Cracking the code of a successful cybersecurity career starts here. Hear from ESET’s Robert Lipovsky as he reveals how to break into and thrive in this fast-paced field.
WeLiveSecurity – Read More
Some schemes might sound unbelievable, but they’re easier to fall for than you think. Here’s how to avoid getting played by gamified job scams.
WeLiveSecurity – Read More
Deep cuts in cybersecurity spending risk creating ripple effects that will put many organizations at a higher risk of falling victim to cyberattacks
WeLiveSecurity – Read More
Welcome to this week’s edition of the Threat Source newsletter.
Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”
This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.”
I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for.
Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.
There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.
My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend.
And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar?
I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes…
In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points.
If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open…
Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with.
Bruce’s story is why Cisco Talos Incident Response exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see.
Enjoy the Fourth of July weekend, and remember to listen out for the duh dun.
Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems.
Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you’re not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate.
Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.
Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News)
International Criminal Court hit by new ‘sophisticated’ cyberattack
In a statement yesterday, the ICC revealed that it had contained a “sophisticated and targeted” cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer)
Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek)
Ahold Delhaize Data Breach Impacts 2.2 Million People
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek)
Germany asks Google, Apple remove DeepSeek AI from app stores
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)
Decrement by one to rule them all: AsIO3.sys driver exploitation
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.
Talos Takes: Teaching LLMs to spot malicious PowerShell scripts
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.
Beers with Talos: Terms and conceptions may apply
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836
MD5: c94c094513f02d63be5ae3415bba8031
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details
Typical Filename: setup
Claimed Product: N/A
Detection Name: W32.Variant:Gen.28iv.1201
SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536
MD5: 79b075dc4fce7321f3be049719f3ce27
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details
Typical Filename: RemCom.exe
Claimed Product: N/A
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Simple_Custom_Detection
SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0
MD5: 8d74e04c022cadad5b05888d1cafedd0
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details
Typical Filename: smhost.exe
Claimed Product: N/A
Detection Name: Artemis:Lazy.27fx.in14.Talos
SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293
MD5: N/A
VirusTotal: N/A, use https://talosintelligence.com/sha_searches
Typical Filename: N/A
Claimed Product: N/A
Detection Name: W32.2EB95EF4C4-100.SBX.TG
Cisco Talos Blog – Read More
Summer is in full swing, and that means one thing — it’s time to travel! Remember how people used to prepare for trips? Buying pocket guidebooks and phrasebooks, bombarding all our well-traveled friends with questions: “What should I see?”, “How much do tours cost?”, “And how do I get a SIM card?“.
These days, the world has changed. You can plan a comfortable trip while lounging on your sofa with a smartphone in hand — or even while waiting at the airport gate. All you need do is download the right apps. In this guide, we’ll help you prep both yourself and your phone for your journey:
Sure, you could buy a paper map in advance, but it’s much easier to download a few mapping apps. Yes, a few — don’t rely on just one.
Google Maps. An absolute must-have for any traveler. Plan routes and find nearby hotels, cafes, currency exchanges, and attractions. Read folks’ reviews for insider knowledge on the best spots (and the ones to avoid). Google Maps is every traveler’s digital Swiss Army knife — useful for a ton of different things (as long as you’ve downloaded offline maps in advance or have an internet connection).
Organic Maps. If you’re going somewhere beyond the reach of mobile networks, offline maps are your best bet. You can download a detailed map of your destination before your trip. It includes everything you’d find in Google Maps — restaurants, shops, transport stops — just without user ratings and reviews.
One standout feature is route planning for walking, biking, and hiking. You can even switch to a topographic view to see elevation changes — great for mountainous terrain or outdoor adventures.
Guru Maps. Among tourists, this app is known as “the king of navigation” — and for good reason. With Guru Maps you can venture far off the grid without getting lost. It’s made for finding hiking trails, routes through the wilderness, even swamp-trekking — perfect for when Google Maps and Organic Maps find no route at all.
Like the other two, Guru Maps is free to use, but there’s also a paid Pro version. This lets you download unlimited maps and create enough pins and GPS tracks for even the most hardcore traveler.
Offline apps are great, but pre-downloaded information alone isn’t always enough. Especially in big cities, it’s essential to stay online. There are a few ways to do this.
eSIM. Get a local SIM card, or better yet, an eSIM. You can use the Kaspersky eSIM Store app to find and activate affordable local data plans — no roaming fees or plastic SIM cards needed.
It’s simple: install Kaspersky eSIM Store, choose your destination, and buy a data plan that suits your needs. Along with the data package, you’ll receive your free eSIM — simply install it in your device in a couple of clicks. Later you can top up your eSIM for the same or different destinations with more great plans from local operators. And you’re not limited to just one country at a time — if you’re traveling across several countries, choose a regional plan or even get global coverage in 122 countries for constant connection.
eSIMs from Kaspersky eSIM Store don’t include a phone number — they only support data transfer. But your regular SIM stays in your device, so you can still receive texts and calls. Of course, you don’t need to answer roaming calls — but you can see who contacted you and respond via messenger using your eSIM data.
The cool thing is that you can set up eSIMs in advance, including the date your data plan will activate. Kaspersky eSIM Store offers both expiring plans (valid for 30 days in most countries) and non-expiring ones where unused gigabytes are saved for your next trip.
eSIMs and related services are provided by our tech partner BNESIM Limited. For more on all the benefits of eSIMs, check out our blog post: Internet on the go with Kaspersky eSIM Store
Mobile operator app. If you still plan to use roaming from your usual operator, be sure to install their app to monitor your data use, enable roaming options, and top up.
However, there’s a downside here: roaming usually costs much more than using an eSIM from Kaspersky eSIM Store. Yes, some providers offer special plans like unlimited messaging or map access, but relying on them could backfire in a crucial moment. For example, what if you’re in a small town where Google Maps’ timetables for public transportation aren’t up to date? You’ll need to look for an alternative transport app or take a completely different route. That could mean using a search engine — which can be painfully expensive on roaming data.
This is where specialized apps come to the rescue — reliable in big cities and helpful even in small towns where you could otherwise get stuck.
Moovit. An app to help you navigate public transport almost anywhere in the world. It sources real-time data from transport providers — including private companies — so seasoned travelers trust Moovit in cities with a well-developed public transit system. But don’t expect it to tell you exactly when a local bus is going to arrive in a tiny remote village. In such cases, it’s best to rely on taxis.
Uber. If you’ve ever taken a taxi, there’s a good chance you already have Uber on your phone. It’s one of the world’s biggest ride-hailing platforms: just enter your destination, choose a rate, and wait for your driver. Simple and intuitive — but there’s a catch: Uber isn’t available everywhere. You’ll have no trouble getting a ride in North America, Europe, and parts of Asia, but elsewhere your best bet is often a local taxi app.
Bonus: InDrive is a unique app that lets you name your price for a ride and choose a driver. Available in 48 countries.
Sometimes you only have a few hours or a couple of days to explore a huge city. So how do you quickly decide what to see and where to go? Previously, you could find such answers on Foursquare — but what now?
Visit a City. According to its developers, this app covers more than 3000 cities worldwide. Choose free mini-guides, buy tickets to museums and attractions, or book tours. With just a few clicks, you can plan a trip — say, two days in Istanbul — and get a detailed itinerary down to the minute.
Many major cities now offer their own travel apps — so check those out too. For a Thames-side stroll, try Visit London; if it’s mosques and markets you’re after, check Istanbul Tourist Pass; and if you’ve always dreamed of seeing Park Güell, use Hola Barcelona.
ChatGPT. Yes, artificial intelligence can help here too, creating an itinerary for any city on Earth and offering it in a neat PDF or spreadsheet. Just bear in mind that AI can’t always account for real-world factors like traffic or opening hours — things that are kept up-to-date by real people in specialized apps like Visit a City.
But for general plans, ChatGPT works wonderfully. Just tell it something like, “Plan a 2-day trip to Istanbul for two people in their 30s. The pace should be relaxed and must include Galata Tower, a San Sebastián cheesecake stop, and a Bosphorus cruise. Break it down by time, considering traffic.”
If you’re just looking for a quick bite while exploring, Google Maps or any other map app will do the trick — as long as you’ve got an internet connection, you’ll see nearby food options in seconds. But if you’re after something more authentic or sophisticated, there are dedicated apps for that.
The MICHELIN Guide. Not sure where to eat and want a guaranteed good spot? Pick any restaurant in this guide — and you can even book a table right in the app. A common myth is that Michelin is only for expensive fine dining, but that’s not true anymore: today the guide includes plenty of local gems with reasonable prices and great service. So whether you’re a foodie or just want a reliable recommendation, the MICHELIN Guide has something for every budget.
TheFork. This popular app makes sure no tourist goes hungry — at least in Europe. It’s packed with everything you need: addresses, menus, cuisine types, food photos, average prices, real reviews, and the ability to book a table directly. Sounds ideal, but as usual there’s a catch: TheFork only works in certain major European cities — for now: Paris, Amsterdam, Barcelona, Lisbon, Madrid, Milan, Rome, Geneva, Brussels, Stockholm, Marseille, and Bordeaux.
Local apps. Just like with taxis, every country — or even every city — tends to have its own version of TheFork. So it’s worth doing a little research to see what app is popular at your destination. For example, in the United States, you’ll want Resy and Yelp, while in China, Dianping is the go-to (if your Chinese is ok: it’s only available in Chinese).
Bonus: Flush Toilet Finder. This handy app helps you locate public toilets all over the world — a perfect companion to your restaurant guide. While general maps might also show toilet locations, Flush Toilet Finder provides extra details such as wheelchair accessibility, whether access codes or keys are required, and how much it costs.
Connecting to the first open Wi-Fi spot you find is not a great idea — and neither is storing a passport scan in your photo gallery. Here’s how to add a dash of digital safety to your perfect trip mix:
Obsidian. You’ll probably want to plan your trip in advance — and most likely, you’ll try to do so using the standard Notes app on your phone. That’s not the safest option, and sometimes not the most convenient either when it comes to storing important information. Consider Obsidian — it protects your notes with end-to-end encryption and syncs them across your devices. But there are other similar apps out there, which we wrote about in our article Keep it under wraps: encrypted note-taking apps and to-do lists.
Kaspersky Password Manager. Store photos or PDFs of your passports, tickets, vouchers, and other important documents in secure storage — they can only be decrypted and viewed after entering a main password that only you know. At the same time, you can easily add or open any document on any device — the app is cross-platform and constantly syncs information between your smartphone and computer. In addition, our password manager can store two-factor authentication tokens. Remember that traditional one-time passwords may not arrive via SMS while roaming, or they may be severely delayed. Take a couple of minutes at home to configure your frequently used apps and websites so that 2FA codes are generated in Kaspersky Password Manager instead of being sent via SMS.
Kaspersky VPN Secure Connection. If you’ll be connecting to unfamiliar Wi-Fi networks often during your trip, your best bet is to protect your connection. You can do this with the help of one of the fastest VPNs in the world. Plus, VPN also lets you change your phone’s location in advance — so your search results become local! That way, even from home, you can plan visits to the events that locals actually go to, not just tourist traps.
Wherever you’re going, remember — happiness is only real when shared. Stay connected with Kaspersky eSIM Store and share your favorite travel moments with your loved ones.
What else to read before your trip:
Kaspersky official blog – Read More
We’ve packed June with updates designed to make your day-to-day analysis faster, clearer, and easier than before. Whether you’re just getting started or deep into reverse engineering every day, these improvements are here to save you time and help you catch more threats.
In this update:
Scroll down to see what’s new and how these updates can help your team work faster, spot threats earlier, and get more from your ANY.RUN sessions.
In June, we focused on helping analysts work faster and with more clarity, especially during high-pressure investigations. That’s why we introduced Detonation Actions: real-time execution hints that keep your analysis moving forward without guesswork.
Now, when a sample requires interaction to detonate, like opening a file or following a link, Detonation Actions will show exactly what needs to be done.
Whether you’re clicking through manually or relying on automation, you’ll see helpful hints to understand how the threat at hand unfolds.
You’ll find Detonation Actions inside the Actions tab, right next to the process tree. They work across all samples and help analysts of any skill level trigger and observe malware behavior with confidence.
You can activate Detonation Actions by clicking the new Auto button when launching your VM or toggle Automated Interactivity (ML) manually in Advanced Settings.
We’ve improved how the sandbox detects and extracts QR codes, making it easier to investigate threats hidden in documents, images, and archives.
Now, QR code detection works more reliably across a wider range of file types and delivery methods. Whether it’s a malicious link embedded in a PDF or a code inside an SVG file, the sandbox will automatically pick it up and display the decoded URL in the QR tab under Static Discovering.
QR-based phishing is still on the rise. This improvement makes it even easier to detect and investigate QR code threats before a user ever scans them.
This month, we expanded threat detection across all supported platforms, Windows, Linux, and Android, with major additions to our rule base and signature library.
These updates improve detection accuracy, shorten triage time, and give analysts better visibility into evasive threats. From commodity malware to nation-state actors, the latest rules reflect real-world samples seen in the wild and analyzed inside ANY.RUN.
We added 120 behavior signatures targeting stealers, ransomware, RATs, loaders, and evasive techniques, many of which were observed in active campaigns.
Some highlights:
Platform-Specific Threats
New behavior detections were also added for threats targeting specific operating systems:
Windows:
Linux:
Android:
We released 12 new and updated YARA rules this month to support faster static detection and classification of threats across all platforms. These rules help flag malicious files before execution and enhance attribution in multi-stage attacks.
Some of the key additions include:
To improve detection of phishing threats at the network layer, we added 1,320 new Suricata rules in June. These rules help security teams identify malicious domains, redirection chains, and phishing infrastructure early in the attack flow.
Here are some of the highlights:
We added behavior-based detection for a tactic used by malware to bypass standard execution monitoring:
This new detection helps analysts flag unusual execution chains earlier in the process tree and trace hidden payload delivery paths more efficiently.
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.
Integrate ANY.RUN’s Threat Intelligence suite in your organization →
The post Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Security-First Culture (SFC) is an organization-wide commitment where security considerations influence decision-making at every level, from strategic planning to daily operational tasks.
It’s not just about having fancy tech or a dedicated IT team; it’s about making security a core part of how the company thinks and acts. A mindset where every decision, from coding a new app to sending an email, considers “How could this go wrong, and how do we protect against it?”.
Leaders set the tone by prioritizing security, allocating resources, and weaving it into the company’s strategy. Every employee, regardless of their role, understands that they play a critical part in the organization’s security posture.
The principles sound sensible but quite challenging to implement. Transferring to SFC might look like an organizational revolution demanding changes on all levels, from the leadership mindset to everyday practices. And of course it must be quite a recourse-consuming adventure. Is the outcome worth it?
The advantages of implementing SFC extend far beyond just preventing cyberattacks. But the straightforward outcome of suffering less breaches must certainly be considered. Verizon’s 2022 Data Breach Report says 82% of breaches involve human error, so a security-minded workforce can slash that risk.
Fewer breaches mean less damage: financial, reputational, operational. Preventing even one incident can save millions: the average cost of a data breach exceeded $4 million back in 2023, according to IBM. Besides, if an attack does happen, a prepared organization bounces back faster, minimizing damage and downtime.
Customers, partners, and stakeholders have greater confidence in organizations that demonstrably prioritize security. This translates to stronger business relationships and competitive advantages.
Less obvious but no less valuable benefits include:
Several organizations have become benchmarks for security-first culture:
Microsoft: Following significant security challenges in the early 2000s, Microsoft implemented their “Security Development Lifecycle” and “Assume Breach” philosophy, fundamentally transforming their approach to security.
Google: Their “BeyondCorp” zero-trust security model and continuous security innovations demonstrate a deep cultural commitment to security.
Apple: Known for privacy-by-design principles and strong encryption standards across all products and services.
Not every company gets it right (providing us with impressive and didactic examples). These high-profile disasters could’ve been mitigated with a stronger SFC:
Equifax (2017): A failure to patch a known vulnerability led to a breach exposing 147 million people’s data. A lack of proactive monitoring and employee awareness was a key factor.
SolarWinds (2020): A supply chain attack compromised multiple organizations. Inadequate security training and siloed responsibilities left gaps that attackers exploited.
AT&T (Multiple breaches 2023-2024): Repeated incidents affecting millions of customers demonstrate ongoing security culture deficiencies despite previous breaches.
Here’s how to understand where you stand:
| Strong Security-First Culture Indicators | Warning Signs of Weak Security Culture |
| Employees proactively report security concerns | Security seen as “someone else’s job” |
| Security is discussed in regular business meetings | Frequent workarounds to security policies |
| New projects include security requirements from the start | Incident response is chaotic or delayed |
| Incident response is swift and coordinated | Security training completion rates below 90% |
| Regular security training has high participation rates | Security budget cuts during tough financial periods |
| Security metrics are tracked and reported to leadership | Repeated similar security incidents |
Cyber Threat Intelligence (CTI) isn’t just a technical capability — it’s the nervous system of a security-first culture. CTI provides the contextual awareness that transforms reactive security measures into proactive, strategic defense.
Like security-first culture permeates and consolidates every organizational unit and structure, state-of-the-art CTI vendors like ANY.RUN offer solutions to cover security-related challenges on all business levels.
Daily security operations rely on CTI to prioritize alerts, contextualize incidents, and guide response efforts. Instead of treating all security events equally, intelligence helps teams focus on genuine threats.
Threat Intelligence Lookup allows employees of any grade to utilize a vast database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Attack (IOAs) to instantly collect context for alerts, incidents, and campaigns. The data is continuously updated and derived from the attacks on over 15,000 companies using ANY.RUN’s Interactive Sandbox for hands-on investigations of malware and phishing attacks.
An employee does not have to be a security expert to make a search request like a suspicious IP address and receive an instant verdict that the notorious banking stealer Lumma might have penetrated the perimeter:
TI Lookup enables teams to quickly gather critical threat context, transforming existing indicators tin actionable insights into the threat to hand to mitigate risks and protect the organization.
When it comes to tactical implementation, security tools and controls are configured based on current threat intelligence, ensuring defenses remain relevant as the threat landscape evolves.
Threat Intelligence Feeds provided by ANY.RUN deliver up-to-date curated indicators of compromise like URLs, domains, and IPs, enriched with threat context, to integrate with detection and monitoring systems and identify threats before they become incidents.
Smart threat intelligence solutions improve employees’ ability to make better security decisions in ambiguous situations. ANY.RUN’s Interactive Sandbox makes it possible to analyze any suspicious link, email, or file, and not just get a malicious/benign verdict, but to understand malware’s behavior as well as its operators’ TTPs.
Thanks to interactivity, the sandbox makes it possible to engage with the environment and the threat just like on a standard desktop, detonating every stage of the attack to reveal the final malicious payload.
As we can see, the Sandbox file analysis exposes its malicious behavior and labels it as AsyncRAT trojan.
The intuitive interface of the sandbox simplifies malware analysis for junior security professionals and even non-specialists, providing them with a clear understanding of any threat.
Sign up for ANY.RUN’s Interactive Sandbox with a business email
In strategic planning, CTI informs long-term security investments by identifying emerging threats and industry-specific risks. When planning business expansion, drafting a security budget for the next quarter, or gathering information on the key cybersecurity risks, it provides crucial context about the current threat landscape.
ANY.RUN’s TI Reports contain manually collected intel on APTs, as well as malware and phishing campaigns that pose a danger to businesses right now. The reports help security teams gain greater visibility into the threats active at the moment and proactively defend their infrastructure.
A security-first culture isn’t just about tech — it’s about people, processes, and a shared commitment to staying safe. By embedding cyber threat intelligence into every step, from leadership to daily operations, organizations can stay ahead of attackers, protect their data, and build trust with customers.
Organizations that successfully implement security-first culture supported by robust threat intelligence capabilities don’t just survive in today’s threat environment. They thrive, using their security posture as a foundation for innovation, growth, and competitive advantage.
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.
Start 14-day trial of ANY.RUN’s solutions in your SOC today
The post A Guide to Developing Security-First Culture Powered by Threat Intelligence appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation.
Brand impersonation is a social engineering technique that exploits the popularity of well-known brands to persuade email recipients to disclose sensitive information. As discussed in our previous blog, adversaries can deliver brand logos and names to victims using multiple types of payloads. One of the most common methods of delivering brand logos and names is through PDF payloads (or attachments).
In some cases, the entire email, including a brand’s logo, is embedded within a PDF attachment. Figure 1 displays an example of a QR code phishing email that impersonates the Microsoft Corporation brand. The threat actor used an enticing subject line, “Paycheck Increment,” timed strategically during periods when promotions or merit changes are likely to occur in various organizations.
In other cases, the company’s logo is included in a separate image or PDF attachment and is displayed to the victim as soon as they open the email. Below is an example of a QR code phishing email that impersonates both the Microsoft and Adobe Inc. brands. Figure 2 shows the Adobe logo attached to an email as an image file.
A brand’s logo may not always be present in every brand impersonation attempt. For example, the following phishing email, which impersonates the Adobe brand, does not include any logos.
When the victim clicks on the “View the Attached online here” hyperlink, they are redirected to a phishing page impersonating a Dropbox, Inc. webpage.
A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique: telephone-oriented attack delivery (TOAD), also known as callback phishing.
Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.
Phishing typically involves sending emails or messages with malicious links or attachments that direct the victim to a counterfeit website. Callback phishing, however, does not rely on fake websites or phishing links. Instead, attackers use direct voice communication to exploit the victim’s trust in phone calls and the perception that phone communication is a secure way to interact with an organization. Additionally, the live interaction during a phone call enables attackers to manipulate the victim’s emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.
Most phone numbers found in email threats leveraging this social engineering technique are Voice over Internet Protocol (VoIP) numbers, as it is significantly harder to trace a VoIP number back to a specific individual or physical location compared to a traditional phone number. Below is an example of a TOAD attack that impersonates the McAfee LLC brand.
Talos has observed that phone numbers are sometimes reused on consecutive days. This could happen for multiple reasons. First, intelligence about phone numbers is collected and distributed at a slower pace compared to other artifacts like URLs and files. In most cases, phone numbers observed in emails by cybersecurity companies are not shared with third-party reputation services, or vice versa. As a result, these phone numbers often remain under the radar for several days. Second, the reuse of phone numbers provides logistical advantages for scam call centers. It enables consistent contact for multi-stage social engineering attacks, scheduling callbacks, and maintaining a credible “brand” presence with victims. Lastly, phone numbers may be reused to minimize costs, particularly if the VoIP service is not free. The plot below illustrates a case where the number +1-818-675-1874 was used in TOAD emails impersonating Best Buy’s Geek Squad brand for four consecutive days.
Talos has also observed several cases of e-signature service abuse on the Adobe platform between April and May 2025. Figure 8 shows an example email that impersonates the PayPal brand. In this case, the entire PDF file (i.e., the body of the email) was uploaded to Adobe and sent directly to the victim through the e-signature service.
Adversaries extensively use QR codes alongside brand impersonation phishing emails, a tactic known as QR code phishing. As seen in Figures 10 – 12, attackers exploit the legitimacy of popular brands to convince users to scan the QR code, ultimately redirecting them to a phishing page, which is often protected by some form of CAPTCHA.
In most QR code phishing emails with PDF payloads, the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email. This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis. However, OCR is an error-prone process and increases computational costs.
Although the PDF format is an open standard, its structure is not straightforward to understand (this book provides an excellent explanation). PDFs can contain both visible and hidden information within their three main components: the text layer, the image layer and the internal structure (e.g., comments and annotations). This flexibility allows certain elements within a PDF to make it appear legitimate, helping it evade spam filters and detection systems.
To make QR code phishing emails more evasive, attackers often exploit otherwise legitimate PDF annotations. For example, a phishing URL might be embedded in a text annotation, sticky note, comment, or form field within a PDF attachment. Alternatively, attackers may add irrelevant text (or “noise”) to bypass detection systems.
Figures 13 and 14 demonstrate how multiple URLs can be embedded in a PDF attachment using annotations. In this case, the QR code may link to a legitimate web page to build the recipient’s trust, while the embedded annotation points to the actual phishing page. To further obscure the attack, attackers may use shortened URLs, making it harder for users to verify the link’s legitimacy before clicking.
Brand impersonation remains a prevalent social engineering tactic in phishing attacks, with Talos frequently observing PDF payloads delivering brand names or logos in recent months.
Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are. The plot in Figure 15, reflecting the period between May 5 and June 5, 2025, highlights the most impersonated brands detected in emails with PDF attachments. Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments.
The map in Figure 16 indicates where brand impersonation attempts using PDF attachments originated for the above brands, both locally and internationally, during this time period.
Brand impersonation is one of the most popular social engineering techniques, and it is continuously being used by attackers in different types of email threats. Therefore, a brand impersonation detection engine plays a pivotal role in defending against cyber attacks.
Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced machine learning-based systems. Learn more about Cisco Secure Email Threat Defense’s brand impersonation detection engine here.
Cisco Talos Blog – Read More
On this here blog of ours we constantly write about all sorts of cyberattacks and their devastating effects — from cryptocurrency theft to personal data leaks. Yet there’s a different category of high-profile hacks: those where the hackers aren’t after money, but instead pull off silly stunts that are mostly harmless enough and just for fun (though some (one in particular — the Ecovacs hack, below) could be more serious than others). Today, we tell you about five of these and discuss the lessons we can learn from them…
In the spring of 2025, unknown individuals hacked crosswalk buttons on traffic lights across Silicon Valley. These audio-enabled buttons are widely installed on pedestrian signals across the United States. As you might expect, they’re designed for people with visual impairments: their main purpose is to play voice messages that help pedestrians who can’t see well understand when it’s safe to cross the road.
The unknown individuals replaced the standard voice messages on crosswalk buttons in several Silicon Valley towns with their own — featuring AI-generated imitations of the ubiquitous tech-billionaires Mark Zuckerberg and Elon Musk. Videos recorded by local residents show the hacked buttons playing the messages.
In a voice imitating Mark Zuckerberg: “It’s normal to feel uncomfortable or even violated, as we forcefully insert AI into every facet of your conscious experience. I just want to assure you, you don’t need to worry because there’s absolutely nothing you can do to stop it.”
In a voice imitating Elon Musk: “You know, they say money can’t buy happiness… I guess that’s true. God knows I’ve tried. But it can buy a Cybertruck and that’s pretty sick, right? F***, I’m so alone.”
Another message in a simulated Musk voice: “You know, people keep saying cancer is bad, but have you tried being a cancer? It’s f****** awesome. Call me Elonoma. Heh-heh-heh.”
The billionaires’ voices were clearly AI-generated, but exactly how the hackers managed to breach the traffic light audio buttons remains unknown. Security experts have noted, however, that default passwords are often used when connecting these kinds of buttons, and nobody bothers to change them after installation.
It looks like no one was hurt by the prank – except maybe the billionaires’ pride.
On the last Friday of the 2021 school year, all the TVs and projectors in classrooms across six schools in Cook County, Illinois, turned on by themselves. A message appeared on the screens: “Please remain where you are. An important announcement will be made shortly.” A five-minute countdown timer was displayed below the unsettling message…
Five minutes later, 500 screens simultaneously started showing the famous Rick Astley video for Never Gonna Give You Up. Later that same day, the song played again over the schools’ public address systems.
The hackers behind this surprise pop… classic’s airing were four American students, and what they did was pull off one of the biggest Rickrolls in history that day. A Rickroll is a popular online prank where an unsuspecting user is sent a seemingly important or exciting link, only to be redirected to the video for English singer Rick Astley’s 1987 hit, Never Gonna Give You Up. Rickrolling achieved cult status back in 2007 after spreading on the 4chan imageboard.
Let’s get back to the four students. Their massive Rickroll was a hi-tech twist on a classic American tradition known as the senior prank: basically, a good-natured prank pulled by high-school, college, or university seniors before graduation.
However, the four Illinois students clearly took it to a new level. To pull off their Rickroll, they exploited fairly basic vulnerabilities in the school’s infrastructure. For example, the pranksters gained access to the system controlling hundreds of projectors and TVs across the entire school district because the default usernames and passwords hadn’t been changed after setup.
Similarly, the students were able to log into the schools’ audio public address systems. The person who originally configured the PAs diligently changed the default system password to the one provided as an example in the user manual, which of course was available online. While they were at it, the hacking team discovered an administrator account with “password” used as the password.
It’s worth highlighting just how responsibly the hackers approached the whole operation. Before carrying out the Rickroll, the prankster team prepared a detailed 26-page report, which they sent to the school administrators immediately after the incident. In it, the students thoroughly described their actions and provided recommendations for improving the schools’ cybersecurity. Additionally, once the Rickroll was over, the script they wrote restored the school systems back to their original state.
Last year, reports surfaced online about a series of hacks targeting Chinese-made Ecovacs Deebot X2 robot vacuums in cities across the United States. Pranksters assumed control of the robots’ movements and shouted expletives through the built-in speakers. Additionally, they could spy on the owners through the integrated cameras.
The story seemingly had its beginnings at the DEF CON 32 hacker conference, where cybersecurity researchers Dennis Giese and Braelynn Luedtke presented their talk, Reverse engineering and hacking Ecovacs robots. The presentation described vulnerabilities they’d discovered in Ecovacs robot vacuums and lawnmowers, as well as methods for exploiting them. As part of their study, the researchers were able to gain remote access to the built-in microphones and cameras and control the vacuums’ movements. We previously covered their work in detail in our post Ecovacs robot vacuums get hacked.
(By the way, during their presentation at DEF CON, Giese and Luedtke themselves became the target of a hacker prank: a member of the audience managed to take control of the presenter’s clicker and spent several minutes messing with the speakers by randomly flipping through their slides.)
Giese and Luedtke reported their findings to the vendor in a responsible manner. Ecovacs engineers attempted to patch the vulnerabilities, but didn’t have much luck. Several months after the report went out, unknown tech enthusiasts, likely inspired by the study, were able to recreate the techniques described in it to execute a series of attacks on other people’s robot vacuums. For example, in one such attack in California, a robot chased the owner’s dog around the house while shouting obscenities.
The exact number of victims from this series of hacks remains unknown, as it’s plausible that the pranksters didn’t always make their presence obvious — they might have simply observed the vacuum owners’ lives. That, clearly, would have been a very serious infringement of those owners’ privacy – and could in no way be described as mere “fun and games”; neither could this: what if Ecovacs lawnmowers are next?
Here’s another playful attack by teenagers, this time targeting Lenovo. A decade ago, the computer manufacturer’s website was hacked. Visitors were redirected to a slideshow featuring photos of bored-looking adolescents, presumably the hackers themselves, all set to the song Breaking Free from Disney’s High School Musical.
Clicking on the slideshow would lead users to the hacking group Lizard Squad’s account on X, which was still known as Twitter at the time. The hackers left a jab at the webmasters in the source code: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey”. These two individuals had previously been linked to Lizard Squad.
The attack was orchestrated via DNS hijacking. The hackers altered the DNS records for lenovo.com, causing all users attempting to reach the official company website to be automatically redirected to a fake page controlled by the pranksters.
The attack was apparently a protest against what was seen as the computer vendor’s lax attitude toward security and user protection. Shortly before the defacement, it was revealed that Lenovo had been selling laptops preloaded with Superfish malware. This made users who purchased infected devices potentially vulnerable to data interception and man-in-the-middle attacks. Thus, the hack seems kind of wrong, but at the same time feels justified.
These days, when the X account of a high-profile individual or major company gets hacked, it almost invariably leads to some kind of cryptocurrency scam. But it wasn’t always this way. Just a decade ago, popular accounts on what was then still known as Twitter were more often hijacked for giggles than for illicit financial gain.
Take February 2013, for example. Unknown hackers breached Burger King’s Twitter account to post this gem: “We just got sold to McDonalds! Look for McDonalds in a hood near you.”
On top of that, Burger King’s profile picture was swapped out for the McDonald’s logo, and their bio read: “Just got sold to McDonalds because the whopper flopped.” The bio also included the misspelled line “FREDOM IS FAILURE” and a dead link to a press release.
For about an hour, the attackers posted increasingly outrageous messages before Twitter finally suspended the account. Interestingly, Burger King’s arch-rival, McDonald’s, tweeted a message of support — while making sure to clarify they had nothing to do with the breach.
Fast-forward to August 2017, which was when the Ourmine hacking outfit targeted the Twitter account of soccer giant Real Madrid. The hackers used the club’s account to announce that none other than Lionel Messi, who then played for Real Madrid’s fiercest rival, FC Barcelona, was transferring to Real Madrid.
The post quickly racked up 2800 likes and 3100 retweets. Ourmine also posted a series of tweets claiming responsibility for the hack, with one declaring, “Internet security is s*** and we proved that.” It’s hard to argue with that.
Perhaps the most crucial lesson to learn from these online shenanigans is this: using weak — or even worse, default — passwords is a surefire way to hand control of your device, account, or website to internet pranksters… if you’re lucky. Weak passwords were what tripped up city infrastructure and school administrators, and it’s highly likely that the Twitter account hacks were also linked to a careless approach to password policies.
This blog has frequently discussed how to create strong passwords. But to wrap things up, let’s reiterate a few basic rules of password hygiene:
Of course, any user today signs up for dozens, if not hundreds, of online services. So, remembering long and unique passwords for each one isn’t feasible. That’s where Kaspersky Password Manager can help you manage this and protect yourself not just from pranks, but from far more serious consequences.
Additionally, the app automatically checks all your passwords for uniqueness, and helps you create truly strong and random combinations of characters. So, when using Kaspersky Password Manager, you don’t need to keep all those complex rules in mind — the password manager does it all for you. Beyond passwords, Kaspersky Password Manager can store and sync two-factor authentication tokens and passkeys. We recently thoroughly explored this new passwordless technology for accessing websites and services in our complete guide to using passkeys in 2025.
Kaspersky official blog – Read More
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
New ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. One such case involves a sample resembling DragonForce ransomware, yet bearing several unique traits and identifiers suggesting the involvement of a separate entity known as DEVMAN.
A previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity. During one such attack, DragonForce actors exfiltrated a target’s .env file and published it on their Dedicated Leak Site (DLS) on Tor with the caption: “Is this your .env file?”
This newer sample, uploaded by TheRavenFile, appears related but not entirely identical to the DragonForce lineage. Despite being labeled as a DragonForce or Conti variant by most AV engines, the sample displays unique behaviors that point toward DEVMAN involvement.
Some time ago, DragonForce introduced their RaaS (Ransomware-as-a-Service) model, aiming to recruit both affiliates to operate their ransomware and others who wanted to use their infrastructure, branding, and reputation as a platform to publish stolen data.
This shift brought new actors into the landscape, increasing overall activity, noise, and irregularities, including the sample analyzed here. Depending on the analyst or tool, it may be labeled as DragonForce, Conti (the base framework for DragonForce), or DEVMAN.
DEVMAN? A relatively new actor has recently emerged under this name, featuring its own Dedicated Leak Site (DLS) called Devman’s Place, a separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe.
Let’s analyze the sample inside ANY.RUN’s secure interactive sandbox:
This sample, flagged by most antivirus engines as a DragonForce (or Conti), is actually, modified to behave like a new variant belonging to DEVMAN. It uses that name as the file extension for encrypted data but otherwise shares a large part of its codebase with DragonForce, including leftover strings and identifiers. That strongly suggests DEVMAN may be using a DragonForce build for some of its operations.
This appears to be a lightly customized version; one that hasn’t attracted much attention, either from the threat intelligence community or from its own operator. The result is a tangled ransomware crossbreed with overlapping traits.
A closer look reveals more.
First things first — our newborn dragon does what dragons do: it burns down the village. Files are encrypted rapidly and automatically, also attempting to locate SMB shared folders to spread further — but in our lab environment, it wasn’t that lucky.
Two things caught our attention immediately. First, on Windows 11, the sample was unable to change the wallpaper for unknown reasons, while on Windows 10 it worked flawlessly.
Second, although desktop files are the most visible, they are not the last to be encrypted. The process continues beyond them.
The ransom notes were not dropped as expected. Instead, every location where a note should have appeared contained, quite mysteriously, a file with a scrambled name and the .DEVMAN extension, suggesting the sample might be malfunctioning and targeting its own files.
Fortunately, ANY.RUN logs all activity, not just network traffic, but disk writes as well, allowing us to reconstruct one of those files right at the moment it was created. And, interestingly enough, the ransom note isn’t just similar to the ones used by DragonForce. It is, in fact, a DragonForce ransom note.
When retrieving the list of created and modified files, we noticed an interesting pattern: the sample scrambles file names instead of simply appending an extension.
And here’s the most curious part; its own readme.txt files, once encrypted, are always renamed to e47qfsnz2trbkhnt.devman. This strongly suggests the use of a deterministic function that produces static outputs for identical inputs.
So, let’s focus on those local oddities, and a good place to start it’s the binary itself.
Aside from the aforementioned SMB connections, no suspicious network dialogue was observed, suggesting that all malicious activity takes place locally and offline.
Using FLOSS, a tool by Mandiant, we can decode and extract additional strings to better understand the sample’s internal logic prior to disassembly.
The first thing we notice is that the sample checks for Shadow Copies (probably just to make sure we’ve got a solid backup policy in place) and lists a series of file extensions that it deliberately avoids encrypting.
Further analysis reveals multiple encryption modes: full encryption, header-only encryption, and custom encryption, designed to prioritize either speed or complexity, depending on the intended scenario.
Header-only encryption, in particular, allows the malware to corrupt large volumes of data in less time, trading completeness for speed.
Further exploration reveals a bit more detail about the sample’s attempts to connect to SMB folders, explicitly referencing local network octets and hardcoding the ADMIN$ share name, along with several error and debug messages.
Another interesting behaviour that further supports the Conti lineage of this sample is its interaction with the Windows Restart Manager. The malware creates temporary sessions under the registry key:
HKEY_CURRENT_USERSoftwareMicrosoftRestartManagerSession0000
There, it logs metadata such as Owner, SessionHash, RegFiles0000, and RegFilesHash, pointing to system-critical files like NTUSER.DAT and its corresponding logs.
Each of these entries is quickly deleted after being written, likely an attempt to avoid leaving persistent forensic traces. This pattern mirrors behaviour seen in Conti and later carried on by DragonForce, which now appears to be inherited by DEVMAN (what a Zoo!).
The goal seems clear: use the Restart Manager to bypass file locks and ensure encrypted access to active user session files. It’s noisy, and somewhat old, but it works.
Another notable behavior involves the use of synchronization primitives, particularly mutexes, to coordinate the sample’s execution and possibly prevent multiple instances from running in parallel. This is standard among ransomware families derived from Conti, and this case is no exception.
Right from the beginning, the sample creates a mutex named: hsfjuukjzloqu28oajh727190
This mutex is not randomly generated; it is hardcoded into the binary, as confirmed by decoded strings extracted using FLOSS. Its presence suggests that the sample uses it to detect existing instances of itself, a basic anti-reentry mechanism.
The sample also creates several mutexes and interacts with objects under the naming pattern:
These mutexes are tied to the Windows Restart Manager API and match the behaviour seen in previous ransomware families (notably Conti and its derivatives), which use this mechanism to query which processes are holding handles to specific files.
This facilitates forced encryption of locked resources, including user profile data like NTUSER.DAT.
The reuse of fixed strings can serve as a strong indicator of compromise (IOC) for future detection or correlation with other samples likely created using the same packer or builder. However, this is a volatile indicator that is likely to change over time.
When possible, assign a “trust” expiration date (or half-life) to indicators; it can be a valuable practice for maintaining detection accuracy over time.
This sample looks more like an affiliate testing a new build than something currently being deployed that you’d casually run into in a production environment. While not particularly sophisticated, it presents a number of unusual behaviors worth highlighting, particularly its tendency to encrypt its own ransom notes.
While it’s ironic that no one could, at least not easily, pay the ransom without knowing who to pay (because the ransom note gets encrypted), the underlying message here is more serious: there’s a core design flaw in the builder that allows it to self-encrypt key components.
That simple .txt file is often the only clue victims have to identify the threat actor and initiate negotiation; and for the threat actor, it’s the best chance of getting paid.
I spoke with DEVMAN, who stated “[…] we stopped using DragonForce months ago […]”.
One noteworthy indicator of a threat actor’s maturity is their ability to maintain polite, detailed, and respectful communication; a trait that also applies to DEVMAN. This attitude seems to echo in their technical approach, even in cases where their ransomware encrypts its own ransom notes.
Now, if we strip this sample of its oddities, there’s not much to talk about it on its own merits (no offense meant to the developers), or at least nothing to say that we haven’t covered in other articles about ransomware.
Still, its oddities make it a valuable case study, not for technical innovation, but for the way it reflects shifting actor dynamics and common development pitfalls in the ransomware ecosystem.
Unusual samples like this DEVMAN variant can easily slip past traditional analysis workflows. With ransom note encrypted, scrambled filenames, and unexpected behavior across operating systems, manual investigation becomes time-consuming and risky to overlook.
This is where ANY.RUN’s Interactive Sandbox proves invaluable. By logging every action in real time, from file system changes to mutex creation and registry modifications, it enables analysts to trace even fragmented or malfunctioning ransomware behavior.
This kind of visibility gives security teams a real operational advantage:
Start 14-day trial of ANY.RUN’s Interactive Sandbox in your SOC today
Let’s jump to drafting a quick ATT&CK matrix for this sample, which ANYRUN does automatically for us:
The executable requires user (or threat actor) interaction to launch.
Presence of scheduling-related strings implies possible persistence via tasking.
Internal file renaming and readme scrambling suggest static obfuscation logic.
The sample deletes registry keys and values shortly after writing them.
Explicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).
Uses netapi32, srvcli, and netutils to interact with administrative shares.
Enumerates and encrypts user data including NTUSER.DAT and log files.
Core functionality: encrypting files with .DEVMAN extension.
Attempts to interact with volume shadow copies.
MD5:e84270afa3030b48dc9e0c53a35c65aa
SHA256:df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7
403
FileName:hsfjuukjzloqu28oajh727190
FileName:e47qfsnz2trbkhnt.devman
SHA256:018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
Analysis: https://app.any.run/tasks/64918027-01e6-415a-85b3-474fca5fc5c4
VirusTotal Analysis (multiple labeling/attribution): https://www.virustotal.com/gui/file/
df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
Original Intel Pulse (OTX): https://otx.alienvault.com/pulse/
68535853fe15cff17229577d
The post DEVMAN Ransomware: Analysis of New DragonForce Variant appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More