Executive Summary

CRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting Manufacturing and Government organizations across Italy, Finland, and Saudi Arabia.

This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the variety of delivery methods, all vectors leverage a unified commodity loader.

The operation’s sophistication is further evidenced by the use of steganography and the trojanization of open-source libraries. Adding their stealth is a custom-engineered, four-stage evasion pipeline designed to minimize their forensic footprint.

By masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access Trojans (RATs) and Infostealers.

Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors.

Key Takeaways

• Precision Targeting & Geographic Scope: The campaign specifically targets the Manufacturing and Industrial sectors across Europe and the Middle East. The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials.
• Versatile Malware Distribution: The loaders serve as a multi-functional distribution platform. They have been observed delivering a variety of RATs (and information stealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos). This indicates the loader is likely shared or sold across different threat actor groups.
• Steganography & Infrastructure Abuse: To bypass traditional network security, the threat actors hosted image files on legitimate delivery platforms. These images contain steganographically embedded payloads, allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic
• Trojanization of Open-Source Libraries: The actors utilize a sophisticated “hybrid assembly” technique. By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult.
• Four-Stage Evasion Pipeline: The infection chain is engineered to minimize forensic footprint. It employs a high-velocity, four-stage process:
  • Script Obfuscation: To hide initial intent.
• • Steganographic Extraction: To pull the payload from images.
• • Reflective Loading: To run code directly in memory without touching the disk.
• • Process Injection: To hide malicious activity within legitimate system processes.
• Novel UAC Bypass Discovery: A unique User Account Control (UAC) bypass was identified in a recent sample. The malware monitored system process creation events and opportunistically triggered UAC prompts during legitimate launches, tricking the system or user into granting elevated privileges under the guise of a routine operation.

Technical Analysis

To demonstrate the execution flow of this campaign, we analyzed the sample with the following SHA256 hash: c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a.

Initial Infection vector

The campaign begins with targeted phishing emails sent to manufacturing organizations, masquerading as legitimate Purchase Order communications from business partners (see Figure 2).

Extraction of the RAR archive reveals a first-stage malicious JavaScript payload, PO No 602450.js, masquerading as a legitimate purchase order document.

Stage 1: JavaScript and PowerShell execution

The JavaScript file contains heavily obfuscated code with special characters that are stripped at runtime. The primary obfuscation techniques involve split and join operations used to dynamically reconstruct malicious strings (see Figure 3).

The de-obfuscated JavaScript creates a hidden PowerShell process using WMI objects (winmgmts:rootcimv2). It employs multiple obfuscation layers, including base64 encoding and string manipulation, to evade detection, with a 5-second sleep delay (see Figure 4).

Stage 2: Steganographic payload retrieval

The decoded PowerShell script functions as a second-stage loader, retrieving a malicious PNG file from Archive.org. This image file contains a steganographically embedded base64-encoded .NET assembly hidden at the end of the file (see Figure 5).

Upon retrieval, the PowerShell script employs regular expression (regex) pattern matching to extract the malicious payload using specific delimiters (“BaseStart-‘+’-BaseEnd”). The extracted assembly is then reflected in memory via Reflection.Assembly::Load, invoking the “classlibrary1” namespace with the class name “class1” method “VAI”

This fileless execution technique ensures the final payload executes without writing to disk, significantly reducing detection probability and complicating forensic analysis (see Figure 6).

Stage 3: Weaponized TaskScheduler loader

The reflectively loaded .NET assembly serves as the third-stage loader, weaponizing the legitimate open-source TaskScheduler library from GitHub. The threat actors appended malicious functions to the original library source code and recompiled it, creating a trojanized assembly that retains all legitimate functionality while embedding malicious capabilities (see Figure 7).

Upon execution, the malicious method receives the payload URL in reverse and base64-encoded format, along with DLL path, DLL name, and CLR path parameters (see Figure 8).

Stage 4: Process injection and payload execution

The weaponized loader creates a new suspended RegAsm.exe process and injects the decoded payload into its memory space before executing it (see Figure 9). This process hollowing technique allows the malware to masquerade as a legitimate Windows utility while executing malicious code.

The loader downloads additional content that is similarly reversed and base64-encoded. After downloading, the loader reverses the content, performs base64 decoding, and runs the resulting binary using either RegAsm or AddInProcess32, injecting it into the target process.

Final payload: PureLog Stealer

The injected payload is an executable file containing PureLog Stealer embedded within its resource section. The stealer is extracted using Triple DES decryption in CBC mode with PKCS7 padding, utilizing the provided key and IV parameters. Following decryption, the data undergoes GZip decompression before the resulting payload, PureLog Stealer, is invoked (see Figure 10).

PureLog Stealer is an information-stealing malware designed to exfiltrate sensitive data from compromised hosts, including browser credentials, cryptocurrency wallet information, and comprehensive system details. The threat actor’s command and control infrastructure operates at IP address 38.49.210[.]241.

PureLog Stealer steals the following from the victim’s machines:

Category	Targeted Data	Detail
Web Browsers	Chromium-based browsers	Data harvested from a wide range of Chromium-based browsers, including stable, beta, developer, portable, and privacy-focused variants.
	Firefox-based browsers	Data extracted from Firefox and Firefox-derived browsers
	Browser credentials	Saved usernames and passwords associated with websites and web applications
	Browser cookies	Session cookies, authentication tokens, and persistent cookies
	Browser autofill data	Autofill profiles, saved payment information, and form data.
	Browser history	Browsing history, visited URLs, download records, and visit metadata.
	Search queries	Stored browser search terms and normalized keyword data
	Browser tokens	Authentication tokens and associated email identifiers
Cryptocurrency Wallets	Desktop wallets	Wallet data from locally installed cryptocurrency wallet applications
	Browser extension wallets	Wallet data from browser-based cryptocurrency extensions
	Wallet configuration	Encrypted seed phrases, private keys, and wallet configuration files
Password Managers	Browser-based managers	Credentials stored in browser-integrated password management extensions
	Standalone managers	Credentials and vault data from desktop password manager applications
Two-Factor Authentication	2FA applications	One-time password (OTP) secrets and configuration data from authenticator applications
VPN Clients	VPN credentials	VPN configuration files, authentication tokens, and user credentials
Messaging Applications	Instant messaging apps	Account tokens, user identifiers, messages, and configuration files
	Gaming platforms	Authentication and account metadata related to gaming services
FTP Clients	FTP credentials	Stored FTP server credentials and connection configurations
Email Clients	Desktop email clients	Email account credentials, server configurations, and authentication tokens
System Information	Hardware details	CPU, GPU, memory, motherboard identifiers, and system serials
	Operating system	OS version, architecture, and product identifiers
	Network information	Public IP address and network-related metadata
	Security software	Installed security and antivirus product details

Tracing the Footprints: Shared Ecosystem

CRIL’s cross-campaign analysis reveals a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.

This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

This observation is also reinforced by research from Seqrite, Nextron Systems, and Zscaler, which documented identical class naming conventions and execution patterns across a variety of malware families and operations.

The following code snippet illustrates the shared loader architecture observed across these campaigns (see Figure 11).

This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.

UAC Bypass

Notably, a recent sample revealed an LNK file employing similar obfuscation techniques, utilizing PowerShell to download a VBS loader, along with an uncommon UAC bypass method. (see Figure 12)

An uncommon UAC bypass technique is employed in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, thereby enabling the execution of a PowerShell process with elevated privileges after user approval (see Figure 13).

Conclusion

Our research has uncovered a hybrid threat with striking uniformity of tradecraft, uncovering a persistent architectural blueprint. This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

The fact that multiple malware families leverage these class naming conventions as well as execution patterns across is further testament to how potent this threat is to the target nations and sectors.

The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle. Organizations, especially in the targeted regions, should treat “benign” image files and email attachments with heightened scrutiny.

Recommendations

Deploy Advanced Email Security with Behavioral Analysis

Implement email security solutions with attachment sandboxing and behavioral analysis capabilities that can detect obfuscated JavaScript, VBScript files, and malicious macros. Enable strict filtering for RAR/ZIP attachments and block execution of scripts from email sources to prevent initial infection vectors targeting business workflows.

Implement Application Whitelisting and Script Execution Controls

Deploy application whitelisting policies to prevent unauthorized JavaScript and VBScript execution from user-accessible directories. Enable PowerShell Constrained Language Mode and comprehensive logging to detect suspicious script activity, particularly commands attempting to download remote content or perform reflective assembly loading. Restrict the execution of legitimate system binaries from non-standard locations to prevent their abuse in living-off-the-land (LotL) attacks.

Deploy EDR Solutions with Advanced Process Monitoring

Implement Endpoint Detection and Response (EDR) solutions that can detect sophisticated evasion techniques and runtime anomalies, enabling effective protection against advanced threats. Configure EDR platforms to monitor for process hollowing activities where legitimate signed Windows binaries are exploited to execute malicious payloads in memory. Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading and suspicious parent-child process relationships that deviate from normal system behavior.

Monitor for Memory-Based Threats and Process Anomalies

Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading, process hollowing, and suspicious parent-child process relationships. Deploy memory analysis tools to identify code injection into legitimate Windows processes, such as MSBuild.exe, RegAsm.exe, and AddInProcess32.exe, which are commonly abused for malicious payload execution.

Strengthen Credential and Cryptocurrency Wallet Protection

Enforce multi-factor authentication across all critical systems and encourage users to store cryptocurrency assets in hardware wallets rather than browser-based solutions. Implement monitoring for unauthorized access to browser credential stores, password managers, and cryptocurrency wallet directories to detect potential data exfiltration attempts.

Implement Steganography Detection and Image Analysis Capabilities

Deploy specialized steganography detection tools that analyze image files for hidden malicious payloads embedded within pixel data or metadata. Implement statistical analysis techniques to identify anomalies in image file entropy and bit patterns that may indicate the presence of concealed executable code. Configure security solutions to perform deep inspection of image formats, particularly PNG files, which are frequently exploited for embedding command-and-control infrastructure or malicious scripts in covert communication channels.

MITRE Tactics, Techniques & Procedures

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing: Spearphishing Attachment (T1566.001)	Phishing emails with malicious attachments masquerading as Purchase Orders
Initial Access (TA0001)	Exploit Public-Facing Application (T1190)	Exploitation of CVE-2017-11882 in Microsoft Equation Editor
Execution (TA0002)	User Execution: Malicious File (T1204.002)	User opens JavaScript, VBScript, or LNK files from archive attachments
Execution (TA0002)	Command and Scripting Interpreter: JavaScript (T1059.007)	Obfuscated JavaScript executes to download second-stage payloads
Execution (TA0002)	Command and Scripting Interpreter: PowerShell (T1059.001)	A hidden PowerShell instance was spawned to retrieve steganographic payloads
Execution (TA0002)	Windows Management Instrumentation (T1047)	WMI used to spawn hidden PowerShell processes
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	Multi-layer obfuscation using base64 encoding and string manipulation
Defense Evasion (TA0005)	Steganography (T1027.003)	Malicious payload hidden within PNG image files
Defense Evasion (TA0005)	Reflective Code Loading (T1620)	The .NET assembly is reflectively loaded into memory without disk writes
Defense Evasion (TA0005)	Process Injection: Process Hollowing (T1055.012)	Payload injected into legitimate Windows system processes
Defense Evasion (TA0005)	Masquerading: Match Legitimate Name or Location (T1036.005)	Execution through legitimate Windows utilities for evasion
Defense Evasion (TA0005)	Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)	UAC bypass using process monitoring and a user approval prompt
Defense Evasion (TA0005)	Virtualization/Sandbox Evasion: Time-Based Evasion (T1497.003)	5-second sleep delay to evade automated sandbox analysis
Credential Access (TA0006)	Unsecured Credentials: Credentials In Files (T1552.001)	Extraction of credentials from browser databases and configuration files
Credential Access (TA0006)	Credentials from Password Stores: Credentials from Web Browsers (T1555.003)	Harvesting saved passwords and cookies from web browsers
Credential Access (TA0006)	Credentials from Password Stores (T1555)	Extraction of credentials from password manager applications
Discovery (TA0007)	System Information Discovery (T1082)	Collection of hardware, OS, and network information
Discovery (TA0007)	Security Software Discovery (T1518.001)	Enumeration of installed antivirus products
Collection (TA0009)	Data from Local System (T1005)	Collection of cryptocurrency wallets, VPN configs, and email data
Collection (TA0009)	Email Collection (T1114)	Harvesting email credentials and configurations from email clients
Command and Control (TA0011)	Web Service (T1102)	Abuse of Archive.org for payload hosting
Exfiltration (TA0010)	Exfiltration Over C2 Channel (T1041)	Data exfiltration to C2 server at 38.49.210.241

Indicators of Compromise (IOCs)

Indicator	Type	Comments
5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3	SHA-256	Email
c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a	SHA-256	PO No 602450.rar
3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a	SHA-256	Microsoft.Win32.TaskScheduler.dll
bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d	SHA-256	PureLog Stealer
0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914	SHA-256	Zip file contains LNK
917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e	SHA-256	LNK File
hxxp://192[.]3.101[.]161/zeus/ConvertedFile[.]txt	URL	Base64 encoded payload
hxxps://pixeldrain[.]com/api/file/7B3Gowyz	URL	Base64 encoded payload
hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png	URL	PNG file
hxxps://ia801706.us.archive[.]org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64[.]png	URL	PNG file
38.49.210[.]241	IP	Purelog Stealer C&C

References:

https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat

https://www.seqrite.com/blog/steganographic-campaign-distributing-malware

https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/

The post Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns appeared first on Cyble.

Cyble – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

For us in America, we’re in the holiday doldrums and things slow and/or shut down until the new year. At Cisco, we shut down the last week of the year to reset and recharge, and I’ve grown to be quite fond of it. I’ve worked plenty of gigs where there were no holiday breaks, and now that I’m living that dream, I gotta tell ya, it’s a damn civilized way to live if you can get it. 

It’s only natural for us to think on 2025 — what happened to us, what made the news, and with some trepidation (and maybe some hope) what lies in store for 2026. 

I thought I’d summarize the notable things that come to mind for me:

1. Uncovering Qilin attack methods exposed through multiple cases 
   Why this one? Quilin is one of the more aggressive cartels that I see in the ransomware space in 2025. On their dark web site, you can see a very active presence. When Talos crunches the numbers for the 2025 Year in Review, don’t be surprised if you see them at the top of the list as one of the more lucrative criminal cartels. Our blog post on this was outstanding — give it a read! (Also, our banner art is just great, if I do say so myself. Our design team is the best.) I think 2026 will see a heavy ransomware tempo. It is simply just too lucrative for the bad guys. Compounding this is the macro/micro world economy and good old fashioned geopolitical tensions. Everyone hold on tight. 
2. Jaguar Land Rover posts heavy loss after cyber attack 
   As someone who focuses on industrial control security, seeing a manufacturer getting hit so hard resonates with me. It proves the fragility that we see in this space, where operational and information technology mix to fulfill business imperatives, but at a real financial risk.  This will be a case study of financial impacts cyber attacks can have on manufacturing with a heavily targeted vertical because the disruptions are costly and lucrative to ransomware actors. My bet is 2026 will see much more of this. No one wants to be the next Land Rover Jaguar. The bad guys know this, and there’s certainly blood in the water and the sharks have noticed. 
3. Disrupting the first reported AI-orchestrated cyber espionage campaign 
   Anthropic released a first of its kind report on a state-sponsored adversary using Claude to launch a full kill chain campaign against victims. I had a hard time with this report. It felt (and still feels) hyped to a degree. It’s an entirely plausible scenario, and I don’t want to imply it’s misleading! But the report doesn’t show its work. You can certainly see this being real, but it just misses the test for actual substantive intel. Still, it surely does make one wonder how much better AI attacks will get. The space is moving at blazing speed. Who’s to say what 2026 will show us for attacks and defense!

If you celebrate, enjoy the holidays. At the same time, I know this season can feel especially lonely for those of us who are missing loved ones. This year I lost my grandmother, and I am still processing the tremendous grief and loss for someone who helped raise me to be the man I am today. Find the time to spend with others and be kind to yourself. Resist the urge to isolate yourself. Use the holidays to invest in yourself and your health. I believe in you. I’ll see you all in 2026.

The one big thing 

For this end-of-year Talos Takes episode — and Hazel’s last as host — we took a time machine back to 2015 to ask, “What would a defender from back then think of the madness we deal with in 2025?” Alongside Pierre, Alex, and yours truly, we reminisced about our own journeys, then got into the real meat: just how much ransomware has exploded (thanks, “as-a-service” model), why identity is now the main battleground, and how the lines between state-sponsored actors and APTs have blurred to the point of being almost meaningless. 

Why do I care? 

You don’t need me to tell you it’s a different world than it was ten years ago. The ransomware industry is bigger and nastier than ever, and attackers are more organized, more efficient, and more professionalized. The tools (and the stakes) keep changing, but burnout and complexity are constants. If you’re not keeping pace, you’re falling behind, and the attackers aren’t waiting up. 

So now what? 

Don’t panic, and don’t try to win it all alone. Double down on the basics, like identity and access management and keeping tabs on those “service accounts” that keep multiplying. Make sure your team is trained, supported, and has permission to step away from the keyboard once in a while. Don’t get distracted by AI; it is powerful, but it’s not a magic bullet. And maybe most important of all: Take care of yourself and your people. 2026 is going to bring more of the same (and some surprises), but if you stay grounded, curious, and human, you’ll be ready for whatever’s next. 

Top security headlines of the week 

Microsoft: Recent Windows updates break VPN access for WSL users 
This known issue affects users who installed the KB5067036 October 2025 non-security update, released October 28th, or any subsequent updates, including the KB5072033 cumulative update released during this month’s Patch Tuesday. (Bleeping Computer) 

French Interior Ministry confirms cyber attack on email servers 
While the attack (detected overnight between Thursday, December 11, and Friday, December 12) allowed the threat actors to gain access to some document files, officials have yet to confirm whether data was stolen. (Bleeping Computer) 

In-the-wild exploitation of fresh Fortinet flaws begins 
The two flaws (CVE-2025-59718 and CVE-2025-59719 [CVSS score of 9.8]) are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. (SecurityWeek) 

Google to shut down dark web monitoring tool in February 2026  
Google has announced that it’s discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. (The Hacker News) 

Compromised IAM credentials power a large AWS crypto mining campaign 
The activity, first detected on Nov. 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication. (The Hacker News) 

Can’t get enough Talos? 

Humans of Talos: Lexi DiScola 
Amy chats with Senior Cyber Threat Analyst Lexi DiScola, who brings a political science and French background to her work tracking global cyber threats. Even as most people wind down for the holidays, Lexi is tackling the Talos 2025 Year in Review.

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager 
Our analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack. 

TTP: Talking through a year of cyber threats, in five questions 
In this episode of the Talos Threat Perspective, Hazel is joined by Talos’ Head of Outreach Nick Biasini to reflect on what stood out, what surprised them, and what didn’t in 2025. What might defenders want to think about differently as we head into 2026? 

Upcoming events where you can find Talos 

We’ll be back in 2026 — see ya then!

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename:ck8yh2og.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b  
MD5: a8fd606be87a6f175e4cfe0146dc55b2  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b  
Example Filename: 1aa70d7de04ecf0793bdbbffbfd17b434616f8de808ebda008f1f27e80a2171b.exe  
Detection Name: W32.1AA70D7DE0-95.SBX.TG 

Cisco Talos Blog – ​Read More

It’s December — that time of year when we take a pause and look back at how much we’ve achieved. 

If you’re reading this, chances are you’ve shared these wins with us. Maybe you’ve launched one analysis, maybe thousands. Maybe you’ve browsed our Threat Intelligence Lookup daily or just joined us. Anyhow, thanks for being here! 

2025 kept all of us busy for sure. But it also brought a ton of breakthrough studies, insights, and improvements. Let’s glance back at the year and see what we accomplished together — through numbers, stories, and proud moments. 

Milestones We Achieved Together in 2025  

We bet it’s safe to say that no analyst was idle this year, and the numbers support this statement: the total number of analyses launched in ANY.RUN’s Interactive Sandbox across 195(!) countries exceeded 5.7 millions, with 1.1 million threats uncoveredin the process. 

Our most active users this year were based in the US, Germany, UK, and India. Many of them represent big enterprises. In fact, 74 of Fortune 100 companies used our sandbox this year. 

The community overall kept growing: out of 500,000+ users, 81K joined us this year, bringing new insights with them.  

Altogether, ANY.RUN’s users have spent 400,000+ hours in our sandbox — that’s more than 45 years of research! Just imagine how much longer it would take without a solution built for fast and efficient analysis. 

When it comes to what exactly our community analyzed most, there are no surprises: in 2025, phishing continued to reign over the threat landscape. In particular, the most active threat was Tycoon2FA. 

The top suspects among file types were: executables, ZIP archives, PDFs, and emails (EML and MSG). A clear proof of how widespread both file- and email-based malware is. 

But no threat should scare an analyst equipped with strong security solutions. Here are some of the tangible results reported by ANY.RUN’s users in 2025: 

This is a solid proof of the fact that our malware analysis and threat intelligence solutions change SOC workflows for the better. 

Key Sandbox Updates: Driving Malware Analysis Forward 

More Ways to Run Malware 

This year we broadened the sandbox horizons by adding new operating systems to our VM for more flexible and realistic environments. 

For teams tackling mobile threats, we introduced Android support. It gives you the opportunity to upload, interact, and analyze APK files in ANY.RUN’s virtual machine closely replicating a real Android device. Great timing, since mobile threats have been pretty active this year! But more on that below. 

We also added Linux Debian OS, helping you detonate ARM-based threats. Since 2025, you can do full-scale malware built for IoT devices and other ARM systems in ANY.RUN’s Interactive Sandbox. 

Thanks to these and other updates, our sandbox became even more universal and useful for faster, deeper, and more reliable analysis. 

Deep Analysis Made Simple 

When it comes to malware analysis, it’s not always clear where to start, as threats get increasingly more complex and evasive. To simplify the process of uncovering them, we came up with Detonation Actions — hints that guide you through the analysis in our ANY.RUN Sandbox as you search for hidden threats. 

Another feature we added solves one of the most time-consuming parts of detection: rule creation. Now our sandbox is equipped with AI Sigma Rules that reveal the logic behind threat behavior while saving manual effort. Just copy them to your SIEM, SOAR, or EDR for smooth deployment. 

Threat Intelligence Lookup: Data Solving Real-World Challenges 

In 2025, our users made almost 195k requests in Threat Intelligence Lookup in search of actionable insights and verified indicators. Tycoon topped the list as the most searched malware. 

Thanks to our global community, we have access to a rich collection of fresh, verified, ready- and safe-to-use data. It would be a shame not to share it with the world, right? 

So, an important step we took this year to make TI Lookup more accessible. Namely, we introduced the Free plan, giving everyone the opportunity to enrich threat research with 100% verified context at no cost. It’s a perfect way to tap into quality intel and see it bring tangible results. 

We also supported knowledge exchange by launching TI Reports, analyst-driven articles covering APTs, campaigns, and emerging threats. Each report comes with IOCs and queries for a deeper dive. 

Finally, in 2025 we boosted threat monitoring capabilities of our users with Industry & geo threat landscape. It shows exactly how a given threat or indicator relates to sectors and countries — a real live-saver for those drowning in alerts with no context.  

Threat Intelligence Feeds: Always Fresh and Relevant 

Throughout 2025, Threat Intelligence Feeds grew both in terms of data and interoperability. It was powered by constant data updates coming from over 15K SOC teams, which guarantee that TI Feeds always remain on point. 

The STIX/TAXII integration made the delivery of fresh, real-time data more efficient. And newly added integrations like ThreatQ + TI Feeds connector brought live, behavior-based malware for better prioritization and contextualization of indicators. 

Expanding Our Reach with New Integrations & Connectors 

Our goal is to make your workflow smoother and more efficient, simplifying daily tasks and automating what’s possible. One of the steps we took in this direction is the launch of SDK, which makes it easy to connect our solutions with tools you’re already using. 

We also released a lot of ready-to-use integrations, such as: 

• Palo Alto Networks Cortex XSOAR: Available for all three ANY.RUN’s products, it helps automate investigation and response. 

• Microsoft Sentinel & Microsoft Defender: Integrate sandbox and TI Feeds with your Microsoft solutions for fast and confident decision-making. 

• IBM Security QRadar SOAR: Turn alert noise into actionable conclusions without leaving your SOAR by integrating it with ANY.RUN sandbox and TI Lookup. 

These and other integrations and connectors support your work without disrupting the way you already operate. 

Catching What Others Miss 

In 2025, ANY.RUN was the first to uncover multiple campaigns and malware families, giving a head start to the entire cybersecurity community. Let’s recap the most notable cases: 

Salty 2FA

A newly discovered PhaaS framework that quickly raised to the level of major phishing kits in today’s threat landscape. Its ability to distribute payloads at scale, intercept 2FA authentication methods, and complex communication models ensured that. 

Android Threats 

Some of the recently occurred threats were Android-based, and we were able to break them down in detail and analyze their behavior in our sandbox. 

• Salvador Stealer, an Android banking malware revealed in April 2025. By disguising itself as a legitimate app, it phishes critical personal and financial data — a clear example of how mobile malware continues to evolve and blend into everyday user environments.  

• Pentagon Stealer, a relatively simple threat that quickly grew into a persistent, versatile, and widespread data-stealing malware. 

Tykit

In October we took a closer look at Tykit, a credential-stealing malware. It might not reinvent phishing per se but clearly demonstrates how a tiny loophole in a defense system can lead to significant real-world impact. 

Salty2FA & Tycoon2FA: A Hybrid Threat

We ended the year with a detection of a hybrid cross-kit malware Salty2FA & Tycoon2FA. It combines two phishing frameworks, multiplying the dangers of both. 

ANY.RUN Recognized by Industry and Community 

2025 brought us a handful of awards, indicating recognition and acclaim in the industry, for which we’re super grateful. 

What we appreciate more than anything, however, is our community. Every nomination, vote, and kind word reflect your trust — a big thank-you to everyone involved! 

Our Most Influential Reports 

Alongside TI Reports you can find in TI Lookup, we regularly share technical analyses on our blog. 2025 was no exception. We published many nuanced studies of both newly discovered and evolved threats. 

• April brought a surge inactivity around PE32 Ransomware, a Telegram-based encryptor. Our in-depth breakdown highlights how even unsophisticated ransomware can pose a very real danger. 

• In July we covered DEVMAN, a malware sample tied to the DragonForce ransomware lineage but standing out with unique behaviors and identifiers. 

• Later the same month we analyzed Ducex packer, an advanced tool used to conceal Android malware payloads. An increase in its activity highlights the escalating arms race between threat actors and security teams. 

• Finally, in December we took an unprecedented look inside Lazarus Group’s North Korean IT workers infiltration scheme, capturing actors live inside controlled ANY.RUN environments and documenting their activities. 

These and other reports by ANY.RUN are a testament to how interactive sandboxing and knowledge exchange makes analysis sharper and the entire community stronger. 

Spoiler Alert: What to Look Forward to in 2026 

We’ve grown a lot this year and we’re not planning to stop. Here’s a peek into what we’re working on and what you can expect from ANY.RUN in the coming year: 

• Enhanced teamwork mode for efficient collaboration inside SOCs. 
• Refined reporting, including new types of text reports, industry-focused prioritization, security recommendations, improved AI Summaries, and auto-generated YARA rules. 
• Enrichment of sandbox detections with relevant threat intelligence data. 
• Improved detection quality with features like SSL decryption without MITM, in-browser data inspection, and AI-powered analysis. 
• Expanded analysis options for Enterprise users, including MacOS and Windows Server support in VM. 

Conclusion 

Everything’s changing — threats, TTPs, security measures… But our goal stays the same: to make malware analysis and threat investigations faster, easier, and smarter. 

Thanks for analyzing, researching, experimenting, and growing together with us. Every contribution, insight, and a bit of feedback brings us closer to a more secure future. 

Have alert-free holidays and stay safe in 2026!  

About ANY.RUN

ANY.RUN supports over 500,000 cybersecurity professionals around the world. Its Interactive Sandbox makes malware analysis easier by enabling the investigation of threats targeting Windows, Android, and Linux systems. ANY.RUN’s threat intelligence solutions—Threat Intelligence Lookup and TI Feeds—allow teams to quickly identify IOCs and analyze files, helping them better understand threats and respond to incidents more efficiently.

Start a 2-week trial of ANY.RUN’s solutions → 

The post Year in Review by ANY.RUN: Key Threats, Solutions, and Breakthroughs of 2025  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

·       Cisco Talos recently discovered a campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).

·       We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.

·       As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell” accompanied by additional tooling meant for reverse tunneling and purging logs.

·       Our analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.

---

Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos’ analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.

The Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Web Security Appliances (WSAs), offering centralized services such as spam quarantine, policy management, reporting, tracking, and configuration management to simplify administration and enhance security enforcement.

Customers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here.

Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks. Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.

 

AquaShell

AquaShell is a lightweight Python backdoor that is embedded into an existing file within a Python-based web server. The backdoor is capable of receiving encoded commands and executing them in the system shell. It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.

AquaShell is delivered as an encoded data blob that is decoded and ultimately placed in “/data/web/euq_webui/htdocs/index.py”.

The result of decoding the data blob is the Python code that constitutes the AquaShell backdoor. AquaShell parses the HTTP POST request, decodes it using a combination custom algorithm and Base64 decoding and executes the resulting commands on the appliance.

AquaPurge

AquaPurge removes lines containing specific keywords from the log files specified. It uses the “egrep” command  to filter out (invert search) all content that doesn’t contain the keywords and then simply commits them to the log files:

AquaTunnel

AquaTunnel is a compiled GoLang ELF binary based on the open-source “ReverseSSH” backdoor. AquaTunnel creates a reverse SSH connection from the compromised system back to an attacker‑controlled server, enabling unauthorized remote access even when the system is behind firewalls or NAT.

Chisel

Chisel is an open‑source tunneling tool that supports creating TCP/UDP tunnels over a single‑port HTTP‑based connection. Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment.

Coverage and remediation

Recommendations for Cisco customers are available here. If your organization does find connections to the provided actor Indicators of Compromise (IOCs), please open a case with Cisco TAC.

All IOCs, including IPs and file hashes determined to be associated with this campaign have been blocked across the Cisco portfolio.

 

IOCs

 

The IOCs can also be found in our GihtHub repository here.

AquaTunnel

2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

 

AquaPurge

145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca

 

Chisel

85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc

  

172[.]233[.]67[.]176

172[.]237[.]29[.]147

38[.]54[.]56[.]95

Cisco Talos Blog – ​Read More