{“lastseen”:”2026-05-21T20:05:08″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\n _\\” It takes very little to govern good people. Very little. And bad people can’t be governed at all. Or if they could, I never heard of it.\\” \u2015 Cormac McCarthy, No Country for Old Men_\\n\\nMost of my career has been built on dichotomy: striving to be a supportive teammate while also pushing every boundary in front of me. I’ve often been told to \\”never do X, only do Y,\\” but I’ve invariably chosen to do X anyway (even when fraught with peril) to get to the deeper answer. For years, I was told that I should perform in certain ways — instead of in ways that made sense for my brain and way of learning.\\n\\nI wasn’t governable, but I wasn’t bad. Just … challenging. While Sheriff Ed Tom Bell’s view of good vs. bad is compelling, maybe our careers should be defined as \\”acquiescent\\” vs. \\”challenging.\\” It’s less of an existential crisis that way.\\n\\nOver the past few years, I’ve been enjoying the mentoring aspect of my career. One of the things that I love to share with people is that being ungovernable is very challenging early in career; it’snot a favorite of middle management, but it can take you to places that you really want to be (i.e., Talos). The road is going to be longer and much bumpier than your governable cohort, but this is the long con.\\n\\nThe path to Talos was long and arduous, but I’ve learned to make my career choices through the lens of the axiom, \\”If you’re the smartest person in the room, you’re in the wrong room.\\” It’s been the only guidepost I’ve needed. I don’t know that it applies to everyone, because everyone is unique, but it absolutely helps me decide what I want to learn, what I want to dive into, who I want to surround myself with.\\n\\nThe secret lies in the last comment — it’s the people. If you continue to search for the smartest people in the room, you’ll find it and when you do, you’ll find that you aren’t ungovernable — rather, you’re understood. Be ungovernable (but kind) in the short term, find new ways to solve problems, think around solutions in new ways, program in different languages, and be the person in the meeting that says, \\”I think we should do Y instead, and here’s why.\\”\\n\\nI suspect that this is the same approach many of you already take in your daily roles when identifying threats vs. benign activity, choosing your pivots in hunting, or deciding the priorities in device replacement. It’s a natural direction for the intellectually curious, so be kind, but ungovernable.\\n\\n _\\” The future of intelligence must be about search, while the future of ignorance must be about the inability to evaluate information.\\” \u2015 Patricia Lockwood, No One Is Talking About This_\\n\\n## The one big thing\\n\\nCisco Talos has recently discovered a _commodity_ _BadIIS_ _malware variant_ fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups. Identifiable by its embedded \\”demo.pdb\\” strings, this toolset boasts a multi-year development cycle complete with builder tools and persistence mechanisms. Threat actors are leveraging this robust framework to easily execute malicious search engine optimization (SEO) fraud, hijack server content, and redirect traffic to illicit sites.\\n\\n### Why do I care?\\n\\nThis is a highly active, commercially driven malware ecosystem. The author constantly pushes rapid updates to introduce new features and actively evade specific security vendors, making it a persistent headache for defenders. Because this BadIISvariant is sold as a commodity tool, it lowers the barrier to entry for cybercriminals, leading to widespread attacks that silently hijack server traffic without triggering obvious alarms.\\n\\n### So now what?\\n\\nDefenders should actively monitor IIS environments for unauthorized traffic redirection, unexpected reverse proxying, or sudden spikes in \\”503 Service Unavailable\\” errors. Threat hunting efforts should also target the distinct \\”demo.pdb\\” strings and associated Chinese-language folder paths within IIS binaries. Ensure your endpoint detection solutions are updated to catch these reactive evasion tactics, and _read the full blog_ for complete coverage and indicators of compromise (IOCs).\\n\\n## Top security headlines of the week\\n\\n**CISA exposes secrets, credentials in \\”private\\” repo** \\nA researcher discovered a public GitHub repository belonging to CISA that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. (_Dark Reading_)\\n\\n**NYC Health + Hospitals says hackers stole medical data and fingerprints, affecting at least** **1.8 million people** \\nThe breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. (_TechCrunch_)\\n\\n**Bug bounty businesses bombarded with AI slop** \\nCompanies that pay hackers to find flaws in their software are being inundated with low-quality (often false) reports generated by AI, forcing some to suspend the programs altogether. (_Ars Technica_)\\n\\n**Four** **OpenClaw** **flaws enable data theft, privilege escalation, and persistence** \\nThe vulnerabilities, collectively dubbed Claw Chain, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. (_The Hacker News_)\\n\\n**New NGINX vulnerability allows remote attackers to trigger malicious code** \\nA new vulnerability in NGINX JavaScript (njs) allows unauthenticated remote attackers to trigger a heap\u2011based buffer overflow that can lead to denial\u2011of\u2011service and, in some conditions, remote code execution in the NGINX worker process. (_Cyber Security News_)\\n\\n## Can’t get enough Talos?\\n\\n** _TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities_** \\nTalos’ Vulnerability Discovery \\u0026 Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital’s Norton VPN. The vulnerabilities have been patched by their respective vendors.\\n\\n** _Webinar: AI found the problem. Now what?_** \\nExperts from Talos and Cisco Security will examine how AI is changing the game for both defenders and well-resourced adversaries, and why the most persistent risks often remain rooted in unpatched legacy systems.\\n\\n** _Breaking things to keep them safe with Philippe Laulheret_** \\nFrom his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research.\\n\\n## Upcoming events where you can find Talos\\n\\n * _Cisco Live U.S._ (May 31 – June 4) Las Vegas, Nevada\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: VID001.exe \\nDetection Name: Win.Worm.Coinminer::1201**\\n\\n**SHA256: d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a** \\nMD5: 362498c3e71eeaa066a67e4a3f981d1c \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a_ \\nExample Filename: TunMirror.exe \\nDetection Name: PUA.Win.Tool.Tunmirror::1201\\n\\n**SHA256:** **9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f** \\nMD5: 38de5b216c33833af710e88f7f64fc98 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f_ \\nExample Filename: SECOH-QAD.exe \\nDetection Name: Win.Tool.Procpatcher::1201\\n\\n**SHA256:** **acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd** \\nMD5: 0f03f72a92aef6d63eb74e73f8ac201d \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd_ \\nExample Filename: KMSSS.exe \\nDetection Name: PUA.Win.Tool.Hackkms::1201\\n\\n**SHA256:** **96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nExample Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe \\nDetection Name: W32.Injector:Gen.21ie.1201″,”published”:”2026-05-21T18:00:14″,”modified”:”2026-05-21T18:00:14″,”type”:”talosblog”,”title”:”The art of being ungovernable”,”source”:””,”references”:””,”id”:”TALOSBLOG:8A230343CA41CDA991DD2BFA3873D7AA”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/the-art-of-being-ungovernable\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-21T20:05:08″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\n _\\” It takes very little to govern good people. Very little….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-56167","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n