# Family group chats: Your (very last) line of cyber defense

Talos Blog (TALOSBLOG)

![Family group chats: Your \(very last\) line of cyber defense](https://blog.talosintelligence.com/content/images/2025/10/threat-source-newsletter.jpg)

Welcome to this week's edition of the Threat Source newsletter, and happy Cybersecurity Awareness Month.

Like everyone under the age of 35 who has at least one father, my dad sends me advice on online safety at least once a week. Does he work in information security? No. He's a recently retired high school audio engineering teacher, who now spends his days touring with a yacht rock cover band and building guitars. But throughout his life, he's been a true Renaissance man. From playing trombone on a Bruce Springsteen tour to building our backyard deck, to Roth IRA advice, to the history of Bell Labs, the breadth of his knowledge astounds me. I actually called him last week to find out just _how long_ I can drive my car before taking it to the mechanic to get the oxygen sensor fixed.

There is one area where I think I have him beat: cybersecurity. Not by a lot, but I think working in Talos has given me an edge -- or, at least, access to people who can tell me how worried I should be about an issue that Facebook is having a field day with.

Still, that doesn't stop him from sending me a steady stream of headlines and warnings. Here are just a few that my dad has sent me:

* **Jan. 31, 2024:** An _NBC news clip_ of former FBI Director Christopher Wray disclosing alarming hacking threats to critical U.S. infrastructure, also mentioning the takedown of Volt Typhoon.
* **Sept. 19, 2024:** An _article_ explaining that if you're shopping online and your credit card gets declined, you may be getting scammed.
* **May 1, 2025:** A _video_ warning that "QR codes in mystery packages could steal your identity."
* **June 22, 2025:** _This video_ about hidden watermarks embedded in AI-generated content. Not nearly as menacing as the others (unless you're a college student trying to coast), but it _is_ fascinating. _This article_ gives a deeper understanding.

Even without deep investigation, these headlines reveal a lot about how cybersecurity anxieties are shared and amplified on social media. It's a cycle that's probably familiar to a lot of us: technology keeps evolving, but the impulse to protect each other never really changes. Whether you're the IT help desk for your family or the one receiving those late-night warnings (or both), every message is a chance to share knowledge, calm fears, and help each other navigate a world that's always shifting under our feet.

So, the next time your dad (or mom, or aunt, or grandma) sends you a link that sounds a little far-fetched, take a moment to appreciate the intent behind it. They might not always get the details right, but their concern is real. In its own way, that's another layer of security.

Breathe in, let it out, and let's dive in.

## The one big thing

_Cisco Talos has uncovered a Chinese-speaking cybercrime group_, UAT-8099, that is hacking into reputable Internet Information Services (IIS) servers in countries like India, Thailand, Vietnam, Canada, and Brazil. Their main goals are to manipulate search results for profit and steal sensitive data, such as credentials and certificates, often using advanced tools and custom malware to avoid detection. The group maintains long-term access to these servers and protects their control from other attackers.

### Why do I care?

Cybercriminals are evolving to target trusted infrastructure for both financial gain and deeper access to valuable data. The use of automation, custom malware, and persistence techniques in this campaign shows UAT-8099 can impact a wide range of organizations.

### So now what?

Review your environments for signs of BadIIS malware, unauthorized web shells and suspicious RDP or VPN activity on IIS servers. Also, strengthen server defenses, monitor for unusual traffic and share indicators of compromise (IOCs) within the security community to help prevent further attacks.
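The three checks above (unexpected IIS modules, dropped web shells, unusual RDP logons) can be scripted for a first-pass triage of an IIS host. The following PowerShell is an added example written for this newsletter, not code from Talos or the UAT-8099 report; it assumes it runs elevated on the server with the WebAdministration module available, and that `$KnownGoodModules` is an allowlist you build from a clean baseline (the three names seeded here are only placeholders).

```powershell
# Added example (not from the Talos post): first-pass triage of an IIS server.
# Assumes: elevated session, WebAdministration module present, and an allowlist
# of native modules taken from a known-clean build of the same server role.
Import-Module WebAdministration

# 1. Native modules not on the allowlist. IIS malware of the BadIIS type is loaded
#    as a native module, so an unlisted entry deserves a SHA256 lookup (for example
#    on the Talos file reputation page) before anyone decides it is benign.
$KnownGoodModules = @('DefaultDocumentModule', 'StaticFileModule', 'AnonymousAuthenticationModule')  # placeholder: replace with your baseline
Get-WebGlobalModule |
    Where-Object { $KnownGoodModules -notcontains $_.Name } |
    ForEach-Object {
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $hash  = if (Test-Path -LiteralPath $image) { (Get-FileHash -Algorithm SHA256 -LiteralPath $image).Hash } else { 'IMAGE MISSING' }
        [pscustomobject]@{ Check = 'NativeModule'; Name = $_.Name; Image = $image; SHA256 = $hash }
    }

# 2. Server-side script files written recently under each site's content root,
#    the usual landing place for a dropped web shell. Widen or narrow the window
#    to match how far back your investigation needs to look.
$since = (Get-Date).AddDays(-30)
Get-Website | ForEach-Object {
    $root = [Environment]::ExpandEnvironmentVariables($_.physicalPath)
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asax -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            ForEach-Object { [pscustomobject]@{ Check = 'RecentScript'; Path = $_.FullName; Modified = $_.LastWriteTime } }
    }
}

# 3. Interactive RDP logons (Security event 4624 with logon type 10) in the same
#    window. Property indexes follow the standard 4624 event layout:
#    5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object { [pscustomobject]@{ Check = 'RdpLogon'; Time = $_.TimeCreated; User = $_.Properties[5].Value; Source = $_.Properties[18].Value } }
```

Each section emits objects with a `Check` field, so the combined output can be piped to `Export-Csv` and compared across servers or against the IOCs Talos publishes for the campaign.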

## Top security headlines of the week

**CISA 2015 cyber threat info-sharing law lapses amid government shutdown**
Defenders have lost the information-sharing liability protection the bill provided, and the government has lost a lot of visibility into threats emerging across the private sector. (_CSO_)

**Cyberattack on JLR prompts £1.5B UK government intervention**
The announcement Sunday says that the support package is meant to "give certainty to its supply chain following a recent cyber-attack." Some experts believe the bailout will encourage cybercriminals to continue targeting UK companies with weak cybersecurity. (_Security Week_)

**Neon pays users to record their phone calls and sells data to AI firms**
Unbelievably, this app was spotted in the No. 2 spot in Apple's U.S. App Store's Social Networking section. Their marketing claims to only record your side of the call unless it's with another Neon user. (_TechCrunch_)

**"Klopatra" trojan makes bank transfers while you sleep**
A sophisticated new banking malware is hard to detect, capable of stealing lots of money, and infecting thousands of people in Italy and Spain, under the guise of a pirate streaming app. (_Dark Reading_)

## Can't get enough Talos?

**_Talos Takes: You can't patch burnout_**
October is Cybersecurity Awareness Month, but what happens when the defenders themselves are overwhelmed? In this powerful episode, Hazel and Joe Marshall get real about why protecting your well-being is just as vital as any technical defense.

**_The TTP: Threat Hunter's Cookbook_**
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco's Foundation AI group), who wrote the Threat Hunter's Cookbook: a collection of practical "recipes" security teams can pick up and apply.

**_Engaging Cisco Talos Incident Response_**
You've called Talos IR about a cyber incident -- now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements.

## Upcoming events where you can find Talos

* _Wild West Hackin' Fest_ (Oct. 8 - 10) Deadwood, SD
* _DEEP Conference_ (Oct. 22 - 23) Petrčane, Croatia

## Most prevalent malware files from Talos telemetry over the past week

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a_
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_
Example Filename: VID001.exe
Detection Name: Win.Worm.Coinminer::1201

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610_
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG

**SHA256: 3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec**
MD5: 5b7948e7ca9742a33be8403b3285a1aa
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=3d8eeb6df4a2d777f18d0f15b19cd9666a78927013b8359c883bff423d9faaec_
Example Filename: onestart.exe
Detection Name: W32.3D8EEB6DF4-95.SBX.TG

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**
MD5: bf9672ec85283fdf002d83662f0b08b7
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe_
Example Filename: f_04b985.html
Detection Name: W32.C0AD494457-95.SBX.TG
ID TALOSBLOG:9C2CF6E2AC5F3A7CD3294242D3AF29F4
Published Oct 2, 2025 at 18:00