The familiar checkout ritual at the supermarket: once everything’s been scanned — the offer, delivered with a hopeful smile: “Chocolate bar for the road? It’s a good one, and the discount is almost criminal”. If you’re lucky, you get a delicious bonus at a great price. But more often than not they’re trying to sell you something that’s not selling well: either it’s about to expire or it has some other hidden flaw.

Now, imagine you declined that chocolate bar, but it was secretly slipped into your bag anyway, or even worse, into your pocket, where it melted and ruined your clothes, spoiling your day. Well, something similar happened to those who bought knock-offs of popular smartphone brands from online marketplaces. No, they didn’t get a chocolate bar. They walked away with a brand-new smartphone that had the Triada Trojan embedded in its firmware. This is much worse than melted chocolate. Their crypto balances, along with their Telegram, WhatsApp, and social media accounts, could be gone before they could utter “bargain!”. Someone could steal their text messages and a lot more.

Triada? What Triada?

That’s the name we at Kaspersky gave to the Trojan we first discovered and described in detail in 2016. This mobile malware would infiltrate almost every process running on a device, while residing only in the RAM.

The emergence of Triada spelled a new era in the evolution of mobile threats targeting Android. Before Triada, Trojans were relatively harmless — mainly displaying ads and downloading other Trojans. This new threat showed that things would never be the same again.

With time, Android developers fixed the vulnerabilities that early versions of Triada exploited. Recent Android versions restricted even users with root privileges from editing system partitions. Did this stop the cybercriminals? What do you think?!..

Fast-forward to March 2025, and we discovered an adapted version of Triada that takes advantage of the new restrictions. The threat actor infects the firmware even before the smartphones are sold. Pre-installed in system partitions, the malware proves nearly impossible to remove.

What is this new version capable of?

Our Android security solution detects the new version of Triada as Backdoor.AndroidOS.Triada.z. This new version is what’s embedded in the firmware of fake Android smartphones available from online marketplaces. It can attack any application running on the device. This gives the Trojan virtually unlimited capabilities. It can control text messages and calls, steal crypto, download and run other applications, replace links in browsers, surreptitiously send messages in chat apps on your behalf, and hijack social media accounts.

A copy of Triada infiltrates every app launched on an infected device. Besides that, the Trojan includes specialized modules that target popular apps. As soon as the user downloads a legitimate app like Telegram or TikTok, the Trojan embeds itself in it and starts causing harm.

Telegram. Triada downloads two modules to compromise Telegram. The first one initiates malicious activity once a day, connecting to a command-and-control (C2) server. It sends the victim’s phone number to the criminals, along with complete authentication data — including the access token. The second module filters all messages, interacting with a bot (which didn’t exist at the time of our research), and deleting notifications about new Telegram logins.

Instagram. Once a day, the Trojan runs a malicious task to search for active session cookies and forward the data to the attackers. These files help the criminals assume full control over the account.

Browsers. Triada threatens a number of browsers: Chrome, Opera, Mozilla, and some others. The full list is available in the Securelist article. The module connects to the C2 server over TCP and randomly redirects legitimate links in the browsers to advertising sites for now. However, because the Trojan downloads redirect links from its C2 server, attackers can direct users to phishing sites at any time.

WhatsApp. Again, there are two modules. The first one collects and sends data about the active session to the C2 server every five minutes — giving the attackers full access to the victim’s account. The second one intercepts the client functions for sending and receiving messages, which allows the malware to send and then delete arbitrary instant messages to cover its tracks.

LINE. The dedicated Triada module collects internal app data, including authentication data (access token), every 30 seconds, and forwards it the C2 server. In this case, too, someone else assumes full control of the user’s account.

Skype. Although Skype is about to be retired, Triada still has a module for infecting it. Triada uses several methods to obtain the authentication token and then sends it to the C2 server.

TikTok. This module can collect a lot of data about the victim’s account from cookie files in the internal directory, and also extract data required for communicating with the TikTok API.

Facebook. Triada is armed with two modules for this app. One of them steals authentication cookies, and the other sends information about the infected device to the C2 server.

Of course, there are also modules for SMS and calls. The first SMS module allows the malware to filter all incoming messages and extract codes from them, respond to some messages (likely to subscribe victims to paid services) and send arbitrary SMS messages when instructed by the C2 server. The second, auxiliary module disables the built-in Android protection against SMS Trojans that requests user permission before sending messages to short codes (Premium SMS), which could be used to confirm paid subscriptions.

The call module embeds itself in the phone app, but it’s most likely still under development. We discovered that it partially implements phone number spoofing — something we expect to be completed soon.

Another module, a reverse proxy, turns the victim’s smartphone into a reverse proxy server, giving attackers access to arbitrary IP addresses on behalf of the victim.

Not unexpectedly, Triada also targets crypto owners, with a special surprise awaiting them: a clipper. The Trojan watches the clipboard for crypto wallet addresses, substituting one of the attackers’ own. A crypto stealer analyzes the victim’s activity, replacing crypto wallet addresses with a fraudulent addresses anywhere it can, whenever an attempt is made to withdraw cryptocurrency. It even interferes with button tap handlers inside apps and replaces images with generated QR codes that link to the attackers’ wallet addresses. The criminals have managed to steal more than US$264 000 in various cryptocurrencies since June 13, 2024 with the help of these tools.

See our Securelist report for a full list of Triada features and a detailed technical analysis.

How the malware infiltrates smartphones.

In every infection case that we are aware of, the firmware name on the device differed from the official one by a single letter. For example, the official firmware was TGPMIXM, while the infected phones had TGPMIXN. We found posts on relevant discussion boards where users complained about counterfeit devices purchased from online stores.

It’s likely that a stage in the supply chain was compromised, while the stores had no idea they were distributing devices infected with Triada. Meanwhile, it’s practically impossible to determine exactly when the malware was placed inside the smartphones.

How to protect yourself from Triada

The new version of the Trojan was found pre-installed on counterfeit devices. Therefore, the best way to avoid Triada infection is to buy smartphones from authorized dealers only. If you suspect that your phone may have been infected with Triada (or another Trojan), here are our recommendations.

• Refrain from using any of the potentially compromised apps listed above or making any financial transactions — including cryptocurrency.
• Install Kaspersky for Android on your smartphone to check if it’s indeed infected.
• If Triada is found on the device, reflash the smartphone with the official firmware yourself, or contact the local service center. Expect sudden changes to your smartphone’s specs: besides the pre-installed Trojan, the fake firmware often overstated the RAM and storage.
• If your smartphone is found to be infected with Triada, check all messaging and social media apps that may have been compromised. For chat apps, make sure you terminate any sessions still running on devices you don’t recognize, and check your privacy settings according to our guide WhatsApp and Telegram account hijacking: How to protect yourself against scams. If you suspect that your instant messaging accounts have been hijacked, read What to do if your WhatsApp account gets hacked or What to do if your Telegram account is hacked. Terminate all social media sessions on all your devices and change your passwords. Kaspersky Password Manager can help you with that.
• Our Privacy Checker portal offers a step-by-step guide on configuring privacy in various applications and operating systems in general.

Triada is far from the only mobile Trojan. Follow these links for our stories about other Android malware:

• How the Necro Trojan attacked 11 million Android users
• SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos
• Beware of stealers disguised as… wedding invitations
• LianSpy: new mobile spyware for Android

Kaspersky official blog – ​Read More

We are honored to announce that ANY.RUN became a gold winner at the annual Globee Business Awards 2025. The award aims to recognize and celebrate excellence in various industries worldwide, including cybersecurity. 

Our solution, ANY.RUN’s TI Lookup, was named best in the Cyber Threat Intelligence category. We believe that threat intelligence is an essential aspect of ensuring the cybersecurity of organizations, and recognition in this sphere is important to us. 

We’d like to thank you—our readers, partners, users of our products, and all fellow cybersecurity enthusiasts and professionals! The victory itself is not as important as the fact that it stands for continuous support from the community and acknowledgement of our high-quality products benefiting thousands of businesses. 

What makes TI Lookup special 

TI Lookup is a search engine that gives users the opportunity to navigate ANY.RUN’s database of fresh and unique information on cyber attacks. It is continuously enriched with extensive data on the latest threats analyzed by 500,000 security professionals and 15,000 companies in ANY.RUN’s Interactive Sandbox.  

As a result, it contains a wealth of indicators and events logged during analyses, including IOCs, IOAs, and IOBs. 

Threat Intelligence Lookup helps you: 

• Pin existing IOCs to specific threats and discover additional indicators to update your detection capabilities. 
• Simplify and accelerate threat investigation thanks to the quick response time and access to up-to-date information. 
• Browse extensive and regularly updated database of malware samples to get in-depth context of threats. 
• Increase the efficacy of incident response and triage by working on the tasks as a team. 
• Monitor evolving threats by subscribing to requests relevant to your company using Search Updates. 

How Threat Intelligence Lookup Benefits SOC Teams

• Accelerate triage and threat identification: Uncover attacks behind alerts with quick indicator search to block them before they escalate.
• Improve incident response: Collect attack IOCs, IOAs, IOBs, TTPs, and observe its full execution inside the sandbox for more accurate response.
• Strengthen proactive security: Enrich your defense with fresh indicators from the latest samples to prevent attacks, including with auto-updates.
• Simplify threat hunting: Run proactive searches on indicators found in your network to pin them to actual threats.
• Enhance forensic analysis: investigate system events and indicators with the help of TI Lookup to discover missing attack details.

Recognition 

It means a lot to us that the expert committee once again expressed their appreciation of our efforts. Previously our flagship product ANY.RUN’s Interactive Sandbox was announced a silver winner in the Outstanding Threat Detection and Response category at Globee Awards 2025. 

About ANY.RUN  

ANY.RUN creates products for malware analysts and SOC teams, such as ANY.RUN’s Interactive Sandbox, TI Lookup and TI Feeds. They help accelerate the work of security specialists of all tiers and benefit businesses by providing helpful insights that allow them to minimize harmful consequences of cyber attacks or avoid them altogether. 

Integrate ANY.RUN’s award-winning services in your organization to strengthen your security →

The post ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

When data meets automation, two pillars of modern tech converge to create something smarter: Threat Intelligence Feeds. Real-time insights, machine-speed decisions, and a global perspective — all working together to outsmart threats before they become incidents. 

ANY.RUN’s TI Feeds are structured, continuously updated streams of fresh threat data. They contain network-based IOCs — IP addresses, domain names, and URLs — and are enriched by additional context-providing indicators like file hashes and port indicators. 

The Feeds enhance threat detection capabilities of security systems, enable SOC teams to quickly mitigate attacks, including emerging malware and persistent threats. 

Source, Structure, Benefits of ANY.RUN’s TI Feeds 

Threat Intelligence Feeds provided by ANY.RUN are sourced from public analysis sessions in our cloud-based sandbox, where users including the SOC teams of 15,000 organizations from a variety of industries detonate and dissect real-world malware samples.  

The indicators are pre-processed using proprietary algorithms and whitelists to minimize false positives, ensuring high accuracy and relevance. Each indicator of compromise is enriched with contextual metadata providing deeper insights into the threat.

This means that an IP, URL, or domain in TI Feeds are enriched with:  

• External references: Links to relevant sandbox sessions. 

• Label: Name of the malware family or campaign. 

• Detection timestamps: last/first seen dates provide a timeline to understand if a threat is ongoing or historical. 

• Related objects: IDs of files and network indicators related to the IOC. 

• Score: Value representing the severity level of the IOC. 

ANY.RUN’s TI Feeds come in STIX or MISP format with indicators of your choice. Set up a test sample to start leveraging actionable IOCs data in your security operations. ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. To get started, contact our team via this page. 

By delivering insights into threats and their indicators of compromise (OCs), TI Feeds support organizations across multiple phases of incident response: Incident Triage, Threat Hunting, and Post-Incident Analysis. 

Incident Triage 

Incident Triage involves assessing and prioritizing security alerts to determine their severity and potential impact. This must be done quickly and yet precisely, saving analysts from wasting time on false positives and highlighting critical true positives.  

TI Feeds streamline this process by providing contextual data to validate and enrich alerts, enabling faster and more accurate decision-making.  

TI Feeds for Triage: 

• Correlation with Known Threats: Feeds supply IOCs (e.g., malicious IPs, domains, file hashes) that can be cross-referenced with incoming alerts to confirm whether an incident is legitimate or a false positive. 

• Prioritization: Feeds provide threat severity scores and context (e.g., association with a known ransomware group) to help security teams sort out incidents that pose the greatest risk. 

• Automation: Integration with Security Information and Event Management (SIEM) systems or Security Orchestration, Automation, and Response (SOAR) platforms allows TI Feeds to automatically enrich alerts with relevant threat data, reducing manual effort. 

Example 

A financial institution receives an alert from its intrusion detection system (IDS) about a suspicious outbound connection to an unfamiliar IP address. A TI Feed identifies the IP as part of a command-and-control (C2) server linked to Lynx ransomware. Armed with this information, the team prioritizes the incident as high-severity, immediately isolates the affected endpoint, and escalates it for further investigation, avoiding a potential data breach. 

Business Impact

• Reduces Mean Time to Detect (MTTD) by quickly validating alerts. 

• Minimizes resource waste on false positives, allowing focus on critical incidents. 

• Enhances compliance by ensuring timely response to high-risk threats. 

ANY.RUN’s TI Feeds are updated every few hours, pulling fresh IOCs from over 16,000 daily public tasks submitted by its community. This near real-time delivery ensures organizations can respond to emerging threats almost immediately after they are detected in the wild. 

Threat Hunting

• Enriching Network Data: Feeds supply IOCs that can be correlated with network logs, endpoint data, or user activity to uncover anomalies. 

• Guiding Hypothesis Development: TI Feeds enriched with contextual data provide the basis for further malware, attack, or actor investigation. Enabled to proceed from IOCs to TTPs, hunters can craft targeted hypotheses about potential threats. 

• Proactive Defense: By highlighting emerging threats (e.g., new exploit kits or phishing campaigns), TI Feeds allow hunters to search for related activity before an attack fully unfolds. 

Example 

A retail company’s threat-hunting team learns from their TI Feed about a new phishing campaign targeting e-commerce platforms with a specific malicious domain and a unique file hash for a ransomware payload. The team uses this intelligence to search their network logs for any connections to the domain or instances of the file hash.  

They discover a single endpoint that attempted to access the domain but was blocked by the firewall. Further investigation reveals a phishing email that evaded initial detection. The team neutralizes the threat by quarantining the endpoint and updating email filters, preventing a potential ransomware outbreak. 

Business Impact 

• Prevents incidents by identifying threats before they cause harm. 

• Strengthens proactive security posture, reducing the likelihood of successful attacks. 

• Protects brand reputation by avoiding customer data exposure. 

Post-Incident Analysis 

Post-Incident Analysis focuses on understanding the root cause of an incident, assessing its impact, and improving future defenses. TI Feeds provide critical context to reconstruct the attack, identify gaps in security, and build remediation strategies.  

ANY.RUN’s TI Feeds draw from a vast dataset generated by a diverse community of 500,000 analysts and teams of 15,000 enterprises. This scale ensures broad coverage of threats, including zero-day exploits and emerging malware, tailored to various industries. It helps teams map incidents to global trends. 

TI Feeds in Post-Incident Analysis 

• Attack Reconstruction: Feeds supply detailed intelligence on threat actors and associated IOCs, helping teams trace the attack’s origin and progression. 

• Gap Identification: By comparing the incident to known threat patterns, TI Feeds reveal weaknesses in defenses (e.g., unpatched vulnerabilities or misconfigured systems). 

• Retrospective Analysis: Newly published threat intel can be used to re-analyze old data. This helps identify if earlier, undetected activity was related to a known campaign. 

Example 

After a manufacturing company suffers a data breach involving stolen intellectual property, the incident response team uses their TI Feed to analyze the attack. The feed reveals that the breach was caused by a spear-phishing campaign linked to a nation-state actor known for targeting industrial sectors. 

Since ANY.RUN’s Feeds provide links to sandbox analyses of the phishing samples, the team can extract the attacker’s TTPs, including the use of a specific exploit in an unpatched software version and a custom PowerShell script for data exfiltration.  

The team can now patch the vulnerability, deploy new endpoint detection rules to flag similar scripts, and conduct employee training on recognizing spear-phishing emails. Additionally, the feed’s geopolitical context prompts the company to enhance monitoring of critical R&D systems. 

Business Impact 

• Reduces Mean Time to Recover (MTTR) by guiding effective remediation

• Strengthens long-term resilience by addressing root causes and vulnerabilities

• Supports compliance by documenting lessons learned and mitigation steps for audits

Ways TI Feeds Support Organizational Efficiency 

ANY.RUN’s TI Feeds are designed for easy integration with SIEM, SOAR, firewalls, and other security platforms, supporting formats like STIX and MISP. This ensures automated ingestion of IOCs, streamlining workflows and enhancing existing tools’ effectiveness. 

By integrating real-time, high-quality threat data with automation, TI Feeds enhance organizational resilience, reduce risks, and support informed decision-making. Their most important benefits that align with business objectives and KPIs are:  

1. Early Detection Capabilities 

TI Feeds enable identification of potential risks before they escalate into costly incidents. By identifying malware or phishing campaigns at their inception, TI Feeds help businesses avoid disruptions, protect customer trust, and safeguard revenue streams. 

2. Faster Response Times 

TI Feeds significantly shorten the time to identify and mitigate threats by correlating threat data with ongoing incidents. Faster response times contribute to KPIs like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are critical for minimizing the impact of security breaches.  

Addressing breaches promptly reduces financial losses, protects brand reputation, and ensures compliance with regulatory requirements (e.g., GDPR, CCPA).

3. Informed Decision-Making  

TI Feeds give organizations actionable intelligence, enabling data-driven decisions that align cybersecurity strategies with business goals. A clear picture of the threat landscape helps business leaders prioritize investments in security controls, employee training, or third-party partnerships, driving long-term resilience and competitive advantage. 

4. Proactive Defense 

TI Feeds shift organizations from reactive to proactive cybersecurity, anticipating threats and preventing incidents before they occur. It improves KPIs like the percentage of prevented incidents, reduction in remediation costs, and increased system uptime 

Conclusion 

ANY.RUN’s Threat Intelligence Feeds deliver significant value by combining high-quality, low-noise data, near real-time updates, a massive community-driven dataset, seamless integration, and unique sandbox-driven insights.  

These benefits directly enhance Incident Triage by speeding up alert validation, Threat Hunting by enabling proactive threat discovery, and Post-Incident Analysis by providing detailed context for remediation. 

By integrating TI Feeds into incident response workflows, organizations can minimize damage, enhance security posture, and align cybersecurity efforts with business objectives.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request trial of ANY.RUN’s services to test them in your organization → 

The post How Threat Intelligence Feeds Help During Incident Response appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

There’s no shortage of ransomware these days. It’s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. While some ransomware groups vanish or rebrand, new names step in to take their place, keeping security teams in a constant state of alert. 

One of the latest strains making the rounds is PE32 Ransomware, a newcomer that’s quickly gaining attention online, including on Twitter. Despite its amateur execution, it manages to encrypt files, communicate over Telegram, and cause real damage.

 PE32: Key Takeaways 

In this report, Mauro Eldritch takes a closer look at how PE32 works, how it communicates, and why its chaotic behavior still poses a real threat. 

• Fast encryption: Starts encryption after a simple prompt; targets visible folders like Desktop. 

• Unique ransom setup: Two payment tiers: one to unlock files, another to stop data leaks. 

• Telegram C2: Communicates entirely via Telegram Bot API; bot token is exposed in the code. 

• Easy to analyze: ANY.RUN makes it simple to extract bot data and monitor activity. 

• Messy & loud: Drops marker files, triggers disk repair, and encrypts even useless files. 

• No stealth: No obfuscation or evasion tricks; relies on basic Windows libraries. 

• Immature but active: Still evolving, but already a threat due to poor security hygiene. 

Execution Flow and Initial Behavior 

When executed, the sample waits for the operator’s input to determine whether it should encrypt only the folder where it was dropped or the entire system (see Image 2).

View sandbox analysis 

However, regardless of this selection, it immediately starts noisily encrypting the most visible locations, such as the desktop, appending the .pe32s extension (see Image 3). 

Encrypted Desktop files with .pe32s extension 

Instead of dropping a ransom note directly onto the Desktop (as most ransomware does), PE32 creates a folder named PE32-KEY in the root of the C: drive. This folder contains several internal files used during execution: 

• context.pe32c, lock.pe32, pe32lockfile.lock – for internal tracking and state 

• ID – stores the victim’s unique identifier 

• README.txt – the actual ransom note 

PE32 ransom note 

The ransom note stands out for its two-tiered payment model: one fee to unlock encrypted files, and another to prevent stolen data from being leaked. This approach differs from most ransomware strains, which typically bundle both into a single payment.  

Prices vary widely: 

• $700 to $7,000 for individual machines or servers 

• $10,000 to 2 BTC (or more) for corporate targets 

Victims are instructed to reach out via Telegram. If that fails, the attackers provide a Gmail address as a backup contact method, another sign of their operational inexperience. 

Telegram C2: Loud, Exposed, and Easy to Abuse 

Once PE32 finishes prompting the attacker for encryption scope, it hides its process window and shifts to background mode. From there, it begins broadcasting its activity to a hardcoded Telegram group via the Bot API. 

The first message looks like this: 

”[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:44:39] []  

NEW RUN ID: 58994073AC147486]”

If using Telegram as a C2 channel wasn’t already an OPSEC disaster, the actors also expose their Bot Token and Group Chat ID. 

The malware then begins reporting its lifecycle to the Telegram group, detailing every step of its execution, as seen below:[Text Wrapping Break] 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:45:07] [58994073AC147486] 

Staring UltraFast Round C:\”

PE32 struggles to process certain files (or their extensions—misspelled as “extentions” in its messages): 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

Unknown Extentions:  

[...] 

odbc: 1 0MB 

en_gb_e: 1 0MB 

fr_fr_p: 1 0MB 

xls4: 1 0MB 

xls6: 1 0MB 

xsx: 1 0MB 

nettcp: 1 0MB 

xls8: 1 0MB 

access: 1 0MB”

The encryption cycle concludes with three messages. The first one confirms that the “UltraFast” cycle has been completed, followed by two more messages indicating that the “Fast” and “Slow” cycles have also finished successfully. 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

UltraFast Compeleted C:\”

With no observable DNS or HTTP requests, we can confirm that this strain of PE32 Ransomware relies exclusively on Telegram Bots for communication. This tactic is commonly observed in the MaaS scene, particularly with certain Stealers, but is rarely used in the RaaS ecosystem. 

CFG Dumping with ANY.RUN 

ANY.RUN’s Interactive Sandbox provides a CFG extraction function, allowing analysts to inspect the malware’s internal configuration. Unsurprisingly, the Telegram Bot Token is scattered throughout the code, making it trivially easy to trace the adversarial infrastructure—it’s almost impossible to miss, even by accident. 

Armed with this token, anyone can easily flood the attacker’s C2 with fake requests or worse, use the bot’s key to impersonate the bot and send messages to any Telegram user. 

By feeding the bot token into third-party tools like Matkap, threat hunters can automate the retrieval of all data exchanged through the bot, ranging from communications to encrypted files, and even victims’ encryption or decryption keys, as long as they were sent to or received from the bot. 

A Chaotic Codebase 

Beyond its network behavior, PE32 operates like a typical ransomware strain. It collects system information such as the computer’s GUID, hostname, software policy settings, and supported languages, a common technique used to avoid infecting machines in specific regions, likely to minimize legal consequences. 

PE32’s untidy nature makes it somewhat difficult to read and profile. For instance, it places a file named “pe32lockfile.lock” in every locked folder, likely as a flag indicating “I was here already.” 

But when dropping the “pe32lockfile.lock” file in directories like the ones belonging to Skype, Firefox or Chrome, it trips a good portion of detection rules, so it’s a behaviour worth nothing. 

The chaos doesn’t stop there. PE32 also drops C:bootTel.dat, a legitimate Windows telemetry file associated with chkdsk.exe (Disk Checker). Although harmless on its own, the creation of this file is directly tied to the ransomware’s activity. 

By aggressively encrypting files across the C: drive, including non-critical system files, PE32 ends up triggering the disk repair utility. While it doesn’t halt system functionality, it does cause Windows to initiate self-repair checks, providing an additional footprint of the malware’s presence. 

With this, we now have additional indicators of PE32’s activity. 

PE32 shows no logic in file selection. It encrypts everything in sight, regardless of extension or value. Chrome’s language packs (messages.json), static resources like .gif and .css files, and even incomplete extension data are all locked without discrimination. 

On the technical side, PE32 keeps things simple. There’s no use of exotic libraries or obfuscated function calls. It relies on the classic combo of ntdll.dll and kernel32.dll to execute processes and manipulate files, while crypt32.dll and bcrypt.dll handle encryption.

It depends on schannel.dll, Windows’ native TLS/SSL to reach its C2 channel using HTTPS, and that’s it. Plain and simple! 

TTPs & IOCs 

Dissecting PE32 is challenging due to its unpredictable and erratic behavior. The ransomware triggers numerous detections, some legitimate, others the result of its careless execution, which can complicate analysis and lead to false trails. 

Fortunately, ANY.RUN’s automatic ATT&CK matrix and IOC collection make this task significantly easier. These features help analysts quickly identify behaviors and map them to known techniques, significantly reducing investigation time. 

One of the most notable techniques observed is T1102 – Web Service Communication, specifically communication via Telegram. Although not the most advanced tactic, it provides a clear indication of PE32’s reliance on a basic and exposed C2 channel. 

This behavior aligns with early-stage or poorly maintained ransomware, which typically lacks data exfiltration capabilities and instead focuses solely on encryption and basic status reporting. In this context, T1102 serves as a valuable early signal for identifying similar threats in the wild. 

PE32 Threat Impact 

The PE32 ransomware campaign introduces notable risks despite its unsophisticated design: 

• For end users: Victims face potential data loss, system instability, and financial pressure from ransom demands. The dual-payment model adds further psychological manipulation by threatening data exposure. 

• For organizations: While PE32 currently lacks data exfiltration, its ability to disrupt operations, encrypt shared resources, and leave behind recoverable indicators (e.g., lock files, telemetry triggers) makes it a growing concern, especially if it evolves. 

• For security teams: The use of Telegram as a C2 channel, combined with erratic behavior and non-selective encryption, can complicate detection and response. Its reliance on public communication channels also introduces new monitoring and containment challenges. 

• For the broader threat landscape: PE32 highlights a trend toward low-effort, fast-deploy ransomware strains, crafted with minimal obfuscation, relying on common tools, yet still capable of causing damage. Its open infrastructure and careless coding make it accessible for copycats and opportunistic attackers. 

Conclusion 

The analysis of PE32 Ransomware reveals how even basic, poorly coded malware can disrupt systems, encrypt valuable data, and leverage public platforms like Telegram for command and control.  

While it lacks advanced evasion or data theft capabilities, PE32 reflects the growing trend of fast-deploy, low-effort ransomware strains that still pose a real threat to individuals and organizations. 

By analyzing PE32 in real time using ANY.RUN’s Interactive Sandbox, we were able to fully observe its execution flow, uncover its communication channels, and extract key artifacts, without relying solely on static reverse engineering. 

Here’s how this kind of analysis brings value: 

• Faster threat detection: Catch suspicious encryption activity and exposed infrastructure early. 

• Full behavioral visibility: Monitor system changes, communication attempts, and encryption logic in real time. 

• Reduced investigation time: Quickly correlate observable behavior with known techniques and IOCs. 

• Improved incident response: Collect and share actionable indicators across teams. 

• Stronger threat intelligence: Identify attacker mistakes, such as hardcoded credentials and bot tokens. 

Try ANY.RUN’s Interactive Sandbox today 

Collect Indicators of Compromise

SHA256:15cb6bd05a35fdbd9a7e53b092a1b0537c64cb5df08ee0262479c0cc24eafd8a 

FilePath:C:PE32-KEYID 

SHA256:5946bdeb8b7bf0603e99cefb15c083a37352fa8a916b2664bbb9f9027f44985b 

FilePath:C:PE32-KEYREADME.txt 

SHA256:c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433 

Filename:PE32.exe 

SHA256:098ee778fca1bfd809499dac65f528ea727f2aee9c6eaf79fe662d9261086e4a 

FilePath:C:PE32-KEYcontext.pe32c 

SHA256:9e561018034479df1493addca30f1d031b9185e1d66f15333b8ea79d16acf64b 

FilePath:C:PE32-KEYlock.pe32 

References: 

Matkap tool: github.com/0x6rss/matkap 

Sandbox analysis: https://app.any.run/tasks/58b336b0-baec-48bb-9675-b2f3d352b63c

The post PE32 Ransomware: A New Telegram-Based Threat on the Rise  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More