Welcome to this week’s edition of the Threat Source newsletter.
Generative AI and agentic AI are here to stay. Although I believe that the advantages that AI brings to bad guys may be overstated, these new technologies allow threat actors to conduct attacks at a faster rate than before.
One capability that AI improves for threat actors is the ability to reconnoitre employees, discover their interests, and craft social engineering lures specific to them. Being able to deliver tailored, targeted social engineering using the language and tone most likely to trick an individual is a useful tool for the bad guys.
However, if AI brings advantages to those who seek to attack us, we shouldn’t overlook the benefits that it brings to defenders and the new weaknesses it exposes in the bad guys. If AI agents are searching for employees who are vulnerable to social engineering; then let us serve them exactly what that are looking for.
AI tools can create a whole army of fictitious employees who can be a rich source of threat intelligence. With AI we can easily create social media profiles of fake employees to entice malicious profiling agents. These AI avatars can post social media content or upload AI generated CVs or other documents to AI systems, leaving a trail of breadcrumbs for malicious agents to discover and follow.
Clearly, any message sent to the email address of an AI-generated employee is certain to be spam. We can update our lists of potentially malicious IP addresses and URLs appropriately. Similarly, we can create accounts on messaging platforms for our fake employees and wait for the social engineering attempts to analyse and block
Any attempt to access services or log-in using the credentials of an AI employee can only be malicious. Again, defensive teams can quickly and easily block the connecting IP address to nip in the bud any malicious campaign.
Malicious use of AI doesn’t need to be thought of only as a threat. It can be a way to turn the tables on threat actors and use their own tools against them. By understanding how AI tools are profiling and collecting information about our users, we can flood these tools with disinformation and treat any resulting attacks as a rich source of threat intelligence rather than as a source of concern.
AI is changing things for both attackers and defenders. New tools and capabilities allow us to think differently about defense and how we can increasingly make life difficult for the bad guys.
The one big thing
In our latest Vulnerability Deep Dive, a Cisco Talos researcher discovered six vulnerabilities in the Socomec DIRIS M-70 industrial gateway by emulating just the Modbus protocol handling thread, rather than the whole system. Using tools like Unicorn Engine, AFL, and Qiling for fuzzing and debugging, this “good enough” approach made it possible to find and analyze weaknesses despite hardware protections. The vulnerabilities were responsibly disclosed and have been patched by the manufacturer.
Why do I care?
Vulnerabilities in industrial gateways like the M-70 can cause major disruptions, especially in critical infrastructure, data centers, and health care. Attackers could exploit these flaws to stop operations or manipulate processes, leading to financial loss and equipment damage. The research highlights how even devices with strong hardware protections can still be vulnerable through their communication protocols.
So now what?
Organizations using Socomec DIRIS M-70 gateways should apply the manufacturer’s patches to fix the vulnerabilities. To detect exploitation attempts, defenders should download and use the latest Snort rulesets from Snort.org, as recommended in the blog. Finally, regularly monitor industrial devices for unusual activity and review security controls around critical gateways.
Top security headlines of the week
CISA navigates DHS shutdown with reduced staff
CISA is currently operating at roughly 38% capacity (888 out of 2,341 staff) due to the U.S. Department of Homeland Security shutdown that began February 14, 2026. KEV is one area that remains. (SecurityWeek)
EU Parliament blocks AI tools over cyber, privacy fears
According to an internal email seen by POLITICO, EU Parliament had disabled "built-in artificial intelligence features" on corporate tablets after its IT department assessed it couldn't guarantee the security of the tools' data. (POLITICO)
Supply chain attack embeds malware in Android devices
Researchers have spotted new malware embedded in the firmware of Android devices from multiple vendors that injects itself into every app on infected systems, giving attackers virtually unrestricted remote access to them. (Dark Reading)
Data breach at fintech giant Figure affects close to a million customers
Troy Hunt, security researcher and creator of the site Have I Been Pwned, analyzed the data allegedly taken from Figure and found it contained 967,200 unique email addresses associated with Figure customers. (TechCrunch)
Amnesty International: Intellexa’s Predator spyware used to hack iPhone of journalist in Angola
Government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians, and other ordinary citizens, including critics. (TechCrunch)
Can’t get enough Talos?
New threat actor, UAT-9921, leverages VoidLink framework in campaigns
Cisco Talos recently discovered a new threat actor, UAT-9221, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink.
Humans of Talos: Ryan Liles, master of technical diplomacy
Amy chats with Ryan Liles, who bridges the gap between Cisco’s product teams and the third-party testing labs that put Cisco products through their paces. Hear how speaking up has helped him reshape industry standards and create strong relationships in the field.
Talos Takes: Ransomware chills and phishing heats up
Amy is joined by Dave Liebenberg, Strategic Analysis Team Lead, to break down Talos IR’s Q4 trends. What separates organizations that successfully fend off ransomware from those that don’t? What were the top threats facing organizations? Can we (pretty please) get a sneak peek into the 2025 Year in Review?
Upcoming events where you can find Talos
- S4x26 (Feb. 23 – 26) Miami, FL
- CARO Workshop 2026 (Feb. 25 – 27) Innsbruck, Austria
- DEVCORE 2026 (Mar. 14) Taipei, Taiwan
Most prevalent malware files from Talos telemetry over the past week
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG
SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename:d4aa3e7010220ad1b458fac17039c274_64_Dll.dll
Detection Name: Auto.90B145.282358.in02
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe
Detection Name: W32.Injector:Gen.21ie.1201
SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
MD5: 41444d7018601b599beac0c60ed1bf83
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
Example Filename: content.js
Detection Name: W32.38D053135D-95.SBX.TG