Welcome to this week’s edition of the Threat Source newsletter.  

“It takes very little to govern good people. Very little. And bad people can’t be governed at all. Or if they could, I never heard of it.” ― Cormac McCarthy, No Country for Old Men 

Most of my career has been built on dichotomy: striving to be a supportive teammate while also pushing every boundary in front of me. I've often been told to “never do X, only do Y,” but I’ve invariably chosen to do X anyway (even when fraught with peril) to get to the deeper answer. For years, I was told that I should perform in certain ways — instead of in ways that made sense for my brain and way of learning. 

I wasn’t governable, but I wasn’t bad. Just ... challenging. While Sheriff Ed Tom Bell’s view of good vs. bad is compelling, maybe our careers should be defined as “acquiescent” vs. “challenging.” It’s less of an existential crisis that way. 

Over the past few years, I’ve been enjoying the mentoring aspect of my career. One of the things that I love to share with people is that being ungovernable is very challenging early in career; it’s not a favorite of middle management, but it can take you to places that you really want to be (i.e., Talos). The road is going to be longer and much bumpier than your governable cohort’s, but this is the long con. 

The path to Talos was long and arduous, but I've learned to make my career choices through the lens of the axiom, “If you’re the smartest person in the room, you’re in the wrong room.” It's been the only guidepost I’ve needed. I don’t know that it applies to everyone, because everyone is unique, but it absolutely helps me decide what I want to learn, what I want to dive into, who I want to surround myself with. 

The secret lies in the last comment — it's the people. If you continue to search for the smartest people in the room, you’ll find it and when you do, you’ll find that you aren’t ungovernable — rather, you’re understood. Be ungovernable (but kind) in the short term, find new ways to solve problems, think around solutions in new ways, program in different languages, and be the person in the meeting that says, “I think we should do Y instead, and here’s why.” 

I suspect that this is the same approach many of you already take in your daily roles when identifying threats vs. benign activity, choosing your pivots in hunting, or deciding the priorities in device replacement. It’s a natural direction for the intellectually curious, so be kind, but ungovernable. 

“The future of intelligence must be about search, while the future of ignorance must be about the inability to evaluate information.” ― Patricia Lockwood, No One Is Talking About This 

The one big thing 

Cisco Talos has recently discovered a commodity BadIIS malware variant fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups. Identifiable by its embedded "demo.pdb" strings, this toolset boasts a multi-year development cycle complete with builder tools and persistence mechanisms. Threat actors are leveraging this robust framework to easily execute malicious search engine optimization (SEO) fraud, hijack server content, and redirect traffic to illicit sites. 

Why do I care? 

This is a highly active, commercially driven malware ecosystem. The author constantly pushes rapid updates to introduce new features and actively evade specific security vendors, making it a persistent headache for defenders. Because this BadIIS variant is sold as a commodity tool, it lowers the barrier to entry for cybercriminals, leading to widespread attacks that silently hijack server traffic without triggering obvious alarms. 

So now what? 

Defenders should actively monitor IIS environments for unauthorized traffic redirection, unexpected reverse proxying, or sudden spikes in "503 Service Unavailable" errors. Threat hunting efforts should also target the distinct "demo.pdb" strings and associated Chinese-language folder paths within IIS binaries. Ensure your endpoint detection solutions are updated to catch these reactive evasion tactics, and read the full blog for complete coverage and indicators of compromise (IOCs). 
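The two concrete hunting leads above (a spike in 503 responses in IIS logs, and the "demo.pdb" debug string inside an IIS module) can be turned into a small script. The following is an added example, not code from Talos or from the blog post; the IIS W3C log lines and the two "module" byte strings are constructed for the demonstration, and the PDB extraction relies on the standard CodeView RSDS record layout (the bytes `RSDS`, a 16-byte GUID, a 4-byte age, then a NUL-terminated path) rather than on anything specific to the BadIIS samples.

```python
"""Hunting helpers for the two BadIIS indicators named above:
503 spikes in IIS W3C logs and a 'demo.pdb' path inside a module.
Added example; sample inputs are constructed, not real telemetry."""
from collections import Counter

PDB_SUFFIX = "demo.pdb"

# Constructed IIS W3C extended log excerpt (default field order).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 12
2024-01-01 10:00:05 10.0.0.5 GET /about - 80 - 192.0.2.11 Mozilla/5.0 - 200 0 0 8
2024-01-01 10:01:02 10.0.0.5 GET /index.html - 80 - 192.0.2.12 Mozilla/5.0 - 503 0 0 3
2024-01-01 10:01:03 10.0.0.5 GET /index.html - 80 - 192.0.2.13 Mozilla/5.0 - 503 0 0 3
2024-01-01 10:01:04 10.0.0.5 GET /index.html - 80 - 192.0.2.14 Mozilla/5.0 - 503 0 0 2
2024-01-01 10:01:05 10.0.0.5 GET /products - 80 - 192.0.2.15 Mozilla/5.0 - 503 0 0 2
2024-01-01 10:02:00 10.0.0.5 GET /index.html - 80 - 192.0.2.16 Mozilla/5.0 - 200 0 0 10
"""

# Constructed stand-ins for module images: a fake header followed by a
# CodeView RSDS debug record.  Neither is a real PE file.
SUSPECT_MODULE = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"C:\\build\\demo.pdb\x00"
    + b"\x00" * 16
)
BENIGN_MODULE = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + b"\x22" * 16 + b"\x02\x00\x00\x00"
    + b"C:\\src\\mymodule.pdb\x00"
)


def parse_w3c_log(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-aligning columns
        records.append(dict(zip(fields, values)))
    return records


def find_503_spikes(records, threshold):
    """Return minute buckets ('YYYY-MM-DD HH:MM') with at least `threshold` 503s."""
    per_minute = Counter()
    for rec in records:
        if rec.get("sc-status") == "503":
            per_minute[f"{rec['date']} {rec['time'][:5]}"] += 1
    return sorted(minute for minute, n in per_minute.items() if n >= threshold)


def extract_pdb_paths(blob):
    """Return every PDB path found in CodeView RSDS records inside `blob`."""
    paths = []
    pos = 0
    while True:
        idx = blob.find(b"RSDS", pos)
        if idx < 0:
            break
        path_start = idx + 4 + 16 + 4  # signature + GUID + age
        end = blob.find(b"\x00", path_start)
        if end < 0:
            break
        paths.append(blob[path_start:end].decode("latin-1"))
        pos = idx + 4
    return paths


def has_demo_pdb(blob):
    """True if any embedded PDB path ends with the 'demo.pdb' marker."""
    return any(p.lower().endswith(PDB_SUFFIX) for p in extract_pdb_paths(blob))


if __name__ == "__main__":
    print("503 spike minutes:", find_503_spikes(parse_w3c_log(SAMPLE_LOG), 3))
    print("suspect module PDB paths:", extract_pdb_paths(SUSPECT_MODULE))
    print("suspect flagged:", has_demo_pdb(SUSPECT_MODULE))
    print("benign flagged:", has_demo_pdb(BENIGN_MODULE))
```

In practice, feed `parse_w3c_log` the contents of the site's `u_ex*.log` files and `extract_pdb_paths` the bytes of each native module registered in IIS; the 503 threshold is a per-site tuning decision, since backend outages also produce 503 bursts, so treat a spike as a pivot point rather than a verdict.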

Top security headlines of the week 

CISA exposes secrets, credentials in “private” repo 
A researcher discovered a public GitHub repository belonging to CISA that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. (Dark Reading) 

NYC Health + Hospitals says hackers stole medical data and fingerprints, affecting at least 1.8 million people 
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. (TechCrunch) 

Bug bounty businesses bombarded with AI slop 
Companies that pay hackers to find flaws in their software are being inundated with low-quality (often false) reports generated by AI, forcing some to suspend the programs altogether. (Ars Technica) 

Four OpenClaw flaws enable data theft, privilege escalation, and persistence 
The vulnerabilities, collectively dubbed Claw Chain, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. (The Hacker News) 

New NGINX vulnerability allows remote attackers to trigger malicious code 
A new vulnerability in NGINX JavaScript (njs) allows unauthenticated remote attackers to trigger a heap‑based buffer overflow that can lead to denial‑of‑service and, in some conditions, remote code execution in the NGINX worker process. (Cyber Security News) 

Can’t get enough Talos? 

TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities 
Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN. The vulnerabilities have been patched by their respective vendors. 

Webinar: AI found the problem. Now what? 
Experts from Talos and Cisco Security will examine how AI is changing the game for both defenders and well-resourced adversaries, and why the most persistent risks often remain rooted in unpatched legacy systems. 

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a  
MD5: 362498c3e71eeaa066a67e4a3f981d1c  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a  
Example Filename: TunMirror.exe  
Detection Name: PUA.Win.Tool.Tunmirror::1201 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f  
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f  
Example Filename: SECOH-QAD.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd  
MD5: 0f03f72a92aef6d63eb74e73f8ac201d  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd  
Example Filename: KMSSS.exe  
Detection Name: PUA.Win.Tool.Hackkms::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201