The overselling of AI – and how to resist it
Simply dropping AI into an operation will not deliver positive results without significant work behind the scenes.
Latest news – Read More
Simply dropping AI into an operation will not deliver positive results without significant work behind the scenes.
Latest news – Read More
The new Optics smart glasses might be the first pair of Meta Ray-Bans you can wear all day. Here’s why.
Latest news – Read More
Spring cleaning should include your online data. Here’s how to protect yours for less with discounts on Incogni, DeleteMe, and more.
Latest news – Read More

Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.
That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing) they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.
In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.
The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important your asset management comes into play here — having clear asset inventories and network behaviour baselines and conducting continuous anomaly monitoring.
Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution.
From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.
Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.
The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.

Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.
Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).
What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.
It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.
Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.
Cisco Talos Blog – Read More
March was a packed month for ANY.RUN. We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the sandbox workflow.
At the same time, our detection team continued to strengthen threat coverage with new behavior signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques.
Here’s a closer look at what’s new.
This month’s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded sandbox coverage to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.
Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.
In March, ANY.RUN introduced automatic SSL decryption in the Interactive Sandbox across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.
Check real-world example: Detecting Salty2FA phishing campaign with SSL decryption

This significantly expands phishing visibility across every sandbox session. After implementing the technology, ANY.RUN saw a 5x increase in SSL-decrypted phishing detection and added 60,000 more confirmed malicious URLs to TI Lookup each month.
For your SOC, this means:
As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases.
To help solve this, ANY.RUN expanded its sandbox OS coverage with macOS virtual machine, now available in beta for Enterprise Suite users. This gives teams one environment to investigate threats across Windows, Linux, Android, and now macOS.

Bringing interactive macOS analysis into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.
This operational improvement leads to measurable outcomes:
For many enterprise teams, critical infrastructure runs on Windows Server, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup.
To close that gap, ANY.RUN Sandbox now supports analysis in a Windows Server environment. This gives security teams a way to observe attack behavior in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools.

This addition helps teams strengthen infrastructure-focused triage and response:
In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse.
This month’s updates include:
These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader behavior, and suspicious use of built-in system tools.
In March, we added 91 new behavior signatures to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity.
These updates improve visibility into behaviors often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis.
Highlighted families and detections include:


New behavior-based detections also cover:
Together, these additions give security teams broader behavioral coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions.
In March, we added 1,293 new Suricata rules to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic.
Key highlights include:
In March, our team published new threat reports covering emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques.

ANY.RUN provides interactive malware analysis and threat intelligence solutions built to support modern security operations.
By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier.
Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, compliance, and workflow demands of real-world security operation
Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization →
The post Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios
The Hacker News – Read More
Researchers found an OpenAI Codex vulnerability that could have been exploited to compromise GitHub tokens.
The post Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise appeared first on SecurityWeek.
SecurityWeek – Read More
Thanks to the Prism Linux installer, I curated exactly the software I wanted and achieved the holy grail of out-of-the-box experiences.
Latest news – Read More
Users are flocking to Duck.ai. Is it a reaction to increasing concerns about AI companies and privacy? Here’s what you should know.
Latest news – Read More
AI agents are transforming finance, enabling automated trading and payments, but introduce new risks around keys, data inputs and secure execution control.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More