In early October, Unity announced that game developers have a lot of work to do. The popular game engine, used for PC, console and mobile games, has a software vulnerability in it that requires all published games to be updated. The vulnerability was added eight years ago, in engine version 2017.01, so it affects all modern Unity games and applications on Android, Linux, MacOS, and Windows platforms.

It wasn’t only developers who reacted to the announcement. Valve announced that it would block Steam from launching games with unsafe settings, and Microsoft went further and recommended temporarily uninstalling vulnerable games until they can be patched.

So what is the threat from this vulnerability, and how to fix it without uninstalling games?

How the Unity vulnerability works

Exploitation of the CVE-2025-59489 vulnerability can cause a game to run malicious code, or give an attacker access to information on the given device. An attacker can pass startup parameters to the game, and vulnerable versions of Unity Runtime will process several commands intended for debugging: -xrsdk-pre-init-library, – dataFolder , overrideMonoSearchPath, and -monoProfiler, among others. With these commands, the Unity engine loads any libraries specified in the startup parameters – including malicious ones. It can load .dll files on Windows, .so libraries on Android and Linux, and .dylib libraries on macOS.

This way, a malicious application with low privileges can launch a game with modified startup parameters, and make it download and run the malicious library. Thus it will have the same privileges and access as the game itself.

Another type of attack that can exploit this vulnerability can be carried out remotely. If a game can be launched by clicking on certain hyperlinks in the browser (the game must be registered as a URI schema handler), the malicious site can first convince the user to download the malicious library file, and then launch the vulnerable game along with this library.

The danger of exploitation of this vulnerability depends largely on the game’s settings, version and OS settings, but Unity, Valve and Microsoft unanimously recommend updating all games on the system.

What’s the danger of a vulnerability in a game?

Exploitation of this vulnerability serves to escalate privileges and bypass defenses. An unknown application in modern operating systems is usually isolated from others and deprived of access to sensitive information. But it can still launch already installed applications. So when the game is launched with parameters crafted by an attacker, it loads a malicious library, and this library is considered by the system and its defense mechanisms to be part of the game. It has the same rights and access as the game itself, and can also slip under the radar of some antiviruses. Games sometimes require relatively high privileges in the system, so this is a way for an attacker to become, if not the administrator of the device, at least a “respected user”.

Is this vulnerability being exploited in real-world attacks?

Unity emphasizes that the flaw was discovered by ethical hackers and there is no evidence to date that the vulnerability is being used in real attacks. But given the widespread publicity of the issue and the ease of exploitation, any willing attacker could arm themselves with CVE-2025-59489 in just a couple of days. So taking precautionary measures won’t be unreasonable.

How to fix the vulnerability

The main work should be done by game developers. Having updated Unity Editor, they should recompile the game with the patched version of Unity Runtime, and publish it on the website or in app stores. Users need to keep track of updates to their Unity-based games, and update them promptly.

Valve has updated the Steam client and fixed this issue for those games that run via the client. Now it blocks the launch of games with the aforementioned dangerous parameters.

Microsoft has confirmed that the vulnerability doesn’t affect Xbox versions of games, but provides an extensive list of vulnerable games available in its app stores for other platforms. Until the vulnerabilities in the specified games are fixed, Microsoft recommends uninstalling them.

In addition to updating your games, be sure your computers and smartphones are protected by a comprehensive cyberthreat prevention system such as Kaspersky Premium. It not only prevents many vulnerabilities from being exploited, but also prevents first-stage malware from running.

How to fix a vulnerability if the game is no longer updated

For developers who don’t have access to the Unity editor or don’t support the game anymore, Unity offers the Unity Application Patcher app. It detects which version of Unity the game is using, and downloads an updated library (libunity.so for Android, UnityPlayer.dll for Windows, UnityPlayer.dylib for macOS), fixing the flaw. The patched game still needs to be republished on the website or app stores.

For gamers, only the Windows version of the patcher will be useful, since it’s very problematic to change the game component for MacOS or Android while keeping the game functional.

Kaspersky official blog – ​Read More

In September 2025, researchers at ETH Zurich (the Swiss Federal Institute of Technology) published a paper introducing Phoenix, a modification of the Rowhammer attack that works on DDR5 memory modules. The authors not only demonstrated the new attack’s effectiveness against 15 tested modules, but also proposed three practical use cases: reading and writing data from memory, stealing a private encryption key stored in memory, and bypassing Linux’s sudo utility protections to escalate privileges.

The Rowhammer attack: a brief history

To understand this rather complex study, we need to first briefly revisit the history of Rowhammer. The Rowhammer attack was first described in a 2014 research paper. Back then, researchers from both Carnegie Mellon University and Intel showed how repeatedly accessing rows of memory cells could cause adjacent memory cells to change value. These neighboring cells could contain critical data — the alteration of which could have serious consequences (such as privilege escalation).

This happens because each cell in a memory chip is essentially a capacitor: a simple component that can hold an electrical charge for only a short time. That’s why such memory is volatile: turn off the computer or server, and the data disappears. For the same reason the charge in cells must be frequently refreshed — even if no one is accessing that memory region.

Memory cells aren’t isolated; they’re organized in rows and columns, interconnected in ways that can cause interference. Accessing one row can affect a neighboring row; for example, refreshing one row can corrupt data in another. For years, this effect was only known to memory manufacturers — who tried their best to mitigate it in order to improve reliability. But as cells became smaller and therefore packed more tightly together, the “row hammering” effect became exploitable in real-world attacks.

After the Rowhammer attack was demonstrated, memory developers began to introduce defenses, resulting in Target Row Refresh (TRR) hardware technology. In theory, TRR is simple: it monitors aggressive access to rows and, if detected, forcibly refreshes adjacent rows. In practice, it wasn’t so effective. In 2021, researchers described the Blacksmith attack, which bypassed TRR by using more sophisticated memory-cell access patterns.

Developers adapted again — adding even more advanced defenses against Rowhammer-like attacks in DDR5 modules and increasing the enforced refresh rate. To further impede new attacks, manufacturers avoided disclosing which countermeasures were in place. This led many to believe that DDR5 had effectively solved the Rowhammer problem. However, just last year, researchers from the same ETH Zurich managed to successfully attack DDR5 modules — albeit under certain conditions: the memory had to be paired with AMD Zen 2 or Zen 3 CPUs, and, even then, some modules remained unaffected.

Features of the new attack

To develop Phoenix, the researchers reverse-engineered the TRR mechanism. They analyzed its behavior under various memory row access patterns and checked whether the protection triggered for adjacent rows. It turned out that TRR has become significantly more complex, and previously known access patterns no longer work — the protection now correctly flags those patterns as potentially dangerous and forcibly refreshes adjacent rows. As a result, the researchers discovered that after 128 TRR-tracked memory accesses, a “window of opportunity” of 64 accesses appears, during which defenses are weaker. It’s not that the protection system completely fails, but its responses are insufficient to prevent a value change in a targeted memory cell. The second window presents itself after accessing memory cells over the course of 2608 refresh intervals.

The researchers then studied these vulnerable points in detail to deliver a highly targeted strike on memory cells while knocking out the defenses. Put simply, the attack works like this: malicious code performs a series of dummy accesses that effectively lull the TRR mechanism into a false sense of security. Then the active phase of the attack occurs, which ultimately modifies the target cell value. As a result, the team confirmed that the attack reliably worked against all 15 tested DDR5 modules manufactured by SK Hynix, one of the market leaders.

Three real-world attack scenarios

A realistic attack must change a value in a precisely defined memory region — a difficult task. Firstly, an attacker needs detailed knowledge of the target software. They must bypass multiple conventional security controls, and missing the target by just one or two bits can result in a system crash instead of a successful hack.

The Swiss researchers set out to prove that Phoenix could be used to cause real-world damage. They evaluated three attack scenarios. The first (PTE) involved accessing the page table to create conditions for arbitrary reading/writing of RAM data. The second (RSA) aimed to steal an RSA-2048 private encryption key from memory. The third (sudo) involved bypassing the protections of the standard Linux sudo utility with the aim of privilege escalation. The study’s final results are shown in this table:

[phoenix-rowhammer-attack-results.jpg]

For some modules, the first attack variant (128 refresh intervals) was effective, while for others only the second (2608 intervals) method worked. In some experiments the RSA key theft and sudo exploits didn’t succeed. However, a method for arbitrary memory read/write was found for all modules, and the exploitation time was relatively short for this class of attacks — from about five seconds up to seven minutes. That’s enough to demonstrate that Rowhammer attacks pose a real risk, albeit in a highly constrained set of scenarios.

Relevance and countermeasures

The Phoenix attack shows that Rowhammer-style attacks can be carried out against DDR5 modules just as effectively as on DDR4 and DDR3. Though modules from a just single vendor were tested and the researchers uncovered a fairly simple weakness in that vendor’s TRR algorithm that will most likely be easy to fix, this is a significant step forward in the security research of memory modules.

The authors proposed several countermeasures against Rowhammer-type attacks. First, reducing the enforced refresh interval across all cells can significantly impede the attack. This may increase power consumption and chip temperature, but it’s a straightforward solution. Second, memory with an error correction code (ECC) can be used. This complicates Rowhammer attacks, although — somewhat paradoxically — it doesn’t make them completely impossible.

Beyond these obvious measures, the authors mention two more. The first is the Fine Granularity Refresh protection method, which is already being implemented. Built into the processor’s memory controller, it modifies memory-cell refresh behavior in order to resist Rowhammer attacks. As for the second, the researchers urge memory-module and chip developers to stop relying on proprietary security measures (“security through obscurity”). Instead, they recommend adopting an approach common in cryptography — where security algorithms are publicly available and subject to independent testing.

Kaspersky official blog – ​Read More

September brought big updates to ANY.RUN. From four new connectors that plug our sandbox and threat intelligence straight into the world’s top SIEM and SOAR platforms, to a redesigned Threat Intelligence Lookup home screen built for speed and simplicity, your SOC now works smarter and faster than ever.  

Add in 99 fresh signatures, 11 new YARA rules, and 2,322 Suricata rules, and you’ve got sharper coverage against the latest ransomware, stealers, and phishing campaigns. 

Product Updates 

Expanding the Ecosystem: New Connectors for Top SIEMs & SOARs 

We continue to grow the ANY.RUN ecosystem so security teams can work inside familiar platforms while gaining richer, faster visibility into threats. The new integrations with IBM QRadar SIEM, Palo Alto Networks Cortex XSOAR, Microsoft Sentinel, and Microsoft Defender bring sandboxing and real-time IOCs directly into your daily workflows. 

Instead of switching platforms or manually enriching alerts, analysts can now automate malware analysis, correlate logs with high-fidelity IOCs, and prioritize incidents faster; all without disrupting existing workflows. 

1. IBM QRadar SIEM: Enrich log and event correlation with real-time IOCs from ANY.RUN’s Threat Intelligence Feeds. Analysts can pivot from QRadar alerts straight into sandbox context for faster triage. 

2. Palo Alto Networks Cortex XSOAR: Build automated playbooks that include sandbox analysis enrichment, IOCs from TI Feeds, and Threat Intelligence lookup without leaving XSOAR. 

3. Microsoft Sentinel: Detonate suspicious files and links directly from Sentinel alerts and get enriched verdicts and IOCs fed back automatically. 

4. Microsoft Defender: Enhance endpoint alerts with Interactive Sandbox insights and live Threat Intelligence Feeds, reducing manual enrichment and improving accuracy. 

What Security Teams Achieve with ANY.RUN Connectors 

• Early Detection: Spot threats earlier in the kill chain with live IOCs from sandbox detonations, reducing breach risk by up to 42% compared to static feeds. 

• Reduced MTTR: Automating enrichment and triage cuts investigation time by up to 21 minutes per incident, accelerating containment and remediation. 

• Lower Alert Fatigue: With nearly 100% malicious IOCs, analysts waste less time chasing false positives, freeing focus for true high-risk alerts. 

• Higher Productivity: SOC efficiency improves by up to 3x as routine checks and manual correlation are eliminated. 

Connectors use API and STIX/TAXII standards, ensuring smooth deployment with no need for workflow redesign or extra infrastructure. By leveraging existing SIEM and SOAR platforms, teams avoid duplicate tools and infrastructure, reducing total cost of ownership (TCO). 

Updated Threat Intelligence Home Screen 

We’ve redesigned the Threat Intelligence (TI) Lookup home screen to make it more user-friendly and accessible for analysts of all levels. 

The new layout now includes: 

• Explore & Learn section: Quick access to daily top threats, public requests from the community, and expert-curated TI reports. 

• Beginner-friendly video tutorial: A short guide to help new users start searching, enriching, and analyzing IOCs right away. 

• Streamlined navigation: Cleaner interface for running lookups, YARA searches, or custom requests with advanced logic. 

With these improvements, both new and experienced analysts can get to actionable threat intelligence faster, learn from the community, and explore the latest attack trends all in one place. 

Along with the TI home screen, we’ve also updated the Threat Intelligence Feeds page. Now you can easily request a trial, download a sample, or set up an integration with your security systems in just a couple of clicks.  

Threat Coverage Update 

In September, our team continued to strengthen detection capabilities so SOCs can stay ahead of new and evolving threats: 

• 99 new signatures were added to improve coverage across malware families and techniques. 

• 11 new YARA rules went live in production, enhancing accuracy and hunting capabilities. 

• 2,322 new Suricata rules were deployed, expanding detection for network-based attacks. 

These updates mean analysts gain faster, more confident verdicts in the sandbox and can enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs. 

New Behavior Signatures 

This month’s signatures help analysts detect obfuscation, destructive activity, and persistence earlier in the attack chain. The new coverage spans ransomware, loaders, stealers, and RATs, alongside mutex detections of legitimate tools abused by attackers. 

Highlighted families and techniques include: 

YARA Rule Updates 

In September, we introduced 11 new YARA rules into production to help SOC teams detect emerging malware families, improve hunting accuracy, and broaden coverage across RATs, stealers, loaders, and C2 infrastructure. These rules give analysts faster verdicts and deeper visibility during investigations. 

Key additions include: 

New Suricata Rules 

In September, we added 2,322 new Suricata rules to strengthen network-based detections against phishing, exfiltration, and evasive malware activity. These rules help SOCs identify threats earlier at the network layer and reduce investigation blind spots. 

Key highlights include: 

• Google Auth Phishing Activity (sid:85003912): Detects phishing attempts based on mismatched domains and authorization URLs. 

• Generic Phishkit Exfiltration Attempt (sid:85003960): Flags HTTP requests from newly observed phishing frameworks, potentially PhaaS-based. 

• Tycoon 2FA Domain Generation Algorithms (sids: 85004041–85004047): Identifies DGA patterns across multiple TLD zones used by Tycoon 2FA infrastructure. 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide across industries like banking, manufacturing, telecom, healthcare, retail, and technology, helping them build faster, smarter, and more resilient cybersecurity operations. 

Our cloud-based Interactive Sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in under 40 seconds, with no complex infrastructure required.

Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, ANY.RUN empowers SOC teams to accelerate investigations, cut risks, and improve efficiency at every stage of the threat detection workflow. 

The post Release Notes: Palo Alto Networks, Microsoft, IBM Connectors and 2,300+ Suricata Rules appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data. 
• Cisco’s file census and DNS analysis show affected Internet Information Services (IIS) servers in India, Thailand, Vietnam, Canada, and Brazil, targeting organizations such as universities, tech firms and telecom providers. 
• UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions. 
• The group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity. 
• Talos found several new BadIIS malware samples in this campaign on VirusTotal this year — one cluster with very low detection and another containing simplified Chinese debug strings. 

---

In April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain.  

UAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation. 

Upon discovering a vulnerability in a target server, the group uploads a web shell to collect system information and conduct reconnaissance on the host network. They then enable the guest account, escalate its privileges to administrator level, and use this account to enable RDP. For persistence, they combine RDP access with SoftEther VPN, EasyTier (a decentralized virtual private network tool) and FRP reverse proxy tool. Subsequently, the group performs further privilege escalation using shared tools to gain system-level permissions and install BadIIS malware. To secure their foothold, they deploy defense mechanisms to prevent other threat actors from compromising the same server or disrupting their setup.

This blog post provides a comprehensive overview of the campaign’s victimology, including the regions affected and the potential consequences of BadIIS infections. It also details the attack chain, automation scripts employed, and the malware and shared hacking tools UAT-8099 commonly uses.

Victimology 

Based on Cisco’s file census and DNS traffic analysis, the affected IIS server regions include India, Thailand, Vietnam, Canada and Brazil. The targeted IIS servers are owned by organizations such as universities, technology companies and telecommunications providers. The compromised IIS servers redirect users to unauthorized advertisements or illegal gambling websites. The languages used on these websites assists with identifying the targeted regions or countries. While Talos observed that most victims were located within the same region as the compromised servers, some victims were affected when accessing compromised servers in different regions.

The majority of their targets are mobile users, encompassing not only Android devices but also Apple iPhone devices.

Attack chain 

In this campaign, the UAT-8099 group took advantage of weak settings in the web server’s file upload feature.

The target web server allowed users to upload files to the server, but did not restrict the file type, which allowed UAT-8099 to upload the web shell. This established initial access and gave them control over the compromised server. The following is the detected location of the web shell used in this campaign, which is identified as the open-source “ASP.NET Web BackDoor” web shell:

C:/inetpub/wwwroot/[REDACTED]/Html/hw/server.ashx

After dropping the web shell, Talos observed the actor utilizing it to execute commands such as ipconfig, whoami, arp and tasklist to collect system information and discover the host network information. Once the collection of information is complete, UAT-8099 enables the guest account, setss a password, and elevate the guest user privileges to administrator level, including the ability to access the system using RDP. Then, the actor uses another command to identify the network ports on which the TermService (Remote Desktop Services) process is actively listening. After completing creating a guest account and enabling the RDP on that target IIS server, the actor created a hidden account “admin$” and added it to Administrator permission privilege for long-term persistence.

Command	MITRE
cmd /c net user guest /active:yes & net user guest P@ssw0rd & net localgroup administrators guest /add & net localgroup Remote Desktop Users guest /add	T1136.001
cmd /c cd /d C:/Windows/SysWOW64/inetsrv/&for /f tokens=2 %i in (‘tasklist /FI SERVICES eq TermService /NH’) do netstat –ano | findstr %i | findstr LISTENING 2>&1	T1049  T1007  T1057
cmd /c net user admin$ P@ssw0rd /add	T1136.001
cmd /c net localgroup Administrators admin$ /add	T1098
cmd.exe /C net user test [REDACTED] /add	T1136.001
cmd.exe /C net localgroup administrators test /add	T1098

Table 1. Initial access, reconnaissance and addition of user credentials.

To maintain access to the target IIS server and install the BadIIS malware for SEO fraud, Talos observed the actor completing three steps to achieve persistence, escalate privileges, install malware and build a self-defense solution: 

1. UAT-8099 is deploying SoftEther VPN, EasyTier (a decentralized virtual private network tool) and fast reverse proxy (FRP). This setup enabled them to use RDP remotely to control the server.  
2. The actor also leveraged a shared public tool to escalate privileges on the IIS server. They then used Procdump to extract victim credentials, which were subsequently compressed with WinRAR. We assess that these actions were taken to finalize the installation of BadIIS for their SEO fraud activities.  
3. The actor installed D_Safe_Manage, a well-known Windows IIS security tool, to prevent other attackers from compromising the server and tampering with their BadIIS setup.

Command	MITRE
cmd /c C:/Users/Public/Libraries/install_VPN.bat	T1059.003
C:UsersPublicLibrariesmass.exe -c C:UsersPublicLibrariesconfig.yaml	T1133
cmd.exe /C frpc.exe -c frpc.ini	T1133
cmd /c C:/Users/Public/Music/mess.exe /install	T1133
C:UsersPublicVideosa.exe	T1548
C:UsersPublicVideosD_Safe_Manage.exe	N/A
C:/Users/Public/Videos/xmiis32.dll	T1496
C:/Users/Public/Videos/xmiis64.dll	T1496
C:/Users/admin$/Desktop/procdump.exe –accepteula -ma lsass.exe lsass.dmp	T1003
C:Program FilesWinRARWinRAR.exe a -ep1 –scul -r0 –iext — Videos.rar C:UsersPublicVideossystem.hive C:UsersPublicVideossam.hive	T1560

Table 2. Installation of tools, dumping user credentials for exfiltration and securing the installation.

Talos did not only observe UAT-8099 conducting SEO fraud, but also stealing high-value credentials, configuration files and certificate data. After successfully compromising the target IIS server and deploying their BadIIS tool, their next step was to search for valuable credentials, configuration files, and certificate data within the compromised system.

The commands Talos observed indicate the actor utilizes RDP to access the IIS server. Once inside, they leverage the ‘Everything’ graphical user interface (GUI) tool — a fast filename search engine for Windows — to locate high-value data such as logs, credentials, configuration files and sensitive certificates. Upon identifying relevant files, the actor used Notepad to review the content and employed Windows Crypto Shell Extensions (via rundll32.exe cryptext.dll) to open and inspect .crt certificate files, examining their properties and details.

Finally, all collected high-value files were consolidated into a hidden directory, specifically “Usersadmin$Desktoploade”. These files were then archived using WinRAR before being exfiltrated to the actor.

Command	MITRE
C:Usersadmin$DesktopEverything.exe -enable-run-as-admin	T1083
C:Windowssystem32NOTEPAD.EXE C:[REDACTED]Log10-09-2024.txt	T1005
C:Windowssystem32NOTEPAD.EXE C:[REDACTED]Log19-03-2025.txt	T1005
C:Windowssystem32NOTEPAD.EXE E:[REDACTED]-csr[REDACTED]-csr.txt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:.[REDACTED]-csrSTAR_[REDACTED]AAACertificateServices.crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:.[REDACTED]-csrSTAR_[REDACTED]SectigoRSADomainValidationSecureServerCA.crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:.[REDACTED]-csrSTAR_[REDACTED]STAR_[REDACTED].crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:.[REDACTED]-csrSTAR_[REDACTED]USERTrustRSAAAACA.crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:AAACertificateServices.crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:SectigoRSADomainValidationSecureServerCA.crt	T1649
C:Windowssystem32rundll32.exe cryptext.dll,CryptExtOpenCER E:USERTrustRSAAAACA.crt	T1649
C:Windowssystem32NOTEPAD.EXE C:UsersadmissionportalDesktop[REDACTED]_DB_UPDATE.txt	T1528
C:Program FilesNotepad++notepad++.exe C:UsersAdministrator.gitconfig	T1528
C:Program FilesNotepad++notepad++.exe C:UsersAdministrator.awsconfig	T1528
C:Program FilesNotepad++notepad++.exe C:UsersAdministrator.awscredentials	T1649
C:Windowssystem32NOTEPAD.EXE C:UsersAdministratorOneDrive – [REDACTED]website[REDACTED]-website.gitignore	T1528
C:Program FilesNotepad++notepad++.exe C:UsersAdministratorAppDataRoamingS3Browseraccounts.xml	T1528
C:Windowssystem32NOTEPAD.EXE C:WindowsdebugPASSWD.LOG	T1528
C:Windowssystem32NOTEPAD.EXE C:inetpubwwwrootHtml-[REDACTED]Htmlimagespasswd_web.xml	T1528
C:Windowssystem32NOTEPAD.EXE C:Users[REDACTED]AppDataLocalGoogleChromed_emxqyvqZxcvbnData3passwords.txt	T1528
C:Windowssystem32NOTEPAD.EXE C:Usersadmin$AppDataRoamingS3Browserlogss3browser-win32-2025-04-24-log.txt	T1528
C:Windowssystem32NOTEPAD.EXE C:Usersadmin$AppDataRoamingS3Browsers3 browser.settings-v3	T1528
C:Program FilesWinRARWinRAR.exe x –iext -ow –ver — C:Usersadmin$Desktoploade.zip C:Usersadmin$Desktoploade	T1560

Table 3. Searching and preparing credentials and certificates for exfiltration.

Automation script used 

Talos also observed UAT-8099 dropping and executing three batch script files in some attacks to automate their tasks or to set up the compromised server for persistence and SEO fraud. The first script is for IIS module installation, as documented in Talos DragonRank and Trend Micro blog posts.

C:Windowssystem32cmd.exe /c C:ProgramDataiis.bat

The second script is for configuring RDP settings and related network activity on a Windows system, including past RDP usage, the RDP listening port, the status of the RDP service, associated network activity, and to configure the Windows firewall to allow RDP.

C:Windowssystem32cmd.exe /c C:ProgramDatafuck.bat

The third set of scripts is designed to establish and immediately trigger a persistent, high privilege scheduled task using “inetinfo.exe”, and then list all system scheduled tasks. The inetinfo.exe is a legitimate file “WMI V2 provider code generation tool” that is used by the actor to do DLL sideloading and run the Cobalt Strike in memory. The detailed Cobalt Strike analysis will be described in the next section.

C:Windowssystem32cmd.exe /c C:ProgramData1.bat

User-defined reflective loader of Cobalt Strike beacon 

Talos observed UAT-8099 utilized Cobalt Strike as their backdoor in this campaign. They employed DLL sideloading as a method to execute the backdoor and also established a scheduled task to maintain persistence on the compromised systems.

The encrypted first-stage payload is embedded within the wmicodegen.dll file. When this DLL is loaded by the legitimate WMI V2 provider code generation tool, it uses the VirtualQuery API to allocate a block of memory specifically for this first-stage payload.

After decrypting the first stage payload, we can see both the second stage payload combined with a small piece of shellcode, and the third stage payload, which is encrypted and encoded with Base64.

When jumping into the third stage payload, we observed it is a DLL file but without the original PE header. We also identify this third stage payload as the User-Defined Reflective Loader for the Cobalt Strike beacon. The erased original PE header and heavy obfuscation in each stage are consistent with the blog description. In addition, the machine information collection structure is also the same as the beacon structure such as listener name, computer name, username and process name. The listener name in this campaign is PUBG.

Most importantly, the DLL file contains the “udrl.x64.dll” and “customLoader” inside that also match with the User-Defined Reflective Loader blog description. Using a URL that mimics a legitimate content delivery network (CDN), along with ports and paths typical of Exchange servers, enables the attacker to blend in with normal network traffic and avoid detection by security analysts.

New BadIIS variant  

Talos’ analysis of the BadIIS variants used in this campaign revealed functional and URL pattern similarities to a variant previously documented in the Black Hat USA 2021 white paper and a Trend Micro blog. However, this new BadIIS malware has altered its code structure and functional workflow to evade detection by antivirus products. Additionally, we identified several instances of the BadIIS malware on VirusTotal this year. One cluster exhibited very low detection rates and the other showed simplified Chinese debug strings inside the malware.

First cluster of new BadIIS

The first cluster of new BadIIS malware implements handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. Both handlers use the “User-Agent” and “Referer” fields from the incoming HTTP headers to determine which malicious function to execute. Specifically, this malware targets requests where the “User-Agent” is Googlebot and the “Referer” is google.com, confirming that the user and crawler accessed the compromised website via the Google search engine only. Below, we describe how the malicious functions, including proxy, injector and SEO fraud, trigger.

SEO manipulation schemes 

The OnBeginRequest handler processes incoming requests by examining the “User-Agent” and “Referer” HTTP headers to proxy or Injector responses. When the request is detected as originating from Googlebot and meets a specific URL path condition, the request is forwarded through a Proxy function. The targeted URL path pattern is as follows:

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu|yono|apks|android|hots|vna|craps|banca|online|sicbo|uono|yono|cocs|matkas

Alternatively, if the request is not from Googlebot, the system then checks if it was referred by a Google search and if the same URL path condition is satisfied, in which case it proceeds to inject JavaScript. The injected JavaScript embeds a C2 URL such as “http://[C2]/jump.html” or “http://[C2]/pg888.js”. This injection enables the actor to compromise users’ browsers by downloading malicious scripts from the C2 server.

The OnSendResponse handler first performs SEO fraud by delivering specific content from C2 server to requests where the “User-Agent” is Googlebot, manipulating search rankings to increase the visibility of the malicious content. This C2 content typically appears as a URL like “http://[C2]/u.php”. Subsequently, the function targets human users by conditionally injecting JavaScript when a request comes from a Google search and results in a 404 or 500 error page.

Technical highlights of each mode

Proxy mode

When operating in proxy mode, BadIIS first verifies the URL path to ensure the process is running in the correct mode. It then extracts the embedded C2 server address, which is encoded in hexadecimal bytes, and uses this C2 as a proxy to retrieve content from a secondary C2 server, subsequently responding to the IIS server.

Before responding to the Google crawler, it modifies the response data to resemble a valid HTTP response and uses the native HTTP module API “WriteEntityChunks” to insert data into the body of the HTTP response.

SEO fraud mode 

Talos identified that the actor employs a conventional SEO technique known as backlinking to boost website visibility. Google’s search engine uses backlinks to discover additional sites and assess keyword relevance. A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance exposure for the webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google. Algorithms like Penguin, introduced in 2012, and SpamBrain, launched in 2022, rigorously evaluate backlink quality. To exploit this, the actor compromises multiple IIS servers across the internet to conduct SEO fraud. In this SEO fraud mode, BadIIS serves numerous backlinks with HTML content to Google crawlers to improve search engine rankings.

One example of a backlink from the C2 server is shown in Figure 25, with additional compromised IIS servers performing similar backlink SEO fraud.

Injector mode 

In injector mode, BadIIS intercepts browser requests originating from Google search results. It connects to the C2 server to retrieve JavaScript code, then uses the “WriteEntityChunks” API to embed the downloaded JavaScript into the HTML content of the response. It then returns the altered response to redirect the user to the destination intended by the actor.

BadIIS retrieves malicious JavaScript code from a C2 server and redirects users to malicious websites instead of legitimate ones. By not embedding the JavaScript code directly in the binary, it allows easier modification of the redirect targets and helps evade detection by antivirus security products. The script is programmed to show a brief loading message before automatically redirecting the user to a malicious site. The redirect function and alert message vary across different C2 servers; some scripts reference two C2 servers and randomly select one with a 50% probability. Additionally, the alert message language is tailored to match the target region of the user.

Second cluster of new BadIIS 

The second cluster of the new BadIIS malware also includes handlers named “CHttpModule::OnBeginRequest” and “CHttpModule::OnSendResponse”. In this cluster, OnBeginRequest is used as a decision point to execute before any intensive processing occurs, while OnSendResponse handles output modification to ensure that no other module can override the redirect. This cluster also features three modes: SEO fraud mode, injector mode and proxy mode. Notably, the injector and proxy modes operate under the SEO fraud mode umbrella, which itself has four variants tailored to different scenarios: 

• All interface hijacking targets all webpages on the webserver, replacing original content for both search engine crawlers and users.

• Homepage hijacking targets only the homepage, substituting its content for search engine crawlers and users.

• Global reverse proxy configures a proxy to automatically replace content for search engine crawlers and users.

• Specify URL path reverse proxy configures a proxy to automatically replace content for search engine crawlers and users.

The URL path pattern referred to as “Tezhengma” in the debug strings by the actor includes multiple versions. Some of these versions partially match the patterns found in the first cluster of BadIIS malware.

xxm|dabo|lingdu|images

cash|bet|gambling|betting|casino|fishing|deposit|bonus

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu

app|news|ios|android|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|qsj|rna|muv|zop|vna|apk|hots|cocs|mohu|banc

The injector mode injects JavaScript in each SEO fraud type when the user-agent and referer do not match its criteria. The algorithm is same as the first cluster BadIIS; it verifies the user-agent to identify search engine crawlers and checks the referer to determine if the user is browsing from an expected source.

User-agent	Referer
Baiduspider  Sogouspider  Sogou web spider  360spider  YisouSpider  Googlebot  Bingbot  BingPreview  MicrosoftPreview	baidu  sogou  sm[.]cn  360  so[.]com  toutiao  google  bing

Table 4. Combination of User-Agent and Referer headers used for injecting JavaScript to redirect the browser.

Coverage  

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for the threats are: 65346, 65345

ClamAV detections are also available for this threat:

• Win.Malware.SysShell-10058032-0
• Win.Malware.NewBadIIS-10058033-0
• Win.Malware.BadIISCR45-10058034-0
• Win.Malware.WebShellCn-10058035-0
• Win.Packed.CSBeaconCn-10058036-0

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More

AI is part of our lives whether we like it or not. Even if you are not quite a fan, or not a user at all, you probably came across multiple AI-generated avatars, pictures, scenes, videos, articles and even malware. 

All technological advancements are taken advantage of by society. They were discovered to be used, but some people just abuse them, and AI used for software development is not the exception. 

This time we’ll analyze FunkLocker, a ransomware strain by the FunkSec Ransomware group, whose creation was aided in an important part by artificial Intelligence. 

Key Takeaways 

• AI-assisted development: FunkSec ransomware strains, including FunkLocker, show signs of “AI snippet” coding patterns (Ask AI → Paste snippet), making them easy to build but inconsistent in quality. 

• Multiple builds, mixed stability: Some versions are barely functional, while others integrate advanced features such as anti-VM checks. 

• Aggressive disruption: FunkLocker forcefully terminates processes and services using predefined lists, often causing unnecessary errors but still leading to full system disruption. 

• System tools abused: Legitimate Windows utilities like taskkill.exe, sc.exe, net.exe, and PowerShell are heavily misused to stop apps, disable defenses, and prepare for encryption. 

• Local-only encryption: Unlike many modern ransomware groups, FunkSec encrypts files locally without contacting a command-and-control server, using the .funksec extension. 

• Ransom note quirks: Notes are dropped on the desktop, but system instability sometimes prevents victims from viewing them without a reboot. 

• Weak operational security: Reused BTC wallets and locally derived or hardcoded keys suggest sloppy practices. This has allowed researchers (e.g., Avast Labs) to build a public decryptor for FunkSec victims. 

• Key MITRE ATT&CK techniques: FunkLocker activity maps to techniques such as Masquerading (T1036.005), Service Stop (T1489), PowerShell execution (T1059.001), Network Share Discovery (T1135), and Inhibit System Recovery (T1490), among others. 
• Detection and Response: SOCs can utilize ANY.RUN’s Interactive Sandbox to safely detonate samples of FunkLocker, identify its malicious activities in seconds, and gather critical threat insights for fast mitigation of the attack.

Artificial Intelligence, Natural Evil 

This is not the first time we see AI-aided malware, or even malware fully written by an AI. Just recently, another strain, PromptLocker, made it to the news. But FunkSec has been active for quite a while and even managed to publish many victims in their DLS. 

There are many samples, some more stable than others, and a few barely functional. Interestingly, the older builds (dating back to January of this year) included an anti-VM capability that detected virtualized environments with high accuracy before refusing to run. 

That build was also characterized by its livid colours displayed in the terminal text while running. This one, found in late July, features a monochromatic style and is missing the anti-VM feature. While this could indicate it being an older build, the lack of a standardized versioning schema, like other groups such as LockBit,  makes it hard to confirm. 

Here is FunkSec’s AI-assisted ransomware sample analyzed inside ANY.RUN’s sandbox:  

The sandbox exposes the threat in seconds, providing an actionable TTP and IOC report for fast, confident response and mitigation.

Victims and Target Regions 

By early 2025, FunkSec had been linked to more than 120 compromized organizations worldwide, hitting targets in government institutions, the defense sector, tech companies, financial services, and higher education. 

The group’s first reported attacks surfaced in November 2024, and in December they launched a dedicated data leak site to publicize stolen information. Since then, the tally of known victims has continued to grow, with estimates ranging from 120 to 170, and some trackers recording as many as 172 cases. Notably, at least 30 of these incidents involved organizations in the United States, alongside confirmed cases in India, Spain, and Mongolia. 

Execution and Process Disruption 

Immediately after execution, all our setup will go dark, and this is caused by the malware bashing its way through different processes in order to stop them. Why bashing? Because it doesn’t take a fraction of a second to list the running applications and stop them in a strategic way; it just acts on a predefined list, causing multiple errors when trying to stop non-existing ones. 

It will also attempt to stop multiple services, again, matching them with a hardcoded predefined list, causing another set of errors. Some of these occur because the services are not running at all, and others because they simply can’t be stopped due to dependencies from other services that rely on them to function. 

This seems like the result of someone individually studying which services to stop and adding them to a list, without adding a layer of context on which ones depend on others or which ones could actually not be running (optional). 

This doesn’t stop the malware from continuing its raid, and eventually the file system is encrypted. The first and most obvious change is the extension of our files, which is now .funksec, but there’s more than meets the eye. 

Let’s take a look at the process tree behind the sample. FunkLocker — aside from clubbing everything in its reach — is pretty “structured”, where each of its steps is represented by a legit system tool being abused or a PowerShell script executed procedurally, suggesting an “Ask AI → Get snippet → Paste snippet” development cycle. 

PowerShell and System Abuse 

The PowerShell routine is based on four commands: 

• The first one stops Windows Defender via DisableRealtimeMonitoring. 

• The second one relies on wevtutil to deactivate Security Events logging. 

• The third one uses wevtutil again to deactivate Application Events logging. 

• The fourth and final one sets the Execution Policy to Bypass, allowing unrestricted PowerShell execution during that session. 

Abused tools include net.exe and its compatibility-mode counterpart net1.exe, used to check if there are any network sessions established. 

taskkill.exe is used naturally to stop applications or tasks — in this case used to forcefully stop browsers like Chrome, Firefox, and Edge, daily-use apps like Notepad, Skype, Spotify, programming environments like Java, Python, and Node, and even Steam, among a long list of other apps. 

sc.exe, which is Windows Service Control, is used as a tool (or club) to stop services like Windows Defender & Firewall, SMB (Shared Folders), the Event Log, the Shell Experience Host (which is why our screen turns black), and other absolutely not-necessary services like Bluetooth or Audio. 

Encryption and Ransom Note 

After that, Shadow Volume Copies are taken care of, deleted, by abusing the Volume Shadow Service Administrator (vssadmin) to wipe them silently. This prevents the victim from locally restoring the system to a previous state, effectively removing any chance of rollback using Windows’ built-in recovery mechanisms. 

Now for the encryption part — FunkLocker didn’t attempt to contact a remote server at any time, as all the encryption process occurred locally. We’ve seen similar behavior in a previous article when we analyzed Mamona Ransomware. 

While this may seem like it could make the malware easier to hide and harder to track — due to the lack of network infrastructure in the short term — it is beneficial in the long run, and you’ll soon see why. 

The ransom note is dropped right on the desktop but, with the unnecessary killing of the Shell Experience Host service, we’re left with few chances but to reboot our server to view it (if it ever boots again after its intense contusions session). 

Luckily, ANY.RUN’s Interactive Sandbox has a reliable system which allows us to capture any created, deleted or modified file directly from its GUI. So, let’s take a look. 

From here we can notice a BTC address which, after a quick inspection, shows that it has transacted just a few times for around $3,000 USD, suggesting once again that this wallet is shared across different victims or is a default one. 

Using this instead of receiving a unique wallet, summed up with the technical aspects we saw before. And the chances of encryption keys being either derived locally or hardcoded, highlights the “homemade AI-assisted” fashion of this strain. 

This is where things get shinier for victims, because deriving keys locally (or having them hardcoded) greatly improves the chances of a decryptor being made. And this is exactly what happened: Avast Labs was able to create a decryptor for FunkSec, which will give some hope to affected organisations. 

After sharing the bad news (ransomware) and the good news (decryptors), it’s time to move on to the ATT&CK Matrix, which ANY.RUN does automatically for us. 

MITRE ATT&CK Techniques 

FunkLocker does a lot of things which could be pinned down individually and used as “footprints” to understand how it works:

How Security Teams Should Respond 

FunkSec shows how AI is changing the pace and style of ransomware development. For security leaders, the lesson is less about one strain and more about the trend it represents. A few priorities stand out: 

• Prioritize behavioral detection: Static indicators aren’t enough when code can be generated and tweaked with AI. Monitoring behaviors, especially misuse of system tools, becomes essential. 

• Invest in rapid visibility: The longer it takes to understand what’s happening inside an endpoint, the higher the cost of downtime. Tools that reveal the full execution chain within minutes are critical. 

• Test your recovery: With shadow copies removed, recovery depends on isolated backups and practiced response playbooks. Tabletop exercises should assume ransomware disables standard rollback options. 

• Close the skill gap: AI makes it easier for criminals to write malware, but defenders can also lean on AI-driven or interactive platforms to augment analysts and shorten investigation times. 

The takeaway: FunkSec isn’t just about today’s attacks. It’s a signal that the future of ransomware will be faster, messier, and more frequent, and security leaders should prepare their defenses accordingly. 

About ANY.RUN 

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.  

Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.  

Explore more ANY.RUN’s capabilities during 14-day trial→ 

Further Reading and IOCs 

ANY RUN Session: https://app.any.run/tasks/4032b92d-c9bf-463b-a93b-dc2f95b73797  

FunkLocker Decrypted: https://www.gendigital.com/blog/insights/research/funksec-ai 

SHA256: c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c 

FileName: C:UsersadminDesktopREADME-ZasRvdSR44.md 

SHA256: e29d95bfb815be80075f0f8bef4fa690abcc461e31a7b3b73106bfcd5cd79033 

The post FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More