# Care that you share

![Care that you share](https://blog.talosintelligence.com/content/images/2025/11/threat-source-newsletter-3.jpg)

Welcome to this week's edition of the Threat Source newsletter.

Back in April, I _wrote_ about the risks of unintentionally leaking information while using search engines. Since then, I've been thinking: Life doesn't just happen in front of a keyboard. There's a social side, too (or so I'm told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care _that_ you share.

For my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, _NIS2_ and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures.

So, why emphasize "care that you share?"

Recently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats and the _DIKW pyramid_ were, and then focusing on CVE, CVSS, and KEV -- one of my favorite _topic clusters_.

To my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don't remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects -- many centered on authentication, TOTP, and SmartCards -- I was genuinely impressed by their ideas and the real-world problems they were addressing.

"Care that you share" is a mindset that helps us appreciate the knowledge exchange that happens in person, too.

Whether sharing stories over dinner, IOCs over email, or ideas in a classroom, let's all take a moment to consider not just what we share, but how and why we share it. I'll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives.

This rings especially true during busy or understaffed times, when teams are stretched thin. It's tempting to keep things to ourselves to avoid "bothering" others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context.

So this holiday season, care that you share. Thoughtful communication isn't just about protecting information -- it's also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included.

## The one big thing

Last week, Cisco Talos announced _an initiative to retire outdated ClamAV signatures_ to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the "main.cvd" and "daily.cvd" databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management.

### Why do I care?

Smaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures.

### So now what?

We will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes.

## Top security headlines of the week

**Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft**
The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (_The Hacker News_)

**FBI: Cybercriminals stole $262M by impersonating bank support teams**
Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (_Bleeping Computer_)

**Everest ransomware claims breach at Spain's national airline Iberia with 596 GB data theft**
The group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (_HackRead_)

**CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users**
CISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (_The Hacker News_)

**LINE messaging bugs open Asian users to cyber espionage**
Researchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (_Dark Reading_)

## Can't get enough Talos?

**_Talos Takes: When you're told "no budget"_**
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn.

**_Humans of Talos: On epic reads, lifelong learning, and empathy_**
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.

**_The TTP: How Talos built an AI model into one of the internet's most abused layers_**
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it's so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet.

## Upcoming events where you can find Talos

* _AVAR_ (Dec. 3 - 5) Kuala Lumpur, Malaysia
* _Black Hat Europe_ (Dec. 8 - 11) London, U.K.

## Most prevalent malware files from Talos telemetry over the past week

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a_
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe
Detection Name: Win.Worm.Coinminer::1201

**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59**
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59_
Example Filename: ck8yh2og.dll
Detection Name: Auto.90B145.282358.in02

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

**SHA256: 26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff**
MD5: 71da0bf3094e3ed17bc5a1c78de80933
Talos Rep: _https://talosintelligence.com/talos_file_reputation?s=26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff_
Example Filename: cleanup.bat
Detection Name: W32.26FA67DB9A-90.SBX.TG

ID TALOSBLOG:F4B6739141B322648BB48BD5C838F7FC
Published Nov 26, 2025 at 17:00