Temp-path signature or a dedicated YARA rule included in the report.

TI Lookup: filePath:”C:\Users\admin\AppData\Local\Temp\Valkyrie.zip” 

Sfuzuan (Windows) 

Sfuzuan is a backdoor distributed through multiple, unrelated sources. It bypasses system protections to gain access, gathers system and location details, and connects to a set of rotating command-and-control domains. The malware drops a distinctive TXT file that serves as a reliable detection point.

TI Lookup: filePath:”C:\Windows\864ac8″ 

Sorvepotel (Windows) 

Sorvepotel is a self-propagating campaign spread through WhatsApp messages containing malicious ZIP archives. After launch, it uses PowerShell and VBS scripts for execution and persistence, creates scheduled tasks, and automatically sends the same archive to all WhatsApp Web contacts. The campaign targets Portugal and Brazil using geofencing based on IP and system language.

TI Lookup: filePath:”Orcamento-2025*” 

Empower Your SOC with Real-Time Behavioral Insights 

Multi-stage loaders, encrypted payload containers, and region-aware campaigns are getting harder to catch with static filtering alone. While these threats unfold across PowerShell chains, COM-triggered executions, Linux services, or Android components, attackers move quickly, and manual triage can’t keep up. ANY.RUNgives SOC teams the behavioral visibility they need to respond at the speed of modern attacks. 

Here’s how teams stay ahead: 

• Surface hidden execution paths immediately: Detonate loaders, encrypted payloads, and cloud-hosted components inside a live VM and watch each stage, JavaScript, PowerShell, .NET, Linux services, or APK behavior, as it unfolds. 

• Shorten investigation time: Automated unpacking, network tracing, and live indicators turn multi-stage chains into readable timelines, reducing time spent reversing obfuscated scripts or in-memory loaders. 

• Catch stealthy techniques earlier: From fileless PowerShell commands to COM-based execution and WhatsApp-triggered propagation, behavioral cues expose activity that traditional tools overlook. 

• Strengthen detections with instant enrichment: Use Threat Intelligence Lookup to pivot from a single IOC, file path, mutex, command line, or domain, to related submissions and shared TTPs across hundreds of cases. 

• Feed continuous intelligence into your stack: Integrate Threat Intelligence Feeds with your SIEM, SOAR, or XDR to keep detections updated as new loader variants, stealer kits, and region-specific campaigns emerge. 

For SOC teams, MSSPs, and threat researchers, ANY.RUN provides the depth and real-time visibility needed to investigate faster, validate threats quickly, and turn emerging behaviors into reliable detection logic. 

Explore ANY.RUN with a 14-day trial → 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide across finance, healthcare, telecom, retail, and technology, helping security teams investigate threats with clarity and confidence. 

Built for speed and deep visibility, the solution combines interactive malware analysis with live threat intelligence, allowing SOC analysts to observe real execution behavior, extract indicators, and understand attacker techniques in seconds. 

By integrating ANY.RUN’s Threat Intelligence suite into existing security workflows, teams can accelerate investigations, reduce uncertainty during incidents, and strengthen resilience against fast-evolving malware families and multi-stage attack chains. 

The post Major Cyber Attacks in November 2025: XWorm, JSGuLdr Loader, Phoenix Backdoor, Mobile Threats, and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

We recently detected a new malicious campaign that employs a rather intriguing approach. The actor creates their own signed builds of a legitimate remote access tool. To distribute them, they use an AI-powered service to mass-generate malicious web pages that convincingly masquerade as the official sites of various applications.

Read on to find out how this attack works, why it’s particularly dangerous for users, and how to protect yourself.

How the attack works

It appears that the malicious actor is utilizing several launchpad options for their attacks. First, they are clearly banking on a significant number of users landing on their fake pages through simple Google searches. This is because the fake sites most often have addresses that match — or are very close to — what users are searching for.

Second, they employ malicious email campaigns as an alternative. In this scenario, the attack kicks off with the user getting an email that contains a link to a fake website. The content might look something like this:

Dear $DOP holders,
The migration window from DOP-v1 to DOP-v2 has officially closed, with over 8B+ tokens successfully migrated.
We're excited to announce that the DOP-v2 Claim Portal is now OPEN!
All $DOP holders can now visit the portal to securely claim their tokens and step into the next phase of the ecosystem.
Claim Your DOP-v2 Tokens Now https://migrate-dop[dot]org/
Welcome to DOP-v2 — a stronger, smarter, and more rewarding chapter begins today.
Thank you for being part of this journey.
The DOP Team

Some of the malicious pages we discovered in this campaign masquerade as the websites of antivirus or password management applications. Their content is clearly designed to scare the user with fake warnings about some kind of security issue.

So, the attackers are also leveraging a well-known tactic known as scareware: foisting an unsafe application on users under the guise of protection against an imaginary threat.

Fake websites built with Lovable

Despite differences in content, the fake websites involved in this malicious campaign share several common features. For starters, their addresses are most often constructed according to the formula: {popular app name} + desktop.com — a URL that closely matches an obviously common search query.

Besides, the fake pages themselves look quite professional. Interestingly, the appearance of the fake sites doesn’t exactly replicate the design of the originals — these are not direct clones. Rather, they are very convincing variations on a theme. As an example, we can look at some fake versions of the Lace crypto wallet page. One of them looks like this:

And the other looks like this:

The original Lace website looks a lot like these fakes, but it still differs from them in many obvious ways:

It turns out the attackers have weaponized an AI-powered web builder to create fake pages. Because the attackers cut corners and inadvertently left a few tell-tale artifacts, we managed to identify the exact service they are leveraging: Lovable.

Using an AI tool allowed them to significantly reduce the time required to create a fake, thereby churning out forgeries on an industrial scale.

Syncro remote administration tool

Another common feature of the fake sites involved in this campaign is that they all distribute the exact same payload. The malicious actor neither created their own Trojan nor bought one off the black market. Instead, they are using their own build of a perfectly legitimate remote access tool, Syncro.

The original app facilitates centralized monitoring and remote access for corporate IT support teams and managed service providers (MSPs). Syncro services are relatively inexpensive, starting at $129 per month with an unlimited number of managed devices.

At the same time, the tool possesses serious capabilities: in addition to screen sharing, the service also provides remote command execution, file transfer, log analysis, registry editing, and other background actions. However, Syncro’s main appeal is a simplified installation and connection process. The user — or, in this case, the victim — only has to download and run the installation file.

From that point, the installation runs completely in the background, secretly loading a malicious Syncro build onto the computer. Because this build has the attacker’s CUSTOMER_ID hardcoded, they instantly gain full control over the victim’s machine.

Once Syncro is installed on the victim’s device, the attackers gain full access and can use it to achieve their objectives. Given the context, these appear to be stealing crypto wallet keys from victims and siphoning off funds into the attackers’ own accounts.

How to protect yourself against these attacks

This malicious campaign poses a heightened threat to users for two main reasons. First, the fake sites crafted with the AI service look quite professional, and their URLs aren’t overly suspicious. Of course, both the design of the fake pages and the domains used differ noticeably from the real ones, but this only becomes apparent in direct comparison. At a glance, however, it’s easy to mistake the fake for the original.

Second, the attackers are using a legitimate remote access tool to infect users. This means that detecting the infection can be difficult.

Our security solution has a special verdict, Not-a-virus for cases like this. This verdict is assigned, among other things, when various remote access tools — including the legitimate Syncro — are detected on the device. As for Syncro builds used for malicious purposes, our security solution detects them as HEUR:Backdoor.OLE2.RA-Based.gen.

It’s important to remember that an antivirus won’t block all legitimate remote administration tools by default to avoid interfering with intentional usage. Therefore, we recommend that you pay close attention to notifications from your security solution. If you see a warning that Not-a-virus software has been detected on your device, take it seriously and, at the very least, check which application triggered it.

If you have Kaspersky Premium installed, use the Remote Access Detection feature — and, if necessary, the app removal option — that come with your premium subscription. This feature detects around 30 of the most popular legitimate remote access applications, and if you know you didn’t install them yourself, that is cause for concern.

Further recommendations:

• Don’t download applications from dubious sources, especially on devices with financial or crypto apps installed.
• Always double-check the addresses of the pages you’re visiting before performing any potentially dangerous actions like downloading an app or entering personal data.
• Pay close attention to warnings from the antivirus and anti-phishing defenses built into our security solutions.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

This week, we explore how advances in agentic AI are rapidly transforming the cyber crime business. 

Agentic AI programming gives AI agents autonomy, allowing them to interact with external systems to collect information, make decisions with the help of a generative AI system, and then effect changes in the external environment. The activity takes place through various APIs according to the instructions provided to the agent and in the context of a defined workflow.  

The advantage for human operators is that these systems can efficiently execute routine activities that would otherwise require accessing multiple systems. Essentially, the AI agent acts as a trusted assistant who is able to get on with things with minimal supervision while the human operator can focus on other things. 

As this approach brings advantages to the legitimate economy, so it brings similar efficiencies to the cyber crime economy. More recently, the publication of the discovery of the first AI-orchestrated cyber campaign should give us pause. It signals a new era for cybersecurity teams. 

We’re entering a time when we can expect to see much experimentation and innovation with AI in both the legitimate and cyber crime economies. AI can act as a force enabler, making tasks easier and faster to perform. Similarly, AI can lower barriers to entry, allowing lower skilled actors to perform tasks that they lack the skills to perform. While AI does not bring new capabilities, it can make existing capabilities easier to execute. However, AI systems still require skillful instruction and supervision. 

AI is not infallible, it gets things wrong, and it is prone to inventing nonsense. When it does go off the rails, a human needs to step in and resolve the situation. This is not necessarily easy to do and may prove tricky for low-skilled threat actors. 

Don’t be discouraged: We can also leverage these developments to our advantage. Defensive teams can write their own agentic systems to find and fix weaknesses in their own systems before malicious actors identify them. We can deploy honeypot systems designed to be found by malicious AI systems, engage with them and tie up their resources. 

The threat landscape has never been static. While AI does make some tasks more accessible to threat actors, it is a double-edged sword and also brings opportunities to defenders.

The one big thing 

Cisco Talos has introduced new features for Snort3 users within Cisco Secure Firewall. A new “Severity” rule group allows you to organize detection rules by CVSS-based vulnerability severity (low, medium, high, critical). This allows teams to better prioritize and manage rules according to risk and urgency. You can also select rules based on vulnerability age (e.g., last 2, 5, or 10 years). 

Why do I care? 

This update allows you greater flexibility and control. It makes it simpler to maintain consistent, targeted detection coverage, whether you’re running large, distributed networks or smaller environments with tailored security priorities. 

So now what? 

Review your current Snort3 rule configurations in Cisco Secure Firewall and consider adopting the new Severity and time-based grouping features. By tailoring rule sets to your organization’s specific risk tolerance and patching cycles, you can optimize detection coverage, streamline management, and better protect your environments.

Top security headlines of the week 

Critical railway braking systems open to tampering 
Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. (Dark Reading) 

EchoGram flaw bypasses guardrails in major LLMs 
A flaw discovered in early 2025 and dubbed EchoGram allows simple, specially chosen words or code sequences to completely trick the automated defences, or guardrails, meant to keep the AI safe. (HackRead) 

Over 67,000 fake npm packages flood registry in worm-like spam attack  
The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods Worm. The bogus packages masquerade as Next.js projects. (The Hacker News) 

Cornerstone Staffing ransomware attack leaks 120,000 resumes, claims Qilin gang 
The notorious Qilin gang posted the industry-leading recruitment agency on its dark leak blog last Thursday. The group claims to have exfiltrated 300GB of sensitive information from Cornerstone. (Cybernews) 

Surveillance tech provider Protei was hacked, its data stolen, and its website defaced 
It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8 and restored soon after. (TechCrunch)

Can’t get enough Talos? 

The TTP: How Talos built an AI model into one of the internet’s most abused layers 
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet). 

Humans of Talos: On epic reads, lifelong learning, and empathy 
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.

Unleashing the Kraken ransomware group 
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.

Upcoming events where you can find Talos 

• DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: ck8yh2og.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
Example Filename: f_0008d7.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

Cisco Talos Blog – ​Read More