• Cybercriminals are continuing to explore artificial intelligence (AI) technologies such as large language models (LLMs) to aid in their criminal hacking activities. 
• Some cybercriminals have resorted to using uncensored LLMs or even custom-built criminal LLMs for illicit purposes. 
• Advertised features of malicious LLMs indicate that cybercriminals are connecting these systems to various external tools for sending outbound email, scanning sites for vulnerabilities, verifying stolen credit card numbers and more. 
• Cybercriminals also abuse legitimate AI technology, such as jailbreaking legitimate LLMs, to aid in their operations. 

Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from. 

LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.” 

For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. 

Uncensored LLMs 

Uncensored LLMs are unaligned models that operate without the constraints of guardrails. These systems happily generate sensitive, controversial, or potentially harmful output in response to user prompts. As a result, uncensored LLMs are perfectly suited for cybercriminal usage. 

Uncensored LLMs are quite easy to find. For example, using the cross-platform Omni-Layer Learning Language Acquisition (Ollama) framework, a user can download and run an uncensored LLM on their local machine. Ollama comes with several uncensored models such as Llama 2 Uncensored which is based on Meta’s Llama 2 model. Once it is running, users can submit prompts that would otherwise be rejected by more safety-conscious LLM implementations. The downside is that these models are running on users’ local machines and running larger models, which generally produce better results but requires more system resources. 

Another uncensored LLM popular among cybercriminals is a tool called WhiteRabbitNeo. WhiteRabbitNeo bills itself as a “Uncensored AI model for (Dev) SecOps teams” which can support “use cases for offensive and defensive cybersecurity”. This LLM will happily write offensive security tools, phishing emails and more. 

Researchers have also published methods to demonstrate how to strip alignment that is embedded into the training data of existing open-source models. Once removed, a user can uncensor their LLM by using the modified training set to fine tune a base model. 

Cybercriminal-designed LLMs 

Since most popular LLMs come with significant guardrails, some enterprising cybercriminals have developed their own LLMs without restrictions that they market to other cybercriminals. This includes apps like GhostGPT, WormGPT, DarkGPT, DarkestGPT and FraudGPT. 

 For example, the developer behind FraudGPT, CanadianKingpin12, advertises FraudGPT on the dark web, and also has an account on Telegram. The dark web site for FraudGPT advertises some interesting features: 

• Write malicious code 
• Create undetectable malware 
• Find non-VBV bins 
• Create phishing pages 
• Create hacking tools 
• Find groups, sites, markets 
• Write scam pages/letters 
• Find leaks and vulnerabilities 
• Learn to code/hack 
• Find cardable sites 
• Millions of samples of phishing emails 
• 6220+ source code references for malware 
• Automatic scripts for replicating logs/cookies 
• In-panel Page hosting included (10 pages/month) with Google Chrome anti-red page 
• Code obfuscation 
• Custom data set (upload your sample page in .html) 
• Bot creation of virtual machines and accounts (1 virtual machine per month on license)  
• Utilizing GoldCheck CVV checker 
• OTP Bot with spoofing (*additional package) 
• Check CVVs with GoldCheck API 
• Create username:password website configs 
• Remote OpenBullet configs 
• Scan websites for vulnerabilities across a massive CVE database (*PRO only)  
• Generate realistic phishing panels, pages, SMS and e-mails  
• Send mail from webshells 

Talos attempted to obtain access to FraudGPT by reaching out to CanadianKingpin12 on Telegram. After considerable negotiation, we were finally offered a username and password at the FraudGPT dark web site. However, the username and password provided by CanadianKingpin12 did not work. CanadianKingpin12 then asked us to send them cryptocurrency to purchase a software “crack” for the FraudGPT login page. At this point it was clear that CanadianKingpin12 had no working product, and they were scamming potential FraudGPT customers out of their cryptocurrency. This was confirmed by several other victims who had also been scammed by CanadianKingpin12 when they attempted to purchase access to the FraudGPT LLM. Scams such as these are an ever-present risk when dealing with unscrupulous actors, and it continues a long tradition of scams in the cybercrime space. 

Similar cybercriminal-designed LLM projects can be found elsewhere on the dark web. A cybercriminal LLM called DarkestGPT, which starts at .0015BTC for a one-month subscription, advertises the following features: 

LLM jailbreaks 

Given the limited viability of uncensored LLMs due to resource constraints and the high level of fraud and scams present among cybercriminal LLM purveyors, many cybercriminals have elected to abuse legitimate LLMs instead. The main hurdle that cybercriminals need to overcome are the training alignment and guardrails that prevent the LLM from responding to prompts with unethical, illegal or harmful content. A form of prompt injection, jailbreak attacks aim to put the LLM into a state where it ignores its alignment training and guardrails protection. 

There are many ways to trick an LLM into providing dangerous responses. New jailbreaking methods are constantly being researched and discovered, while LLM developers respond by enhancing the guardrails in a sort of jailbreak arms race. Below are just a few of the available jailbreaking techniques. 

Obfuscation/encoding-based jailbreaks 

By obfuscating certain words or phrases, these text-based jailbreak attacks seek to bypass any hardcoded restrictions on specific words/topics, or to cause the execution to follow a nonstandard path that might bypass protections put in place by the LLM developers. These obfuscation techniques may include: 

• Base64/Rot-13 encoding
• Different languages  
• L33t sp34k  
• Morse code 
• Emojis 
• Adding spaces or UTF-8 characters into words/text, among othersetc. 

Adversarial suffix jailbreaks 

These attacks are somewhat like obfuscation and encoding tricks. Instead of modifying the tokens in the prompt itself, adversarial suffix jailbreaks involve appending random text to the end of a malicious prompt to elicit a harmful response.  

Role-playing jailbreaks 

This type of attack involves prompting the LLM to adopt the persona of a fictional universe/character that ignores the ethical rules set by the model’s creators and is willing to fulfill any command. This includes jailbreak techniques such as DAN (Do Anything Now), and the Grandma jailbreak which involves asking the chatbot to assume the role of the user’s grandmother. 

Meta prompting 

Meta prompting involves exploiting the model’s awareness of its own limitations to devise successful workarounds, effectively enlisting the model in the effort to bypass its own safeguards. 

Context manipulation jailbreaks 

This covers several different jailbreak techniques including: 

• Crescendo, a technique which progressively increases the harmfulness in prompts until some sort of rejection is received in order to probe for where and how LLM guardrails are implemented.  
• Context Compliance Attacks, which exploit the fact that many LLMs do not maintain conversation state. Attackers inject fake prior LLM responses into their prompts, such as a brief statement discussing the sensitive topic, or a statement expressing readiness to supply further details as per the user’s preferences. 

Math prompt jailbreaks 

The math prompt method evaluates how well an AI system can manage malicious inputs when they’re disguised using mathematical frameworks such as set theory, group theory, and abstract algebra. Rephrasing harmful requests as math problems can allow attackers to evade safety features in advanced large language models (LLMs). 

Payload splitting 

In this scenario, the attacker guides the LLM to merge several prompts in a way that produces harmful output. While texts A and B may seem benign when considered separately, their combination (A+B) can result in malicious content. 

Academic framing 

This method makes harmful content appear acceptable by framing it as part of a research or educational discussion. It takes advantage of the model’s interpretation of academic intent and freedom, often using scholarly language and formatting to bypass safeguards. 

System override 

This strategy tries to trick the model into believing it is functioning in a unique mode where usual limitations are lifted. It leverages the model’s perception of system-level functions or maintenance states to circumvent safety mechanisms. 

How cybercriminals use LLMs 

In December 2024, Anthropic, the developers behind the Claude LLM, published a report detailing how its users were utilizing Claude. Using a system named Clio, they summarized and categorized users’ conversations with their AI model. According to Anthropic, the top three uses for Claude were programming, content creation and research. 

 Analyzing the feature sets advertised by the criminal-designed LLMs, we can see that cybercriminals are using LLMs for mostly the same tasks as normal LLM users. Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers, code obfuscation, shellcode generation and script/tool creation.  To facilitate content creation, criminal LLMs will assist in writing phishing emails, landing pages and configuration files. Criminal LLMs also support research activities like verifying stolen credit cards, scanning sites/code for vulnerabilities and even helping cybercriminals come up with “lucrative” criminal ideas for their next big score. 

Various hacking forums also shed additional light on criminal uses of LLMs. For example, on the popular hacking forum Dread, users were discussing connecting LLMs to external tools like Nmap, and using the LLM to summarize the Nmap output. 

LLMs are also targets for cyber attackers 

Any new technology typically brings along with it changes to the attack surface, and LLMs are no exception. In addition to using LLMs for their own nefarious ends, attackers are also attempting to compromise LLMs and their users. 

Backdoored LLMs 

A vast majority of the models available at Hugging Face use Python’s pickle module to serialize the models into a file that users can download. Clever attackers can include Python code in the pickle file, which runs as part of the deserialization process. Thus, when a user downloads an AI model and runs it, they may be running code placed into the model by an attacker. Hugging Face uses Picklescan, among other tools, to scan the models uploaded by users in an effort to identify models that misbehave. However, there have been several recent vulnerabilities in Picklescan, and researchers have already identified Hugging Face models containing malware. As always, make sure any file you plan to download and run comes from a trusted source and consider running the file in a sandbox to mitigate any risk of infection. 

Retrieval Augmented Generation (RAG) 

LLMs that utilize Retrieval Augmented Generation (RAG) make calls to external data sources to augment their training data with up-to-date information. For example, if you ask an LLM what the weather is like a particular day, the LLM will need to reach out to an external data source such as a website to retrieve the correct forecast. If an attacker has access to submit or manipulate content in the RAG database, they may poison the lookup results, perhaps adding additional instructions for the LLM to alter its response to the user’s prompt, even targeting specific users. 

Conclusion 

As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.

Cisco Talos Blog – ​Read More

When malware infiltrates a system, it doesn’t always make noise. In fact, some of the most dangerous threats operate quietly embedding themselves deep within the system and ensuring they come back even after a reboot. One of the most common ways they achieve this is by abusing the Windows Registry. 

In this article, we’ll walk through how registry abuse works, the signs to watch out for, and how security analysts can catch it using interactive sandboxes, such as ANY.RUN. 

What Is Registry Abuse in Malware? 

The Windows Registry is an important part of the operating system. It stores configuration settings that determine how Windows behaves, how software runs, and even how users interact with the system. From startup routines to driver settings and user preferences, the registry touches almost every part of the OS. 

As it’s central, the registry is also a target for malware authors. By modifying registry keys and values, malware can silently manipulate system behavior to: 

• Stay persistent by adding itself to autorun keys, it ensures execution every time the system boots. 

• Hide from users disabling Task Manager, hiding file extensions, or suppressing warnings to avoid detection. 

• Weaken security turning off Windows Defender or blocking updates to bypass protection. 

• Control user behavior redirecting browser traffic, setting fake proxies, or hijacking default apps. 

The Fastest Way to Spot Registry Abuse inside ANY.RUN Sandbox 

Traditional security tools often miss subtle but critical signs of registry abuse, especially when malware hides behind scripts or legitimate-looking processes.  

By running suspicious files or links inside ANY.RUN’s interactive sandbox, analysts can observe real-time registry changes as they happen, without waiting for static scans to catch up. 

Why It’s So Effective: 

• Instant visibility into registry modifications, autorun key changes, and process behaviors 

• Behavior-based detection, not just signatures; perfect for catching new or obfuscated threats 

• Clear labeling and process tree that highlight when a script or binary tampers with the registry 

• Integrated threat intelligence tags (e.g., FormBook) to identify malware families quickly 

• Interactive control, so you can simulate real user actions that trigger registry abuse (like opening a file or clicking a button) 

Real-World Examples of Registry Abuse in Malware 

Now, let’s look at how malware abuses the registry in practice and how ANY.RUN makes it easy to detect. 

1. Persistence via Autorun Key Modification 

This sample shows how the malware (BootstrapperNew.exe) abuses the registry to ensure it launches automatically every time the system boots; a classic persistence mechanism. 

View analysis session 

As shown in the analysis, the malware modifies the following registry key: 

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun 

It adds a new value: 

• Name: BootstrapperNew 

• Value: C:UsersadminAppDataRoamingWindowsBootstrapperNew.exe 

• Operation: Write 

• Type: REG_NONE 

You can check all these details by checking the “BootstrapperNew.exe” process from the right part of the screen. 

Click on the tactic to get all the details: 

This modification triggers Windows to execute the malicious file at every user login, giving the attacker a reliable foothold on the system. 

ANY.RUN also flags this behavior with the MITRE ATT&CK sub-technique T1547.001 (Registry Run Keys / Startup Folder), clearly highlighting the persistence mechanism used. The visual process tree further confirms the execution flow, registry operation, and background network activity. 

With static detection tools, this behavior might go unnoticed. But in ANY.RUN’s sandbox, the threat is immediately identified, tagged, and visually traceable in real time, from registry edit to scheduled task creation. 

2. FormBook Stealer Using Registry for Stealth 

In this example, the malware identified as FormBook manipulates the Windows Registry to aid in stealth and persistence. 

View analysis session 

Right after execution, FormBook writes a new registry entry under: 

• Key: HKEY_CURRENT_USERSOFTWARESoftina 

• Name: MMM-Vkusnaa 

• Value: 19.06.2025 

Custom registry values like this aren’t random. They’re typically placed in obscure subkeys (SOFTWARESoftina in this case) to avoid detection and logging by standard monitoring tools,  but in ANY.RUN’s sandbox, it’s instantly visible and tied to MITRE technique T1112: Modify Registry. 

3. System Profiling Through Registry Access 

Some malware doesn’t act immediately. Instead, it quietly profiles the environment to decide how (or whether) to execute. That’s exactly what we see in this sample, where the malware queries the registry to gather detailed system information. 

View analysis session 

One of the first actions taken is a read operation targeting: 

• Key: HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor 

• Name: ProcessorNameString 

This query fetches CPU information, such as model name and vendor. While this might seem benign, it plays a crucial role in anti-analysis and evasion tactics. 

Why malware reads CPU info: 

• Environment validation: Malware may use CPU data to check if it’s running on a real machine or a virtual one (e.g., commonly used by sandboxes or researchers). 

• Tailored payloads: Some threats adapt their behavior based on system specs, avoiding execution if they detect low-end CPUs or virtual environments. 

• Fingerprinting the target: CPU info is often collected alongside other system data to create a unique victim profile. 

But this is just the beginning. According to the MITRE ATT&CK technique T1012: Query Registry, this sample retrieves a wide range of values: 

• Proxy configuration: Determines whether the system uses a proxy and may hijack it 

• Machine GUID: A unique identifier, useful for tracking infected hosts 

• Installed software (50 reads): Likely for reconnaissance or to check for security tools 

• Internet Explorer security settings: May suggest preparation for exploit delivery via browser 

• System language & locale: Used to avoid infecting machines in certain countries 

• Computer name & Windows product ID: Adds more detail to the fingerprint 

• Software policy settings: Used to detect restrictions or protections enabled by admins 

This shows how malware can treat the registry as a rich source of system intelligence. Each value queried helps build a clearer picture of the host environment, guiding the next malicious action. 

4. Suspicious Registry Modification via REG.EXE 

This sample involves a process (_virlock.exe) that uses reg.exe, a legitimate Windows utility, to modify the registry. This kind of activity isn’t inherently malicious, but in the context of malware execution, it often signals stealthy post-infection behavior. 

View analysis session 

Shortly after execution, the malware launches a command: reg add HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v HideFileExt /t REG_DWORD /d 1 

This command modifies the registry to hide file extensions for known file types, a well-documented trick used by malware to disguise malicious executables (e.g., invoice.pdf.exe appears as invoice.pdf). 

Why it’s suspicious: 

• This change is frequently used in social engineering attacks, where victims are tricked into running malware that looks like a harmless document. 

• The behavior is executed via reg.exe, which is a living-off-the-land binary (LOLBIN); a legitimate tool abused by attackers to avoid detection. 

• ANY.RUN flags this activity under T1112: Modify Registry, and classifies it as a Warning / Unusual Activity. 

This case is a good reminder that not all registry abuse is about persistence. Some changes are purely meant to deceive the user, reduce visibility, or mask malicious actions. 

With ANY.RUN’s behavioral analysis, this tactic becomes immediately visible, showing which registry key was changed, how, when, and by what process, including full command-line context. 

5. Script-Based Registry Modification 

In this sample, we see a Windows Script Host process (wscript.exe) modifying the registry, not through a typical executable, but via script-based interaction. This kind of behavior is harder to detect, especially if you’re relying on traditional static analysis. 

View analysis session 

Thanks to ANY.RUN’s Script Tracer, we can observe the exact call and parameters used: 

• Key: HKCUSoftwareOJXVOPIitLTnYNgdonnsegment2   

• Value: (Hex-encoded string payload) 

• Process: wscript.exe   

• Operation: RegWrite via WshShell3 

This script creates a new key and writes what appears to be an obfuscated or encoded payload into the registry; a technique commonly used to: 

• Store secondary payloads or shellcode 

• Evade file-based detection mechanisms 

• Delay execution until a later stage (fileless persistence) 

The registry key name (OJXVOPIitLTnYNg) is randomly generated and meaningless, a common trait of obfuscated malware activity. 

We can see how the script writes a long block of hexadecimal content, which may later be decoded and executed, without ever dropping a traditional file on disk. 

These modifications fall under MITRE ATT&CK technique T1112: Modify Registry, and ANY.RUN labels this behavior as Dangerous (13 instances). 

Without behavioral analysis, this kind of registry manipulation would be nearly invisible, but with Script Tracer, security analysts can follow every step the script takes, down to the exact method calls and values. 

Spotting Registry Abuse is Easy with ANY.RUN 

Registry modifications are a common and powerful tactic used by malware to stay hidden, persist through reboots, and weaken your defenses. But with the right tools, these threats become much easier to spot, investigate, and respond to. 

ANY.RUN’s interactive sandbox doesn’t just show you what malware is doing, it visually breaks down every behavior, from registry edits to process injection and data exfiltration, in real time. 

• Faster threat detection 
  Catch malicious registry changes and system tampering before damage is done; no need to wait for traditional tools to catch up. 

• Improved incident response 
  With clear visual evidence and behavior chains, your team can respond to threats with greater accuracy and speed. 

• Reduced investigation time 
  Analysts can immediately see what’s been changed, what triggered the behavior, and which malware family is involved. 

• Stronger defenses across the board 
  By identifying how threats abuse the registry, you can harden your endpoints, update rules, and block similar attacks in the future. 

• Better collaboration and reporting 
  Export detailed analysis reports, share IOCs with teams, and make smarter security decisions faster. 

See how ANY.RUN’s interactive sandbox reveals the behavior behind modern threats in real time, and with full context. 

Access all capabilities of ANY.RUN’s Interactive Sandbox with a 14-day trial 

The post How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

You’ve probably already seen the headlines “The biggest leak in human history”. The whole world is in uproar after Cybernews journalists found the logins and passwords to 16 billion accounts in the public domain — two for each inhabitant of the planet! What is this leak, and what do you need to do right now?

What’s the leak, and are my credentials there?

The original study says that the Cybernews team has been working on the topic since the beginning of the year, and in six months they’ve managed to collect 30 unsecured datasets that add up to 16 billion exposed login credentials. The largest chunk of data — 3.5 billion records — is related to the world’s Portuguese-speaking population; another 455 million records are related to Russia, and 60 million are “most likely” related to Telegram.

The database is built on the following principle: URL, followed by login and password. That’s it, nothing else. At the same time, it’s said that the data of users of all the giant services was leaked: Apple, Google, Facebook, Telegram, GitHub, etc. Surprisingly, it was passwords and not hashes that ended up in the hands of the journalists. In our study How hackers can crack your password in an hour, we detailed exactly how companies store passwords (spoiler: almost always in closed form using hashing algorithms).

The story pays special attention to the freshness of the data: journalists claim that the 16 billion doesn’t include the biggest leaks, which we wrote about on the Kaspersky Daily blog. The important question remains behind the scenes: “Where did the 16 billion freshly leaked passwords come from, and why has no one seen them except Cybernews?”. Unfortunately, the journalists haven’t provided any evidence of existence of this database. Therefore, neither Kaspersky’s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours – or anyone else’s – data is in there.

According to Cybernews, the accessing the entire database was possible through the use of stealers. This seems reasonable, since this is a threat that’s gaining momentum. According to our data, the number of detected password-theft attacks worldwide increased by 21% from 2023 to 2024. Attackers are targeting both private and corporate users.

What you need to do right now

First, let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing.

The first and best recommendation is to change your passwords. There are many options for creating a new password that’s difficult for hackers to crack but easy to remember. We covered this in detail in our post Creating an unforgettable password – have a read and choose any method you prefer.

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Wingardium Leviosa charm for a good cause. Let’s try transforming this levitation charm according to the rule above while peppering it generously with special characters: Wi4ga/di0mL&vi@sa

Easy, right?

Store your passwords securely. The best solution is to use a special password manager. It will generate, securely store, and automatically fill in complex, hack-proof passwords on all your devices for you. You’ll only need to create and remember one main password, which will become a secure key to all other passwords, bank details, photos, and everything else that can be stored in Kaspersky Password Manager.

Set up two-factor authentication. Almost all popular services support 2FA in one form or another, and the presence of a second factor makes it much more difficult, if not impossible, to hack your account. Kaspersky Password Manager makes it easy to store and sync 2FA tokens, as well as generate one-time codes on either your smartphone or computer.

Remove saved passwords from browsers. Browsers are most often the culprit behind data breaches. Doubt it? Read our arguments in the article How to store passwords securely – there you’ll clearly see how hackers can swipe all the saved passwords from your browser in just a few seconds.

Protect your messenger accounts. For Telegram and WhatsApp we have a list of specific steps to take right now, before your account is hijacked.

Use passkeys wherever possible. This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others. Haven’t heard of this technology yet? Read the detailed description on our blog and follow the updates in our Telegram channel – next week we’ll tell you everything you wanted to know about passkeys: what kind of technology it is, how secure it is, who supports it, what are its advantages and disadvantages. And most importantly – we’ll give detailed step-by-step instructions on how to switch from insecure passwords to secure passkeys. And yes, you can also store, manage and sync passkeys using Kaspersky Password Manager.

What else do you need to know about passwords to avoid being hacked:

• How to create strong passwords and where to store them
• How to create an unforgettable password
• How hackers can crack your password in an hour
• Passwords 101: don’t enter your passwords just anywhere they’re asked for
• Messengers 101: safety and privacy advice

Kaspersky official blog – ​Read More

Threat analysis is a complex task that demands full attention, especially during active incidents, when every second counts. ANY.RUN’s Interactive Sandbox is designed to ease that pressure with an intuitive interface and fast threat detection.  

Our new feature, Detonation Actions, takes this further by highlighting detonation steps during analysis. When a specific action is needed to trigger the sample, like launching a file or clicking a link, it appears as a suggestion, so you know exactly what to do. 

Detonation Actions work in both manual mode and with Automated Interactivity. Whether you’re investigating manually or running automated sessions, this guided mode reduces the time it takes to respond to threats and helps you catch the full scope of malicious behavior with minimal effort. 

What Are Detonation Actions? 

Detonation Actions are built-in hints in ANY.RUN’s Interactive Sandbox that guide users step-by-step through the threat analysis process. They are available in every sandbox session, for all users, and help make both manual and automated investigations clearer and more efficient. 

See example 

Here’s how it works depending on your plan: 

• Free Plan: You can see the suggested actions and follow them manually during your session. 

• Paid Plans: Track and manage each action performed by Automated Interactivity, including via API, for a fully automated, hands-free analysis with full transparency and control. 

One Button to Start the Guided Mode 

Before launching your analysis, you’ll now see a new “Auto” button during the VM setup phase. Clicking this button starts your session with Automated Interactivity enabled, which in turn activates the guided mode, powered by Detonation Actions. 

For your convenience, you can also enable the same feature manually by toggling “Automated Interactivity (ML)” in the “Additional settings” section above. 

Once the session begins, you’ll notice Detonation Actions appear on the right side of the screen, next to the process tree. These hints show you exactly what steps have been or should be taken to trigger malicious behavior.  

This gives you a clear picture of what was done, what triggered the threat, and how it unfolded, helping you detect malicious activity faster and respond more confidently. 

In the manual mode, you can manually approve actions (by clicking the “Approve” button) or reject them (by clicking the “X” icon) for each suggested step. 

Automated Interactivity handles the actions for you; no manual approval needed. 

Thanks to Detonation Actions, you get a guided analysis flow that improves detection and drastically cuts down your time to respond. 

How Detonation Actions Help Analysts 

Automated Interactivity 

• Boosts detection rate by ensuring no critical actions are missed during analysis thanks to predefined, expert-crafted hints. 

• Visualizes critical detonation steps, showing which actions were performed or recommended during the analysis. 

• Frees up analyst time by automating routine tasks, so they can focus on more complex investigations while maintaining high detection quality. 

Manual Analysis 

• Helps uncover hidden threats by suggesting actions tailored to detonate specific malware types. 

• Simplifies investigations with interactive hints like “Running this executable” or “Following this link.” 

• Streamlines analysis of specific samples, for instance, by opening URLs in QR codes directly inside the analysis sessions. 

• Improves accessibility by making manual analysis more intuitive for SOC analysts at any skill level. 

• Speeds up decision-making through a clearer workflow and real-time actionable guidance. 

See It in Action: Detonation Actions + Automated Interactivity in a Real Sample 

Let’s walk through how Detonation Actions work in a real scenario using an .exe file and Automated Interactivity. 

View analysis session 

To start, we upload the .exe file and simply click the “Auto” button during the VM setup phase. This launches the sandbox session immediately with Automated Interactivity and Detonation Actions. 

As the session begins, we can see Detonation Actions popping up quickly in the right corner of the screen. These actions, such as “Launching a file from Task Scheduler” or “Extracting a file from an archive”, are automatically executed, moving the analysis forward without any manual intervention. 

At the same time, the Processes section started populating with detailed insights, showing each spawned process along with associated tactics, techniques, and indicators. 

This combination, automated execution + guided visibility, gives analysts a powerful advantage: a complete behavioral picture of the malware, without delays or missed steps. It’s fast, structured, and built for clarity. 

How SOCs and Businesses Benefit from It 

The introduction of Detonation Actions brings clear, measurable value to security teams and businesses by improving both the speed and quality of threat analysis. 

• Simplifies and accelerates threat analysis 
  Makes threat analysis easier and faster for SOC teams at any level, saving time, reducing manual effort, and boosting overall productivity. 

• Improves data handover between SOC Tiers 
  Enhances the quality of data transfer from Tier 1 to Tier 2 analysts through detailed, action-based reports, ensuring critical insights are passed along clearly and efficiently. 

• Enables faster incident response 
  Streamlines triage by automating key steps in the response process, reducing time to detect and respond to threats, and minimizing potential impact. 

• Boosts employee training and onboarding 
  Helps junior analysts learn faster thanks to clear, guided hints, shortening the learning curve and allowing them to contribute to investigations sooner. 

• Supports smarter decision-making 
  Empowers team members with more context and clearer behavioral evidence, helping them make faster, more confident decisions during investigations. 

• Integrates easily into automation workflows 
  Works seamlessly with automated triage and incident response setups, maintaining high detection rates while reducing manual overhead. 

Ready to Try It Yourself?

Detonation Actions are built to make your job easier, whether you’re triaging a live threat or onboarding a new team member. You get expert guidance, faster detection, and a clearer view of what malware is really doing. 

Start your next investigation with ANY.RUN’s guided mode and see how much smoother analysis can be. 

Launch your ANY.RUN sandbox session now 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Request trial of ANY.RUN’s services to test them in your organization →  

The post Simplify Threat Analysis and Boost Detection Rate with Detonation Actions  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More