Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems.

The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions. While observed runtime behaviour remains deliberately conservative, payload analysis reveals a broad set of latent capabilities, including fingerprinting, credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and covert data exfiltration.

Notably, the framework includes operator‑driven data exfiltration mechanisms that avoid traditional network transports altogether, instead abusing user‑space tunneling to stage or extract data in a manner designed to evade firewall controls and endpoint monitoring.

This clear separation between restrained runtime behaviour and extensive dormant functionality strongly suggests deliberate operator tradecraft rather than commodity malware logic. Overall, the activity reflects a mature, multi‑purpose Linux post‑compromise platform optimized for fileless execution, interactive control, and situationally adaptive expansion.

Key Takeaways

• The payload is not a standalone malware binary but a weaponized post-exploitation framework, derived from hackshell and adapted for long-term, interactive operator use.
• Incorporates fileless execution as its core design principle. The payload executes from anonymous file descriptors, spoofs argv[0], and avoids persistent filesystem artifacts, significantly complicating detection and forensic reconstruction.
• Runtime behaviour is intentionally restrained. The payload initially focuses on environmental awareness, security control discovery, and operator safety, while destructive or noisy actions remain dormant unless explicitly invoked.
• The framework includes covert, operator‑initiated data staging and exfiltration primitives that abuse user‑space tunneling and legitimate administrative tooling, enabling stealthy data movement even in tightly restricted network environments.
• The presence of extensive EDR/AV fingerprinting, kernel integrity checks, and in-memory malware detection suggests the operator expects to operate in defended enterprise environments rather than opportunistic or unmanaged systems.
• Dormant modules for credential access, lateral movement, crypto-mining, and anti-competition cleanup indicate that the payload can be dynamically repurposed based on operator intent, without altering the loader or redeploying artifacts.
• Overall, the tradecraft observed aligns more closely with advanced intrusion tooling or red-team frameworks than with commodity Linux malware, emphasizing flexibility, stealth, and manual control over automation.

Technical Analysis

The analyzed intrusion chain consists of two primary components:

1. A multi-stage, encrypted shell loader responsible for payload decryption, reconstruction, and fileless execution.
2. An in-memory payload that resolves to a heavily modified version of hackshell, weaponised into a full-featured operator framework. It can download other malware components (such as kernel exploits, cryptominer, and fingerprinting modules) as required by the operator.

Design choices observed throughout the chain—including encrypted embedded payloads, execution context awareness, argv spoofing, and extensive OPSEC logic—indicate a toolset intended for controlled post‑exploitation rather than mass exploitation. The framework enables operators to assess host posture, remain undetected for extended periods, and selectively activate additional capabilities.

The infection flow begins with execution of the obfuscated shell loader, which decrypts an embedded payload using AES‑256‑CBC, reconstructs it in memory, and executes it directly via /proc/<pid>/fd/<fd>. At no stage is the payload written to disk.

Once executed, the payload initializes an interactive shell environment. From this point forward, all activity is explicitly operator‑driven. Rather than automatically deploying miners, extracting data, or attempting propagation, the framework prioritizes reconnaissance, defensive awareness, and operational security. Advanced actions—such as covert data exfiltration using user‑space tunnels, credential harvesting, or privilege escalation—are available on demand, reinforcing that this tooling is designed for deliberate, long‑term intrusion operations rather than noisy, automated campaigns.

At first glance, the malware appears to contain 3 lines of heavily obfuscated shell code, where we see a high-entropy payload assigned to the special shell variable _ & staged text-encoded payload staged and emitted via shell escape processing ($’…’). (See Figure 1)

Loader Script

Upon analysis, it turned out to be a multi-stage, encrypted Linux loader with embedded payload written in POSIX shell, leveraging OpenSSL, Perl, and gzip to decrypt, decompress, and execute a payload entirely in memory. (See Figure 2)

The malware demonstrates tradecraft consistent with mature red-team tooling or advanced post-compromise frameworks, rather than commodity botnet loaders. Key characteristics include:

• Password-protected AES-256-CBC encrypted payload
• Dynamic execution path detection (source vs eval vs exec)
• Fileless execution with argv spoofing
• Environment hardening to evade logging
• Live system security introspection
• Operator-facing interactive CLI

Dependency Validation

Upon execution, the loader validates runtime dependencies (openssl, perl, gunzip) required for decryption and decompression. The absence of any fallback logic suggests targeted, operator-controlled attacks rather than opportunistic mass exploitation. (See Figure 3)

Credential-Based Payload Decryption

The loader contains an embedded Base64-encoded password and an encrypted control blob, both of which are decrypted using OpenSSL. During execution, the decrypted value (R=4817) is used as a byte offset to skip a binary header during stream reconstruction. The decryption command is dynamically assembled at runtime:

echo S1A76XhLvaqIQ+7WsT+Euw== | openssl enc -d -aes-256-cbc -md sha256 -nosalt -k C-92KemmzRUsREnkdk-SMxUoJy8yHhmItvA -a -A

This ensures that the compressed payload cannot be recovered statically without the full execution context.

Execution Context Awareness

Execution culminates in an interactive post-exploitation environment that explicitly minimizes filesystem artifacts, enumerates system security posture, and adapts execution based on shell context (Bash/Zsh). (See Figure 4)

The loader dynamically determines how it was invoked in order to guarantee correct payload execution — a pattern uncommon in commodity malware but common in operator-driven frameworks :

• Source execution: $BASH_SOURCE[0]
• Eval execution: $BASH_EXECUTION_STRING
• Direct file execution: $0
• Zsh compatibility: $ZSH_EVAL_CONTEXT

Payload Reconstruction & Fileless Execution

The payload is reconstructed through a multi-stage decoding pipeline consisting of Perl marker translation, AES-256-CBC decryption, Perl byte skipping (R=4817), and gzip decompression. The resulting binary is executed directly from memory via /proc/<pid>/fd/<f> using exec, with a spoofed argv[0] (${0:-python3}) (See Figure 5)

This ensures the payload never touches disk, evades file-integrity monitoring and traditional AV inspection, and obscures process attribution during incident response.

Importantly, all arguments passed to the loader are forwarded to the payload unchanged. This enables operator-controlled execution modes and on-demand behavior while keeping the loader’s behavior static—a deliberate tradecraft choice that complicates detection strategies that rely on argument patterns.

Weaponized Hackshell

Once decrypted and executed directly from memory, the payload resolves to a heavily modified variant of hackshell, repurposed from a lightweight post-exploitation helper into a fully operator-driven intrusion framework. At runtime, it presents an interactive shell and explicitly signals that it avoids filesystem writes, immediately establishing intent for long-lived, low-noise operator interaction rather than smash-and-grab activity.

Payload Capabilities

The payload begins by fingerprinting the host and reporting environmental context back to the operator, including OS details, active users, PTYs, and privilege boundaries. This early-stage reconnaissance indicates that the operator is expected to make informed manual decisions rather than rely on fully automated tasking. (See Figure 6)

Expanded EDR / AV fingerprinting

The payload performs aggressive EDR and AV discovery using both filesystem path checks and service-state enumeration. Compared to upstream hackshell, this variant significantly expands coverage to include commercial EDR platforms, cloud agents, OT/ICS tooling, and telemetry collectors.

• Notable file-path-based detections (_hs_chk_fn) include CrowdStrike, LimaCharlie, Tanium, OTEL collectors, cloud vendor agents (Qcloud, Argus agent). (See Figure 7.1)
• Service-based detections (_hs_chk_systemd) include Falcon Sensor,  Cybereason, Elastic Agent, Sophos Intercept X & SPL, Cortex XDR, WithSecure, Wazuh, Rapid7, and Microsoft Defender (mdatp). (See Figure 7.2)

These checks are surfaced directly to the operator, reinforcing that this is an interactive intrusion tool rather than a background implant.

Anti-competition Logic

The malware implements robust anti-competition logic designed to identify and terminate rival miners and in-memory implants. It actively hunts for competing malware families such as Rondo and Kinsing, detects kernel rootkits via LKM and kernel-taint checks, and enumerates deleted or memfd-backed executables.

The payload collects PIDs associated with XMRig miners, UPX-packed binaries, and related scripts. It contains explicit logic to detect and kill Ebury — a well-known OpenSSH credential-stealing backdoor targeting Linux servers.

In parallel, the framework performs deep security posture introspection by enumerating kernel protections such as AppArmor, inspecting loaded kernel modules, and surveying /proc for indicators of instrumentation or prior compromise.

This enables the operator to rapidly assess whether the host is already infected, monitored, or hardened. (See Figure 8)

PATH manipulation, combined with TMPDIR and HOME relocation, further enables command shadowing and the execution of helper binaries from memory-backed locations, reducing forensic residue and enhancing operational flexibility.

Dormant / On‑Demand Capabilities

While runtime execution remains restrained, analysis of the payload code reveals a broad set of dormant capabilities that can be invoked on demand via operator commands or invocation arguments.

Notable on-demand capabilities include:

• Execution gating via _once() to ensure certain actions run only once per host or session.
• Memory dumping routines capable of extracting & dumping credentials/secrets from live processes. (See Figure 9)

• SSH-based network scanning and lateral movement tooling, including support for legacy cryptographic algorithms. (See Figure 10)

• Credential theft targeting AWS credentials, SSH keys, GitLab, Bitrix database, WordPress database, OpenStack user data, Yandex Cloud user data, Docker, Proxmox VMs and LXC, OpenVZ, and user HOME directory.
• Privilege escalation via execution of exploits downloaded from hardcoded C2 infrastructure. During analysis, multiple kernel exploits, an auto-exploitation script & a C source file were recovered from the C2 server. (Hashes mentioned in the IOC section) (See Figure 11)

Cryptomining

The framework implements multiple CPU and GPU cryptocurrency mining workflows, including XMRig, XMR-Stak, GMiner, and lolMiner, with pool failover logic. Miner configuration dynamically sources worker identifiers from bootcfg*.data files and executes miners through a wrapper (./-bash-screen) using password strings such as c=XMR,mc=${COIN_NAME}, where COIN_NAME defaults to “${1:-FREN}”.

GMiner operates using the Kawpow algorithm with configured intensity, while additional miners target RYO and ETCHASH using CUDA backends and hardcoded wallet addresses and pools, including infrastructure at 204.93.253[.]180. (See Figure 12)

• GMiner implemented in gpu() uses kawpow algorithm with 75 intensity
  • Wallet address – 88H9UmU6QyYiGeZdR6hXZJXtJF9Z8zLHDQbC1NV1PDdjCynBq3QKzB1fo1NRhgMX4cBx68Rva5msyKW3PGXfPhCA4itHmiv
  • 87YLCx7zEFghgMEeZvJCZ3gHyS3fUsbAnXSTH8nh8EP7SeptPH8Pnh18snravwhE3dfRt5x67aWo8e6tSJ2cv4mpRNkSdqL

• Pool priority used by miner
  • 204.93.253[.]180 at port 4080
  • Kawpow.na.mine.zergpool[.]com at port 3638
  • Kawpow.asia.mine.zergpool[.]com at port 3638
  • kawpow.eu.mine.zergpool[.]com at port 3638

The other 2 miners’ details are:

• XMR-Stak (gpustak())
  • Wallet address – RYoNsBiFU6iYi8rqkmyE9c4SftzYzWPCGA3XvcXbGuBYcqDQJWe8wp8NEwNicFyzZgKTSjCjnpuXTitwn6VdBcFZEFXLcY4DwEsWGnj1SC1Sgq
  • Backend – CUDA (libxmrstak_cuda_backend.so)
  • Coin payout – RYO
  • Pool server – 204.93.253[.]180:3080

• LolMiner (gpuecho())
  • Wallet address – 0xd67f158b2bcc819eee7029f3477f0270ec1d37b4
  • Algorithm – ETCHASH
  • Pool server – 204.93.253[.]180:1080

Covert Data Staging and Exfiltration via GSocket‑Backed rsync

The payload implements dedicated data staging helpers (rs() and rs1()) that enable stealthy exfiltration of files or directories from the compromised host using rsync, while deliberately avoiding conventional network transports such as SSH, SCP, or SFTP. Instead of relying on standard TCP connections, the payload replaces rsync’s transport layer via the -e option with GSocket user‑space tunnels (gs-dbus and gs-netcat), allowing file transfers to traverse covert channels that are rarely monitored by security tooling.

Both functions route traffic through a hardcoded GSocket rendezvous endpoint (62.171.153[.]47) and authenticate sessions using an operator‑supplied token ($rsynccode). The apparent destination (127.1:.) is intentionally misleading. However, it resembles a loopback address; the connection is intercepted by GSocket before reaching the local networking stack, enabling remote file transfer without opening inbound ports or establishing visible outbound sessions. This technique allows the operator to exfiltrate data even from hosts protected by restrictive firewall or egress filtering policies.

Two transport variants are provided. The rs() function leverages DBus‑based tunneling (gs-dbus), favoring stealth in environments where DBus traffic is common and rarely inspected. The rs1() variant uses a netcat‑style GSocket tunnel (gs-netcat), offering higher throughput for bulk transfers at the cost of slightly increased visibility. (See Figure 13)

Both modes preserve file permissions, timestamps, and partial transfer state, indicating deliberate support for long‑running, interruption‑tolerant exfiltration workflows rather than opportunistic data theft.

Lateral Movement

For lateral movement, the malware performs automated discovery and brute-force attempts against SSH services by using open-source tools.

• Rustscan, a modern port scanner used to identify reachable SSH endpoints (with configurable target) and output the result in oG format (output Greppable), meant to be consumed by spirit. This serves as an attack surface for brute-force attacks.
• Next, it downloads & extracts spirit (another penetration testing tool) to the local directory, renames it to –bash, cleans up artifacts, & runs it to grab banners (to determine version info.) & brute-force SSH logins against hosts in h.lst using default credentials. (See Figure 14)

Integrated Assessment

The payload exhibits a deliberate dual-layer design. The default runtime layer emphasizes reconnaissance, memory-only execution, stealth, and interactive control. The dormant, on-demand layer enables crypto-mining, privilege escalation, memory theft, covert staging & exfiltration, lateral movement, and C2-driven updates, allowing operators to expand impact opportunistically without increasing detection surface.

Combined with the loader’s fileless execution model, this malware is optimized for long-term presence, operational flexibility, and defensive evasion. It is not characteristic of commodity Linux malware; instead, it reflects a mature, multi-purpose post-exploitation framework built around interactive operator control.

Conclusion

Together, the loader and payload analyzed in this report demonstrate a highly mature Linux post‑exploitation framework designed for stealth, flexibility, and long-term operator control.

Rather than focusing on immediate or obvious impact, the malware emphasizes situational awareness, evasion of defenses, and the selective activation of capabilities based on real-time operator judgment and environmental factors.

This behavior is unusual for standard Linux malware. Instead, it shows intentional design choices typical of advanced intrusion tools, prioritizing operational safety, flexibility, and durability over automation and scale.

The framework’s comprehensive security review, along with its fileless execution approach, argument-driven modularity, and operator-controlled data movement methods, allows customized per-host operations while keeping a consistently low-profile execution environment.

The weaponization of the original hackshell utility further highlights this intent. Equipped with features for cryptomining, lateral movement tools, exploit delivery methods, covert data staging, and exfiltration primitives, along with aggressive OPSEC measures, the payload is clearly meant for long-term access and targeted monetization rather than widespread distribution.

Therefore, effective detection and disruption require visibility into in-memory execution, process behavior, and kernel-level telemetry, as traditional file-based and signature-driven controls are unlikely to offer enough coverage against this type of threat.

Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, phishing infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

Defenders should prioritize behavioral detection over static signatures for staying protected against attacks like ShadowHS

• Execution of ELF binaries from /proc/<pid>/fd/<fd>
• OpenSSL decryption invoked from shell or Perl pipelines reconstructing executables.
• Full execution strings from bash‑memory and Perl one‑liners invoking syscalls.
• Shell scripts performing dependency validation for openssl, perl & gunzip.
• Extensive enumeration of /proc/*/exe for deleted or memfd-backed binaries
• GDB is being invoked against live processes for memory dumping
• PATH prefixed with . in interactive shells
• Abuse of legitimate synchronization or transfer utilities over non‑standard execution transports for data staging or exfiltration.
• Monitor for argv spoofing anomalies where executable path is not equal to the cmdline name & alert on memory-only processes, specifically interactive shells running without backing executables.
• Monitor perl exec{} pattern with anonymous file descriptors.
• Add rules for AES-CBC -nosalt misuse in shell pipelines.
• Track outbound data transfers initiated via user‑space tunnels or non‑standard rsync transports.

Cloud & Container Environments

This framework explicitly checks for cloud agents and monitoring tools. In cloud-hosted Linux environments:

• Treat unexpected /proc scanning and kernel module enumeration as high-risk
• Monitor for SSH brute‑force or reconnaissance tooling launched post‑compromise (e.g., rustscan, spirit)
• Watch for GPU utilization spikes tied to hidden –bash-screen sessions
• Alert on data movement from compute workloads using atypical synchronization or tunnelling mechanisms.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Execution	T1059.004 – Command and Scripting Interpreter: Unix Shell	The loader and payload are implemented entirely in POSIX shell and Perl, enabling execution through standard shell interpreters without introducing foreign binaries.
Execution	T1620 – Reflective Code Loading	The payload is decrypted, decompressed, and executed directly from memory via anonymous file descriptors under /proc/<pid>/fd/, never touching disk.
Defense Evasion	T1036.005 – Masquerading: Match Legitimate Name or Location	The payload spoofs argv[0] to match the loader script name, causing process listings and /proc/<pid>/cmdline to resolve to a benign-looking script.
Defense Evasion	T1070 – Indicator Removal on Host	The payload aggressively disables shell history, cleans command artifacts, relocates HOME/TMPDIR, and avoids filesystem writes to minimize forensic traces.
Defense Evasion	T1562.001 – Impair Defenses: Disable or Modify Tools	The framework detects EDR/AV tooling and exposes operator functions that can terminate competing malware, miners, or defensive agents.
Discovery	T1082 – System Information Discovery	The payload collects OS, kernel, user sessions, PTYs, and privilege context to inform operator decision-making during interactive access.
Discovery	T1083 – File and Directory Discovery	Extensive inspection of /proc and system paths is performed to enumerate executables, deleted binaries, and memory-backed artifacts.
Discovery	T1518.001 – Software Discovery: Security Software	The payload performs both path-based and service-based discovery for dozens of EDR, AV, cloud agents, OT tools, and log shippers.
Discovery	T1016.001 – Network Service Discovery	Dormant scanning modules support SSH discovery and enumeration of reachable services for potential lateral movement.
Credential Access	T1555 – Credentials from Password Stores	Memory-dump routines present in the payload enable the extraction of credentials and secrets from live processes when invoked by the operator.
Lateral Movement	T1021.004 – Remote Services: SSH	SSH-based access and pivoting are supported, including forced use of legacy cryptographic algorithms to access older infrastructure.
Collection	T1005 – Data from Local System	Interactive operator commands allow targeted collection of host data, process information, and sensitive artifacts without bulk exfiltration.
Exfiltration	T1048.003 – Exfiltration Over Alternative Protocol	Data can be staged or exfiltrated using legitimate synchronization utilities over user‑space tunnels, avoiding traditional C2 channels.
Impact	T1496 – Resource Hijacking	Dormant CPU/GPU mining modules can be activated on demand, supporting multiple miners and pool configurations.

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
91.92.242[.]200	IPv4	Primary payload staging infrastructure
62.171.153[.]47	IPv4	Operator-controlled relay for exfiltration and post-compromise operations
20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427	SHA-256	Main obfuscated shell loader script
9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd	SHA-256	Custom weaponized hackshell payload
148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3	SHA-256	RustScan port scanner
574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc	SHA-256	spirit-x86_64.tgz archive
3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d	SHA-256	spirit/-bash (UPX-packed binary)
847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d	SHA-256	spirit/-bash (unpacked Golang binary)
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpu1/screen miner wrapper
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096	SHA-256	gpu1/lol miner component
0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef	SHA-256	xmr/xmrigremove.sh
9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b	SHA-256	gpustak/-bash binary
b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39	SHA-256	gpustak/libxmrstak_cuda_backend.so CUDA backend
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpustak/screen miner wrapper
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpuecho/screen miner wrapper
3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6	SHA-256	gpuecho/lol miner component
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpu/screen miner wrapper
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096	SHA-256	gpu/lol miner component
4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d	SHA-256	ex/dirtycredz.x86_64 credential exploitation tool
72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b	SHA-256	ex/payload.so shared object payload
662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e	SHA-256	ex/overlay helper component
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	SHA-256	ex/GCONV_PATH=./lol empty placeholder file
c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f	SHA-256	ex/payload.c payload source code
666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6	SHA-256	ex/blast exploitation utility
8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041	SHA-256	ex/dp Dirty Pipe exploit
072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27	SHA-256	ex/ubu privilege escalation helper
6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0	SHA-256	ex/cve-2025-21756 exploit binary
04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58	SHA-256	ex/traitor-x86_64 privilege escalation tool
19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7	SHA-256	ex/autoroot.sh automated root escalation script
7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a	SHA-256	ex/dirtypipe.x86_64 Dirty Pipe exploit variant
e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24	SHA-256	ex/dirtypagetable.x86_64 kernel exploitation tool
7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97	SHA-256	ex/lol/gconv-modules GCONV-based exploitation component

The post ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell appeared first on Cyble.

Cyble – ​Read More

• Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. 
• Additional OOB updates have been published to resolve operational issues experienced following installation of the updates released as part of the standard Microsoft Patch Tuesday process.

CVE-2026-21509 was published to address a security feature bypass vulnerability affecting Microsoft Office. This vulnerability was rated as “Important” and received a CVSS 3.1 score of 7.8. This vulnerability is considered “local,” meaning that it must be triggered by an attacker with access to an affected system, or by convincing a victim to open a malicious Office document that triggers the vulnerability. It has also been added to the CISA Known Exploited Vulnerabilities (KEV) list. Microsoft reports that this vulnerability cannot be triggered via the Preview Pane in Microsoft Office. Microsoft has also released mitigation guidance for CVE-2026-21509 as part of this advisory.  

In response to these vulnerability disclosures, Talos is releasing a new SNORT® ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65823-65830.  

The following Snort3 rules are also available: 301384-301387. 

The following ClamAV signature has been released to detect activity associated with this vulnerability: 

• Rtf.Exploit.CVE_2026_21509-10059214-0 

Cisco Talos Blog – ​Read More

• Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on victims in Thailand and Vietnam. 
• Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign. This includes critical indicators of compromise including malware hashes, command and control (C2), and victimology. 
• UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers. 
• New variants of BadIIS now hardcode the target region directly into the malware, offering customized features for each specific variant. These customizations include exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations, and the ability to load HTML templates from local files. 
• A Linux Executable and Linkable Format (ELF) variant of BadIIS was uploaded to VirusTotal on Oct. 1, 2025. The malware includes proxy mode, injector mode, and search engine optimization (SEO) fraud mode, similar to what Talos described in the previous UAT-8099 blog.

---

UAT-8099 new activity 

Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco’s file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.

While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly. First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.

Infection chain 

Upon gaining initial access, the threat actor executes standard reconnaissance commands, such as whoami and tasklist, to gather system information. Following this, they deploy VPN tools and establish persistence by creating a hidden user account named “admin$”. UAT-8099 has further expanded their arsenal with the several new tools below: 

• Sharp4RemoveLog: A .NET utility designed to clear all Windows event logs, effectively erasing forensic traces 
• CnCrypt Protect: A Chinese-language file-protection utility. In this intrusion activity, it is abused to hide malicious files and facilitate dynamic-link library (DLL) redirection. This tool has been linked to previous IIS attacks since 2024, including SEO fraud campaigns targeting Vietnam and China, as well as the WEBJACK campaign. 
• OpenArk64: An open source anti-rootkit. The threat actor uses its kernel-level access to terminate security product processes that are otherwise protected from deletion. 
• GotoHTTP: An online remote control tool. The threat actor uses VBscript to deploy this tool and let them remote control the compromised server. Talos provides more detail in the following section.  

Subsequently, the threat actor deploys two archive files containing the latest version of the BadIIS malware. Notably, the file names of these archives are correlated with the specific geographic regions targeted by the BadIIS malware; for example, “VN” denotes Vietnam and “TH” denotes Thailand.

C:/Users/admin$/Desktop/TH.zip 
C:/Users/admin$/Desktop/VN.zip 

 Following the publication of our previous research, Cisco Security products have widely flagged the “admin$” account name. In response, if this name is blocked, the threat actor  creates a new user account named “mysql$” to maintain access and sustain the BadIIS SEO fraud service.

Using the newly created account, the threat actor redeploys the updated BadIIS malware to the compromised machines. Notably, this marks a strategic shift from broad, global targeting to specific regional focus. This is evidencedby the directory naming conventions for the malware and its scripts, which use identifiers such as “VN” for Vietnam and “newth” for Thailand.

C:/Users/mssql$/Desktop/VN/fasthttp.dll  
C:/Users/mssql$/Desktop/VN/cgihttp.dll  
C:/Users/mssql$/Desktop/VN/install.bat  
C:/Users/mssql$/Desktop/VN/uninstall.bat  
C:/Users/mssql$/Desktop/newth/iis32.dll  
C:/Users/mssql$/Desktop/newth/iis64.dll  
C:/Users/mssql$/Desktop/newth/install.bat  
C:/Users/mssql$/Desktop/newth/uninstall.bat  

Additionally, Talos observed the UAT-8099 threat actor attempting to create alternative hidden accounts to maintain persistence. The specific commands used to create these accounts and execute subsequent actions are detailed in Figures 3a, 3b, and 3c.

Abuse of the GotoHTTP remote control tool 

Talos has observed several instances where UAT-8099 uses a web shell to execute PowerShell commands, which subsequently download and run a malicious VBScript. This script is designed to deploy the GotoHTTP tool and exfiltrate the “gotohttp.ini” configuration file to the C2 server. This enables the threat actor to obtain the connection ID and password necessary to remotely control the infected server.

The malicious script contains multiple functions, each annotated by the threat actor using Simplified Chinese and Pinyin comments. We provide a detailed analysis of these functions below.

The code begins by initializing key parameters, including the download and upload URLs, file paths, and the expected file size of “gotohttp.exe”. Notably, this initialization section is marked with the comment “dingyichangliang” (定义常量), which translates to “Define Constants.”

The first functional block is marked with the comment “xiazaiwenjian” (下载文件), which translates to “Download File.” In this section, the code utilizes an HTTP GET request to download the GotoHTTP tool, saving it to the public folder as “xixixi.exe”.

The second and third function blocks are marked with the comments “jianchawenjian” (检查文件) and “jianchawenjian” (检查文件大小), translating to “Check File” and “Check File Size,” respectively. In these sections, the code verifies the integrity of the downloaded GotoHTTP tool by ensuring the file size exceeds the threshold defined in the previous block. If the validation fails, the script sends an error message to the C2 server, reporting either“xiazaishibai” (下载失败 – Download Failed) or “daxiaobudui” (大小不对 – Incorrect Size).

The fourth and fifth function blocks are marked with the comments “zhixingwenjian” (执行文件) and “jianchajieguo” (检查结果), translating to “Execute File” and “Check Result,” respectively. In these sections, the code executes the GotoHTTP tool in a hidden window without waiting for the process to terminate. Notably, the code uses Chr(34) to represent quotation marks, as indicated by the comments. This technique is employed to avoid syntax errors caused by improper escaping; using Chr(34) allows the insertion of the double-quote character without breaking the code structure. 

Following a five-second sleep delay, the script attempts to upload the “gotohttp.ini” file to the C2 server. If the file is missing, it sends the error message “gotohttp.ini bucunzai” (gotohttp.ini 不存在 – gotohttp.ini does not exist).

The last function blocks are marked with the comment “qingli” (清理), translating to “Clean.”. This section will clean up all the COM objects.

Two new BadIIS malware to target specific region 

Since September 2025, Talos has observed two new variants of BadIIS appearing in the wild, both utilized for SEO fraud. While other vendors have observed these malware, this section provides a deep analysis based on our reverse engineering and infection chain assessment. We have determined that UAT-8099 customizes these new cluster BadIIS to target specific regions. The first cluster, which we have named BadIIS IISHijack, derives its name from the original malware file name. The second cluster, BadIIS asdSearchEngine, is named after the PDB strings observed within the sample.

E:原生DLLSearchEngineReleaseSearchEngine.pdb
C:UsersqwesourcereposDll1dasdx64ReleaseDll1dasd.pdb 

BadIIS IISHijack primarily targets victims in Vietnam. This variant explicitly embeds the country code within its source code and creates a specific directory named when the malware drops into the victim’s machine.

BadIIS asdSearchEngine malware focuses on targets in Thailand or users with Thai language preferences. By using the CHttpModule::OnBeginRequest handler, the malware hijacks incoming HTTP traffic and analyzes headers such as “User-Agent” and “Referer” to determine its next move. A key addition to this version is the use of the “Accept-Language” header to verify the target region.

When an infected IIS server receives a request, the malware first filters the file path. If the path contains an extension on its exclusion list, it ignores the request to preserve static resources. Next, it checks the “User-Agent” to see if the visitor is a search engine crawler (e.g., Googlebot, sogu, 360spider, or Baiduspider). If confirmed, the crawler is redirected to an SEO fraud site. However, if the visitor is a standard user and the malware verifies that the “Accept-Language” field indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.  

We have identified three distinct variants within this BadIIS cluster. While they share the core workflow described above, each possesses unique features, which are detailed in the following section. Moreover, to evade detection, some specific variants employ XOR encryption (key 0x7A) to obfuscate their C2 configuration and malicious HTML content.

Exclusive multiple extensions variant 

While many variants employ extensive exclusion lists, the specific extensions targeted can differ between them. For the purpose of this analysis, we will use a representative example to illustrate the general functionality and strategy. Before executing its malicious payload, the new BadIIS variant inspects the URL path for specific file extensions. This filtering mechanism serves three strategic objectives:  

• The extensions (.png, .jpg, .css, .js, .woff, .ttf, .eot, and .otf) are critical for a website’s appearance, layout, and interactive features. If the BadIIS were to indiscriminately redirect or tamper with requests for these essential assets, the website would quickly appear broken to users and administrators. 
• The BadIIS likely uses filtering based on document type extensions (.pdf, .txt, .xml, .json, .doc, .docx, .xls, and .xlsx) and web-related files extensions (.manifest, .appcache, .webmanifest, .robots, and .sitemap) to focus its malicious injections (e.g., hidden links, keywords, malicious scripts) or redirect specifically on HTML pages or other content types that contribute to SEO rankings or user interaction, while leaving static assets untouched. 
• The archive extensions (.zip, .rar, .7z, .tar, .gz) are filtered so that the BadIIS can conserve resources.

Dynamic page extension/directory index variant 

Another variant of BadIIS adds a validation function that checks if a requested path corresponds to a dynamic page extension or a directory index. This determines whether the request is routed to the malware’s dynamic processing flow.

We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth. Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs. 

Load HTML templates variant 

The last variant of BadIIS contains a sophisticated HTML template generation system that dynamically creates web content. It has a content generator that can load templates from disk or use embedded fallbacks, then performs extensive placeholder replacement with random data, dates, and URL-derived content.

If there are no files found in the host, the BadIIS generates a response using an embedded HTML template, populating a date placeholder with the local system time. Notably, the variable names within this HTML template are written in Chinese Pinyin. Below, Talos provides detailed translations of these variables. Analyzing these names allows us to accurately determine how the dynamic template leverages keywords to facilitate SEO fraud.

Head section 

• <title>{biaoti}</title>: The browser tab title; substituted from {biaoti} (“标题”, title). 
• <meta name="description" content="{shoudongmiaoshu}">: SEO description; {shoudongmiaoshu} (“手动描述”, manual description). 
• <meta name="keywords" content="{guanjianci}">: SEO keywords; {guanjianci} (“关键词”, keywords).  

Body section 

• <h1>Welcome to {biaoti}</h1>: Main heading, repeats the title. 
• <p>{shoudongmiaoshu}</p>: A paragraph with the manual description. 
• <p>Current URL: {gudinglianjie}</p>: Shows the fixed/current link; {gudinglianjie} (“固定链接”, permalink). 
• <p>Date: {riqi}</p>: The date; {riqi} (“日期”, date). 
• <p>Contact: {suijirenming1}</p>: A contact name; {suijirenming1} (“随机人名”, random person name). 
• <div>{suijiduanluo1}</div>: A block of content; {suijiduanluo1} (“随机段落”, random paragraph).

The keywords that UAT-8099 intends to promote are directly embedded within the BadIIS malware. BadIIS utilizes these keywords to populate page titles and generate HTML content, thereby facilitating SEO fraud. The screenshot below captures a representative sample of these keywords; however, the complete list embedded within the malware is significantly more extensive.

Linux BadIIS variant found on VirusTotal 

Talos also identified an ELF variant of BadIIS submitted to VirusTotal that exhibits functionality identical to the samples described in Talos’ previous blog post that includes the proxy, injector, and SEO fraud modes. Furthermore, the malware’s hardcoded C2 servers share the same domain we previously documented. Based on these indicators, we assess with high confidence that this malware is attributable to UAT-8099. 

Below is the targeted URL path pattern, which is identical to the pattern in our previous UAT-8099 post.

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu

While the behavior and URL path signature match our previous report, there is a key difference between this ELF BadIIS variant and the older BadIIS. Unlike the previous version, which targeted numerous search engines, this variant targets only three. The target search engines are shown as follows.

User-agent	Referer
Googlebot	google
Bingbot	bing
Yahoo!	yahoo

Coverage 

ClamAV detections are also available for this threat: 

• Win.Malware.Tedy-10059198-0  
• Win.Trojan.Crypter-10059205-0  
• Win.Trojan.BadIIS-10059191-0  
• Unix.Trojan.BadIIS-10059196-0  
• Win.Trojan.IISHijack-10059197-0  
• Win.Malware.Remoteadmin-10059206-0  
• Win.Packed.Zpack-10059207-0  
• Txt.Trojan.BadIIS-10059202-0 

The following Snort Rules (SIDs) detect and block this threat: 

• Snort2: 65712, 65713, 65710, 65711, 65708, 65709, 65707, 65706. 
• Snort3: 301378, 301377, 301376, 65707, 65706 

Indicators of compromise (IOCs) 

The IOCs for this threat are available at our GitHub repository here. 

Cisco Talos Blog – ​Read More

Running a SOC today means constant trade-offs: too many alerts, not enough people, strict SLAs, and attacks that keep getting smarter. Most leaders aren’t asking for “the next cool product” but a proof that something actually cuts time, risk, and workload in real environments like theirs. 

Thousands of organizations already rely on ANY.RUN to reduce analyst load, resolve phishing cases faster, cut unnecessary escalations, and speed up detection so incidents are contained before they reach the business. 

Here we are bringing that evidence together. Let’s look at the results from different industries, how teams use ANY.RUN across Tier 1/2/3, and why it became a core part of their SOC operations, so if you’re still hesitating, you can see exactly what teams like yours are achieving with it. 

What Real Teams Achieve with ANY.RUN: Proven Results Across Industries 

When you look across banks, MSSPs, transport companies, and healthcare providers, the pattern is the same: once ANY.RUN becomes part of daily SOC operations, teams move faster, reduce noise, and prevent incidents earlier. 

Here are the outcomes customers report consistently: 

• 94% of users report faster phishing and malware triage in real SOC workflows. 

• 76% faster phishing triage for a healthcare MSSP (from 30–40 minutes down to 4–7 minutes). 

• 50%+ reduction in malware investigation and IOC extraction time. 

• Tier-1 closure rates rising from ~20% to around 70% after giving Tier 1 full behavioral evidence. 

• 30–55% fewer false escalations thanks to richer context and verdict confidence. 

• 21 minutes average MTTR reduction in SOCs that integrated ANY.RUN into their workflows. 

• 15 seconds MTTD for phishing and malware threats which allows analysts to accelerate their SIEM/SOAR investigations. 

• Insights from ANY.RUN’s solutions helped SOC and MSSP teams stop hundreds of ransomware attempts before they ever touched production systems. 

MSSP Success Case: Faster Threat Analysis Without Expanding the Team 

Expertware is a European MSSP with over 18 years of experience, providing SOC services to organizations across banking, insurance, retail, telecom, and other industries. Their cyber intelligence operations team supports multiple customers at once, where speed and depth of analysis directly impact SLAs. 

Challenge 

Before adopting ANY.RUN’s Interactive Sandbox, malware investigations required manually building and maintaining reverse-engineering environments. This slowed response times, limited visibility into full attack chains, and made it harder to scale analysis across multiple customers without adding workload. 

Outcome 

Expertware standardized a single analysis cycle centered on interactive execution and fast intelligence sharing: 

• Execute and observe: Suspicious files and phishing samples are detonated to expose full behavior and multi-stage chains. 

• Analyze in depth: Analysts interact with malware in real time to uncover obfuscation, memory-only stages, and C2 infrastructure. 

• Extract and share: Indicators and findings are mapped, documented, and shared across SOC and IR teams to speed decisions. 

This approach removed the need for custom VMs and reduced friction across investigations. 

Results 

• Over 50% reduction in malware investigation and IOC extraction time 

• Faster turnaround on customer incidents without increasing staff 

• Clear visibility into full kill chains, including fileless and memory-based stages 

• Easier collaboration through shared, interactive analysis reports 

• Improved SLA performance by resolving cases earlier in the workflow 

Healthcare MSSP Success Case: Faster Phishing Triage Without SLA Risk 

A mid-sized MSSP specializing in healthcare supports hospitals, clinics, and labs across thousands of endpoints. Operating in a highly regulated environment, the SOC had to balance strict SLAs, audit requirements, and a growing volume of phishing and malware alerts. 

Challenge 

As the customer base expanded, Tier 1 and Tier 2 teams were overwhelmed. Multi-stage phishing emails with redirects, QR codes, and CAPTCHA checks often took 30–40 minutes per case, driving escalations, slowing response, and putting SLA commitments at risk. 

Outcome 

The MSSP standardized a single operational triage cycle combining sandbox execution, threat intelligence, and detection feeds: 

• Early execution with the Interactive Sandbox cuts phishing triage by 76%, reducing analysis from 30–40 minutes to 4–7 minutes, while giving Tier 1 full visibility into real malware behavior. 

• Richer context through Threat Intelligence Lookup improves decision confidence, driving 34% fewer false escalations and enabling Tier 1 closure rates to rise from 20% to 70%. 

• Live intelligence via Threat Intelligence Feeds keeps detections current as attacker infrastructure rotates, resulting in faster MTTR and fewer false positives across automated workflows. 

• Continuous monitoring of active attacks affecting 15,000+ organizations enables early detection of the latest threats. 

Results 

Since we implemented new solutions, every investigation now comes with evidence and threat data, from MITRE tags to screenshots. This made reporting faster and extra work fell off our shoulders.

• 76% reduction in phishing triage time (from 30–40 minutes down to 4–7 minutes) 

• Higher Tier-1 closure rates with fewer escalations to Tier 2 

• Stronger SLA stability across multiple healthcare customers 

• Audit-ready investigations with clear execution evidence and context 

• A shift from reactive response to proactive, repeatable defense  

Banking Success Case: Faster Analysis, Stronger Security Outcomes 

A Brussels-based investment bank (750 employees) runs cybersecurity with a lean team of 12, where people often switch between threat analysis and incident response depending on what’s happening. 

Challenge 

When the Head of Cybersecurity joined, the security setup was “messier” than expected, and the team was getting swamped with alerts daily. Improving efficiency meant fixing the workflow, and a malware sandbox quickly became a top priority. 

Outcome 

The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds.

After integrating ANY.RUN as part of a broader workflow overhaul, results showed up almost immediately. In the first week, the team was able to process alerts and threat analysis at least twice as fast, helping avoid incident response and recovery costs through timely actions. 

Results  

• 2× faster alert processing and threat analysis (visible in the first week) 

• Better understanding of malware behavior through VM control (browsing websites, downloading, executing files) 

• A faster, more practical approach than running custom-built VMs on isolated machines that take significant preparation 

• Prevented hundreds of ransomware and credential-stealing attempts over time 

• Stopped a supplier email attack by detonating the email, opening a password-protected ZIP, identifying a loader, and seeing it download and initiate ransomware in the VM, then blocking the email across the organization and warning other departments 

Transport Company Success Case: Real-Time Visibility into Active Cyber Attacks 

A multinational transport company operating across North America, Latin America, and Europe relies heavily on email to communicate with clients, contractors, and suppliers. With a 30-person security team, staying ahead of active attacks required a threat hunting approach that scaled without adding manual work. 

Challenge 

Attacker infrastructure changes rapidly, making static indicators and public reports outdated within days. Manually tracking phishing campaigns, malware activity, and CVEs relevant to the transport industry consumed time and made prioritization difficult. 

Outcome 

The team standardized a continuous threat hunting cycle that turns fresh execution data into detections: 

• Confirm reality with an interactive sandbox: Detonate suspicious samples to capture behavior and extract high-confidence artifacts. 

• Expand to campaign scope: Subscribe to TI Lookup’s Search Updates, pivot across related IOCs/IOAs/IOBs, domains, hosts, and historical activity. 

• Operationalize fast: Use TI Feeds to push validated indicators into existing security workflows so detections stay current. 

Results 

• Near real-time visibility → faster decisions while attacks are still active. 

• Quicker IOC/IOA/IOB discovery → shorter time to contain relevant threats. 

• Less manual research → more capacity without extra headcount. 

• Clear active vs. expired prioritization → steadier SLAs, fewer wasted cycles. 

• Fresher detection updates → fewer repeat incidents as infrastructure rotates. 

Trusted by Security Teams Worldwide 

ANY.RUN is a part of daily security operations across industries where mistakes are expensive and downtime isn’t an option. 

Today, organizations rely on ANY.RUN in real production environments across: 

• 3,102 IT & technology companies 

• 1,778 financial institutions 

• 1,354 manufacturing organizations 

• 919 healthcare providers 

• 1,059 government entities 

• 460 energy companies 

• 347 transportation & logistics businesses 

This trust shows up consistently in independent reviews: 

• 4.7 / 5 on G2 — praised for speed, visibility, and day-to-day usability 

• 4.8 / 5 on Gartner Peer Insights — recognized for real-world impact on SOC performance 

This broad adoption across regulated, high-risk industries reinforces one thing: 
ANY.RUN scales not just technically, but operationally; across teams, regions, and security maturity levels. 

If teams in finance, healthcare, government, and critical infrastructure rely on it daily, it’s because it delivers results where stakes are highest. 

Why These Results Repeat Across Teams and Industries 

These outcomes show up in very different environments for one reason: high-performing teams don’t treat investigations as one-off incidents. They run a consistent, repeatable way of working that turns uncertainty into clarity fast and keeps that clarity flowing across the whole operation. 

What makes the difference: 

• Decisions are based on evidence, not assumptions 
  Teams don’t wait for “maybe” signals to become obvious. They confirm what’s happening early, so risk doesn’t quietly grow in the background. 

• Context reaches the right people at the right moment 
  Frontline triage gets enough clarity to close routine cases confidently, while deeper work is reserved for what truly needs it. 

• Response stays steady even when attackers change tactics 
  As infrastructure rotates and methods evolve; teams don’t fall back into manual chase mode. They keep coverage current and avoid repeating the same work. 

• Workflows are built for scale, not heroics 
  The process holds up under load, across shifts, and across customers, which is why SLAs stabilize and burnout drops. 

That’s why the same gains keep showing up: faster decisions, less noise, and fewer business-impacting incidents. 

Ready to See What Results Like These Look Like in Your Environment? 

Every SOC operates under different constraints; tools, team size, industry pressure, compliance rules. What doesn’t change is the cost of slow decisions, unnecessary escalations, and incidents that reach the business before they’re contained. 

The teams featured here didn’t rebuild everything from scratch. They focused on shortening time-to-verdict, giving frontline staff better clarity, and keeping detection current as attacks evolved. The result was less noise, steadier SLAs, and fewer incidents turning into business problems. 

If you’re weighing whether a change will actually move the needle, not in theory, but in daily operations, these results show what’s possible when security work becomes faster, clearer, and easier to scale. 

See what faster decisions look like in practice, run your SOC with ANY.RUN. 

About ANY.RUN 

ANY.RUN is a core part of modern security operations, helping teams make faster, more confident decisions across Tier 1, Tier 2, and Tier 3. It fits into existing workflows without friction and strengthens the entire investigation lifecycle; from early validation to deeper analysis and ongoing threat awareness. 

By revealing real attacker behavior, adding context where it’s missing, and keeping detections aligned with how threats actually evolve, ANY.RUN helps SOCs reduce noise, shorten response times, and limit business impact. 

Today, more than 600,000 security specialists and 15,000 organizations worldwide rely on ANY.RUN to accelerate triage, cut unnecessary escalations, and stay ahead of phishing and malware campaigns that don’t stand still. 

FAQ

The post SOC & Business Success with ANY.RUN: Real-World Results & Cases  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More