{“lastseen”:”2026-05-07T20:05:08″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nHey, you. Yeah, you! The person endlessly scrolling or typing away at their computer. Did you touch grass today? It’s just an expression, but if nature’s your thing, that works just fine.\\n\\nWhat I do mean is that due to the nature of the field, cybersecurity is incredibly intangible. You can’t reach out and touch your logs, or the packets traversing your network, or the concept of DNS exfiltration… and if you tried, you’d just feel the smooth surface of your computer screen. (What a boring texture.) Spending all our time in the abstract can create some serious mental fatigue.\\n\\nMy point is that there’s something powerful to be said about engaging with the physical world. When we engage in a tactile hobby, we give our brains a hard reset. By moving from the abstract to the physical, our brains get the time and space to process the complex problems we’ve been staring at, often leading to the \\”aha!\\” moment that never comes when you’re trying to force it.\\n\\nThe other week, I was working in the Talos office with the Creative team. It was a quiet afternoon, people’s energy sapped by stomachs full of Mediterranean food. That was swiftly interrupted (in the best way) when Joe Marshall came over into our work area with his miniature painting kit, broke it open, and started teaching us how to drybrush 3D-printed figurines. Everyone immediately came alive. While I didn’t partake (I know, \\”Do as I say, not as I do\\”), it reminded me of how revitalized I feel when I get outside for a walk during lunch or spend 10 minutes knitting in silence between meetings. There’s nothing to focus on but the feel of the yarn between your fingers, the clacking of the needles, and the repetitive motions that result in a physical object you can wear and fish for compliments about.\\n\\nSpeaking of, do you think the vest I knit is cool? All compliments can be sent to me on LinkedIn, and I refuse to accept any negative comments. (Critiques are fine.)\\n\\n\\n\\nAhem… anyway. Go on a walk without your earbuds, listen to the wind through the leaves, ask a stranger to pet their dog, watch a pigeon bop its head around, and reach out to touch a cool-looking rock or the lichen on a tree. I hear you saying, \\”That’s some tree-hugging bullshit,\\” and counter you with, \\”Just humor me, okay? What’s the worst that could happen?\\”\\n\\nIf you’re more of an inside person, the goal might be to find a physical anchor for your technical interest. Maybe it’s building a mechanical keyboard from scratch — feeling the weight of the switches and hearing the click of the keycaps. Maybe it’s a complicated LEGO set. Even something as simple as making espresso or organizing your bookshelf can provide that sensory feedback your brain is craving.\\n\\nIf you’re not currently facing a life-altering deadline, take 10 minutes and try it now. The rest of the newsletter isn’t going anywhere, I promise.\\n\\nWhen you pay attention to the noises you hear, the colors you see, and the textures under your fingertips, you might come back to your laptop refreshed, focused, and ready to solve the next problem.\\n\\n## The one big thing\\n\\nCisco Talos has recently expanded our threat intelligence capabilities to track phone numbers as critical indicators of compromise (IOCs) in scam emails. _Our latest research_ reveals that attackers heavily favor API-driven VoIP numbers to execute high-volume, cost-effective Telephone-Oriented Attack Delivery (TOAD) campaigns. To evade detection, these threat actors rotate through sequential blocks of numbers, use strategic cool-down periods, and recycle the exact same digits across completely unrelated lures and impersonated brands.\\n\\n### Why do I care?\\n\\nTracking ephemeral sender email addresses is a losing game, but phone numbers are the true operational anchors for these organized scam call centers. Because attackers reuse these numbers across multiple document types and brand impersonations, defenders who cluster this telephony infrastructure can expose the broader network of malicious activity. Understanding these reuse patterns gives defenders a much-needed edge in mapping out and dismantling these operations before users are manipulated into handing over sensitive data.\\n\\n### So now what?\\n\\nSecurity teams should shift their focus toward clustering scam lures based on shared phone numbers and prioritize real-time reputation monitoring to flag high-risk infrastructure. Deploying an AI-powered email security solution like Cisco Secure Email Threat Defense can also help evaluate different portions of incoming emails to catch these targeted threats. A full list of indicators of compromise (IOCs) associated with these campaigns can be found _in the blog_.\\n\\n## Top security headlines of the week\\n\\n**DigiCert** **revokes** **certificates** **after** **support** **portal** **hack** \\nThe attack, the company said in a detailed report, occurred on April 2, when a threat actor targeted DigiCert’s support team with a malicious payload delivered via a customer chat channel, disguised as a screenshot. (_SecurityWeek_)\\n\\n**Ubuntu services hit by outages after DDoS attack** \\nThe DDoS-for-hire service in this case claims to power attacks in excess of 3.5 Tbps, which is about half of the bandwidth of a cyberattack that Cloudflare last year called the \\”largest DDoS attack ever recorded.\\” (_TechCrunch_)\\n\\n**Canvas maker Instructure reveals data breach** \\nInstructure said the actors accessed \\”certain identifying information of users\\” at affected institutions, including names, email addresses, student ID numbers, and user communications. (_Tech Radar_)\\n\\n**Exploitation of \\”Copy Fail\\” Linux vulnerability begins** \\nThreat actors are exploiting a recently disclosed Linux kernel vulnerability leading to root shell access, the US cybersecurity agency CISA warns. Dubbed Copy Fail, the security defect impacts all Linux distributions since 2017. (_SecurityWeek_)\\n\\n**Student hacked Taiwan high-speed rail to trigger emergency brakes** \\nAccording to local reports, the student halted four trains for 48 minutes by using software-defined radio (SDR) communications and handheld radios to transmit a high-priority \\”General Alarm\\” signal, triggering emergency braking procedures. (_BleepingComputer_)\\n\\n## Can’t get enough Talos?\\n\\n** _Tales_** ** _from the Frontlines_** \\nIn this briefing, we’ll share behind-the-scenes insights from the most critical and high-impact incidents we responded to in the last quarter. This isn’t a report walkthrough; it’s a look at what really happened, how we handled it, and what it means for your organization.\\n\\n** _UAT-8302 and its box full of malware_** \\nCisco Talos is disclosing UAT-8302, a sophisticated, China-nexus APT group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.\\n\\n** _CloudZ RAT potentially steals OTP messages using Pheno plugin_** \\nCisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called \\”Pheno.\\”\\n\\n** _The trust paradox: How attackers weaponize legitimate SaaS platforms_** \\nIn this episode of Talos Takes, Amy Ciminnisi sits down with researcher Diana Brown to discuss the rise of \\”platform-as-a-proxy\\” (PAP) attacks.\\n\\n## Upcoming events where you can find Talos\\n\\n * _PIVOTcon_ (May 6 – 8) Malaga, Spain\\n * _OffensiveCon_ (May 15 – 16) Berlin, Germany\\n * _Cisco Live U.S._ (May 31 – June 4) Las Vegas, Nevada\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: VID001.exe \\nDetection Name: Win.Worm.Coinminer::1201**\\n\\n**SHA256:** **96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nExample Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe \\nDetection Name: W32.Injector:Gen.21ie.1201\\n\\n**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59** \\nMD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59_ \\nExample Filename: APQ9305.dll \\nDetection Name: Auto.90B145.282358.in02\\n\\n**SHA256:** **e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba** \\nMD5: dbd8dbecaa80795c135137d69921fdba \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba_ \\nExample Filename: u112417.dat \\nDetection Name: W32.Variant:MalwareXgenMisc.29d4.1201\\n\\n**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91** \\nMD5: 7bdbd180c081fa63ca94f9c22c457376 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91_ \\nExample Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe \\nDetection Name: Win.Dropper.Miner::95.sbx.tg**”,”published”:”2026-05-07T18:00:40″,”modified”:”2026-05-07T18:00:40″,”type”:”talosblog”,”title”:”Unplug your way to better code”,”source”:””,”references”:””,”id”:”TALOSBLOG:6EFE569CB664E297B1BBF9DEA8D5A144″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/unplug-your-way-to-better-code\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-07T20:05:08″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nHey, you. Yeah, you! The person endlessly scrolling or typing away…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-52182","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n