Phishing pages don’t sit still anymore. They redirect, load scripts, harvest credentials through dynamic forms, and rebuild their DOM after the initial load — and most URL analysis workflows still only see the finish line, not the race. This June, ANY.RUN closed that gap directly inside the Interactive Sandbox and extended its automation reach with a new integration built for scale.
Here’s what your team can put to work this month: full browser-level visibility for every URL analysis, a no-code path to embed ANY.RUN in Torq playbooks, and over 1,100 new detections across behavior signatures, Suricata rules, and YARA rules.
Product Updates
June’s releases focus on closing the visibility gap in phishing investigations and giving SOC and MSSP teams a faster route from alert to automated response. The headline update is in-browser data inspection, a new investigation layer in the Interactive Sandbox, alongside a new integration with the Torq AI SOC Platform.
Closing the Phishing Blind Spot with In-Browser Data Inspection
Modern phishing campaigns rarely stop at a malicious URL. They rely on dynamic content, JavaScript, multi-stage redirects, credential harvesting forms, and browser-based tricks that often remain invisible to traditional analysis methods.
This month, ANY.RUN introduced In-Browser Data Inspection, a new capability that captures browser-rendered content during URL analysis, revealing exactly what users would experience when interacting with a suspicious website.
Instead of relying solely on page source or network data, analysts can now inspect:
Fully rendered web pages and dynamic content;
Phishing forms and credential collection attempts;
Client-side JavaScript execution;
Redirect chains and browser behavior;
Hidden elements designed to evade detection.
See all URL details, DOM changes, network requests, and IOCs in one place
For SOC analysts, this means fewer blind spots during phishing investigations and faster validation of suspicious URLs.
For security managers and CISOs, it means higher confidence in phishing detection, quicker incident triage, and better protection against increasingly sophisticated browser-based attacks.
Scaling Triage and Response with the ANY.RUN & Torq Integration
Alert volume keeps growing faster than SOC headcount, and every alert that lands without context costs an analyst time they don’t have. ANY.RUN’s new integration with the Torq AI SOC Platform puts conclusive malware and phishing verdicts directly into the automated workflows teams already build in Torq: no custom code, no months-long rollout.
The integration ships with five ready-to-use Torq HyperAgents covering two workflow types: case-based templates that pull observables straight from an open Torq case for enrichment, and standalone sandbox workflows that accept a URL or file as input and return a full verdict, IOC list, and report link anywhere in a custom automation chain. Results — reputation data, threat names, tags, and structured JSON — land directly in Torq Case Management, ready to branch on.
Teams integrating ANY.RUN into Torq gain:
Faster incident resolution, with an average MTTR reduction of 21 minutes per case.
Operational scaling without added headcount, as HyperAgents absorb routine Tier 1 enrichment work.
Zero development overhead, with a no-code setup that’s live in minutes rather than months.
Standardized investigation logic, so every alert is checked against the same high-fidelity criteria regardless of analyst experience.
Higher ROI on existing tools, as ANY.RUN enriches the SIEM, EDR, and XDR data already flowing into Torq.
ANY.RUN’s Sandbox provides fast case enrichment in Torq
The integration is available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, giving SOC and MSSP teams a direct path to scale triage and response without scaling the team itself.
Experience the latest ANY.RUN capabilities. Gain deeper browser visibility and accelerate investigations with Torq-powered automation.
Keeping pace with evolving malware remains a core priority for our detection team. During June, we significantly expanded threat coverage with:
1,055 new Suricata rules,
65 new behavior signatures,
14 new YARA rules.
These additions improve detection across network traffic, behavioral activity, and malware samples, helping analysts identify emerging threats faster while increasing investigation accuracy. The continuous expansion of detection logic also strengthens the quality of intelligence powering ANY.RUN’s Interactive Sandbox and Threat Intelligence solutions.
New Behavior Signatures
The 65 new behavior signatures added this month target malware-specific activity helping analysts confirm what a sample actually does inside the sandbox, rather than inferring it from static traits alone. Coverage this month spans commodity stealers and loaders, RATs, and ransomware families active across recent phishing and malvertising campaigns.
A total of 1,055 new Suricata rules were implemented in June to improve visibility into malicious network activity, including:
Phishing Redirect Engine related URL (sid: 89003883) – Identifies various PhaaS operators’ infrastructure used as routing layer, delivering victim to specific phishkit landing pages.
Adobe-themed RMM phishing (sid: 84003399) – Tracks attempts to lure user into installing remote management tool, disguised as shared secure documents.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding andclearer evidence for response.
Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.
ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigationuncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.
Three-day patching deadlines, exposed fuel-tank systems, scams costing billions of dollars, and social media bans for children all gave Tony plenty to unpack in June 2026
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-07-01 09:06:262026-07-01 09:06:26This month in security with Tony Anscombe – June 2026 edition
For a US automotive manufacturer working with more than 200 active vendors, supplier file intake had become a growing security and cost challenge. Suspicious submissions often reached the SOC without enough context, forcing Tier 1 analysts to escalate most cases and slowing detection and response across the business.
By introducing a scalable triage and analysis process with behavioral sandboxing and threat intelligence, the company made alert processing and threat analysis 2x faster, improved MTTD and MTTR, increased its detection rate, reduced escalation pressure, and analyzed hundreds of files every week without adding headcount.
A US Automotive Manufacturer Built Around a Large Supplier Ecosystem
The company is a US-based automotive manufacturer operating within a highly interconnected supply chain. Its daily operations depend on continuous collaboration with more than 200 active vendors and third-party contractors.
These external partners regularly exchange files with the organization to support ongoing manufacturing, technical, and business processes. This makes supplier communication essential to keeping operations moving, but it also creates a large and constantly changing entry point for risk.
The SOC is responsible for protecting the company’s environment while ensuring legitimate supplier activity is not delayed. As the volume of incoming files grew, the team needed a way to analyzesubmissions consistently, improve detection and response speed, and reduce third-party exposure without increasing staffing costs.
The Challenge: Supplier Files Were Entering Without a Consistent Analysis Process
Before ANY.RUN, the company had no systematic process for analyzing files received from vendors and third-party contractors.
US Manufacturer’s security challenges
Existing security controls could flag a submission as suspicious, but they did not always show what the file would actually do after execution. Without behavioral evidence, analysts were left with incomplete indicators and uncertain verdicts.
“The volume itself was not the only challenge. The bigger issue was that analysts did not have enough context to quickly decide which supplier files were safe and which required further action.”
Head of SOC, US automotive manufacturer
This created several problems for the SOC:
A Security Gap in Supplier File Intake
Files could enter the environment without passing through a dedicated behavioral analysis layer.
This limited the company’s ability to identify threats that appeared harmless during static inspection but revealed malicious activity only after execution.
For a manufacturer with a large supplier ecosystem, this created meaningful third-party risk. A compromised vendor could become an indirect route into the organization, even when the manufacturer’s own internal defenses remained strong.
High Escalation Rates
Tier 1 analysts often lacked enough context to confidently close suspicious submissions.
As a result, the majority of these files were escalated to more experienced analysts. Senior team members had to spend time reviewing cases that could have been resolved earlier with clearer evidence.
Rising Investigation Costs
The supplier network continued to generate a high volume of files. Handling that growth through manual investigation would have required more analyst hours and, eventually, additional headcount.
Without a more scalable process, the company risked paying more just to maintain the same level of protection.
Longer Exposure to Potential Threats
Every delay in validating a suspicious file extended the period during which the organization could not confidently allow, block, or contain it.
In a manufacturing environment, a missed threat can affect more than an individual endpoint. It can disrupt operations, expose sensitive data, and weaken trust across the supplier network.
Building a Scalable Supplier File Triage and Analysis Process with ANY.RUN
The manufacturer introduced a consistent process for analyzing files received from vendors and third-party contractors.
By combining behavioral analysis with threat intelligence, the SOC gained both the evidence needed to understand what a file does and the context required to assess the wider threat behind it.
“We have over 200 active vendors sending files into the environment. ANY.RUN gave us a scalable way to analyze that volume and make triage much faster without adding headcount”
Head of SOC, automotive manufacturer
Instead of relying on isolated alerts or incomplete indicators, analysts could detect malicious submissions more accurately, reach verdicts faster, resolve more cases at Tier 1, and reduce the amount of senior analyst time spent on routine reviews.
This improved detection quality while contributing to lower MTTD and MTTR across supplier-related investigations.
Reaching Faster Verdicts with Behavioral Evidence
The SOC reduced triage time by giving analysts direct visibility into what suspicious supplier files did after execution.
Files were safely analyzed in ANY.RUN’s cloud-based Interactive Sandbox, where the team could review process activity, network connections, system changes, commands, and other behavior without exposing the production environment.
Full chain of a complicated EvilTokens attack on US companies analyzed in just 1 minute
This replaced incomplete indicators with clear evidence of whether a submission was malicious and how it could affect the business.
“We no longer have to spend time piecing together what a supplier file might do. The behavior is visible in one place, which makes decisions faster and easier to defend.”
Head of SOC, US automotive manufacturer
Structured and visual results also helped Tier 1 analysts move from alert to verdict with fewer manual checks. Instead of reconstructing file behavior across disconnected tools, they could validatesuspicious submissions faster and make more confident decisions.
The faster path from alert to confirmed verdict contributed to improved MTTD, while clearer evidence and fewer repeated checks helped reduce MTTR.
Cut investigation time with clear behavioral evidence Help analysts reach faster decisions.
Connecting Supplier Files to Wider Threat Activity
Behavioral analysis showed the team what each suspicious file did. Threat intelligence helped reveal whether the submission was connected to a larger risk.
Indicators uncovered during analysis could be linked to malicious infrastructure, related samples, known campaigns, and attacker activity. This gave analysts a clearer view of whether they were dealing with an isolated file or broader activity involving the company’s supplier ecosystem.
ANY.RUN’s Threat Intelligence used to explore broader threat context
The SOC also used this context to uncover additional indicators and behavioral patterns, strengthening internal detection controls beyond the original submission.
As a result, each investigation contributed to wider threat visibility. The team could resolve the immediate case while also identifying related activity that might otherwise remain hidden across the supply chain.
Resolving More Supplier Files at Tier 1
Before ANY.RUN, suspicious supplier files often moved up the escalation chain because Tier 1 analysts lacked enough evidence to confidently determine whether they were safe or malicious.
With behavioral analysis, threat intelligence, and structured Tier 1 Reports available in the same workflow, first-line analysts received clearer summaries of each case, along with practical recommendations for the next step.
AI Summary generated inside ANY.RUN’s sandbox for deeper analysis and faster handoff
This reduced the need to interpret every technical detail manually and helped analysts reach decisions faster. The company recorded a significant reduction in Tier 1 escalations, while Tier 2 received fewer low-context cases.
“Cases that can be resolved at the first level no longer consume Tier 2 time. When escalation is necessary, senior analysts receive the relevant evidence instead of having to restart the investigation.”
Head of SOC, US automotive manufacturer
The change reduced duplicated work and made better use of specialist expertise. Senior analysts spent less time repeating initial validation and more time investigating complex or high-impact threats.
More supplier files were resolved at the right level the first time, helping investigation queues move faster and lowering the cost of each case.
Analyzing Hundreds of Files Without Adding Headcount
The company now analyzes hundreds of supplier files every week without hiring additional analysts.
For the business, this is one of the clearest returns from the new process. The manufacturer increased its triage and analysis capacity while keeping staffing costs stable.
Instead of treating headcount growth as the only solution to rising file volumes, the company gave its existing team a faster and more consistent way to detect malicious activity and reach verdicts.
The SOC now absorbs more supplier activity without creating the same increase in labor costs or investigation backlogs.
This also gives the company a more sustainable foundation for growth. As the vendor network expands or file volume rises, the security team has a triage process that can scale with it.
Reduce third-party exposure before it affects operations. Increase security capacity without increasing headcount.
The manufacturer achieved a 2x improvement in alert processing and threat analysis speed, contributing to lower mean time to detect and mean time to respond.
Suspicious supplier files moved through triage twice as fast. Analysts identified malicious behavior sooner, reached confirmed verdicts with less delay, and passed high-risk cases into response with clearer evidence already collected.
Legitimate submissions were also cleared faster, reducing the time business teams spent waiting for a security decision.
“We cut the time it takes to move from a suspicious supplier file to a clear decision in half. That gave the business faster answers and reduced the time potential threats remained unresolved.”
Head of SOC, US automotive manufacturer
This faster process also reduced the company’s exposure window. Analysts reached evidence-backed verdicts sooner without sacrificing investigation depth, helping the SOC protect operations while keeping supplier workflows moving.
Before ANY.RUN
Result with ANY.RUN
Business Impact
No systematic process for analyzing vendor files
Hundreds of supplier files analyzed weekly
Greater triage capacity without additional hiring
No behavioral analysis layer in supplier file intake
Malicious behaviordetected through direct execution evidence
Higher detection rate and lower third-party exposure
Most suspicious submissions escalated by Tier 1
Significant reduction in Tier 1 escalations
More senior analyst capacity for critical incidents
Slow, context-limited investigations
2x faster alert processing and threat analysis
Improved MTTD and MTTR with a shorter exposure window
A Practical Model for Manufacturing Leaders Managing Third-Party Risk
For manufacturing leaders, supplier security is not only a SOC issue. It affects operational continuity, staffing costs, executive accountability, and the company’s ability to grow without increasing exposure.
A scalable approach should combine consistent file validation, broader threat context, and measurable outcomes.
Turn Supplier File Intake into a Defined Risk Control
A consistent triage helps the SOC apply the same standard to files received from vendors and contractors.
With behavioral evidence from the Interactive Sandbox and additional context from Threat Intelligence, teams can replace inconsistent manual checks with a repeatable validation workflow.
For leadership, this creates clearer oversight of one of the company’s most exposed third-party risk channels.
Increase Capacity Without Matching Growth with Headcount
Faster verdicts and fewer unnecessary escalations allow the existing team to handle more supplier submissions.
ANY.RUN reduces duplicated work, protects senior analyst capacity, and helps the SOC process higher file volumes without expanding at the same rate.
The result is lower investigation cost and greater value from existing security resources.
Protect Operations Without Slowing Supplier Activity
Suspicious files can be analyzed in a controlled environment before they reach internal systems, while legitimate submissions move through review faster.
This helps reduce the risk of supplier-borne threats without creating unnecessary delays for manufacturing, procurement, engineering, or other teams that depend on third-party collaboration.
Connect Individual Submissions to Wider Exposure
A suspicious file may be only one part of a larger campaign.
ANY.RUN’s Threat Intelligence solutions help teams connect indicators to known infrastructure, related samples, active campaigns, and broader attacker activity.
This gives leadership a clearer view of whether the company is dealing with an isolated submission or wider exposure involving suppliers and other external partners.
Demonstrate Measurable Business Value
The strongest supplier security programs are measured by outcomes, not by the number of files processed.
With ANY.RUN, organizations can track improvements such as lower MTTD and MTTR, higher detection rates, fewer Tier 1 escalations, greater analysis capacity, and shorter exposure windows.
These results make it easier to show how supplier security investments reduce risk, avoid additional staffing costs, and support business growth.
Improve MTTD and shorten the business exposure window.
Reduce supplier-driven risk before it affects operations.
For this US automotive manufacturer, supplier file intake had become both a security risk and a growing cost center. More than 200 vendors were sending files into the environment, while analysts lacked a consistent way to validate behavior, add threat context, and reach fast decisions.
With ANY.RUN, the company built a scalable triage process that now supports hundreds of supplier files every week without additional headcount. Threat analysis became 2x faster, MTTD and MTTR improved, detection increased, and fewer cases required Tier 2 escalation.
The result is a stronger security model for a complex supplier ecosystem: lower third-party exposure, better use of analyst time, and faster decisions that keep business operations moving.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate cyber threats faster and make evidence-based security decisions.
Its cloud-based Interactive Sandbox enables teams to safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for triage and response.
ANY.RUN’s Threat Intelligence solutions provide additional context around indicators, malicious infrastructure, emerging campaigns, and attacker activity. Together, these capabilities help organizations improve threat detection, reduce investigation time, and manage growing security demands without adding unnecessary operational costs.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-30 11:07:212026-06-30 11:07:21Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-30 02:06:292026-06-30 02:06:29Inside the inbox: Why cybercriminals want to break into your email account
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-27 03:06:272026-06-27 03:06:27SMB cyber readiness: the road to resilience starts here
Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.
In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.
Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.
Detailed research results
In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.
Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.
Here are the most common flaws found in the GitHub Actions we reviewed:
implicitly defined or overly broad access permissions,
lack of version pinning for used dependances,
configuration settings applied at the workflow level.
In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.
How can you stay safe?
Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.
Searching for misconfigurations in GitHub Actions.
The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-26 12:06:352026-06-26 12:06:35250,000 misconfigurations in GitHub Actions | Kaspersky official blog
ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-26 03:06:252026-06-26 03:06:25Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with Torq, a no-code/AI SOC automation platform, bridges this gap by delivering conclusive malware & phishing verdicts and actionable intelligence.
The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection.
ANY.RUN & Torq Integration
Unlike legacy SOAR approaches that often require custom code and months of implementation, Torq allows SOC and MSSP teams to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows.
At launch, users have access to 5 ready-to-use templates designed to accelerate time-to-verdict and standardize the investigation process.
Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation.
Available on ANY.RUN Threat Intelligence and Interactive Sandbox planswith API access, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.
Speed up triage & response inside Torq with ANY.RUN Scale your SOC capability without adding headcount
The Interactive Sandbox workflows allow analysts to detonate suspicious objects in real-time environments (Windows, Linux, macOS or Android) to uncover evasive behaviors. There are two types of templates available for sandbox analysis:
1. Case-Based Workflows
ANY.RUN’s Sandbox provides fast case enrichment in Torq
These are triggered directly from a Torq Case, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools.
Process: The analyst opens a case and launches the workflow. The system automatically retrieves observables or attachments, filtering for supported objects such as URLs or files. Analysts can then select specific objects for detonation.
Result: Analysis data is added to the case notes in real-time. This includes a brief context, reputation, threat names or tags, and a structured JSON response. Additionally, a direct link is provided, allowing the analyst to jump into the ANY.RUN session to continue a manual, interactive analysis.
These templates are designed to be embedded as a specific step within a larger, custom incident response flow.
Process: Unlike case-based templates, these function independently of a specific case. They accept a URL or File as an input parameter and initiate the ANY.RUN Sandbox analysis.
Result: The workflow waits for the analysis to complete and returns a structured JSON object containing the final verdict, analysis metadata, a list of IOCs, and a link to the full report. This data can then be passed further down the custom automation chain.
TI Lookup adds context to isolated indicators, giving SOC teams the clarity for correct decisions
The Threat Intelligence (TI) Lookup integration focuses on rapid enrichment of “raw” observables found in alerts, such as IPs, domains, hashes, and URLs.
Automation at Scale: When a case contains suspicious indicators, the TI Lookup workflow queries ANY.RUN’s vast database of threat data—continuously updated from millions of sandbox sessions.
Instant Context: The workflow returns high-fidelity data including the reputation of the indicator, threat names, and specific tags. This allows analysts to immediately understand the nature of a threat and decide whether to block the indicator or escalate the incident.
Enrichment Integration: Much like the sandbox workflows, TI Lookup results are delivered directly into the Torq interface as JSON data or case notes, ensuring that the analyst never has to leave their primary workspace to gather intelligence.
Setting up the integration is straightforward and requires no custom coding:
Navigate to Integrations within Torq and locate ANY.RUN.
Click Add, create a new instance, and enter your API key.
Go to the Templates tab and search for ANY.RUN templates.
Select your previously configured ANY.RUN integration to begin using the workflows.
By default, these playbooks are configured to be launched manually. This is a deliberate design choice to ensure that only appropriate objects are sent for analysis.
However, for high-volume environments, these templates can be easily integrated into broader, fully automated playbooks.
Key SOC & MSSP Benefits of Integrating ANY.RUN in Torq
ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI.
Faster incident resolution (MTTR): Automating sandbox analysis and threat intelligence correlation allows you to cut incident resolution time by tens of percent. Analysts get clear verdicts in seconds, enabling them to block threats before they spread.
Operational scaling: You can handle a growing volume of alerts with your current staff. By automating routine Tier 1 tasks, your team can focus on complex threats without a proportional increase in headcount.
Zero development overhead: Unlike custom integrations that require months of engineering, this no-code setup is ready in minutes. You get a functional automation foundation without the cost of writing or maintaining scripts.
Standardized investigation logic: Every alert is checked using the same high-fidelity criteria. This ensures consistent results and reduces the risk of human error, regardless of an analyst’s experience level.
Higher ROI on existing tools: ANY.RUN works as an enrichment layer inside Torq, making your SIEM, EDR, and other security investments more effective by providing them with immediate, actionable context.
Reduced analyst burnout: By eliminating manual data entry and constant switching between tools, you allow your team to focus on meaningful security work, which improves overall SOC productivity.
Integrate ANY.RUN’s solutions in Torq Close security gaps and reduce MTTR with confidence
Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, while our Threat Intelligence solutions (TI Lookup and TI Feeds) provide the necessary context to anticipate and stop today’s most advanced attacks.
The integration of ANY.RUN with Torq adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By utilizing these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows.
ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-25 03:06:322026-06-25 03:06:32ESET takes part in Operation Endgame to disrupt Amadey and Stealc
There are dozens of ways to break into someone else’s Telegram account. We’ve frequently covered phishing in Telegram Mini Apps, scams with bots, gifts, and giveaways, and many other tactics. Today, we’re looking at yet another account hijacking method, one that relies on a PowerShell script.
The script, deceptively named “Windows Telemetry Update”, actually serves as a tool for hijacking Telegram sessions. It harvests data from completely defenseless user computers and forwards it to the attackers via a Telegram bot.
An evil script with a stealer inside
Cybercriminals frequently rely on PowerShell scripts to covertly download malware or harvest data. This time, researchers uncovered a script on Pastebin masquerading as a routine Windows update. In reality, it was an infostealer designed to hijack Telegram for Windows session data and allow hackers to take over accounts without a password or verification code.
What’s a PowerShell script anyway? Think of it as a text file packed with commands for a Windows computer. Instead of a human spending time clicking through tasks manually, the computer follows these quick instructions to get everything done automatically in a matter of seconds.
This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes
Right at the top of the script, researchers immediately spotted a Telegram bot token and a chat ID, alongside multiple references to the tdata folder. This specific folder is where Telegram for Windows keeps the authorization keys used to log users in to its servers. If attackers grab this data, they can access the victim’s Telegram account without a password or verification code. Once inside, they maintain access until the victim checks their active sessions in the app and manually terminates the suspicious ones.
How the stealer works
The malware lands on the victim’s computer disguised as a PowerShell script for a Windows telemetry update. As soon as it runs, it gathers basic system information: the username, hostname, and public IP address. It then checks if Telegram Desktop is installed. If it is, the script forces the app to close so it can unlock Telegram files for editing.
From there, the rest is simple: the script zips up the entire contents of the tdata folder into a temporary directory, forwards the archive straight to the attackers, and wipes the file from the computer to erase its tracks.
The good news is that the stealer likely hasn’t compromised any accounts yet, as experts found no evidence of actual data transfers. It appears researchers caught this malicious PowerShell script while it was still in the prototype testing phase.
Another giveaway is its surprisingly suspicious name. Cybercriminals typically use neutral names to hide their bots and apps. In this case, when researchers found it, the bot was running under the burner handle afhbhfsdvfh_bot with a dead-honest description: Telegram attacker. Researchers noted that while the bot had likely undergone functional testing, it hadn’t yet been deployed at scale, which explains the placeholder name.
How to defend against PowerShell scripts
Defending against this nameless stealer requires a layered approach to security. First, it helps to understand how a PowerShell script ends up on your PC in the first place. Usually, they slip in unnoticed through malicious email attachments, software vulnerabilities, infected apps, or social engineering tricks. That’s why we recommend installing a robust security suite on your device and staying highly cautious about the links you click and the files you download.
Be careful what you download. Always double-check the websites you use to download files. Stick to trusted, official sources — and remember that Telegram and Discord channels, and sketchy, fly-by-night websites definitely don’t fit that description.
Watch out for email links and attachments. Keep in mind that email remains a favorite delivery method for cybercriminals. They might drop a PowerShell script directly into your inbox as an attachment or bait you into clicking a link that triggers an automatic download.
Keep your apps and OS updated. Software vulnerabilities pop up unexpectedly, but patches are usually released very quickly. We recommend installing updates as soon as they become available. To make life easier, just turn on automatic updates wherever possible.
Make sure to install Kaspersky Premium on every device where you run Telegram. Our security solution will block malware, malicious attachments, spam, phishing attempts, and sketchy websites. Kaspersky Premium subscription additionally includes a password manager. It’ll generate and securely store strong and unique passwords, stop you from entering your credentials on fake sites, and come in handy for tightening your Telegram security, which we’ll cover next.
How to secure your Telegram account
To protect your Telegram account from these types of hijacking schemes, make sure to:
Regularly monitor your Telegram activity. Ultimately, hackers steal accounts to blast out spam and run scams. It’s a good idea to periodically check your chat history to ensure no new conversations or messages have appeared that you didn’t send yourself.
Immediately terminate unrecognized sessions. If you suspect you’ve fallen victim to this infostealer or any other cyberattack, terminate all other Telegram sessions as soon as possible by going to Settings → Devices → Terminate all other sessions.
If your Telegram account has already been hijacked, you have a strict 24-hour window to kick the attackers out by terminating their sessions. We broke down exactly why this rule exists — and mapped out every possible way to reclaim your account — in our detailed guide: What to do if your Telegram account is hacked.
In the meantime, beefing up your account security is a must. First, set up a cloud password by heading to Settings → Privacy and Security → Two-Step Verification. Just any password won’t cut it — you need something unique and unhackable. We recommend reading our post on the subject: Creating an unforgettable password.
Better yet, make the switch to passkeys — a passwordless technology that offers top-tier protection against leaks and phishing. To set up that login method, go to Settings → Privacy and Security → Passkeys. The easiest way to manage your passkeys is with Kaspersky Password Manager. Our cross-platform app ensures you can seamlessly log in to Telegram using your saved passkeys whether you are on Windows, Android, iOS, or macOS.
To learn more about how cybercriminals can breach your Telegram account and how to lock it down, check out our other posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-06-23 19:06:312026-06-23 19:06:31How hackers use PowerShell scripts to steal Telegram accounts | Kaspersky official blog