SMB cyber readiness: the road to resilience starts here
Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.
WeLiveSecurity – Read More
Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.
WeLiveSecurity – Read More
Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.
In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.
Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.
In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.
Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.
Here are the most common flaws found in the GitHub Actions we reviewed:
In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.
Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.
The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.
Kaspersky official blog – Read More
ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data
WeLiveSecurity – Read More
Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with Torq, a no-code/AI SOC automation platform, bridges this gap by delivering conclusive malware & phishing verdicts and actionable intelligence.
The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection.
Unlike legacy SOAR approaches that often require custom code and months of implementation, Torq allows SOC and MSSP teams to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows.
At launch, users have access to 5 ready-to-use templates designed to accelerate time-to-verdict and standardize the investigation process.
Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation.
Available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.
The Interactive Sandbox workflows allow analysts to detonate suspicious objects in real-time environments (Windows, Linux, macOS or Android) to uncover evasive behaviors. There are two types of templates available for sandbox analysis:

These are triggered directly from a Torq Case, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools.
The list of case-based templates:
These templates are designed to be embedded as a specific step within a larger, custom incident response flow.
The list of sandbox analysis templates:

The Threat Intelligence (TI) Lookup integration focuses on rapid enrichment of “raw” observables found in alerts, such as IPs, domains, hashes, and URLs.
Explore the TI Lookup template.
Setting up the integration is straightforward and requires no custom coding:
By default, these playbooks are configured to be launched manually. This is a deliberate design choice to ensure that only appropriate objects are sent for analysis.
However, for high-volume environments, these templates can be easily integrated into broader, fully automated playbooks.
ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI.
Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, while our Threat Intelligence solutions (TI Lookup and TI Feeds) provide the necessary context to anticipate and stop today’s most advanced attacks.
The integration of ANY.RUN with Torq adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By utilizing these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows.
The post ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights
WeLiveSecurity – Read More
There are dozens of ways to break into someone else’s Telegram account. We’ve frequently covered phishing in Telegram Mini Apps, scams with bots, gifts, and giveaways, and many other tactics. Today, we’re looking at yet another account hijacking method, one that relies on a PowerShell script.
The script, deceptively named “Windows Telemetry Update”, actually serves as a tool for hijacking Telegram sessions. It harvests data from completely defenseless user computers and forwards it to the attackers via a Telegram bot.
Cybercriminals frequently rely on PowerShell scripts to covertly download malware or harvest data. This time, researchers uncovered a script on Pastebin masquerading as a routine Windows update. In reality, it was an infostealer designed to hijack Telegram for Windows session data and allow hackers to take over accounts without a password or verification code.
What’s a PowerShell script anyway? Think of it as a text file packed with commands for a Windows computer. Instead of a human spending time clicking through tasks manually, the computer follows these quick instructions to get everything done automatically in a matter of seconds.
This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes
Right at the top of the script, researchers immediately spotted a Telegram bot token and a chat ID, alongside multiple references to the tdata folder. This specific folder is where Telegram for Windows keeps the authorization keys used to log users in to its servers. If attackers grab this data, they can access the victim’s Telegram account without a password or verification code. Once inside, they maintain access until the victim checks their active sessions in the app and manually terminates the suspicious ones.
The malware lands on the victim’s computer disguised as a PowerShell script for a Windows telemetry update. As soon as it runs, it gathers basic system information: the username, hostname, and public IP address. It then checks if Telegram Desktop is installed. If it is, the script forces the app to close so it can unlock Telegram files for editing.
From there, the rest is simple: the script zips up the entire contents of the tdata folder into a temporary directory, forwards the archive straight to the attackers, and wipes the file from the computer to erase its tracks.
The good news is that the stealer likely hasn’t compromised any accounts yet, as experts found no evidence of actual data transfers. It appears researchers caught this malicious PowerShell script while it was still in the prototype testing phase.
Another giveaway is its surprisingly suspicious name. Cybercriminals typically use neutral names to hide their bots and apps. In this case, when researchers found it, the bot was running under the burner handle afhbhfsdvfh_bot with a dead-honest description: Telegram attacker. Researchers noted that while the bot had likely undergone functional testing, it hadn’t yet been deployed at scale, which explains the placeholder name.
Defending against this nameless stealer requires a layered approach to security. First, it helps to understand how a PowerShell script ends up on your PC in the first place. Usually, they slip in unnoticed through malicious email attachments, software vulnerabilities, infected apps, or social engineering tricks. That’s why we recommend installing a robust security suite on your device and staying highly cautious about the links you click and the files you download.
Make sure to install Kaspersky Premium on every device where you run Telegram. Our security solution will block malware, malicious attachments, spam, phishing attempts, and sketchy websites. Kaspersky Premium subscription additionally includes a password manager. It’ll generate and securely store strong and unique passwords, stop you from entering your credentials on fake sites, and come in handy for tightening your Telegram security, which we’ll cover next.
To protect your Telegram account from these types of hijacking schemes, make sure to:
If your Telegram account has already been hijacked, you have a strict 24-hour window to kick the attackers out by terminating their sessions. We broke down exactly why this rule exists — and mapped out every possible way to reclaim your account — in our detailed guide: What to do if your Telegram account is hacked.
In the meantime, beefing up your account security is a must. First, set up a cloud password by heading to Settings → Privacy and Security → Two-Step Verification. Just any password won’t cut it — you need something unique and unhackable. We recommend reading our post on the subject: Creating an unforgettable password.
Better yet, make the switch to passkeys — a passwordless technology that offers top-tier protection against leaks and phishing. To set up that login method, go to Settings → Privacy and Security → Passkeys. The easiest way to manage your passkeys is with Kaspersky Password Manager. Our cross-platform app ensures you can seamlessly log in to Telegram using your saved passkeys whether you are on Windows, Android, iOS, or macOS.
To learn more about how cybercriminals can breach your Telegram account and how to lock it down, check out our other posts:
- Phishing in Telegram Mini Apps: what’s Habib’s papakha got to do with it?
- Telegram scams with bots, gifts, and crypto
- WhatsApp and Telegram account hijacking: How to protect yourself against scams
- You’ve been sent a “gift” — a Telegram Premium subscription
- What to do if your Telegram account is hacked
Kaspersky official blog – Read More
EvilTokens can hide serious account takeover risk from your SOC through “ghost” code that appears only after browser-side decryption.
As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise.
Full browser-level inspection closes this gap by revealing how the page behaves after execution in a dynamic environment. This gives teams the evidence they need to validate the threat and respond faster.
According to ANY.RUN Threat Intelligence data, recent EvilTokens activity is concentrated mainly in the United States and Europe.
View recent EvilTokens activity in ANY.RUN Threat Intelligence

The kit has been observed targeting organizations in:
These findings show that EvilTokens is aimed largely at organizations where access to a single Microsoft 365 account can expose sensitive data, internal communications, and connected business services.
EvilTokens continues to rank among the most frequently observed phishing kits in ANY.RUN’s weekly threat reports.
A recent analysis session showed how the kit uses Microsoft Device Code Phishing to compromise accounts without stealing credentials directly. Instead, it convinces the victim to complete Microsoft’s legitimate device login flow and unknowingly authorize access to their account.
Check analysis session with recent EvilTokens attack

What makes the attack difficult to investigate is the way it hides its phishing content. The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders it in the DOM.
Static URL checks and network-level detection may therefore capture the initial response without showing what the victim actually sees in the browser. This can leave SOC teams with an incomplete verdict, force additional manual checks, trigger unnecessary escalations, and delay containment.
This visibility gap becomes a business risk. When SOC teams cannot see what a suspicious page does after browser execution, the impact goes beyond a slower investigation. It can lead to:
To validate the threat quickly, teams need visibility into what happens after the page begins running. In the following walkthrough, we use ANY.RUN’s in-browser data inspection to uncover the decrypted page, trace the requests behind the device-code flow, and collect evidence for response and further detection.
With in-browser data inspection inside ANY.RUN’s Interactive Sandbox, investigators can examine cases like this across several layers:
HTML DOM Changes: Tracks changes to the DOM over time and allows investigators to compare different snapshots of the same page. It highlights byte-level differences from the previous DOM state, making it easier to identify the exact moment when the decrypted phishing page appears.
HTTP Requests: Provides visibility into browser-level network activity, including requests involving HTML, JavaScript, Fetch/XHR, scripts, static assets, binary files, archives, and other request categories.
URL Details: Displays the final URL and domain, SSL certificate information, DNS A records, request statistics, and triggered detection signatures.
Indicators: Collects indicators of compromise associated with the page, including top-level domains, subdomains, URL endpoints, file hashes, IP addresses, and ASN information.
The network traffic shows that EvilTokens delivers the landing page in an HTTP response encrypted with AES-GCM:

The decrypted HTML DOM of the page can be viewed in the Browser Data panel:

Here, you can view snapshots of the DOM structure after the AES-GCM-encrypted code has been decrypted:

The HTML DOM Changes fields contain the following information:
The value that should draw your attention most is the green +48-byte size diff. By selecting the fourth snapshot, you can see which line was removed and which line was added compared with the previous snapshot:

Looking at the Render panel on the left, we can confirm that a user code has appeared on the page. The attackers will later use this code to take over the victim’s Microsoft 365 account:

This suggests that the landing page dynamically requested the user code from the backend through a Fetch/XHR request. The request can be examined in the HTTP Requests tab:

By comparing the Timeshift values of the HTTP request and the DOM snapshot, we can conclude that the user code was obtained through a request to the /api/device/start endpoint. Clicking the URL confirms this:

The findings from a single analysis session can be used to uncover related phishing infrastructure and activity.
Start with URL Details, where the code exposed in the DOM triggered the Microsoft OAuth device-code phishing signature.

Searching for this signature in ANY.RUN’s Threat Intelligence reveals other phishing resources that use similar code patterns:
TI Query: ruleName:”^Microsoft OAuth device-code phishing has been detected$”

The results show that this behavior is not unique to EvilTokens. Other phishing kits use similar code and techniques, allowing teams to move beyond one isolated case and identify a broader set of related threats.
To narrow the search specifically to EvilTokens, use the following query: threatName:”eviltokens”
Threat Intelligence data shows that recent EvilTokens activity is concentrated mainly in the United States and Europe:

Teams can also track device code phishing activity more broadly using the oauth-ms-phish threat tag:
TI Query: threatName:”oauth-ms-phish”

This wider search helps teams identify related campaigns even when they are associated with a different phishing kit or infrastructure.
Next, return to Browser Data and open the Indicators tab:
Not every artifact collected during the analysis should be added to detection rules. For example, the observed IP address belongs to the CloudflareNet autonomous system. Blocking or detecting this shared infrastructure could produce false positives and affect legitimate services.
More specific indicators from the session, including the domain, URI, and hash, are stronger candidates for further validation and detection:

By pivoting on signatures, threat names, tags, and carefully selected IOCs, teams can connect an individual alert to wider phishing activity, improve detection coverage, and respond proactively to related attacks.
The HTML DOM Changes view is useful not only for triage but also for deeper code analysis. By examining the decrypted page logic, teams can identify recurring patterns that may support low-level phishing detection rules.
The following code shows the Device Code Flow Configuration:

The first fragment shows the client sending a gate check request to:
/api/device/gate/<PAGE_ID>
The backend returns a killed flag that determines what happens next. If the phishing flow remains active, the attack continues. Otherwise, the victim is shown a decoy page designed to resemble a Microsoft error or expired-link message.

This mechanism allows operators to disable the phishing page or hide its true behavior when certain visitors or conditions are detected.
The next fragment sends a POST request to _startUrl:
/api/device/start
The backend returns the userCode, sessionId, and verification URI. The script then stores the session, constructs _verificationUrl, and writes the user code into the DOM for the victim.

This is the same activity observed earlier in the HTTP Requests view, connecting the browser-side code directly to the network request and the user code displayed on the page.
The frontend then checks the status of the device-code session through:
/api/device/status/{sessionId}
It repeatedly sends GET requests containing the current sessionId and receives the latest status from the backend.
Once the status changes to completed, the script stops polling, displays a success screen, and redirects the victim to the legitimate OneDrive website.

This final redirect helps the attack appear successful and legitimate, while the attackers retain the access authorized through the completed Microsoft device login flow.
By connecting the decrypted DOM code with browser requests and visible page changes, teams can reconstruct the full phishing logic and identify code patterns, endpoints, and behaviors that may strengthen future detection.
The EvilTokens investigation shows the practical value of browser-level evidence. Instead of stopping at the encrypted HTTP response, teams can see the decrypted DOM, identify the request that generated the user code, trace the device-code session, and extract artifacts for detection and threat hunting.

This improves the investigation workflow in several ways:
Faster triage and fewer unnecessary escalations: Tier 1 analysts can validate suspicious URLs using direct browser-level evidence rather than relying on incomplete indicators. This reduces uncertainty, speeds up verdicts, and keeps more benign cases from reaching senior teams.
Smoother handoff and faster response: When escalation is necessary, Tier 2 receives the full attack context, including DOM changes, HTTP requests, triggered signatures, rendered content, and relevant indicators. This reduces repeated work and supports faster containment decisions.
Stronger detection engineering: Decrypted page code, browser requests, endpoints, and behavioral patterns provide useful material for custom phishing signatures, hunting hypotheses, and detection rules based on observed attacker behavior.
More focused threat hunting: Teams can pivot from one EvilTokens session to related domains, code patterns, phishing kits, and device-code attacks in ANY.RUN’s Threat Intelligence, expanding the investigation beyond a single URL.
Clearer reporting: Structured investigation results turn complex browser activity into evidence that is easier to use during triage, escalation, incident response, and stakeholder communication.
For SOC and MSSP teams, this means less time spent reconstructing browser activity manually, better use of senior resources, and a faster path from a suspicious URL to a confident response decision.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions.
Its cloud-based Interactive Sandbox lets teams safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for faster response.
ANY.RUN’s Threat Intelligence solutions add broader context around threats, infrastructure, and attacker activity. Together, these capabilities support faster triage, stronger detection, better-informed response decisions, and more efficient security operations at scale.
The post EvilTokens: How “Ghost” Code Threatens US and European Businesses appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
In early June, cybersecurity researchers discovered that a compromised version of the Israel-based Hola Browser for Windows (version 1.251.91.0) was secretly downloading a Monero crypto miner to users’ devices. Shortly after the discovery, Hola confirmed that it had fallen victim to a supply chain attack. In this article, we break down how the attack went down, how the crypto miner works, and what it means for affected users.
The Israeli company Hola is best known for its VPN service, which users primarily rely on to bypass geo-restrictions and access region-locked content. In addition to the VPN, the company develops Hola Browser — a Chromium-based browser that comes with built-in VPN and proxy features.
Researchers first spotted signs of trouble during a standard compliance check for the AppEsteem Windows Certified Application program. As part of this certification process, independent cybersecurity firms audit software to ensure it only contains the components it claims to have and is free of unwanted or malicious features. Even after a certificate is granted, apps are regularly re-evaluated to ensure they continue to meet AppEsteem’s strict guidelines.
It was during one of these routine follow-up checks that experts noticed an unauthorized file bundling itself with version 1.251.91.0 of Hola Browser for Windows. Once installed, the file saved itself to the hard drive at C:Program FilesHolame{.}exe. The file immediately raised red flags for researchers due to a laundry list of suspicious characteristics: it wasn’t on the list of approved application files, lacked a timestamp, and had no digital signature. On top of that, its code was heavily obfuscated, and it possessed the ability to inject itself directly into system memory.
Interestingly, researchers noted that the file didn’t show up in every single installation. Because the infection wasn’t widespread across all users, experts suspected early on that a specific stage in the Hola Browser distribution pipeline had been compromised. Hola later confirmed this theory, admitting it had fallen victim to a supply chain attack.
As for the suspicious me{.}exe file itself, closer analysis revealed that it was a stealthy crypto miner configured to mine Monero. We’ll now dive into the technical details of how it works.
Crypto miners are programs that harness a computer’s processing power to mine cryptocurrency. While some users install this software intentionally to generate a bit of income, miners that run on a machine without the owner’s knowledge are typically classified as unwanted.
Running a hidden miner can noticeably slow down the device, spike the user’s electricity bill, and shorten the hardware’s lifespan. That being said, it’s worth noting that a crypto miner infection will not actually steal the owner’s cryptocurrency; the damage is strictly limited to the hijackers leeching your computer’s hardware resources to line their own pockets.
As we mentioned above, the malicious download bundled with Hola Browser sneaked a Monero crypto miner onto victims’ devices. Launched in 2014 and built on the CryptoNote protocol, Monero currently trades at around US$330 per coin.
Compared to heavyweights like Bitcoin or Ethereum, Monero is a bit exotic and lesser-known to the general public. This niche status shows in its relatively modest price growth and smaller market capitalization — which is roughly 200 times lower than Bitcoin’s. However, Monero has one defining feature: privacy. While Bitcoin and Ethereum operate on fully transparent, public blockchains, where anyone can trace transactions, Monero is a “privacy coin”. It uses advanced cryptographic mechanisms to mask the sender, receiver, and transaction amounts. This extreme anonymity is exactly why hackers love hidden Monero miners — it makes it difficult for law enforcement and cybersecurity professionals to follow the money trail.
Additionally, Monero’s underlying algorithm is explicitly designed to mine efficiently using standard computer processors (CPUs). This stands in stark contrast to many other popular cryptocurrencies, which require specialized ASIC hardware or high-end graphics cards (GPUs) to be profitable.
But let’s look closer at how this played out with Hola Browser. When researchers dissected the malicious me{.}exe code, they found it was automatically adding its own files to the Microsoft Defender exclusion list. By allowlisting itself, the malware successfully blinded Windows’ built-in antivirus, allowing the crypto miner to run in the background completely unhindered.
Once inside, the program made a copy of itself under the name HolaMonitorService{.}exe, and set up a persistent Windows background service called hola_monitor_svc. This maneuver allowed the malware to entrench itself in the system, automatically launching every time the computer restarted. To avoid raising any red flags with sudden massive performance drops, the miner was programmed to stay dormant, kicking into gear only when the computer was idle.
To their credit, Hola’s development team responded swiftly to the initial reports of the suspicious file. They confirmed the supply chain breach, but stated that the incident only impacted 0.1% of their user base. The company has since tightened up security around its update distribution pipeline to guarantee that users only receive approved, certified, and digitally-signed software components moving forward.
In light of this incident, we highly recommend that all Hola Browser users update to the latest version immediately — especially those running the application on Windows.
More broadly, this situation is a textbook reminder of why it’s so critical to keep all your software up to date and run a robust cybersecurity solution on all your gadgets. For instance, Kaspersky Premium provides real-time alerts about suspicious software behavior and blocks threats instantly. As an added bonus, a Kaspersky Premium subscription includes a secure and reliable VPN.
Don’t forget that malicious crypto miners don’t just target PCs; they also go after smartphones, often disguising themselves as anything from popular mobile games to official government service apps. Check out our previous posts to learn more:
Kaspersky official blog – Read More
ANY.RUN has been recognized as the Best Security Investigation Platform 2026 at the Cybersecurity Stars Awards by The Hacker News.
This award reflects our dedication to building solutions that make a real impact on daily security operations.
At ANY.RUN, we help SOC and MSSP teams worldwide streamline threat investigation workflows through confident decision-making, full malware and phishing visibility, and actionable insights thataccelerate incident investigations and response.
We thank our global community of security professionals for continuously trusting our solutions and supporting our growth!
The Cybersecurity Stars Awards are organized by The Hacker News, one of the industry’s leading cybersecurity publications, delivering industry news, threat intelligence insights, and practical security guidance to more than 50 million security professionals annually.
The award recognizes companies and individuals who have demonstrated excellence in cybersecurity through innovation, impact, and technical achievement.
As the organizers noted:
“[ANY.RUN’s] work helps SOC and MSSP teams move faster in the critical moments when every second counts in threat investigation.”
This recognition reflects our mission to simplify complex investigations and help security teams in companies and organizations accelerate detection, analysis, and response at scale.

Winners were selected by an independent panel of cybersecurity experts based on criteria including innovation, industry impact, and technical excellence. At ANY.RUN, we translate these principles into tangible business outcomes for security teams:
ANY.RUN’s enterprise-ready solutions are designed to meet the needs of modern SOC and MSSP environments. Our recent releases reinforce this mission by delivering:
ANY.RUN provides cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows.
Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.
The company’s mission is to deliver fast threat understanding and confident incident response.
ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.
The post The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen
WeLiveSecurity – Read More