SMB cyber-readiness: What makes or breaks it
A company that’s expecting a cyberattack but hasn’t actively prepared for it risks making the hardest decisions at the worst possible moment
WeLiveSecurity – Read More
Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss
Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker behavior and writing detections against technique descriptions that were never meant to be operationalized directly.
The challenge is not that analysts lack skill. Most hunting teams are sharp, methodical, and deeply familiar with attacker playbooks. The real friction is structural: the intelligence feeding hunts is often stale, decontextualized, or missing the behavioral granularity needed to write anything more than a broad, noisy detection.
The core tension
Threat hunting is a high-skill, time-intensive activity that justifies itself by finding what automated systems miss. But when the intelligence inputs are low-fidelity, even the most skilled hunters spend the majority of their time generating work rather than reducing risk.
MITRE ATT&CK tells you a technique exists. It does not tell you how it behaves in a real attack chain against a real target. That gap between abstract TTP and concrete execution behavior is where many hunts quietly die. IOCs arrive stripped of context: you block an IP, a rotated domain from the same campaign lands in your environment three days later, and sails straight through.
And then there is the false-positive problem. Not a technical inconvenience but a morale and process killer. Every alert that turns out to be Outlook talking to a Microsoft licensing server erodes confidence in the detection pipeline. Over-tuned rules miss real threats; under-tuned rules train analysts to discount the queue.
In this article, we’ll explore how threat intelligence supports core hunting workflows and how ANY.RUN’s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence.
Key Takeaways
- Threat hunting fails structurally, not skillfully. The bottleneck is intelligence quality.
- Behavioral context beats indicators. A single IOC blocked solves nothing if the campaign behind it isn’t understood. Pivoting from one artifact — a mutex, a file path, a Suricata tag — into a full attack chain is what separates hunting from blocklisting.
- Hypothesis validation requires real attack data. ATT&CK describes techniques in the abstract. Effective hunting needs to know how a technique behaves in live, active campaigns — which tools operationalize it, what infrastructure it touches, what artifacts it leaves.
- False positives are a strategy problem, not just a noise problem. Every low-fidelity alert that consumes analyst attention is a detection that wasn’t built right. Validating rules against real samples before deployment is the difference between a detection pipeline and a distraction pipeline.
- Intelligence layers serve different operational needs. TI Lookup drives active investigations; TI Feeds keep automated defenses current; TI Reports bridge the gap between raw campaign data and detection engineering or executive briefings.
- AI-assisted triage is a force multiplier, not a replacement. Tier 1 reports, AI summaries, and sandbox recommendations don’t replace analyst judgment — they eliminate the translation work between analysis output and operational action, freeing analysts for work that actually requires them.
- Hunting ROI is measurable — if you instrument it correctly. Earlier detection, defense calibrated to active threats, and analyst time redirected to genuine risk: each is quantifiable. Programs that cannot demonstrate these outcomes don’t lack value — they lack the intelligence infrastructure to produce it consistently.
1. Hypothesis Validation: Device Code Phishing
Scenario: A hunter develops a hypothesis: adversaries may be abusing Microsoft’s Device Code authentication flow to compromise organizational accounts without triggering MFA. The technique is real, but the team needs evidence it is active now and a way to identify the behavioral signatures that distinguish attacks from legitimate device authorization.
The struggle: Generic queries against authentication logs produce enormous volume. Without knowing what a malicious device code flow actually looks like in practice — which referrer domains initiate the redirect, which PhaaS kits are operationalizing the technique, what the email delivery chain looks like — the team is essentially querying blind.
The solution: TI Lookup allows the hunter to query the Microsoft device auth endpoint directly and immediately retrieve sandboxed sessions where the technique is observed in the wild.
url:”https://login.microsoftonline.com/common/oauth2/deviceauth?code=*”
Sessions are tagged automatically: Phishing, oauth-ms-phish, and kit-specific tags like Kali365 (a PhaaS platform specializing in Device Code Phishing).
We can view any of the analyses sessions, for example: https://app.any.run/tasks/fc973b26-7cc8-4253-a313-1b77ff27f04c/
The hunter can inspect the full referrer chain:
In live cases, the redirect to Microsoft’s legitimate device auth endpoint originates from external domains, including those with unusual TLDs.
Subsequent queries can filter by TLD against the device code URL, giving the team a concrete list of suspicious referring domains to feed into SIEM monitoring or block lists.
url:”https://login.microsoftonline.com/common/oauth2/deviceauth” and domainName:”.de$”
For more targeted investigation, the hunter can also query by threat name and file path to retrieve the actual phishing emails (.eml files) used to deliver the initial lure, exposing sender patterns, subject line templates, and infrastructure metadata.
Impact:
- Hypothesis validated against real, live attack data rather than technique abstractions.
- Concrete IOCs and behavioral signatures ready for SIEM query development.
- Email metadata exposed for deeper organizational log correlation.
2. Behavioral Pivots: Tracking a Stealer Family via Mutex
Scenario: A suspicious executable is submitted for analysis and identified as a stealer. The analyst notices a mutex with a hardcoded prefix — GlobalEVOLUTION — followed by a randomized suffix. The question is whether this prefix is unique to this malware family and, if so, how widely deployed it is.
The struggle: A mutex with a random suffix has no stable IOC value. Standard threat feeds will not carry it. Searching for the full string is guaranteed to miss variants. The behavioral pattern is clearly significant but there is no obvious path from a single sample to campaign-level coverage.
The solution: A wildcard query in TI Lookup (syncObjectName:”Global\EVOLUTION*”) immediately surfaces a number of additional samples sharing the same hardcoded prefix with different randomized tails, confirming the pattern is not incidental but a structural artifact of this malware family.
Cross-referencing the mutex results against file path artifacts reveals that affected systems consistently produce a dump archive at C:UsersadminAppDataLocalTempevo_[random]stolen.zip — a second independent behavioral indicator that definitely looks like a stealer.
Running OR and AND lookup combinations of both indicators allows the hunter to tune coverage: OR for maximum reach, AND for high-confidence, low-noise detections:
- filePath:”C:UsersadminAppDataLocalTempevo_stolen.zip” OR syncObjectName:”GlobalEVOLUTION”
- filePath:”C:\Users\admin\AppData\Local\Temp\evo_*\stolen.zip” AND syncObjectName:”Global\EVOLUTION*”
Starting from a single mutex observation, the hunter has now built a multi-indicator behavioral profile of an entire malware family.
Impact:
- Single behavioral artifact expands into full campaign coverage.
- Multi-indicator detection logic developed and validated before touching production systems.
- No reliance on stable IOCs — detection survives malware updates.
3. Enrichment: Suspicious Domain in an Inbound Email
Scenario: An email from an unknown sender arrives containing a link to an unfamiliar domain. Standard policy would flag this for review. The analyst needs to determine quickly whether the domain is genuinely malicious or simply unknown, and if malicious, what the full attack chain looks like.
The struggle: WHOIS data shows the domain is recently registered. Passive DNS shows limited history. Reputation feeds return no verdict. The analyst has a suspicious domain but no behavioral context — no sense of what the domain delivers, what it steals, or what infrastructure it connects to.
The solution: The domain search in TI Lookup returns sandbox sessions where the domain has been analyzed.
domainName:”miracleplayssystems.com”
The hunter opens one and immediately sees a Microsoft 365 login page clone hosted on the suspicious domain, automatically tagged by ANY.RUN.
Suricata network threat detections reveal the specific phishing kit — FlowerStorm.
The rule details expose the exfiltration endpoint:
HTTP tab features a separate domain to which stolen credentials are posted:
The HTTP traffic view makes the data flow explicit: M365 credentials submitted to the fake login page are forwarded to infrastructure the attacker controls, not to any Microsoft domain.
This gives the analyst not just a verdict but a full attack chain — delivery domain, phishing kit identity, exfiltration endpoint — all from a single lookup.
Impact:
- Unknown domain enriched with full attack chain in minutes.
- Exfiltration infrastructure identified and added to block lists proactively.
- Phishing kit attribution enables broader campaign hunting.
4. Expansion: LOLBin Abuse and Campaign Attribution
Scenario: An alert fires: MSBuild.exe — a standard Microsoft .NET build component — is establishing a network connection to an unknown IP on a non-standard port. This is a textbook living-off-the-land technique, but the specific context (which campaign, which malware family, how widespread) is unknown.
The struggle: MSBuild.exe connecting outbound is not inherently malicious; it is used legitimately in CI/CD pipelines. The challenge is distinguishing targeted abuse from normal build activity and understanding whether the destination IP is part of a broader campaign or an isolated incident.
The solution: Combining the destination IP with the MSBuild.exe command-line pattern in a TI Lookup query surfaces sessions where the same combination has been observed.
destinationIP:”212.34.141.103″ and commandLine:”C:\Windows\Microsoft.NET\Framework64\v*\MSBuild.exe”
Opening a representative session shows MSBuild.exe establishing a C2 connection and exfiltrating host reconnaissance data — CPU, OS version, running processes:
The Processes tab in the sandbox shows what user data gets exfiltrated:
A vendor-specific detection tag (rmrlx) links this activity to a named malware family:
Pivoting on that tag reveals associated infrastructure across multiple IP addresses and exposes the threat actor group responsible — Colombian Smugglers — which uses SVG smuggling as a delivery mechanism and has evolved from targeting Colombian organizations to targeting US and European companies. The hunter can now see the full threat actor profile: initial delivery technique (SVG smuggling), malware families used (vjw0rm, quasar, remcos, xworm, rmrlx), geographic targeting, and infrastructure overlap with adjacent groups like BlindEagle.
threatName:”colombian-smugglers”
Use this TI Lookup request to find sandbox analyses exposing SVG smuggling technique:
threatName:”colombian-smugglers” and filePath:”.svg$”
Impact:
- Single alert pivots into full threat actor profile and campaign map.
- Infrastructure correlation surfaces additional C2 endpoints for blocking.
- Geographic and targeting intelligence enables prioritized defensive response.
5. False Positive Validation: Hunting Rule Noise Reduction
Scenario: ANY.RUN’s hunting rules include a signature that fires when a Windows PC hostname is observed being transmitted in network traffic — a behavior common to stealers and RATs that use hostname as a victim identifier.
suricataMessage:”HUNTING [ANY.RUN] Windows PC hostname observed”
The rule catches real threats, but the analyst needs to verify that every hit is genuinely malicious before adding it to production detection.
The struggle: Hunting rules cast wide nets by design. A rule targeting hostname exfiltration will fire on legitimate software that also transmits device identifiers. Without behavioral context, distinguishing malicious exfiltration from legitimate telemetry requires manual investigation of every hit.
The solution: Let’s view one of the found sandbox analyses: https://app.any.run/tasks/56e01444-87a2-4cf4-874a-41e56ce60221/
The analyst sees the Suricata alert firing on Outlook.exe, but the destination is licensing.m365.svc.cloud.microsoft, a legitimate Microsoft licensing endpoint.
The HTTP details confirm the behavior: Outlook is sending device and license metadata as part of a standard Office perpetual license renewal (renewperpetuallicense), and the server responds with a 200 OK confirming the HomeBusiness2021Retail license status. This is unambiguously legitimate. The analyst documents this as a known false-positive pattern and adds an exclusion for Microsoft licensing endpoints — keeping the rule sharp without discarding it.
Impact:
- False positive identified and documented before reaching production.
- Detection logic refined without reducing coverage of genuine threats.
- Analyst time focused on confirmed malicious activity.
6. Detection Engineering: YARA Rule Development and Validation
Scenario: During stealer sample collection, an analyst encounters a .NET executable that drops a zip archive named with a consistent pattern: Unix-[HOSTNAME]-[ID].zip. The behavioral artifact is interesting but the analyst wants to build a durable, validated detection rule, not just add a file path indicator that will break when the malware author changes the naming convention.
The struggle: Writing YARA rules against behavioral artifacts requires understanding what strings are genuinely hardcoded into the binary versus what is generated at runtime. Testing rules against a small sample set risks both false positives from broad string matches and false negatives from a sample set too small to represent the full malware family.
The solution: Static analysis of the .NET binary in Detect It Easy reveals human-readable strings embedded in the assembly — a common characteristic of .NET malware.
Filtering for strings containing “Unix” surfaces several hardcoded identifiers specific for this malware:
- Unix Stealer Log
- UnixStealer
- UnixStealerIV!@#
- UnixStealer2024Key!
A YARA rule built around these strings uses wide matching for Unicode-encoded strings and fullword to minimize false positives.
rule UnixStealer {
meta:
description = "Detects UnixStealer malware"
date = "2025-12-18"
author = "ANY.RUN:A.Adhikara"
strings:
$x1 = "Unix Stealer Log" fullword wide
$x2 = "UnixStealer" fullword
$x3 = "UnixStealerIV!@#" fullword wide
$x4 = "UnixStealer2024Key" fullword wide
condition:
uint16(0) == 0x5A4D and any of ($x*)
}Running the rule through TI Lookup’s YARA Search validates it against millions of real malware samples — returning 17 matching samples with no unrelated hits.
Noticing that the year is hardcoded in one string, the analyst refines it to a regex pattern (/UnixStealer20d{2}Key/ wide) to ensure the rule covers future builds where the author updates the year.
Re-validation against the corpus confirms the refined rule catches the same 17 samples and introduces no new noise.
Impact:
- YARA rule validated against millions of real samples before deployment.
- Rule designed to survive malware version updates through regex generalization.
- Detection shipped with high confidence — no post-deployment tuning required.
How Threat Intelligence Feeds Support Threat Hunting
WhileTI Lookup excels at interactive investigations, Threat Intelligence Feeds help operationalize hunting at scale.
Threat Intelligence Feeds can be integrated directly into SIEM, EDR, XDR, SOAR, firewalls, and other security platforms, providing continuously updated indicators and threat context.
For threat hunters, this supports several key workflows:
- Prioritizing investigations involving known malicious infrastructure.
- Correlating internal telemetry with active attacker infrastructure.
- Identifying emerging campaigns before internal detections trigger.
- Automating enrichment during hunts.
- Reducing manual IOC collection and maintenance.
By continuously injecting fresh intelligence into security tooling, feeds allow hunting teams to focus on analysis rather than data gathering.
Accelerating Hunts with Sandbox Intelligence
ANY.RUN’s Interactive Sandbox provides additional capabilities that reduce investigation time and improve analyst productivity.
Tier 1 Reports
Tier 1 Reports automatically summarize malware behavior in analyst-friendly language, making it easier for junior and mid-level analysts to understand threats without spending significant time reviewing every artifact manually.
This helps SOC teams rapidly assess suspicious files and decide whether deeper hunting activities are necessary.
AI Summary
AI Summary condenses complex malware executions into concise narratives, highlighting the most important findings, suspicious behaviors, and attack stages. Hunters can quickly understand what happened during execution before diving into technical details.
AI Recommendations
AI Recommendations suggest potential next steps for investigation, including relevant artifacts, indicators, and behaviors worth examining further. This helps analysts identify additional hunting opportunities and reduces the likelihood of missing important evidence.
Why Threat Hunting Matters to the Business
Threat hunting is often discussed as a purely technical discipline, but its ultimate purpose is business protection. Organizations invest in hunting because reactive security alone is no longer sufficient. Modern attackers frequently evade automated detections, abuse legitimate tools, and remain hidden for extended periods.
However, threat hunting itself introduces operational challenges:
- Significant analyst time requirements.
- Skill shortages.
- Investigation fatigue.
- High volumes of telemetry.
- Difficulty prioritizing hunting activities.
- Challenges demonstrating measurable business value.
Without proper intelligence support, threat hunting can become expensive and inefficient. Threat intelligence helps address these challenges by reducing investigation time, improving prioritization, increasing analyst productivity, and enabling teams to focus on the threats that matter most to the business.
The result is faster threat discovery, reduced dwell time, lower incident response costs, and improved resilience against advanced attacks.
For MSSPs, intelligence-driven hunting also enables more scalable operations, allowing analysts to investigate more environments without proportionally increasing staffing requirements.
Conclusion
Threat hunting is no longer about manually searching through massive volumes of logs and hoping to uncover something suspicious.
Successful hunting depends on context.
Threat intelligence provides that context by connecting indicators, behaviors, infrastructure, malware families, campaigns, and threat actors into a coherent picture. It transforms hunting from a reactive research exercise into a focused, intelligence-driven process.
With Threat Intelligence Lookup, Threat Intelligence Feeds, Threat Intelligence Reports, YARA Search, and AI-assisted analysis capabilities, SOC teams can validate hypotheses, enrich investigations, expand discoveries, improve detections, and reduce time spent on manual research.
The result is a threat hunting program that is faster, more scalable, and more closely aligned with both security and business objectives.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions.
With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure.
ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale.
ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.
Scale your SOC with faster threat validation →
FAQ
What is threat hunting in a SOC?
Threat hunting is a proactive security practice where analysts search for hidden threats, attacker activity, or signs of compromise that may not trigger traditional security alerts.
How is threat hunting different from incident response?
Incident response starts after a security event is detected. Threat hunting begins before an alert exists and focuses on discovering threats that may otherwise remain unnoticed.
Why is threat intelligence important for threat hunting?
Threat intelligence provides context about attackers, malware, infrastructure, and campaigns, helping analysts prioritize investigations and validate findings faster.
What hunting workflows benefit most from threat intelligence?
Hypothesis validation, behavioral hunting, threat enrichment, investigation expansion, false-positive analysis, and detection engineering all benefit significantly from threat intelligence.
How do threat intelligence feeds support hunters?
Threat intelligence feeds continuously provide fresh indicators and context that can be integrated into SIEM, EDR, SOAR, XDR, and other security platforms for automated enrichment and prioritization.
Can threat intelligence help reduce false positives?
Yes. Intelligence provides historical and behavioral context that helps analysts quickly determine whether suspicious activity is malicious or legitimate.
How do AI-powered investigation features help threat hunters?
AI summaries, recommendations, and analyst reports help hunters understand threats faster, identify relevant artifacts, and reduce time spent on manual investigation.
The post Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
The guide on blocking ChatGPT, Gemini, Claude, and other AI tools at work | Kaspersky official blog
Unchecked AI in the workplace quickly becomes a massive loophole for data leaks and security breaches. All too often, employees drop sensitive company data into public chatbots, or install rogue AI assistants on their own — in the process handing over way too much access. In a previous post, we broke down the different types of risky AI systems, and later shared some tips on how to turn off the built-in AI features on major tech platforms. Today let’s take a look at practical ways to block or restrict the unauthorized “helpers” employees might be using — from ChatGPT and Grammarly, to meeting bots like Fireflies and Read AI.
How to detect and restrict ChatGPT
ChatGPT is the biggest culprit when it comes to unauthorized AI use worldwide. A quick word of warning, though: an outright ban only sends users hunting for sketchy third-party sites or messaging app chatbots that hook into the same service. That’s why it’s always a good idea to offer an approved alternative before pulling the plug.
Detecting it: keep an eye on the NGFW or web filter for traffic heading to chat.openai.com, chatgpt.com, oaistatic.com, oaiusercontent.com, or cdn.oaistatic.com. It’s also smart to use EDR/EPP tools to scan browser histories, installed apps, and browser extensions across corporate devices.
Locking it down: use the firewall or web filter to block the entire AI Services category, and set up DNS to reroute traffic away from those OpenAI domains. Browser policies can also be used to ban ChatGPT-powered extensions. Better yet, block all extensions not on a pre-approved allowlist. Finally, use application controls and EPP solutions to stop users from installing the official desktop app (ChatGPT.exe or com.openai.chat).
How to detect and restrict Claude and Claude Code
Detecting it: use the NGFW or web filter to track traffic going to claude.ai, anthropic.com, *.anthropic.com, and api.anthropic.com. EDR/EPP or application control tools can also be used to scan employee computers for the desktop app (claude.exe).
Locking it down: drop a blanket block on the AI Services category through the NGFW or web filter, and tweak DNS settings to reroute traffic away from the aforementioned Anthropic domains. Next, use browser policies to shut down Claude-powered extensions. Finally, use application controls and the EPP platform to prevent users from installing the desktop app.
How to detect and restrict Perplexity AI
Detecting it: keep tabs on the NGFW or web filter to flag any traffic heading to *.perplexity.ai or pplx.ai.
Locking it down: just like the others, add the AI Services category to the NGFW or web filter blocklist, and use DNS routing to redirect traffic away from those domains.
Configure the browser to block third-party extensions from being installed. If Firefox is used in the organization, be aware that recent versions come with Perplexity built in. Luckily, these AI features can be turned-off company-wide using enterprise policies — specifically, by setting SidebarChatbot = blocked. The full list of tweaks can be found in the Firefox documentation.
How to detect and restrict DeepSeek
Detecting it: keep an eye on the NGFW or web filter for traffic hitting deepseek.com, chat.deepseek.com, api.deepseek.com, or platform.deepseek.com. For better precision, analyze the SNI (server name identification) in TLS connection requests. For mobile devices, look out for the official app (com.deepseek.chat).
Locking it down: blocklist the AI Services category on the NGFW or web filter, and reroute traffic to DeepSeek’s domains via DNS settings. Use browser policies to block third-party extensions, and lean on MDM/EMM tools to restrict the mobile app.
How to detect and restrict Mistral, xAI Grok, and Character.ai
The playbook for these tools is exactly the same as DeepSeek, so here’s the quick list of domains to watch for and block: chat.mistral.ai, mistral.ai, console.mistral.ai, grok.com, x.ai, api.x.ai, character.ai, beta.character.ai, and c.ai.
A quick word of warning on Grok: because Grok is baked into X, blocking this specific AI access point means blocking the entire social media platform.
How to detect and restrict Slack AI
Detecting it: in the Slack workspace admin dashboard, look under Analytics → Slack AI usage. If an enterprise plan is used, the detailed Slack logs can be searched for any events starting with the ai_ prefix.
Blocking it with policies: in the organization’s Slack settings, click through the Workspace settings → Roles & permissions → Feature access, and change the permission to “no one”. Slack has a step-by-step guide in their help center.
Locking it down: shutting this down at the network level is tricky; it can be pulled off with a finely tuned CASB solution in place. Also, don’t forget the importance of blocking rogue integrations and keeping external AI services from tapping into Slack data in the first place. We covered how to lock this down using OAuth controls in a previous post.
How to detect and restrict Zoom AI Companion
Detecting it: if a corporate Zoom subscription is in use, just head to Admin Center → Reports → AI Companion usage. Detecting Zoom’s AI when employees join external meetings or use free accounts is a lot tougher, but email filters can be set up to flag incoming AI-generated meeting notes by scanning for subject lines or text containing “Meeting summary” or “Meeting assets”.
Blocking it with policies: for the company’s own Zoom subscription, go to the Admin Portal → Account Management → Account Settings → Meeting → AI Companion and toggle it OFF for everyone.
Locking it down: unfortunately, AI Companion is baked into Zoom’s DNA, so the only real option is blocking Zoom altogether.
How to detect and restrict Grammarly
What looks like an innocent spellchecker is actually one of the biggest culprits for workplace data leaks.
Detecting it: check the NGFW or web filter logs for traffic hitting grammarly.com, *.grammarly.com, and gnar.grammarly.com. EDR and MDM/EMM tools can also be used to hunt down the standalone desktop apps (Grammarly Desktop.exe and the macOS version), as well as the Grammarly browser extension.
Locking it down: use firewalls to block those domains at the network level, and EPP to stop employees from installing the desktop app, browser extensions, or the Grammarly add-ins for Microsoft Word and Excel.
How to detect and restrict meeting assistants: Fireflies, Read.ai, Tactiq, Fathom, and Granola
This massive category of third-party SaaS tools records and analyzes meetings — creating a massive risk for data leaks. The trickiest part? Outside clients or vendors can bring these bots into a meeting just as easily as employees can.
Detecting them: run an audit on calendar invites, and look for bot participants using email domains like @fireflies.ai, @read.ai, @tactiq.io, @fathom.video, or @granola.ai. Zoom, Teams, or Google Meet logs can also be used to review external participants who joined past calls.
Locking them down: since it’s impossible to control what outsiders do, blocking these bots comes down to tightening meeting rules. The best moves are: blocking users from granting OAuth permissions for bots to join calls, restricting employees from inviting unapproved external participants, or locking down meeting recording access for external users. That last option is usually the least painful way to keep bots out without disrupting business.
How to detect and restrict AI code editors: Cursor, Windsurf, and the like
Detecting them: use EDR/EPP tools to scan for executables like cursor.exe or windsurf.exe. It’s also worth monitoring network traffic heading to cursor.com and windsurf.com, as well as traffic hitting various AI model API providers. Keep in mind that there’s a pretty extensive list of API hosts to monitor here, since these editors aren’t tied to just one specific AI vendor.
Blocking them with policies: these apps can be prevented from being installed by setting up filters based on the developer’s digital signature certificate. Alternatively, a strict application allowlist can be employed where only pre-approved software is allowed to run.
Locking them down: rely on the EPP/EDR platform to actively detect and block these applications from running.
How to detect and restrict local AI tools: Ollama, LM Studio, and GPT4All
On one hand, this category carries fewer data leak risks because the AI models run completely locally on the user’s machine. On the other hand, it opens up a whole new can of worms: these apps themselves aren’t always highly secure, and can become targets for cyberattacks. Plus, it still means that employees can misuse models or process data in unauthorized ways.
Detecting them: EDR/EPP tools are the best line of defense here. They should be used to flag known local AI files and processes like ollama.exe, ollama serve, lmstudio.exe, LM Studio.app, jan.exe, or gpt4all.exe. From a network perspective, it’s worth scanning for open ports on local devices — typically port 1234 for Ollama and LM Studio, or port 8080 for WebUIs (using an additional fingerprint check of the server response). Another massive red flag is the presence of large files (often several gigabytes) containing language model weights. Look out for extensions like .gguf, .bin, or sometimes .safetensors.
Locking them down: use EPP/EDR platforms or windows AppLocker to block these applications by name, or switch to an application allowlist.
How to detect and restrict autonomous agents: OpenClaw, NemoClaw, and NanoClaw
This is easily one of the most dangerous categories of AI tools out there. These agents mix high-level independence with access to untrusted data, making them a massive security headache.
Detecting them: use EPP/EDR tools to sniff out active processes like openclaw, nanoclaw, nemoclaw, or clawdbot. Also keep an eye out for devices running Node.js that suddenly start launching Bash or Python scripts. Another dead giveaway is the appearance of system folders like ~/openclaw, ~/nanoclaw, ~/.claw*, or ~/clawhub. At the network level, monitor connections to the AI model APIs we mentioned earlier, as well as traffic hitting servers like openclaw.ai, nanoclaw.dev, or clawhub.*.
Locking them down: the safest bet is to use strict application allowlisting (only allowing approved software to run), or to specifically ban the known agent apps listed above. On top of that, consider blocking non-developers from installing Node.js and Docker, neither of which they need on their computers anyway.
Kaspersky official blog – Read More
Cybercriminals: the ‘auditors’ you never hired
Every organisation gets audited. The question is who does the auditing.
WeLiveSecurity – Read More
Argamal RAT: attackers distributing a remote access Trojan through hentai games | Kaspersky official blog
In April 2026, we discovered a new campaign targeting users of hentai games. Attackers are embedding a remote access Trojan named Argamal into game installers. While concealing its presence, it can remotely control the computer and steal files and personal data.
Here’s how to avoid falling victim to this new Trojan — and how to safely and anonymously enjoy spicy content with (or without) anime girls.
How computers get infected with Argamal
Most of the infected games are distributed through adult game and torrent sites. In some cases, they are posted for download on file-sharing services and linked on gaming websites.
Example of a trojanized game hosted on the AniRena torrent tracker
Interestingly, instead of finding a dummy file inside the archive — as is often the case — the user gets the actual game built on popular engines like RenPy or RPG Maker. Infected pirated versions usually turn out to be scams: games fail to launch, folders are full of files with bizarre extensions, making it rather easy to put two and two together. Here, however, the user gets the actual gameplay they expected. Meanwhile, the Trojan lets itself in and keeps a completely low profile.
Example of a trojanized game hosted on the AniRena torrent tracker
Tucked right alongside the legitimate files in the archive is a DLL that the game relies on to run, but it’s been rigged: as soon as the user launches the game, the infected DLL automatically loads into memory. There are no outward signs of infection: neither an installer popping up in the background, nor a scary window or prompt asking you to disable your antivirus.
Argamal takes things real slow: instead of immediately rushing to steal files and passwords or throwing a digital rager on your computer, the Trojan first checks whether it’s running in a virtual machine or sandbox, and then goes into standby mode.
During this time, the malware writes hidden parameters to the system, conceals the paths to its DLLs, and delays its own execution. Three days later, the computer connects to GitHub, downloads an encrypted file, decrypts it, and turns it into a working Trojan module.
To ensure persistence, the attackers register the malware under the WindowsColorSystem Calibration Loader system task, a built-in Windows feature that triggers at every user logon to load monitor color profiles. Before shutting down, the malware deletes temporary files and covers its tracks to make it even harder to detect.
What makes Argamal dangerous?
Argamal is a remote access Trojan (RAT), which means attackers can use it to remotely control the victim’s computer. Here’s just a short list of what it may entail:
- Executing arbitrary commands on the computer
- Downloading and running files
- Checking if an antivirus is installed on the PC (by the way, our security solution detects and neutralizes Argamal before it can harm you)
- Searching for and exfiltrating sensitive data from files and system settings
- Taking screenshots and streaming video from the device
- Sending data to the attackers’ server
- Monitoring user activity
- Shutting down or restarting the device
Essentially, the infected computer turns into a remotely controlled machine. The owner may keep calmly going about their day, completely unaware that their device has been compromised. Yet the consequences of such an infection can be devastating.
For example, a single password stolen from a text note can lead to multiple compromised accounts at once if the victim reuses the same credentials across different sites. That’s why we recommend storing strong and unique passwords in an encrypted vault of a password manager rather than in plain text files.
Beyond hijacking accounts, the Trojan lets attackers literally spy on the user — reading their chats, digging into secret files, studying their sexual preferences… The cybercriminals can then use this highly sensitive information for subsequent attacks, blackmail, and extortion. We’ve covered what to do if you find yourself being targeted by extortionists in a previous post.
Another common scenario involves quietly stealing or substituting financial data — for instance, intercepting credentials from banking apps or replacing crypto-wallet addresses in the clipboard, which sends all your money straight to the attackers’ accounts.
In short, there’s a whole laundry list of ways attackers can exploit a victim’s device and data.
Argamal, yamete kudasai! How to protect yourself from similar threats
If you’ve decided to become the proud owner of “Waifu Simulator Ultra Definitive Edition”, stay on your guard:
- Use security software that runs in real time and catches sophisticated malware. Despite the attackers’ best efforts to make the Trojan invisible, Kaspersky Premium instantly detects and removes Argamal from users’ devices.
- Avoid downloading adult apps, installation files, and spicy content from untrusted sources. Clicking a “free XXX game, no signup needed” is a surefire way to invite malware onto your device. That said, even official platforms like Google Play and the App Store unfortunately let infected apps slip through the cracks at times. To stop worrying about accidentally downloading a Trojan or an infostealer, use Kaspersky Premium on all your devices.
- Don’t share more data than you absolutely have to. If an adult game or website insists you sign up, enter personal data, or link third-party accounts instead of just checking your birth date, that’s a huge red flag. Sites rarely collect sensitive data for no reason. In the best-case scenario, it ends up with marketers and ad trackers. In the worst-case, it falls into the hands of bad actors who will use it for blackmail, phishing, or breaking into your other accounts.
- Don’t click ad banners on adult websites. Even the most popular platforms like Pornhub occasionally host ads laced with malware. If you find it hard to hold back, use a security solution that will block malware downloads and prevent redirects to suspicious sites.
Kaspersky official blog – Read More
Protecting 50,000 Users: How ANY.RUN Drives Incident Prevention at UMass Boston
Securing a university means defending a highly open environment, where thousands of users, devices, and external connections create constant exposure to risk. We had a unique opportunity to get an inside look at how these operations are run at a powerhouse R1 institution, the University of Massachusetts Boston.
We sat down with Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, to discuss how ANY.RUN’s solutions help their team scale triage, prevent incidents, and achieve consistent security risk reduction.
Lean Team, Broad Responsibility
UMass Boston operates as a premier R1 research university with a digital footprint encompassing a population of over 50,000 students, faculty, and staff.
The core security operations team tasked with defending this environment is remarkably compact, consisting of only three specialists and the SISO. Because of this lean staffing model, the team utilizes a cross-pollination strategy where each member manages various roles, including endpoint security, threat hunting, and threat management.
This small group of professionals carries the primary responsibility for the entire institution’s digital safety.
The Challenge of Balancing Threat Response and Infrastructure Overhead
Before adopting a cloud-based sandbox, the team was under constant operational pressure to keep up with incoming threats while maintaining speed and accuracy in triage.
At the time, their setup included an internal detection lab for threat analysis and validation. Yet, managing physical space, equipment, software licensing, and constant updates for an in-house environment pulled limited team resources away from active security operations.
The recent departure of two team members further increased this strain, making it difficult to balance infrastructure maintenance with the daily requirement to fight incoming threats.
“We had a detection lab that was also used to help teach the students, but you have to maintain it as well as fight the things that are coming in as they’re happening.”
The university needed more than a safe, secluded environment to test and validate malware without risking the production network. It needed a way to support faster triage, consistent threat validation, and real-time decision-making as part of everyday SOC workflows, without adding operational overhead.
Introducing ANY.RUN’s Sandbox into the Security Loop
Integration of the Interactive Sandbox was a necessity driven by the critical goal to support faster and more scalable threat validation. The team also needed to teach students in the SOC, within a safe, secluded environment that would not put the institution’s production network at risk.
The university integrated ANY.RUN’s solution as a behavioral validation layer within their defense stack alongside Microsoft Defender and Abnormal Security.
“It’s kind of a big lift to be able to just rely that when I go to ANY.RUN, I know that it’s being maintained.”
The solution was easy to set up and fit into the team’s existing workflows without disruption.
Instead of spending time maintaining their own lab, the team now had a ready-to-use, air-gapped environment for analyzing malicious content at scale. This provided immediate operational value, freeing up time, and allowing the SOC to focus on detecting and responding to critical threats more efficiently.
Scaling Detection and Speeding up Triage with the Same Team
At UMass Boston, the ANY.RUN sandbox now acts as a central component of the daily triage process for the phishing and abuse of mailboxes.
By utilizing ANY.RUN’s API integration with Abnormal, the team automatically sends suspicious emails, links, and attachments for analysis at the click of a button, removing manual steps and standardizing the triage process.
Where previously analysts relied on incomplete signals, they now have a visual confirmation of threats’ behavior.
“Having ANY.RUN’s API connection with our email security vendor has really increased our performance in detecting and being able to tell whether it’s actually phishing.”
The automation transformed how quickly detection and verification happen, reducing the time required to analyze and get conclusive verdicts on suspicious submissions.
“Instead of minutes, [investigations] take seconds.”
Faster, evidence-based triage reduced uncertainty, stabilized operations, and ensured that real threats are identified and handled without delay.
As a result, the team can make confident security decisions at speed and scale, allowing them to process higher volumes of alerts without increasing the headcount or sacrificing decision quality.
Preventing a Phishing Incident Missed by Email Filters
The effectiveness of the team’s sandbox-based defense was demonstrated during a mass email campaign that occurred just before Christmas in 2025, a holiday period when attack volume increases and users are more likely to engage with incoming emails.
Despite having established email security controls in place, the attack passed through primary filters undetected. This is exactly where most organizations become exposed, as missed threats can lead to incidents without a sandbox layer in place.
Instead of relying on the initial verdict, the team escalated the suspicious emails through their sandbox workflow. Using the API integration, they detonated the content and observed its behavior in a controlled environment.
This analysis revealed that the email was a sophisticated phishing scam hosted through Google.
“If we didn’t have ANY.RUN, we would have never picked that up.”
The combination of a proactive team and immediate access to sandbox capabilities allowed UMass Boston to validate the threat, make a confident decision, and contain it before it reached users.
Without this step, the attack could have resulted in credential theft and unauthorized access to internal systems, putting users, research continuity, and institutional trust at risk.
Reducing Risk in Access Control
Beyond email security, ANY.RUN’s solution helps the team manage internal requests regarding blocked websites. When students or staff encounter a firewall block, the security team uses the sandbox to determine if a site is truly malicious or merely misclassified.
“We can take a look at a [potential threat] and see what’s going on and have actual analytics around it.”
This visual verification allows them to see if a legitimate website has been hijacked to serve malware, providing the analytics needed to make accurate access decisions. The team confidently requests re-categorization from their firewall vendor based on observed behavior.
With ANY.RUN, access decisions have become faster and more defensible. Analysts have concrete behavioral evidence to support allow or block actions, reducing unnecessary restrictions for users while maintaining security.
Meeting Compliance and Cyber Insurance Requirements
UMass Boston operates under frequent state audits that require detailed evidence of security processes. These are directly tied to regulations such as FERPA, which governs the protection of student data, and the Massachusetts Data Security Law, which mandates safeguards around personal information and access control.
Modern auditors demand documented artifacts and evidence of how the university manages security. ANY.RUN’s sandbox gives the team this proof. Each analysis shows what the threat does, making it easier to explain decisions and demonstrate how incidents are handled.
Having a dedicated sandbox environment is also a mandatory requirement for many cyber insurance brokers to maintain coverage. Adopting the solution allowed the university to fill a previous gap in their compliance posture and meet these rigorous insurance standards.
A Practical Model for Teams Facing Similar Challenges
The security model developed at UMass Boston is starting to extend beyond a single campus, particularly among teams operating with similar staffing constraints. The team regularly shares real cases and demos with other SISOs and security teams, including peers at Bridgewater State University.
“We have shown people demos and told them that we have also had that problem and this is how we fixed it.”
For teams with limited resources, the sandbox-driven approach provides a way to handle more threats without increasing headcount, while lowering the risk of missed or misclassified incidents.
Conclusion
The UMass Boston case highlights how a lean team can successfully defend a massive research institution by relying on a multi-layered “mesh approach” in security and powering it with effective solutions like ANY.RUN’s Interactive Sandbox.
We would like to thank the University of Massachusetts Boston for allowing us an inside look at their security operations. We are especially grateful to Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, for sharing their time and professional insights.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions.
With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure.
ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale.
Scale your SOC with faster threat validation →
The post Protecting 50,000 Users: How ANY.RUN Drives Incident Prevention at UMass Boston appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Elon Musk’s XChat: how secure is the new messaging app? | Kaspersky official blog
Pavel Durov and his “private” messaging app have a brand new rival, and it’s — drumroll, please — Elon Musk and his XChat. On our blog, we’ve discussed more than once why Durov’s claims about Telegram privacy and security are exaggerated, to put it mildly. Here, I’ll just remind the reader that standard (non-secret) chats on Telegram aren’t protected by end-to-end encryption — the bare minimum required for user data to stay private.
But let’s get back to Musk. In late April 2026, the XChat app launched for iOS users. The tech mogul had been touting his messaging app for a long time, pitching it from day one as an incredibly private and secure way to communicate, and as a direct threat to Signal, WhatsApp, Telegram, and iMessage. Today, we look at whether we should actually trust Musk’s promises this new service, break down its core features, and stack it up against the competition.
Bitcoin-style encryption
Musk initially teased XChat on June 1, 2025, naturally via his X (formerly Twitter) account. Responding to another user’s question about when to expect the new service, Musk wrote: “This week if there are no scaling issues.”
Apparently, scaling issues there were: the app’s beta didn’t drop until September 2025, and iOS users didn’t get full access until April 2026. As for Android, there is zero info on when that version would launch at the time of this writing. That said, an XChat page is already live on Google Play where users can queue up “pre-register”, whatever that means.
But let’s go back to Musk’s post announcing XChat. That specific post turned a lot of heads in the privacy and cybersecurity community, and here’s why: the tech mogul wrote that the service would be built on an “entirely new architecture”, written in Rust, and featuring “Bitcoin-style encryption”.
Elon Musk announces the launch of XChat, claiming the new messaging app is written in Rust and uses “Bitcoin-style encryption”. Source
The expert community spent a long time scratching their heads and trying to figure out what Musk actually meant. After all, Bitcoin isn’t an anonymous, encrypted data exchange system. The blockchain does use public and private cryptographic keys, but for something entirely different: signing transactions. Meanwhile, these transactions aren’t hidden from prying eyes; they’re out in the open for anyone to see, forever. Simply put, Bitcoin protects its users not by ensuring privacy, but quite the opposite — through ultimate transparency.
Most likely, Musk used “Bitcoin-style encryption” as a marketing gimmick. Bitcoin was trading near all-time highs at the time of his announcement, and cryptocurrency was the talk of the town. Technically, the XChat beta that dropped in September 2025 protected user chats with a “kind of” end-to-end encryption, but this was implemented in a way that raised serious doubts among cryptography experts.
And not without a reason. Normally, setting up an end-to-end encrypted chat automatically generates a public and private key pair. The public key is used to encrypt messages, while the private key decrypts them. Because other users need your public key to start a secure chat with you, these keys are usually stored on the app’s servers.
The private key, however, should ideally live only on the user’s device — which is exactly how Signal does it. This serves as a simple, ironclad guarantee that neither the company itself nor any third party breaching its infrastructure can access user chats, even if they really want to.
But Elon Musk’s projects always march to the beat of their own drum: the XChat developers decided it would be a great idea to store users’ private keys on XChat servers. X claims they’ll use hardware security modules (HSMs) to store these private keys — specialized appliances designed to prevent even the system owner from easily accessing the data inside. However, experts are also questioning the reliability of this setup, and coming to a grim conclusion: if X really wants to get a user’s private key, they will most likely be able to do so.
How encrypted messaging in XChat works in practice
Finally, once the scaling issues were ironed out nearly a year after the announcement, X officially rolled out the XChat app for iOS in April 2026. Now anyone can use it, but from a practical standpoint, the situation with encrypted chats seems even more convoluted than in Telegram.
According to the social network’s help center, to use end-to-end chat encryption in XChat, both users must have an X account, set up XChat, and have some sort of connection between them:
- Follow, or be subscribed to each other
- Have exchanged messages before
- Have previously accepted a direct message request
- Be a member of the same Premium Business / Premium Organization subscription on X
If users don’t follow each other and haven’t interacted before, XChat might still let them send a message request. However, that initial request goes out without end-to-end encryption.
Again, this is how the process is described in the messaging app’s official help documentation. Sound overly complicated? Let me reassure you: in practice, it works — or rather, doesn’t — completely differently. I personally managed to send a message to another user who had NOT set up XChat. The app itself, of course, gave me absolutely no warning about this.
The app allows you to start a chat with a user who hasn’t even set up XChat yet, without giving the sender any heads-up.
It gets even better. The user I messaged saw a notification for it on the web version of X, but couldn’t actually access the message. Here’s the catch: to start using XChat, the user first has to create a four-digit PIN. Yet, the app asks for this PIN the very first time the user tries to open it — meaning, before they even get a chance to create one. Along with this prompt, the user also sees a warning stating that without the PIN, they won’t be able to view past encrypted chats.
The user is prompted to enter a PIN to decrypt past messages before even completing the initial XChat setup.
The only workaround I found to actually start using XChat is to tap “Forgot PIN?” — even though that PIN never existed in the first place — confirm your identity, and create a new (well, your first) PIN. Naturally, you lose access to your chat history this way, so you won’t be able to read any messages sent to you in XChat before you officially set up the app.
XChat: the new Telegram, WhatsApp, Signal… or Facebook Messenger?
All these PIN hurdles actually exist for a reason. Remember, unlike WhatsApp and Signal, the XChat developers decided to store users’ private keys on their own servers. Consequently, the app uses these four-digit PINs to encrypt those keys.
According to the XChat help documentation, this mechanism was designed to ensure a “seamless” multi-device experience. It’s impossible not to point out that both WhatsApp and Signal managed to pull this off without sketchy workarounds like PIN requirements or server-side private key storage.
The problem is, workarounds like these undermine any claims of app privacy and security. First and chief among them, a PIN isn’t exactly the most secure way to protect sensitive data. We’ve mentioned time and again that four-digit combinations are easy to crack via brute force — especially since XChat gives you a generous 20 attempts to guess the right code.
The app allows up to 20 attempts to enter the four-digit PIN. Once the limit is reached, XChat warns that access to messages will be permanently lost.
Stepping away from the bizarre implementation of end-to-end encryption compared to other messaging apps, it’s hard to ignore the overall sense of pointlessness that comes with trying to use XChat. As a Wired journalist rightly pointed out, the app feels less like a relative of WhatsApp, Signal, or Telegram, and much more like Facebook Messenger. Except people usually open Messenger to read a text from their mom or grandma, whereas XChat seems meant for anyone wanting to check in on that weird nephew who spends all his free time on X, still believes John McAfee’s promise of $500 000 Bitcoin, and fanboys over Elon Musk.
So, what’s the bottom line on XChat?
The best way to wrap up this post is with a quote from a cybersecurity expert: “If what you want is good security, use Signal. If what you want is to be able to talk to pretty much anybody using encrypted messages, use WhatsApp. If your whole life is based around X, I guess this is better than nothing.”
If you do use XChat, rule number one is to avoid a predictable PIN — absolutely don’t use your birth year or, worse, 1234. It’s also crucial not to forget this code, because if you do, your entire chat history is gone for good. Finally, just like your other passwords, you shouldn’t keep it in your notes app, but rather in a secure password manager. This won’t only save you from having to memorize dozens of character combinations, but will also reduce the risk of losing access to your vital data and conversations.
To learn more about secure messaging in other apps, check out our other posts:
Kaspersky official blog – Read More
Leader in Malware Analysis: ANY.RUN Named Top Vendor in G2 Summer 2026 Awards
We are proud to announce that ANY.RUN has earned the title of Momentum Leader and ranked #1 in the Relationship Index in the latest G2 Summer Reports. Reflecting real security teams’ actual experience, these rankings once again prove how critical ANY.RUN’s solutions are for daily SOC operations in modern enterprises.
Why ANY.RUN’s Momentum Leader Title Matters for Your Team
G2 awards the Momentum Leader spot to companies that show high growth and strong market resonance. They calculate this score by looking at real customer feedback and how quickly teams are adopting the solution.
Modern SOCs often deal with high alert volumes and evasive attacks that beat traditional defenses. The ranking shows that more security teams are choosing ANY.RUN as a better way to respond to these challenges and detect malware & phishing early.
When an analyst can clearly see what a suspicious file or link is doing in real-time, they stop guessing and start taking action. This speed directly improves both security metrics like MTTR and overall business security, helping prevent incidents, downtime, and financial losses.
Building Strong Relationships Through Usability
G2 also awarded ANY.RUN with the title of a #1 Malware Analysis Vendor in the Relationship Index, demonstrating customers’ high regard for our products’ usability, support, and overall reliability over time.
As noted by ANY.RUN CEO, we aim to provide “a burnout-free environment SOC teams actually want to return to”. Recognition by G2 shows that we deliver on our vision by creating a consistent experience for everyone on the client’s team:
- Tier 1 analysts use ANY.RUN’s products to reach accurate threat verdicts faster.
- Tier 2/3 professionals save time on routine tasks so they can focus on deep, complex investigations.
- CISOs, Heads of SOC, and other security leaders see more stable performance across different shifts and a significant risk reduction for the company.
Stronger Results for Modern Security Operations
When SOC and MSSP teams use ANY.RUN’s malware analysis & threat intelligence solutions, they get full context on files, URLs, IOCs, IOAs, and IOBs for fast and confident decisions.
The clarity ANY.RUN provides, reduces uncertainty and leads to measurable improvements in security posture:
- Accelerated Triage and Detection: Direct observation lets teams move from uncertainty to action fast, lowering investigation time and operational costs.
- Immediate Confirmation of Business Exposure: Instant visibility helps leaders understand threat impact earlier and prevent successful breaches.
- Enhanced SOC Efficiency and Stability: ANY.RUN supports decision-making across tiers, enabling consistent quality of investigations and reduced operational friction.
- Comprehensive Multi-Platform Analysis: Broad visibility across Windows, macOS, Linux, and Android environments provides the exact execution context needed for precise, enterprise-scale incident response.
- Secure and Controlled Investigations: Private analysis, SSO, and team-based access let teams collaborate within shared workflows without compromising investigation security.
Conclusion
At the end of the day, a successful SOC needs three things: speed, clarity, and consistency. The recognition from G2 confirms that ANY.RUN empowers teams to achieve those goals.
We help SOC professionals understand threats earlier and make confident decisions even under pressure. We are excited to keep building solutions that reduce risk and make security operations more efficient.
About ANY.RUN
ANY.RUN develops cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows. The company’s mission is to deliver fast threat understanding and confident incident response.
Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.
ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.
The post Leader in Malware Analysis: ANY.RUN Named Top Vendor in G2 Summer 2026 Awards appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
A guide to disabling Copilot, Gemini, and Apple Intelligence | Kaspersky official blog
Lately, software developers have been baking AI features straight into everyday work tools, operating systems, and browsers. In some cases, they’re genuinely handy. However, their presence introduces specific risks, which means plenty of companies are hesitant to give employees access to these tools. In a previous post, we categorized these unwanted AI systems, looked at how to spot them at the network and endpoint levels, and covered the ultimate universal kill switch: managing OAuth access across major corporate platforms. In this deep dive, we’re getting tactical: breaking down how to disable or restrict the AI built into popular platforms.
A quick heads-up: major software vendors occasionally change the names of their AI settings and tweak how they function. If any of the options mentioned below are missing or aren’t working as expected, a quick web search for the setting’s name will usually point you to its new location or branding.
How to turn off Microsoft 365 Copilot
Detection: you can check actual Copilot usage in the logs by going to Microsoft 365 admin → Copilot usage report.
Disabling via policies: in the Microsoft 365Admin Center, go to Settings → Integrated Apps, find Copilot in the Available Apps list, and select Block. More granular configuration policies are available under Customization → Policy Management. The Policies page here contains over two thousand entries, so you’ll want to filter them by the keyword “Copilot” (detailed guide). Given that Copilot is a paid add-on for Office, another way to block it — and save money by doing so — is to simply avoid assigning users SKUs that include Copilot.
We recommend separately blocking Copilot Chat, which is available in Teams, Edge, Outlook, and several other services. Yes, it’s not Copilot itself. And yes, it has to be blocked separately by following this guide.
Additional layer of protection: you can block the domains copilot.cloud.microsoft and m365.cloud.microsoft/chat at the web filter or NGFW level. However, Microsoft explicitly advises against this, warning that it could break other Microsoft 365 features.
How to turn off Windows Copilot
Beyond the Office version of Copilot, you also need to manage its consumer-facing cousin.
Detection: look through your NGFW or other network logs for traffic hitting copilot.microsoft.com, bing.com/chat, or edgeservices.bing.com.
Disabling via policies: in Windows Group Policy, navigate to Computer Config → Admin Templates → Windows Components → Windows Copilot. In Microsoft 365 Group Policy, go to Admin center → Block consumer Copilot for organizational accounts.
Additional layer of protection: block the Copilot.exe executable from running entirely.
How to turn off the Copilot sidebar in Edge
Detection: look through your NGFW or other network logs for traffic hitting copilot.microsoft.com, bing.com/chat, or edgeservices.bing.com.
Blocking: configure the following MS Edge Group Policies: HubsSidebarEnabled = false, EdgeShoppingAssistantEnabled = false, CopilotPageContext = Disabled (false), CopilotNewTabPageEnabled = false, Microsoft365CopilotChatIconEnabled = false, GenAILocalFoundationalModelSettings = 1 (note that disabling this unexpectedly requires a 1 instead of a 0).
Second layer of protection: block the domains copilot.cloud.microsoft and m365.cloud.microsoft/chat at the web filter or NGFW level. However, Microsoft explicitly advises against this, warning that it could break other features.
How to turn off the Gemini Assistant in Google Workspace
Detection: check the Workspace Admin Console (admin.google.com), Gemini usage report section.
Blocking via policies: in the Admin Console, navigate to Apps → Additional Google services → > Gemini app, and set it to OFF. Then, go to Manage Workspace smart feature settings → Smart features in Google Workspace, and set it to OFF.
Second layer of protection: block network traffic to the domains gemini.google.com, bard.google.com, and aistudio.google.com.
How to turn off Gemini in Google Chrome
Detection: check your Chrome Enterprise reports (Chrome management → Reports), or look through network traffic logs for connections to the previously mentioned domains.
Blocking via policies: in your Chrome Enterprise policies, configure the following settings: GenAILocalFoundationalModelSettings = 0, HelpMeWriteSettings = 2 (disabled), TabOrganizerSettings = 2, CreateThemesSettings = 2, DevToolsGenAiSettings = 2.
Additional layer of protection: block network traffic to the domains gemini.google.com, bard.google.com, and aistudio.google.com. Additionally, block unauthorized Chrome/Chromium installations (those outside your policy management) with the help of host-based application control tools like EPP/EDR or AppLocker.
How to turn off Apple Intelligence
Detection: on your NGFW and web filters, traffic hitting apple-relay.apple.com and *.apple-cloudkit.com is a clear indicator that Apple Intelligence is active.
Blocking via policies: any managed Apple device allows you to disable individual AI features, though there isn’t a master switch you can flip to shut down “all AI”. In your MDM profile, you need to set the following keys to false (disabled): allowWritingTools, allowMailSummary, allowGenmoji, allowImagePlayground, allowImageWand, allowPersonalizedHandwritingResults, allowExternalIntelligenceIntegrations, allowExternalIntelligenceIntegrationsSignIn, allowNotesTranscription, and allowNotesTranscriptionSummary. Here is a brief configuration example:
<dict>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>allowWritingTools</key>
<false/>
<key>allowMailSummary</key>
<false/>
</dict>
Despite Apple’s shift toward declarative device management, these AI features still need to be managed through traditional MDM payload settings.
Second layer of protection: block network traffic to the hosts mentioned above — though the obvious downside for mobile devices is that this won’t work once they leave the corporate network.
Kaspersky official blog – Read More
Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations
Based on 2,101,483 malware and phishing investigations from Q1 2026, ANY.RUN‘s Cyber Risk report provides a real-world view of modern attack trends.
It covers trending malware families, TTPs, and other technical observations, while also delivering executive insights CISOs and SOC teams can use to connect attacker behavior to business risk.
Combining data-backed malware trends with strategic guidance for security leaders, the report reveals critical gaps in detection, response, and visibility that directly impact business resilience, and outlines solutions organizations can use in their defense strategy.
Explore the full report to discover seven key cyber risk trends, their strategic implications, and the security priorities organizations should consider for Q2 2026.
What the Data Shows
- Early-stage compromise is an overlooked risk: Loader-based attacks nearly doubled, highlighting the expanding role of these tools used for initial compromise in organizations.
- Identity remains a primary target: A 14.7% increase in credential theft activity shows that attackers prioritize gaining valid credentials that allow them to operate in a low-noise way.
- Trusted tools are increasingly weaponized: For instance, LOLBAS attacks leveraging JavaScript rose by 58.4%.
- Detection and attribution are becoming more challenging: The growing popularity of credential abuse and trusted tool exploitation makes behavior-based monitoring and anomaly investigation increasingly important.
The full report expands these and other threat intelligence insights, including trending malware families and attack vectors, as well as the evolving nature of modern cyber risk and its strategic implications for Q2 2026, supported by data and actionable recommendations.
The Growing Cost of Delayed Response
One of the clearest messages from ANY.RUN’s Q1 2026 Cyber Risk report is that defenders have less time than ever to detect and respond.
Median times such as 21 seconds to persistence establishment and 16 seconds to Living-off-the-Land (LOTL) execution using native system tools prove that the window between initial compromise and attackers foothold continues to shrink.
In this environment, speed and certainty in investigations become a key advantage for security teams. Establishing early threat detection and rapid investigation flow is what allows successful SOCs to act before incidents escalate to financial impact.
This is where enterprise-scale malware analysis and threat intelligence solutions become critical. By providing faster visibility into attack behavior, the help reduce investigation time, accelerate decision-making, and ultimately limit the business impact of security incidentsthrough early detection and response.
Give Your SOC the Threat Visibility It Needs with ANY.RUN
ANY.RUN gives security leaders stronger control. With malware analysis and threat intelligence solutions get in-depth threat visibility, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and fast validation of threats without losing visibility or control.
With these capabilities, enterprise teams can:
- Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time.
- Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved.
- Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access.
- Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history.
- Strengthen detection coverage to connect related infrastructure, IOCs, and attack patterns.
- Support enterprise-scale response with analysis across major operating systems.
About ANY.RUN
ANY.RUN provides cybersecurity solutions that help organizations strengthen security operations and respond to threats with greater speed and confidence. The company’s mission is to enable security teams to understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows.
Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.
ANY.RUN is SOC 2 Type II attested, demonstrating its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, ANY.RUN helps reduce investigation uncertainty, accelerate triage, and transform threat analysis into actionable intelligence.
The post Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More