Skip to main content

Tag: cisco talos

31 articles

Modern office building exterior in a business district at daytime.

ARToken Phishing Platform Exposes EvilTokens' Microsoft 365 Toolkit

Cisco Talos researchers have uncovered a sophisticated phishing platform, ARToken, that offers a Microsoft 365 toolkit and goes far beyond traditional credential-harvesting pages, exposing over 80 API endpoints. This phishing-as-a-service operation is a game-changer in the world of cyber threats.

Analyst 207
Cluttered office desk with open laptop, invoices, and scattered papers showing signs of disruption.

EvilTokens Phishing Kit Exposes Sophisticated Evasion Tactics

Microsoft VP of security research Tanmay Ganacharya revealed that 10-15 distinct EvilTokens phishing campaigns have been launching daily since March 15, 2026, showcasing the alarming speed at which device-code phishing operations have scaled. This comes as Cisco Talos incident responders uncovered a targeted phishing chain that abused a real vendor relationship using an outstanding-invoice lure.

Analyst 207
Researcher sits at cluttered desk in modern office with laptop and papers.

Cisco Tests AI for Incident Reports, Finds Mixed Results

Cisco's experiment with AI-generated incident reports yielded mixed results, with large language models producing significant inaccuracies, unusual conclusions, and inconsistent writing styles when used for long-form technical content. The findings revealed four predictable failure modes, highlighting the need for guardrails to ensure reliable outcomes.

Analyst 207
Security analysts work at desks with laptops and monitors displaying code and system maps in a brightly-lit operations…

MacOS Attacks Evolve, Exploiting Native Tools for Stealth

As macOS use surges in enterprise environments, accounting for over 45% of organizations, attackers are getting creative - exploiting native tools like Remote Application Scripting, Terminal, and AppleScript to stealthily run code, move undetected, and evade security measures. Cisco Talos warns that these tactics allow hackers to issue malicious instructions across processes and systems without triggering conventional monitoring.

Analyst 207
Worker surrounded by broken computer equipment in dimly lit office with cityscape visible through grimy window.

PowMix Botnet Targets Czech Workers with Randomized C2 Traffic

Cybersecurity researchers have uncovered a sneaky new botnet, dubbed PowMix, that's targeting Czech workers with a clever tactic: hiding in the timing of its command-and-control traffic. This stealthy approach has left experts scrambling to respond to the active campaign, which has been observed since December 2025.

Analyst 207
Ransomware Actors Exploit Vulnerable Drivers to Evade EDR Tools

Ransomware Actors Exploit Vulnerable Drivers to Evade EDR Tools

Ransomware operators are outsmarting defenders by exploiting vulnerable drivers to evade detection by endpoint security tools, with recent attacks disabling over 300 security products. This clever tactic allows hackers to silence security defenses and wreak havoc on networks.

Analyst 207
Kraken Exclusive: Dangerous Ransomware Threat Escalates

Kraken Exclusive: Dangerous Ransomware Threat Escalates

Meet Kraken ransomware: an emergent cartel that borrows proven playbooks—exploiting SMB flaws, stalking networks for days, then encrypting systems and threatening data leaks—to squeeze big payouts. Cisco Talos warns this shift from scattershot attacks to precision double‑extortion raises the stakes for already overstretched defenders and demands smarter, faster responses.

Analyst 207
BeaverTail and OtterCookie: Stunning Critical Threat

BeaverTail and OtterCookie: Stunning Critical Threat

Cisco Talos warns a North Korean group is fusing BeaverTail’s credential-theft with OtterCookie’s browser persistence into single, stealthier JavaScript malware that’s harder to spot — defenders should start hunting for blended behaviors and tighten basics like MFA, patching, and anomaly detection now.

Analyst 207
IIS server hijacking: Stunning Risky Threat

IIS server hijacking: Stunning Risky Threat

A Chinese‑speaking cybercrime group has been quietly hijacking Microsoft IIS servers to inject poisoned pages that hijack search results and steer real traffic to scams and affiliate schemes. If you run IIS sites, now’s the time to patch, lock down admin access, and add file‑integrity and content monitoring to stop stealthy SEO fraud before it ruins your reputation.

Analyst 207
remote access Risky Threats: Must-Have Defenses

remote access Risky Threats: Must-Have Defenses

Attackers are increasingly using misconfigured or abused remote-access tools to stage ransomware, so treating RDP, VPNs and apps like TeamViewer as frontline security priorities—with MFA, patching, segmentation and monitoring—is no longer optional.

Analyst 207
exposed Ollama servers: Risky Must-Have Security Fix

exposed Ollama servers: Risky Must-Have Security Fix

Cisco Talos found 1,100+ publicly exposed Ollama servers, creating easy paths for data theft, malicious model swaps, and other abuse. It’s a wake-up call to fix misconfigurations, enforce authentication, and make secure defaults the norm.

Analyst 207
Cisco legacy flaw: Stunning Risky Exploits Exposed

Cisco legacy flaw: Stunning Risky Exploits Exposed

Years after Cisco patched CVE-2018-0171, state-backed hackers are still exploiting the old Smart Install flaw to slip into networks that assumed retired gear was safe — a sharp reminder that “end-of-life” isn’t the same as “out of harm’s way.” Inventory your devices, disable legacy management features, and prioritize fixes or replacements before an old router becomes someone else’s backdoor.

Analyst 207
Taiwanese web hosting Exclusive: Critical Espionage Risk

Taiwanese web hosting Exclusive: Critical Espionage Risk

Imagine an invisible enemy living inside the servers that power your websites and email — Cisco Talos found a Chinese‑linked APT using a Taiwanese web host to intercept traffic, harvest credentials and stage persistent espionage. This supply‑chain breach is a wake‑up call: treat hosts as critical infrastructure and demand stronger controls, logging and incident guarantees now.

Analyst 207
Taiwanese web host Critical: Exclusive Must-Have Fixes

Taiwanese web host Critical: Exclusive Must-Have Fixes

A suspected Chinese state-backed crew quietly breached a Taiwanese web host, stealing credentials and planting backdoors to maintain months-long access — a stark reminder that compromising one trusted provider can expose dozens of downstream victims. Strengthening access controls, adopting zero-trust segmentation, and rotating credentials aren’t optional — they’re the best way to stop a single breach from becoming a widespread supply-chain disaster.

Analyst 207
Locked metal gate with broken padlock surrounded by glowing code patterns, with ominous server room in background.

Brute-force attacks target Apache Tomcat management panels

Brute-force attacks target Apache Tomcat management panels by exploiting weak credentials and misconfigurations to gain unauthorized access.

Analyst 207
Mirai Botnet Exploits Command Injection Vulnerability to Target TBK DVR Systems

Mirai Botnet Exploits Command Injection Vulnerability to Target TBK DVR Systems

Mirai Botnet uses a command injection flaw to target TBK DVR systems, exposing critical vulnerabilities and posing serious cybersecurity threats.

Analyst 207
New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

New PathWiper Data Wiper Malware attack in 2025 disrupts Ukrainian critical infrastructure, exposing vulnerabilities and triggering widespread data chaos.

Analyst 207
Counterfeit DocuSign Sites Deploy Multi-Stage NetSupport RAT Malware

Counterfeit DocuSign Sites Deploy Multi-Stage NetSupport RAT Malware

Counterfeit DocuSign sites lure users while deploying multi-stage NetSupport RAT malware to compromise systems and steal personal data.

Analyst 207
Google Apps Script Exploited for Stealthy Phishing Schemes

Google Apps Script Exploited for Stealthy Phishing Schemes

Google Apps Script is exploited for stealthy phishing schemes. Uncover warning signs and safeguard your data from evolving cyber threats.

Analyst 207
PumaBot Malware Targets Linux IoT Devices

PumaBot Malware Targets Linux IoT Devices

PumaBot malware targets Linux IoT devices by exploiting vulnerabilities to compromise systems. Learn how to protect your connected devices.

Analyst 207
Chinese Hackers Exploit Cityworks Flaw to Target US Local Governments

Chinese Hackers Exploit Cityworks Flaw to Target US Local Governments

Chinese hackers exploited a flaw in Cityworks to target US local governments, exposing vulnerabilities in municipal cybersecurity infrastructure.

Analyst 207
Chrome Unveils One-Click Update for Compromised Passwords

Chrome Unveils One-Click Update for Compromised Passwords

Chrome introduces a one-click update for compromised passwords, streamlining security and simplifying password management for safer browsing.

Analyst 207
Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts

Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts

Critical Versa Concerto flaws let attackers escape Docker, compromising hosts. Patch vulnerabilities now to protect your infrastructure.

Analyst 207
Talos: Chinese Cyber Intruders Attempted Breach of US City Utilities

Talos: Chinese Cyber Intruders Attempted Breach of US City Utilities

Talos details how alleged Chinese cyber intruders attempted a breach of US city utilities, exposing vulnerabilities in critical infrastructure.

Analyst 207