I scan, you scan, we all scan for... knowledge?
2026-1-22 19:1:40 Author: blog.talosintelligence.com

Welcome to this week’s edition of the Threat Source newsletter. 

“Upon us all a little rain must fall” — Led Zeppelin, via Henry Wadsworth Longfellow  

I recently bumped into a colleague with whom I spent several years working in an MSSP environment. We had very different roles within the organization, so our viewpoints, both then and now, were very different. He asked me the question I hear almost every time I speak somewhere: “What do you think are the most essential things to protect your own network?” This always leads to my top answer — the one that no one ever wants to hear. 

“Know your environment.” 

It led me down a path of thinking about how cyclical things are in the world of cybersecurity and how we, the global “we”, have slipped back to a place where reconnaissance is too often ignored in our day-to-day workflow. 

Look, I know that we all have alert fatigue. We’re managing too many devices, dealing with too many data points, generating too many logs, and facing too few resources to handle it all. So my “Let’s not ignore reconnaissance” mantra might not be regarded well at first.  

Here’s the thing: It’s always tempting to trim your alerts and reduce your ticketing workload. After all, attack signals seem more “impactful” by nature, right? But I've always believed it’s a mistake to dismiss reconnaissance events to clear the way for analysts to look for the “real” problems. I always go back to my first rule: “Know your environment.” The bad actors are only getting better at the recon portion, both on the wire and in social engineering. 

AI tooling has made a lot of the most challenging aspects of reconnaissance automagical. If you search the dark web for postings from initial access brokers (IABs), you’ll find that they excel in reconnaissance and understanding your own environment. They’re quick to find every Windows 7 machine still on your network, not to mention your unpatched printers, smart fridges, and vulnerable thermostats. 

I get that we can’t get spun up about every half-open SYN, but spotting when these events form a pattern is exactly what we’re here for, and it’s as important as tracking down directory traversal attempts. 
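To make the "pattern, not the single SYN" point concrete, here is a small detector added for this edit (not Talos tooling or code from the original post): it reads constructed connection-log lines, keeps only half-open SYNs, and flags a source only when its probes form a vertical (many ports) or horizontal (many hosts) pattern inside a sliding window. The log format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real telemetry):
# timestamp, source IP, destination IP, destination port, TCP flags ("S" = SYN only, i.e. half-open).
SAMPLE_LOG = """\
2026-01-20T10:00:01Z 10.0.5.23 10.0.1.10 443 S
2026-01-20T10:00:02Z 10.0.5.23 10.0.1.10 443 S
2026-01-20T10:00:03Z 203.0.113.7 10.0.1.10 22 S
2026-01-20T10:00:03Z 203.0.113.7 10.0.1.10 23 S
2026-01-20T10:00:04Z 203.0.113.7 10.0.1.10 80 S
2026-01-20T10:00:04Z 203.0.113.7 10.0.1.10 445 S
2026-01-20T10:00:05Z 203.0.113.7 10.0.1.10 3389 S
2026-01-20T10:00:06Z 198.51.100.9 10.0.1.11 445 S
2026-01-20T10:00:07Z 198.51.100.9 10.0.1.12 445 S
2026-01-20T10:00:08Z 198.51.100.9 10.0.1.13 445 S
2026-01-20T10:00:09Z 198.51.100.9 10.0.1.14 445 S
2026-01-20T10:00:09Z 198.51.100.9 10.0.1.15 445 S
2026-01-20T11:30:00Z 10.0.5.23 10.0.1.10 22 SA
"""

def parse_half_open(log):
    """Yield (timestamp, src, dst, dport) for SYN-only records; other flag combinations are ignored."""
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        if flags == "S":
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)

def find_scan_patterns(log, window=timedelta(seconds=60), threshold=5):
    """Return {src: "vertical" | "horizontal"} for sources whose half-open SYNs, inside any
    sliding window, touch many distinct ports (vertical) or many distinct hosts (horizontal).
    A lone stray SYN, or a few retries to one service, never crosses the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_half_open(log):
        by_src[src].append((ts, dst, dport))
    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so each event can open a window
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            ports = {p for _, _, p in in_window}
            hosts = {h for _, h, _ in in_window}
            if len(ports) >= threshold:
                findings[src] = "vertical"
                break
            if len(hosts) >= threshold:
                findings[src] = "horizontal"
                break
    return findings
```

Running `find_scan_patterns(SAMPLE_LOG)` flags 203.0.113.7 as a vertical scan and 198.51.100.9 as a horizontal sweep, while the internal host that only retried one service stays quiet.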

“Behind the clouds is the sun still shining;  
Thy fate is the common fate of all...” — Henry Wadsworth Longfellow

The one big thing 

Cisco Talos researchers recently discovered and disclosed vulnerabilities in Foxit PDF Editor, Epic Games Store, and MedDream PACS, all of which have since been patched by the vendors. These vulnerabilities include privilege escalation, use-after-free, and cross-site scripting issues that could allow attackers to execute malicious code or gain unauthorized access.

Why do I care? 

These vulnerabilities could have enabled attackers to escalate privileges, execute arbitrary code, or compromise sensitive systems, potentially leading to data breaches or system outages. Even though patches are available, unpatched systems remain at risk.

So now what? 

Organizations should make sure all affected software is updated with the latest patches and review security monitoring for signs of exploitation attempts. Additionally, defenders should implement layered defenses and educate users on the risks of opening suspicious files or clicking unknown links to reduce the likelihood of successful attacks. 

Top security headlines of the week 

How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East 
TechCrunch analyzed the source code of the phishing page, and believes the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. (TechCrunch)

LastPass warns of fake maintenance messages targeting users' master passwords 
The campaign, which began on or around Jan. 19, 2026, involves sending phishing emails claiming upcoming maintenance and urging users to create a local backup of their password vaults in the next 24 hours. (The Hacker News)

Everest Ransomware claims McDonalds India breach involving customer data  
The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861GB of customer data and internal company documents. (HackRead)

North Korea-linked hackers pose as human rights activists, report says  
North Korea-linked hackers are using emails that impersonate human rights organizations and financial institutions to lure targets into opening malicious files. (UPI)

Hackers use LinkedIn messages to spread RAT malware through DLL sideloading 
The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). (The Hacker News)

Can’t get enough Talos? 

Engaging Cisco Talos Incident Response is just the beginning 
Sophisticated adversaries leave multiple persistence mechanisms. Miss one backdoor, one scheduled task, or one modified firewall rule, and they return weeks later, often selling access to other criminal groups. 

Talos Takes: Cyber certifications and you 
In the first episode of the year, Amy Ciminnisi, Talos’ Content Manager and new podcast host, steps up to the mic with Joe Marshall to explore certifications, one of cybersecurity’s overwhelming (and sometimes most controversial) topics. 

Microsoft Patch Tuesday for January 2026 
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical.”   

Upcoming events where you can find Talos 

  • JSAC (Jan. 21 – 23) Tokyo, Japan 
  • DistrictCon (Jan. 24 – 25) Washington, DC 
  • S4x26 (Feb. 23 – 26) Miami, FL  

Most prevalent malware files from Talos telemetry over the past week 



Source: https://blog.talosintelligence.com/i-scan-you-scan-we-all-scan-for-knowledge/