8 / 10 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Welcome to this week's edition of the Threat Source newsletter.
As summer retreats into the rear-view mirror, I'd like to take a moment to reflect on one of my favorite things about the cybersecurity profession: the community. Earlier this month, I attended _Black Hat USA 2025_ and _DEF CON 33_ in scalding hot Las Vegas, NV. We often refer to it as "hacker summer camp," where all the security nerds of various stripes congregate to eat, drink, party, hack and reforge or make new bonds of fellowship with other awesome hackers. Hacker summer camp is, simply put, a whirlwind of activity, from the talks to see, villages to visit, parties to attend, and knowledge to gain. In 5 days, I think I walked almost 30 miles. By the end I was exhausted, but happy to have learned so much and see many of my hacker friends.
For all the fun and learning you can have at summer camp, it's a very privileged position to be able to attend. Las Vegas is _not a cheap town_. Hotels, flights and food -- everything, really -- is more expensive than average. A Black Hat badge is $1,000+, and DEF CON $500+. If you're new to this space and early in your career, or your company doesn't have the money to send you, the FOMO can be real. Earlier in my career, getting the opportunity to visit hacker summer camp -- either with my company covering my costs or me paying out of pocket -- wasn't going to happen.
I bring this up not to flex that I went to BH/DEF CON, but to tell you that as good as those conferences are, there is __so much more__. Do not be daunted by what is inaccessible, but know that there are other conferences out there for like-minded hackers who want to learn and share knowledge with you, wherever you are in the world. Are you in high school? I promise you there are _clubs and organizations_ there to help you. College? There are student clubs and organizations there that will welcome you. And if you're looking for projects and _contests_, there are quite a few out there. And _hackathons_? _I got you covered_, fam.
It's also important to know that there are smaller information security conferences around the world. Perhaps the most popular and usually super local is BSides. _Check them out_ -- their website has a calendar that might have one local to you.
Infosec is as much a calling as it is a career. You were drawn to this space for a reason -- and finding friends and colleagues who match your vibe is important both to grow as a human and to maintain a healthy relationship with this industry, especially one that's notoriously capable of burning you out. We as humans are social creatures, and we need social interaction, even if it's in limited doses (I see you, introverts). Our professions are a natural magnet to pull others into our orbit. I can tell you so many of the things that I consider personal career milestones happened because I talked with fellow security practitioners over drinks or a meal, and something _truly wonderful happened_.
So go find your people, lean into the things you are a total security nerd about, and enjoy the fellowship and growth. You'll be all the better for it.
## The one big thing
Last week, _Talos shared that ransomware attacks in Japan_ surged by about 1.4 times in the first half of 2025, with small and medium-sized companies (especially manufacturing) being the hardest hit. The Qilin group was the most active, and a new player, "Kawa4096," also began targeting Japanese businesses. Even though some major ransomware groups were shut down, new threats are quickly taking their place.
### Why do I care?
The ransomware landscape is always changing, and it often highlights vulnerabilities in small and mid-sized businesses in critical industries like manufacturing. With new ransomware groups like Kawa4096 emerging and techniques evolving, the risks are growing, and attackers are finding new ways to target organizations that may not have strong defenses.
### So now what?
While small- to mid-size manufacturing companies are the most targeted in Japan, it's important for all businesses to stay updated on threats, invest in cybersecurity, and train their teams to spot suspicious activity. ClamAV detections are also available in the _blog_.
## Top security headlines of the week
**Organizations warned of exploited Git vulnerability**
The US cybersecurity agency CISA on Monday warned that the flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is an arbitrary file write during the cloning of repositories with submodules that use a 'recursive' flag. (_SecurityWeek_)
**CISA updates SBOM recommendations**
The document is primarily meant for federal agencies, but CISA hopes businesses will also use it to push vendors for software bills of materials. (_Cybersecurity Dive_)
**AI-powered ransomware: "PromptLock"**
Although it has not yet been observed in active cyberattacks, the researchers said the PromptLock ransomware appears to be under development and nearly ready to be unleashed onto the threat landscape. (_Dark Reading_)
**Credential harvesting campaign targets ScreenConnect cloud administrators**
The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. (_Cybersecurity Dive_)
**Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data**
A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories. (_TechCrunch_)
## Can't get enough Talos?
* **_State of Identity Security Report_**
Cisco Duo's global survey of 650 Security & Data Ops leaders shows where orgs succeed, and where they're exposed. Download the full report now.
* **_Static Tundra exposed_**
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.
## Upcoming events where you can find Talos
* _BlueTeamCon_ (Sept. 4 - 7) Chicago, IL
* _LABScon_ (Sept. 17 - 20) Scottsdale, AZ
* _VB2025_ (Sept. 24 - 26) Berlin, Germany
## Most prevalent malware files from Talos telemetry over the past week
**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: _https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: _https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details_
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Simple_Custom_Detection
**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: _https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details_
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos
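The file list above is published as free text, but a SOC usually wants it as structured records it can load into a blocklist or hunt query. The following is an added example (not Talos code, and not part of the newsletter) that parses entries in this newsletter's "SHA 256 / MD5 / VirusTotal / Typical Filename / Claimed Product / Detection Name" layout, validates the hash formats, cross-checks that each VirusTotal link actually carries the SHA-256 it sits under, and builds a hash index a defender can query with locally computed digests. The sample text is the three entries from this page; the bytes fed to `lookup_bytes` are a constructed placeholder that is not expected to match anything.

```python
import hashlib
import re

# Constructed sample: the three entries from this week's newsletter,
# pasted as plain text (markdown emphasis markers included on purpose).
SAMPLE_IOC_TEXT = """
**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: _https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 **
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: _https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details_
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Simple_Custom_Detection
**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca **
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: _https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details_
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Label variants seen on the page, normalised to one field name each.
FIELD_MAP = {
    "sha 256": "sha256",
    "sha256": "sha256",
    "md5": "md5",
    "virustotal": "virustotal",
    "typical filename": "filename",
    "claimed product": "product",
    "detection name": "detection",
}


def parse_iocs(text):
    """Parse newsletter-style IoC entries into a list of dicts.

    A SHA-256 line starts a new entry; every other recognised label is
    attached to the entry currently being built. Raises ValueError on a
    malformed hash or a VirusTotal link that does not contain the entry's
    own SHA-256 (a copy/paste error worth catching before ingestion).
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().strip("*_ ")
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        field = FIELD_MAP.get(key.strip().lower())
        if field is None:
            continue
        value = value.strip().strip("*_ ")
        if field == "sha256":
            current = {}
            entries.append(current)
        if current is None:
            raise ValueError(f"field {field!r} appeared before any SHA 256 line")
        current[field] = value.lower() if field in ("sha256", "md5") else value

    for entry in entries:
        if not SHA256_RE.match(entry.get("sha256", "")):
            raise ValueError(f"bad SHA-256: {entry.get('sha256')!r}")
        if "md5" in entry and not MD5_RE.match(entry["md5"]):
            raise ValueError(f"bad MD5: {entry['md5']!r}")
        if "virustotal" in entry and entry["sha256"] not in entry["virustotal"]:
            raise ValueError(f"VirusTotal link does not match SHA-256 {entry['sha256']}")
    return entries


def build_index(entries):
    """Map every known SHA-256 and MD5 to its entry for O(1) lookups."""
    index = {}
    for entry in entries:
        index[entry["sha256"]] = entry
        if "md5" in entry:
            index[entry["md5"]] = entry
    return index


def lookup_bytes(data, index):
    """Hash a file's bytes with both algorithms and return the matching entry, or None."""
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return index.get(sha256) or index.get(md5)


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOC_TEXT)
    idx = build_index(iocs)
    for ioc in iocs:
        print(ioc["sha256"], ioc["filename"], ioc["detection"])
    # Constructed placeholder bytes, not a real sample: expected to miss.
    print(lookup_bytes(b"placeholder bytes, not a real sample", idx))
```

The cross-check between the VirusTotal link and the SHA-256 is the part that earns its keep: when a newsletter entry is transcribed by hand, the link and the hash can drift apart, and a blocklist built from the wrong one silently misses the file.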
Basic Information
ID: TALOSBLOG:143856C8B230CB2AC76787734D246A76
Published: Aug 28, 2025 at 18:00