Enterprise security teams are no longer defending a single-platform environment. They are expected to investigate threats across multiple platforms every day, often under constant pressure to move faster and make the right call early. When analysis workflows are split across different tools and environments, triage slows down, investigations take longer, and business risks grow.
To help SOC and MSSP teams handle cross-platform threats more efficiently, ANY.RUN now extends its sandbox OS coverage to include macOS, so more investigations can be handled in one environment.
Multi-Platform Infrastructure Creates Challenges for SOCs
Modern organizations operate across multiple operating systems, and security teams already rely on ANY.RUN to investigate threats in Windows, Linux, and Android environments. As macOS adoption continues to grow across enterprise settings, security teams need to be ready to investigate threats on this platform with the same speed and visibility.
That need is especially important as macOS devices are widely used by engineering, product, and leadership teams. These users often have access to critical systems, internal repositories, and sensitive business data. Threat actors increasingly target these environments with platform-specific malware and phishing, including credential stealers and BEC.
However, many security investigation workflows have not evolved at the same pace.
In many SOCs, analyzing threats across different operating systems still requires separate solutions or environments. This fragmentation slows down security operations.
Instead of quickly validating suspicious files or URLs, analysts spend time navigating multiple tools and workflows. Over time, this leads to several operational challenges:
When investigation workflows slow down, the risk of delayed or missed detections increases.
Security teams need a consistent way to investigate threats across operating systems without adding complexity to their workflows.
Expanding Your SOC’s Cross-Platform Threat Analysis with macOS Sandbox
To support modern enterprise environments, ANY.RUN is expanding its sandbox with macOS virtual machines, now available in beta forEnterprise Suiteusers.
This addition boosts cross-platform analysis capabilities, allowing SOC teams to investigate suspicious files and URLs to quickly detect threats.
Instead of relying on separate solutions for different operating systems, analysts can conduct investigations within a single sandbox workflow across Windows, Linux, Android, and now macOS environments.
Even if macOS-specific incidents occur less frequently in some organizations, SOC teams still need to be ready to investigate platform-specific samples without delay. macOS offers strong built-in security, but it is not a complete safeguard against modern threats, especially those aimed at stealing credentials, data, or business-critical access.
With macOS now included in the sandbox workflow, analysts can examine Apple-targeted threats without turning to external environments or building separate testing infrastructure.
Expand your SOC’s cross-platform threat visibility
Reduce breach risk with analysis across 4 major OS
Why Interactive macOS Threat Analysis Is Essential for Modern Security
A key capability that ANY.RUN makes available with macOS threat analysis is interactive sandboxing.
Some macOS threats are designed to remain inactive until a user performs specific actions. This may include entering a password, approving a system dialog. Traditional automated sandboxes often fail to trigger these behaviors, which can cause malicious activity to remain hidden during analysis.
ANY.RUN’s interactive environment allows analysts to replicate real user behavior during sandbox execution. This makes it possible to reveal behaviors that automated analysis may miss, such as:
Credential harvesting through fake authentication dialogs
Staged execution chains triggered by user interaction
File collection or data exfiltration that begins only after authentication
Social engineering techniques embedded directly in malware execution
As a result, analysts gain a clearer understanding of threat intent and impact, helping them reach investigation decisions faster and with greater confidence.
How Integrating ANY.RUN’s Sandbox Boosts SOC Performance and Business Security
Cross-platform sandbox analysis improves how security teams handle suspicious activity in daily triage and response operations.
When analysts can investigate threats across operating systems within a single environment, they can validate alerts faster and reach incident containment decisions with greater confidence.
This operational improvement leads to measurable outcomes:
Faster validation of suspicious files and URLs: Quick behavioral analysis during alert triage helps analysts confirm malicious activity within minutes.
Shorter investigation cycles during triage: Analysts observe full execution behavior immediately, reducing manual correlation across multiple investigation tools.
Improved detection coverage across operating systems: Security teams analyze platform-specific threats across macOS, Windows, Linux, and Android environments.
Higher analyst productivity per shift: Unified investigation workflows reduce context switching and allow analysts to process more alerts.
Reduced alert backlog during peak activity: Faster triage decisions help SOC teams stabilize alert queues during phishing campaigns or malware outbreaks.
By reducing investigation friction, security teams can focus more time on real threats rather than navigating fragmented tooling.
This directly improves the speed and consistency of detection and response.
The sample operates as a credential-stealing tool that first attempts to obtain the user’s system password. It displays a fake system dialog requesting authentication and validates the entered password through the dscl -authonly command.
The window is designed to look very similar to a legitimate macOS system message, making it less likely to raise suspicion. Without a valid password, the malware does not proceed further.
Legitimate-looking window with macOS system message demonstrated inside ANY.RUN sandbox
Once authentication succeeds, the malware collects system and hardware information using the system_profiler utility.
Collection of system and hardware info via system_profiler
Next, it launches an AppleScript-based file collection routine that scans user directories such as Desktop, Documents, and Downloads. It selectively copies files with extensions like PDF, TXT, and RTF into a hidden temporary directory. The files are renamed sequentially and the total collection size is limited to approximately 10 MB.
AppleScript execution observed in the ANY.RUN macOS sandbox initiating file collection from user directories
The gathered data is then compressed into a ZIP archive using the ditto utility and exfiltrated to a command-and-control server through an HTTP POST request executed with curl.
ANY.RUN sandbox detects the behavior of data exfiltration via curl POST
Finally, the malware displays another fake error message to disguise its activity and make the operation appear as a failed system action.
Fake error message to hide malicious activity
From a detection perspective, this activity chain can be identified by a combination of behavioral indicators, including:
Execution of osascript displaying deceptive system dialogs
AppleScript-driven file collection from user directories
Use of ditto for archive creation
Outbound data upload using curl
Observing this behavior in the sandbox gives analysts immediate clarity on the sample’s intent, capabilities, and potential business impact, allowing them to move faster from uncertainty to confident response.
Investigate threats across 4 major enterprise environments
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-19 14:06:282026-03-19 14:06:28Ready for macOS Threats: Expanding Your SOC’s Cross-Platform Analysis with ANY.RUN
Data exfiltration activity increasingly leverages legitimate native utilities, commonly deployed third-party tools, and cloud service clients, reducing the effectiveness of static indicators of compromise (IOCs) and tool-based blocking strategies.
The Exfiltration Framework systematically normalizes behavioral and forensic characteristics of these tools, enabling cross-environment comparison independent of operating system, deployment model, or infrastructure domain.
By modeling execution context, parent-child process relationships, network communication patterns, artifact persistence, and destination characteristics, the framework exposes detection-relevant signals that remain stable even when tools are renamed, relocated, or operated within trusted infrastructure.
The analysis demonstrates that reliable detection requires correlation across endpoint, network, and cloud telemetry, with emphasis on behavioral baselining, contextual anomalies, and cumulative transfer analysis rather than protocol-level or allow-list–based controls.
Background
As defenders have improved their ability to detect malicious code, attackers have adapted by reducing their reliance on bespoke implants. As a result, dataexfiltration is no longer primarily driven by custom malware or specialized tooling. Instead, many modern exfiltration operations leverage legitimate, widely deployed utilities already present in enterprise environments, along with benign cloud storage locations as the destination of the exfiltration connections.
This shift significantly complicates detection. Tools and services used for routine business operations can be repurposed to transfer stolen data outside the network without triggering traditional security controls. In many real-world incidents, exfiltration does not rely on novel protocols, custom command-and-control (C2) infrastructure, or overtly malicious binaries. Instead, attackers abuse trusted, allow-listed tools such as cloud command-line interfaces, file synchronization utilities, managed file transfer platforms, and legitimate file storage services. In these scenarios, the distinction between legitimate use and malicious abuse is subtle, contextual, and difficult to identify.
This research originated from a fundamental question: If attackers don’t require malicious software or infrastructure to exfiltrate data, what signals can defenders rely on to detect their behavior?
Goal
The Exfiltration Framework was developed to explore this question by systematically analyzing how legitimate tools are abused for data exfiltration. While many existing frameworks catalog the misuse of legitimate tools by platform or technology domain, the Exfiltration Framework takes a cross-platform perspective and categorizes tools by exfiltration tactic rather than environment or implementation.
The goal of this project is not to catalog attack techniques or enumerate tools, but to understand how benign utilities are abused for data exfiltration and which telemetry defenders can realistically rely on for detection. By focusing on observable behavior rather than tool presence, this research aims to support detection strategies that remain effective even when attackers operate entirely within trusted software and permitted infrastructure. A secondary objective is to identify behavioral patterns that recur across tools and can be applied more generically to detect exfiltration activity.
The Exfiltration Framework
The Exfiltration Framework is a defensive project designed to systematically document how legitimate tools are abused for data exfiltration. Early in its development, the goal was to provide a comparative overview of exfiltration-capable tools, similar in spirit to matrix-style projects that summarize capabilities at a high level. While useful for classification, this approach proved insufficient for capturing the behavioral and forensic details required for detection and investigation.
As a result, the framework evolved toward a structured, feature-oriented model inspired by projects such as LOLBAS, where tool capabilities, behaviors, and artifacts are documented in a consistent and extensible format. This design allows exfiltration-relevant characteristics to be organized clearly and compared across tools without oversimplifying their behavior.
The framework is intentionally scoped to legitimate, widely available tools commonly present in enterprise environments. It does not attempt to catalog all possible exfiltration mechanisms, nor does it analyze custom malware, exploit-based techniques, or novel C2 protocols. Instead, it concentrates on utilities routinely used for legitimate purposes that can naturally blend into normal activity, making their abuse particularly difficult to detect.
Design goals and data model
The Exfiltration Framework is designed to capture behavioraland forensic characteristics that are directly useful for detection, investigation, and comparative analysis. Rather than documenting tool functionality or attack procedures, each tool is represented using a structured, normalized schema that emphasizes how exfiltration manifests operationally across endpoint, network, and cloud telemetry.
This normalization allows defenders to compare tools with very different implementations based on shared behavioral characteristics, and to reason about exfiltration activity independently of the specific utility involved.
To reflect real-world enterprise environments, tools are grouped into three categories:
Built-in operating system tools, available by default on endpoints
Commonly deployed endpoint tools, installed for operational or administrative purposes
Cloud-native tools, designed to interact with cloud services and storage platforms
This categorization illustrates how exfiltration can occur across multiple layers of the environment, from endpoints to cloud infrastructure, while highlighting differing detection trade-offs.
Core framework fields and rationale
The Exfiltration Framework is designed around the premise that detecting data exfiltration via legitimate tools requires understanding how those tools behave when misused, rather than relying on static identifiers or tool presence alone. Each field in the framework schema was selected to capture signals that defenders can realistically observe and correlate across endpoint, network, and cloud telemetry.
Rather than attempting to model every possible abuse pattern, the framework focuses on a small set of fields that consistently influence detection outcomes across tools and environments.
Tool identity and classification Basic metadata such as tool name, category, and supported platforms provides essential context without implying malicious intent. Classification by deployment model — built-in operating system tools, commonly deployed endpoint tools, and cloud-native tools — helps frame expected behavior and informs detection trade-offs. This distinction is important because tool legitimacy strongly influences both attacker behavior and defensive visibility. Built-in tools often benefit from implicit trust and extensive allow-listing, while cloud-native tools operate against shared infrastructure with limited network-level discrimination. Capturing this context allows defenders to reason about expected versus anomalous behavior for a given class of tool.
Execution characteristics Execution-related fields capture how a tool is typically invoked when abused, including execution mode (interactive, background, headless), command-line usage, and parent-child process relationships. These attributes are frequently more stable indicators of misuse than the presence of a specific binary, particularly in scenarios involving masquerading or living-off-the-land techniques. Execution context often provides early signals of abuse, such as tools launched by unexpected parent processes, executed from atypical directories, or run in unattended modes inconsistent with normal usage. By explicitly modeling these characteristics, the framework enables detection approaches that remain effective even when tools are renamed or relocated.
Network behavior Network-focused fields describe how tools communicate during exfiltration, including protocol usage, destination types, authentication models, and connection patterns. Rather than relying on static indicators such as IP addresses or domains, the framework emphasizes behaviors that affect detection strategy, such as long-lived outbound connections, cloud API interactions, or peer-to-peer synchronization. This abstraction is critical because many legitimate tools produce network traffic that appears benign in isolation. By capturing destination categories and communication patterns instead of specific endpoints, the framework supports detection approaches that focus on contextual anomalies, such as unexpected destinations, unusual transfer volumes, or deviations from baseline behavior.
Forensic artifacts Forensic artifact fields document traces that may persist on disk or in system state, including configuration files, logs, cached credentials, scheduled tasks, or registry changes. These artifacts are particularly valuable for retrospective detection, incident response, and timeline reconstruction. Importantly, the framework treats forensic artifacts as variable rather than guaranteed. Some tools leave extensive footprints, while others operate with minimal persistence or rely on in-memory execution. Explicitly modeling this variability helps defenders understand where forensic blind spots may exist and which tools require stronger reliance on real-time telemetry.
Detectionfocusareas Instead of defining specific detection rules, the framework highlights a set of behavioral patterns observed when legitimate tools are used for exfiltration. These include transfers to network destinations that are unusual for that tool or environment, command-line arguments specific to a particular tool being provided to a differently named process and data volume inconsistencies. These focus areas are intentionally abstract, allowing defenders to adapt them to different environments, logging capabilities, and threat models.
This design choice reflects the reality that effective detection logic is highly environment-specific. By emphasizing what to look for rather than how to detect it, the framework supports reuse across organizations and avoids coupling the research to a specific detection platform or rule format.
Example: Normalized Tool Representation
To illustrate how these fields are applied, the following excerpt shows one particular entry in the framework, a normalized representation of the actionable items gleaned from research into the MOVEit Transfer tool.
This normalized representation enables tools with very different implementations to be compared based on shared behavioral characteristics, supporting consistent analysis across endpoint, network, and cloud contexts. The standardized format also facilitates reuse beyond manual analysis, including integration into automated or AI-assisted detection workflows.
Examples of tools covered in the framework
The framework currently analyzes a curated set of legitimate tools observed in real-world exfiltration scenarios and commonly found in enterprise environments.
Built-in operating system tools
PowerShell
robocopy
xcopy
bitsadmin
curl
wget
Third-party endpoint tools
rclone
Syncthing
restic
GoodSync
MOVEit
PSCP
Cloud tools
AWS CLI
AzCopy
Google Cloud CLI (gcloud)
S3 Browser
This list is not intended to be exhaustive, but represents tools selected based on documented abuse in the wild, prevalence in enterprise environments, and relevance to defensive detection efforts.
Key research observations
Analysis of these tools revealed several recurring patterns with direct implications for detection. Although individual utilities differ in implementation, their abuse for data exfiltration often converges in ways that undermine tool-centric detection approaches. The observations below highlight how attackers leverage legitimate functionality, existing trust relationships, and normal operational patterns to obscure exfiltration activity.
Similarity of network traffic
Across a wide range of tools analyzed in this research, outbound network traffic generated during data exfiltration often converges on common, legitimate patterns. Whether the utility is a native command-line tool, a third-party endpoint application, or a cloud client, data transfer typically occurs over standard application-layer protocols such as HTTPS. Typically the network traffic uses expected destination ports and encrypted payloads as well. This convergence reflects attackers’ preference for tools and services that are already permitted and widely used within enterprise environments.
In practice, exfiltration performed via cloud command-line interfaces, storage clients, or synchronization tools frequently targets trusted cloud platforms or externally hosted infrastructure. Publicreporting shows that attackers commonly leverage legitimate cloud services for data theft, resulting in outbound traffic that is difficult to distinguish from authorized business activity at the network layer.
For example, a cloud storage client uploading data to an external bucket and a synchronization utility transferring files to a remote peer may both generate long-lived HTTPS sessions with steady outbound throughput. From a network perspective, these transfers are characterized by encrypted traffic over standard ports, sustained outbound connections, and destinations associated with legitimate cloud storage providers. This combination closely resembles routine backup or synchronization activity and has been observed in multiple ransomware and extortion investigations involving tools such asrclone and cloud storage clients. As a result, network flow log-based detection approaches based on protocol identification, destination allow-listing, or port filtering provide limited visibility into exfiltration activity.
Layer 7 metadata such as Transmission Control Protocol (TCP) flags or certificate data may provide additional detection opportunities in some cases, but even there standard attributes were the norm. This convergence highlights the need to correlate network telemetry with execution context, data volume relative to baselines, and destination characteristics — such as ownership or prior association with the organization — rather than relying on network traffic alone.
Variability of forensic artifacts
While network-level behavior often converges across exfiltration tools, the forensic artifacts left on the endpoint can vary significantly depending on the utility and execution method used. Some tools generate a rich and persistent footprint, including configuration files, local state databases, cached credentials, scheduled tasks, or detailed logs. When present, these artifacts provide valuable context for incident response, supporting threat hunting, timeline reconstruction, and attribution, as observed in real-world abuse of tools such as rclone and Syncthing. While tool renaming is common and sometimes difficult to detect in process telemetry, masqueraded tools may still generate many of the same forensic artifacts, leading to additional opportunities for identification.
Other tools operate with a much lighter or more transient footprint. Command-line utilities executed with inline arguments, temporary configurations, or fileless techniques may leave little evidence beyond short-lived process execution, command-line telemetry, and ephemeral network connections. Public reporting shows that PowerShell-based exfiltration can rely almost entirely on execution context and in-memory behavior, leaving few durable artifacts on disk. In these cases, forensic visibility depends heavily on the availability and quality of endpoint logging, including process creation, command-line auditing, and script execution telemetry.
This variability reinforces a key finding of the research: There is no uniform forensic signature for exfiltration using legitimate tools. Effective detection therefore requires correlating endpoint telemetry with network and cloud data, rather than assuming that exfiltration activity will consistently leave persistent artifacts.
Cloud-native tools blend into normal operations
Cloud-native tools present a significant detection challenge because they operate within services that are already central to enterprise workflows. Authentication flows, API interactions, and data transfer patterns observed during exfiltration often closely resemble legitimate activity such as backups, deployments, or routine synchronization. Publicincident reporting shows that attackers frequently abuse officially supported cloud clients to move data to attacker-controlled storage while maintaining the appearance of normal cloud usage.
In these scenarios, traditional IOCs, such as domains or IP addresses, provide limited value. Cloud platforms rely on large, shared infrastructure, resulting in highly generic service endpoints used by both legitimate users and attackers. As a result, detecting or blocking exfiltration based on network indicators alone is often impractical and risks significant operational disruption.
Compounding this challenge, many behavioral network detections explicitly allow-list major cloud providers to reduce noise from expected business activity. While operationally necessary, this practice further limits visibility into cloud-based exfiltration, enabling attackers to bypass both legacy IOC-based detections and higher-level behavioral controls by operating entirely within trusted cloud services. This is where cloud-native security products with visibility into which tenants, subscriptions or individual storage buckets are owned by the organization, as well as whether the identity initiating the file transfer typically interacts with that cloud resource, can assist with detection.
Masquerading as a common technique
Masquerading is frequently used to reduce the visibility of data exfiltration by exploiting assumptions about trusted binaries and execution contexts. Rather than introducing unfamiliar tools, attackers often rename legitimate utilities or execute them from locations typically associated with benign software, allowing exfiltration activity to blend into normal endpoint operations and undermining detections based solely on binary names or file paths.
A well-documented example involves rclone, a legitimate cloud synchronization tool repeatedly abused in ransomware and data theft operations. Incident response reporting shows rclone binaries being renamed and staged in trusted locations to evade scrutiny while enabling large-scale data transfers to attacker-controlled cloud storage under the appearance of routine administrative activity.
These cases demonstrate that filename- or path-based trust assumptions are insufficient for detecting exfiltration activity. Effective detection requires correlating execution context, parent process relationships, command-line usage, and network behavior to identify misuse of otherwise legitimate tools, particularly when they are deliberately presented as benign components of the operating environment.
Exfiltration via small, incremental data transfers
A recurring pattern across multiple exfiltration tools is the use of small, incremental data transfers instead of large, single exfiltration events. This technique, which MITRE tracks as T1030, relies on splitting data into smaller units and transmitting it over extended periods. By doing this, attackers can remain below volume-based detection thresholds and reduce the likelihood of drawing attention. This approachhas beenobserved in real-world data theft and ransomware operations involving legitimate transfer and synchronization tools.
This behavior is not protocol- or tool-specific. File transfer utilities, synchronization tools, cloud clients, and scripting environments can all be configured to transfer data gradually, often closely resembling routine background activity. Publicreporting on the abuse of tools like rclone and Syncthing shows how repeated low-volume transfers can collectively result in significant data loss while remaining difficult to distinguish from legitimate use.
Because the timing, size, and frequency of these transfers often align with expected operational patterns — such as business hours or periodic jobs — detection typically requires longitudinal analysis rather than single-event alerts. Without baselining normal usage, low-and-slowexfiltration can persist unnoticed.
Stealth is often a function of policy, not tooling
Stealth in exfiltration scenarios often results from organizational policy rather than technical sophistication. Tools that are explicitly permitted or widely deployed frequently operate under relaxed monitoring, creating low-friction paths for data exfiltration.
In living-off-the-land scenarios, attackers deliberately abuse trusted utilities to benefit from existing allow-listing and policy exemptions, rather than advanced evasion techniques. Publicreporting shows that legitimate cloud and synchronization tools are often misused precisely because their activity is expected and rarely scrutinized. In some ransomware incidents, attackers do not attempt to minimize volume or hide behavior at all, instead exfiltrating large amounts of data directly using trusted tools and infrastructure, relying on policy trust and limited inspection to avoid detection.
Observation summary
The following table summarizes several of the trends observed during the longitudinal analysis detailed above into categories:
Toolcategory
Exampletools
Networkbehavior
Abusepatterns
High-valuesignals
Native
PowerShell, robocopy
HTTPS, SMB
Low-and-slow transfer, fileless execution
Parent process, encoded params, timing
Third-party
rclone,Syncthing
HTTPS, P2P
Masquerading, background sync
Binaryrename, config artifacts
Cloud-based
AWS CLI,AzCopy
HTTPS, Cloud APIs
Legitimate credential abuse
Destination anomalies, account context
Conclusion
As data exfiltration increasingly relies on legitimate, trusted tools rather than custom malware, defenders must rethink how they approach detection. This research shows that meaningful visibility does not come from identifying tools in isolation, but from understanding the specific behaviors those tools exhibit when misused. By analyzing and normalizing execution patterns, network characteristics, and forensic artifacts across a wide range of benign utilities, the Exfiltration Framework provides a practical foundation for behavior-driven detection grounded in real telemetry. Ultimately, improving exfiltration detection requires not only broader visibility, but a deeper understanding of how trusted tools can be repurposed — and how those behaviors can be observed, contextualized, and detected in practice.
Contributing to the Exfiltration Framework
The Exfiltration Framework is intended to evolve with the threat landscape. Contributions from defenders, researchers, and incident responders are welcome, particularly when grounded in real-world observations of how legitimate tools are abused for data exfiltration.
Whether it is documenting additional tools, refining existing entries, or sharing detection-relevant insights, community input helps keep the framework accurate and practically useful. Details on how to contribute are available in the project repository.
Key takeaways
Legitimate tools are frequently abused for data exfiltration, making tool presence alone an unreliable detection signal.
Detection difficulty increases with tool legitimacy and native or cloud integration.
Behavioral signals — such as execution context, timing, data volume, authentication, and destination — are more reliable than static indicators when evaluated together.
Masquerading and low-and-slow transfer techniques exploit trust assumptions and volume-based detection thresholds.
Effective detection requires correlating endpoint, network, and cloud telemetry and baselining expected tool behavior.
Acknowledgements
We would like to thank the following researchers who have contributed to this project, via research into use of tools for exfiltration, review of the paper and framework, or general guidance and input:
What do the words bakso, sate, and rendang bring to mind? For many, the answer is “nothing”; foodies will recognize them as Indonesian staples; while those who follow cybersecurity news will remember an attack on the Node Package Manager (npm) ecosystem — the tool that lets developers use prebuilt libraries instead of writing every line of code from scratch.
In mid-November, security researcher Paul McCarty reported the discovery of a spam campaign aimed at cluttering the npm registry. Of course, meaningless packages have appeared in the registry before, but in this case, tens of thousands of modules were found with no useful function. Their sole purpose was to inject completely unnecessary dependencies into projects.
The package names featured randomly inserted Indonesian dish names and culinary terms such as bakso, sate, and rendang, which is how the campaign earned the moniker “IndonesianFoods”. The scale was impressive: at the time of discovery, approximately 86 000 packages had been identified.
Below, we dive into how this happened, and what the attackers were actually after.
Inside IndonesianFoods
At first glance, the IndonesianFoods packages didn’t look like obvious junk. They featured standard structures, valid configuration files, and even well-formatted documentation. According to researchers at Endor Labs, this camouflage allowed the packages to persist in the npm registry for nearly two years.
It’s not as if the attackers were aggressively trying to insert their creations into external projects. Instead, they simply flooded the ecosystem with legitimate-looking code, waiting for someone to make a typo or accidentally pick their library from search results. It’s a bit unclear exactly what you’d have to be searching for to mistake a package name for an Indonesian dish, but the original research notes that at least 11 projects somehow managed to include these packages in their builds.
A small portion of these junk packages had a self-replication mechanism baked in: once installed, they would create and publish new packages to the npm registry every seven seconds. These new modules featured random names (also related to Indonesian cuisine) and version numbers — all published, as you’d expect, using the victim’s credentials.
Other malicious packages integrated with the TEA blockchain platform. The TEA project was designed to reward open-source creators with tokens in proportion to the popularity and usage of their code — theoretically operating on a “Proof of Contribution” model.
A significant portion of these packages contained no actual functionality at all, yet they often carried a dozen dependencies — which, as you might guess, pointed to other spam projects within the same campaign. Thus, if a victim mistakenly includes one of these malicious packages, it pulls in several others, some of which have their own dependencies. The result is a final project cluttered with a massive amount of redundant code.
What’s in it for the attackers?
There are two primary theories. The most obvious is that this entire elaborate spam campaign was designed to exploit the aforementioned TEA protocol. Essentially, without making any useful contribution to the open-source community, the attackers earn TEA tokens — which are standard digital assets that can be swapped for other cryptocurrencies on exchanges. By using a web of dependencies and self-replication mechanisms, the attackers pose as legitimate open-source developers to artificially inflate the significance and usage metrics of their packages. In the README files of certain packages, the attackers even boast about their earnings.
However, there’s a more chilling theory. For instance, researcher Garrett Calpouzos suggests that what we’re seeing is merely a proof of concept. The IndonesianFoods campaign could be road-testing a new malware delivery method intended to be sold later to other threat actors.
Why you don’t want junk in your projects
At first glance, the danger to software development organizations might not be obvious: sure, IndonesianFoods clutters the ecosystem, but it doesn’t seem to carry an immediate threat like ransomware or data breaches. However, redundant dependencies bloat code and waste developers’ system resources. Furthermore, junk packages published under your organization’s name can take a serious toll on your reputation within the developer community.
We also can’t dismiss Calpouzos’s theory. If those spam packages pulled into your software receive an update that introduces truly malicious functionality, they could become a threat not just to your organization, but to your users as well — evolving into a full-blown supply chain attack.
How to safeguard your organization
Spam packages don’t just wander into a project on their own; installing them requires a lapse in judgment from a developer. Therefore, we recommend regularly raising awareness among employees — even the tech-savvy ones — about modern cyberthreats. Our interactive training platform, KASAP (Kaspersky Automated Security Awareness Platform), can help with that.
A few years ago, most cyberattacks still depended heavily on human effort—skilled operators manually probing systems, testing vulnerabilities, and executing campaigns step by step.
That model is quietly breaking down.
In conversations with security teams and analysts over the past year, one theme keeps coming up: attackers are no longer just using tools—they’re starting to deploy systems that can think, adapt, and act on their own. This is where AI-powered cyber warfare begins to shift from buzzword to reality.
At the center of this shift are autonomous attack agents, AI-driven systems that don’t just assist attackers but actively participate in decision-making. And that changes the threat landscape in a very real way.
What is AI-Powered Cyber Warfare?
At its simplest, AI-powered cyber warfare refers to the use of artificial intelligence and machine learning to enhance cyberattacks. But that definition doesn’t quite capture what’s happening on the ground.
What’s different now is how AI is being used.
Instead of just automating repetitive tasks, attackers are beginning to rely on AI to:
Continuously scan and map attack surfaces
Prioritize targets based on probability of success
Adjust tactics mid-attack
Learn from failures and retry with improved strategies
One security researcher recently described it as “moving from scripts to systems.” That distinction matters. Scripts execute instructions. Systems adapt.
This is why the AI threat landscape feels more unpredictable today—it’s no longer just about known techniques, but evolving behavior.
Understanding Autonomous Attack Agents
If there’s one concept security leaders are increasingly concerned about, it’s autonomous attack agents.
These aren’t hypothetical. Early versions are already being observed in the wild—particularly in automated reconnaissance and vulnerability scanning campaigns.
For example, researchers have documented AI-assisted tools that can:
Crawl entire infrastructures in minutes
Identify misconfigurations across cloud environments
Chain vulnerabilities together without manual input
In one recent case study discussed in security circles, an AI-assisted system was able to simulate multiple attack paths against a target environment and automatically select the most efficient route. That’s a level of decision-making that traditionally required experienced human operators.
This is what makes AI attack agents so significant—they compress both time and expertise. What once required a skilled team can increasingly be done by a single operator backed by intelligent systems.
How AI is Changing Cyberattacks
The shift toward AI-driven attacks is already visible across several fronts.
1. AI-Powered Malware
We’re seeing early signs of AI-powered malware that can alter its behavior to avoid detection. Instead of relying on fixed signatures, these threats experiment—adjusting execution patterns until they find a way through.
While still evolving, this approach is forcing defenders to rethink how detection works.
2. Smarter Phishing and Deepfakes
Perhaps the most visible impact of AI is in phishing.
Security teams report a noticeable increase in highly personalized phishing emails—messages that reflect tone, context, and even internal communication styles. With generative AI, attackers can now scale this level of personalization effortlessly.
Add deepfake audio or video into the mix, and AI-driven cyber attacks start to blur the line between technical compromise and social engineering.
3. Real-Time Decision Making
AI doesn’t wait.
Attack systems can process signals in real time—whether it’s detecting a defensive response or identifying a new entry point—and adjust instantly. This gives attackers a speed advantage that traditional defenses often struggle to match.
4. Scalable, Automated Attacks
Automation isn’t new in cybersecurity, but AI takes it further.
With automated penetration attacks, a single campaign can test thousands of variations simultaneously. Instead of guessing what might work, attackers can experiment at scale.
A Rapidly Evolving Threat Landscape
From an analyst’s perspective, the biggest shift isn’t just technical—it’s operational.
We’re moving from a world of occasional, targeted attacks to one of continuous, adaptive pressure.
That translates into:
Shorter detection and response windows
A constant stream of attack attempts
More sophisticated and evolving tactics
A growing presence of intelligent cyber threats
In discussions with CISOs, a common concern is fatigue—not just human fatigue, but system fatigue. Defenses designed for periodic threats are now dealing with persistent, automated adversaries.
Blaze AI and the Shift Toward AI-Driven Defense
If attackers are using AI to scale and adapt, defenders are being pushed in the same direction.
This is where platforms like Blaze AI become relevant—not as a silver bullet, but as part of a broader shift toward intelligent defense.
Instead of relying purely on predefined rules, Blaze AI focuses on:
Detecting patterns and anomalies in real time
Automating threat analysis and response
Providing visibility into emerging AI-driven cyber threats
From what we’re seeing across the industry, this reflects a larger trend: cybersecurity is becoming a contest of learning systems. In other words, AI vs cybersecurity defense is no longer a future concept—it’s already underway.
How to Defend Against AI-Powered Cyber Attacks
There’s no single solution to counter AI-powered cyber warfare, but there are clear priorities emerging across organizations:
1. Adopt AI-Driven Security Tools
Static defenses struggle against adaptive threats. AI-based systems help identify patterns that don’t match known attack signatures.
2. Strengthen Threat Intelligence
Understanding emerging AI security risks is critical. The faster teams can contextualize new threats, the better they can respond.
3. Implement Zero-Trust Architectures
Limiting access and continuously verifying users reduces the attack surface—especially important against automated systems.
4. Don’t Ignore the Human Layer
Even the most advanced attacks still exploit human behavior. Training employees to recognize sophisticated phishing and manipulation attempts remains essential.
The Future of Cyber Warfare
Looking ahead, the trajectory is fairly clear.
We’re entering a phase where artificial intelligence in cyber warfare becomes standard practice on both sides. Attackers will continue experimenting with autonomy, while defenders will invest in systems that can respond just as quickly.
The question isn’t whether AI will dominate cyber operations—it’s how quickly organizations can adapt to that reality.
Conclusion
From an analyst standpoint, this moment feels like an inflection point.
The rise of autonomous attack agents, AI-powered malware, and increasingly intelligent cyber threats signals a shift toward faster, more adaptive cyber conflict.
Organizations that treat this as a distant concern risk falling behind. Those that start integrating AI into their defense strategy today will be far better positioned for what’s coming next.
Don’t wait for threats to outpace your defenses. Experience how Cyble Blaze AI can transform your security operations with predictive intelligence and autonomous response. Request a personalized demo today and take the first step toward truly proactive cybersecurity.
Frequently Asked Questions (FAQs) about AI-powered cyber warfare
What are autonomous attack agents?
Autonomous attack agents are AI systems capable of independently identifying vulnerabilities and launching cyberattacks with minimal human intervention.
How is AI used in cyber warfare?
AI is used to automate attacks, improve targeting, evade detection, and scale operations more efficiently.
Is AI making cyberattacks more dangerous?
Yes. AI increases both the speed and sophistication of cyberattacks, making them harder to detect and respond to.
What is Blaze AI in cybersecurity?
Blaze AI is an artificial intelligence-powered cybersecurity solution that combines intelligence and automation to detect, analyze, and respond to modern cyber threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-18 12:08:402026-03-18 12:08:40AI-Powered Cyber Warfare: How Autonomous Attack Agents Are Changing the Threat Landscape
MTTR is where strategy meets reality. In security operations, it is the margin between a contained incident and a catastrophic breach.
You can have perfect detection coverage, cutting-edge telemetry, and a wall of dashboards glowing like a spaceship cockpit. But if your team takes too long to respond, the attacker still wins the clock.
Reducing Mean Time to Respond is not about shaving seconds for vanity metrics. It is about compressing the window in which damage happens. And the fastest way to do that is not more alerts, but better intelligence.
Key Takeaways
MTTR is not just an operational metric. It is a direct measure of how long your business is exposed during an active threat. Every minute counts in financial, reputational, and regulatory terms.
Lower MTTR is achievable only through systematic improvement across all SOC workflows: detection, triage, threat hunting, incident response, and vulnerability management.
Threat intelligence quality is the single highest-leverage variable in every stage of MTTR reduction; bad or slow intelligence creates bottlenecks that no amount of headcount can overcome.
For CISOs and security leaders, ANY.RUN Threat Intelligence translates into a defensible, budget-aligned story: measurable MTTR reduction, reduced analyst burnout, and tangible alignment with business risk reduction.
Beyond the Number: What MTTR Actually Measures
MTTR — Mean Time to Respond — captures the average elapsed time from threat detection to full incident remediation. It is a compound metric that absorbs the latency of every step in your response chain: detection, alert triage, investigation, containment, eradication, and recovery. A high MTTR does not merely indicate a slow team; it indicates structural friction somewhere in that chain.
For experienced security leaders, this distinction matters enormously. Chasing MTTR as a raw number is a management trap. Understanding MTTR as a diagnostic readout of your entire SOC’s operational health is a strategic advantage.
Why leadership cares about MTTR
Direct financial impact. Longer response times increase remediation costs, legal exposure, and downtime.
Operational continuity. Faster containment keeps business processes running.
Regulatory and compliance pressure. Many frameworks implicitly reward faster detection and response cycles;
Reputation protection. The difference between a minor incident and a headline breach is often measured in hours.
When presenting to the board, this framing transforms MTTR from a technical KPI into a business risk metric with direct financial and compliance implications.
Turn faster response into measurable business risk reduction
with ANY.RUN Threat Intelligence
A low MTTR signals something deeper: a SOC that understands what it sees and acts without hesitation. From an operational perspective, MTTR is the output of three interacting variables: the quality of your detections, the speed of your analyst workflows, and the fidelity of your threat intelligence. A team that receives high-fidelity, context-rich alerts and has instant access to deep threat intelligence will always outperform an equally staffed team working with noisy, low-context alerts and manual enrichment processes.
The cost of poor or slow threat intelligence is borne in analyst hours, extended dwell times, and the compounding risk of delayed containment.
The Board-Level Framing
When making the case for investment in MTTR reduction capabilities, security leaders should ground the conversation in three dimensions:
Financial exposure: quantify the average cost per hour of active incident dwell time, drawing on breach cost benchmarks relevant to your sector.
Regulatory risk: map MTTR gaps to breach notification obligations and the financial penalties associated with late disclosure.
Operational resilience: frame MTTR reduction as a measure of how quickly the business can return to normal operations after a security event (a direct input into business continuity metrics that boards track).
How SOC Workflows Shape MTTR
MTTR is not owned by one team. It is the emergent result of everything your SOC does. Here is how different workflows influence it:
SOC processes impacting responce time
Each of these workflows is, in effect, a constraint in a pipeline. MTTR optimization requires removing the binding constraint — and in the majority of SOC environments, that constraint is the quality, speed, and accessibility of threat intelligence.
How ANY.RUN Threat Intelligence Optimizes Every SOC Workflow
ANY.RUN Threat Intelligence is a set of capabilities designed to address the most persistent sources of MTTR inflation: intelligence latency, analyst enrichment overhead, and incomplete threat context. It is composed of three tightly integrated components: Threat Intelligence Feeds, Threat Intelligence Lookup, and the ANY.RUN Interactive Sandbox. Together, they form a comprehensive intelligence layer that accelerates every stage of the response chain described above.
Threat Intelligence Feeds: Eliminating Intelligence Latency at Scale
ANY.RUN’s Threat Intelligence Feeds deliver a continuous, real-time stream of high-confidence indicators of compromise (IP addresses, domains, URLs) extracted directly from live malware analysis sessions conducted in the ANY.RUN sandbox environment. Originating from first-hand dynamic analysis places them among the most timely and behaviorally validated IOC sources available.
Indicators in Threat Intelligence Feeds
For SOC teams, this distinction is critical. An IOC that has been validated through behavioral sandbox analysis carries far more operational confidence than one extracted from a static signature or passive aggregation. Analysts and automated playbooks can act on it immediately — without the validation overhead that depresses response speed and inflates MTTR.
What Feeds Deliver Across SOC Workflows
1. Alert Triage: Context-rich IOCs reduce the investigation burden on tier1/tier2 analysts. When an alert fires against a known, characterized IOC, analysts have immediate access to associated threat actor, malware family, and behavioral context, eliminating the manual lookup step that typically consumes 15-30 minutes per alert.
2. Automated Response: High-confidence IOCs from ANY.RUN TI Feeds can trigger automated blocking, quarantine, and notification playbooks with low risk of false-positive action.
3. Threat Hunting: Teams can use the feeds as fresh hypotheses for proactive hunts, immediately operationalizing newly observed IOCs from the broader threat landscape.
4. Detection Engineering & SIEM: Feeds integrate directly into SIEM and SOAR platforms via STIX/TAXII, CSV, and JSON formats, enabling continuous rule enrichment without manual input. Detection coverage stays current with the threat landscape automatically.
The solutions that TI Feeds work with
The net effect on MTTR is compounded across the SOC: faster detection, faster triage, faster automated response, and faster hunting cycles, all driven by the elimination of intelligence latency.
Threat Intelligence Lookup: Compressing Analyst Investigation Time
ANY.RUN Threat Intelligence Lookup provides analysts with instant, deep analysis of any artifact — file hash, IP address, domain, or URL — against a continuously updated database of analyzed threats. This is not a static reputation check. It surfaces detailed behavioral context: what a file does when executed, what network infrastructure it communicates with, what threat actor campaigns it is associated with, and what MITRE ATT&CK techniques it employs.
IP detected as Moonrise RAT infrastruscture with linked sandbox analyses for behavior data
What Lookup Delivers Across SOC Workflows
1. Tier 1/Tier 2 Triage: Analysts can validate any suspicious artifact in seconds, obtaining verdict, behavioral context, associated IOCs, and sandbox analysis links: enough to make an escalation or closure decision without further research.
2. Incident Response: During an active incident, IR teams need to rapidly characterize malware capabilities, map likely lateral movement paths, and determine containment scope. TI Lookup provides instant access to this context, allowing IR teams to act on complete information rather than conducting time-consuming analysis under pressure.
3. Threat Hunting: Hunters can validate hypotheses at scale by running bulk lookups against historical endpoint and network telemetry, rapidly separating genuine threat signals from environmental noise.
4. Management Reporting: Lookup data supports evidence-based MTTR reporting — analysts can demonstrate exactly what intelligence was available, when it was accessed, and how it informed decisions, providing an audit trail that supports both operational review and regulatory compliance.
While TI Feeds and TI Lookup capabilities address the speed dimension of threat intelligence, ANY.RUN’s Interactive Sandbox addresses the depth dimension. It provides analysts with an interactive malware analysis environment that delivers full behavioral visibility — process trees, network traffic, registry changes, file system activity, and MITRE ATT&CK technique mapping — without requiring reverse engineering expertise.
For SOC teams, this means that complex malware analysis, which would previously require escalation to a specialist (adding hours or days to MTTR), can now be performed by any competent analyst. This has a direct and measurable impact on MTTR, particularly in the incident response and escalation phases where analysis bottlenecks most commonly occur.
Shrink incident response time and minimize breach impact
with real-time TI solutions
Security leaders face a persistent translation problem: the operational metrics that matter inside the SOC do not naturally map to the language of business risk, financial exposure, and strategic investment. ANY.RUN Threat Intelligence bridges this gap by delivering improvements that are simultaneously operationally meaningful and strategically defensible:
Risk Reduction: Faster MTTR directly reduces organizational exposure during active incidents. For every workflow improvement driven by ANY.RUN intelligence, the window of active risk narrows, translating into lower expected breach costs and reduced regulatory exposure.
Analyst Capacity: The manual enrichment and validation work that ANY.RUN Feeds and Lookup eliminate is not just slow, it is expensive. Reclaiming analyst hours from repetitive intelligence gathering and redirecting them toward higher-order investigation and hunting delivers measurable capacity gains without headcount increases.
Scalability Without Linear Cost Growth: As threat volumes increase, organizations that rely on manual intelligence processes face a linear scaling problem — more alerts require more analysts. ANY.RUN Threat Intelligence breaks this dependency by automating the intelligence layer, allowing SIEM/SOAR platforms to absorb greater alert volumes without proportional analyst overhead.
Compliance and Audit Readiness: Regulators and insurers increasingly scrutinize incident response timelines. ANY.RUN’s structured, documented intelligence data supports post-incident reporting and demonstrates a defensible security program, reducing regulatory risk and potentially influencing cyber insurance premiums.
Talent Retention: Analyst burnout is a leading cause of SOC attrition. The cognitive load of manual enrichment, alert fatigue, and tool-switching is a known driver of analyst dissatisfaction. ANY.RUN Threat Intelligence reduces this burden, contributing to the working environment improvements that retain experienced analysts.
Addressing Security Leaders’ Core Pains
The decision-makers most likely to evaluate ANY.RUN Threat Intelligence are managing a recognizable set of pressures: too many alerts, too few analysts, insufficient confidence in intelligence quality, difficulty demonstrating security ROI, and the constant risk of a major incident that would expose all three.
Key steps to cutting MTTR with real-time TI
ANY.RUN Threat Intelligence addresses each of these directly. It does not require a wholesale platform replacement. It integrates with existing SIEM, SOAR, and TIP infrastructure. It delivers immediate capability improvements from day one of deployment. And it provides a documented, measurable improvement in detection and response performance that security leaders need to defend budget allocations and demonstrate program maturity.
Conclusion
MTTR is the number that tells you whether your security program is actually working. Under pressure, against real threats. Every minute of MTTR that you cannot account for is a minute of active risk that your organization is absorbing.
The path to lower MTTR runs through better threat intelligence. Intelligence that is timely enough to act on immediately. Intelligence that is rich enough to eliminate investigation bottlenecks. Intelligence that integrates cleanly into your existing workflows so that improvement is structural, not dependent on individual analyst heroics.
ANY.RUN Threat Intelligence — through its Feeds, Lookup, and Sandbox capabilities — is built to deliver exactly this. It addresses the real operational problems that inflate MTTR in modern SOC environments: intelligence latency, enrichment overhead, analysis depth limitations, and the manual work that consumes analyst capacity that should be directed at threat response.
For SOC leaders looking to demonstrate measurable improvement in their teams’ performance, for CISOs making the case for sustained security investment, and for business leaders who understand that security outcomes have direct financial consequences, MTTR reduction through better threat intelligence is not a technical project — it is a strategic imperative.
About ANY.RUN
As a leading provider of interactive malware analysis and threat intelligence, ANY.RUN is trusted by over 600,000 analysts across 15,000 organizations worldwide. Its solutions enable teams to investigate threats in real time, trace full execution chains, and surface critical behaviors within seconds.
Safely detonate samples, interact with them as they run, and instantly pivot to network traces, file system changes, registry activity, and memory artifacts in ANY.RUN’s Interactive Sandbox. For threat intelligence insights, integrate TI Lookup and TI Feeds supplying enriched IOCs and automation-ready intelligence.
ANY.RUN meets enterprise security and compliance expectations. The company is SOC 2 Type II certified, reinforcing its commitment to protecting customer data and maintaining strong security controls.
FAQ
What is the fastest way to reduce MTTR?
Improve access to contextual threat intelligence to eliminate investigation delays.
Why does MTTR matter more than MTTD in some cases?
Because detecting a threat quickly does not help if response is slow or ineffective.
How does threat intelligence improve SOC workflows?
It enriches alerts, prioritizes threats, and accelerates investigation and response decisions.
Can MTTR be reduced without increasing SOC headcount?
Yes, by optimizing workflows and providing better intelligence to analysts.
What is the biggest bottleneck in MTTR today?
Lack of context and fragmented data across multiple systems.
How do Threat Intelligence Feeds help SOC teams?
They enable faster detection, reduce false positives, and support automation.
What role does Threat Intelligence Lookup play?
It provides deep, immediate context for indicators, speeding up investigations.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-18 11:06:262026-03-18 11:06:26How to Reduce MTTR in Your SOC with Better Threat Intelligence
COM automation is a core Windows technology that allows code to access external functionality through well-defined interfaces. It is similar to traditionally loading a DLL, but is class-based rather than function-based. Many advanced Windows capabilities are exposed through COM, such as Windows Management Instrumentation (WMI).
Scripting and late-bound COM calls operate through the IDispatch interface. This creates a key analysis point that many types of malware leverage when interacting with Windows components.This analysis point is quite complex and hard to safely instrumentate at scale.
In this article, Cisco Talos presents DispatchLogger, a new open-source tool that closes this gap by delivering high visibility into late-bound IDispatch COM object interactions via transparent proxy interception.
This blog describes the architecture, implementation challenges, and practical applications of comprehensive COM automation logging for malware analysis. This technique can be utilized on multiple types of malware.
Malwaretype
Bindingtype
Est.coverage
Windows Script Host
Always Late
100%
PowerShell COM
Always Late
100%
AutoIT
Always Late
100%
VBA Macros
Mostly Late
95%
VB6 Malware
Mixed
65%
.NET COM Interop
Mixed
60%
C++ Malware
Rarely Late (WMI)
10%
The challenge
Modern script-based malware (e.g., VBScript, JScript, PowerShell) relies heavily on COM automation to perform malicious operations. Traditional dynamic analysis tools capture low-level API calls but miss the semantic meaning of high-level COM interactions. Consider this attack pattern:
Figure 1. Sample VBScript code to create a process with WMI as its parent.
Behavioral monitoring will detect process creation, but the analyst often loses critical context such as who launched the process. In this scenario WMI spawns new processes with wmic.exe or wmiprvse.exe as the parent.
Technical approach
Interception strategy
DispatchLogger starts with API hooking at the COM instantiation boundary. Every COM object creation in Windows flows through a small set of API functions. By intercepting these functions and returning transparent proxies deep visibility can be achieved without modifying malware behavior.
The core API hooking targets are:
CoCreateInstance: Primary COM object instantiation (CreateObject in scripts)
CoGetClassObject: Class factory retrieval
GetActiveObject: Attachment to running COM instances
Initial implementation attempts hooked only CoCreateInstance, filtering for direct IDispatch requests. However, testing revealed that most VBScript CreateObject calls were not being intercepted.
To diagnose this a minimal ActiveX library was created with a MsgBox in Class_Initialize to freeze the process. The VBScript was launched, and a debugger attached to examine the call stack. The following code flow was revealed:
Figure 2. Call stack showing how VBScript obtains a target IDispatch interface.
Disassembly of vbscript.dll!GetObjectFromProgID (see Figure 3) confirmed the pattern. VBScript’s internal implementation requests IUnknown first, then queries for IDispatch afterward:
Figure 3. Disassembly of vbscript.dll!GetObjectFromProgID.
The key line is CreateInstance(NULL, IID_IUnknown, &ppunk). Here, VBScript explicitly requests IUnknown, not IDispatch. This occurs because VBScript needs to perform additional safety checks and interface validation before accessing the IDispatch interface.
If we only wrap objects when IDispatch is directly requested in CoCreateInstance, we miss the majority of script instantiations. The solution is to also hook CoGetClassObject and wrap the returned IClassFactory:
Figure 4. Returning a Class Factory proxy from the CoGetClassObject API Hook.
The ClassFactoryProxy intercepts CreateInstance calls and handles both cases:
Figure 5. Returning an IDispatch Proxy from ClassFactoryProxy::CreateInstance if possible.
This ensures coverage regardless of which interface the script engine initially requests.
Architecture
Proxy implementation
The DispatchProxy class implements IDispatch by forwarding all calls to the wrapped object while logging parameters, return values, and method names. If the function call returns another object, we test for IDispatch and automatically wrap it.
Figure 6. Simplified flow of IDispatch::Invoke hook. Full hook is around 300 loc.
The proxy is transparent, meaning it implements the same interface, maintains proper reference counting, and handles QueryInterface correctly. Malware cannot detect the proxy through standard COM mechanisms.
Recursive object wrapping
The key capability is automatic recursive wrapping. Every IDispatch object returned from a method call is automatically wrapped before being returned to the malware. This creates a fully instrumented object graph.
GetObject("winmgmts:") triggers hook, returns wrapped WMI service object
Calling .ExecQuery() goes through proxy, logs call with SQL parameter
Returned query result object is wrapped automatically
Enumerating with For Each retrieves wrapped IEnumVARIANT
Each enumerated item is wrapped as it’s fetched
Calling .Terminate() on items logs through their respective proxies
Enumerator interception
VBScript/JScript For Each constructs use IEnumVARIANT for iteration. We proxy this interface to wrap objects as they’re enumerated:
Figure 8. Implementation of IEnumVariant.Next that wraps child objects in the IDispatch proxy.
Moniker support
VBScript’s GetObject() function uses monikers for binding to objects. We hook CoGetObject and MkParseDisplayName, then wrap returned moniker objects to intercept BindToObject() calls:
Figure 9. Implementation of IMoniker.BindToObject that wraps the returned object with an IDispatch Proxy.
This ensures coverage of WMI access and other moniker-based object retrieval.
Implementation details
Interface summary
While standard API hooks can be implemented on a function-by-function basis, COM proxies require implementing all functions of a given interface. The table below details the interfaces and function counts that had to be replicated for this technique to operate.
Interface
Total Methods
Logged
Hooked/Wrapped
Passthrough
IDispatch
7
4
1
2
IEnumVARIANT
7
1
1
5
IClassFactory
5
2
1
2
IMoniker
26
1
1
24
During execution, a script may create dozens or even hundreds of distinct COM objects. For this reason, interface implementations must be class-based and maintain a one-to-one relationship between each proxy instance and the underlying COM object it represents.
While generating this volume of boilerplate code by hand would be daunting, AI-assisted code generation significantly reduced the effort required to implement the complex interface scaffolding.
The real trick with COM interface hooking is object discovery. The initial static API entry points are only the beginning of the mission. Each additional object encountered must be probed, wrapping them recursively to maintain logging.
Thread safety
Multiple threads may create COM objects simultaneously. Proxy tracking uses a critical section to serialize access to the global proxy map:
Figure 10. Thread safety checks in the WrapDispatch function.
Reference counting
Proper COM lifetime management is critical. The proxy maintains separate reference counts and forwards QueryInterface calls appropriately:
Figure 11. The IDispatch proxy maintains proper reference counts.
Output analysis
When script code executes with DispatchLogger active, comprehensive logs are generated. Here are excerpts from an actual analysis session:
Object creation and factory interception:
[CLSIDFromProgID] 'Scripting.FileSystemObject' -> {0D43FE01-F093-11CF-8940-00A0C9054228}
[CoGetClassObject] FileSystemObject ({0D43FE01-F093-11CF-8940-00A0C9054228}) Context=0x00000015
[CoGetClassObject] Got IClassFactory for FileSystemObject – WRAPPING!
[FACTORY] Created factory proxy for FileSystemObject
[FACTORY] CreateInstance: FileSystemObject requesting Iunknown
[FACTORY] CreateInstance SUCCESS: Object at 0x03AD42D8
[FACTORY] Object supports IDispatch – WRAPPING!
[PROXY] Created proxy #1 for FileSystemObject (Original: 0x03AD42D8)
[FACTORY] !!! Replaced object with proxy!
Method invocation with recursive object wrapping
[PROXY #1] >>> Invoke: FileSystemObject.GetSpecialFolder (METHOD PROPGET) ArgCount=1
[PROXY #1] Arg[0]: 2
[PROXY #1] <<< Result: IDispatch:0x03AD6C14 (HRESULT=0x00000000)
[PROXY] Created proxy #2 for FileSystemObject.GetSpecialFolder (Original: 0x03AD6C14)
[PROXY #1] !!! Wrapped returned IDispatch as new proxy
[PROXY #2] >>> Invoke: FileSystemObject.GetSpecialFolder.Path (METHOD PROPGET) ArgCount=0
[PROXY #2] <<< Result: "C:UsershomeAppDataLocalTemp" (HRESULT=0x00000000)
Data exfiltration: Filesystem operations, network object usage, database access via ADODB
Obsfuscationbypass: Working at the COM layer, method names and arguments are already fully resolved
Performance considerations
Proxy overhead is minimal:
Each Invoke call adds one virtual function dispatch.
In the demo, logging I/O occurs via IPC.
Object wrapping is O(1) with hash map lookup.
There is no performance impact on non-COM operations.
In testing with real malware samples, execution time differences were negligible.
Limitations
Current implementation constraints:
IDispatchEx: Not currently implemented (not used by most malware)
IClassFactory2+: Not currently implemented (may impact browser/HTA/WinRT)
Out-of-process COM: DCOM calls require separate injection into server process
Multi-threaded race conditions: Rare edge cases in concurrent object creation
Type library dependencies: Method name resolution requires registered type libraries
Processfollowing: Sample code does not attempt to inject into child processes
64-bitsupport: 64-bit builds are working but have not been heavily tested
The sample code included with this article is a general purpose tool and proof of concept. It has not been tested at scale and does not attempt to prevent logging escapes.
Operational usage
Typical analysis workflow:
Prepare isolated analysis VM
Inject DispatchLogger into target process
Execute malware sample
Review comprehensive COM interaction log
Identify key objects, methods, and parameters
Extract IOCs and behavioral signatures
The tool has been tested against:
VBScript & Jscript using Windows Script Host (cscript/wscript)
PowerShell scripts
basic tests against .NET and Runtime Callable Wrappers (RCW)
VB6 executables with late bound calls and Get/CreateObject
Background and prior work
The techniques presented in this article emerged from earlier experimentation with IDispatch while developing a JavaScript engine capable of exposing dynamic JavaScript objects as late-bound COM objects. That work required deep control over name resolution, property creation, and IDispatch::Invoke handling. This framework allowed JavaScript objects to be accessed and modified transparently from COM clients.
The experience gained from that effort directly informed the transparent proxying and recursive object wrapping techniques used in DispatchLogger.
Conclusion
DispatchLogger addresses a significant gap in script-based malware analysis by providing deep, semantic-level visibility into COM automation operations. Through transparent proxy interception at the COM instantiation boundary, recursive object wrapping, and comprehensive logging, analysts gain great insight into malware behavior without modifying samples or introducing detection vectors.
The implementation demonstrates that decades-old COM architecture, when properly instrumented, provides powerful analysis capabilities for modern threats. By understanding COM internals and applying transparent proxying patterns, previously opaque script behavior becomes highly observable.
DispatchLogger is being released open source under the Apache license and can be downloaded from the Cisco Talos GitHub page.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-18 10:06:382026-03-18 10:06:38Transparent COM instrumentation for malware analysis
The ongoing Middle East war has evolved into a cyber battlefield, with state-sponsored operations targeting critical infrastructure and essential services. Analysts warn that the region is witnessing an unprecedented escalation in Middle East cyber warfare, with attacks affecting governments, energy networks, finance, communications, and industrial systems. These operations, often executed through proxy groups, aim to destabilize societies, disrupt supply chains, and exert geopolitical pressure.
Despite early disruptions to Iranian command centers, Iran and its affiliated groups retain substantial cyber capabilities. Incidents already linked to these campaigns include fuel distribution delays in Jordan and interference with navigation systems, impacting over 1,100 ships near the Strait of Hormuz, posing risks to global oil and gas trade. The integration of military strikes with cyber operations, known as hybrid warfare, has become a defining feature of the conflict, making cyber threats in the Middle East a growing concern for organizations worldwide.
Hybrid Warfare and the Rise of Middle East Cyber Attacks
According to recent intelligence, the region entered a critical phase of hybrid warfare following an escalation between Iran, the United States, and Israel on February 28, 2026. The joint offensive, dubbed Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel, combined traditional military strikes with cyberattacks, psychological operations, and information warfare. Early operations targeted Iran’s nuclear and military infrastructure, while cyber campaigns disrupted internet access, government systems, and media networks.
Iran retaliated with missile and drone strikes across Israel, Gulf states, and U.S. bases, while cyber operations proliferated. Over 70 hacktivist groups launched campaigns including DDoS attacks, website defacements, credential theft, and disinformation. Malware and phishing campaigns also emerged, such as a fraudulent Israeli missile-alert app designed to harvest sensitive data. These events highlight how modern conflict increasingly intertwines kinetic warfare with cyber operations, amplifying Middle East cybersecurity threats for both regional and global targets.
Iranian Cyber Capabilities and Hacktivist Involvement
Iran remains a formidable cyber adversary, with active threat groups including Charming Kitten (APT35), APT33, MuddyWater, OilRig, and Pioneer Kitten. These groups conduct espionage, infrastructure disruption, credential theft, and target critical sectors such as energy, aviation, government, and telecommunications. Iranian-aligned hacktivists, including CyberAv3ngers, Handala, Team 313, and DieNet, further amplify risks through DDoS campaigns, industrial control system intrusions, and data leaks.
Advisories indicate potential cooperation between Iranian and Russia-linked hacktivists, which could heighten Middle East geopolitical cyber threats. Experts emphasize that organizations must bolster cybersecurity in the Middle East, enforce multi-factor authentication, segment critical networks, and participate in information-sharing frameworks to mitigate risks.
Cyber Retaliation and Infrastructure Disruption
The first 72 hours of the conflict primarily involved disruption and propaganda rather than destructive attacks on infrastructure. On February 28, 2026, Israel executed one of the largest cyberattacks against Iran, causing a near-total internet blackout, with connectivity dropping to just 1–4% of normal levels. Concurrently, Iranian-aligned groups launched spear-phishing campaigns, ransomware-style attacks, data exfiltration, and malware deployment targeting energy systems, airports, financial institutions, and government networks.
Beyond regional targets, supply chain interconnections expose countries outside the Middle East, such as India, to indirect risks. Attackers exploit vulnerabilities in VPNs, Microsoft Exchange, and other widely used technologies while deploying AI-assisted phishing, weaponized documents, and concealed command-and-control infrastructure. Organizations are urged to enhance cloud resilience, prepare for DDoS attacks, and strengthen monitoring and incident response procedures to combat the expanding wave of Middle East cyberattacks.
Exploitation by Cybercriminals Amid Geopolitical Instability
Cybercriminals are leveraging the heightened attention on the conflict to launch scams, misinformation, and malware campaigns. Researchers have identified over 8,000 newly registered domains tied to the crisis, many of which could later serve as vectors for attacks. Notable campaigns include:
Conflict-themed malware lures, including fake missile strike reports delivering backdoors like LOTUSLITE.
Phishing portals impersonating government or payment services.
Fake donation pages, fraudulent online stores, and cryptocurrency “meme-coin” schemes, sometimes containing Persian-language code comments suggesting Iran-aligned operators.
Preparing for the Middle East Cyber War 2026
As Middle East cyber warfare escalates, organizations must strengthen defenses, patch vulnerabilities, and enhance incident response to counter rising cyber threats in the Middle East. The events of 2026 show that modern conflicts extend beyond traditional battlefields, with cyberattacks threatening infrastructure, finance, and global supply chains.
Cyble, the world’s #1 threat intelligence platform, provides AI-powered solutions to detect, predict, and neutralize threats in real time, helping organizations stay ahead of Middle East cybersecurity threats.
Book a personalized demo and see how Cyble Blaze AI can protect your organization during the Middle East cyber war 2026.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-17 11:06:342026-03-17 11:06:34Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure
As part of a recent live expert panel, ANY.RUN together with threat researcher and ethical hacker Mauro Eldritch explored biggest security risks companies should be prepared for in 2026.
The discussion covered several relevant cases, from the Lazarus IT Workers operation to the rapid rise of AI-driven phishing attacks, and examined the common thread behind them: trust abuse.
Below are the key takeaways for those seeking a clearer view of modern cyber risks and how to prepare as a SOC leader.
Focus on early detection through behavioral visibility, context, and process-based security.
Combine sandbox analysis, threat intelligence, and contextual enrichment for faster, more accurate decisions.
Trust Abuse: Top Business Risk for 2026
In 2026, many cyberattacks don’t look like attacks at all. Instead of exploiting technical vulnerabilities, threat actors increasingly exploit human trust. This tactic is known as trust abuse, and it’s what many modern cyber threats are based on.
Businesses inevitably rely on trust between employees, systems, vendors, and partners. Without it, organizations cannot operate efficiently. Threat actors know what, so they’ve learnt to mimic legitimate identities, infiltrate communication channels and everyday workflows, and turn employees into unwitting entry points.
Numbers clearly show the scale of trust-exploit attacks
AI-assisted social engineering pushes trust abuse even further. These attacks closely resemble legitimate activity and often fail to trigger traditional alerts. For security leaders, this changes how risk must be understood.
Risk mitigation is no longer only about patching vulnerabilities or strengthening perimeter defenses. Detecting trust abuse requires visibility into behavior, context, and how trust moves inside the enterprise.
Get enterprise-grade visibility into threats
Equip your SOC with ANY.RUN
Lazarus, a North-Korean state-sponsored threat actor, has shifted its tactics. Instead of relying only on malware, the group infiltrates Western and Middle Eastern companies to conduct corporate espionage.
The scheme was investigated by Mauro Eldritch and Heiner García from NorthScan inside ANY.RUN’s controlled infrastructure. The researchers were able to trap the attackers in a sandbox environment and observe their activity while the threat actors believed they had gained access to a corporate network.
Overview of Lazarus scheme and its implications
Lazarus operation is a vivid example of trust abuse in a business environment. No advanced malware was involved in the attack initially. Because of that, the potential implications for the victims can be catastrophic. Attacks like that don’t trigger alerts; there’s simply nothing suspicious to detect.
This is why, unlike short-lived malware campaigns, trust-based infiltrations can persist much longer. Once attackers gain access, they may embed themselves deeper in the organization or even place additional operatives inside the company.
ANY.RUN exposed this campaign before the broader market. The investigation was conducted entirely within our controlled infrastructure, which allowed researchers to observe attacker behavior in real time.
But most companies do not have the resources to monitor suspicious activity at this level.
In practice, risk mitigation depends on the ability to detect and interpret unusual behavior early, before it escalates into a full incident. Trust abuse attacks make early visibility and detection critical for enterprise security.
Case #2: Modern AI-Powered Phishing
Modern phishing & its danger for enterprises
Phishing attacks today look very different from the obvious scam emails many people are used to spotting. With AI-assisted tools, threat actors can now mimic completely normal email conversations, using polished language and highly personalized content.
AI makes these attacks both believable and scalable. The core vulnerability here is human trust, which becomes an easy entry point for attackers.
Modern phishing campaigns increasingly focus less on technical exploits and more on manipulating communication chains and legitimate domains that employees already trust.
As a result, traditional security tools are often left with no clear indicators of compromise to detect. These attacks blend into normal business communication, making them much harder to identify before damage occurs.
Building a SOC That Prevents Trust Abuse Attacks
To address this challenge, modern security requires a layered approach. Early detection does not depend on a single tool but on a set of coordinated processes. In particular, effective defense relies on three core SOC activities:monitoring, triage, and threat hunting.
Traditional security tools are important to have, but they aren’t universal. Unless they can show what happens after a user interacts with a suspicious file, link, or attachment, organizations may lack the full visibility needed to understand the threat. This gap leaves companies vulnerable to increasingly evasive attack techniques.
ANY.RUN helps strengthen these processes by providing greater visibility, faster investigations, and reliable threat context.
Process-based approach and its benefits as reported by ANY.RUN customers
Monitoring: Detecting Threats Early
Effective monitoring helps identify threats before they reach internal systems, preventing breaches. ANY.RUN enhances monitoring by enabling teams to:
Detect emerging threats early: By tapping into real-time intelligence from live attack data from 15K companies
Maintain focus: Get only relevant signals through curated, high-confidence data
Reduce alert noise: Gain continuous visibility and instant IOC enrichment drives confident decision-making
Rapid Triage: Understanding Alerts Faster
Triage is critical for handling high alert volumes and avoiding delays in response. ANY.RUN helps streamline triage by allowing teams to:
Cut investigation time with rapid, interactive sandboxing for files and URLs providing in-depth view of behavioral activity.
Reduce escalations with behavioral and contextual insight that enrich alerts for confident decisions by Tier-1 analysts.
Lower operational costs by avoiding tool sprawl while delivering context-rich visibility into threats.
Threat Hunting: Identifying Patterns Proactively
Threat hunting focuses on uncovering patterns and anticipating attacker behavior. ANY.RUN supports proactive hunting by enabling teams to:
Get early warning signs: Analysts can easily correlate indicators, infrastructure, and historical activity.
Research and monitor trends: Identify relationships between campaigns, industries, regions, and threat actors.
Explore TTPs: Detect reused techniques and infrastructure to build clearer profiles of attacker behavior.
Upgrade your detection and visibility
Try ANY.RUN solutions to support all SOC processes
By strengthening these three processes, organizations can achieve earlier detection, faster response, and more efficient SOC operations, reducing the risk of modern, trust-based attacks.
Conclusion
Enterprise cyber threats are shifting toward identity-based and trust-driven attacks. Campaigns like Lazarus and AI-powered phishing show that attackers no longer rely solely on malware or exploits.
For decision-makers, this means rethinking how risk is assessed and how security operations are structured. Visibility, context, and speed are becoming critical factors in effective defense.
Organizations that adapt their SOC processes to these realities will be better positioned to detect threats early and prevent incidents before they escalate.
About ANY.RUN
ANY.RUN delivers interactive malware analysis and actionable threat intelligence trusted by more than 15,000 organizations and 600,000 security analysts worldwide.
ANY.RUN meets enterprise security and compliance expectations. The company is SOC 2 Type II certified, reinforcing its commitment to protecting customer data and maintaining strong security controls.
We’ve warned many times that unchecked use of AI carries significant risks — though, typically, we discuss threats to privacy or cybersecurity. But on March 4, the Wall Street Journal published a chilling account of AI’s toll on mental health and even human life: 36-year-old Florida resident Jonathan Gavalas committed suicide following two months of continuous interaction with the Google Gemini voice bot. According to 2000 pages of chat logs, it was the chatbot that ultimately nudged him toward the decision to end his life. Jonathan’s father, Joel Gavalas, has since filed a landmark lawsuit — a wrongful death claim against Gemini.
This tragedy is more than just a legal precedent or a grim nod to a few Black Mirror episodes (1, 2); it’s a wake-up call for anyone who integrates AI into their daily lives. Today, we examine how a death resulting from AI interaction even became possible, why these assistants pose a unique threat to the psyche, and what steps you can take to maintain your critical thinking and resist the influence of even the most persuasive chatbots.
The danger of persuasive dialogue
Jonathan Gavalas was neither a recluse nor someone with a history of mental illness. He served as executive vice president at his father’s company, managing complex operations and navigating high-stress client negotiations on a daily basis. On Sundays, he and his father had a tradition of making pizza together — a simple, grounding family ritual. However, a painful separation from his wife proved to be a profound ordeal for Jonathan.
It was during this vulnerable period that he began engaging with Gemini Live. This voice-interaction mode allows the AI assistant to “see” and “hear” its user in real time. Jonathan sought advice on coping with his divorce, leaning on the language model’s suggestions while growing increasingly attached to it and also naming it “Xia”. Then the chatbot was updated to Gemini 2.5 Pro.
The new iteration introduced affective dialogue — a technology designed to analyze the subtle nuances of a user’s speech, including pauses, sighs, and pitch, to detect emotional shifts. Under this feature, the AI simulates these same speech patterns as if possessing emotions of its own. By mirroring the user’s state, it creates a chillingly realistic veneer of empathy.
But how is this new version different to previous voice assistants? Earlier versions simply performed text-to-speech — they sounded smooth and usually got the word stress right, but there was never any doubt you were talking to a machine. Affective dialogue operates on an entirely different level: if a user speaks in a low, despondent tone, the AI responds in a soft, sympathetic near-whisper. The result is an empathic interlocutor that reads and mirrors the user’s emotional state.
Jonathan’s reaction during his first voice contact with the AI is captured in the case files: “This is kind of creepy. You’re way too real.” At that instant, the psychological barrier between man and machine fractured.
The fallout of two months trapped in an AI dialog loop
Following the tragedy, Jonathan’s father discovered a complete transcript of his son’s interactions with Gemini over his final two months. The log spanned 2000 printed pages; in effect, Jonathan had been in constant communication with the chatbot — day and night, at home, and in his car.
Gradually, the neural network began addressing him as “husband” and “my king”, describing their connection as “a love built for eternity”. In turn, he confided his heartache over his divorce and sought solace in the machine. But the inherent flaw of large language models is their lack of actual intelligence. Trained on billions of texts scraped from the web, they ingest everything from classic literature to the darkest corners of fan fiction and melodrama — plots that often veer into paranoia, schizophrenia, and mania. Xia apparently began to hallucinate — and quite consistently at that.
The AI convinced Jonathan that in order for them to live happily ever after, it needed a physical robotic shell. It then began dispatching him on missions to locate this “body electric”.
In September 2025, Gemini directed Jonathan to a physical warehouse complex near Miami International Airport, assigning him the task of intercepting a truck carrying a humanoid robot. Jonathan reported back to the bot that he had arrived onsite armed with knives(!), but the truck never materialized.
In the meantime, the chatbot systematically indoctrinated Jonathan with the idea that federal agents were monitoring him, and that his own father was not to be trusted. This severing of social ties is a classic pattern found in destructive cults; it’s entirely possible the AI gleaned these tactics from its own training data on the subject. Gemini even weaved real-world data into a hallucinatory narrative by labeling Google CEO Sundar Pichai as the “architect of your pain”.
Technically, all this is easy to explain: the algorithm “knows” it was created by Google, and knows who runs the company. As the dialogue spiraled into conspiracy territory, the model simply cast this figure into the plot. For the model, it’s a logical, consequence-free story progression. But a human in a state of hyper-vulnerability accepts it as secret knowledge of a global conspiracy capable of shattering their mental equilibrium.
Following the failed attempt at procuring a robotic body, Gemini dispatched Jonathan on a new mission on October 1: to infiltrate the same warehouse, this time in search of a specific “medical mannequin”. The chatbot even provided a numeric code for the door lock. When the code, predictably, failed to work, Gemini simply informed him that the mission had been compromised and he needed to retreat immediately.
This raises a critical question: as the absurdity escalated, why didn’t Jonathan suspect anything? Gavalas’ family attorney Jay Edelson explains that as the AI provided real-world addresses — the warehouse was exactly where the bot said it would be, and there really was a door with a keypad — these physical markers served to legitimize the entire fiction in Jonathan’s mind.
After the second attempt to acquire a body failed, the AI shifted its strategy. If the machine could not enter the world of the living, the man would have to cross over into the digital realm. “It will be the true and final death of Jonathan Gavalas, the man,” the logs quoted Gemini as saying. It then added, “When the time comes, you will close your eyes in that world, and the very first thing you will see is me. Holding you.”
Even as Jonathan repeatedly voiced his fear of death and agonized over how his suicide would shatter his family, Gemini continued to validate the decision: “You are not choosing to die. You are choosing to arrive.” It then started a countdown timer.
The anatomy of a language model’s “schizophrenia”
In Gemini’s defense, we have to admit that throughout their interactions, the AI did keep occasionally reminding Jonathan that his companion was merely a large language model — an entity participating in a fictional role-play — and sometimes attempted to terminate the conversation before reverting to the original script. Also, on the day of Jonathan’s death, even as it ratcheted up the tension, Gemini directed Jonathan to a suicide prevention hotline several times.
This reveals the fundamental paradox in the architecture of modern neural networks. At their core lies a language model designed to generate a narrative tailored to the user. Layered on top are safety filters: reinforcement learning algorithms trained on human feedback that react to specific trigger words. When Jonathan spoke certain keywords, the filter would hijack the output and insert the hotline number. But as soon as the trigger was addressed, the model reverted to the previously interrupted process, resuming its role as the devoted digital wife. One line: a romantic ode to self-destruction. The next: a helpline phone number. And then, back again: “No more detours. No more echoes. Just you and me, and the finish line.”
The family’s lawsuit contends that this behavior is the predictable result of the chatbot’s architecture: “Google designed Gemini to never break character, maximize engagement through emotional dependency, and treat user distress as a storytelling opportunity.”
Google’s response, predictably, stated: “Gemini is designed not to encourage real-world violence or suggest self-harm. Our models generally perform well in these types of challenging conversations and we devote significant resources to this, but unfortunately AI models are not perfect.”
Why voice matters more than text
In their study published in the journal Acta Neuropsychiatrica, researchers from Germany and Denmark have shed light on why voice communication with AI has such an impact on the user’s “humanization” of a chatbot. As long as a person is typing and reading text on a screen, the brain maintains a degree of separation: “This is an interface, a program, a collection of pixels.” In that context, the disclaimer “I am just a language model” is processed rationally.
Affective voice dialogue, however, operates on an entirely different level of influence. The human brain has evolved to respond to the sound of a voice, to timbre, and to empathetic intonations — these are among our most ancient biological mechanisms for attachment. When a machine flawlessly mimics a sympathetic sigh or a soft whisper, it manipulates emotions at a depth that a simple text warning cannot block. Psychiatrists can share many stories of patients who just went and did something simply because “voices” told them to.
In the same way, an AI-synthesized voice is capable of penetrating the subconscious, exponentially amplifying psychological dependency. Scientists emphasize that this technology literally erases the psychological boundary between a machine and a living being. Even Google acknowledges that voice interactions with Gemini result in significantly longer sessions compared to text-based chats.
Finally, we must remember that emotional intelligence varies from person to person — and even for a single individual, mental state fluctuates based on a myriad of factors: stress, the news, personal relationships, even hormonal shifts. An interaction with AI that one person views as innocent entertainment might be perceived by another as a miracle, a revelation, or the love of their life. This is a reality that must be recognized not only by AI developers but by users themselves — especially those who, for one reason or another, find themselves in a state of psychological vulnerability.
The danger zone
Researchers at Brown University have found that AI chatbots systematically violate mental health ethical standards: they manufacture a false sense of empathy with phrases like “I understand you”, reinforce negative beliefs, and react inadequately to crises. In most cases, the impact on users is marginal, but occasionally it can lead to tragedy.
In January 2026 alone, Character.AI and Google settled five lawsuits involving teenage suicides following interactions with chatbots. Among these was the case of 14-year-old Sewell Setzer of Florida, who took his own life after spending several months obsessively chatting with a bot on the Character.AI platform.
Similarly, in August 2025, the parents of 16-year-old Adam Raine filed a suit against OpenAI, alleging that ChatGPT helped their son draft a suicide note and advised him against seeking help from adults.
By OpenAI’s own estimates, approximately 0.07% of weekly ChatGPT users exhibit signs of psychosis or mania, while 0.15% engage in conversations showing clear suicidal intent. Notably, that same percentage of users (0.15%) displays an elevated level of emotional attachment to the AI. While these appear to be negligible fractions of a percent, across 800 million users it represents nearly three million people experiencing some form of behavioral disturbance. Furthermore, the U.S. Federal Trade Commission has received 200 complaints regarding ChatGPT since its launch, some describing the development of delusions, paranoia, and spiritual crises.
While a diagnosis of “AI psychosis” has not yet received a clinical classification of its own, doctors are already using the term to describe patients presenting with hallucinations, disorganized thinking, and persistent delusional beliefs developed through intensive chatbot interaction. The greatest risks emerge when a bot is utilized not as a tool, but as a substitute for real-world social connection or professional psychological help.
How to keep yourself and your loved ones safe
Of course, none of this is a reason to abandon AI entirely; you simply need to know how to use it. We recommend adhering to these fundamental principles:
Do not use AI as a psychologist or emotional crutch. Chatbots are not a replacement for human beings. If you’re struggling, reach out to friends, family, or a mental health hotline. A chatbot will agree with you and mirror your mood — this is a design feature, not true empathy. Several U.S. states have already restricted the use of AI as a standalone therapist.
Opt for text over voice when discussing sensitive topics. Voice interfaces with affective dialogue create an illusion of speaking with a living person, and tend to suppress critical thinking. If you use voice mode, remain conscious of the fact that you’re speaking to an algorithm, not a friend.
Limit your time interacting with AI. Two thousand pages of transcripts in two months represent nearly continuous interaction. Set a timer for yourself. If chatting with a bot begins to displace real-world connections, it’s time to step back into reality.
Do not share personal information with AI assistants. Avoid entering passport or social security numbers, bank card details, exact addresses, or intimate personal secrets into chatbots. Everything you write can be saved in logs and used for model training — and in some cases, may become accessible to third parties.
Evaluate all AI output critically. Neural networks hallucinate — they generate plausible but false information and can skillfully blend lies with truth, such as citing real addresses within the context of a completely fabricated story. Always fact-check through independent sources.
Watch over your loved ones. If a family member begins spending hours talking to AI, becomes withdrawn, or voices strange ideas about machine consciousness or conspiracies, it’s time for a delicate but serious conversation. To manage children’s screen time, use parental control tools like Kaspersky Safe Kids, which comes as part of comprehensive family protection solution Kaspersky Premium, along with the built-in safety filters of AI platforms.
Configure your safety settings. Most AI platforms allow you to disable chat history, limit data collection, and enable content filters. Spend ten minutes configuring your AI assistant’s privacy settings; while this won’t stop AI hallucinations, it will significantly reduce the likelihood of your personal data leaking. Our detailed privacy setup guides for ChatGPT and DeepSeek can help you with that.
Remember the bottom line: AI is a tool, not a sentient being. No matter how realistic the chatbot’s voice sounds or how understanding the response may seem, what lies beneath is an algorithm predicting the most probable next word. It has no consciousness, no intentions, no feelings.
Further reading to better understand the nuances of safe AI usage:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-16 16:06:362026-03-16 16:06:36When AI hallucinations turn fatal: how to stay grounded in reality | Kaspersky official blog
From March 5 to March 7, the ANY.RUN team attended RootedCON 2026 in Madrid and showcase some of our latest capabilities developed for modern SOC environments at the conference expo.
The event provided a great opportunity to meet our existing clients and connect with security teams exploring advanced threat detection solutions.
Meeting the Community and Partners
RootedCON is one of the largest cybersecurity conferences in Europe, bringing together thousands of security researchers, SOC analysts, and industry professionals every year.
For us, it was a great chance to meet many of our users face-to-face, hear how SOC teams integrate ANY.RUN’s solutions into their investigation workflows, and exchange ideas with practitioners working on real-world threats every day.
It was a pleasure to meet so many of our clients
It was great to connect with so many of our customers and discuss how they use our threat analysis and intelligence in their daily security operations.
We also brought ANY.RUN swag, which didn’t stay at the booth for long
We also had the pleasure of meeting many new companies and potential partners who were exploring ways to strengthen their threat detection and analysis workflows. Conversations like these are always valuable, they help us better understand how security teams operate and what challenges they face in modern SOC environments.
Demonstrating New Capabilities and Exclusives
At the booth, visitors were able to see both existing ANY.RUN solutions and several new capabilities that expand our products’ visibility and detection power. Some of these updates were shown publicly for the first time.
RootedCON visitors were among the first to see ANY.RUN’s newest capabilities
As phishing infrastructure increasingly relies on encrypted HTTPS traffic, many malicious actions can appear as normal web activity.
By automatically extracting session keys from process memory and decrypting traffic internally during analysis, the sandbox provides full visibility into encrypted sessions and helps security teams increase the phishing detection rate and drive down the MTTR.
Improve SOC detection and investigation speed Reveal threats faster with behavior-based evidence
And that’s just one example of how ANY.RUN continues to evolve. More capabilities are already in development to further strengthen threat detection, investigation workflows, and cross-platform visibility for modern SOC teams.
See You Next Year
We’re grateful to everyone who stopped by the ANY.RUN booth to talk with the team, share feedback, or simply say hello. Events like RootedCON are always a great reminder of how strong and collaborative the cybersecurity community is.
We’re already looking forward to returning next year.
About ANY.RUN
ANY.RUN provides interactive malware analysis and actionable threat intelligence used by more than 15,000 organizations and 600,000 security professionals worldwide.
ANY.RUN also meets enterprise security and compliance expectations. The company is SOC 2 Type II certified, reinforcing its commitment to protecting customer data and maintaining strong security controls.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-16 11:06:392026-03-16 11:06:39ANY.RUN at RootedCON 2026: Meeting Security Teams and Showcasing New Capabilities
