How scammers have mastered AI: deepfakes, fake websites, and phishing emails | Kaspersky official blog

While AI presents endless new opportunities — it also introduces a whole array of new threats. Generative AI allows malicious actors to create deepfakes and fake websites, send spam, and even impersonate your friends and family. This post covers how neural networks are being used for scams and phishing, and, of course, we’ll share tips on how to stay safe. For a more detailed look at AI-powered phishing schemes, check out the full report on Securelist.

Pig butchering, catfishing, and deepfakes

Scammers are using AI bots that pretend to be real people, especially in romance scams. They create fabricated personas and use them to communicate with multiple victims simultaneously to build strong emotional connections. This can go on for weeks or even months, starting with light flirting and gradually shifting to discussions about “lucrative investment opportunities”. The long-term personal connection helps dissolve any suspicions the victim might have, but the scam, of course, ends once the victim invests their money in a fraudulent project. These kinds of fraudulent schemes are known as “pig butchering”, which we covered in detail in a previous post. While they were once run by huge scam farms in Southeast Asia employing thousands of people, these scams now increasingly rely on AI.

Neural networks have made catfishing — where scammers create a fake identity or impersonate a real person — much easier. Modern generative neural networks can imitate a person’s appearance, voice, or writing style with a sufficient degree of accuracy. All a scammer needs to do is gather publicly available information about a person and feed that data to the AI. And anything and everything can be useful: photos, videos, public posts and comments, information about relatives, hobbies, age, and so on.

So, if a family member or friend messages you from a new account and, say, asks to lend them money, it’s probably not really your relative or friend. In a situation like that, the best thing to do is reach out to the real person through a different channel — for example, by calling them — and ask them directly if everything’s okay. Asking a few personal questions that a scammer wouldn’t be able to find online or even in your past messages is another smart thing to do.

But convincing text impersonation is only part of the problem — audio and video deepfakes are an even bigger threat. We recently shared how scammers use deepfakes of popular bloggers and crypto investors on social media. These fake celebrities invite followers to “personal consultations” or “exclusive investment chats”, or promise cash prizes and expensive giveaways.

And why wouldn't Jennifer Aniston be giving away a MacBook?

Social media isn’t the only place where deepfakes are being used, though. They’re also being generated for real-time video and audio calls. Earlier this year, a Florida woman lost US$15,000 after thinking she was talking to her daughter, who’d supposedly been in a car accident. The scammers used a realistic deepfake of her daughter’s voice, and even mimicked her crying.

Experts from Kaspersky’s GReAT found offers on the dark web for creating real-time video and audio deepfakes. The price of these services depends on how sophisticated and long the content needs to be — starting at just US$30 for voice deepfakes and US$50 for videos. Just a couple of years ago, these services cost a lot more — up to US$20 000 per minute — and real-time generation wasn’t an option.

The listings offer different options: real-time face swapping in video conferences or messaging apps, face swapping for identity verification, or replacing an image from a phone or virtual camera.

Scammers also offer tools for lip-syncing any text in a video — even in foreign languages, as well as voice cloning tools that can change tone and pitch to match a desired emotion.

However, our experts suspect that many of these dark-web listings might be scams themselves — designed to trick other would-be scammers into paying for services that don’t actually exist.

How to stay safe

  • Don’t trust online acquaintances you’ve never met in person. Even if you’ve been chatting a while and feel like you’ve found a “kindred spirit”, be wary if they bring up crypto, investments, or any other scheme that requires you to send them money.
  • Don’t fall for unexpected, appealing offers seemingly coming from celebrities or big companies on social media. Always go to their official accounts to double-check the information. Stop if at any point in a “giveaway”, you’re asked to pay a fee, tax, or shipping cost, or to enter your credit card details to receive a cash prize.
  • If friends or relatives message you with unusual requests, contact them through a different channel such as telephone. To be safe, ask them about something you talked about during your latest real-life conversation. For close friends and family, it’s a good idea to agree on a code word beforehand that only the two of you know. If you share your location with each other, check it and confirm where the person is. And don’t fall for the “hurry up” manipulation — the scammer or AI might tell you the situation is urgent and they don’t have time to answer “silly” questions.
  • If you have doubts during a video call, ask the person to turn their head sideways or make a complicated hand movement. Deepfakes usually can’t fulfill such requests without breaking the illusion. Also, if the person isn’t blinking, or their lip movements or facial expressions seem strange, that’s another red flag.
  • Never dictate or otherwise share bank-card numbers, one-time codes, or any other confidential information.

How to spot a video deepfake

An example of a deepfake falling apart when the head turns. Source

Automated calls

These are an efficient way to trick people without having to talk with them directly. Scammers are using AI to make fake automated calls from banks, wireless carriers, and government services. On the other end of the line is just a bot pretending to be a support agent. It feels real because many legitimate companies use automated voice assistants. However, a real company will never call you to say your account was hacked or ask for a verification code.

If you get a call like this, the key thing is to stay calm. Don’t fall for scare tactics like “a hacked account” or “stolen money”. Just hang up, and use the official number on the company’s website to call the genuine company. Keep in mind that modern scams can involve multiple people who pass you off from one to another. They might call or text from different numbers and pretend to be bank employees, government officials, or even the police.

Phishing-susceptible chatbots and AI agents

Many people now prefer to use chatbots like ChatGPT or Gemini instead of familiar search engines. What could be the risks, you might ask? Well, large language models are trained on user data, and popular chatbots have been known to suggest phishing sites to users. When they perform web searches, AI agents connect to search engines that can also contain phishing links.

In a recent experiment, researchers were able to trick the AI agent in the Comet browser by Perplexity with a fake email. The email was supposedly from an investment manager at Wells Fargo, one of the world’s largest banks. The researchers sent the email from a newly created Proton Mail account. It included a link to a real phishing page that had been active for several days but was yet to be flagged as malicious by Google Safe Browsing. While going through the user’s inbox, the AI agent marked the message as a “to-do item from the bank”. Without any further checks, it followed the phishing link, opened the fake login page, and then prompted the user to enter their credentials; it even helped fill out the form! The AI essentially vouched for the phishing page. The user never saw the suspicious sender’s email address or the phishing link itself. Instead, they were immediately taken to a password entry page given by the “helpful” AI assistant.

In the same experiment, the researchers used the AI-powered web development platform Loveable to create a fake website that mimicked a Walmart store. They then visited the site in Comet — something an unsuspecting user could easily do if they were fooled by a phishing link or ad. They asked the AI agent to buy an Apple Watch. The agent analyzed the fake site, found a “bargain”, added the watch to the cart, entered the address and bank card information stored in the browser, and completed the “purchase” without asking for any confirmation. If this had been a real fraudulent site, the user would have lost a chunk of change while they served their banking details on a silver platter to the scammers.

Unfortunately, AI agents currently behave like naive newcomers on the Web, easily falling for social engineering. We’ve talked in detail before about the risks of integrating AI into browsers and how to minimize them. But as a reminder, to avoid becoming the next victim of an overly trusting assistant, you should critically evaluate the information it provides, limit the permissions you give to AI agents, and install a reliable security solution that will block access to malicious sites.

AI-generated phishing websites

The days of sketchy, poorly designed phishing sites loaded with intrusive ads are long gone. Modern scammers do their best to create realistic fakes which use the HTTPS protocol, show user agreements and cookie consent warnings, and have reasonably good designs. AI-powered tools have made creating such websites much cheaper and faster, if not nearly instantaneous. You might find a link to one of these sites anywhere: in a text message, an email, on social media, or even in search results.

Credential input forms on scam sites imitating Tesla and Pantene

How to spot a phishing site

  • Check the URL, title, and content for typos.
  • Find out how long the website’s domain has been registered. You can check this with a domain-registration (WHOIS) lookup; very recently registered domains are a warning sign.
  • Pay attention to the language. Is the site trying to scare or accuse you? Is it trying to lure you in, or rushing you to act? Any emotional manipulation is a big red flag.
  • Enable the link-checking feature in any of our security solutions.
  • If your browser warns you about an unsecured connection, leave the site. Legitimate sites use the HTTPS protocol.
  • Search for the website name online and compare the URL you have with the one in the search results. Be careful, as search engines might show sponsored phishing links at the top of the page. Make sure there is no “Ad” or “Sponsored” label next to the link.
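As an added example (not code from the Kaspersky post), here is a small Python checker that applies the checklist above to a URL: it flags a non-HTTPS scheme, domains that are lookalikes of or embed a known brand, a domain registered only recently (a real WHOIS lookup needs network access, so the registration date is passed in), and pressure language in the page text. The brand list, the 90-day threshold, the two-edit lookalike distance and the phrase patterns are all assumptions chosen for the example.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Brands we expect to see impersonated (constructed list for the example).
KNOWN_BRANDS = {"tesla.com", "pantene.com", "walmart.com", "wellsfargo.com"}

# Phrases that signal the scare / accuse / rush manipulation the checklist warns about.
PRESSURE_PATTERNS = [
    r"\bact now\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
    r"\baccount (?:has been )?(?:suspended|locked|hacked)\b",
    r"\blast chance\b", r"\burgent\b", r"\bverify your (?:account|identity)\b",
]

MIN_DOMAIN_AGE_DAYS = 90   # assumption: anything younger is treated as suspicious
LOOKALIKE_MAX_EDITS = 2    # assumption: heuristic, will also flag some unrelated short names


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as tesIa.com vs tesla.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Assumption: no multi-part public suffixes (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url, page_text="", registered_on=None, today=None):
    """Run the checklist. Returns a list of (check, detail); an empty list means nothing flagged.

    registered_on / today are ISO dates ("2025-09-01") so the check runs offline.
    """
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)

    # Checklist item: legitimate sites use HTTPS.
    if parsed.scheme != "https":
        findings.append(("no_https", f"scheme is {parsed.scheme!r}"))

    # Checklist item: typos in the URL / brand impersonation.
    if domain not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            brand_name = brand.split(".")[0]
            if levenshtein(domain, brand) <= LOOKALIKE_MAX_EDITS:
                findings.append(("lookalike_domain", f"{domain} is within {LOOKALIKE_MAX_EDITS} edits of {brand}"))
            elif brand_name in host:  # e.g. tesla.login-secure.example
                findings.append(("brand_in_other_domain", f"{host} embeds {brand_name!r} but is not {brand}"))

    # Checklist item: how long has the domain been registered?
    if registered_on is not None:
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(registered_on)).days
        if age < MIN_DOMAIN_AGE_DAYS:
            findings.append(("young_domain", f"registered {age} days ago"))

    # Checklist item: emotional manipulation in the page text.
    for pat in PRESSURE_PATTERNS:
        if re.search(pat, page_text, re.IGNORECASE):
            findings.append(("pressure_language", pat))
            break
    return findings


if __name__ == "__main__":
    # Constructed sample: a typo-squat served over plain HTTP with scare wording.
    for item in assess_url("http://tesIa.com/login",
                           page_text="Your account has been suspended. Act now!",
                           registered_on="2025-09-01", today="2025-09-25"):
        print(item)
```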

Source: Kaspersky official blog

Great Scott, I’m tired

Welcome to this week’s edition of the Threat Source newsletter. 

“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I. 

I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?” 

I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.) 

But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen. 

Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects at the same time. He’d wrap “Back to the Future” at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later.

In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him. 

Sound familiar? 

That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.  

So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters. 

Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.  

That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.  

So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees. 

I want to echo the thoughts of my colleague Joe from last week’s newsletter: Burnout is brutal, and it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.  

Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you’re coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.  

In fact, write down just one thing that will help decompress you this week, and do that thing. Whether that’s less screen time, a short walk after dinner or playing a game.  

Just… give yourself permission, okay? As Doc Brown says: 

“The future is whatever you make it. So make it a good one.”

The one big thing 

Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they’re the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries. 

Why do I care? 

If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years. 

Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread. 

So now what? 

Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.

Top security headlines of the week 

Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation 
Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead)

U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area 
The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service)

European airport disruptions caused by ransomware attack  
ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek)

ChatGPT targeted in server-side data theft attack 
The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek)

Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks 
The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine)

SystemBC malware turns infected VPS systems into proxy highway 
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)

Can’t get enough Talos? 

The TTP: Threat Hunter’s Cookbook 
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

Engaging Cisco Talos Incident Response 
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements. 

Tampered Chef: When malvertising serves up infostealers  
Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.

Most prevalent malware files from Talos telemetry over the past week 


Source: Cisco Talos Blog

EDR or XDR — which does your company need? | Kaspersky official blog

The misconception that “we’re too small to be a target” is becoming less common these days. The numerous supply-chain attacks in recent years have shown that you don’t have to be the attackers’ ultimate target to face a sophisticated attack — all it takes is to have a major client or partner, or simply a broad customer base. That’s why many small and mid-sized businesses (SMBs) have long since adopted EDR solutions. Fortunately, the market offers modern EDR products that are accessible even to small companies and which aren’t particularly difficult to manage.

But is EDR functionality enough for your needs — or is it time to start considering XDR? To answer that, you need to ask yourself four more questions.

Is your cybersecurity team coping with the volume of alerts?

Any cybersecurity employee using an EDR console has to process an enormous number of endpoint alerts. A single incident can trigger hundreds of similar alerts; for example, when the same malicious file is detected on a hundred different endpoints. Each of these alerts consumes the time and attention of the cybersecurity specialist. This repetitive, exhausting work is a major cause of security team burnout.

With Kaspersky Next XDR Optimum, related alerts are grouped together, allowing operators to instantly see a more complete picture of the incident. Response actions can also be applied to all similar alerts with a single click instead of handling them one by one. This reduces the team’s workload and significantly cuts incident response time.

Do your experts have enough time to investigate incidents?

Let’s say your EDR solution detects malicious activity on one of your workstations. The logical response for an EDR operator is to isolate the device and thoroughly investigate it. But this takes time, and given a serious incident, time is the one thing you don’t have. First, it may not be immediately clear at what stage the attack was detected. The attackers may have already gained access to other endpoints. Second, a huge number of today’s attacks take place because of compromised corporate credentials. The operator can’t know whether an employee inadvertently opened a malicious email attachment — or whether an outsider logged in as that employee to attack the infrastructure. And if it’s the latter, they may try to gain access with the same username and password somewhere else.

Next XDR Optimum allows you to block users directly in Active Directory right from the alert card. This helps contain the attack, limit potential damage, and buy valuable time for a more thorough investigation.

Does your cybersecurity team have enough context when responding to threats?

An EDR alert tells the operator that a malicious file has been detected on a workstation so that they can start taking defensive actions. But sometimes that’s not enough. A malicious file might be just one part of a larger attack that would require a deeper investigation to detect and counter.

Next XDR Optimum gives operators access to the Kaspersky Cloud Sandbox, where suspicious files can be uploaded to an isolated cloud environment and safely analyzed to see what they actually do. The system helps create an indicator of compromise — allowing for a quick scan of the infrastructure for the same threat on other endpoints.

Are your employees sufficiently aware of cyberthreats?

Returning to the issue of alert overload: cybersecurity specialists working with an EDR system while investigating an incident sometimes find that the cause of the alert was human error — someone opened a malicious attachment in an email, or followed a link to a phishing web page. Experience shows that raising employee awareness significantly reduces the workload on cybersecurity teams in general, and the alert volume in particular. For this purpose, a well-designed educational program is more effective than lectures and occasional reminders.

This benefit isn’t directly related to XDR functionality; however, each Kaspersky Next XDR Optimum license includes targeted Kaspersky Security Awareness training for employees most likely to cause high-impact incidents (executives, members of finance teams, privileged users, and anyone who’s previously been a victim of social engineering). But most importantly, Next XDR Optimum allows the cybersecurity specialist to assign a relevant course to a user directly from the alert card — without interrupting the incident response. Experience shows that lessons learned immediately after a mistake that caused an incident are particularly memorable and useful, and so help prevent the same mistake being made again in the future.

If your cybersecurity team feels overwhelmed by alerts, or needs more management tools and threat context, it’s worth considering a move over to Kaspersky XDR Optimum. Migrating from Kaspersky EDR Optimum to XDR Optimum doesn’t require additional resources for deployment or staff retraining. And the slight increase in cost is far outweighed by the significant improvement in your company’s infrastructure security.

Source: Kaspersky official blog

ANY.RUN Sandbox & Microsoft Sentinel: Less Noise, More Speed for Your SOC

SOC teams may waste hours daily manually enriching alerts and switching between tools, delaying response. ANY.RUN’s Microsoft Sentinel Connector fixes this by introducing fast, accurate, and interactive sandbox analysis into Sentinel’s workflow, so alerts get auto-processed, enriched with IOCs, and prioritized in seconds.  

Here’s how you can speed up response times, filter out false positives, and focus on real threats without leaving your existing workspace. 

Maximize Your SOC’s Efficiency 

ANY.RUN’s sandbox helps SOCs process alerts by delivering fast, accurate verdicts

ANY.RUN’s Interactive Sandbox is a cloud-based solution offering security teams immediate, real-time access to Windows, Linux, and Android virtual environments for investigating suspicious files and URLs. 

With the Microsoft Sentinel connector, SOCs and MSSPs can automate triage and enrich alerts with actionable verdicts and IOCs to: 

  • Cut MTTR by up to 21 minutes per incident by eliminating manual steps and speeding up analysis. 
  • Boost threat detection by up to 36% thanks to ANY.RUN’s powerful capabilities to catch threats missed by standard security tools. 
  • Increase team productivity by up to 3x through automation to free up analysts for high-value tasks. 
  • Reduce alert overload, filtering false positives and prioritizing high-risk incidents. 
  • Detect and respond to attacks early with clear, actionable threat insights. 
  • Save resources and optimize costs by using your existing MS Sentinel setup without extra infrastructure expenses. 


To expand threat coverage further, security teams can also utilize ANY.RUN’s Threat Intelligence Feeds connector for Microsoft Sentinel.  

It supplies a continuous stream of fresh, actionable IOCs extracted from attack data across 15K SOCs around the world straight to your Microsoft Sentinel environment, helping you proactively detect the latest malware active right now. 


How ANY.RUN’s Sandbox Improves Microsoft Sentinel Workflows

SOCs can integrate ANY.RUN’s sandbox analysis into their workflows through playbooks

With the connector, SOC teams can analyze files and links right from Sentinel alerts: either with one click or automatically. You’ll instantly get the verdict, risk score, IOCs, and a link to the full analysis, while Sentinel’s threat database updates automatically.  

All analyses via the connector are launched in the Automated Interactivity mode. This means the sandbox will automatically perform the investigation, including by clicking links, opening files, and launching payloads on its own to ensure full attack detonation. 

As a result, security teams can: 

  • Automate alert enrichment by getting verdicts and IOCs to assess incidents quickly. 
  • Speed up and simplify triage with one-click analyses of files/attachments/links without the need for manual uploads or switching tools. 
  • Prioritize threats automatically by checking incidents’ severity for faster decision-making. 
  • Extract IOCs effortlessly, pulling IPs, domains, and hashes into Sentinel’s Threat Intelligence. 
  • Respond to incidents faster thanks to ready-made analysis results and reports enabling quicker containment and remediation. 

How to Set Up Malware Sandbox Connector for Microsoft Sentinel 

Follow the official instructions to connect ANY.RUN’s Interactive Sandbox with your Microsoft Sentinel workspace.

Please note that you need an API key for it to work. To receive your key, reach out to your account manager or request demo access as part of the 14-day trial.

About ANY.RUN   

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.   

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.   

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.   

Source: ANY.RUN’s Cybersecurity Blog

Lovense ignored app vulnerabilities for eight years | Kaspersky official blog

Our blog has covered vulnerabilities in some unusual gadgets — from smart mattress covers and robot vacuums to traffic signal audio buttons, children’s toys, pet feeders, and even bicycles. But the case we’re discussing today might just be the most… exotic yet. Recently, cybersecurity researchers uncovered two extremely serious vulnerabilities in the remote control apps for… Lovense sex toys.

Everything about this story is wild: the nature of the vulnerable gadgets, the company’s intention to take 14 months (!) to fix the problems, and the scandalous details that emerged after researchers published their findings. So let’s… get stuck right into this tale, which is as absurd as it is fantastic.

The Lovense online ecosystem

The first thing that makes this story so unusual is that Lovense, a maker of intimate toys, caters to both long-distance couples and cam models (human models that use webcams) working on streaming platforms.

To control devices and enable user interaction, the company has developed an entire suite of software products tailored for a variety of scenarios:

  • Lovense Remote: the main mobile app for controlling intimate devices.
  • Lovense Connect: a companion app that acts as a bridge between Lovense devices and other apps or online services. It’s installed on a smartphone or computer and allows a toy to connect via Bluetooth, and then relays control commands from external sources.
  • Lovense Cam Extension: a browser extension for Chrome and Edge that links Lovense devices with streaming platforms. It’s used with the Lovense Connect app and the OBS Toolset streaming software for interactive control during live broadcasts.
  • Lovense Stream Master: an all-in-one app for streamers and cam models combining device control features with live streaming functionality.
  • Cam101: Lovense’s online educational platform for models working on streaming sites.

Of course, this whole setup also includes APIs, SDKs, an internal platform for mini-apps, and more. In short, Lovense isn’t just about internet-connected intimate toys — it’s a full-fledged ecosystem.

Lovense Stream Master: a service for webcam models

UI of the Stream Master app, which combines device management and video streaming. Source

If you create an account in the Lovense infrastructure, you’re required to provide an email address. Whereas some services offer the option to sign in with Google or Apple, an email address is the primary sign-up method for a Lovense account. This detail might seem insignificant, but it’s at the core of the vulnerabilities that were discovered.

Two vulnerabilities in Lovense online products

So, how did this all unfold? In late July 2025, a researcher known as BobDaHacker published on his blog a detailed post about two vulnerabilities in Lovense’s online products. Many of the products (including Lovense Remote) have social-interaction features. These features allow users to chat, add friends, send requests and subscribe to other users, including people they don’t know.

While using the social-interaction features of one of the Lovense apps, BobDaHacker spotted the first vulnerability: when he disabled notifications from another user, the app sent an API request to the Lovense server. After examining the body of this request, BobDaHacker was surprised to find that, instead of the user’s ID, the request contained their actual email address.

Lovense API vulnerability exposing user emails

When a simple action (like disabling notifications) was performed, the app would send a request to the server that included another user’s real email address. Source

Upon further investigation, the researcher found that Lovense’s API architecture was designed so that for any action that concerned another user (like disabling their notifications), the app sends a request to the server. And in this request the user’s account is always identified by the real email address they signed up with.

In practice, this meant that any user who intercepted their own network traffic could get access to the real email addresses of other people on the app. It’s important to remember that the Lovense apps have social-interaction features and allow communication with cam models. In many cases, users don’t know each other outside of the platform, and exposing the email addresses linked to their profiles could lead to deanonymization.

BobDaHacker discussed his findings with another cybersecurity researcher named Eva, and together they examined the Lovense Connect app. This led them to discover an even more serious vulnerability: generating an authentication token in the app only required the user’s email address — no password was needed.

This meant that any technically skilled person could gain access to any Lovense user’s account — as long as they knew the user’s email address. And as we just learned, that address could easily be obtained by exploiting the first vulnerability.

Second vulnerability: account takeover using only an email address

To generate an authentication token in the Lovense app, only the user’s email was required — without the password. Source

These tokens were used for authentication across various products in the Lovense ecosystem, including:

  • Lovense Cam Extension
  • Lovense Connect
  • Stream Master
  • Cam101

Furthermore, the researchers successfully used this method to gain access to not only regular user profiles but also accounts with administrator privileges.
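To make the two flaws concrete, here is an added illustration in Python (not Lovense’s code; the account names, signing key and request shapes are constructed): the flawed variants reference other users by their real email and issue a token from an email alone, while the hardened variants use opaque IDs and verify the password before signing anything.

```python
"""Illustrative reconstruction of the two design flaws described above.
Added example; not Lovense's code. All names and data are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed server-side signing key


@dataclass
class User:
    email: str
    user_id: str          # opaque, random identifier safe to expose in API traffic
    password_hash: bytes
    salt: bytes


USERS_BY_EMAIL: Dict[str, User] = {}
USERS_BY_ID: Dict[str, User] = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


def register(email: str, password: str) -> User:
    """Create an account; the public identifier is random, not the email."""
    salt = secrets.token_bytes(16)
    user = User(email, secrets.token_urlsafe(16), _hash(password, salt), salt)
    USERS_BY_EMAIL[email] = user
    USERS_BY_ID[user.user_id] = user
    return user


# --- Flaw 1: naming another user by their real email in API requests ---
def mute_request_flawed(target: User) -> dict:
    """Request body shaped like the one in the post: target named by email."""
    return {"action": "mute", "target": target.email}


def mute_request_fixed(target: User) -> dict:
    """Hardened: other accounts are referenced only by an opaque ID."""
    return {"action": "mute", "target": target.user_id}


# --- Flaw 2: issuing an authentication token from an email alone ---
def _sign(user_id: str) -> str:
    mac = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def issue_token_flawed(email: str) -> Optional[str]:
    """No credential check: anyone who knows the email receives a token."""
    user = USERS_BY_EMAIL.get(email)
    return _sign(user.user_id) if user else None


def issue_token_fixed(email: str, password: str) -> Optional[str]:
    """Hardened: the password is verified before a token is signed."""
    user = USERS_BY_EMAIL.get(email)
    if user is None:
        return None
    if not hmac.compare_digest(_hash(password, user.salt), user.password_hash):
        return None
    return _sign(user.user_id)


def verify_token(token: str) -> Optional[User]:
    """Return the account a token belongs to, or None if it was tampered with."""
    user_id, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(mac, expected):
        return USERS_BY_ID.get(user_id)
    return None
```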

Lovense’s response to vulnerability reports

In late March 2025, BobDaHacker and Eva reported the vulnerabilities they’d discovered in Lovense products through The Internet Of Dongs Project — a group dedicated to researching and improving the security of internet-connected intimate devices. The following month, in April 2025, they also posted both vulnerabilities on HackerOne, a more traditional platform for engaging with security researchers and paying bug bounties.

Lovense, the adult-toy manufacturer, acknowledged the report and even paid BobDaHacker and Eva a total of $4000 in bounties. However, in May and then again in June, the researchers noticed the vulnerabilities still hadn’t been fixed. They continued talking to Lovense, which is when the most bizarre part of the story began to unfold.

First, Lovense told the researchers that the account takeover vulnerability had been fixed in April. But BobDaHacker and Eva checked and confirmed this was false: it was still possible to get an authentication token for another user’s account without a password.

The situation with the email disclosure vulnerability was even more absurd. The company stated it’d take 14 months to fully resolve the issue. Lovense admitted they had a fix that could be implemented in just one month, but they decided against it to avoid compatibility problems and maintain support for older app versions.

The back-and-forth between the researchers and the manufacturer continued for several more months. The company would repeatedly claim the vulnerabilities were fixed, and the researchers would just as consistently prove they could still access both emails and accounts.

Finally, in late July, BobDaHacker published a detailed blogpost describing the vulnerabilities and Lovense’s inaction, but only after giving the company advance notice. Journalists from TechCrunch and other outlets contacted BobDaHacker and were able to confirm that in early August — four months after the company was first notified — the researcher could still ascertain any user’s email address.

And that was far from the end of it. The most scandalous details were revealed to BobDaHacker and Eva only after their research was published.

A history of negligence: who warned Lovense and when

BobDaHacker’s work made waves across media, blogs, and social networks. As a result, just two days after the report was published, Lovense finally patched both vulnerabilities — and this time, it seems, for real.

However, it soon came to light that this story started long before BobDaHacker’s report. Other researchers had already warned Lovense about the very same vulnerabilities for years, but their messages were either ignored or hushed up. These researchers shared their stories with BobDaHacker and the publications that covered his investigation.

To truly grasp the extent of Lovense’s indifference to user security and privacy, you just need to look at the timeline of these reports:

  • 2023: a researcher known as @postypoo reported both bugs to Lovense, and was offered… two free adult toys in response, but the vulnerabilities were never fixed.
  • Also in 2023: researchers @Krissy and @SkeletalDemise discovered the account takeover vulnerability. Lovense claimed the issue had been fixed, and paid a bounty the same month. However, @Krissy’s follow-up message stating that the vulnerability was still present went unanswered.
  • 2022: a researcher named @radiantnmyheart discovered the bug that exposed emails, and reported it. The message was ignored.
  • 2017: the company Pen Test Partners reported the email exposure vulnerability and the lack of chat encryption in the Lovense Body Chat app, and published its study on this. The report was ignored.
  • 2016: The Internet Of Dongs Project identified three similar email exposure vulnerabilities.

This all means that Lovense asked BobDaHacker to give it 14 months to patch vulnerabilities it had known about for at least eight years!

What’s more, after BobDaHacker’s report was published, they heard not only from the ethical hackers who’d previously reported these bugs, but also from the creator of an OSINT website and their friends, who were anything but happy. These individuals had apparently been exploiting the vulnerabilities for their own purposes — specifically, harvesting user emails and subsequent deanonymization. This isn’t surprising though given that the Pen Test Partners report had been publicly available since 2017.

Protecting your privacy

Lovense’s approach to user privacy and security clearly leaves a lot to be desired — to put it mildly. Whether to continue using the brand’s devices after this — especially connecting them to the company’s online services — is a decision each user needs to make for themselves.

For our part, we offer some tips on how to protect yourself and maintain your privacy should you interact with adult online services.

  • Always create a separate email address when you register for these types of services. It shouldn’t contain any information that can be used to identify you.
  • Don’t use this email address for any other activities.
  • When registering, don’t use your real first name, surname, age, date of birth, city of residence, or any other data that could identify you.
  • Don’t upload real photos of yourself that could easily be used to recognize you.
  • Protect your account with a strong password. It should contain at least 16 characters and ideally include a mix of uppercase and lowercase letters, numbers, and special characters.
  • This password must be unique. Never use it for other services so you don’t put them at risk in the event of a data leak.
  • To avoid forgetting the password and email address you created specifically for this service, use a reliable password manager. KPM can also help you generate a random, strong, and unique password.

And if you want to be more… boned up when it comes to choosing adult toys and relevant services, we recommend looking at specialized resources like The Internet Of Dongs Project, where you can find information about brands that interest you.

Check out our other posts on how to protect your private life from prying eyes:


Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies

Telecommunications companies are the digital arteries of modern civilization. Compromise a major telecom operator, and you don’t just steal data — you gain the power to intercept communications, manipulate network traffic, and bring entire regions offline. 
 
Every day, ANY.RUN’s solutions process thousands of threat samples, and hidden within them are patterns of activity targeting telecom operators. Some are opportunistic, others are advanced and carefully orchestrated.   

In this report, we’ll walk through real-world attacks where threat actors weaponized telecom brand trust to launch attacks. We’ll also show how analysts can detect these threats, extract indicators of compromise (IOCs), and strengthen defenses. 

Key Takeaways 

  • Telecommunications under siege: The telecom sector faced sustained growth in malicious activity from May-July 2025, with 56% of observed APT campaigns targeting telecom and media companies.  
  • Brand impersonation is weaponized trust: Attackers systematically abuse telecom brand recognition, using familiar logos, official-looking domains, and corporate communication styles to bypass human skepticism and technical filters. 
  • Pattern recognition defeats mass campaigns: Simple YARA rules can expose large-scale operations.  
  • Tycoon2FA phishing kit remains active: The phishing framework designed to steal Microsoft credentials and bypass two-factor authentication is a critical concern for enterprise telecom environments. 
  • Interactive Sandbox reveals multi-stage attack progression: ANY.RUN’s Interactive Sandbox captured the complete attack flow from the initial PDF attachment to the final phishing page. This real-time analysis exposed the redirection chain from legitimate-looking emails to DGA-generated domains (xjrsel.ywnhwmard[.]es), enabling early detection before credentials could be harvested. 
  • Proactive hunting scales defense: Combining YARA Search with Threat Intelligence Lookup transforms reactive incident response into proactive threat hunting, enabling security teams to build comprehensive defense before attacks succeed. 

Recent Telecom Attack Dynamics 

Attacks on communication operators can disrupt critical services, lead to leaks of confidential information, and be used as a springboard for large-scale cyber espionage operations. 

According to Cyfirma, the telecommunications and media industries were targeted in 9 out of 16 observed APT campaigns in May–July 2025, accounting for 56% of all cases. The peak activity occurred in May, followed by a slight decline in June and a renewed increase in July. 

We at ANY.RUN have observed a steady increase in telecom-targeting attacks in May–July 2025. The Sandbox data shows a smoother continuous growth, reaching a maximum in July. This reflects the constant pressure of mass attacks. 

ANY.RUN’s data shows steady growth of telecom attacks 

In our Threat Intelligence Reports highlighting the activity of top APT groups, we also see an increased targeting of media and telecom campaigns in the recent attacks.  

Analysis of Threats Targeting a Major Telecom Holding 

Let’s take the perspective of an information security specialist at a huge British telecommunications holding company operating in approximately 180 countries and providing fixed-line, broadband internet, mobile communications, and pay-TV services. 

Our goal is to determine how attackers spread malware, which families they use, which indicators can be collected, and the frequency, dynamics, and technical details of the attacks.   

The results of a YARA rule scan 

We will start with Threat Intelligence Lookup, which allows SOC teams to navigate a database of live attack data from 15,000 organizations. Using TI Lookup’s YARA Search, we can create a simple rule to find all emails uploaded into the sandbox where the recipient field contains the holding’s domain. This allows us to identify malicious attachments and links aimed at its employees. 

As a result of executing the YARA rule, dozens of files were discovered containing addresses with the corporation’s domain in the recipient field. Each of these files was linked to one or more analyses in ANY.RUN’s Sandbox, which also featured this domain, confirming the presence of potentially significant malicious activity directed at company employees.



ANY.RUN’s Interactive Sandbox allows security analysts to safely execute suspicious files and observe their behavior in real-time, capturing network communications, file modifications, and malicious redirections before they can impact production systems. This controlled environment reveals attack chains from initial email delivery through credential harvesting attempts.

Let us analyze one of the found emails.  

View sandbox analysis of the malicious email 

A phishing email sample detonated in ANY.RUN’s Sandbox

A Phishing Message Through a SOC Analyst Lens 

On July 9, 2025, an email addressed to giova[xx.xx]stantini@[thedomain dot]com was uploaded to ANY.RUN. The sender was listed as Bt_Bt_xu86@ksi.com.pk with the display name “DocSgn.” The domain ksi[.]com[.]pk belongs to Khatib Sons International, a Pakistani metal company, and has no relation to the email content. Coupled with the “DocSgn” branding, this impersonated a well-known electronic document signature service to trick the recipient. 

View sandbox analysis of the email 

A phishing email with characteristic sender and subject

The subject line — “Re: Re: Completed: For Sales contract (h4nc)” — mimicked an ongoing conversation, a common social engineering tactic to reduce suspicion. 

The email contained a PDF attachment and a form with a “Review and Sign” button in the body, luring the recipient to view and sign a supposed document. 

Additionally, at least five similar emails were detected targeting other employees, with generic content not tailored to specific recipients — indicating a mass campaign. 

The redirect to a generated domain 

Clicking the “Review and Sign” button redirected the user to a fake Microsoft login page hosted on xjrsel.ywnhwmard[.]es, a domain resembling a DGA-generated address, a common indicator of phishing or malicious resources. 

This threat was identified as the Tycoon2FA phishing kit, known for spoofing Microsoft login pages and harvesting credentials. 



Network-Level Detection 

Suricata rules triggered on network activity associated with the Tycoon2FA kit. The alerts provided details such as MITRE ATT&CK technique T1566 (Phishing), the suspicious DGA-like domain, and connection metadata. 

Suricata rule with domain and telemetry data detected in the sandbox

That’s exactly how ANY.RUN’s solutions help detect threats early, exposing phishing attempts before they do damage.  

Searching for Similar Threats Targeting UK Companies 

Using ANY.RUN’s Threat Intelligence Lookup, we searched for samples uploaded from the UK containing the same PDF attachment. The query returned about 40 sandbox analyses, mostly from July 2025, including emails targeting a number of UK companies. 

sha256:”689cdb319d8cae155516d9f8ddfbd0c99de048252e84f529e0ccc538523a5eba” and submissionCountry:”GB” 

File hash TI Lookup search results 

We’ve also identified repeating sender address patterns across multiple phishing emails, indicating automated mass distribution. 

Sorting Out Emails with Specific Sender Pattern 

Many malicious emails sent to telecom companies have fixed patterns for forming sender addresses in the From field. The structure looks as follows: 

“._*” <*_*_*@*.com> 

The display name usually began with “._” followed by a word in capital letters. The email address repeated a word twice, separated by underscores, followed by random characters before the @, and ending in .com. 

Email with sender name generated with a specific pattern 

This structure strongly suggests automated mass phishing. 

Email with characteristic sender name from another campaign 

Such a pattern is highly likely created automatically for mass mailings, so it can be used as a basis for a filtering rule that blocks similar emails. 

A YARA rule was created to detect such emails in ANY.RUN’s database of malware samples. The rule revealed 16 files with the sender pattern, linked to multiple sandbox analyses. From these, we can extract senders’ addresses, email and attachment hashes, URLs, phishing domains, IPs, subjects, and other indicators. 

YARA rule for searching emails with the sender pattern

This data allows analysts to assess the relevance of the threat, determine its timeframe and target organizations and countries. Based on this, you can prioritize this threat for your company and add indicators to the detection and response systems. 
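The sender-address pattern described above, together with the recipient-domain check used for the first YARA search, expressed as a small Python triage routine. This is an added example rather than ANY.RUN’s YARA rule; the two raw messages, the sender address and the target domain holding.example are constructed for the demonstration.

```python
"""Added example, not ANY.RUN's YARA rule: the From-header pattern described
in the post, applied to constructed raw emails with Python's email parser,
plus the recipient-domain check from the first YARA search."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Display name: "._" followed by a word in capital letters.
DISPLAY_NAME_RE = re.compile(r"^\._[A-Z]+$")
# Local part: a word, the same word again, then random characters; domain ends in .com.
ADDRESS_RE = re.compile(r"^([A-Za-z]+)_\1_[A-Za-z0-9]+@[A-Za-z0-9.-]+\.com$")


def matches_sender_pattern(display_name: str, address: str) -> bool:
    """True when both the display name and the address fit the campaign pattern."""
    return bool(DISPLAY_NAME_RE.match(display_name.strip())
                and ADDRESS_RE.match(address.strip()))


def _addresses(msg: EmailMessage, header: str) -> List[Tuple[str, str]]:
    value = msg[header]
    return [(a.display_name, a.addr_spec) for a in value.addresses] if value else []


def triage(raw: bytes, target_domain: str) -> dict:
    """Flag a raw email and pull out the indicators an analyst would record."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    senders = _addresses(msg, "From")
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    suffix = "@" + target_domain.lower()
    # Attachment name and SHA-256, the hash being what TI Lookup pivots on.
    attachments = [
        (part.get_filename(), hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        for part in msg.iter_attachments()
    ]
    return {
        "senders": [addr for _, addr in senders],
        "subject": str(msg["Subject"] or ""),
        "targets_domain": any(addr.lower().endswith(suffix) for _, addr in recipients),
        "sender_pattern": any(matches_sender_pattern(n, a) for n, a in senders),
        "attachments": attachments,
    }


# Constructed sample modelled on the post's description; not a real message.
SAMPLE_PHISH = b"""From: "._SIGN" <contract_contract_x7q2@example.com>
To: alice.example@holding.example
Subject: Re: Re: Completed: For Sales contract (h4nc)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review and sign the attached document.
--b1
Content-Type: application/pdf; name="contract.pdf"
Content-Disposition: attachment; filename="contract.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = b"""From: "Bob Example" <bob@example.com>
To: carol@other.example
Subject: Lunch tomorrow?

Same place at noon?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage(raw, "holding.example"))
```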

Tracking Telecom Impersonation Attacks 

Let’s build a threat landscape where attackers use domains containing the element “telecom” in their names. We are interested in cases where such activity is classified as phishing to assess the scale, frequency, and targets of these attacks.

The search returned 86 analysis sessions, 70 related domains, and enriched context data such as headers, attachments, network artifacts, timelines, and submission geographies. 

domainName:”telecom” AND threatName:”phishing” and threatLevel:”malicious” 

Search for malware samples featuring domains with “telecom” in name 

These insights allow security teams to enrich TI sources, prioritize threats, identify campaign clusters, track temporal dynamics, update detection rules, and map related infrastructure. 

How ANY.RUN Helps Telecom Companies Withstand the Growing Pressure of Phishing Attacks 

Telecom companies are under constant fire from phishing campaigns that combine brand impersonation, malicious attachments, and fake domains. While attackers automate and scale their operations, security teams often struggle to keep up. ANY.RUN’s ecosystem of services provides telecom defenders with the tools to detect, investigate, and respond to these threats more effectively: 

Interactive Sandbox 

Set up your virtual environment and run safe malware analysis in the Sandbox 

Quickly detonate suspicious emails, attachments, or links in a safe, interactive environment. Observe behavior in real time, identify phishing kits like Tycoon2FA, and capture artifacts such as malicious redirects, domains, or dropped files. 

Threat Intelligence Feeds 

TI Feeds: get real-time indicators from 15K SOC incident investigations 

Get continuously updated, actionable indicators of compromise (IOCs) drawn from global malware submissions. Telecom SOCs can integrate Threat Intelligence Feeds directly into SIEM or EDR systems to block known phishing infrastructure before it reaches employees or customers. 

Threat Intelligence Lookup 

Click the search bar and use tips on parameters and operators to look up IOCs and TTPs 

Go beyond single-sample analysis by exploring related campaigns. With Threat Intelligence Lookup, analysts can pivot on domains, file hashes, or sender patterns to uncover broader phishing clusters targeting telecom brands. This makes it easier to map attacker infrastructure, understand campaign scope, and strengthen detection rules. 

By combining these services, telecom companies gain both the depth to analyze individual phishing attempts and the breadth to track large-scale campaigns. This layered approach enables faster detection, better prioritization, and ultimately stronger resilience against persistent phishing pressure. 

Conclusion 

The analysis confirms that phishing attacks against telecom companies’ employees remain highly relevant, often used to steal credentials and bypass 2FA. 

ANY.RUN’s TI Lookup and YARA Search allow analysts to research the attacks and the employed malware, find samples linked to a targeted company’s email addresses, and expose domains utilized for phishing. Security teams are able to gather valuable indicators (hashes, domains, IPs, headers) to enrich internal threat intelligence sources. 

Pattern-based detection methods tailored to telecom-sector targeting can help identify new campaigns faster and reduce organizational risk. 

About ANY.RUN

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.   

  • Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.   
  • Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.  


The post Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies appeared first on ANY.RUN’s Cybersecurity Blog.


What happens when you engage Cisco Talos Incident Response?


In today’s world, cybersecurity incidents are not a matter of if, but when and how. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

Why engage an IR team? 

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

  • Speed and availability: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
  • Expertise: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud, and mobile forensics as well.  
  • Vendor-agnostic approach: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
  • Comprehensive services: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

Overview of the IR lifecycle 

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to each organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

  1. Preparation 
  2. Identification 
  3. Containment 
  4. Eradication 
  5. Recovery 
  6. Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

Phase 1: Preparation (before the incident) 

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

  • Emergency response: Guaranteed access to a global team within a short time of an incident. During major global cybersecurity events like WannaCry, Heartbleed, or Log4j, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
  • Proactive services: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
  • Relationship building: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

Phase 2: Identification (beginning of incident) 

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

Initial call

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

  • Nature of the incident: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
  • Affected systems: Which servers, endpoints, or networks are impacted? 
  • Business impact: Is the incident disrupting operations or exposing sensitive data? 
  • Existing actions: What steps have been taken so far? 
  • Visibility: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

Triage, scoping and analysis 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

  • Log analysis: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
  • Threat intelligence: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
  • Digital forensics: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

  • Initial access vector: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here
  • Adversary goals: Is the attacker after data theft, ransomware deployment, or persistent access? 
  • Scope: How many systems, users, or networks are affected? 
  • Persistence mechanisms: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
  • Data exfiltration: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

Phase 3: Containment (stopping the attack) 

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

Short-term containment 

Immediate actions to isolate the threat typically include: 

  • Network segmentation: Isolating affected systems or subnets to prevent lateral movement
  • Account lockdown and/or password changes: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
  • Process termination: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
  • Firewall rules: Blocking malicious IPs or domains identified through Talos’ threat intelligence

Long-term security hardening 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a clear understanding of what needs to be applied to build long-term resistance. Typical recommendations include: 

  • Patching vulnerabilities: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
  • Endpoint protection: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
  • Strengthening resilience: Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to be better prepared for future threats
  • Improving efficiency and consistency: Developing clear policies and procedures, while automating routine tasks such as system hardening to reduce risk

Phase 4: Eradication (removing the threat) 

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

  • Account remediation: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
  • System rebuilds: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
  • Reverting adversary changes: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

  • Threat hunting: Scanning for residual IOCs or anomalous behavior
  • Log reviews: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

Phase 5: Recovery (restoring operations) 

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

  • Restoring from backups: Deploying clean backups to affected systems, ensuring they’re free of malware
  • Application testing: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
  • User access: Gradually restoring user access with strengthened controls, such as MFA
  • Alternative processes: Implementing manual or temporary workflows if systems remain offline
  • Stakeholder communication: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
  • Employee training: Educating staff on phishing awareness or secure practices to prevent future incidents
  • Logging improvements: Enhancing visibility to address the logging deficiencies uncovered during the incident
  • Patch management: Establishing processes to prevent exploitation of known vulnerabilities

Phase 6: Lessons learned (building resilience) 

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

  • Incident summary: A timeline of events, from initial detection to resolution 
  • Findings: Details on the attacker’s TTPs, entry points and impact
  • Recommendations: Specific actions to ensure long-term and short-term improvements

Ongoing partnership 

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

“With the [Talos IR] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” Jeremy Maxwell, Veradigm CISO. 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

Cisco Talos Blog – Read More

How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

  • Cisco Talos discovered a new campaign active since 2022, targeting the telecommunications and manufacturing sectors in Central and South Asian countries, delivering a new variant of PlugX.
  • Talos discovered that the new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used.
  • The configuration associated with this new variant of PlugX differs significantly from the standard PlugX configuration format. Instead, it adopts the same structure as RainyDay, enabling us to assess with medium confidence that this variant of PlugX can be attributed to Naikon.
  • Although these malware families have historically been associated with campaigns attributed to Naikon or BackdoorDiplomacy, our analysis of the victimology and technical malware implementation has uncovered evidence that indicates a potential connection between the two threat actors and suggests that they are the same group or that both are sourcing their tools from the same vendor.

Overview


Cisco Talos has identified an ongoing campaign targeting the telecommunications and manufacturing sectors in Central and South Asian countries. Based on our analysis of collected evidence, we assess with medium confidence that this campaign can be attributed to Naikon, an active Chinese-speaking threat actor that has been operating since 2010. This assessment is based on analysis of the PlugX configuration format used during this campaign as well as the malware infection chain involved, which was very similar to their previous malware, RainyDay. 

During the investigation and hunting efforts for RainyDay backdoors, Talos uncovered two significant findings. First, we found that several instances of the Turian backdoor and newly identified variants of the PlugX backdoor were abusing the same legitimate Mobile Popup Application as RainyDay to load themselves into memory. Second, we observed that the three malware families leverage loaders which not only have a similar XOR decryption function but also use the same RC4 key to decrypt the encrypted payload. Although we did not observe any activity associated with RainyDay or Turian during this campaign, this finding enables us to make assessments regarding attribution. 

Attribution

Naikon

Naikon is a well-known Chinese-speaking cyber espionage group that has been active since at least 2010. This threat group has primarily targeted government, military, and civil organizations across Southeast Asia. 

Naikon employs a variety of backdoors, including Aira-body, Nebulae and RainyDay, along with numerous customized hacking tools to maintain persistence and exfiltrate data from victims’ network environments. Notably, Symantec reported the group has been using the RainyDay backdoor to target telecom operators in several Asian countries as part of a prolonged espionage campaign, which they traced back to 2020.

BackdoorDiplomacy

BackdoorDiplomacy is a threat group that has been active since at least 2017. The group has primarily targeted Ministries of Foreign Affairs and telecommunication companies across Africa, Europe, the Middle East and Asia.

Their primary tool of choice is Turian, believed to be an upgraded version of Quarian. ESET has noted similarities in the network encryption methods of Turian and a backdoor known as Backdoor.Whitebird.1. Bitdefender has suggested that Quarian, Turian and Whitebird may be different versions of the same backdoor. Bitdefender has also published a blog on attacks against telecommunication companies in the Middle East, which began in February 2022.

Talos compares Naikon and BackdoorDiplomacy using the diamond model in Figure 1.

Figure 1. Comparison between Naikon and BackdoorDiplomacy using the diamond model.

Relations in recent campaigns

While investigating the DLL search order hijacking abuse used in this campaign, Talos discovered that RainyDay, Turian and the PlugX variant all abused the same legitimate software to execute their malicious loaders. Although these malware families are seemingly operated by different threat groups ( Naikon and BackdoorDiplomacy), our analysis uncovered evidence suggesting a potential connection between them.

First, there are consistent targeting patterns in the campaigns Naikon and BackdoorDiplomacy conducted, with similar countries and industries affected, which could indicate a possible connection. Both primarily focus on telecommunications companies, with their most recent campaigns continuing this trend. In a recent campaign we observed, Naikon targeted a telecommunications company in Kazakhstan, which borders Uzbekistan — another country previously victimized by BackdoorDiplomacy. Prior reporting suggests that targeting of countries in this region aligns with historical BackdoorDiplomacy activity. Additionally, both Naikon and BackdoorDiplomacy have been observed targeting South Asian countries.

Furthermore, the malware loaders and shellcode structures used by both groups show significant similarities, and Talos has observed the use of the same RC4 keys, as well as the XOR-RC4-RtlDecompressBuffer algorithm, for decrypting malware payloads across RainyDay (Naikon), PlugX (Naikon) and Turian (BackdoorDiplomacy). These overlaps will be explored further in the next section. Talos created a timeline of intrusion activity associated with these three malware families (Figure 2) by analyzing data from:

  • Campaigns we observed
  • Third-party reporting
  • Malware compilation timestamps
  • Timestamps present in keystroke logs generated during infections

Figure 2. Timeline of the RainyDay, new PlugX variant and Turian backdoors.

While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects — such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor. These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign.

Malware attack flow

RainyDay, Turian and the new variant of PlugX identified in this campaign are all executed via DLL search order hijacking.

Although there are differences among the three pieces of malware, the behavior of the loaders themselves is similar. The loaders for RainyDay, PlugX and Turian, which are loaded by abusing legitimate executables, read encrypted shellcode files located in the same directory as the executables and decrypt the data to execute their respective malware. The decrypted RainyDay and PlugX payloads are unpacked into memory and inject code into the calling process to execute the malware. Turian injects into a new legitimate process (either wabmig.exe or explorer.exe) to execute the malware. After execution, it loads the Config data, which defines the command and control (C2) destination and an INI file containing an “AntiVir” section.

Figure 3. RainyDay malware flow.
Figure 4. New PlugX variant malware flow.
Figure 5. Turian malware flow.

RainyDay, new PlugX variant and Turian loaders

These three loaders are designed to read, decrypt and execute the encrypted shellcode for their respective malware from the Initial directory.
Let’s examine the decryption routines for the RainyDay, PlugX and Turian loaders. The three loaders share a significant amount of common code. First, they use the GetModuleFileNameA API to obtain the full path of the executable. Then, they read data from the Initial directory using hardcoded filenames within the malware.
The initial RainyDay loader Talos observed in 2016 did not encrypt the data. However, in subsequent malware samples, each loader includes a decryption routine. As illustrated in Figures 6 – 8, the RainyDay loader decrypts data from “rdmin.src”, the PlugX loader from “Mcsitesdvisor.afx” and the Turian loader from “winslivation.dat”, each using XOR encryption. The decrypted shellcode is then unpacked in memory and executed using CALL or JMP instructions.

Figure 6. RainyDay loader.
Figure 7. PlugX loader.
Figure 8. Turian loader.

The format of the shellcode each of the three malware loaders decrypts is the same. It contains data that has been encrypted and compressed using RC4 and LZNT1, respectively. This data is then decompressed and decrypted, ultimately providing code to be executed in memory.

After the transition via a CALL or JMP instruction, code like that shown in the figure below is repeatedly executed. Control Flow Flattening (CFF) may be implemented in some cases.

Figure 9. A portion of the code used by RainyDay and Turian to implement CFF.

As shown in the image, it uses the ROL25-based additive API hash function to resolve Windows APIs. Then, the code is decrypted using RC4, as indicated in the illustration below.

After RC4 decryption, the resulting code is still LZNT1-compressed, so the loader calls the RtlDecompressBuffer API to decompress it and deploy RainyDay, PlugX or Turian.

Figure 10. ROL25-based additive API hash function.
Figure 11. RC4 decryption and LZNT1 decompression code.

The DLL file decompressed by LZNT1, as indicated in Figure 12 below, has its file header bytes removed. In this example, the e_lfanew value (which indicates the location of the PE header) is set to an abnormally large value of 0x01240120, clearly showing that an invalid value has been inserted.

Figure 12. Part of the DLL file decompressed by LZNT1.

RC4 key used for malware decryption

Figure 13 below shows the RC4 keys used by each of the three different malware families and their corresponding samples. RainyDay uses “8f-2;g=3/c?1wf+c92rv.a” as its RC4 key. This same key is also used in PlugX and Turian. In early versions of RainyDay, this string was used for encrypting communications, not the malware itself. Another RC4 key specified in RainyDay, “jfntv`1-m0vt801tyvqaf_)U89chasv”, is also used in PlugX. We can conclude that the same RC4 keys are shared across RainyDay, PlugX and Turian. We can also infer that the attackers are operating multiple malware families simultaneously, and that the use of shared RC4 keys across multiple malware families suggests these activities are carried out by the same or connected attacker groups.

Figure 13. RC4 key by malware family.
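The decryption chain described above (RC4 with one of the shared keys from Figure 13, LZNT1 decompression, then a DLL whose e_lfanew has been overwritten) as an added Python triage helper: this is example code written for this post, not Talos tooling. It assumes the input has already had the loader's file-level XOR removed, and the sample it runs on is constructed inline (a fake DLL stub and a hand-assembled LZNT1 chunk), not a real capture.

```python
import struct

# RC4 keys the post reports as shared by RainyDay, PlugX and Turian (Figure 13).
KNOWN_RC4_KEYS = [b"8f-2;g=3/c?1wf+c92rv.a", b"jfntv`1-m0vt801tyvqaf_)U89chasv"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_lznt1(blob: bytes) -> bool:
    """LZNT1 chunk header: bits 12-14 are always 0b011, bit 15 = compressed,
    bits 0-11 = body length - 1. A wrong RC4 key almost never yields this."""
    if len(blob) < 2:
        return False
    hdr = struct.unpack_from("<H", blob)[0]
    return (hdr & 0x7000) == 0x3000 and (hdr & 0x0FFF) + 1 <= len(blob) - 2


def lznt1_decompress(blob: bytes) -> bytes:
    """Minimal LZNT1 decoder (what RtlDecompressBuffer does for this format)."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(blob):
        hdr = struct.unpack_from("<H", blob, pos)[0]
        if hdr == 0:                              # end-of-stream marker
            break
        size = (hdr & 0x0FFF) + 1
        chunk, pos = blob[pos + 2:pos + 2 + size], pos + 2 + size
        if not hdr & 0x8000:                      # stored chunk: copy verbatim
            out += chunk
            continue
        cur, i = bytearray(), 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:        # literal byte
                    cur.append(chunk[i])
                    i += 1
                    continue
                # Back-reference. The displacement/length bit split widens as
                # the chunk fills: 4 displacement bits for the first 16 bytes.
                token, i = struct.unpack_from("<H", chunk, i)[0], i + 2
                p, l_mask, o_shift = len(cur) - 1, 0x0FFF, 12
                while p >= 0x10:
                    l_mask, o_shift, p = l_mask >> 1, o_shift - 1, p >> 1
                start = len(cur) - ((token >> o_shift) + 1)
                for k in range((token & l_mask) + 3):  # byte-wise: overlap is legal
                    cur.append(cur[start + k])
        out += cur
    return bytes(out)


def check_pe_header(dll: bytes) -> dict:
    """Flag the tampering the post describes (e_lfanew at 0x3C pointing outside
    the image) and recover the true PE signature offset when it is still there."""
    info = {"mz": dll[:2] == b"MZ", "e_lfanew": None, "tampered": False, "pe_offset": None}
    if len(dll) >= 0x40:
        e_lfanew = struct.unpack_from("<I", dll, 0x3C)[0]
        info["e_lfanew"] = e_lfanew
        if dll[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            info["pe_offset"] = e_lfanew
        else:
            found = dll.find(b"PE\x00\x00")
            info["tampered"], info["pe_offset"] = True, (None if found < 0 else found)
    return info


def unpack_stage(encrypted: bytes):
    """Try each known key; return (key, decompressed payload) or (None, b"")."""
    for key in KNOWN_RC4_KEYS:
        plain = rc4(key, encrypted)
        if looks_like_lznt1(plain):
            return key, lznt1_decompress(plain)
    return None, b""


# Constructed sample, not a real capture: an "MZ" stub whose e_lfanew is
# overwritten to 0x01240120 as in the post, with the real PE signature at 0x40.
FAKE_DLL = bytearray(b"MZ" + b"\x00" * 0x3E)
struct.pack_into("<I", FAKE_DLL, 0x3C, 0x01240120)
FAKE_DLL = bytes(FAKE_DLL) + b"PE\x00\x00" + b"\x00" * 12


def build_sample() -> bytes:
    """Wrap FAKE_DLL in a stored LZNT1 chunk, then RC4 it with the first key."""
    hdr = struct.pack("<H", 0x3000 | (len(FAKE_DLL) - 1))
    return rc4(KNOWN_RC4_KEYS[0], hdr + FAKE_DLL)


# Hand-assembled compressed chunk: literals "ABCD", then a back-reference
# (offset 4, length 4) repeating them, so it decodes to b"ABCDABCD".
COMPRESSED_VECTOR = struct.pack("<H", 0xB006) + b"\x10ABCD" + struct.pack("<H", 0x3001)
```

The LZNT1 header check is what lets an analyst tell which of the shared keys a given sample used without re-examining the loader each time.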

PDB paths included in the loader

There are a few PDB paths found in the loader samples which explain the role of the DLL loader files.

Turian loader:

C:vc_codeNo.33-2hao3-2hao-211221dlltoshellcode_and_shellcodeloader_211221Resourcespc2msupp.pdb

C:vc_codecode_test26.icmpsh-master(tigong wangzhiban)shellcodeloader_vs2008Releaseshellcodeloader_vs2008.pdb

Possible PlugX loader:

C:UsersadminDesktopDesktop_baksuccess_baiMicrosoftEdgeUpdate.exeshellcode_xordll-MicrosoftEdgeUpdateRelease2-dll-MicrosoftEdgeUpdate.pdb

A deeper analysis of the PDB strings reveals a few key points. First, all the loaders contain shellcode structures that are consistent across both backdoors, which are extracted and injected into memory. Second, the Turian loader PDB path (also mentioned by Bitdefender), “No.33-2hao3-2hao-211221,” seems to reference project names, versions, and a timestamp, with “211221” possibly representing the date Dec. 21, 2021.

Additionally, another Turian loader PDB path includes “icmpsh-master,” likely referring to ICMP Shell (icmpsh), a well-known tool or malware technique used for covert C2 communication. In the PDB string, the phrase “(tigong wangzhiban)” in parentheses translates from Chinese to “provide web version” (提供网页版), suggesting that this version of icmpsh might have been modified for web-based use, possibly to interact with a remote server or web-based C2 infrastructure.

Finally, the RainyDay loader PDB path points to a project involving a DLL associated with “MicrosoftEdgeUpdate”. This DLL could be malicious and designed to be injected into the legitimate MicrosoftEdgeUpdate.exe process.

Figure 14. Loader for each malware family that includes a PDB.

RainyDay and new PlugX variant from same infection chain

This section examines the history and technical details of the RainyDay backdoor. This malware was first discovered in 2021 by Bitdefender, and may be tracked by Kaspersky as FoundCore, based on the behavior they describe in their analysis. By combining insights from both research reports, we can outline the key characteristics and behavior of the RainyDay backdoor:

  • It uses legitimate DLL sideloading to run the malware.
  • The payload includes shellcode, which is responsible for extracting the final payload.
  • The payload is encrypted using XOR-RC4-RtlDecompressBuffer and its configuration is encrypted using a simple single-byte XOR key.
  • Most importantly, the configuration holds critical details like the C2 server address, folder name, service description, mutex, registry key path and other information.

From the information above, Talos was able to find several RainyDay backdoor loaders and payloads in various malware repositories. While all of the samples matched RainyDay backdoor signatures, we found that the final backdoors actually belonged to two different malware families: the previously reported RainyDay backdoor and a new variant of the notorious Chinese remote access trojan (RAT), PlugX. Figures 15 – 17 display the different malware families which both contain the same code responsible for configuration decryption.

Figure 15. Bitdefender’s identified RainyDay configuration decryption code.
Figure 16. Oldest RainyDay configuration decryption code.
Figure 17. PlugX variant configuration decryption code.

Older version of RainyDay backdoor

Following a detailed analysis, Talos identified an older variant of the RainyDay backdoor. The code structure aligns closely with newer variants described in other cybersecurity vendors’ publications. This older variant employs the same code logic to determine the target machine’s Windows version and CPU architecture. Notably, the debug logs exhibit significant similarities between the variants. As illustrated in Figure 18, it is evident that the threat actor has not only enhanced the functionality of the RainyDay backdoor but has also refined the debug log output. This enhancement likely facilitates more efficient debugging of individual functions by the malware’s developers. However, this older variant closely mirrors what has been detailed in Bitdefender’s previous reports, with the primary differences being the absence of C2 HTTP communication capabilities and file manipulation functions.

Figure 18. Left: Bitdefender-described RainyDay. Right: Talos-discovered older variant of RainyDay.

Talos uncovered two additional compelling pieces of evidence to support the conclusion that this is an earlier version of the RainyDay backdoor. First, the loader for this variant was compiled on Feb. 27, 2018 at 12:32:40 UTC, making it the oldest sample identified to date. Second, the configuration file contains a timestamp dating back to Dec. 28, 2016. Based on this information, we assess with high confidence that the RainyDay backdoor has likely been in operation since at least 2016.

Figure 19. Old version of RainyDay configuration.

Talos also discovered a PDB string path embedded in the malware, which discloses the backdoor’s original file name.

C:UsersQsDesktopWorkspace1qazbincore.pdb

The file names are the same; therefore, this finding further strengthens the link between this older variant of the RainyDay backdoor and the 2021 FoundCore version.

PlugX variant backdoor

The other final payload Talos identified is a customized variant of the PlugX backdoor, which we believe has become the primary backdoor used by the threat actor in recent campaigns. While this variant of PlugX is not particularly new and its plug-in functionalities have been documented in previous reports, it stands out for a key reason: its configuration differs significantly from the previously-identified PlugX configuration. Instead, it adopts the same configuration structure as the RainyDay backdoor. This anomaly strongly suggests that the threat actors likely have access to the original source code of PlugX, enabling them to modify it in this manner. However, it is still necessary to be aware that the threat actor might further patch the PlugX backdoor configuration part to fit their preferred configuration structure.

Figure 20. PlugX configuration.

Talos has high confidence that the PlugX variant observed in this campaign is a customized version of BackDoor.PlugX.38. Like the original variant, it utilizes the SetUnhandledExceptionFilter exception handler to identify the thread ID responsible for triggering the exception within the “threads_container” and subsequently generates the associated strings. However, this variant introduces a modification that applies an additional XOR operation to encrypt those strings. When the malware executes the relevant function, it decrypts the strings dynamically at runtime.

Figure 21. Exception filter setting.

After completing its preparation procedures, the trojan escalates its privileges by acquiring SeDebugPrivilege and SeTcbPrivilege. It then initializes its main routine and determines the folder path, specified in its configuration, where it will drop the infection chain files. The malware creates a DoImpUserProc thread to manage plug-in operations or execute a function named OnlineMainDump. To evade detection, the threat actor conceals the SeDebugPrivilege and SeTcbPrivilege strings by encrypting them using a modified Tiny Encryption Algorithm (TEA).

Figure 22. Privilege escalation.

If the PlugX backdoor executes the OnlineMainDump function, it first attempts to elevate its privileges to grant high-level access for its own process. It then retrieves three specific plug-ins: KeylogDump, Nethood and PortMap. Following this, it employs the same techniques as BackDoor.PlugX.38 to hide its malicious service within the services.exe process. Once this is completed, the OnlineNotifyDump thread is initiated, and the configuration is re-initialized. The malware then utilizes the OlProcManager thread to manage the execution of the three plug-ins within the framework of the current process.

Figure 23. PlugX main function.

Once all initialization procedures are complete, the malware begins a recurring cycle of connections to its C2 server. While the connection methodology remains identical to that of BackDoor.PlugX.38, this variant specifically utilizes the HTTPS protocol for communication. Additionally, we identified the library version name “VTCP 10.12.08” embedded within this PlugX backdoor. The VTCP library has already been confirmed in previous analyses as a component commonly associated with PlugX, further supporting the attribution of this variant to the same malware family.

Figure 24. PlugX protocol.

Furthermore, Talos observed that the threat actor embedded a keylogger plug-in in all analyzed PlugX backdoor payloads. The keylogger’s functionality and data-writing format remain consistent with those described in previous reports. However, there are notable differences: The file name has been altered and the drop file path adjusted to match the current location of the PlugX backdoor. These modifications suggest that the threat actor aimed to better integrate the keylogger with this specific variant.

Figure 25. Keylogger log file path.

Additionally, by pivoting on several keylogger log files discovered on VirusTotal, Talos observed timestamps indicating that these files were actively generated throughout 2022. Notably, one of the log files demonstrated successful persistence within the victim’s environment, recording activity from late 2022 through December 2024 — spanning nearly two years of ongoing compromise.

Coverage


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

ClamAV detections are also available for this threat:

Win.Loader.RainyDay-10045411-0

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – Read More

VMScape attack | Kaspersky official blog

A team of researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has published a research paper demonstrating how a Spectre v2 attack can be used for a sandbox escape in a virtualized environment. With access to only a single isolated virtual machine, the researchers were able to steal valuable data normally accessible only to the server administrator. Servers based on AMD CPUs (including AMD’s newest – with Zen 5 architecture) or Intel’s Coffee Lake are susceptible to the attack.

The danger of Spectre attacks for virtual environments

We regularly write about CPU vulnerabilities that employ speculative execution, where standard hardware features are exploited to steal secrets. You can read our previous posts on this subject, which describe the general principles of these attacks in detail, here, here, and here.

Although this type of vulnerability was first discovered back in 2018, up until this paper researchers hadn’t demonstrated a single realistic attack. All their efforts had culminated in the notion that, theoretically, a sophisticated and targeted Spectre-like attack is feasible. Furthermore, in most of these papers, the researchers restricted themselves to the most basic attack scenario: they’d take a computer, install malware on it, and then use the CPU hardware vulnerability to steal secrets. The drawback of this approach is that if an attacker has already installed malware on a PC, they can steal data using numerous other, significantly simpler methods. Because of this, Spectre and similar attacks are unlikely to ever pose a threat to end-user devices. However, when it comes to cloud environments, one shouldn’t dismiss Spectre.

Imagine a provider that rents virtual servers to organizations or individuals. Each client is assigned their own virtual machine, which allows them to run any software they want. Other clients’ virtual systems can be running on the same server. Separating data-access privileges is crucial in this situation. You must prevent an attacker who has gained access to one virtual machine from reading the confidential data of an adjacent client, or compromising the provider’s infrastructure by gaining access to the host’s data. It is precisely in this scenario that Spectre attacks start appearing as a significantly more perilous threat.

VMScape: a practical look at a Spectre v2 attack

In previous research papers on the feasibility of the Spectre attack, researchers didn’t delve into a realistic attack scenario. For an academic paper, this is normal. A theoretical proof of concept for a data leak is typically enough to get CPU makers and software developers to beef up their defenses and develop countermeasures.

The authors of the new paper from ETH Zurich directly address this gap, pointing out that previously examined scenarios for attacks on virtualized environments – such as those in this paper, also by ETH Zurich – made an extremely broad assumption: that the attackers had already managed to install malware on the host. Just like with attacks on regular desktop computers, this doesn’t make much practical sense. If the server is already compromised, the damage is already done.

The new attack proposed in their paper – dubbed VMScape – uses the same branch target injection mechanism as the one found in all attacks since Spectre v2. We’ve talked about it several times before, but here’s a quick summary.

Branch target injection works by training a CPU’s branch prediction system, the mechanism that speeds up programs through speculative execution. The CPU tries to execute the next set of instructions before it even knows the results of the previous computations. If it guesses the right direction (branch) the software will take, performance increases significantly; if it guesses wrong, the results are simply discarded.

Branch target injection is an attack in which the attacker tricks the CPU into accessing secret data during speculative execution and moving it into the cache. The attacker then retrieves this data indirectly through a side channel.

The researchers discovered that the privilege separation between the host and guest operating systems during speculative execution is imperfect. This allows for a new version of the branch target injection attack, which they’ve named “Virtualization-based Spectre-BTI” or vBTI.

As a result, the researchers were able to read arbitrary data from the host’s memory while only having access to a virtual machine with default settings. The data reading speed was 32 bytes per second on an AMD Zen 4 CPU, with nearly 100% reliability. That’s fast enough to steal things like data encryption keys, which opens a direct path to stealing information from adjacent virtual machines.

Is VMScape a threat in the real world?

AMD CPUs with Zen architecture from the first through the latest fifth generation have proved vulnerable to this attack. This is because of the subtle differences in how these CPUs implement Spectre attack protections, as well as the unique way the authors’ vBTI primitives operate. For Intel CPUs, this attack is only possible on servers with older Coffee Lake CPUs from 2017. Newer Intel architectures have improved protections that make the current version of the VMScape attack impossible.

The researchers’ achievement was designing the first-ever Spectre v2 attack in a virtual environment that’s close to real-world conditions. It doesn’t rely on overly permissive assumptions or crutches like malicious hypervisor-level software. The VMScape attack is effective; it bypasses many standard security measures, including KASLR, and successfully steals a valuable secret: an encryption key.

Fortunately, immediately after designing the attack, the researchers also proposed a fix. The issue was assigned the vulnerability identifier CVE-2025-40300, and it was patched in the Linux kernel. This particular patch doesn’t significantly reduce computational performance, which is often a concern with software-based protections against Spectre attacks.

Methods for protecting confidential data in virtual environments have existed for a while. AMD has a technology named “Secure Encrypted Virtualization” (SEV) and its subtype, SEV-SNP, while Intel has Trust Domain Extensions (TDX). These technologies encrypt the virtual machine’s memory, so secrets read out of it directly are useless to the attacker. The researchers confirmed that SEV provides additional protection against the VMScape attack on AMD CPUs. In other words, a real-world VMScape attack against modern servers is unlikely. However, with each new study, Spectre attacks look more and more realistic.

Despite the academic nature of the research, attacks that exploit speculative execution in modern CPUs remain relevant. Operators of virtualized environments should continue to consider these vulnerabilities and potential attacks in their threat models.
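The post’s advice to operators is to keep speculative-execution attacks in the threat model; in practice that starts with verifying what the host kernel reports. The POSIX shell script below is an added defender-side example (not code from the Kaspersky post, the ETH Zurich paper, or the Linux kernel): it reads the kernel’s per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities, which a hypervisor operator would check after applying the CVE-2025-40300 patch, and looks for the AMD SEV flags in /proc/cpuinfo that the paper says add protection. Two things are assumptions: the file name vmscape is assumed to be the sysfs entry added with the patch and should be verified against your kernel’s documentation, and the VULN_DIR and CPUINFO variables are this example’s own knobs so it can run against captured copies of those files.

```shell
#!/bin/sh
# Added example, not from the Kaspersky post, the ETH Zurich paper or the
# Linux kernel: summarise a Linux host's Spectre-class mitigation status from
# the sysfs vulnerability files a hypervisor operator checks after patching.
#
# Assumptions (labelled): VULN_DIR defaults to the real sysfs path; the entry
# name "vmscape" is assumed to be the one added with the CVE-2025-40300 fix,
# verify it against Documentation/admin-guide/hw-vuln/ for your kernel.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<name>: <status>" for one sysfs entry; "missing" when the kernel does
# not expose the file (too old a kernel, or the entry is unknown to it).
mitigation_status() {
    name="$1"
    f="$VULN_DIR/$name"
    if [ -r "$f" ]; then
        printf '%s: %s\n' "$name" "$(cat "$f")"
    else
        printf '%s: missing\n' "$name"
    fi
}

# Classify one status line as OK or WARN so the output can feed a cron check.
# "Not affected" and "Mitigation: ..." are accepted; anything else
# ("Vulnerable", "Unknown", "missing") is flagged for a human to look at.
classify() {
    case "$1" in
        *"Not affected"*|*"Mitigation:"*) echo OK ;;
        *) echo WARN ;;
    esac
}

# Report on the entries relevant to the post: spectre_v2 (the branch target
# injection primitive VMScape builds on) and vmscape (assumed entry name).
# Returns non-zero when any entry is WARN, so it can gate a deployment.
check_host() {
    rc=0
    for v in spectre_v1 spectre_v2 vmscape; do
        line=$(mitigation_status "$v")
        verdict=$(classify "$line")
        printf '[%s] %s\n' "$verdict" "$line"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Report which AMD SEV generation the CPU advertises (the paper says SEV adds
# protection against VMScape). Reads /proc/cpuinfo unless CPUINFO points at a
# captured copy. The sev / sev_snp flag names are the ones Linux exposes.
sev_support() {
    flags=$(grep -m1 '^flags' "${CPUINFO:-/proc/cpuinfo}" 2>/dev/null || true)
    case " $flags " in
        *" sev_snp "*) echo "sev_snp" ;;
        *" sev "*)     echo "sev" ;;
        *)             echo "none" ;;
    esac
}

# Run the report; a WARN verdict is reported rather than aborting the script.
check_host || echo "at least one mitigation entry needs attention"
echo "SEV capability: $(sev_support)"
```

Run it as root on the hypervisor host (guests only see their own virtualized status), and treat a "missing" vmscape entry as a sign the kernel predates the fix rather than as a clean result. Pair the check with a patch-management ticket whenever it reports WARN.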

Kaspersky official blog – Read More

Gamaredon X Turla collab

Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high-profile targets in Ukraine

WeLiveSecurity – Read More