Thursday, July 16, 2026

Begun, the Patch Wars have

Begun, the Patch Wars have

Welcome to this week’s edition of the Threat Source newsletter. 

We all knew, to some degree or another, that this summer was going to a hot mess. I don’t mean FIFA drama or record setting heat waves. I mean the slow but steady momentum that AI frontier models were accruing for vulnerability research. If you were like me, and guesstimating exactly when that shoe would drop, my money was on the middle of summer. And... well, friends, I hate to say it, but I was right.  

This July’s Patch Tuesday is an absolute whopper. There are 622 vulnerabilities being patched, with 62 being a critical severity. To put this context, this month alone has more vulnerabilities listed than all of 2018 combined. Three are zero days, two of which are being actively exploited. July is usually a quiet month historically – two years ago, it was just five patches issued in total! These are wild times, friends.  

Microsoft has said this is due their AI frontier-accelerated research. We knew that this was coming, but what I am less sure about are companies that can meet the demand of this patch flood and getting these patches out to their infrastructures. The pessimist in me knows how most IT enterprises operate: You test, review stability, and then deploy. There’s a lag there – always has been, always will be. But that system worked under a sane patching load. As surely as much as Microsoft is using frontier models to research and announce vulnerabilities, so every is every other vendor.  

Either through bug bounty programs or their own internal research, vendors are eating these bugs from a fire hose. Some are straight-up slop and just noise, but some have absolute value and need to be fixed. A giant like Microsoft has the money and resources to address this – as well they should. But for every Microsoft, there are five other companies who don’t have those resources. They’ll get bugs analyzed and patches issued, surely, but it will be on a much longer timeline.  

The trick, I think, will be identifying what is a “surge” vs. our new normal. If everything is a fire drill to patch, then nothing is a fire drill. What might just be a hot summer for patching, might turn into a 12-month fusillade of KEV and EPSS notifications, with companies already under the gun taxed even more. 

I truly don’t know how this ends, but… Find your change management and IT administrators and give then a hug. There are going to be some long days and hard questions to answer, and they’ll need all the help they can get. 

The one big thing 

Cisco Talos is disclosing a new campaign by UAT-11795, a sophisticated, financially motivated Russian-speaking adversary targeting users in the U.S. and Europe since at least June 2025. UAT-11795 uses trojanized software installers — including popular tools like Webex, Zoom, and MobaXterm — to deliver a custom Python-based remote access tool we track as "Starland RAT." This RAT acts as a gateway to deploy further malicious payloads, most notably a bespoke, in-memory PowerShell command-and-control (C2) implant known as the "WLDR agent." 

Why do I care? 

This opportunistic campaign casts a wide net across multiple victim profiles, turning a simple software download into a full-blown compromise. UAT-11795 employs highly evasive techniques, including AMSI and ETW bypasses, and uses a clever blockchain-anchored fallback mechanism to maintain persistent command and control. Once inside, attackers rapidly deploy secondary payloads like CastleStealer and Remcos RAT to siphon high-value credentials and cryptocurrency assets. 

So now what? 

Educate your users on ClickFix social engineering tactics and the dangers of unofficial software downloads. Monitor for suspicious execution of mshta.exe and unusual PowerShell activity, particularly scripts executing from memory or creating unexpected scheduled tasks. Ensure endpoint detection solutions are tuned to catch in-memory execution and AMSI tampering. Read the full blog for coverage and indicators of compromise (IOCs). 

Top security headlines of the week 

Microsoft patches record 622 flaws, including two zero-days under active attack 
Microsoft shipped its largest Patch Tuesday on record, more than triple June's previous high of around 200. (The Hacker News

RabbitMQ vulnerability threatens enterprise systems 
RabbitMQ is a popular open-source message broker that routes, buffers, and distributes messages, enabling asynchronous communication between applications. The security defect impacts an open management endpoint that returns the OAuth secret to anyone, without authentication. (SecurityWeek

Nigeria deepens cybersecurity efforts as cybercriminals see more profits 
The West African country advanced rules to force organizations to disclose cyberattacks, joining other nations in a shift to mandated transparency. (DarkReading

Two-click cursor exploit enables dev environment takeover 
Cursor AI, a popular AI coding tool used by more than 50,000 enterprises and 64% of the Fortune 500, can be exploited in just two clicks, allowing attackers to install permission-rich model context protocol (MCP) servers on privileged developers' machines. (DarkReading

Can’t get enough Talos? 

[Video] Where protection starts: Cisco Talos Intelligence Integrations 
Every day, defenders make high-consequence decisions with incomplete information. Learn how Cisco Talos Intelligence Integrations help reduce uncertainty by turning the latest threat intelligence into proactive protections across Cisco technologies. 

The Hunter's Paradox: Is it time to embrace automated threat hunting?
Humans can no longer keep up with the volume and velocity of security data on their own, but AI can't be fully trusted. David discusses the merits of both and what the future might look like.

The serpent’s tongue: Luring the Python out of its den 
Protect your development environment from rising Python supply-chain threats by understanding the package installation lifecycle and implementing these essential defensive strategies. 

ARToken: How attackers are bypassing MFA and maintaining access 
In this episode of Talos Takes, we dive deep into ARToken, a sophisticated phishing-as-a-service platform that steals credentials, bypasses MFA entirely, and leverages primary refresh tokens (PRTs) to maintain persistence in your environment long after a password reset. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: SECOH-QAD.exe 
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: tmp00055df5.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: b8be9a5e0a191050f9099c11c155b436863e9bc43bc904cdb842e249679aa35a 
MD5: 0398df5a18f71efcfeef4571a2cef577 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=b8be9a5e0a191050f9099c11c155b436863e9bc43bc904cdb842e249679aa35a 
Example Filename: b8be9a5e0a191050f9099c11c155b436863e9bc43bc904cdb842e249679aa35a.js 
Detection Name: W32.B8BE9A5E0A-95.SBX.TG 



from Cisco Talos Blog https://ift.tt/ybB5lM6
via IFTTT

No comments:

Post a Comment