We are proud to announce that ANY.RUN has earned the title of Momentum Leader and ranked #1 in the Relationship Index in the latest G2 Summer Reports. Reflecting real security teams’ actual experience, these rankings once again prove how critical ANY.RUN’s solutions are for daily SOC operations in modern enterprises. 

Why ANY.RUN’s Momentum Leader Title Matters for Your Team 

G2 awards the Momentum Leader spot to companies that show high growth and strong market resonance. They calculate this score by looking at real customer feedback and how quickly teams are adopting the solution. 

Modern SOCs often deal with high alert volumes and evasive attacks that beat traditional defenses. The ranking shows that more security teams are choosing ANY.RUN as a better way to respond to these challenges and detect malware & phishing early.  

When an analyst can clearly see what a suspicious file or link is doing in real-time, they stop guessing and start taking action. This speed directly improves both security metrics like MTTR and overall business security, helping prevent incidents, downtime, and financial losses. 

Building Strong Relationships Through Usability 

G2 also awarded ANY.RUN with the title of a #1 Malware Analysis Vendor in the Relationship Index, demonstrating customers’ high regard for our products’ usability, support, and overall reliability over time. 

As noted by ANY.RUN CEO, we aim to provide “a burnout-free environment SOC teams actually want to return to”. Recognition by G2 shows that we deliver on our vision by creating a consistent experience for everyone on the client’s team: 

• Tier 1 analysts use ANY.RUN’s products to reach accurate threat verdicts faster. 

• Tier 2/3 professionals save time on routine tasks so they can focus on deep, complex investigations. 

• CISOs, Heads of SOC, and other security leaders see more stable performance across different shifts and a significant risk reduction for the company. 

Stronger Results for Modern Security Operations 

When SOC and MSSP teams use ANY.RUN’s malware analysis & threat intelligence solutions, they get full context on files, URLs, IOCs, IOAs, and IOBs for fast and confident decisions. 

The clarity ANY.RUN provides, reduces uncertainty and leads to measurable improvements in security posture: 

• Accelerated Triage and Detection: Direct observation lets teams move from uncertainty to action fast, lowering investigation time and operational costs. 

• Immediate Confirmation of Business Exposure: Instant visibility helps leaders understand threat impact earlier and prevent successful breaches. 

• Enhanced SOC Efficiency and Stability: ANY.RUN supports decision-making across tiers, enabling consistent quality of investigations and reduced operational friction. 

• Comprehensive Multi-Platform Analysis: Broad visibility across Windows, macOS, Linux, and Android environments provides the exact execution context needed for precise, enterprise-scale incident response. 

• Secure and Controlled Investigations: Private analysis, SSO, and team-based access let teams collaborate within shared workflows without compromising investigation security. 

Conclusion 

At the end of the day, a successful SOC needs three things: speed, clarity, and consistency. The recognition from G2 confirms that ANY.RUN empowers teams to achieve those goals.  

We help SOC professionals understand threats earlier and make confident decisions even under pressure. We are excited to keep building solutions that reduce risk and make security operations more efficient. 

About ANY.RUN 

ANY.RUN develops cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows. The company’s mission is to deliver fast threat understanding and confident incident response. 

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.  

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection. 

The post Leader in Malware Analysis: ANY.RUN Named Top Vendor in G2 Summer 2026 Awards appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Based on 2,101,483 malware and phishing investigations from Q1 2026, ANY.RUN‘s Cyber Risk report provides a real-world view of modern attack trends. 

It covers trending malware families, TTPs, and other technical observations, while also delivering executive insights CISOs and SOC teams can use to connect attacker behavior to business risk. 

Combining data-backed malware trends with strategic guidance for security leaders, the report reveals critical gaps in detection, response, and visibility that directly impact business resilience, and outlines solutions organizations can use in their defense strategy. 

Explore the full report to discover seven key cyber risk trends, their strategic implications, and the security priorities organizations should consider for Q2 2026. 

What the Data Shows 

• Early-stage compromise is an overlooked risk: Loader-based attacks nearly doubled, highlighting the expanding role of these tools used for initial compromise in organizations. 

• Identity remains a primary target: A 14.7% increase in credential theft activity shows that attackers prioritize gaining valid credentials that allow them to operate in a low-noise way. 

• Trusted tools are increasingly weaponized: For instance, LOLBAS attacks leveraging JavaScript rose by 58.4%. 

• Detection and attribution are becoming more challenging: The growing popularity of credential abuse and trusted tool exploitation makes behavior-based monitoring and anomaly investigation increasingly important. 

The full report expands these and other threat intelligence insights, including trending malware families and attack vectors, as well as the evolving nature of modern cyber risk and its strategic implications for Q2 2026, supported by data and actionable recommendations. 

The Growing Cost of Delayed Response 

One of the clearest messages from ANY.RUN’s Q1 2026 Cyber Risk report is that defenders have less time than ever to detect and respond. 

Median times such as 21 seconds to persistence establishment and 16 seconds to Living-off-the-Land (LOTL) execution using native system tools prove that the window between initial compromise and attackers foothold continues to shrink. 

In this environment, speed and certainty in investigations become a key advantage for security teams. Establishing early threat detection and rapid investigation flow is what allows successful SOCs to act before incidents escalate to financial impact. 

This is where enterprise-scale malware analysis and threat intelligence solutions become critical. By providing faster visibility into attack behavior, the help reduce investigation time, accelerate decision-making, and ultimately limit the business impact of security incidentsthrough early detection and response. 

Give Your SOC the Threat Visibility It Needs with ANY.RUN 

ANY.RUN gives security leaders stronger control. With malware analysis and threat intelligence solutions get in-depth threat visibility, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and fast validation of threats without losing visibility or control.  

With these capabilities, enterprise teams can:  

• Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time.  

• Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved.  

• Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access.  

• Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history.  

• Strengthen detection coverage to connect related infrastructure, IOCs, and attack patterns.  

• Support enterprise-scale response with analysis across major operating systems. 

About ANY.RUN 

ANY.RUN provides cybersecurity solutions that help organizations strengthen security operations and respond to threats with greater speed and confidence. The company’s mission is to enable security teams to understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows. 

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection. 

ANY.RUN is SOC 2 Type II attested, demonstrating its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, ANY.RUN helps reduce investigation uncertainty, accelerate triage, and transform threat analysis into actionable intelligence. 

The post Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

According to global research, the market share of highly automated, driverless vehicles is growing rapidly. Analysts estimate that the next 10 to 15 years will mark a major shift from pilot projects to the mass adoption of autonomous transport. The momentum is building worldwide: Europe has already rolled out over 35 autonomous vehicle pilots, while the U.S. and China log more than 450 000 and 250 000 commercial trips per week, respectively. However, the report notes several roadblocks slowing down this progress. One such hurdle is the uncertainty surrounding legal liability and regulation, including in the areas of safety and security. The allocation of responsibility among suppliers, manufacturers, enterprise clients, and end users remains a major point of discussion.

Each market stakeholder sees the issue of ensuring the safety of autonomous vehicles differently. For automakers, it means taking responsibility for how a vehicle behaves on the road and for vetting their suppliers. For the suppliers themselves, it means designing security mechanisms directly into their solution architecture from day one and guaranteeing their adequacy. For insurance companies, it means completely overhauling their risk models to account for not just accidents, but also potential software glitches and cyberattacks. Ultimately, everyone agrees on one fundamental point: security must be a foundational feature of the vehicle — not an optional add-on.

Ensuring vehicle security in the modern era

For years, discussions around automotive safety focused strictly on functional safety. In other words, the goal was to ensure that vehicle systems operated correctly, and that risks associated with potential failures were fully mitigated or reduced to an acceptable level. The ISO 26262 standard “Road vehicles — Functional safety” helps address this very challenge, and serves as the baseline for the automotive industry.

However, the modern connected vehicle is a complex cyberphysical system that stores and processes massive amounts of data, including sensitive information. And this leads to the emergence of new basic needs. To draw an analogy with two levels of Maslow’s hierarchy of needs, a modern vehicle must:

• Satisfy the need for “esteem” — meaning it must securely and reliably store user profile data, such as account credentials, biometric data, payment details, and more.
• Satisfy the user’s cognitive needs — meaning it must provide secure internet connectivity, transmit vehicle telemetry, and send reminders for scheduled or emergency maintenance.

All of this means equipping vehicles with a wide array of interfaces — telematics, Bluetooth, Wi-Fi, cellular connectivity, OTA updates, and V2X — which opens the door to remote attacks. Therefore, it becomes necessary to ensure not only the functional security, but also the information security of the vehicle. As a result, specialized industry standards that help address automotive cybersecurity challenges have emerged in most countries. The key international standards are ISO/SAE 21434 “Road vehicles — Cybersecurity engineering”, UNECE R155, and UNECE R156.

China’s regulations are evolving too. In 2024, the country published the national standard GB 44495-2024 “Technical Requirements for Vehicle Cybersecurity”, which went into effect on January 1, 2026. The document introduces mandatory cybersecurity requirements for vehicles, including communications protection, security event management, threat monitoring, and secure vehicle interaction with external infrastructure.

Understanding and applying these standards is becoming absolutely critical. Research shows that cybersecurity risks are escalating daily, and their impact on functional safety can sometimes trigger far more dangerous incidents than an internal system failure. What happens if an attacker gains access to a self-driving truck’s remote-control system, or manages to reflash a critical electronic control unit during an unauthorized diagnostic session?

One of the key components for mitigating these scenarios is a security gateway, which isolates the vehicle’s architecture into different domains based on criticality, while providing secure routing, filtering, and traffic control. Developing this type of software solution is precisely what our team focuses on as we build the Kaspersky Automotive Secure Gateway based on KasperskyOS.

Why Kaspersky Automotive Secure Gateway?

The primary purpose of Kaspersky Automotive Secure Gateway (KASG) is to secure the vehicle’s CAN domain, since the CAN bus is used to transmit a vast number of critical control commands. This impacts nearly 80% of the electronic control units inside the car, which handle engine management, braking, body electronics, and more. Because of this, we utilize the Safety-Aware Cybersecurity approach — a unified architecture that accounts for both functional safety and cybersecurity requirements.

For example, standard End-to-End Protection (E2E) mechanisms are typically used to mitigate risks associated with dropped, out-of-order, or corrupted CAN messages. However, these mechanisms were not originally designed to counter targeted cyberattacks. If an attacker manages to construct a malicious frame that conforms to the required E2E format, the system may accept it as valid.

This introduces a new factor: it’s critical not only to verify that a message was delivered without errors, but also to ensure that it was actually generated by a trusted electronic control unit (ECU), and was not altered in transit. This is particularly vital for transmitting control commands — such as those sent to the vehicle’s braking system — or for implementing keyless entry (NFC) systems.

To address that challenge, Secure Onboard Communication (SecOC) mechanisms are integrated into the vehicle’s architecture. They use cryptographic methods to verify message authenticity and integrity, protecting the system against message spoofing and replay attacks. KASG successfully implements these mechanisms, which, in addition to message verification, perform the crucial function of centralized key management. This allows encryption keys to be distributed and updated from a single point within the vehicle, reducing both the cost and the processing load on the ECUs involved in SecOC-backed data exchange.

Automotive IDS

However, in complex systems, it’s no longer enough to apply security mechanisms only to individual messages or separate network segments. It’s essential to provide vehicle-wide monitoring and control, tracking behavioral anomalies, unusual cross-domain interactions, and unauthorized tampering attempts. In the IT domain, this is known as an Intrusion Detection System (IDS). These systems have been successfully adopted by the automotive industry as well.

At the same time, it’s important to realize that for a modern vehicle, an IDS is not a single magic point of data collection and analysis; the vehicle requires a distributed monitoring system. Monitoring is carried out at various architectural levels: within domains, at the individual controller level, and at network boundaries.

The security gateway becomes a critical monitoring point because all cross-domain interaction passes through. Additionally, the gateway provides visibility into data exchange across different segments of the vehicle network. Its job is to detect deviations from normal behavior and generate security events.

When it comes to the CAN domain monitoring implemented in KASG, the IDS looks at the following criteria for traffic analysis:

• Alignment of CAN message parameters (CAN ID, DLC) with their descriptions in the DBC specification.
• Frequency and periodicity of CAN messages.
• Allowable ranges for CAN signals.

In practice, however, an important limitation becomes clear: even with an onboard IDS, more context is required to determine the exact characteristics of an attack. Furthermore, when operating highly automated vehicles — where fleet-wide monitoring is essential — such isolated analysis becomes inherently insufficient.

Connecting a vehicle to an SIEM

Multi-object monitoring, data correlation, and data analysis can be efficiently handled externally — specifically in SIEM (Security Information and Event Management) systems, which are traditionally used in corporate and industrial cybersecurity operations centers. Therefore, utilizing a SIEM system fleet-wide is a logical step that makes it possible to:

• Collect security events from multiple vehicles.
• Correlate events over time and across contexts.
• Detect advanced and distributed attacks.
• Provide incident auditing and investigation.
• Respond to individual incidents and manage cyber-risks fleet-wide.

When integrating with external SIEM systems, several critical tasks must be addressed: ensuring a secure connection, tuning the security event transmission process, and establishing baseline rules for event processing and correlation. We are actively working through all of these challenges using our own SIEM system — Kaspersky Unified Monitoring and Analysis Platform — as a blueprint.

There are still many issues ahead that need to be resolved. This article covered only a fraction of the approaches currently used in KASG to ensure vehicle safety and security. Yet even this small part demonstrates that automotive security cannot be achieved by solving a single problem or applying a single mechanism. Achieving it requires an approach that enables methodical architecture development — balancing diverse requirements for vehicle functionality, security, and reliability.

Kaspersky official blog – ​Read More

A previously unidentified cyberattack is quietly spreading through US businesses — and most security tools are not catching it. Researchers at ANY.RUN have identified a new backdoor called JS.MonoGlyphRAT, an advanced piece of malware delivered as an ordinary-looking JavaScript file disguised as a purchase order, quote, or business proposal. Once an employee opens the file, the attacker gains silent, persistent access to the company’s systems.

This threat is currently active and primarily targeting organizations in the United States, with victims confirmed across the technology sector, managed security service providers (MSSPs), telecommunications, and education. It has also been observed in Germany, Sweden, Australia, and several other countries.

The financial consequences can quickly escalate beyond incident response costs. Organizations may face operational downtime, regulatory penalties, contractual liabilities, lost business opportunities, reputational damage, and increased cyber insurance expenses. Because MonoGlyphRAT functions as a loader capable of delivering additional malware, even a seemingly minor infection can become the first step toward a large-scale breach with significant business impact.

Key Takeaways

• It is actively targeting US businesses. JS.MonoGlyphRAT is an operational threat, with confirmed victims in the US technology, MSSP, and telecom sectors, delivered via convincing sales-themed phishing lures.
• Most security tools are blind to it. The malware is currently classified as ‘Unknown malware’ on VirusTotal and ThreatFox. Standard signature-based antivirus provides little to no protection.
• It is designed for persistence and deep access. The RAT establishes a permanent foothold via the Windows registry, runs silently in the background, and can pivot to download ransomware, exfiltrate data, or deploy further stages.
• The attack begins with a single click. Employees in procurement, sales, and finance are the primary targets. A .js file disguised as a purchase order or quote is all it takes to compromise a machine.
• The financial exposure is real and immediate. From ransomware deployment to data breach fines and incident response costs, a successful compromise can cost a mid-sized US business millions of dollars — plus reputational damage that is harder to quantify.
• Behavioral detection is the key defense. The malware’s most reliable detection artifacts are behavioral: unusual wscript.exe activity, PowerShell chains launched from a user directory, suspicious registry writes, and HTTP beaconing to non-standard ports. Hunt for these patterns actively.
• ANY.RUN detects and analyzes this threat in real time. ANY.RUN’s Interactive Sandbox first identified and documented JS.MonoGlyphRAT, providing full behavioral analysis, C2 traffic capture, and MITRE ATT&CK mapping. The ANY.RUN Threat Intelligence suit allows defenders to query related IOCs — including C2 IPs, domains, URI patterns, and Suricata rule IDs — to proactively hunt for this threat across their environments. Organizations using ANY.RUN can analyze suspicious .js files in seconds before they reach endpoints, dramatically reducing the window of exposure.

What This Attack Means for Your Business

JS.MonoGlyphRAT is not a smash-and-grab attack. It is designed for persistence — staying hidden on infected machines for as long as possible while giving attackers full remote control. The financial consequences for affected organizations can be severe and varied:

• Ransomware deployment: The malware can silently download and execute ransomware or other destructive payloads, potentially locking businesses out of critical systems and demanding seven-figure ransoms.
• Data theft and regulatory fines: Attackers can exfiltrate sensitive data — customer records, financial information, intellectual property — triggering GDPR, HIPAA, or SEC disclosure obligations and associated penalties.
• Business email compromise (BEC) and fraud: With full access to an employee’s machine, attackers can pivot to email systems and initiate fraudulent wire transfers or supplier fraud.
• Operational disruption: A compromised endpoint in a network operations center or a managed service provider can cascade into downtime for dozens of downstream clients.
• Incident response costs: The average cost of a data breach in the US exceeded $9.4 million in 2024. Detection, containment, forensics, legal counsel, and notification alone typically run into hundreds of thousands of dollars.
• Reputational damage: Clients who learn their MSSP or technology vendor was compromised often terminate contracts, compounding the financial blow.

Because this malware cluster is currently unattributed in public threat intelligence feeds (flagged only as ‘Unknown malware’ on VirusTotal and ThreatFox), standard signature-based antivirus provides little protection. Behavioral detection and sandbox analysis are essential to identify and stop it.

Technical Analysis of a WSH/JScript Backdoor with Monoglyph Obfuscation and PowerShell Stagers

During analysis of Generic clusters of tracked activity, researchers identified an obfuscated JScript sample executed via Windows Script Host (WSH).

The malware uses a distinctive monoglyph obfuscation technique for identifiers: variable and function names are constructed from repeated characters in mixed case (e.g., IiIiIiIiiIII, KkkKKKkKkK, and so on), making the code difficult to read and hampering static analysis.

This cluster has not been publicly identified. In open threat intelligence sources, related samples are classified as unknown malware: ThreatFox marks one of the C2 addresses as ‘Unknown malware’ with threat type ‘payload delivery’, while VirusTotal shows Malicious activity (29/59 detections) but no specific family name.

For tracking purposes, ANY.RUN researchers have designated this cluster JS.MonoGlyphRAT, named after the monoglyph identifier obfuscation method (IiiIIii…, KkkKkKk…, etc.).

The malware implements persistent RAT/loader functionality running on the JS/WScript platform. It achieves persistence via the HKCU Run registry key, collects system and process information via WMI, communicates with its C2 server over HTTP, receives commands through control headers, launches AES-encrypted PowerShell stagers, and supports file execution, remote shell access, payload download, and self-update.

Delivery Vector & Victimology

Based on filenames submitted to the sandbox, the presumed delivery vector is social engineering (phishing with malicious JS attachments) using sales-themed lures: purchase orders, requests for proposals (RFPs), requests for quotations (RFQs), and similar documents.

Sample filenames observed:

• PURCHASE ORDER_12258.js (Analysis session: https://app.any.run/tasks/e39d92e9-a8c3-4c71-8009-2087847fb669/)
• QUOTE_B2026.js (Analysis session: https://app.any.run/tasks/0bd61201-efaf-4b40-ae7b-4af1042a3d17/)
• CKML220066 – MSRS no. 812399.js (Analysis session: https://app.any.run/tasks/8b78c1a7-119b-4980-8639-7756e9bc3edc/)
• QUOTATION2026115.js (Analysis session: https://app.any.run/tasks/040bddbf-3952-4b6d-afa4-56fefa0c3741/)

Industries affected: Technology sector, MSSPs, Education, Telecommunications.
Geographic distribution of victims: primarily the United States, Germany, and Sweden; to a lesser extent Australia, Costa Rica, Greece, Poland, and Turkey.

Execution Chain

The following analysis is based on sandbox session: https://app.any.run/tasks/e39d92e9-a8c3-4c71-8009-2087847fb669/

Initialization

The analyzed sample is a heavily obfuscated JS script (SHA256: 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f).

The defining characteristic is the repeating pattern of object and function names in the code: sequences of the same letter in alternating case — for example, ‘function iiiiiiiiiiiiii()’, ‘var IiIiiiiiiIiIIi’, ‘function Iiiiiiiiiiiiii(iIiiiiiiiiiiii, IIiiiiiiiiiiii)’, and so on.

In the sandbox, the script runs under the wscript.exe process. Shortly after execution, a series of behavioral signatures fire with Malicious and Suspicious severity levels.

Network activity is also visible: the script sends HTTP requests to an unknown IP address.

Observed URLs:

• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX&df=0
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R&df=0
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R

WSH Bindings

The malware creates wrapper objects for interacting with WScript and WMI.

These provide the following capabilities:

• Process execution;
• PowerShell payload execution;
• WMI data collection;
• File system operations;
• C2 HTTP communication;
• Registry value writing;
• Persistence mechanisms and self-copying to the installation path.

Installation and Persistence

On the first run, the script copies itself into a subdirectory of %USERPROFILE%. After a successful C2 exchange, it adds itself to the Windows autorun mechanism by writing to the registry:

C2 Implementation and Capabilities

C2 connection parameters are defined in a static configuration within the main RAT class.

HTTP C2 addresses are hardcoded; the connectionMode parameter determines the communication scheme: header C2 mode (commands delivered via HTTP response headers) or legacy mode.

On initial connection, the client collects basic host telemetry:

• USERDOMAIN
• USERNAME
• Win32_SystemEnclosure.SerialNumber (via WMI)
• Win32_OperatingSystem.Caption (via WMI)

This data is sent to the C2 in an HTTP POST request.

The server responds with two control headers:

• X-S: <session ID>
• X-A: <command_id>

If the response status code is not 200, or if the X-S header is absent, the RAT client considers the connection failed and enters a shutdown state.

After successful registration, MonoGlyphRAT enters a beacon loop.

The beacon URL format is:
http://<c2_host>/<endpoint>?ia=<session_id>[&<param>=<value>]

If the response status is below 300, the response is passed to the command dispatcher. Otherwise, the connection is considered broken and the client attempts to reconnect.

The command dispatcher reads the command code from the ‘X-A’ header. Supported commands:

The following POST-requests from the client also add parameters to the URL (along with ‘?ia=<session_id>’):

• “&ex=<token>”: file download
• “&sb=<token>”: loader/stage
• “&vc=<token>”: payload URL for stage
• “&df=0”: host telemetry upload

X-A: -7 “Update client”

X-A: 1 “Execute file”

C2 response body format:

• [0:12] — file token
• [12:44] — AES encryption key
• [44:] — hex-encoded file extension

The extracted parameters are passed to SystemUtilities.DownloadAesEncryptedFile, which interpolates them into a PowerShell command executed via the WSH/WMI wrapper objects.

Encryption parameters used:

• Mode: AES-128-CBC
• Padding: PKCS #7
• Key: 16 bytes, supplied per-task in the C2 response body
• IV: ‘sixteenbyteslong’ — static across samples, stored as reverse-hex

X-A: 2 “Execute shell”

C2 response body format:

• [0:32] — AES encryption key
• [32:] — hex-encoded encrypted PowerShell command

Parameters are passed to SystemUtilities.RunEncryptedPowerShellCommand, which constructs and executes a PowerShell command in the same manner as the Execute File handler.

X-A: 3 — In-Memory .NET Execution

This is the most sophisticated C2 handler. C2 response body format:

• [0:12] — loader token
• [12:44] — loader AES encryption key
• [44:] — loader host / argument encrypted blob (hex-encoded)

The handler builds two URLs (loaderUrl and payloadUrl), encodes them as reversed hex, then downloads and executes an additional payload in memory within a newly created .NET process.

The PowerShell command used for execution:

• Reconstructs loaderUrl from its obfuscated form
• Downloads the additional payload
• Decrypts the payload
• Patches AmsiScanBuffer to bypass AMSI
• Assembles the decrypted bytes into a memory buffer
• Reflectively loads a .NET Assembly via [System.Reflection.Assembly]::Load()
• Transfers execution to the entry point: [Software.Program].GetMethod(‘Main’).Invoke()

AMSI patching is implemented using LoadLibrary(‘amsi.dll’), GetProcAddress(‘AmsiScanBuffer’), VirtualProtect(), and Marshal.Copy().

X-A: 4 “Host telemetry”

C2 response body format:

• [0:32] — XOR key from server
• [32] — extended telemetry flag

In the request body:

• “X-A: 4” — “Get host telemetry” command
• “766BBAE98154B60B381CE91BFB5473ED” — XOR encryption key (in hex)
• “1” – get extended info flag

When the flag is set to ‘1’, the client collects an extended host profile:

The data collected:

• USERDOMAIN / USERNAME
• Win32_SystemEnclosure.SerialNumber
• Win32_OperatingSystem.Caption
• Win32_ComputerSystem.TotalPhysicalMemory
• Win32_ComputerSystem.Model
• Win32_Processor.Name
• Win32_VideoController.Name
• Win32_Process.Name (unique entries list, via separate WMI call)

The collected data is XOR-encoded and sent as a JSON payload via POST:

{
    “b”: “<xored_host_info>”,
    “c”: “<xored_process_list>”
}

The POST-request:

POST /<endpoint>?ia=<session_id>&df=0
Content-Type: application/json
<JSON host info payload in request body>

MonoGlyphRAT C2 protocol operation scheme:

The RAT client configuration is set statically in the JS script code:

Threat Landscape

Based on available sources, JS.MonoGlyphRAT is supported by a stable infrastructure cluster — IP addresses, C2 domains, and non-standard URI paths — that remains without attribution (classified as Unknown RAT/malware in public feeds).

ANY.RUN TI related samples query:

destinationIP:”158.94.211.76″ or url:”?ia=&df=” or domainName:”aryamint.com$” or destinationIP:”91.92.243.79″ or url:”/gATIjh” or url:”/ceoznp” or suricataID:”85006579″ or suricataID:”85006580″ or suricataID:”85006581″

Within the kill chain, MonoGlyphRAT occupies the role of a first- or mid-stage RAT/loader: it establishes persistence on the victim host, sets up a persistent C2 session, and can download and execute additional stage payloads (files, shell commands, in-memory .NET execution).

Attribution to a specific campaign or threat actor cannot be confirmed on the current dataset. While there are consistent infrastructure artifacts, network traffic patterns, and a shared execution chain, these are insufficient for reliable actor attribution.

MITRE ATT&CK Mapping

How ANY.RUN Helps Defend Against JS.MonoGlyphRAT

Defending against threats like JS.MonoGlyphRAT requires visibility across the entire attack chain, from the initial phishing attachment to command-and-control communications and follow-on payload delivery. ANY.RUN’s security solutions help organizations identify and stop such activity at multiple stages.

Using Interactive Sandbox, analysts can safely execute suspicious JavaScript attachments and immediately observe malicious behaviors associated with MonoGlyphRAT, including the execution of wscript.exe, PowerShell spawning, registry-based persistence, C2 communications, and payload delivery attempts.

AI Summary in the Sandbox analysis results automatically highlights key malicious actions, helping analysts understand the attack chain faster and reducing investigation time. In addition, AI Recommendations provide actionable guidance for further analysis, threat hunting, and incident response, helping teams move from detection to remediation more efficiently.

Tier 1 Reports provide ready-made analysis summaries that explain malware behavior, attack techniques, indicators of compromise, and detection opportunities in a structured, easy-to-consume format. This enables teams to quickly understand threats without requiring extensive reverse engineering expertise..

Threat Intelligence Lookup enables defenders to investigate indicators associated with the malware cluster, including IP addresses, domains, URLs, process chains, Suricata detections, and behavioral artifacts. Analysts can quickly determine whether their organization has encountered related infrastructure or attack patterns and pivot across connected indicators to uncover broader malicious activity.

For proactive defense, Threat Intelligence Feeds help security teams enrich SIEM, EDR, XDR, SOAR, and other security controls with continuously updated threat data. By automatically incorporating fresh indicators linked to emerging malware campaigns, organizations can improve detection coverage and block malicious infrastructure before attackers establish persistence.

Together, ANY.RUN’s Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds provide security teams with the visibility needed to detect, investigate, and respond to MonoGlyphRAT infections early, reducing the likelihood of costly incidents, operational disruption, and follow-on attacks such as ransomware deployment.

Conclusions

JS.MonoGlyphRAT is a fully featured persistent RAT/loader built around Windows Script Host, PowerShell, and a custom HTTP C2 protocol. Its purpose is to establish persistence on the victim host, register with the C2, receive operator commands, and download additional payloads and stages.

The defining characteristic of this cluster is monoglyph obfuscation of JavaScript identifiers: class and variable names are constructed from repeated characters in mixed case, making the code difficult to read and hampering manual analysis.

C2 communication is conducted via HTTP headers X-S and X-A, where X-S carries the session identifier and X-A acts as a command selector. The C2 response body contains task parameters: tokens, encryption keys, and encrypted PowerShell or stager payloads.

Functionally, MonoGlyphRAT supports a broad capability set: host telemetry collection, active process enumeration, HKCU Run persistence, AES-encrypted payload download and execution, PowerShell task execution, in-memory .NET code execution, client self-update, and installed copy removal. The implant can also serve as an intermediate platform for delivering subsequent payloads.

From a Threat Intelligence perspective, a distinct code/infrastructure cluster is consistently observed; public TI sources currently classify related IOCs as ‘Unknown malware’, so attribution to a known group or family remains unconfirmed. The working designation JS.MonoGlyphRAT is proposed for analysis and indicator-sharing purposes.

In defensive practice, the most valuable detection artifacts are behavioral:

• wscript.exe executing JS files from user-writable directories
• Registry write to HKCU Run pointing to a .js file
• Process chain: wscript.exe → powershell.exe -nop –enc …
• HTTP POST requests to non-standard ports
• Presence of query parameters ia=, df=, ex=, sb=, vc= and HTTP response headers X-S: and X-A:

Indicators of Compromise (IOCs)

Network Artifacts:

hxxp[://]158[.]94[.]211[.]76:34567/ceoznp

158[.]94[.]211[.]76

91[.]92[.]243[.]79

scan[.]aryamint[.]com

aryamint[.]com

HTTP / C2 protocol Artifacts:

HTTP Header: ‘X-A:’

HTTP Header: ‘X-S:’

POST body pattern: ‘a=iz&b=<data>’

Query parameter: ‘ia=<session_id>’

Query parameter: ‘ex=<token>’

Query parameter: ‘sb=<token>’

Query parameter: ‘vc=<token>’

Query parameter: ‘df=0’ or ‘df=<token>’

Query parameter: ‘kp=<token>’

Query parameter: ‘tw=<token>’

Query parameter: ‘fp=1’

Host-based Artifacts:

File path: %USERPROFILE%<random letters><random letters>.js

Registry key: HKCUSoftwareMicrosoftWindowsCurrentVersionRun<random letters>

Crypto IV:

Static string: ‘sixteenbyteslong’

Encoded IV: ‘76E6F6C63756479726E6565647879637’ (reversed hex)

Detection patterns:

Process tree: ‘wscript.exe -> powershell.exe -nop –enc …’

Registry key record: ‘HKCUSoftwareMicrosoftWindowsCurrentVersionRun*’, value contains: ‘wscript.exe | .js’

HTTP POST body: ‘a=iz&b=…’

HTTP response headers: ‘X-S:’ + ‘X-A:’

HTTP query parameters:

• ‘?ia=<session_id>&ex=’
• ‘?ia=<session_id>&sb=’
• ‘?ia=<session_id>&vc=’
• ‘?ia=<session_id>&df=’

JavaScript strings:

• MSXML2.XMLHTTP
• Scripting.FileSystemObject
• Wscript.Shell
• winmgmts:{impersonationLevel=impersonate}!\.rootcimv2
• powershell
• -nop
• -enc
• 76E6F6C63756479726E6565647879637

About ANY.RUN  

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. 

Try ANY.RUN to strengthen your proactive defense 

FAQ

The post From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More