Today, phishing accounts for the majority of all cyberattacks. The availability of low-cost, easy-to-use Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, EvilProxy, and Sneaky2FA only makes the problem worse. 

These services are actively maintained by their operators; new evasion techniques are regularly added, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand. 

But beyond these established players in the PhaaS market, the ANY.RUN team sometimes comes across phishing campaigns that use tools unlike anything we’ve seen before. 

One such example is a framework we’ve dubbed Salty 2FA, whose execution chain and infrastructure have not previously been documented.

Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials. It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis. 

Let’s dive deeper into how Salty 2FA works. 

Key Takeaways 

• Salty 2FA is a newly discovered PhaaS framework, with overlaps to Storm-1575/1747 but distinct enough to stand apart. 

• It uses a unique domain pattern (.com subdomains paired with .ru domains) and unfolds in a multi-stage execution chain designed to resist detection. 

• The kit can bypass multiple 2FA methods (push, SMS, voice), giving attackers access beyond stolen credentials. 

• Victims span global industries including finance, telecom, energy, consulting, logistics, and education. 

• Static IOCs are unreliable; detection requires spotting behavioral patterns that persist across samples. 

• ANY.RUN’s interactive sandbox was essential in mapping its execution flow and exposing its infrastructure in real time. 

Discovery of Salty 2FA 

During phishing campaign hunting, several ANY.RUN sandbox sessions were identified that had not yet been flagged as malicious. At first glance, they showed familiar traits: Cloudflare Turnstile, a fake Microsoft login page, and unknown domains. 

Check analysis sessions:  

Analysis session 1 

Analysis session 2 

What stood out in these cases was the domain infrastructure. In the IOCs section of the sessions, a pattern became clear: the consistent use of compound domains in “.com” zones (e.g., .com.de, .it.com) in combination with domains registered under the .ru TLD. The phishing pages themselves also followed a recurring format, embedding “.com” subdomains within a pattern of <sub_domain>.<main_domain>.??.com. 

The URI paths hosting the phishing content also appeared unusual. While they initially looked randomly generated and unrelated, further inspection suggested they might share commonalities worth examining. 

With this hypothesis in mind, a query was run in Threat Intelligence Lookup: 

domainName:”*.*.??.com$” AND domainName:”.ru$” 

The results confirmed that this domain pairing is indeed a recurring element tied to phishing activity. Moreover, it highlighted that this indicator had not yet been fully integrated into the detection system, leaving a potential coverage gap. 

The initial results left some uncertainty. In addition to the incomplete detection coverage at the time of analysis, the sample included tasks with potential true negative verdicts, as well as tasks tagged under different categories. These ranged from generic phishing labels to Tycoon and EvilProxy; campaigns that had not previously demonstrated the observed behavior (the .??.com + .ru domain combination). 

To reduce ambiguity, the query was refined with contextual filters, focusing on specific resources such as requests to Cloudflare. 

The updated TI query produced much clearer results, confirming that this activity is almost certainly tied to a distinct phishing operation. However, it cannot yet be definitively attributed to any of the known actors. 

Refined TI query: 

domainName:”*.*.??.com$” AND domainName:”a.nel.cloudflare.com” AND domainName:”challenges.cloudflare.com” AND NOT domainName:”cdnjs.cloudflare.com” AND domainName:”.ru$” 

After a quick review of the external indicators, the next step was to examine the client-side code used in this phishing campaign to better understand its functionality and capabilities. 

Technical Deep Dive: Execution Chain 

To capture decrypted traffic and analyze the payload step by step, a similar session was rerun with the MITM proxy enabled. 

Check analysis session with MITM enabled 

When the page loads from parochially[.]frankfurtwebs[.]com[.]de, a small “trampoline” JavaScript executes. It initializes the Cloudflare Turnstile widget, runs the associated checks, and returns a cf_response token. After that validation, the server delivers the HTML that initiates the main execution chain. 

Stage 1: Obfuscated Entry Script 

The source code contains comment inserts with inspiring quotes. These do not affect functionality but act as filler “noise,” making static analysis more challenging. 

A small JavaScript snippet contains an obfuscated function designed to decode the address of the next stage, retrieve it, decode it in the same way, and then write the result into the DOM of the current page. 

Decoding the value lPwICAQHzsPDAfUG//kIBAD19/nGyPn9wgYJw8M= reveals the URL of the next payload: 
hxxps[://]marketplace24ei[.]ru// 

Stage 2: Encrypted Payload and Fake Login Page 

After loading and decoding the payload, the result is a large HTML page—again padded with non-functional “noise” just like the previous stage—with an obfuscated JavaScript snippet at the end. 

A quick search through the HTML for <input> tags revealed several matches. One stood out: 

<input hidden id=”lessen” value=”aHR0cHM6Ly9tYXJrZXRwbGFjZTI0ZWkucnUvNzkwNjI4LnBocA”> 

Decoding the Base64 value exposes another URL that becomes relevant later: 

hxxps[://]marketplace24ei[.]ru/790628[.]php 

Comparing the HTML source to the session’s runtime behavior also shows that the attacker obfuscates the page text itself. For example, the string: 

“Because you’re accessing sensitive info, you need to verify your password.” 

appears obfuscated in the code rather than in plain text. 

Stage 3: Client-Side Logic and Anti-Analysis Mechanisms 

All of the logic for switching between page states, as well as the collection and exfiltration of user input, is handled by the previously mentioned JavaScript code. 

After deobfuscating this script, we can walk through its key technical details and capabilities. 

To begin with, nearly all of the front-end logic relies on calls to page elements through jQuery. The identifiers for these elements are generated dynamically, making analysis more difficult. In addition, the element IDs themselves are encoded using a combination of Base64 and XOR with a fixed generated value, which must be decoded through a dedicated routine. 

The phishing payload also includes several basic defense mechanisms commonly seen in such campaigns: 

• Blocking keyboard shortcuts that open debugging tools (e.g., DevTools). 

• Measuring execution time when a debugger is triggered and halting further activity if a delay is detected, which may indicate the code is running in a controlled or lab environment. 

For exfiltration of the victim’s input, the data is “encrypted” using the same Base64 + XOR technique. This time, however, the key parameter is derived from the victim’s session identifier. 

Stage 4: Data Exfiltration and Server Interaction 

The stolen data is sent to servers using .ru domains from the observed cluster, with endpoints following the format: 

/<5-6_digits>.php 

The data itself is encoded and placed in the request= parameter of the POST request, while the decoding key (along with the victim’s session ID) is stored in the session= parameter. 

Using a POST request captured in the session as an example, the data can be examined by applying the same encoding routine in reverse: 

Utilize the following CyberChef recipe to decode the data: https://gchq.github.io/CyberChef/#recipe=URL_Decode(true)From_Base64(%27A-Za-z0-9%2B/%3D%27,true,false)XOR(%7B%27option%27:%27UTF8%27,%27string%27:%27b17be01b20c089141058415728fd66ff%27%7D,%27Standard%27,false)&input=R1JOWUVrY0tFeFpBUlFZU0ZCdFVXUk1LRjFWZFdsQjNVMW9GU2xWWkMwUWY&oeol=VT

Stage 5: Multi-State 2FA Handling 

In response to the POST request, the server returns a JSON object. The value of the response field depends on the current state of the phishing page; that is, on which opcode was specified when the data was submitted. 

Analysis of the code revealed several possible states of the phishing page, along with the data structures transmitted to the attacker as the page transitions between these states. 

The identified states are as follows: 

Capabilities and Evasion Techniques 

Based on the complexity of its infrastructure, such as the use of multiple domains across specific TLDs, including a dedicated domain for data exfiltration, the presence of evasion techniques, and its extensive functionality (credential validation, handling multiple 2FA methods, and intercepting OTP codes), this campaign appears to represent a new PhaaS framework. Its behavioral patterns differ from those of the major players in the phishing ecosystem, such as Tycoon, EvilProxy, and others. 

Is it Storm-1575 or Storm-1747? 

At the time of initial research, no clear evidence was found to indicate who operates or develops this phishing kit, how the attackers obtain access (e.g., whether they purchase software), or any distinctive technical traits that would link it to other known kits. 

After updating detection methods and re-hunting indicators in the ANY.RUN Sandbox and TI, some overlap in IOCs (specifically domains) emerged with activity tracked as Storm-1575 and Storm-1747. 

Storm-1575 is associated with the PhaaS platform Dadsec and is presumed to be its developer. However, Dadsec activity has not been observed recently, and attribution boundaries for Storm-1575 remain unclear. 

Storm-1747, on the other hand, is well known for Tycoon 2FA—a state-of-the-art phishing kit that has ranked among the most active in terms of both attacks and related samples for several years. That said, Tycoon relies on a different infrastructure (mainly es-ru-es domain chains) and implements distinct client-side code, including its obfuscation and exfiltration techniques. 

To track and assess this phishing activity, the framework was designated Salty 2FA, a name inspired by its “salted” payloads, which consistently helped distinguish its code from other kits during analysis. More importantly, a unique threat name was required, one easier to work with than YetAnotherPhishkitActivity2FA, and “Salty 2FA” struck the right balance of clarity and memorability. 

Check potential overlaps between Salty 2FA and Storm-1575/1747 

Salty 2FA Targets and Activity Timeline 

Analysis of phishing emails, their content themes, and pre-filled victim email addresses (automatically inserted via the #email anchor in URLs) made it possible to identify the targets of this campaign, including affected countries and industries. 

Observed targets include: 

Common phishing email lures included: 

• “Voice message was left…” 

• “Access full document…” 

• “Payroll amendment…” 

• “Request for Proposal…” 

• “Bid invitation…” 

• “Billing Statement…” 

Additional IOCs extracted from SPF records in email headers: 

• 153[.]127[.]234[.]4 

• 51[.]89[.]33[.]171 

• 191[.]96[.]207[.]129 

• 153[.]127[.]234[.]5 

• izumi[@]yurikamome[.]com 

Activity timeline: 

Based on data from the ANY.RUN Sandbox and TI, activity resembling Salty 2FA began gaining momentum in June 2025, although it is possible that early or “raw” variants of the kit, or samples similar to it, were already being deployed as early as March–April 2025. 

Confirmed activity attributed to Salty 2FA has been observed since late July 2025 and continues to this day, generating dozens of new public analysis sessions in the Sandbox every day. 

How to Spot Salty 2FA 

Basic indicators such as domain names (hashes are not applicable here due to constant obfuscation and code mutation) can be useful for threat hunting and expanding the threat landscape. In some cases, they may even lead to detections. However, for phishing kits like Salty 2FA, these indicators are generally unreliable for long-term or consistent detection. 

Threat detection specialists and engineers instead need to identify behavioral patterns that remain consistent across samples, even when those samples appear completely different at first glance. 

Any recurring clue, whether it is a particular chain of TLD zones in domain names, distinctive URL structures, unusual web page headers, or a characteristic set of resources loaded from legitimate CDNs, contributes to the behavioral profile of a PhaaS framework. These recurring traits allow analysts to track and detect it over time without relying on volatile details such as email hashes or specific phishing domains. 

Detect and Distinguish Similar Emerging Threats in Seconds 

With solutions like ANY.RUN‘s Interactive Sandbox, analysts can observe phishing kits in real time, uncover hidden behaviors, and distinguish between similar frameworks. By focusing on behavioral patterns rather than fragile indicators, it becomes possible to track evolving PhaaS activity more reliably, while also enjoying a smoother, less resource-heavy investigation process. 

• Real-time visibility into phishing execution chains and payload delivery. 

• IOC enrichment with domains, infrastructure elements, and threat behavior insights linked to wider campaigns. 

• Faster investigations with reduced manual workload and clearer insights. 

• Seamless collaboration between analysts through shared interactive sessions. 

Conclusion 

The ecosystem of Phishing-as-a-Service (PhaaS) platforms is constantly evolving. Existing kits adapt their attack methods, while new players emerge, some entirely brand-new, others reimagined versions of tools once used by well-known threat actors. 

The analyzed framework, Salty 2FA, shares certain traits with Storm-1575, the group behind the Dadsec platform. However, a deeper examination revealed too many unique characteristics to reliably attribute it to any of the known threats, such as Tycoon2FA, Sneaky2FA, Mamba2FA, Gabagool, or EvilProxy. 

With its ability to distribute phishing payloads at scale, maintain dynamic infrastructure, intercept and process most known 2FA authentication methods beyond simple credentials, and manage a complex communication model between phishing pages and C2 servers, Salty 2FA stands on par with the “major” kits in today’s phishing landscape. 

For SOC teams triaging phishing-related incidents, it is critical to quickly and accurately confirm the malicious nature of collected artifacts and correlate them with the threat actor likely to be targeting their organization. 

ANY.RUN’s Interactive Sandbox enables security professionals worldwide to detect and analyze threats like Salty 2FA by replicating victim interactions and tracking execution chains in real time, while leveraging behavior-based detection to expose previously unknown samples and indicators. 

Try It Yourself 

See how Salty 2FA and other emerging phishing kits unfold in real time. ANY.RUN’s Interactive Sandbox lets you safely detonate samples, follow execution chains, and uncover hidden IOCs in seconds. 

Request 14-day trial for your SOC → 

Gathered IOCs 

Domains 

• innovationsteams[.]com 

• marketplace24ei[.]ru 

• nexttradeitaly[.]it[.]com 

• frankfurtwebs[.]com[.]de 

URLs

• hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/ 

• hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/ 

• hxxps[://]marketplace24ei[.]ru// 

• hxxps[://]marketplace24ei[.]ru/790628[.]php 

E-mail extracted IOCs

• 153[.]127[.]234[.]4 

• 51[.]89[.]33[.]171 

• 191[.]96[.]207[.]129 

• 153[.]127[.]234[.]5 

• izumi [at] yurikamome[.]com 

Sandbox Sessions 

https://app.any.run/tasks/91e777dd-603b-47e4-ad8f-96e8bddf2cba

https://app.any.run/tasks/7d8e3a4d-5226-40b9-9e94-0f833c784abc

https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c

TI Lookup Search Queries 

https://intelligence.any.run/analysis/lookup#{%22query%22:%22domainName:%5C%22*.*.??.com$%5C%22%20AND%20domainName:%5C%22challenges.cloudflare.com%5C%22%20AND%20NOT%20domainName:%5C%22cdnjs.cloudflare.com%5C%22%20AND%20domainName:%5C%22code.jquery.com%5C%22%20AND%20domainName:%5C%22.ru$%5C%22%22,%22dateRange%22:180}

https://intelligence.any.run/analysis/lookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%22,%22dateRange%22:180}

https://intelligence.any.run/analysis/lookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20AND%20threatName:%5C%22storm*%5C%22%22,%22dateRange%22:180}

The post Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Welcome to the second episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe. This episode, let’s meet JJ Cummings, who leads our Threat Intelligence and Interdiction team, focusing on nation-state security and intelligence. Read (or watch) on for JJ’s story, his thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Amy Ciminnisi: Hello and welcome to the second episode of Humans of Talos. I’m here with JJ Cummings today, who leads a team on our Threat Intelligence and Interdiction team, focused on nation state security and intelligence matters. What led you to your role at Talos?

JJ Cummings: Prior to Talos’ formal formation, or creation, I was a part of the Sourcefire acquisition, and I was a part of Sourcefire for many years. We helped with deep investigations and analysis and incident response and threat hunting. Then that moved into the Cisco world when Cisco acquired us. We determined that there was kind of the need for a Threat Intelligence team. There was an opportunity for me to come over to start to build out the capabilities and the path forward with Matt Olney, Ryan Pentney and several others. From there, the Threat Intelligence and Interdiction team grew to what it is today.

AC: What is something about your day to day role at Talos that people might be particularly surprised by or interested in?

JC: One of the challenges when we’re working with a lot of different partners is how we control the information. Some partners tell us, “Hey, we want feedback, but you can’t tell anybody else,” which is really difficult. We take that information and we try to identify our own ways to point to how we identified it so it doesn’t burn that partner. We have to find ways to highlight things in unattributable or alternatively attributable ways. But the good news is that I’ve got an amazing team behind me. They’re force multipliers and they are beasts when it comes to getting the job done.

---

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!

Cisco Talos Blog – ​Read More

Almost one in three members of Generation Alpha dreams of becoming a blogger. Today’s influencers inspire kids to create content online even before they reach their teens. Therefore, it’s critical for adults to get involved — especially when it comes to very young bloggers. Exploring digital platforms together with your kids not only helps keep them safe, but also lays a solid foundation for their confident and comfortable growth as digital natives.

To help parents, Kaspersky experts have created the Digital Schoolbag: A Parent’s Guide for the School Year (available as a PDF). It’s a compilation of essential tips to help keep kids safe online. And today, we dive into how parents can help their aspiring young bloggers.

1. Be curious — not critical

If your kid says they want to be a blogger, the safest first step you should take is not to ignore or criticize them, but to discuss this new venture together. Ask them why they want to be a blogger, and what kind of content they plan to create. This approach accomplishes two important things. One, it shows your child that you take their interests seriously — which helps build trust. And two, it gives you a natural opportunity to bring up the topic of online safety.

To make these conversations easier and more engaging, start with age-appropriate resources. If your budding blogger is quite young, a great option is our Cybersecurity Alphabet — a free book that helps kids master the basics of digital hygiene in a simple, fun way.

2. Set up accounts together

Instead of just handing your child your phone and leaving them to figure things out themselves (come on Gen-X; it’s 2025:), take the time to set up their accounts with them — whether it’s for YouTube, TikTok, Instagram, or another platform. This is a great opportunity to help your child go through these key steps:

• Choose appropriate privacy settings — for example, to control who can view their posts, comment on them, and send personal messages.
• Disable geolocation sharing.
• Use a strong, unique password.
• Enable two-factor authentication (2FA) for an extra layer of security.

This both reduces the risk of your kid’s account being hacked in the future, and teaches them good digital hygiene habits.

3. What’s better left unposted

If left to their own devices, child bloggers would probably post most anything online: where they are, what they’re up to, and who they’re spending time with. Enter the parent/guardian: teach your kid how to tell what’s safe to post and what’s potentially dangerous. Explain that they should never share their home address, school name, daily schedule, vacation plans, or places they visit regularly. These details can inadvertently make them easier to track — especially when combined with photos, geotags, and metadata.

4. Look up your kid’s usernames in search engines

Once your child begins posting under a username, it’s important to monitor their visibility and searchability. A simple way to do this is to regularly search for their username on Google or other search engines. Just type their social media handle into the search bar and see what comes up. Are there any personal photos, geolocation tags, or comments that reveal too much? Has anyone cloned their content or tried to impersonate them? Be sure to check for any of these issues.

5. Warn your child about shady online offers

When young bloggers start catching some buzz, they might receive messages from brands or accounts offering free products, sponsorships, or other collaboration opportunities. For a child, this might feel like a dream come true, but in reality, these messages are often from scammers.

Teach your child to treat every unexpected message with caution. Fake collaboration offers often arrive in email or direct messages, and may contain links to phishing sites designed to steal login credentials, personal information, or even payment-card details. Another common scam involves fraudsters promising to send a product after the blogger pays a “shipping fee” for a package that never arrives. We’ve covered these kinds of delivery scams in detail on our Kaspersky Daily blog.

A great option for young bloggers is to have their own manager or agent. Sounds very business-y and fancy, but actually a parent/guardian is the best person for this role. This way, you can work together to negotiate with brands and respond to offers from strangers. Discuss which brands are worth collaborating with, and explain why some offers may not be as harmless as they seem.

6. Talk to your kids about stalkers

As your kid gains more followers, they may attract not only genuine admirers but also individuals with malicious intent who claim to be “fans”. Unfortunately, doxing and stalking are real threats, especially for young, open, and trusting bloggers who share every detail of their lives.

Explain to your child that not everyone who seems nice is actually a good person. These “fans” often act like friends — praising content, offering help, or even pretending to share the same interests. Over time, however, they might start asking for personal details, more photos, or try to move the conversation to less secure platforms.

Teach your child to recognize these red flags:

• A stranger who messages them frequently, or who shows undue interest in them personally.
• Someone who insists on secrecy and asks them not to tell their parents.
• A person who tries to guilt-trip, threaten, or pressure them to share personal information.

Most importantly, whether your child becomes a successful blogger or not, you need to ensure they trust you, their parents/guardians, more than any strangers they meet online.

How to better understand your child blogger

Wanting to be a blogger is a form of self-expression and creativity for both children and adults alike. Your role as a parent is simple but crucial: support their aspirations, talk to them, and teach them the basics of digital safety.

• Find out what your child is into. A quick way to prepare for this conversation is to read our blog post, What kids are doing online, to get a basic idea of popular memes, games, and music.
• Install [placeholder Safe Kids] on your devices. Our app helps parents stay involved in their kids’ digital lives without being intrusive.
• Study our Cybersecurity Alphabet with your child. It explains complex concepts — like Keyloggers, NFTs, and oversharing — in simple terms.

If you want to learn more about keeping your child safe online, check out our guide, Digital School Bag: A School Year Guide for Parents.

How to make the online space even safer for your kid:

• Back-to-school threats: social networking
• Back-to-school: security tips
• What kids are doing online
• Do Apple’s new child safety initiatives do the job?
• Parents’ handbook for a kids’ first gadget

Kaspersky official blog – ​Read More

You get a delivery notification — or simply find a package sitting by your front door. But you didn’t order anything! Of course, everyone loves a free gift, but in this case you should be wary. There are several scams that start with the delivery of a package to your home.

Of course, check with friends and family first — someone might have sent you something without mentioning it. But if nobody steps forward, there’s a good chance you’re facing one of the schemes described below.

Spoiler alert: under no circumstances scan QR codes or call phone numbers printed on the packaging.

Polishing orders

The term brushing scam comes from Chinese e-commerce slang. 刷单 literally means “to polish orders” — effectively referring to a kind of sales-pumping scam. Originally, this “brushing” was relatively harmless: you received a product you didn’t order, and the seller posted a glowing review in your name to boost their sales ranking. To pull this off, unscrupulous sellers buy leaked databases of personal data, then register new marketplace accounts using victims’ names and mailing addresses — but their (the sellers’) own email address and payment method. As such, the victims don’t suffer direct financial loss.

Lucky you; but first — your review

Over time, such relatively gentle “brushing” has evolved into a much rougher sweep up. These days, scammers try to rip off package recipients by luring them to a malicious website. To do this, they include a card or sticker with a QR code with the delivery. The story accompanying the code varies, with common examples including the following:

• “You’ve received a gift! Scan the code to find out who sent it”
• “Leave a review of our product and get a $100 gift card!”
• “Confirm receipt of your free delivered item!”

If the victim scans the QR code to find out who the sender is or claim another gift, the rest follows the classic pattern of quishing (QR phishing): either coaxing the victim into entering their payment data (for example, to “activate” the gift card) or codes from banking/government apps, or urging them to install an app for “confirmation” or “activation” — which, of course, is malware.

What if there’s no product at all?

The above schemes only work when an online store can afford to “give away” products as a promotional tactic. But can scammers still get your data without sending any goods? They can — and do.

Instead of a package, the victim finds a professionally printed postcard at their door: “Unfortunately, our courier service couldn’t deliver your parcel because you weren’t home. A gift valued at $200 can only be handed over in person — please contact us to arrange redelivery.” The postcard includes a QR code, a website address, and sometimes even a phone number to “reschedule” delivery.

If you call the number or visit the malicious site linked in the QR code, you’ll be tricked into giving payment details, passwords, or one-time codes through one of the common “delivery” scam scenarios:

• “Choose a delivery time right away so the item won’t be returned to sender”
• “Pay a $2 fee for redelivery”. The goal here is to get your payment data and then charge much larger amounts.
• “Pay the customs duty”. You’re told a valuable parcel has been sent to you, but you must pay the duty yourself. And these amounts can be quite significant (depending on the supposed item’s value). In some countries, a “courier” may even come in person to collect the fee in cash.

All these schemes can lead to the loss of personal and financial information — but sometimes they escalate into phone fraud with much larger losses. For example, after you pay a fake delivery fee, scammers may call you and claim the parcel cannot be delivered because it contains drugs. This is followed by the psychological pressure of calls from a “police officer”, and attempts to extort a large sum of money to “protect” you from criminal charges.

Cash on delivery

Another popular scam involves products with payment upon delivery. Sometimes scammers advertise a product in advance and send it to the victim with their consent — but there’s also a version where a parcel arrives out of the blue. One day, a courier turns up at your door with a package in your name. Usually, an attractive product name is prominently displayed on the box — for example, a high-end smartphone. But… you have to pay for it. The price is 2–3 times lower than the market rate. The scammers count on greed and urgency (“the courier’s in a hurry, let’s get this done quickly!”) to make the victim pay without checking the item properly. The courier rushes off, and the victim opens the box to find either a cheap knockoff of the claimed product — or just plain garbage.

If the target refuses to pay for the mystery item, the scammers may have a “Plan B” ready — tricking them into giving a one-time verification code for a marketplace or bank, under the pretext of “confirming the order cancellation”.

Targeted attacks

Sometimes, physical delivery scams target specific victims. For example, criminals have attempted to steal cryptocurrency by sending Ledger hardware wallet owners packages claiming to be a free warranty replacement for defective devices. Inside the package was a “new” crypto wallet — actually a USB stick loaded with malware designed to steal the wallet’s seed phrase. Mailing USB sticks has also been used by the FIN7 ransomware gang as part of targeted ransomware attacks on selected organizations.

The hidden threat

Brushing and quishing scams have an unpleasant root cause. If you’re receiving these packages, it means your address and other contact information have been leaked in databases and are circulating on underground forums. These data sets are sold repeatedly, so you may well be targeted by other types of scam too. Be prepared: enable two-factor authentication everywhere, expect scam calls, install to protect yourself from such spam calls, check your bank statements frequently, and be sure to install reliable protection on all your devices.

What to do if you receive an unexpected package?

• Carefully examine the packaging, labels, and any accompanying documents.
• Take a photo of the package just in case, but never follow any links from QR codes or printed text. Keep the packaging in case there’s an investigation later.
• Never call the phone numbers or, again, visit the links printed on the parcel.
• Never pay any “delivery fees” or “customs duties”, and never provide your payment details.
• Never connect unexpectedly received digital storage devices to your computer or smartphone.
• If the package was delivered by a major, well-known courier service (Amazon, eBay, DHL Express, UPS, FedEx, AliExpress, national postal services, etc.), go to the company’s official website, find their contact numbers, online tracking service, or live chat, and check the shipment status and sender information. If the parcel has a tracking number, enter it manually — don’t scan any QR codes on the label.
• Report the suspicious package to the courier service and the police — even if no money was stolen from you.

Read more on scams involving QR codes, marketplaces, and delivery services:

• “Package for you. Please scan the QR code”
• (Un)safe QR codes
• QR: quick response or quite risky?
• Message boards hit by new video-call scam

Kaspersky official blog – ​Read More

Editor’s note: The current article was originally published on March 11, 2024, and updated on August 14, 2025.

Security Operations Centers (SOCs) face an overwhelming volume of threat alerts, making it difficult to separate real threats from false positives without heavy resource use. 

For teams already working with, or planning to adopt Filigran’s OpenCTI, ANY.RUN now offers powerful interoperability that bring real-time malware analysis and fresh threat intelligence directly into your existing workflows. This helps SOCs boost efficiency, cut response times, and act with confidence, all without replacing current tools.

Build Faster Response in OpenCTI with ANY.RUN 

ANY.RUN now offers dedicated OpenCTI connectors for its main products, allowing SOC teams to use them with their existing security stack seamlessly. This means there is no need to change existing processes and tools, making interoperability simple for those already using OpenCTI. 

Available for ANY.RUN’s Enterprise plan users, it is designed to improve SOC metrics for incident detection and response, streamline routine tasks, reduce response times, and provide deep analytics. 

• Interactive Sandbox: Automate analysis of suspicious files and URLs to quickly understand their threat level, TTPs, and collect IOCs. 

• Threat Intelligence Lookup: Enrich observables with threat context based on fresh live attack data. 

• Threat Intelligence Feeds: Stay updated on the active threats with filtered, actionable network IOCs from the latest malware samples. 

You can connect any combination of these connectors based on their specific needs and licenses. 

View documentation on GitHub → 

This connectors ensure that accurate threat info is accessible in just a few clicks, significantly boosting SOC effectiveness. 

Automate Threat Analysis for Early Detection with Interactive Sandbox 

ANY.RUN’s Interactive Sandbox is a cloud-based service that provides SOC teams with instant access to fully interactive Windows, Linux, and Android virtual machines for analyzing suspicious files and URLs.  

With the OpenCTI connector, SOC teams can: 

• Send files or URLs directly from OpenCTI for instant analysis in ANY.RUN’s Interactive Sandbox. 

• Automate the execution of multi-stage attacks to reach the final stage of an attack. 

• Enrich observables in OpenCTI with indicators obtained from the sandbox analysis. 

Use documentation to set up the connector → 

The connector leverages the Automated Interactivity feature. It allows for automated execution of user actions like archive extraction, CAPTCHA solution, and payload launching to trigger each stage of an attack and ensure complete detection of the most evasive threats.  

The sandbox logs and marks malicious network traffic, processes, registry, and file modifications, providing immediate visibility into threat behavior. 

Here’s a typical scenario of how you can use the connector in your SOC: 

• Analysis: Analysts can send files or URLs for automated sandbox analysis directly from OpenCTI. 

• Decision Making: Results from the sandbox analysis are used to assess threats and make informed decisions. 

• Response and Escalation: Based on the results, analysts can isolate threats, block malicious activities, or escalate incidents as needed. 

Enrich Incidents with Live Attack Data from 15K Organizations via Threat Intelligence Lookup 

ANY.RUN’s Threat Intelligence Lookup provides a searchable database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Action (IOAs). This data is extracted from live sandbox analyses of active malware and phishing attacks across 15,000 organizations, ensuring the indicators are fresh and available quickly after an attack. 

With the OpenCTI connector, SOC teams can: 

• Browse indicators in TI Lookup without leaving OpenCTI  

• Receive data related to URL, IP, domain, and hash observables to gain actionable insights  

• Use collected intel for incident response, to create new rules, train models, update playbooks, etc. 

Use documentation to set up the connector → 

Here’s a typical scenario of how you can use the connector in your SOC: 

• Incident Enrichment: Analysts use TI Lookup to enrich incidents with detailed threat intelligence directly from OpenCTI. 

• Threat Assessment: Analysts rapidly assess threats using up-to-date data and behavioral context. 

• Response and Process Improvement: Enriched data aids in creating effective rules, updating playbooks, and improving detection models. 

Expand Threat Coverage and Proactive Defense with Threat Intelligence Feeds 

Threat Intelligence Feeds help MSSPs and SOCs fortify their security with filtered, high-fidelity indicators of compromise (IPs, domains, URLs) enriched with context from ANY.RUN’s Interactive Sandbox. Sourced from real-time sandbox investigations of active attacks across 15,000 organizations, ANY.RUN’s feeds are updated every two hours, allowing you to track threats as they emerge, develop, and spread to take critical security actions early. 

With the OpenCTI connector, SOC teams can: 

• Retrieve real-time, up-to-date indicators and insights derived from attack investigations. 

• Use ANY.RUN’s data in real-time or on a schedule as a source of malicious indicators for analyzing or investigating alerts and incidents. 

• Send data to other security systems like SIEM or EDR, further improving detection quality. 

Use documentation to set up the connector → 

Here’s a typical scenario of how you can use the connector in your SOC: 

• Expanded Threat Monitoring: Clients connect TI Feeds to OpenCTI to use real-time threat data for analyzing alerts and incidents. 

• Detection and Response: Enhanced detection quality allows for better threat identification and response. 

• Proactive Defense: Data from TI Feeds supports the creation of new rules, training models, and updating playbooks and dashboards. 

How OpenCTI Connectors Can Help Your Business 

The interoperability of ANY.RUN with OpenCTI provides significant user and business value, leading to measurable performance gains across the SOC. 

• Reduced costs and time savings by eliminating the need for custom development and allowing analysts to focus on critical threats. 

• Increased SOC efficiency through streamlined triage, investigation, and escalation for Tier 1 and Tier 2 analysts. 

• Automation of routine tasks, such as manually copying artifacts or launching analyses, which reduces analyst burnout. 

• Reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), enhancing overall SOC metrics. 

• Enhanced decision-making and process improvement by providing detailed reports and enriched data for creating effective rules, updating response playbooks, and training detection models. 

• Proactive threat management and early threat detection by uncovering stealthy or multi-stage attacks that traditional tools might miss. 

• Stronger ROI from existing tools by extending the capabilities of OpenCTI with behavioral analysis and contextual enrichment without additional infrastructure. 

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy. 

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions. 

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. 

Ready to see the difference? Start your 14-day trial of ANY.RUN today → 

The post ANY.RUN & OpenCTI: Transform SOC for Maximum Performance appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More