All news with #mimikatz tag

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

UAT-7237 Targets Taiwanese Web Hosting Infrastructure

🔍 Cisco Talos describes UAT-7237, a Chinese‑speaking APT active since 2022 that compromised a Taiwanese web hosting provider to establish long‑term persistence. The actor relies largely on open‑source tooling, customized utilities and a tailored shellcode loader tracked as SoundBill, which can decode and execute Cobalt Strike beacons. UAT-7237 favors SoftEther VPN and RDP for access rather than mass web‑shell deployment. Talos provides IOCs and mitigation guidance for detection and blocking.