Your snapshots are, quite literally, the keys to your private life. Your gallery holds your future plans, financial secrets, cat pictures, and sometimes even things you’d never share with anyone. But how often do you truly think about protecting those images? We hope that ever since you heard about the SparkCat cross-platform stealer, you’ve been pondering it more often than usual.
Now we’ve discovered that Trojan’s little sibling, which we’ve affectionately named SparkKitty. But don’t let the cute name fool you — behind it lies a spy that, like its older brother, aims to steal photos from its victims’ smartphones. What makes this threat unique, and why should both Android and iPhone users prick up their ears?
How SparkKitty makes its way onto devices
The stealer spreads in two ways: (i) in the wild — that is, across the untamed parts of the internet; and (ii) through official app stores like the App Store and Google Play. Let’s break this down.
Official app stores
In Apple’s App Store, the malware was lurking inside the 币coin app — designed for tracking cryptocurrency rates and trading signals. We’re not sure exactly how this suspicious spy activity ended up in the app. It’s possible there was a supply-chain compromise, and the developers themselves weren’t aware of SparkKitty until we notified them. But there’s also a second possibility: the developers deliberately embedded the stealer into the app. Regardless, this is the second time we’ve seen a Trojan sneak into the App Store, and we’ve alerted Apple about it. SparkCat was the first instance.
Infected application in the App Store
It’s a different story with Google Play: malicious apps pop up on a regular basis, and we frequently cover these threats on Kaspersky Daily. This time, we detected malicious activity in a messaging app that includes crypto-exchange features. This is a popular app that’s been installed more than 10 000 times, and was still available in the store at the time of the study. We’ve contacted Google to warn them about the threat.
Suspicious links in the wild
That said, the attackers have been much more creative this time in spreading the malware out in the wild. Once, during a routine review of suspicious links (we click them so you don’t have to!) our experts uncovered several similar pages distributing a TikTok mod for Android. One of the main things this mod did was call additional code. “That looks suspicious”, we thought. And we were right. The code contained links displayed as buttons within the app, all directing users to an online store called TikToki Mall, which sold a variety of items. Unfortunately, we couldn’t determine if the store was legitimate or just a big trap — but one interesting fact stood out: TikToki Mall accepts cryptocurrency payments, and you need an invitation code to sign up and pay for any item. We didn’t find any further suspicious activity at this stage, and no traces of SparkKitty or other malware.
So we decided to take a different approach and see what happened when we tapped these same suspicious links from an iPhone. This led us to a page that vaguely resembled the App Store, which immediately prompted us to download the “TikTok app”.
iOS doesn’t allow users to download and run applications from third-party sources. However, Apple provides so-called provisioning profiles to every member of the Apple Developer Program. These allow installing custom applications not available in the App Store on user devices, such as beta versions or apps developed for internal corporate use. Attackers exploit these profiles to distribute apps that contain malware.
The installation process differed slightly from the usual procedure. Typically, in the App Store, you only need to tap Install once, but in this case, installing the fake TikTok required additional steps: downloading and installing a developer provisioning profile.
Installing an app from an unknown source on an iPhone
Naturally, this version of TikTok didn’t have any funny videos; it was just another store, similar to the Android version. While seemingly harmless, the iOS version requested access to the user’s gallery every time it launched — and that was the catch. This led us to discover a malicious module that sent images from the infected phone’s gallery, along with device information, to the attackers. We also found its traces in other Android applications. For the technical details of the story, check out our full report on Securelist.
Who’s at risk?
Our data shows that this campaign primarily targets users in Southeast Asia and China. That doesn’t mean, however, that other countries are beyond the reach of SparkKitty’s claws. The malware has been spreading since at least early 2024, and over the past year and a half attackers have likely considered upscaling their operation to other countries and continents. There’s nothing stopping them. What’s more, it’s not just the TikTok mod you should worry about; we’ve also found malicious activity inside various gambling and adult games, and even crypto-related apps.
If you think these attackers are just interested in admiring your vacation photos, think again. SparkKitty uploads each and every one of your snapshots to its command-and-control server. Those images could easily include screenshots of sensitive information like crypto wallet seed phrases, allowing these bad actors to steal your cryptocurrency.
How to protect yourself from SparkKitty
This Trojan spreads in many ways, and protecting yourself from every single one is a tough challenge. While the golden rule of “download apps from official sources only” still applies, we’ve found traces of this stealer in both Google Play and the App Store — places where apps are supposedly vetted and 100% safe. So what can you do about that?
We recommend focusing on securing your smartphone’s gallery. Naturally, the most foolproof method would be to never take photos or screenshots of sensitive information, but that’s virtually impossible nowadays. There’s a solution: store valuable photos in a secure vault. With Kaspersky Password Manager, you can only view and send protected, important photos after entering the main password, which only you know. Note that the protected content is not confined to just one device. The password manager can sync information between smartphones and computers. This includes bank-card data, two-factor authentication tokens, and anything else you choose to store in Kaspersky Password Manager – including your photos.
It’s also crucial to check your smartphone right now for any of the infected apps we’ve discovered; the extended list is available on Securelist. For Android, Kaspersky for Android can help with this — it’ll find and remove malware for you. On iPhone, due to the closed architecture of iOS, our security solution can’t scan for and delete previously installed infected apps, but it will prevent any attempts to send data to the attackers’ servers and warn you about them.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-23 08:06:402025-06-23 08:06:40SparkKitty: a new stealer in the App Store and Google Play | Kaspersky official blog
You’ve probably already seen the headlines “The biggest leak in human history”. The whole world is in uproar after Cybernews journalists found the logins and passwords to 16 billion accounts in the public domain — two for each inhabitant of the planet! What is this leak, and what do you need to do right now?
What’s the leak, and are my credentials there?
The original study says that the Cybernews team has been working on the topic since the beginning of the year, and in six months they’ve managed to collect 30 unsecured datasets that add up to 16 billion exposed login credentials. The largest chunk of data — 3.5 billion records — is related to the world’s Portuguese-speaking population; another 455 million records are related to Russia, and 60 million are “most likely” related to Telegram.
The database is built on the following principle: URL, followed by login and password. That’s it, nothing else. At the same time, it’s said that the data of users of all the giant services was leaked: Apple, Google, Facebook, Telegram, GitHub, etc. Surprisingly, it was passwords and not hashes that ended up in the hands of the journalists. In our study How hackers can crack your password in an hour, we detailed exactly how companies store passwords (spoiler: almost always in closed form using hashing algorithms).
The story pays special attention to the freshness of the data: journalists claim that the 16 billion doesn’t include the biggest leaks, which we wrote about on the Kaspersky Daily blog. The important question remains behind the scenes: “Where did the 16 billion freshly leaked passwords come from, and why has no one seen them except Cybernews?”. Unfortunately, the journalists haven’t provided any evidence of existence of this database. Therefore, neither Kaspersky’s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours – or anyone else’s – data is in there.
According to Cybernews, the accessing the entire database was possible through the use of stealers. This seems reasonable, since this is a threat that’s gaining momentum. According to our data, the number of detected password-theft attacks worldwide increased by 21% from 2023 to 2024. Attackers are targeting both private and corporate users.
What you need to do right now
First, let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing.
The first and best recommendation is to change your passwords. There are many options for creating a new password that’s difficult for hackers to crack but easy to remember. We covered this in detail in our post Creating an unforgettable password – have a read and choose any method you prefer.
Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard.
For example, if you’re a fan of the Harry Potter saga, you may try to use the Wingardium Leviosa charm for a good cause. Let’s try transforming this levitation charm according to the rule above while peppering it generously with special characters: Wi4ga/di0mL&vi@sa
Easy, right?
Store your passwords securely. The best solution is to use a special password manager. It will generate, securely store, and automatically fill in complex, hack-proof passwords on all your devices for you. You’ll only need to create and remember one main password, which will become a secure key to all other passwords, bank details, photos, and everything else that can be stored in Kaspersky Password Manager.
Set up two-factor authentication. Almost all popular services support 2FA in one form or another, and the presence of a second factor makes it much more difficult, if not impossible, to hack your account. Kaspersky Password Manager makes it easy to store and sync 2FA tokens, as well as generate one-time codes on either your smartphone or computer.
Remove saved passwords from browsers. Browsers are most often the culprit behind data breaches. Doubt it? Read our arguments in the article How to store passwords securely – there you’ll clearly see how hackers can swipe all the saved passwords from your browser in just a few seconds.
Protect your messenger accounts. For Telegram and WhatsApp we have a list of specific steps to take right now, before your account is hijacked.
Use passkeys wherever possible. This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others. Haven’t heard of this technology yet? Read the detailed description on our blog and follow the updates in our Telegram channel – next week we’ll tell you everything you wanted to know about passkeys: what kind of technology it is, how secure it is, who supports it, what are its advantages and disadvantages. And most importantly – we’ll give detailed step-by-step instructions on how to switch from insecure passwords to secure passkeys. And yes, you can also store, manage and sync passkeys using Kaspersky Password Manager.
What else do you need to know about passwords to avoid being hacked:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-20 12:06:482025-06-20 12:06:48The world’s biggest data breach: what should folks do? | Kaspersky official blog
Researchers have published technical details and a proof of concept (PoC) for vulnerability CVE-2025-6019 in the libblockdev library, which allows an attacker to gain root privileges in most Linux distributions. Exploitation of this vulnerability has not been observed in the wild as yet, but since the PoC is freely available, attackers could start exploiting it at any time.
Under what conditions can CVE-2025-6019 be exploited?
The libblockdev library is used for low-level operations with block devices (e.g., hard disks) in Linux. The CVE-2025-6019 vulnerability is exploited by accessing the udisks2 daemon (used to manage storage devices) — provided that the attackers manage to obtain the privileges of the active user present on the computer (allow_active).
Almost all modern popular Linux builds include udisks, and enthusiasts have already tested the exploitability of the CVE-2025-6019 vulnerability on Ubuntu, Debian, Fedora and openSUSE. In theory, only the user physically using the computer can have allow_active privileges. However, in reality, an attacker may have the means to obtain allow_active remotely.
For example, the researchers who discovered CVE-2025-6019 initially demonstrated it in the exploitation chain, where allow_active privileges are obtained through another vulnerability — CVE-2025-6018 — which is contained in the configuration of pluggable authentication modules (PAMs). CVE-2025-6018 is present in at least openSUSE Leap 15 and SUSE Linux Enterprise 15, but may be relevant for other distributions as well.
How to stay safe?
The teams responsible for the development of most popular Linux builds immediately started working on fixes for vulnerabilities. Patches for Uubuntu are ready. Users of other distributions are advised to keep an eye out for updates, and promptly install them as they’re released.
If the patch is not yet available for your Linux distribution, or you cannot install it for some reason, the Qualys experts who found the vulnerability recommend changing the setting allow_active of the polkit rule org.freedesktop.udisks2.modify-device from yes to auth_admin.
In addition, we recommend forgetting the myth that Linux doesn’t need additional security. It, like any other operating system, can be a target for a cyberattack, so it also needs protection .
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-19 17:06:492025-06-19 17:06:49CVE-2025-6019: time to upgrade Linux | Kaspersky official blog
Threat analysis is a complex task that demands full attention, especially during active incidents, when every second counts. ANY.RUN’s Interactive Sandbox is designed to ease that pressure with an intuitive interface and fast threat detection.
Our new feature, Detonation Actions, takes this further by highlighting detonation steps during analysis. When a specific action is needed to trigger the sample, like launching a file or clicking a link, it appears as a suggestion, so you know exactly what to do.
Detonation Actions work in both manual mode and with Automated Interactivity. Whether you’re investigating manually or running automated sessions, this guided mode reduces the time it takes to respond to threats and helps you catch the full scope of malicious behavior with minimal effort.
What Are Detonation Actions?
You can find the Actions tab next to the Processes tab
Detonation Actions are built-in hints in ANY.RUN’s Interactive Sandbox that guide users step-by-step through the threat analysis process. They are available in every sandbox session, for all users, and help make both manual and automated investigations clearer and more efficient.
Free Plan: You can see the suggested actions and follow them manually during your session.
Paid Plans: Track and manage each action performed by Automated Interactivity, including via API, for a fully automated, hands-free analysis with full transparency and control.
Speed up threat analysis in your SOC with ANY.RUN boost detection rate and extract IOCs for effective response
Before launching your analysis, you’ll now see a new “Auto” button during the VM setup phase. Clicking this button starts your session with Automated Interactivity enabled, which in turn activates the guided mode, powered by Detonation Actions.
Use the new “Auto” button for faster activation of Automated Interactivity
For your convenience, you can also enable the same feature manually by toggling “Automated Interactivity (ML)” in the “Additional settings” section above.
Automated Interactivity (ML) toggle enabled instead of using the “Auto” button
Once the session begins, you’ll notice Detonation Actions appear on the right side of the screen, next to the process tree. These hints show you exactly what steps have been or should be taken to trigger malicious behavior.
This gives you a clear picture of what was done, what triggered the threat, and how it unfolded, helping you detect malicious activity faster and respond more confidently.
In the manual mode, you can manually approve actions (by clicking the “Approve” button) or reject them (by clicking the “X” icon) for each suggested step.
You can trigger actions by clicking the Approve button
Automated Interactivity handles the actions for you; no manual approval needed.
Thanks to Detonation Actions, you get a guided analysis flow that improves detection and drastically cuts down your time to respond.
How Detonation Actions Help Analysts
Automated Interactivity
Boosts detection rate by ensuring no critical actions are missed during analysis thanks to predefined, expert-crafted hints.
Visualizes critical detonation steps, showing which actions were performed or recommended during the analysis.
Frees up analyst time by automating routine tasks, so they can focus on more complex investigations while maintaining high detection quality.
Manual Analysis
Helps uncover hidden threats by suggesting actions tailored to detonate specific malware types.
Simplifies investigations with interactive hints like “Running this executable” or “Following this link.”
Some of the Actions include launching a file from a Registry key and Task Scheduler
Streamlines analysis of specific samples, for instance, by opening URLs in QR codes directly inside the analysis sessions.
Improves accessibility by making manual analysis more intuitive for SOC analysts at any skill level.
Speeds up decision-making through a clearer workflow and real-time actionable guidance.
See It in Action: Detonation Actions + Automated Interactivity in a Real Sample
Let’s walk through how Detonation Actions work in a real scenario using an .exe file and Automated Interactivity.
To start, we upload the .exe file and simply click the “Auto” button during the VM setup phase. This launches the sandbox session immediately with Automated Interactivity and Detonation Actions.
As the session begins, we can see Detonation Actions popping up quickly in the right corner of the screen. These actions, such as “Launching a file from Task Scheduler” or “Extracting a file from an archive”, are automatically executed, moving the analysis forward without any manual intervention.
Detonation Actions approved automatically
At the same time, the Processes section started populating with detailed insights, showing each spawned process along with associated tactics, techniques, and indicators.
Tree of processes displayed along with Detonation Actions
This combination, automated execution + guided visibility, gives analysts a powerful advantage: a complete behavioral picture of the malware, without delays or missed steps. It’s fast, structured, and built for clarity.
How SOCs and Businesses Benefit from It
The introduction of Detonation Actions brings clear, measurable value to security teams and businesses by improving both the speed and quality of threat analysis.
Simplifies and accelerates threat analysis Makes threat analysis easier and faster for SOC teams at any level, saving time, reducing manual effort, and boosting overall productivity.
Improves data handover between SOC Tiers Enhances the quality of data transfer from Tier 1 to Tier 2 analysts through detailed, action-based reports, ensuring critical insights are passed along clearly and efficiently.
Enables faster incident response Streamlines triage by automating key steps in the response process, reducing time to detect and respond to threats, and minimizing potential impact.
Boosts employee training and onboarding Helps junior analysts learn faster thanks to clear, guided hints, shortening the learning curve and allowing them to contribute to investigations sooner.
Supports smarter decision-making Empowers team members with more context and clearer behavioral evidence, helping them make faster, more confident decisions during investigations.
Integrates easily into automation workflows Works seamlessly with automated triage and incident response setups, maintaining high detection rates while reducing manual overhead.
Ready to Try It Yourself?
Detonation Actions are built to make your job easier, whether you’re triaging a live threat or onboarding a new team member. You get expert guidance, faster detection, and a clearer view of what malware is really doing.
Start your next investigation with ANY.RUN’s guided mode and see how much smoother analysis can be.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Welcome to this week’s edition of the Threat Source newsletter.
June 9 was Whit Monday — a bank holiday here in Germany — so I decided to take the whole week off. It turned out to be the perfect opportunity to try out a brand new car. Little did I know, I was about to get a crash course in modern vehicle technology (and a few unexpected life lessons).
There’s an EU regulation that requires new cars to come equipped with “Advanced Vehicle Systems,” which include features like driver drowsiness and attention warnings, lane-keeping systems and intelligent speed assistance. I hadn’t swapped cars in over a decade, so I was blissfully unaware of just how intrusive these systems could be.
While I generally appreciate technology that makes our life safer, these features gave me a tough time. The car seemed to beep at me constantly, so much so that the beeping itself became a distraction. Instead of focusing on the road, I found myself trying to decipher what each alert meant. After a few kilometers, I had to pull over and consult the manual just to figure out how to disable these “helpful” assistants.
Problem solved? Not quite. Every time I turned off and restarted the car, the systems re-enabled themselves. Disabling the lane-keeping assistant was just a button press, but turning off the “intelligent” speed assistant required a convoluted sequence: six menu clicks, a long press then a short click. I had to dig out the manual every time.
You might think I’m just cutting corners, or that I should pay better attention to speed limits. But here’s the thing: Technology fails, and these systems are no exception. Sometimes the cameras miss speed signs, or worse, pick up the wrong ones. I’ve read about people putting stickers on their windshields to block the camera, only to discover the system then falls back to GPS data, which can be outdated or just plain wrong. On one occasion, it thought a car was on a 50 km/h road when the person was actually on the Autobahn directly next and parallel to the road, which famously has no speed limit.
Some drivers try to muffle the alerts by gluing the speaker, but in modern cars, the system also lowers the radio volume to make sure you hear the alarm. Pulling the fuse would disable the emergency brake, too — not something I’m willing to risk, regardless of how insurance would feel about it.
I ended up learning two important lessons that week. The first was technical: I dove into the world of Controller Area Network (CAN) bus wiring, protocols, network gateways and tools like SavvyCAN to understand how these systems work… and maybe how to disable a few, purely for educational purposes.
The second lesson hit me later, and it was more personal. In my job, I often preach about deploying multi-factor authentication (MFA) everywhere. My focus has always been on keeping out the bad guys, not on the user experience. I never understood why anyone would use apps to automatically accept authentication pushes — it seemed crazy to me. But after a a few days with the car, I finally saw things from the user’s perspective. Security tools can’t just be effective; they also have to be easy to use. Reducing friction, like using single sign-on or minimizing unnecessary clicks, matters just as much. Users also need to understand why these barriers are in place.
Tomorrow is another holiday. Maybe I’ll spend it exploring Kali Linux 2025.2 and the latest CARsenal tools (formerly CAN Arsenal). Who knows? I might just tap a wire or two — for educational purposes only, of course.
The one big thing
Cisco Talos has discovered that the North Korean-aligned threat actor Famous Chollima has been actively targeting cryptocurrency and blockchain professionals (primarily in India) through sophisticated phishing campaigns. Previously known for using the GolangGhost trojan, they’ve now introduced a Python-based variant called PylangGhost, which retains the same capabilities. Recent campaigns have targeted Windows users with the Python version, while MacOS users are still being hit with the Golang-based variant.
Why do I care?
Even if you’re not in the cryptocurrency or blockchain space, this campaign highlights how threat actors are constantly evolving their tools. It’s a reminder that no matter how niche or localized an attack might seem, the techniques could easily be adapted to broader campaigns. Plus, if attackers succeed in these targeted efforts, stolen credentials could ripple across networks and platforms globally.
So now what?
Take this as your cue to double-check your defenses. Ensure your organization’s security tools can detect Python and Golang-based malware, and educate your teams on recognizing phishing attempts, especially fake job offers. Stay proactive by monitoring emerging threats like PylangGhost, because even if you’re not the target today, tomorrow isn’t a guarantee.
Top security headlines of the week
AI Scraping Bots Are Breaking Open Libraries, Archives, and Museums AI bots that scrape the internet for training data are hammering the servers of libraries, archives, museums and galleries, and are in some cases knocking their collections offline. (404 Media)
Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web Hackers leaked the personal data of 7.4 million people in Paraguay on the dark web. A cybercriminal group called “Cyber PMC” demanded $7.4 million, blaming government corruption and poor security. (Security Affairs)
Trend Micro fixes critical vulnerabilities in multiple products Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities. (Bleeping Computer)
Can’t get enough Talos?
When legitimate tools go rogue From LOLBins to open-source utilities like DonPAPI, threat actors are leveraging legitimate tools to evade detection and carry out attacks. Read the blog here.
Microsoft Patch Tuesday for June 2025 Microsoft released its monthly security update last week, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-18 18:06:372025-06-18 18:06:37A week with a “smart” car
Editor’s note: The current article is authored by Clandestine, threat researcher and threat hunter. You can find Clandestine on X.
Threat actors today are continuously developing sophisticated techniques to evade traditional detection methods. ANY.RUN’s Threat Intelligence Lookup offers advanced capabilities for threat data gathering and analysis. As a specialized search engine, it allows security analysts to query various indicators of compromise (IOCs), behaviors (IOBs), and attacks (IOAs), providing valuable insights into real-world malware activity observed in sandboxed environments.
We shall review several advanced threat hunting techniques using ANY.RUN’s TI Lookup to provide cybersecurity researchers and threat intelligence analysts of SOC and MSSP teams with effective strategies to identify and analyze various types of threats.
Threat Intelligence Lookup Key Capabilities
Threat Intelligence Lookup provides analysts with access to a vast malware database topped up by over 500,000 users of the Interactive Sandbox, including 15,000 corporate SOC teams. A single search request can deliver hundreds of relevant analysis sessions, malware samples, or indicators for further research and refining the results with more specific queries.
Besides the ability to instantly get a verdict and context on a potential indicator of compromise, TI Lookup offers a number of functions that enable effective threat hunting and analysis:
IOC Lookups: Detailed searches of various indicators of compromise, including IP addresses, file hashes, URLs, and domain names.
Behavioral Lookups: Beyond traditional IOCs, the service enables searches based on behavioral indicators, such as registry modifications, process activities, network communications, and mutex creations. It is particularly effective for identifying unknown or emerging threats that may not have established IOCs.
MITRE Techniques Detection: The incorporation of the MITRE ATT&CK framework allows analysts to search for specific tactics, techniques, and procedures (TTPs) used by threat actors. This capability facilitates a more structured and comprehensive approach to threat hunting.
File/Event Correlation: The ability to correlate files and events helps analysts identify relationships between different components of an attack and understand the broader context of malicious activities.
YARA-based Threat Hunting: This capability allows for highly specific searches based on file characteristics and patterns.
Wildcards and Logical Operators: The search supports various wildcards and logical operators for the construction of complex and precise queries.
The sophisticated query syntax of Threat Intelligence Lookup supports over 40 parameters, allowing for highly specific and contextualized searches. The basic structure of a query typically includes a parameter, a colon, and a value, often enclosed in quotation marks (e.g., submissionCountry:”us” ).
Logical operators play a crucial role in constructing effective queries:
The AND operator requires both conditions to be true.
The OR operator requires at least one condition to be.
The NOT operator excludes results that match a specific condition.
Parentheses can be used to group conditions and establish precedence.
Wildcards and special characters enhance the flexibility of queries:
The asterisk (*) represents any number of characters.
The question mark (?) represents a single character.
The caret (^) matches the beginning of a string.
The dollar sign ($) matches the end of a string.
The search parameter set covers various aspects of threat analysis, including file properties (e.g., fileExtension, filePath), process activities (e.g., commandLine, imagePath), network communications (e.g., destinationIp, URL), registry operations (e.g., registryKey, registryValue), and threat classifications (e.g., threatName, threatLevel).
Key Tasks Solved by Threat Intelligence Lookup
Threat Intelligence Lookup is used by security teams worldwide to detect, prioritize, and contain threats faster. With TI Lookup, your SOC can:
Speed Up Incident Response: Flexible queries across 40+ IOCs, IOAs, and IOBs with 2-second response times and exclusive indicators enable SOC teams to quickly investigate and mitigate incidents, slashing Mean Time to Respond (MTTR) and minimizing damage.
Enhance Alert Triage with Contextual Insights: An extensive database of indicators on the latest attacks provides analysts with quick insights into any artifact, letting them enrich alerts, pin them to threats, and prioritize critical incidents.
Accelerate Threat Detection and Containment: Query Updates subscriptions and proactive searches using network artifacts help uncover hidden threats, allowing SOC teams to detect, escalate, and mitigate attacks early, preventing spread and protecting business operations.
Uncover critical threat context for faster triage and response with ANY.RUN’s Threat Intelligence Lookup
Now let’s see how this architecture works on a number of hands-on use cases of peculiar threat hunting tasks.
1. Country-based Threat Detection
Geographic analysis of threats provides valuable insights into the origin and distribution of malicious activities. ANY.RUN’s TI Lookup enables country-based threat detection through the submissionCountry parameter, which can be combined with other parameters to create highly specific queries. Many organizations that employ TI Lookup in their SOC, utilize this feature.
Geographic threat analysis typically involves identifying submissions from specific countries and filtering them based on threat levels, threat names, or behavioral indicators. This approach helps security analysts understand regional threat landscapes, identify country-specific attack campaigns, and establish geopolitical context for observed threats.
Several example queries demonstrate the application of country-based threat detection.
The query below targets phishing attacks originating from Brazil. By combining the submissionCountry parameter with the threatName parameter, it focuses on a specific type of threat within a geographic context.
Samples of phishing added to the Sandbox by users from Brazil
This approach helps identify regional trends in phishing campaigns, which may target local institutions or use language-specific social engineering techniques.
The next identifies malicious submissions from India that involve PowerShell commands. It combines geographic filtering with a behavioral indicator and threat classification, providing a more comprehensive view of specific attack methodologies within a regional context.
Malicious samples from Indian users containing PowerShell commands
This approach is particularly valuable for identifying sophisticated attacks that leverage legitimate system tools like PowerShell.
Country-based threat detection can be further enhanced by analyzing temporal patterns, comparing threat distributions across different regions, and correlating geographic data with other threat indicators. This multidimensional approach provides a more comprehensive understanding of the global threat landscape and helps security teams prioritize their defensive efforts based on regional risk profiles.
2. MITRE Technique-Focused Queries
TI Lookup incorporates this framework through the MITRE parameter, enabling highly specific searches based on known attack techniques.
Command and Script Execution (T1059)
Command and script execution involves the use of command-line interfaces or scripting languages to execute commands, scripts, or binaries. This technique is commonly used by threat actors for various purposes, including initial access, execution, and persistence. The following query targets this technique:
Endpoint events with script and application calls linked to malware samples
Here we identify submissions that exhibit command and script execution behavior, as defined by the MITRE technique T1059, and involve either PowerShell commands or the Microsoft HTML Application Host (mshta.exe). The combination of the MITRE parameter with specific command-line or image path indicators provides insights into how threat actors leverage legitimate system tools for malicious purposes.
TI Lookup returns hundreds of relevant results, including numerous sandbox sessions
This example also gives us a representation of TI Lookup’s search volume and comprehensiveness: it can deliver hundreds and thousands of relevant malware samples, indicators, artifacts, and other types of data. An analyst can limit and refine the search employing the parameters and setting, for instance, changing the search period (circled on the screenshot) from the minimum of one day to the maximum of 180 days.
Registry-Based Persistence (T1547)
Registry-based persistence involves modifying the Windows Registry to ensure that malware runs automatically when the system starts or when specific conditions are met. This technique is commonly used by threat actors to maintain access to compromised systems. The following query targets this technique:
Search results for malware changing Windows registry
This query identifies submissions that exhibit registry-based persistence behavior, as defined by the MITRE technique T1547, and specifically target the Run key in the Windows Registry. This key is commonly used for persistence, as any executable listed here will run automatically when a user logs in.
Advanced MITRE Correlation
Advanced threat hunting often involves correlating multiple MITRE techniques to identify sophisticated attack patterns. The following query illustrates this approach:
Malware strains and types combining several attack techniques
This query identifies submissions that exhibit three distinct MITRE techniques: process injection (T1055), registry-based persistence (T1547), and system information discovery (T1082).
The correlation of these techniques suggests a sophisticated attack that injects code into legitimate processes, establishes persistence through registry modifications, and attempts to collect information about the system.
MITRE technique-focused queries can be further enhanced by incorporating additional parameters related to file properties, network communications, or threat classifications. This multidimensional approach provides a more comprehensive understanding of how specific techniques are implemented in real-world attacks and helps security teams develop more effective detection and mitigation strategies.
3. Obfuscated File Behavior Detection
Obfuscation is a common technique used by malware authors to hide malicious code and evade analysis. ANY.RUN TI Lookup enables the detection of various obfuscation techniques through specialized queries that focus on file behaviors and characteristics.
Executables in Non-Standard Directories
Malware often places executable files in non-standard directories to avoid detection and blend in with legitimate system files. The following query targets this behavior:
Samples with executable files in directories except for the queried
This query identifies executable files (.exe) that are not located in the standard Windows or Program Files directories. The combination of the fileExtension parameter with negative conditions for standard file paths helps security analysts identify potentially suspicious executables that may be attempting to hide in unusual locations.
Script-Based Obfuscation
Script-based obfuscation involves the use of scripting languages to hide malicious code or execute obfuscated commands. The following query targets this behavior:
This query identifies JavaScript (.js) files that execute PowerShell commands (you can also search for other script types, like Visual Basic Script (.vbs) files). This pattern is commonly observed in multi-stage attacks where script files are used as initial droppers that subsequently execute obfuscated PowerShell commands. The combination of file extension parameters with command-line indicators helps security analysts identify and analyze this obfuscation technique.
4. Persistence and Mutex Creation
Persistence mechanisms and mutex creation are common techniques used by malware to maintain access to compromised systems and ensure that only one instance of the malware is running at a time.
Mutexes can be explored with the aid of Object parameters:
This query identifies submissions that contain a mutex (a synchronization object often used by malware to ensure single-instance execution) with the name “rmc”. TI Lookup provides numerous analysis results, demonstrating that this mutex belongs to the Remcos trojan.
This approach helps security analysts identify sophisticated malware based on artifacts found in system logs. Further analysis of persistence and mutex creation can involve examining the specific values written to registry keys, analyzing the naming conventions of mutexes, and correlating these indicators with other malicious behaviors.
5. Domain Generation Algorithm (DGA) Detection
Domain Generation Algorithms (DGAs) are techniques used by malware to dynamically generate domain names for command and control (C2) communication. This approach helps malware evade detection and blocking by constantly changing the domains used for communication. ANY.RUN TI Lookup enables the detection of DGA-based malware through specialized queries that focus on domain characteristics and communication patterns.
Random TLD with Active Communication
DGA-generated domains often use uncommon or cheaper top-level domains (TLDs) to reduce costs and avoid detection. The following query targets this behavior:
Domains utilizing cheap-TLD domains found across analyses of malicious samples
This query identifies malicious submissions that communicate with domains using the .top or .xyz TLDs over HTTP (port 80) or HTTPS (port 443). These TLDs are relatively inexpensive and are commonly used in DGA implementations. The combination of domain name patterns, communication ports, and threat classification helps security analysts identify potential DGA-based malware.
Domain Name Patterns
This query identifies submissions that communicate with domains deployed on Cloudflare Workers. This is a common way for attackers to host phishing pages:
Malware of known families that abuses legitimate CDN services
This query identifies submissions associated with RedLine or Lumma malware families that communicate with any domain resolved to Cloudflare’s infrastructure. These malware families are known to use DGAs, and the correlation with Cloudflare ASN (Autonomous System Number) may indicate attempts to hide behind legitimate CDN services. This approach helps security analysts identify specific malware families that employ DGAs for C2 communication.
DGA detection can be further enhanced by analyzing temporal patterns of domain generation, examining the linguistic characteristics of generated domains, and correlating domain communications with other malicious behaviors.
6. Malware Family Behavior Queries
Different malware families exhibit distinct behavioral patterns that can be used for identification and analysis. ANY.RUN TI Lookup enables the detection of specific malware families through queries that target their characteristic behaviors.
Formbook
Formbook is a data-stealing malware that captures screenshots, logs keystrokes, and steals data from web browsers.
Sandbox analyses of fresh Formbook samples found via TI Lookup
This query identifies submissions explicitly classified as Formbook or exhibiting behaviors characteristic of this malware family, including process injection (MITRE T1055) combined with Run registry modifications and executable files, or communication with PHP endpoints using specific content types. These indicators collectively provide strong evidence of Formbook activity.
AsyncRAT
AsyncRAT is a remote access trojan that provides attackers with full control over infected systems.
This query identifies submissions explicitly classified as AsyncRAT or exhibiting behaviors characteristic of this malware family, including the use of mshta.exe or PowerShell.
Malware family behavior queries can be further enhanced by incorporating additional indicators specific to each family, analyzing temporal evolution of behaviors, and correlating family-specific indicators with broader threat intelligence. This comprehensive approach provides deeper insights into malware family behaviors and helps security teams develop more effective detection and mitigation strategies.
7. Thematic Search Query Updates
TI Lookup lets you subscribe to receive updates on your custom search queries. For example, you can focus on specific malware families, enabling more efficient and targeted threat hunting.
Credential Stealers
Credential stealing is a common objective for various malware families. The following query targets three popular credential stealers Redline, Lumma, and Formbook that access the Security Account Manager (SAM) registry key, which stores user account information.
You can subscribe to query updates via the bell icon on the right
By subscribing to this query, we’ll receive updates each time new search results become available in TI Lookup. This thematic approach helps security analysts focus specifically on threats targeting credentials, regardless of the specific malware family involved.
Conclusion
We have reviewed a number of advanced threat hunting techniques using ANY.RUN TI Lookup.
Through detailed exploration of various query methodologies, including country-based threat detection, MITRE technique-focused queries, obfuscated file behavior detection, persistence mechanisms, domain generation algorithm detection, and malware family behavior analysis, the research demonstrates the power and flexibility of query-based threat intelligence in modern security operations.
The correlation of different indicators through logical operators and grouping enhances detection precision and reduces false positives, allowing security analysts to focus their efforts on the most relevant threats.
By focusing on specific threat categories and leveraging advanced query techniques, security teams can develop more efficient and effective threat detection strategies.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup—were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m.
Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller.
Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.
This story is a compartmentalized version of something we’re seeing more and more often in Cisco Talos Incident Response engagements: Rather than inventing their own tools, attackers are making use of familiar, legitimate software — just with a very different purpose.
What exactly are LOLBins?
A big part of this trend revolves around “living off the land binaries,” or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities.
They’re especially concerning because they’re already installed, trusted, and frequently used for normal IT tasks, making them difficult to detect or block without disrupting operations.
Defenders can reference the “Living Off The Land Binaries, Scripts and Libraries” or LOLBAS project, which maintains a list of known LOLBins on GitHub.
But it’s not just LOLBins…
LOLBins were used often across Talos IR engagements in 2024, but we actually saw a wider variety of commercial and open-source tools used as well. Threat actors likely gravitate towards these because they can choose which tools best suit their needs best (or which commercial tools will blend into the victim environment).
Take DonPAPI, for example. This is an open-source tool observed in several recent Talos IR engagements that automates credential dumping remotely on multiple Windows computers. It locates and retrieves Windows Data Protection API (DPAPI) protected credentials, a process also known as “DPAPI dumping.” DonPAPI searches for certain files, including Wi-Fi keys, RDP passwords and credentials saved in web browsers, to help authenticate and move laterally to identify other assets in the environment.
From an identity perspective, open-source tools like DonPAPI pose a significant risk to organizations based on their wide availability on code repositories like GitHub and their ease of installation.
Legit tool, suspicious intent
Here’s how this plays out in the field, using the top three examples of most used tools as observed in Cisco Talos’ 2024 Year in Review:
These tools weren’t built for attackers, but they’ve become some of the most common ingredients in ransomware and advanced persistent threat (APT) campaigns.
In a recent episode of The Talos Threat Perspective, one of our senior Talos IR consultants spoke about tools that were created for legitimate purposes (e.g., HRSword, REMCOS RAT and Cobalt Strike), but played a large part in the ransomware engagements investigated by Talos IR in 2025.
Remote Access Management tools
Lately, Talos has seen an increase in the use of remote monitoring and management (RMM) tools during attacks — the same kind of software IT teams and managed service providers rely on to access systems remotely. These tools are designed for legitimate use, but in the wrong hands, they become a stealthy way to maintain persistence on compromised systems without raising alarms.
One colleague shared a story that stuck with me: In some incidents, the attackers showed up with an entire toolkit of RMM software, testing each one to see which would slip through unnoticed (or not get blocked). Often, they’d use exactly the same tools already trusted by the target or their service provider, such as ScreenConnect or AnyDesk.
It’s like they arrived at the front door with a ring full of keys, trying each one until something clicked. And when the tool they use is something the environment already knows — already trusts — the question becomes: how do you spot the intruder when they’re using your own keys?
How do you detect something that looks normal?
Let’s go back to Elena. Her team stopped the attack not just because of the alert, but because they knew what should be running on that workstation. They had clear asset inventories and network behavior baselines, and they conducted continuous anomaly monitoring.
That’s really the heart of what works best when it comes to detecting these types of attacks:
Asset management: Know what’s installed and where. Know who owns what assets and what high-privileged accounts are for.
Behavioral baselining: Understand what “normal” looks like.
Continuous monitoring: Configure detections to catch known TTPs and subtle deviations from baselines.
Threat intel alignment: Use current trends like the DonPAPI surge to inform what you log and watch for. Talos’ blog and IR reports are great resources to keep up with industry trends.
Bottom line
Whether it’s PsExec, DonPAPI or TeamViewer, attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations.
Detecting malicious use of legitimate tools isn’t just about recognizing what’s running. It’s about asking why it’s running.
Sometimes, the only difference between a routine operation and a breach is the analyst who stopped to ask: “Why was that tool running at 2:13 a.m.?”
In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities.
In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns.
The attacks are targeting employees with experience in cryptocurrency and blockchain technologies.
Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users.
Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.
Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns.
In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.”
Fake job interview sites mislead users to PylangGhost infection
Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.
This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application.
Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.
Figure 1. Examples of initial fake job sites.
Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.
Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.
Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button.
Figure 3. A camera setup page displayed once questions are answered.
Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.
Figure 4. Windows instructions to copy, paste and execute a malicious command. Figure 5. MacOS instructions to copy, paste and execute a malicious command.
Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.
Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.
PylangGhost – Python variant of GolangGhost
As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.
The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run.
Figure 7. The first stage simply unzips a Python distribution library and launches the RAT.
PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable.
The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.
Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server
The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.
The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.
Command
Functionality
qwer
COMMAND_INFORMATION – collect information about the infected system, username, OS version etc
asdf
COMMAND_FILE_UPLOAD – file upload
zxcv
COMMAND_FILE_DOWNLOAD – file download
vbcx
COMMAND_OS_SHELL – launch an OS shell for remote access and control of the infected system
ghdj
COMMAND_WAIT – sleep for a number of seconds specified by the C2 server
r4ys
COMMAND_AUTO – browser information stealing command
89io
AUTO_CHROME_GATHER_COMMAND – subcommand of the browser information stealer command
gi%#
AUTO_CHROME_COOKIE_COMMAND – subcommand of the browser information stealer command
dghh
COMMAND_EXIT
Table 1. Commands and functionalities.
The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.
“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.
Finally, “util.py” handles the compression and decompression of files.
Comparison of Python and Golang modules
To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.
Module
Python name
Golang name
Main function module
nvidia.py
cloudfixer.go
Configuration module
config.py
config/constans.go
Main command loop
nvidia.py
core/loop.go
Command handlers
command.py
core/loop.go
Browser Stealer functionality
auto.py
auto/* modules
File compression
util.py
util/compress.go
Base64 message encoding
command.py
command/stackcmd.go
Duplicate process check
nvidia.py
instance/check.go
Communications protocol
api.py
transport/htxp.go
Table 2. Comparison of Python and Golang RAT module names.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-18 10:06:402025-06-18 10:06:40Famous Chollima deploying Python version of GolangGhost RAT
It usually starts with something small: an app download, a strange text message, a tap on the wrong link. But when that device is also connected to company email, Slack, or cloud storage, it’s no longer just a personal problem.
Android malware has become a serious risk for businesses. Attackers know mobile devices are often the easiest way into a company’s internal systems, and they’re getting better at using that to their advantage.
Let’s take a closer look at why businesses are exposed, the kinds of risks these attacks create, and why it’s worth addressing them before they hit you first.
When Phones Become Attack Vectors against Businesses
Here are some of the most common and dangerous ways Android malware can put your business at risk:
1. Employee Devices with Work Access Get Infected
Personal phones are often used to check work emails, join internal chats, or access shared drives. If an employee installs a malicious app or clicks a phishing link, malware can sneak in and quietly start stealing data without triggering corporate security alerts.
2. Compromised MFA and Authenticator Apps
Many employees use their phones for two-factor authentication. If malware gains access to these apps, it can intercept or extract one-time codes, letting attackers bypass logins that were supposed to be protected.
3. Phishing Through Messaging Apps
Attackers are getting smarter about how they deliver malware. A casual-looking message via SMS, WhatsApp, or Telegram can include a link that installs malware or tricks someone into giving away credentials.
4. Sideloaded Apps from Untrusted Sources
While Google Play has basic protections, sideloaded apps don’t. If an employee downloads something from a third-party site, it could be hiding spyware, screen recorders, or backdoors that give attackers long-term access.
5. Malware Reaching Into Cloud Drives
If a compromised phone is synced with cloud services like Google Drive or OneDrive, attackers may gain access to shared folders filled with contracts, reports, or customer data.
Real-World Android Malware Attacks That Hit Businesses
The risks of Android malware aren’t hypothetical. They are already out there, actively targeting mobile users. Let’s take a closer look at how these threats operate and what they look like when analyzed inside a safe environment of ANY.RUN’s Interactive Sandbox.
Protect your company against malware and phishing with proactive analysis in ANY.RUN’s Interactive Sandbox
Salvador Stealer: Fake Banking App That Collects Sensitive Data in Real Time
Some Android malware doesn’t need advanced tricks to be effective; it just needs to look trustworthy. Salvador Stealer is a perfect example. Masquerading as a legitimate banking app, it lures users into handing over their most sensitive information, then quietly sends it off to the attacker.
At first glance, it looks like just another banking app. But once launched, Salvador Stealer kicks off a multi-stage attack designed to harvest personal and financial data. Inside the sandbox, the full scope of its behavior becomes immediately clear; everything from fake interfaces to live credential theft is laid bare.
Here’s what we observed inside ANY.RUN’s Android sandbox:
The APK drops a second payload (base.apk), which acts as the real data stealer.
The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity
A phishing-style login page embedded in the app tricks users into entering Aadhaar numbers, PAN cards, banking credentials, and more.
The interface of the fake banking app displayed inside ANY.RUN Android sandbox
As soon as data is entered, it’s exfiltrated in real time, sent simultaneously to a phishing site and a Telegram bot.
Stolen data sent to phishing site
SMS access is abused to intercept OTPs, allowing the attacker to bypass MFA protections.
ANY.RUN sandbox exposes how attackers monitor and intercept incoming messages
If the app is stopped or the device is rebooted, it restarts automatically, making removal difficult without deeper system access.
Business Impact: How This Threat Could Compromise Financial Operations
When malware like Salvador Stealer slips onto an employee’s phone, it doesn’t only steal personal information but can also open the door to your company’s financial systems.
If that employee has access to payroll platforms, vendor payment portals, or internal banking credentials, the attacker could:
Extract login tokens or session cookies from financial apps
Capture 2FA codes via SMS interception to bypass login security
Impersonate the employee and initiate unauthorized transactions
Use stolen identity data (like PAN or Aadhaar) to access linked accounts
Exfiltrate sensitive data synced with corporate drives or mobile finance apps
Even worse, because Salvador uses multiple exfiltration channels and persistence mechanisms, it can continue collecting and forwarding data long after the initial infection without triggering most mobile security alerts.
Analyze sensitive files and URLs in a private sandbox to detect threats early and avoid incident escalation
SpyNote: Remote Access Malware That Turns Phones into Listening Devices
SpyNote is a remote access trojan (RAT) designed to turn infected phones into full-on surveillance tools. Disguised as a legitimate app, it silently gains deep access to the device and starts recording, tracking, and exfiltrating everything in the background.
Once installed, SpyNote immediately requests Accessibility Service permissions, a common trick to quietly escalate privileges. That one tap is all it needs. From there, it clicks through remaining prompts on its own, granting itself dangerous capabilities without alerting the user.
Permissions requested inside ANY.RUN sandbox
Now the attacker can activate the microphone and cameras, record calls, track GPS location, and access contacts, files, and SMS, all silently.
Audio capture technique exposed by interactive sandbox
To see all the tactics and techniques used in this attack, you can click the “ATT&CK” button in the top-right corner of the ANY.RUN sandbox session. This instantly maps every malicious action to the MITRE ATT&CK framework, giving your team a clear breakdown of the attacker’s behavior, connected directly to the processes that triggered them.
MITRE ATT&CK techniques used by attackers
Business Risk: Surveillance on Corporate Phones
SpyNote’s goal isn’t only to steal but also to observe. When installed on a phone used for work, the risks escalate fast.
Think of what could be exposed:
Internal meetings recorded via microphone
Conversations in HR or legal teams captured via keylogs or screenshots
GPS-tracked business travel or client visits
Shared files, documents, and client data pulled from storage
2FA codes intercepted and forwarded to attackers
The stealthy nature of SpyNote means an infected phone might remain under attacker control for weeks, gathering intelligence, watching operations, and quietly spreading further into your network.
How ANY.RUN Helps You Detect and Respond Faster
As you’ve seen with Salvador Stealer and SpyNote, Android malware can be stealthy, persistent, and devastating. These two samples used different methods, phishing, privilege escalation, surveillance, but both were fully exposed inside ANY.RUN’s interactive sandbox.
By analyzing malware in a real Android environment, ANY.RUN helps security teams see the full picture quickly and clearly. Instead of sifting through logs or relying on static reports, you can observe how threats behave in real time and understand their true intent in minutes.
Here’s what that means for your business:
Faster incident response: Spot and contain threats before they escalate into breaches or downtime
Smarter decision-making: Understand the risk level and prioritize based on actual behavior, not guesses
Clear communication: Visual reports and mapped behavior make it easier to explain threats to leadership or compliance teams
Reduced investigation time: Automatically extract IOCs and behavioral data that would take hours to collect manually
Stronger mobile security posture: Detect threats that specifically target mobile workflows, BYOD environments, and remote access apps
ANY.RUN shows you what malware does and helps you act on it faster, defend your organization more effectively, and avoid costly consequences.
Final Thoughts: Mobile Threats Need Real-Time Visibility
Android malware is a growing threat to business continuity, security, and trust. From stolen credentials to full-device surveillance, these attacks demand more than traditional defenses.
With ANY.RUN, your team can uncover malicious behavior in real time, trace how it works, and act before it spreads.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-17 13:06:402025-06-17 13:06:40Why Businesses Are at Risk of Android Malware Attacks and How to Detect Them Early
In today’s world, staying connected isn’t just a habit — it’s a necessity. We’re used to sharing beach photos on social media, keeping in touch with loved ones across time zones, and handling work from anywhere. All of this is possible if your smartphone has a reliable internet connection.
For years, the main barriers to seamless connectivity abroad were high roaming costs and the hassle associated with physical SIM cards, which you had to find, buy, activate, figure out how to top up, and swap out — risking losing your primary one in the process. With the invention of eSIMs (embedded digital SIM cards) — supported by most modern smartphones — the fuss with physical SIMs became a thing of the past. However, you still had to find a suitable, usually single-use, eSIM for the specific region you were visiting, and do it all over again for each trip.
The new Kaspersky eSIM Store is a game-changer for mobile internet, providing a simple way to find, pay for, and activate available mobile-data plans from local carriers worldwide. What’s more, you won’t have to buy and activate a new eSIM every time. Once you install it, you can use it indefinitely, connecting to data plans for different regions with the amount of data you need through a user-friendly app or website. Plus, with non-expiring Kaspersky eSIM Store plans, the mobile data you paid for doesn’t expire, which means any unused GBs will be there for you for your next trip. Let’s dive into the details…
What’s an eSIM?
First, let’s refresh our memory (or learn for the first time) what an eSIM — embedded SIM — is, and how it differs from traditional physical SIM cards.
Every cell phone has one or more slots for mini, micro, or nano-SIM cards. This small piece of plastic with contacts and a chip — essentially a microcomputer — stores GSM identification keys, which the given network uses to identify the subscriber. The SIM card can also store your contacts, SMS messages, lists of incoming, outgoing, and missed calls, as well as pre-installed carrier apps. However, the memory capacity of SIM cards is usually small, which limits their functionality.
But why not extract the chip from the plastic and install it into the phone directly? That’s exactly how eSIMs emerged in 2016. The data identifying the subscriber is no longer hardwired into the SIM card’s chip during manufacturing. Instead, it’s transmitted by the carrier to the subscriber in encrypted form and written to the eSIM on their device. Thanks to its larger memory capacity, an eSIM can store multiple carrier profiles, so you can have several virtual SIMs in your phone at once.
This doesn’t mean they’ll all work simultaneously, though. Most often, you can store multiple profiles and switch between them, but the upside is you don’t have to fiddle with swapping tiny pieces of plastic and risk losing them. Depending on the smartphone, one or more profiles can be active simultaneously.
What almost all modern smartphones allow you to do is choose which SIM to use for voice calls and text messages, and which for data. And this is one of the main advantages of eSIMs. To avoid huge roaming bills for mobile internet, you install Kaspersky eSIM Store on your smartphone, select your travel country or region, the plan type — either with a time limit or non-expiring — and the amount of data you need, then buy and activate the eSIM. If you buy the eSIM in advance, you can choose not to activate it immediately but schedule the desired activation date.
Installing and activating the eSIM takes a few minutes, and you can do it either in your destination country or at home. You’ll need a stable internet connection for this, so we recommend doing it beforehand. When you arrive at your destination, the eSIM will automatically connect to a local carrier — but don’t forget to enable roaming and switch data-transmission to the eSIM in your phone’s settings, following the instructions provided.
eSIMs acquired from Kaspersky eSIM Store don’t support voice calls — only data transmission. However, your regular SIM card stays in your phone, meaning you’ll still receive text messages and incoming calls. You don’t necessarily have to answer them while roaming, but you can always call back through messaging apps without breaking the bank on roaming. Now that’s handy!
You can find out if your smartphone supports eSIM on the Kaspersky eSIM Store website.
Unlike traditional SIM cards, activating an eSIM requires neither an ID/passport, nor verification through local government services. Payment can be made in the mobile app or on the secure website. Thus, your personal and banking details won’t leak from some local SIM card stand.
Unified account
When you first use it, you’ll need to register on the website or in the app. But if you already have a My Kaspersky account, just link that, and you’ll be logged in automatically. In your personal account on the website or in the app, you can track your mobile data usage in real time, receive notifications when you’re about to run out of data, and instantly top up your eSIM with any amount of data you need.
You can track your mobile data usage in real time and instantly top up your eSIM
In some countries, a Smart Top-up feature is available. When your data balance drops below 100MB, we’ll automatically boost your eSIM with the same amount of gigabytes that you purchased earlier and extend your plan’s validity. That way, you won’t be caught off guard by a sudden loss of connectivity.
Value
Our wide selection of plans allows you to find the perfect fit. You can choose (i) a Local plan — valid in one of the 177 available countries and territories, (ii) one of nine Regional plans, or (iii) the Global plan — valid in 122 countries worldwide.
In the Kaspersky eSIM Store, you can choose between Local and Regional plans
Next, you can select the type of plan (Expiring or Non-expiring), specify how much data you need, and pay for it with your bank card in just a few clicks.
With Expiring plans, you need to use all your data within a fixed period, which is 30 days for most plans. With Non-expiring plans, your mobile data remains assigned to your account indefinitely. Even if you’ve bought too much data and haven’t been able to use it all up, or if you had to cut your trip short for some reason, you can use the remainder on your next journey to the same region.
With Expiring plans, you need to use all the data within a specific period; with Non-expiring plans, your data will wait patiently for your next journey
Planning
Conveniently, you can activate your eSIM immediately upon purchase — for example, if you’re already abroad — or postpone its activation to a specific date. By default, the eSIM starts working at the moment of purchase, and for Expiring plans, the validity period begins at that time too. However, if you like to plan and get everything ready in advance, you can buy a data plan ahead of time from home. At checkout, select the Schedule activation option, and specify your trip’s start date. If your plans change, you can alter the activation date even after purchase.
Rollover and flexibility
The issue with most travel eSIMs is that they’re effectively single-use. You buy it, install it, use it, and that’s it. You have to delete the eSIM from your phone and get a new one for your next trip. With Kaspersky eSIM Store, you buy the eSIM once, install it on your smartphone, and then connect different data plans to it as needed. Still, there’s nothing stopping you from buying more than one eSIM. For example, you could get one for each family member traveling with you. This way, you can monitor each person’s data usage in a single personal account (and remind your teens to go easy on the social media if they’re burning through their data too quickly!). Or, if you have an eSIM with remaining data on a Non-expiring plan for a specific country or region, but you’re heading to a different part of the world, you can simply purchase another eSIM for your new destination. If you frequently travel to the same few countries, it’s more cost-effective to set up multiple eSIMs, one for each country, and use a Non-expiring plan on each. That way, you won’t lose a single byte. Kaspersky eSIM Store provides all the flexibility you need for eSIM juggling.
Security
Let’s start with something we’ve covered in previous articles: when in a foreign country, it’s much safer to use mobile internet than to connect to public Wi-Fi, and here’s why. However, buying a local SIM card isn’t as easy as it seems. You need to find a mobile operator’s store (or a booth selling SIMs), navigate a dizzying array of plans often described in the local language, and make sure they’re not trying to push unnecessary services on you. Moreover, in most countries, you have to give the seller a copy of your passport to buy a SIM card. Are you sure you want to share your passport (and also maybe bank card details) with a stranger? And let’s not forget the difficulties of tracking remaining data and topping up local SIM cards.
That’s why using an eSIM — which doesn’t require a passport to purchase, offers clear and transparent pricing, comes with no hidden fees or unwanted add-ons, and processes payments through a secure connection — is really the smartest way to go. To further enhance your gadgets’ security while traveling, our robust protection will shield you from viruses, secure online payments, and warn you about connecting to unsafe networks. And for Android smartphone owners, it can even help locate a lost or stolen phone.
And Kaspersky VPN Secure Connection, included with a Kaspersky Premiumsubscription, or available separately, will encrypt your internet traffic — preventing interception, and helping you connect to banking sites, government services, or streaming platforms in your home country as if you never left it.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-17 08:06:442025-06-17 08:06:44How to buy and connect a travel eSIM with Kaspersky eSIM Store | Kaspersky official blog
