September brought big updates to ANY.RUN. From four new connectors that plug our sandbox and threat intelligence straight into the world’s top SIEM and SOAR platforms, to a redesigned Threat Intelligence Lookup home screen built for speed and simplicity, your SOC now works smarter and faster than ever.
Add in 99 fresh signatures, 11 new YARA rules, and 2,322 Suricata rules, and you’ve got sharper coverage against the latest ransomware, stealers, and phishing campaigns.
Product Updates
Expanding the Ecosystem: New Connectors for Top SIEMs & SOARs
We continue to grow the ANY.RUN ecosystem so security teams can work inside familiar platforms while gaining richer, faster visibility into threats. The new integrations with IBM QRadar SIEM, Palo Alto Networks Cortex XSOAR, Microsoft Sentinel, and Microsoft Defender bring sandboxing and real-time IOCs directly into your daily workflows.
File analysis with ANY.RUN’s Interactive Sandbox inside Cortex XSOAR
Instead of switching platforms or manually enriching alerts, analysts can now automate malware analysis, correlate logs with high-fidelity IOCs, and prioritize incidents faster, all without disrupting existing workflows.
Microsoft Sentinel: Detonate suspicious files and links directly from Sentinel alerts and get enriched verdicts and IOCs fed back automatically.
An alert generated in MS Defender based on an indicator from TI Feeds
Microsoft Defender: Enhance endpoint alerts with Interactive Sandbox insights and live Threat Intelligence Feeds, reducing manual enrichment and improving accuracy.
What Security Teams Achieve with ANY.RUN Connectors
Early Detection: Spot threats earlier in the kill chain with live IOCs from sandbox detonations, reducing breach risk by up to 42% compared to static feeds.
Reduced MTTR: Automating enrichment and triage cuts investigation time by up to 21 minutes per incident, accelerating containment and remediation.
Lower Alert Fatigue: With nearly 100% malicious IOCs, analysts waste less time chasing false positives, freeing focus for true high-risk alerts.
Higher Productivity: SOC efficiency improves by up to 3x as routine checks and manual correlation are eliminated.
Connectors use API and STIX/TAXII standards, ensuring smooth deployment with no need for workflow redesign or extra infrastructure. By leveraging existing SIEM and SOAR platforms, teams avoid duplicate tools and infrastructure, reducing total cost of ownership (TCO).
Explore & Learn section: Quick access to daily top threats, public requests from the community, and expert-curated TI reports.
Beginner-friendly video tutorial: A short guide to help new users start searching, enriching, and analyzing IOCs right away.
Streamlined navigation: Cleaner interface for running lookups, YARA searches, or custom requests with advanced logic.
With these improvements, both new and experienced analysts can get to actionable threat intelligence faster, learn from the community, and explore the latest attack trends all in one place.
The new UI of the TI Feeds page simplifies navigation
Along with the TI home screen, we’ve also updated the Threat Intelligence Feeds page. Now you can easily request a trial, download a sample, or set up an integration with your security systems in just a couple of clicks.
Threat Coverage Update
In September, our team continued to strengthen detection capabilities so SOCs can stay ahead of new and evolving threats:
99 new signatures were added to improve coverage across malware families and techniques.
11 new YARA rules went live in production, enhancing accuracy and hunting capabilities.
2,322 new Suricata rules were deployed, expanding detection for network-based attacks.
These updates mean analysts gain faster, more confident verdicts in the sandbox and can enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs.
New Behavior Signatures
This month’s signatures help analysts detect obfuscation, destructive activity, and persistence earlier in the attack chain. The new coverage spans ransomware, loaders, stealers, and RATs, alongside mutex detections of legitimate tools abused by attackers.
In September, we introduced 11 new YARA rules into production to help SOC teams detect emerging malware families, improve hunting accuracy, and broaden coverage across RATs, stealers, loaders, and C2 infrastructure. These rules give analysts faster verdicts and deeper visibility during investigations.
In September, we added 2,322 new Suricata rules to strengthen network-based detections against phishing, exfiltration, and evasive malware activity. These rules help SOCs identify threats earlier at the network layer and reduce investigation blind spots.
Key highlights include:
Google Auth Phishing Activity (sid:85003912): Detects phishing attempts based on mismatched domains and authorization URLs.
Tycoon 2FA Domain Generation Algorithms (sids: 85004041–85004047): Identifies DGA patterns across multiple TLD zones used by Tycoon 2FA infrastructure.
About ANY.RUN
ANY.RUN supports more than 15,000 organizations worldwide across industries like banking, manufacturing, telecom, healthcare, retail, and technology, helping them build faster, smarter, and more resilient cybersecurity operations.
Our cloud-based Interactive Sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in under 40 seconds, with no complex infrastructure required.
Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, ANY.RUN empowers SOC teams to accelerate investigations, cut risks, and improve efficiency at every stage of the threat detection workflow.
“Hi! My niece is in a contest! Can you vote for her? It means the world to her”. Messages like this are common on WhatsApp — both in groups and private chats. Many people who aren’t security-savvy will, without a second thought, click to help someone they don’t actually know — and end up losing their account. In a recent investigation we found a new phishing campaign that has already hit WhatsApp users worldwide.
Today we’ll explain how the attack works, the potential consequences for victims, and how to avoid falling for it.
How the attack works
Cybercriminals first prepare for the attack by creating convincing phishing pages purportedly hosting legitimate voting polls — in the example below for young gymnasts, though the scenario can be easily changed. The pages look genuine: they include photos of real participants, Vote buttons and counters showing how many people have voted. Likely using AI and phishing-kits, the attackers easily produce multiple language versions of the same site — we found the identical poll in English, Spanish, German, Turkish, Danish, Bulgarian, and other languages.
Stage One: The Hook. On social networks, in messengers, or by email, the scammers use social engineering to direct you to a fake voting site. The pretext can be very believable, and the message may come from a friend or relative whose account has already been compromised. The request is usually personalized — in the first message the fraudster posing as your acquaintance asks you to vote for a certain contestant because they’re their charge, friend or relative.
First you’re lured to a fake voting page
Stage Two: The Trap. When you click Vote, you’re taken to a page that asks you to quickly authenticate via WhatsApp. All you need to do is enter the phone number linked to your messenger.
Next they ask for your phone number associated with WhatsApp. The scammers even pretend to care about your data and “your valuable time”
Stage Three: The Heist. The attackers exploit the one-time code login feature in WhatsApp Web. They enter the phone number you provided, and WhatsApp generates an eight-character single-use verification code. The attackers immediately display that code on the fake site with instructions: open WhatsApp, go to “Connected devices” (never mind that it’s actually “Linked devices” in WhatsApp), and enter the code. For convenience, there’s even a button to copy the code to the clipboard.
For “fast and easy authorization” (read: WhatsApp account takeover) you only need enter the code shown on the site
At the same time, WhatsApp on your phone shows a prompt to link a new device by entering the code. Clicking that opens a warning that someone is trying to connect to your account, and a field to enter the code.
Unfortunately, in their uncontrollable desire to help a complete stranger in the contest, many users don’t carefully read WhatsApp’s warning. They think, “Someone wants to link to my account? That’s so I can vote — looks fine to me.” When the careless victim types the code into the app on their phone, the web session initiated by the attackers is activated.
WhatsApp warns you that someone is trying to link to your account, but many users don’t read the warning, and enter the verification code anyway
If you enter that code, the attackers gain full access to your WhatsApp, as if you had logged in yourself — for example, from a computer alongside your phone. The attackers can view all your contacts, read conversations, send and delete messages in your name, and even take full control of the account. That opens up further possibilities for fraud: extracting money from your contacts using your identity, or using your account to spread the same phishing link that trapped you.
What to do if you think you’ve been hacked
If you suspect you’ve fallen for the scam and given attackers access to your WhatsApp account, the first thing to do is open the WhatsApp settings on your smartphone and go to Linked devices. There you’ll see all devices currently logged into your account. If you notice any unfamiliar devices or browsers, click on them to disconnect them from your account. Do this quickly — before the criminals can fully take over your account.
We’ve prepared a detailed guide for such cases: it explains eight signs your WhatsApp account may be hacked, and provides step-by-step instructions on how to regain access even in difficult situations. We also have a similar guide for Telegram users.
How to prevent your WhatsApp account from being hacked
Never take part in dubious contests or votes — especially if they require messenger authentication. Legitimate polls don’t ask for access to your personal accounts.
Don’t click suspicious links in messages — even if they seem to come from friends or relatives. Their accounts may have been hacked.
Never enter personal data on unfamiliar websites — especially those reached via messages or social media links. Always check the URL carefully.
Don’t ignore browser warnings about unsafe sites, and use Kaspersky Premium on all your devices (both smartphones and computers). Our protection scans links and webpages, blocks phishing and malicious resources, and works in all popular mobile and desktop browsers.
Enable two-step verification in your WhatsApp settings. This makes a six-digit PIN necessary when your number is registered on a new phone, making attackers’ job harder even if your number is compromised. However, this doesn’t protect against the attack described above — the one-time code shown to you is, in WhatsApp’s view, already the “second factor”, which is why the PIN isn’t requested during this login method.
Use passkeys instead of traditional passwords wherever possible. WhatsApp already supports passkeys for account verification.
Protect mobile devices from phishing — these are the main targets of messenger attacks. Three-level protection technology detects malicious links and blocks dangerous websites. At the first level, Notification Protection detects and automatically removes malicious links from app notifications, leaving only safe text. Next, Safe Messaging blocks harmful links in SMSs and messenger messages (WhatsApp, Viber, Telegram) before the user clicks them. Finally, Safe Browsing blocks malicious URLs in popular mobile browsers.
Configure privacy and security on both your smartphone and computer with Privacy Checker — Kaspersky’s free service that gives detailed guides for privacy settings in many popular apps, services, and operating systems.
Regularly check the list of connected devices in messengers’ settings. Both WhatsApp and Telegram have sections showing all active sessions, and you can disconnect suspicious ones. In Telegram, you can even enable automatic termination of inactive sessions.
Only use official versions of messengers downloaded from official app stores (such as Google Play, App Store, or Galaxy Store). Modified versions can contain malware.
Source: How to protect yourself from “voting” phishing scams, and avoid losing your WhatsApp account | Kaspersky official blog, 2025-10-02
Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.
Cisco’s file census and DNS analysis show affected Internet Information Services (IIS) servers in India, Thailand, Vietnam, Canada, and Brazil, targeting organizations such as universities, tech firms and telecom providers.
UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions.
The group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity.
Talos found several new BadIIS malware samples in this campaign on VirusTotal this year — one cluster with very low detection and another containing simplified Chinese debug strings.
In April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain.
UAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation.
Upon discovering a vulnerability in a target server, the group uploads a web shell to collect system information and conduct reconnaissance on the host network. They then enable the guest account, escalate its privileges to administrator level, and use this account to enable RDP. For persistence, they combine RDP access with SoftEther VPN, EasyTier (a decentralized virtual private network tool) and the FRP reverse proxy tool. Subsequently, the group performs further privilege escalation using shared tools to gain system-level permissions and install BadIIS malware. To secure their foothold, they deploy defense mechanisms to prevent other threat actors from compromising the same server or disrupting their setup.
This blog post provides a comprehensive overview of the campaign’s victimology, including the regions affected and the potential consequences of BadIIS infections. It also details the attack chain, automation scripts employed, and the malware and shared hacking tools UAT-8099 commonly uses.
Victimology
Based on Cisco’s file census and DNS traffic analysis, the affected IIS server regions include India, Thailand, Vietnam, Canada and Brazil. The targeted IIS servers are owned by organizations such as universities, technology companies and telecommunications providers. The compromised IIS servers redirect users to unauthorized advertisements or illegal gambling websites. The languages used on these websites assist in identifying the targeted regions or countries. While Talos observed that most victims were located within the same region as the compromised servers, some victims were affected when accessing compromised servers in different regions.
Figure 1. Gambling websites in Thai, Portuguese and English.
The majority of their targets are mobile users, encompassing not only Android devices but also Apple iPhone devices.
In this campaign, the UAT-8099 group took advantage of weak settings in the web server’s file upload feature.
Figure 4. UAT-8099 attack chain flowchart.
The target web server allowed users to upload files to the server, but did not restrict the file type, which allowed UAT-8099 to upload the web shell. This established initial access and gave them control over the compromised server. The following is the detected location of the web shell used in this campaign, which is identified as the open-source “ASP.NET Web BackDoor” web shell:
C:/inetpub/wwwroot/[REDACTED]/Html/hw/server.ashx
After dropping the web shell, Talos observed the actor using it to execute commands such as ipconfig, whoami, arp and tasklist to collect system information and discover the host network. Once collection is complete, UAT-8099 enables the guest account, sets a password, and elevates the guest user to administrator level, including the ability to access the system over RDP. The actor then uses another command to identify the network ports on which the TermService (Remote Desktop Services) process is listening. After enabling the guest account and RDP on the target IIS server, the actor created a hidden account “admin$” and added it to the Administrators group for long-term persistence (the trailing $ keeps the name out of some common account listings, so enumerate local accounts with a tool that does not filter such names).
Command: cmd /c net user guest /active:yes & net user guest P@ssw0rd & net localgroup administrators guest /add & net localgroup "Remote Desktop Users" guest /add
Table 1. Initial access, reconnaissance and addition of user credentials.
To maintain access to the target IIS server and install the BadIIS malware for SEO fraud, Talos observed the actor completing three steps to achieve persistence, escalate privileges, install malware and build a self-defense solution:
UAT-8099 deploys SoftEther VPN, EasyTier (a decentralized virtual private network tool) and fast reverse proxy (FRP). This setup lets them control the server remotely over RDP.
The actor also leveraged a shared public tool to escalate privileges on the IIS server. They then used Procdump to extract victim credentials, which were subsequently compressed with WinRAR. We assess that these actions were taken to finalize the installation of BadIIS for their SEO fraud activities.
The actor installed D_Safe_Manage, a well-known Windows IIS security tool, to prevent other attackers from compromising the server and tampering with their BadIIS setup.
Table 2. Installation of tools, dumping user credentials for exfiltration and securing the installation.
Talos did not only observe UAT-8099 conducting SEO fraud, but also stealing high-value credentials, configuration files and certificate data. After successfully compromising the target IIS server and deploying their BadIIS tool, their next step was to search for valuable credentials, configuration files, and certificate data within the compromised system.
The commands Talos observed indicate the actor utilizes RDP to access the IIS server. Once inside, they leverage the ‘Everything’ graphical user interface (GUI) tool — a fast filename search engine for Windows — to locate high-value data such as logs, credentials, configuration files and sensitive certificates. Upon identifying relevant files, the actor used Notepad to review the content and employed Windows Crypto Shell Extensions (via rundll32.exe cryptext.dll) to open and inspect .crt certificate files, examining their properties and details.
Finally, all collected high-value files were consolidated into a hidden directory, specifically “Users\admin$\Desktop\loade”. These files were then archived using WinRAR before being exfiltrated to the actor.
Table 3. Searching and preparing credentials and certificates for exfiltration.
Automation script used
Talos also observed UAT-8099 dropping and executing three batch script files in some attacks to automate their tasks or to set up the compromised server for persistence and SEO fraud. The first script is for IIS module installation, as documented in Talos DragonRank and Trend Micro blog posts.
C:\Windows\system32\cmd.exe /c C:\ProgramData\iis.bat
Figure 5. Setting up the server for persistence and SEO fraud.
The second script is for configuring RDP settings and related network activity on a Windows system, including past RDP usage, the RDP listening port, the status of the RDP service, associated network activity, and to configure the Windows firewall to allow RDP.
C:\Windows\system32\cmd.exe /c C:\ProgramData\fuck.bat
Figure 6. Configuring RDP settings to allow incoming connections.
The third script creates and immediately triggers a persistent, high-privilege scheduled task that runs “inetinfo.exe”, then lists all scheduled tasks on the system. The inetinfo.exe here is the legitimate “WMI V2 provider code generation tool”, which the actor abuses for DLL sideloading to run Cobalt Strike in memory. The detailed Cobalt Strike analysis is in the next section.
C:\Windows\system32\cmd.exe /c C:\ProgramData\1.bat
Figure 7. inetinfo.exe is used to sideload a Cobalt Strike beacon.
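The command chain in Tables 1 to 3 and the batch scripts above leave a recognisable trail in process-creation telemetry. The following is an added example by the editor, not Talos’s code or tooling: a small Python hunt that runs regex rules over 4688-style command lines (constructed here) and reports which stages of the chain were seen on a host. The rule names, regexes, the assumed tool binary names (vpncmd, vpnserver, easytier, frpc/frps) and the ATT&CK technique IDs are the editor’s mapping, and the threshold of four distinct stages is a chosen heuristic.

```python
"""Hunt for the UAT-8099 post-exploitation command chain in process-creation
telemetry (Windows event 4688 or Sysmon event 1 command lines).
Added example by the editor; the regexes and ATT&CK mapping are the editor's,
not Talos's, and the sample events are constructed."""
import re

# (rule name, case-insensitive regex over the command line, ATT&CK technique)
RULES = [
    ("web_shell_recon_burst",
     r"\b(ipconfig|whoami|arp|tasklist)\b.*\b(ipconfig|whoami|arp|tasklist)\b", "T1082"),
    ("guest_account_enabled_or_password_set", r"\bnet\s+user\s+guest\s+\S+", "T1098"),
    ("local_admin_group_add", r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add", "T1098"),
    ("rdp_group_add",
     r'\bnet\s+localgroup\s+"?remote\s+desktop\s+users"?\s+\S+\s+/add', "T1021.001"),
    ("dollar_suffixed_account_created", r"\bnet\s+user\s+\S+\$\s+\S+\s+/add", "T1136.001"),
    ("rdp_exposed_via_firewall_or_registry",
     r"(localport=3389|fDenyTSConnections|netsh\s+advfirewall.*remote\s*desktop)", "T1021.001"),
    # Assumed binary names for SoftEther (vpncmd/vpnserver), EasyTier and FRP (frpc/frps).
    ("tunnel_or_reverse_proxy_tool",
     r"\b(frpc|frps|easytier\S*|vpncmd|vpnserver\S*)(\.exe)?\b", "T1572"),
    ("procdump_credential_dump", r"\bprocdump(64)?(\.exe)?\b", "T1003.001"),
    ("certificate_inspection_via_cryptext", r"\brundll32(\.exe)?\s+cryptext\.dll", "T1552.004"),
    ("winrar_archive_staging", r'\b(win)?rar(\.exe)?"?\s+a\s', "T1560.001"),
    ("batch_script_from_programdata",
     r"\bcmd(\.exe)?\s+/c\s+\S*programdata\\[^\s\\]+\.bat", "T1059.003"),
    ("scheduled_task_runs_inetinfo", r"\bschtasks\b.*/create.*inetinfo\.exe", "T1053.005"),
]
COMPILED = [(name, re.compile(rx, re.I), tech) for name, rx, tech in RULES]


def scan(events):
    """events: iterable of (timestamp, parent_image, command_line).
    Returns one (timestamp, parent_image, rule, technique) per matching rule."""
    findings = []
    for ts, parent, cmdline in events:
        for name, rx, tech in COMPILED:
            if rx.search(cmdline):
                findings.append((ts, parent, name, tech))
    return findings


def assess(findings, min_stages=4):
    """One hit (a lone procdump run) is weak evidence; several distinct stages
    on one host is the chain described above. Returns stages seen and a verdict."""
    stages = sorted({f[2] for f in findings})
    return {"stages": stages, "chain": len(stages) >= min_stages}


# Constructed 4688-style events mirroring Tables 1-3 and the batch scripts.
SAMPLE_EVENTS = [
    ("02:10:01", "w3wp.exe", 'cmd /c "ipconfig /all & whoami & arp -a & tasklist"'),
    ("02:11:40", "cmd.exe", "cmd /c net user guest /active:yes & net user guest P@ssw0rd & "
     'net localgroup administrators guest /add & net localgroup "Remote Desktop Users" guest /add'),
    ("02:12:05", "cmd.exe", "net user admin$ Passw0rd! /add"),
    ("02:12:06", "cmd.exe", "net localgroup administrators admin$ /add"),
    ("02:13:30", "cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\ProgramData\fuck.bat"),
    ("02:13:31", "cmd.exe", 'netsh advfirewall firewall add rule name="rdp" dir=in '
     "protocol=TCP localport=3389 action=allow"),
    ("02:20:12", "explorer.exe", r"C:\ProgramData\frpc.exe -c C:\ProgramData\frpc.ini"),
    ("02:31:00", "cmd.exe", r"procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"),
    ("02:45:10", "explorer.exe", r"rundll32.exe cryptext.dll,CryptExtOpenCER C:\Users\admin$\Desktop\loade\site.crt"),
    ("02:50:44", "cmd.exe", r'"C:\Program Files\WinRAR\Rar.exe" a -hp C:\Users\admin$\Desktop\loade.rar C:\Users\admin$\Desktop\loade'),
    ("03:02:19", "cmd.exe", r"schtasks /create /sc onstart /ru SYSTEM /tn Update /tr C:\ProgramData\inetinfo.exe"),
    ("03:05:00", "services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign
    ("03:06:10", "explorer.exe", r"notepad.exe C:\Users\bob\notes.txt"),          # benign
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for ts, parent, rule, tech in found:
        print(f"{ts} {parent:13} {rule:40} {tech}")
    print(assess(found))
```

The rules are deliberately narrow (a `$`-suffixed account created with `net user`, `schtasks /create` pointing at an inetinfo.exe outside the IIS directory) so that a single match is already worth a look; the verdict in `assess` is what separates an admin who once ran Procdump from a host where most of the chain appears within a short window.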
User-defined reflective loader of Cobalt Strike beacon
Talos observed UAT-8099 utilized Cobalt Strike as their backdoor in this campaign. They employed DLL sideloading as a method to execute the backdoor and also established a scheduled task to maintain persistence on the compromised systems.
Figure 9. Cobalt Strike beacon execution diagram.
The encrypted first-stage payload is embedded within the wmicodegen.dll file. When this DLL is loaded by the legitimate WMI V2 provider code generation tool, the loader calls the VirtualQuery API while staging a memory region for the first-stage payload (VirtualQuery reports a region’s state and protection; it does not allocate memory itself).
Figure 10. Uses VirtualQuery API to load first-stage payload.
After decrypting the first stage payload, we can see both the second stage payload combined with a small piece of shellcode, and the third stage payload, which is encrypted and encoded with Base64.
Figure 11. The second stage payload.
When jumping into the third-stage payload, we observed that it is a DLL file without its original PE header. We identify this third-stage payload as the User-Defined Reflective Loader for the Cobalt Strike beacon. The erased PE header and heavy obfuscation in each stage are consistent with the User-Defined Reflective Loader blog description. In addition, the machine information collection structure matches the beacon structure (listener name, computer name, username and process name). The listener name in this campaign is PUBG.
Figure 12. Beacon structure with the listener name PUBG.
Most importantly, the DLL file contains the “udrl.x64.dll” and “customLoader” inside that also match with the User-Defined Reflective Loader blog description. Using a URL that mimics a legitimate content delivery network (CDN), along with ports and paths typical of Exchange servers, enables the attacker to blend in with normal network traffic and avoid detection by security analysts.
Talos’ analysis of the BadIIS variants used in this campaign revealed functional and URL pattern similarities to a variant previously documented in the Black Hat USA 2021 white paper and a Trend Micro blog. However, this new BadIIS malware has altered its code structure and functional workflow to evade detection by antivirus products. Additionally, we identified several instances of the BadIIS malware on VirusTotal this year. One cluster exhibited very low detection rates and the other showed simplified Chinese debug strings inside the malware.
Figure 15. First cluster of new BadIIS with low detection rates.
Figure 16. Second cluster of new BadIIS with simplified Chinese debug strings.
First cluster of new BadIIS
The first cluster of new BadIIS malware implements handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. Both handlers use the “User-Agent” and “Referer” fields from the incoming HTTP headers to determine which malicious function to execute. Specifically, this malware targets requests where the “User-Agent” is Googlebot or the “Referer” is google.com, meaning it acts only on traffic that reached the compromised website through the Google search engine, whether the crawler itself or a visitor arriving from a search result. Below, we describe how the malicious functions (proxy, injector and SEO fraud) are triggered.
SEO manipulation schemes
The OnBeginRequest handler inspects the “User-Agent” and “Referer” headers of incoming requests to decide between proxy and injector handling. When the request is identified as coming from Googlebot and the URL path meets a specific condition, the request is forwarded through a proxy function.
If the request is not from Googlebot, the module instead checks whether it was referred by a Google search and whether the same URL path condition holds; if so, it injects JavaScript into the response. The injected JavaScript references a C2 URL such as “http://[C2]/jump.html” or “http://[C2]/pg888.js”, which lets the actor compromise visitors’ browsers by having them download scripts from the C2 server.
The OnSendResponse handler first performs SEO fraud by delivering specific content from the C2 server to requests where the “User-Agent” is Googlebot, manipulating search rankings to increase the visibility of the malicious content. This C2 content typically comes from a URL like “http://[C2]/u.php”. The function then targets human users by conditionally injecting JavaScript when a request comes from a Google search and results in a 404 or 500 error page.
Figure 20. OnSendResponse handler.
Figure 21. SEO fraud mode.
Technical highlights of each mode
Proxy mode
When operating in proxy mode, BadIIS first verifies the URL path to ensure the process is running in the correct mode. It then extracts the embedded C2 server address, which is encoded in hexadecimal bytes, and uses this C2 as a proxy to retrieve content from a secondary C2 server, subsequently responding to the IIS server.
Figure 22. Use C2 server as a proxy.
Before responding to the Google crawler, it modifies the response data to resemble a valid HTTP response and uses the native HTTP module API “WriteEntityChunks” to insert data into the body of the HTTP response.
Figure 23. Using ”WriteEntityChunks” to insert data into the body of the HTTP response.
SEO fraud mode
Talos identified that the actor employs a conventional SEO technique known as backlinking to boost website visibility. Google’s search engine uses backlinks to discover additional sites and assess keyword relevance. A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance exposure for the webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google. Algorithms like Penguin, introduced in 2012, and SpamBrain, launched in 2022, rigorously evaluate backlink quality. To exploit this, the actor compromises multiple IIS servers across the internet to conduct SEO fraud. In this SEO fraud mode, BadIIS serves numerous backlinks with HTML content to Google crawlers to improve search engine rankings.
Figure 24. Retrieving backlinks containing HTML content.
One example of a backlink from the C2 server is shown in Figure 25, with additional compromised IIS servers performing similar backlink SEO fraud.
Figure 25. Backlinks from the C2 server.
Injector mode
In injector mode, BadIIS intercepts browser requests originating from Google search results. It connects to the C2 server to retrieve JavaScript code, then uses the “WriteEntityChunks” API to embed the downloaded JavaScript into the HTML content of the response. It then returns the altered response to redirect the user to the destination intended by the actor.
Figure 26. Injecting JavaScript code into response data.
Figure 27. Fetching JavaScript code from the C2 server.
BadIIS retrieves malicious JavaScript code from a C2 server and redirects users to malicious websites instead of legitimate ones. By not embedding the JavaScript code directly in the binary, it allows easier modification of the redirect targets and helps evade detection by antivirus security products. The script is programmed to show a brief loading message before automatically redirecting the user to a malicious site. The redirect function and alert message vary across different C2 servers; some scripts reference two C2 servers and randomly select one with a 50% probability. Additionally, the alert message language is tailored to match the target region of the user.
Figure 28. JavaScript code with alert message in Portuguese.
Figure 29. Two different C2 servers in JavaScript code.
Second cluster of new BadIIS
The second cluster of the new BadIIS malware also includes handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. In this cluster, OnBeginRequest is used as a decision point to execute before any intensive processing occurs, while OnSendResponse handles output modification to ensure that no other module can override the redirect. This cluster also features three modes: SEO fraud mode, injector mode and proxy mode. Notably, the injector and proxy modes operate under the SEO fraud mode umbrella, which itself has four variants tailored to different scenarios:
All interface hijacking targets all webpages on the webserver, replacing original content for both search engine crawlers and users.
Figure 30. All interface hijacking.
Homepage hijacking targets only the homepage, substituting its content for search engine crawlers and users.
Figure 31. Homepage hijacking.
Global reverse proxy configures a proxy to automatically replace content for search engine crawlers and users.
Figure 32. Global reverse proxy.
Specify URL path reverse proxy configures a proxy that replaces content for search engine crawlers and users only on requests matching a specified URL path.
Figure 33. Specify URL path reverse proxy.
The URL path pattern, referred to as “Tezhengma” (pinyin for 特征码, “feature code”) in the actor’s debug strings, exists in multiple versions. Some of these versions partially match the patterns found in the first cluster of BadIIS malware.
The injector mode injects JavaScript in each SEO fraud type when the User-Agent and Referer do not match its criteria. The algorithm is the same as in the first-cluster BadIIS: it checks the User-Agent to identify search engine crawlers and the Referer to determine whether the user is browsing from an expected source.
User-Agent (search engine crawlers): Baiduspider, Sogouspider, Sogou web spider, 360spider, YisouSpider, Googlebot, Bingbot, BingPreview, MicrosoftPreview
Referer (search engine keywords): baidu, sogou, sm[.]cn, 360, so[.]com, toutiao, google, bing
Table 4. Combination of User-Agent and Referer headers used for injecting JavaScript to redirect the browser.
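To make the header-driven dispatch concrete, here is an added example by the editor (not Talos’s code and not the malware’s): a Python model of the first cluster’s OnBeginRequest/OnSendResponse decisions, generalized to the full crawler and referer lists from Table 4, followed by a hunt over IIS W3C logs that reports which logged requests such a module would have proxied, injected into, or served backlinks to. The URL-path pattern and the sample log lines are constructed, since the page does not reproduce the real “Tezhengma” pattern.

```python
"""Model of the BadIIS request dispatch described above, plus a hunt over IIS
W3C logs for the requests such a module would have altered.
Added example by the editor; not code from Talos or from the malware."""
import re

# Crawler User-Agent substrings and search-engine Referer keywords (Table 4).
CRAWLER_UA = ("Baiduspider", "Sogouspider", "Sogou web spider", "360spider",
              "YisouSpider", "Googlebot", "Bingbot", "BingPreview", "MicrosoftPreview")
SEARCH_REFERER = ("baidu", "sogou", "sm.cn", "360", "so.com", "toutiao", "google", "bing")

# Assumption: the page does not reproduce the URL-path condition ("Tezhengma"),
# so a hypothetical pattern stands in for it.
TARGET_PATH = re.compile(r"^/(news|products)/", re.I)


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(tag.lower() in ua for tag in CRAWLER_UA)


def referred_by_search(referer):
    # Keyword match as the page describes; note that "360" would also match an
    # unrelated referer such as https://example.com/360/.
    ref = referer.lower()
    return any(key in ref for key in SEARCH_REFERER)


def on_begin_request(user_agent, referer, path):
    """First-cluster OnBeginRequest: crawler on a target path -> proxy mode;
    search-referred visitor on a target path -> inject JavaScript."""
    if not TARGET_PATH.match(path):
        return None
    if is_crawler(user_agent):
        return "proxy"
    if referred_by_search(referer):
        return "inject"
    return None


def on_send_response(user_agent, referer, status):
    """First-cluster OnSendResponse: crawlers get C2-supplied backlink HTML
    (SEO fraud); search-referred visitors hitting 404/500 pages get the script."""
    if is_crawler(user_agent):
        return "seo_fraud"
    if referred_by_search(referer) and status in (404, 500):
        return "inject"
    return None


def classify(user_agent, referer, path, status):
    """Mode BadIIS would apply to one request, or None if it passes untouched."""
    return on_begin_request(user_agent, referer, path) or on_send_response(
        user_agent, referer, status)


def parse_w3c(log_text):
    """Parse IIS W3C extended log lines, mapping columns via the #Fields line."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def hunt(log_text):
    """(client IP, URI, mode) for every logged request BadIIS would have altered."""
    hits = []
    for r in parse_w3c(log_text):
        ua = r.get("cs(User-Agent)", "-").replace("+", " ")  # IIS logs spaces as '+'
        mode = classify(ua, r.get("cs(Referer)", "-"), r.get("cs-uri-stem", "/"),
                        int(r.get("sc-status", "0")))
        if mode:
            hits.append((r["c-ip"], r["cs-uri-stem"], mode))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status c-ip cs(User-Agent) cs(Referer)
2025-09-01 08:00:01 GET /news/index.html 200 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) -
2025-09-01 08:00:05 GET /news/index.html 200 203.0.113.7 Mozilla/5.0+(Linux;+Android+13) https://www.google.com/
2025-09-01 08:00:09 GET /missing/page 404 203.0.113.8 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0) https://www.google.com/
2025-09-01 08:00:12 GET /about.html 200 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://example.org/
2025-09-01 08:00:20 GET /about.html 200 40.77.167.5 Mozilla/5.0+(compatible;+bingbot/2.0) -
"""

if __name__ == "__main__":
    for ip, uri, mode in hunt(SAMPLE_LOG):
        print(f"{ip:15} {uri:20} {mode}")
```

Use `hunt` on the logs of a server where a BadIIS module has been confirmed to scope which visitors were exposed (search-referred users who hit 404/500 pages are the easy ones to miss). The logs of an uncompromised server look identical, so for an unconfirmed server the decisive cloaking check is to request the same path once with a Googlebot User-Agent and once with a browser User-Agent and diff the two bodies.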
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for the threats are: 65346, 65345
ClamAV detections are also available for this threat:
Win.Malware.SysShell-10058032-0
Win.Malware.NewBadIIS-10058033-0
Win.Malware.BadIISCR45-10058034-0
Win.Malware.WebShellCn-10058035-0
Win.Packed.CSBeaconCn-10058036-0
Indicators of compromise (IOCs)
The IOCs can also be found in our GitHub repository here.
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud (posted by admin, 2025-10-02 10:06:32)
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Nvidia vulnerabilities
Discovered by Dimitrios Tatsis of Cisco Talos.
Nvidia is a large technology company developing graphics cards, chip systems, and applications for AI and high-performance computing. Talos has found five vulnerabilities in the CUDA Toolkit, a development environment for building GPU-accelerated applications.
TALOS-2025-2155 (CVE-2025-23339) is an arbitrary code execution vulnerability in the DWARF parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2169 (CVE-2025-23338) is an improper array index validation vulnerability in the symbol table parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2172 (CVE-2025-23340) is an out-of-bounds write vulnerability in the RELA section parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2191 (CVE-2025-23271), a heap-based buffer overflow vulnerability, and TALOS-2025-2204 (CVE-2025-23308), an out-of-bounds write vulnerability, exist in the REL section header parsing functionality of NVIDIA nvdisasm 12.8.90. Specially crafted ELF files can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.
Adobe use-after-free vulnerability
Discovered by KPC of Cisco Talos.
Adobe Acrobat Reader is one of the most popular PDF reading software currently available.
Talos discovered TALOS-2025-2222 (CVE-2025-54257), a use-after-free vulnerability in the page property functionality of Adobe Acrobat Reader 2025.001.20531. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
AI is part of our lives whether we like it or not. Even if you are not a fan, or not a user at all, you have probably come across AI-generated avatars, pictures, scenes, videos, articles and even malware.
Society puts every technological advance to use, and some people abuse it; AI-assisted software development is no exception.
This time we analyze FunkLocker, a ransomware strain from the FunkSec ransomware group, whose development was substantially assisted by artificial intelligence.
Key Takeaways
AI-assisted development: FunkSec ransomware strains, including FunkLocker, show signs of “AI snippet” coding patterns (Ask AI → Paste snippet), making them easy to build but inconsistent in quality.
Multiple builds, mixed stability: Some versions are barely functional, while others integrate advanced features such as anti-VM checks.
Aggressive disruption: FunkLocker forcefully terminates processes and services using predefined lists, often causing unnecessary errors but still leading to full system disruption.
System tools abused: Legitimate Windows utilities like taskkill.exe, sc.exe, net.exe, and PowerShell are heavily misused to stop apps, disable defenses, and prepare for encryption.
Local-only encryption: Unlike many modern ransomware groups, FunkSec encrypts files locally without contacting a command-and-control server, using the .funksec extension.
Ransom note quirks: Notes are dropped on the desktop, but system instability sometimes prevents victims from viewing them without a reboot.
Weak operational security: Reused BTC wallets and locally derived or hardcoded keys suggest sloppy practices. This has allowed researchers (e.g., Avast Labs) to build a public decryptor for FunkSec victims.
Key MITRE ATT&CK techniques: FunkLocker activity maps to techniques such as Masquerading (T1036.005), Service Stop (T1489), PowerShell execution (T1059.001), Network Share Discovery (T1135), and Inhibit System Recovery (T1490), among others.
Detection and Response: SOCs can use ANY.RUN’s Interactive Sandbox to safely detonate FunkLocker samples, identify their malicious activities in seconds, and gather the threat insights needed for fast mitigation of the attack.
Artificial Intelligence, Natural Evil
This is not the first time we have seen AI-aided malware, or even malware written entirely by an AI. Just recently, another strain, PromptLocker, made the news. But FunkSec has been active for quite a while and has published many victims on its data leak site (DLS).
There are many samples, some more stable than others, and a few barely functional. Interestingly, the older builds (dating back to January of this year) included an anti-VM capability that detected virtualized environments with high accuracy before refusing to run.
A FunkSec strain refusing to run
That build was also characterized by the vivid colours of its terminal output while running. The one found in late July uses a monochrome style and lacks the anti-VM feature. This could mean it is an older build, but, unlike groups such as LockBit, FunkSec has no standardized versioning scheme, which makes it hard to confirm.
By early 2025, FunkSec had been linked to more than 120 compromised organizations worldwide, hitting targets in government institutions, the defense sector, tech companies, financial services, and higher education.
The group’s first reported attacks surfaced in November 2024, and in December they launched a dedicated data leak site to publicize stolen information. Since then, the tally of known victims has continued to grow, with estimates ranging from 120 to 170, and some trackers recording as many as 172 cases. Notably, at least 30 of these incidents involved organizations in the United States, alongside confirmed cases in India, Spain, and Mongolia.
Execution and Process Disruption
Immediately after execution, our whole setup goes dark. The cause is the malware bashing its way through processes in order to stop them. Why bashing? Because it never spends the fraction of a second needed to list the running applications and stop them selectively; it simply works through a predefined list, producing an error for every process on the list that is not actually running.
FunkLocker bashing through processes, bat in hand
It also attempts to stop multiple services, again matched against a hardcoded list, which produces another set of errors. Some occur because the service is not running at all, others because the service cannot be stopped while other services depend on it.
This looks like the work of someone who studied which services to stop and added them to a list one by one, without considering which services depend on others or which are optional and might not be running at all.
Applications being stopped forcefully
This doesn’t stop the malware from continuing its raid, and eventually the file system is encrypted. The first and most obvious change is the extension of our files, which is now .funksec, but there’s more than meets the eye.
Let’s take a look at the process tree behind the sample. FunkLocker — aside from clubbing everything in its reach — is pretty “structured”, where each of its steps is represented by a legit system tool being abused or a PowerShell script executed procedurally, suggesting an “Ask AI → Get snippet → Paste snippet” development cycle.
FunkLocker’s process tree shown in ANY.RUN’s Interactive Sandbox
PowerShell and System Abuse
The PowerShell routine consists of four commands:
The first disables Windows Defender real-time protection via the DisableRealtimeMonitoring preference (Set-MpPreference).
The second uses wevtutil to disable the Security event log.
The third uses wevtutil again to disable the Application event log.
The fourth and final one sets the execution policy to Bypass, allowing unrestricted PowerShell script execution for that session.
Abused tools include net.exe and its compatibility-mode counterpart net1.exe, used to check if there are any network sessions established.
taskkill.exe is used naturally to stop applications or tasks — in this case used to forcefully stop browsers like Chrome, Firefox, and Edge, daily-use apps like Notepad, Skype, Spotify, programming environments like Java, Python, and Node, and even Steam, among a long list of other apps.
Arbitrary list of apps to be stopped
sc.exe, the Windows Service Control utility, is used as a tool (or club) to stop services such as Windows Defender and Firewall, SMB (shared folders), the Event Log, the Shell Experience Host (which is why our screen turns black), and services it has no reason to touch at all, such as Bluetooth or Audio.
Encryption and Ransom Note
After that, the Volume Shadow Copies are taken care of: the malware abuses vssadmin (the Volume Shadow Copy Service administrative tool) to delete them silently with vssadmin delete shadows /all /quiet. This prevents the victim from restoring the system locally to a previous state, effectively removing any chance of rollback through Windows’ built-in recovery mechanisms.
The ransomware deletes Shadow Volume Copies
Now for the encryption part. FunkLocker never attempted to contact a remote server; the whole encryption process ran locally. We saw similar behavior in a previous article when we analyzed Mamona Ransomware.
While this may seem to make the malware easier to hide and harder to track in the short term, since there is no network infrastructure to find, it works in the victims’ favour in the long run, and you will soon see why.
The ransom note is dropped right on the desktop but, because the Shell Experience Host service was needlessly killed, we have little choice but to reboot our server to view it (if it ever boots again after such a beating).
Luckily, ANY.RUN’s Interactive Sandbox has a reliable system which allows us to capture any created, deleted or modified file directly from its GUI. So, let’s take a look.
A ransom note captured by ANY.RUN filesystem hook
From here we can see a BTC address which, after a quick inspection, turns out to have transacted only a few times, for around $3,000 USD in total, suggesting once again that this wallet is shared across victims or is a default one.
A shared wallet instead of a unique per-victim address, together with the technical traits seen above and the likelihood that the encryption keys are derived locally or hardcoded, highlights the "homemade, AI-assisted" nature of this strain.
This is where things get brighter for victims, because locally derived (or hardcoded) keys greatly improve the chances of a decryptor being built. That is exactly what happened: Avast Labs was able to create a decryptor for FunkSec, which gives affected organisations some hope.
After sharing the bad news (ransomware) and the good news (decryptors), it’s time to move on to the ATT&CK Matrix, which ANY.RUN does automatically for us.
MITRE ATT&CK Techniques
ANY.RUN’s Interactive Sandbox maps TTPs to the MITRE ATT&CK matrix
FunkLocker does a lot of things which could be pinned down individually and used as “footprints” to understand how it works:
Technique ID | Technique name | Observed behaviour / notes
T1036.005 | Masquerading: Match Legitimate Resource Name or Location | The malware creates files with names similar to legitimate system files and drops them directly in the system drive root.
T1569.002 | System Services: Service Execution | Launches sc.exe to manage Windows services (e.g., stopping them as part of its disruption routine).
T1007 | System Service Discovery | Uses sc.exe to query or discover system services before acting on them.
T1489 | Impact: Service Stop | Executes taskkill.exe to forcefully terminate Office apps, other running processes, and web browsers such as Chrome, Firefox and Edge.
T1059.001 | Command and Scripting Interpreter: PowerShell | Runs multiple PowerShell commands to disable Windows Defender real-time protection and to change the execution policy to Bypass (allowing unrestricted script execution).
T1135 | Discovery: Network Share Discovery | Uses net.exe to display or manage information about current active sessions.
T1490 | Impact: Inhibit System Recovery | Deletes Volume Shadow Copies using vssadmin delete shadows /all /quiet to prevent recovery via system restore points.
T1562.001 | Defense Evasion: Disable or Modify Tools | Modifies Windows Defender configuration to weaken or disable protection mechanisms.
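Detection logic for the tool-abuse chain described in the "PowerShell and System Abuse" section and mapped in the table above, as an added example that is neither ANY.RUN's code nor a FunkLocker artefact: it scores process-creation telemetry (Sysmon Event ID 1 or Windows 4688 style records, constructed here) against command-line patterns for each technique and flags a host only when several distinct techniques fire inside a short window, which is what separates this chain from an administrator running sc query or net view. The T1562.002 (Impair Defenses: Disable Windows Event Logging) mapping for the wevtutil calls is this example's addition, since the article's table does not map them; the event field names, the 120-second window and the threshold of three techniques are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules as (technique_id, image-name regex, command-line regex). Mappings follow
# the article's ATT&CK table; T1562.002 for wevtutil is an added standard mapping.
RULES = [
    ("T1562.001", r"^powershell(\.exe)?$", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true"),
    ("T1562.002", r"^wevtutil(\.exe)?$",   r"\bsl\b\s+(Security|Application|System)\b.*/e:\s*false"),
    ("T1059.001", r"^powershell(\.exe)?$", r"Set-ExecutionPolicy\s+Bypass"),
    ("T1489",     r"^taskkill(\.exe)?$",   r"/f\b.*/im\b|/im\b.*/f\b"),
    ("T1489",     r"^sc(\.exe)?$",         r"\bstop\b"),
    ("T1007",     r"^sc(\.exe)?$",         r"\bquery\b"),
    ("T1135",     r"^net1?(\.exe)?$",      r"\b(session|share|view)\b"),
    ("T1490",     r"^vssadmin(\.exe)?$",   r"delete\s+shadows\b.*/all"),
]
COMPILED = [(tid, re.compile(img, re.I), re.compile(cmd, re.I)) for tid, img, cmd in RULES]


def match_techniques(image, cmdline):
    """Technique IDs whose image-name and command-line patterns both match one event."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1]
    return {tid for tid, img_re, cmd_re in COMPILED
            if img_re.search(name) and cmd_re.search(cmdline)}


def triage(events, window=timedelta(seconds=120), threshold=3):
    """Flag hosts on which at least `threshold` distinct techniques occur within
    any sliding `window`. Returns {host: sorted technique IDs} for flagged hosts."""
    per_host = defaultdict(list)
    for ev in events:
        techs = match_techniques(ev["image"], ev["cmdline"])
        if techs:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), techs))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, techs in hits[i:]:
                if t - t0 > window:
                    break
                seen |= techs
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged


# Constructed telemetry: the FunkLocker chain on WS-01, routine admin work on WS-02.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"time": "2025-07-30T10:00:01", "host": "WS-01", "image": PS,
     "cmdline": 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"time": "2025-07-30T10:00:02", "host": "WS-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil sl Security /e:false"},
    {"time": "2025-07-30T10:00:02", "host": "WS-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil sl Application /e:false"},
    {"time": "2025-07-30T10:00:03", "host": "WS-01", "image": PS,
     "cmdline": "powershell Set-ExecutionPolicy Bypass -Scope Process"},
    {"time": "2025-07-30T10:00:04", "host": "WS-01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net session"},
    {"time": "2025-07-30T10:00:05", "host": "WS-01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"time": "2025-07-30T10:00:06", "host": "WS-01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"time": "2025-07-30T10:00:09", "host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": "2025-07-30T10:05:00", "host": "WS-02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query Spooler"},
    {"time": "2025-07-30T10:05:30", "host": "WS-02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net view \\\\fileserver"},
]

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(host, techniques)
```

The point of the window is precision: any one of these commands is common in legitimate administration, but Defender being disabled, event logs being turned off and shadow copies being wiped by the same host inside two minutes is the ransomware pattern, and the triage output gives an analyst the technique list to pivot on.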
How Security Teams Should Respond
FunkSec shows how AI is changing the pace and style of ransomware development. For security leaders, the lesson is less about one strain and more about the trend it represents. A few priorities stand out:
Prioritize behavioral detection: Static indicators aren’t enough when code can be generated and tweaked with AI. Monitoring behaviors, especially misuse of system tools, becomes essential.
Invest in rapid visibility: The longer it takes to understand what’s happening inside an endpoint, the higher the cost of downtime. Tools that reveal the full execution chain within minutes are critical.
Test your recovery: With shadow copies removed, recovery depends on isolated backups and practiced response playbooks. Tabletop exercises should assume ransomware disables standard rollback options.
Close the skill gap: AI makes it easier for criminals to write malware, but defenders can also lean on AI-driven or interactive platforms to augment analysts and shorten investigation times.
The takeaway: FunkSec isn’t just about today’s attacks. It’s a signal that the future of ransomware will be faster, messier, and more frequent, and security leaders should prepare their defenses accordingly.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.
Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.
FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware (posted by admin, 2025-10-01 11:06:38)
When a business scales up, its security challenges grow as well. Once, a small team responsible for both IT and cybersecurity could handle everything, but with increases in numbers of both employees and endpoints, broader use of public cloud services, and the introduction of new business processes, that same small team might not be able to cope; especially when cybercriminals are constantly refining their methods and tactics, developing new social engineering techniques, and adapting artificial intelligence for attacks. Sooner or later, every growing small or mid-sized business is faced with an urgent need to strengthen resilience against modern cyberthreats while keeping investment tempered.
Choosing the right strategy boils down to one of two options. The first is to develop strong internal expertise: expand the cybersecurity team and equip it with an XDR-class solution. The second is to rely on external experts through a managed service, which will most likely be built on an XDR solution as well. Both approaches are viable; the difference lies in your strategy and priorities. In this blog post, we consider both options and explore which may fit your company best.
Typical cybersecurity challenges of a growing business
Let’s imagine a typical fast-growing small or medium-sized company. At some point, the IT staff responsible for information security, who run an EDR-class solution, come to management with the following:
We’re drowning in hundreds of alerts and don’t have enough time to process them all
New employees are completely unfamiliar with information security and make mistake after mistake, which increases the number of alerts even more
We can’t respond quickly to incidents; we lack context regarding modern cyberthreats
We don’t have time to thoroughly investigate incidents on every host; we need more robust tools that can block suspicious accounts and buy us some time
It’s clear that all these problems have two roots: imperfect tools and insufficient resources for the security team. From a management perspective, the logical solution would be to upgrade the security solution to XDR (you can read why this is logical in another blog post of ours). However, the question remains: should we develop the expertise of the internal team, or entrust protection to external experts?
Growing internal expertise
Management may prefer to keep things internal, treating security as part of the long-term strategy, with the goal of building expertise and growing capabilities inside the team. In this case Kaspersky Next XDR Optimum, a simple and user-friendly tool, is a good choice for empowering the IT or security team: its essential investigation and response tools let the team track the traces of multi-stage attacks and improve the security posture.
With Next XDR Optimum, a company can prevent widespread, evasive cyberthreats, including spyware and ransomware attacks, gain insight into modern threats, and see how they act both on and beyond the endpoint. Here are just some of the features available to Next XDR Optimum operators:
Access to Kaspersky Cloud Sandbox allows suspicious files to be detonated in an isolated cloud environment to get a clear verdict on their behavior and plan further response actions accordingly
Integration with Active Directory gives cybersecurity personnel an option to block user accounts directly from the alert card to stop a threat from spreading
Robust investigation tools optimized to track traces of the multi-stage attacks
Access to the Kaspersky Automated Security Awareness platform, which, in case of an incident, can be used to assign a related security awareness course right from the alert card to minimize the chance of a recurrence of the cyber-incidents caused by human error.
Aggregation of similar alerts allows analysis of alert groups instead of single detections — it shows a more holistic picture of the protected infrastructure, and shortens response time (MTTR)
To sum up, the solution enables cybersecurity teams to investigate incidents, respond faster, and build cybersecurity awareness across the organization. For most companies, this is the best starting point on a journey to stronger protection.
Gaining resilience with managed security
Building an effective security system in-house takes time, and requires the cybersecurity team to understand the tactics, techniques, and procedures used by attackers, as well as to monitor the constantly evolving threat landscape. Not every management team is ready to invest in the education of an information security team. Training and professional development also take up working time, leaving the company less secure, at least temporarily.
This is where Kaspersky Next MXDR Optimum steps up. This solution combines the technological power of XDR tools with the expertise of a Kaspersky team of MDR specialists — delivering protection that goes beyond what an SMB can typically achieve on its own.
In practice, this means:
continuous monitoring and threat hunting performed by external specialists
incident management processes handled by experts
response recommendations or even direct incident response actions if needed
This approach results in lower operational overheads, since the company does not need to staff night shifts or maintain a large cybersecurity department. At the same time, the business still benefits from essential incident detection and response, all at a predictable cost, without the hidden expenses of recruitment, training, and retention.
Growing internal expertise with the help of external specialists
However, no one is saying that these two paths are mutually exclusive. If company management wants to develop internal expertise but doesn’t want to risk leaving the company without effective protection until the information security team has gained the necessary experience and know-how, they should also consider Kaspersky Next MXDR Optimum.
The solution provides not only managed protection and essential XDR tools, but also cybersecurity training that allows the security team to learn how to use these tools most effectively. Training helps develop expertise and critical cybersecurity thinking, while delegating certain routine tasks to Kaspersky SOC specialists allows internal infosec officers to acquire unique practical skills in the application of XDR capabilities for enriched incident detection and response by observing the work of experienced professionals.
How to choose the right solution: a simple checklist
To make your choice easier and to wrap up this article — we’ve compiled a short checklist that can help you decide which model aligns best with your business’s growth strategy:
Do you have a plan to build a dedicated, strong internal cybersecurity team or to develop one further?
Are customization and control more important for you than simplicity and speed?
Do you want to invest in staff and infrastructure (CAPEX), or keep costs predictable with a subscription service (OPEX)?
How critical is your need for round-the-clock monitoring? Do you need it right now, or are you ready to wait?
Do you want to maintain expertise inside the company, or rely on a trusted partner for faster, more cost-efficient results?
If your answers lean toward control, customization, and further team development — Kaspersky Next XDR Optimum is your choice. If instead your focus is on speed, efficiency, and minimizing operational overhead — Kaspersky Next MXDR Optimum provides the balance needed for secure growth of your business.
Explore more about both solutions and how they fit into your security strategy on the Kaspersky Next Optimum page.
Internal expertise vs. managed security | Kaspersky official blog (posted by admin, 2025-09-30 15:06:50)
Lack of context makes it hard for Security Operations Centers (SOC) to tell actual threats from false positives. ANY.RUN’s connectors for Microsoft Defender bridge this gap by automating interactive sandbox analysis and providing real-time threat intelligence for correlation.
As a result, security teams achieve faster incident resolution, reduced alert fatigue, and proactive threat detection all without disrupting existing workflows. Here’s how.
ANY.RUN & Microsoft Defender Connectors
Security teams can use ANY.RUN’s products without leaving the MS Defender workspace
SOCs using Microsoft Defender can plug ANY.RUN’s solutions into their existing workflows, boosting their ability to combat advanced threats without disrupting established processes.
The ANY.RUN connectors include:
Interactive Sandbox connector: Automates the analysis of suspicious files and URLs, delivering detailed behavioral insights and IOCs directly within Microsoft Defender.
Threat Intelligence Feeds connector: Pulls ANY.RUN’s indicators (IP addresses, domains, and URLs) into Microsoft Defender and raises alerts when they match activity in the client’s infrastructure.
These connectors empower SOC teams to triage alerts efficiently, detect elusive malware, and respond to incidents faster, all while reducing operational overhead.
Enhanced threat detection: Real-time IOCs and behavioral analysis uncover evasive and targeted attacks that signature-based systems may miss.
Reduced Mean Time to Respond (MTTR): Automating sandbox analysis and threat intelligence correlation substantially cuts incident resolution time, enabling faster response to critical threats.
Decreased analyst workload: By automating routine tasks like file analysis and alert enrichment, analysts can focus on high-priority incidents, reducing burnout and improving productivity.
Improved MSSP competitiveness: Automated workflows help MSSPs meet SLAs, deliver higher-value services, and stand out in a competitive market.
Cost efficiency: Seamless interoperability with Microsoft Defender eliminates the need for costly infrastructure changes, maximizing ROI on existing tools.
Integrate ANY.RUN’s products for stronger proactive security Request a quote or demo for your SOC
File analysis verdict from the sandbox shown in MS Defender interface
ANY.RUN’s Interactive Sandbox is a cloud-based solution offering SOC teams immediate, real-time access to Windows, Linux, and Android virtual environments for analyzing suspicious files and URLs.
Submit files and URLs for analysis across Windows, Ubuntu, or Android operating systems.
Retrieve detailed report details and IOCs in JSON or HTML formats.
Download file submission samples and analysis network traffic dumps for deeper incident response insights.
The process is fully automated by default. The built-in playbook detects files or URLs in alerts/incidents and launches the analysis. Obtained IOCs are stored in the internal Threat Intelligence portal within Microsoft Defender.
How Interactive Sandbox Boosts Microsoft Defender Workflows
Higher detection rate: Automated Interactivity ensures even evasive attacks are fully detonated and identified.
Reduced alert fatigue: Focus only on severe incidents, while the sandbox provides verdicts for effective prioritization.
Threat Intelligence Feeds in Microsoft Defender
An alert generated in MS Defender based on an indicator from TI Feeds
ANY.RUN’s Threat Intelligence Feeds empower SOCs and MSSPs to strengthen security with high-fidelity, actionable IOCs from real-time sandbox analysis. Indicators are continuously updated from sandbox investigations across 15,000+ organizations, delivering a curated stream of malicious IPs, domains, and URLs to detect ongoing attacks.
Correlate feed data with incoming alerts to identify high-risk threats.
Use indicators to create new detection rules for proactive threat mitigation.
Automate threat hunting and response workflows using Microsoft Defender playbooks.
Data such as IP addresses, URLs, and domains are automatically pulled into the system for analysis, playbook creation, and correlation.
The connector generates alerts if indicators from the feeds are detected in the client’s infrastructure, matching the feed entry’s status (medium, high).
How Threat Intelligence Feeds Boost Microsoft Defender Workflows
Expanded threat coverage: Real-time IOCs from 15,000+ organizations boost SOC’s ability to detect current threats, reducing the number of possible security gaps.
Enhanced threat prioritization: Correlating alerts with IOCs helps SOC teams identify critical risks.
Proactive attack prevention: Fresh intelligence enables early threat detection to avoid any damage to the business.
About ANY.RUN
Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.
The past several years have seen a number of positive developments in global cybersecurity, with organizations worldwide making significant investments to bolster their defenses against cyberthreats. More sophisticated solutions, more available guidelines, and a more collaborative cybersecurity community have all improved the digital landscape. Yet, against the backdrop of these encouraging developments, the disparity in cyber-resilience between small and large organizations has been widening.
According to a recent World Economic Forum report, larger organizations are showing steady progress in improving their cyber-defenses, but their smaller counterparts are struggling to keep up. While many larger enterprises are equipped with cutting-edge security solutions and dedicated personnel, SMBs often lack the necessary resources, resulting in a yawning gap in their cyber-resilience. Given the context, small businesses have to use every opportunity to mitigate potential cybersecurity risks without extra resources, and that’s where security hardening can turn the tide and help avert potential threats by basically configuring organizations’ systems and networks in the right way.
So what is security hardening? Security hardening is shorthand for a range of techniques and procedures that help protect digital infrastructure by reducing an attack surface — essentially turning the security of existing systems up to the maximum without necessarily resorting to extra protection solutions. In this article, we explore some of the must-have strategies that can help organizations — especially those with limited or no dedicated cybersecurity resources — to reduce exposure to potential attacks.
Implementing strong authentication and authorization
The first fundamental is taking steps to reduce the risk of unauthorized access to a company’s systems and data. This requires the enforcement of a strict password policy that defines password length requirements, allowed characters, prohibited combinations, password expiration interval, etc. It should also include recommendations on the password storage method to rule out unsafe practices.
Another indispensable practice is the use of two-factor authentication, meaning that to access specific resources or data an employee has to verify their identity in two different ways. With two-factor authentication in place, even if attackers learn an employee’s password somehow, they still need to bypass the second factor, which gives an extra layer of protection.
And finally, organizations need to implement network access control measures that govern which users enter the corporate network and what level of access they receive. Configuring permissions within the corporate network according to the least-privilege principle is a best practice: users have access only to the systems needed for their tasks, never to the entire environment. If employees can reach only the systems they strictly need, an attacker who breaches one account has limited options for lateral movement within the network, which minimizes potential damage. Another useful tip is to audit all accounts and their permissions regularly and revoke unnecessary ones, for example when an employee is dismissed or moves to a different department.
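The periodic account and permission audit described above, as an added example that is not from the original post: it reads an exported account list and reports enabled accounts that have not logged on for a long time, members of privileged groups who are not on the reviewed baseline, and group memberships that do not match the account's department. The export format, the 90-day dormancy limit, the group names and the approved-member baseline are all assumptions of this example, and the account rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (the shape a directory or identity-provider export
# might take; column names are this example's assumption).
SAMPLE_EXPORT = """\
account,enabled,last_logon,groups,department
alice,true,2025-09-28,Domain Users;Finance,Finance
bob,true,2025-06-01,Domain Users;Domain Admins,IT
carol,true,2025-09-30,Domain Users;Domain Admins,Sales
dave,false,2025-01-15,Domain Users;Backup Operators,IT
erin,true,2025-03-02,Domain Users;Finance,Marketing
"""

# Reviewed baseline: who is allowed to hold each privileged group (assumed).
PRIVILEGED_BASELINE = {
    "Domain Admins": {"bob"},
    "Backup Operators": set(),
}
# Groups each department legitimately needs beyond "Domain Users" (assumed).
DEPARTMENT_GROUPS = {
    "Finance": {"Finance"},
    "IT": set(),
    "Sales": set(),
    "Marketing": set(),
}


def parse_export(text):
    """Turn the CSV export into rows with typed fields and a set of group names."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": r["account"],
            "enabled": r["enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(r["last_logon"], "%Y-%m-%d"),
            "groups": set(filter(None, r["groups"].split(";"))),
            "department": r["department"],
        })
    return rows


def audit(rows, now, stale_after=timedelta(days=90)):
    """Return {account: [issue, ...]} for every account that violates least
    privilege: dormant but still enabled, privileged membership outside the
    baseline (checked even for disabled accounts, which keep their rights
    until removed), or groups that do not belong to the department role."""
    findings = {}

    def flag(account, issue):
        findings.setdefault(account, []).append(issue)

    for r in rows:
        acct = r["account"]
        idle_days = (now - r["last_logon"]).days
        if r["enabled"] and idle_days > stale_after.days:
            flag(acct, "stale: enabled with no logon for %d days" % idle_days)
        for group, approved in PRIVILEGED_BASELINE.items():
            if group in r["groups"] and acct not in approved:
                flag(acct, "unapproved member of %s" % group)
        expected = {"Domain Users"} | DEPARTMENT_GROUPS.get(r["department"], set())
        extra = r["groups"] - expected - set(PRIVILEGED_BASELINE)
        if extra:
            flag(acct, "groups outside department role: %s" % ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT), datetime(2025, 10, 1))
    for acct, issues in sorted(report.items()):
        print(acct, issues)
```

Each finding maps to an action: disable or remove stale accounts, strip unapproved privileged membership, and move leavers' and transferees' accounts out of the groups their old role needed.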
Regularly updating software and timely patching vulnerabilities
Regular and prompt updates of operating systems, applications, and other software can help eliminate known vulnerabilities that can be used by attackers to compromise organizations’ networks. Software development is continually advancing, leading to two main challenges: a system can rapidly become outdated or even obsolete, and, more critically, it may become vulnerable to cyberattacks. Software developers address these issues by implementing new code distributed as part of updates. Software updates not only fix bugs or improve performance, but also might include patches for vulnerabilities detected during software operation. Cybercriminals never fail to grab the opportunity to exploit known vulnerabilities, with some of them exploited for years, which exposes the fact that years after the release of patches some organizations fail to install them.
Encrypting data
Encryption of data at rest (when data is stored, for example, on drives) as well as in transit (when data is moving between devices, such as within private networks or over the internet), protects the data from interception and unauthorized access. The two most effective data protection technologies are File and Folder Level Encryption (FLE) and Full Disk Encryption (FDE), which are used for tackling different tasks. The former protects critical data and restricts access to it, while the latter rules out the possibility of any data falling into the hands of third parties — even if a data storage device holding valuable information is lost or stolen.
Both FLE and FDE can be implemented on corporate computers with the help of built-in tools:
BitLocker (Windows) or FileVault (macOS) for FDE.
Encrypting File System (EFS) (Windows) or Disk Utility and FileVault (macOS) for FLE.
With data encryption in place, organizations can minimize the risk of confidential data being intercepted.
Implementing backups
Backing up data is essential to ensure its integrity in case of a potential cyberattack, including one involving ransomware or wipers. To guarantee a continuous backup process, one can schedule automatic backups to save time, with manual backups nevertheless still being an option.
When the process itself is set up, it’s necessary to check the integrity of backups regularly and perform practice runs restoring the server in a staging environment, and generally to make sure that if it becomes necessary, recovery will be possible. It should be noted that if a backup server is located inside the network perimeter, then in case of a potential attack, the backup will also be at risk of being destroyed by attackers. Therefore, it’s recommended to create several backups of critical data and diversify its storage, not neglecting data storage on physical devices. With backups in place, the risks of critical data loss and subsequent disruption of business processes are reduced.
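The regular integrity check recommended above can be automated. The following script is an added example, not part of the article: it records a SHA-256 manifest for a backup set and later verifies the copy against it, reporting files that were modified, removed or added. The manifest file name and the sample backup contents are constructed for illustration.

```python
"""Added example: build a SHA-256 manifest for a backup set and verify it
later, so that corrupted, deleted or silently modified files are noticed
before a real restore is needed.

Assumptions: the manifest file name and the sample backup contents are
constructed here for illustration only.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # constructed name


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record size and hash of every file under backup_dir (manifest itself excluded)."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir: Path) -> dict:
    """Compare the current files against the manifest; return what went wrong."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    report = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, verify it, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "dump.sql").write_bytes(b"CREATE TABLE users (id INTEGER);\n")
        (backup / "config.ini").write_bytes(b"[server]\nport=443\n")
        build_manifest(backup)
        clean = verify_backup(backup)
        # What an intruder inside the perimeter (or plain bit rot) could do to the copy.
        (backup / "db" / "dump.sql").write_bytes(b"-- overwritten by intruder\n")
        (backup / "config.ini").unlink()
        (backup / "extra.bin").write_bytes(b"\x00" * 16)
        return {"clean": clean, "tampered": verify_backup(backup)}
```

Keep the manifest (or a signed copy of it) on a separate medium from the backup itself; a manifest stored next to the data can be rewritten together with it.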
Employee training
Last but not least, organizations have to adopt a systematic approach to cyber-education, carrying out regular assessments of the level of cyber-literacy among staff, and implementing training to fill gaps in employees’ knowledge — making cybersecurity training a continual effort. Such training should include the basics of information security, best practices for data management, as well as typical attack scenarios used by cybercriminals — in particular social engineering techniques. Additionally, organizations can run simulated phishing exercises from time to time to reinforce what has been learned, monitor employees’ proficiency, and identify remaining gaps in cyber-knowledge.
With nearly two-thirds of cyber-incidents caused by a human error, ongoing work to raise staff’s awareness of existing threats can help minimize the risks of attacks that exploit the human factor.
Altogether, the hardening techniques described above represent a strategy for reducing an organization’s attack surface. By implementing these security measures — ideally, together with the deployment of intrusion detection and prevention systems and installation of endpoint protection solutions — organizations can significantly minimize potential vulnerabilities. With this proactive approach, organizations can strengthen defenses against cyberthreats and also minimize risks of unauthorized access to their networks and systems.
What is security hardening? | Kaspersky official blog (reposted by admin, 2025-09-29)
Phishing links are no longer a rare sight. They’re increasingly common in messaging apps, and often come seemingly from people you know well, who, of course, are completely unaware. Scammers hijack accounts and cleverly impersonate friends and family — abusing trust to get closer to your wallet or your secrets.
To help you fight off this growing wave of threats, we’ve added some new features to Kaspersky for Android. In this post, we explain the new layer of defense against phishing and malicious links brought to you in the latest Kaspersky for Android update.
Phishing links and where to find them
By default, we consider any link designed to deceive to be a phishing link. These links often lead to fraudulent websites that mimic legitimate ones using typosquatting and other tricks. For example, this link — https://www.kaspersky.com/blog/, seemingly to our blog, will redirect you to our Telegram channel instead. This is a safe example, but scammers aren’t so harmless.
You can encounter phishing links just about anywhere: in emails, text messages, but especially in messaging apps. A common scam we’ve covered involves attackers using hacked accounts of friends and family to send fake gift subscriptions for apps like Telegram. But instead of a free Premium subscription, victims end up with their personal account hijacked.
Phishing scams can also lurk in job offers, Google Forms surveys, or crypto giveaways. Sometimes you don’t even have to do anything on a phishing site to get infected. This is called a zero-click attack. The victim doesn’t need to fill out any forms, click on buttons, or submit anything. All that’s required is to follow a link to the malicious page that exploits a vulnerability. Once you reach that page, your device is compromised.
Phishers have a plethora of ways to reach their victims. It’s often difficult to spot a fake URL with the naked eye — one mistake can get you trapped. That’s where an automated solution comes in handy, recognizing and neutralizing the suspicious link.
How anti-phishing security works in Kaspersky for Android
The updated Kaspersky for Android protects your devices from phishing with three distinct layers:
Notification Protection detects and blocks malicious links in notifications from any apps, whether they be well-known like WhatsApp or Telegram, new apps, or even ones that don’t exist yet.
Safe Messaging blocks dangerous links in text messages and the WhatsApp, Viber, and Telegram messaging apps.
Safe Browsing checks links before opening them and blocks malicious and phishing websites in Google Chrome, Yandex Browser, Firefox, and some other pre-installed browsers like Samsung Internet and Huawei Browser.
Why do we call these features “layers”? Think of it as a medieval fortress with multiple defenses: the castle’s tall walls, archers atop the walls, and a moat. You might wonder, why bother building tall walls and employing archers if there’s a moat? Attackers wouldn’t be able to get across the moat anyway. The thing is, attacking archers could still fire on those inside if there were no tall fortress walls, and catapults could lob stones (or something more deadly) over both the moat and walls. So, a good fortress needs all three defenses.
Similarly, a smartphone needs security on every level. The Kaspersky for Android app has long blocked phishing links in browsers with Safe Browsing and in SMS messages, WhatsApp, Viber and Telegram with Safe Messaging.
Here’s how it works. If any app — say, a messaging app — tries to show you a phishing link in a pop-up notification, our security solution hides the malicious notification and replaces it with its own. This new notification will have the title Dangerous link detected and the text of the original message, but with the malicious link removed.
This is what a Kaspersky for Android notification looks like when it detects a malicious link
Important: no Kaspersky employee can read your private messages. This security mechanism is fully automated and only scans for standard links within notification text. For this reason, it won’t be able to check links that are concealed with special formatting like hidden text in a messaging app or those disguised as a hyperlink with anchor text like “click here”.
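The mechanism described above, scanning only plain links in notification text and replacing the dangerous ones, can be modelled in a few dozen lines. This is an added example and not Kaspersky’s code: it extracts URLs from a notification, flags registrable domains that look like typosquats of a small constructed list of protected brands (edit distance, digit-for-letter homoglyphs, brand name embedded in another domain), and strips them. It also shows the limitation the post mentions: a link hidden behind anchor text such as “click here” contains no URL for the scanner to see.

```python
"""Added example (not Kaspersky's code): a simplified notification link
scanner in the spirit of the feature described above.

Assumptions: the URL regex, the protected brand list, the homoglyph map
and the distance threshold are all constructed here for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Brands the toy scanner "protects" (constructed list).
PROTECTED_DOMAINS = {"kaspersky.com", "telegram.org", "whatsapp.com"}

# Digit-for-letter substitutions commonly seen in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. 'login.kaspersky.com' -> 'kaspersky.com'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(domain: str) -> bool:
    """True if the domain resembles a protected brand without being it."""
    if domain in PROTECTED_DOMAINS:
        return False
    normalized = domain.translate(HOMOGLYPHS)
    for brand in PROTECTED_DOMAINS:
        if normalized == brand or edit_distance(normalized, brand) <= 2:
            return True
        # Brand name embedded in an unrelated domain, e.g. kaspersky-support.net
        if brand.split(".")[0] in domain:
            return True
    return False


@dataclass
class ScanResult:
    safe: bool
    shown_text: str                          # what the replacement notification shows
    removed: list = field(default_factory=list)  # links that were stripped


def scan_notification(text: str) -> ScanResult:
    """Find plain links in the notification text and strip the dangerous ones.

    A link rendered only as anchor text ("click here") yields no URL here, so it
    passes untouched; that is exactly the gap the post warns about.
    """
    removed = []
    for url in URL_RE.findall(text):
        if is_typosquat(registrable_domain(url)):
            removed.append(url)
            text = text.replace(url, "[link removed]")
    return ScanResult(safe=not removed, shown_text=text, removed=removed)
```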
How to enable maximum anti-phishing security
To give Kaspersky for Android the permissions it needs to find and repel threats, you need to enable certain settings in the Android OS. The first step is to turn on access to Accessibility features, which is required for all layers of security. If you don’t grant this permission, the app will warn you and provide instructions. You can also enable it manually: Settings → Accessibility → Kaspersky → Use Service → OK.
How to grant Kaspersky for Android access to Accessibility features
Next, you need to enable the first layer of security: Notification Protection. This allows the app to detect phishing links directly in your notifications.
Go to All features → Safe Messaging → Check notifications.
Grant notification access: Settings → Apps & notifications → Special app access → Notification access → Kaspersky → Allow.
The exact steps may vary slightly depending on your smartphone model. For this reason, all Kaspersky for Android users can access a quick link from the app itself to the correct settings section. Simply tap Check Notifications in the app, and in the window that opens, tap Show instructions → Continue.
How to grant Kaspersky for Android notification access
The first layer of security is on. Now, Kaspersky for Android will alert you when it detects malicious links in notifications.
Now for the second layer, Safe Messaging, which blocks dangerous links in SMS messages and WhatsApp, Viber, and Telegram.
Activate the toggles next to Block dangerous websites and Check links you open from other apps.
How to enable Safe Browsing in Kaspersky for Android
Don’t forget to check the settings in the messaging apps you use, and make sure you allow new message notifications. We recommend paying attention not only to the general app settings, but also to individual chat settings. Remember that phishing links can even come from hacked accounts of people you know.
Here’s another important detail for Telegram users. This messaging app opens all links by default in its built-in browser, and scammers take advantage of this. Our Safe Browsing feature doesn’t work in Telegram’s built-in browser. For increased device security, you should change the default Telegram settings to open links in a third-party browser instead. To do this, in Telegram go to Settings → Chat Settings and turn off the switch for In-App Browser.
How to configure Telegram so that links are opened in a third-party browser and checked by Kaspersky for Android
Install the best anti-phishing security on your devices, treat every unexpected link received in a messaging app or via SMS with due suspicion, and follow our Telegram channel to stay up to date on the latest cybersecurity trends.
How to set up anti-phishing security in Kaspersky for Android | Kaspersky official blog (reposted by admin, 2025-09-29)
While AI presents endless new opportunities — it also introduces a whole array of new threats. Generative AI allows malicious actors to create deepfakes and fake websites, send spam, and even impersonate your friends and family. This post covers how neural networks are being used for scams and phishing, and, of course, we’ll share tips on how to stay safe. For a more detailed look at AI-powered phishing schemes, check out the full report on Securelist.
Pig butchering, catfishing, and deepfakes
Scammers are using AI bots that pretend to be real people, especially in romance scams. They create fabricated personas and use them to communicate with multiple victims simultaneously to build strong emotional connections. This can go on for weeks or even months, starting with light flirting and gradually shifting to discussions about “lucrative investment opportunities”. The long-term personal connection helps dissolve any suspicions the victim might have, but the scam, of course, ends once the victim invests their money in a fraudulent project. These kinds of fraudulent schemes are known as “pig butchering”, which we covered in detail in a previous post. While they were once run by huge scam farms in Southeast Asia employing thousands of people, these scams now increasingly rely on AI.
Neural networks have made catfishing — where scammers create a fake identity or impersonate a real person — much easier. Modern generative neural networks can imitate a person’s appearance, voice, or writing style with a sufficient degree of accuracy. All a scammer needs do is gather publicly available information about a person and feed that data to the AI. And anything and everything can be useful: photos, videos, public posts and comments, information about relatives, hobbies, age, and so on.
So, if a family member or friend messages you from a new account and, say, asks to lend them money, it’s probably not really your relative or friend. In a situation like that, the best thing to do is reach out to the real person through a different channel — for example, by calling them — and ask them directly if everything’s okay. Asking a few personal questions that a scammer wouldn’t be able to find online or even in your past messages is another smart thing to do.
And why wouldn’t Jennifer Aniston be giving away a MacBook?
Social media isn’t the only place where deepfakes are being used, though. They’re also being generated for real-time video and audio calls. Earlier this year, a Florida woman lost US$15,000 after thinking she was talking to her daughter, who’d supposedly been in a car accident. The scammers used a realistic deepfake of her daughter’s voice, and even mimicked her crying.
Experts from Kaspersky’s GReAT found offers on the dark web for creating real-time video and audio deepfakes. The price of these services depends on how sophisticated and long the content needs to be — starting at just US$30 for voice deepfakes and US$50 for videos. Just a couple of years ago, these services cost a lot more — up to US$20 000 per minute — and real-time generation wasn’t an option.
The listings offer different options: real-time face swapping in video conferences or messaging apps, face swapping for identity verification, or replacing an image from a phone or virtual camera.
Scammers also offer tools for lip-syncing any text in a video — even in foreign languages, as well as voice cloning tools that can change tone and pitch to match a desired emotion.
However, our experts suspect that many of these dark-web listings might be scams themselves — designed to trick other would-be scammers into paying for services that don’t actually exist.
How to stay safe
Don’t trust online acquaintances you’ve never met in person. Even if you’ve been chatting a while and feel like you’ve found a “kindred spirit”, be wary if they bring up crypto, investments, or any other scheme that requires you to send them money.
Don’t fall for unexpected, appealing offers seemingly coming from celebrities or big companies on social media. Always go to their official accounts to double-check the information. Stop if at any point in a “giveaway”, you’re asked to pay a fee, tax, or shipping cost, or to enter your credit card details to receive a cash prize.
If friends or relatives message you with unusual requests, contact them through a different channel such as telephone. To be safe, ask them about something you talked about during your latest real-life conversation. For close friends and family, it’s a good idea to agree on a code word beforehand that only the two of you know. If you share your location with each other, check it and confirm where the person is. And don’t fall for the “hurry up” manipulation — the scammer or AI might tell you the situation is urgent and they don’t have time to answer “silly” questions.
If you have doubts during a video call, ask the person to turn their head sideways or make a complicated hand movement. Deepfakes usually can’t fulfill such requests without breaking the illusion. Also, if the person isn’t blinking, or their lip movements or facial expressions seem strange, that’s another red flag.
Never dictate or otherwise share bank-card numbers, one-time codes, or any other confidential information.
An example of a deepfake falling apart when the head turns. Source
Automated calls
These are an efficient way to trick people without having to talk with them directly. Scammers are using AI to make fake automated calls from banks, wireless carriers, and government services. On the other end of the line is just a bot pretending to be a support agent. It feels real because many legitimate companies use automated voice assistants. However, a real company will never call you to say your account was hacked or ask for a verification code.
If you get a call like this, the key thing is to stay calm. Don’t fall for scare tactics like “a hacked account” or “stolen money”. Just hang up, and use the official number on the company’s website to call the genuine company. Keep in mind that modern scams can involve multiple people who pass you off from one to another. They might call or text from different numbers and pretend to be bank employees, government officials, or even the police.
Phishing-susceptible chatbots and AI agents
Many people now prefer to use chatbots like ChatGPT or Gemini instead of familiar search engines. What could be the risks, you might ask? Well, large language models are trained on user data, and popular chatbots have been known to suggest phishing sites to users. When they perform web searches, AI agents connect to search engines that can also contain phishing links.
In a recent experiment, researchers were able to trick the AI agent in the Comet browser by Perplexity with a fake email. The email was supposedly from an investment manager at Wells Fargo, one of the world’s largest banks. The researchers sent the email from a newly created Proton Mail account. It included a link to a real phishing page that had been active for several days but was yet to be flagged as malicious by Google Safe Browsing. While going through the user’s inbox, the AI agent marked the message as a “to-do item from the bank”. Without any further checks, it followed the phishing link, opened the fake login page, and then prompted the user to enter their credentials; it even helped fill out the form! The AI essentially vouched for the phishing page. The user never saw the suspicious sender’s email address or the phishing link itself. Instead, they were immediately taken to a password entry page given by the “helpful” AI assistant.
In the same experiment, the researchers used the AI-powered web development platform Loveable to create a fake website that mimicked a Walmart store. They then visited the site in Comet — something an unsuspecting user could easily do if they were fooled by a phishing link or ad. They asked the AI agent to buy an Apple Watch. The agent analyzed the fake site, found a “bargain”, added the watch to the cart, entered the address and bank card information stored in the browser, and completed the “purchase” without asking for any confirmation. If this had been a real fraudulent site, the user would have lost a chunk of change while they served their banking details on a silver platter to the scammers.
Unfortunately, AI agents currently behave like naive newcomers on the Web, easily falling for social engineering. We’ve talked in detail before about the risks of integrating AI into browsers and how to minimize them. But as a reminder, to avoid becoming the next victim of an overly trusting assistant, you should critically evaluate the information it provides, limit the permissions you give to AI agents, and install a reliable security solution that will block access to malicious sites.
AI-generated phishing websites
The days of sketchy, poorly designed phishing sites loaded with intrusive ads are long gone. Modern scammers do their best to create realistic fakes which use the HTTPS protocol, show user agreements and cookie consent warnings, and have reasonably good designs. AI-powered tools have made creating such websites much cheaper and faster, if not nearly instantaneous. You might find a link to one of these sites anywhere: in a text message, an email, on social media, or even in search results.
Credential input forms on scam sites imitating Tesla and Pantene
How to spot a phishing site
Check the URL, title, and content for typos.
Find out how long the website’s domain has been registered. You can check this here.
Pay attention to the language. Is the site trying to scare or accuse you? Is it trying to lure you in, or rushing you to act? Any emotional manipulation is a big red flag.
If your browser warns you about an unsecured connection, leave the site. Legitimate sites use the HTTPS protocol.
Search for the website name online and compare the URL you have with the one in the search results. Be careful, as search engines might show sponsored phishing links at the top of the page. Make sure there is no “Ad” or “Sponsored” label next to the link.
How scammers have mastered AI: deepfakes, fake websites, and phishing emails | Kaspersky official blog (reposted by admin, 2025-09-26)