Given the serious financial and reputational risks of incidents that grind business to a halt, organizations need to prioritize a prevention-first cybersecurity strategy
WeLiveSecurity – Read More
Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.
In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. Five consist of elevation of privileges, two may result in information disclosure and only one, CVE-2025-54916, is a remote code execution (RCE) vulnerability.
CVE-2025-54916 is an RCE vulnerability caused by a stack-buffer overflow in Windows NTFS that allows an authorized attacker to execute code over the network. Microsoft has noted that this vulnerability affects different versions of Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.
CVE-2025-54910 is an RCE vulnerability caused by a heap-based buffer overflow in Microsoft Office that allows an unauthorized attacker to execute code locally. This type of vulnerability is also known as Arbitrary Code Execution (ACE). Microsoft clarifies that the attack itself is carried out locally, and that the location of the attacker can be remote, but the vulnerability must be exploited locally. This vulnerability affects Microsoft 365 Apps, Office 2016, 2019 and LTSC 2021 and 2024.
CVE-2025-54918 is an elevation of privilege (EoP) vulnerability caused by improper authentication in Windows NTLM that allows an authorized attacker to elevate privileges over a network to gain SYSTEM privileges. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.
CVE-2025-54101 is an RCE vulnerability caused by a use-after-free in Windows SMB v3 Client/Server that allows an authorized attacker to execute code over a network. Successful exploitation requires the attacker to win a race condition. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019 and 2022.
Two RCE vulnerabilities in DirectX Graphics kernel may result in remote code execution: CVE-2025-55226 and CVE-2025-55236. CVE-2025-55226 is caused by concurrent execution using a shared resource and improper synchronization in the Graphics Kernel allowing an authorized attacker to execute code locally. Microsoft also notes that this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.
CVE-2025-55236 is a time-of-check time-of-use (toctou) race condition in the Graphics Kernel allowing an authorized attacker to execute locally. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2019, 2022 and 2025.
Talos would also like to highlight the following important vulnerabilities as Microsoft has assessed that their exploitation is more likely:
CVE-2025-53803: Windows Kernel Memory Information Disclosure Vulnerability.
CVE-2025-53804: Windows Kernel-Mode Driver Information Disclosure Vulnerability.
CVE-2025-54093: Windows TCP/IP Driver Elevation of Privilege Vulnerability.
CVE-2025-54098: Windows Hyper-V Elevation of Privilege Vulnerability.
CVE-2025-54110: Windows Kernel Elevation of Privilege Vulnerability.
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65327 – 65334.
The following Snort3 rules are also available: 301310 – 301313.
Cisco Talos Blog – Read More
ANY.RUN’s Threat Intelligence Feeds are designed to power SOAR, SIEM, EDR/XDR, TIP, and other security systems. Our goal is simple: to fit naturally into a customer’s security ecosystem so analysts can investigate incidents faster, improve detection quality, and spend less time on repetitive tasks.
Now, IBM QRadar SIEM users can directly consolidate ANY.RUN’s Threat Intelligence Feeds to strengthen detection and triage capabilities — all from a single console.
IBM QRadar SIEM is a leading Security Information and Event Management solution that centralizes visibility across IT infrastructure, enables real-time threat detection through log and flow analysis, and incorporates advanced analytics like AI and user behavior monitoring.
The integration with TI Feeds helps teams using QRadar SIEM boost their security with high-quality threat intelligence. They deliver malicious IPs, domains, URLs extracted from live sandbox analyses of the latest threats hitting 15,000+ organizations worldwide. Unlike post-incident reports that lag behind, our feeds update in real time sending active attack indicators straight to clients.
Automatically correlate logs and events with the latest IOCs to spot the latest threats, reduce mean time to detect/respond (MTTD/MTTR), and lower analyst burnout.
ANY.RUN provides more than indicators — our data includes sandbox reports that provide actionable behavioral context (IOCs, IOBs, IOAs), helping SOC teams understand how threats operate.
Identify threats earlier in the kill chain to stop and mitigate attacks before they impact business operations
Automated correlation reduces manual research time, allowing analysts to focus on investigation and response rather than IOC verification and threat hunting.
Faster threat detection translates directly to reduced potential damage from security incidents, while improved analyst efficiency lowers operational costs.
API, SDK, and STIX/TAXII formats are supported to seamlessly bring the feeds into your existing architecture. No redesigning workflows, no extra costs.
For SOC level 1-2 analysts, the IBM-ANY.RUN connection fuels:
The ANY.RUN TI Feeds application is available through the IBM X-Force App Exchange marketplace, ensuring compatibility and support within IBM’s security ecosystem.
Deployment:
Requirements:
Consider a typical enterprise environment where network traffic and infrastructure logs flow into IBM QRadar SIEM. When the ANY.RUN TI Feeds connection is active:
This workflow turns reactive threat hunting into proactive threat detection, with verified threats automatically surfaced for investigation, near-zero false positives, and faster investigation and triage.
By combining QRadar’s proven correlation and alerting capabilities with ANY.RUN’s real-time, high-fidelity threat intelligence, organizations can achieve:
The ANY.RUN TI application is available now through the IBM X-Force App Exchange for organizations with active ANY.RUN Threat Intelligence Feeds subscriptions.
ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.
Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.
Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.
Want to see it in action? Start your 14-day trial of ANY.RUN today →
The post ANY.RYN x IBM QRadar SIEM: Real-Time Intelligence for Wider Threat Coverage appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Several popular npm packages used in a number of web projects have been compromised and trojanized by unknown attackers. The attackers, through a phishing attack on maintainers, were able to gain access to at least one repository and injected the packages with malicious code used to hunt for cryptocurrency. Thus, all web applications that used trojanized versions of the packages were turned into cryptodrainers. And there can be quite a few of them — as the compromised packages had more than two billion downloads per day (according to Aikido Security).
Obfuscated JavaScript was added to all affected packages. If the compromised package is used in a web application, the malicious code is activated on the devices that were used to access this application. Acting at the browser level, malware intercepts network traffic and API requests, and changes data associated with Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash, and Tron cryptocurrency wallets. The malware spoofs their addresses and redirects transactions to the attackers’ wallets.
About three hours after the attack began, the npm administration started to remove the infected packages, but it’s not known exactly how many times they were downloaded during this time.
The attackers used a rather banal technique — they created a phishing email in which maintainers were urged to update their two-factor authentication credentials at the first opportunity. Otherwise, they were threatened with account lockout starting September 10, 2025. The emails were sent from a mailbox on the domain npmjs[.]help, similar to the legitimate npmjs.com. The same domain also hosted a phishing site that mimicked the official npm registry page. Credentials entered on this site immediately fell into the hands of the attackers.
The attack was successful against at least one maintainer, compromising the npm packages color, debug, ansi-regex, chalk, and several others. However, the phishing attack appears to have been more extensive, because other maintainers and developers received similar phishing emails, so the full list of trojanized packages may be longer.
At the time of writing this post, the following packages are known to be compromised:
However, as we have already written above, the list may grow. You can keep an eye on the GitHub advisory page for updates.
Kaspersky Lab products, both for home and for corporate users, successfully detect and stop the malware used in this attack.
Developers are advised to audit the dependencies in their projects, and if one of the compromised packages was used there, pin the safe version using the overrides function in package.json. You can find more detailed instructions here.
Maintainers and developers with access to open source software repositories are advised to be doubly careful when receiving emails urging them to log into their accounts. Better yet — also use security solutions with an anti-phishing engine.
Kaspersky official blog – Read More
Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to execute the modification of the OS. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.”
It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs) who seek to gain and sell access to compromised systems, and it is possible some of the incidents involved in this case study could have therefore been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.
Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.
Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as:
We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.
Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:
whoamiIn almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners and representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominately derives from their partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.
In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.
Talos often observes organizations deploying endpoint protection technology in a passive manner, meaning the product is producing alerts to the user but not taking other actions. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A more aggressive configuration impeded ransomware deployment in this case study, underscoring its importance.
Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.
Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.
Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.
We dove deeper into some of the top attack techniques and found the following:
The top observed TTPs serve as a reminder to security teams on what malicious activity often preempts a more severe attack. For example, prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements.
Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:
Cisco Talos Blog – Read More
As the attack surface expands and the threat landscape grows more complex, it’s time to consider whether your data protection strategy is fit for purpose
WeLiveSecurity – Read More
The internet is now a second home for most kids and teens. Many get their first device in elementary or middle school, while modern education basically runs on technology. Cybercriminals know this, and they can trick kids into revealing personal details, send harmful links, lure them into unsafe chats, or even drain their parents’ bank accounts.
That’s why cybersecurity needs to become a part of everyday life at home. Our guide to reducing your kids’ digital footprint will give you a firm grasp of the risks, and create a safe online environment — while avoiding blanket bans or grudging grievances.
First, let’s identify the digital “hot spots” where your attention as a parent matters most:
The best way to protect your kids isn’t through strict controls — it’s through honest conversation. Sure, you can block websites, introduce a phone curfew, and hover over your child every time they use Gemini. But this risks losing their trust: you could end up looking like a villain standing in the way of their freedom. Heavy-handed restrictions always invite attempts to get around them. It’s far better to build understanding, and explaining why the rules exist in the first place.
Here are some practical steps to help your child stay out of trouble and keep their digital footprint under control.
For Gen Z and Gen Alpha, sharing life online is second nature. But oversharing — being too open online — often opens the door to hacking and even offline risks.
Remind your child never to share their last name, date of birth, school name, or city when signing up for services. Explain the risk: attackers could use that data to find them and build false trust — for example, greeting them by name and posing as a classmate’s relative.
Turn off geolocation in posts and stories by default. If a post needs a location, only publish it after your child has left that place.
Also be careful with places your child visits regularly, and avoid sharing travel plans. The “gold standard” is to teach your child to remove geotags from photos they upload. Why this matters — and how to do it — we covered in our post Metadata: Uncovering what’s hidden inside.
Another taboo is sharing personal info — and in some cases even school uniforms. If the school has a distinctive look, photos or videos of clothing (whether sports or regular) can still give away too much.
Reinforce the first rule of the internet: what goes online, stays online. Everything they post can have consequences — from damaged reputations to data in scammers’ hands. If your child simply wants to share their experiences, suggest starting a blog. We cover how to do this safely here: How to help your kid become a blogger without ever worrying about their safety.
You probably know what phishing is — but your child may not. Explain that any links they get sent need scanning by a reliable anti-phishing tool for smartphones and computers.
Too-good-to-be-true offers, surprise prizes, and other “incredible deals” should always raise suspicion — and be shown to you before following the link. We’ve covered phishing schemes in detail, for example, in our post How scammers attack young gamers; use the examples there to show your child what can happen if links aren’t checked.
Caught up in a multiplayer game with voice chat, teens may let their tongues run wild. The gaming world has become a prime space for grooming — when adults build trust with teens for harmful purposes. So set a clear boundary with your child: voice chat should stick to gameplay only. If someone tries to steer things into personal topics, it’s safer to end the conversation — and if they persist, block them.
Explain that using public Wi-Fi networks is inherently unsafe: attackers can easily intercept logins, passwords, messages, and other sensitive data. Whenever possible, it’s best to stick to mobile data. If connecting to unsecured Wi-Fi is the only way to stay online, protect the connection with a trusted VPN service. That way your child’s data won’t leak.
Android smartphones are tempting targets for scammers of all stripes. Although malicious apps exist for iPhones too, it’s still easier to sneak onto Android. Teach your child that malicious files can take many forms. They may arrive through messengers or email disguised as photos or documents — even forwarded “homework assignments” — and can also hide behind links in their favorite Discord channels. By default, all attachments should be treated with caution and scanned automatically with a reliable antivirus.
Unsupervised chatbot use isn’t just an ethical or psychological issue — it’s a security risk. Recently, Google indexed tens of thousands of ChatGPT conversations, making them accessible internet-wide.
Explain to your child not to treat AI as a best friend for pouring out their soul. AI tools often collect large amounts of personal data — everything your child types, asks, or uploads in the chat. Make it clear they also shouldn’t share real names, school information, photos, or private details with AI.
And emphasize that chatbots are tools and helpers — not “wizards” that can think for them. Explain that AI can’t think, so any “facts” offered must be double-checked.
Start by enabling parental controls on all devices your child uses: smartphones, tablets, computers — even smart TVs. Most operating systems offer built-in features to block explicit websites, restrict certain apps, and filter search results.
On streaming platforms, enable “Restricted” or “Kids” mode to prevent access to adult content. For more fine-tuned control, your best option is Kaspersky Safe Kids, which filters content in real time, allows you to set screen-time limits, and monitors installed apps. It detects and blocks unwanted content that standard filters might miss — especially in browsers — and even shows your child’s physical location and phone battery level.
The most effective filter isn’t a program — it’s you. Make time to watch shows, surf the web, and play games together with your child. This will help you understand what’s going on in their life and create a space to discuss values, feelings, and real-life situations.
To further minimize your child’s digital footprint and reduce the risks of cyberattacks and cyberbullying, use:
For more advice on keeping your kids safe online, explore our Digital Schoolbag: A Parent’s Guide for the School Year.
Further reading on threats targeting children and teens online:
Kaspersky official blog – Read More
Welcome to this week’s edition of the Threat Source newsletter.
This is the way the world ends
This is the way the world ends
This is the way the world ends
Not with a bang but a whimper. – T.S. Eliot
So this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.
As you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health is health.
This is doubly important if you lead a team of people. Take a minute and make sure that they are going to do the same. Ensure your entire team is taking care of themselves. In the end, you will all be better for it.
Since we are on the subject of mental health, I don’t know if anyone else has read this paper (Psychopathia Machinalis: A Nosological Framework for Understanding Pathologies in Advanced Artificial Intelligence), but I found it truly fascinating. It’s one of the things we, as security practitioners, need to be cognizant of as we go forward with our AI tooling and efforts to protect against AI threats.
“As artificial intelligence (AI) systems attain greater autonomy and complex environmental interactions, they begin to exhibit behavioral anomalies that, by analogy, resemble psychopathologies observed in humans.”
The behavior of an evolving AI, and the psychosis it could present, is a touch-point to the long-standing problematic internal employee. This creates an interesting dynamic for defense and strategies within the evolving internal landscape.
I think understanding this presented framework can go a long way in identifying the types of behaviors that lead to malicious activity — not unlike understanding employee behavior. Stay ahead of the curve and prepare for not only a hallucinated package from an internal AI tool but perhaps a revelation that leads to new and interesting malicious behaviors.
In the latest episode of The Talos Threat Perspective, we explore three vulnerabilities that Talos researchers uncovered (and helped to fix) this year which highlight how attackers are pushing past the boundaries defenders rely on. One lived in the security chip within Dell laptops’ firmware, another in Microsoft Office for macOS permissions and the third in small office/home routers.
These aren’t just isolated issues. The Dell vulnerability showed that even a clean Windows reinstall isn’t always enough to kick out an attacker. The Office for macOS issue demonstrated how adversaries can “borrow” sensitive permissions like microphone access from trusted apps. And compromised routers allowed attackers to blend in with legitimate ISP traffic, making malicious connections hard to spot. Each case reveals current attacker creativity levels.
Take a closer look at the research:
TransUnion says hackers stole 4.4 million customers’ personal information
TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. They confirmed that the stolen PII includes customers’ names, dates of birth, and Social Security numbers. (TechCrunch)
Google warns that mass data theft hitting Salesloft AI agent has grown bigger
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. (Ars Technica)
High-severity vulnerability in Passwordstate credential manager
Passwordstate is urging companies to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. (Ars Technica)
JSON config file leaks Azure ActiveDirectory credentials
A publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments. (Dark Reading)
WhatsApp zero-day exploited in attacks targeting Apple users
Tracked as CVE-2025-55177 (CVSS score of 5.4), an attacker could have exploited the issue to trigger the processing of content from arbitrary URLs, on the victims’ devices, WhatsApp’s advisory reads. (SecurityWeek)
Cisco: 10 years protecting Black Hat
Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.
Tales from the Black Hat NOC
How do you build and defend a network where attacks are not just expected, but a part of the curriculum? Hazel sits down with Jessica Oppenheimer to learn more.
Static Tundra exposed
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.
SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details
Typical Filename: N/A
Claimed Product: Self-extracting archive
Detection Name: Win.Worm.Bitmin-9847045-0
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62
MD5: bfc168a01a2b0f3cd11bf4bccd5e84a1
VirusTotal: https://www.virustotal.com/gui/file/186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62
Typical Filename: PDFSkills_Updater.exe
Claimed Product: PDF Skills
Detection Name: Win64.Application.Agent.W2MG0A
SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08
MD5: 906282640ae3088481d19561c55025e4
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08
Typical Filename: AAct_x64.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Winactivator::1201
Cisco Talos Blog – Read More
The flaws and vulnerabilities of cellular networks are regularly exploited to attack subscribers. Malicious actors use devices with catchy names like IMSI Catcher (Stingray) or SMS blaster to track people’s movements and send them spam and malware. These attacks were easiest to carry out on 2G networks, becoming more difficult on 3G and 4G networks through the introduction of security features. But even 4G networks had implementation flaws that made it possible to track subscriber movements and cause other information leaks. Can we breathe a sigh of relief when we upgrade to 5G? Unfortunately not…
Many practical attacks, such as the aforementioned SMS blaster, rely on a downgrade: forcing the victim’s smartphone to switch to an older communication standard. Legacy standards allow attackers more leeway — from discovering the subscriber’s unique identifier (IMSI), to sending fake text messages under the guise of real companies. A downgrade typically uses a device that jams the signal of the legitimate carrier’s base station, and broadcasts its own. However, this method can be detected by the carrier, and it will become less effective in the future as smartphones increasingly incorporate built-in protection against these attacks, which prevents the switch to 2G and sometimes even 3G networks.
Researchers at Singapore University of Technology and Design have demonstrated a SNI5GECT attack, which works on the latest 5G networks without requiring easy-to-detect actions like jamming legitimate base station signals. An attacker within a 20-meter radius of the victim can make the target device’s modem reboot and then force-switch it to a 4G network, where the subscriber is easier to identify and track. So how does this attack work?
Before a device and a 5G base station connect to each other, they exchange some information — and the initial stages of this process aren’t encrypted. Once they establish a secure, encrypted connection, the base station and the smartphone exchange handshakes, but coordinate the session parameters in a plain, unencrypted format. The attacker’s device monitors this process and selects the precise moment to inject its own information block before the legitimate base station does. As a result, the victim’s modem processes malicious data. Depending on the modem and the contents of the data packet, this either causes the modem to switch to a 4G network and refuse to reconnect to said 5G base station, or to crash and reboot. The latter is only good for temporarily disconnecting the victim, while the former brings all known 4G-based surveillance attacks into play.
The attack was demonstrated on the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro smartphones. These devices use completely different cellular modems (MediaTek, Qualcomm, Samsung, Huawei, respectively), but the problem lies in the characteristics of the standard itself — not in the particular smartphones. The differences are subtle: some modems can be rebooted while others can’t; on some modems, inserting a malicious packet has a 50% success rate, while on others it’s 90%.
In its current form, the attack is unlikely to become widespread since it has two major limitations. First, the distance between the attacker and the victim can’t be over 20 meters under ideal conditions — even less in a real urban environment. Second, if the smartphone and the 5G base station have already established a connection, the attack cannot proceed. The attacker has to wait for a moment when the victim’s movement or changes in the radio environment require the smartphone to re-register with the base station. This happens regularly, but not every minute, so the attacker has to literally shadow the victim.
Still, such conditions may exist in certain situations, like when targeting people attending a specific meeting, or in an airport business lounge, or similar scenarios. The attacker would also need to combine SNI5GECT with legacy 4G/3G/2G attacks to achieve any practical results, which means making some radio noise.
SNI5GECT plays a significant role as a stepping stone toward more complex and dangerous future attacks. As 5G becomes more popular and older generations of connectivity are phased out, researchers will increasingly work with the new radio protocol, and apply their findings to the next stages of the mobile arms race.
Currently, there is no defense against 5G attacks. Disabling 5G for protection is pointless, as the smartphone just switches to a 4G network, which is exactly what hypothetical attackers want. Therefore, we have three pieces of advice:
Kaspersky official blog – Read More
August was a busy month at ANY.RUN. We expanded our list of connectors with Microsoft Sentinel and OpenCTI, added Linux Debian (ARM) support to the SDK, and strengthened detection across hundreds of new malware families and techniques. With fresh signatures, rules, and product updates, your SOC can now investigate faster, detect more threats in real time, and keep defenses sharp against the latest campaigns.
Let’s dive into the details now.
We continue to expand ANY.RUN connectors so teams can work with familiar tools while boosting threat visibility. Our goal is simple: reduce setup friction and deliver fresh, high-fidelity IOCs directly into your workflows; no extra tools, no complex scripts, no wasted analyst time.
ANY.RUN now delivers Threat Intelligence (TI) Feeds directly to Microsoft Sentinel via the built-in STIX/TAXII connector. That means:
Investigations become faster and responses more precise with IOCs enriched by full sandbox context. Unlike static or delayed threat feeds, ANY.RUN’s TI Feeds are powered by real-time detonations of fresh malware samples observed across attacks on 15,000+ organizations worldwide. The data is updated continuously and pre-processed by analysts to ensure high fidelity and near-zero false positives, so your SOC can act on threats that truly matter.
For SOC teams using Filigran’s OpenCTI, ANY.RUN now provides dedicated connectors that bring interactive analysis and fresh threat intelligence directly into your workflows. Instead of juggling multiple tools, analysts can analyze files, enrich observables, and track emerging threats inside the OpenCTI interface they already use.
You can connect any combination of these connectors based on their specific needs and licenses.
View documentation on GitHub →
We’ve expanded our software development kit (SDK) to include Linux Debian 12.2 (ARM, 64-bit) in the Linux connector. This addition ensures that analysts can now automate malware analysis for ARM-based threats alongside Windows, Linux x86, and Android, all from the same SDK.
With this update, your team can:
ARM-based malware is rapidly expanding across IoT, embedded systems, and cloud servers. By adding Debian ARM support, the SDK gives SOCs earlier visibility into these threats and helps reduce costs by keeping all environments under one automated process.
Explore ANY.RUN’s SDK on GitHub
In August, our team continued to expand detection capabilities to help SOCs stay ahead of evolving threats:
These updates mean analysts get faster, more confident verdicts in the sandbox and can enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs.
New Behavior Signatures
In August, we introduced a new set of behavior signatures to help SOC teams detect obfuscation, persistence, and stealthy delivery techniques earlier in the attack chain. These detections are triggered by real actions, not static indicators, giving analysts deeper visibility and faster context during investigations.
This month’s coverage includes new families and techniques across stealers, lockers, loaders, and RATs:
YARA Rule Updates
In August, we released 14 new YARA rules into production to help analysts detect threats faster, improve hunting accuracy, and cover a wider range of malware families and evasion tactics. Key additions include:
New Suricata Rules
We also added 2,124 targeted Suricata rules to help SOC teams catch data exfiltration and phishing campaigns more reliably. Highlights include:
Other Updates
ANY.RUN supports over 15,000 organizations across banking, manufacturing, telecom, healthcare, retail, and tech, helping them build faster, smarter, and more resilient cybersecurity operations.
Our cloud-based Interactive Sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in under 40 seconds; no complex infrastructure required. Paired with TI Lookup, YARA Search, and Threat Feeds, ANY.RUN empowers security teams to accelerate investigations, reduce risk, and boost SOC efficiency.
The post Release Notes: Fresh Connectors, SDK Update, and 2,200+ New Detection Rules appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More