Editor’s note: The current article was originally published on April 10, 2024, and updated on July 15, 2025.

Modern cybersecurity teams face growing pressure: more threats, tighter SLAs, and less time to investigate. The difference between fast containment and a damaging breach often comes down to visibility, collaboration, and control. 

ANY.RUN’s Enterprise plan is a complete malware analysis plan built for organizations that can’t afford to miss a threat. It combines interactive sandboxing, robust privacy settings, centralized team management, and flexible integrations.  

It provides SOCs with the full picture of every threat, helping them respond quickly and accurately, no matter the size or sector of your organization. 

Why Leading Security Teams Choose ANY.RUN’s Enterprise Plan 

Enterprise gives security teams all the essentials in a single, unified solution—from threat visibility and secure collaboration to automation and ecosystem integration. With a setup designed to fit into existing workflows, it removes bottlenecks and accelerates decision-making at every stage of investigation. 

The results speak for themselves: 

• 90% of companies report higher detection rates after adopting ANY.RUN 

• 95% say they resolve investigations significantly faster 

• 80% of Fortune 100 companies rely on ANY.RUN in their security operations 

• Trusted by 15,000+ organizations across finance, telecom, retail, government, and healthcare 

ANY.RUN helps teams cut through alert noise, validate threats faster, and stay ahead of what’s coming next. 

Real-World Success Stories: How Security Teams Win with ANY.RUN Enterprise 

ANY.RUN’s Enterprise plan is trusted by leading organizations to solve real problems, streamline operations, and stay ahead of threats. 

From managed security providers to financial institutions, more than 15,000 organizations around the world use Enterprise to improve visibility, accelerate response, and strengthen their security posture. 

Expertware Cuts Investigation Time by 50% with ANY.RUN Enterprise 

Expertware, a leading European IT consultancy, needed to accelerate investigations, reduce manual overhead, and deliver faster results to clients. With Enterprise, they achieved a 50% reduction in malware investigation turnaround time. 

By replacing time-consuming manual setups with interactive sandboxing, Expertware improved visibility into complex threats, streamlined collaboration across their SOC, and scaled operations without adding overhead. 

Besides the faster investigation, Expertware achieved: 

• Greater SOC efficiency: Interactive analysis and shared reports improved collaboration and reduced rework 

• Deeper visibility: Full insight into multi-stage and fileless attacks, from macro execution to C2 communication 

• Stronger client outcomes: Faster, clearer reporting helps clients respond before threats escalate 

Investment Bank Improves SOC Efficiency and Stops Ransomware with ANY.RUN Enterprise 

A Brussels-based investment bank adopted ANY.RUN’s Enterprise plan to overhaul its overloaded cybersecurity operations. Facing constant phishing and ransomware threats, their lean SOC team needed a solution that could speed up investigations, enhance visibility, and reduce manual work. 

With ANY.RUN, they replaced slow, manual triage processes with interactive sandboxing and automated analysis, allowing them to detect and contain attacks faster, without adding headcount. 

The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before.

Head of Cybersecurity, EU-based investment bank

Key improvements after adopting the Enterprise plan: 

• Faster triage and response: Analysts process alerts twice as fast using automated sandbox submissions and interactivity 

• Smarter planning and decision-making: Deeper behavioral insights help the team prioritize threats more effectively 

• Prevented major ransomware incident: A suspicious supplier email was detonated in the sandbox, revealing ransomware and saving the company from significant financial and reputational damage 

ANY.RUN became a central part of their modernized SOC, delivering speed, visibility, and control without increasing complexity. 

Privacy: Keep Investigations Secure and Under Control 

In threat investigations, privacy plays an important role. A single public task launched by mistake can expose sensitive data, damage trust, or break compliance. The Enterprise plan helps your team avoid those risks with flexible private analysis options, role-based visibility controls, and secure access through SSO. 

Flexible Private Analysis Quotas 

Enterprise customers can choose the model that fits their team structure best: 

• Unlimited private analyses per user with a per-user pricing model 

• Unlimited users with a per-analysis pricing model 

This flexibility makes sure your investigations stay private, without limiting your team’s ability to scale or collaborate. 

Granular Privacy Controls 

You can control each user’s access to the sandbox, including the default privacy level of their analyses; whether tasks are visible only to the user, shared with the team, or accessible via a link. Team masters can define what analysts are allowed to share and ensure sensitive investigations aren’t exposed by mistake. 

In large or distributed teams, one misconfigured setting can lead to accidental data leaks. Granular privacy controls help reduce that risk by enforcing visibility rules at the user level, keeping your analysis environment secure without slowing your team down. 

Let us show you how ANY.RUN can help your SOC team – book a call with us

Single Sign-On (SSO): Simpler Access, Stronger Control 

For busy security teams, managing multiple logins can slow things down, and increase risk. With Single Sign-On (SSO) in the Enterprise plan, your team can log in to ANY.RUN using the same credentials they use across the rest of your organization. 

That means: 

• Fewer login issues and less time wasted on password resets 

• Stronger access control, especially as your team grows 

• Easier onboarding and offboarding for analysts and contractors 

SSO helps your SOC stay efficient and secure, giving every team member fast, reliable access to the sandbox, without extra friction. It also reduces the chance of human error, making it easier to stay compliant with internal policies and external standards. 

Automated Interactivity: Streamline Analysis for Faster Response

Automated Interactivity, powered by machine learning, enables security teams to automate file/URL analysis by letting the sandbox simulate human actions to outsmart evasion tactics like CAPTCHAs and redirects. Available exclusively in Enterprise plan, it gives a massive boost to SOC efficiency by automating detonation of attacks and accelerating threat detection.

It identifies and detonates malicious content, such as email attachments, payloads inside archives, URLs in QR codes. Thanks to this feature, your SOC team can reduce workload, improve the detection rate and alert processing capabilities, while focusing on critical incidents only.

This sandbox has provided features we didn’t have previously and helps to make the team more efficient

Joel P., Enterprise (> 1000 emp.)

API/SDK: Integrate ANY.RUN for Faster SOC Workflows 

The Enterprise plan gives your team full access to API and SDK integrations, so you can embed ANY.RUN directly into your existing workflows, automate routine tasks, and enrich investigations with real-time behavioral data. 

Whether you use a SIEM, SOAR, or case management platform, ANY.RUN connects seamlessly, helping analysts cut down on manual effort and focus on what matters most. 

One of our latest integrations is with IBM QRadar SOAR, a popular platform for incident response. With ANY.RUN’s official app, teams can: 

• Launch sandbox analyses directly from SOAR playbooks 

• Enrich cases with fresh IOCs and behavioral insights 

• Automate repetitive tasks to reduce Mean Time to Respond (MTTR) 

Setup takes minutes; just plug in your API key and get started. 

With integrations like this, ANY.RUN becomes a natural part of your security workflow, helping your team move faster, stay aligned, and act with greater precision. 

Teamwork: Smarter Collaboration for Analysts 

Even the most advanced tools fall short when teams can’t work together effectively. In many SOCs, analysts work in silos, communication breaks down, and duplicated work or missed alerts slow down investigations. 

The Teamwork feature in Enterprise makes collaboration seamless, whether your team sits in the same room or operates across time zones. Analysts can join a shared workspace, while team leads assign roles, track progress, and manage licenses, all from one central interface. 

• Faster coordination across analysts, team leads, and managers 

• Clear task ownership and role definitions to avoid confusion or rework 

• Real-time supervision for team leads, without disrupting workflow 

• Scalable team structure, ready to support fast-growing SOCs 

When every analyst knows what to focus on, and team leads can oversee without micromanaging, you reduce delays, avoid duplication, and build a stronger response process. 

Other Enterprise-Grade Capabilities for Deeper, More Accurate Investigations 

The Enterprise plan gives your analysts the technical depth and flexibility to run more realistic, multi-stage investigations and uncover even the most evasive threats. 

• Ensure full sandbox coverage without feature limitations: Enterprise users get access to 100% of sandbox functionality, unlocking every detection layer and configuration option available. 

• Investigate advanced malware without time pressure: With 1,200-second VM timeout, your team has the time needed to observe full execution chains, from initial dropper to final payload. 

• Reveal location-based behavior and evasion techniques: Use residential proxy and locale selection to simulate real-world environments and detect malware that hides its behavior under generic settings. 

• Analyze threats across real-world environments: Run samples in Windows (11 64-bit, 10 32-bit, and Windows 10 64-bit for Developers, exclusive to Enterprise), Linux, and Android to detect OS-specific behavior and expand coverage across your attack surface. 

• Uncover stealthy or delayed malicious actions: Rely on system process monitoring and reboot support to catch techniques that only activate during system events or over time. 

• Enable external reporting and automation with precision: Export results using JSON and MISP formats, making it easier to integrate analysis findings into your internal tools or client reporting. 

• Support managed services and external collaboration: Work with confidence using a commercial license, built for MSSPs and enterprise security teams with external commitments. 

These capabilities make Enterprise more practical for real-world, high-stakes investigations that demand clarity, completeness, and context. 

Trusted by Industry Leaders and Backed by the Community 

ANY.RUN is consistently rated as a leading solution on major platforms. 

• G2 Rating: 4.7/5 → Read Reviews on G2 

• Gartner Peer Insights Rating: 4.8/5 → See on Gartner 

From MSSPs to financial institutions, teams around the world choose ANY.RUN to investigate faster, detect smarter, and simplify their daily workflows. These ratings reflect what thousands of users already know: interactive analysis makes all the difference. 

Boost SOC Performance with Real-Time Threat Intelligence 

Teams using ANY.RUN’s Interactive Sandbox also utilize advanced Threat Intelligence solutions that help you enrich your security, from detection to prevention. 

Threat Intelligence Lookup 

Quickly assess suspicious IPs, domains, hashes, and URLs with real-time context from live sandbox detonations across 15,000 organizations. TI Lookup lets you uses over 40 behavioral and static indicators to help SOC teams make faster decisions, reduce false positives, and respond to threats before they escalate, minimizing business risk and cutting investigation time. 

Explore Threat Intelligence Lookup 

Threat Intelligence Feeds 

Receive continuously updated network indicators pulled from the latest malware samples analyzed in our sandbox. ANY.RUN’s TI Feeds help you proactively block threats and improve detection rules across your entire security stack. 

Explore Threat Intelligence Feeds 

About ANY.RUN 

Designed to accelerate threat detection and improve response times, ANY.RUN equips teams with interactive malware analysis capabilities and real-time threat intelligence. 

ANY.RUN’s cloud-based sandbox supports investigations across Windows, Linux, and Android environments. Combined with Threat Intelligence Lookup and Feeds, our solutions give security teams full behavioral visibility, context-rich IOCs, and automation-ready outputs, all with zero infrastructure overhead. 

Ready to see how ANY.RUN’s services can power your SOC?   

Start your 14-day trial now → 

The post Enterprise Plan: Boost SOC Performance, Reduce Business Risks with ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Fake text messages pretending to be from banks, delivery services, or municipal agencies are scammers’ tactic of choice to trick people into revealing financial information and passwords. This type of phishing is often referred to as “smishing” (from “SMS phishing”). While nearly every carrier filters dangerous text messages, and only a fraction reach recipients, scammers have come up with something new. Over the past year, criminals have been arrested in the UK, Thailand, and New Zealand for sending messages that bypassed carrier networks and went directly to victims’ phones. This technology is known as “SMS blasting”.

What is an SMS blaster?

An SMS blaster pretends to be a cellular base station. About the size of an old computer tower, it bristles with antennas. Scammers often stash it in the trunk of a car or even in a backpack. Once activated, the blaster prompts all nearby phones to connect to it, as it appears to be the most powerful base station with the best signal. When a phone connects, it receives a fake SMS. Depending on the blaster model and reception conditions, the SMS broadcast range is between around 500 and 2000 meters. This is why criminals prefer to operate in crowded areas like shopping malls, or tourist and business centers: these are where all known attacks have been recorded. What’s more, the tech the scammers use provides them with all sorts of tricks: they don’t pay for the messages, they can spoof any sender, and they’re free to include any links at all; they don’t even need to know victims’ phone numbers: any phone will receive a message if it connects to the fake cell tower.

How an SMS blaster works

An SMS blaster exploits vulnerabilities in the 2G (GSM) communication standard. While 2G is primarily used today in remote, sparsely populated areas, all phones still support it. First, the blaster sends a technical signal over modern 4G/5G networks. When any phone or smartphone receives this signal, it attempts to switch to a 2G network. Simultaneously, the blaster broadcasts fake 2G base-station signals. The victim’s smartphone recognizes these as legitimate carrier signals and connects. Unlike the 3G, 4G, and 5G standards – where the smartphone and base station always perform a mutual cryptographic check during connection – this feature was only optional in 2G. This loophole allows an SMS blaster to mimic any carrier. Once connected, it can send any text message to a smartphone. After transmitting the SMS, the fake base station disconnects, and the smartphone reverts to its normal 4G/5G network with its legitimate carrier.

Perhaps surprisingly, this technology isn’t new. Similar to blasters, devices known as IMSI catchers, StingRays, or cell site simulators, have been used by law enforcement and intelligence agencies to gather data on individuals attending events of interest. However, criminals have found a new use for the technology.

Defending against SMS blasters

You can block fake text messages by disabling 2G network connectivity on your smartphone, but that’s a double-edged sword. If you live in an area with poor signal or far from major cities, your phone might still occasionally use 2G. This is why many carriers haven’t completely phased out the outdated technology.

If you haven’t seen the 2G icon (an “E” or “G” next to your signal-strength indicator) in years, you might want to consider this option. Android phones running version 12 or newer offer the ability to disable 2G, but not every vendor makes this toggle visible and accessible. Android 16 introduced notifications that alert you if your smartphone might be connected to a fake 2G tower, but due to hardware limitations these only work on certain newer smartphones.

There’s no similar option in iOS, but you can effectively disable 2G by activating Lockdown Mode. Unfortunately, this does far more than just turn off 2G; it significantly restricts many iPhone functions in the name of maximum security (many would say it renders an iPhone practically unusable).

To avoid sacrificing your phone’s functionality while still protecting yourself from dangerous text messages, consider using a comprehensive smartphone security system. SMS blasts will still be delivered to your phone, but they won’t cause harm thanks to two layers of protection. The system identifies malicious messages regardless of the cellular network and blocks SMS spam (only on Android devices), while phishing protection prevents you from navigating to dangerous websites (on all smartphones).

Beyond technical measures, vigilance and general precautions are crucial in combating fake text messages. Instead of tapping links, sign in to your banking app or delivery service website directly from your bookmarks, your smartphone’s home screen, or by manually typing the address into your browser.

What other tricks do scammers use to try and sneak into your smartphone?

• Data theft during smartphone charging
• Trojan embedded in fake Android smartphones
• Remote hacking of Samsung, Google and Vivo smartphones: the problem and the solution
• How smartphones build a dossier on you
• Are your TV, smartphone, and smart speakers eavesdropping on you?

Kaspersky official blog – ​Read More

Our researchers have uncovered several malicious fake extensions targeting Solidity developers in the Open VSX marketplace. At least one company has fallen victim to the attackers distributing these extensions — losing approximately US$500 000 in crypto assets.

Threats associated with malware distribution in open-source repositories have been known about for a long time. Despite this, users of AI-powered code editors like Cursor AI and Windsurf are forced to use the open-source extension marketplace Open VSX, as they have no other source for the extensions these platforms need.

However, extensions on Open VSX do not undergo the same rigorous checks as those on the Visual Studio Marketplace. This loophole allows attackers to distribute malicious software disguised as legitimate solutions. In this post, we dive into the details of the malicious Open VSX extensions investigated by our experts, and explain how to prevent similar incidents within your organization.

Risks for users of Open VSX extensions

In June 2025, a blockchain developer who had just lost approximately US$500 000 in crypto assets to attackers reached out to our experts and requested an incident investigation. While examining a disk image from the compromised system, our researchers noticed a suspicious component of an extension named Solidity Language for the Cursor AI development environment. The component was executing a PowerShell script — a sure sign of malicious activity.

The extension was installed from the Open VSX marketplace, where it had tens of thousands of downloads (presumably inflated by bot activity). The description claimed to optimize development of smart contract code written in the Solidity language. However, analysis of the extension revealed it had no useful functionality whatsoever. The developers who installed it mistook the lack of advertised features for a bug, didn’t immediately investigate, and just continued their work.

The browser extension wasn’t actually faulty; it was fake. Once installed, it contacted a command-and-control server to download and run a malicious script. This script then installed ScreenConnect — a remote access application — on the victim’s computer.

The attackers used ScreenConnect to upload additional malicious payloads. In the incident our experts investigated, these tools specifically allowed the attackers to steal passphrases for the developer’s crypto wallets and then syphon off cryptocurrency. A detailed technical description of the attack, along with indicators of compromise, is available in a Securelist blog post.

Manipulating search: how attackers promote malicious extensions

A look into the Open VSX marketplace revealed a concerning trend: a fake extension, deceptively named “Solidity Language”, ranked fourth in search results, while the legitimate extension, simply called solidity, appeared all the way down at eighth. It’s no surprise then that the developer downloaded the counterfeit instead of the genuine article.

This ranking is quite surprising, especially considering that at the time of the search, the legitimate extension had more downloads: 61 000 compared to the fake’s 54 000.

The key lies in Open VSX’s ranking algorithm. It doesn’t solely rely on download counts to determine relevance; it also considers other factors like verification status, ratings, and recency. This is exactly how the attackers managed to outrank the genuine extension in search results: the fake one had a more recent update date.

The fake plugin was removed from the Open VSX marketplace on July 2, 2025, right after the cryptocurrency heist. However, the very next day, we found another malicious package with the same name as the original extension, “solidity”, and the same harmful functionality as Solidity Language.

Additionally, our researchers used an open-source component-monitoring tool to discover yet another malicious package in Open VSX. Several details link this package to the same cybercriminals.

Why do developers have to rely on the Open VSX marketplace?

The Visual Studio Marketplace, Microsoft’s official store, has long been the primary industry source for extensions. It includes automatic scanning for malicious code, sandboxed execution of extensions for behavioral analysis, monitoring for anomalies in extension usage, and a number of other features to help identify harmful extensions. However, its licensing agreement dictates that only solutions for use with Visual Studio products can be published in the Visual Studio Marketplace.

Consequently, users of increasingly popular AI-powered code editors like Cursor AI and Windsurf must install extensions from an alternative store: Open VSX. The problem is that this platform has less stringent extension vetting, which makes it easier to distribute malicious packages compared to Microsoft’s official marketplace.

To be fair, attackers sometimes manage to publish malicious extensions even in the more secure Visual Studio Marketplace. For instance, this spring, experts found three malicious extensions there with an infection scheme very similar to the one described in this post, also targeting Solidity developers.

How to stay safe?

No matter where you’re installing extensions from, we recommend the following:

• Be careful when searching marketplaces.
• Always take note of who the developer of an extension is.
• Check the code and behavior of extensions you install.
• Use an XDR solution to monitor any suspicious activity inside the corporate network.

Kaspersky official blog – ​Read More

On July 7, 2025, Google rolled out a Gemini update that gives its AI-powered assistant access to Phone, Messages, WhatsApp, and Utilities data on Android devices. The company announced this update via an email to the users of its chatbot — essentially presenting them with a fait accompli. “We’ve made it easier for Gemini to interact with your device”, the email read. “Gemini will soon be able to help you use Phone, Messages, WhatsApp, and Utilities on your phone, whether your Gemini Apps Activity is on or off”.

The update applies regardless of whether the Gemini Apps Activity feature is enabled or not. Google pushed the update to all Android versions that support Gemini, starting with Android 10. So, although the company warned users, it clearly failed to ask for their explicit consent. Google has already practiced subtle coercion to use its features before: just a month ago, Gemini was integrated into the Gmail client without any warning.

The email itself contained neither clear instructions for how to disable the new features, nor detailed explanations as to what exactly Gemini would do with the collected data. Users received the email just two weeks before the update was launched.

As you’d expect, the tech community was on the verge of panic. Previously, users who wanted to integrate Gemini with their apps had to explicitly enable Gemini Apps Activity. This allowed Gemini to store and use their data long-term, and potentially gave developers access to it – of course, “only for the purpose of improving Google AI”.

Google isn’t alone in this. OpenAI, Anthropic, and other AI companies are guilty of the same “improving service quality” excuse. At least Google gives users the illusion of choice. What makes this case different is that, even with Gemini Apps Activity turned off, Google will still retain your conversations with the AI assistant for up to 72 hours — all for the same purposes of safety, security, and feedback.

We won’t debate whether this is good or bad — we’ll just show you how to completely block Gemini’s access to your apps and data. Grab your phone, and let’s go!…

How to disable Gemini via the app?

1. Open Gemini on your Android device.
2. Tap your profile picture or initials in the top-right corner.
3. Select Gemini Apps Activity.
4. Tap Turn off, or select Turn off and delete activity.

How to disable Gemini via the web interface?

1. Open Gemini in a browser.
2. Click the hamburger menu in the top-left corner.
3. Select Activity or Settings & Help → Activity.
4. Tap Turn off, or select Turn off and delete activity.

Alternatively, you can reach that option directly to turn off Gemini Apps Activity right there.

How to block Gemini from accessing individual apps and services?

If rather than disabling the AI assistant altogether you want to restrict Gemini’s access to data only from certain services like your email or photos, you can customize which apps it can work with and which it cannot.

Disabling Gemini’s access to individual services via the app:

1. Open the Gemini app.
2. Go to your profile and select Apps.
3. Turn off the toggle next to each app or service whose data you don’t want to share with Gemini.

Disabling Gemini’s access to individual services via the web interface:

1. Open Gemini in a browser.
2. Click the hamburger menu in the top-left corner.
3. Select Settings & help → Apps.
4. Turn off the toggle next to each app or service whose data you don’t want to share with Gemini.

Alternatively, you can reach that section of the settings directly.

How to configure additional privacy settings for Gemini?

Deleting saved Gemini data:

1. While in the Gemini app, go to your profile and select Gemini Apps Activity. In a browser, open Activity, click Delete, and select a time range.
   • Last hour/day clears your recent activity.
   • All time clears all your activity.
   • Custom range lets you select a range of data to clear.
2. Confirm deletion.

Setting up auto-delete for Gemini data:

1. While in the Gemini app, go to your profile, and select Gemini Apps Activity. In a browser, open Activity.
2. Choose how long saved data will be kept before it’s deleted: three, 18, or 36 months.

How to completely remove Gemini from your smartphone?

If you plan not to use Gemini on your phone altogether, you can simply uninstall the app:

1. Go to Settings and select Apps.
2. Find Gemini, and tap Uninstall if that option is available.
3. If you don’t see Uninstall, tap Disable Gemini is a system app on some phones and thus not easy to remove. For more details on how to deal with this, see Delete the undeletable: how to disable and remove Android bloatware.

If you’re determined not to have any Google services on your phone, consider installing GrapheneOS; however, be forewarned that this is a solution for geeks with a Pixel phone only.

How to check that you’ve successfully disabled Gemini?

When you’re done with the settings, it’s a good idea to verify if your changes have been applied successfully:

1. Go to the Gemini Activity.
2. Check that there are no records of your activity.
3. In the Gemini app, check the state of the toggles in the Apps.
4. Repeat these checks after each Google update you install.

To protect your Android device, use tried-and-true security solutions like Kaspersky for Android. This will give you peace of mind knowing you don’t have to worry about malware, your privacy, passwords, or personal and payment data.

Here are a few other posts about the subtleties of privacy in Google services and beyond.

• Google forcing Android System SafetyCore on users to scan for nudes
• What Google Ad Topics is, and how to disable it
• Google Location History is now stored offline… or maybe not
• The incognito myth: how private browsing really works
• Privacy under attack: nasty surprises in Chrome, Edge, and Firefox

Kaspersky official blog – ​Read More