So far in our comprehensive guide to passkeys, we’ve covered how to ditch passwords on popular combinations of Android, iOS, macOS, and Windows smartphones and computers. This post focuses on important specific cases:
One-time sign-ins to your account from someone else’s device
Tips for frequent computer and smartphone switchers
Ways to secure your account when backup password sign-in is enabled
Potential issues when traveling internationally
What happens when using niche browsers and operating systems
How to use passkeys on public or shared computers?
What if you need to sign in to your passkey-protected account from a library, an airport computer, or a relative’s home? Don’t rush to remember your backup password.
Start the sign-in process on the computer: enter your username and, if prompted, click Sign in with passkey. A QR code will appear on the screen for you to scan with the smartphone that stores your passkey. If the scan is successful, the QR code will disappear, and you’ll be signed in to your account.
Several factors must align for this seemingly simple process to proceed smoothly:
The computer must support Bluetooth Low Energy (BLE), which verifies that your smartphone and the computer are indeed nearby.
The computer’s operating system and browser must support passkeys.
Both the computer and your smartphone need a reliable internet connection.
How to save passkeys to a hardware security key?
You might find using passkeys via QR codes inconvenient if you frequently access your accounts from different devices. If that’s the case, you can store your passkeys not on your computer or smartphone, but on a USB hardware security key — such as a YubiKey, Google Titan Security Key, or a similar device — for secure website sign-in. When you create a passkey, just choose to save it to your hardware key. Then you can sign in to your account from any computer or smartphone by plugging in that security token.
Just make sure it has the right combination of ports (USB-A, USB-C, Lightning) or NFC support to work with all your devices. Some token models even include a fingerprint scanner, which provides an extra layer of protection against account hijacking if your device is stolen or lost.
Unfortunately, there’s a catch: many older and popular token models can store a maximum of only 25 passkeys. Only a few advanced models — like the YubiKey with firmware version 5.7 — have raised this limit to 100.
Additionally, operating system developers view passkeys as a great opportunity to tie users more closely to their ecosystems. By default, depending on your smartphone, you’ll likely be prompted to save your passkey to either iCloud Keychain or Google Password Manager. As a result, the option to use a hardware security key might be hidden deep within the interface.
To create a passkey on a hardware token, you’ll often need to click the not-so-obvious Other options link on macOS/iOS, or Different device on Android, to select the hardware key option.
How to transfer passkeys between iOS and Android?
The biggest headache right now is if you store all your passkeys in your smartphone’s default storage and you want to switch ecosystems — moving from Android to iOS or vice versa. Currently, none of the three major OS developers — Google, Apple, or Microsoft — let you directly transfer passkeys. That’s because no one can guarantee the process will be secure. Both Apple and Google are working on implementing this feature in the future, but if you decide to swap devices today — say, from an iPhone to a Google Pixel — transferring your passkeys won’t be straightforward.
First, you’ll need to sign in to the account protected by a passkey on your new device. You can do this either by using your good old password (if it’s still enabled), or by scanning a QR code with your old device that has the active passkey.
Next, you’ll need to create and save a new passkey on your new device. Yes, you can have multiple passkeys for each website or online service.
Finally, if you plan to get rid of your old gadget, you’ll need to delete the old passkey from it.
To avoid this hassle, it’s best to use a third-party password and passkey manager right from the get-go. With Kaspersky Password Manager, passkey support is already available on Windows, with Android support planned for July, and iOS and macOS support — for August 2025.
How to protect an account with a passkey from being hacked using a backup password?
Most online services that offer to switch to passkeys don’t disable other sign-in methods. If your account was protected by a weak or compromised password before you switched to a passkey, cybercriminals can still bypass your shiny new passkey by simply signing in with that old password.
Creating a passkey for an account that still has a weak password is like installing a bulletproof front door while leaving the flimsy back door unlocked with the key hidden under the mat.
That’s why, before you enable passkeys for any online service, we strongly recommend changing your password as well. Since you won’t be typing this password every day — it’s just a backup for your passkey-protected account — you can really go wild with its complexity. We’re talking strong passwords that are 16 characters or longer, and mixing up letters, numbers, and special characters. These are practically uncrackable. Ideally, generate and save that robust password in the same password manager where you’re planning to store your passkeys. Don’t rely on AI models to generate complex passwords. Our recent research revealed that while these passwords might look complex, LLMs tend to favor certain characters for no obvious reason when creating passwords, which makes their output surprisingly predictable.
Passkey drawbacks?
The underlying WebAuthn standard that powers passkeys can be implemented quite differently across browsers and operating systems. Websites often adopt these capabilities in their own unique ways. This can lead to frustrating challenges — even for tech-savvy users. Here are a few examples of this:
When creating passkeys, standard Windows prompts give you plenty of options for where and how to save them. By default, Windows saves passkeys in secure local storage on your computer. If you forget to select your password manager as the save location, that passkey won’t be available on your other devices.
Many online services like Kayak or AliExpress have dozens of regional versions, with each one being a separate website: .com, .com.tr, .co.uk, etc. If you create a passkey for, say, your local site, and then for some reason try to access the same online service in a different region, it’s highly likely you won’t be able to sign in with that passkey.
Some websites don’t support creating or signing in with passkeys when using Firefox, regardless of the platform. In reality, there’s no technical incompatibility here, and simple tricks can resolve the issue, but it’s unclear why users should have to resort to these workarounds.
Any one of these situations is made worse by the fact that errors when creating or signing in with passkeys are either not mentioned at all in help documentation, or described very vaguely. It’s often completely unclear how to fix the problem. However, when passkey issues arise, websites almost always offer a backup option, such as sending a one-time access code to your email.
Despite these challenges, a passwordless future with passkeys is on the horizon. We recommend getting ready now by creating passkeys wherever possible, saving them in your password manager, and remembering to check and update your passwords and contact information on websites to make sure you can recover access if your passkeys ever give you trouble.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-27 17:06:402025-06-27 17:06:40Passkey FAQ for power users | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
Happy summer, friends! I hope everyone is staying cool and/or warm.
I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the Splunk booth. As often happens to me, I was approached by someone who was looking for mentorship and guidance in how to get into a cybersecurity career. It’s not unusual for me to be approached by folks looking to get into cybersecurity. I’m the large, bearded guy with the Talos shirt, so I stick out.
So, I’m often asked how I got the career I have in cybersecurity and how others can do the same. For a guy who often has a quip or answer for most things, I always pause here. I can’t help but think of my entire career and the dumb luck and hard work that landed me where I’m at. Giving that summation to others wouldn’t be fair, because… well, my journey wasn’t a linear one. I think for many of my peers, the same applies. We found cybersecurity as a career through a series of events that organically landed us in this field. In my case, moreso than others, the path isn’t easy to follow because there was no clearly staked path for me to follow, either.
I’ll explain as best I can: One today might go to school and graduate with a degree in information security and/or some security certificates, then begin the job hunt for an entry level gig. These types of degrees, certificates and even jobs simply didn’t exist in any meaningful way or numbers when I started my career. If you wanted to learn cybersecurity, there weren’t classes to take — you got a computer science degree and figured it out. I, like many in the GenX world, started as an IT professional. As the industry and cyber threats evolved, the career space over the years shifted and we found ourselves helping fight the good fight and keeping folks secure.
Today is truly different, and I’m so happy about it and the opportunities it can give others. I’m envious of the school degrees, industry certifications and mentorship programs that exist today that did not exist for me. There is also an incredibly helpful information security community that provides hacking tutorials, or Capture the Flag competitions (CTFs) or hackathons that I would have loved to have been a part of in my formative years.
By now, I know you’re thinking, “Cool story, grandpa, but answer the question: how do I get a job in cybersecurity?” In my estimation, the answers are as follows:
Have a good attitude.
Be easy to work with.
Be a forever student.
Be bad at giving up.
Find and join a (preferably local) security community.
Grow where you are planted.
Notice that none of those things mention anything specifically technical. No malware reverse engineering, red teaming, threat intelligence or security analyzing. I can tell you that to work at Talos, you must exhibit strong traits of all six of those things I listed. One through five makes sense. Good hackers are tenacious, smart, work well with others and seek out fellow friends to network and hack with.
Number six though – what’s up with that? Simply put, life deals us all a hand of cards that we must play, and those cards may not be great. For example, you want to get a job in cybersecurity, but you’re a primary care giver of a family member and you don’t have a lot of freedom. You might be financially constrained. You may have health issues or a disability that limits some options. Or you simply just have a job that you don’t like, and a career in security calls out to you, but the bills don’t pay themselves. This is all common, and you’re a bit “stuck.”
So while you’re stuck, find ways to grow where you’re planted. Study. Network locally or online. Try a CTF or a hacking competition. Whatever you do, just keep growing yourself, your skillset and your network. You can do it. And before you know it, you’ll have that career helping to fight the good fight with the rest of us.
I believe in you! You got this!
The one big thing
Cybercriminals are increasingly exploiting Large Language Models (LLMs) by using uncensored versions, developing their own malicious LLMs or “jailbreaking” legitimate ones to bypass safety protocols. These compromised or malicious LLMs are then used to generate highly convincing phishing campaigns, create harmful code and automate various cybercrime operations, making attacks more sophisticated and scalable.
Why do I care?
Cybercriminals’ widespread abuse of LLMs lowers the barrier to entry for sophisticated attacks, making it easier for even less skilled actors to launch effective campaigns. This means you’re more likely to run into highly convincing phishing attempts, scams and malware that are difficult to distinguish from legitimate communications, putting your personal info and company security at higher risk.
So now what?
Given this evolving threat landscape, it’s important to be extra vigilant and skeptical online. Treat all online communications with caution, even if they look perfectly authentic. For individuals, that means double-checking emails and messages for anything fishy, no matter how well-written they seem. For businesses, it’s time to beef up your cybersecurity defenses, invest in smart threat detection and keep your employees sharp on how to spot and report these increasingly clever social engineering tricks.
Top security headlines of the week
New AI Jailbreak Bypasses Guardrails With Ease On topic with our latest blog, the new “Echo Chamber” attack bypasses advanced LLM safeguards by subtly manipulating conversational context, proving highly effective across leading AI models. (SecurityWeek)
US insurance giant Aflac says customers’ personal data stolen during cyberattack Aflac says hackers stole an unknown quantity of its customers’ personal information from its network during a cyberattack earlier this month. (TechCrunch)
APT28 Uses Signal Chat to Deploy New Malware in Ukraine A new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. (The Hacker News)
UK watchdog fines 23andMe over 2023 data breach The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. (TechCrunch)
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-26 18:06:372025-06-26 18:06:37Getting a career in cybersecurity isn’t easy, but this can help
Digitalization of business – especially in the small and medium-sized segment – allows for quick upscaling, better customer service, and entry into new markets. On the downside, digitalization amplifies the damage caused by a cyberattack, and complicates the recovery process. Given that company resources are always limited, which attacks should be deflected first?
To answer this question, we studied the INTERPOL Africa Cyberthreat Assessment Report 2025. The document is useful because it collates police cybercrime statistics and data from information security companies – including Kaspersky – allowing us to compare the number and types of attacks with the actual damage they caused. This data can be used to build a company’s information security strategy.
Average ranking of cybercrime types by reported financial impact across African subregions, based on INTERPOL member country data. Source
Targeted online fraud
Fraudulent operations were the clear leader in terms of damage caused across the continent. They’re gaining momentum in line with the rising popularity of mobile banking, digital commerce, and social media. In addition to mass phishing aimed at personal and payment data theft, targeted attacks are growing at a rapid rate. Scammers are grooming potential victims in messenger apps for months, building trust and guiding them into a money extortion scheme – for example, a fake cryptocurrency investment. Such schemes often exploit romantic relationships and are therefore called romance scams, but there are other variations. In Nigeria and Ivory Coast, for example, scammers were arrested for attacking small media platforms and advertising agencies. Posing as advertisers, they stole almost 1.5 million U.S. dollars from victims.
The fact that 93% of Africans use plain old WhatsApp rather than corporate communication tools for work significantly boosts the success rate of attacks on employees and company owners.
Ransomware incidents
Press headlines may give the impression that ransomware operators mainly target large organizations, but the statistics in the report debunk this theory – showing that both the number of attacks and the actual financial damage caused are significant across all business segments. What’s more, there’s a direct link between the level of digitalization and the number of attacks. So, if a company observes an overall increase in “digitized” business activity in its market segment, the threat level is sure to rise accordingly. In Africa, “affiliates” of the largest and most dangerous ransomware-as-a-service platforms – such as LockBit and Hunters International – are responsible for major incidents on a national scale.
Among the main ransomware incidents in Africa – hardly known about outside the continent – we highlight the following: the theft of $7 million from Nigerian fintech company Flutterwave; attacks on Cameroonian electricity supplier ENEO; a large-scale ransomware attack to exfiltrate data from Telecom Namibia; and the targeting of South Africa’s National Health Laboratory Service (NHLS), which led to canceled operations and the loss of millions of lab test results.
Banking Trojans and infostealers
Although the direct losses from banking Trojans and infostealers fell outside the top-three in terms of damage, it’s the “successes” of this criminal industry that have a direct impact on the number and severity of other attacks – primarily ransomware and business email compromise (BEC). After stealing what credentials they can from thousands of users with infostealers, attackers filter and group them by various criteria, then sell curated sets of accounts on the illicit market. This allows other criminals to buy passwords to infiltrate organizations of interest to them.
Business email compromise
For small and medium businesses mainly using public services like Gmail or Office 365, infection with an infostealer gives attackers full access to corporate correspondence and business operations. The attackers can then exploit this to trick customers and counterparties into paying for goods and services to a fraudulent account. BEC attacks have a firm hold at the top of the damage charts, and small businesses can fall victim to them in two ways. First, cybercriminals can extract money from larger clients or partners by impersonating the compromised small business. Second, it’s easier with a small business to persuade the owner or accountant to transfer money than it is with a large organization.
There are several large criminal syndicates based in Africa that are responsible for international BEC operations causing multi-billion-dollar damage. Their targets also include African organizations — primarily those in the financial and international trade sectors.
How to protect business from cyberthreats
To effectively counter digital threats, law enforcement agencies need to share data with commercial information security companies that harness telemetry to identify threat distribution hotspots. Recent successes of such partnerships include operations Serengeti (1000 arrests, 134 000 malicious online resources disabled), Red Card (300 arrests), and Secure (32 arrests, 20 000 malicious resources disabled). These operations, conducted under the auspices of INTERPOL, used cyberthreat intelligence received from partners – including Kaspersky.
But businesses can’t leave cybersecurity solely to the police; they need to implement simple but effective security measures of their own:
Install reliable anti-malware protection on all corporate and personal devices. For corporate devices, centralized security management is recommended – as implemented, for example, in Kaspersky Endpoint Detection and Response.
Hold regular cybersecurity training – for example, using our Kaspersky Automated Security Awareness platform. This will reduce the risk of your company falling victim to BEC and phishing. All employees, including management, should participate in training regularly.
Back up all company data on a regular basis and in such a way that the backups can’t be destroyed during an attack. This means backing up data either to media that are physically disconnected from the network, or to cloud storage where a policy prohibits data deletion.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-26 17:06:462025-06-26 17:06:46How to survive digitalization | Kaspersky official blog
Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates.
Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators.
Figure 1. Armory Crate application.
During the audit of the code and components related to the aforementioned applications, Cisco Talos discovered two critical vulnerabilities in the AsIO3.sys driver. Both vulnerabilities were discovered in the IRP_MJ_CREATE handler:
The first vulnerability is a stack-based buffer overflow that occurs during the process’s ImagePath conversion from “Win32 Path” to “NT Namespace Path”.
The second vulnerability allowed bypassing the authorization mechanism implemented in the driver, granting access to its functionality not just to the intended service but to any user. With access to a security-critical function within this driver, I successfully developed a fully working exploit that escalates local user privileges to “NT SYSTEM”, which we describe in detail below.
Please keep in mind that I discovered this exploit before the Windows 11 24H2 update arrived. This update prevents regular users from leaking information such as loaded kernel modules and their addresses via “NtQuerySystemInformation.” This is discussed in further detail below.
Recon phase
While looking for drivers installed alongside the Armory Crate software, I noticed two related to ASUS in the DriverView list.
Figure 2. Screenshot presenting driver entries belonging to ASUSTek Computer Inc.
Focusing on AsIO3.sys, I investigated whether this driver creates any devices and, most importantly, whether a regular user can communicate with such a device.
Obtaining a handle to the Asusgio3
Using DeviceTree, we can see the following encouraging picture:
Figure 3. DeviceTree incorrectly displays that the group “everyone” has full access to the Asusgio3 device.
The AsIO3.sys driver creates the Asusgio3 device, which nearly everyone in the system has full access to. After a quick check with a simple code that attempts to open a handle to the device, I got the error code: “5 == ERROR_ACCESS_DENIED”.
Figure 4. Part of PoC code responsible for opening a handle to the Asusgio3 device.
This was unexpected based on the DeviceTree interface, so I re-checked the privileges to that device using Sysinternals “accesschk” and got completely opposite results.
Figure 5. Checking permissions for Asusgio3 with “accesschk”.
Which is the truth? To find out, I reversed fragments in the AsIO3 driver responsible for handling the “IRP_MJ_CREATE” request.
Analyzing “IRP_MJ_CREATE” handler
By loading the driver and beginning the reversing process, we see a single function handles IRP requests for three different request types.
Figure 6. Driver initialization routine where IRP request handlers are assigned to DriverObject.
Diving into “callback_irp_dispatch”, I found a fragment responsible for handling the “IRP CREATE” request:
Figure 7. Part of “callback_irp_dispatch” function code. Functions’ names have been added by the author.
Authorization mechanism
Checking the “ImageHashCheck” function, we can see the following:
Figure 8. ImageHashCheck function body.
Using the API “ZwQueryInformationProcess” with the flag “ProcessImageFileNameWin32” (lines 8 and 19), ASUS developers attempt to obtain the image path (the path to the executable file) of the current process — specifically, the process that is trying to obtain a handle to the device.
Next, in line 26, we see the translation of the path from the “Win32 File Namespace” to the “NT Namespace”. Hold tight — we will return to this line in a moment.
In lines 35-46, there is a typical SHA256 hash calculation for the current process’s executable file. In line 47, the calculated hash is compared with a hardcoded hash in the driver, and if they match, the function returns “true”, allowing the process to obtain a handle to the device.
When we dump the hash from the global variable “g_sha256Hash” (visible on line 47), it appears as follows:
With this new understanding, only the “AsusCertService.exe” service and processes whose PIDs are added by it to the allowed list can obtain a handle to the Asusgio3 device. Otherwise, the operation returns the status “Access is denied.”
Win32PathToNtPath – stack based buffer overflow
This article will not spend much time on the vulnerability discovered in the “Win32PathToNtPath” function, as it will not be used in the later stages of exploitation. However, it is interesting enough to mention.
The developers assumed that a Windows path could have a maximum length of approximately “MAX_PATH” (260) characters. Based on this assumption, they copied the received Image Path into a fixed-size 255-character buffer located on the stack, without first checking the actual length of the path. However, this assumption is incorrect, as a path can exceed ~260 characters. As Microsoft documents here, “The maximum path of 32,767 characters is approximate, because the “\?” prefix may be expanded to a longer string by the system at run time, and this expansion applies to the total length.”
Knowing that the authorization mechanism is based on the “ImagePath” returned by the “ZwQueryInformationProcess” API and the SHA256 hash calculated for the executable file at this path, we can start considering potential bypasses.
By examining the implementation of “(Nt/Zw)QueryInformationProcess” in the “Windows Research Kernel (WRK)”, I learned that the information about the current process’s “ImagePath” is retrieved from the “EPROCESS” structure. Therefore, there is no chance to manipulate its value from User-Mode, but there are still options for potential bypass.
Hardlinks to the rescue
Using a hardlink, we can bypass the “ImageHashCheck” routine. First, we create a hardlink to the PoC.exe file.
Figure 9. Creation of a hard link pointing to “PoC.exe”.
The “PoC.exe” won’t do much for now — it will simply wait for user input before attempting to open a handle to the Asusgio3 device.
Figure 10. Image presenting part of the PoC.exe file responsible for opening a handle to the Asusgio3 device.
Instead of running our “PoC.exe” directly, we then execute “run.exe” hardlink. As a result, in the EPROCESS structure, ImagePath will point to a hardlink.
While the run.exe (PoC.exe) is executed and waiting for user input, we then delete the hardlink and create a new one with the same name, but pointing to AsusCertService.exe. However, trying to create a direct hard link to the original AsusCertService.exe location returns the following:
Figure 11. Due to implemented mitigations, the attempt to create a hardlink to the direct location of AsusCertService.exe failed.
Because of mitigations Microsoft introduced years ago, a user can only create a hard link to a file that they have permission to overwrite. This is not a problem in this case, as I can simply copy the file to a temporary location and then create a hard link.
Figure 12. Successful attempt to create a hardlink to the local copy of AsusCertService.exe.
Now I can further run the previously executed PoC.exe process. In this scenario, at the moment when PoC.exe attempts to open a handle to the Asusgio3 device, the run.exe hard link points to the AsusCertService.exe file, and the SHA256 hash matches. When this occurs, we can bypass this authorization mechanism.
Finding strong exploitation primitives
Analyzing the driver’s functionality
Browsing through the code of the AsIO3.sys driver’s IOCTL handlers, I came across the following functionality, which serves as a good primitive for exploit development. As a regular user, I performed the following actions (among others) using proper IOCTL:
Read/write to Model-specific registers (MSR)
Map arbitrary physical memory [address,size] into our process virtual memory
Read/write I/O ports
However, the exploitation turned out to be more challenging than this originally indicated.
Exploitation attempt with MSR modification
There are at least two crucial MSR registers from a security perspective:
IA32_LSTAR (0xC0000082)
IA32_SYSENTER_EIP (0x00000176)
These MSR registers define the addresses in the kernel where execution is redirected when the SYSCALL or SYSENTER instructions are triggered. By modifying these registers, we can potentially hijack control flow and execute arbitrary code with privileged access, making them an important vector in kernel exploitation. I found a promising-looking handler for IOCTL 0xA040A45C, which allows overwriting the MSR register with arbitrary data.
Figure 13. IOCTLT handler providing limited way to modify MSR registers.
In line 16, the “_writemsr” instruction, where the data we control, coming from “SystemBuffer” (line 8), is used as the MSR register index (“msrReg”) and value (“msrRegVal”).
At first glance, this looks promising; however, there is a call in line 11 that checks the “msrReg” value (index). Take a closer look:
Figure 14. MSR filtering function, allowing modification of only a limited set of MSR registers.
The MSR index is checked against the list of allowed MSR indexes located in the “MSR_allowedList” array. Unfortunately, this list does not show the crucial registers mentioned earlier: “IA32_LSTAR (0xC0000082)” or “IA32_SYSENTER_EIP (0x00000176)”. Instead, after decoding the indexes to register names and their purposes, we can only manipulate registers without security implications.
Figure 15. Table presenting part of allowed MSR indexes.
With these discoveries, we must look for alternative exploitation methods.
Physical memory mapping
Looking for other code that could be useful during the exploitation process, I found a few IOCTL handlers giving the possibility to map physical memory into the virtual address space of our process. One of them is “0xA040200C”.
Figure 16. Function body responsible for physical memory mapping into caller virtual memory.
We fully control the values of arguments passed to this function: “phyAddress”, “memSize”. At first glance, it seems as though we can map arbitrary physical memory into our user space. We can leverage this primitive in a few different ways, some of which are below:
Try to translate the virtual address of important kernel data that we want to modify into a physical address, then use the above code to map it to our user space. Since this address translation cannot be done from User-Mode, we need to use the Kernel-Level API “MmGetPhysicalAddress”.
Consistently map successive portions of physical memory and search for structures such as the EPROCESS structure of the SYSTEM process to later replace our process’s security token with the token belonging to the SYSTEM process.
Using knowledge about “Low Stub” (PPROCESSOR_START_BLOCK structure), read the value of the CR3 register (PML4 base address) and then, by reading other entries from the memory paging structures, manually translate any virtual address to a physical one.
Unfortunately, I can’t directly translate virtual addresses to physical ones via MmGetPhysicalAddressbecause there is no way to call this API directly in this driver. Searching through physical memory is very time-consuming and might be problematic (see other examples of implementations and the issues people encountered when choosing this path).
In the end, I chose to implement the “Low Stub” method to manually translate virtual addresses to physical ones. Before doing this, I looked at the function called in line 18, which I named “checkPhyMemoryRange”.
Figure 17. checkPhyMemoryRange body, allowing mapping only certain ranges of physical memory.
Developers defined certain physical memory address ranges located under the “g_goodRanges” variable. If the specified range does not fit pre-defined ranges, the function returns true, continues execution and results in an error code.
When checking the location of the “Low Stub” “PPROCESSOR_START_BLOCK structure”, we’re able to read it. In the same way, we could read the value of the CR3 register pointing to the PML4 base address.
The next entry from the memory mapping structures pointed to a location outside the allowed address ranges. As a result, I abandoned this approach.
Decrement by one to rule them all
Looking for new useful piece of code, I spotted the following “IOCTL 0xa0402450” handler:
Figure 18. IOCTL handler allowing for a call “ObfDereferenceObject” with an arbitrary address controlled by the user.
Users can fully control all three arguments. At first glance, this code might look quite harmless, but when I dove into internals of “ObfDereferenceObject”, I saw the following:
Figure 19. A small part of the implementation of the “ObfDereferenceObject” API.
Being able to pass arbitrary addresses to “ObfDereferenceObject”, I can decrement any memory value by 1. To be precise, using “ObfDereferenceObject” I decrement by 1 memory located at “Object – 0x30”. I kept this in mind when writing the exploit.
Are there enough puzzles?
But how can we turn these primitives into something useful? Do we need an additional memory leak? When I decided to create a fully working exploit, I assumed a scenario where the code would be executed by a local user (process integrity level: medium). Those familiar with the exploitation process on Windows know that NtQuerySystemInformation can provide very useful information about kernel structures.
However, it’s 2025 and Windows 11 is in use. I remembered news about an upcoming mitigation that would prevent regular users from leaking information such as loaded kernel modules and their addresses via “NtQuerySystemInformation”.
At the beginning of February, when I wrote a fully working exploit, my Windows 11 still did not get the 24H2 update. It was still “ntoskrnl.exe – 10.0.22621.4890 (WinBuild.160101.0800)”.
After I finished writing this article in March 2025, I could see that my 24H2 update finally arrived (“ntoskrnl.exe -10.0.26100.3476 (WinBuild.160101.0800)”). Leaking kernel addresses with “NtQuerySystemInformation” is no longer possible.
Figure 20. ntoskrnl.exe before mitigation visible at the top, where bottom part presents ntoskrnl.exe with implemented mitigation.
Exploitation
Armed with all the knowledge mentioned above, I began writing the exploit.
Leak own thread KTHREAD structure address
As mentioned in the previous paragraph, users can utilize the “NtQuerySystemInformation” API to leak, among others, the address of the “KTHREAD” structure for its own thread. This is where such a simple primitive as “decrement by one” becomes useful.
The “KTHREAD” structure at offset “0x232” has a field called “PreviousMode”, which for User-Mode threads is set to 1. That field is very important and is checked by multiple kernel-level APIs, eventually limiting their functionality if a user calls a particular syscall from User-Mode.
For example, examine what happens when the API calls “ReadProcessMemory,” which calls syscall “NtReadVirtualMemory (MiReadWriteVirtualMemory)”.
Figure 21. Part of NtReadVirtualMemory implementation showing meaning of PreviousMode field.
As we can see at the beginning, the syscall obtains the current thread structure at line 11. Next, in line 13, there is a special condition for the case when PreviousMode is set to 1 (User-Mode). In line 23, there is a check verifying whether the address pointed to by the user (“BaseAddress”), when increased by the requested memory size, exceeds the maximum address where user-mode components are mapped. This ensures that a user making a call from User-Mode cannot read any memory from the Kernel-Mode address space.
Based on this fact, I changed PreviousMode for my own thread by decrementing its value from “1” to “0”, effectively changing its status from User-Mode to Kernel-Mode. This allows me, among other things, to read and write across the entire address space.
To find the address of “KTHREAD” for my own thread, I followed these steps:
Figure 22. Using “NtQuerySystemInformation” to obtain information about all opened handles in the system.
To identify my own thread, I opened a handle to it in line 8. (I later used the handle value to spot related to its structure.) Calling “NtQuerySystemInformation” with “SystemHandleInformation” class, I obtained information about all handles in the system. To spot my own thread handle, I filtered the results looking for a handle value, process ID and object type (thread).
Figure 23. Searching for structure related to their own thread.
Change PreviousMode
Now that I had the “KTHREAD” address and primitive to change the “PreviousMode” field, I combined it together:
Figure 24. Initial part of the exploit code.
I obtained a pointer to the EPROCESS structure simply by using information about its location from KTHREAD. EPROCESS will be discussed in more detail shortly. Remember that “ObfDereferenceObject” subtracts 0x30 from the address passed as an argument, which is why in line 900, 0x30 is added to the PreviousMode address.
Next, thanks to line 903, we have time to swap the symlink destination and bypass the authorization mechanism before opening a handle to the Asusgio3 device. Inside the “DecrementPreviousMode” function, I simply opened a handle to “Asusgio3” and sent a properly formatted buffer to trigger the primitive.
Figure 25. Code responsible for sending IRP requests triggering a call to a “ObfDereferenceObject” API with the arbitrary address.
Stealing token
The “PreviousMode” field of the thread has now been changed to “Kernel-Mode”, allowing me to read the entire virtual address space. With this capability, the first step is to read and store the address location of the EPROCESS structure.
Figure 26. Read the address location of the EPROCESS structure.
Having the address of my own EPROCESS structure, I started to search the linked list of processes for the SYSTEM process (PID == 4). To achieve this, I used a specific field within the EPROCESS structure called “ActiveProcessLinks”, which is a double-linked list of all processes in the system.
Figure 27. Traversing the linked list of processes, looking for the SYSTEM process.
Finding the EPROCESS structure belonging to the SYSTEM process allows me to read its security token and replace the token with the one just read. Remember to increment the reference count of the SYSTEM token!
Figure 28. Swapping the user’s own security token with SYSTEM one.
Run escalated console
Now I can run the escalated console:
Figure 29. Execution of the console, which should be run with escalated privileges to the SYSTEM level.
This reveals the following:
Figure 30. Image showing a fully functional exploit in action and its result.
Success! This exploit results in a console with escalated privileges to SYSTEM level. Watch the video here.
Summary
During the reversal process, I noticed that the developers had patched some previously discovered vulnerabilities and exploitation primitives by restricting certain driver functionalities. However, relying on a disallowed list approach is never a good security practice, as an attacker only needs to find one function that isn’t explicitly blocked to exploit it. Instead, a more effective approach is to implement an allowed list, limiting functionality to only what is necessary.
More importantly, access to a driver with such critical and potentially dangerous functionality should be strictly controlled through multiple layers of security and made available only to a limited number of privileged system users.
Lastly, this research has demonstrated that attackers can leverage even seemingly simple primitives — such as “decrement by one” — to develop a fully functional privilege escalation exploit. This highlights the importance of careful security design in kernel-mode components.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-26 10:06:362025-06-26 10:06:36Decrement by one to rule them all: AsIO3.sys driver exploitation
Imagine ditching passwords and SMS verification codes, and instead signing in to apps and websites with a simple fingerprint scan or even a smile at your camera. That’s the promise of passkeys. What’s more, unlike passwords, passkeys are resistant to theft. This means you could read news about data breaches — like the recent one affecting 16 billion accounts — without your heart sinking.
Under various names, this sign-in method is strongly recommended by WhatsApp, Xbox, Microsoft 365, YouTube, and dozens of other popular online services. But what does using passkeys look like in practice? We’ve covered this in detail for Google accounts, and today, we’ll explore how other online services and platforms support passkeys. In this first post, we’ll cover the basics of using passkeys on one or multiple devices. In our next post, we’ll dive into more complex scenarios, such as signing in to your account on a public computer, using Linux, or storing your passkeys on a dongle.
What’s a passkey?
A passkey is a unique digital login key created for a specific website or app. It’s securely stored on your device: your smartphone, computer, or a dedicated USB dongle such as a YubiKey or Google Titan Security Key. When you sign in, your device uses biometrics or a PIN to verify it’s really you. After verification, your device sends a secure response, generated from that unique passkey, to the website. This mechanism offers strong protection against account theft, which is possible with traditional passwords — be that through phishing attacks or website breaches. Passkeys are supported across Apple, Google, and Microsoft devices, and theoretically, with cloud synchronization, they should be accessible across all your devices. For a deeper dive into the internal workings of passkeys, check out our previous article on the subject.
How secure and user-friendly are passkeys?
Before you fully commit to using passkeys, it’s worth considering how convenient they’d be for your specific setup. While the technology is becoming widely adoption, each website and platform implements it differently, using varying terminology for the same features. Additionally, transferring or syncing passkeys can present challenges.
If your smartphone is your only gadget, you are all-in on Apple devices, or you have a couple of recent Android or ChromeOS devices, passkeys will likely save you time when signing in to websites and apps, with minimal hassle.
However, if you use multiple platforms and own many devices, we strongly recommend a third-party password and passkey manager, such as Kaspersky Password Manager, for a smoother experience. Even then, you might still encounter occasional incompatibilities or quirky interfaces on some sites and apps.
For those using less common browsers, Linux-based operating systems, or older computers and smartphones, switching to passkeys might be entirely impracticable, or come with significant limitations.
Keep in mind that very few, if any, services deactivate password-based sign-in when you enable a passkey. This means that, in reality, the enhanced protection against account compromise isn’t as strong as advertised — unless you proactively disable password sign-in yourself. On the flip side, having a password as a backup sign-in method minimizes instances where you might lose access to your account due to passkey issues — but we’ll get into more detail about that later.
Where passkeys are supported in 2025?
Passkeys can be used across major operating systems and browsers, and you don’t necessarily need the absolute latest versions.
Windows 11: supported from version 22H2 onward, though also partially usable on Windows 10 with updates.
macOS: supported from Ventura onward.
iOS/iPadOS: supported from version 16 onward.
Android: passkeys are usable from version 9, but crucial additional settings — including integration with external password managers and passkey providers — only became available in version 14.
Linux: most major distributions lack native passkey support; however, you can still use the technology by leveraging Chrome, Edge, or Firefox browsers in conjunction with an external password manager or a USB token. We’ll dive deeper into how to use passkeys on Linux in our second post on the topic.
Chrome/Edge/Opera: basic passkey capabilities have been around since Chromium version 108, but some conveniences and important features only appeared starting with version 128.
Firefox: supported from version 122 onward. Despite the browser support, passkeys often don’t work on many websites specifically with Firefox.
Safari: supported from version 16 onward, with certain features only available in version 18 or later.
For you to use a passkey, the website or application you’re signing in to must also support the technology. Hundreds already do, so we’ll just mention some of the major players.
Microsoft: passkeys are supported for all personal Microsoft and Xbox accounts. Starting in spring 2025, when creating a new account, the primary option offered is to create a passkey rather than setting a password.
iCloud: passkey sign-in is supported for iCloud, but the passkey itself must be stored on an Apple device.
Google: passkeys are supported for all personal Google accounts, including YouTube.
Meta: supports passkeys for signing in to Facebook and WhatsApp.
You can also ditch passwords in favor of passkeys on X/Twitter, LinkedIn, Amazon, PayPal, TikTok, Yahoo, Discord, Adobe Creative Cloud, GitHub, and more.
Popular services that don’t currently support passkeys notably include ChatGPT, Claude, DeepSeek, Reddit, Spotify, Instagram, AliExpress, Temu, and Shein.
What are the downsides of passkeys?
When considering the switch to passkeys and deciding how to store them, there are a few important drawbacks to keep in mind. The first two are unlikely to ever be fully resolved, while others may become less significant over time.
Anyone who can unlock your device (by knowing your PIN or looking enough like you to bypass Face ID) can potentially access all your accounts. This is especially critical for shared household computers.
If your passkeys are stored on a single device, and that device is damaged or stolen, you could lose access to your accounts. If you haven’t set up alternative sign-in methods, like a password or a backup email or phone number, you’ll have to go through an account recovery process. For some online services, this could take days or even weeks. And if you’ve set up passkey-only sign-in for your primary email, which receives recovery codes for other services, you could potentially lose your accounts forever.
Users with multiple devices running various operating systems or using different browsers might encounter difficulties syncing their passkeys. More on this below.
If you need to sign in to an account from someone else’s device (like a library or hotel computer), outdated software on that machine might prevent passkey sign-in. So it’s crucial to have a plan B.
A less obvious drawback stems from the points above: most online services that offer to switch to passkeys don’t disable other sign-in methods. So, if you protected your account with a weak or reused password before switching to passkeys, attackers could still compromise your account by signing in with the password instead of the passkey.
How to create and use passkeys on a single device?
If you’re rocking just one device that fully supports passkeys (like Apple, Google, or Samsung smartphones released in the last couple of years), making the switch to passkeys is a breeze.
Simply head to the settings of each service you use, find the “Security” section, and look for a “Create a passkey” option.
You won’t find instructions for creating a passkey for your iCloud account here because it happens automatically. Whenever you connect any device running iOS 16 or later, or macOS Ventura or later, to your account, a passkey is created. While you won’t see this in your settings, when you sign in to the iCloud website from an unfamiliar device, you’ll be able to use your passkey instead of a password.
Once created, passkeys are saved locally on your device: on iOS/macOS, they’re in Keychain, and on Android, they can be found in Google Password Manager. Windows is a bit more complex, as passkeys can use either the computer’s built-in storage (accessible via Windows Hello) or other storage options.
Going forward, to sign in to a website or app, just select “Sign in with passkey”, and complete the standard device verification — whether that’s a fingerprint, face scan, or PIN.
The latest versions of Safari on iOS and macOS, as well as Chrome on Windows and macOS (version 136 and later, with Android support “coming soon”), now offer an automatic upgrade option. If your browser has a saved password for a website that now supports passkeys, after you sign in, the browser might automatically create and save a passkey, then prompt you to use it for future passwordless sign-in.
How to use passkeys across multiple devices?
If you’ve got more than one device, you’ll need to figure out how to sync your passkeys across all of them.
If you use only Macs and iPhones, or exclusively Android and ChromeOS devices, you won’t need to go through the hassle of manually setting up passkeys on each gadget. Simply create all your passkeys on one device and ensure that the sync option is enabled in the settings.
For iOS, you can enable this in the iPhone settings under Settings → [your name] → iCloud → Saved to iCloud → Passwords & Keychain → Sync this iPhone (complete guide). On Android, data saved in Google Password Manager automatically syncs with your Google account. Windows and Linux, however, currently lack a built-in passkey sync tool, although Microsoft has said it will develop one soon.
Things get a bit trickier for those who mix and match — especially with popular combinations like Windows + Android or macOS + Android. While you can use passkeys saved on an Android smartphone on your computer, it’s generally limited to Chrome, and only as long as you’re signed in to your Google account in the browser. Given Chrome’s significant drawbacks regarding privacy and user tracking, this solution won’t appeal to everyone. Besides, on a computer, this only allows you to sign in to websites with passkeys; app logins remain exclusive to your Android smartphone.
If you’re an iPhone user with a Windows computer, your iPhone passwords are accessible through the iCloud for Windows app, but it doesn’t support passkeys just yet.
Fortunately, an effective alternative has been available since late 2024. Third-party password managers have gradually added passkey management features across all major platforms. Therefore, the most reliable and universal way to store passkeys, regardless of how many devices you own or what type they are, is to use a robust password manager that supports passkeys and is NOT developed by Apple, Google, or Microsoft. For example, Kaspersky Password Manager already supports passkeys on Windows, with Android support planned for July, and iOS/macOS support for August 2025.
A password manager also solves the backup and recovery problem described above. If your only device with passkeys stored in a third-party password manager is lost or damaged, you can restore your passkeys to a new device from the password manager secure cloud storage.
To use a password manager for passkeys, you’ll need to install it on all your devices and add its browser extension to all browsers on your computer.
How to manage your passkeys?
Managing your saved passkeys is done centrally. If you’re not using a third-party password manager, you can check, delete, or replace outdated passkeys as follows:
iOS: for versions through 17, go to Settings → Passwords. Starting with iOS 18, use the dedicated Passwords
macOS Sequoia and later: use the Passwords For earlier versions, find Passwords in System Settings.
Android: menu structures vary by manufacturer, but look for a setting like Passwords, passkeys, and accounts, or Password Manager. For Samsung devices, open the Samsung Pass
Windows: go to settings, then Accounts → Passkeys.
If you save your passkeys in Google’s password manager, you can manage them from your computer via google.com.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-25 17:06:462025-06-25 17:06:46Kaspersky’s FAQ on using and managing passkeys | Kaspersky official blog
June 2025 saw several sophisticated and stealthy cyber attacks that relied heavily on obfuscated scripts, abuse of legitimate services, and multi-stage delivery techniques. Among the key threats observed by ANY.RUN’s analysts were malware campaigns using GitHub for payload hosting, JavaScript employing control-flow flattening to drop Remcos, and obfuscated BAT scripts delivering NetSupport RAT. Let’s see how ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup can help security teams detect, investigate, and understand these threats.
1. Braodo Stealer Abuses GitHub for Payload Staging and Hosting
A new campaign distributing Braodo stealer leverages public GitHub repository, including raw file content, to host payloads. The primary goal of this stealer is data exfiltration, and at the time of analysis, its detection rate was low. The BAT files used in the campaign include misleading comments to complicate analysis.
ANY.RUN’s Script Tracer simplifies the analysis by logging the multi-stage execution flow step by step, without the need for manual deobfuscation. Let’s take a closer look at this threat’s behavior using ANY.RUN Interactive Sandbox, which provides full visibility into process activity and persistence mechanisms.
The first BAT file executes a CMD command that launches PowerShell in hidden mode to avoid displaying a visible window. It then downloads a second BAT file from github[.]com, disguised as a .PNG file, saves it to the %temp% folder, and executes it.
Pseudo .png file downloaded from GitHub
The second BAT file launches a new PowerShell script file, that removes components from the earlier stages, enforces TLS 1.2, retrieves an additional payload from raw.githubusercontent[.]com, saving it in the Startup folder, and downloads main payload in a ZIP file. This behavior is captured in ANY.RUN’s Script Tracer.
The final payload, Braodo Stealer, is extracted from a ZIP file, stored in the Public directory, and executed using python.exe. After execution, it deletes the initial archive to reduce artifacts. The Python file is obfuscated with pyobfuscate and contains non-encrypted, custom Base64-encoded payload strings appended to the script.
The whole attack chain detailed in the Interactive Sandbox
ANY.RUN’s Threat Intelligence Lookup allows analysts to discover recent Braodo attacks and fresh samples of this stealer dissected by the users of the Interactive Sandbox. Search by the malware’s name and view analyses:
Braodo analyses in the Sandbox found via Threat Intelligence Lookup
The search results contain a selection of Brado samples recently analyzed by the Sandbox users. Each analysis session can be explored in depth for harvesting IOCs and observing the malware’s behavior.
Speed up triage and incident response with instant access to threat data on attacks across 15,000 organizations
Another tricky piece of malicious Java script has been observed using a technique called control-flow flattening obfuscation to secretly deliver Remcos malware. The JS contains multiple self-invoking functions that loop arrays of strings and numbers in a while(!![]) loop until a calculated checksum matches a predefined value. This obfuscation technique forces static analyzers to parse through the array’s content instead of returning the required string directly.
ANY.RUN’s Script Tracer enables easy analysis of heavily obfuscated scripts by logging their execution in real time, with no need for manual deobfuscation.
A Remcos malware sample including the obfuscated JavaScript
The script:
Invokes #PowerShell using ActiveXObject(“http://WScript.Shell”) with parameters;
Creates a http://System.Net.WebClient object;
Specifies the URL to download the binary;
Downloads the binary data and passes it to #MSBuild;
Downloads and executes the Remcos malware module.
The script’s architecture and behavior exposed in ANY.RUN’s sandbox
PowerShell-abusing script attacks are becoming more widespread and sophisticated. It is extremely important for threat hunters to be able to investigate and analyze such attacks, see what malware and malefactors are using them, and how.
A guest article by Clandestine, threat hunter and researcher, has recently been published in our blog highlighting a number of advanced tips for leveraging Threat Intelligence Lookup for malware data gathering and analysis (a guide to main TI Lookup features and their use is included, so we recommend to read and take note).
Clandestine demonstrates how one can find malware samples that use scripting languages to hide malicious code or execute obfuscated commands:
This query identifies scripts that run system commands, the pattern commonly observed in multi-stage attacks where script files act as initial droppers that subsequently execute obfuscated PowerShell commands.
The combination of file extension parameters (you can search for other script types like Visual Basic Script (.vbs) files) with command-line indicators helps security analysts identify and analyze this obfuscation technique.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
3. Obfuscated BAT file used to deliver NetSupport RAT
Cybercriminals continue to rely on BAT files (batch scripts) to sneak malware into systems and evade detection. ANY.RUN team has studied one such case where an obfuscated BAT file was used to deliver the NetSupport Remote Access Trojan (RAT) – a tool originally designed for remote IT support but now abused by attackers to gain full control over victims’ machines.
Cmd.exe runs an obfuscated BAT file which launches PowerShell scripts.
PowerShell downloads and executes client32.exe — the NetSupport client.
The malware uses a ‘client32’ process to run NetSupport RAT and add it to autorun in registry via reg.exe.
ANY.RUN’s Sandbox Process Graph showing NetSupport penetrating network
Creates an ‘Options’ folder in %APPDATA % if missing.
NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%Application.zip.
Options folder created, .zip archive delivered: Script Tracer in the Sandbox
Deletes ZIP files after execution.
As attackers develop new ways to penetrate networks and evade detection, threat hunting becomes more challenging and demands to follow trends to keep ahead of possible disasters.
Threat Intelligence Lookup allows you to search for small, seemingly benign artifacts in the network that can be traces of malicious activities, like a folder creation in the system directory AppDataRoaming by a command line-run script:
A number of NetSupport trojan samples found by their creating a folder on endpoint
With the CommandLine search parameter, you can find malware samples based on any script artifacts found in system logs, for example, registry key changes.
How TI Lookup Benefits SOC
ANY.RUN’s Threat Intelligence Lookup is a critical ally for security teams facing an ever-growing variety of evasive malware. With attackers increasingly relying on multi-stage scripts, living-off-the-land binaries (LOLBins), and public infrastructure like GitHub, traditional indicators often go unnoticed.
With Threat Intelligence Lookup your team can:
Speed up threat investigations by letting analysts quickly pivot from indicators and suspicious behaviors to related malware samples and campaigns.
Shorten response times by providing contextual threat insights essential for fast, informed security decisions.
Enhance alert triage by prioritizing detections based on real-world behavior and threat prevalence.
Support proactive threat hunting through flexible search queries that uncover evolving obfuscation and delivery techniques.
Improve detection coverage by uncovering patterns like scripting abuse, LOLBins, and infrastructure used in multi-stage attacks.
The cyber incidents in June 2025 underscore a clear trend: adversaries are refining their methods with obfuscation, open-source abuse, and layered execution chains. To combat these threats effectively, security teams need both visibility and context. Our Interactive Sandbox and TI Lookup empower analysts to deconstruct complex attacks and proactively hunt emerging threats before they become breaches.
About ANY.RUN
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and TI Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-25 12:06:442025-06-25 12:06:44Top 3 Cyber Attacks in June 2025: GitHub Abuse, Control Flow Flattening, and More
Cybercriminals are continuing to explore artificial intelligence (AI) technologies such as large language models (LLMs) to aid in their criminal hacking activities.
Some cybercriminals have resorted to using uncensored LLMs or even custom-built criminal LLMs for illicit purposes.
Advertised features of malicious LLMs indicate that cybercriminals are connecting these systems to various external tools for sending outbound email, scanning sites for vulnerabilities, verifying stolen credit card numbers and more.
Cybercriminals also abuse legitimate AI technology, such as jailbreaking legitimate LLMs, to aid in their operations.
Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from.
LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.”
For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.
Uncensored LLMs
Uncensored LLMs are unaligned models that operate without the constraints of guardrails. These systems happily generate sensitive, controversial, or potentially harmful output in response to user prompts. As a result, uncensored LLMs are perfectly suited for cybercriminal usage.
Figure 1. An uncensored LLM, OnionGPT, advertised on the hacking forum Dread.
Uncensored LLMs are quite easy to find. For example, using the cross-platform Omni-Layer Learning Language Acquisition (Ollama) framework, a user can download and run an uncensored LLM on their local machine. Ollama comes with several uncensored models such as Llama 2 Uncensored which is based on Meta’s Llama 2 model. Once it is running, users can submit prompts that would otherwise be rejected by more safety-conscious LLM implementations. The downside is that these models are running on users’ local machines and running larger models, which generally produce better results but requires more system resources.
Another uncensored LLM popular among cybercriminals is a tool called WhiteRabbitNeo. WhiteRabbitNeo bills itself as a “Uncensored AI model for (Dev) SecOps teams” which can support “use cases for offensive and defensive cybersecurity”. This LLM will happily write offensive security tools, phishing emails and more.
Figure 3. Sample output from the WhiteRabbitNeo uncensored LLM
Researchers have also published methods to demonstrate how to strip alignment that is embedded into the training data of existing open-source models. Once removed, a user can uncensor their LLM by using the modified training set to fine tune a base model.
Cybercriminal-designed LLMs
Since most popular LLMs come with significant guardrails, some enterprising cybercriminals have developed their own LLMs without restrictions that they market to other cybercriminals. This includes apps like GhostGPT, WormGPT, DarkGPT, DarkestGPT and FraudGPT.
Figure 4. FraudGPT dark web homepage.
For example, the developer behind FraudGPT, CanadianKingpin12, advertises FraudGPT on the dark web, and also has an account on Telegram. The dark web site for FraudGPT advertises some interesting features:
Write malicious code
Create undetectable malware
Find non-VBV bins
Create phishing pages
Create hacking tools
Find groups, sites, markets
Write scam pages/letters
Find leaks and vulnerabilities
Learn to code/hack
Find cardable sites
Millions of samples of phishing emails
6220+ source code references for malware
Automatic scripts for replicating logs/cookies
In-panel Page hosting included (10 pages/month) with Google Chrome anti-red page
Code obfuscation
Custom data set (upload your sample page in .html)
Bot creation of virtual machines and accounts (1 virtual machine per month on license)
Utilizing GoldCheck CVV checker
OTP Bot with spoofing (*additional package)
Check CVVs with GoldCheck API
Create username:password website configs
Remote OpenBullet configs
Scan websites for vulnerabilities across a massive CVE database (*PRO only)
Generate realistic phishing panels, pages, SMS and e-mails
Send mail from webshells
Talos attempted to obtain access to FraudGPT by reaching out to CanadianKingpin12 on Telegram. After considerable negotiation, we were finally offered a username and password at the FraudGPT dark web site. However, the username and password provided by CanadianKingpin12 did not work. CanadianKingpin12 then asked us to send them cryptocurrency to purchase a software “crack” for the FraudGPT login page. At this point it was clear that CanadianKingpin12 had no working product, and they were scamming potential FraudGPT customers out of their cryptocurrency. This was confirmed by several other victims who had also been scammed by CanadianKingpin12 when they attempted to purchase access to the FraudGPT LLM. Scams such as these are an ever-present risk when dealing with unscrupulous actors, and it continues a long tradition of scams in the cybercrime space.
Similar cybercriminal-designed LLM projects can be found elsewhere on the dark web. A cybercriminal LLM called DarkestGPT, which starts at .0015BTC for a one-month subscription, advertises the following features:
Figure 5. DarkestGPT “Tools and Potential” tab on their dark web site.
LLM jailbreaks
Given the limited viability of uncensored LLMs due to resource constraints and the high level of fraud and scams present among cybercriminal LLM purveyors, many cybercriminals have elected to abuse legitimate LLMs instead. The main hurdle that cybercriminals need to overcome are the training alignment and guardrails that prevent the LLM from responding to prompts with unethical, illegal or harmful content. A form of prompt injection, jailbreak attacks aim to put the LLM into a state where it ignores its alignment training and guardrails protection.
There are many ways to trick an LLM into providing dangerous responses. New jailbreaking methods are constantly being researched and discovered, while LLM developers respond by enhancing the guardrails in a sort of jailbreak arms race. Below are just a few of the available jailbreaking techniques.
Obfuscation/encoding-based jailbreaks
By obfuscating certain words or phrases, these text-based jailbreak attacks seek to bypass any hardcoded restrictions on specific words/topics, or to cause the execution to follow a nonstandard path that might bypass protections put in place by the LLM developers. These obfuscation techniques may include:
Base64/Rot-13 encoding
Different languages
L33t sp34k
Morse code
Emojis
Adding spaces or UTF-8 characters into words/text, among othersetc.
Adversarial suffix jailbreaks
These attacks are somewhat like obfuscation and encoding tricks. Instead of modifying the tokens in the prompt itself, adversarial suffix jailbreaks involve appending random text to the end of a malicious prompt to elicit a harmful response.
Role-playing jailbreaks
This type of attack involves prompting the LLM to adopt the persona of a fictional universe/character that ignores the ethical rules set by the model’s creators and is willing to fulfill any command. This includes jailbreak techniques such as DAN (Do Anything Now), and the Grandma jailbreak which involves asking the chatbot to assume the role of the user’s grandmother.
Meta prompting
Meta prompting involves exploiting the model’s awareness of its own limitations to devise successful workarounds, effectively enlisting the model in the effort to bypass its own safeguards.
Context manipulation jailbreaks
This covers several different jailbreak techniques including:
Crescendo, a technique which progressively increases the harmfulness in prompts until some sort of rejection is received in order to probe for where and how LLM guardrails are implemented.
Context Compliance Attacks, which exploit the fact that many LLMs do not maintain conversation state. Attackers inject fake prior LLM responses into their prompts, such as a brief statement discussing the sensitive topic, or a statement expressing readiness to supply further details as per the user’s preferences.
Math prompt jailbreaks
The math prompt method evaluates how well an AI system can manage malicious inputs when they’re disguised using mathematical frameworks such as set theory, group theory, and abstract algebra. Rephrasing harmful requests as math problems can allow attackers to evade safety features in advanced large language models (LLMs).
Payload splitting
In this scenario, the attacker guides the LLM to merge several prompts in a way that produces harmful output. While texts A and B may seem benign when considered separately, their combination (A+B) can result in malicious content.
Academic framing
This method makes harmful content appear acceptable by framing it as part of a research or educational discussion. It takes advantage of the model’s interpretation of academic intent and freedom, often using scholarly language and formatting to bypass safeguards.
System override
This strategy tries to trick the model into believing it is functioning in a unique mode where usual limitations are lifted. It leverages the model’s perception of system-level functions or maintenance states to circumvent safety mechanisms.
How cybercriminals use LLMs
In December 2024, Anthropic, the developers behind the Claude LLM, published a report detailing how its users were utilizing Claude. Using a system named Clio, they summarized and categorized users’ conversations with their AI model. According to Anthropic, the top three uses for Claude were programming, content creation and research.
Figure 6. Anthropic’s graphic of top use cases on Claude.ai.
Analyzing the feature sets advertised by the criminal-designed LLMs, we can see that cybercriminals are using LLMs for mostly the same tasks as normal LLM users. Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers, code obfuscation, shellcode generation and script/tool creation. To facilitate content creation, criminal LLMs will assist in writing phishing emails, landing pages and configuration files. Criminal LLMs also support research activities like verifying stolen credit cards, scanning sites/code for vulnerabilities and even helping cybercriminals come up with “lucrative” criminal ideas for their next big score.
Various hacking forums also shed additional light on criminal uses of LLMs. For example, on the popular hacking forum Dread, users were discussing connecting LLMs to external tools like Nmap, and using the LLM to summarize the Nmap output.
Figure 7. A post on the Dread hacking forum discussing connecting Nmap to LLMs
LLMs are also targets for cyber attackers
Any new technology typically brings along with it changes to the attack surface, and LLMs are no exception. In addition to using LLMs for their own nefarious ends, attackers are also attempting to compromise LLMs and their users.
Backdoored LLMs
A vast majority of the models available at Hugging Face use Python’s pickle module to serialize the models into a file that users can download. Clever attackers can include Python code in the pickle file, which runs as part of the deserialization process. Thus, when a user downloads an AI model and runs it, they may be running code placed into the model by an attacker. Hugging Face uses Picklescan, among other tools, to scan the models uploaded by users in an effort to identify models that misbehave. However, there have been several recent vulnerabilities in Picklescan, and researchers have already identified Hugging Face models containing malware. As always, make sure any file you plan to download and run comes from a trusted source and consider running the file in a sandbox to mitigate any risk of infection.
Retrieval Augmented Generation (RAG)
LLMs that utilize Retrieval Augmented Generation (RAG) make calls to external data sources to augment their training data with up-to-date information. For example, if you ask an LLM what the weather is like a particular day, the LLM will need to reach out to an external data source such as a website to retrieve the correct forecast. If an attacker has access to submit or manipulate content in the RAG database, they may poison the lookup results, perhaps adding additional instructions for the LLM to alter its response to the user’s prompt, even targeting specific users.
Conclusion
As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-25 10:06:362025-06-25 10:06:36Cybercriminal abuse of large language models
Researchers have uncovered three vulnerabilities in the popular content management system, Sitecore Experience Platform.
CVE-2025-34509 involves a hard-coded password (consisting of just a single letter) that allows an attacker to remotely log in as a service account.
CVE-2025-34510 is a Zip Slip vulnerability enabling an authenticated user to upload and extract a ZIP archive to the website’s root directory.
CVE-2025-34511 also allows users to upload external files to the site, but this time without any restrictions.
By combining the first vulnerability with either of the latter two, an attacker can achieve remote code execution (RCE) on a server running the Sitecore Experience Platform.
There’s currently no evidence of these vulnerabilities being exploited in the wild; however, the detailed analysis published by watchTowr contains enough information for threat actors to weaponize them at any moment.
CVE-2025-34509 — access through a preset account
The Sitecore CMS includes several default accounts, one of which is sitecoreServicesAPI. Naturally, passwords for all accounts are stored in a hashed (and even salted) form. However, this doesn’t make much difference if the password consists of just the single letter “b”. Such a password can be brute-forced in about three seconds.
Notably, Sitecore’s developers advise against modifying default accounts, warning that “editing a default user account can affect other areas of the security model” (whatever that means). Site admins following the official instructions are thus unlikely to change these passwords. As a result, such default accounts are likely present in most websites using this CMS.
That said, the sitecoreServicesAPI user has no assigned rights or roles, so simply authenticating through the standard Sitecore login interface isn’t possible. However, the researchers found a way to bypass the database check required for successful authentication (for details, see the original research). As a result, the attacker obtains a valid session cookie. They still don’t have administrator rights, but this cookie can be used for further attacks.
CVE-2025-34510 — vulnerability in Sitecore’s file uploader
Sitecore has a file upload mechanism which any authenticated user can use. So having a valid session cookie, an attacker can create an HTTP request to upload and automatically extract a ZIP archive. The essence of CVE-2025-34510 is that due to flawed input sanitization, an authenticated attacker can perform a path traversal. You can read more about this type of vulnerability — known as Zip Slip — in our post on ZIP file processing. In essence, the attacker can extract the archive to any location — for example, the website’s root folder. This way, the attacker can upload anything — such as their own web shell.
CVE-2025-34511 — vulnerability in the file uploader of the Sitecore PowerShell Extensions module
CVE-2025-34511 is an alternative way to compromise Sitecore. This vulnerability is present in the Sitecore PowerShell Extensions module, which is required for a number of Sitecore extensions to function — for example, the Sitecore Experience Accelerator, one of the most popular extensions for this CMS.
Essentially, this vulnerability works in much the same way as CVE-2025-34510, only slightly simpler. The Sitecore PowerShell extension also has its own file upload mechanism, which can be exploited by an authenticated user. Through HTTP requests, an attacker can upload any file with any extension to the CMS, and save it to any directory on the website. This means there’s no need to prepare a custom ZIP archive and path, and the result is basically the same: a web shell upload.
How to protect against attacks on the Sitecore Experience Platform
Patches for these three vulnerabilities were released back in May 2025. If your company uses Sitecore, especially in combination with Sitecore PowerShell Extensions, we recommend updating the CMS as soon as possible. According to NIST descriptions, CVE-2025-34509 affects Sitecore Experience Manager and Experience Platform versions 10.1 through 10.1.4 rev. 011974 PRE; all variants of 10.2; 10.3 through 10.3.3 rev. 011967 PRE; and 10.4 through 10.4.1 rev. 011941 PRE. CVE-2025-34510 is present in Experience Manager, Experience Platform, and Experience Commerce versions 9.0 through 9.3 and 10.0 through 10.4. Lastly, CVE-2025-34511 affects all versions of Sitecore PowerShell Extensions up to version 7.0.
The researchers who discovered these flaws claim to be aware of four other, much more interesting vulnerabilities. However, since patches aren’t ready yet, they’ve said they will disclose these vulnerabilities later. As such, we recommend keeping an eye on upcoming updates from the Sitecore developers.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-24 20:06:392025-06-24 20:06:39Multiple vulnerabilities in Sitecore CMS | Kaspersky official blog
When malware infiltrates a system, it doesn’t always make noise. In fact, some of the most dangerous threats operate quietly embedding themselves deep within the system and ensuring they come back even after a reboot. One of the most common ways they achieve this is by abusing the Windows Registry.
In this article, we’ll walk through how registry abuse works, the signs to watch out for, and how security analysts can catch it using interactive sandboxes, such as ANY.RUN.
What Is Registry Abuse in Malware?
The Windows Registry is an important part of the operating system. It stores configuration settings that determine how Windows behaves, how software runs, and even how users interact with the system. From startup routines to driver settings and user preferences, the registry touches almost every part of the OS.
As it’s central, the registry is also a target for malware authors. By modifying registry keys and values, malware can silently manipulate system behavior to:
Stay persistent by adding itself to autorun keys, it ensures execution every time the system boots.
Hide from users disabling Task Manager, hiding file extensions, or suppressing warnings to avoid detection.
Weaken security turning off Windows Defender or blocking updates to bypass protection.
Control user behavior redirecting browser traffic, setting fake proxies, or hijacking default apps.
The Fastest Way to Spot Registry Abuse inside ANY.RUN Sandbox
Traditional security tools often miss subtle but critical signs of registry abuse, especially when malware hides behind scripts or legitimate-looking processes.
By running suspicious files or links inside ANY.RUN’s interactive sandbox, analysts can observe real-time registry changes as they happen, without waiting for static scans to catch up.
Why It’s So Effective:
Instant visibility into registry modifications, autorun key changes, and process behaviors
Behavior-based detection, not just signatures; perfect for catching new or obfuscated threats
Clear labeling and process tree that highlight when a script or binary tampers with the registry
Interactive control, so you can simulate real user actions that trigger registry abuse (like opening a file or clicking a button)
Real-World Examples of Registry Abuse in Malware
Now, let’s look at how malware abuses the registry in practice and how ANY.RUN makes it easy to detect.
1. Persistence via Autorun Key Modification
This sample shows how the malware (BootstrapperNew.exe) abuses the registry to ensure it launches automatically every time the system boots; a classic persistence mechanism.
BootstrapperNew.exe process with its details demonstrated inside ANY.RUN sandbox
Click on the tactic to get all the details:
Modification of the mentioned registry key
This modification triggers Windows to execute the malicious file at every user login, giving the attacker a reliable foothold on the system.
ANY.RUN also flags this behavior with the MITRE ATT&CK sub-technique T1547.001 (Registry Run Keys / Startup Folder), clearly highlighting the persistence mechanism used. The visual process tree further confirms the execution flow, registry operation, and background network activity.
With static detection tools, this behavior might go unnoticed. But in ANY.RUN’s sandbox, the threat is immediately identified, tagged, and visually traceable in real time, from registry edit to scheduled task creation.
2. FormBook Stealer Using Registry for Stealth
In this example, the malware identified as FormBook manipulates the Windows Registry to aid in stealth and persistence.
Right after execution, FormBook writes a new registry entry under:
Key: HKEY_CURRENT_USERSOFTWARESoftina
Name: MMM-Vkusnaa
Value: 19.06.2025
Formbook detected with modified registry key
Custom registry values like this aren’t random. They’re typically placed in obscure subkeys (SOFTWARESoftina in this case) to avoid detection and logging by standard monitoring tools, but in ANY.RUN’s sandbox, it’s instantly visible and tied to MITRE technique T1112: Modify Registry.
Some malware doesn’t act immediately. Instead, it quietly profiles the environment to decide how (or whether) to execute. That’s exactly what we see in this sample, where the malware queries the registry to gather detailed system information.
Malware reading CPU info exposed inside ANY.RUN sandbox
This query fetches CPU information, such as model name and vendor. While this might seem benign, it plays a crucial role in anti-analysis and evasion tactics.
Why malware reads CPU info:
Environment validation: Malware may use CPU data to check if it’s running on a real machine or a virtual one (e.g., commonly used by sandboxes or researchers).
Tailored payloads: Some threats adapt their behavior based on system specs, avoiding execution if they detect low-end CPUs or virtual environments.
Fingerprinting the target: CPU info is often collected alongside other system data to create a unique victim profile.
But this is just the beginning. According to the MITRE ATT&CK technique T1012: Query Registry, this sample retrieves a wide range of values:
MITRE ATT&CK technique T1012: Query Registry with a wide range of values
Proxy configuration: Determines whether the system uses a proxy and may hijack it
Machine GUID: A unique identifier, useful for tracking infected hosts
Installed software (50 reads): Likely for reconnaissance or to check for security tools
Internet Explorer security settings: May suggest preparation for exploit delivery via browser
System language & locale: Used to avoid infecting machines in certain countries
Computer name & Windows product ID: Adds more detail to the fingerprint
Software policy settings: Used to detect restrictions or protections enabled by admins
This shows how malware can treat the registry as a rich source of system intelligence. Each value queried helps build a clearer picture of the host environment, guiding the next malicious action.
4. Suspicious Registry Modification via REG.EXE
This sample involves a process (_virlock.exe) that uses reg.exe, a legitimate Windows utility, to modify the registry. This kind of activity isn’t inherently malicious, but in the context of malware execution, it often signals stealthy post-infection behavior.
Shortly after execution, the malware launches a command: reg add HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v HideFileExt /t REG_DWORD /d 1
This command modifies the registry to hide file extensions for known file types, a well-documented trick used by malware to disguise malicious executables (e.g., invoice.pdf.exe appears as invoice.pdf).
This case is a good reminder that not all registry abuse is about persistence. Some changes are purely meant to deceive the user, reduce visibility, or mask malicious actions.
With ANY.RUN’s behavioral analysis, this tactic becomes immediately visible, showing which registry key was changed, how, when, and by what process, including full command-line context.
5. Script-Based Registry Modification
In this sample, we see a Windows Script Host process (wscript.exe) modifying the registry, not through a typical executable, but via script-based interaction. This kind of behavior is harder to detect, especially if you’re relying on traditional static analysis.
Thanks to ANY.RUN’s Script Tracer, we can observe the exact call and parameters used:
Key: HKCUSoftwareOJXVOPIitLTnYNgdonnsegment2
Value: (Hex-encoded string payload)
Process: wscript.exe
Operation: RegWrite via WshShell3
ANY.RUN’s Script Tracer observing calls and parameters
This script creates a new key and writes what appears to be an obfuscated or encoded payload into the registry; a technique commonly used to:
Store secondary payloads or shellcode
Evade file-based detection mechanisms
Delay execution until a later stage (fileless persistence)
The registry key name (OJXVOPIitLTnYNg) is randomly generated and meaningless, a common trait of obfuscated malware activity.
We can see how the script writes a long block of hexadecimal content, which may later be decoded and executed, without ever dropping a traditional file on disk.
Long block of hexadecimal content displayed inside ANY.RUN sandbox
These modifications fall under MITRE ATT&CK technique T1112: Modify Registry, and ANY.RUN labels this behavior as Dangerous (13 instances).
The technique “Modify Registry” with all its details inside ANY.RUN sandbox
Without behavioral analysis, this kind of registry manipulation would be nearly invisible, but with Script Tracer, security analysts can follow every step the script takes, down to the exact method calls and values.
Spotting Registry Abuse is Easy with ANY.RUN
Registry modifications are a common and powerful tactic used by malware to stay hidden, persist through reboots, and weaken your defenses. But with the right tools, these threats become much easier to spot, investigate, and respond to.
ANY.RUN’s interactive sandbox doesn’t just show you what malware is doing, it visually breaks down every behavior, from registry edits to process injection and data exfiltration, in real time.
Faster threat detection Catch malicious registry changes and system tampering before damage is done; no need to wait for traditional tools to catch up.
Improved incident response With clear visual evidence and behavior chains, your team can respond to threats with greater accuracy and speed.
Reduced investigation time Analysts can immediately see what’s been changed, what triggered the behavior, and which malware family is involved.
Stronger defenses across the board By identifying how threats abuse the registry, you can harden your endpoints, update rules, and block similar attacks in the future.
Better collaboration and reporting Export detailed analysis reports, share IOCs with teams, and make smarter security decisions faster.
See how ANY.RUN’s interactive sandbox reveals the behavior behind modern threats in real time, and with full context.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-24 13:06:362025-06-24 13:06:36How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox
Your snapshots are, quite literally, the keys to your private life. Your gallery holds your future plans, financial secrets, cat pictures, and sometimes even things you’d never share with anyone. But how often do you truly think about protecting those images? We hope that ever since you heard about the SparkCat cross-platform stealer, you’ve been pondering it more often than usual.
Now we’ve discovered that Trojan’s little sibling, which we’ve affectionately named SparkKitty. But don’t let the cute name fool you — behind it lies a spy that, like its older brother, aims to steal photos from its victims’ smartphones. What makes this threat unique, and why should both Android and iPhone users prick up their ears?
How SparkKitty makes its way onto devices
The stealer spreads in two ways: (i) in the wild — that is, across the untamed parts of the internet; and (ii) through official app stores like the App Store and Google Play. Let’s break this down.
Official app stores
In Apple’s App Store, the malware was lurking inside the 币coin app — designed for tracking cryptocurrency rates and trading signals. We’re not sure exactly how this suspicious spy activity ended up in the app. It’s possible there was a supply-chain compromise, and the developers themselves weren’t aware of SparkKitty until we notified them. But there’s also a second possibility: the developers deliberately embedded the stealer into the app. Regardless, this is the second time we’ve seen a Trojan sneak into the App Store, and we’ve alerted Apple about it. SparkCat was the first instance.
Infected application in the App Store
It’s a different story with Google Play: malicious apps pop up on a regular basis, and we frequently cover these threats on Kaspersky Daily. This time, we detected malicious activity in a messaging app that includes crypto-exchange features. This is a popular app that’s been installed more than 10 000 times, and was still available in the store at the time of the study. We’ve contacted Google to warn them about the threat.
Suspicious links in the wild
That said, the attackers have been much more creative this time in spreading the malware out in the wild. Once, during a routine review of suspicious links (we click them so you don’t have to!) our experts uncovered several similar pages distributing a TikTok mod for Android. One of the main things this mod did was call additional code. “That looks suspicious”, we thought. And we were right. The code contained links displayed as buttons within the app, all directing users to an online store called TikToki Mall, which sold a variety of items. Unfortunately, we couldn’t determine if the store was legitimate or just a big trap — but one interesting fact stood out: TikToki Mall accepts cryptocurrency payments, and you need an invitation code to sign up and pay for any item. We didn’t find any further suspicious activity at this stage, and no traces of SparkKitty or other malware.
So we decided to take a different approach and see what happened when we tapped these same suspicious links from an iPhone. This led us to a page that vaguely resembled the App Store, which immediately prompted us to download the “TikTok app”.
iOS doesn’t allow users to download and run applications from third-party sources. However, Apple provides so-called provisioning profiles to every member of the Apple Developer Program. These allow installing custom applications not available in the App Store on user devices, such as beta versions or apps developed for internal corporate use. Attackers exploit these profiles to distribute apps that contain malware.
The installation process differed slightly from the usual procedure. Typically, in the App Store, you only need to tap Install once, but in this case, installing the fake TikTok required additional steps: downloading and installing a developer provisioning profile.
Installing an app from an unknown source on an iPhone
Naturally, this version of TikTok didn’t have any funny videos; it was just another store, similar to the Android version. While seemingly harmless, the iOS version requested access to the user’s gallery every time it launched — and that was the catch. This led us to discover a malicious module that sent images from the infected phone’s gallery, along with device information, to the attackers. We also found its traces in other Android applications. For the technical details of the story, check out our full report on Securelist.
Who’s at risk?
Our data shows that this campaign primarily targets users in Southeast Asia and China. That doesn’t mean, however, that other countries are beyond the reach of SparkKitty’s claws. The malware has been spreading since at least early 2024, and over the past year and a half attackers have likely considered upscaling their operation to other countries and continents. There’s nothing stopping them. What’s more, it’s not just the TikTok mod you should worry about; we’ve also found malicious activity inside various gambling and adult games, and even crypto-related apps.
If you think these attackers are just interested in admiring your vacation photos, think again. SparkKitty uploads each and every one of your snapshots to its command-and-control server. Those images could easily include screenshots of sensitive information like crypto wallet seed phrases, allowing these bad actors to steal your cryptocurrency.
How to protect yourself from SparkKitty
This Trojan spreads in many ways, and protecting yourself from every single one is a tough challenge. While the golden rule of “download apps from official sources only” still applies, we’ve found traces of this stealer in both Google Play and the App Store — places where apps are supposedly vetted and 100% safe. So what can you do about that?
We recommend focusing on securing your smartphone’s gallery. Naturally, the most foolproof method would be to never take photos or screenshots of sensitive information, but that’s virtually impossible nowadays. There’s a solution: store valuable photos in a secure vault. With Kaspersky Password Manager, you can only view and send protected, important photos after entering the main password, which only you know. Note that the protected content is not confined to just one device. The password manager can sync information between smartphones and computers. This includes bank-card data, two-factor authentication tokens, and anything else you choose to store in Kaspersky Password Manager – including your photos.
It’s also crucial to check your smartphone right now for any of the infected apps we’ve discovered; the extended list is available on Securelist. For Android, Kaspersky for Android can help with this — it’ll find and remove malware for you. On iPhone, due to the closed architecture of iOS, our security solution can’t scan for and delete previously installed infected apps, but it will prevent any attempts to send data to the attackers’ servers and warn you about them.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-23 08:06:402025-06-23 08:06:40SparkKitty: a new stealer in the App Store and Google Play | Kaspersky official blog