
Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.

Filtered by source: talos

Reporting from Vegas: Networking, AI, and good boys

4w ago · talos

Cisco Talos has expanded its Threat Hunting program to proactively identify advanced adversaries leveraging AI to evade traditional detection. The initiative recently uncovered a KongTuke command-and-control (C2) infrastructure, highlighting the need for hypothesis-driven threat hunting. As attackers increasingly use AI and legitimate tools to stay under the radar, Talos emphasizes continuous monitoring across endpoint, network, and identity data to detect sophisticated intrusions before signatures are available.

15 IoCs 1 Malware

Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities

3w ago · talos

Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including 32 critical, with a focus on remote code execution (RCE) flaws in Windows services, Microsoft Office, and Azure components. Several vulnerabilities are deemed more likely to be exploited, including CVE-2026-42985 in Remote Desktop Client and CVE-2026-47291 in the HTTP Protocol Stack. Talos has released Snort rules to detect exploitation attempts, emphasizing proactive defense against potential attacks targeting these critical flaws.

A tale of two eras

3w ago · talos

Cisco Talos intelligence highlights the growing threat of AI-driven vulnerability discovery, which is outpacing human patching capabilities and enabling rapid exploitation of zero-day vulnerabilities. Organizations are urged to move beyond patch-reliant strategies and adopt a resilient security posture centered on foundational controls, behavioral detection, and incident response readiness. The report emphasizes that some breaches are inevitable, making detection and response capabilities as critical as prevention.

12 IoCs 1 Malware

Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model

2w ago · talos

The article discusses a novel approach to reverse engineering VB6 binaries by leveraging vbdec's live COM object model, enabling AI agents to automate analysis without modifying the core tool. By exposing its parsed project data through the Windows Running Object Table (ROT), vbdec allows local AI agents like Claude Code to interact with and query the disassembler programmatically. This method supports scalable, repeatable, and exhaustive analysis tasks such as decompilation, call graph generation, and database export, all performed locally without uploading sensitive binaries. The technique demonstrates how existing tools can be transformed into queryable services through structured data exposure and simple scripting interfaces.

Close Encounters of the Human Kind

2w ago · talos

Cisco Talos observed a large-scale credential-harvesting campaign targeting over 30,000 Fortinet devices across nearly 200 countries. The campaign leverages known vulnerabilities in Fortinet firewalls and VPN gateways to steal credentials and maintain persistent access. Additionally, fileless variants of Phantom Stealer malware are being used to target browser credentials, employing anti-analysis techniques to evade detection. These threats highlight ongoing exploitation of internet-facing infrastructure and the need for robust patching and multi-factor authentication.

12 IoCs 1 Actors 1 Malware

Introduction to COM usage by Windows threats

1w ago · talos

Component Object Model (COM) is a foundational Windows technology increasingly exploited by threat actors for malicious purposes such as persistence, lateral movement, execution, and evasion. Malware families like Qakbot, Gh0stRAT, and WarmCookie leverage COM interfaces to interact with Windows services including Task Scheduler, WMI, and BITS, often bypassing traditional detection mechanisms. These threats use indirect vtable calls and DCOM for stealthy operations, making static analysis more complex. Understanding COM usage is critical for effective threat hunting and reverse engineering.

1 Actors 2 Malware

Beyond IOCs: AI-enabled threat intelligence

1w ago · talos

Cisco Talos highlights the increasing abuse of Windows Component Object Model (COM) by malware families such as Qakbot and WarmCookie for lateral movement, persistence, and evasion. COM's use of opaque GUIDs and indirect vtable calls complicates manual analysis and static detection, allowing attackers to blend malicious activities with legitimate system processes. Defenders are advised to enhance their ability to detect and interpret COM-related artifacts to uncover hidden stages of the infection chain.

15 IoCs 2 Malware

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

4d ago · talos

Cisco Talos identified ARToken, a phishing-as-a-service (PhaaS) platform affiliated with the EvilTokens infrastructure, targeting Microsoft 365 users via sophisticated device code phishing. The platform offers affiliates a comprehensive toolkit for token theft, persistence via Primary Refresh Tokens (PRT), business email compromise (BEC), and SharePoint/OneDrive exfiltration. ARToken leverages advanced anti-analysis techniques including client-side behavioral verification and XOR-encrypted payloads to evade detection, while operating through Cloudflare Workers and a React-based dashboard for management.

4 IoCs

Martin Lee: Running through the Arctic (and the threat landscape)

4d ago · talos

Martin Lee, EMEA Lead at Talos, shares his journey from academic research in human virology to leading cybersecurity initiatives. He reflects on the early days of the internet, the evolution of cyber threats, and the accidental discovery of advanced persistent threats (APT) while developing early spam filters. His current role focuses on analyzing the threat landscape and communicating insights to customers and partners. The discussion highlights the importance of curiosity and adaptability in cybersecurity careers.

Catan and Mouse

2d ago · talos

Cisco Talos has identified ARToken, a sophisticated phishing-as-a-service (PhaaS) platform, which provides a wide range of capabilities including device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC), and SharePoint exfiltration. The platform shares infrastructure and operational patterns with the previously documented EvilTokens platform. ARToken features a React-based dashboard and exposes over 80 API endpoints, indicating it is a mature BEC operations environment rather than a simple phishing kit.

15 IoCs