Phishing emails typically end up in the spam folder, because today’s security systems easily recognize most of them; however, these systems aren’t completely reliable, so some bona fide email messages land in the junk folder too. This article explains how to detect phishing emails, and what to do about them.
Signs of phishing email
There are several markers that are widely believed to indicate a message sent by scammers. Below are some examples.
Catchy subject line. A phishing message will likely represent a fraction of all the mail landing in your inbox. This is why scammers usually try to make their subject lines stand out by using trigger words like “urgent”, “prize”, “cash”, “giveaway”, or similar, designed to prompt you to open the message as quickly as possible.
Call to action. You can bet the message will encourage you to do at least one of the following: click a link, pay for something you don’t really need, or check the details in an attachment. The attackers’ primary goal is to lure victims away from their email and into unsafe spaces where they’re tricked into spending money or surrendering access to their accounts.
Expiring timer. The message might feature a timer that says, “Follow this link. It expires in 24 hours.” All these tricks are just nonsense. Scammers want to rush you so you start to panic and stop thinking carefully about your money.
Mistakes in the email body. In the past year, there’s been an increase in phishing emails sent in multiple languages at once, often with some odd mistakes.
Suspicious sender address. If you live in, say, Brazil, and you get an email message from an Italian address, that’s a red flag and a good reason to completely ignore its contents.
An impersonal greeting like “Dear %username%” used to be a sure sign of a phishing email, but scammers have moved on from that. Targeted messages addressing the victim by name are becoming increasingly common. Ignore those too.
What to do if you get a phishing email
If you’ve managed to spot one using the signs described above, well done — you’re awesome! You can go ahead and delete it without even opening. And if you want to do your good deed for the day, report the phishing attempt via Outlook or Gmail to make this world a tiny bit safer. We understand that spotting phishing in your email right away isn’t easy — so here’s a short list of don’ts to help with detection.
Don’t open attachments
Scammers can hide malware inside various types of email attachments: images, HTML files, and even voice messages. Here’s a recent example: you get an email with an attachment that appears to be a voice message with the SVG extension, but that’s typically an image format… To listen to the recording, you have to open the attachment, and what do you know — you find yourself on a phishing site that masquerades as Google Voice! And no, you don’t hear any audio. Instead, you’re redirected to another website where you’ll be prompted to enter the login and password for your email account. If you’re interested in learning more, here’s a Securelist blog post on this.
It seems that voice messages are sent more often through messengers than by email
This and other stories just go to show you shouldn’t open attachments. Any attachments. At all. Especially if you weren’t expecting the message in the first place.
Don’t open links
This is a golden rule that will help keep your money and accounts safe. A healthy dose of caution is exactly what everyone needs when using the internet. Let’s take a look at this phishing message.
An “exciting win-win”, but only the scammers benefit
Does this look odd? It’s written in two languages: Russian and Dutch. It shows the return address of a language school in the Netherlands, yet it references the Russian online marketplace Ozon. The message body congratulates the recipient: “You are one of our few lucky clients who get a chance to compete for uncredible prizes.” “Competing for prizes” is easy: just click the link, which has been thoughtfully included twice.
A week later, another message landed in the same inbox. Again, it came in two languages: Italian and Russian. This one came from a real Italian email address associated with the archive of Giovanni Korompay‘s works. The artist passed away in 1988. No, this wasn’t an offer to commemorate the painter. Most likely, hackers have breached the archive’s email account and are now sending phishing mail about soccer betting pretending to be from that source. All of that looks a rather fishy.
Another email in two languages
These messages have a lot in common. One thing we didn’t mention is how phishing links are disguised. Scammers deliberately use the TinyURL link shortener to make links look as legitimate as possible. But the truth is, a link that starts with tinyurl.com could point to anything: from the Kaspersky Daily blog to something malicious.
Don’t believe what’s written down
Scammers come up with all sorts of tricks: pretending to be Nigerian princes, sending fake Telegram Premium subscriptions, or congratulating people on winning fake giveaways. Every week, I get email with text like this: “Congratulations! You can claim your personal prize.” Sometimes they even add the amount of the supposed winnings to make sure I open the message. And once, I did.
The scammers were too lazy to shorten this link
Inside, it’s all by the book: a flashy headline, congratulations, and calls to click the link. To make it seem even more convincing, the email is supposedly signed by a representative from the “Prize Board of the Fund”. What fund? What prize board? And how could I possibly have won something I never even entered into? That part is unclear.
You may have noticed the unusual design of this message: it clearly stands out from the previous examples. To add credibility, the scammers used Google Forms, Google’s official service for surveys and polls. The scheme is a simple one: they create a survey, set it up to send response copies to the email addresses of their future victims, and collect their answers. Read Beware of Google Forms bearing crypto gifts to find out what happens if you open a link like that.
The bottom line
Following these rules will protect you from many — but not all — of the tricks that attackers might come up with. That’s why we recommend trusting a reliable solution: Kaspersky Premium. Every year, our products undergo testing by the independent Austrian organization AV-Comparatives to evaluate their ability to detect phishing threats. We described the testing procedure in a post a year ago. In June 2025, Kaspersky Premium for Windows successfully met the certification criteria again and received the Approved certificate, a mark of quality in protecting users from phishing.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-29 14:06:362025-07-29 14:06:36What to do if you get a phishing email | Kaspersky official blog
While cybercriminals were working overtime this July, so were we at ANY.RUN — and, dare we say, with better results. As always, we’ve picked the most dangerous and intriguing attacks of the month. But this time, there’s more.
Alongside the monthly top, we are highlighting a key trend that’s been powering campaigns throughout 2025: the top 5 Remote Access Tools most abused by threat actors in the first half of the year.
The threats were investigated with ANY.RUN’s Interactive Sandbox, where you can trace the full attack chain and see malware behavior in action, and our Threat Intelligence Lookup (available now for free), which helps you turn raw IOCs into actionable intelligence to better protect your organization.
DeerStealer Delivered via Obfuscated .LNK and LOLBin Abuse
The recent phishing campaign delivers malware through a fake PDF shortcut (Report.lnk) that leverages mshta.exe for script execution, which is a known LOLBin technique (MITRE T1218.005).
ANY.RUN’s Script Tracer reveals the full chain, including wildcard LOLBin execution, encoded payloads, and network exfiltration, without requiring manual deobfuscation.
The attack begins with a .lnk file that covertly invokes mshta.exe to drop scripts for the next stages. The execution command is heavily obfuscated using wildcard paths.
Fake Report.lnk detonated in the sandbox
To evade signature-based detection, PowerShell dynamically resolves the full path to mshta.exe in the System32 directory. It is launched with flags, followed by obfuscated Base64 strings. Both logging and profiling are disabled to reduce forensic visibility during execution.
Characters are decoded in pairs, converted from hex to ASCII, reassembled into a script, and executed via IEX. This ensures the malicious logic stays hidden until runtime.
The script dynamically resolves URLs and binary content from obfuscated arrays, downloads a fake PDF to distract the user, writes the main executable into AppData, and silently runs it. The PDF is opened in Adobe Acrobat to distract the user.
You can use Threat Intelligence Lookup to find malware samples using similar techniques with fake .lnk files and PowerShell commands to enrich your company’s detection systems.
ANY.RUN’s analysts were one of the first teams to research a DeerStealer distribution campaign when it had just emerged: read the article in our blog and keep an eye on this malware.
Fake 7-Zip installer exfiltrates Active Directory files
A malicious installer disguised as 7-Zip steals critical Active Directory files, including ntds.dit and the SYSTEM hive, by leveraging shadow copies and exfiltrating the data to a remote server.
Upon execution, the malware creates a shadow copy of the system drive to bypass file locks and extract protected files without disrupting system operations. It then copies ntds.dit, which contains Active Directory user and group data, and SYSTEM, which holds the corresponding encryption keys.
The malware connects to a remote server via SMB using hardcoded credentials. All output is redirected to NUL to minimize traces.
This technique grants the attacker full access to ntds.dit dump, allowing them to extract credentials for Active Directory objects and enables lateral movement techniques such as Pass-the-Hash or Golden Ticket.
ANY.RUN’s Sandbox makes it easy to detect these stealthy operations by providing full behavioral visibility, from network exfiltration to credential staging, within a single interactive session.
As our data shows, banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread MaaS phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
In this attack, the malware uses layered obfuscation to hide execution logic and evade traditional detection.
The attack begins with a loader using control-flow flattening (MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts. The loader uses COM automation via WshShell3, avoiding direct PowerShell or CMD calls and bypassing common detection rules.
Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, a known LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
Persistence is established by creating a Run registry key pointing to a .url file containing the execution path. Snake is launched after a short delay using a PING, staggering execution.
Explore ANY.RUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization’s security response. Here are several examples of Threat Intelligence Lookup search requests that allow to discover malware samples using the above-described TTPs:
While legitimate and widely used by IT teams, Remote Monitoring and Management tools are increasingly used by threat actors to establish persistence, bypass defenses, and exfiltrate data.
In the first half of 2025, ANY.RUN observed a significant number of malware samples leveraging known RMM software for malicious access. Here are the 5 most frequently abused tools illustrated with sandbox malware sample analyses:
To support faster detection and investigation, we’ve added the rmm-tool tag in Threat Intelligence Lookup, making it easier for threat hunters and incident responders to track RMM-based intrusions. Use the “threatName” search parameter to sort out sandbox sessions featuring remote access software and malware.
The attacks we’ve reviewed this month showcase the growing sophistication and stealth of threat actors — from abusing LOLBins and fake installers to hijacking legitimate RMM tools. Detecting, understanding, and responding to such threats demands more than just static indicators. It requires deep behavioral insight and high-fidelity threat intelligence.
ANY.RUN’s Interactive Sandbox empowers malware analysts to dissect the full attack chain, observe real payload execution, and uncover hidden behaviors without getting lost in obfuscation or waiting for post-mortem reports. You don’t just watch malware — you watch it work.
Meanwhile, Threat Intelligence Lookup helps you connect the dots across thousands of similar cases: identify recurring tactics, extract IOC patterns, and enrich detection rules with real, contextualized data. Whether you’re tracing fake .lnk campaigns or hunting RMM-based persistence, it gives you a shortcut to actionable answers.
As attackers get bolder, your investigation workflow has to get smarter — and faster. ANY.RUN is here to support both.
About ANY.RUN
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
Designed to accelerate threat detection and improve response times, ANY.RUN equips teams with interactive malware analysis capabilities and real-time threat intelligence.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-29 13:06:462025-07-29 13:06:46Major Cyber Attacks in July 2025: Obfuscated .LNK‑Delivered DeerStealer, Fake 7‑Zip, and More
When the NIS2 Directive arrived in 2023, organizations across Europe began preparing for enhanced cybersecurity requirements. Many focused on obligations such as rapid incident notifications and comprehensive security policies. However, while the directive provided the “what,” it left the “how” largely undefined. Organizations understood that they needed incident response capabilities and swift reporting mechanisms, but the details of implementation remained unclear.
The release of ENISA’s Technical Implementation Guidance in June 2025 revealed the true complexity of compliance with the NIS2 standard. The technical guidance now reveals requirements that fundamentally challenge conventional security operations, particularly during incidents. Organizations that once prioritized operational continuity over forensic response and detailed analysis must now balance all three.
Competing objectives in incident response
Under the old approach, organizations had the flexibility to isolate, investigate and report incidents at their own pace. These processes were typically be dictated by business needs, with exceptions for when personal data was involved under GDPR.
The incident response procedures outlined in Section 3.5.2 of the ENISA guidance illustrate this shift perfectly. Security teams must now “recognize and address potential conflicts between forensic activities, incident response activities, and operational continuity.” The guidance explicitly acknowledges that teams face competing objectives:
Preserve evidence for legal purposes
Mitigate current threats to minimize business disruption
Minimize IT service downtime to maintain operational continuity
Traditional incident response playbooks assume you can prioritize one or two of these objectives. NIS2 demands all three simultaneously.
Let’s consider an example. A ransomware attack hits payment processing systems at midnight. According to Section 3.2.3, teams must maintain comprehensive logs including “all privileged access to systems and applications and activities performed by administrative accounts,” while Section 3.5.4 requires logging all incident response activities and recording evidence. At the same time, the business operations would require system restoration to process morning transactions so that the bottom line is not impacted.
Throughout this process, someone must compile an initial report meeting the notification requirements within 24 hours as mandated by Article 23(3) of the NIS2 Directive. This is followed by a more detailed report with impact assessment details within 72 hours. Not to mention, organizations operating across borders may need country-specific procedures to support notification timelines.
The guidance acknowledges the inherent conflict in these objectives and requires organizations to “establish a clear decision-making process that prioritizes based on the accepted risk tolerance levels, business impact and legal obligations.”
Logging requirements
Another key challenge lies in the depth of logging requires. Section 3.2.3 specifies that logs shall include, where appropriate: “(a) relevant outbound and inbound network traffic; (b) creation, modification or deletion of users of the relevant entities’ network and information systems and extension of the permissions; (c) access to systems and applications; (d) authentication-related events; (e) all privileged access to systems and applications and activities performed by administrative accounts” as well as 7 additional categories, for 12 total. All this assumes visibility into shadow IT and appropriate configuration of user activity tracking so that a proper audit trail can be constructed, reviewed and stored for analysis.
Furthermore, the guidance notes in Section 3.2.6 that monitoring and logging systems must be redundant, and that “the availability of the monitoring and logging systems shall be monitored independent of the systems they are monitoring.” Although this is music to an incident responder’s ears, setting up the complex systems needed to correlate, analyze, store and retrieve detailed audits is a significant challenge.
Forensic activities vs. business recovery
Traditional incident response strategies often prioritize rapid recovery to ensure that business operations can return to normal while simultaneously analyzing evidence. Incident response teams often want to acquire all evidence upfront so that business recovery can begin alongside the forensic investigation. The business can also decide what to recover and even go as far as to simply make decision to rebuild the environment from scratch and thus accelerate recovery and eradication.
Section 3.5.2 explicitly calls for creation of a playbook to ensure that evidence handling, incident response and threat eradication take place during appropriate stages of the business cycle. The playbook must manage tradeoffs so that there is no impact on preservation of evidence for compliance and legal purposes.
In addition, Section 3.5.4 mandates that entities “log incident response activities” and “record evidence.” The guidance suggests this should include “time of detection, containment and eradication,” “indicators of compromise,” “root cause” and “actions taken during each phase.” To meet this requirement, organizations must develop procedures that capture this critical information while managing active incidents. Typically, incident response teams already do this when creating a detailed timeline of all activities. Close collaboration between business stakeholders and IR teams is a must for NIS2 compliance.
Looking beyond compliance
While the guidance focuses on meeting technical requirements, organizations that implement these capabilities also gain broader operational benefits. For example, comprehensive logging not only satisfies compliance, but also supports threat hunting and delivers valuable operational insights. With these capabilities, IR teams can review the environment for malicious activities. Enhanced monitoring, especially when automated, can identify security incidents quicker and reduce adversary dwell time.
Structured incident response procedures improve overall operational resilience by ensuring every team member knows what to do and when to act. Talos IR services directly align with these key ENISA Technical Implementation Guidance requirements, helping organizations bridge the gap between current capabilities and NIS2 compliance.
Section 3.2.3 mandates logging across 12 categories of events “where appropriate,” while Section 3.2.6 requires redundant logging systems with synchronized time sources. Talos IR’s Log Architecture Assessment evaluates current logging capabilities against best practices, identifying deficiencies and providing a roadmap to strengthen an organization’s logging posture.
Perhaps the most challenging aspect of the NIS2 is the explicit requirement for “incident response playbooks that incorporate decision making and escalation paths for managing trade-offs between evidence preservation, threat containment and operational continuity.” Talos IR develops customized playbooks that address these competing priorities, giving your team a clear process tailored for each incident type.
Section 3.1.1 requires establishing comprehensive “procedures for detecting, analyzing, containing or responding to, recovering from, documenting and reporting of incidents.” Talos IR helps organizations develop IR plans that reflect their internal processes and operational needs.
Section 3.4.1 requires organizations to assess “suspicious events to determine whether they constitute incidents.” Talos IR provides proactive Threat Hunting and Compromise Assessment services to identify suspicious events before they escalate into major incidents. We look to answer critical questions such as “Am I currently compromised?” or “Is there any evidence of historical compromise?”
Talos IR provides 24/7 incident support to help organizations respond swiftly and effectively during emergencies. Our team engages quickly to understand the situation, address immediate concerns and analyze threats. In addition to deep forensic expertise, Talos IR provides comprehensive root cause analysis and actionable recommendations that transform each incident into an opportunity to strengthen the organization’s security posture.
Every major tech giant touts passkeys as an effective, convenient password replacement that can end phishing and credential leaks. The core idea is simple: you sign in with a cryptographic key that’s stored securely in a special hardware module on your device, and you unlock that key with biometrics or a PIN. We’ve already covered the current state of passkeys for home users in detail across two articles (on terminology and basic use cases and more complex scenarios. However, businesses have entirely different requirements and approaches to cybersecurity. So, how good are passkeys and FIDO2 WebAuthn in a corporate environment?
Reasons for companies to switch to passkeys
As with any large-scale migration, making the switch to passkeys requires a solid business case. On paper, passkeys tackle several pressing problems at once:
Lower the risk of breaches caused by stolen legitimate credentials — phishing resistance is the top advertised benefit of passkeys.
Strengthen defenses against other identity attacks, such as brute-forcing and credential stuffing.
Help with compliance. In many industries, regulators mandate the use of robust authentication methods for employees, and passkeys usually qualify.
Reduce costs. If a company opts for passkeys stored on laptops or smartphones, it can achieve a high level of security without the extra expense of USB devices, smart cards, and their associated management and logistics.
Boost employee productivity. A smooth, efficient authentication process saves every employee time daily and reduces failed login attempts. Switching to passkeys usually goes hand in hand with getting rid of the universally loathed regular password changes.
Lightens the helpdesk workload by decreasing the number of tickets related to forgotten passwords and locked accounts. (Of course, other types of issues pop up instead, such as lost devices containing passkeys.)
How widespread is passkey adoption?
A FIDO Alliance report suggests that 87% of surveyed organizations in the US and UK have either already transitioned to using passkeys or are currently in the process of doing so. However, a closer look at the report reveals that this impressive figure also includes the familiar enterprise options like smart cards and USB tokens for account access. Although some of these are indeed based on WebAuthn and passkeys, they’re not without their problems. They’re quite expensive and create an ongoing burden on IT and cybersecurity teams related to managing physical tokens and cards: issuance, delivery, replacement, revocation, and so on. As for the heavily promoted solutions based on smartphones and even cloud sync, 63% of respondents reported using such technologies, but the full extent of their adoption remains unclear.
Companies that transition their entire workforce to the new tech are few and far between. The process can get both organizationally challenging and just plain expensive. More often than not, the rollout is done in phases. Although pilot strategies may vary, companies typically start with those employees who have access to IP (39%), IT system admins (39%), and C-suite executives (34%).
Potential obstacles to passkey adoption
When an organization decides to transition to passkeys, it will inevitably face a host of technical challenges. These alone could warrant their own article. But for this piece, let’s stick to the most obvious issues:
Difficulty (and sometimes outright impossibility) of migrating to passkeys when using legacy and isolated IT systems — especially on-premises Active Directory
Fragmentation of passkey storage approaches within the Apple, Google, and Microsoft ecosystems, complicating the use of a single passkey across different devices
Additional management difficulties if the company allows the use of personal devices (BYOD), or, conversely, has strict prohibitions such as banning Bluetooth
Ongoing costs for purchasing or leasing tokens and managing physical devices
Necessity to train employees and address their concerns about the use of biometrics
Necessity to create new, detailed policies for IT, cybersecurity, and the helpdesk to address issues related to fragmentation, legacy systems, and lost devices (including issues related to onboarding and offboarding procedures)
What do regulators say about passkeys?
Despite all these challenges, the transition to passkeys may be a foregone conclusion for some organizations if required by a regulator. Major national and industry regulators generally support passkeys, either directly or indirectly:
The NIST SP 800-63 Digital Identity Guidelines permit the use of “syncable authenticators” (a definition that clearly implies passkeys) for Authenticator Assurance Level 2, and device-bound authenticators for Authenticator Assurance Level 3. Thus, the use of passkeys confidently checks the boxes during ISO 27001, HIPAA, and SOC 2 audits.
In its commentary on DSS 4.0.1, the PCI Security Standards Council explicitly names FIDO2 as a technology that meets its criteria for “phishing-resistant authentication”.
The EU Payment Services Directive 2 (PSD2) is written in a technology-agnostic manner. However, it requires Strong Customer Authentication (SCA) and the use of Public Key Infrastructure based devices for important financial transactions, as well as dynamic linking of payment data with the transaction signature. Passkeys support these requirements.
The European directives DORA and NIS2 are also technology-agnostic, and generally only require the implementation of multi-factor authentication — a requirement that passkeys certainly satisfy.
In short, choosing passkeys specifically isn’t mandatory for regulatory compliance, but many organizations find it to be the most cost-effective path. Among the factors tipping the scales in favor of passkeys are the extensive use of cloud services and SaaS, an ongoing rollout of passkeys for customer-facing websites and apps, and a well-managed fleet of corporate computers and smartphones.
Enterprise roadmap for transitioning to passkeys
Assemble a cross-functional team. This includes IT, cybersecurity, business owners of IT systems, tech support, HR, and internal communications.
Inventory your authentication systems and methods. Identify where WebAuthn/FIDO2 is already supported, which systems can be upgraded, where single sign-on (SSO) integration can be implemented, where a dedicated service needs to be created to translate new authentication methods into ones your systems support, and where you’ll have to continue using passwords — under beefed-up SOC monitoring.
Define your passkey strategy. Decide whether to use hardware security keys or passkeys stored on smartphones and laptops. Plan and configure your primary sign-in methods, as well as emergency access options such as temporary access passcodes (TAP).
Update your corporate information security policies to reflect the adoption of passkeys. Establish detailed sign-up and recovery rules. Establish protocols for cases where transitioning to passkeys isn’t on the cards (for example, because the user must rely on a legacy device that has no passkey support). Develop auxiliary measures to ensure secure passkey storage, such as mandatory device encryption, biometrics use, and unified endpoint management or enterprise mobility management device health checks.
Plan the rollout order for different systems and user groups. Set a long timeline to identify and fix problems step-by-step.
Enable passkeys in access management systems such as Entra ID and Google Workspace, and configure allowed devices.
Launch a pilot, starting with a small group of users. Collect feedback, and refine your instructions and approach.
Gradually connect systems that don’t natively support passkeys using SSO and other methods.
Train your employees. Launch a passkey adoption campaign, providing users with clear instructions and working with “champions” on each team to speed up the transition.
Track progress and improve processes. Analyze usage metrics, login errors, and support tickets. Adjust access and recovery policies accordingly.
Gradually phase out legacy authentication methods once their usage drops to single-digit rates. First and foremost, eliminate one-time codes sent through insecure communication channels, such as text messages and email.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-28 16:06:342025-07-28 16:06:34Are passkeys enterprise-ready? | Kaspersky official blog
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-26 12:06:372025-07-26 12:06:37SharePoint under fire: ToolShell attacks hit organizations worldwide
Attackers are using expired and deleted Discord invite links to distribute two strains of malware: AsyncRAT for taking remote control of infected computers, and Skuld Stealer for stealing crypto wallet data. They do this by exploiting a vulnerability in Discord’s invite link system to stealthily redirect users from trusted sources to malicious servers.
The attack leverages the ClickFix technique, multi-stage loaders and deferred execution to bypass defenses and deliver malware undetected. This post examines in detail how attackers exploit the invite link system, what is ClickFix and why they use it, and, most importantly, how not to fall victim to this scheme.
How Discord invite links work
First, let’s look at how Discord invite links work and how they differ from each other. By doing so, we’ll gain an insight into how the attackers learned to exploit the link creation system in Discord.
Discord invite links are special URLs that users can use to join servers. They are created by administrators to simplify access to communities without having to add members manually. Invite links in Discord can take two alternative formats:
https://discord.gg/{invite_code}
https://discord.com/invite/{invite_code}
Having more than one format, with one that uses a “meme” domain, is not the best solution from a security viewpoint, as it sows confusion in the users’ minds. But that’s not all. Discord invite links also have three main types, which differ significantly from each other in terms of properties:
Temporary invite links
Permanent invite links
Custom invite links (vanity URLs)
Links of the first type are what Discord creates by default. Moreover, in the Discord app, the server administrator has a choice of fixed invite expiration times: 30 minutes, 1 hour, 6 hours, 12 hours, 1 day or 7 days (the default option). For links created through the Discord API, a custom expiration time can be set — any value up to 7 days.
Codes for temporary invite links are randomly generated and usually contain 7 or 8 characters, including uppercase and lowercase letters, as well as numbers. Examples of a temporary link:
https://discord.gg/a7X9pLd
https://discord.gg/Fq5zW2cn
To create a permanent invite link, the server administrator must manually select Never in the Expire After field. Permanent invite codes consist of 10 random characters — uppercase and lowercase letters, and numbers, as before. Example of a permanent link:
https://discord.gg/hT9aR2kLmB
Lastly, custom invite links (vanity links) are available only to Discord Level 3 servers. To reach this level, a server must get 14 boosts, which are paid upgrades that community members can buy to unlock special perks. That’s why popular communities with an active audience — servers of bloggers, streamers, gaming clans or public projects — usually attain Level 3.
Custom invite links allow administrators to set their own invite code, which must be unique among all servers. The code can contain lowercase letters, numbers and hyphens, and can be almost arbitrary in length — from 2 to 32 characters. A server can have only one custom link at any given time.
Such links are always permanent — they do not expire as long as the server maintains Level 3 perks. If the server loses this level, its vanity link becomes available for reuse by another server with the required level. Examples of a custom invite link:
https://discord.gg/alanna-titterington
https://discord.gg/best-discord-server-ever
https://discord.gg/fq5zw2cn
From this last example, attentive readers may guess where we’re heading.
How scammers exploit the invite system
Now that we’ve looked at the different types of Discord invite links, let’s see how malicious actors weaponize the mechanism. Note that when a regular, non-custom invite link expires or is deleted, the administrator of a legitimate server cannot get the same code again, since all codes are generated randomly.
But when creating a custom invite link, the server owner can manually enter any available code, including one that matches the code of a previously expired or deleted link.
It is this quirk of the invite system that attackers exploit: they track legitimate expiring codes, then register them as custom links on their servers with Level 3 perks.
As a result, scammers can use:
Any expired temporary invite links (even if the expired link has capital letters and the scammers’ custom URL replaces them with lowercase, the system automatically redirects the user to this vanity URL)
Permanent invite links deleted from servers, if the code consisted solely of lowercase letters and numbers (no redirection here)
Custom invite links, if the original server has lost Level 3 perks and its link is available for re-registration
What does this substitution lead to? Attackers get the ability to direct users who follow links previously posted on wholly legitimate resources (social networks, websites, blogs and forums of various communities) to their own malicious servers on Discord.
What’s more, the legal owners of these resources may not even realize that the old invite links now point to fake Discord servers set up to distribute malware. This means they can’t even warn users that a link is dangerous, or delete messages in which it appears.
How ClickFix works in Discord-based attacks
Now let’s talk about what happens to users who follow hijacked invite links received from trusted sources. After joining the attackers’ Discord server, the user sees that all channels are unavailable to them except one, called verify.
On the attackers’ Discord server, users who followed the hijacked link have access to only one channel, verify Source
This channel features a bot named Safeguard that offers full access to the server. To get this, the user must click the Verify button, which is followed by a prompt to authorize the bot.
On clicking the Authorize button, the user is automatically redirected to the attackers’ external site, where the next and most important phase of the attack begins. Source
After authorization, the bot gains access to profile information (username, avatar, banner), and the user is redirected to an external site: https://captchaguard[.]me. Next, the user goes through a chain of redirects and ends up on a well-designed web page that mimics the Discord interface, with a Verify button in the center.
Redirection takes the user to a fake page styled to look like the Discord interface. Clicking the Verify button activates malicious JavaScript code that copies a PowerShell command to the clipboard Source
Clicking the Verify button activates JavaScript code that copies a malicious PowerShell command to the clipboard. The user is then given precise instructions on how to “pass the check”: open the Run window (Win + R), paste the clipboarded text (Ctrl + C), and click Enter.
Next comes the ClickFix technique: the user is instructed to paste and run the malicious command copied to the clipboard in the previous step. Source
The site does not ask the user to download or run any files manually, thereby removing the typical warning signs. Instead, users essentially infect themselves by running a malicious PowerShell command that the site slips onto the clipboard. All these steps are part of an infection tactic called ClickFix, which we’ve already covered in depth on our blog.
AsyncRAT and Skuld Stealer malware
The user-activated PowerShell script is the first step in the multi-stage delivery of the malicious payload. The attackers’ next goal is to install two malicious programs on the victim’s device — let’s take a closer look at each of them.
First, the attackers download a modified version of AsyncRAT to gain remote control over the infected system. This tool provides a wide range of capabilities: executing commands and scripts, intercepting keystrokes, viewing the screen, managing files, and accessing the remote desktop and camera.
Next, the cybercriminals install Skuld Stealer on the victim’s device. This crypto stealer harvests system information, siphons off Discord login credentials and authentication tokens saved in the browser, and, crucially, steals seed phrases and passwords for Exodus and Atomic crypto wallets by injecting malicious code directly into their interface.
Skuld sends all collected data via a Discord webhook — a one-way HTTP channel that allows applications to automatically send messages to Discord channels. This provides a secure way for stealing information directly in Discord without the need for a sophisticated management infrastructure.
As a result, all data — from passwords and authentication tokens to crypto wallet seed phrases — is automatically published in a private channel set up in advance on the attackers’ Discord server. Armed with the seed phrases, the attackers can recover all the private keys of the hijacked wallets and gain full control over all cryptocurrency assets of their victims.
How to avoid falling victim?
Unfortunately, Discord’s invite system lacks transparency and clarity. And this makes it extremely difficult, especially for newbies, to spot the trick before clicking a hijacked link and during the redirection process.
Nevertheless, there are some security measures that, if done properly, should fend off the worst outcome — a malware-infected computer and financial losses:
Never paste code into the Run window if you don’t know exactly what it does. Doing this is extremely dangerous, and normal sites will never give such an instruction.
Configure Discord privacy and security by following our detailed guide. This will not guard against hijacked invite links, but will minimize other risks associated with Discord.
Use a reliable security solution that gives advance warning of danger and prevents the download of malware. It’s best to install it on all devices, but especially on ones where you use crypto wallets and other financial software.
Malicious actors often target Discord to steal cryptocurrency, game accounts and assets, and generally cause misery for users. Check out our posts for more examples of Discord scams:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-25 11:06:482025-07-25 11:06:48Hijacking Discord invite links to install malware | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you’re probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto the team, but also the passions and hobbies that energize her work. Plus, she offered a sneak peek into what she’s most looking forward to at Black Hat this year! With future Humans of Talos episodes, you’ll get to learn not only about the people behind the research, but the people behind the communications, operations, and design, too.
My team chose to name the series “Humans of Talos” as a cheeky wink to the world of machine learning (ML) and a reminder that no matter how sophisticated our technology gets, it’s always our humanity that makes the difference.
I’m a sci-fi nerd who loves a captive audience, so let’s consider Murderbot from Martha Wells’ “The Murderbot Diaries”(now a TV show starring Alexander Skarsgård). Designed as a security unit with both organic and mechanic parts, self-named Murderbot secretly hacks its own governor module and, instead of turning on humans, spends its free time watching soap operas like “The Rise and Fall of Sanctuary Moon.” So relatable, right? What draws readers in isn’t its technical specs. It’s Murderbot’s dry humor, awkwardness, struggle with newfound autonomy, and the way it wrestles with what it means to care for others (even if it pretends not to). Despite its past, when it was treated as a piece of equipment rather than a living thing, Murderbot is both highly analytical and empathetic. Advanced technology is most powerful when paired with genuine human creativity and insight, and this is a balance we seek every day at Talos.
If cozy, found family sci-fi is more your vibe, take Lovey (aka Sidra) from Becky Chambers’ “A Long Way to a Small, Angry Planet” and “A Closed and Common Orbit.” Originally an AI managing a tunneling spaceship, Lovey is suddenly transferred into a human-like body kit and faces the challenge of living in a world she was never designed for, which is where her story really gets interesting. She has to learn everything from how to move and act to how to build friendships and find her own purpose. Learning to ask for help, make mistakes and trust the people around us is familiar to many of us in the cybersecurity community. No matter how advanced our tools become, it’s our willingness to learn from each other, collaborate and grow together that truly makes us stronger and better at our work.
So while Talos has practically always used ML in our work, I’ll always say that it is nothing without the humans behind it. We all share one mission: protecting our customers.
Tune into the next episode mid-August, and whether you’re streaming “Sanctuary Moon” or finding your place in the universe like Lovey, stay safe and secure out there!
The one big thing
Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) group called Chaos, which is actively targeting organizations worldwide with sophisticated attacks involving phishing, remote management tool abuse, and double extortion tactics.
We assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit (Royal) gang. They use advanced encryption, anti-analysis techniques, and target both local and networked systems for maximum disruption. We believe the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, and the group uses the same name to create confusion.
Why do I care?
Chaos is going after organizations of all sizes across verticals using techniques that can bypass common security measures, steal sensitive data and disrupt business operations. Even if you’re not a direct target, your company could be affected if you work with a business that is attacked, or if similar tactics are used against your sector.
So now what?
Review your organization’s security posture, especially around email, remote access and backup systems. Make sure you’re using multi-factor authentication, keeping software up-to-date and educating employees about phishing and social engineering.
Top security headlines of the week
Microsoft rushes emergency patch for actively exploited SharePoint “ToolShell” bug Malicious actors already have already pounced on the zero-day vulnerability in Microsoft Sharepoint Server, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks. (DarkReading) (Cisco Talos)
Europol sting leaves Russian cybercrime’s “NoName057(16)” group fractured National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia. (DarkReading)
Indian crypto exchange CoinDCX confirms $44M stolen during hack On Saturday, CoinDCX co-founder and CEO Sumit Gupta disclosed in a post on X that an internal account was compromised during the hack. The executive assured that the incident did not affect customer funds and that all its customer assets remain secure. (TechCrunch)
Ryuk ransomware operator extradited to US, faces five years in federal prison Justice Department officials said the operators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies.(CyberScoop)
Can’t get enough Talos?
We have lots of videos to share, so queue them up and let’s get learning!
SnortML in 60 seconds Most detection engines rely on signatures, but when threats evolve or the exploit is brand new, these rules can fall short. Enter SnortML!
Humans of Talos: Hazel Burton Okay, I know I hammered this into you in the intro, but Hazel is a delight to listen to, and she gives a lot of wonderful insights. Watch here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-24 18:07:002025-07-24 18:07:00BRB, pausing for a “Sanctuary Moon” marathon
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.
Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Comdb2 vulnerabilities
Discovered by a member of Cisco Talos.
Three null pointer dereference vulnerabilities exist in Bloomberg Comdb2 8.1. Two vulnerabilities (TALOS-2025-2197 (CVE-2025-36520) and TALOS-2025-2201 (CVE-2025-35966)) are in protocol buffer message handling, which can lead to denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. TALOS-2025-2199 (CVE-2025-48498) is in the distributed transaction component. A specially crafted network packet can lead to a denial of service. An attacker can send packets to trigger this vulnerability.
There are also two denial-of-service vulnerabilities:
TALOS-2025-2198 (CVE-2025-46354) exists in the Distributed Transaction Commit/Abort Operation of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
TALOS-2025-2200 (CVE-2025-36512) exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.
Even with all the new ways we stay in touch, Slack, Teams, DMs, email is still the backbone of business communication. That also makes it one of the easiest ways in for attackers.
A single message with the right subject line or attachment can lead to stolen logins, malware infections, or even full network access. It happens so fast that many employees don’t notice until it’s too late.
Let’s take a closer look at the most common security risks businesses face when it comes to email, and what you can do to avoid falling into those traps.
Why Email is Still a Big Risk for Businesses
For security teams, email is often the most unpredictable part of the attack surface. Firewalls, EDR, and filters help but one convincing message can still get through.
Here are a few reasons why email remains a top security concern:
It’s too familiar: Employees open dozens (or hundreds) of emails a day. One click on a fake invoice or calendar invite is all it takes.
Threats are getting smarter: Attackers use trusted services like SharePoint or QR codes. They design malware that doesn’t trigger alerts.
Some attacks don’t need clicks: Zero-click exploits can launch as soon as the message is previewed.
Traditional tools miss behavior: Filters and antivirus might scan attachments, but they don’t show what the file does once it’s opened.
To reduce risk, businesses need visibility into what’s happening behind the scenes; what gets triggered, what connects where, and what the real intent is.
Sandboxes like ANY.RUN makes that possible. It lets security teams safely detonate suspicious emails and watch every step of the attack before it reaches users or spreads across the network.
Check Out Real Email Attacks That Target Businesses Now
The following real-world cases, captured inside ANY.RUN’s sandbox, show how today’s most common email threats actually unfold. From malware-laced attachments to zero-click exploits, these examples reveal the tactics that put businesses at risk every day.
1. Malware Attachments: A Hidden Threat in Everyday Emails
Malware-laced attachments remain one of the most effective ways for attackers to break into corporate systems. According to Verizon’s 2024 Data Breach Report, more than 50% of successful email-based attacks involved malicious attachments, often disguised as invoices, contracts, or shipping documents. All it takes is one click from a distracted employee.
These files can open the door to data theft, ransomware, and full system compromise.
Here’s a real-world example that shows exactly how this happens, captured in an ANY.RUN sandbox session where the entire attack chain unfolds in front of you.
Suspicious PDF attachment analyzed inside ANY.RUN sandbox
In this analysis, the file is named Rauscher-Fahrzeugeinrichtungen.pdf; harmless enough at first glance. But once opened, it immediately starts reaching out to a phishing page hosted on SharePoint. That’s your first red flag.
Why SharePoint? Because it’s a legitimate Microsoft domain, often trusted by corporate environments. Hosting a phishing link there increases the chance of bypassing security filters and convincing the user to trust it.
Detect threats faster with ANY.RUN’s Interactive Sandbox See full attack chain in seconds for immediate response
Phishing page with malicious attachment hosted on SharePoint
ANY.RUN flags this right away. In the Threats panel, we see it’s marked as “Social Engineering Attempted” and tied to MITRE Technique T1566 (Phishing).
Threat details exposed by ANY.RUN sandbox
Digging deeper, the PDF contains obfuscated JavaScript; a common trick used to hide malicious code from basic scanners. The user doesn’t see anything unusual, but Adobe Acrobat and Microsoft Edge are triggered, opening a fake Microsoft login page. These processes attempt to communicate with external servers and interact with the system in suspicious ways.
Fake Microsoft page used to steal credentials from potential victims
The goal of the attack here is to steal credentials using social engineering and invisible redirections. Everything about this PDF is designed to trick both the user and the security software.
Without a sandbox, this kind of attack is easy to miss. The file looks like a regular PDF, the hosting domain is trusted, and the user doesn’t see anything unusual until it’s too late.
But with ANY.RUN:
Your team sees the entire attack flow in real time
Threats are automatically labeled and enriched with context
2. Credential Theft: When One Click Gives Away Everything
Login credentials are gold for attackers. With the right email and a well-placed link, they can trick employees into handing over usernames and passwords, sometimes without even realizing it.
In fact, spearphishing links (MITRE T1566.002) remain one of the most popular ways to steal credentials, especially those tied to business accounts like Microsoft 365 or Gmail.
Here’s one case from the ANY.RUN sandbox that shows exactly how fast it can happen.
Phishing email with Tycoon 2FA analyzed inside ANY.RUN sandbox
This phishing campaign used a platform called Tycoon 2FA; a tool designed to bypass multi-factor authentication on Microsoft and Google accounts. It all starts with a single malicious link sent via email.
Once the victim clicks the link, the system opens it in the browser, but that’s just the beginning. In the sandbox, we can see multiple Microsoft Edge processes launch one after another, which is already suspicious.
Several Edge processes (msedge.exe) running in parallel, often a sign of automated phishing behavior
Then things get weirder. The sandbox also shows that these processes are modifying browser cache and user data folders, which normally wouldn’t happen during casual browsing.
The system also starts making changes in the registry, a place Windows uses to store settings. This often points to deeper system manipulation.
Registry keys under HKEY_CURRENT_USERSoftwareMicrosoft are being edited silently by the browser; activity that would never happen during normal use.
Eventually, the victim is redirected to a fake Microsoft login page. It looks completely legitimate, but it’s hosted on a malicious domain. If the victim enters their credentials here, the attacker gets immediate access.
Fake Microsoft login page exposed inside interactive sandbox
The sandbox also catches a possible connection to the Tor network, which attackers often use to hide where the stolen data is being sent.
Phishing links like this don’t leave much trace but a sandbox catches what users and filters miss. With ANY.RUN, you see how the attack really works, so you can block it smarter, faster, and for good.
3. Zero-Day Exploits: When Hackers Use the Tools You Haven’t Patched For
Some attacks don’t rely on tricking users; they rely on software flaws that no one even knows about yet. These are zero-day exploits, and they’re dangerous because there’s no fix when they first appear.
One of the most recent examples is CVE-2024-43451, a Windows vulnerability that leaks a user’s NTLMv2 hash; a sensitive authentication value. All it takes is interacting with a specially crafted shortcut file. Just hovering, renaming, or deleting it can silently trigger a connection to a remote server controlled by the attacker.
Once the hash is captured, it can be reused to impersonate the user in a classic pass-the-hash attack, giving intruders a way to move through the network with elevated access.
In this sandbox session, attackers exploit the CVE-2024-43451 vulnerability to launch a malicious HTML file from an .eml email attachment. The user doesn’t need to click a link or run anything manually; just opening the email is enough to trigger the chain.
The attacker sends an .eml email with a zipped attachment that silently triggers system activity when previewed
Microsoft Edge launches instantly and redirects the user to a phishing site, without any additional interaction. This is a textbook example of a zero-interaction phishing attack, where the victim is compromised simply by viewing the message
Inside the sandbox, we also see that the malicious file triggers WinRAR.exe, which in turn executes hidden commands tied to the CVE-2024-43451 vulnerability.
ANY.RUN detects the use of CVE-2024-43451 and flags the process as 100/100 malicious due to scheduled task abuse and registry tampering
But that’s not all. The exploit leads to a silent SMB connection; a network communication that sends the victim’s NTLMv2 hash to an external server. This hash can later be used in pass-the-hash attacks, letting intruders move through a network as if they were the victim.
ANY.RUN shows a successful connection to an external SMB server, exposing a potential corporate privacy violation
This kind of attack is especially dangerous because it doesn’t rely on clicks or user mistakes. It looks like a normal email but behind the scenes, it opens the door to credential theft and internal access.
With ANY.RUN, the entire chain was exposed in under one minute. That kind of speed gives your security team a real advantage, cutting detection time, reducing investigation effort, and preventing costly breaches before they unfold.
Sandbox for Businesses
Boost performance of your SOC with the Enterprise plan designed for SMBs, MSSPs, enterprise companies, and government organizations.
See details
4. Quishing: When a QR Code Becomes the Attack
QR codes have become part of everyday life; menus, logins, verifications. And attackers know it. That’s what makes Quishing (QR phishing) so effective.
Instead of sending a suspicious link, attackers embed a QR code into an email, document, or image. When scanned, it sends the user to a fake website, often mimicking Microsoft 365, voicemail systems, or banking portals, where credentials can be stolen or malware downloaded.
As the code is scanned on a phone, it often bypasses email filters and endpoint protection entirely. Since mobile devices are typically outside the company’s full security stack, they make an easy target.
ANY.RUN sandbox exposing the malicious URL in seconds
In this ANY.RUN sandbox session, the attack comes in the form of an email telling the user they have a voicemail waiting, asking them to scan a QR code to listen.
Malicious URL discovered in the Static discovering section inside ANY.RUN sandbox
Thanks to the sandbox’s automated interactivity, analysts don’t need to manually extract or decode anything. The QR code is scanned automatically, and the URL is uncovered; all in just a few seconds.
That means faster insights, less analyst effort, and a clearer view of where the attack leads, even when the delivery method tries to avoid traditional defenses. For businesses, it’s a smarter way to catch threats that bypass filters and target mobile users directly.
5. CVE-2017-11882: Exploiting a Known Vulnerability in Microsoft Office
CVE-2017-11882 is a remote code execution (RCE) vulnerability in a legacy component of Microsoft Office; the Equation Editor (eqnedt32.exe). This flaw is caused by a stack buffer overflow, which occurs due to improper handling of objects in memory. When exploited, it allows attackers to execute arbitrary code on the victim’s system.
All it takes is for the user to open a specially crafted Office document, typically in .RTF or .DOC format.
Malicious email that triggers the CVE-2017-11882 vulnerability inside ANY.RUN sandbox
In this sandbox session, the malicious payload is delivered via an email containing a .eml attachment. This attachment includes an Office document that exploits CVE-2017-11882 through the Equation Editor.
ANY.RUN identified the exploit within seconds of the document opening, flagging the vulnerable process and its suspicious behavior right away. By catching CVE-2017-11882 so early, teams can reduce mean time to detect (MTTD), avoid time-consuming manual investigation, and respond before the threat spreads.
Exploitation of CVE-2017-11882 through the Equation Editor exposed in the MITRE ATT&CK section of ANY.RUN sandbox
As soon as the victim opens the file, the EQNEDT32.EXE process is triggered, kicking off a series of malicious actions:
Reading system parameters and configurations
Accessing stored certificates and proxy settings
Creating and dropping new files
Establishing connections to external servers
EQNEDT32.EXE modifying security-related system files
Strengthen Your Email Security Before the Next Threat Hits
The above-mentioned attacks are happening right now, in inboxes just like yours. Some rely on tricking users. Others don’t need user interaction at all. And in many cases, traditional defenses simply don’t catch them in time.
This is exactly where ANY.RUN’s sandbox comes in handy. With real-time sandbox analysis, your team can uncover how threats behave, understand their full impact, and stop them before they spread.
Here’s what you gain when ANY.RUN becomes part of your email security workflow:
Faster detection of threats and reduced Mean Time to Detect (MTTD)
Full visibility into what files and links actually do without any guesswork
Immediate access to IOCs for SIEM enrichment and faster response
Less manual effort for analysts, thanks to automated interactivity
Lower risk of breaches, data loss, and business disruption
Shareable, detailed reports for internal teams, clients, or compliance needs
Try ANY.RUN now and take back control of your email security.
About ANY.RUN
ANY.RUN is relied on by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.
Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.
Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-24 13:06:512025-07-24 13:06:51Top Email Security Risks for Businesses and How to Catch Them Before They Cause Damage
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration.
The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery.
Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion.
Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks.
Victimology
The new Chaos has impacted a wide variety of business verticals and seems to be opportunistic without focusing on any specific verticals. Victims have been predominantly in the U.S. and a fewer in the UK, New Zealand and India according to the actor’s data leak site.
Who is Chaos?
Chaos is a relatively new RaaS group that emerged as early as February 2025. The Chaos group is actively promoting their cross-platform ransomware software in the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates. They emphasize that the new Chaos ransomware software is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning — all with a strong emphasis on high-speed encryption and robust security measures.
Additionally, the group provides an automated panel for managing targets and communications, which requires a paid entry fee that is refundable upon the first case of payment. They have also clearly stated in their dark web forum post that they explicitly avoid collaborating with BRICS/CIS countries, hospitals and government entities.
Furthermore, the group is offering an onion URL for potential affiliates to register for an account with the Chaos group and has provided a support email address at “win88@thesecure[.]biz”.
Talos IR observed that the group has been launching big-game hunting and double extortion attacks. Like other operators in the double extortion space, Chaos also runs a data leak site to disclose the stolen data of victims who fail to meet their ransom demands.
Figure 2. Chaos data leak site homepage.
Chaos encrypts the victim’s environment, uses “.chaos” as the file extension for the encrypted files, and drops the ransom note “readme.chaos[.]txt”. In the ransom note, the actor claims that they attempted to perform security testing in the victim’s environment and were successful in compromising it. They also threaten the victims with the disclosure of their stolen confidential data if they fail to pay the ransom amount. The actor does not leave an initial ransom demand or payment instructions in their ransom note but provides instructions to contact them using an onion URL specific to each victim.
Figure 3. Chaos ransom note.
Talos IR observed that the actor demanded a ransom amount of $300K through the victim communication channel and offered two options. If the victim pays the amount, the actor will provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim’s environment. They also assure the victim that the stolen data will not be disclosed and will be permanently deleted, ensuring that they will not conduct repeated attacks.
If the victim fails to pay the ransom, the actor threatens to disclose their stolen data and conduct a distributed denial-of-service (DDoS) attack on all the victim’s internet-facing services, as well as spread the news of their data breach to competitors and clients.
Figure 4. Chaos actor demand.
The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions. Importantly, this new Chaos ransomware gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers. To hide their identity, these threat actors have exploited the confusion within the security community regarding the name “Chaos” and its various variants and associated builder tools. This deliberate obfuscation complicates the identification and mitigation of risks posed by this emerging threat.
Figure 5. Chaos RaaS diamond model.
Recent attack methodologies and notable TTPs
During our investigation of Chaos ransomware attacks, the Talos IR team observed several significant, noteworthy TTPs.
The actor has gained initial access to the victim through social engineering, utilizing phishing and voice phishing techniques. The victim was initially flooded with spam emails, encouraging them to contact the threat actor via a telephone call. When the victim reaches out, the threat actor, impersonating IT security representatives, advises the victim to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor’s session.
Talos IR observed multiple commands executed by the actor in the victim environment to carry out post-compromise discovery and reconnaissance. The actor collects network configuration details, information about the domain controller and trust relationships, logged-in user data, running processes, and performs reverse DNS lookup.
The actor executed scripts and commands to perform the following actions on the victim machine, preparing the environment to download and execute malicious files and connect to the actor’s command and control (C2) server.
The threat actor executes the following PowerShell command to set the working environment on the victim machine.
The actor executes the command on all the compromised machines in the victim’s network to set the Windows delivery optimization for allowing the files to be downloaded from a local server on port 8005 that are greater than 50 MB in size, ensuring the large files are downloaded efficiently from peer servers.
Talos IR observed that the actor has installed RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop streamer on compromised machines to establish persistent connection to the victim network.
The actor executed a command to modify the Windows registry setting to hide a user account from the Windows login screen. By configuring this registry setting the user account still exists and can be used to log in using Remote Desktop Protocol (RDP) or runas, without the username being displayed on Welcome or login screen.
To secure continuous access to the victim machines, the actor also uses net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network.
Talos IR observed that the threat actor executed an “ldapsearch” command remotely on the victim machine through the reverse SSH tunnel and dumped the user details from the active directory to a text file. The actor is likely attempting to steal the credentials of the privileged accounts in the victim’s active directory using the kerberoasting technique, thereby gaining elevated privilege access in the victim’s environment.
Talos IR observed that the actor deletes the PowerShell event logs on the victim machine to evade the security controls, they also attempted to uninstall security or multifactor authentication application on the victim machine using Windows Management Instrumentation Commands (WMIC).
cmd.EXE /c wmic product where name=$MFA_application for Windows Logon x64 call uninstall /nointeractive
Talos IR found that the actor leveraged an RDP client and Impacket, facilitating the command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI) to move laterally in the victim’s network.
During our investigation, we found that the actor used GoodSync, a legitimate and widely used file synchronization and backup software, in the attack to extract the data from the victim’s machine.
The actor has executed a command using a file synchronization or cloud upload tool masquerading as a legitimate Windows executable “wininit[.]exe” to copy data from a network file share to a threat actor-controlled remote cloud storage location.
The command filters files on the victim machine to include only those files modified within the last year and excludes several file types, possibly to avoid large or sensitive files that may trigger detection, including: Adobe Photoshop documents, 7-Zip compressed archives, Microsoft Outlook files, image and audio files, generic database files, log files, temporary files, Hyper-V virtual hard disk files, Microsoft installer packages, executable files, dynamic-link library files, and disc image files.
The actor uses the Windows OpenSSH client to execute a command that establishes a reverse SSH tunnel from the victim machine to the actor’s C2 server with the IP address “45[.]61[.]134[.]36” and the port 443 instead of the default SSH port. The actor also attempted to disable the SSH fingerprint checking by not storing the host key in the “known_hosts” file. We spotted that the actor attempts to set up remote port forwarding, where port 12840 on the remote server is forwarded to port 12840 on the local victim machine.
Talos IR observed during investigation the evidence of the encryption command execution in the victim environment. The ransomware performs selective encryption on the targeted files on the victim machines by encrypting specific portions of the files, enhancing the speed of the encryption. It appends “.chaos” file extensions to the encrypted files on the victim machine.
The new Chaos ransomware represents an encryptor that possesses the ability to encrypt files not only across local resources but also throughout network resources. It employs anti-analysis techniques specifically designed to evade detection, alongside a multi-threaded operation that facilitates rapid encryption. This design is intended for maximum impact on targeted organizations, all while ensuring operational stealth and implementing recovery prevention capabilities.
Talos found a few samples of Windows version of the Chaos ransomware encryptor, which are 32-bit executables that were compiled in February, March and May 2025, indicating the active operations of the Chaos group.
In this section we explain the functionalities of the new Chaos ransomware encryptor used to target Windows machines.
Anti-analysis techniques
The Chaos ransomware implements a multi-layered anti-analysis technique that systematically identifies and evades a range of debugging tools, virtual machine environments, automated sandboxes and security analysis platforms through window enumeration, process monitoring and timing analysis techniques:
Ransomware specifically targets and detects debugging environments by enumerating the window classes and title pattern matching the debugger application window.
It detects virtual machine and sandbox environments utilizing both process enumeration and window class detection techniques.
It detects various security and monitoring tools used for threat and malware analysis using process enumeration.
All these detection evasion techniques are implemented in the ransomware by employing hash-based comparisons against precomputed signatures to avoid storing plaintext tool names that could be detected through static analysis, ensuring the malware immediately terminates execution upon detecting any analysis environment to prevent analysis.
Configuration and initialization
Following a successful evasion, the ransomware parses command-line configuration parameters provided by the operator during the attack. A sample encryption command is shown below:
Selective encryption percentage (‘encrypt_step’ defaulting to 30%)
Operation mode (‘work_mode’ supporting local, network, or local_network combined operations)
Large file handling options (‘ignorar_arquivos_grandes’)
Figure 6. Snippet of the function parsing the encryption configuration command-line parameters.
Simultaneously, the ransomware executes an obfuscated system command that performs shadow copy deletion to prevent file recovery through Windows System Restore. Each character of the command is stored as byte value followed by 0x0E in the binary and is decrypted during execution using the custom algorithm shown in the screenshot.
The decrypted volume shadow copy deletion command is shown below:
cmd.exe /c vssadmin to delete shadows /all
Figure 7. Snippet of the function to decrypt and execute the volume shadow copy deletion command.
Encryption algorithm and process
The ransomware employs hybrid cryptographic techniques utilizing Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for asymmetric operations and AES-256 for symmetric file encryption.
In each execution, the ransomware generates a unique ECC key pair using windows CNG (Cryptography Next Generation), with the private key maintained in memory and the public key exported as ECCPUBLICBLOB format. File-specific encryption keys are derived through ECDH key agreement combined with the operator-controlled 32-byte master key and another key (generated for each encryption iteration), ensuring each file receives a unique encryption key.
Figure 8. Function initializes the cryptographic provider.
Chaos Ransomware handles three different modes of encryption: local, network and local_network (both).
In local encryption mode, the ransomware is configured to encrypt only the targeted set of files on the infected machine. It initiates its attempts by seeking normal access, and in the event of a failure to gain standard access, it elevates its privileges by modifying the security descriptors, followed by executing token impersonation. It accomplishes this by enumerating system processes such as svchost.exe and explorer.exe, subsequently opening process tokens. Through this method, the ransomware impersonates high-privilege security contexts, effectively bypassing file access restrictions on victim machines.
Figure 9. Privilege escalation function of Chaos ransomware.
The ransomware performs recursive directory traversal while skipping system-critical folders and files to prevent system instability while targeting user created documents. Folders excluded for encryption by Chaos ransomware on Windows machines include:
System folders: Windows, boot, system volume information, perflogs
Other files: Icns, lock, nomedia and files without file extensions
Previously encrypted files: *.chaos extension
In the network encryption mode, the ransomware performs network discovery by enumerating local network interfaces, identifying private IP address ranges, generating target lists for all hosts within discovered subnets and connects to discovered machines using SMB, and enumerating and queuing the available network shares for encryption while excluding the administrative shares (ADMIN$, C$ and IPC$). This technique may allow the ransomware to propagate across entire corporate infrastructures, encrypting shared drives, network-attached storage and distributed file systems, significantly amplifying the attack’s impact.
Chaos ransomware performs selective encryption based on the command line configuration parameter “/encrypt_step” specified by the operator during the attack. It calculates specific file offsets for encryption to optimize the encryption speed with complete file corruption. It appends metadata of 60 bytes containing the public key in ECCPUBLICBLOB format and other encryption parameters such as algorithm identifier, key data size to every encrypted file and renames the file extension with the “.chaos” extension.
Figure 10. Snippet of the encryption function initializing “.chaos” file extensions.
Ransom note deployment and clean-up
The ransomware decrypts its ransom note message using a custom XOR cipher with a 25-byte key. It allocates 1310 bytes (0x51E) for the decrypted note in the machine memory and employs complex offset calculations to obfuscate the simple XOR operation. The encrypted data is decrypted in 5-byte chunks using a distinct XOR key pattern from the 25-byte key. The decrypted ransom message is written in the file “readme[.]chaos[.]txt”.
The 25-byte key used for ransom note XOR decryption is:
Figure 11. Snippet of the ransom note decryption function.
After completing encryption, the ransomware executes cleanup procedures, which include worker threads termination, freeing memory buffers, releasing cryptographic resources, cleaning network connections, closing file handles, and terminating the process, ensuring the proper program termination.
Chaos TTPs overlap with BlackSuit (Royal) ransomware
Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members. This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks.
Talos IR observed that the Chaos operator utilizes configuration parameters for the encryption process during the attack, including “lkey”, “encrypt_step”, and “work_mode”. This configuration enables the ransomware to selectively encrypt both local and network resources within the victim’s environment.
A similar encryption technique usage was seen in earlier Royal and BlackSuit ransomware attacks according to the external security reporting. Although the names of the encryption parameters used seemed different, the action remained the same.
The table shows the encryption parameters similarities of the new Chaos and BlackSuit (Royal) ransomware.
Chaos
BlackSuit (Royal)
Purpose
/lkey
-id
32-byte key
/encrypt_step
-ep
Defines the portion / percentage of each targeted file to be encrypted.
/kill_vms
–stopvm
stops virtual machines from running on the target system
The Chaos ransomware ransom note shares a similar theme and structure to Royal/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact.
Figure 12. Ransom note of BlackSuit ransomware. Figure 13. Ransom note of Royal ransomware.
Additionally, Talos observed the similarities in the techniques employed in the Chaos ransomware attacks with that of the BlackSuit ransomware TTPs, as reported in CISA’s StopRansomware advisory for BlackSuit (Royal) ransomware.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please
contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for the threats are:
Snort2: 65125, 65126
Snort3: 301273
ClamAV detections are also available for this threat:
Win.Ransomware.Chaos-10045485-0
Indicators of compromise (IOCs)
IOCs for this threat can be found in our GitHub repository here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-24 10:06:362025-07-24 10:06:36Unmasking the new Chaos RaaS group attacks
