The overselling of AI – and how to resist it

Simply dropping AI into an operation will not deliver positive results without significant work behind the scenes.

Latest news – ​Read More

Meta Ray-Bans vs. Optics: Why glasses wearers should consider the new model

The new Optics smart glasses might be the first pair of Meta Ray-Bans you can wear all day. Here’s why.

Latest news – ​Read More

Deleting yourself from the internet could cost less than your daily coffee – here’s how

Spring cleaning should include your online data. Here’s how to protect yours for less with discounts on Incogni, DeleteMe, and more.

Latest news – ​Read More

Ransomware in 2025: Blending in is the strategy

Ransomware in 2025: Blending in is the strategy

Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.

That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing) they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.

In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.

The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important your asset management comes into play here — having clear asset inventories and network behaviour baselines and conducting continuous anomaly monitoring.

Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution. 

Top-targeted sectors

From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.

Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.

Most prolific ransomware groups

The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.

Ransomware in 2025: Blending in is the strategy

Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.

Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).

An opportunity for defenders

What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.

It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.

Defender recommendations

  • Strengthen identity protections. Actors predominately targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
  • Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
  • Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
  • Regularly test ransomware response readiness.

Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.

Cisco Talos Blog – ​Read More

Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections 

March was a packed month for ANY.RUN. We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the sandbox workflow.

At the same time, our detection team continued to strengthen threat coverage with new behavior signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques. 

Here’s a closer look at what’s new. 

Product Updates 

This month’s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded sandbox coverage to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.

Automatic SSL Decryption for Stronger Phishing Detection 

Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.

In March, ANY.RUN introduced automatic SSL decryption in the Interactive Sandbox across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.

Check real-world example: Detecting Salty2FA phishing campaign with SSL decryption

Automatic SSL decryption provides a major phishing detection boost in the sandbox

This significantly expands phishing visibility across every sandbox session. After implementing the technology, ANY.RUN saw a 5x increase in SSL-decrypted phishing detection and added 60,000 more confirmed malicious URLs to TI Lookup each month. 

For your SOC, this means: 

  • Higher detection rate: Analysts can now identify phishing activity that would otherwise stay hidden inside encrypted traffic. 
  • Faster MTTD and MTTR: Teams confirm malicious behavior earlier and respond before phishing causes broader damage. 
  • Reduced Tier 1-to-Tier 2 escalation volume: Tier 1 can close more cases independently and escalate only the incidents that truly need deeper investigation. 

Expanding Your SOC’s Cross-Platform Analysis with macOS 

As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases. 

To help solve this, ANY.RUN expanded its sandbox OS coverage with macOS virtual machine, now available in beta for Enterprise Suite users. This gives teams one environment to investigate threats across WindowsLinuxAndroid, and now macOS.  

View analysis of macOS threat 

Miolab stealer analyzed inside ANY.RUN sandbox 
Miolab stealer analyzed inside ANY.RUN sandbox 

Bringing interactive macOS analysis into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.

Expand your SOC’s
cross-platform threat visibility

Reduce breach risk with analysis across 4 major OS
 



Request for your team


This operational improvement leads to measurable outcomes:  

  • Faster validation of suspicious files and URLs: Teams can confirm malicious behavior in minutes through behavior-based analysis during triage. 
  • Shorter investigation cycles: Analysts can observe full execution behavior in one environment without manually piecing evidence together across multiple tools. 
  • Improved cross-platform detection coverage: Security teams can investigate platform-specific threats across macOS, Windows, Linux, and Android in a consistent workflow. 
  • Higher productivity during triage: Less context switching helps analysts process more alerts per shift. 
  • Reduced alert backlog during peak activity: Faster decisions help SOC teams keep queues under control during phishing waves and malware outbreaks. 

Advancing Server-Side Threat Analysis with Windows Server 

For many enterprise teams, critical infrastructure runs on Windows Server, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup. 

To close that gap, ANY.RUN Sandbox now supports analysis in a Windows Server environment. This gives security teams a way to observe attack behavior in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools. 

Threats analyzed inside a Windows Server environment
Threats analyzed inside a Windows Server environment

This addition helps teams strengthen infrastructure-focused triage and response: 

  • Better visibility into server-specific techniques: Teams can analyze behavior tied to domains, policies, and administrative utilities in a more relevant environment. 
  • Stronger investigation confidence for infrastructure threats: Analysts can validate whether a sample affects server-side services or critical business systems before escalating. 
  • More effective detection and response preparation: Security teams can collect artifacts, refine detections, and improve incident playbooks for Windows Server scenarios. 


Cut business risk
with earlier malware & phishing detection
Equip your SOC with deeper threat analysis
 



Integrate in your SOC


Threat Coverage Updates 

In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse. 

This month’s updates include: 

  • 91 new behavior signatures 
  • 1,293 new Suricata rules 

These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader behavior, and suspicious use of built-in system tools. 

New Behavior Signatures 

In March, we added 91 new behavior signatures to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity. 

These updates improve visibility into behaviors often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis. 

Highlighted families and detections include: 

District analyzed inside ANY.RUN sandbox
District analyzed inside ANY.RUN sandbox
  • HolyCat 
  • SuperCard 
  • Noodlopfile 
  • CharlieKirk 
  • LockCrypt 
  • GibCrypto 
  • ZipWhisper 
  • PixyNetLoader 
  • Quantum 
  • Queen 
  • Zov 
  • FileScavenger 
  • Rodecap 
  • Recuva 
  • OCRFix 

Reduce MTTD to
15 seconds per case
in your SOC
Detect malware & phishing threats early
 



Sign up now


Banshee stealer targeting macOS users detected inside ANY.RUN sandbox 
Banshee stealer targeting macOS users detected inside ANY.RUN sandbox 

New behavior-based detections also cover: 

Together, these additions give security teams broader behavioral coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions. 

Threats evolve fast across campaigns and infrastructure
Now your SOC can track them with TI Lookup 
 



Try TI Lookup


New Suricata Rules 

In March, we added 1,293 new Suricata rules to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic. 

Key highlights include: 

  • Credential theft via Telegram API (sid: 84001778): Tracks adversary attempts to exfiltrate victim’s email & password via Telegram Bot API 
  • MS OAuth Device Code phish / EvilTokens activity (sid: 84001845): Identifies usage of emerged attack technique that exploits legitimate OAuth 2.0 device authorization flows to gain control over victims’ Microsoft 365 accounts
  • DinDoor backdoor HTTP activity (sid: 85006556): Detects Iran-linked MuddyWater (TA450) actor’s new backdoor attempts to establish C2 communication via HTTP

Threat Intelligence Reports 

In March, our team published new threat reports covering emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques. 

Threat Intelligence reports available in ANY.RUN 
  • VIDAR, VENON, and SLOPOLY: This report covers a polymorphic stealer, a Rust-based banking RAT, and a PowerShell backdoor tied to the Hive0163 ecosystem, with a focus on their behavior, artifacts, and detection opportunities. 
  • Steaelite, BlackReaper, and Jigsaw: This brief looks at three threats combining credential theft, remote access, persistence, and ransomware behavior, including Telegram-based control and file encryption activity. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and threat intelligence solutions built to support modern security operations. 

By combining Interactive SandboxThreat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier. 

Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, compliance, and workflow demands of real-world security operation

Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization → 

The post Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios

The Hacker News – ​Read More

Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise 

Researchers found an OpenAI Codex vulnerability that could have been exploited to compromise GitHub tokens.

The post Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise  appeared first on SecurityWeek.

SecurityWeek – ​Read More

I installed this Arch-based distro my way in under 5 minutes – so can you

Thanks to the Prism Linux installer, I curated exactly the software I wanted and achieved the holy grail of out-of-the-box experiences.

Latest news – ​Read More

This privacy-first chatbot is taking off – here’s why and how to try it

Users are flocking to Duck.ai. Is it a reaction to increasing concerns about AI companies and privacy? Here’s what you should know.

Latest news – ​Read More

AI Agents Are Democratizing Finance but Also Redefining Risk

AI agents are transforming finance, enabling automated trading and payments, but introduce new risks around keys, data inputs and secure execution control.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More