Cisco Talos Blog

February 27, 2024 08:00

TimbreStealer campaign targets Mexican users with financial lures

Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

February 22, 2024 08:00

TinyTurla-NG in-depth tooling and command and control analysis

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

February 20, 2024 08:00

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

February 15, 2024 08:00

TinyTurla Next Generation - Turla APT spies on Polish NGOs

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

February 14, 2024 08:00

How are attackers using QR codes in phishing emails and lure documents?

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.

February 8, 2024 08:00

New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization

Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”

December 11, 2023 08:50

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

November 30, 2023 08:00

New SugarGh0st RAT targets Uzbekistan government and South Korea

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

November 2, 2023 07:58

Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.