Welcome to this week’s Threat Source newsletter. 

The issue of AI in cybersecurity is often portrayed as a binary choice: either a force multiplier for our adversaries, or a tool bringing professional obsolescence. The reality is more nuanced. While AI certainly brings some advantage to attackers, it also offers advantages to the defender, notably in how we manage, index, and derive value from threat intelligence. 

Currently, our industry excels in the use and dissemination of indicators of compromise (IOCs). These atomic indicators fit neatly into key-value data stores and their value can be enhanced with added context, neatly structured in STIX/MISP format. However, this is only the tactical layer. 

Ultimately, we want the consumers of threat intelligence reports to develop their knowledge and to build a picture of the relevance of the threat to their own situation, along with understanding of how they can respond given their resources and constraints. This capability is conferred by the natural language found within strategic and operational intelligence briefings. 

These reports provide the context required for meaningful response, yet they remain notoriously difficult to index. We are often left with disparate incident reports, darknet monitoring, and malware analysis that fail to cross-reference effectively, further complicated by inconsistent naming conventions for threat actors. 

This is a problem that large language models (LLMs) may be able to solve. Although AI models have no real understanding of an issue, they can identify synonyms and relate entities across vast, unstructured datasets. This can only make the retrieval of relevant threat intelligence reports easier, and facilitate the generation of relevant advice to protect against threats. 

There are still issues to resolve. We need to be vigilant regarding the veracity of the data that LLMs ingest, and of the confidentiality of the queries made of such a system. However, the development of personal, domain-specific LLMs offers the possibility of a world of integrated threat intelligence where relevant reports from disparate sources can be easily retrieved, and specific advice returned to even the vaguest of queries. 

Rather than fearing AI’s potential negative effects on our employment, we can consider AI’s development as a powerful tool that enables access to threat intelligence reports and allows us to provide tailored actionable advice faster to those who need to know it. Ultimately, AI can help us do what we do best: making a difference and making the bad guys’ lives harder. 

The one big thing 

Cisco Talos is highlighting how Windows threats increasingly abuse the Component Object Model (COM) to execute malicious activities. While COM is a fundamental Windows technology for legitimate inter-process communication, malware families like Qakbot and WarmCookie hijack it for lateral movement, persistence, and evasion. Because COM functionality relies on opaque GUIDs and indirect vtable calls, it obscures the attacker's intent and makes manual analysis incredibly labor-intensive. 

Why do I care? 

Threat actors love COM because it provides convenient access to built-in Windows functionality while making static analysis a nightmare. By hiding malicious behavior behind indirect function calls, attackers easily bypass basic scrutiny and blend in with legitimate system processes. Adversaries are effectively turning Windows' own architecture against itself. If analysts aren't prioritizing COM during triage, they are likely missing critical pieces of the infection chain. 

So now what? 

Defenders must sharpen their skills in recognizing COM usage and translating evidence like ProgIDs and vtable offsets into human-readable actions. Leverage specialized tools like OleView.NET, IDA’s COM Helper, and DispatchLogger to map anonymous indirect calls to clear behaviors. Security teams should also build static hunting logic to track these threats. You can find a simplified YARA hunting rule for binaries referencing the Task Scheduler COM class in the full blog post. 
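As an added example (not code from the Talos post), the kind of static hunting logic described above, in Python: it converts a COM class GUID into the little-endian byte layout a compiled binary actually stores, renders that layout as a YARA hex string, and scans constructed sample bytes for the raw CLSID, its brace-string form and its ProgID. The Task Scheduler CLSID and ProgID values are assumed from the Windows SDK header (taskschd.h), not taken from the newsletter.

```python
import uuid

# Task Scheduler 2.0 COM class: CLSID_TaskScheduler from taskschd.h and its ProgID.
# The newsletter names the class but not its GUID; the value is assumed from the SDK header.
CLSID_TASK_SCHEDULER = "0F87369F-A4E5-4CFC-BD3E-73E6154572DD"
PROGID_TASK_SCHEDULER = "Schedule.Service"


def guid_to_bytes(guid_text):
    """16-byte in-memory GUID layout as a compiled binary stores it: Data1, Data2 and
    Data3 little-endian, Data4 as written. This is the form CoCreateInstance receives."""
    return uuid.UUID(guid_text).bytes_le


def yara_hex_pattern(guid_text):
    """Render the binary layout as a YARA hex string for a rule's strings section."""
    return "{ " + " ".join(f"{b:02X}" for b in guid_to_bytes(guid_text)) + " }"


def com_class_indicators(guid_text, progid):
    """Byte patterns a binary may carry when it instantiates this class: the raw GUID
    passed to CoCreateInstance, the brace-string form handed to CLSIDFromString, or the
    ProgID handed to CLSIDFromProgID (each string in ASCII and UTF-16LE)."""
    brace = "{" + guid_text + "}"
    return {
        "clsid_binary": guid_to_bytes(guid_text),
        "clsid_ascii": brace.encode("ascii"),
        "clsid_utf16": brace.encode("utf-16-le"),
        "progid_ascii": progid.encode("ascii"),
        "progid_utf16": progid.encode("utf-16-le"),
    }


def find_com_references(data, guid_text=CLSID_TASK_SCHEDULER, progid=PROGID_TASK_SCHEDULER):
    """Return {indicator name: first offset} for every indicator present in the bytes."""
    hits = {}
    for name, pattern in com_class_indicators(guid_text, progid).items():
        offset = data.find(pattern)
        if offset != -1:
            hits[name] = offset
    return hits


# Constructed stand-ins for data sections of three binaries (not real samples).
SAMPLE_RAW_CLSID = b"\x00" * 8 + guid_to_bytes(CLSID_TASK_SCHEDULER) + b"\x00" * 8
SAMPLE_PROGID = b"MZ" + b"\x00" * 14 + PROGID_TASK_SCHEDULER.encode("utf-16-le") + b"\x00\x00"
SAMPLE_CLEAN = b"MZ" + b"\x00" * 30

if __name__ == "__main__":
    for label, blob in (("raw clsid", SAMPLE_RAW_CLSID), ("progid", SAMPLE_PROGID), ("clean", SAMPLE_CLEAN)):
        print(label, find_com_references(blob))
    print(yara_hex_pattern(CLSID_TASK_SCHEDULER))
```

The same scan applied to a real PE's data sections is one quick triage signal; a hit only tells you the class is referenced, so the call sites still need the vtable-offset mapping the post describes.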

Top security headlines of the week 

FortiBleed campaign used custom FortiGate sniffer to steal credentials 
Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials. (BleepingComputer) 

Scattered Spider hackers plead guilty on Day 1 of trial 
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyber attack affecting Transport for London, the entity responsible for the public transport network in the Greater London area. (Krebs on Security) 

Klue says hackers stole credential from 2022 that led to customer data breaches 
Market research company Klue has confirmed that a credential dating back to 2022, which was part of a limited pilot, was used by hackers earlier this month to steal data from its corporate customers, including several cybersecurity companies. (TechCrunch) 

New exploit bypasses Apple’s boot defenses, affects millions of iPhones 
Baked permanently into the device’s SoC, SecureROM is the first code an iPhone runs on startup and the foundation of Apple’s entire secure boot chain. The exploit chains a USB controller bug and a device firmware configuration weakness. (SecurityWeek) 

Windows 11 KB5095093 update rolls out new Point-in-Time restore feature 
This update introduces numerous new features, including a standout Point-in-Time Restore feature that allows Windows users to easily roll back their operating system, applications, and files to a previous point in time. (BleepingComputer) 

Can’t get enough Talos? 

AI is finding bugs faster. Now what? 
In this episode of Beers with Talos, the team is joined by Nick Biasini to unpack what attackers are doing with AI-assisted vulnerability discovery, review FIFA World Cup threat trends, and phish the Pope. 

Patching in the dark: Managing unknown threats in complex environments 
If you're tired of being told to "just patch," we understand. Amy and Pierre explore the logistical, technical, and business realities that make patching a complex, high-stakes operation rather than a simple button click — and break down the things defenders often miss that build true resilience in organizations. 

Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting 
Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 
