Welcome to this week's edition of the Threat Source newsletter.
Last week, yet another security AI tool made the rounds on social media: _Shannon_, a fully autonomous AI penetration testing tool created by Keygraph. It "autonomously hunts for attack vectors in your code, then uses its built-in browser to execute real exploits, such as injection attacks, and auth bypass, to prove the vulnerability is actually exploitable."
If you thought manual pentesters kept you busy, it looks like Shannon's here to ensure you never run out of vulnerabilities -- or questions.
As with every new advancement in AI, social posts are popping up left and right to question Shannon's future impact on pentesters' job security. It goes without saying these days that among the many thoughtful questions are comments praising Shannon and bemoaning the "old days" with a few obviously canned AI slop quips, which infuriates me as an editor -- I could go on for days about this, but we're getting off-topic. Ahem.
Shannon requires access to the application's source code, repository layout, and AI API keys. Even as a cybersecurity novice, I know that this in itself is a major liability that organizations should investigate and weigh carefully before proceeding. In last week's newsletter, Joe gave a _passionate sermon_ on why feeding highly private information to an agentic engine is nine times out of ten a terrible idea. While I hope Shannon is more secure than Clawdbot, given its intended use, I encourage everyone to ask as many questions as possible about what happens to the information you provide before using it. Quoting Joe, "As disciples of security, we understand installing first and asking questions later is practically asking to get pwnt."
Other questions I've had while reading through comments and exploring the GitHub page:
* Can you set scoping guidelines? If not, you might end up with a lot of issues that'll take a lot of time to fix.
* No penetration test is truly representative of attackers' situations (e.g., attackers don't work within billable hours or two-week schedules, and only have to find one or a set of vulnerabilities). Relying on access to source code widens the gap between simulated and real-world attacks... I guess this wasn't a question, huh?
* For the companies who choose to use Shannon, how are you using the report it produces to improve not only your product, but also your secure development lifecycle and your developers' skills? Make a conscious decision: Are you going to rely on Shannon as a quick fix, or integrate it and secure development into your coding practices?
AI-powered pentesters aren't going away any time soon. Anthropic's _Claude Opus 4.6_ was also released last week. Unlike Shannon, Anthropic added a new layer of detection to support its team in identifying and responding to cyber misuse of Claude.
As the landscape evolves, tools like Shannon and Claude Opus 4.6 will continue to push the boundaries of what's possible, and there will be new questions about risk, responsibility, and readiness. Whether these tools become standard or remain controversial, staying informed and vigilant is as important as ever.
## The one big thing
Cisco Talos has _uncovered a new threat actor_, UAT-9921, using the advanced VoidLink framework to target mainly Linux systems. VoidLink stands out for its modular, on-demand plugin creation, auditability, and ability to evade detection, with features rarely seen in similar threats. UAT-9921 has been active since at least 2019, focusing on the technology and financial sectors, and uses advanced techniques for both compromise and stealth.
### Why do I care?
VoidLink introduces powerful new methods for attackers to compromise, control, and hide within Linux environments, which are common in critical infrastructure and cloud services. Its ability to quickly generate customized attack tools and evade detection makes it harder for defenders to respond. The framework's advanced stealth and lateral movement features increase the risk of undetected breaches and data theft.
### So now what?
Update your defenses and use the _Snort rules and ClamAV signature mentioned in the blog_ to help detect and block VoidLink activity. Strengthen Linux security, especially for cloud and IoT environments, and monitor for unusual network activity or signs of lateral movement. Make sure endpoint detection solutions are up to date and configured to recognize the latest threats.
## Top security headlines of the week
**SolarWinds WHD attacks highlight risks of exposed apps**
Several vendors in recent days have warned of exploitation of vulnerabilities in WHD, though it's not entirely clear which bugs are under attack. (_Dark Reading_, _SecurityWeek_)
**Ivanti EPMM exploitation widespread as governments, others targeted**
Ivanti released advisories on Jan. 29 for code injection vulnerabilities in the on-premises version of Endpoint Manager Mobile. Researchers warn the activity shows evidence of initial access brokers preparing for future attacks. (_Cybersecurity Dive_)
**New "ZeroDayRAT" spyware kit enables total compromise of iOS, Android devices**
Once installed, capabilities include victim and device profiling, including model, OS, country, lock status, SIM and carrier info, dual SIM phone numbers, app usage broken down by time, preview of recent SMS messages, and more. (_SecurityWeek_)
**European Commission probes intrusion into staff mobile management backend**
Brussels is digging into a cyber break-in that targeted the European Commission's mobile device management systems, potentially giving intruders a peek inside the official phones carried by EU staff. (_The Register_)
## Can't get enough Talos?
**_Humans of Talos: Ryan Liles, master of technical diplomacy_**
Amy chats with Ryan Liles, who bridges the gap between Cisco's product teams and the third-party testing labs that put Cisco products through their paces. Hear how speaking up has helped him reshape industry standards and create strong relationships in the field.
**_Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework_**
Cisco Talos uncovered "DKnife," a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.
**_Talos Takes: Ransomware chills and phishing heats up_**
Amy is joined by Dave Liebenberg, Strategic Analysis Team Lead, to break down Talos IR's Q4 trends. What separates organizations that successfully fend off ransomware from those that don't? What were the top threats facing organizations? Can we (pretty please) get a sneak peek into the 2025 Year in Review?
## Upcoming events where you can find Talos
* _Cisco Live 2026_ (Feb. 9 - 13) Amsterdam, Netherlands
* _S4x26_ (Feb. 23 - 26) Miami, FL
## Most prevalent malware files from Talos telemetry over the past week
Basic Information
ID: TALOSBLOG:C90440C99D2D18600A27D92BAC028E2C
Published: Feb 12, 2026 at 19:00