Blog

Cisco Talos Network Intrusion Prevention Service (Talos IPS, also known as Snort), delivers advanced, real-time network protection by monitoring and analyzing traffic at the packet level. By combining comprehensive rule-based detection with behavior-based analysis, Talos IPS identifies and blocks malicious traffic—vulnerability exploitation attempts, malware traffic, SQL injections, and reconnaissance and exfiltration traffic—all before new or emerging threats can compromise systems.

May 14, 2026 12:02

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.

By Cisco Talos
Threat Advisory
May 5, 2026 06:00

UAT-8302 and its box full of malware

Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.

By Jungsoo An, Asheer Malhotra, Brandon White
APT Threat Spotlight
May 5, 2026 06:00

CloudZ RAT potentially steals OTP messages using Pheno plugin

Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”

By Alex Karkins, Chetan Raghuprasad
Threat Spotlight RAT
April 23, 2026 11:10

UAT-4356's Targeting of Cisco Firepower Devices

Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices.

By Cisco Talos
Threat Advisory Threats APT
April 16, 2026 06:00

PowMix botnet targets Czech workforce

Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”

By Chetan Raghuprasad
Threat Spotlight
April 3, 2026 13:00

Axios NPM supply chain incident

Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure.

By Nick Biasini
Threat Advisory
April 2, 2026 06:00

UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications

Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.”

By Asheer Malhotra, Brandon White
Threat Spotlight malware
April 2, 2026 06:00

Qilin EDR killer infection chain

This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems.

By Takahiro Takeda, Holger Unterbrink
Threat Spotlight Reverse Engineering malware
March 5, 2026 06:00

UAT-9244 targets South American telecommunication providers with three new malware implants

Cisco Talos is disclosing UAT-9244, who we assess with high confidence is a China-nexus advanced persistent threat (APT) actor closely associated with Famous Sparrow.

By Asheer Malhotra, Brandon White
APT malware
February 26, 2026 06:00

New Dohdoor malware campaign targets education and health care

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”

By Alex Karkins, Chetan Raghuprasad
Threat Spotlight
February 25, 2026 11:13

Active exploitation of Cisco Catalyst SD-WAN by UAT-8616

Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.

By Cisco Talos
Threat Advisory
February 10, 2026 19:00

New threat actor, UAT-9921, leverages VoidLink framework in campaigns

Cisco Talos recently discovered a new threat actor, UAT-9221, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink.

By Nick Biasini, Aaron Boyd, Asheer Malhotra, Vitor Ventura
Threat Advisory
February 5, 2026 06:00

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants.

By Ashley Shen
Threat Spotlight
January 29, 2026 06:00

Dissecting UAT-8099: New persistence mechanisms and regional focus

Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam.

By Joey Chen
January 15, 2026 06:00

UAT-8837 targets critical infrastructure sectors in North America

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.

By Asheer Malhotra, Vitor Ventura, Brandon White
Threat Spotlight
January 8, 2026 06:00

UAT-7290 targets high value telecommunications infrastructure in South Asia

Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of advanced persistent threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia.

By Asheer Malhotra, Vitor Ventura, Brandon White
Threat Spotlight APT malware