Tag: cisco talos
31 articles

ARToken Phishing Platform Exposes EvilTokens' Microsoft 365 Toolkit
Cisco Talos researchers have uncovered a sophisticated phishing platform, ARToken, that offers a Microsoft 365 toolkit and goes far beyond traditional credential-harvesting pages, exposing over 80 API endpoints. This phishing-as-a-service operation is a game-changer in the world of cyber threats.

EvilTokens Phishing Kit Exposes Sophisticated Evasion Tactics
Microsoft VP of security research Tanmay Ganacharya revealed that 10-15 distinct EvilTokens phishing campaigns have been launching daily since March 15, 2026, showcasing the alarming speed at which device-code phishing operations have scaled. This comes as Cisco Talos incident responders uncovered a targeted phishing chain that abused a real vendor relationship using an outstanding-invoice lure.

Cisco Tests AI for Incident Reports, Finds Mixed Results
Cisco's experiment with AI-generated incident reports yielded mixed results, with large language models producing significant inaccuracies, unusual conclusions, and inconsistent writing styles when used for long-form technical content. The findings revealed four predictable failure modes, highlighting the need for guardrails to ensure reliable outcomes.

MacOS Attacks Evolve, Exploiting Native Tools for Stealth
As macOS use surges in enterprise environments, accounting for over 45% of organizations, attackers are getting creative - exploiting native tools like Remote Application Scripting, Terminal, and AppleScript to stealthily run code, move undetected, and evade security measures. Cisco Talos warns that these tactics allow hackers to issue malicious instructions across processes and systems without triggering conventional monitoring.

PowMix Botnet Targets Czech Workers with Randomized C2 Traffic
Cybersecurity researchers have uncovered a sneaky new botnet, dubbed PowMix, that's targeting Czech workers with a clever tactic: hiding in the timing of its command-and-control traffic. This stealthy approach has left experts scrambling to respond to the active campaign, which has been observed since December 2025.

Ransomware Actors Exploit Vulnerable Drivers to Evade EDR Tools
Ransomware operators are outsmarting defenders by exploiting vulnerable drivers to evade detection by endpoint security tools, with recent attacks disabling over 300 security products. This clever tactic allows hackers to silence security defenses and wreak havoc on networks.

Kraken Exclusive: Dangerous Ransomware Threat Escalates
Meet Kraken ransomware: an emergent cartel that borrows proven playbooks—exploiting SMB flaws, stalking networks for days, then encrypting systems and threatening data leaks—to squeeze big payouts. Cisco Talos warns this shift from scattershot attacks to precision double‑extortion raises the stakes for already overstretched defenders and demands smarter, faster responses.

BeaverTail and OtterCookie: Stunning Critical Threat
Cisco Talos warns a North Korean group is fusing BeaverTail’s credential-theft with OtterCookie’s browser persistence into single, stealthier JavaScript malware that’s harder to spot — defenders should start hunting for blended behaviors and tighten basics like MFA, patching, and anomaly detection now.

IIS server hijacking: Stunning Risky Threat
A Chinese‑speaking cybercrime group has been quietly hijacking Microsoft IIS servers to inject poisoned pages that hijack search results and steer real traffic to scams and affiliate schemes. If you run IIS sites, now’s the time to patch, lock down admin access, and add file‑integrity and content monitoring to stop stealthy SEO fraud before it ruins your reputation.

remote access Risky Threats: Must-Have Defenses
Attackers are increasingly using misconfigured or abused remote-access tools to stage ransomware, so treating RDP, VPNs and apps like TeamViewer as frontline security priorities—with MFA, patching, segmentation and monitoring—is no longer optional.

exposed Ollama servers: Risky Must-Have Security Fix
Cisco Talos found 1,100+ publicly exposed Ollama servers, creating easy paths for data theft, malicious model swaps, and other abuse. It’s a wake-up call to fix misconfigurations, enforce authentication, and make secure defaults the norm.

Cisco legacy flaw: Stunning Risky Exploits Exposed
Years after Cisco patched CVE-2018-0171, state-backed hackers are still exploiting the old Smart Install flaw to slip into networks that assumed retired gear was safe — a sharp reminder that “end-of-life” isn’t the same as “out of harm’s way.” Inventory your devices, disable legacy management features, and prioritize fixes or replacements before an old router becomes someone else’s backdoor.

Taiwanese web hosting Exclusive: Critical Espionage Risk
Imagine an invisible enemy living inside the servers that power your websites and email — Cisco Talos found a Chinese‑linked APT using a Taiwanese web host to intercept traffic, harvest credentials and stage persistent espionage. This supply‑chain breach is a wake‑up call: treat hosts as critical infrastructure and demand stronger controls, logging and incident guarantees now.

Taiwanese web host Critical: Exclusive Must-Have Fixes
A suspected Chinese state-backed crew quietly breached a Taiwanese web host, stealing credentials and planting backdoors to maintain months-long access — a stark reminder that compromising one trusted provider can expose dozens of downstream victims. Strengthening access controls, adopting zero-trust segmentation, and rotating credentials aren’t optional — they’re the best way to stop a single breach from becoming a widespread supply-chain disaster.

Brute-force attacks target Apache Tomcat management panels
Brute-force attacks target Apache Tomcat management panels by exploiting weak credentials and misconfigurations to gain unauthorized access.

Mirai Botnet Exploits Command Injection Vulnerability to Target TBK DVR Systems
Mirai Botnet uses a command injection flaw to target TBK DVR systems, exposing critical vulnerabilities and posing serious cybersecurity threats.

New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
New PathWiper Data Wiper Malware attack in 2025 disrupts Ukrainian critical infrastructure, exposing vulnerabilities and triggering widespread data chaos.

Counterfeit DocuSign Sites Deploy Multi-Stage NetSupport RAT Malware
Counterfeit DocuSign sites lure users while deploying multi-stage NetSupport RAT malware to compromise systems and steal personal data.

Google Apps Script Exploited for Stealthy Phishing Schemes
Google Apps Script is exploited for stealthy phishing schemes. Uncover warning signs and safeguard your data from evolving cyber threats.

PumaBot Malware Targets Linux IoT Devices
PumaBot malware targets Linux IoT devices by exploiting vulnerabilities to compromise systems. Learn how to protect your connected devices.

Chinese Hackers Exploit Cityworks Flaw to Target US Local Governments
Chinese hackers exploited a flaw in Cityworks to target US local governments, exposing vulnerabilities in municipal cybersecurity infrastructure.

Chrome Unveils One-Click Update for Compromised Passwords
Chrome introduces a one-click update for compromised passwords, streamlining security and simplifying password management for safer browsing.

Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts
Critical Versa Concerto flaws let attackers escape Docker, compromising hosts. Patch vulnerabilities now to protect your infrastructure.

Talos: Chinese Cyber Intruders Attempted Breach of US City Utilities
Talos details how alleged Chinese cyber intruders attempted a breach of US city utilities, exposing vulnerabilities in critical infrastructure.