While developing our Security Training Lab educational program, we at ANY.RUN have turned to well-established theories of education, cognitive skill development, and the psychology of learning. Their foundational principles emphasize one critical truth: practice is indispensable for mastering complex skills.  

In the field of cybersecurity—especially in malware analysis—the ability to apply theoretical knowledge in real-world scenarios is what separates competent professionals from novices. Inspired by this understanding, we designed the Security Training Lab to bridge the gap between classroom theory and the practical demands of the cybersecurity industry. Students, we believe, are to be equipped to tackle real threats from day one. 

As a malware analysis solutions developer, ANY.RUN has all the resources and capabilities to provide the audience of its educational program with as much practice as it’s ready to digest.  

How Security Training Lab Offers Practice-Oriented Training 

Of course, nobody is going to toss future malware analysts in at the deep end unprepared and watch them flounder in a lake of real cyber threats. Security Training Lab is based on 30 hours of academic content including texts and video lectures.

The program includes modules on:

• Advanced static and dynamic malware analysis
• Study of malware behavior, malicious scripts, files, and macros
• The basics of encryption  

Interactive tasks and tests appear at the end of each module and in the final exam. But real-world examples of detonated, dissected, and analyzed malware run through the entirety of learning material encouraging trainees to find an example or perform a task of their own, to practice their newly acquired skills.

How Security Training Lab Benefits Universities

The emphasis on applicable knowledge and practical experience are not the only features of the Security Training Lab valuable for educational organizations. As a ready-made, expert-supported solution, it offers universities the following benefits:  

• No setup hassle: full access to ANY.RUN’s Interactive Sandbox for instructors and students. The course is available and ready for use on the Seturon platform. There is no need to set up complex environments or worry about local security.

• Up-to-date: based on the latest malware samples, techniques, and real-world scenarios, keeping the curriculum relevant. 

• Scalable for classrooms and remote learners: supports self-paced, instructor-led, and hybrid learning formats. 

• Built-in analytics: instructors can track progress and assess students’ practical skills. 

The Key to Effective Learning: Interactive Sandbox 

Students don’t just read about malicious scripts, ransomware, or phishing kits—they dissect them. Through ANY.RUN’s Interactive Sandbox, they gain full access to a virtualized environment where they can upload, execute, and analyze live threats. 

They also gain access to a repository of malware samples submitted by ANY.RUN’s user community of more than 500,000 cybersecurity professionals. These users (including 15,000 corporate SOC teams that face the most current and dangerous threats) leave public reports on their analysis sessions that students can explore and analyze of their own.

All students of the Security Training Lab have an unlimited access to the Sandbox, so they can go far beyond examples and tasks in the program. 

For example, a student might analyze a phishing link disguised as a legitimate URL, interact with it in the sandbox, and observe how it attempts to steal credentials or deploy secondary malware. Another might de-obfuscate a malicious script, uncovering its hidden payload step-by-step.

These exercises simulate the real-life scenarios analysts face — whether it’s investigating a targeted attack on a corporate network or responding to a widespread malware campaign. By engaging with authentic samples, students learn to recognize patterns, anticipate attacker tactics, and develop effective mitigation strategies. 

A Dive into Practice: Full Scope of Tools 

Of course, the hands-on part of the Security Training Lab curriculum is not based solely on ANY.RUN’s tools.

A malware analysis expert is to employ an arsenal of instruments, so it’s vital for the students to start acquainting with them early and intensely.

Conclusion  

The cybersecurity industry is experiencing a global talent shortage, particularly in skilled threat researchers and malware analysts. With the Security Training Lab, we help to address this gap by providing a practice-first, job-relevant learning experience. 

Through hands-on training with real malware samples and simulations of workplace challenges, we’re preparing students not just to understand cyber threats, but to defeat them.  

By integrating ANY.RUN’s course into the academic program, universities meet the challenges of offering a competitive educational product, answering to the market urges, and providing their students with the most promising career opportunities.  

For Universities: Contact ANY.RUN to integrate Security Training Lab in your curriculum 

About ANY.RUN

ANY.RUN supports over 15,000 organizations across numerous industries, including banking, manufacturing, and healthcare. Our interactive malware analysis and threat intelligence tools allow companies and SOC teams to speed up their threat investigations, ensure proactive security, and build stronger and more resilient operations.

The post Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

At ANY.RUN, we love hearing about clients’ experiences. Quality feedback helps us improve and gives new and existing users a clearer understanding of our tools in actual security scenarios. 

That’s why when we spoke with Augustin Alexandrovici, who leads Cyber Intelligence Operations at Expertware, we knew we had to share our conversation.  

Check out the highlights to see how a Managed Security Service Provider employs ANY.RUN in its operations. 

Company Overview 

Expertware is a leading IT consultancy with over 18 years of experience, specializing in cybersecurity and Security Operations Center (SOC) services. With a dedicated team of over 30 cyber experts, we can seamlessly build or extend internal teams to address evolving threats and ensure robust protection for businesses. 

Our expertise spans AI and machine learning, full-stack development, IT architecture, and business optimization. Having completed over 500 successful projects for leading European clients across industries such as banking, insurance, retail, telecom, and more, we deliver innovative, high-impact solutions that foster growth and resilience. 

What Made Expertware Look for a Malware Sandbox 

We started looking for a sandbox, because we wanted to offer to our customers an in-depth view of security incidents targeting their IT Infrastructure. 

Before, we had to manually set up reverse-engineering environments, which was a time-consuming process. The extra steps required slowed down our ability to analyze and respond to malware threats in an efficient way. 

We also wanted to improve the average turnaround time for malware investigations to make operations faster and be able to process more threats.  

Another challenge we sought to address was the limited visibility into attacks. We needed a solution that would present us with an intuitive and streamlined view of threats’ entire kill chain. 

With all of these taken into consideration, ANY.RUN’s sandbox became our choice. 

ANY.RUN has enabled us to actually interact with malicious files on the fly, which saves us from risky manual setups and cuts down on the resources we allocate to daily tasks

One of the main factors behind our decision was the interactivity. It instantly solved the problem of building and maintaining our custom VMs for malware analysis. ANY.RUN has enabled us to actually interact with malicious files on the fly, which saves us from risky manual setups and cuts down on the resources we allocate to daily tasks. 

How Expertware Use ANY.RUN 

Our organization has been using ANY.RUN for over a year. Initially, we started with a proof of concept (POC) phase to see how it would fit into our SOC workflow, and we found it very effective, so we fully integrated it soon afterwards. 

Now we use all the core products provided by ANY.RUN: the Interactive Sandbox, TI Feeds, and Threat Intelligence Lookup complementing and enriching our SIEMBIOT cyber security. Our team relies on them for malware analysis, dynamic execution of files, and rapid threat intelligence analysis. 

We use the sandbox specifically for: 

• Malware Investigations: We submit suspicious files for dynamic analysis to observe malicious behavior, network indicators, and potential dropper actions. 

• Phishing Analysis: We examine advanced phishing campaigns to see how attachments or malicious scripts are executed within a controlled environment. 

• Indicator Extraction and Mapping: We extract IOCs, map the full scope of the attack to the MITRE ATT&CK framework, and quickly integrate them into our threat intelligence feeds and detection systems. 

• Training & Collaboration: We share interactive reports across the SOC and Incident Response teams to facilitate collaborative analysis and help junior analysts develop their skills. 

Examples of Cyber Threats ANY.RUN Helps Address 

At Expertware, we routinely confront threats like advanced infostealers (e.g., RedLine, Raccoon Stealer), persistent backdoors (like NanoCore or Remcos), and botnet malware (such as Emotet). ANY.RUN’s Interactive Sandbox and real-time analysis tools are invaluable in helping us quickly detect, investigate, and neutralize these evolving threats. 

Notable Use Case: XLoader Phishing Attack 

One notable case involved a highly obfuscated phishing campaign distributing XLoader malware in a multi-stage infection chain. Initially, the malicious attachment was a seemingly benign Microsoft Office document containing VBA macros. Once the macro was enabled, it executed a PowerShell command that retrieved additional payloads from a remote server.

This was followed by fileless techniques, such as reflective loading of DLLs directly into memory, making static detection difficult. When we ran the sample in ANY.RUN’s Interactive Sandbox, we could manually walk through each stage of the infection process. Specifically: 

1. Macro Execution: We triggered the VBA macro inside the sandbox, capturing real-time logs of spawned processes (e.g., powershell.exe) and network connections. 

2. Decoding the PowerShell Script: The script was obfuscated using string concatenation and base64 encoding. ANY.RUN’s interactive approach lets us step through and decode the script in real time, exposing the URLs used for Command & Control. 

3. Memory Analysis: By pausing and resuming processes, we pinpointed the exact moment the additional payload was written directly to memory. This was crucial in revealing the second-stage DLL that XLoader injected, bypassing traditional on-disk detection. 

4. Network Traffic Inspection: We observed the malware connecting to its C2 infrastructure, sending beacon requests with system reconnaissance data. ANY.RUN’s detailed packet capture allowed us to extract and analyze these indicators (e.g., domain names, IP addresses, and request parameters). 

5. Persistence Mechanisms: XLoader used several registry-based techniques to maintain persistence. We tracked registry changes within the sandbox session, which helped us craft custom detection rules in our SIEM and endpoint solutions. 

Without the ability to dynamically interact with the malware (e.g., clicking through the macros, responding to execution prompts, and examining in-memory behavior), many of these steps would have remained hidden, especially given the extensive use of fileless and obfuscation techniques. ANY.RUN gave us the granularity to uncover each stage, correlate events, and produce comprehensive IOCs to better protect our environment and inform our incident response. 

In short, ANY.RUN’s interactive approach was critical in dissecting this complex multi-stage XLoader campaign and swiftly mitigating its impact across our network. 

Security and Operational Improvements After Adopting ANY.RUN 

With ANY.RUN, our malware investigation and IOC extraction processes have seen over a 50% reduction in turnaround time.  

The time saved in malware investigations means threats are contained and remediated faster, right? So, I believe the real added value is the opportunity to reduce potential damage. Which is really the one and only scope of our work. 

With ANY.RUN, our malware investigation and IOC extraction processes have seen over a 50% reduction in turnaround time

The visual process tree and network analysis allow us to see an attack’s full scope in one place, which really speeds up our containment and remediation processes. 

Plus, collaborating got easier—everyone’s on the same page when we can share those interactive reports. 

Implementation Challenges and Solutions 

To integrate ANY.RUN into our SIEM and SOAR platforms for real-time data flow, we used APIs and custom scripts, supported by OpenCTI integration. Initial challenges included interoperability issues with our Filigran system, data formatting mismatches, and security constraints. Collaboration with vendors and iterative testing resolved these issues, achieving reliable performance. 

To help colleagues fully utilize ANY.RUN’s interactive features, we conducted in-house training sessions. These covered the platform’s core functionalities, best practices for malware analysis, and real-time collaboration techniques. This ensured all team members, from junior analysts to experienced responders, could effectively use the new workflows and maximize the platform’s capabilities. 

Employee Feedback 

Our employees are generally very positive about ANY.RUN’s products. Analysts appreciate the intuitive interface and the ability to manipulate malware in real-time. Junior analysts find it educational, since they can watch suspicious processes unfold step by step, learning about Tactics, Techniques, and Procedures (TTPs) in a hands-on manner. Senior analysts value the time savings and the visual clarity of the results. 

Junior analysts find it educational, since they can watch suspicious processes unfold step by step

Advice for Those Planning to Integrate ANY.RUN 

We advise starting with a pilot project on the most suspicious files—you’ll see the value right away. Take advantage of ANY.RUN’s API documentation and support channels to make integration smoother. And if you’re training new analysts, definitely have them dive into the interactive side of things. It’s a real game-changer. 

Plans 

We’re upping our SOC game by adding more automation. ANY.RUN’s API integration makes it easy to connect with our CTI/SOAR platform, so when something malicious is detected, it can trigger containment steps automatically. ANY.RUN will be a core piece of our future setup. 

Conclusion 

A big thank you to Augustine and Expertware for sharing their insight into the day-to-day operations of a security team during our meeting. The expertise and unique perspectives you provided as part of the interview will help other organizations understand the benefits of integrating ANY.RUN’s Interactive Sandbox for stronger security. 

If you are using ANY.RUN’s products and willing to share your experiences with the community, please send us an email at content@any.run. 

About ANY.RUN

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with our Threat Intelligence solutions, TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.

The post How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

What do you do when you need a program but can’t buy an official license yet? Correct answer: “Use the trial version” or “Find a free alternative.” Wrong answer: “Search online for a cracked version.”

Sketchy alternative sources are known to offer cracked versions of software, along with other goodies. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.

Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.

Miner and stealer on SourceForge

SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don’t think that SourceForge is dead – today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.

And, as with GitHub, it’s this cosmopolitanism that is a barrier to high-level security. Let’s take just one example: our experts found a project called officepackage on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.

“Officepackage” page on SourceForge

But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download button – the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage project, but through the web page associated with it. How is this possible?

The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io. So a project named officepackage is given a web page at officepackage.sourceforge[.]io. Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.

When visiting officepackage.sourceforge[.]io from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite. But, as ever, the devil was in the detail: when you hovered over the Download button, the browser’s status bar showed a link to https[:]//loading.sourceforge[.]io/download. Spotted the trap? The new link has nothing to do with officepackage; loading is an entirely different project.

The “Download” button on the “officepackage” page of the SourceForge software portal leads to a completely different project

And after clicking, users were redirected not to the page of the loading project, but to another intermediary site with another Download button. And only after clicking this did the user, weary of surfing, finally receive a file – an archive named vinstaller.zip. Inside was another archive, and inside this second archive was a malicious Windows Installer.

At the heart of this evil nesting doll were two nasties: instead of Microsoft products, a miner and ClipBanker – malware for substituting crypto wallet addresses in the clipboard – were let loose on the victim’s device after running the installer. Details of the infection scheme can be found in the full version of the study on our Securelist blog.

Malicious TookPS installer disguised as legitimate software

Cybercriminals do not limit themselves to SourceForge and GitHub. In another recent case unearthed by our experts, attackers were found distributing the malicious TookPS downloader, already familiar to us from the fake DeepSeek and Grok clients, through fake websites offering free downloads of specialized software. We discovered a whole series of such sites offering users cracked versions of UltraViewer, AutoCAD, SketchUp and other popular professional software, meaning that the attack was not only aimed at home users, but also at professional freelancers and organizations. Other malicious files detected included the names Ableton.exe and QuickenApp.exe, purported versions of the popular music creation and money management applications.

Fake pages distributing TookPS

By circuitous means, the installer downloaded two backdoors to the victim’s device: Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon. See another Securelist post to find out exactly how the malware was delivered to the victim’s device. The malware gave the attackers full access to the victim’s computer.

How to protect yourself

First, do not download pirated software. Under any circumstances. Ever. A cracked program may be temptingly free and instantly available, but the price you pay will be measured not in money, but in data – your data. And no, that doesn’t mean family photos and chats with friends. Cybercriminals are after your crypto wallets, payment card details, account passwords – and even your computer’s resources for cryptocurrency mining.

Here’s a list of rules we recommend for anyone who uses SourceForge, GitHub and other software portals.

• If you can’t buy the full version of an application, use alternatives or trial versions, not cracked software. You might not get the full functionality, but at least your device is guaranteed to be safe.
• Only download programs from trusted sources. As SourceForge and GitHub practice shows, even then you should proceed with caution and scan all downloaded files with an antivirus.
• Protect your cryptocurrency and banking data with reliable tools. Treat virtual wallets with the same reverence as physical ones.

Further reading in support of not downloading pirated software:

• The dangers of pirated games
• NullMixer: multiple malware in one
• XMRig miner as a New Year’s gift
• Malware lurking in “official” GitHub and GitLab links

Kaspersky official blog – ​Read More

Payment card security is constantly improving, but attackers keep finding new ways to steal money. In days gone by, having tricked the victim into handing over card credentials on a fake online store or through another scam, cybercriminals would make a physical duplicate card by writing the stolen data onto a magnetic stripe. Such cards could then be used in stores and even at ATMs without a hitch. The advent of chip cards and one-time passwords (OTPs) made life much harder for scammers, but they adapted. The shift to mobile payments using smartphones increased resilience against some types of scams — but also opened up new avenues for it. Now, having phished a card number, they try to link it to their own Apple Pay or Google Wallet account. That done, they use this account from a smartphone to pay for goods using the victim’s card — either in a regular store or at a fake outlet with an NFC-enabled payment terminal.

How card credentials are phished

Such cyberattacks entail preparation on an industrial scale. Attackers create networks of fake websites designed to phish for payment data. These might imitate delivery services, large online stores, and even portals for paying utility bills or traffic fines. The cybercriminals also buy up dozens of smartphones, create Apple or Google accounts on them, and install contactless payment apps.

Next comes the juicy bit. When a victim lands on a bait site, they’re asked to link their card or make a mandatory small payment. This requires entering their card details and confirming ownership of the card by entering an OTP. In fact, the card is not charged at this point.

What actually happens? The victim’s data is almost instantly transferred to the cybercriminals, who attempt to link the card to a mobile wallet on their smartphone. The OTP code is needed to authorize this operation. To speed up and simplify the process, the attackers use special software that takes the data supplied by the victim and generates an image of the card that replicates it perfectly. After that, it’s enough just to take a photo of this image from Apple Pay or Google Wallet. The exact process of linking a card to a mobile wallet depends on the specific country and bank, but usually, no data is required other than the number, expiration date, cardholder name, CVV/CVC, and OTP. All this can be phished in a single session and put to use immediately.

To make attacks even more effective, cybercriminals employ additional tricks. First, if the victim comes to their senses before tapping the Submit button, any data already entered into the forms is still passed to the criminals — even if it’s just a few characters or an incomplete entry. Second, the fake site may report that the payment failed and prompt the victim to try a different card. This way, the criminals might phish details for two or three cards in one go.

The cards aren’t charged right away, and many people, seeing nothing suspicious on their bank statement, forget all about the incident.

How money is stolen from cards

Cybercriminals might link dozens of cards to one smartphone without immediately trying to spend money from them. This smartphone, stuffed with card numbers, is then resold on the dark web. Often, weeks or even months go by between the phishing and the spending. But when that unpleasant day eventually comes, the criminals might decide to splash out on luxury items in a physical store simply by making a contactless payment from a phone full of phished card numbers. Alternatively, they might set up their own fake store on a legitimate e-commerce platform and charge money for non-existent goods. Some countries even allow ATM withdrawals using an NFC-enabled smartphone. In all of the above cases, no confirmation of the transaction via PIN or OTP is required, so money can be siphoned off until the victim blocks the card.

To speed up transferring mobile wallets to clandestine buyers, as well as to reduce the risk for those making payments in stores, attackers have begun to use an NFC relay technique dubbed Ghost Tap. They start by installing a legitimate app such as NFCGate on two smartphones — one with the mobile wallet and stolen cards, the other used directly for payments. This app transmits, in real time over the internet, the NFC data of the wallet from the first phone to the NFC antenna of the second, which the cybercriminals’ accomplice (known as a “mule”) taps on the payment terminal.

Most terminals in offline stores and many ATMs are unable to tell the relayed signal from an original one, allowing the mule to easily pay for goods (or gift cards, which make it easier to launder the stolen funds). And if the mule is detained in the store, there is nothing incriminating on the smartphone, only the legitimate NFCGate app. No stolen card numbers are there, for these are tucked away on the smartphone of the mastermind behind the operation, who can be anywhere, even in another country. This method allows scammers to quickly and safely cash out large sums because there can be multiple mules paying almost simultaneously with the same stolen card.

How to lose money by tapping your card on your phone

In late 2024, fraudsters came up with another NFC relay scheme and successfully tested it on users from Russia, and there’s nothing to stop the operation from being scaled up worldwide. In this scheme, victims aren’t even asked for their card credentials. Instead, the attackers socially engineer them into installing a supposedly handy app on their smartphone under the guise of a government, banking, or other service. Since many such banking and government apps in Russia were removed from official stores due to sanctions, unsuspecting users readily agree to install them. The victim is then prompted to hold their card to their smartphone and enter their PIN for “authorization” or “verification” purposes.

As you might have guessed, the installed app has nothing in common with its description. In the first wave of such attacks, what victims received was the same NFC relay, repackaged as a “handy app”. It read the card when held to the smartphone, and transmitted its data along with the PIN to the attackers, who used it to make purchases or withdraw cash from NFC-enabled ATMs. Anti-fraud systems of major Russian banks quickly learned to identify such payments due to mismatches in the victim’s and the payer’s geolocation, so in 2025 the scheme — but not the essence — changed.

Now, the victim receives an app for creating a duplicate card, and the relay is installed on the attackers’ side. Next, under the bogus pretext of the risk of theft, the victim is persuaded to deposit money into a “safe account” through an ATM, using their smartphone to authorize the payment. When the victim holds their phone to the ATM, the scammer relays their own card details to it, and the money ends up in their account. Such operations are hard to track for automatic anti-fraud systems since the transaction looks perfectly legitimate — someone walked up to an ATM and deposited cash onto a card. The anti-fraud system doesn’t know that the card belonged to someone else.

How to protect your cards from scammers

First of all, Google and Apple themselves, together with payment systems, should implement additional protective measures in the payment infrastructure. However, users can also take steps to protect themselves:

• Use virtual cards for online payments. Don’t keep large amounts of money on them, and only top up just before making an online purchase. If your card issuer allows it, disable offline payments and cash withdrawals from such cards.
• Get a new virtual card and block your old one at least once a year.
• For offline payments, link a different card to Apple Pay, Google Wallet, or a similar service. Never use this card online, and if possible, use a mobile wallet on your smartphone when paying in stores.
• Be very wary of apps asking you to hold your payment card to your smartphone, never mind enter your PIN. If it’s a long-trusted banking app, then okay; but if it’s something dodgy you only just installed from an obscure link outside an official app store, then stay clear.
• Use plastic cards at ATMs, not an NFC-enabled smartphone.
• Install a comprehensive security solution on all computers and smartphones to minimize the risk of landing on phishing sites and installing malicious apps.
• Enable the Safe Money component, available in all our security solutions, to protect financial transactions and online purchases.
• Activate the fastest possible transaction notifications (text and push) for all payment cards, and contact your bank or issuer immediately if you notice anything suspicious.

Want to learn more about how scammers can steal money from your cards? Read our posts:

• Web skimmers: why are they particularly sneaky and dangerous?
• How cybercriminals steal funds from bank cards — and how to protect yourself from such theft
• Rules for safe online shopping
• Five Kaspersky technologies to protect your finances

Kaspersky official blog – ​Read More