Talos Takes

Hazel is joined by threat intelligence researcher James Nutland to discuss Cisco Talos’ latest findings on the newly emerged Chaos ransomware group. Based on real-world incident response engagements, James breaks down Chaos’ fast, multi-threaded encryption, their use of social engineering and remote access tools like Quick Assist, and the group’s likely connections to former BlackSuit operators. James also shares what defenders should be watching for and how to stay ahead of evolving ransomware tactics. Read the full research blog: https://blog.talosintelligence.com/new-chaos-ransomware [https://blog.talosintelligence.com/new-chaos-ransomware]

Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries. Pierre explains how the flexibility, legitimacy, and built-in capabilities of remote access management tools make them ideal for attackers who want to stay under the radar. They discuss trends Talos Incident Response is seeing in the field, examples of commonly abused tools, and the challenges defenders face when trying to detect misuse. You'll also hear practical advice on what defenders and IT teams can do today to better secure their environments — and what the rise of remote access management tool abuse tells us about attacker behavior and the current state of cybercrime. Resources mentioned: * Talos Incident Response Quarterly Trends Report [https://blog.talosintelligence.com/ir-trends-q1-2025/] * When Legitimate Tools Go Rogue (Talos Blog) [https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/]

Hazel welcomes back Ryan Fetterman from the SURGe team to explore his new research on how large language models (LLMs) can assist those who work in security operations centers to identify malicious PowerShell scripts. From teaching LLMs through examples, to using retrieval-augmented generation and fine-tuning specialized models, Ryan walks us through three distinct approaches, with surprising performance gains. For the full research, head to https://www.splunk.com/en_us/blog/security/guiding-llms-with-security-context.html [https://www.splunk.com/en_us/blog/security/guiding-llms-with-security-context.html]

Chetan Raghuprasad joins Hazel to discuss his threat hunting research into fake AI tool installers, which criminals are using to distribute ransomware, RATS, stealers and other destructive malware. He discusses the attack chain of three different campaigns, including one which even tries to justify its ransom as "humanitarian aid." For the full research, read Chetan's blog at https://blog.talosintelligence.com/fake-ai-tool-installers/ [https://blog.talosintelligence.com/fake-ai-tool-installers/]

Edmund Brumaghin joins Hazel to discuss how threat actors (including state sponsored attackers), are increasingly compartmentalizing their attacks i.e they're bringing in specialist skillsets from other groups to handle different aspects of the attack chain. Edmund discusses why this is happening, and the challenges this poses for defenders when it comes to attribution and reporting. He then discusses several solutions which seek to evolve traditional threat modelling, and help provide clarity to defenders. More details can be found in this blog https://blog.talosintelligence.com/compartmentalized-threat-modeling/ [https://blog.talosintelligence.com/compartmentalized-threat-modeling/] If you're interested in our other blog on initial access groups, that can be found at https://blog.talosintelligence.com/redefining-initial-access-brokers/ [https://blog.talosintelligence.com/redefining-initial-access-brokers/]