Why are SOC teams still struggling to keep up despite heavy investments in security tools? False positives pile up, evasive threats slip through, and critical alerts often get buried under noise. For CISOs, the challenge is giving teams the visibility and speed they need to respond before damage is done. 

ANY.RUN helps close that gap. 95% of companies using the solution report faster investigations and shorter response times because their teams aren’t waiting on static reports or incomplete data. Instead, they get real-time insight into how threats behave, enabling faster decisions, fewer delays, and a measurable boost in SOC performance. 

This CISO blueprint outlines five strategic steps to help your enterprise SOC reach new levels of resilience with proven results. 

Proven Results from the Front Lines of the SOC 

Security leaders are seeing real operational gains after integrating ANY.RUN into their workflows. 

Take Expertware, for example, a leading European IT consultancy. Facing growing pressure to shorten investigation timelines and scale without hiring, they adopted ANY.RUN’s sandbox. What used to take hours of manual work now happens in minutes thanks to real-time, interactive malware analysis. 

What changed after implementing ANY.RUN’s sandbox? 

• 50% reduction in malware investigation time 

• Improved team collaboration, with shared reports and interactive analysis reducing handoff delays 

• Deeper threat visibility, including multi-stage and fileless malware 

• Faster client response, with clearer reports enabling quicker decision-making 

ANY.RUN helped them eliminate the overhead of manual setups while improving threat clarity, leading to stronger security outcomes for both their team and their clients. 

1. Deploy Real-Time Threat Analysis for Early Detection

When time is everything, waiting on static scans or post-execution reports just doesn’t cut it. To respond effectively, SOCs need a clear view of the threat as it happens. 

ANY.RUN’s sandbox delivers that clarity through live detonation, giving your team an immediate look at the full scope of any malware or phishing attack. From execution flow to network connections and dropped payloads, everything is visible in real time. 

What sets ANY.RUN sandbox apart is interactivity. Analysts can engage with the sample mid-execution, clicking buttons, opening files, entering credentials, just like a real user. That means no waiting for analysis to complete and no relying on partial data. Threat behavior becomes obvious in seconds, allowing your team to move faster and with greater confidence. 

2. Automate Triage to Reduce Analyst Workload and Alert Fatigue 

Not all threats reveal themselves with a simple scan. Many phishing kits and malware samples are designed to evade detection unless specific user actions are taken, like solving a CAPTCHA, clicking a hidden button, or opening a malicious link embedded in a QR code. 

View real case with QR code analysis 

ANY.RUN tackles this head-on. With Automated Interactivity, available in the Enterprise plan, it simulates real user behavior, solving CAPTCHAs, navigating redirects, opening files and links hidden inside QR codes or archives. This allows the sandbox to detonate even evasive threats automatically, giving your team faster, more accurate results with less manual effort. 

The outcome? 

• Higher detection rates 

• Faster triage 

• Reduced alert fatigue 

• More time to focus on high-impact threats 

This type of automation also lowers the pressure on junior analysts, who can now complete complex investigations without relying on senior teammates to step in. With ANY.RUN handling the hard parts of triage, your team detects threats faster and stays focused on response, not troubleshooting. 

3. Boost SOC Performance through Collaboration and a Unified Security Stack 

Tools alone won’t fix slow investigations or fragmented response workflows; collaboration is just as critical. 

ANY.RUN is built to support this from the ground up. Designed for high-performing SOCs, its Teamwork feature gives analysts a shared workspace where roles are clearly defined, tasks are tracked in real time, and managers can supervise without disrupting the flow. Whether your team is in one office or spread across time zones, everyone stays aligned and productive. 

• Clear task ownership to prevent duplication and confusion 

• Role-based access and oversight for team leads 

• Scalable structure that grows with your team 

• Built-in activity tracking to monitor productivity 

And it doesn’t stop there. ANY.RUN integrates seamlessly with your existing SOAR, XDR, or SIEM platforms, allowing teams to analyze suspicious files straight from alerts, enrich incidents with fresh IOCs, and manage security workflows without leaving their familiar interfaces.  

One of the latest integrations is with IBM QRadar SOAR, a widely used platform for incident response. With ANY.RUN’s official app, teams can: 

• Launch sandbox analyses directly from SOAR playbooks 

• Enrich cases with real-time IOCs and behavioral insights 

• Automate repetitive steps to reduce Mean Time to Respond (MTTR) 

Setup takes just minutes; plug in your API key, and your team is ready to go. 

Together, this connected and collaborative approach leads to faster decisions, higher output, and a stronger, more efficient SOC. 

4. Ensure Privacy and Compliance to Prevent Data Leaks 

Threat detection means little if it compromises sensitive data in the process. For CISOs, building a resilient security program also means ensuring that investigations don’t create new risks, like exposing internal files, violating client confidentiality, or falling out of compliance. 

ANY.RUN addresses this risk with robust privacy controls designed for enterprise SOCs. Teams can conduct investigations in a fully private sandbox, ensuring that no data is accidentally exposed or shared outside the organization. Role-based visibility settings let team leads define who sees what, while granular access controls prevent analysts from unintentionally publishing sensitive tasks. 

You also get flexible private analysis options that scale with your team: 

• Unlimited private analyses per user 

• Or unlimited users with per-analysis pricing 

This means your investigations stay confidential without compromising collaboration or growth. 

To further tighten access and simplify security management, ANY.RUN supports Single Sign-On (SSO). Analysts can log in using existing organizational credentials, improving both security and ease of use. Onboarding, offboarding, and daily access become seamless, reducing risk and helping you stay compliant with internal policies and external standards. 

5. Move From Reactive to Proactive Security 

Staying ahead of modern threats demands proactive insight into what’s coming next. But for many CISOs, building that foresight into daily workflows is still a challenge. With queues overflowing and teams focused on triage, opportunities to uncover patterns, enrich investigations, and harden defenses often slip through the cracks. 

That’s where ANY.RUN’s Threat Intelligence Lookup (TI Lookup) delivers a clear advantage. 

TI Lookup gives your SOC team instant access to threat data sourced from millions of malware detonation sessions, with real-world samples, IOCs, IOBs, IOAs, and TTPs updated within hours of an attack, not days or weeks later. It’s built to accelerate investigation, support informed decisions, and drive proactive defense across your infrastructure. 

With free access, your team can: 

• Enrich alerts with context from recent sandbox sessions 

• Link artifacts to real-world malware campaigns targeting over 15,000 companies globally 

• Reduce MTTR by quickly identifying behaviors, payloads, and known threat families 

• Explore malware trends, TTPs, and MITRE mappings directly from the interactive sandbox 

• Gather intelligence to improve SIEM, IDS/IPS, or EDR rule creation 

Build a Smarter, More Resilient SOC Starting Now 

Resilience is built with visibility, automation, and collaboration that work together across your entire SOC. From accelerating detection to reducing manual workload, ANY.RUN gives security teams the tools they need to respond faster, dig deeper, and stay ahead of evolving threats. 

Whether you’re modernizing your stack or scaling operations, a live, interactive sandbox can be the force multiplier your team needs. 

Ready to see how it fits into your environment? 
Contact us for integration and start strengthening your threat response with speed and precision. 

About ANY.RUN 

ANY.RUN is built to help security teams detect threats faster and respond with greater confidence. Our interactive sandbox platform delivers real-time malware analysis and threat intelligence, giving analysts the clarity they need when it matters most. 

With support for Windows, Linux, and Android environments, our cloud-based sandbox enables deep behavioral analysis without the need for complex setup. Paired with Threat Intelligence Lookup and Feeds, ANY.RUN provides rich context, actionable IOCs, and automation-ready outputs, all with zero infrastructure burden. 

Start your 14-day trial now → 

The post CISO Blueprint: 5 Steps to Enterprise Cyber Threat Resilience  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Phishing emails typically end up in the spam folder, because today’s security systems easily recognize most of them; however, these systems aren’t completely reliable, so some bona fide email messages land in the junk folder too. This article explains how to detect phishing emails, and what to do about them.

Signs of phishing email

There are several markers that are widely believed to indicate a message sent by scammers. Below are some examples.

• Catchy subject line. A phishing message will likely represent a fraction of all the mail landing in your inbox. This is why scammers usually try to make their subject lines stand out by using trigger words like “urgent”, “prize”, “cash”, “giveaway”, or similar, designed to prompt you to open the message as quickly as possible.
• Call to action. You can bet the message will encourage you to do at least one of the following: click a link, pay for something you don’t really need, or check the details in an attachment. The attackers’ primary goal is to lure victims away from their email and into unsafe spaces where they’re tricked into spending money or surrendering access to their accounts.
• Expiring timer. The message might feature a timer that says, “Follow this link. It expires in 24 hours.” All these tricks are just nonsense. Scammers want to rush you so you start to panic and stop thinking carefully about your money.
• Mistakes in the email body. In the past year, there’s been an increase in phishing emails sent in multiple languages at once, often with some odd mistakes.
• Suspicious sender address. If you live in, say, Brazil, and you get an email message from an Italian address, that’s a red flag and a good reason to completely ignore its contents.

An impersonal greeting like “Dear %username%” used to be a sure sign of a phishing email, but scammers have moved on from that. Targeted messages addressing the victim by name are becoming increasingly common. Ignore those too.

What to do if you get a phishing email

If you’ve managed to spot one using the signs described above, well done — you’re awesome! You can go ahead and delete it without even opening. And if you want to do your good deed for the day, report the phishing attempt via Outlook or Gmail to make this world a tiny bit safer. We understand that spotting phishing in your email right away isn’t easy — so here’s a short list of don’ts to help with detection.

Don’t open attachments

Scammers can hide malware inside various types of email attachments: images, HTML files, and even voice messages. Here’s a recent example: you get an email with an attachment that appears to be a voice message with the SVG extension, but that’s typically an image format… To listen to the recording, you have to open the attachment, and what do you know — you find yourself on a phishing site that masquerades as Google Voice! And no, you don’t hear any audio. Instead, you’re redirected to another website where you’ll be prompted to enter the login and password for your email account. If you’re interested in learning more, here’s a Securelist blog post on this.

This and other stories just go to show you shouldn’t open attachments. Any attachments. At all. Especially if you weren’t expecting the message in the first place.

Don’t open links

This is a golden rule that will help keep your money and accounts safe. A healthy dose of caution is exactly what everyone needs when using the internet. Let’s take a look at this phishing message.

Does this look odd? It’s written in two languages: Russian and Dutch. It shows the return address of a language school in the Netherlands, yet it references the Russian online marketplace Ozon. The message body congratulates the recipient: “You are one of our few lucky clients who get a chance to compete for uncredible prizes.” “Competing for prizes” is easy: just click the link, which has been thoughtfully included twice.

A week later, another message landed in the same inbox. Again, it came in two languages: Italian and Russian. This one came from a real Italian email address associated with the archive of Giovanni Korompay‘s works. The artist passed away in 1988. No, this wasn’t an offer to commemorate the painter. Most likely, hackers have breached the archive’s email account and are now sending phishing mail about soccer betting pretending to be from that source. All of that looks a rather fishy.

These messages have a lot in common. One thing we didn’t mention is how phishing links are disguised. Scammers deliberately use the TinyURL link shortener to make links look as legitimate as possible. But the truth is, a link that starts with tinyurl.com could point to anything: from the Kaspersky Daily blog to something malicious.

Don’t believe what’s written down

Scammers come up with all sorts of tricks: pretending to be Nigerian princes, sending fake Telegram Premium subscriptions, or congratulating people on winning fake giveaways. Every week, I get email with text like this: “Congratulations! You can claim your personal prize.” Sometimes they even add the amount of the supposed winnings to make sure I open the message. And once, I did.

Inside, it’s all by the book: a flashy headline, congratulations, and calls to click the link. To make it seem even more convincing, the email is supposedly signed by a representative from the “Prize Board of the Fund”. What fund? What prize board? And how could I possibly have won something I never even entered into? That part is unclear.

You may have noticed the unusual design of this message: it clearly stands out from the previous examples. To add credibility, the scammers used Google Forms, Google’s official service for surveys and polls. The scheme is a simple one: they create a survey, set it up to send response copies to the email addresses of their future victims, and collect their answers. Read Beware of Google Forms bearing crypto gifts to find out what happens if you open a link like that.

The bottom line

Following these rules will protect you from many — but not all — of the tricks that attackers might come up with. That’s why we recommend trusting a reliable solution: Kaspersky Premium. Every year, our products undergo testing by the independent Austrian organization AV-Comparatives to evaluate their ability to detect phishing threats. We described the testing procedure in a post a year ago. In June 2025, Kaspersky Premium for Windows successfully met the certification criteria again and received the Approved certificate, a mark of quality in protecting users from phishing.

Important clarification: at Kaspersky, we use a unified stack of security technologies, which is what the experts tested. This means the Kaspersky Premium for Windows award also applies to our other products for home users (Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium) and for businesses (such as Kaspersky Endpoint Security for Business and Kaspersky Small Office Security).

More about phishing:

• 6 antiphishing tips
• Spam 101: what is spam, and how to defeat it
• Turnkey phishing
• How cybercriminals disguise URLs
• How to spot you’re on a hacked website

Kaspersky official blog – ​Read More

When the NIS2 Directive arrived in 2023, organizations across Europe began preparing for enhanced cybersecurity requirements. Many focused on obligations such as rapid incident notifications and comprehensive security policies. However, while the directive provided the “what,” it left the “how” largely undefined. Organizations understood that they needed incident response capabilities and swift reporting mechanisms, but the details of implementation remained unclear.  

The release of ENISA’s Technical Implementation Guidance in June 2025 revealed the true complexity of compliance with the NIS2 standard. The technical guidance now reveals requirements that fundamentally challenge conventional security operations, particularly during incidents. Organizations that once prioritized operational continuity over forensic response and detailed analysis must now balance all three.

Competing objectives in incident response 

Under the old approach, organizations had the flexibility to isolate, investigate and report incidents at their own pace. These processes were typically be dictated by business needs, with exceptions for when personal data was involved under GDPR. 

Now, the clock starts ticking toward a 24-hour deadline from the moment an incident happens (Article 23 of the NIS2 Directive). 

The incident response procedures outlined in Section 3.5.2 of the ENISA guidance illustrate this shift perfectly. Security teams must now “recognize and address potential conflicts between forensic activities, incident response activities, and operational continuity.” The guidance explicitly acknowledges that teams face competing objectives: 

1. Preserve evidence for legal purposes 
2. Mitigate current threats to minimize business disruption 
3. Minimize IT service downtime to maintain operational continuity 

Traditional incident response playbooks assume you can prioritize one or two of these objectives. NIS2 demands all three simultaneously. 

Let’s consider an example. A ransomware attack hits payment processing systems at midnight. According to Section 3.2.3, teams must maintain comprehensive logs including “all privileged access to systems and applications and activities performed by administrative accounts,” while Section 3.5.4 requires logging all incident response activities and recording evidence. At the same time, the business operations would require system restoration to process morning transactions so that the bottom line is not impacted.  

Throughout this process, someone must compile an initial report meeting the notification requirements within 24 hours as mandated by Article 23(3) of the NIS2 Directive. This is followed by a more detailed report with impact assessment details within 72 hours. Not to mention, organizations operating across borders may need country-specific procedures to support notification timelines.   

The guidance acknowledges the inherent conflict in these objectives and requires organizations to “establish a clear decision-making process that prioritizes based on the accepted risk tolerance levels, business impact and legal obligations.”

Logging requirements 

Another key challenge lies in the depth of logging requires. Section 3.2.3 specifies that logs shall include, where appropriate: “(a) relevant outbound and inbound network traffic; (b) creation, modification or deletion of users of the relevant entities’ network and information systems and extension of the permissions; (c) access to systems and applications; (d) authentication-related events; (e) all privileged access to systems and applications and activities performed by administrative accounts” as well as 7 additional categories, for 12 total. All this assumes visibility into shadow IT and appropriate configuration of user activity tracking so that a proper audit trail can be constructed, reviewed and stored for analysis.  

Furthermore, the guidance notes in Section 3.2.6 that monitoring and logging systems must be redundant, and that “the availability of the monitoring and logging systems shall be monitored independent of the systems they are monitoring.” Although this is music to an incident responder’s ears, setting up the complex systems needed to correlate, analyze, store and retrieve detailed audits is a significant challenge.

Forensic activities vs. business recovery 

Traditional incident response strategies often prioritize rapid recovery to ensure that business operations can return to normal while simultaneously analyzing evidence. Incident response teams often want to acquire all evidence upfront so that business recovery can begin alongside the forensic investigation. The business can also decide what to recover and even go as far as to simply make decision to rebuild the environment from scratch and thus accelerate recovery and eradication. 

Section 3.5.2 explicitly calls for creation of a playbook to ensure that evidence handling, incident response and threat eradication take place during appropriate stages of the business cycle. The playbook must manage tradeoffs so that there is no impact on preservation of evidence for compliance and legal purposes. 

In addition, Section 3.5.4 mandates that entities “log incident response activities” and “record evidence.” The guidance suggests this should include “time of detection, containment and eradication,” “indicators of compromise,” “root cause” and “actions taken during each phase.” To meet this requirement, organizations must develop procedures that capture this critical information while managing active incidents. Typically, incident response teams already do this when creating a detailed timeline of all activities. Close collaboration between business stakeholders and IR teams is a must for NIS2 compliance.

Looking beyond compliance 

While the guidance focuses on meeting technical requirements, organizations that implement these capabilities also gain broader operational benefits. For example, comprehensive logging not only satisfies compliance, but also supports threat hunting and delivers valuable operational insights. With these capabilities, IR teams can review the environment for malicious activities. Enhanced monitoring, especially when automated, can identify security incidents quicker and reduce adversary dwell time.  

Structured incident response procedures improve overall operational resilience by ensuring every team member knows what to do and when to act. Talos IR services directly align with these key ENISA Technical Implementation Guidance requirements, helping organizations bridge the gap between current capabilities and NIS2 compliance. 

Log Architecture Assessment (Section 3.2 Requirements) 

Section 3.2.3  mandates logging across 12 categories of events “where appropriate,” while Section 3.2.6 requires redundant logging systems with synchronized time sources. Talos IR’s Log Architecture Assessment evaluates current logging capabilities against best practices, identifying deficiencies and providing a roadmap to strengthen an organization’s logging posture. 

Incident Response Playbooks (Section 3.5.2 Requirements)  

Perhaps the most challenging aspect of the NIS2 is the explicit requirement for “incident response playbooks that incorporate decision making and escalation paths for managing trade-offs between evidence preservation, threat containment and operational continuity.” Talos IR develops customized playbooks that address these competing priorities, giving your team a clear process tailored for each incident type.  

Incident Response Plans (Section 3.1 and 3.5 Requirements) 

Section 3.1.1 requires establishing comprehensive “procedures for detecting, analyzing, containing or responding to, recovering from, documenting and reporting of incidents.” Talos IR helps organizations develop IR plans that reflect their internal processes and operational needs. 

Threat Hunting and Compromise Assessments (Section 3.4 Requirements) 

Section 3.4.1 requires organizations to assess “suspicious events to determine whether they constitute incidents.” Talos IR provides proactive Threat Hunting and Compromise Assessment services to identify suspicious events before they escalate into major incidents. We look to answer critical questions such as “Am I currently compromised?” or “Is there any evidence of historical compromise?” 

Incident Support (Section 3.6 Requirements) 

Talos IR provides 24/7 incident support to help organizations respond swiftly and effectively during emergencies. Our team engages quickly to understand the situation, address immediate concerns and analyze threats. In addition to deep forensic expertise, Talos IR provides comprehensive root cause analysis and actionable recommendations that transform each incident into an opportunity to strengthen the organization’s security posture.

Cisco Talos Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you’re probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto the team, but also the passions and hobbies that energize her work. Plus, she offered a sneak peek into what she’s most looking forward to at Black Hat this year! With future Humans of Talos episodes, you’ll get to learn not only about the people behind the research, but the people behind the communications, operations, and design, too.

My team chose to name the series “Humans of Talos” as a cheeky wink to the world of machine learning (ML) and a reminder that no matter how sophisticated our technology gets, it’s always our humanity that makes the difference. 

I’m a sci-fi nerd who loves a captive audience, so let’s consider Murderbot from Martha Wells’ “The Murderbot Diaries” (now a TV show starring Alexander Skarsgård). Designed as a security unit with both organic and mechanic parts, self-named Murderbot secretly hacks its own governor module and, instead of turning on humans, spends its free time watching soap operas like “The Rise and Fall of Sanctuary Moon.” So relatable, right? What draws readers in isn’t its technical specs. It’s Murderbot’s dry humor, awkwardness, struggle with newfound autonomy, and the way it wrestles with what it means to care for others (even if it pretends not to). Despite its past, when it was treated as a piece of equipment rather than a living thing, Murderbot is both highly analytical and empathetic. Advanced technology is most powerful when paired with genuine human creativity and insight, and this is a balance we seek every day at Talos.

If cozy, found family sci-fi is more your vibe, take Lovey (aka Sidra) from Becky Chambers’ “A Long Way to a Small, Angry Planet” and “A Closed and Common Orbit.” Originally an AI managing a tunneling spaceship, Lovey is suddenly transferred into a human-like body kit and faces the challenge of living in a world she was never designed for, which is where her story really gets interesting. She has to learn everything from how to move and act to how to build friendships and find her own purpose. Learning to ask for help, make mistakes and trust the people around us is familiar to many of us in the cybersecurity community. No matter how advanced our tools become, it’s our willingness to learn from each other, collaborate and grow together that truly makes us stronger and better at our work.

So while Talos has practically always used ML in our work, I’ll always say that it is nothing without the humans behind it. We all share one mission: protecting our customers.

Tune into the next episode mid-August, and whether you’re streaming “Sanctuary Moon” or finding your place in the universe like Lovey, stay safe and secure out there!

The one big thing 

Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) group called Chaos, which is actively targeting organizations worldwide with sophisticated attacks involving phishing, remote management tool abuse, and double extortion tactics.  

We assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit (Royal) gang. They use advanced encryption, anti-analysis techniques, and target both local and networked systems for maximum disruption. We believe the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, and the group uses the same name to create confusion.   

Why do I care? 

Chaos is going after organizations of all sizes across verticals using techniques that can bypass common security measures, steal sensitive data and disrupt business operations. Even if you’re not a direct target, your company could be affected if you work with a business that is attacked, or if similar tactics are used against your sector.

So now what? 

Review your organization’s security posture, especially around email, remote access and backup systems. Make sure you’re using multi-factor authentication, keeping software up-to-date and educating employees about phishing and social engineering.

Top security headlines of the week 

Microsoft rushes emergency patch for actively exploited SharePoint “ToolShell” bug 
Malicious actors already have already pounced on the zero-day vulnerability in Microsoft Sharepoint Server, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks. (DarkReading) (Cisco Talos) 

Europol sting leaves Russian cybercrime’s “NoName057(16)” group fractured 
National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia. (DarkReading) 

Indian crypto exchange CoinDCX confirms $44M stolen during hack 
On Saturday, CoinDCX co-founder and CEO Sumit Gupta disclosed in a post on X that an internal account was compromised during the hack. The executive assured that the incident did not affect customer funds and that all its customer assets remain secure. (TechCrunch) 

Ryuk ransomware operator extradited to US, faces five years in federal prison 
Justice Department officials said the operators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies. (CyberScoop)

Can’t get enough Talos? 

We have lots of videos to share, so queue them up and let’s get learning!

SnortML in 60 seconds 
Most detection engines rely on signatures, but when threats evolve or the exploit is brand new, these rules can fall short. Enter SnortML! 

Humans of Talos: Hazel Burton 
Okay, I know I hammered this into you in the intro, but Hazel is a delight to listen to, and she gives a lot of wonderful insights. Watch here.

Upcoming events where you can find Talos 

• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (Aug. 2 – 7) Las Vegas, NV 
• BlueTeamCon (Sept. 4 – 7) Chicago, IL

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection

SHA 256: ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c 
MD5: 17e33efb1b100397c3a9908df7032da1 
VirusTotal: https://www.virustotal.com/gui/file/ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c/details  
Typical Filename: tacticalrmm.exe 
Claimed Product: N/A 
Detection Name: W32.EE33AAA05B-95.SBX.TG

SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442 
MD5: 7854b00a94921b108f0aed00f77c7833 
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details  
Typical Filename: winword.exe 
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote 
Detection Name: W32.0581BD9F0E.in12.Talos

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa 
MD5: df11b3105df8d7c70e7b501e210e3cc3 
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details 
Typical Filename: DOC001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08 
MD5: 906282640ae3088481d19561c55025e4 
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details 
Typical Filename: AAct_x64.exe 
Claimed Product: N/A 
Detection Name: PUA.Win.Tool.Winactivator::1201

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details 
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201

Cisco Talos Blog – ​Read More