This year marks the 20^th anniversary of the Common Vulnerability Scoring System (CVSS), which has become a widely accepted standard for describing software vulnerabilities. Despite decades of use and four generations of the standard — now at version 4.0 — CVSS scoring rules continue to be misused, and the system itself remains the subject of intense debate. So, what do you need to know about CVSS to effectively protect your IT assets?

The CVSS Base Score

According to its developers, CVSS is a tool for describing the characteristics and severity of software vulnerabilities. CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST). It was created to help experts speak a common language about vulnerabilities, and to facilitate automatic processing of data on software flaws. Almost every vulnerability published in major vulnerability registries like CVE, EUVD, or CNNVD includes a severity assessment based on the CVSS scale.

An assessment typically consists of two main parts:

• A numerical rating (CVSS score), which shows how severe the vulnerability is on a scale from 0 to 10. A score of 10 means it’s an extremely dangerous, critical vulnerability.
• A vector, which is a standardized text string that describes the vulnerability’s key characteristics. This includes details like whether it can be exploited remotely over a network or only locally, if elevated privileges are needed, how complex it is to exploit, and what aspects (such as availability, integrity, or confidentiality) of the vulnerable system are affected by exploitation.

Here’s an example using the highly severe and actively exploited vulnerability CVE-2021-44228 (Log4Shell): Base Score 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Let’s break that down: the attack vector is network-based, attack complexity is low, privileges required: none, user interaction isn’t required, the scope indicates the vulnerability impacts other system components, and the impact on confidentiality, integrity, and availability is high. Detailed descriptions of each component are available in the CVSS 3.1 and CVSS 4.0 specifications.

A crucial part of the CVSS system is its scoring methodology — also known as the calculator, and available for both 4.0 and 3.1. By filling in all the vector components, you can automatically get a numerical criticality score.

The original CVSS calculation methodology included three metric groups: Base, Temporal, and Environmental. The first group covers the fundamental and unchanging characteristics of a vulnerability, and forms the basis for calculating the CVSS Base Score. The second group includes characteristics that can change over time — such as the availability of published exploit code. The third group is designed for internal organizational use to account for context-specific factors like the vulnerable application’s scope or the presence of mitigating security controls in the organization’s infrastructure. In CVSS 4.0, the Temporal metrics have evolved into Threat metrics, and a new group of Supplemental metrics has been introduced.

Here’s how the metrics are interconnected. Software vendors or cybersecurity companies typically assess the Base criticality of a vulnerability (referred to as “CVSS-B” in the 4.0 specification). They also often provide an assessment related to the availability and public disclosure of an exploit (CVSS-BT in 4.0, and Temporal in 3.1). This assessment is a modified Base Score; therefore CVSS-B can be higher or lower than CVSS-BT. As for the Environmental score (CVSS-BTE), it’s calculated within a specific organization based on the CVSS-BT, with adjustments made for their unique conditions of using the vulnerable software.

The Evolution of CVSS

The first two versions of CVSS, released in 2005 and 2007, are hardly used today. While you might still find older CVSS scores for modern vulnerabilities, CVSS 3.1 (2019) and CVSS 4.0 (2023) are the most common scoring systems. However, many software vendors and vulnerability registries aren’t in a rush to adopt version 4.0, and they continue to provide CVSS 3.1 scores.

The core idea behind the first CVSS version was to quantify the severity of vulnerabilities via a scoring system — with an initial separation into Base, Temporal, and Environmental metrics. At that stage, the textual descriptions were loosely formalized, and the three groups of metrics were calculated independently.

CVSS 2.0 introduced a standardized vector string and a new logic: a mandatory and unchangeable Base score, a Temporal score calculated from the Base score but accounting for changing factors, and an Environmental score used within specific organizations and conditions derived from either the Base or Temporal score.

Versions 3.0 and 3.1 added the concept of Scope (impact on other system components). They also more precisely defined parameters related to required privileges and user interaction, and they generalized and refined the values of many parameters. Most importantly, these versions attempted to solidify the fact that CVSS measures the severity of a vulnerability — not the risks it creates.

In version 4.0, the creators aimed to make the CVSS metric more useful for business-level assessments of how vulnerabilities impact risk. This is still not a risk metric, though. Attack complexity was split into two distinct components: attack requirements and attack complexity. This highlights the difference between the inherent engineering difficulty of an attack and the external factors or conditions necessary for the attack to succeed. In practical terms, this means a flaw that requires a specific, non-default configuration on the vulnerable product to be exploited will have higher attack requirements and, consequently, a lower overall CVSS score.

The often-misunderstood Scope metric, which simply offered “yes” or “no” options for “impact on other components”, has been replaced. Developers have introduced the clearer concept of “subsequent systems”, which now specifies what aspect of their operation the vulnerability affects. Additionally, a range of supporting indicators has been added — such as the automatability of an exploit and the impact of exploitation on human physical safety. The formulas themselves have also undergone substantial revisions. The influence of various components on the numerical threat score has been re-evaluated based on a vast database of vulnerabilities and real-world exploitation data.

How CVSS 4.0 is changing vulnerability prioritization

For cybersecurity professionals, CVSS 4.0 aims to be more practical and relevant to today’s realities. We’re facing tens of thousands of vulnerabilities — many of which receive a high CVSS score. This often leads to them being automatically flagged for immediate remediation in many organizations. The problem is, these lists are constantly growing, and the average time to fix a vulnerability is nearing seven months.

When vulnerabilities are re-evaluated from CVSS 3.1 to CVSS 4.0, the Base Score for defects with a severity between 4.0 and 9.0 tends to slightly increase. However, for vulnerabilities that were considered critically severe in CVSS 3.1, the score often remains unchanged or even decreases. More importantly, while Temporal metrics had little impact on a vulnerability’s numerical rating before, the influence of Threat and Environmental metrics is now much more significant. Orange Cyberdefense conducted a study to illustrate this. Imagine a company is tracking 8000 vulnerabilities, and their IT and security teams are required to fix all defects with a Base CVSS score above 8 within a specified timeframe. What percentage of these 8000 real-world vulnerabilities would fall into that category — with or without considering exposure of the exploit to the public (Temporal/Threat adjustment)? The study found that CVSS 4.0, in its base version, assigns a score of 8 or higher to a larger percentage of vulnerabilities (33% compared to 18% in version 3.1). However, when adjusted for the availability of exploits, this number drops significantly — leaving fewer truly critical flaws to prioritize (8% versus 10%).

Critical, High, and everything in between

What’s the difference between a “critical” vulnerability and one that’s just plain dangerous? A text-based severity description is part of the specification — but it’s not always required in a vulnerability description:

• Low Severity: 0.1–3.9
• Medium Severity: 4.0–6.9
• High Severity: 7.0–8.9
• Critical Severity: 9.0–10.0

In practice, many software vendors take a creative approach to these text descriptions. They might modify the names or incorporate their own assessments and factors not included in CVSS. A case in point is June’s Microsoft Patch Tuesday — specifically CVE-2025-33064 and CVE-2025-32710. The first is described as “Important” and the second as “Critical”, yet their CVSS 3.1 scores are 8.8 and 8.1, respectively.

Kaspersky official blog – ​Read More

Many companies today operate a Bring Your Own Device (BYOD) policy, allowing employees to use their own devices for work purposes. This practice is especially prevalent in organizations that embrace remote working. BYOD brings many obvious advantages, but its implementation creates new risks for companies in terms of cybersecurity.

To protect systems from threats, information security departments often require that security software is installed on all devices used for work. At the same time, some employees – especially hotshot techies – may view antivirus software more as a hindrance than a help.

Not the most sensible attitude for sure, but convincing them otherwise can be hard. The main problem is that employees who believe they know better may find a way to dupe the system. Today, we investigate one such method: a new research tool known as Defendnot, which disables Microsoft Defender on Windows devices by registering fake antivirus software.

How no-defender blazed the trail using fake antivirus to disable Microsoft Defender

To understand exactly how Defendnot disables Microsoft Defender, we need to turn the clock back a year. Back then, a researcher with the X handle es3n1n created and published the first version of the tool on GitHub. Called no-defender, it was tasked with disabling the built-in Windows Defender antivirus.

To accomplish this task, es3n1n exploited a weakness in the Windows Security Center (WSC) API. Through it, antivirus software informs the system that it is installed and ready to start protecting the device in real time. Upon receiving such a message, Windows automatically disables Microsoft Defender to avoid conflicts between different security solutions all running on the same device.

Using the code of an existing security solution, the researcher created their own fake antivirus that registered in the system and passed all Windows checks. Once Microsoft Defender was disabled, the device was left unprotected – since no-defender offered no protection of its own.

The no-defender project quickly drew a following on GitHub, where it was starred over two thousand times. However, the antivirus developer company whose code was reused filed a complaint for violation of the Digital Millennium Copyright Act (DMCA). So es3n1n was forced to remove the project code from GitHub, leaving only a description page.

How Defendnot succeeded no-defender

But the story doesn’t end there. Almost a year later, New Zealand programmer MrBruh prompted es3n1n into developing a version of no-defender that didn’t rely on third-party code. Piqued by the challenge and poor sleep, es3n1n wrote a new tool in four days flat, which was dubbed Defendnot.

At the heart of Defendnot was a stub DLL posing as a legitimate antivirus. To bypass all WSC API checks – including Protected Process Light (PPL), digital signatures and other mechanisms – Defendnot injects its DLL into Taskmgr.exe, which is signed and already considered as trusted by Microsoft. The tool then registers the fake antivirus, prompting Microsoft Defender to immediately turn off and leave the device without active protection.

On top of that, Defendnot allows the user to assign any name to the “antivirus”. Similarly to its predecessor, this project became a hit on GitHub, having been starred 2100 times at the time of writing. To install Defendnot, the user must have administrator rights (which employees most likely have on personal devices).

How to protect corporate infrastructure from BYOD misuse

Defendnot and no-defender are positioned as research projects, with both tools demonstrating how trusted system mechanisms can be manipulated to disable protective functions. The conclusion is obvious: you can’t always trust what Windows says.

Therefore, so as not to endanger your company’s digital infrastructure, we recommend beefing up its BYOD policy with a number of additional security measures:

• Where possible, make it mandatory for BYOD device owners to install reliable corporate protection administered by the company’s information security team.
• If this is not possible, do not consider BYOD devices as trusted simply for having antivirus software installed, and limit their access to corporate systems.
• Strictly control access permissions to ensure they correspond to employees’ job responsibilities.
• Pay special attention to BYOD device activity in corporate systems, and deploy an XDR solution to monitor behavioral anomalies.
• Train employees in the basics of cybersecurity so that they understand how antivirus software works, and why they shouldn’t try to disable it. To help with this, our Kaspersky Automated Security Awareness Platform delivers all you need and more.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

The one big thing 

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

Why do I care? 

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

So now what? 

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Security Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

Top security headlines of the week 

Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer) 

Jailbreaking AI with information overload 
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media) 

SatanLock is shutting down
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading) 

Ingram Micro scrambling to restore systems after ransomware attack
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage over its services, and they were forced to take certain systems offline on Friday afternoon, in response to the incident. (SecurityWeek) 

Malicious Chrome extensions with 1.7M installs found on Web Store
Malicious extensions with 1.7 million downloads in Google’s Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

Can’t get enough Talos? 

Scams, jailbreaks and poetic justice
In this episode of the TTP, Hazel Burton sits down with Talos’ Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

Vulnerability Roundup
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

PDFs: Portable documents, or perfect deliveries for phish? 
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

Beers with Talos: Terms and conceptions may apply 
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

Upcoming events where you can find Talos 

• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (Aug. 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe 
Detection Name: Simple_Custom_Detection   

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – ​Read More

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities

Discovered by Marcin 'Icewall' Noga of Cisco Talos.   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities 

Discovered by Kamlapati Choubey of Cisco Talos.   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Cisco Talos Blog – ​Read More

Alert triage as one of the critical SOC and MSSP workflows implies evaluating, prioritizing, and categorizing security alerts to determine which threats require immediate attention and which can be safely dismissed or handled through automated processes. 

Efficient alert triage, supported by robust threat intelligence, ensures that organizations stay ahead of adversaries while maintaining analyst productivity and morale. We shall see how it works on the example of ANY.RUN’s Threat Intelligence Lookup.  

Why Triage is the Key to Efficiency 

For SOCs, triage ensures that internal teams focus on high-priority incidents that could compromise critical systems or data. MSSPs, managing multiple clients, rely on triage to allocate resources efficiently across diverse environments, ensuring timely responses tailored to each client’s needs.  

The triage process acts as the gateway between detection and action — the critical juncture where security alerts either trigger appropriate defensive measures or fade into background noise. 

Challenges and Problems of Alert Triage 

Alert triage is fraught with challenges that compromise its effectiveness in many organizations. 

• Alert Overload: Modern SOCs generate thousands to millions of alerts daily from tools like SIEMs, EDRs, and network monitoring systems. Analysts can only investigate a fraction of these, leading to potential oversight of critical threats. 

• False Positives: Many alerts are benign or irrelevant, consuming valuable time and resources.  

• Lack of Context: Alerts often require analysts to manually gather data from disparate sources, slowing down investigations and increasing the risk of errors. 

• Resource Constraints: Limited staffing and budget constraints stretch SOC teams thin, making it difficult to handle high alert volumes efficiently; the same goes for MSSPs managing multiple clients. 

• Evolving Threats: The complexity and variety of modern cyberattacks demand constant adaptation, challenging analysts to stay ahead with limited tools and time. 

These obstacles create inefficiencies, delay responses, and increase organizational risk.

Speed as a Critical Key Performance Indicator

Speed in alert triage, measured by metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), is a critical KPI for SOCs and MSSPs. Rapid triage minimizes the window of opportunity for attackers, reducing potential damage from breaches, data loss, or system downtime. For businesses, fast triage aligns with key objectives: 

• Minimizing Financial Impact 

• Protecting Customer Trust 

• Operational Continuity  

• Regulatory Compliance 

Organizations with efficient triage processes can handle larger volumes of security data without proportionally increasing staff, improving operational efficiency and ROI on security investments.

Analyst Fatigue: The Hidden Threat to Security Effectiveness 

Analyst fatigue occurs when security professionals become mentally and emotionally exhausted from processing endless streams of alerts, many of which prove to be false positives or low-priority events. 

Cognitive overload increases when analysts must process more information than their mental capacity allows, leading to lower accuracy in threat assessment. Emotional exhaustion develops from the constant pressure of potentially missing critical threats, creating a state of chronic stress that affects both performance and well-being. 

The business impact is profound and multifaceted. Fatigued analysts are more likely to miss genuine threats, increasing the exposure to successful attacks. They may also escalate false positives to avoid responsibility. High fatigue levels contribute to analyst turnover, creating recruitment and training costs while leaving organizations vulnerable during transition periods. 

A negative feedback loop emerges where stressed analysts make more mistakes, leading to increased scrutiny and pressure, which further exacerbates fatigue. This cycle can devastate team morale.  

Balancing Speed and Accuracy: The Dual Challenge of Analyst Overload 

The “need for speed” in alert triage is inseparable from the problem of analyst overload and fatigue. SOCs and MSSPs must analyze threats, incidents, and artifacts quickly to contain risks, but this analysis must be accurate and comprehensive to avoid missing critical threats or wasting resources on false positives.  

Solutions that streamline triage without sacrificing accuracy are essential for overcoming this paradox. You do not choose between speed and accuracy but develop systems and processes that enable both.

ANY.RUN’s Threat Intelligence Lookup: A Comprehensive Solution

ANY.RUN’s Threat Intelligence Lookup addresses both the speed and fatigue challenges by providing rapid, comprehensive threat context for indicators like files, URLs, domains, and IP addresses, and enabling teams to make informed decisions quickly.  
 
Besides basic IOCs, this data contains attack and behavioral indicators including: 

• registry changes, 

• file modifications, 

• processes, 

• network activity, 

• TTPs mapped to the MITRE ATT&CK Matrix, 

• malware configurations, Suricata IDS signatures. 

The data is derived from investigations of real-world cyberattacks on over 15,000 companies using ANY.RUN’s services.   

When analysts encounter suspicious artifacts during triage, they can quickly query the service to obtain detailed information about the threat. This eliminates the time-consuming process of manually researching threats across multiple sources. 

TI Lookup Use Cases: Faster and Smarter Alert Triage

Instead of spending valuable time manually investigating suspicious artifacts, analysts can focus on higher-level analysis and decision-making. Here are a couple of examples.  

1. Artifact Quick Check 

A suspicious IP spotted in network connections can be checked against TI Lookup’s vast indicator database in a matter of seconds.   

destinationIP:”195.177.94.58″ 

The IP address is exposed as malicious and a part of Quasar RAT inventory. It has been detected in recent malware samples, so it is an indicator of an actual threat.   

2. Process Investigation 

Suppose an analyst notices a legitimate utility like certutil.exe is used for retrieving content from an external URL. All they have to do is copy a snippet of command line contents and paste it into TI Lookup search bar with the CommandLine search parameter:  

commandLine:”certutil.exe -urlcache -split -f http” 

Switching to the Analyses tab of the search results, the analyst observes a selection of malware samples that performed this command during their execution chain. Now he knows that this behavior is typical for Glupteba trojan acting as a loader. Each sample analysis can be researched in depth and used for collecting IOCs.  

3. Registry Change Understanding 

Could it be okay if an app changes Windows registry key \CurrentVersion\Run responsible for default autoruns at system startup, by adding a command that initiates a script execution chain via mshta.exe using built-in VBScript? Query TI Lookup using RegistryKey and RegistryValue search parameters:  

registryKey:”SOFTWAREMicrosoftWindowsCurrentVersionRun” AND registryValue:”mshtavbscript” 

As we can notice looking at the found sandbox analyses, such registry modification is often associated with malware evasion and persistence techniques, and is typical for XWorm RAT.  

4. Mutex detection 

When a new malware emerges, the available intelligence on it can be scarce. Nitrogen ransomware became notorious for targeting the valuable and vulnerable financial sector back in mid-2024. For months, a single research report was the source of public data on this strain. It provided analysts with two IOCs and two IOBs, one of the formers was a mutex.  

Before encrypting files, Nitrogen creates a unique mutex (nvxkjcv7yxctvgsdfjhv6esdvsx) to ensure only one instance of the ransomware runs at a time. The mutex can be used for Nitrogen detection, and searching for it via Threat Intelligence Lookup delivers Nitrogen samples detonated in the Interactive Sandbox.  

syncObjectName:”nvxkjcv7yxctvgsdfjhv6esdvsx” 

Each sample can be explored to enrich the understanding of the threat and gather additional indicators not featured in public research. 

5. Payload recognition 

File hashes as unique digital fingerprints of a particular file are popular indicators of compromise. TI Lookup supports md5, sha256 and sha1 search parameters, but also allows to use a file name as a query. 

filePath:”Electronic_Receipt_ATT0001″ 

These lookup results show that a certain file name pattern can emerge in both malicious and benign samples: phishing kit campaigns often use filenames typical for popular documentation formats. 

We can observe several samples of phishing attacks using the file with such name pattern in the Interactive Sandbox:  

File name search can help understand the general mechanics of phishkit attacks and see a broader picture of emerging threats.

Fast, Fatigue-Free Alert Triage with Threat Intelligence 

It’s up to you not to choose between speed and accuracy, nor to accept analyst fatigue as an unavoidable cost of doing business. Instead, embrace solutions that enable both rapid response and meticulous analysis. 

ANY.RUN’s Threat Intelligence Lookup fuels this strategy by providing immediate, context-rich insights into suspicious artifacts and transforming reactive, manual investigations into proactive, informed decision-making. This translates into tangible business values: 

• Enhanced Operational Efficiency: Teams can process a higher volume of alerts with existing staff, optimizing the return on investment in security tools and personnel. 

• Reduced Organizational Risk: Faster and more accurate identification of genuine threats minimizes the window of opportunity for attackers, thereby reducing the likelihood of successful breaches, data loss, and system downtime.   

• Improved Analyst Productivity and Morale: Automating the initial stages of threat intelligence gathering frees analysts from repetitive, cognitively taxing tasks.  

• Preserved Customer Trust and Brand Reputation: Swift and effective handling of security incidents demonstrates a commitment to protecting sensitive data and maintaining operational integrity. 

Investing in solutions like ANY.RUN’s Threat Intelligence Lookup is not just about technology; it’s about building a sustainable and resilient security posture that protects an organization’s financial health, its most valuable assets, and its people. 

About ANY.RUN  

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.  

• Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.  

• Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats. 

Start 14-day trial of ANY.RUN’s solutions in your SOC today 

The post How to Maintain Fast and Fatigue-Free Alert Triage with Threat Intelligence  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More