A week with a “smart” car

Welcome to this week’s edition of the Threat Source newsletter. 

June 9 was Whit Monday — a bank holiday here in Germany — so I decided to take the whole week off. It turned out to be the perfect opportunity to try out a brand new car. Little did I know, I was about to get a crash course in modern vehicle technology (and a few unexpected life lessons).

There’s an EU regulation that requires new cars to come equipped with “Advanced Vehicle Systems,” which include features like driver drowsiness and attention warnings, lane-keeping systems and intelligent speed assistance. I hadn’t swapped cars in over a decade, so I was blissfully unaware of just how intrusive these systems could be. 

While I generally appreciate technology that makes our life safer, these features gave me a tough time. The car seemed to beep at me constantly, so much so that the beeping itself became a distraction. Instead of focusing on the road, I found myself trying to decipher what each alert meant. After a few kilometers, I had to pull over and consult the manual just to figure out how to disable these “helpful” assistants. 

Problem solved? Not quite. Every time I turned off and restarted the car, the systems re-enabled themselves. Disabling the lane-keeping assistant was just a button press, but turning off the “intelligent” speed assistant required a convoluted sequence: six menu clicks, a long press then a short click. I had to dig out the manual every time. 

You might think I’m just cutting corners, or that I should pay better attention to speed limits. But here’s the thing: Technology fails, and these systems are no exception. Sometimes the cameras miss speed signs, or worse, pick up the wrong ones. I’ve read about people putting stickers on their windshields to block the camera, only to discover the system then falls back to GPS data, which can be outdated or just plain wrong. On one occasion, it thought a car was on a 50 km/h road when the person was actually on the Autobahn directly next to and parallel to that road, which famously has no speed limit. 

Some drivers try to muffle the alerts by gluing the speaker, but in modern cars, the system also lowers the radio volume to make sure you hear the alarm. Pulling the fuse would disable the emergency brake, too — not something I’m willing to risk, regardless of how insurance would feel about it.

I ended up learning two important lessons that week. The first was technical: I dove into the world of Controller Area Network (CAN) bus wiring, protocols, network gateways and tools like SavvyCAN to understand how these systems work… and maybe how to disable a few, purely for educational purposes. 

The second lesson hit me later, and it was more personal. In my job, I often preach about deploying multi-factor authentication (MFA) everywhere. My focus has always been on keeping out the bad guys, not on the user experience. I never understood why anyone would use apps to automatically accept authentication pushes — it seemed crazy to me. But after a few days with the car, I finally saw things from the user’s perspective. Security tools can’t just be effective; they also have to be easy to use. Reducing friction, like using single sign-on or minimizing unnecessary clicks, matters just as much. Users also need to understand why these barriers are in place. 

Tomorrow is another holiday. Maybe I’ll spend it exploring Kali Linux 2025.2 and the latest CARsenal tools (formerly CAN Arsenal). Who knows? I might just tap a wire or two — for educational purposes only, of course.

The one big thing 

Cisco Talos has discovered that the North Korean-aligned threat actor Famous Chollima has been actively targeting cryptocurrency and blockchain professionals (primarily in India) through sophisticated phishing campaigns. Previously known for using the GolangGhost trojan, they’ve now introduced a Python-based variant called PylangGhost, which retains the same capabilities. Recent campaigns have targeted Windows users with the Python version, while macOS users are still being hit with the Golang-based variant.

Why do I care? 

Even if you’re not in the cryptocurrency or blockchain space, this campaign highlights how threat actors are constantly evolving their tools. It’s a reminder that no matter how niche or localized an attack might seem, the techniques could easily be adapted to broader campaigns. Plus, if attackers succeed in these targeted efforts, stolen credentials could ripple across networks and platforms globally.

So now what?

Take this as your cue to double-check your defenses. Ensure your organization’s security tools can detect Python and Golang-based malware, and educate your teams on recognizing phishing attempts, especially fake job offers. Stay proactive by monitoring emerging threats like PylangGhost, because even if you’re not the target today, tomorrow isn’t a guarantee.

Top security headlines of the week 

AI Scraping Bots Are Breaking Open Libraries, Archives, and Museums
AI bots that scrape the internet for training data are hammering the servers of libraries, archives, museums and galleries, and are in some cases knocking their collections offline. (404 Media)

Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web
Hackers leaked the personal data of 7.4 million people in Paraguay on the dark web. A cybercriminal group called “Cyber PMC” demanded $7.4 million, blaming government corruption and poor security. (Security Affairs)

Trend Micro fixes critical vulnerabilities in multiple products
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities. (Bleeping Computer)

Can’t get enough Talos? 

When legitimate tools go rogue
From LOLBins to open-source utilities like DonPAPI, threat actors are leveraging legitimate tools to evade detection and carry out attacks. Read the blog here.

Microsoft Patch Tuesday for June 2025 
Microsoft released its monthly security update last week, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

Upcoming events where you can find Talos 

  • REcon (June 27 – 29) Montreal, Canada 
  • NIRMA (July 28 – 30) St. Augustine, FL 
  • Black Hat USA (Aug. 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Simple_Custom_Detection

Cisco Talos Blog

Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs 

Editor’s note: This article was written by Clandestine, threat researcher and threat hunter. You can find Clandestine on X.

Threat actors today are continuously developing sophisticated techniques to evade traditional detection methods. ANY.RUN’s Threat Intelligence Lookup offers advanced capabilities for threat data gathering and analysis. As a specialized search engine, it allows security analysts to query various indicators of compromise (IOCs), behaviors (IOBs), and attacks (IOAs), providing valuable insights into real-world malware activity observed in sandboxed environments.  

This article reviews several advanced threat hunting techniques in ANY.RUN’s TI Lookup that threat intelligence analysts and researchers on SOC and MSSP teams can use to identify and analyze various types of threats.

Threat Intelligence Lookup Key Capabilities 

Threat Intelligence Lookup provides analysts with access to a vast malware database topped up by over 500,000 users of the Interactive Sandbox, including 15,000 corporate SOC teams. A single search request can deliver hundreds of relevant analysis sessions, malware samples, or indicators for further research and refining the results with more specific queries. 

Besides the ability to instantly get a verdict and context on a potential indicator of compromise, TI Lookup offers a number of functions that enable effective threat hunting and analysis: 

  • IOC Lookups: Detailed searches of various indicators of compromise, including IP addresses, file hashes, URLs, and domain names.  
  • Behavioral Lookups: Beyond traditional IOCs, the service enables searches based on behavioral indicators, such as registry modifications, process activities, network communications, and mutex creations. It is particularly effective for identifying unknown or emerging threats that may not have established IOCs. 
  • MITRE Techniques Detection: The incorporation of the MITRE ATT&CK framework allows analysts to search for specific tactics, techniques, and procedures (TTPs) used by threat actors. This capability facilitates a more structured and comprehensive approach to threat hunting. 
  • File/Event Correlation: The ability to correlate files and events helps analysts identify relationships between different components of an attack and understand the broader context of malicious activities. 
  • YARA-based Threat Hunting: This capability allows for highly specific searches based on file characteristics and patterns. 
  • Wildcards and Logical Operators: The search supports various wildcards and logical operators for the construction of complex and precise queries. 

The query syntax of Threat Intelligence Lookup supports over 40 parameters, allowing for highly specific and contextualized searches. The basic structure of a query is a parameter, a colon, and a value, usually enclosed in double quotation marks (e.g., submissionCountry:"us"). 

Logical operators play a crucial role in constructing effective queries:  

  • The AND operator requires both conditions to be true. 
  • The OR operator requires at least one condition to be true. 
  • The NOT operator excludes results that match a specific condition.  
  • Parentheses can be used to group conditions and establish precedence. 

Wildcards and special characters enhance the flexibility of queries:  

  • The asterisk (*) represents any number of characters. 
  • The question mark (?) represents a single character. 
  • The caret (^) matches the beginning of a string. 
  • The dollar sign ($) matches the end of a string. 

The search parameter set covers various aspects of threat analysis, including file properties (e.g., fileExtension, filePath), process activities (e.g., commandLine, imagePath), network communications (e.g., destinationIp, URL), registry operations (e.g., registryKey, registryValue), and threat classifications (e.g., threatName, threatLevel). 

Key Tasks Solved by Threat Intelligence Lookup 

Threat Intelligence Lookup is used by security teams worldwide to detect, prioritize, and contain threats faster. With TI Lookup, your SOC can: 

  • Speed Up Incident Response: Flexible queries across 40+ IOCs, IOAs, and IOBs with 2-second response times and exclusive indicators enable SOC teams to quickly investigate and mitigate incidents, slashing Mean Time to Respond (MTTR) and minimizing damage. 
  • Enhance Alert Triage with Contextual Insights: An extensive database of indicators on the latest attacks provides analysts with quick insights into any artifact, letting them enrich alerts, pin them to threats, and prioritize critical incidents.  
  • Accelerate Threat Detection and Containment: Query Updates subscriptions and proactive searches using network artifacts help uncover hidden threats, allowing SOC teams to detect, escalate, and mitigate attacks early, preventing spread and protecting business operations. 

Now let’s see how this works in a number of hands-on threat hunting use cases.  

1. Country-based Threat Detection 

Geographic analysis of threats provides valuable insights into the origin and distribution of malicious activities. ANY.RUN’s TI Lookup enables country-based threat detection through the submissionCountry parameter, which can be combined with other parameters to create highly specific queries. Many organizations that use TI Lookup in their SOC rely on this feature.

Geographic threat analysis typically involves identifying submissions from specific countries and filtering them based on threat levels, threat names, or behavioral indicators. This approach helps security analysts understand regional threat landscapes, identify country-specific attack campaigns, and establish geopolitical context for observed threats. 

Several example queries demonstrate the application of country-based threat detection.  

The query below targets phishing attacks originating from Brazil. By combining the submissionCountry parameter with the threatName parameter, it focuses on a specific type of threat within a geographic context. 

submissionCountry:"br" AND threatName:"phishing" 

Samples of phishing added to the Sandbox by users from Brazil 

This approach helps identify regional trends in phishing campaigns, which may target local institutions or use language-specific social engineering techniques. 

The next query identifies malicious submissions from India that involve PowerShell commands. It combines geographic filtering with a behavioral indicator and a threat classification, providing a more comprehensive view of specific attack methodologies within a regional context. 

submissionCountry:"in" AND commandLine:"powershell" AND threatLevel:"malicious" 

Malicious samples from Indian users containing PowerShell commands 

This approach is particularly valuable for identifying sophisticated attacks that leverage legitimate system tools like PowerShell. 

Country-based threat detection can be further enhanced by analyzing temporal patterns, comparing threat distributions across different regions, and correlating geographic data with other threat indicators. This multidimensional approach provides a more comprehensive understanding of the global threat landscape and helps security teams prioritize their defensive efforts based on regional risk profiles. 

2. MITRE Technique-Focused Queries 

TI Lookup incorporates the MITRE ATT&CK framework through the MITRE parameter, enabling highly specific searches based on known attack techniques. 

Command and Scripting Interpreter (T1059) 

Command and Scripting Interpreter (T1059) covers the use of command-line interfaces or scripting languages to execute commands, scripts, or binaries. The technique sits under the Execution tactic, but the scripts it covers are frequently the first stage of a longer chain that goes on to establish persistence. The following query targets this technique: 

MITRE:"T1059" AND (commandLine:"powershell" OR imagePath:"mshta.exe") 

Endpoint events with script and application calls linked to malware samples 

Here we identify submissions that exhibit command and script execution behavior, as defined by the MITRE technique T1059, and involve either PowerShell commands or the Microsoft HTML Application Host (mshta.exe). The combination of the MITRE parameter with specific command-line or image path indicators provides insights into how threat actors leverage legitimate system tools for malicious purposes. 

TI Lookup returns hundreds of relevant results, including numerous sandbox sessions 

This example also gives a sense of TI Lookup’s search volume and coverage: it can return hundreds or even thousands of relevant malware samples, indicators, artifacts, and other types of data. An analyst can narrow and refine the search with additional parameters and settings, for instance by changing the search period (circled on the screenshot) from the minimum of one day to the maximum of 180 days.  

Registry-Based Persistence (T1547 / T1547.001) 

Registry-based persistence involves modifying the Windows Registry so that malware runs automatically when the system starts or a user logs on. In ATT&CK this falls under T1547 (Boot or Logon Autostart Execution); the Run keys specifically are sub-technique T1547.001 (Registry Run Keys / Startup Folder). This technique is commonly used by threat actors to maintain access to compromised systems. The following query targets it: 

MITRE:"T1547" AND registryKey:"CurrentVersion\Run" 

Search results for malware changing Windows registry 

This query identifies submissions flagged with T1547 that specifically touch the Run key in the Windows Registry. Any executable listed under ...\Software\Microsoft\Windows\CurrentVersion\Run (in HKCU or HKLM) runs automatically when a user logs in, which is why this key is a staple of malware persistence. 

Advanced MITRE Correlation 

Advanced threat hunting often involves correlating multiple MITRE techniques to identify sophisticated attack patterns. The following query illustrates this approach: 

MITRE:"T1055" AND MITRE:"T1547" AND MITRE:"T1082" 

Malware strains and types combining several attack techniques 

This query identifies submissions that exhibit three distinct MITRE techniques: Process Injection (T1055), Boot or Logon Autostart Execution (T1547), and System Information Discovery (T1082). 

The correlation of these techniques suggests a sophisticated attack that injects code into legitimate processes, establishes persistence through registry modifications, and attempts to collect information about the system.  

MITRE technique-focused queries can be further enhanced by incorporating additional parameters related to file properties, network communications, or threat classifications. This multidimensional approach provides a more comprehensive understanding of how specific techniques are implemented in real-world attacks and helps security teams develop more effective detection and mitigation strategies. 

3. Obfuscated File Behavior Detection 

Obfuscation is a common technique used by malware authors to hide malicious code and evade analysis. ANY.RUN TI Lookup enables the detection of various obfuscation techniques through specialized queries that focus on file behaviors and characteristics. 

Executables in Non-Standard Directories 

Malware often places executable files in non-standard directories to avoid detection and blend in with legitimate system files. The following query targets this behavior: 

fileExtension:"exe" AND NOT filePath:"Windows*" AND NOT filePath:"Program Files*" 

Samples with executable files located outside the excluded directories 

This query identifies executable files (.exe) that are not located in the standard Windows or Program Files directories. The combination of the fileExtension parameter with negative conditions for standard file paths helps security analysts identify potentially suspicious executables that may be attempting to hide in unusual locations. 

Script-Based Obfuscation 

Script-based obfuscation involves the use of scripting languages to hide malicious code or execute obfuscated commands. The following query targets this behavior: 

commandLine:"powershell" AND fileExtension:"js" 

JavaScript files executing PowerShell commands 

This query identifies JavaScript (.js) files that execute PowerShell commands (you can also search for other script types, like Visual Basic Script (.vbs) files). This pattern is commonly observed in multi-stage attacks where script files are used as initial droppers that subsequently execute obfuscated PowerShell commands. The combination of file extension parameters with command-line indicators helps security analysts identify and analyze this obfuscation technique. 

4. Persistence and Mutex Creation 

Persistence mechanisms and mutex creation are common techniques used by malware to maintain access to compromised systems and ensure that only one instance of the malware is running at a time.  

Mutexes can be explored with the synchronization-object parameter: 
 
syncObjectName:"rmc" 

Sandbox samples that create a mutex 

This query identifies submissions that contain a mutex (a synchronization object often used by malware to ensure single-instance execution) with the name “rmc”. TI Lookup provides numerous analysis results, demonstrating that this mutex belongs to the Remcos trojan.  

This approach helps security analysts identify sophisticated malware based on artifacts found in system logs. Further analysis of persistence and mutex creation can involve examining the specific values written to registry keys, analyzing the naming conventions of mutexes, and correlating these indicators with other malicious behaviors. 

5. Domain Generation Algorithm (DGA) Detection 

Domain Generation Algorithms (DGAs) are techniques used by malware to dynamically generate domain names for command and control (C2) communication. This approach helps malware evade detection and blocking by constantly changing the domains used for communication. ANY.RUN TI Lookup enables the detection of DGA-based malware through specialized queries that focus on domain characteristics and communication patterns. 

Random TLD with Active Communication 

DGA-generated domains often use uncommon or cheaper top-level domains (TLDs) to reduce costs and avoid detection. The following query targets this behavior: 

(domainName:".top" OR domainName:".xyz") AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious" 

Domains utilizing cheap-TLD domains found across analyses of malicious samples 

This query identifies malicious submissions that communicate with domains using the .top or .xyz TLDs over HTTP (port 80) or HTTPS (port 443). The parentheses around the two TLD terms matter: if AND binds tighter than OR, as it does in most query languages, the ungrouped form domainName:".top" OR domainName:".xyz" AND (...) returns every .top domain regardless of port or verdict. These TLDs are relatively inexpensive and are commonly used in DGA implementations. The combination of domain name patterns, communication ports, and threat classification helps security analysts identify potential DGA-based malware. 
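To make the operator and wildcard rules from the “Key Capabilities” section concrete, here is a small evaluator for that query syntax, exercised on the .top/.xyz query above with and without the grouping parentheses. It is an added example, not ANY.RUN code, and its semantics are assumptions the page does not spell out (NOT binds tighter than AND, AND tighter than OR; an unanchored value is a case-insensitive substring match), so confirm them against the service before relying on a production query. The session records are constructed.

```python
"""Toy evaluator for the TI Lookup-style query syntax (added example, not ANY.RUN code).

Assumed semantics: NOT binds tighter than AND, AND tighter than OR; an unanchored
value is a case-insensitive substring match; '*' and '?' are wildcards; '^' and
'$' anchor the start and end of a value.
"""
import re

# Parentheses, the three operators (any case), and field:"value" terms.
TOKEN_RE = re.compile(r'\s*(\(|\)|AND\b|OR\b|NOT\b|\w+:"[^"]*")', re.IGNORECASE)


def tokenize(query):
    """Split a query into tokens; anything the grammar has no word for is an error."""
    query, pos, tokens = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {query[pos:pos + 20]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def value_regex(pattern):
    """Translate a quoted value with ^ $ * ? into a compiled regex (assumed semantics)."""
    start, end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern[1 if start else 0:len(pattern) - (1 if end else 0)]
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in core)
    return re.compile(("^" if start else "") + body + ("$" if end else ""), re.IGNORECASE)


def make_term(token):
    """field:"value" -> predicate over a session dict whose fields hold lists of strings."""
    field, colon, quoted = token.partition(":")
    if not colon or not quoted.endswith('"'):
        raise ValueError(f'expected field:"value", got {token!r}')
    rx = value_regex(quoted[1:-1])
    return lambda session: any(rx.search(v) for v in session.get(field, []))


class Parser:
    """Recursive descent: or := and (OR and)*; and := not (AND not)*; not := NOT not | primary."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i].upper() if self.i < len(self.tokens) else None

    def take(self):
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.tokens[self.i - 1]

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.tokens[self.i]!r}")
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = (lambda l, r: lambda s: l(s) or r(s))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "AND":
            self.take()
            left = (lambda l, r: lambda s: l(s) and r(s))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda s: not inner(s)
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return make_term(tok)


def search(query, sessions):
    """Ids of the sessions matching `query`, in input order."""
    matches = Parser(tokenize(query)).parse()
    return [s["id"] for s in sessions if matches(s)]


# Constructed analysis sessions (not real telemetry); every searchable field is a list.
SESSIONS = [
    {"id": "s1", "domainName": ["update.example-cdn.top"], "destinationPort": ["443"], "threatLevel": ["malicious"]},
    {"id": "s2", "domainName": ["blog.example.top"], "destinationPort": ["80"], "threatLevel": ["no-threats"]},
    {"id": "s3", "domainName": ["c2.example.xyz"], "destinationPort": ["8443"], "threatLevel": ["malicious"]},
    {"id": "s4", "domainName": ["login.example.com"], "destinationPort": ["443"], "threatLevel": ["malicious"]},
    {"id": "s5", "fileExtension": ["js"], "commandLine": ["powershell -nop -w hidden -enc AAAA"],
     "MITRE": ["T1059.007", "T1547.001"], "registryKey": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"],
     "threatLevel": ["malicious"]},
    {"id": "s6", "fileExtension": ["exe"], "filePath": [r"C:\Users\Public\svc.exe"], "threatLevel": ["suspicious"]},
    {"id": "s7", "fileExtension": ["exe"], "filePath": [r"C:\Windows\System32\svchost.exe"], "threatLevel": ["no-threats"]},
]

# The .top/.xyz query without grouping, with grouping, and with anchored values.
UNGROUPED = 'domainName:".top" OR domainName:".xyz" AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious"'
GROUPED = '(domainName:".top" OR domainName:".xyz") AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious"'
ANCHORED = '(domainName:".top$" OR domainName:".xyz$") AND (destinationPort:"^80$" OR destinationPort:"^443$") AND threatLevel:"malicious"'

if __name__ == "__main__":
    for name, q in (("ungrouped", UNGROUPED), ("grouped", GROUPED), ("anchored", ANCHORED)):
        print(f"{name:>9}: {search(q, SESSIONS)}")
```

Under the assumed precedence the ungrouped query also returns the benign .top session (s2), because the bare domainName:".top" term stands alone on the left of OR. Grouping fixes that but still returns s3, since an unanchored "443" is a substring of port 8443; anchoring the port values as ^443$ leaves only the session the analyst actually wanted.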

Domain Name Patterns 

This query identifies submissions that communicate with domains deployed on Cloudflare Workers. This is a common way for attackers to host phishing pages:  
 
domainName:".workers.dev" AND threatLevel:"malicious" 

TI Lookup provided over 300 phishing domains hosted on Cloudflare Workers 

Known DGA Families 

Certain malware families are known to use specific DGA implementations. The following query targets these associations: 

(threatName:"redline" OR threatName:"lumma") AND domainName:"." AND destinationIpAsn:"cloudflare" 

Malware of known families that abuses legitimate CDN services 

This query identifies submissions associated with RedLine or Lumma malware families that communicate with any domain resolved to Cloudflare’s infrastructure. These malware families are known to use DGAs, and the correlation with Cloudflare ASN (Autonomous System Number) may indicate attempts to hide behind legitimate CDN services. This approach helps security analysts identify specific malware families that employ DGAs for C2 communication. 

DGA detection can be further enhanced by analyzing temporal patterns of domain generation, examining the linguistic characteristics of generated domains, and correlating domain communications with other malicious behaviors. 

6. Malware Family Behavior Queries 

Different malware families exhibit distinct behavioral patterns that can be used for identification and analysis. ANY.RUN TI Lookup enables the detection of specific malware families through queries that target their characteristic behaviors. 

Formbook 

Formbook is a data-stealing malware that captures screenshots, logs keystrokes, and steals data from web browsers.  

threatName:"formbook" OR (MITRE:"T1055" AND registryKey:"Windows\CurrentVersion\Run" AND fileExtension:"exe") OR (URL:"*.php" AND httpRequestContentType:"application/x-www-form-urlencoded") 

Sandbox analyses of fresh Formbook samples found via TI Lookup 

This query identifies submissions explicitly classified as Formbook or exhibiting behaviors characteristic of this malware family, including process injection (MITRE T1055) combined with Run registry modifications and executable files, or communication with PHP endpoints using specific content types. These indicators collectively provide strong evidence of Formbook activity. 

AsyncRAT 

AsyncRAT is a remote access trojan that provides attackers with full control over infected systems. 

threatName:"asyncrat" AND (commandLine:"mshta.exe" OR commandLine:"powershell") 

AsyncRAT samples found via typical behavior 

This query identifies submissions classified as AsyncRAT whose execution chain involves mshta.exe or PowerShell, two launchers commonly seen with this family. The parentheses keep the family filter applied to both alternatives; without them, a bare commandLine:"powershell" term would match on its own and return every PowerShell-using sample in the database.   

Malware family behavior queries can be further enhanced by incorporating additional indicators specific to each family, analyzing temporal evolution of behaviors, and correlating family-specific indicators with broader threat intelligence. This comprehensive approach provides deeper insights into malware family behaviors and helps security teams develop more effective detection and mitigation strategies. 

7. Thematic Search Query Updates 

TI Lookup lets you subscribe to receive updates on your custom search queries. For example, you can focus on specific malware families, enabling more efficient and targeted threat hunting.  

Credential Stealers 

Credential stealing is a common objective for various malware families. The following query targets three popular credential stealers, RedLine, Lumma, and Formbook, that access the Security Account Manager (SAM) registry key, which stores local user account information.  

(threatName:"redline" OR threatName:"lumma" OR threatName:"formbook") AND registryKey:"SAM\" 

You can subscribe to query updates via the bell icon on the right 

By subscribing to this query, we’ll receive updates each time new search results become available in TI Lookup. This thematic approach keeps the focus on credential-targeting behavior across the three families rather than on any single one of them. 

Conclusion 

We have reviewed a number of advanced threat hunting techniques using ANY.RUN TI Lookup.  

Through detailed exploration of various query methodologies, including country-based threat detection, MITRE technique-focused queries, obfuscated file behavior detection, persistence mechanisms, domain generation algorithm detection, and malware family behavior analysis, this overview demonstrates the power and flexibility of query-based threat intelligence in modern security operations.  

The correlation of different indicators through logical operators and grouping enhances detection precision and reduces false positives, allowing security analysts to focus their efforts on the most relevant threats.  

By focusing on specific threat categories and leveraging advanced query techniques, security teams can develop more efficient and effective threat detection strategies. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 


The post Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs appeared first on ANY.RUN’s Cybersecurity Blog.

When legitimate tools go rogue

Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup — were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m.

Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller.

Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.

This story is a simplified, composite version of something we’re seeing more and more often in Cisco Talos Incident Response engagements: Rather than inventing their own tools, attackers are making use of familiar, legitimate software — just with a very different purpose. 

What exactly are LOLBins?

A big part of this trend revolves around “living off the land binaries,” or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities.

They’re especially concerning because they’re already installed, trusted, and frequently used for normal IT tasks, making them difficult to detect or block without disrupting operations.

Defenders can reference the “Living Off The Land Binaries, Scripts and Libraries” or LOLBAS project, which maintains a list of known LOLBins on GitHub.

But it’s not just LOLBins…

LOLBins were used often across Talos IR engagements in 2024, but we actually saw a wider variety of commercial and open-source tools used as well. Threat actors likely gravitate towards these because they can choose which tools best suit their needs (or which commercial tools will blend into the victim environment). 

Take DonPAPI, for example. This is an open-source tool observed in several recent Talos IR engagements that automates credential dumping remotely on multiple Windows computers. It locates and retrieves Windows Data Protection API (DPAPI) protected credentials, a process also known as “DPAPI dumping.” DonPAPI searches for certain files, including Wi-Fi keys, RDP passwords and credentials saved in web browsers, to help authenticate and move laterally to identify other assets in the environment.

From an identity perspective, open-source tools like DonPAPI pose a significant risk to organizations based on their wide availability on code repositories like GitHub and their ease of installation. 

Legit tool, suspicious intent

Here’s how this plays out in the field, using the three most-used tools observed in Cisco Talos’ 2024 Year in Review:

[Figure: the three most-used legitimate tools observed in Talos IR engagements, from Cisco Talos’ 2024 Year in Review]

These tools weren’t built for attackers, but they’ve become some of the most common ingredients in ransomware and advanced persistent threat (APT) campaigns.

In a recent episode of The Talos Threat Perspective, one of our senior Talos IR consultants spoke about tools that were created for legitimate purposes (e.g., HRSword, REMCOS RAT and Cobalt Strike), but played a large part in the ransomware engagements investigated by Talos IR in 2025.

Remote Access Management tools

Lately, Talos has seen an increase in the use of remote monitoring and management (RMM) tools during attacks — the same kind of software IT teams and managed service providers rely on to access systems remotely. These tools are designed for legitimate use, but in the wrong hands, they become a stealthy way to maintain persistence on compromised systems without raising alarms.

One colleague shared a story that stuck with me: In some incidents, the attackers showed up with an entire toolkit of RMM software, testing each one to see which would slip through unnoticed (or not get blocked). Often, they’d use exactly the same tools already trusted by the target or their service provider, such as ScreenConnect or AnyDesk.

It’s like they arrived at the front door with a ring full of keys, trying each one until something clicked. And when the tool they use is something the environment already knows — already trusts — the question becomes: how do you spot the intruder when they’re using your own keys?

How do you detect something that looks normal?

Let’s go back to Elena. Her team stopped the attack not just because of the alert, but because they knew what should be running on that workstation. They had clear asset inventories and network behavior baselines, and they conducted continuous anomaly monitoring.

That’s really the heart of what works best when it comes to detecting these types of attacks:

  • Asset management: Know what’s installed and where. Know who owns what assets and what high-privileged accounts are for.
  • Behavioral baselining: Understand what “normal” looks like.
  • Continuous monitoring: Configure detections to catch known TTPs and subtle deviations from baselines.
  • Threat intel alignment: Use current trends like the DonPAPI surge to inform what you log and watch for. Talos’ blog and IR reports are great resources to keep up with industry trends.
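As an added illustration of the asset-inventory and baseline approach described above (example code written for this newsletter section, not anything from Talos), the following Python triages process-start events and flags remote-access tools that either are not in a host’s approved inventory or run outside the hours the IT team normally uses them. Only the tool names come from the text; the binary names, hostnames, baseline hours and events are constructed assumptions.

```python
"""Added example (not from the Talos post): flag RMM tool executions that
violate an asset inventory and a per-host behavioural baseline.

Assumptions (ours, not Talos'): process-start events arrive as dicts with
host, user, image path and an ISO timestamp; the inventory lists which
remote-access tools each host is approved to run; the baseline gives the
hours during which IT support normally uses them.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Tool names are the ones the newsletter mentions; binary names are assumed.
RMM_TOOLS = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "psexec.exe": "PsExec",
}

# Constructed inventory: which RMM tools each host is approved to run.
APPROVED = {
    "WS-ELENA-01": {"ScreenConnect"},
    "SRV-FILE-02": {"ScreenConnect", "PsExec"},
}

# Constructed baseline: IT support uses RMM tools during these hours.
BASELINE_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Finding:
    host: str
    tool: str
    reason: str
    when: str


def classify(event, approved=APPROVED, baseline=BASELINE_HOURS):
    """Return a Finding for an anomalous RMM execution, else None.

    Two questions are asked, in order: is this tool supposed to be on
    this host at all, and if so, is it running when it normally runs?
    """
    image = event["image"].rsplit("\\", 1)[-1].lower()
    tool = RMM_TOOLS.get(image)
    if tool is None:
        return None  # not a remote-access tool we track
    host = event["host"]
    if tool not in approved.get(host, set()):
        return Finding(host, tool, "tool not in approved inventory for host",
                       event["ts"])
    start, end = baseline
    when = datetime.fromisoformat(event["ts"]).time()
    if not (start <= when <= end):
        return Finding(host, tool, "approved tool running outside baseline hours",
                       event["ts"])
    return None


def triage(events):
    """Run classify over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T10:15:00", "host": "WS-ELENA-01", "user": "it-support",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2025-06-10T02:13:00", "host": "WS-ELENA-01", "user": "elena",
     "image": r"C:\Users\elena\AppData\Local\Temp\AnyDesk.exe"},
    {"ts": "2025-06-10T02:20:00", "host": "SRV-FILE-02", "user": "svc-backup",
     "image": r"C:\Windows\Temp\PsExec.exe"},
    {"ts": "2025-06-10T11:00:00", "host": "SRV-FILE-02", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.when} {f.host}: {f.tool} - {f.reason}")
```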

Bottom line

Whether it’s PsExec, DonPAPI or TeamViewer, attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations.

Detecting malicious use of legitimate tools isn’t just about recognizing what’s running. It’s about asking why it’s running.

Sometimes, the only difference between a routine operation and a breach is the analyst who stopped to ask: “Why was that tool running at 2:13 a.m.?”

Cisco Talos Blog – Read More

Famous Chollima deploying Python version of GolangGhost RAT

  • In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
  • In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
  • The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
  • Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 


Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of the GolangGhost trojan, which we call “PylangGhost.”

Fake job interview sites mislead users to PylangGhost infection 

Famous Chollima seeks financial benefit using a two-pronged approach: first, by posing as fake employers to get job seekers to expose their personal information, and second, by placing fake employees as workers in targeted victim companies.

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

Figure 3. A camera setup page displayed once questions are answered.

Finally, when the user requests camera access, the site displays instructions to copy, paste and execute a command that allegedly installs the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figures 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.

Figure 4. Windows instructions to copy, paste and execute a malicious command. 
Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix differ based on browser fingerprinting and are given in the appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.

PylangGhost – Python variant of GolangGhost 

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-WebRequest or curl to download a ZIP file containing the PylangGhost modules as well as a Visual Basic Script file. This script is responsible for unzipping the Python library stored in the file “lib.zip” and launching the trojan by running a renamed Python interpreter with the file “nvidia.py” as the Python program to run.

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable.

The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time a user logs onto the system, generates a GUID for the system to be used in communication with the command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.

Figure 8. “nvidia.py” executes the main loop for communication with the C2 server.

The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets such as Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command | Functionality
--- | ---
qwer | COMMAND_INFORMATION – collect information about the infected system: username, OS version, etc.
asdf | COMMAND_FILE_UPLOAD – file upload
zxcv | COMMAND_FILE_DOWNLOAD – file download
vbcx | COMMAND_OS_SHELL – launch an OS shell for remote access and control of the infected system
ghdj | COMMAND_WAIT – sleep for a number of seconds specified by the C2 server
r4ys | COMMAND_AUTO – browser information stealing command
89io | AUTO_CHROME_GATHER_COMMAND – subcommand of the browser information stealer command
gi%# | AUTO_CHROME_COOKIE_COMMAND – subcommand of the browser information stealer command
dghh | COMMAND_EXIT

Table 1. Commands and functionalities.

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“api.py” implements the communications protocol with the C2 server. Traffic is carried over otherwise unencrypted HTTP, and the data in each HTTP packet is encrypted with the RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with a 16-byte MD5 checksum of the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by the encrypted data blob.
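To make the described packet layout concrete, here is an added Python parser (written for this newsletter, not Talos’ code nor the RAT’s) that verifies the 16-byte MD5, takes the 128-byte in-band RC4 key and decrypts the blob, which is exactly what a network analyst can do on captured traffic because the key travels with the packet. It assumes the MD5 covers key plus blob and that the 128 bytes are used directly as the RC4 key; the post states neither detail, and the sample message is constructed.

```python
"""Added example (not Talos' code nor the RAT's): parse and decrypt a C2
packet laid out as the post describes for PylangGhost's api.py:

    16-byte MD5 over the rest | 128-byte RC4 key | RC4-encrypted blob

Assumptions (ours): the MD5 covers key + blob, the 128 bytes are used
directly as the RC4 key, and the decrypted blob is the raw message.
"""
import hashlib
import os

MD5_LEN = 16
KEY_LEN = 128
HEADER_LEN = MD5_LEN + KEY_LEN  # 144 bytes precede the encrypted blob


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_packet(packet: bytes) -> bytes:
    """Validate the checksum and return the decrypted payload.

    Raises ValueError when the packet is too short or the MD5 does not
    match, so a truncated or unrelated HTTP body is rejected instead of
    being 'decrypted' into garbage.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 144-byte header")
    digest, rest = packet[:MD5_LEN], packet[MD5_LEN:]
    if hashlib.md5(rest).digest() != digest:
        raise ValueError("MD5 checksum mismatch")
    key, blob = rest[:KEY_LEN], rest[KEY_LEN:]
    return rc4(key, blob)


def looks_like_packet(body: bytes) -> bool:
    """Structural check for a captured HTTP body. Because the checksum is
    computed over data that includes the key itself, the layout can be
    verified with no secret at all, which makes it usable as a network
    detection hint for this protocol."""
    try:
        parse_packet(body)
        return True
    except ValueError:
        return False


def build_packet(payload: bytes, key: bytes = b"") -> bytes:
    """Assemble a packet in the described layout; used here only to
    construct a test sample for the parser."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be 128 bytes")
    rest = key + rc4(key, payload)
    return hashlib.md5(rest).digest() + rest


# Constructed sample: a made-up message (the "qwer" command string comes
# from Table 1), a fixed key, and no real C2 traffic involved.
SAMPLE_PAYLOAD = b'{"cmd":"qwer","guid":"00000000-0000-0000-0000-000000000000"}'
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_PACKET = build_packet(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET))
    print(looks_like_packet(b"GET / HTTP/1.1\r\n" + b"\x00" * 200))
```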

Finally, “util.py” handles the compression and decompression of files. 

Comparison of Python and Golang modules 

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module | Python name | Golang name
--- | --- | ---
Main function module | nvidia.py | cloudfixer.go
Configuration module | config.py | config/constans.go
Main command loop | nvidia.py | core/loop.go
Command handlers | command.py | core/loop.go
Browser stealer functionality | auto.py | auto/* modules
File compression | util.py | util/compress.go
Base64 message encoding | command.py | command/stackcmd.go
Duplicate process check | nvidia.py | instance/check.go
Communications protocol | api.py | transport/htxp.go

Table 2. Comparison of Python and Golang RAT module names.

Coverage  

Ways our customers can detect and block this threat are listed below.  


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

IOCs 

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – Read More

Why Businesses Are at Risk of Android Malware Attacks and How to Detect Them Early

It usually starts with something small: an app download, a strange text message, a tap on the wrong link. But when that device is also connected to company email, Slack, or cloud storage, it’s no longer just a personal problem. 

Android malware has become a serious risk for businesses. Attackers know mobile devices are often the easiest way into a company’s internal systems, and they’re getting better at using that to their advantage. 

Let’s take a closer look at why businesses are exposed, the kinds of risks these attacks create, and why it’s worth addressing them before they hit you first. 

When Phones Become Attack Vectors against Businesses 

Here are some of the most common and dangerous ways Android malware can put your business at risk: 

1. Employee Devices with Work Access Get Infected 

Personal phones are often used to check work emails, join internal chats, or access shared drives. If an employee installs a malicious app or clicks a phishing link, malware can sneak in and quietly start stealing data without triggering corporate security alerts. 

2. Compromised MFA and Authenticator Apps 

Many employees use their phones for two-factor authentication. If malware gains access to these apps, it can intercept or extract one-time codes, letting attackers bypass logins that were supposed to be protected. 

3. Phishing Through Messaging Apps 

Attackers are getting smarter about how they deliver malware. A casual-looking message via SMS, WhatsApp, or Telegram can include a link that installs malware or tricks someone into giving away credentials. 

4. Sideloaded Apps from Untrusted Sources 

While Google Play has basic protections, sideloaded apps don’t. If an employee downloads something from a third-party site, it could be hiding spyware, screen recorders, or backdoors that give attackers long-term access. 

5. Malware Reaching Into Cloud Drives 

If a compromised phone is synced with cloud services like Google Drive or OneDrive, attackers may gain access to shared folders filled with contracts, reports, or customer data. 

Real-World Android Malware Attacks That Hit Businesses 

The risks of Android malware aren’t hypothetical. They are already out there, actively targeting mobile users. Let’s take a closer look at how these threats operate and what they look like when analyzed inside the safe environment of ANY.RUN’s Interactive Sandbox.

Salvador Stealer: Fake Banking App That Collects Sensitive Data in Real Time 

Some Android malware doesn’t need advanced tricks to be effective; it just needs to look trustworthy. Salvador Stealer is a perfect example. Masquerading as a legitimate banking app, it lures users into handing over their most sensitive information, then quietly sends it off to the attacker. 


Fake banking app analyzed inside ANY.RUN sandbox 

At first glance, it looks like just another banking app. But once launched, Salvador Stealer kicks off a multi-stage attack designed to harvest personal and financial data. Inside the sandbox, the full scope of its behavior becomes immediately clear; everything from fake interfaces to live credential theft is laid bare. 

Here’s what we observed inside ANY.RUN’s Android sandbox: 

  • The APK drops a second payload (base.apk), which acts as the real data stealer. 
The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity
  • A phishing-style login page embedded in the app tricks users into entering Aadhaar numbers, PAN cards, banking credentials, and more. 
The interface of the fake banking app displayed inside ANY.RUN Android sandbox 
  • As soon as data is entered, it’s exfiltrated in real time, sent simultaneously to a phishing site and a Telegram bot. 
Stolen data sent to phishing site 
  • SMS access is abused to intercept OTPs, allowing the attacker to bypass MFA protections. 
ANY.RUN sandbox exposes how attackers monitor and intercept incoming messages 
  • If the app is stopped or the device is rebooted, it restarts automatically, making removal difficult without deeper system access. 

Business Impact: How This Threat Could Compromise Financial Operations 

When malware like Salvador Stealer slips onto an employee’s phone, it doesn’t only steal personal information but can also open the door to your company’s financial systems. 

If that employee has access to payroll platforms, vendor payment portals, or internal banking credentials, the attacker could: 

  • Extract login tokens or session cookies from financial apps 
  • Capture 2FA codes via SMS interception to bypass login security 
  • Impersonate the employee and initiate unauthorized transactions 
  • Use stolen identity data (like PAN or Aadhaar) to access linked accounts 
  • Exfiltrate sensitive data synced with corporate drives or mobile finance apps 

Even worse, because Salvador uses multiple exfiltration channels and persistence mechanisms, it can continue collecting and forwarding data long after the initial infection without triggering most mobile security alerts. 



SpyNote: Remote Access Malware That Turns Phones into Listening Devices 

SpyNote is a remote access trojan (RAT) designed to turn infected phones into full-on surveillance tools. Disguised as a legitimate app, it silently gains deep access to the device and starts recording, tracking, and exfiltrating everything in the background. 


BBVA-branded SpyNote sample detonated inside ANY.RUN sandbox 

Once installed, SpyNote immediately requests Accessibility Service permissions, a common trick to quietly escalate privileges. That one tap is all it needs. From there, it clicks through remaining prompts on its own, granting itself dangerous capabilities without alerting the user. 

Permissions requested inside ANY.RUN sandbox 

Now the attacker can activate the microphone and cameras, record calls, track GPS location, and access contacts, files, and SMS, all silently. 

Audio capture technique exposed by interactive sandbox 

To see all the tactics and techniques used in this attack, you can click the “ATT&CK” button in the top-right corner of the ANY.RUN sandbox session. This instantly maps every malicious action to the MITRE ATT&CK framework, giving your team a clear breakdown of the attacker’s behavior, connected directly to the processes that triggered them. 

MITRE ATT&CK techniques used by attackers 

Business Risk: Surveillance on Corporate Phones 

SpyNote’s goal isn’t only to steal but also to observe. When installed on a phone used for work, the risks escalate fast. 

Think of what could be exposed: 

  • Internal meetings recorded via microphone 
  • Conversations in HR or legal teams captured via keylogs or screenshots 
  • GPS-tracked business travel or client visits 
  • Shared files, documents, and client data pulled from storage 
  • 2FA codes intercepted and forwarded to attackers 

The stealthy nature of SpyNote means an infected phone might remain under attacker control for weeks, gathering intelligence, watching operations, and quietly spreading further into your network. 

How ANY.RUN Helps You Detect and Respond Faster 

As you’ve seen with Salvador Stealer and SpyNote, Android malware can be stealthy, persistent, and devastating. These two samples used different methods (phishing, privilege escalation, surveillance), but both were fully exposed inside ANY.RUN’s interactive sandbox.

By analyzing malware in a real Android environment, ANY.RUN helps security teams see the full picture quickly and clearly. Instead of sifting through logs or relying on static reports, you can observe how threats behave in real time and understand their true intent in minutes. 

Here’s what that means for your business: 

  • Faster incident response: Spot and contain threats before they escalate into breaches or downtime 
  • Smarter decision-making: Understand the risk level and prioritize based on actual behavior, not guesses 
  • Clear communication: Visual reports and mapped behavior make it easier to explain threats to leadership or compliance teams 
  • Reduced investigation time: Automatically extract IOCs and behavioral data that would take hours to collect manually 
  • Stronger mobile security posture: Detect threats that specifically target mobile workflows, BYOD environments, and remote access apps 

ANY.RUN shows you what malware does and helps you act on it faster, defend your organization more effectively, and avoid costly consequences. 

Final Thoughts: Mobile Threats Need Real-Time Visibility 

Android malware is a growing threat to business continuity, security, and trust. From stolen credentials to full-device surveillance, these attacks demand more than traditional defenses. 

With ANY.RUN, your team can uncover malicious behavior in real time, trace how it works, and act before it spreads. 


The post Why Businesses Are at Risk of Android Malware Attacks and How to Detect Them Early appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

How to buy and connect a travel eSIM with Kaspersky eSIM Store | Kaspersky official blog

In today’s world, staying connected isn’t just a habit — it’s a necessity. We’re used to sharing beach photos on social media, keeping in touch with loved ones across time zones, and handling work from anywhere. All of this is possible if your smartphone has a reliable internet connection.

For years, the main barriers to seamless connectivity abroad were high roaming costs and the hassle associated with physical SIM cards, which you had to find, buy, activate, figure out how to top up, and swap out — risking losing your primary one in the process. With the invention of eSIMs (embedded digital SIM cards) — supported by most modern smartphones — the fuss with physical SIMs became a thing of the past. However, you still had to find a suitable, usually single-use, eSIM for the specific region you were visiting, and do it all over again for each trip.

The new Kaspersky eSIM Store is a game-changer for mobile internet, providing a simple way to find, pay for, and activate available mobile-data plans from local carriers worldwide. What’s more, you won’t have to buy and activate a new eSIM every time. Once you install it, you can use it indefinitely, connecting to data plans for different regions with the amount of data you need through a user-friendly app or website. Plus, with non-expiring Kaspersky eSIM Store plans, the mobile data you paid for doesn’t expire, which means any unused GBs will be there for you for your next trip. Let’s dive into the details…

What’s an eSIM?

First, let’s refresh our memory (or learn for the first time) what an eSIM — embedded SIM — is, and how it differs from traditional physical SIM cards.

Every cell phone has one or more slots for mini, micro, or nano-SIM cards. This small piece of plastic with contacts and a chip — essentially a microcomputer — stores GSM identification keys, which the given network uses to identify the subscriber. The SIM card can also store your contacts, SMS messages, lists of incoming, outgoing, and missed calls, as well as pre-installed carrier apps. However, the memory capacity of SIM cards is usually small, which limits their functionality.

But why not extract the chip from the plastic and install it into the phone directly? That’s exactly how eSIMs emerged in 2016. The data identifying the subscriber is no longer hardwired into the SIM card’s chip during manufacturing. Instead, it’s transmitted by the carrier to the subscriber in encrypted form and written to the eSIM on their device. Thanks to its larger memory capacity, an eSIM can store multiple carrier profiles, so you can have several virtual SIMs in your phone at once.

This doesn’t mean they’ll all work simultaneously, though. Most often, you can store multiple profiles and switch between them, but the upside is you don’t have to fiddle with swapping tiny pieces of plastic and risk losing them. Depending on the smartphone, one or more profiles can be active simultaneously.

What almost all modern smartphones allow you to do is choose which SIM to use for voice calls and text messages, and which for data. And this is one of the main advantages of eSIMs. To avoid huge roaming bills for mobile internet, you install Kaspersky eSIM Store on your smartphone, select your travel country or region, the plan type — either with a time limit or non-expiring — and the amount of data you need, then buy and activate the eSIM. If you buy the eSIM in advance, you can choose not to activate it immediately but schedule the desired activation date.

Installing and activating the eSIM takes a few minutes, and you can do it either in your destination country or at home. You’ll need a stable internet connection for this, so we recommend doing it beforehand. When you arrive at your destination, the eSIM will automatically connect to a local carrier — but don’t forget to enable roaming and switch data-transmission to the eSIM in your phone’s settings, following the instructions provided.

eSIMs acquired from Kaspersky eSIM Store don’t support voice calls — only data transmission. However, your regular SIM card stays in your phone, meaning you’ll still receive text messages and incoming calls. You don’t necessarily have to answer them while roaming, but you can always call back through messaging apps without breaking the bank on roaming. Now that’s handy!

You can find out if your smartphone supports eSIM on the Kaspersky eSIM Store website.

Benefits of the Kaspersky eSIM Store

Let’s talk about some of the not-so-obvious advantages of Kaspersky eSIM Store.

Privacy

Unlike traditional SIM cards, activating an eSIM requires neither an ID/passport, nor verification through local government services. Payment can be made in the mobile app or on the secure website. Thus, your personal and banking details won’t leak from some local SIM card stand.

Unified account

When you first use it, you’ll need to register on the website or in the app. But if you already have a My Kaspersky account, just link that, and you’ll be logged in automatically. In your personal account on the website or in the app, you can track your mobile data usage in real time, receive notifications when you’re about to run out of data, and instantly top up your eSIM with any amount of data you need.

You can track your mobile data usage in real time and instantly top up your eSIM

In some countries, a Smart Top-up feature is available. When your data balance drops below 100MB, we’ll automatically boost your eSIM with the same amount of data that you purchased earlier and extend your plan’s validity. That way, you won’t be caught off guard by a sudden loss of connectivity.

Value

Our wide selection of plans allows you to find the perfect fit. You can choose (i) a Local plan — valid in one of the 177 available countries and territories, (ii) one of nine Regional plans, or (iii) the Global plan — valid in 122 countries worldwide.

In the Kaspersky eSIM Store, you can choose between Local and Regional plans

Next, you can select the type of plan (Expiring or Non-expiring), specify how much data you need, and pay for it with your bank card in just a few clicks.

With Expiring plans, you need to use all your data within a fixed period, which is 30 days for most plans. With Non-expiring plans, your mobile data remains assigned to your account indefinitely. Even if you’ve bought too much data and haven’t been able to use it all up, or if you had to cut your trip short for some reason, you can use the remainder on your next journey to the same region.

With Expiring plans, you need to use all the data within a specific period; with Non-expiring plans, your data will wait patiently for your next journey

Planning

Conveniently, you can activate your eSIM immediately upon purchase — for example, if you’re already abroad — or postpone its activation to a specific date. By default, the eSIM starts working at the moment of purchase, and for Expiring plans, the validity period begins at that time too. However, if you like to plan and get everything ready in advance, you can buy a data plan ahead of time from home. At checkout, select the Schedule activation option, and specify your trip’s start date. If your plans change, you can alter the activation date even after purchase.

Rollover and flexibility

The issue with most travel eSIMs is that they’re effectively single-use. You buy it, install it, use it, and that’s it. You have to delete the eSIM from your phone and get a new one for your next trip. With Kaspersky eSIM Store, you buy the eSIM once, install it on your smartphone, and then connect different data plans to it as needed. Still, there’s nothing stopping you from buying more than one eSIM. For example, you could get one for each family member traveling with you. This way, you can monitor each person’s data usage in a single personal account (and remind your teens to go easy on the social media if they’re burning through their data too quickly!). Or, if you have an eSIM with remaining data on a Non-expiring plan for a specific country or region, but you’re heading to a different part of the world, you can simply purchase another eSIM for your new destination. If you frequently travel to the same few countries, it’s more cost-effective to set up multiple eSIMs, one for each country, and use a Non-expiring plan on each. That way, you won’t lose a single byte. Kaspersky eSIM Store provides all the flexibility you need for eSIM juggling.

Security

Let’s start with something we’ve covered in previous articles: when in a foreign country, it’s much safer to use mobile internet than to connect to public Wi-Fi, and here’s why. However, buying a local SIM card isn’t as easy as it seems. You need to find a mobile operator’s store (or a booth selling SIMs), navigate a dizzying array of plans often described in the local language, and make sure they’re not trying to push unnecessary services on you. Moreover, in most countries, you have to give the seller a copy of your passport to buy a SIM card. Are you sure you want to share your passport (and also maybe bank card details) with a stranger? And let’s not forget the difficulties of tracking remaining data and topping up local SIM cards.

That’s why using an eSIM — which doesn’t require a passport to purchase, offers clear and transparent pricing, comes with no hidden fees or unwanted add-ons, and processes payments through a secure connection — is really the smartest way to go. To further enhance your gadgets’ security while traveling, our robust protection will shield you from viruses, secure online payments, and warn you about connecting to unsafe networks. And for Android smartphone owners, it can even help locate a lost or stolen phone.

And Kaspersky VPN Secure Connection, included with a Kaspersky Premium subscription, or available separately, will encrypt your internet traffic — preventing interception, and helping you connect to banking sites, government services, or streaming platforms in your home country as if you never left it.

Kaspersky official blog – Read More

The true cost of open-source support in companies | Kaspersky official blog

According to the 2025 State of Open Source report, 96% of surveyed companies use open-source applications. Their wide selection, customization options, and zero licensing costs are highly appealing. However, more than half of the firms surveyed face significant challenges with ongoing maintenance of open-source apps. A staggering 63% struggle to keep solutions updated and apply patches. Close behind are issues with cybersecurity, regulatory compliance, and the presence of end-of-life (EoL) open-source applications — meaning they’re no longer supported. So, how can you minimize the likelihood of these problems, and what should you look for when selecting open-source software (OSS) for implementation?

Updates and patches

Since updating OSS in good time is the most widespread problem, examine each OSS candidate for adoption from this perspective very carefully. It’s easy to check the frequency and scope of updates, as well as their content, right within the application’s public repository. Pay attention to how well-documented the updates are; what kinds of issues they resolve; what new features they add; how often minor fixes are released a few days or weeks after a major version; and how quickly bug-related requests are closed.

Standard tools like Git Insights, along with supplementary services such as Is it maintained?, Repology, and Libraries.io, can help answer these questions. Libraries.io immediately shows which outdated dependencies the current version uses.

Pay special attention to security-related updates. Are they released separately, or are they bundled with functionality updates? Typically, developers choose the latter path. In that case, you need to understand how long security updates might have been waiting for release.

In addition, assess how complex the process of installing updates is. Official documentation and support can be a starting point, but they aren’t enough. Thoroughly reviewing user community feedback will likely be more helpful here.

All of this will help you understand how much effort will go into maintaining the product. You’ll need to allocate internal resources for support. It’s not enough to simply assign responsibility; dedicated work hours will be required for these and related tasks.
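To make the repository checks described above repeatable, here is an added example (not from the article, and not a Kaspersky tool): a Python script that turns a project’s release history and advisory dates into the numbers a reviewer would look at: the median and maximum gap between releases, how many follow-up fixes land within 30 days of an x.y.0 release, what share of releases carry security fixes, and how long a security fix waited between advisory publication and a shipped release. Every tag, date and advisory id below is constructed sample data; in practice you would populate the two lists from the repository’s tags and its advisory page.

```python
"""Maintenance-cadence check on a constructed release history.

Added example (not from the original article): the release tags, dates
and advisory ids below are constructed sample data, not a real project's.
"""
from datetime import date, timedelta
from statistics import median

# Constructed sample release history: (tag, release date, carries a security fix)
SAMPLE_RELEASES = [
    ("v2.0.0", date(2024, 1, 10), False),
    ("v2.0.1", date(2024, 1, 18), False),
    ("v2.0.2", date(2024, 2, 2), True),
    ("v2.1.0", date(2024, 5, 6), False),
    ("v2.1.1", date(2024, 5, 9), False),
    ("v2.1.2", date(2024, 7, 30), True),
    ("v3.0.0", date(2024, 11, 20), False),
    ("v3.0.1", date(2024, 12, 1), True),
]

# Constructed advisories: (placeholder id, date published, release tag carrying the fix)
SAMPLE_ADVISORIES = [
    ("ADV-EXAMPLE-1", date(2024, 1, 25), "v2.0.2"),
    ("ADV-EXAMPLE-2", date(2024, 6, 1), "v2.1.2"),
    ("ADV-EXAMPLE-3", date(2024, 11, 28), "v3.0.1"),
]


def parse_version(tag):
    """'v2.1.0' -> (2, 1, 0); a trailing 0 marks a major/minor (x.y.0) release."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def release_intervals_days(releases):
    """Days between consecutive releases, in date order."""
    dates = sorted(d for _, d, _ in releases)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def followup_fixes_within(releases, window_days=30):
    """How many releases followed an x.y.0 release within window_days.

    A high count means new versions routinely need quick corrections."""
    ordered = sorted(releases, key=lambda r: r[1])
    count = 0
    for tag, released, _ in ordered:
        if parse_version(tag)[-1] != 0:
            continue
        limit = released + timedelta(days=window_days)
        count += sum(1 for _, later, _ in ordered if released < later <= limit)
    return count


def security_patch_lag_days(releases, advisories):
    """Per advisory: days from publication to the release that ships the fix.

    None means the fix tag is not in the release list, i.e. still waiting."""
    released_on = {tag: d for tag, d, _ in releases}
    lags = []
    for adv_id, published, fix_tag in advisories:
        fixed = released_on.get(fix_tag)
        lags.append((adv_id, (fixed - published).days if fixed else None))
    return lags


def summarize(releases=SAMPLE_RELEASES, advisories=SAMPLE_ADVISORIES):
    intervals = release_intervals_days(releases)
    lag_table = security_patch_lag_days(releases, advisories)
    lags = [lag for _, lag in lag_table if lag is not None]
    return {
        "releases": len(releases),
        "median_release_interval_days": median(intervals),
        "max_release_gap_days": max(intervals),
        "followup_fixes_within_30d": followup_fixes_within(releases),
        "security_release_share": round(sum(1 for *_, sec in releases if sec) / len(releases), 3),
        "median_security_lag_days": median(lags) if lags else None,
        "max_security_lag_days": max(lags) if lags else None,
        "advisories_without_fix": sum(1 for _, lag in lag_table if lag is None),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The `advisories_without_fix` counter is the one to watch: a published advisory whose fix tag never appears among the releases is exactly the “security update waiting for release” case the text warns about, and a large `max_security_lag_days` tells you how long that wait has historically been.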

Vulnerabilities

To accurately predict how often you’ll face cybersecurity issues, it’s best to evaluate the product’s engineering culture and cybersecurity hygiene from the get-go. While this can be labor-intensive, you can use automated tools to perform an initial, high-level analysis.

For popular products and packages, a good approach is to check already existing heuristic assessment results from tools like OpenSSF Scorecard. It provides a variety of cybersecurity hygiene data, ranging from the number of unpatched vulnerabilities and the presence of security policies to the use of fuzzing and dependency pinning.

In addition, examine public vulnerability databases like NVD and GitHub advisories to understand how many flaws have been discovered in the project, their criticality, and how quickly they were fixed. A high number of vulnerabilities in and of itself may indicate the project’s popularity rather than poor development practices. However, the types of defects and how developers have responded to them are what’s truly important.

Dependencies and supply chain

Nearly every OSS project relies on third-party open-source components, which are often undocumented. These components are updated as per their own schedules, and they can contain bugs, vulnerabilities — even malicious code. The key question here is how quickly patched component updates make their way into the project you’re considering.

To assess this, you’ll need SBOM (software bill of materials) or SCA (software composition analysis) tools. Available open-source solutions like OWASP Dependency-Check or Syft can build a project’s dependency tree, but these are usually designed for projects already in operation, deployed in your own repositories or container images. Therefore, a deep dive into dependency analysis is best performed on a product that has already passed the preliminary evaluation and is a serious contender for a place in your infrastructure.

Examine the list of dependencies thoroughly to determine if they’re sourced from trusted and well-vetted repositories, if they’re popular, and if they have digital signatures. Essentially, you’re assessing the risks of their being compromised.

While you could theoretically check for vulnerabilities in dependencies manually, if an OSS project is already deployed in a test environment, it’s much more straightforward to use tools like Grype.

A huge hidden challenge is monitoring updates. In theory, every dependency update for a project needs to be re-checked. In practice, this is only feasible with automated scanners; other approaches are simply too expensive.

If a project uses outdated dependencies and generally isn’t ideal from a cybersecurity standpoint, it’s obviously better to look for an alternative. But what if the business insists on a specific solution because of its core functionality? The answer is the same as always: conduct a deeper risk analysis, develop compensating controls and, most importantly, allocate significant resources for ongoing maintenance. Internal resources are often insufficient, so it’s wise to evaluate options for professional technical support for that specific product from the outset.

Compliance with internal and regulatory requirements

If regulatory policies that apply to your company cover your chosen software and the data within it, develop a plan for compliance audits right away. Very large enterprise-grade open-source applications sometimes come with supporting documentation that can simplify certain types of audits. If not, you’ll have to develop it all yourself, which again means allocating significant time and resources.

Nearly every piece of software in every industry will require a license compliance audit. Some open-source components and applications are distributed under restrictive licenses, like AGPL, which limit how you can distribute and use the software. Thanks to SBOM/SCA analysis, you can inventory all licenses for your software and its dependencies, and then verify that your use case doesn’t violate any of them. These processes can be largely automated with specialized tools such as the OSS Review Toolkit, but the automation will require clear policies and effort from your development team.
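The dependency checks from the previous section and the license inventory described here can be run from the same SBOM. As an added example (not the article’s code and not Syft’s, Grype’s or the OSS Review Toolkit’s), the Python below reads a constructed CycloneDX 1.5 document of the kind an SBOM generator emits, compares each pinned component against a constructed advisory list, flags licenses on a deny list (AGPL here), and reports components that lack a version, a purl or a hash and therefore cannot be vetted at all. Package names, versions, hashes and advisory ids are all made up.

```python
"""SBOM triage on a constructed CycloneDX document.

Added example, not the article's code: every package name, version,
advisory id and hash below is constructed sample data.
"""
import json

# Constructed CycloneDX 1.5 SBOM, trimmed to the fields the checks need.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "httpclient-example", "version": "2.25.0",
         "purl": "pkg:pypi/httpclient-example@2.25.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "yaml-parser-example", "version": "1.2.0",
         "purl": "pkg:pypi/yaml-parser-example@1.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "fastlib-example", "version": "",
         "licenses": [{"expression": "MIT OR BSD-2-Clause"}]},
        {"type": "library", "name": "imaging-example", "version": "3.1.0",
         "purl": "pkg:pypi/imaging-example@3.1.0",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
    ],
})

# Constructed advisory list: package, ecosystem, first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-100", "package": "httpclient-example", "ecosystem": "pypi", "fixed_in": "2.31.0"},
    {"id": "ADV-EXAMPLE-101", "package": "imaging-example", "ecosystem": "pypi", "fixed_in": "3.0.0"},
]

# License policy: SPDX ids the organisation does not allow in this product.
DENIED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later"}


def version_key(version):
    """'2.25.0' -> (2, 25, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            if "license" in entry:   # single SPDX id or a free-text name
                licenses.append(entry["license"].get("id") or entry["license"].get("name", ""))
            elif "expression" in entry:  # SPDX expression such as "MIT OR BSD-2-Clause"
                licenses.append(entry["expression"])
        comps.append({"name": c.get("name", ""), "version": c.get("version", ""),
                      "purl": c.get("purl", ""), "licenses": licenses,
                      "has_hash": bool(c.get("hashes"))})
    return comps


def ecosystem_of(purl):
    """pkg:<type>/<name>@<version> -> <type>, the package ecosystem."""
    return purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""


def vulnerable_components(comps, advisories):
    hits = []
    for c in comps:
        if not c["version"]:
            continue  # unpinned: nothing to compare, reported by integrity_gaps instead
        for adv in advisories:
            same_pkg = adv["package"] == c["name"]
            same_eco = not c["purl"] or ecosystem_of(c["purl"]) == adv["ecosystem"]
            if same_pkg and same_eco and version_key(c["version"]) < version_key(adv["fixed_in"]):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits


def license_findings(comps, denied=DENIED_LICENSES):
    denied_hits, unlicensed = [], []
    for c in comps:
        if not c["licenses"]:
            unlicensed.append(c["name"])
        for lic in c["licenses"]:
            tokens = lic.replace("(", " ").replace(")", " ").split()
            if any(tok in denied for tok in tokens):
                denied_hits.append((c["name"], lic))
    return denied_hits, unlicensed


def integrity_gaps(comps):
    """Components that cannot be traced to a source or verified: no version, purl or hash."""
    gaps = {}
    for c in comps:
        checks = (("version", c["version"]), ("purl", c["purl"]), ("hash", c["has_hash"]))
        missing = [label for label, present in checks if not present]
        if missing:
            gaps[c["name"]] = missing
    return gaps


def assess(sbom_text=SAMPLE_SBOM, advisories=SAMPLE_ADVISORIES, denied=DENIED_LICENSES):
    comps = parse_sbom(sbom_text)
    denied_hits, unlicensed = license_findings(comps, denied)
    return {"components": len(comps), "vulnerable": vulnerable_components(comps, advisories),
            "denied_licenses": denied_hits, "unlicensed": unlicensed,
            "integrity_gaps": integrity_gaps(comps)}


if __name__ == "__main__":
    print(json.dumps(assess(), indent=2))
```

Two design points worth noting: an unpinned component is not silently treated as safe but shows up under `integrity_gaps`, because a version you cannot compare is a dependency you cannot vet; and a component with no license entry at all is reported separately from a denied license, since in an audit “unknown” is a finding in its own right rather than a pass.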

Support costs

After analyzing all these aspects, you should have a clear picture allowing you to compare different approaches to application support. For support by an in-house team, you’ll need to allocate hours of relevant specialists. If your team doesn’t have the necessary expertise, you’ll have to hire someone. Those primarily responsible for OSS support and security will also need time and a budget for constant ongoing professional development.

If your internal team’s resources are insufficient for support (due to limited staff or expertise), there are at least two types of professional outsourced technical support: firms like Red Hat, which specialize in application operations, and managed hosting providers for specific applications (Kube Clusters, MongoDB Atlas, and the like).

Beyond time and expertise, the cost and complexity of technical support are also influenced by the organization’s overall readiness for widespread open-source adoption:

  • Does your cybersecurity team have vulnerability scanners and risk management tools that are well-adapted to OSS?
  • Do your IT asset tracking and monitoring tools support OSS projects and components?
  • For in-house development teams, are image, repository, and other code source scanning processes included in your CI/CD pipeline? Specialized security solutions, such as Kaspersky Hybrid Cloud Security, can automate this aspect.
  • Has your company developed a policy regulating OSS usage, and is there a clear understanding of who makes decisions and who is responsible for operational matters?

Furthermore, it’s crucial to consider the broad spectrum of open source risks, including abrupt project discontinuation, a proliferation of minor dependencies, and other supply-chain risks.

Kaspersky official blog – Read More

Know thyself, know thy environment

Welcome to this week’s edition of the Threat Source newsletter. 

This week, I’m coming to you from Cisco Live in San Diego where I’ve just talked to a room that some of you may have been in, so writing this feels a bit surreal. It’s really hard to try and write a cogent newsletter with all that’s happening in the world, some directly outside my door. To purposefully butcher Charles Dickens, “It was the worst of times, it was the even worse times.” Nevertheless, I’m persisting.  

I’ve had great conversations with so many smart people this week, but I was reminded once again that the most important tool you can leverage in protecting and securing your environment is knowing your environment and knowing yourself.  

Knowing your environment can and should be tooled and processed so that it can be repeatable. Continuing to know your environment requires constant vigilance and effort. Knowing yourself requires a level of introspection that is hard — and honestly, sometimes I just lift the rug and sweep my issues under it when I can’t tackle that negativity.  

I’ll give you an excellent example: every single thing I write would get flagged as AI. Everything. Why? I use an em dash (“—”) for roughly every four words I write — sometimes more, if I let it fly. It’s clear that I could never go back to school successfully, despite the comedy gold that it would produce. For those of you old enough to remember “Back to School” with Rodney Dangerfield, I think you can imagine. I don’t even want to talk about my kludgy code. Sure, it runs, but at what cost? 

So my advice? Do as I say, not as I do. Learn everything about your environment in a repeatable way, with a clear and documented process. Then analyze your own weaknesses in your work — let’s not try to make miracles happen — and identify chances for you to learn, fill the gaps in your skill set and then do it all over again. The bad guys are really good at learning your environment; make it as hard for them as you can. 

The one big thing 

Cisco Talos recently disclosed several vulnerabilities across various software, including catdoc, Parallel, NVIDIA and High-Logic FontCreator. While most vulnerabilities were patched by their respective vendors, catdoc posed an exception as the vendor was unreachable, prompting Talos to provide patches directly.

Why do I care? 

These vulnerabilities highlight risks in widely used software, potentially exposing systems to attacks such as privilege escalation, memory corruption and data leaks. Understanding these risks is crucial to protect your systems. 

So now what? 

If you use these programs, update them immediately with the latest patches to protect yourself. If you’re on a security team, grab the latest Snort rules to detect possible exploits and keep an eye out for suspicious activity. And if you’re a developer, take notes from these vulnerabilities to strengthen your own code and avoid similar pitfalls in your projects. Security is everyone’s job!

Top security headlines of the week 

NHS in England calls for blood donors after ransomware attack
The UK’s National Health Service (NHS) is calling for one million donors after a Qilin ransomware attack last summer caused a severe shortage of O-negative blood. (Cybernews)

Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders. (The Register)

Google fixes bug that could reveal users’ private phone numbers 
A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. (TechCrunch)

SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords 
Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. (The Hacker News)

Can’t get enough Talos? 

Microsoft Patch Tuesday for June 2025 
Microsoft has released its monthly security update, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

PathWiper targeting Ukrainian critical infrastructure 
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” Learn more.

Upcoming events where you can find Talos 

  • REcon (June 27 – 29) Montreal, Canada 
  • NIRMA (July 28 – 30) St. Augustine, FL 
  • Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 
MD5: 3e10a74a7613d1cae4b9749d7ec93515 
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
Typical Filename: IMG001.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Coinminer::1201 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection   

SHA 256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F 
MD5: 44d88612fea8a8f36de82e1278abb02f 
VirusTotal: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection
Typical Filename: eicar.com-42987 
Detection Name: eicarTestFile 

Cisco Talos Blog – Read More

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

catdoc zero-day vulnerabilities 

Discovered by Ali Rizvi-Santiago of Cisco Talos.    

The catdoc program pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. Because the vendor was unreachable, Debian will be merging our patches into their distribution: https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability in the OLE Document File Allocation Table Parser functionality of catdoc 0.95, and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption in either case, and an attacker can provide a malicious file as a trigger. 

Parallel integer overflow vulnerability  

Discovered by KPC of Cisco Talos.    

Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). An attacker can exploit it to write to arbitrary files, potentially leading to privilege escalation.

There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).

  • TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
  • TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
  • TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.

NVIDIA integer overflow vulnerability  

Discovered by Dimitrios Tatsis of Cisco Talos.    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard `objdump` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 

High-Logic out-of-bounds read vulnerability  

Discovered by KPC of Cisco Talos.    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. 

Cisco Talos Blog – Read More

Integrate Threat Intelligence Feeds via TAXII Protocol 

ANY.RUN’s Threat Intelligence Feeds (TI Feeds) provide security teams with exclusive intel on threats targeting 15,000 companies worldwide. With TAXII protocol, you can safely and easily reinforce your company’s proactive detection with TI Feeds.  

Why Use TAXII for TI Feeds? 

TAXII (Trusted Automated eXchange of Indicator Information) allows for swift and comfortable delivery of threat intelligence feeds. It’s a popular standard acknowledged for its security and usability. 

TI Feeds are available for integration with the support of TAXII protocol. With this combo, you’ll achieve: 

  • Secure and Standardized Data Exchange: TAXII provides a secure framework for transferring threat intelligence.  
  • Customizable Data Delivery: TAXII allows you to tailor the data you receive, whether it’s all available IOCs or specific types like IPs, URLs, or domains.


How ANY.RUN’s TI Feeds Strengthen Businesses’ Proactive Security 

TI Feeds empower your SOC with actionable intelligence to proactively monitor and prevent threats, mitigating breach risks and associated costs.  

With ANY.RUN, MSSP companies get to stand out among competitors by enriching their infrastructure with data on real threats targeting companies across industries. 

Integrate TI Feeds into your system for easy access to all of their perks: 

  • Detect Threats Early: Access high-quality indicators from threat investigations across 15,000 organizations worldwide to proactively identify and prevent threats from compromising your systems. 
  • Minimize False Positives: The feeds are pre-processed to ensure indicators are reliable and false positive rate is near-zero. 
  • Accelerate Response through Automation: Automatically block malicious IPs, flag related logs, or trigger playbooks based on TI Feeds’ data to reduce manual workload and enable faster reactions.  
  • Gain Better Attack Visibility: Our indicators of compromise come with extensive metadata, as well as links to related sandbox sessions for further analysis. 
  • Simplify Setup: In addition to TAXII protocol support, we offer API and SDK to deliver ANY.RUN’s feeds in a structured, easy-to-use format—STIX or MISP.

TI Feeds & TAXII: How It Works 

Integration through the TAXII protocol is available to all users with paid plans. You can easily set up TI Feeds as a TAXII endpoint in your system, be that a SIEM, TIP, EDR/XDR, NGFW, or other security operations solution.  

Upon connection to ANY.RUN’s TAXII server, your system automatically receives fresh threat intelligence. Check out what our feeds look like by downloading a sample in STIX or MISP format.  


After that, your infrastructure will be enriched with uniquely sourced threat data, adding to its efficiency. Feeds will be ready for further processing: you can determine correlations, launch playbooks, and more. 
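What a consumer on the receiving end actually does with a TAXII 2.1 feed, as an added example that is not ANY.RUN’s code: the Python below issues one request to a collection’s objects endpoint (the api_root, collection id and bearer-token authorization are placeholders; take the real values and auth scheme from the vendor’s documentation) and parses the TAXII envelope, turning STIX indicator patterns into per-type IOC lists while skipping expired indicators and objects that are not indicators. The envelope embedded in the script is constructed sample data built on documentation-reserved addresses, so the parsing runs offline.

```python
"""TAXII 2.1 envelope consumer on a constructed sample.

Added example, not ANY.RUN's code. The server URL, collection id and
bearer-token auth in fetch_page() are placeholders; the envelope below
is constructed sample data (documentation-reserved IPs and domains).
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Constructed TAXII 2.1 envelope as returned by a collection's objects endpoint.
SAMPLE_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2025-06-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2025-06-02T00:00:00Z",
         "pattern": "[domain-name:value = 'malicious.example' OR url:value = 'http://malicious.example/p.bin']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2025-06-03T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2024-12-01T00:00:00Z",
         "valid_until": "2025-01-01T00:00:00Z",  # already expired at SAMPLE_NOW
         "pattern": "[ipv4-addr:value = '198.51.100.9']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "constructed-sample", "is_family": False},
    ],
})
SAMPLE_NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# STIX comparison expressions that are flattened into IOC lists.
OBSERVABLE_TYPES = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}
COMPARISON = re.compile(
    r"(ipv4-addr:value|domain-name:value|url:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_envelope(text, now=SAMPLE_NOW):
    env = json.loads(text)
    iocs = {kind: [] for kind in OBSERVABLE_TYPES.values()}
    skipped = {"expired": 0, "not_indicator": 0, "unsupported_pattern": 0}
    for obj in env.get("objects", []):
        if obj.get("type") != "indicator":
            skipped["not_indicator"] += 1
            continue
        if obj.get("pattern_type", "stix") != "stix":  # e.g. snort or yara patterns
            skipped["unsupported_pattern"] += 1
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            skipped["expired"] += 1
            continue
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            iocs[OBSERVABLE_TYPES[path]].append(value)
    return {"iocs": iocs, "skipped": skipped, "more": bool(env.get("more")), "next": env.get("next")}


def fetch_page(api_root, collection_id, api_key, added_after=None, next_token=None):
    """One TAXII 2.1 objects request (network call; all arguments are placeholders).

    Persist the X-TAXII-Date-Added-Last header and pass it back as added_after
    on the next poll so the feed is consumed incrementally; while the envelope
    says more=True, pass its next value as next_token to fetch the next page.
    """
    params = {k: v for k, v in (("added_after", added_after), ("next", next_token)) if v}
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={
        "Accept": TAXII_MEDIA_TYPE,
        "Authorization": f"Bearer {api_key}",  # assumption: the real scheme comes from vendor docs
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8"), resp.headers.get("X-TAXII-Date-Added-Last")


if __name__ == "__main__":
    print(json.dumps(parse_envelope(SAMPLE_ENVELOPE), indent=2))
```

The `valid_until` check matters when these lists feed a blocklist: an indicator the provider has already retired should drop out of your firewall or SIEM rules rather than accumulate, and the `skipped` counters make it visible when a feed starts delivering pattern types your pipeline does not handle.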


About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 


ANY.RUN’s Cybersecurity Blog – Read More