< ciso
brief />
Tag Banner

All news with #threat research tag

91 articles · page 2 of 5

Analysis: Fast16 Malware Targeted Nuclear Simulations

🔎 Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cm³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.
read more →

TCLBANKER Trojan Targets 59 Brazilian Financial Services

🛡️Elastic Security Labs has detailed a previously undocumented Brazilian banking trojan named TCLBANKER, tracked as REF3076, which targets 59 banks, fintechs and cryptocurrency platforms. The campaign appears to be a major evolution of the Maverick family and bundles a robust loader, a full-featured trojan, and a worm that propagates via WhatsApp Web and Outlook. The loader abuses a signed Logitech installer and uses DLL side-loading, anti-analysis checks, and environment-gated payload decryption to evade detection.
read more →

Adaptive SIEM Correlation: Moving Beyond Static Rules

🔍 Traditional SIEM logic — fixed rules that match event A followed by event B — is increasingly insufficient against modern, sophisticated threats that use legitimate tools and supply-chain vectors. Kaspersky describes a shift to continuously updated correlation content informed by its MDR service and threat research. In 2025 the team delivered dozens of updates and hundreds of new or refined rules, and now maintains over 850 rules mapped to MITRE ATT&CK. Integration with Kaspersky EDR and expanded telemetry helps detect multi-stage attack chains and reduce false positives.
read more →

Inside Department 4: Russia's Secret Hacker School

🔍 A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.
read more →

World Economic Forum: AI, Deepfakes, and Cyber Defense

🔐 At the World Economic Forum Annual Meeting on Cybersecurity 2026, Fortinet highlighted how AI and deepfakes are reshaping attack surfaces, with identity now a primary vector and attackers operating in structured, continuous campaigns. Discussions stressed that AI accelerates reconnaissance and exploitation while defenders contend with fragmentation, governance gaps, and inconsistent visibility. Fortinet urged platform consolidation, stronger identity and exposure management, and operationalized public-private collaboration to better align detection with response.
read more →

Frontier AI Defense: Shifting Cybersecurity to Machine Speed

🔒 Palo Alto Networks introduces Frontier AI Defense, a platform initiative designed to counter next-generation, agentic AI threats that can autonomously discover and chain software flaws. Their testing of frontier models (including GPT-5.5-Cyber, Mythos, and Claude Opus 4.7) revealed a step-change in coding capability and attack automation. The program combines Unit 42 expertise, early model access, platform integration, and partner alliances to enable prioritized mitigation and autonomous remediation at machine speed.
read more →

Analysis of Phone Number Clustering and Reuse in Scam Emails

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.
read more →

CrowdStrike Named Leader in Gartner Cyberthreat Intelligence

🔒 CrowdStrike was named a Leader in the inaugural 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies and ranked furthest to the right for Completeness of Vision. The company emphasizes its AI-native Falcon platform and Threat AI agents — including Malware Analysis and Hunt agents — to deliver tailored, actionable intelligence at decision points. It highlights telemetry from trillions of daily events and multiple integration paths to operationalize intelligence.
read more →

CISA Malware Analysis: FIRESTARTER Backdoor on Cisco

🔒 CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.
read more →

New Linux GoGra Backdoor Uses Microsoft Graph API for Comms

🔐 Symantec researchers describe a new Linux variant of the GoGra backdoor that abuses Microsoft Graph API and Outlook mailboxes for stealthy command-and-control. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and polls a mailbox folder named "Zomato Pizza" for base64-encoded, AES-CBC-encrypted commands. A Go-based dropper hides an i386 ELF payload as a PDF and establishes persistence via systemd and an XDG autostart entry mimicking the Conky monitor. Processed commands are encrypted and returned by reply email with the subject "Output," and the original command email is removed to limit forensic visibility.
read more →

New Lotus wiper targets Venezuelan energy and utilities

🔴 Kaspersky researchers analyzed a previously undocumented data-wiping malware, dubbed Lotus, uploaded from a Venezuelan host in mid-December and used in targeted attacks against energy and utility organizations in Venezuela. Before detonation the attacker runs two batch scripts that weaken defenses, change account passwords, log off users, disable network interfaces and run destructive tools like diskpart, robocopy and fsutil to overwrite and fill drives. The Lotus binary then performs low-level IOCTL operations, clears USN journals, deletes restore points and overwrites physical sectors to render systems unrecoverable. Administrators are advised to monitor these precursor activities and maintain offline, validated backups.
read more →

AI Compresses Attack Timelines: Network Resilience Tested

⚠️ Anthropic's reported Claude Mythos marks a shift: AI is compressing attack timelines by accelerating vulnerability discovery, exploit development, and multi-step attack planning. Attackers can now run malware, phishing, and vulnerability exploitation in parallel, reducing time to compromise and widening exposure. This trend demands prevention-first controls and real-time detection to identify and remediate gaps earlier, limiting impact.
read more →

State-Sponsored & Phishing Trends: Printers, M365 Risks

🔍 This podcast episode examines the 2025 Talos Year in Review, highlighting a sharp increase in internal phishing that evades traditional perimeter defenses. Hosts Amy Ciminnisi and Martin Lee explain how Microsoft 365's Direct Send feature has been broadly weaponized to deliver trusted-looking internal mail. They also unpack blended state-sponsored campaigns from China and North Korea that pair zero-day exploitation with advanced social engineering.
read more →

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.
read more →

Handala, CyberAv3ngers and Iran’s Proxy Cyber Ops Activities

🔍 US authorities issued an April 7 advisory warning that Iranian-affiliated APTs could be conducting infrastructural cyberattacks, citing links to 2023 water and wastewater incidents attributed to CyberAv3ngers. The article examines two prominent groups — Handala Hack Team and CyberAv3ngers — and argues they function as proxy or false-flag operations likely tied to Iran’s Ministry of Intelligence. It describes a broader pattern of gray warfare, where state actors obscure involvement to retain plausible deniability while exerting persistent pressure on adversaries.
read more →

Underground Guide: How Threat Actors Vet Stolen Cards

🔍 Flare analysts recovered a forum document, The Underground Guide to Legit CC Shops, that explains how fraud actors vet stolen credit card marketplaces. The guide shifts emphasis from opportunistic card use to disciplined supplier evaluation, offering a technical checklist (domain age, WHOIS, SSL), social‑intel techniques, and strict OPSEC recommendations. It also highlights how shops emulate legitimate e‑commerce (pricing, ticketing, escrow) and warns of commercial bias in endorsed services.
read more →

Securing the AI Era: Google Public Sector Strategy

🔒 Google outlines an AI-focused security strategy for public sector organizations, emphasizing agentic SOCs powered by Gemini agents and Mandiant frontline expertise. The post summarizes 2026 threat trends — compressed attack cycles, prolonged nation-state access, rising voice phishing, and emerging shadow agents — and stresses integrated visibility across code, cloud, and runtime via Security Command Center. It highlights operational gains such as Connecticut reducing investigations from months to hours and previews demonstrations at Google Cloud Next.
read more →

AI Inflection Point: Strategic Imperatives for CISOs

🤖 AI has moved from experimentation into production in security operations, creating a strategic operating-model choice for CISOs: layer AI onto existing workflows or rebuild processes around it. Defenders briefly hold a Cyber AI Parity Window, but advantage favors teams that adopt multi-agent architectures, embed deep contextual integration and measure outcomes in production. Leaders must demand transparency, reliability and workflow redesign to elevate analysts into oversight and strategy roles.
read more →

Qilin Ransomware Surge in Japan 2025: Detection Insights

🔍 In 2025 Japan reported 134 ransomware incidents—a 17.5% increase from 2024—with Qilin responsible for 22 cases (16.4%). Talos highlights Qilin’s growing automation, credential‑based access, and use of an EDR‑killer that targets 300+ drivers and employs locale-based geo‑fencing. The blog focuses on detecting activity during the pre‑ransomware phase (average six days to execution) and shares Sigma/YARA rules plus correlation guidance to reduce false positives.
read more →

Transparent COM Instrumentation for Malware Analysis

🔍 Cisco Talos introduces DispatchLogger, an open-source DLL that transparently instruments late-bound COM (IDispatch) interactions to enhance malware analysis visibility. The tool hooks COM instantiation APIs and returns proxy objects that forward calls while logging method names, parameters, return values, and object relationships. It supports recursive wrapping, enumerator proxies, and moniker handling to reveal high-level automation events often missed by low-level API tracing. Deployment requires injecting the DLL into target processes and preserves COM lifetime and threading semantics.
read more →