{“lastseen”:”2025-09-18T19:22:00″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nThis is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes _even life and death_.\\n\\nSo, story time.\\n\\nSeven years ago, Cisco Talos disclosed a novel and new threat campaign: _VPN Filter._ VPN Filter was a small office\/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and\/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations.\\n\\nPut yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who is this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high.\\n\\nWe spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked.\\n\\nAs the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day.\\n\\nIn the end, the threat actor forced us to into action. We had always theorized a \\”break glass\\” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.\\n\\nI’m often asked by new or potential security practitioners, \\”Joe, what’s a cool hacker story?!\\” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.\\n\\nSo, what can we do about it? How can you avoid being me in the middle of VPN Filter?\\n\\n 1. **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself.\\n 2. **Peer support.** Whether it’s a therapist, a colleague, or a Slack\/Discord\/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.\\n 3. **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media.\\n 4. **Mandatory decompression\/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you.\\n\\n\\n\\nResponding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?\\n\\n## The one big thing\\n\\nIn _Talos ‘ latest blog post_, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24\/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident.\\n\\n### Why do I care?\\n\\nOur team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way.\\n\\n### So now what?\\n\\nThink about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. _Reach out to us_ to schedule a tabletop exercise or to talk through how prepared your organization really is.\\n\\n## Top security headlines of the week\\n\\n**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts** \\nAn attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (_Hack Read_)\\n\\n**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit** \\nThe self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (_SecurityWeek_)\\n\\n**Google nukes 224 Android malware apps behind massive ad fraud campaign** \\nThe apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (_Bleeping Computer_)\\n\\n**Former FinWise employee may have accessed nearly 700K customer records** \\nNearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (_The Register_)\\n\\n## Can’t get enough Talos?\\n\\n * ** _Alex Ryan: From zero chill to quiet confidence_** \\nDiscover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals.\\n * ** _Beers with Talos: How to ruin an APT ‘s day_** \\nThe B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries.\\n * ** _Tampered Chef: When malvertising serves up infostealers_** \\nImagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in \\”malvertising\\” and challenges in defense.\\n\\n\\n\\n## Upcoming events where you can find Talos\\n\\n * _LABScon_ (Sept. 17 – 20) Scottsdale, AZ\\n * _VB2025_ (Sept. 24 – 26) Berlin, Germany\\n * _Wild West Hackin ‘ Fest_ (Oct. 8 – 10) Deadwood, SD\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nTypical Filename: executable.exe \\nClaimed Product: N\/A \\nExample Filename:0a0dc0e95070a2b05b04c2f0a049dad8_1_Exe.exe \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610** \\nMD5: 85bbddc502f7b10871621fd460243fbc \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610_ \\nTypical Filename: nwx3hgsl.exe \\nClaimed Product: Self-extracting archive \\nDetection Name: W32.41F14D86BC-100.SBX.TG\\n\\n**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe** \\nMD5: bf9672ec85283fdf002d83662f0b08b7 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe_ \\nTypical Filename: werrx01USAHTML \\nClaimed Product: N\/A \\nDetection Name: W32.C0AD494457-95.SBX.TG\\n\\n**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nTypical Filename: ~3B6A.tmp \\nClaimed Product: N\/A \\nDetection Name: W32.Injector:Gen.21ie.1201\\n\\n**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91** \\nMD5: 7bdbd180c081fa63ca94f9c22c457376 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91_ \\nTypical Filename: img001.exe \\nClaimed Product: \\nDetection Name: Win.Dropper.Miner::95.sbx.tg”,”published”:”2025-09-18T18:00:43″,”modified”:”2025-09-18T18:00:43″,”type”:”talosblog”,”title”:”Put together an IR playbook \u2014 for your personal mental health and wellbeing”,”source”:””,”references”:””,”id”:”TALOSBLOG:0B937802BE59D5ECFDE7CFEDD25F61CE”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/put-together-an-ir-playbook\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-18T19:22:00″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nThis is gonna be…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-18002","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n