Welcome to this week’s edition of the Threat Source newsletter.
Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie.
(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!)
Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It's a one-way trip, and he’ll eventually die in space alone... or so he thinks.
The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world.
While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire processof creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age.
The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people.
We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here's a taste of our findings:
- React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June.
- About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks.
- Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications.
- Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing.
- Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January.
We also offer insights on AI and state-sponsored threats, so be sure to view the full report.
In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can't save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community.
When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!”
Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.
The one big thing
One of the main themes from the 2025 Year in Review's vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff.
Why do I care?
Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers.
So now what?
Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.
Top security headlines of the week
U.S. Department of Energy publishes five-year energy security plan
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents. (SecurityWeek)
Someone has publicly leaked an exploit kit that can hack millions of iPhones
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch)
Checkmarx KICS code scanner targeted in widening supply chain hit
Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading)
Attackers hide infostealer in copyright infringement notices
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer easy for threat actors to use. (Dark Reading)
Oracle releases emergency patch for critical identity manager vulnerability
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. (SecurityWeek)
Can’t get enough Talos?
Today only: Ask us anything
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now!
Year in Review highlights
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed.
Gravy, glutes, and the Talos Year in Review
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East.
Cybersecurity’s double-header
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year.
Upcoming events where you can find Talos
- Botconf 2026 (April 15 – 17) Reims, France
Most prevalent malware files from Talos telemetry over the past week
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe
Detection Name: W32.Injector:Gen.21ie.1201
SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename: APQ9305.dll
Detection Name: Auto.90B145.282358.in02
SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe
MD5: a2cf85d22a54e26794cbc7be16840bb1
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe
Detection Name: W32.5E6060DF7E-100.SBX.TG
SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe
Detection Name: Win.Dropper.Miner::95.sbx.tg
SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
MD5: 41444d7018601b599beac0c60ed1bf83
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js
Detection Name: W32.38D053135D-95.SBX.TG