惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
爱范儿
爱范儿
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
Latest news
Latest news
The Hacker News
The Hacker News
Cyberwarzone
Cyberwarzone
博客园 - 【当耐特】
Project Zero
Project Zero
小众软件
小众软件
T
Tailwind CSS Blog
量子位
博客园 - 聂微东
I
Intezer
美团技术团队
S
SegmentFault 最新的问题
T
Tor Project blog
Spread Privacy
Spread Privacy
V
Vulnerabilities – Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Jina AI
Jina AI
罗磊的独立博客
B
Blog RSS Feed
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
C
Cisco Blogs
L
LINUX DO - 热门话题
Last Week in AI
Last Week in AI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Azure Blog
Microsoft Azure Blog
L
LINUX DO - 最新话题
Know Your Adversary
Know Your Adversary
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
Lohrmann on Cybersecurity
The Register - Security
The Register - Security
L
LangChain Blog
博客园 - 叶小钗
T
Tenable Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Cisco Talos Blog

Begun, the Patch Wars have The Hunter's Paradox: Is it time to embrace automated threat hunting? UAT-11795 deploys novel Starland RAT and bespoke WLDR C2 implant in financially motivated campaign Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilities [Video] Where protection starts: Cisco Talos Intelligence Integrations The serpent’s tongue: Luring the Python out of its den WolfSSL, GeoVision, VTK vulnerabilities Winning 54% of the time UAT-7810 continues building ORB networks using new malware Catan and Mouse Martin Lee: Running through the Arctic (and the threat landscape) ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 Introduction to COM usage by Windows threats Close Encounters of the Human Kind Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model A tale of two eras Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities Reporting from Vegas: Networking, AI, and good boys Winning the cyber marathon with Tony Giandomenico Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting Less panic patching, more precision DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap MediaArea heap-based buffer overflow vulnerabilities Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake The art of being ungovernable TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat The time of much patching is coming Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities Breaking things to keep them safe with Philippe Laulheret Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities State-sponsored actors, better known as the friends you don’t want Unplug your way to better code Insights into the clustering and reuse of phone numbers in scam emails UAT-8302 and its box full of malware
Beyond IOCs: AI-enabled threat intelligence
Martin Lee · 2026-06-26 · via Cisco Talos Blog

Welcome to this week’s Threat Source newsletter. 

The issue of AI in cybersecurity is often portrayed as a binary choice: either a force multiplier for our adversaries, or a tool bringing professional obsolescence. The reality is more nuanced. While AI certainly brings some advantage to attackers, it also offers advantages to the defender, notably in how we manage, index, and derive value from threat intelligence. 

Currently, our industry excels in the use and dissemination of indicators of compromise (IOCs). These atomic indicators fit neatly into key-value data stores and their value can be enhanced with added context, neatly structured in STIX/MISP format. However, this is only the tactical layer. 

Ultimately, we want the consumers of threat intelligence reports to develop their knowledge and to build a picture of the relevance of the threat to their own situation, along with understanding of how they can respond given their resources and constraints. This capability is conferred by the natural language found within strategic and operational intelligence briefings. 

These reports provide the context required for meaningful response, yet they remain notoriously difficult to index. We are often left with disparate incident reports, darknet monitoring, and malware analysis that fail to cross-reference effectively, further complicated by inconsistent naming conventions for threat actors. 

This is a problem that large language models (LLMs) may be able to solve. Although AI models have no real understanding of an issue, they can identify synonyms and relate entities across vast, unstructured datasets. This can only make the retrieval of relevant threat intelligence reports easier, and facilitate the generation of relevant advice to protect against threats. 

There are still issues to resolve. We need to be vigilant regarding the veracity of the data that LLMs ingest, and of the confidentiality of the queries made of such a system. However, the development of personal, domain-specific LLMs offers the possibility of a world of integrated threat intelligence where relevant reports from disparate sources can be easily retrieved, and specific advice returned to even the vaguest of queries. 

Rather than fearing AI’s potential negative effects on our employment, we can consider AI’s development as a powerful tool that enables access to threat intelligence reports and allows us to provide tailored actionable advice faster to those who need to know it. Ultimately, AI can help us do what we do best: making a difference and making the bad guy’s lives harder. 

The one big thing 

Cisco Talos is highlighting how Windows threats increasingly abuse the Component Object Model (COM) to execute malicious activities. While COM is a fundamental Windows technology for legitimate inter-process communication, malware families like Qakbot and WarmCookie hijack it for lateral movement, persistence, and evasion. Because COM functionality relies on opaque GUIDs and indirect vtable calls, it obscures the attacker's intent and makes manual analysis incredibly labor-intensive. 

Why do I care? 

Threat actors love COM because it provides convenient access to built-in Windows functionality while making static analysis a nightmare. By hiding malicious behavior behind indirect function calls, attackers easily bypass basic scrutiny and blend in with legitimate system processes. Adversaries are effectively turning Windows' own architecture against itself. If analysts aren't prioritizing COM during triage, they are likely missing critical pieces of the infection chain. 

So now what? 

Defenders must sharpen their skills in recognizing COM usage and translating evidence like ProgIDs and vtable offsets into human-readable actions. Leverage specialized tools like OleView.NET, IDA’s COM Helper, and DispatchLogger to map anonymous indirect calls to clear behaviors. Security teams should also build static hunting logic to track these threats. You can find a simplified YARA hunting rule for binaries referencing the Task Scheduler COM class in the full blog post

Top security headlines of the week 

FortiBleed campaign used custom FortiGate sniffer to steal credentials 
Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials. (BleepingComputer

Scattered Spider hackers plead guilty on Day 1 of trial 
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyber attack affecting Transport for London, the entity responsible for the public transport network in the Greater London area. (Krebs on Security

Klue says hackers stole credential from 2022 that led to customer data breaches 
Market research company Klue has confirmed that a credential dating back to 2022, which was part of a limited pilot, was used by hackers earlier this month to steal data from its corporate customers, including several cybersecurity companies. (TechCunch

New exploit bypasses Apple’s boot defenses, affects millions of iPhones 
Baked permanently into the device’s SoC, SecureROM is the first code an iPhone runs on startup and the foundation of Apple’s entire secure boot chain. The exploit chains a USB controller bug and a device firmware configuration weakness. (SecurityWeek

Windows 11 KB5095093 update rolls out new Point-in-Time restore feature 
This update introduces numerous new features, including a standout Point-in-Time Restore feature that allows Windows users to easily roll back their operating system, applications, and files to a previous point in time. (BleepingComputer

Can’t get enough Talos? 

AI is finding bugs faster. Now what? 
In this episode of Beers with Talos, the team is joined by Nick Biasini to unpack what attackers are doing with AI-assisted vulnerability discovery, review FIFA World Cup threat trends, and phish the Pope. 

Patching in the dark: Managing unknown threats in complex environments 
If you're tired of being told to "just patch," we understand. Amy and Pierre explore the logistical, technical, and business realities that make patching a complex, high-stakes operation rather than a simple button click — and break down the things defenders often miss that build true resilience in organizations. 

Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting 
Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: SECOH-QAD.exe 
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
MD5: cc4d231df34e57f59eb970353c7d9de2  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
Example Filename: AutoPico.exe  
Detection Name: PUA.Win.Tool.Kmsactivator::1201 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba 
MD5: dbd8dbecaa80795c135137d69921fdba 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba 
Example Filename: u992574.dll  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201 

SHA256: 853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453 
MD5: 41acb30b9d662d48b7b4fc0ac3d4b79f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453 
Example Filename: SignInfoConsole.exe 
Detection Name: W32.853BAAB97B.in12.Talos