How SOC Teams Save Time and Effort with ANY.RUN: Action Plan 

Recently, we hosted a webinar exploring the everyday challenges SOC teams face and how ANY.RUN helps solve them. From low detection rates to alert fatigue, poor coordination, and infrastructure overhead, our team outlined a practical action plan to tackle it all. 

Missed the session? Here are the key highlights in this quick recap. 

🔔 Quick reminder
Try ANY.RUN’s services with 14-day trial
to improve your SOC metrics 



Get 14-day trial


1. Increasing Detection Rate 

Challenge: Malware is getting trickier. Fileless techniques, multi-stage payloads, and threats that hide behind user interactions are slipping past traditional tools. This leaves SOC teams blind to critical risks. 

Solution: ANY.RUN tackles this head-on by giving analysts a fully interactive sandbox environment. You don’t just watch malware from a distance but also engage with it like a real user. Open files, enter passwords, click suspicious links, whatever it takes to trigger the full execution chain. 

One real-world case shows exactly why this is so important. 

View analysis session here 

Fake document with malicious PDF displayed inside ANY.RUN sandbox 

A phishing email came through with an SVG attachment and a password hidden in the message body. Opening the SVG revealed a fake document with a link to download a PDF. That triggered a download of a ZIP archive; one that could only be extracted by manually entering the earlier password. 

Entering password hidden in the message body 

Inside we found an executable file. When run, ANY.RUN flagged it immediately as AsyncRAT, a remote access trojan capable of spying on and controlling infected systems. 

AsyncRAT detected by ANY.RUN sandbox 

Without interactivity, none of this would have unfolded. A fully automated tool wouldn’t have clicked the link, copied the password, or opened the archive. The attack would’ve gone undetected. 

More importantly, the sandbox gave the team: 

  • Network activity visibility, helping block C2 communication before data exfiltration 
  • Malware configuration (MalConf), revealing hardcoded domains and other indicators 

Why it matters for business
  • Higher detection rates: Fewer blind spots and stronger cyber resilience
  • Cost efficiency: Avoiding costly breaches by stopping threats early
  • Proactive threat mitigation: Addressing vulnerabilities before attackers exploit them

2. Accelerating Alert Triage and Incident Response 

Challenge: When a threat gets past initial defenses, every second counts. The longer it takes to triage an alert or respond to an incident, the higher the risk of malware spreading, systems being compromised, and costly damage being done. 

Solution: ANY.RUN provides real-time visibility into malware behavior; no waiting for the sandbox session to end. SOC teams can spot malicious activity the moment it begins, with some malware families being identified even in under 40 seconds. 

View analysis session here 

Detection of RedLine Stealer in 18 seconds 

In one case, a suspicious executable was submitted. Within just 18 seconds, ANY.RUN identified it as RedLine Stealer, an infostealer known for targeting credentials and sensitive data. 

That rapid detection enabled the security team to take immediate action, cutting off further exposure and containing the threat before it spread. 

Why it matters for business
  • Minimized risk exposure: Stop malware early, before it spreads across systems
  • Operational efficiency: Reduce alert fatigue and free up analyst resources
  • Faster, more reliable incident handling: Protect brand trust and stakeholder confidence

3. Streamlining Training and Onboarding

Challenge: Most security tools come with a steep learning curve. New hires, especially junior analysts, often need months of training before they can contribute meaningfully. That slows down onboarding and increases your team’s dependency on a handful of experts. 

Solution: ANY.RUN’s intuitive interface and interactive analysis experience make it a powerful learning environment even for less experienced team members. 

New analysts work directly with real threats in a controlled, visual sandbox environment. Features like Script Tracer and AI Summary break down even complex threats into clear, understandable steps. 

View analysis session here 

In one case, a junior analyst explored a sample involving malicious scripting. By opening the Script Tracer, they followed each function call and saw how the attack unfolded line by line. No guesswork. No external tools. 

And with the AI Summary, they quickly reviewed the session’s key events, including dropped files, command-line activity, and network behavior, all explained in plain terms. 

AI Summary provided by ANY.RUN sandbox 

What the sandbox offered for junior specialists: 

  • Hands-on practice with real malware builds confidence and accelerates learning 
  • Step-by-step script analysis simplifies complex attacks into teachable moments 
  • Automated summaries make onboarding easier and less resource-intensive 

Why it matters for business
  • Skilled workforce: Accelerate team readiness and reduce reliance on senior staff
  • Cost-effective training: No need for expensive onboarding and training
  • Faster onboarding: New hires start contributing sooner, without draining resources

4. Addressing Infrastructure Maintenance 

Challenge: Maintaining local infrastructure for malware analysis can be a huge drain on time, budget, and IT resources. From server upkeep to licensing and hardware limitations, scaling your operations becomes a logistical challenge, especially across global or hybrid teams. 

Solution: ANY.RUN eliminates that overhead with a fully cloud-based sandbox platform. There’s no setup, no hardware dependency, and no waiting around for installations or updates. Everything runs in the browser. 

Your team can launch pre-configured virtual machines (Windows, Linux, or Android) in seconds, whether they’re in the office or halfway across the world. There’s no cap on the number of analyses, and you can scale instantly by adding users without touching infrastructure. 

In fact, one of our enterprise clients, Expertware, reduced their IOC extraction and investigation turnaround time by over 50% after switching to ANY.RUN, all without deploying a single server. 

Read interview details here: How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis 

Key benefits of the sandbox: 

  • Zero setup required: Fully browser-based, ready to go from day one 
  • Unlimited analysis: No hardware limits, no bottlenecks 
  • Pre-configured VMs: Supports cross-platform investigations (Windows, Linux, Android) 

Why it matters for business
  • Cost savings: No on-prem infrastructure or licensing overhead
  • Scalability: Add new users instantly without extra drag
  • Faster time to value: Onboard, analyze, and act faster than traditional setups

5. Improving Team Coordination 

Challenge: Even the best tools fall short when teams can’t work together efficiently. In many SOCs, communication gaps between analysts, team leads, and managers lead to duplicated work, missed alerts, and delays in decision-making. 

Solution: ANY.RUN’s built-in Teamwork Mode is designed to make collaboration effortless no matter if your team works in the same office or across time zones. You can create different teams, assign roles, manage access, and track progress, all from a single interface. 

Team management in ANY.RUN 

You also get full control over privacy settings. Make all submissions private by default or customize access levels for each user based on their role. That means sensitive data stays protected without compromising collaboration. 

Learn more about the Teamwork Mode here: ANY.RUN Teamwork Mode Updates 

Why it matters for business
  • Better visibility for managers: Monitor investigations without slowing the team down
  • More structure across teams: Define roles and workflows clearly
  • Improved security posture: Ensure sensitive data is only seen by the right people 

6. Freeing up Analysts for More Important Tasks

Challenge: Manual analysis takes time, and relying on human input for every alert doesn’t scale. But the alternative, fully automated tools, often miss threats that require user interaction to activate, like phishing pages behind CAPTCHAs or payloads inside password-protected files. 

Solution: ANY.RUN bridges that gap with Automated Interactivity, a unique feature that emulates real user behavior inside the sandbox. It clicks, types, solves CAPTCHAs, and opens files, just like a real analyst would, ensuring full detonation of the threat and speeds up investigations. 

That means even in automated mode, your team doesn’t miss threats that rely on tricking the user into doing something first. 

View automated interactivity session here 

In this session, the sandbox was given a phishing URL. It required a CAPTCHA check to reach the final malicious page; something most tools would skip. But with Automated Interactivity, ANY.RUN solved the CAPTCHA, reached the phishing content, and flagged the threat immediately. 

CAPTCHA solved with Automated Interactivity 

Why it matters for business
  • Scalable analysis workflows: Handle more alerts without expanding your team
  • Lower operational costs: Less time per case, more automation without blind spots
  • Consistent detection quality: Get the same deep results whether done manually or programmatically

7. Gaining Better Visibility into Emerging Threats 

Challenge: One of the biggest challenges for SOCs today is staying ahead of threats. When you don’t have enough intel, or worse, outdated intel, you’re forced to react instead of prepare. That slows down your defenses and increases your exposure. 

Solution: ANY.RUN’s Threat Intelligence Lookup (TI Lookup) gives your team access to a constantly updated database of real-world Indicators of Compromise (IOCs), Action (IOAs), and Behavior (IOBs), collected from hundreds of thousands of sandbox analyses performed by SOC teams across 15,000 businesses. 

With over 40 filterable parameters, your team can create advanced queries to uncover patterns, spot repeat offenders, and enrich investigations with up-to-date threat data. 

Let’s have a look at the following TI Lookup query:  

threatName:”telegram” AND (threatName:”phishing” OR threatName:”possible-phishing”) AND (domainName:”*.glitch.me”) 

This query helps to collect intel on phishing threats that host malicious pages on the glitch.me domain and use Telegram for exfiltration. 

After hitting enter and see fresh threat samples and indicators that match our request. This includes IPs, URLs, domains, and links to sandbox analyses of actual phishing attacks. 

TI Lookup query and results

That’s how in seconds we gained over a hundred new indicators that can enrich our defense infrastructure.  

By having just one or two artifacts, you can quickly connect them to the threats, attacks, and campaigns behind them.  

Enrich threat investigations with TI Lookup
Get 50 trial requests to collect your first intel 



Try now for your SOC


Our database is constantly updated with unique indicators because the data comes from the latest sandbox analyses globally. 

As a result, your team gains: 

  • Fast, flexible search to find IOCs by threat name, behavior, domain, file type, and more 
  • Fresh, actionable data sourced from real sandbox detonations globally 
  • Subscription-based monitoring to stay informed on new threats matching saved queries 

ANY.RUN’s TI Lookup turns passive intel into an active advantage, giving your team the context they need to protect your business from evolving threats. 

Why it matters for business
  • Proactive defense: Equip your team with the intel they need to strengthen defenses before an attack happens, not after
  • Continuous monitoring: Subscribe to threat patterns and stay informed about evolving risks specific to your environment
  • Faster triage and response: Quickly link isolated indicators to known threats and campaigns, helping your team respond with precision and speed

8. Expanding Threat Monitoring and Detection Capabilities 

Challenge: Many detection systems rely on outdated or generic threat feeds. The result is missed attacks, wasted time chasing false positives, and a growing gap between what your team sees and what attackers are actually doing in the wild. 

Solution: ANY.RUN’s Threat Intelligence Feeds (TI Feeds) deliver fresh, high-confidence IOCs straight from live sandbox investigations submitted by over 15,000 companies around the world. These feeds include metadata-rich indicators linked to real execution behavior and attack chains. 

Test and integrate TI Feeds from ANY.RUN  

You can test TI Feeds with a free demo sample 

The feeds are available in widely supported formats (STIX, MISP) and integrate via the TAXII protocol, making it easy to plug directly into your SIEM, SOAR, or XDR platform. 

Request access to Threat Intelligence Feeds
and start improving SOC KPIs 



Reach out to us


What your team gains: 

  • Enriched detection systems supplemented with data from active malware campaigns 
  • Unique indicators for identifying emerging malware pulled from memory dumps, Suricata alerts, and internal categorization 
  • Context-aware intel with IOCs tied to sandbox sessions, giving full visibility into how the threat behaves, which is essential for timely and effective incident response 

Why it matters for business
  • Improved detection rates: Expand your visibility with threat data that reflects what attackers are doing right now, not last quarter
  • Competitive advantage: Stay ahead of emerging threats, build resilience, and position your organization as security-forward
  • Proactive security: Fresh, actionable feeds allow your team to take preventive measures, reducing the chances of successful attacks before they even begin

Solve Your SOC Challenges with ANY.RUN 

Security teams today are under constant pressure to detect more, react faster, and do it all with limited resources. ANY.RUN is built to help modern SOCs meet those demands with speed, precision, and clarity. 

ANY.RUN helps your team reduce effort, increase impact, and stay ahead of evolving threats with the tools they actually need. 

Ready to see the difference for yourself? 

Start your ANY.RUN trial to see how our services can contribute to your security→ 

About ANY.RUN 

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.  

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency. 

The post How SOC Teams Save Time and Effort with ANY.RUN: Action Plan  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Kaspersky study looks at how cybercriminals use games, TV shows, and anime to target Gen Z | Kaspersky official blog

Gen Z, or “Zoomers”, are those born between ~1997 and 2012. That’s a 15-year age gap between the oldest and youngest. So what could they possibly have in common? Well, every member of Gen Z is a digital native. They barely remember a time before computers, smartphones, and social media. More than any other generation, Gen Z loves games (especially our own — Case 404 — we hope!), TV shows, and movies. Sometimes, they even shape their identities by constantly connecting with their favorite characters. Naturally, this level of immersion makes them a prime target for malicious actors.

Kaspersky experts have released two reports detailing how cybercriminals target Gen Z through their love of games, movies, TV shows, and anime. Check out the full versions of the first and second reports to dive deeper.

How gamers get attacked

In the one-year period from April 1, 2024, we recorded at least 19 million attempts to distribute malware disguised as games popular with Gen Z. The top three games targeted by these attacks were GTA, Minecraft, and Call of Duty, together accounting for a staggering 11.2 million attempts. So, why are these particular games at the top of both gamers’ and cybercriminals’ lists? We just might know the reason. They’re replayable; that is, players can dive back in any time and still get a fresh experience. Besides, these titles boast massive online communities. Players are constantly creating content, making mods, and searching for cheats and cracked versions.

One of the most common threats facing Gen Z gamers is phishing — where cybercriminals impersonate a trusted entity and tempt players with promises of free in-game rewards to lure them into sharing personal data. Enticing trade offers and easy ways to earn money are some of the most popular tricks used against gamers.

We uncovered a phishing site that looked eerily similar to a legitimate Riot Games campaign. The campaign aimed to blend two different universes: the game Valorant and the animated series Arcane. Players were invited to “spin the wheel” for a chance to win exclusive new skins. In reality, gamers who participated in this “contest” essentially handed over their gaming accounts, banking details, and phone numbers to third parties. Of course, they received no skins in return.

A beautiful background and recognizable characters — what more do you need to fall for a scam?

A beautiful background and recognizable characters — what more do you need to fall for a scam?

But it’s not just about scams. In November 2024, our experts from the Global Research and Analysis Team (GReAT) uncovered a campaign where attackers were distributing the Hexon stealer disguised as game installer files. Once installed, this malware attacked gaming platforms; for example, it could extract user data from Steam. On top of that, Hexon targeted messaging apps like Telegram and WhatsApp, and other social media platforms, such as TikTok, YouTube, Instagram, and Discord.

These fake installers flooded gaming forums, chats on Signal and Telegram, Discord channels, and popular file-sharing sites. The cybercriminals promoted the Hexon stealer using a malware-as-a-service model, where some malicious actors provide malware to others — often less tech-savvy ones — for a fee.

Example of attackers' message in a Discord channel

Example of attackers’ message in a Discord channel

Interestingly, a short while later, the creator of Hexon announced a rebrand. The stealer was now called “Leet”, and was offered at a 50% discount. Unlike its predecessor, the updated version can bypass sandboxes by checking the infected device’s public IP address and system specifications. If the stealer detects signs of being in a virtual machine, it shuts down immediately.

How movie, TV show, and anime fans get attacked

We dug into some data provided by the Kaspersky Network Security (KSN) — our global threat intelligence network which processes cyberthreat information from every corner of the world. We analyzed the data for the same one-year period starting April 1, 2024, and here’s what we found:

  • Netflix was dangled as bait in about 85 000 attacks. That’s nearly 233 times a day.
  • Gen Zers aren’t the only ones passionate about anime. Cybercriminals are big fans too, with 250 000 attacks recorded during the reporting period.
  • The total number of leaked streaming-service accounts exceeded seven million.

When it comes to the most exploited streaming platforms, alongside Netflix, we found Amazon Prime Video, Disney+, Apple TV+, and HBO Max at the top of the list. Scammers used these brand names in their campaigns throughout the year, with no significant peaks or troughs in popularity. Mostly, they used a classic approach: sending phishing links to fake websites while pretending to represent a streaming platform. The pretexts, however, varied. In some instances, attackers would prompt users to renew their subscriptions or update payment details — only to direct them to a fake site to do so. Such emails often mimicked the streaming service’s official style, making it easy to miss the red flags.

Phishing website imitating the official Netflix page

Phishing website imitating the official Netflix page

Beyond just harvesting personal data, these bad actors also distributed various malware. RiskTool was a big one, accounting for around 80% of all attempts. While not malicious on its own, it’s often used in conjunction with other threats, such as miners, helping them conceal their presence in the infected system.

Many of the attacks were designed to steal users’ personal information. We uncovered roughly seven million compromised accounts across Netflix, Amazon Prime Video, Disney+, Apple TV+, and HBO Max. Stolen accounts are typically used by cybercriminals to spread phishing links and malware to more users, or they’re sold off to other malicious actors at a low price.

Anime fans weren’t spared by the digital villains, either. Unsurprisingly so — recent data shows that over 65% of Gen Z watch anime. To gauge just how often attackers targeted fans of Japanese animation, we focused on five popular anime titles: Naruto, One Piece, Demon Slayer, Attack on Titan, and Jujutsu Kaisen. We recorded over 250 000 attack attempts centered around just these five titles. The undisputed leader? Naruto, with over 114 000 attempts.

How Gen Zers can stay cybersafe

Zoomers should protect themselves in the same way as everyone else who enjoys TV shows, games, movies, and anime, and is generally active online. Here’s a short list of the “golden rules” to help protect your accounts, banking details, and devices from prying eyes.

(If you want to learn more about cybersecurity, try your hand as a detective in our new, free browser-game, Case 404. It features three storylines, each showing what can go wrong when you skip out on proper digital hygiene. But for now, let’s get back to those rules.)

  • Stick to official sources when downloading games, TV shows, and anime. Seriously, ditch the torrents, sketchy third-party sites, and random links strangers share on forums and in chats. And here’s a heads-up: even official game stores can sometimes get infiltrated by malware. To learn more, read Gamers beware: Trojans have invaded Steam.
  • Enable two-factor authentication (2FA) everywhere you can. By the way, tokens can be conveniently stored in Kaspersky Password Manager.
  • Remember the adage about a free lunch? Yep — there’s no such thing. Be skeptical of giveaways of skins, cheats, in-game currency, or supposedly leaked episodes of your favorite TV show or anime.
  • When you’re paying online, only use virtual cards with spending limits. That way, your main bank account stays safe — even if something goes sideways.
  • Use robust security. A security solution will warn you when you’re about to open a phishing website, and help you detect threats in time, even if they’ve already made their way onto your device.
  • Read the full reports on attacks targeting Gen Z. The report on movies, TV shows, and anime is here, and the one on gaming attacks can be found here.

The last, but perhaps one of the most important, rules is to stay one step ahead. Subscribe to our Telegram channel to make your online life safer.

How else attackers target Gen Z as well as other demographic groups:

Kaspersky official blog – ​Read More

Everyone’s on the cyber target list

Everyone's on the cyber target list

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

The one big thing 

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, “PathWiper,” deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine’s infrastructure amid the ongoing war. 

Why do I care? 

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

So now what? 

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

Top security headlines of the week

New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch 
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News

Vanta bug exposed customers’ data to other customers 
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch

Data Breach Affects 38K UChicago Medicine Patients 
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector’s system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

Can’t get enough Talos? 

Fake AI installers target businesses. Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

Talos at Cisco Live 2025. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we’ll see you there!

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection 

SHA 256: 
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Detection Name: Simple_Custom_Detection 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

Cisco Talos Blog – ​Read More

Commercial vs. open-source SIEM: pros and cons | Kaspersky official blog

According to OpenLogic’s “State of Open Source” report, 96% of surveyed organizations use open-source solutions (OSS). Such solutions can be found in every segment of the IT market — including infosec tools. And they’re often recommended for building SIEM systems.

At first glance, OSS seems like a great choice. A SIEM system’s primary function is systematic telemetry collection and correlation, which you can set up using well-known data storage and processing tools. Just gather all your data with Logstash, hook up Elasticsearch, build the visualizations you need in Kibana — and you’re good to go! A quick search will even get you ready-made open-source SIEM solutions (often built on the same components). With SIEMs, adapting both data collection and processing to your organization’s specific needs is always key, and a custom OSS system offers endless possibilities for that. Besides, the license cost is zero. However, the success of this endeavor hinges on your development team, your organization’s specifics, how long your organization is willing to wait for results, and how much it’s ready to invest in ongoing support.

Time is money

A key question — one whose importance is consistently underestimated — is how long it’ll take before your company’s SIEM not only goes live but actually starts delivering real value. Gartner data shows that even a fully-featured, ready-made SIEM takes an average of six months to fully implement — with one in ten companies spending a year on it. And if you’re building your own SIEM or adapting an OSS, you should expect that timeline to double or triple. When budgeting, multiply that time by your developers’ hourly rates. It’s also hard to imagine a full-fledged SIEM being  by a single talented individual — your company will need to maintain an entire team.

A common psychological pitfall is being misled by how fast a prototype comes together. You can deploy a ready-made OSS in a test environment in just a few days, but bringing it up to production quality can take many months — even years.

Skill shortages

An SIEM needs to collect, index, and analyze thousands of events per second. Designing a high-load system, or even adapting an existing one, requires specialized and in-demand skills. Beyond just developers, the project would need highly skilled IT administrators, DevOps engineers, analysts, and even dashboard designers.

Another kind of shortage that SIEM builders have to overcome is the lack of hands-on experience needed to write effective normalization rules, correlation logic, and other content that comes out of the box in commercial SIEM solutions. Of course, even that out-of-the-box content requires significant adjustments, but bringing it up to your organization’s standards is both faster and easier.

Compliance

For many companies, having an SIEM system is a regulatory requirement. Those who build an SIEM themselves or implement an OSS solution have to put in considerable effort to achieve compliance. They need to map their SIEM’s capabilities to regulatory requirements on their own — unlike the users of commercial systems, which often come with a built-in certification process and all the necessary tools for compliance.

Sometimes, management might want to implement an SIEM just to “tick a box”, aiming to minimize the expense. But since PCI DSS, GDPR, and other local regulatory frameworks focus on the actual breadth and depth of SIEM implementation — not just its mere existence — a token SIEM system implemented just for show would fail to pass any audit.

Compliance isn’t something you can consider only at the time of implementation. If, during self-managed maintenance and operation, any components of your solution stop receiving updates and reach end-of-life, your chances of passing a security audit would plummet.

Vendor lock-in vs. employee dependence

The second most important reason for organizations to consider an open-source solution has always been flexibility in adapting it to their specific needs, along with avoiding reliance on a software vendor’s development roadmap and licensing decisions.

Both of these are compelling arguments, and in large organizations they can sometimes outweigh other factors. However, it’s crucial to make this choice with a clear understanding of its pros and cons:

  • OSS SIEMs can be simpler to adjust for unique data inputs.
  • With an OSS SIEM, you maintain complete control over how data is stored and processed.
  • The cost of scaling an OSS SIEM primarily consists of prices for additional hardware and the development of required features.
  • Both the initial setup and ongoing evolution of an OSS SIEM demand seasoned professionals who are well-versed in both development practices and SOC realities. If the team members who best understand the system leave the company or change roles, the system’s evolution might come to a halt. What’s worse, it gradually becomes less functional.
  • While the upfront implementation cost of an OSS SIEM might be lower due to the absence of license fees, this difference often erodes during the maintenance phase. This is because of the continuous, additional expense of qualified staff dedicated solely to SIEM development. Over the long term, the total cost of ownership (TCO) for an OSS SIEM often turns out to be higher.

Content quality

The relevance of detection and response content is a key factor in an SIEM’s effectiveness. For commercial solutions, updates to correlation rules, playbooks, and threat intelligence feeds are typically provided as part of a subscription. They’re developed by large teams of researchers, undergo thorough testing, and generally require minimal effort from your in-house security team to implement. With an OSS SIEM, you’re on your own when it comes to updates: you need to search community forums, GitHub repositories, and free feeds yourself. The rules then require detailed vetting and adaptation to your specific infrastructure, and the risk of false positives ends up being higher. As a result, implementing updates in an open-source SIEM demands significantly more effort from your internal team.

The elephant in the room: hardware

To launch an SIEM, you need to acquire or lease hardware, and depending on the system’s architecture, this expense can vary dramatically. It doesn’t really matter much whether the system is an open-source or proprietary commercial solution. However, when implementing an open-source SIEM on your own, there’s a greater risk of making sub-optimal architectural decisions. In the long run, this translates into persistently high operational costs.

We cover the topic of evaluating SIEM hardware needs in detail in a separate post.

The final tally

While the idea of a fully customizable and adaptable platform with zero licensing fees is highly appealing, there is a significant risk that such a project would demand far more time and effort from your internal development team than an off-the-shelf commercial solution. It may also hinder your ability to quickly adopt new innovations and shift your security team’s focus from developing detection logic and response scenarios to dealing primarily with operational issues. This is why a managed, expert-supported, and well-integrated commercial solution often aligns more closely with a typical organization’s goals of effective risk reduction and predictable budgeting.

Commercial SIEMs enable your team to leverage pre-built rules, playbooks, and telemetry parsers, allowing it to focus on organization-specific projects — such as threat hunting or improving visibility in cloud infrastructure — instead of reinventing and refining basic SIEM features, or struggling to pass regulatory audits with a homegrown system.

Kaspersky official blog – ​Read More

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

  • Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. 
  • The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. 
  • Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities.  
  • The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war. 

Proliferation of PathWiper 

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment.

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console: 

C:WINDOWSSystem32WScript.exe C:WINDOWSTEMPuacinstall.vbs

Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it: 

C:WINDOWSTEMPsha256sum.exe 

Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment.

PathWiper capabilities 

On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly. It first gathers a list of connected storage media on the endpoint, including: 

  • Physical drive names 
  • Volume names and paths 
  • Network shared and unshared (removed) drive paths 

Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries ‘HKEY_USERSNetwork<drive_letter>| RemovePath’ to obtain the path of shared network drives for destruction. 

Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes. The wiper reads multiple file systems attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data: 

  • MBR 
  • $MFT 
  • $MFTMirr 
  • $LogFile 
  • $Boot 
  • $Bitmap 
  • $TxfLog 
  • $Tops 
  • $AttrDef 

Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL_DISMOUNT_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes. 

PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.  

 A significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against recorded drives and volumes. PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification and documents valid records. This differs from HermeticWiper’s simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them. 

Coverage 

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

Snort 2 rules: 64742, 64743 

Snort 3 rules: 301174

Indicators of compromise (IOCs) 

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

Cisco Talos Blog – ​Read More

Scammers are promising compensation from a bank | Kaspersky official blog

Scammers just can’t stop playing Santa: one day it’s free Telegram subscriptions; another it’s cryptocurrency. This new scam keeps things simple: they’re offering money right off the bat — or, more accurately, sharing a supposedly legal way for you to cash in.

The scammers created a two-minute video in which journ-AI-lists and a celebrity spin tall tales: “Everyone can get compensation. You just need to…” Read on to find out what the scammers are instructing their victims to do, and about the bait they’re using to lure unsuspecting folks into their trap.

The scammers’ modus operandi

This campaign saw scammers create phishing websites to host the video. You won’t find it on YouTube or any other video hosting site (for your safety, we won’t share it here either), because this kind of AI-generated content tends to be taken down in short order. It’s much harder to deal with scam websites — especially when links are distributed via email and messaging apps.

Now for the most interesting part: the video. It looks just like a brand-new Brazilian news segment, but there’s a twist. The news is completely fake — and was “shot” without the journalists’ permission. The scammers used a real news broadcast as the base, overlaying it with AI-generated voiceover and syncing the lip movements to match the new script. In it, AI-generated clones of real journalists weigh in on “violations” by one of the country’s leading banks.

  • “Clients see their balances shrink for no reason — or even get wiped out entirely”
  • “Accounts are being unjustly frozen”
  • “Interest rates on loans are being inflated”

Part of the fake article created by AI for this scam

Once the stage is set, another AI clone takes over. Here, the scammers use the same approach as with the journalists: real video footage, AI-generated voiceover, and lip-syncing to match the new script. An AI-generated copy of a celebrity in Brazil delivers a fiery speech: “For months on end, the bank has repeatedly violated regulations, and now we’re taking decisive, uncompromising action. From this point forward, the bank will be allowed to operate in Brazil only if it pays compensation to every citizen, in the amounts specified.” And — what do you know? — bingo! Suddenly, every Brazilian is entitled to a one-time payout ranging from 1518 to 10 626 Brazilian reals (approximately US$250–2000).

Scam says court ruling guarantees compensation of up to R$10 000

Scam says court ruling guarantees compensation of up to R$10 000

Then the journalist clones return to the screen, supposedly showing a social media post from the bank that “confirms” the statement. But how do you actually cash in? Well, an AI-generated voiceover, set against a video tutorial, explains that all Brazilians need to visit a website “created by the tax authority and the bank”, enter their CPF (the Brazilian taxpayer ID), and calculate their personal compensation amount.

The setup is clear: as soon as the victim finishes watching the video, they’re funneled straight to a specially crafted phishing website, where a quick identity check awaits.

  • “What’s your mother’s name?”
  • “What’s your date of birth?”
  • “You have an overdue insurance payment in the amount of…”
A barrage of questions, and even a voice message generated by AI — now that's technology at work!

A barrage of questions, and even a voice message generated by AI — now that’s technology at work!

Answer all the questions correctly (not that it really matters — you can type whatever you like), and you’re through to the final stage. You’re told the transaction is practically on its way and the money is about to hit your account, but there’s a snag. You’re required to pay three taxes: a road tax, a transfer tax, and a receipt tax, totaling just 55 Brazilian reals (around $10) — a mere pittance compared to the promised windfall of 7854 reals (roughly $1400). Next, the site asks you to enter your bank card details, confirm your CPF once again, and provide your name, email, and phone number before making the payment. And when those “taxes” are paid… absolutely nothing happens! The money and personal information will go straight to the scammers — and, of course, no one will ever see a payout.

Protecting yourself against payout scams

This scam targets Brazilian residents, but it could easily be adapted to other languages, themes, and continents. By tomorrow, you can bet the scammers will have cooked up a brand-new pretext: government fitness reimbursements, free food, a gas-bill refund, or something else entirely. That’s why it’s crucial to recognize the pattern: there’s always enticing bait (think free giveaways of something valuable), a phishing website, and a fake news report to seal the deal. But how can you spot the catch in videos like these?

  • Watch the lips. Then you can spot the AI-generated journalist clones not always opening their mouths correctly. AI still struggles to perfectly sync lip movements with the audio track.
  • Watch the facial expressions. Sure, these “news” videos might look convincing in a still frame, but if you look closely at AI-generated footage, you’ll notice how the speaker’s face can suddenly shift or change in unnatural ways.
  • Inspect the background and lighting. If the “journalist” is standing in the middle of a field or some other empty space with blurry edges, or the lighting just looks off, chances are you’re looking at an AI creation.

But there’s more!…

Be sure to read Watch the (verified) birdie, or new ways to recognize fakes. In that post, we provide detailed guidance on telling real photos from fakes. If you’re worried that you or your loved ones might accidentally end up on a scam website, install Kaspersky Premium. It automatically blocks access to suspicious links from chat apps and email to keep you safe from phishing. That way, if there’s ever a threat, you won’t even have to worry about spotting fake news yourself.

Remember: following basic safety tips is one of the best ways to steer clear of scammers:

  • Avoid entering personal and payment details on suspicious websites. If they’re asking for your date of birth, email, bank details, taxpayer ID, and… which doormat you keep your spare key under, chances are you’re dealing with scammers.
  • Just a reminder: there’s no such thing as a free lunch. Be suspicious if someone promises you the world for nothing — even if it seems to be coming from a government official in a video. In fact, be even more cautious if it’s a government official speaking on camera!
  • If you have to pay to claim your prize, it’s probably a scam. That’s a classic scammer’s trick: they promise you a huge payout, but only if you pay “a fee”, “tax”, or “shipping” first.
  • Avoid clicking suspicious links. As a rule of thumb, consider any link sent to you by strangers to be suspicious by default. But remember, even friends can end up sending scam links — sometimes without even realizing it.

What else are scammers up to?

Kaspersky official blog – ​Read More

Release Notes: TAXII Support for TI Feeds, New Sandbox Onboarding, and 900+ Detection Rules 

We’ve packed May with updates to make your experience smoother and your threat detection even sharper. Whether you’re just getting started or knee-deep in malware every day, these changes are here to save you time and give you better insights. 

In this update: 

  • A brand-new onboarding tutorial in the sandbox to guide you step by step 
  • TAXII support for TI Feeds, so you can plug threat intel right into your tools 
  • A big boost in threat coverage, with new signatures, YARA rules, and standout samples 

Take a look below to see how these updates can help you work faster, stay ahead of threats, and get more out of ANY.RUN

Product Updates 

New Sandbox Onboarding Tutorial 

New sandbox tutorial for quick and effortless onboarding 

Whether you’re brand new to ANY.RUN or just want a quick refresher, the new onboarding tutorial in the sandbox has you covered. It walks you through each step of the analysis process, from uploading a sample to making sense of the process tree, network activity, and IOCs

It’s a great starting point for new analysts or anyone looking to get more comfortable with the platform. 

You can find it in the FAQ section under the Tutorials tab; just click on Quick Sandbox Tutorial and you’re good to go. 

Test ANY.RUN’s services with 14-day trial
to see how they can strengthen your company’s security 



Get 14-day trial


TAXII Protocol Now Supported for TI Feeds 

TAXII (Trusted Automated eXchange of Indicator Information) is a widely used protocol for sharing threat intelligence in a fast, secure, and standardized way. It’s designed to make integrating threat data with your existing tools, like SIEMs, EDRs, or TIPs, smooth and efficient. 

Now, ANY.RUN’s Threat Intelligence Feeds fully support TAXII, making it even easier to bring high-quality threat data directly into your security stack. 

Here’s what you get with ANY.RUN’s TI Feeds + TAXII integration: 

  • Actionable, real-world threat indicators: The feeds pull data from threats seen across 15,000+ companies worldwide. You’ll get fresh, high-confidence IOCs sourced from dynamic malware analysis and enriched with context from ANY.RUN’s sandbox.  
  • Minimal false positives: Every indicator is pre-processed and vetted before it reaches your system, so you get clean, reliable data that won’t overload your analysts or flood your alerts.  
  • Boosted detection and response automation: Use TI Feeds to automatically block malicious IPs, flag risky logs, enrich alerts, or trigger playbooks, saving your team time and cutting response delays. 

How It Works 

If you’re on a paid plan, you can now set up ANY.RUN’s TI Feeds as a TAXII endpoint in your existing system, whether it’s a SIEM, EDR/XDR, NGFW, or TIP platform. 

Once connected to our TAXII server, your tools will start receiving fresh threat intel automatically. Want to see what the feeds look like? You can preview a sample in STIX or MISP format. 

For full access to the latest indicators, reach out to us for 14-day trial of TI Feeds. 

Threat Coverage Updates 

In May, we expanded our detection coverage across Windows, Linux, and Android environments with 900+ new behavior signatures, YARA rules, Suricata rules, and attribution-based detections. These updates help defenders spot emerging malware families and reduce analysis time with better context and accuracy. 

New Behavior Signatures 

162 new behavior-based signatures were added to improve detection across commodity malware, ransomware, loaders, and remote tools. 

Highlighted additions include: 

  • BPFDoor – A stealthy Linux backdoor that receives TCP/UDP/ICMP packets directly via BPF filters. Linked to the Red Menshen group, this malware hides without opening network ports and persists on servers for months. 
  • Sakura RAT – A rare APT-26 (Deep Panda) tool used in major data breaches. It hides C2 traffic in normal HTTP requests and uses stolen certificates to avoid detection. 
  • RoamingMOUSE – An Excel dropper used by MirrorFace (APT10) to side-load the Anel backdoor. Targets Japanese and Taiwanese government entities. 
  • FinalDraft – A cross-platform backdoor that uses Microsoft Graph API and Outlook drafts as C2 channels. It can proxy traffic and inject malicious code. 
  • PayDay Loader – Delivered via fake VPN/AI websites, this tool silently downloads stealers like Lumma and Poseidon across Windows, macOS, and Android. 
  • TerraStealer v2 – A stealer from the Golden Chickens toolkit. It grabs browser credentials and crypto wallets and exfiltrates data via Telegram or cloud services. Often paired with TerraLogger

Other behavior-based detections added for the following threats: 

New Tool and Utility Detections 

We also added detections for commonly abused remote access tools and packers: 

YARA Rule Updates 

In May, we released 19 new and updated YARA rules to strengthen static detection and improve malware classification during analysis. These rules help identify emerging threats, improve attribution, and support faster triage, especially when working with evasive samples or reviewing files pre-execution. 

Here are the latest additions: 

  • Packit Stealer – Rule added to detect this custom packer-based stealer known for targeting credentials and crypto assets. 
  • Lobshot – Detection rule to catch a Windows-based stealer that uses legitimate processes for stealth. 
  • GoFing – Rule added for this lesser-known info-stealer that focuses on browser and session data. 
  • Anel Backdoor – Part of the RoamingMOUSE dropper chain; used in targeted attacks. 
  • Teapot Stealer – New rule to detect this Python-based stealer active in commodity malware campaigns. 
  • Ralord Ransomware – Detection rule for this rapidly spreading ransomware targeting personal files and enterprise systems. 

We also added YARA rules tied to the following threats: 

Suricata Rule Updates 

To improve detection of network-based threats, we added 756 new Suricata rules in May. These updates expand visibility into malicious domains, phishing infrastructure, and command-and-control traffic seen across live malware samples. 

Some highlights include new detections for infrastructure observed in: 

  • WikiKit Campaign – Detects domain chains used in phishing and payload delivery. 
  • EvilProxy Campaign – Tracks malicious proxies abusing login flows and multi-factor authentication bypasses. 

These rules are automatically applied during analysis and contribute to network-layer IOCs in your reports, making it easier to detect lateral movement, data exfiltration, and malware beaconing early in the infection chain. 

About ANY.RUN 

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.  

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency. 

The post Release Notes: TAXII Support for TI Feeds, New Sandbox Onboarding, and 900+ Detection Rules  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN for Fast Response

Government institutions worldwide face a growing number of sophisticated cyberattacks. This case study examines how ANY.RUN’s solutions can be leveraged to detect, analyze, and mitigate cyber threats targeting government organizations. 

By analyzing real-world threats, we demonstrate how ANY.RUN’s Threat Intelligence Lookup, Interactive Sandbox, and YARA Search assist cybersecurity teams in identifying attack vectors, tracking malicious activities, and enhancing organizational resilience. 

Case Studies 

We will explore several attack scenarios where adversaries impersonate government structures to gain initial access:  

  • A phishing email sent to the Department of Employment and Workforce (a U.S. government agency responsible for helping with employment and paying unemployment insurance benefits). 
  • A domain imitating the official website of the U.S. Social Security Administration. 
  • A malicious PDF disguised as a court notice from the South African Judiciary. 

1. Phishing Email Targeting South Carolina Department of Employment and Workforce 

Let’s take up the role of a cybersecurity officer at the department and try to understand who is targeting the organization, what malware is used, and what delivery methods are applied.  
 
A YARA rule is created to search emails with recipients from the domain dew.sc.gov analyzed in ANY.RUN sandbox. It identified 33 files and their analyses featuring email addresses on dew.sc.gov.

YARA rule search of email analyses by domain 

These results help to better understand threats targeting the agency:  

  • Study subject lines, attachment types, and delivery methods. 
  • Identify malware and tools used for attacks. 
  • Collect artifacts (hashes, URLs, IPs) for filtering and monitoring. 
  • Detect recurring techniques to improve protection. 

Let’s view one of the sandbox analyses linked to the detected files:  
 
In April 2025, a phishing email was uploaded to ANY.RUN, targeting an employee at the South Carolina DEW. The email, sent from @163.com domain, contained a malicious ZIP attachment named “Quotation.zip” (658 KB).  

The malicious email as seen by a user 

We can run a separate analysis of the email in the Sandbox. First of all, header analysis shows that the email failed SPF, DKIM, and DMARC checks — the IP address wasn’t authorized for sending from 163.com, and no DKIM signature was present.

Detect phishing and malware threats faster
with ANY.RUN’s Interactive Sandbox 



Sign up with business email


The IP can be used as an IOC and subjected to reputation checks. 

Email sender IP fails verification 

The email attachment that includes an executable file, “Quotation.exe”, has been flagged as a stealer by ANY.RUN’s signatures even before execution. The malware was identified as FormBook, with behaviors mapped to MITRE ATT&CK techniques T1552.001 (Credentials in Files) and T1518 (Software Discovery). The execution chain is visualized in the Graph section:  

Processes graph 
The detailed process involving FormBook activity

Network traffic analysis confirmed FormBook activity through Suricata rules detecting characteristic HTTP headers. 

Suricata stealer detection 

How to Find Similar Emails via ANY.RUN 

And now let us scale up to exploring the landscape of similar attacks, the patterns they follow, and to understanding the urgency of such threats for government agencies in the USA. A TI Lookup search was run for FormBook samples uploaded for sandbox analysis by users from the USA and delivered to them by email opened via Outlook:  
 
threatName:”FormBook” and submissionCountry:”US” and commandLine:”outlook.exe” 

TI Lookup search for emails with FormBook stealer received by US users

12 sandbox analysis sessions were found — each containing unique indicators like hashes, IPs, C2 calls, and email content. This data can be used for deriving context and tracking repetitive techniques. 

Uncover critical threat context for faster triage and response
with ANY.RUN’s Threat Intelligence Lookup 



Get 50 trial requests


Broader analysis is available using YARA Search for .gov email recipients in 2025 to identify malicious activity targeting US state agencies:  

At least 2,500+ emails received by .gov recipients by mid-2025 

Not all the found letters are malicious, but many reflect current phishing tactics recruited against government bodies.  

Custom YARA rules can be adjusted for relevance: change conditions, add filters, and thus create a selection of emails relevant to an organization’s threat profile. 

2. Fraudulent Domain Mimicking the U.S. Social Security Administration 

Next, we simulate the role of a SOC analyst at the U.S. SSA and research phishing domains that impersonate our entrusted agency. How do the documents these domains host look and feel, what payloads they disseminate, and what tactics and methods adversaries use?  

Via TI Lookup, we search for domains flagged as malicious and containing ssagov. 

domainName:”ssagov” and threatLevel:”malicious” 

The search returned 22 sandbox analyses, with 7 unique potentially malicious domains. This indicates attackers actively spoof SSA for phishing. Exploring these campaigns allows SOC teams to gather indicators, set up detection systems, and enhance triage and response.  

For example, an Interactive Sandbox analysis session from May 2025 spotted a malicious domain documentssagov[.]com that mimics SSA’s website and prompts users to download a “document”. Typical social engineering tactics are engaged — urgency, fake branding, and download prompts. 

An executable disguised as a document urging to be opened 
Typical social engineering baits activated 

Instead of a document, an executable SSA_Document.exe is downloaded. On execution, the ScreenConnect remote administration tool is deployed — indicating an attempt to gain remote access. This activity has been detected via Suricata and mapped to MITRE ATT&CK matrix.

Remote access software and connection to an unusual port detected 

How to Find Similar Domains via ANY.RUN 

Besides researching threats targeting a specific agency, we can uncover a domain-based tactic that involves spoofing a government agency sector.   

We aim to identify which phishing domains are being used by malicious actors, how actively they are being exploited, and what techniques are employed to deliver malicious payloads — while also enriching our detection systems with new indicators. 

Suppose we are interested in current attacks targeting ministries of foreign affairs. Let’s try to find potentially malicious domains that imitate the official websites of such organizations. Typically, these sites contain the abbreviation “mofa” (Ministry of Foreign Affairs) in their domain names. 

domainName:”*mofa*” AND threatLevel:”malicious” 

Search results of domains containing –mofa- 
Sandbox analyses from the –mofa- search results 

This TI Lookup search reveals 12 potentially malicious domains and 22 related analyses. Each analysis session contains IOCs, TTPs, domain interaction patterns, and data on malware distribution vectors. Such insights help understand phishing strategies, delivery mechanisms, and enrich detection systems with new indicators. 

3. Malicious PDF Posing as a South African Judiciary Notice 

Finally, let’s put on the hat of a South African Judiciary body employee and imagine having received an email with a PDF document disguised as an urgent judicial notice. We upload the file to ANY.RUN’s Interactive Sandbox and perform an analysis.  
 
The document mimics a court summons allegedly sent to a company, urging the recipient to immediately review the case materials. A button labeled “PREVIEW YOUR SUMMON DOCUMENT HERE” leads to an external link likely hosting a malicious payload. 

Email with a malicious link instead of an official document

This is a classic example of social engineering, designed to create a sense of urgency and official pressure. The use of visual elements typical of government notifications increases the chances of recipient engagement. Such PDF files are often used to deliver and execute malicious code or as a trigger to redirect users to phishing sites. 

Upon opening the PDF, ANY.RUN flags the file as potentially phishing-related. It detects telltale signs, such as wording commonly used in phishing campaigns and embedded links. Quickly it becomes clear that the file is unsafe and likely part of an attack. 

The document instantly gets flagged as malicious 
Suspicious attributes considered in detection 

Clicking the “PREVIEW YOUR SUMMON DOCUMENT HERE” button redirects the user to FloppyShare, from which a file named “SUMMON COURT DEMAND DOCUMENT.html” is automatically downloaded. When opened, this HTML document displays a fake Microsoft Office 365 Mail login form, prompting the victim to enter their credentials. 

Fake Microsoft authentication page ready to steal credentials 

This tactic is typical of credential-harvesting phishing attacks. The form visually mimics Microsoft’s authentication page, increasing the likelihood that victims will input their login details. 

How to Find Similar Documents via ANY.RUN 

One effective approach is to extract embedded images from the PDF and search for their hashes in the ANY.RUN database. This helps identify similar samples, recurring templates, and visual elements used by attackers in social engineering campaigns. By doing so, we gain deeper insight into their tactics and uncover related malicious content. 

An image forms a phishing letter can be used for exposing more 
Image identifiers including hashes in the Interactive Sandbox 

Let’s take the hash of one of the PDF’s embedded images and perform a search via TI Lookup with a simple query:  
 
sha256:”dfbbc198e7cb36ca31a5cb9dfd859955c4366b94f4a87c2a03102d60168eb74d” 

The results reveal 18 analyses featuring various PDF variants and payload delivery methods. Attackers disguise malicious pages as legitimate services and use different hosting platforms. 

File names typical for phishing pseudo-official attachments 

The data from the samples can serve as indicators of compromise (IOCs) for malicious activity targeting a specific company or sector of interest. 

Summary on the Cases 

ANY.RUN’s capabilities enabled rapid threat detection and analysis: 

  • TI Lookup: Provides detailed threat intelligence, including domain and IP reputation. 
  • YARA Search: Identifies targeted phishing campaigns by filtering emails with specific recipient domains, yielding actionable IOCs and samples. 
  • Sandbox Analysis: Executes malicious files to observe behaviors, map MITRE ATT&CK techniques, and detect network-based threats using Suricata rules. 

The ability of these solutions to scale analysis and correlate threats across multiple incidents helps to build a comprehensive attack profile, critical for government cybersecurity strategies. 

Recommendations for Decision-Makers 

For government cybersecurity leaders, we recommend to: 

  1. Adopt proactive threat hunting: Use ANY.RUN’s YARA Search to monitor emails and files targeting agency domains, enabling early detection of phishing and malware campaigns. 
  1. Leverage real-time analysis: Employ ANY.RUN’s Interactive Sandbox to analyze suspicious attachments and URLs, ensuring rapid identification of threats.  
  1. Use threat intelligence: Utilize TI Lookup to gather IOCs to block malicious IPs, domains, and URLs across agency networks.  
  1. Empower staff with phishing awareness: Educate employees on recognizing spoofed domains and suspicious attachments, using insights from ANY.RUN analyses.  
  1. Integrate with existing systems: Incorporate ANY.RUN’s TI Feeds to automate threat detection. 

By providing real-time analysis, scalable threat hunting, and actionable intelligence, ANY.RUN empowers cybersecurity teams to protect critical infrastructure effectively. Implementing these recommendations will strengthen defenses, reduce response times, and mitigate risks posed by targeted cyber threats. 

Get a 14-day trial of ANY.RUN’s solutions and see how much faster and deeper your threat investigations can be. 

The post Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN for Fast Response appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

DollyWay is infecting WordPress sites | Kaspersky official blog

Given that just under half of all websites in the world are powered by the WordPress content management system, it’s no wonder cybercriminals are constantly looking for loopholes to exploit it. This past March, cybersecurity researchers at the hosting company GoDaddy described a campaign that began in 2016 and has since compromised more than 20 000 WordPress websites worldwide.

The campaign has been dubbed “DollyWay World Domination” after a line of code (define (‘DOLLY_WAY’, ‘World Domination’)) found in the malware used in this campaign. As part of DollyWay, threat actors inject malicious scripts with various capabilities onto websites. Their main goal is to redirect users from legitimate websites to third-party pages. As of February 2025, experts had recorded over 10 000 infected WordPress websites worldwide.

To compromise websites, malicious actors exploit vulnerabilities in WordPress plugins and themes. They start by injecting a harmless-looking script that raises no red flags with security systems performing static HTML code analysis. The script operates as a stealthy infiltrator — quietly downloading more dangerous code used for profiling victims, communicating with command-and-control servers, and ultimately redirecting visitors to infected sites. You can read the original research paper for a detailed description of how these scripts work.

Monetizing the malicious campaign

Redirect-links generated by DollyWay include an affiliate identifier — much like referral programs that bloggers often use to promote products or services. These identifiers allow websites to track where users are coming from. Bloggers typically earn a commission on purchases made by visitors who arrive through referral links. The DollyWay World Domination Campaign is monetized in much the same way, using the VexTrio and LosPollos affiliate programs.

VexTrio has been called the “Uber of cybercrime”. Reportedly active since at least 2017, this service primarily acts as a broker for scam content, spyware, malware, pornography, and so on. It’s VexTrio that redirects the traffic from DollyWay to scam sites. As noted above, the malware profiles its victims. Based on these profiles, users are then funneled to various types of websites, such as fake dating sites, crypto scams, or gambling pages.

LosPollos apparently specializes in selling traffic to legitimate services. Whenever DollyWay redirects traffic to a site promoted by LosPollos, the redirects always include the same LosPollos affiliate account identifier. DollyWay’s partnership with LosPollos explains why, in some cases, redirects from infected sites lead users not to malicious pages, but to legitimate app listings on Google Play such as Tinder or TikTok.

How DollyWay conceals itself on websites it has infected

Cybercriminals exercise great care to keep their malware from being detected and removed. For starters, the malicious code is injected into every active plugin. Removing it is no walk in the park, as DollyWay employs an advanced re-infection mechanism that triggers every time a page on the compromised site is accessed. If the malicious code isn’t removed from all active plugins and snippets, loading any page on the site will result in re-infection.

Detecting DollyWay may prove no simple task either — the malware is adept at hiding its presence on an infected site. To maintain access to the compromised site, the attackers create their own account with admin privileges, and DollyWay hides this account from the WordPress dashboard.

In case their accounts are discovered, the attackers also hijack the credentials of legitimate administrators. To do this, DollyWay monitors everything entered into the site’s admin login form and saves the data to a hidden file.

The attackers also take steps to ensure their assets remain operational. Researchers found evidence of a script apparently used by the attackers to maintain infected sites. Specifically, it can update WordPress, install and update required components, and initiate the injection of malicious code.

Experts also discovered a web shell that the attackers use, among other things, to update compromised sites and keep away rival malware. This goes to show that the attackers are keen to prevent other malware from hijacking traffic or setting off any security alarms that might alert the site owner.

The experts believe that the maintenance script and web shell aren’t deployed on every site infected by DollyWay. Maintaining such infrastructure across all 10 000 sites would be prohibitively resource-intensive. Chances are, the attackers only deploy these scripts on their most valuable assets.

Protecting your corporate website

The sheer scale and longevity of the DollyWay World Domination campaign once again underscore the need for regular security audits of company websites. When it comes to WordPress sites, plugins and themes deserve particular attention — they’ve repeatedly proven to be the most vulnerable parts of the platform’s infrastructure.

If you suspect your company’s website has fallen victim to DollyWay, researchers recommend keeping a close eye on file creation and deletion events. Such activity can be an indicator of compromise, as some versions of DollyWay v3 perform file operations every time a page is loaded.

Here is what you need to do if you come across signs of compromise.

  • Temporarily take the affected site offline, redirecting all traffic to a static page. Or, at the very least, deactivate all plugins while you’re removing the malware.
  • Remove any suspicious plugins — but keep in mind that DollyWay knows how to hide them from the WordPress dashboard.
  • Delete any unrecognized administrator accounts — again, be aware that DollyWay can hide these too.
  • Change the passwords for all WordPress users, starting with anyone who has admin privileges.
  • Enable two-factor authentication for WordPress sign-in.
  • If the internal infosec team’s resources are insufficient, seek help from third-party incident response specialists.

Kaspersky official blog – ​Read More

OtterCookie Malware Analysis and Distribution

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

What looks like a simple freelance bug fix turns out to be a full-blown malware infection. OtterCookie, a new tool from the Lazarus Group APT, hides behind clean code and fake job offers, then silently steals credentials, crypto wallets, and more.  

In this step-by-step technical analysis, Mauro Eldritch breaks down the full attack chain, supported by live insights from ANY.RUN’s Interactive Sandbox

Overview of OtterCookie Malware 

North Korean state-sponsored groups, most notably Lazarus, continue to target the financial and cryptocurrency sectors using a range of custom malware families. Previously observed campaigns included threats like InvisibleFerret and Beavertail, which were distributed through elaborate social engineering tactics such as fake developer interviews and staged business calls with executives. 

A new addition to this toolkit is OtterCookie, a stealer malware that, much like its predecessors, isn’t spread through random means like pirated software or infected USB drives. Instead, it is part of a broader, coordinated campaign targeting professionals in the tech, financial, and crypto industries. By staging fake interviews, threat actors deliver malware disguised either as coding challenges (or their dependencies) or video call software, in a campaign now known as Contagious Interview or DevPopper. 

OtterCookie, written in heavily obfuscated JavaScript, was uncovered during a recent investigation conducted with the Bitso Quetzal Team. Notably, the delivery method used in this case stands out for its creativity and level of deception. 

Picture 1: Obfuscated code. Lazarus loves Deobfuscator.io 

Key Takeaways 

  • OtterCookie is a new stealer malware linked to North Korean APT Lazarus, delivered through fake job offers. 
  • Malware is hidden in clean-looking Node.js repos and executed via an intentional try/catch failure. 
  • Payload is fetched from an external API and executed using a require() call—no local implant needed. 
  • Targets include browser credentials, macOS keychains, and crypto wallets like Solana and Exodus. 
  • Data is exfiltrated via port 1224 to a U.S.-based C2 server, following patterns seen in Beavertail and InvisibleFerret. 
  • ANY.RUN detects OtterCookie early, before deobfuscation, and maps its behavior in the ATT&CK Matrix
  • OtterCookie eventually deploys InvisibleFerret, continuing Lazarus’s modular, multi-stage approach. 

Social Engineering Delivery: The “Job Offer” Trap 

As part of the Contagious Interview campaign, one observed variation involved a new form of social engineering distributed through LinkedIn. Instead of requesting participation in a coding challenge or scheduling a business call, as seen in previous campaigns, the attacker proposed freelance contract work. The task was simple: resolve a minor visual bug in the frontend of a decentralized application (DApp). 

The sender claimed their development team was unavailable due to vacation and shared access to a Bitbucket repository containing Node.js code. 

Picture 2: Bitbucket repo 

Surprisingly, the repository appeared entirely clean. No implants, no hidden payloads, and none of the suspicious NPM dependencies commonly associated with earlier malware like Beavertail. This wasn’t an example of FUD (Fully Undetectable) malware bypassing antivirus detection, it was genuinely clean. The kind of clean that instills confidence and lowers suspicion. 

Picture 3: VirusTotal 

A Closer Look at OtterCookie Malware

The code simulates a NodeJS web service and frontend based on Express, with two interesting functions. First, there’s an error section that looks hastily written, with a particularly odd error message. 

Picture 4: Badly written Error 

Next, there’s a notable try/catch block in the code. For context, a try/catch block is a common programming construct that allows an application to attempt an operation. If the operation fails, due to either a specific error or a general exception, the catch block executes to handle the failure without crashing the application. 

Picture 5: Try/Catch block 

Execution Through Controlled Failure 

This particular implementation is one of the most creative ways of deploying malware seen recently. The app’s initialization sequence is wrapped in a try/catch block. When an error is triggered, it fetches a response from an external API that appears to provide contextual error information, and then… executes it. 

You read it right – it uses a require() statement to execute whatever response comes back from the external API. 

The first thought that comes to mind: “Does that mean the system gets infected if the app fails?” 

And yes, that’s exactly the point! The failure is intentional and triggered during the app’s bootstrap phase. It kicks in, catches the error, prints it to the console, and pretends it just handled the issue gracefully—like everything’s fine now and ready to go. In the background, it already fetched “the error” and is executing it. 

Interactive Sandbox Analysis with ANY.RUN 

Let’s take a closer look at how this plays out in ANY.RUN’s interactive sandbox 

View analysis session 

Picture 6: A forced failure 

After launching an Ubuntu instance and installing Node.js, the next step involves adding the legacy peer dependencies from NPM—around 1,540 packages in total. Running the web server then triggers the expected error routine: “Unexpected reserved word.” Despite the wording, this error is anything but unexpected. 

Speed up and simplify analysis of malware and phishing threats with ANY.RUN’s Interactive Sandbox 



Sign up with business email


Originally, the task was to fix a simple visual bug. But that raises the question—how did a blatant, critical error like using a reserved word make it into the code? The answer becomes obvious a bit too late: while the app was running, it quietly queried a remote API in Finland—chainlink-api-v3[.]cloud—and received what appeared to be an error response. 

Or at least something that looked like one. And it got executed. 

Picture 7: The response, obfuscated in JavaScript 

Deobfuscation and Payload Behavior 

Let’s try to deobfuscate that response. 

Lazarus is known for its frequent use of a legitimate online tool: deobfuscate[.]io. This platform has been used to obfuscate JavaScript payloads in fake NPM packages, and even entire malware families like Beavertail. 

Picture 8: Decoded malware 

When the obfuscated code is pasted, the webapp recognizes which version was used to scramble it and offers to redirect you straight to the right decoder. One click later, you get the original code, which is nice and readable. Let me introduce you to OtterCookie. Let’s analyze it.  

Inside OtterCookie: What It Targets 

OtterCookie begins by requesting libraries that allow interaction with the operating system, such as fs, os, path, request, and child_process. It also includes modules specifically designed to target major browsers like Brave, Google Chrome, Opera, and Mozilla Firefox, along with numerous browser extensions, primarily those related to cryptocurrency wallets and password managers. 

Picture 9: Imported libraries and dedicated malicious modules 

This behavior may sound familiar to those who’ve followed earlier DPRK-linked malware campaigns, such as Beavertail and InvisibleFerret. 

Credential and Wallet Theft 

In this case, OtterCookie specifically targets Firefox profile directories, copying the user’s Solana-related profile data for exfiltration. 

Picture 10: Firefox and Solana profiles are stolen 

In addition to Solana, other wallets, such as Exodus, are also targeted, with sensitive files being copied for exfiltration. This aligns with the broader pattern observed in DPRK campaigns, where cryptocurrency assets are a primary focus due to their relative ease of laundering and anonymization. 

And it’s not just about cryptocurrency. Some NFTs, despite having little market value, are used as authentication mechanisms in certain Web3 environments, which are increasingly widespread. These, too, can be valuable to threat actors. 

Picture 11: Exodus Wallet is actively targeted 

Next, OtterCookie attempts to access the macOS login keychain, along with credential databases from various browsers, extracting saved passwords, session tokens, and other sensitive authentication data. 

Exfiltration Tactics and Infrastructure 

Once everything is staged, the malware sends the loot to a webserver in the US (144.172.101.45), using port 1224 and the /uploads path. 

We’ve seen this exact pattern before… in InvisibleFerret. 

It’s safe to assume that some practices—and even bits of code—are being recycled across these malware strains. 

Picture 12: Remembrances of InvisibleFerret and BeaverTail 

Before exfiltration, OtterCookie attempts to compress the collected data using tar. At this stage, some familiar filenames appear, p.zi and p2.zip, previously seen in related campaigns. 

That definitely rings a bell. Similar filenames were seen in the Beavertail campaign, used to download and install its partner-in-crime and next stage: InvisibleFerret, pulled from an endpoint called /pdown. Just like in the snippet at the end of this script. 

Picture 13: Downloading the next stage: InvisibleFerret 

Next Stage: Delivering InvisibleFerret 

At this stage, the malware attempts to download a portable Python distribution, compatible with either Windows or Unix, from its command-and-control (C2) server. Once installed, it proceeds to execute InvisibleFerret as the next stage of the attack. For context, InvisibleFerret is a cross-platform remote access trojan (RAT) written in Python, known for leveraging legitimate tools such as AnyDesk to maintain persistent access to the victim’s system. 

Picture 14: Preparing the next stage by setting up Python 

The good news is that ANY.RUN successfully detects all three malware strains—OtterCookie, InvisibleFerret, and Beavertail. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

Follow along a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



In this case, the obfuscated payload was flagged even before manual deobfuscation could begin. 

With that covered, it’s time to move on to the MITRE ATT&CK Matrix, which ANY.RUN conveniently generates as part of the analysis. 

Picture 15: Detected as OTTERCOOKIE 

The OtterCookie Matrix 

OtterCookie shares several Tactics, Techniques, and Procedures (TTPs) with its counterparts, InvisibleFerret and Beavertail. Some of the most notable include: 

  • T1082 – System Information Discovery 
    OtterCookie collects detailed information from the victim’s system to build a comprehensive host profile. 
  • T1003 – OS Credential Dumping 
    The malware accesses sensitive local files such as /etc/passwd and /etc/shadow, along with browser credential stores and OS keychains. The harvested data is then compressed and prepared for exfiltration. 
  • T1071 – Application Layer Protocol 
    This technique is used to communicate with the command-and-control server (144.172.101.45) for data exfiltration. 
  • T1571 – Non-Standard Port 
    Supporting T1071, this technique involves the use of an uncommon port—1224—to evade standard detection mechanisms. 
Picture 16: MITRE ATT&CK Matrix 

Conclusion 

OtterCookie is yet another reminder of how advanced and deceptive modern malware has become. Hidden behind a routine bug fix task, it exfiltrates credentials, crypto wallet data, and system information, while quietly setting up a second-stage payload like InvisibleFerret. 

Attacks like this demand more than traditional detection. They require a dynamic, transparent environment to truly understand what’s happening. 

With ANY.RUN’s interactive sandbox, security teams can: 

  • Cut investigation time from hours to seconds by getting clear verdicts in under 40 seconds even for obfuscated, evasive malware. 
  • Understand threats in real time, helping analysts take action before damage is done. 
  • Train junior analysts faster by giving them a safe, hands-on environment to explore real malware behavior without risking the network. 
  • Improve response quality and speed, thanks to visualized tactics, techniques, and clear IOCs that can be used immediately in detection rules. 
  • Boost team efficiency with easy-to-share sessions and collaborative analysis tools, reducing back-and-forth and enabling faster decision-making. 

Whether you’re investigating OtterCookie or preparing for what’s next, ANY.RUN helps you detect, understand, and respond faster with clarity and control. 

Join now to experience its advanced features for 14 days. 

Gathered IOCs 

IPv4: 135.181.123.177

IPv4: 144.172.101.45

Domain: chainlink-api-v3.cloud

URL: http://144.172.101.45:1224/

URL: http[:]//chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e

URL:http[:]//chainlink-api-v3[.]cloud/api/

URL: https[:]//bitbucket.org/0xhpenvynb/mvp_gamba/downloads/

SHA256: aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1

SHA256: 071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9

SHA256: 486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d

SHA256: ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687

FileName: 0xhpenvynb-mvp_gamba-6b10f2e9dd85.zip

SOLWallet: V2grJiwjs25iJYqumbHyKo5MTK7SFqZSdmoRaj8QWb9 

The post OtterCookie Malware Analysis and Distribution appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More