Cisco Talos Blog

September 19, 2023 08:00

New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants

Cisco Talos has discovered a new intrusion set we're calling "ShroudedSnooper" consisting of two new implants "HTTPSnoop" and "PipeSnoop" targeting telecommunications firms in the middle-east.

August 29, 2023 08:00

What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS

Confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

August 24, 2023 08:04

Lazarus Group's infrastructure reuse leads to discovery of new malware

Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.

August 24, 2023 08:02

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

August 7, 2023 08:00

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.

July 13, 2023 06:45

Malicious campaigns target government, military and civilian entities in Ukraine, Poland

Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.

June 13, 2023 08:03

".Zip" top-level domains draw potential for information leaks

As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server

June 1, 2023 08:00

New Horabot campaign targets the Americas

Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020.

May 25, 2023 08:02

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).