Welcome to this week’s Threat Source newsletter.
I love a Spielberg summer. His ability to imbue a sense of wonder, awe, curiosity, and connection means he’s in a league of his own. Granted, I haven’t felt that from him in a while, but when he hits? Oof. I feel like I need somebody to reach across and take off my sunglasses.
So, Disclosure Day then. A group of friends and I visited a thankfully packed-out cinema at the weekend to bear witness to Spielberg’s latest dalliance with extra-terrestrial beings.
Thar be no spoilers here, but I do want to touch on one of the film’s central themes: the idea that a group of people (let’s call them “the government”) believes they can predict how humanity will react to world-changing information based on historical data patterns.
We often assume that information influences behaviour. Surely, if people have the right information, they'll make the right decision? If people understand the risk, they'll act.
However, the older I get, the less convinced I am that human beings are rational creatures.
Organisations know they should patch. People know they should use MFA. Leaders know they should practice an incident before it happens for real.
And yet.
Life is messy. Life, uh, finds a way.
Most people aren't making decisions in a vacuum. They need to contend with limited budgets, workloads, competing business priorities, and a hundred other things demanding their attention. "Knowing" what they should do is the easy part. The hard part is finding the time, resources, urgency, and collective will to actually do it.
As one of my colleagues recently wrote, even in a post-Mythos world, many of the controls most likely to protect organisations are the same ones we've been talking about for years. Segmentation. Backups. MFA everywhere. Understanding if your controls are doing what they’re supposed to be doing.
And people can react to the exact same situation in very different ways.
Take the film itself. One of my friends remarked on the way out, "What a load of twaddle." (Do you use "twaddle" much in the U.S.? If not, I recommend introducing it into more sentences.) Another friend thought it was entertaining, exciting, and thought-provoking.
As Colin Firth’s character finds out in Disclosure Day, humans don’t always react the way you expect them to. I think that’s so important to acknowledge and work with, rather than against, in the cybersecurity field. Information is only one piece of the puzzle. Experience, priorities, personality, context, and a hundred other factors shape how people interpret and respond to that information.
So, this message probably won’t land with 99% of you. But for the 1% that it might, go ahead and do that MFA install you’ve been putting off.
Also, you’re running low on milk. Best pick some up on your way home.
The one big thing
Cisco Talos detailed a new approach to reverse engineering that pairs local AI agents with traditional analysis tools like the VB6 disassembler vbdec. Instead of awkwardly bolting AI onto the software, vbdec exposes its parsed data through a live Component Object Model (COM) interface. Analysts can simply use natural language prompts to automate complex tasks like decompiling functions or building call graphs. This transforms the disassembler from a static viewer into a highly interactive, queryable data server.
Why do I care?
This methodology empowers analysts to generate custom workflows on the fly, completely bypassing the wait for new vendor features. It also solves a massive privacy hurdle: because the AI agent and disassembler share a local machine, sensitive binaries never leave your workstation. This architectural shift proves that any analysis tool holding structured data behind a GUI can become a powerhouse for agentic automation, saving defenders countless hours of tedious reverse engineering.
So now what?
Tool developers should start exposing their application data through external scripting interfaces like COM or other inter-process communication (IPC) protocols. If you are analyzing VB6 binaries, enable remote scripting in vbdec and point your preferred local AI agent at the provided operator briefing to start automating your tasks. Security teams need to lean into this paradigm shift, letting agents handle the exhaustive, repeatable grunt work while analysts focus on the actual analysis. Read the blog for more.
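The pattern described above, a tool that already holds parsed data behind a GUI exposing it to a local agent as a queryable server, can be sketched with a small added example (this is illustrative code written for this newsletter, not vbdec's COM interface or any Talos tooling). It assumes a constructed call table standing in for what a disassembler parses out of a binary, and uses newline-delimited JSON over a loopback TCP socket as the IPC transport in place of COM. The defender-relevant design points are visible in the code: the server binds to 127.0.0.1 only, the binary's data never leaves the workstation, and only an explicit allow-list of read-only query methods is reachable over IPC.

```python
import json
import socket
import socketserver
import threading
from collections import deque

# Constructed sample: function name -> callees, standing in for the data a
# disassembler has already parsed. This is NOT vbdec's real data model.
SAMPLE_CALL_TABLE = {
    "Form_Load": ["InitConfig", "CheckLicense"],
    "InitConfig": ["ReadRegistry"],
    "CheckLicense": ["ReadRegistry", "Connect"],
    "ReadRegistry": [],
    "Connect": ["Send"],
    "Send": [],
}


class AnalysisData:
    """Read-only view over the parsed data the analysis tool already holds."""

    def __init__(self, call_table):
        self.call_table = {k: list(v) for k, v in call_table.items()}

    def functions(self):
        return sorted(self.call_table)

    def callees(self, name):
        if name not in self.call_table:
            raise KeyError(name)
        return sorted(self.call_table[name])

    def callers(self, name):
        if name not in self.call_table:
            raise KeyError(name)
        return sorted(f for f, cs in self.call_table.items() if name in cs)

    def call_graph(self, root):
        """Breadth-first walk from root; returns (caller, callee) edges in visit order."""
        if root not in self.call_table:
            raise KeyError(root)
        seen, edges, queue = {root}, [], deque([root])
        while queue:
            f = queue.popleft()
            for c in self.call_table[f]:
                edges.append([f, c])
                if c not in seen:
                    seen.add(c)
                    queue.append(c)
        return edges


# Only these methods are reachable over IPC: an explicit allow-list of
# read-only queries, so the agent cannot reach anything else in the tool.
EXPOSED_METHODS = ("functions", "callees", "callers", "call_graph")


def handle_request(data, raw_line):
    """Parse one JSON request line and dispatch it against the allow-list."""
    try:
        req = json.loads(raw_line)
        method = req["method"]
        params = req.get("params", {})
        if method not in EXPOSED_METHODS or not isinstance(params, dict):
            return {"ok": False, "error": "unknown method"}
        return {"ok": True, "result": getattr(data, method)(**params)}
    except (KeyError, TypeError, ValueError) as exc:
        # Malformed JSON, missing fields, bad parameter names or unknown functions
        return {"ok": False, "error": f"bad request: {exc!r}"}


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        for line in self.rfile:  # one JSON object per line, one reply per line
            reply = handle_request(self.server.data, line.decode("utf-8"))
            self.wfile.write((json.dumps(reply) + "\n").encode("utf-8"))
            self.wfile.flush()


def serve(data, host="127.0.0.1", port=0):
    """Start the query server on loopback only; port 0 lets the OS pick a free port."""
    server = socketserver.ThreadingTCPServer((host, port), _Handler)
    server.daemon_threads = True
    server.data = data
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query(port, method, host="127.0.0.1", **params):
    """Client side (what a local agent would call): one request, one JSON reply."""
    with socket.create_connection((host, port)) as sock:
        payload = json.dumps({"method": method, "params": params}) + "\n"
        sock.sendall(payload.encode("utf-8"))
        return json.loads(sock.makefile("r", encoding="utf-8").readline())


if __name__ == "__main__":
    srv = serve(AnalysisData(SAMPLE_CALL_TABLE))
    port = srv.server_address[1]
    print(query(port, "callers", name="ReadRegistry"))
    print(query(port, "call_graph", root="Form_Load"))
    srv.shutdown()
    srv.server_close()
```

Run it stand-alone to see the loopback exchange; an agent only needs to be told the line protocol and the four method names to start composing call-graph and caller queries on its own. Anything not on the allow-list, including Python attribute names that happen to exist on the data object, gets a generic error rather than a dispatch.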
Top security headlines of the week
ShinyHunters claims Council of Europe hack
On Sunday, ShinyHunters added the Council of Europe to its Tor-based leak site, threatening to release more than 297GB of data allegedly stolen from the organization’s network. (SecurityWeek)
Sweeping credential-harvesting heist compromises +30K Fortinet devices
A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries. (Dark Reading)
Fileless Phantom Stealer targets browser credentials
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques designed to evade detection. (Dark Reading)
Bug in FIFA World Cup internal system gave anyone ability to modify TV stream
A security researcher said she was able to access several internal FIFA platforms due to a simple security flaw, which allowed her to watch and have full control of the TV stream of every World Cup game. (TechCrunch)
The FBI built its own replica small town to simulate real-world cyber attacks
Dubbed the Kinetic Cyber Range, the FBI’s small purpose-built town opened in February 2025 and features fully furnished houses, a hotel, a gas station and grocery mart, a courthouse, a hospital, roads, traffic lights, and a power company designed to mimic a real U.S. community. (TechCrunch)
Can’t get enough Talos?
Patching in the dark: Managing unknown threats in complex environments
If you're tired of being told to "just patch," we understand. In this episode of Talos Takes, Amy and Pierre explore the logistical, technical, and business realities that make patching a complex, high-stakes operation rather than a simple button click. Here are the things defenders often miss that build true resilience in organizations.
Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting
Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds.
Winning the cyber marathon with Tony Giandomenico
In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins Amy to discuss Talos Threat Hunting, the challenges of leading major product launches, and the grueling discipline of Ironman triathlons.
Upcoming events where you can find Talos
- Black Hat USA (Aug. 1 – 6) Las Vegas, NV
- DEF CON 34 (Aug. 6 – 9) Las Vegas, NV
Most prevalent malware files from Talos telemetry over the past week
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: VID001.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
MD5: bf9672ec85283fdf002d83662f0b08b7
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
Example Filename: f_000cd7.html
Detection Name: W32.C0AD494457-95.SBX.TG
SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
MD5: 38de5b216c33833af710e88f7f64fc98
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
Example Filename: SECOH-QAD.exe
Detection Name: Win.Tool.Procpatcher::1201
SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
MD5: dbd8dbecaa80795c135137d69921fdba
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
Example Filename: u992574.dll
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201