Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as “critical.”
In this month’s release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 14 “critical” entries, 11 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including KDC Proxy service, Microsoft Office and SharePoint server.
CVE-2025-49735 is an RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given a CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially-crafted application to leverage a cryptographic protocol vulnerability in KPSSVC to perform RCE against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and domain controllers are not affected. Microsoft assessed that the attack complexity is “high,” and exploitation is “more likely.”
CVE-2025-49704 is an RCE vulnerability in Microsoft SharePoint server given a CVSS 3.1 score of 7.7. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper control of generation of code (“code injection”) which would allow an authenticated attacker to execute code over a network. To exploit this vulnerability, an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft assessed that the attack complexity is “low,” and exploitation is “more likely.”
CVE-2025-48822 is an RCE vulnerability in Windows Hyper-V Discrete Device Assignment (DDA) given a CVSS 3.1 score of 8.6. This vulnerability is an out-of-bounds read in Hyper-V that could allow an unauthorized attacker to execute code locally. Microsoft assessed that the attack complexity is “low,” and exploitation is “less likely.”
CVE-2025-47981is an RCE vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism given a CVSS 3.1 score of 9.8. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. According to Microsoft, this vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: “Network security: Allow PKU2U authentication requests to this computer to use online identities.” Microsoft has assessed that the attack complexity is “low,” and exploitation is “more likely.”
CVE-2025-49717 is an RCE vulnerability in Microsoft SQL Server, given a CVSS 3.1 score of 8.5. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. However, Microsoft has assessed “exploitation unlikely”.
The last critical vulnerability listed (CVE-2025-47980) is an information disclosure in Windows Imaging Component that, if exploited, could allow an attacker to read small portions of heap memory. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely.”
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely:”
CVE-2025-49701: Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-49724: Windows Connected Devices Platform Service Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 64435, 64436, 65092, 65096 – 65107, 65110 – 65113.
The following Snort 3 rules are also available: 301114, 301268 – 301272.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-08 21:06:462025-07-08 21:06:46Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
Many have probably heard of the modular malware for mobile devices called Triada. Even nine years after its first mention in 2016, it remains one of the most advanced Android trojans out there. Recently, our team at ANY.RUN came across an interesting sample of this malicious software. The sample in question was embedded in a fake Telegram app.
Since the capabilities of this threat have been extensively studied and described by other researchers, we focused on the packer used by the malware that we named Ducex.
Here’s a detailed breakdown of our analysis and key findings.
Key Takeaways
Triada’s Android Packer: Ducex is an advanced Chinese Android packer found in Triada samples, whose primary goal is to complicate analysis and confuse the detection of its payload.
Encrypted Functions: The packer employs serious obfuscation through function encryption using a modified RC4 algorithm with added shuffling.
XORed Strings: Beyond functions, all strings used by Ducex are also encrypted using a simple sequential XOR algorithm with a changing 16-byte key.
Debugging Challenges: Ducex creates major roadblocks for debugging. It performs APK signature verification, failing if the app is re-signed. It also employs self-debugging using fork and ptrace to block external tracing.
Analysis Tool Detection: The packer actively detects the presence of popular analysis tools such as Frida, Xposed, and Substrate. If any of these tools are found in memory, the process terminates its execution.
Payload Storage & Encryption: The Triada payload is uniquely stored within Ducex’s own classes.dex file in a large, additional section after the main application code, avoiding detection as separate files.
Not malicious itself, Ducex is still quite interesting. Its developers tried their best to complicate analysis as much as possible and confuse detection of the payload it carries using various techniques that will be discussed below.
We have not obtained the source code of this tool, so we relied exclusively on its reverse engineering. For the same reason, we gave it a name ourselves. Studying the classes in the code, we noticed that its authors used the word “Duce” a lot.
“Duce” names of code entities
The library they utilize is called “libducex”. Based on this, we called the packer “Ducex”.
Ducex: The Architecture
Before proceeding to detailed analysis of the tool, let’s look at the general operation scheme of Ducex:
General Ducex scheme
We have outlined all the stages of the tool’s execution; we will demonstrate and discuss them below in their interplay.
Analyzing App’s Java Code
When opening the malicious APK in an Android decompiler (e.g., JADX), the AndroidManifest shows the following data under the application tag:
Application tag contents in AndroidManifest
The com.m.a.DuceApplication class immediately catches our attention. It is specified in android:name, which means an instance of this class is created immediately after the application is launched. Going to its code, we see two methods: attachBaseContext() and onCreate().
Methods within com.m.a.DuceApplication class
We are interested in these methods specifically, as they will be called when creating an instance of the class, in the specified order. Inside them, we see calls to methods of the CoreUtils class:
Methods of CoreUtils class
That’s where it gets interesting. As can be seen in the screenshot above, most methods of this class are native, and they are implemented in the “libducex.so” library.
Additionally, if we decrypt the presented strings, we get, respectively, “org.telegram.messenger.ApplicationLoaderImpl” and “androidx.core.app.CoreComponentFactory“.
As can be seen in DuceApplication.onCreate() and DuceApplication.attachBaseContext(), it is org.telegram.messenger.ApplicationLoaderImpl that will be called to launch the fake Telegram using the CoreUtils.runOn() and CoreUtils.runOnC() methods, and androidx.core.app.CoreComponentFactory will be used in DuceAppComponentFactory, which overrides the creation of various application components (Application, Activity, etc.) to inject custom logic during their initialization using the same methods from CoreUtils:
A CoreUtils method is used to override the creation of Application
Since the most interesting things happen in the libducex.so library, let’s proceed to its analysis.
Libducex.so Library Analysis
Encrypted Functions
It turned out, you can’t just start analyzing the library. For example, the program entry point looks like this:
Entry point with obfuscation
Most instructions are displayed incorrectly. It looks like very serious obfuscation or a completely non-working function. At this point we estimated what would be called even before the program entry point and moved to JNI_OnLoad.
JNI_OnLoad is called after the library is loaded into memory and the control is passed to the JVM.
JNI_OnLoad with obfuscation
As we can see in the screenshot, the situation is exactly the same. The code looks non-working, which makes you think that it might not even be obfuscated but encrypted. So, if even JNI_OnLoad is encrypted, then we need to turn to functions that execute earlier than both it and Entry Point, which means before control is transferred to the JVM.
This function could be .init_proc, which executes immediately after loading the library into memory. And indeed, it was there that we found correct code capable of being decompiled:
.init_proc function
Getting a little ahead of ourselves, we’ll say that the functions were indeed encrypted, and their decryption occurs in .init_proc, in the nested create_key__decrypt_funcs function. Now back to the analysis.
The first thing that interests us is the configuration that is passed as the second argument to the function called in the figure above:
Configuration used to decrypt functions
It consists of the following fields, presented in the same order as in the screenshot above:
Magic value ‘mxe’;
Decryption start address (in our case, Entry Point);
Number of bytes for decryption;
Function that will be called after completion of decryption;
16-byte buffer – key that will be used during decryption.
The decryption itself, occurring in create_key__decrypt_funcs, is carried out according to the configuration data. At first it seemed to us that the code had been encrypted using classic RC4, but this is not quite so. The developers slightly modified the algorithm by adding additional shuffling, so standard RC4 implementations didn’t work; we had to implement it ourselves.
Our decryption script takes a key as input, as well as the part of the file containing encrypted functions. The necessary parameters (the key, the start address of the encrypted part, and its size) are taken from the configuration described above.
def rc4_init(key):
s = list(range(256))
s += [0, 0]
j = 0
for i in range(256):
key_byte = key[i & 0xf]
j = (j + s[i] + key_byte) &0xff
s[i], s[j] = s[j], s[i]
return s
def rc4_process(s, encoded_data):
i = s[256]
j = s[257]
output = bytearray(encoded_data)
for n in range(len(encoded_data)):
i = (i + 1) & 0xff
a = s[i]
j = (j + a) & 0xff
b = s[j]
s[i], s[j] = b, a
output[n] ^= s[(a + b) & 0xff]
for _ in range(2):
i = (i + 1) & 0xff
a = s[i]
j = (j + a) & 0xff
b = s[j]
s[i], s[j] = b, a
return bytearray(output)
def decrypt(key, func_buf):
s = rc4_init(key)
decoded_funcs = rc4_process(s, func_buf)
return decoded_funcs
Applying the script to our library, we got the correct code. Entry Point, for example, now looks as follows:
Decrypted Entry Point code
Now all instructions are correct, and there are no problems with code decompilation.
Encrypted Strings
The encrypted functions, as it turned out, are not the only thing that developers decided to hide from the researcher’s eyes. All strings used by the packer are also encrypted. The algorithm is quite simple: it’s sequential XOR with a given key consisting of 16 bytes. The algorithm is unchanged throughout the entire sample, only the key changes. Example script with a given key:
def xor_data(data, key):
result = bytearray()
for i in range(len(data)):
result.append(data[i] ^ key[i % len(key)]) return result
key = b"GeGrE0tX`:0^6qLS"
encoded_buf = bytearray([0x1d, 0x0c, 0x37, 0x52, 0x2c, 0x5e, 0x12, 0x34, 0x01, 0x4e, 0x55, 0x5e])
decrypted = xor_data(encoded_buf, key)
print(decrypted)
In the output after running this simple script, you can see: bytearray(b’Zip inflatex00′).
What’s interesting here is that all the functions used for decryption are called immediately upon initialization, not when required in the code. And the reference to the array with pointers to these functions is located, respectively, in .init_array, there are a huge number of them there:
.init_array section with functions for decryption
Control Flow Obfuscation
In case the researcher breaks through the encryption, the developers have further obfuscated the code. For example, this is how the structure of the function in which native method names are decrypted looks:
Structure of the function responsible for native methods names decryption
And this is not even half of the function’s code, which could have been about 20 lines long. And all because of such constructions of cycles and conditions, which do not serve any purpose except to complicate the code:
Cycles with the sole purpose to complicate the code
At this point you might think that it would be enough to run the sample under a debugger and go through all these conditional jumps, see the decrypted functions and strings, but if only it were that simple.
APK Signature Verification
The first thing we attempted was to parse the APK using Apktool utility and insert the line android:debuggable=”true” under the application tag in AndroidManifest, then rebuild and sign the APK again.
Upon doing this in the smartphone settings, it’s possible to set up the application to wait for a debugger to connect. It also makes it possible to utilize the following command for adb: adb shell am set-debug-app -w –persistent <package>. On the next launch, a window “Waiting For Debugger” should appear and disappear after the debugger is connected.
But in our case this didn’t work. After rebuilding the application, it began to “crash” immediately after loading libducex. The app checks the APK signature and terminates if it doesn’t match the expected one. Below you can see decrypted strings used when obtaining APK signatures:
Decrypted strings used when obtaining APK signatures
Self-Debugging
Thus, debugging the application by changing the APK didn’t work. Fortunately, there is a way to debug Android applications without setting the debuggable flag and, accordingly, without the need to rebuild and re-sign the file.
This method is more laborious, as it involves building your own Android image and then using it in the emulator. Its description can be found here.
Thus, we built the image, used the debug command given above, and tried to run the application under the debugger. However, the packer held another surprise: after launching the application, the “Waiting For Debugger” window appears only for a fraction of a second, after which normal launch occurs, without waiting for the debugger. This may indicate that the application “debugs itself” so that no one else can debug it.
We found the corresponding functions: a process sets handlers using the rt_sigaction system call, for example, for the SIGCHLD event. This handler checks what happened to the child process, after which it can either terminate or continue its execution.
rt_sigaction call
In x8 – rt_sigaction call code;
In x0 – SIGCHLD code;
In x1 – handler structure address;
In x2 – flags, in our case 0.
And then another interesting thing occurs: the parent process uses the fork system call to create a child process, which, in turn, will work to monitor the state of the parent process. It uses the ptrace system call with the PTRACE_ATTACH parameter to attach to the parent process, after which it waits for events from it and, depending on what happened, resumes the process or terminates it and its own execution.
ptrace call
In x8 – ptrace call code;
In x0 – PTRACE_ATTACH code;
In x1 – value from global variable – parent process pid;
In x2 – unused addr argument;
In x3 – unused data argument.
So, parent and child processes monitor each other’s state and react in case of certain events. Additionally, considering that a process can have only one tracer, connecting an external debugger becomes impossible in this case.
Detection of Frida, Xposed, and Others
At this point, two options remain: either static code analysis, at most using tools capable of emulating instructions (e.g., emulators on the Unicorn engine), or installing Frida hooks to change application behavior without actual APK modification and still be able to dynamically analyze the unpacking process.
But Frida wouldn’t work either, because the packer has built-in checks for the presence of frida_server, as well as Xposed, Substrate, etc.
Decrypted strings in memory
If any of these strings are found in memory, the process terminates execution. This can be patched, but it’ll take time to find the implementations in the code. And we shouldn’t forget about the signature verification used in the library. So we continue with static code analysis.
Where Does the Packer Get Code to Run?
Ducex doesn’t create a separate encrypted file with a payload, instead it stores this code inside its own classes.dex, in a special additional section that goes after the main application code, thus avoiding detection of additional files:
The large section after the map section contains the payload
The screenshot shows that after the map section, where everything should have ended, there is an additional section, and a very large one in size. That’s where the payload is located.
The payload, i.e., Triada, is stored as additional dex modules. It’s noteworthy that despite all its complexity, this tool doesn’t fully compress and encrypt the dex files that it later runs. Instead only 2048 == 0x800 bytes from the beginning of each module are encrypted, while the rest remains untouched. Thus, at least the dex module header will always be completely encrypted, as it has a fixed size of 0x70 bytes, further sections do not have a fixed size. There are 5 modules in the file.
There is also a configuration shared by all modules:
Another configuration common to all modules
Here there is a certain magic value starting with “mx”, but now with additional bytes x01x02. The most useful thing here is the 16-byte key. It is highlighted in red in the screenshot above.
Additionally, there are configurations for each of the modules storing information for decrypting them:
Configuration with info for decrypting a module
The first 4 bytes of this structure are very important, here we have the value 0x100==256, which means that the first 0x800 bytes of this dex are encrypted. If there was, for example, the number 258, this would mean that part of the dex is compressed using zlib. Then come the highlighted fields with module sizes and another 16-bit decryption key, immediately after which the encrypted module block begins.
File structure can be represented like this:
Classes.dex file structure
This scheme doesn’t depict all fields in the configurations, but those that were required for our analysis.
How Is Decryption Performed?
Decryption here is quite complex. Two algorithms are used for it: a modified RC4 and SM4.
The first one is well known, but not the second. SM4 is a Chinese block encryption standard. It is not as popular as, for example, AES, and we managed to identify it by the substitution table:
The substitution table used by SM4
It’s important to note that even the table was encrypted, as well as all the strings used by the tool.
As we know, the unpacker’s dex file contains one main configuration and configurations for each of the 5 modules. All of them require a key. Tracking the execution flow, we can draw the following conclusions:
native_init method: first, the module is decrypted using the key specified in the module’s configuration. This is a preparatory action that can change depending on the first four bytes of the configuration. In our case it’s 256, which means decryption is needed, as indicated above;
native_dl method: here, the same decryption function is called, only now a different key is used, the one specified in the configuration shared by all modules.
What Happens Next?
Let’s turn back to our Java code and remember what happens in the attachBaseContext method:
attachBaseContext method
The native init() and dl() methods are called, and there the main decryptions occur. Immediately after this the CoreUtils.runOn() method is called with the method name org.telegram.messenger.ApplicationLoaderImpl as an argument by the decrypted string CoreUtils.ran. Here no decryptions are observed, only the method launch. Now Triada begins its work.
Summary
Ducex is indeed a very complex and interesting Chinese tool, worthy of the malware that it carries as payload. Its developers tried to foresee as much as possible to confuse Triada detection and complicate analyst research.
In today’s world, having an online presence is practically unavoidable. More and more of our daily lives happen online, and unless you’re a sailor out at sea or a forest ranger, living completely offline is a rare luxury. It’s estimated that each of us generates roughly two to three gigabytes of data every hour through our smartphones, IoT devices, and online services. So, it’s no wonder that, for example, around 70% of Americans are concerned about the government collecting their data, and a staggering ~80% worry about corporations doing the same. Today, we explore where and how our everyday actions leave digital trails, and what we can do about it.
Your morning routine: how your smartphone and browser track you
You wake up, check the weather, maybe scroll through some reels, like a few posts, and check your commute to see the possible traffic jams. When it comes to social media privacy settings, it’s pretty straightforward: you tweak them so your parents and colleagues don’t get a heart attack from your edgy humor. Our Privacy Checker website can help with that. But it gets trickier with geolocation data, which seemingly everyone wants to collect. We’ve already dived deep into how smartphones build detailed profiles on you, and explained what geolocation data brokers are and what happens when their data leaks.
Just imagine: about half of popular Android apps ask for your geolocation even though they don’t need it. And by default, Chrome and Safari allow cross-domain cookie tracking. This lets advertising networks build detailed user profiles for personalized ads. Pretty much all of your smartphone’s telemetry is used to create a thorough consumer portrait — no need for customer interviews or focus groups. The best marketer is in your pocket, but it’s not working for you. What should you do?
Normal measures
Head to Settings → Privacy → Permission Manager. From there, disable background access to the device’s location for messaging apps, weather widgets, and any other apps that needn’t be tracking your movements in the background.
Go to Settings → Privacy & Security → Tracking and turn off Allow Apps to Request to Track. Also, in newer iOS versions, under Settings → Privacy & Security, you’ll find a Safety Check section. This is a great place to review and adjust app and user access to your data, and even reset all access types in an emergency.
Enable Prevent cross-site tracking in Safari’s privacy and security settings on both your mobile devices and computers. Then, in the advanced settings, turn on Use advanced tracking and fingerprinting protection for all browsing.
Paranoid measures
Consider getting a Google Pixel and flashing it with GrapheneOS modified firmware that has Google Play Services disabled. Alternatively, research if AOSP firmware is available for your current Android phone. AOSP gives you a bare-bones Android experience where you choose exactly which services to install.
Enable Lockdown Mode (found under Settings → Privacy & Security). While it significantly limits functionality, it drastically reduces your chances of being tracked or having your iPhone compromised. We’ve covered this mode in detail in our article Protection through restriction: Apple’s new Lockdown Mode.
Set up a local DNS filter: for example, Pi-hole can block more than 280,000 trackers. Alternatively, you can install browser extensions like Privacy Badger for Firefox, Opera, Edge, and Chrome. Many modern routers also allow you to configure DNS filters that can block most ad network traffic on websites. For more on this, check out our post Why you should set up secure DNS — and how.
Hitting the road: the dangers of connected cars
You’re ready for your commute, hop into your car, hit the ignition… The system automatically plays your favorite playlist and has your loved ones on speed dial. Convenient, right? Absolutely, but there’s a caveat. Modern vehicles can transmit a staggering 25 GB of (your!) data per hour!
This creates two categories of problems. First, connected cars are often easier to hack because automotive manufacturers generally have a less-than-stellar approach to cybersecurity. While compromising a car’s onboard systems doesn’t always lead to theft, many vulnerabilities allow attackers to track you, or even remotely control your vehicle. For instance, in November 2024, a vulnerability was discovered in the Mazda Connect onboard system that allowed attackers to execute arbitrary code with root privileges. Before that, significant vulnerabilities were found in vehicles from Kia, Tesla, Jeep, and dozens of other carmakers.
Install an immobilizer that breaks the data bus connection. Some vehicles come with one built-in, but if yours doesn’t, consider a third-party immobilizer.
Regularly update your ECU firmware through official service centers. This helps patch known vulnerabilities, though it’s worth noting that new, undiscovered vulnerabilities could emerge with updates.
Paranoid measures
If you’re serious about minimizing data collection, consider buying a used car with minimal data-gathering and transmission capabilities. The absence of its own cellular module (GSM/3G/4G) in the car is a reliable sign that you’re on the right track.
Embrace public transport or cycling!
Lunch time: the hidden dangers of delivery apps
That much-anticipated lunch break is the perfect time to unwind… and leave a few more digital footprints. Whether you’re ordering coffee through an app or checking in to your favorite bakery on social media, you’re constantly adding to your online profile. This includes your location, payment details, and even your order history from delivery apps.
Food delivery apps, in particular, are incredibly data hungry. On average, they collect 21 categories of personal data, and a staggering 95% of this information is directly linked to your identity. Much of this data doesn’t stay with the delivery service; it gets sent elsewhere. Uber Eats, for instance, shares 12 out of 21 collected data points with partner companies, including your phone number, address, and search and order histories.
What’s more, food delivery services can experience data breaches. When that happens, your personal information — everything from your name, phone number and address to your shopping list and order costs — can end up exposed.
So, it’s clear: we need to do something about this too.
Normal measures
Check your app’s location settings. Instead of granting always-on access, switch it to “only while using the app”. If you’re extra cautious, you can turn off location services entirely and manually enter your address.
Set up a burner email address and use a different name for all your food orders. Even more radically, consider a second smartphone exclusively for delivery apps and other potentially risky applications.
Avoid providing your exact apartment number. Meet the courier at the entrance to the building instead. This can prevent your precise living location from being linked to your spending habits in case of a data breach.
Opting for cash payments ensures your purchase details aren’t stored in a payment system profile.
For a drastically reduced digital footprint, skip electronic lunch ordering altogether. Grab some cash, leave your phone at the office, and head to a local eatery. No phone means no GPS tracking, and cash transactions leave no digital trace whatsoever. While this won’t make you completely invisible (security cameras are still a thing!), it significantly shrinks your digital footprint.
Home sweet home: what your smart devices know about you
There’s nothing quite like relaxing at home after a long day. You ask your voice assistant to turn on the lights or recommend a movie. Smart speakers, TVs, robot vacuums, and other gadgets certainly make life easier. However, they also create a host of vulnerabilities for your home network, and often have questionable privacy practices. For instance, in 2023, Amazon faced a $25 million fine for retaining children’s voice recordings and other privacy violations related to Alexa.
And it’s not just corporations misusing voice assistant capabilities. Surveillance cameras, smart plugs, and even smart kettles are frequently hacked — often being roped into botnets for DDoS attacks. There have even been unsettling cases where malicious actors gained access to home cameras, using them for surveillance or pranks like speaking through a compromised baby monitor.
Normal measures
Dive into your smart home management app (Google Home, Apple Home, the Alexa app, and so on) and look for sections titled Privacy or similar. Turn off options that send your voice recordings for analysis. For Alexa, this is typically Use of Voice Recordings. For Google Assistant, opt out of the quality improvement program. Enable automatic deletion of your voice history. You can also manually clear your query history. With Alexa, just say, “Alexa, delete everything I said today”. For Google Assistant, manage and delete recordings through your Google account. This significantly reduces the amount of data stored.
Every smart speaker has a microphone mute button. If you don’t need the assistant, especially during private conversations, hit that mute button.
Laptops and some smart cameras come with built-in privacy shutters or covers. Use them! It’s a simple way to prevent unwanted peeping.
Many smart TVs allow you to disable the collection of viewing statistics (often called ACR). It’s a good idea to turn this off to stop your TV from sending reports about every channel you flip through.
Modern routers often let you set up a secondary or guest Wi-Fi network. Connect all your IoT devices to that network. This prevents the gadgets from “seeing” your main computers and phones on your home network. Even if one of your smart devices gets hacked, the attacker won’t be able to access your personal data. Plus, it makes it easier to cut off internet access to IoT devices when they’re not in use.
Use a strong, unique password for every device. When you first set up a smart device, always change the default login and password. A reliable password manager like Kaspersky Password Manager can help you generate and store secure passwords.
Paranoid measures
The most drastic option is to completely abandon voice assistants and cloud-based smart home services. Flip those light switches manually, and use mechanical timers for your appliances. The fewer microphones and cameras in your home, the more peace of mind you’ll have. If you absolutely must have an assistant, consider offline alternatives. There are open-source projects like Mycroft AI that can be configured to process commands locally — without sending data to the cloud.
If you’re concerned about covert listening, consider purchasing a bug detector – if it’s allowed in your country. These devices help locate hidden cameras and microphones when, for example, you suspect that a smart light bulb is actually a spy cam. You can also check the four ways to find spy cameras, which we described earlier.
During confidential meetings, either unplug suspicious gadgets or remove them from the room entirely.
Look for IoT devices that can function autonomously. Examples include cameras with local storage that don’t stream to the cloud, or smart home systems built on a local server like openHAB where all your data stays right in your home.
Takeaways
In today’s digital world, your data is a valuable commodity. While it’s impossible to completely erase your digital footprint, that doesn’t mean you should give up doing what you can. By staying aware and implementing smart security measures, you can control a significant portion of your data exposure. The extra protection services found in Kaspersky Premium can further enhance your privacy and payment protection. And our Privacy Checker website offers a wealth of comprehensive guides: these cover privacy settings for smartphones, computers, social networks, apps, and even entire operating systems. Whether you’re looking for simple adjustments or more thorough security measures — we’ve got you covered.
While achieving absolute anonymity often requires an extreme, almost paranoid level of effort, while most people don’t need anonymity, adopting even the “normal” measures from our recommendations will significantly limit the ability of both cybercriminals and corporations to track you.
What other steps should you take to stay safe? Below are some examples:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-08 11:06:392025-07-08 11:06:39Shrinking your digital footprint: a checklist by Kaspersky | Kaspersky official blog
According to Juniper Research data, global e-commerce turnover surpassed $7 trillion in 2024, and is projected to grow by 1.5 times over the next five years. But cybercriminal interest in this field is growing even faster. Last year, losses from fraud exceeded $44 billion — and they’re expected to reach US$107 billion within five years.
Any online platform — regardless of size or industry — can become a target, whether it’s a content marketplace, a hardware store, a travel agency, or a water park website. If you accept payments, run a loyalty program, and allow creation of customer accounts, fraudsters will definitely come knocking. So which attack schemes are most common, what kind of damage can they cause, and how can you stop them?
Account theft
Thanks to infostealers and various database leaks, attackers have access to billions of email-password combinations used on various sites. They can try these combinations on any other site with user accounts, on the assumption that humans often use the same password for different services. This attack method is known as “credential stuffing”, and if successful, attackers can place orders using the victim’s linked bank card or spend loyalty points. Criminals can also use compromised accounts to make fraudulent payments with other credit cards.
Testing stolen cards
Just as with login credentials, attackers may have a database of credit-card data stolen using malware. They need to test which cards are still valid and can process online payments — and for this, any e-commerce site will do. These “test” purchases are usually small. Working cards are then resold to other criminals, who go on to drain the funds in various ways.
From the store’s side, this looks like a customer adding a bunch of random inexpensive items to their cart and repeatedly trying to check out, each time with a different card. Even small stores can end up with hundreds of abandoned carts. Eventually, the payment gateway may block the store for exceeding the allowed number of failed payment attempts.
Buyer fraud
Sometimes real customers may complete an order, only to later tell their bank they never made the purchase — and demand a refund. This could be a case of deliberate fraud, or simply one family member using another’s card without permission — for instance, a teenager using a parent’s card. Although such incidents are usually small-scale, they can still cause serious damage — especially if the store becomes known in “lifehacker” communities as a site that easily refunds money.
Fraudulent purchases
Depending on your store’s niche, location, and other factors, criminals may try to use stolen credit cards to “cash out” by purchasing goods or services. This can result in a wave of orders followed by a flood of disputes and cancellations. In some extreme cases, the volume alone becomes a threat — one store received 118 000 fraudulent orders, with criminals placing a fake order every three seconds.
Gift card attacks
If your store accepts gift cards, bots may attempt to brute-force thousands of card numbers and verification codes to find valid ones. Once found, they’re either used to make purchases or resold on the secondary market.
Loyalty points theft
If your store allows purchases using accumulated loyalty points without requiring additional verification via SMS or other methods, attackers can either immediately drain any account they manage to access, or wait for the victim to accumulate more points. The latter often happens with stores that sell high-value products and have a loyal customer base.
Scalping exclusive products
If you sell, say, tickets to popular concerts or limited-edition sneakers, be prepared for resellers. Scalper bots can snap up all exclusive stock within minutes, triggering justified outrage from loyal customers. There’s an active black market for bots designed for popular e-commerce platforms, such as Shopifybot.
Mass account registration
To successfully run the schemes described above, attackers often create hundreds or thousands of accounts in your store, increasing operational costs — for instance, by triggering welcome SMS messages and follow-up email campaigns.
Direct and indirect business losses
Even if neither you nor your customers lose money or goods, any of the above schemes can lead to a wide range of problems and expenses:
Costs from fraudulent transactions and repeated failed payments. Depending on the situation and the terms of your agreement with the payment gateway, you might have to cover transaction and chargeback fees, fines, and other costs. You might also exceed your transaction limits and temporarily lose access to the payment gateway — effectively paralyzing normal operations.
Advertising costs and distorted analytics. Bots often arrive via referral links, paid search ads, and other forms of online advertising. This means your real advertising budget may be wasted attracting fake users. Even if the bots don’t consume your budget directly, their activity can mess up ad platform algorithms, resulting in lower-quality traffic to your site.
Costs for marketing campaigns and promotions that are misused by exploiting newly created accounts. Already registered users create new accounts to spend welcome bonuses for the first purchase, and fraudsters look for vulnerabilities and try to obtain bonuses en masse by dishonest means. As a result, the marketing budget allocated for attracting and increasing user loyalty is wasted.
Poor planning. Numerous fake orders can be hard to filter out of your analytics — especially if you rely on the default analytics tools built into your e-commerce platform. As a result, planning for demand and stock becomes much more difficult.
Wasted time. Dealing with hundreds of abandoned carts, thousands of bogus accounts, and countless failed payment attempts consumes your employees’ time and energy, leading to operational delays and losses.
Customer dissatisfaction. Depending on the attack type, customers may suffer direct losses (money stolen, loyalty points drained, fraudulent activity on their account) or indirect inconveniences (product shortages, failed transactions). Whatever the issue, your support and marketing teams will have to handle it — offering discounts, compensation and so on. But many customers will simply walk away and never come back.
It’s no surprise that, according to some estimates, for every hundred dollars in fraudulent orders, businesses lose over double that in total costs.
How to protect your online business
The days of blocking bots by filtering IP addresses or adding a CAPTCHA at checkout are over. The AI boom has empowered not only automation in marketing and customer support — but also a new generation of dangerous fraud bots that easily bypass traditional protection.
That’s why businesses of all sizes need next-generation security technologies that monitor every user session from the moment they land on the site until checkout. This kind of continuous protection helps detect any anomalies — whether it’s a compromised legitimate account, abuse of the payment gateway API, mass fake account creation, or attempts to circumvent security measures.
A leading solution in this space is Kaspersky Fraud Prevention. By continuously analyzing the user’s device, behavior, environment, and metadata in real time, it builds a profile of a legitimate user, detects anomalies early on, and protects against account compromise and fraud. Kaspersky Fraud Prevention can be tailored to the specific needs of your store using flexible rules that leverage both your own data and global analytics. The solution does not require installation on the user’s device and is integrated into an existing website and mobile application with minimal effort.
Many site owners report that advanced anti-fraud analytics actually improve the customer experience — since legitimate users encounter fewer CAPTCHAs, SMS verifications, and other friction points. And ultimately, your business faces fewer losses — and can focus more on developing your product range and service.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-07 15:06:452025-07-07 15:06:45How to protect your online store from fraud attacks
Cracking the code of a successful cybersecurity career starts here. Hear from ESET’s Robert Lipovsky as he reveals how to break into and thrive in this fast-paced field.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-05 07:06:382025-07-05 07:06:38How to get into cybersecurity | Unlocked 403 cybersecurity podcast (S2E3)
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-05 07:06:382025-07-05 07:06:38Task scams: Why you should never pay to get paid
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-04 09:06:382025-07-04 09:06:38How government cyber cuts will affect you and your business
Welcome to this week’s edition of the Threat Source newsletter.
Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”
This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.”
I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for.
Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.
There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.
My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend.
And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar?
I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes…
“You’re gonna need a bigger boat.” Overprepare. Expect things to go wrong.
“It’s only an island if you look at it from the water.” Perspective matters. Make sure your alerts are honed to spot the things that really matter.
“Smile, you son of a…” Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank.
In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points.
If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open…
Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with.
Bruce’s story is why Cisco Talos Incident Response exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see.
Enjoy the Fourth of July weekend, and remember to listen out for the duh dun.
The one big thing
Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems.
Why do I care?
Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you’re not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate.
So now what?
Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.
Top security headlines of the week
Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News)
International Criminal Court hit by new ‘sophisticated’ cyberattack In a statement yesterday, the ICC revealed that it had contained a “sophisticated and targeted” cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer)
Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek)
Ahold Delhaize Data Breach Impacts 2.2 Million People The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek)
Germany asks Google, Apple remove DeepSeek AI from app stores The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)
Beers with Talos: Terms and conceptions may apply In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-03 18:06:442025-07-03 18:06:44A message from Bruce the mechanical shark
Summer is in full swing, and that means one thing — it’s time to travel! Remember how people used to prepare for trips? Buying pocket guidebooks and phrasebooks, bombarding all our well-traveled friends with questions: “What should I see?”, “How much do tours cost?”, “And how do I get a SIM card?“.
These days, the world has changed. You can plan a comfortable trip while lounging on your sofa with a smartphone in hand — or even while waiting at the airport gate. All you need do is download the right apps. In this guide, we’ll help you prep both yourself and your phone for your journey:
Sure, you could buy a paper map in advance, but it’s much easier to download a few mapping apps. Yes, a few — don’t rely on just one.
Google Maps. An absolute must-have for any traveler. Plan routes and find nearby hotels, cafes, currency exchanges, and attractions. Read folks’ reviews for insider knowledge on the best spots (and the ones to avoid). Google Maps is every traveler’s digital Swiss Army knife — useful for a ton of different things (as long as you’ve downloaded offline maps in advance or have an internet connection).
Organic Maps. If you’re going somewhere beyond the reach of mobile networks, offline maps are your best bet. You can download a detailed map of your destination before your trip. It includes everything you’d find in Google Maps — restaurants, shops, transport stops — just without user ratings and reviews.
One standout feature is route planning for walking, biking, and hiking. You can even switch to a topographic view to see elevation changes — great for mountainous terrain or outdoor adventures.
Guru Maps. Among tourists, this app is known as “the king of navigation” — and for good reason. With Guru Maps you can venture far off the grid without getting lost. It’s made for finding hiking trails, routes through the wilderness, even swamp-trekking — perfect for when Google Maps and Organic Maps find no route at all.
Like the other two, Guru Maps is free to use, but there’s also a paid Pro version. This lets you download unlimited maps and create enough pins and GPS tracks for even the most hardcore traveler.
How to stay connected?
Offline apps are great, but pre-downloaded information alone isn’t always enough. Especially in big cities, it’s essential to stay online. There are a few ways to do this.
eSIM. Get a local SIM card, or better yet, an eSIM. You can use the Kaspersky eSIM Store app to find and activate affordable local data plans — no roaming fees or plastic SIM cards needed.
It’s simple: install Kaspersky eSIM Store, choose your destination, and buy a data plan that suits your needs. Along with the data package, you’ll receive your free eSIM — simply install it in your device in a couple of clicks. Later you can top up your eSIM for the same or different destinations with more great plans from local operators. And you’re not limited to just one country at a time — if you’re traveling across several countries, choose a regional plan or even get global coverage in 122 countries for constant connection.
eSIMs from Kaspersky eSIM Store don’t include a phone number — they only support data transfer. But your regular SIM stays in your device, so you can still receive texts and calls. Of course, you don’t need to answer roaming calls — but you can see who contacted you and respond via messenger using your eSIM data.
The cool thing is that you can set up eSIMs in advance, including the date your data plan will activate. Kaspersky eSIM Store offers both expiring plans (valid for 30 days in most countries) and non-expiring ones where unused gigabytes are saved for your next trip.
eSIMs and related services are provided by our tech partner BNESIM Limited. For more on all the benefits of eSIMs, check out our blog post: Internet on the go with Kaspersky eSIM Store
Mobile operator app. If you still plan to use roaming from your usual operator, be sure to install their app to monitor your data use, enable roaming options, and top up.
However, there’s a downside here: roaming usually costs much more than using an eSIM from Kaspersky eSIM Store. Yes, some providers offer special plans like unlimited messaging or map access, but relying on them could backfire in a crucial moment. For example, what if you’re in a small town where Google Maps’ timetables for public transportation aren’t up to date? You’ll need to look for an alternative transport app or take a completely different route. That could mean using a search engine — which can be painfully expensive on roaming data.
How to get around comfortably?
This is where specialized apps come to the rescue — reliable in big cities and helpful even in small towns where you could otherwise get stuck.
Moovit. An app to help you navigate public transport almost anywhere in the world. It sources real-time data from transport providers — including private companies — so seasoned travelers trust Moovit in cities with a well-developed public transit system. But don’t expect it to tell you exactly when a local bus is going to arrive in a tiny remote village. In such cases, it’s best to rely on taxis.
Uber. If you’ve ever taken a taxi, there’s a good chance you already have Uber on your phone. It’s one of the world’s biggest ride-hailing platforms: just enter your destination, choose a rate, and wait for your driver. Simple and intuitive — but there’s a catch: Uber isn’t available everywhere. You’ll have no trouble getting a ride in North America, Europe, and parts of Asia, but elsewhere your best bet is often a local taxi app.
Yandex Go. Great for rides in Russia, Georgia, Kazakhstan, Belarus, Moldova, Armenia, Kyrgyzstan, Lithuania, Serbia, and Uzbekistan.
DiDi. Use this app in China, Argentina, Australia, Brazil, Chile, Colombia, Costa Rica, Ecuador, Egypt, Japan, Mexico, New Zealand, Panama, Peru, and the Dominican Republic.
Grab. The go-to ride-hailing app for Southeast Asia: Singapore, Cambodia, Myanmar, Malaysia, the Philippines, Thailand, Vietnam, and Indonesia.
Careem. Ideal for travel in Egypt, Bahrain, Iraq, Jordan, Pakistan, Saudi Arabia, Kuwait, Morocco, and the UAE.
Bonus: InDrive is a unique app that lets you name your price for a ride and choose a driver. Available in 48 countries.
How to enjoy a city like a local?
Sometimes you only have a few hours or a couple of days to explore a huge city. So how do you quickly decide what to see and where to go? Previously, you could find such answers on Foursquare — but what now?
Visit a City. According to its developers, this app covers more than 3000 cities worldwide. Choose free mini-guides, buy tickets to museums and attractions, or book tours. With just a few clicks, you can plan a trip — say, two days in Istanbul — and get a detailed itinerary down to the minute.
Many major cities now offer their own travel apps — so check those out too. For a Thames-side stroll, try Visit London; if it’s mosques and markets you’re after, check Istanbul Tourist Pass; and if you’ve always dreamed of seeing Park Güell, use Hola Barcelona.
ChatGPT. Yes, artificial intelligence can help here too, creating an itinerary for any city on Earth and offering it in a neat PDF or spreadsheet. Just bear in mind that AI can’t always account for real-world factors like traffic or opening hours — things that are kept up-to-date by real people in specialized apps like Visit a City.
But for general plans, ChatGPT works wonderfully. Just tell it something like, “Plan a 2-day trip to Istanbul for two people in their 30s. The pace should be relaxed and must include Galata Tower, a San Sebastián cheesecake stop, and a Bosphorus cruise. Break it down by time, considering traffic.”
How to find good food?
If you’re just looking for a quick bite while exploring, Google Maps or any other map app will do the trick — as long as you’ve got an internet connection, you’ll see nearby food options in seconds. But if you’re after something more authentic or sophisticated, there are dedicated apps for that.
The MICHELIN Guide. Not sure where to eat and want a guaranteed good spot? Pick any restaurant in this guide — and you can even book a table right in the app. A common myth is that Michelin is only for expensive fine dining, but that’s not true anymore: today the guide includes plenty of local gems with reasonable prices and great service. So whether you’re a foodie or just want a reliable recommendation, the MICHELIN Guide has something for every budget.
TheFork. This popular app makes sure no tourist goes hungry — at least in Europe. It’s packed with everything you need: addresses, menus, cuisine types, food photos, average prices, real reviews, and the ability to book a table directly. Sounds ideal, but as usual there’s a catch: TheFork only works in certain major European cities — for now: Paris, Amsterdam, Barcelona, Lisbon, Madrid, Milan, Rome, Geneva, Brussels, Stockholm, Marseille, and Bordeaux.
Local apps. Just like with taxis, every country — or even every city — tends to have its own version of TheFork. So it’s worth doing a little research to see what app is popular at your destination. For example, in the United States, you’ll want Resy and Yelp, while in China, Dianping is the go-to (if your Chinese is ok: it’s only available in Chinese).
Bonus: Flush Toilet Finder. This handy app helps you locate public toilets all over the world — a perfect companion to your restaurant guide. While general maps might also show toilet locations, Flush Toilet Finder provides extra details such as wheelchair accessibility, whether access codes or keys are required, and how much it costs.
How to travel safely?
Connecting to the first open Wi-Fi spot you find is not a great idea — and neither is storing a passport scan in your photo gallery. Here’s how to add a dash of digital safety to your perfect trip mix:
Obsidian. You’ll probably want to plan your trip in advance — and most likely, you’ll try to do so using the standard Notes app on your phone. That’s not the safest option, and sometimes not the most convenient either when it comes to storing important information. Consider Obsidian — it protects your notes with end-to-end encryption and syncs them across your devices. But there are other similar apps out there, which we wrote about in our article Keep it under wraps: encrypted note-taking apps and to-do lists.
Kaspersky Password Manager. Store photos or PDFs of your passports, tickets, vouchers, and other important documents in secure storage — they can only be decrypted and viewed after entering a main password that only you know. At the same time, you can easily add or open any document on any device — the app is cross-platform and constantly syncs information between your smartphone and computer. In addition, our password manager can store two-factor authentication tokens. Remember that traditional one-time passwords may not arrive via SMS while roaming, or they may be severely delayed. Take a couple of minutes at home to configure your frequently used apps and websites so that 2FA codes are generated in Kaspersky Password Manager instead of being sent via SMS.
Kaspersky VPN Secure Connection. If you’ll be connecting to unfamiliar Wi-Fi networks often during your trip, your best bet is to protect your connection. You can do this with the help of one of the fastest VPNs in the world. Plus, VPN also lets you change your phone’s location in advance — so your search results become local! That way, even from home, you can plan visits to the events that locals actually go to, not just tourist traps.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-03 14:06:372025-07-03 14:06:37Best travel apps: maps, taxis, food, internet | Kaspersky official blog
We’ve packed June with updates designed to make your day-to-day analysis faster, clearer, and easier than before. Whether you’re just getting started or deep into reverse engineering every day, these improvements are here to save you time and help you catch more threats.
In this update:
Real-time Detonation Action hints that guide you through the steps needed to keep the analysis forward
Enhanced QR code extraction, making it easier to detect phishing links hidden in documents, images, or dropped during runtime
Expanded threat coverage, including 120 new behavior signatures, 12 YARA rules, and 1,320 Suricata rules across Windows, Linux, and Android
Scroll down to see what’s new and how these updates can help your team work faster, spot threats earlier, and get more from your ANY.RUN sessions.
Product Updates
Detonation Actions: Faster, Clearer Malware Analysis with Real-Time Guidance
In June, we focused on helping analysts work faster and with more clarity, especially during high-pressure investigations. That’s why we introduced Detonation Actions: real-time execution hints that keep your analysis moving forward without guesswork.
Now, when a sample requires interaction to detonate, like opening a file or following a link, Detonation Actions will show exactly what needs to be done.
You can find the Actions tab next to the Processes tab
Whether you’re clicking through manually or relying on automation, you’ll see helpful hints to understand how the threat at hand unfolds.
Manual Mode (Community plan): You’ll see suggested actions during the session and can approve or reject them individually, helping you uncover hidden behavior faster.
Automated Interactivity (Paid plans): Detonation Actions are automatically followed as part of a guided flow. Each step is logged and visible, so your team gets full transparency, even when analysis is fully hands-off.
You’ll find Detonation Actions inside the Actions tab, right next to the process tree. They work across all samples and help analysts of any skill level trigger and observe malware behavior with confidence.
Speeds up threat analysis by guiding analysts through key detonation steps.
Improves SOC handover with action-based insights for smoother investigations.
Accelerates incident response by automating detonation and surfacing behavior fast.
Simplifies onboarding by helping junior analysts learn through guided workflows.
Enables smarter decisions with clearer behavioral context during investigations.
Supports automation by integrating with existing workflows and API-based pipelines.
Test Automated Interactivity with 14-day trial See how you can streamline analysis and boost detection
You can activate Detonation Actions by clicking the new Auto button when launching your VM or toggle Automated Interactivity (ML) manually in Advanced Settings.
Options for enabling Detonation Actions with Automated Interactivity
Enhanced QR Code Auto-Extraction for Broader Use Cases
We’ve improved how the sandbox detects and extracts QR codes, making it easier to investigate threats hidden in documents, images, and archives.
Now, QR code detection works more reliably across a wider range of file types and delivery methods. Whether it’s a malicious link embedded in a PDF or a code inside an SVG file, the sandbox will automatically pick it up and display the decoded URL in the QR tab under Static Discovering.
QR code decoded under Static Discovering
QR-based phishing is still on the rise. This improvement makes it even easier to detect and investigate QR code threats before a user ever scans them.
Threat Coverage Updates
This month, we expanded threat detection across all supported platforms, Windows, Linux, and Android, with major additions to our rule base and signature library.
These updates improve detection accuracy, shorten triage time, and give analysts better visibility into evasive threats. From commodity malware to nation-state actors, the latest rules reflect real-world samples seen in the wild and analyzed inside ANY.RUN.
New Behavior Signatures
We added 120 behavior signatures targeting stealers, ransomware, RATs, loaders, and evasive techniques, many of which were observed in active campaigns.
Some highlights:
PurpleFox – A rootkit-enabled malware that abuses SMB vulnerabilities for lateral movement
Bert Loader – Dropper with obfuscated payload delivery tactics
Bondy Loader – Frequently used to stage ransomware and remote control tools
XData Ransomware – Resurfaces with updated infection logic and encryption flow
LD_PRELOAD Hijacking – A Linux-based persistence technique now tracked as standalone behavior
Winlocker – Known for fake law enforcement messages and aggressive blocking behavior
Ransomblox – Displays error pop-ups while communicating with its C2 during encryption
Conti-style variant – Exhibits callbacks to infrastructure overlapping with known Conti and DragonForce setups
Dacic ransomware – Recently observed in campaigns with custom servers and DNS-based C2
Cyberkiller – Attempts stealthy exfiltration before launching destructive behavior
Platform-Specific Threats
New behavior detections were also added for threats targeting specific operating systems:
Windows:
Kiwistealer – Stealer that extracts browser data, passwords, and system information
KimJongRAT – Remote access trojan that abuses trusted binaries and uses a GUI-based control panel
Byakugan – Leverages signed binaries to inject into processes and maintain stealth
Linux:
DSLogdRAT – Lightweight Linux backdoor with keylogging, reverse shell access, and simple evasion logic
Android:
Antidot – Spyware disguised as a system utility app, capable of remote monitoring
Zanubis – Banking trojan that abuses accessibility services to intercept credentials
Godfather – Targets financial apps and intercepts MFA codes to bypass login security
YARA Rule Updates
We released 12 new and updated YARA rules this month to support faster static detection and classification of threats across all platforms. These rules help flag malicious files before execution and enhance attribution in multi-stage attacks.
Some of the key additions include:
Katz – Credential-dumping tool used in post-exploitation phases
Ryuk – Ransomware version attributed to the hacker group WIZARD SPIDER
WirelessKeyView – Tool that extracts stored Wi-Fi credentials from Windows systems
Mail PassView – Password-recovery tool that reveals the passwords and other account details for email clients
SmartSniff – Network sniffer commonly abused in data exfiltration scenarios
LClipper – Clipper malware that hijacks clipboard data to redirect crypto transactions
Phantom – Stealer with anti-analysis techniques, commonly used in phishing kits
Suricata Rule Updates
To improve detection of phishing threats at the network layer, we added 1,320 new Suricata rules in June. These rules help security teams identify malicious domains, redirection chains, and phishing infrastructure early in the attack flow.
EvilProxy domain chain (sid:85000494): Tracks EvilProxy phishing kit activity by sequence of queried domains
New Detection Techniques
We added behavior-based detection for a tactic used by malware to bypass standard execution monitoring:
Command execution via FileFix technique – This method involves abusing renamed or repurposed legitimate executables (e.g., “FileFix.exe”) to stealthily launch payloads. It’s commonly used in commodity loaders to blend in with normal activity.
This new detection helps analysts flag unusual execution chains earlier in the process tree and trace hidden payload delivery paths more efficiently.
About ANY.RUN
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-07-02 14:06:412025-07-02 14:06:41Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules