How long would it take your team to realize ransomware is already running? 

The newly identified ransomware families are already causing real business disruption. These threats can disrupt operations fast while also reducing visibility through stealth or cleanup activity, shrinking the time teams have to detect and contain the attack. 

Here’s what you should know about BQTLock and GREENBLOOD, and how your team can detect and contain them before the impact escalates. 

TL;DR  

• BQTLock is a stealthy ransomware-linked chain. It injects Remcos into explorer.exe, performs UAC bypass via fodhelper.exe, and sets autorun persistence to keep elevated access after reboot, then shifts into credential theft / screen capture, turning the incident into both ransomware + data breach risk. 

• GREENBLOOD is a Go-based ransomware built for rapid impact: ChaCha8-based encryption can disrupt operations in minutes, followed by self-deletion / cleanup attempts to reduce forensic visibility, plus TOR leak-site pressure to add extortion leverage beyond recovery. 

• In both cases, the critical window is pre-encryption / early execution: stealth setup (BQTLock) and fast encryption (GREENBLOOD) compress response time and raise cost fast. 

• Behavior-first triage in ANY.RUN’s Interactive Sandbox lets teams confirm key actions (process injection, UAC bypass, persistence, encryption, self-delete) during execution, extract IOCs immediately, and pivot into Threat Intelligence Lookup (e.g., commandLine:”greenblood”) to find related runs/variants and harden detections faster. 

BQTLock: A Stealth Attack That Escalates into Data Theft and Business Risk 

Details on X 

BQTLock is a ransomware-linked threat designed to hide in normal system activity, gain elevated privileges, and quietly prepare for deeper impact before defenders can react. 

Instead of triggering obvious alerts immediately, it blends into trusted Windows processes and delays visible damage. This makes early detection difficult and increases the chance of data exposure, operational disruption, and financial loss for affected organizations. 

How the Attack Was Revealed Through Behavioral Analysis  

Using the ANY.RUN interactive sandbox, analysts were able to observe the full behavioral chain in real time. 

See full execution chain of BQTLock

The analysis revealed that the malware: 

• Injects the Remcos payload into explorer.exe to remain hidden inside legitimate system activity 

• Performs a UAC bypass via fodhelper.exe to obtain elevated privileges 

• Establishes autorun persistence to survive system restarts with higher access rights 

Once privilege escalation is complete, the threat moves beyond stealth and into active harm, including: 

• data theft capabilities that increase breach severity 

• screen capture activity that may expose sensitive corporate information 

This sequence shows how quickly a seemingly quiet infection can evolve into a full security and compliance incident. 

GREENBLOOD: Fast Encryption, Evidence Removal, and Immediate Business Exposure 

Details on X 

GREENBLOOD is a newly observed Go-based ransomware built for speed, stealth, and pressure. 

Rather than relying only on encryption, it combines rapid file locking, self-deletion to reduce forensic visibility, and data-leak threats through a TOR-based site. 
This transforms a technical incident into a full business crisis involving downtime, regulatory exposure, reputational damage, and recovery cost. 

For organizations, the biggest risk is timing. By the moment encryption becomes visible, sensitive data may already be stolen and operational disruption already underway. 

How the Attack Was Uncovered During Real-Time Detection and Triage 

Inside the ANY.RUN interactive sandbox, ransomware behavior and cleanup activity became visible while execution was still unfolding, allowing early detection during the most critical stage of the attack. 

Check full attack chain of GREENBLOOD 

The sandbox analysis exposed: 

• Fast ChaCha8-based encryption capable of disrupting operations within minutes 

• Attempts to delete the executable, limiting post-incident forensic visibility 

• Actionable indicators of compromise that enable earlier detection across endpoints and environments 

Because this behavior is captured in real time, SOC teams can move directly from detection to triage and containment before encryption spreads widely. 

Using ANY.RUN Threat Intelligence, teams can search for other sandbox analyses related to GREENBLOOD and track how the threat appears across different environments. A simple query like helps uncover related executions, recurring patterns, and potential variants that may not match the exact same sample. 

Use this query link to explore related activity: commandLine:”greenblood” 

This is valuable as ANY.RUN Threat Intelligence is connected to real sandbox activity from 15,000+ organizations and 600,000+ security professionals. In practice, that means you can use community-scale execution evidence to strengthen detections faster, tune response playbooks, and stay ahead as ransomware changes. 

How These Ransomware Attacks Impact Businesses 

BQTLock and GREENBLOOD may use different techniques, but they point to the same operational reality: modern ransomware is designed to create maximum business damage in the shortest possible time. 

Instead of slow, visible attacks, today’s ransomware combines stealth, speed, privilege escalation, and data-leak pressure to overwhelm traditional response workflows before containment begins.

For most companies, the fallout comes in a few predictable ways: 

• Data theft before encryption: After privilege escalation, BQTLock moves into data theft and screen capture, turning ransomware into a breach and compliance issue. 

• Disruption in minutes: GREENBLOOD encrypts fast, which can cause rapid downtime and immediate operational impact. 

• Stealth and cleanup slow response: BQTLock hides in normal processes and persists with elevated rights, while GREENBLOOD attempts self-deletion, reducing visibility and increasing recovery cost. 

• Extortion pressure beyond recovery: GREENBLOOD includes leak-site threats via a TOR-based platform. That adds a second layer of pressure: even if systems are restored, the business may still face data exposure, compliance issues, and long-term brand damage. 

• Short response window, higher cost: Between stealth setup and fast encryption, delays quickly translate into bigger financial damage. 

How SOC Teams Can Detect and Contain Modern Ransomware Before It Spreads 

Stealthy privilege escalation, rapid encryption, and leak-site extortion leave security teams with very little time to react. 

To stop ransomware before it reaches full business impact, SOC teams need an operational cycle that moves from early detection → confirmed behavior → broader visibility → proactive defense in minutes, without any complicated steps and setups. 

With ANY.RUN, this cycle happens inside a single connected workflow, allowing teams to shift from late response to early containment. 

1. Confirm Ransomware Behavior Before Encryption Spreads 

The first and most critical step is safe behavioral detonation. 

Ransomware like BQTLock hides inside trusted processes and escalates privileges quietly. GREENBLOOD encrypts files quickly and attempts to remove traces. 

Running suspicious files or links inside ANY.RUN’s controlled environment exposes: 

• privilege escalation attempts 

• persistence mechanisms 

• encryption activity 

• data theft or screen capture behavior 

As this visibility appears during execution, teams can reach a clear verdict in seconds instead of discovering the attack after downtime begins. 

This early proof translates directly into operational gains, with 94% of teams reporting faster triage, Tier-1 to Tier-2 escalations reduced by up to 30%, and MTTR shortened by an average of 21 minutes per case, helping contain ransomware before downtime and financial impact grow. 

2. Expand Investigation Using Real-World Threat Intelligence 

Stopping a single sample is not enough if the campaign continues elsewhere. 

Indicators extracted from sandbox analysis can be used to search across ANY.RUN Threat Intelligence, revealing: 

• related ransomware executions 

• reused infrastructure or tooling 

• emerging variants and evolving tactics 

The payoff is earlier campaign-level detection and clearer evidence for decision-making, which lowers breach exposure, strengthens compliance readiness, and reduces the business impact of repeat attacks. 

3. Strengthen Prevention and Reduce Future Incident Cost 

The final step is turning investigation insight into ongoing protection. 

Fresh indicators and behavioral signals can flow directly into your existing stack through ANY.RUN TI Feeds, keeping detections current without manual copy-paste or constant rule rewrites. This helps teams block repeat attempts faster and react to shifting ransomware infrastructure as it changes. 

This ongoing flow shifts teams from reactive detection to proactive monitoring, so attacks are discovered earlier and contained with less business impact. 

About ANY.RUN 

ANY.RUN is part of modern SOC workflows, integrating easily into existing processes and strengthening the entire operational cycle across Tier 1, Tier 2, and Tier 3. 

It supports every stage of investigation, from exposing real behavior during safe detonation, to enriching analysis with broader threat context, and delivering continuous intelligence that helps teams move faster and make confident decisions. 

Today, more than 600,000 security professionals and 15,000 organizations rely on ANY.RUN to accelerate triage, reduce unnecessary escalations, and stay ahead of evolving phishing and malware campaigns. 

To stay informed about newly discovered threats and real-world attack analysis, follow ANY.RUN’s team on LinkedIn and X, where weekly updates highlight the latest research, detections, and investigation insights. 

Frequently Asked Questions

The post Emerging Ransomware BQTLock & GREENBLOOD Disrupt Businesses in Minutes  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink.
• The VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks, which can create tools on-demand for their operators.
• Cisco Talos found clear indications that implants also exist for Windows, with the capability to load plugins.
• VoidLink is a near-production-ready proof of concept for an enterprise grade implant management framework, and features auditability and oversight for non-operators.

VoidLink is a new modular framework that targets Linux based systems. Modular frameworks are prevalent on the landscape today with the likes of Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many operating today. This framework is yet another implant management framework denoting a consistent and concerning evolution with shorter development cycles.

Cisco Talos is tracking the threat actor first seen to be using the VoidLink framework as UAT-9921. This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity.  UAT-9921 uses compromised hosts to install VoidLink command and control (C2) which are then used to launch scanning activities both internal and external to the network.

Who is UAT-9921?

Cisco Talos assesses that this threat actor has knowledge of Chinese language based on the language of the framework, code comments and code planning done using the AI enabled IDE. We also assess with medium confidence that they have been active since at least 2019, not necessarily using VoidLink.

VoidLink development appears to be a more recent addition with the aid of large language model (LLM) based  integrated development environment (IDE). However, in their compromise and post-compromise operations, UAT-9921 does not seem to be using AI-enabled tools. 

Cisco Talos was able to determine that the operators deploying VoidLink have access to the source code of some modules and some tools to interact with the implants without the C2. This indicates inner knowledge of the communication protocols of the implants.

While the development of VoidLink seems to be split into teams, it is unclear what level of compartmentalization exists between the development and the operation. We do know that UAT-9921 operators have access to VoidLink source code of kernel modules, as well as tools that enable interaction with the implant without the C2.

Talos assesses with high confidence that UAT-9921 compromises servers with the usage of pre-obtained credentials or exploiting Java serialization vulnerabilities which allow remote code execution, namely Apache Dubbo project. We also found indications of possible initial compromise via malicious documents, but no samples were obtained.

In their post-compromise activities, UAT-9921 deploys the VoidLink implant. This allows the threat actor to hide their presence and the VoidLink C2, once deployed.

To find new targets and perform lateral movement, UAT-9921 deploys a SOCKS server on their compromised servers, which is used by FSCAN to perform internal reconnaissance.

With regard to victimology, UAT-9921 appears to focus on the technology sector, but we have also seen victims from financial services. However, the cloud-aware nature of VoidLink and scanning of entire Class C networks indicates that there is no specific targeting.

Given VoidLink’s auditability and oversight features, it is worth noting that even though UAT-9921 activity involves usage of exploits and pre-obtained credentials, Talos cannot discount the possibility that this activity is part of red team exercises.

Timeline

Talos is aware of multiple VoidLink-related victims dating back to September with the activity continuing through to January 2026. This finding does not necessarily contradict the Checkpoint Research mentions of late November since the presented documents show development dates from version 2.0 and Cisco Talos access that this was still version 1.0.

The future of attack frameworks

Talos has been tracking fast deployment frameworks since 2022, with reports on Manjusaka and Alchimist/Insekt. These two projects were tightly linked in their development philosophy, features, and architectural design. There were obvious inspirations from CobaltStrike and Sliver; however, one fundamental difference was the single file infrastructure and the lack of integrated initial infector vector.

The VoidLink framework represents a giant leap in this predictable evolution, while keeping the same, single file infrastructure philosophy. This is a clear example of a “defense contractor grade” implant management framework, which represents one natural next step of other single file infrastructure frameworks like Manjusaka and Alchimist. 

The development of VoidLink was fast, supported on AI-enabled integrated development environments. It uses three different programing languages: ZigLang for the implant, C for the plugins and GoLang for the backend. It supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The reported development timeline of around two months would be hard to achieve by a small team of developers without the help of an AI-enabled IDE.

While Talos will discuss the framework in more detail below, it is important to reflect on what is to come in the framework landscape. With the current level of AI agents, it will not be surprising to find implants that ask their C2 for a “tool” that allows them to access certain resources.

The C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for a known vulnerability, which just happens to be on an internal web server. The C2 doesn’t necessarily need to have all these tools available — it may have an agent that will do its research and prepare the tool for the operator to use. With the current VoidLink compile-on-demand capability, integrating such feature should not be complex. Keep in mind that all of this will happen while the operator continues to explore the environment.

Of course, this may just be an intermediate step, assuming that there is a human operator managing the environment exploration. However, it likely will not be long before we begin to uncover malicious agents doing the initial stages of exploration and lateral movement before human intervention.

This has an impact of reducing compromise attack metrics — namely, the time to lateral movement and time to focused data exfiltration. It also allows the generation of never-before-seen tools and the constant change in the attacker’s behavior, making detection more difficult.

VoidLink Overview

VoidLink contains features that make it “defense contractor grade,” such as the auditability of all actions and the existence of a role-based access control (RBAC). The RBAC consists of three different levels of roles: “SuperAdmin,” “Operator,” and “Viewer.” This feature is not often seen in other similar frameworks, but it is crucial when operations need to have legal and corporate oversight.

The mesh peer-to-peer (P2P) and dead-letter queue routing capabilities allow some implants to communicate with others, creating hidden networks with-in the same environment allowing the bypass of network access restrictions, as one implant may serve as external gateway for other implants.

The development timeline reported by CP<R> indicates that this is a near-production-ready proof of concept. Most frameworks support Windows and MacOS from their early stages of development; VoidLink only appears to have implants developed for Linux, although the implant code is written in such a way that can easily be adapted to other languages. The main implant is written in ZigLang, a rather uncommon language; however the plugins are written in C. When needed these are loaded via an ELF linker and loader.

Talos has found clear indications that the main implant has been compiled for Windows and that it can load plugins via dynamic-link library (DLL) sideloading. Unfortunately, we were unable to obtain a sample to confirm these indications.

The Linux implants have advanced features, such as an eBPF or Loadable Kernel Module (LKM) based rootkit, container privilege escalation, and sandbox escape. These are often related with the server side, but there are a multitude of plugins in the implant targeting Linux as a desktop and not a server, something which is not often seen on malware since the Linux desktop base is not as prevalent as Windows or MacOS.

Most of the modular frameworks Talos observes support a wide variety of platforms typically inclusive of Linux, Windows, and MacOS — but VoidLink is different. The VoidLink framework specifically targets Linux devices without any current support for Windows or MacOS. Linux is a particularly large landscape, with the Internet of Things (IoT) and critical infrastructure heavily relying on the Linux OS.

As with most frameworks, VoidLink can generate implants consisting of a variety of plugins. The plugins themselves are standard, with the ability to interact and extract information from end systems, as well as capabilities allowing for lateral movement and anti-forensics. VoidLink is also cloud-aware and can determine if it is running in a Kubernetes or Docker environment, then gather additional information to make use of the vendor’s respective APIs. It has stealth mechanisms in place, including the ability to detect endpoint detection and response (EDR) solutions and create an evasion strategy based on the findings. There are also a variety of obfuscation and anti-analysis capabilities built into the framework designed to either obfuscate the data being exfiltrated or hinder the analysis and removal of the malware itself.

VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility, as demonstrated through this apparent proof of concept.

Coverage

The following Snort Rules (SIDs) detect and block this threat:

• Snort2: 1:65915 – 1:65922, 1:65834-65842
• Snort3: 1:65915 – 1:65922, 1:65834-65838, 1:310388-1:310389

The following ClamAV signature detects and blocks this threat:

• Unix.Trojan.VoidLink-10059283

More details on how Cisco detects threats like VoidLink is available here.

Cisco Talos Blog – ​Read More

Threat hunting is widely recognized as one of the most important capabilities of a mature SOC. It uncovers stealthy attackers early, reduces dwell time, and prevents security incidents from impacting the business. Yet, in practice, many organizations find that their threat hunting efforts don’t consistently deliver these outcomes. 

Let’s take a look at how high-performing security teams make threat hunting more repeatable, measurable, and effective. 

Why Threat Hunting Programs Often Fail Before They Start 

Most threat hunting teams are doing many things right. They understand attacker techniques, follow threat intelligence reports, and rely on established frameworks. Even so, translating this knowledge into reliable detections can be harder than expected. 

The challenge is rarely about analyst skill or methodology. More often, it comes down to the lack of rich, current, behavior-driven intelligence that makes hunts actionable at scale. 

Most teams operate with fragmented and incomplete inputs:  

1. Teams know attacker techniques but don’t see them in action: Without real execution data such as processes, files, registry and network behavior, TTP hunts stay theoretical and detections remain generic, leaving real business exposure undiscovered. 

2. Indicators come without context: IOCs alone don’t explain how attacks unfold, what happens next, or which assets are at risk, leading to late detection and higher incident impact for the business. 

3. Third-part threat reports cost more effort than they deliver value: Being outdated, fragmented, and too high-level, they slow down hunting and detection engineering, increasing the likelihood of incidents and response costs. 

The result is predictable. Threat hunting consumes significant analyst time while delivering low ROI. Hunts take weeks, detections are rolled out with low confidence, and leadership struggles to see a clear business outcome. 

What Ineffective Threat Hunting Means for the Business 

When threat hunting fails, the security risks and expenses for companies start to grow, leading to: 

• Later detection of active threats: Attacks are identified after user interaction, credential abuse, or persistence, expanding impact and recovery effort. 

• Higher and less predictable incident costs: Delayed visibility forces broader containment, longer investigations, and extended recovery timelines. 

• Unclear risk posture at the executive level: Leadership lacks evidence that proactive security efforts are reducing exposure, limiting informed decision-making. 

• Inefficient use of security resources: Analyst time is spent on activities that do not measurably reduce incident likelihood or impact. 

How to Make Threat Hunting Work in Your SOC or MSSP

Effective and scalable threat hunting starts with real attacker behavior, not theory. Teams build hunting ideas around how attacks actually happen today and continuously adjust them based on what they observe in real investigations. 

This keeps threat hunting practical, repeatable, and aligned with what is actually happening in the threat landscape, rather than relying on abstract models or outdated intelligence. 

This is where ANY.RUN’s Threat Intelligence Lookup proves to be essential for hundreds of SOC teams in companies across finance and transportation to technology and MSSPs in healthcare.  

How TI Lookup Transforms Your Hunts for Maximum Business Impact 

TI Lookup supports instant search across a vast database of threats and indicators. It is built on real-time attack investigations from ANY.RUN’s Interactive Sandbox, where 15,000+ SOC teams and 600,000+ analysts manually analyze live malware and phishing every day. Each investigation immediately feeds fresh data into TI Lookup. 

While most threat intelligence on the market is recycled from other sources, TI Lookup delivers original intelligence derived from live attack activity.  

As a result, TI Lookup acts as a powerful starting point for hunters, giving them access to: 

• Massive attack volume for broader threat coverage: Millions of real executions across industries, regions, and campaigns, expanding your SOC’s visibility and reducing blind spots.

• Near real-time freshness for faster business risk awareness: Intelligence appears hours after attacks are observed, not days or weeks later, enabling earlier risk assessment and response.

• 40+ types of indicators for higher detection rate: Rich telemetry, spanning IOCs, IOBs, and IOAs (from IPs and domains to registry keys and TTPs) is searchable and available to hunters in 2 seconds, reducing the chance of missed threats.

• Behavior-first context for quick prioritization: Every indicator is tied to an actual malware or phishing attack, helping teams quickly separate business-critical risk from low-impact noise.

• Integration with SOC tools for scalability: Thanks to ready-made connectors and API/SDK support, TI Lookup works seamlessly with SIEM/SOAR/TIP and other types of solutions. 

By giving hunters direct access to real attacker behavior, TI Lookup turns threat hunting into a process that delivers measurable outcomes. 

By giving hunters direct access to real attack behavior from millions of sandbox sessions, TI Lookup turns threat hunting into a process that delivers measurable value for SOC performance and business risk reduction. 

• SOC effort shifts from research to risk reduction: TI Lookup helps teams concentrate on threats that are actively used in real attacks, instead of spending time on low-impact hypotheses. 

• Hunting turns into visible results: Instead of producing observations, threat hunting leads to clear decisions: what to investigate, block, monitor, or escalate. 

• Threat hunting becomes a repeatable SOC process: With consistent context and validation, hunting no longer depends on individual expertise and produces predictable outcomes across teams and shifts. 

• Business relevance is built into every hunt: Hunts are aligned with real attack targets and objectives, making their value clear for both SOC management and leadership. 

• Threat hunting delivers measurable security impact: Earlier discovery of hidden threats reduces incident probability and justifies threat hunting as a cost-effective risk control. 

TI Lookup enables SOC teams to validate and refine hunting patterns, understand which malware families and campaigns they truly correlate with, and prioritize threats based on real activity levels, affected industries, and geographic spread.

As a result, threat hunting becomes faster, more precise, and firmly grounded in observed attacker behavior rather than assumptions or isolated IOCs. 

Earlier detection and better prioritization reduce incident likelihood, minimize response costs, protect critical assets, and allow security teams to focus resources on threats that pose real, measurable risk to the organization. 

5 Use Cases for Intelligence-Driven Threat Hunting in Your SOC 

Use Case 1: Turn MITRE Techniques into Detectable Attacks 

Hunting problem 

Teams know which MITRE techniques matter, but lack concrete data to build high-quality hunts. 

How hunters usually struggle 

They write generic detections based on technique descriptions, leading to noisy alerts and weak coverage. 

How TI Lookup helps 

Hunters can search directly by MITRE technique, for example T1036.003, one of the top techniques in 2025 according to ANY.RUN’s research. TI Lookup returns dozens of real attack executions, including processes, file artifacts, registry changes, and network activity. 

MITRE:”T1036.003″ 

Click any of the links to view an analysis session, observe a malware’s detonation, and watch the technique you explore in action.

Instead of guessing how a technique might look, hunters see how it actually behaves in live attacks. 

SOC / Business impact: 

• More precise hunts based on observed adversary behavior; 

• Fewer false positives due to less generic detection logic; 

• Faster time-to-detection for new implementations of known techniques. 

Use Case 2: Catch Relevant Threats while They’re Still Active 

Hunting problem 

Most security incidents escalate because detections lag behind fast-moving attack campaigns. By the time indicators are deployed, the campaign has already evolved and the business is exposed. 

How hunters usually struggle  

Teams rely on vendor reports and shared IOCs that arrive too late. By the time blocking rules are deployed, attackers have already rotated domains or delivery methods. 
 
How TI Lookup helps 

Hunters can validate campaign patterns against real, recent sandbox data.  

For example, when tracking enterprise email phishing using fake Microsoft login pages, hunters can search for domain patterns to identify the latest malicious domains. Sandbox sessions reveal full attack chains and associated artifacts. 

domainName:”^loginmicrosoft” 

Correlation with malware families such as EvilProxy provides additional context. Collected data is immediately usable for detection updates. 

SOC / Business impact: 

• Earlier disruption of active campaigns; 

• Higher confidence in detection updates with less post-deployment noise; 

• Reduced risk of compromise thanks to timely blocking. 

Use Case 3: Test YARA Rules Before They Flood Your SOC With False Positives 

Hunting problem 

YARA rules are powerful, but deploying them without proper validation often creates noise, blind spots, or both, directly impacting business security. 

How hunters usually struggle 

Rules are tested on limited sample sets, increasing the risk of false positives. 

How TI Lookup helps 

Test your YARA rule against millions of real malware samples before deployment and immediately see which samples it matches. 

Examine the matched files to understand precisely what your rule detects. You can identify false positives early, refine your rule to be more specific, or broaden it to catch additional variants. This validation happens in minutes rather than weeks, and in a controlled environment rather than production. 

See how it works on an example of an AgentTesla rule available in TI Lookup.

The rule targets the strings that Agent Tesla typically uses when building and sending stolen data reports (via email/SMTP, HTTP, Telegram bots, etc.). These strings come from the formatted logs or HTML-like reports the malware creates. 

SOC / Business impact: 

• Higher true positive rates for file-based detections; 

• Reduced false positives that would otherwise waste analyst time; 

• Confidence in detection coverage before production deployment. 

Use Case 4: Hunt What Actually Threatens Your Business 

Hunting problem 

Your team has a backlog of potential hunting hypotheses, but limited time and resources. You need to prioritize based on what’s actually threatening your organization right now. 

How hunters usually struggle 

They rely on intuition or outdated threat reports, wasting time on low-impact scenarios. 

How TI Lookup helps 

TI Lookup allows teams to focus hunts using real, recent attack data, filtered by industry, geography, and timeframe. 

Hunters can immediately see which malware families, campaigns, and techniques are actively targeting organizations like theirs right now. 

Let’s try to search for attack data relevant to financial organizations based in the United States. 

submissionCountry:”US” and industry:”finance” 

Contextual filtering reveals which malware families, attack techniques, and delivery methods are currently active against organizations like yours.  

• EvilProxy is linked to multiple campaigns in 2023-2025 specifically targeted senior executives in US banking and financial services (FinCEN). 

• As of early 2025, Tycoon is the most widespread phishing kit threatening the financial sector (Invenio IT).  

You can prioritize hunting efforts based on actual observed threats rather than general industry chatter. 

SOC / Business impact 

• Focus on real business risk rather than theoretical threats; 

• Less wasted hunting time on irrelevant attack patterns; 

• Better alignment between security operations and business priorities.  

Use Case 5: Turn TI Reports into Actionable Hunts 

Hunting problem 

By the time threat intelligence reports are published, many of the described attack patterns are already outdated or no longer active. 

How hunters usually struggle 

SOC teams invest effort into reports that no longer reflect active threats, resulting in delayed detections and wasted hunting time. 

How TI Lookup helps 

ANY.RUN’s Threat Intelligence Reports are created by analysts based on the freshest sandbox investigation data and come with ready-to-use TI Lookup queries. 

Instead of manually extracting indicators, teams can immediately test report findings against current, real attack data, verify whether the described patterns are still active, and collect fresh indicators for detections. 

Intelligence moves directly from the report to a hunt, enabling SOC teams to quickly gather additional details for enriching the company’s proactive defense. 

commandLine:”powershell*=Get-Date” 

By tying indicators from the reports to sandbox sessions, threat hunting teams get to observe the entire attack execution and use the evidence to build effective detection rules.  

SOC / Business impact 

• Faster hunt cycles from intelligence to detection; 

• Better ROI from threat intelligence research and subscriptions; 

• Continuous learning loop between intelligence and operations. 

What SOCs Gain, and Why the Business Cares 

For SOC teams:  

• Faster hunt planning: Reduce the research phase of threat hunting from hours to minutes. Access real attack examples immediately rather than piecing together information from multiple sources. 

• Better detection quality: Build detection rules based on actual attack behavior, not assumptions. Test and validate detections against real malware before production deployment, reducing both false positives and false negatives. 

• Less manual research: Eliminate the tedious work of correlating IOCs, searching through OSINT repositories, and extracting technical details from reports. Focus analyst time on analysis and decision-making rather than data collection. 

For businesses:  

• Earlier risk exposure: Identify threats proactively before they impact operations. Detect active campaigns targeting your industry while they’re still developing, not after damage occurs. 

• Fewer missed attacks: Close detection gaps by building comprehensive coverage of current attack techniques. Reduce the window between attack and detection through intelligence-driven hunting. 

• Higher ROI from existing security stack: Maximize the value of your current tools by feeding them better detection logic. Improve the signal-to-noise ratio across your security infrastructure, making every tool more effective. 

Your Move: From Reactive Defense to Proactive Discovery 

Threat hunting is only as effective as the intelligence that drives it. Without access to current, contextual attack data, even skilled analysts struggle to build detections that protect the business. 

TI Lookup and YARA Search change this equation by providing direct access to millions of real attack sessions. This intelligence-first approach, starting with observable attack behavior rather than isolated indicators, enables SOC teams to hunt more effectively and demonstrate clear business value. 

About ANY.RUN 

ANY.RUN develops advanced solutions for malware analysis and threat hunting, trusted by 600,000+ cybersecurity professionals worldwide.  

Its interactive malware analysis sandbox enables hands-on investigation of threats targeting Windows, Linux, and Android environments. ANY.RUN’s Threat Intelligence Lookup and Threat Intelligence Feeds help security teams quickly identify indicators of compromise, enrich alerts with context, and investigate incidents early. Together, the solutions empowers analysts to strengthen overall security posture at enterprises.   

Request ANY.RUN access for your company   

The post How to Build Threat Hunting that Defends Your Organization Against Real Attacks appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More