
Intelligence Center

Talos IR's Q1 2026 trends report highlights the resurgence of phishing as the primary initial access vector, heavily targeting public administration and healthcare. The quarter saw novel abuses of AI tools like Softr for credential harvesting, the emergence of the Crimson Collective extortion group leveraging valid accounts and TruffleHog, and Rhysida ransomware deploying the MeowBackConn backdoor.

Confidence: high | Analyzed: 2026-04-22 | reports

Authors: Aliza Johnson

Actors: Crimson Collective, Rhysida, MoneyMessage, Qilin, Akira, SocGholish, ToolShell

Source: Cisco Talos

IOCs (1)
  • domain: adobe[.]com: Legitimate domain abused to host fake DocuSign documents for malicious links.

Key Takeaways

  • Phishing reemerged as the top initial access vector, surpassing public-facing application exploitation.
  • Public administration and healthcare tied as the most targeted industry verticals.
  • Threat actors are actively leveraging AI tools like Softr to rapidly generate credential-harvesting phishing pages.
  • Crimson Collective was observed using leaked GitHub PATs and the TruffleHog tool to access Azure cloud storage.
  • Rhysida ransomware actors utilized the uncommon MeowBackConn backdoor and Gootloader during pre-ransomware engagements.

Affected Systems

  • Microsoft Exchange
  • Outlook Web Access (OWA)
  • Azure cloud storage
  • GitHub repositories
  • Cisco Secure Email Gateway (AsyncOS)
  • Cisco IOS XE
  • Windows
  • Linux
  • VMware ESXi

Vulnerabilities (CVEs)

  • CVE-2025-20393
  • CVE-2023-20198

Attack Chain

Adversaries primarily gained initial access via phishing (often AI-generated) or valid accounts (e.g., exposed GitHub PATs). Once inside, attackers utilized tools like TruffleHog for reconnaissance and abused native APIs (Microsoft Graph) or remote services (SMB, RDP, WMI) for lateral movement. Persistence was achieved through scheduled tasks, malicious MFA device registration, or backdoors like MeowBackConn, leading to data exfiltration and pre-ransomware deployment.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can detect the execution of tools like TruffleHog, PsExec, AnyDesk, MeshAgent, and ConEmu, as well as registry dumping and EDR tampering attempts.
  • Network Visibility: Medium. Network monitoring can catch WebSockets (MeshAgent), SMB lateral movement, and exposed WinRM ports, though AiTM and encrypted C2 channels may obscure payload contents.
  • Detection Difficulty: Moderate. Adversaries rely heavily on valid accounts, native APIs (Microsoft Graph), and legitimate tools (TruffleHog, AnyDesk), which blend in with normal administrative traffic.

Required Log Sources

  • Windows Event Logs (Security, System)
  • M365 Audit Logs
  • Azure AD Sign-in Logs
  • PowerShell Script Block Logging
  • Firewall/Proxy Logs

Hunting Hypotheses

  • Hypothesis: Look for anomalous Microsoft Graph API calls originating from unexpected IP addresses or accessing large volumes of user GUIDs/emails. | Telemetry: M365 Audit Logs, Azure AD Logs | ATT&CK Stage: Discovery | FP Risk: Medium
  • Hypothesis: Monitor for the execution of TruffleHog or similar secret-scanning tools on internal developer endpoints or CI/CD pipelines. | Telemetry: EDR Process Execution Logs | ATT&CK Stage: Discovery | FP Risk: Medium
  • Hypothesis: Detect new device registrations for MFA on existing accounts, especially if followed by logins from unfamiliar geolocations. | Telemetry: Identity Provider Logs, Azure AD Sign-in Logs | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Identify the use of ConEmu or other alternative terminal emulators combined with command history clearing. | Telemetry: EDR Process Execution Logs | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Hunt for proxy-related DLLs (e.g., meow_eu.dll) being dropped or loaded in unexpected directories, indicating potential MeowBackConn activity. | Telemetry: EDR File Creation and Module Load Logs | ATT&CK Stage: Command and Control | FP Risk: Low
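As an added illustration of the MFA persistence hypothesis above (a new MFA device registration followed by a sign-in from a geolocation the account has not used before), the Python below runs that logic over a few constructed events. This is not code from the Talos report; the simplified event fields (ts, type, user, country, device) and the 72-hour correlation window are assumptions, not a vendor log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). The fields are a
# simplified stand-in for identity-provider audit and sign-in records.
SAMPLE_LOGS = """
{"ts":"2026-02-03T08:02:10Z","type":"signin","user":"j.doe","country":"CA"}
{"ts":"2026-02-10T09:15:00Z","type":"signin","user":"j.doe","country":"CA"}
{"ts":"2026-03-01T22:41:07Z","type":"mfa_device_registered","user":"j.doe","device":"Authenticator-7f2"}
{"ts":"2026-03-02T03:12:44Z","type":"signin","user":"j.doe","country":"RO"}
{"ts":"2026-02-05T10:00:00Z","type":"signin","user":"a.smith","country":"CA"}
{"ts":"2026-03-04T11:00:00Z","type":"mfa_device_registered","user":"a.smith","device":"Authenticator-9c1"}
{"ts":"2026-03-04T11:05:00Z","type":"signin","user":"a.smith","country":"CA"}
"""

# Assumed correlation window between registration and the suspicious sign-in.
WINDOW = timedelta(hours=72)


def parse(lines):
    """Parse JSON lines into events and sort them chronologically."""
    events = [json.loads(line) for line in lines.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def hunt_mfa_registration(events, window=WINDOW):
    """Return (user, device, country) for every MFA device registration that is
    followed within `window` by a sign-in from a country the user had never
    signed in from before the registration."""
    baseline = defaultdict(set)   # user -> countries seen so far
    pending = {}                  # user -> (registration time, device)
    hits = []
    for e in events:
        user = e["user"]
        if e["type"] == "mfa_device_registered":
            pending[user] = (e["ts"], e["device"])
        elif e["type"] == "signin":
            reg = pending.get(user)
            if reg and e["ts"] - reg[0] <= window and e["country"] not in baseline[user]:
                hits.append((user, reg[1], e["country"]))
                pending.pop(user)          # alert once per registration
            baseline[user].add(e["country"])
    return hits


if __name__ == "__main__":
    for user, device, country in hunt_mfa_registration(parse(SAMPLE_LOGS)):
        print(f"ALERT {user}: MFA device {device} registered, then sign-in from {country}")
```

The per-user baseline is built only from sign-ins that precede the registration, so a legitimate user who registers a device and keeps signing in from their usual country (a.smith above) produces no alert.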

Control Gaps

  • Missing or partially enabled MFA
  • Exposed WinRM management ports
  • Insufficient centralized logging
  • Unpatched public-facing infrastructure

Key Behavioral Indicators

  • New MFA device registration
  • Direct Outlook client connections bypassing MFA
  • Execution of TruffleHog
  • Use of ConEmu terminal
  • PsExec over SMB for lateral movement

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Restrict self-service MFA enrollment.
  • Audit and revoke exposed GitHub Personal Access Tokens (PATs).
  • Block or restrict access to exposed management ports like WinRM.

Infrastructure Hardening

  • Implement properly configured MFA across all remote access services.
  • Conduct robust patch management, prioritizing public-facing applications (e.g., Cisco AsyncOS, IOS XE).
  • Configure centralized logging (SIEM) to prevent forensic gaps from log deletion.

User Protection

  • Enforce strong, centralized authentication policies.
  • Deploy EDR and ensure anti-tampering features are enabled to prevent agent uninstallation.

Security Awareness

  • Train employees on identifying AI-generated phishing pages and fake document lures (e.g., DocuSign).
  • Educate developers on secure secret management to prevent accidental GitHub PAT exposure.

MITRE ATT&CK Mapping

  • T1589.002 - Gather Victim Identity Information: Email Addresses
  • T1595 - Active Scanning
  • T1593 - Search Open Websites/Domains
  • T1566 - Phishing
  • T1189 - Drive-by Compromise
  • T1078 - Valid Accounts
  • T1190 - Exploit Public-Facing Application
  • T1204.002 - User Execution: Malicious File
  • T1204.001 - User Execution: Malicious Link
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1556.006 - Modify Authentication Process: Multi-Factor Authentication
  • T1219 - Remote Access Software
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1505 - Server Software Component
  • T1068 - Exploitation for Privilege Escalation
  • T1548 - Abuse Elevation Control Mechanism
  • T1070.003 - Indicator Removal on Host: Clear Command History
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
  • T1556 - Modify Authentication Process
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1003.003 - OS Credential Dumping: NTDS
  • T1003.005 - OS Credential Dumping: Cached Domain Credentials
  • T1557 - Adversary-in-the-Middle
  • T1087.003 - Account Discovery: Email Account
  • T1580 - Cloud Infrastructure Discovery
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1526 - Cloud Service Discovery
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1047 - Windows Management Instrumentation
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1530 - Data from Cloud Storage Object
  • T1040 - Network Sniffing
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1102 - Web Service
  • T1572 - Protocol Tunneling
  • T1201 - Traffic Signaling
  • T1567.002 - Exfiltration Over Web Service
  • T1041 - Exfiltration Over C2 Channel
  • T1657 - Financial Theft
  • T1486 - Data Encrypted for Impact
  • T1531 - Account Access Removal

Additional IOCs

  • Command Lines:
    • Purpose: Permission Groups Discovery to find high-privilege accounts | Tools: net.exe | Stage: Discovery | Command: net group "domain admins" /domain
    • Purpose: Query remote computers via WMI for lateral movement | Tools: PowerShell, WMI | Stage: Lateral Movement | Command: Get-WmiObject
  • Other:
    • Softr - AI-based web application development service abused to generate credential harvesting pages.
    • TruffleHog - Open-source secret scanning tool abused by Crimson Collective for reconnaissance in GitHub repositories.
    • ConEmu - Terminal emulator used by adversaries to run commands while intentionally avoiding log generation.