We’ve been seeing attempts at using spear-phishing tricks on a mass scale for quite a while now. These efforts are typically limited to slightly better than usual email styling that mimics a specific company, faking a corporate sender via ghost spoofing, and personalizing the message, which, at best, means addressing the victim by name. However, in March of this year, we began noticing a particularly intriguing campaign in which not only the email body but also the attached document was personalized. The scheme itself was also a bit unusual: it tried to trick victims into entering their corporate email credentials under the pretense of HR policy changes.
A fake request to review new HR guidelines
Here’s how it works. The victim receives an email, seemingly from HR, addressing them by name. The email informs them of changes to HR policy regarding remote work protocols, available benefits, and security standards. Naturally, any employee would be interested in these kinds of changes, so their cursor naturally drifts toward the attached document, which, incidentally, also features the recipient’s name in its title. What’s more, the email has a convincing banner stating that the sender is verified and the message came from a safe-sender list. As experience shows, this is precisely the kind of email that deserves extra scrutiny.
A phishing email message designed to lure victims with fake HR policy updates
For starters, the entire email content — including the reassuring green banner and the personalized greeting — is an image. You can easily check this by trying to highlight any part of the text with your mouse. A legitimate sender would never send an email this way; it’s simply impractical. Imagine an HR department having to save and send individual images to every single employee for such a widespread announcement! The only reason to embed text as an image is to bypass email antispam or antiphishing filters.
There are other, more subtle clues in the email that can give away the attackers. For example, the name and even the format of the attached document don’t match what’s mentioned in the email body. But compared to the “picturesque” email, these are minor details.
An attachment that imitates HR guidelines
Of course, the attached document doesn’t contain any actual HR guidelines. What you’ll find is a title page with a small company logo and a prominent “Employee Handbook” header. It also includes a table of contents with items highlighted in red as if to indicate changes, followed by a page with a QR code (as if to access the full document). Finally, there’s a very basic instruction on how to scan QR codes with your phone. The code, of course, leads to a page where the user is asked to enter corporate credentials, which is what the authors of the scheme are after.
The scammers’ document used as a lure
The document is peppered with phrases designed to convince the victim it’s specifically for them. Even their name is mentioned twice: once in the greeting and again in the line “This letter is intended for…” that precedes the instruction. Oh, and yes, the file name also includes their name. But the first question this document should raise is: what’s the point?
Realistically, all this information could have been presented directly in the email without creating a personalized, four-page file. Why would an HR employee go to such lengths and create these seemingly pointless documents for each employee? Honestly, we initially doubted that scammers would bother with such an elaborate setup. But our tools confirm that all the phishing emails in this campaign indeed contain different attachments, each unique to the recipient’s name. We’re likely seeing the work of a new automated mailing mechanism that generates a document and an email image for each recipient… or perhaps just some extremely dedicated phishers.
How to stay safe
A specialized security solution can block most phishing email messages at the corporate mail server. In addition, all devices used by company employees for work, including mobile phones, should also be protected.
We also recommend educating employees about modern scam tactics — for example, by sharing resources from our blog — and continually raising their overall cybersecurity awareness. This can be achieved through platforms like Kaspersky Automated Security Awareness.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-18 08:06:392025-07-18 08:06:39HR guidelines phishing email | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.
Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.
Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.
We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time.
Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.
Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come.
The one big thing
Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats.
Why do I care?
This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.
So now what?
Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.
Top security headlines of the week
Four arrested in connection with M&S and Co-op cyber-attacks The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males – aged between 17 and 19 – were detained in London and the West Midlands. (BBC)
Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server’s filesystem, potentially leading to full remote code execution. (Security Affairs)
Train brakes can be hacked over radio — and the industry knew for 20 years “Successful exploitation… could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)
Episource is notifying millions of people that their health data was stolen The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)
Can’t get enough Talos?
The significance of timeliness in incident response Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.
Talos Takes: Why attackers love your remote access tools Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.
TTP: The next phase of LLM abuse Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-17 18:06:492025-07-17 18:06:49This is your sign to step away from the keyboard
Wi-Fi can be used to track people’s (and pets’) movements in the home — from the tiniest gestures, such as hand waves. This application of Wi-Fi is nothing new in theory, but only recently has it been put on a commercial footing. The technology is now being offered by home internet providers and equipment vendors. It may even be incorporated in the new Wi-Fi standard, so it’s important to understand the associated pros and cons. Let’s see how the technology works, whether it poses any privacy risks, and how to disable it if necessary.
How Wi-Fi sensing works
Wi-Fi sensing came about as a side effect of the quest to speed up Wi-Fi. Modern routers have the ability to focus the signal on devices they exchange data with, making the connection faster and more reliable. Known as Wi-Fi beamforming, this technique involves the router measuring the radio signal with sufficient accuracy to determine not only its strength but also its propagation in space. Based on these parameters, the router beams the signal in the direction of the device, and uses channel state information (CSI) to continuously monitor and adjust the communication link.
During the data exchange, if interference of some kind appears between the device and the router, say, a person or a dog passes by, the shape of the radio signal will change slightly. The router is sensitive enough to detect this, effectively making it a motion sensor.
Then there’s just the small matter of developing mathematical algorithms that can detect movement in the home based on changes in CSI, and implementing them in the router firmware. And to receive analytics and signals about motion events, the router communicates with a mobile app on the user’s smartphone, for which a proprietary cloud service is used. Smart doorbells or video baby monitors work in exactly the same way.
Wi-Fi sensing requirements and limitations
There are some important technical nuances that must be considered for Wi-Fi sensing to do its job:
The router itself must have multiple antennas and be at least Wi-Fi 5 (802.11ac) compatible.
In the home there must be stationary or rarely moved devices (usually one to three) connected to this router via Wi-Fi — for example, a printer, a smart speaker and/or a smart TV. Sometimes Wi-Fi extenders and mesh Wi-Fi devices can perform the role of a “sensor”.
Motion detection will occur only in the oval zone between the router and the “sensor”, and post-setup testing is required.
When motion is detected, it’s not possible to determine what moved or where exactly it took place between the router and the “sensor”. In this respect, the technology is not unlike the infrared motion sensors of conventional security systems. However, with advances in computing power and machine learning, this limitation may disappear — witness a new study in which researchers harnessed Wi-Fi for human pose estimation.
Wi-Fi sensing can be used to detect motion in the oval zone between the router and a stationary device connected to the router via Wi-Fi
The past, present and future of Wi-Fi sensing
The first known commercial application of Wi-Fi sensing technology was the Aware feature in Linksys routers. Back in 2019, Linksys positioned Aware as a subscription-based feature. But in mid-2024, the service was discontinued, and now, according to the vendor itself, Linksys routers have no proprietary application and don’t collect data.
However, since 2025, the feature has been available to customers of Xfinity — Comcast’s home internet brand. It’s called Wi-Fi Motion. Deutsche Telekom has also announced such a feature, but not yet named it. In any case, Wi-Fi sensing will likely cease to be a rarity in the coming years: work has been underway since 2020 to standardize the feature under the technical name 802.11bf. Once motion recognition enters the 802.11 family of standards, almost all vendors will support it.
The pros and cons of Wi-Fi sensing
If the service is provided for free, some will jump at the chance of getting a home security system without having to buy additional hardware. At the very least, it will appeal to home owners who want to keep their property under surveillance for a short period of time — for example, when away on vacation. But bear in mind that Wi-Fi sensing is no replacement for a full-fledged security system, and you need an action plan in place should the alarm go off. Note also that the oval zone between your printer or smart TV and router is by no means the only area that thieves can penetrate, so you need to secure other parts of your home too.
Another relatively harmless use of Wi-Fi sensing is monitoring routine activity in the home: whether the kids are back from school, whether grandma is okay, etc.
Wi-Fi sensing also has potential in the home automation niche; for example, motion tracking can be used to turn the lights on and, after a set period of inactivity, off again.
The potential harm from the technology lies in the fact that not only owners can track movements in their homes. Xfinity documentation already states that motion event data may be transferred to the police and other “third parties” in legal proceedings. And if the provider collects and stores data from motion sensors, it’s a short step to selling this data to advertisers.
Another potential threat is router hacking. Hackers already break into home routers to spy on users or make money in various ways. Another monetization route for malicious actors is to analyze motion-in-the-home data and sell this information on to burglars.
How to guard against Wi-Fi sensing abuse
So far, the feature is available only on a few router models leased out by certain internet providers. And in Xfinity devices, it’s disabled by default.
If you’re one of those who decide that the benefits outweigh the risks, you’ll need to activate the feature yourself, set up and test it, and also make sure that the router is configured according to our smart-home protection tips. To recap them in brief: the Wi-Fi network and the router control panel must be protected by unique, strong passwords, and all computers and smartphones must have a full-fledged security solution installed that delivers smart-home security analysis (vulnerability search in the home Wi-Fi network, and notifications about attempts to connect new devices to it).
But what if you don’t want anything to do with Wi-Fi sensing? As the number of compatible devices increases and the risk of forced activation rises, your first line of defense against Wi-Fi sensing will be to buy your own router instead of leasing one from a provider. You can then set up the router yourself and disable unnecessary features; just be sure to choose a model that allows control without mobile apps and doesn’t require connection to the vendor’s cloud service. After buying a router, remember to apply our home network setup tips.
A more complex method is to connect all stationary devices to a computer network using an Ethernet cable. For printers, TVs and game consoles, this is not only safe, but also provides the fastest and most stable connection.
What other hidden risks and opportunities does Wi-Fi technology harbor? Essential reading:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-17 12:06:502025-07-17 12:06:50What is Wi-Fi sensing, and how does it detect human motion in the home? | Kaspersky official blog
Managed Security Service Providers (MSSPs) are tasked with protecting multiple clients simultaneously while maintaining cost efficiency, rapid response times, and customer trust. The key to success lies in early threat detection, which requires access to high-quality, actionable threat intelligence that can be immediately applied across diverse client environments.
Main MSSP Challenges
MSSPs operate in a complex environment where they must deliver consistent security outcomes across varied client infrastructures.
Resource constraints create additional pressure. False positives consume valuable analyst time, while missed threats can damage client relationships and business reputation.
The heterogeneous nature of client environments means MSSPs must work with different security tools, network architectures, and threat landscapes. Additionally, MSSPs must demonstrate clear value to clients while competing on both service quality and cost.
Threat intelligence turns raw data into actionable insights, helping MSSPs prioritize threats, streamline workflows, and respond quickly. Real-time, high-quality intelligence reduces false positives, improves detection accuracy, and optimizes resource use, enhancing client outcomes.
High-quality threat intelligence feeds are crucial for MSSPs to stay ahead of threats. They provide:
Timely Data: Fresh indicators of compromise (IOCs) enable rapid action before threats spread.
Contextual Insights: Detailed threat behavior data supports informed decision-making.
Scalable Integration: Feeds must work seamlessly across varied client systems.
Automation Support: Automated integration speeds up responses and reduces manual effort.
How ANY.RUN’s Threat Intelligence Feeds Help MSSPs Keep Ahead
ANY.RUN‘s Threat Intelligence Feeds empower Managed Security Service Providers (MSSPs) to detect threats early across diverse client infrastructures, delivering real-time, context-enriched indicators of active threat campaigns.
By integrating these feeds, MSSPs can optimize their workflows and directly support their clients’ business objectives. The key benefits of ANY.RUN’s feeds are designed to enhance operational efficiency and drive measurable business outcomes for MSSPs and their clients.
Expanding Threat Monitoring and Detection Across All Clients
ANY.RUN’s TI Feeds draw from a vast, reliable data source, collecting threat indicators from live sandbox investigations of the latest threats by security teams at 15,000 organizations worldwide. Updated every two hours, these feeds provide fresh malicious IPs, domains, and URLs that have been used by threat actors for only a short time.
This near-instant delivery ensures MSSPs can spot threats that are still active right now across all client systems, whether they’re cloud-based or traditional setups. By catching threats early, MSSPs protect clients’ operations, prevent disruptions, and maintain trust across their customer base.
Improve threat visibility across all clients with TI Feeds
Informing Response to Stop Incidents Before Major Impact
Each threat indicator includes links to detailed sandbox reports that explain how attacks work, including their methods and behaviors (e.g., how malware communicates or spreads). This clear insight helps MSSPs build stronger defenses and respond quickly to specific threats.
For example, knowing an attack’s pattern allows security teams to block it before it causes harm, improving accuracy and reducing risks. The proactive approach prevents business interruptions, protects sensitive data, and reassures clients that their operations are secure.
Reducing Costs, Easing Team Workloads, and Scaling Services
ANY.RUN’s feeds are built for automation, working smoothly with common security tools like SIEM, XDR, threat intelligence platforms, and firewalls. They support standard formats (STIX, MISP, TAXII) and offer easy API and SDK integration for quick, automated setup.
Automation means less manual work for analysts, as threat data is automatically fed into systems to flag or block risks. By cutting down on repetitive tasks, MSSPs can manage more clients with less effort, lowering costs while maintaining top-notch protection.
Get a demo sample of ANY.RUN’s Threat Intelligence Feeds with custom parameters.
TI Feeds Performance: Turning IOC Data into Business Value
ANY.RUN’s Threat Intelligence Feeds enable MSSPs to optimize their operations and deliver tangible business value to clients, including minimized downtime, enhanced competitiveness, cost efficiency, and stronger client retention through proactive threat prevention.
All these features and benefits transform into a number of business advantages for MSSPs. Threat Intelligence Feeds enable them to:
Minimize client downtime and operational disruption: Early detection of threats protects against widespread incidents that could affect multiple clients. Real-time indicators of active threat campaigns enable identification of threats regardless of which client environment they target first, preventing cascading failures across the MSSP’s customer base.
Optimize operational efficiency and reduce costs: Reduce analyst workload by supplying ready-to-use IOCs and comprehensive context data that eliminates time-consuming threat research and validation activities. Pre-processed, actionable intelligence allows analysts to manage more clients with existing resources, improving profit margins while maintaining service quality.
Strengthen client retention and satisfaction: Block malware proactively before it strikes: the proactive approach prevents incidents rather than merely detecting them after they occur, reducing client impact and demonstrating measurable security value.
Integrate ANY.RUN’s Threat Intelligence Feeds
You can download a free sample of ANY.RUN’s TI Feeds data and integration
Spot and block attacks quickly to prevent disruptions and damage.
Keep your detection systems updated with fresh data to proactively detect emerging threats.
Handle incidents faster to lower financial and brand damage.
ANY.RUN also runs a dedicated MISP instance that you
Conclusion
ANY.RUN’s Threat Intelligence Feeds enable MSSPs to tackle their toughest challenges. With fresh, actionable, and context-rich IOCs, these feeds support early threat detection, streamline operations, and enhance client protection. MSSPs using ANY.RUN’s solution can strengthen their security posture, differentiate in a competitive market, and deliver exceptional value to clients.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 corporate security teams worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-17 10:06:322025-07-17 10:06:32How MSSPs Detect Incidents Early with Threat Intelligence Feeds from ANY.RUN
In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads.
The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.
Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities.
The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.
In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.
During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.
Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.
MaaS operation leverages GitHub public repositories
MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign.
This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey.
Emmenhtal and Amadey
The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.
Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.
Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader.
Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat.
GitHub as an open directory
During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins:
Legendary99999
DFfe9ewf
Milidmdds
In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic.
Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.
Legendary999999
“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:
Figure 1. Legendary99999 GitHub account overview.
The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:
Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above.
Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.
Account
Malware Types Hosted in Repositories
legend1234561111
Rhadamanthys, Lumma
legendary69696911
Lumma
legendary6911331
Redline, Lumma
legendarik1111
Unknown
DFfe9ewf
“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.
Figure 2. DFfe9ewf GitHub account overview.
While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.
“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.
The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim’s machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data.
While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.
Milidmdds
The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.
Figure 3. Milidmdds GitHub account overview.
Emmenhtal similarities between activity clusters
Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called:
Work.js
Workhmv.js
Putikatest.js
Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity.
The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below.
The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.
Figure 4. First layer of obfuscation, Sample 1 (left) vs, Sample 2 (right).
Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:
Figure 5. Second layer of obfuscation, Sample 1 (left) vs. Sample 2 (right).
The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).
The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including:
Amadey
A legitimate copy of PuTTY.exe
AsyncRAT
The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.
Examples of the final decrypted PowerShell downloader are shown below.
Figure 7. Final PowerShell script, Sample 1 (left, SmokeLoader download) vs. Sample 2 (right, Amadey download).
Figure 8. Final PowerShell script, PuTTY download (left) vs. AsyncRAT download (right).
Related Emmenhtal variants
MP4 file variants
During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane[.]com:
pivqmane[.]com/testonload[.]mp4/
pivqmane[.]com/doc/fb[.]mp4
Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.
Purpose-built variant: “Checkbalance.py”
Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign.
In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.
Figure 9. Checkbalance.py.
The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.
The final PowerShell command downloads the Amadey payload from the IP address “185[.]215[.]113[.]16” as a file labeled “amnew.exe”. The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository.
After execution, this payload contacts “hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php”, a known Amadey C2 address.
Figure 11. Final PowerShell script, Checkbalance.py.
Coverage
Ways our customers can detect and block this threat are listed below.
Indicators of compromise (IOCs)
IOCs for this threat can be found on our GitHub repository here.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-17 10:06:312025-07-17 10:06:31MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
A recently disclosed breach of thousands of ASUS home routers goes to show that your home Wi-Fi access point isn’t just useful to you (and possibly your neighbors) — it’s also coveted by cybercriminals and even state-sponsored hackers carrying out targeted espionage attacks. This new attack, presumably linked to the infamous APT31 group, is still ongoing. What makes it especially dangerous is its stealthy nature and the unconventional approach required to defend against it. That’s why it’s crucial to understand why malicious actors target routers — and how to protect yourself from these hacker tricks.
How compromised routers are exploited
Residential proxy. When hackers target large companies or government agencies, the attacks are often detected by unusual IP addresses attempting to access the secured network. It’s highly suspicious when a company operates in one country, but an employee suddenly logs in to the corporate network from another. Logins from known VPN-server addresses are equally suspect. To mask their activities, cybercriminals use compromised routers located in the country — and sometimes even in the specific city — close to their intended target. They funnel all their requests through your router, which then forwards the data to the target computer. To monitoring systems, this looks just like a regular employee accessing work resources from home — nothing to raise any eyebrows.
Command-and-control server. Attackers can host malware on the compromised device for target computers to download. Or, conversely, they can exfiltrate data from the network directly to your router.
Honeypot for competitors. A router can be used as bait (a honeypot) to study the techniques used by other hacker groups.
Mining rig. Any computing device can be used for crypto mining. Using a router for mining isn’t particularly efficient, but when a cybercriminal isn’t paying for electricity or equipment, it still pays off for them.
Traffic manipulation tool. A compromised router can intercept and alter the contents of internet connections. This allows attackers to target any device connected to the home network. The range of applications for this technique is broad: from stealing passwords to injecting ads into web pages.
DDoS bot. Any home device, including routers, baby monitors, smart speakers, and even smart kettles, can be linked together into a botnet and used to overwhelm any online service with millions of simultaneous requests from those devices.
These options appeal to various groups of attackers. While mining, ad injection, and DDoS attacks are typically of interest to financially motivated cybercriminals, targeted attacks launched from behind a residential IP address are usually carried out either by ransomware gangs or by groups engaged in genuine espionage. This sounds like something out of a spy novel, but it’s so widespread that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued multiple warnings about it at various times. True to form, spies operate with utmost stealth, so router owners rarely ever notice that their device is being used for more than its intended purpose.
How routers get hacked
The two most common ways to hack a router are by brute-forcing the password to its administration interface and by exploiting software vulnerabilities in its firmware. In the first scenario, attackers take advantage of owners leaving the router with its factory settings and the default password admin, or have changed the password to something simple to remember — and easy to guess, like 123456. Once they crack the password, attackers can log in to the control panel just like the owner would.
In the second scenario, attackers remotely probe the router to identify its manufacturer and model, then try known vulnerabilities one by one to seize control of the device.
Typically, after a successful hack, they install hidden malware on the router to perform their desired functions. You may spot that something’s wrong when your internet slows down, your router’s CPU is working overtime, or the router itself even starts overheating. A factory reset or firmware update usually eliminates the threat. However, the recent attacks on ASUS routers were a different story.
What makes the ASUS attacks different, and how to spot them
The main thing about this attack is that you can’t fix it with a simple firmware update. Attackers set up a hidden backdoor with administrative access that persists through regular reboots and firmware updates.
To start the attack, the malicious actor employs both of the techniques described above. If brute-forcing the admin password fails, attackers exploit two vulnerabilities to bypass authentication entirely.
From this point on, the attack becomes more sophisticated. The attackers use yet another vulnerability to activate the router’s built-in SSH remote management feature. They then add their own cryptographic key to the settings, which allows them to connect to the device and control it.
Few home users ever manage their router using SSH or check the settings section where administrative keys are listed, so this access technique can go unnoticed for years.
All three vulnerabilities exploited in this attack have since been patched by the vendor. However, if your router was previously compromised, updating its firmware won’t remove the backdoor. You need to open your router’s settings and check if an SSH server is enabled — listening on port 53282. If so, disable the SSH server and delete the administrative SSH key, which starts with the characters
AAAAB3NzaC1yc2EA
If you’re not sure how to do all that, there’s a more drastic solution: a full factory reset.
It’s not just ASUS
The researchers who discovered the ASUS attack believe it’s part of a broader campaign that has hit around 60 types of home and office devices, including video surveillance systems, NAS boxes, and office VPN servers. Affected devices include D-Link DIR-850L S, Cisco RV042, Araknis Networks AN-300-RT-4L2W, Linksys LRT224, and some QNAP devices. The attacks on these unfold a bit differently, but share the same general features: exploiting vulnerabilities, using built-in device functions to gain control, and maintaining stealth. According to the researchers’ assessments, compromised devices are being exploited to reroute traffic and monitor the attack techniques employed by rival threat actors. These attacks are attributed to a “well-resourced and highly capable” hacking group. However, similar techniques have been adopted by targeted attack groups around the world — which is why home routers in any moderately large country are now an enticing target for them.
Takeaways and tips
The attack on ASUS home routers displays classic signs of targeted intrusions: stealth, compromise without using malware, and the creation of persistent access channels that remain open even after the vulnerability is patched and the firmware is updated. So, what can a home user do to defend against such attackers?
Your choice of router matters. Don’t settle for the standard-issue router your provider rents out to you, and don’t just shop for the cheapest option. Browse the selection at electronics retailers, and choose a model released within the last year or two so you can be sure to receive firmware updates for years to come. Try to pick a manufacturer that takes security seriously. This is tricky, as there are no perfect options out there. You can generally use the frequency of firmware updates and the manufacturer’s stated period of support as a guide. You can find the latest router security news on sites like Router Security, but don’t expect to find any “good tales” there — it’s more useful for finding “anti-heroes”.
Update your device’s firmware regularly. If your router offers an automatic update feature, it’s best to enable it so you don’t have to worry about manual updates or falling behind. Still, it’s a good idea to check your router’s status, settings, and firmware version a few times a year. If you haven’t received a firmware update in 12-18 months, it may be time to consider replacing your router with a newer model.
Disable all unnecessary services on your router. Go through all the settings and turn off any features or extras you don’t use.
Disable administrative access to your router from the internet (WAN) through all management channels (SSH, HTTPS, Telnet, and whatever else).
Disable mobile router management apps. Although convenient, these apps introduce a range of new risks — in addition to your smartphone and router, a proprietary cloud service will likely be involved. For this reason, it’s best to disable this management method and avoid using it.
Change the default passwords for both router administration and Wi-Fi access. These passwords shouldn’t match. Each should be long and not consist of obvious words or numbers. If your router allows it, change the admin username to something unique.
Use comprehensive protection for your home network. For example, Kaspersky Premium comes with a smart-home protection module that monitors for common problems like vulnerable devices and weak passwords. If your smart home monitoring detects weak spots or a new device on your network that you haven’t previously identified as known, it will alert you and provide recommendations for securing your network.
Check every page of your router’s configuration. Look for the following suspicious signs: (1) port forwarding to unknown devices on your home network or the internet, (2) new user accounts you didn’t create, and (3) unfamiliar SSH keys or any other login credentials. If you find anything like this, search online for your router model combined with the suspicious information you’ve discovered, such as a username or port address. If you can’t find any mention of the issue you discovered as a documented system feature of your router, remove that data.
Subscribe to ourTelegram channel, and stay up to date on all cybersecurity news.
For more tips on choosing, setting up, and protecting your smart home devices — along with information on other hacker threats targeting your household electronics — check out these posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-16 14:06:412025-07-16 14:06:41How to protect your router from being hacked and becoming a residential proxy | Kaspersky official blog
With it, you can enrich your threat investigations with data on attacks targeting 15,000 companies all over the world. All you need to do to strengthen your defense against them is to register, browse our unique database, and gain actionable insights.
Threat Intelligence in ANY.RUN continues to evolve — not only by adding more features, but by making the right ones easier to use. We’ve simplified access to ANY.RUN Threat Intelligence with a free version of TI Lookup.
You now can explore Public Samples, TTPs, Suricata rules, and malware trends inside our Threat Intelligence product in a cleaner, faster way.
It’s about putting existing value in the right place, for the right audience. For analysts and teams starting with ANY.RUN in a Threat Intelligence context, this is a much better entry point.
It’s a step to help you do less — so you can focus on more.
Aleksey Lapshin, ANY.RUN CEO
TI Lookup—Essential Solution for SOC Teams
TI Lookup provides access to an extensive database of the latest IOCs, IOBs, and IOAs
TI Lookup is ANY.RUN’s key solution for working with threat intelligence. It simplifies and accelerates different stages of malware investigations, from proactive monitoring to gaining insights for incident response. As a result, you get to ensure a better defense against cyber threats for your company.
In practice, this means that TI Lookup provides you with Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs). It not only links each indicator to an attack or sample but also showcases its behavior inside the sandbox.
The source of indicators is unique: all data comes from millions of public malware analysis sessions done in ANY.RUN’s Interactive Sandbox. TI Lookup allows you to tap into it to gain invaluable insights into real threats targeting 15,000 companies in finance, manufacturing, transportation, government, and other industries right now.
Start your threat investigation in TI Lookup right away Triage alerts and handle incidents faster with rich context
Unlike other solutions relying on public reports or databases published days or weeks after an incident, TI Lookup provides fresh, actionable data available to you hours or even minutes after the attack happened.
And now you get to access the benefit of our service at no cost. See how even its free version with limited functionality can become a game-changer for your security operations.
Results You Can Achieve Using Free Plan
Essential features of TI Lookup are available at no cost. With the free plan, you can view up to 20 recent sandbox sessions per query, conduct unlimited searches using basic search fields (file hashes, URLs, domains, IPs, MITRE ATT&CK techniques, Suricata IDs, etc.) and an operator for combination search (AND).
With free access to TI Lookup, you can gain a powerful solution to common challenges of SOC teams:
Enrich threat investigations: Get extensive threat context by linking existing artifacts to actual attacks.
Reduce response time(MTTR): Explore identified threats’ behavior, purpose, and targets through sandbox analyses for fast, informed security decisions.
Strengthen proactive defense: Collect data on emerging threats to act before they cause harm.
Grow expertise of your team: Let your SOC specialists explore real-world attacks and see examples of TTPs in actual malware via the interactive MITRE ATT&CK matrix.
Develop SIEM, IDS/IPS, or EDR rules: Intelligence collected via TI Lookup can be used to improve proactive defense of your business.
See how TI Lookup can give you a hand in solving common SOC challenges in a couple of examples. They involve threats active today and demonstrate how ANY.RUN’s solution will speed up and simplify their breakdown.
Fast Triage and Data-Fueled Response
If you receive an alert related to a suspicious domain, you can check it in TI Lookup to get the verdict in seconds. E.g., enter this simple query:
And almost instantly you’ll see the verdict—it is indeed malicious.
TI Lookup provides fresh sandbox sessions for in-depth threat context
This info is enough to escalate the incident, but that’s not all TI Lookup is capable of. Take a look at the tags in analysis sessions that involve the domain in question. From them, you can also determine the name of the threat it’s related to—Agent Tesla.
And by clicking any of the sessions, you’ll be transferred to ANY.RUN sandbox for further investigation. You can observe how malware behaves and collect extra IOCs and TTPs. For example, follow this link to see the analysis of a threat sample from TI Lookup search results:
One of the sandbox reports showing Agent Tesla analysis
That’s how you get to enrich your threat research to follow through with an informed incident response.
Threat Hunting for Proactive Defense
Another way to apply TI Lookup’s free functions is to use it for threat hunting. For instance, if you would like to research the phishing kit Tycoon2FA’s activity in a particular region, you can create a compound query like this:
It combines the name of the threat we’re interested in with the id of a country—in this case, de – Germany. By entering this query, you’ll see the most recent analysis samples involving Tycoon2FA that were uploaded by users from there:
TI Lookup results with latest Tycoon2FA phishing attacks on companies from Germany
Now you get to collect IOCs and use this data to proactively defend your infrastructure.
With a Premium plan, you would also be able to subscribe to your query. This feature is called Search Updates and allows you to stay on the lookout for emerging threats that fit your previous search:
You can subscribe to queries to track relevant threats’ evolution
Maximize Benefits and Unlock Premium Features
The free version of TI Lookup grants you the functionality needed to achieve tangible results. To gain full access to its features and expand your ability to conduct investigations, opt for the Premium plan. With it, you can access three times more data, automate alert triage, and receive notifications on attacks as soon as they emerge.
Free
Premium
Requests
Unlimited number of basic requests
Advanced requests (100/500/5K/25K)
Search operators
AND
AND, OR, NOT
Search parameters
11
44
Links to analysis sessions
Up to 20 most recent
All available
Interface
Limited (only analyses)
Full (all threat data + analyses)
Integration
–
API and SDK (Python package)
YARA Search
–
+
Private search
–
+
TI Reports
–
+
Search Updates
–
+
It’s designed for SOC teams from businesses and organizations, as it allows for private searches that can’t be seen by other users and other exclusive features:
Speed up alert triage: Quickly correlate alerts against a vast database of the latest IOCs, IOBs, and IOAs.
Automate workflow for real-time monitoring: Integrate TI Lookup with your security tools (e.g., SIEM, TIP, or SOAR systems).
Threat hunt with precision: Create and browse custom YARA rules in ANY.RUN’s database to identify malware patterns with YARA Search.
Investigate in detail: Fine-tune your searchwith over 40 search parameters, as well as extra operators.
Stay proactive: Set up automated alerts for specific IOCs or threat patterns for continuous updates.
Follow malware trends: With TI Reports by our expert analysts, you can raise awareness about the latest attacks targeting different industries.
Request trial access to TI Lookup Premium Cut MTTR, stop incidents early, and reduce business risks
Let’s see how TI Lookup’s interface looks like with all features unlocked. For that, we’ll use a query to look for the Lumma family threats. Additionally, we’ll browse for all domains related to it:
With Premium plan, you get three times more data about threats, including network IOCs
As you can see, the Premium plan grants you more data: it includes domains, countries, ports, IPs, and more. In this case, it’s especially important that we got to collect many malicious domains.
Conclusion
TI Lookup is a must-have tool if you want to maintain a simpler and faster way to conduct threat investigations. SOC teams can benefit from it immensely thanks to relevant, real-world data it provides. Accelerate your decision-making and take proactive action against malware with TI Lookup—available with Free and Premium plans.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.
Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.
Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-16 12:06:332025-07-16 12:06:33Free. Powerful. Actionable. Make Smarter Security Decisions with Live Attack Data
Cisco Talos routinely responds to ransomware engagements where the impact could have been mitigated or wholly prevented if the victim organization had initiated remediation efforts earlier in the attack lifecycle. The significance of early intervention in ransomware attacks is particularly exemplified by two recent Talos Incident Response (Talos IR) ransomware engagements.
In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment.
Conversely, in a second incident, the victim ignored alerts of malicious activity and did not contact Talos IR until after the ransomware binary began to execute. Talos IR was then not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption.
While there are many factors that can impact the success and severity of a ransomware attack, such as an actor’s sophistication and advanced tooling, close similarities between these two ransomware engagements led us to negate that these variables significantly influenced the disparate outcomes between these two attacks.
Introduction
As ransomware threat actors continuously decrease their dwell time — here defined as the duration between initial access and encryption — it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity Magazine, CyberScoop, Orca, ThreatDown). Early intervention and remediation can significantly mitigate or even wholly prevent repercussions of ransomware attacks, such as financial loss, reputational damage and legal repercussions, as exemplified by a comparison of two recent Talos IR engagements.
In both these cases, the threat actors leveraged similar tools and tactics, techniques and procedures (TTPs) and the victim was alerted to suspicious activity prior to ransomware execution, yet one engagement resulted in 0% network encryption while the other victim experienced nearly 100% encryption.
Talos assesses that encryption occurred due to several time delays at pivotal moments. First, Talos was not employed to start an IR engagement until after the ransomware binary was executed, despite early warnings, which allowed the actor to initiate encryption. Then, Talos was provided network access over 30 hours after the engagement began, during which time the actors obtained widespread encryption. For context, according to Talos data, many ransomware variants can seize complete control of a network in just 24-48 hours after initial access. Furthermore, these delays also allowed the threat actor to employ defensive measures that severely limited Talos’ ability to retroactively analyze system logs, a crucial step toward remediating the threat and hardening the network.
Description of attack lifecycles
Engagement 1: Data theft without encryption
In late April, Chaos ransomware affiliates gained an initial foothold into a victim environment via social engineering. They sent a flood of spam emails to a single user, then contacted the user in Microsoft Teams masquerading as IT support. During the Microsoft Teams session, the adversary guided the user to launch Microsoft Quick Assist and enter their credentials into an unknown login page, which ultimately provided access to the account. That same day, the victim was alerted to the security breach and engaged Talos IR to mitigate the threat, allowing Talos IR to review activity logs before the adversary could completely delete or modify them.
The affiliates relied heavily on living-off-the-land binaries (LoLBins) and dual-use tools to conduct post-compromise activity and leveraged Impacket’s “atexec.py” module to execute commands remotely, specifically leveraging the Task Scheduler service. They began exploring the victim’s environment using Windows command line utilities like “ipconfig /all” to list network connections, “nltest /dclist” to list the domain controllers (DCs) within Active Directory (AD) and “quser.exe” to query information about user sessions. We also observed multiple outbound connections to adversary-controlled IP addresses using OpenSSH, an open-source suite of secure networking utilities that provide encrypted communication channels to create a reverse proxy SSH connection.
To move laterally within the environment, the adversary used Microsoft Remote Desktop and Advanced IP Scanner to obtain access to new accounts and maintained persistence by changing account passwords to lock users out.
Notably, the actors used multiple remote monitoring and management (RMM) applications on different system tiers (e.g., workstations, servers and DCs) to ensure persistent remote access across multiple phases of the operation and to perform slightly different functions:
Microsoft Quick Assist socially engineered the victim to install the tool for initial access.
AnyDesk was likely the primary method of remote access as it was found on a majority of compromised systems.
OptiTune was leveraged to deploy ScreenConnect RMM on a number of hosts.
SplashTop was leveraged to enumerate activities on at least one host.
They also took precautionary measures to evade detection, like uninstalling Duo from the host:
C:WINDOWSsystem32cmd.EXE, /c, wmic, product, where, name=Duo Authentication for Windows Logon x64, call, uninstall, /nointeractive:
A renamed Rclone executable was ran via command line to copy files from a network share:
Finally, just hours after initial access, the adversary launched the script “backup.sh”, a normal process found on ESXi hosts. Talos IR suspects the adversary leveraged the script to deliver the ransomware executable. We observed attempts to encrypt data on the victim’s VPN that were ultimately unsuccessful.
Engagement 2: Nearly 100% encryption
In the second engagement, the victim ignored alerts from Cisco’s Managed Detection and Response (MDR) of malicious activity and did not contact Talos IR until after the Medusa ransomware binary began to execute. Then, Talos IR was not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption.
A retroactive analysis of the limited logs that remained after encryption revealed the actors similarly relied on dual-use tools. For remote access they used SimpleHelp, a legitimate RMM tool that is commonly abused by ransomware actors and, since January 2025, has been routinely exploited for path traversal (CVE-2024-57727). Talos IR also observed several remote incoming desktop connections from suspicious IP addresses, beacon activity from the commonly abused Brute Ratel C4 (BRC4) red teaming tool, and Windows APIs invoked that could be leveraged for data collection:
Getnativesysteminfo determines the underlying hardware architecture and characteristics of a system, including the type of processor, number of processors and memory page size.
Telemetry:api_invoke is the invocation of a Telemetry API. Attackers may monitor or trigger api_invoke events to discover what APIs are available, which users or services call which APIs and which cloud services are used, leveraging corresponding “telemetry:api_invoke” logs for environment enumeration.
Bcryptgeneratesymmetrickey generates keys for AES decryption.
The adversary established command and control (C2) using JWrapper, a component of SimpleHelp that is often used by IT support and therefore may not be identified as malicious. JWrapper can also be leveraged to stealthily execute files and exfiltrate data, as it is designed to package Java applications into native executable formats for Windows, macOS and Linux. In this attack, the actors used it to execute a file that disabled the User Access Control in the registry by setting the Windows PromptOnSecureDektop record to false:
The actors gained unauthorized access to remotely read and modify files within the System32 folder, a critical part of the Windows OS containing essential files needed for the system to function properly, and attempted to delete volume shadow copies from the folder, a common tactic to inhibit data recovery:
They also executed Impacket in the System32 folder via PsExec remote copy and execution:
C:Windowssystem32services.exe, C:Windowssystem32msiexec.exe /V, C:Windowssyswow64MsiExec.exe -Embedding 27A094D718378410D2002AE3023D3731 E GlobalMSI0000
Analysis
Talos IR assesses that victim response time was the dominant factor that caused the discrepancy in impact. All other factors were incredibly similar, such as the actor’s level of sophistication, the victims’ endpoint security and Talos IR’s response. In both attacks, the affiliates displayed a similar level of sophistication in their tools, heavily using LoLBins and dual-use tools throughout the attack lifecycle. Examples include shared use of Msiexec, WMIC and PowerShell LoLBins and legitimate RMM tools. The actors also both used Impacket to execute commands remotely over SMB or WMI without deploying new payloads and used ADMIN$ administrative shares to propagate malware. A more sophisticated actor may have opted to use a custom malware, similar to the recently discovered Betruger backdoor, which is rarely seen in ransomware attacks.
In both cases, the actors also used similarly sophisticated TTPs to obtain widespread network access. They attempted to evade detection and analysis by deleting or modifying files, logs, and tools, and they were able to compromise the victims’ System32 folder and administrative accounts.
While Talos IR acknowledges that there are a few minor differences between these two engagements, these would not indicate a significant disparity. For example, the actors used different paid legitimate software to scan IPs and different RMM tools, but this would not have played any significant role in the impact to the victim.
We also observed that both victims had a similar flaw in endpoint hygiene by using the outdated PowerShell version 1.0 that was exploited by both threat actors. PowerShell 1.0 lacks several critical security features present in later iterations, making it difficult to detect and analyze malicious activity. For instance, the PowerShell 1.0 execution policy can be easily bypassed using inline execution “powershell.exe -ExecutionPolicy Bypass” or by modifying policy values in memory or the registry. This means scripts can be run without being digitally signed or verified, a common vector for ransomware payloads. Additionally, PowerShell 1.0 does not support Constrained Language Mode (CLM), which in later versions restricts access to .NET classes and APIs that can be exploited for lateral movement or privilege escalation. Without CLM, an attacker gains unrestricted access to the full breadth of PowerShell’s capabilities, including registry manipulation, WMI queries, COM object interaction and raw .NET assembly loading — all of which can be used to establish persistence or elevate privileges.
Finally, both victims received notifications of malicious activity prior to ransomware execution and, once the victims chose to engage Talos, we provided the same level of assistance.
Timely log analysis enables quick recovery
Early engagement with one of the victims and continued communication throughout allowed Talos IR to access the system logs before they could be deleted or modified, which likely helped the victim avoid encryption. Logs are a crucial component of remediating ransomware engagements for many reasons:
Identifying weaknesses in network security that the actor exploited so they can be fixed
Understanding what data was compromised so the victim can understand the potential fallout and notify the affected customers
Establishing a baseline to help easily identify anomalies that indicate suspicious behavior (particularly important considering many ransomware affiliates leverage legitimate tools)
Identifying adversary’s routine tools and TTPs to know how to identify future malicious activity, where to place detection systems to prevent future malicious activity and potentially attribute the activity to a particular actor
Determining the actor’s goal (e.g., financial theft or espionage) to protect data the actor is likely trying to access
Observing a clear path indicating a certain target will be compromised, or viewing failed attempts at a compromise, to preemptively harden the target
While Talos IR provided some similar remediation recommendations for each victim due to overlaps in activity, the victim that waited to engage Talos IR received more general recommendations because they had limited logs to review, preventing Talos from understanding the full scope of malicious activity that occurred and how the adversary was able to compromise their network.
Recommendations based on limitedaccess to logs
Tailored recommendations based on logs
Protect against malicious use of RMM software
Only allow RMM software that is allowed by the company. All other RMMs should be blocked.
Based on malicious SSH remote connection, make sure malicious IPs are blocked. Also consider blocking SSH at the firewall level.
Secure passwords
Conduct a full password reset for all accounts, including all privileged accounts, service accounts, user accounts and local accounts.
Adversaries had access to hosts, which gave them access to the unencrypted data stored in their browsers. To help prevent this vulnerability in the future, implement GPOs to disable users from storing credentials and PII in browsers.
Bar the adversary from moving laterally
No recommendations provided due to limited visibility
Consider migrating to Entra ID instead of the hybrid AD approach as this would have helped prevent the adversary’s lateral movement in the environment.
Recommendations
Raise awareness of phishing and social engineering. Given ransomware actors’ proficiency in using a wide array of techniques to obtain initial access, user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report unauthorized access attempts.
Monitor and prevent unnecessary and/or unauthorized use of system administration tools, such as PowerShell, and adhering to zero trust principles. Restrict access to employees who need these for legitimate business purposes. Use of these tools should be logged and audited.
Protect logs from modification or deletion. Consider creating service control policies (SCP) for cloud-based resources to prevent users or roles, across the organization, from being able to access specific services or take specific actions within services. For example, the SCP can be used to restrict users from being able to delete logs, update virtual private cloud (VPC) configurations and change log configurations. Additionally, log process execution events and deploy Sysmon to enhance logging capabilities on Windows devices.
Restrict the use of RMM and dual-use tools. Review logs for execution of RMM software to detect abnormal use, such as RMM software only being loaded in memory and block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
Employ data loss prevention (DLP) strategies to prevent unauthorized disclosure or leakage. These include data classification policies, data handling policies, user awareness and training and DLP software that can identify and block unauthorized data transfer attempts.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-16 10:06:332025-07-16 10:06:33Talos IR ransomware engagements and the significance of timeliness in incident response
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-16 04:06:382025-07-16 04:06:38Unmasking AsyncRAT: Navigating the labyrinth of forks
This year marks the 20th anniversary of the Common Vulnerability Scoring System (CVSS), which has become a widely accepted standard for describing software vulnerabilities. Despite decades of use and four generations of the standard — now at version 4.0 — CVSS scoring rules continue to be misused, and the system itself remains the subject of intense debate. So, what do you need to know about CVSS to effectively protect your IT assets?
The CVSS Base Score
According to its developers, CVSS is a tool for describing the characteristics and severity of software vulnerabilities. CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST). It was created to help experts speak a common language about vulnerabilities, and to facilitate automatic processing of data on software flaws. Almost every vulnerability published in major vulnerability registries like CVE, EUVD, or CNNVD includes a severity assessment based on the CVSS scale.
An assessment typically consists of two main parts:
A numerical rating (CVSS score), which shows how severe the vulnerability is on a scale from 0 to 10. A score of 10 means it’s an extremely dangerous, critical vulnerability.
A vector, which is a standardized text string that describes the vulnerability’s key characteristics. This includes details like whether it can be exploited remotely over a network or only locally, if elevated privileges are needed, how complex it is to exploit, and what aspects (such as availability, integrity, or confidentiality) of the vulnerable system are affected by exploitation.
Here’s an example using the highly severe and actively exploited vulnerability CVE-2021-44228 (Log4Shell): Base Score 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Let’s break that down: the attack vector is network-based, attack complexity is low, privileges required: none, user interaction isn’t required, the scope indicates the vulnerability impacts other system components, and the impact on confidentiality, integrity, and availability is high. Detailed descriptions of each component are available in the CVSS 3.1 and CVSS 4.0 specifications.
A crucial part of the CVSS system is its scoring methodology — also known as the calculator, and available for both 4.0 and 3.1. By filling in all the vector components, you can automatically get a numerical criticality score.
The original CVSS calculation methodology included three metric groups: Base, Temporal, and Environmental. The first group covers the fundamental and unchanging characteristics of a vulnerability, and forms the basis for calculating the CVSS Base Score. The second group includes characteristics that can change over time — such as the availability of published exploit code. The third group is designed for internal organizational use to account for context-specific factors like the vulnerable application’s scope or the presence of mitigating security controls in the organization’s infrastructure. In CVSS 4.0, the Temporal metrics have evolved into Threat metrics, and a new group of Supplemental metrics has been introduced.
Here’s how the metrics are interconnected. Software vendors or cybersecurity companies typically assess the Base criticality of a vulnerability (referred to as “CVSS-B” in the 4.0 specification). They also often provide an assessment related to the availability and public disclosure of an exploit (CVSS-BT in 4.0, and Temporal in 3.1). This assessment is a modified Base Score; therefore CVSS-B can be higher or lower than CVSS-BT. As for the Environmental score (CVSS-BTE), it’s calculated within a specific organization based on the CVSS-BT, with adjustments made for their unique conditions of using the vulnerable software.
The Evolution of CVSS
The first two versions of CVSS, released in 2005 and 2007, are hardly used today. While you might still find older CVSS scores for modern vulnerabilities, CVSS 3.1 (2019) and CVSS 4.0 (2023) are the most common scoring systems. However, many software vendors and vulnerability registries aren’t in a rush to adopt version 4.0, and they continue to provide CVSS 3.1 scores.
The core idea behind the first CVSS version was to quantify the severity of vulnerabilities via a scoring system — with an initial separation into Base, Temporal, and Environmental metrics. At that stage, the textual descriptions were loosely formalized, and the three groups of metrics were calculated independently.
CVSS 2.0 introduced a standardized vector string and a new logic: a mandatory and unchangeable Base score, a Temporal score calculated from the Base score but accounting for changing factors, and an Environmental score used within specific organizations and conditions derived from either the Base or Temporal score.
Versions 3.0 and 3.1 added the concept of Scope (impact on other system components). They also more precisely defined parameters related to required privileges and user interaction, and they generalized and refined the values of many parameters. Most importantly, these versions attempted to solidify the fact that CVSS measures the severity of a vulnerability — not the risks it creates.
In version 4.0, the creators aimed to make the CVSS metric more useful for business-level assessments of how vulnerabilities impact risk. This is still not a risk metric, though. Attack complexity was split into two distinct components: attack requirements and attack complexity. This highlights the difference between the inherent engineering difficulty of an attack and the external factors or conditions necessary for the attack to succeed. In practical terms, this means a flaw that requires a specific, non-default configuration on the vulnerable product to be exploited will have higher attack requirements and, consequently, a lower overall CVSS score.
The often-misunderstood Scope metric, which simply offered “yes” or “no” options for “impact on other components”, has been replaced. Developers have introduced the clearer concept of “subsequent systems”, which now specifies what aspect of their operation the vulnerability affects. Additionally, a range of supporting indicators has been added — such as the automatability of an exploit and the impact of exploitation on human physical safety. The formulas themselves have also undergone substantial revisions. The influence of various components on the numerical threat score has been re-evaluated based on a vast database of vulnerabilities and real-world exploitation data.
How CVSS 4.0 is changing vulnerability prioritization
For cybersecurity professionals, CVSS 4.0 aims to be more practical and relevant to today’s realities. We’re facing tens of thousands of vulnerabilities — many of which receive a high CVSS score. This often leads to them being automatically flagged for immediate remediation in many organizations. The problem is, these lists are constantly growing, and the average time to fix a vulnerability is nearing seven months.
When vulnerabilities are re-evaluated from CVSS 3.1 to CVSS 4.0, the Base Score for defects with a severity between 4.0 and 9.0 tends to slightly increase. However, for vulnerabilities that were considered critically severe in CVSS 3.1, the score often remains unchanged or even decreases. More importantly, while Temporal metrics had little impact on a vulnerability’s numerical rating before, the influence of Threat and Environmental metrics is now much more significant. Orange Cyberdefense conducted a study to illustrate this. Imagine a company is tracking 8000 vulnerabilities, and their IT and security teams are required to fix all defects with a Base CVSS score above 8 within a specified timeframe. What percentage of these 8000 real-world vulnerabilities would fall into that category — with or without considering exposure of the exploit to the public (Temporal/Threat adjustment)? The study found that CVSS 4.0, in its base version, assigns a score of 8 or higher to a larger percentage of vulnerabilities (33% compared to 18% in version 3.1). However, when adjusted for the availability of exploits, this number drops significantly — leaving fewer truly critical flaws to prioritize (8% versus 10%).
Critical, High, and everything in between
What’s the difference between a “critical” vulnerability and one that’s just plain dangerous? A text-based severity description is part of the specification — but it’s not always required in a vulnerability description:
Low Severity: 0.1–3.9
Medium Severity: 4.0–6.9
High Severity: 7.0–8.9
Critical Severity: 9.0–10.0
In practice, many software vendors take a creative approach to these text descriptions. They might modify the names or incorporate their own assessments and factors not included in CVSS. A case in point is June’s Microsoft Patch Tuesday — specifically CVE-2025-33064 and CVE-2025-32710. The first is described as “Important” and the second as “Critical”, yet their CVSS 3.1 scores are 8.8 and 8.1, respectively.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-15 16:06:352025-07-15 16:06:35What you need to know about CVSS to protect your IT assets
