Welcome to this week’s edition of the Threat Source newsletter.
At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.
In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself. Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although unmasking them is not an easy task, attackers will often unwittingly leave clues to their identity.
We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.
New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.
Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker's identity. Otherwise, the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organisation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.
Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.
The one big thing
Lotus Blossom is a sophisticated threat actor that we've uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity.
Why do I care?
Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sectors, other threat actors may be conducting information stealing campaigns against you.
So now what?
Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.
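As an added example (not code from the newsletter or from Talos), a small Python scanner that walks a directory tree, hashes every file, and reports matches against a hash IOC set and a list of typical filenames; the hash set is seeded with the SHA256 values from the "Most prevalent malware files" list below, while the scanned directory, its files and the extra "Constructed.Test.IOC" entry are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 IOCs copied from the "Most prevalent malware files" list in this newsletter.
KNOWN_SHA256 = {
    "47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca": "Coinminer:MBT.26mw.in14.Talos",
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507": "Simple_Custom_Detection",
    "592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac": "PUA.Win.Dropper.Hackkms::tpd",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91": "Win.Trojan.Miner-9835871-0",
}
# Typical filenames from the same list; a name match alone is a weak signal, so it is reported separately.
SUSPICIOUS_NAMES = {"vid001.exe", "kmsss.exe", "img001.exe"}

def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, sha256_iocs=KNOWN_SHA256, names=SUSPICIOUS_NAMES):
    """Return (path, reason) pairs for every file matching a hash or filename IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if digest in sha256_iocs:
                hits.append((path, "sha256:" + sha256_iocs[digest]))
            elif name.lower() in names:
                hits.append((path, "filename-only"))
    return hits

def demo_scan():
    """Scan a throwaway directory of constructed files; one is registered as a constructed hash IOC."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "readme.txt").write_bytes(b"nothing to see here")
    Path(tmp, "VID001.exe").write_bytes(b"constructed stand-in, not the real sample")
    payload = Path(tmp, "payload.bin")
    payload.write_bytes(b"constructed test payload")
    iocs = dict(KNOWN_SHA256)
    iocs[sha256_of(payload)] = "Constructed.Test.IOC"  # assumption: a constructed IOC for the demo
    return sorted((os.path.basename(p), r) for p, r in scan_tree(tmp, iocs))
```

Running `scan_tree("/path/to/check")` against a real host reports only hash matches and filename-only hits; the latter deserve a hash or VirusTotal check before being treated as an incursion.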
Top security headlines of the week
244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)
A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)
The US agency CISA reports that it will continue to defend against threats, including those from Russia. (TheRecord)
Can’t get enough Talos?
In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.
Upcoming events where you can find Talos
RSA (April 28-May 1, 2025) San Francisco, CA
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA
Cisco Live U.S. (June 8-12, 2025) San Diego, CA
Most prevalent malware files from Talos telemetry over the past week
SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection
SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac
MD5: 6361f25ede0442f2e0ad3bcd33c331c8
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac
Typical Filename: KMSSS.exe
Detection Name: PUA.Win.Dropper.Hackkms::tpd
SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: img001.exe
Detection Name: Win.Trojan.Miner-9835871-0