Cherry Pie, Douglas Firs and the Last Trip of the Summer
Welcome to this week’s edition of the Threat Source newsletter. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.
But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics.
Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public Wi-Fi signal or seemingly harmless USB charging station. As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness.
Threat Update
Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices through CVE-2018-0171, a vulnerability patched seven years ago, to steal data and maintain long-term, hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools used to exfiltrate data and keep that access undetected, with a focus on entities of strategic interest to the Russian government.
We urge immediate patching, or disabling of the at-risk features, to prevent compromise. If your organization runs Cisco devices that have not been patched or replaced, you could be exposed to undetected intrusions and data breaches, even though the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy.
Review your network infrastructure now for unpatched or end-of-life Cisco devices and apply the available patches or disable the vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defending against this and similar state-sponsored threats.
Security Headlines
- Workday Data Breach Bears Signs of Widespread Salesforce Hack
- Novel 5G Attack Bypasses Need for Malicious Base Station
- Internet-wide Vulnerability Enables Giant DDoS Attacks
- Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web
- XenoRAT malware campaign hits multiple embassies in South Korea
Cybersecurity Insights
The art of controlling information
JJ Cummings leads Talos' Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.
Ransomware Update
Ransomware incidents in Japan during the first half of 2025
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.
Cyber Analyst Series
Cybersecurity overview and the role of the cybersecurity analyst
A series of videos on the profession of cybersecurity analyst, made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian).
Upcoming Events
Most prevalent malware files from Talos telemetry over the past week