# Ghosted by a cybercriminal

Source: Cisco Talos blog, Threat Source newsletter
Published: 2025-05-22
Affected CVE: CVE-2025-0994 (CVSS 8.6, severity HIGH, attack vector: network)

![Ghosted by a cybercriminal](https://blog.talosintelligence.com/content/images/2025/05/threat-source-newsletter-3.jpg)

Welcome to this week’s edition of the Threat Source newsletter.

Talos recently _published research_ into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton.

It’s a concerning trend — one that we believe calls for _rethinking traditional threat modeling_. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork.

What if the ransomware affiliate is waiting on credentials that never arrive? Or the access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment, or never shows up at all?

Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an _actual complaint_ that a Conti member made about a fellow actor not showing up).

In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They’re opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands?

Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.

Oof, I didn’t mean to knock freelancers there. Just, you know, _those_ ones…

History suggests fallouts are inevitable. Conti’s collapse, as _Wired_ reported, started with a single angry post and spiraled into a full-on leak about poor performance records:

> “I have 100 people here, half of them, even 10 percent, do not do what they need.”
>
> \- Stern (or Demon), former Conti CEO

LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer.

To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?

## The one big thing

In Talos’ _most recent blog post_, we shared that UAT-6382, a group of Chinese-speaking threat actors, has exploited Cityworks, a widely used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control.

### Why do I care?

UAT-6382 is not only exploiting this vulnerability, but they’re also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime.

### So now what?

While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.

## Top security headlines of the week

**NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch**
VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available. (_SecurityWeek_)

**NIST’s ‘LEV’ Equation to Determine Likelihood a Bug Was Exploited**
The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (_Dark Reading_)

**Kettering Health hit by system-wide outage after ransomware attack**
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (_BleepingComputer_)

## Can’t get enough Talos?

* _Duping Cloud Functions: An emerging serverless attack vector_
* Talos Takes: _Inside the Kill Chain: Compartmentalized Threat Modeling Explained_

## Upcoming events where you can find Talos

* _BotConf_ (May 20 – 23) Angers, France
* _Cisco Live U.S._ (June 8 – 12) San Diego, CA
* _NIRMA_ (July 28 – 30) St. Augustine, FL
* _Black Hat USA_ (August 2 – 7) Las Vegas, NV

## Most prevalent malware files from Talos telemetry over the past week

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: IMG001.exe
Detection Name: Simple_Custom_Detection

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

**SHA256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
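The "So now what?" section above recommends scanning your environment against published IoCs. As an added example (not Talos code and not the blog's own tooling), here is a Python sweep that hashes every file under a directory and reports matches against the SHA256 values listed in this section; the filename check is a deliberately weak secondary signal, and the sample directory tree built by `demo()` is constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
# SHA256 values and detection names as listed in this newsletter's telemetry section.
TALOS_IOC_SHA256 = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507": "Win.Worm.Coinminer::1201",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91": "Simple_Custom_Detection",
    "47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca": "Coinminer:MBT.26mw.in14.Talos",
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0": "PUA.Win.Dropper.Generic::1201",
}
SUSPICIOUS_NAMES = {"vid001.exe", "img001.exe", "aact.exe"}  # "Typical Filename" values above; weak signal


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=TALOS_IOC_SHA256):
    """Return (path, sha256, reason) for files whose hash is an IoC or whose name is suspicious."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable files are skipped rather than aborting the sweep
            if digest in iocs:
                hits.append((str(p), digest, "hash:" + iocs[digest]))
            elif name.lower() in SUSPICIOUS_NAMES:
                hits.append((str(p), digest, "filename-only (verify, not conclusive)"))
    return hits


def demo():
    """Constructed sample tree: a benign file, a file matching a constructed IoC, a suspicious name."""
    base = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    try:
        (base / "notes.txt").write_bytes(b"nothing to see here")
        (base / "sub").mkdir()
        (base / "sub" / "payload.bin").write_bytes(b"constructed sample, not real malware")
        (base / "IMG001.exe").write_bytes(b"constructed sample with a suspicious name")
        iocs = dict(TALOS_IOC_SHA256, **{sha256_file(base / "sub" / "payload.bin"): "constructed-test-ioc"})
        return sorted(reason for _, _, reason in sweep(base, iocs))
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

A filename-only hit should be confirmed by hash or sandbox analysis before any response action; the real IoC hashes on this page are the authoritative match.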
