Post: Influencers in the crosshairs: How cybercriminals are targeting content creators (admin, 2025-11-26 06:06:39)
Post: MDR is the answer – now, what’s the question? (admin, 2025-11-25 13:06:39)
Alert overload is one of the hardest ongoing challenges for a Tier 1 SOC analyst. Every day brings hundreds, sometimes thousands of alerts waiting to be triaged, categorized, and escalated. Many of them are false positives, duplicates, or low-value notifications that muddy the signal.
When the queue never stops growing, even experienced analysts start losing clarity, missing patterns, and risking oversight of critical threats.
Beyond Burnout: How Alert Fatigue Destroys Careers
Alert overload isn’t just unproductive — it’s toxic. Constant false positives create chronic stress, anxiety, and decision fatigue. Analysts doubt themselves, experience imposter syndrome, and burn out fast. Many leave the industry within years, citing mental health tolls like sleep loss and eroded confidence from missing “the big one” amid the chaos.
Tier 1 analysts who triage efficiently using context gain sharp investigation skills, earn trust for escalations, and accelerate to Tier 2/3 roles. They avoid burnout, stay passionate about cybersecurity, and position themselves as indispensable experts in a high-demand field. Solutions like ANY.RUN’s Threat Intelligence Lookup can provide a master key not only to an analyst’s career, but to the next level of SOC efficiency.
Cutting Through the Chaos: How Threat Intelligence Keeps Analysts Effective
Alert overload at Tier 1 creates bottlenecks: unnecessary escalations flood senior analysts, response times balloon, and real breaches slip through. This drains budgets on prolonged incidents, erodes team morale, and weakens organizational defenses, turning a proactive SOC into a reactive firefighting unit.
Threat intelligence gives analysts the missing piece they often need during triage: context. Instead of manually searching for data across multiple sources, TI instantly tells you what the alert is truly about.
Was this domain seen in phishing attacks? Is this hash connected to a malware family? Is the mutex associated with known malicious samples?
With enriched data, Tier 1 analysts spend less time guessing and more time making confident decisions. Context transforms alerts from ambiguous into actionable and significantly reduces both cognitive load and triage time.
The key is having threat intelligence that’s immediately accessible during your investigation workflow, comprehensive enough to cover the indicators you encounter, and current enough to reflect the latest threat landscape. When used effectively, threat intelligence doesn’t just help you process alerts faster. It improves your accuracy, reduces the anxiety of uncertainty, and helps you develop the threat intuition that distinguishes experienced analysts.
Context on Demand: Understand an Alert Fast
ANY.RUN’s Threat Intelligence Lookup provides immediate, precise context from one of the largest ecosystems of analyst-generated data worldwide. It connects information from 15,000+ SOCs and security teams and presents it in a clean, friendly format.
Search IOC, find context, verdicts, and malware samples
Stop guessing. Get instant context on any IOC in 3 seconds.
Try TI Lookup in your SOC workflows.
Instead of digging through scattered reports, teams get immediate answers: malware classification, sample behavior, network connections, relationships, and IOCs — all based on real sandbox runs.
This dramatically shortens triage time and reduces the chance of overlooking critical details hidden inside the noise.
Real-World Wins: See TI Lookup in Action
From Vague Domain to Clear Verdict
An alert flags a weird domain in network traffic. Paste it into ANY.RUN TI Lookup: instantly reveal if it’s a known C2 server, tied to ransomware like LockBit, with resolved IPs, associated hashes, and full attack chains from recent sandbox runs. Result? Confident closure or escalation, saving hours and stopping lateral movement cold.
Check domain, reveal malware family and campaigns in progress
How To Make a Hash Talk
EDR alerts on a dropped executable hash. Query TI Lookup: uncover the exact malware family (e.g., RedLine stealer), prevalence stats, extraction TTPs, and behavioral details from detonations. Benefit: Precise containment (block similar hashes), updated detections, and proof for stakeholders: no deep dives needed.
A process creates an odd mutex (mutual exclusion object). Search it in TI Lookup’s synchronizations tab: link it to families like DCRat or AsyncRAT, view creating processes, and jump to sandbox sessions showing persistence tactics. Outcome: Rapid hunting across endpoints, stronger YARA rules, and blocking reinfection before damage spreads.
Example query: syncObjectName:"*sm0:4360:304:wilstaging_02"
Mutex lookup results: links to malware families and samples
Stop Surviving Alerts. Start Dominating Them
Alert overload is not an inevitable curse of SOC work, it’s a solvable problem that demands both systemic improvements and individual strategy.
The difference between analysts who burn out and those who thrive often comes down to their ability to extract context quickly, make confident decisions, and focus their limited time on high-value investigations. Threat intelligence platforms like ANY.RUN’s Threat Intelligence Lookup are not magic solutions that eliminate alerts, but they are force multipliers that transform your effectiveness by providing the context that turns ambiguous indicators into clear decisions.
Cut through alert noise with one lookup.
Enrich IOCs instantly and triage faster.
By integrating threat intelligence into your daily workflow, you reduce investigation times from minutes to seconds, improve accuracy by relying on aggregated community knowledge, and build the pattern recognition skills that define senior analysts. The critical incidents hiding in your alert queue will only become visible when you clear away the noise efficiently enough to spot them.
Take control of your alerts before they control you, leverage the intelligence resources available to you, and remember that becoming a great analyst isn’t about handling every alert. It’s about handling the right alerts in the right way.
FAQ
1. Why is alert overload especially dangerous for Tier 1 analysts?
Tier 1 analysts are the first responders to every alert. High volume, repetitive tasks, and time pressure make it easy to overlook critical incidents and lead to burnout, stress, and reduced accuracy.
2. How does alert overload impact the quality of SOC operations?
Overwhelmed analysts escalate incorrectly, miss key signals, and slow down triage. This cascades across the SOC, delaying incident response and weakening the organization’s security posture.
3. What role does threat intelligence play in reducing alert overload?
Threat intelligence adds immediate context to alerts, helping analysts understand whether an IOC is benign or malicious without manual research. This shortens triage time and reduces cognitive load.
4. What makes ANY.RUN’s TI Lookup useful for Tier 1 analysts?
TI Lookup provides fast, behavior-based context from millions of real sandbox runs. Analysts can check domains, hashes, IPs, and mutexes in seconds and see relationships, malware families, and activity patterns.
5. Can TI Lookup help analysts avoid unnecessary escalations?
Yes. By revealing whether an indicator is tied to known malware, seen in threats before, or associated with clean activity, TI Lookup allows analysts to make confident classification decisions.
6. What types of indicators can TI Lookup enrich?
TI Lookup supports enrichment for domains, URLs, IP addresses, file hashes, mutexes, and many other IOCs, each supplemented by sandbox-based behavioral insights and real analyst data.
7. How does TI Lookup help prevent career burnout for analysts?
By reducing guesswork and manual searching, TI Lookup lowers stress, improves accuracy, and helps analysts manage workloads more sustainably — supporting long-term career growth instead of fatigue-driven turnover.
About ANY.RUN
ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions. Today, 15,000+ organizations worldwide use ANY.RUN to speed up investigations, strengthen detection pipelines, and give their teams a clearer view of what’s really happening on their endpoints.
SOC teams using ANY.RUN report measurable improvements, including:
Post: How to See Critical Incidents in Alert Overload: A Guide for SOCs and MSSPs (admin, 2025-11-25 11:07:08)
We recently detected a new malicious campaign that employs a rather intriguing approach. The actor creates their own signed builds of a legitimate remote access tool. To distribute them, they use an AI-powered service to mass-generate malicious web pages that convincingly masquerade as the official sites of various applications.
Read on to find out how this attack works, why it’s particularly dangerous for users, and how to protect yourself.
How the attack works
It appears that the malicious actor is utilizing several launchpad options for their attacks. First, they are clearly banking on a significant number of users landing on their fake pages through simple Google searches. This is because the fake sites most often have addresses that match — or are very close to — what users are searching for.
Looking through Google search results, you can sometimes catch a bunch of Pokémon fake sites masquerading as legitimate ones. In this case, we’re looking at Polymarket clones.
Second, they employ malicious email campaigns as an alternative. In this scenario, the attack kicks off with the user getting an email that contains a link to a fake website. The content might look something like this:
Dear $DOP holders,
The migration window from DOP-v1 to DOP-v2 has officially closed, with over 8B+ tokens successfully migrated.
We're excited to announce that the DOP-v2 Claim Portal is now OPEN!
All $DOP holders can now visit the portal to securely claim their tokens and step into the next phase of the ecosystem.
Claim Your DOP-v2 Tokens Now https://migrate-dop[dot]org/
Welcome to DOP-v2 — a stronger, smarter, and more rewarding chapter begins today.
Thank you for being part of this journey.
The DOP Team
Some of the malicious pages we discovered in this campaign masquerade as the websites of antivirus or password management applications. Their content is clearly designed to scare the user with fake warnings about some kind of security issue.
A fake Avira website warns of a vulnerability and offers to download an “update”
So, the attackers are also leveraging a well-known tactic known as scareware: foisting an unsafe application on users under the guise of protection against an imaginary threat.
A fake Dashlane page warns of a “high-severity encryption-metadata exposure affecting cloud relay synchronization”, whatever that’s supposed to mean. And of course, you can’t fix it unless you download something
Fake websites built with Lovable
Despite differences in content, the fake websites involved in this malicious campaign share several common features. For starters, their addresses are most often constructed according to the formula: {popular app name} + desktop.com — a URL that closely matches an obviously common search query.
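The naming formula above ({app name} + desktop.com, and the migrate-dop[dot]org lure from the email) is something a defender can hunt for in their own resolver or proxy logs. The following is an added example, not code from the post or from Kaspersky: it checks queried domain names against a brand watchlist for exactly that brand+word composition. The brand list (page brands plus a hypothetical "examplewallet"), the extra suffix/prefix words, the log line format and the log contents are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Brands the post says were imitated, plus a hypothetical "examplewallet" used in the
# constructed log below. In production this is your own brand/customer watchlist.
WATCHED_BRANDS = ["lace", "yoroi", "liqwid", "polymarket", "avira", "dashlane", "dop", "examplewallet"]

# The post's formula is {app name} + "desktop.com". The other words are assumptions
# that generalise the same idea to common "download me" lures.
SUSPECT_SUFFIXES = ["desktop", "app", "download", "install"]
# The DOP lure in the post used migrate-dop[dot]org, so prefix words are checked too.
SUSPECT_PREFIXES = ["migrate", "claim", "update"]

_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalise(domain: str) -> str:
    """Lower-case, strip a scheme/path, and undo common defanging ([dot], [.])."""
    d = domain.strip().lower()
    d = re.sub(r"^[a-z]+://", "", d).split("/")[0]
    for token in ("[dot]", "[.]", "(dot)"):
        d = d.replace(token, ".")
    return d.rstrip(".")


def registrable_label(domain: str) -> str:
    """Label directly left of the TLD (naive: no public-suffix list, so co.uk-style names are wrong)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str) -> Optional[Dict[str, str]]:
    """Return a hit describing which brand/word composition matched, or None."""
    d = normalise(domain)
    if not _DOMAIN_RE.match(d):
        return None
    label = registrable_label(d)
    for brand in WATCHED_BRANDS:
        for word in SUSPECT_SUFFIXES:
            if label in (brand + word, f"{brand}-{word}"):
                return {"domain": d, "brand": brand, "pattern": f"{brand}+{word}"}
        for word in SUSPECT_PREFIXES:
            if label in (word + brand, f"{word}-{brand}"):
                return {"domain": d, "brand": brand, "pattern": f"{word}+{brand}"}
    return None


# Constructed DNS resolver log lines (not from any real environment).
SAMPLE_DNS_LOG = [
    "2025-11-20T10:01:02Z client=10.0.0.5 query=examplewalletdesktop.com type=A",
    "2025-11-20T10:01:09Z client=10.0.0.5 query=www.examplewallet.example type=A",
    "2025-11-20T10:02:41Z client=10.0.0.7 query=migrate-dop.org type=A",
    "2025-11-20T10:03:15Z client=10.0.0.9 query=avira.com type=A",
]


def hunt(log_lines: List[str]) -> List[Dict[str, str]]:
    """Run the lookalike check over every queried name in resolver log lines."""
    hits = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)
        if m:
            hit = classify_domain(m.group(1))
            if hit:
                hit["line"] = line
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_LOG):
        print(h["pattern"], "->", h["domain"])
```

The check deliberately requires the whole registrable label to be brand plus word, so the legitimate brand domain itself and unrelated names that merely contain the brand string do not fire; a real deployment would add a public-suffix list and an allowlist of the brand's own domains.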
Besides, the fake pages themselves look quite professional. Interestingly, the appearance of the fake sites doesn’t exactly replicate the design of the originals — these are not direct clones. Rather, they are very convincing variations on a theme. As an example, we can look at some fake versions of the Lace crypto wallet page. One of them looks like this:
The first variant of the fake Lace website
And the other looks like this:
The second variant of the fake Lace website
The original Lace website looks a lot like these fakes, but it still differs from them in many obvious ways:
The real Lace website is simultaneously similar and dissimilar to the fake versions. Source
It turns out the attackers have weaponized an AI-powered web builder to create fake pages. Because the attackers cut corners and inadvertently left a few tell-tale artifacts, we managed to identify the exact service they are leveraging: Lovable.
Using an AI tool allowed them to significantly reduce the time required to create a fake, thereby churning out forgeries on an industrial scale.
Syncro remote administration tool
Another common feature of the fake sites involved in this campaign is that they all distribute the exact same payload. The malicious actor neither created their own Trojan nor bought one off the black market. Instead, they are using their own build of a perfectly legitimate remote access tool, Syncro.
The original app facilitates centralized monitoring and remote access for corporate IT support teams and managed service providers (MSPs). Syncro services are relatively inexpensive, starting at $129 per month with an unlimited number of managed devices.
Fake Yoroi crypto wallet site
At the same time, the tool possesses serious capabilities: in addition to screen sharing, the service also provides remote command execution, file transfer, log analysis, registry editing, and other background actions. However, Syncro’s main appeal is a simplified installation and connection process. The user — or, in this case, the victim — only has to download and run the installation file.
From that point, the installation runs completely in the background, secretly loading a malicious Syncro build onto the computer. Because this build has the attacker’s CUSTOMER_ID hardcoded, they instantly gain full control over the victim’s machine.
The Syncro installer window flashes on the screen for mere seconds, and only a keen-eyed user might notice that the wrong software is being set up.
Once Syncro is installed on the victim’s device, the attackers gain full access and can use it to achieve their objectives. Given the context, these appear to be stealing crypto wallet keys from victims and siphoning off funds into the attackers’ own accounts.
Another fake site, now for the Liqwid DeFi protocol. Although Liqwid offers only a web application, the fake site allows users to download versions for Windows, macOS, and even Linux
How to protect yourself against these attacks
This malicious campaign poses a heightened threat to users for two main reasons. First, the fake sites crafted with the AI service look quite professional, and their URLs aren’t overly suspicious. Of course, both the design of the fake pages and the domains used differ noticeably from the real ones, but this only becomes apparent in direct comparison. At a glance, however, it’s easy to mistake the fake for the original.
Second, the attackers are using a legitimate remote access tool to infect users. This means that detecting the infection can be difficult.
Our security solution has a special verdict, Not-a-virus, for cases like this. This verdict is assigned, among other things, when various remote access tools — including the legitimate Syncro — are detected on the device. As for Syncro builds used for malicious purposes, our security solution detects them as HEUR:Backdoor.OLE2.RA-Based.gen.
It’s important to remember that an antivirus won’t block all legitimate remote administration tools by default to avoid interfering with intentional usage. Therefore, we recommend that you pay close attention to notifications from your security solution. If you see a warning that Not-a-virus software has been detected on your device, take it seriously and, at the very least, check which application triggered it.
If you have Kaspersky Premium installed, use the Remote Access Detection feature — and, if necessary, the app removal option — that come with your premium subscription. This feature detects around 30 of the most popular legitimate remote access applications, and if you know you didn’t install them yourself, that is cause for concern.
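The same idea, "a remote access tool you did not install yourself is cause for concern", can be applied across a fleet with an inventory audit. The following is an added example, not code from the post or from Kaspersky's product: it compares installed-software records against a catalogue of remote administration products and a per-host approval list, and rates installs done by an interactive user (the scenario the post describes) higher than ones pushed by the deployment system. The catalogue, the approval map, the deployment account name and the inventory records are constructed assumptions.

```python
from typing import Dict, List, Optional, Set

# Partial catalogue of legitimate remote administration products, keyed by a
# lower-case fragment of the product name as an inventory agent reports it.
# Syncro is the tool the post describes; the others are well-known RMM/remote
# support products included only to show what such a catalogue looks like.
REMOTE_ACCESS_PRODUCTS = ["syncro", "teamviewer", "anydesk", "screenconnect", "splashtop", "rustdesk"]

# Assumption: IT maintains which remote tools are sanctioned on which hosts.
APPROVED: Dict[str, Set[str]] = {
    "it-admin-01": {"screenconnect"},
    "finance-laptop-07": set(),
}

# Account used by the organisation's software deployment system (assumption).
DEPLOYMENT_ACCOUNT = "deploy-svc"

# Constructed installed-software records, as an endpoint inventory agent might report them.
SAMPLE_INVENTORY = [
    {"host": "it-admin-01", "product": "ScreenConnect Client", "installed_by": "deploy-svc"},
    {"host": "finance-laptop-07", "product": "Syncro Agent", "installed_by": "jdoe"},
    {"host": "finance-laptop-07", "product": "Microsoft Edge", "installed_by": "deploy-svc"},
    {"host": "it-admin-01", "product": "AnyDesk", "installed_by": "deploy-svc"},
]


def identify_remote_tool(product_name: str) -> Optional[str]:
    """Map an installed-program name onto the catalogue, or None if it is not a remote tool."""
    name = product_name.lower()
    for tool in REMOTE_ACCESS_PRODUCTS:
        if tool in name:
            return tool
    return None


def audit(inventory: List[dict], approved: Dict[str, Set[str]]) -> List[dict]:
    """Flag every remote access product that is not sanctioned for its host.

    An install performed by an interactive user rather than the deployment system is
    rated high: that is exactly how the post's victims end up with Syncro on the box.
    """
    findings = []
    for rec in inventory:
        tool = identify_remote_tool(rec["product"])
        if tool is None or tool in approved.get(rec["host"], set()):
            continue
        severity = "high" if rec["installed_by"] != DEPLOYMENT_ACCOUNT else "medium"
        findings.append({
            "host": rec["host"],
            "tool": tool,
            "product": rec["product"],
            "installed_by": rec["installed_by"],
            "severity": severity,
            "action": "confirm with user and IT; remove if not sanctioned",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, APPROVED):
        print(f["severity"].upper(), f["host"], f["product"], "installed by", f["installed_by"])
```

The medium finding (a sanctioned-looking product on the wrong host) is as important as the high one: an attacker-supplied build of a tool IT uses elsewhere looks identical in the inventory, so approval has to be per host, not per product.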
Further recommendations:
Don’t download applications from dubious sources, especially on devices with financial or crypto apps installed.
Always double-check the addresses of the pages you’re visiting before performing any potentially dangerous actions like downloading an app or entering personal data.
Pay close attention to warnings from the antivirus and anti-phishing defenses built into our security solutions.
Post: Syncro + Lovable: RAT delivery via AI-generated websites | Kaspersky official blog (admin, 2025-11-21 17:06:55)
Post: The OSINT playbook: Find your weak spots before attackers do (admin, 2025-11-21 03:06:38)
Welcome to this week’s edition of the Threat Source newsletter.
This week, we explore how advances in agentic AI are rapidly transforming the cyber crime business.
Agentic AI programming gives AI agents autonomy, allowing them to interact with external systems to collect information, make decisions with the help of a generative AI system, and then effect changes in the external environment. The activity takes place through various APIs according to the instructions provided to the agent and in the context of a defined workflow.
The advantage for human operators is that these systems can efficiently execute routine activities that would otherwise require accessing multiple systems. Essentially, the AI agent acts as a trusted assistant who is able to get on with things with minimal supervision while the human operator can focus on other things.
As this approach brings advantages to the legitimate economy, so it brings similar efficiencies to the cyber crime economy. More recently, the publication of the discovery of the first AI-orchestrated cyber campaign should give us pause. It signals a new era for cybersecurity teams.
We’re entering a time when we can expect to see much experimentation and innovation with AI in both the legitimate and cyber crime economies. AI can act as a force enabler, making tasks easier and faster to perform. Similarly, AI can lower barriers to entry, allowing lower-skilled actors to carry out tasks they would otherwise lack the skills to perform. While AI does not bring new capabilities, it can make existing capabilities easier to execute. However, AI systems still require skillful instruction and supervision.
AI is not infallible: it gets things wrong, and it is prone to inventing nonsense. When it does go off the rails, a human needs to step in and resolve the situation. This is not necessarily easy to do and may prove tricky for low-skilled threat actors.
Don’t be discouraged: We can also leverage these developments to our advantage. Defensive teams can write their own agentic systems to find and fix weaknesses in their own systems before malicious actors identify them. We can deploy honeypot systems designed to be found by malicious AI systems, engage with them and tie up their resources.
The threat landscape has never been static. While AI does make some tasks more accessible to threat actors, it is a double-edged sword and also brings opportunities to defenders.
The one big thing
Cisco Talos has introduced new features for Snort3 users within Cisco Secure Firewall. A new “Severity” rule group allows you to organize detection rules by CVSS-based vulnerability severity (low, medium, high, critical). This allows teams to better prioritize and manage rules according to risk and urgency. You can also select rules based on vulnerability age (e.g., last 2, 5, or 10 years).
Why do I care?
This update allows you greater flexibility and control. It makes it simpler to maintain consistent, targeted detection coverage, whether you’re running large, distributed networks or smaller environments with tailored security priorities.
So now what?
Review your current Snort3 rule configurations in Cisco Secure Firewall and consider adopting the new Severity and time-based grouping features. By tailoring rule sets to your organization’s specific risk tolerance and patching cycles, you can optimize detection coverage, streamline management, and better protect your environments.
Top security headlines of the week
Critical railway braking systems open to tampering. Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. (Dark Reading)
EchoGram flaw bypasses guardrails in major LLMs. A flaw discovered in early 2025 and dubbed EchoGram allows simple, specially chosen words or code sequences to completely trick the automated defences, or guardrails, meant to keep the AI safe. (HackRead)
Over 67,000 fake npm packages flood registry in worm-like spam attack. The worm-like propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods Worm. The bogus packages masquerade as Next.js projects. (The Hacker News)
Cornerstone Staffing ransomware attack leaks 120,000 resumes, claims Qilin gang. The notorious Qilin gang posted the industry-leading recruitment agency on its dark leak blog last Thursday. The group claims to have exfiltrated 300GB of sensitive information from Cornerstone. (Cybernews)
Surveillance tech provider Protei was hacked, its data stolen, and its website defaced. It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8 and restored soon after. (TechCrunch)
Can’t get enough Talos?
The TTP: How Talos built an AI model into one of the internet’s most abused layers Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).
Humans of Talos: On epic reads, lifelong learning, and empathy In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.
Unleashing the Kraken ransomware group In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.
Post: It’s not personal, it’s just business (admin, 2025-11-20 20:06:50)
In many SOCs, phishing analysis still follows the same old pattern: manually pull apart URLs, inspect attachments by hand, take screenshots, collect indicators one by one… and hope nothing slips through in the process. It’s careful work, but slow.
Every step analysts normally handle themselves is condensed into a few seconds of automated detonation, real-time behavior tracking, and instant IOC extraction. That’s how a 15-minute job becomes a 60-second answer.
How Phishing Analysis Really Works: With vs. Without a Sandbox
Once the email is flagged as suspicious, analysts usually move through a predictable checklist: review the link or attachment, open it inside a safe environment, observe what happens, and extract indicators manually. Each phase takes time, and even small tasks (decoding a URL, grabbing a screenshot, checking a redirect) slow the investigation down.
When the same message is detonated inside ANY.RUN sandbox, the whole chain is captured automatically. The VM loads the content, follows redirects in real time, records every network request, and pulls out indicators as soon as the activity appears. Instead of digging piece by piece, analysts simply watch the behavior unfold and confirm the verdict.
A good example of this speed is a recent phishing case where attackers used Figma pages to kick off a credential-harvesting chain. Inside the sandbox, the entire Figma → Microsoft microdomain → Azure Blob Storage flow becomes visible in under a minute.
1. URL / Attachment Analysis
Without a sandbox: Analysts usually begin by checking links manually, opening attachments in a VM environment, or trying to reproduce the user’s click path. Even simple emails take time to decode and verify, often adding up to 5–10 minutes before any real behavior is observed.
With a sandbox: Upload the email or attachment, and the sandbox detonates it instantly inside a controlled VM. Initial behavior (connections, redirects, script execution) appears in 20–40 seconds, giving analysts a fast idea of whether the file is benign or dangerous.
2. Behavior Observation
Without a sandbox: Once the link or attachment is opened in a controlled VM, analysts have to follow the behavior manually: redirects, process launches, hidden scripts, background network calls. None of this is tracked automatically in a custom VM deployed locally.
The workflow is slow because everything happens in small pieces that need to be captured one by one. Depending on the complexity of the email, this phase can take anywhere from several minutes to well over ten, especially if the chain includes multiple hops or short-lived activity.
With a sandbox:
ANY.RUN’s process tree with a clear hierarchy showing every spawned process and its relationships
The moment the detonation starts, the sandbox records each action as it happens. Processes, redirects, and network requests appear live in the interface, so analysts see the full flow without chasing events across different tools. In most cases, the main behavior is already visible within 20–40 seconds, including activity that would be easy to miss during observation in a custom VM.
3. IOC Extraction
Without a sandbox: Collecting indicators is usually one of the most time-consuming parts of phishing analysis. Analysts have to pull out every domain, IP address, hash, and dropped file path manually, sometimes by repeating the execution to catch fast or hidden activity. Cross-checking each indicator across logs, browsers, and tools can stretch this phase to 5–10 minutes or more, especially when the redirect chain is long.
With a sandbox:
All IOCs extracted in one place for fast, focused analysis inside ANY.RUN
Indicators appear as soon as the activity occurs. Domains, IPs, file hashes, registry changes, and dropped objects are captured automatically and displayed in a single view. Instead of hunting for details, analysts simply review the list. This typically takes 10–20 seconds, even when multiple indicators are created during detonation.
4. Threat Matching
Without a sandbox: After gathering indicators, analysts typically check each domain, IP, and file hash in external reputation portals or TI sources. Moving between tools and validating each indicator one by one often adds 5–10 minutes, especially when the phishing chain produces several IOCs.
With a sandbox: Reputation details appear automatically as soon as indicators show up. The ANY.RUN sandbox displays the name of the threat, whether it is a malware family, a phishing kit, or even an APT. The threat coverage is continuously updated by ANY.RUN’s in-house team of threat hunters, researchers, and analysts.
Relevant clickable labels and Trends Tracker for deeper analysis of the threat
Suspicious findings are also labeled with clickable threat names, allowing analysts to jump directly to related public submissions for deeper comparison. Besides, a link to the Malware Trends Tracker provides broader context, showing how the threat behaves across other samples.
What normally requires several manual lookups takes 10–20 seconds, because the essential context is already available in the interface.
5. Incident Documentation
Without a sandbox: Documenting findings is one of the most tedious parts of phishing analysis. Analysts need to capture screenshots, save URLs, gather indicators, describe behavior, and assemble everything into a ticket or report by hand. Even when the case is simple, this often requires 5–10 minutes, and much longer when multiple steps or redirects are involved.
With a sandbox: A complete report is generated automatically as the detonation runs. Screenshots, network activity, redirects, process events, indicators, and threat labels are all captured and stored in a structured format.
Auto-generated report with gathered IOCs, TTPs, behavior details, screenshots, and more
Analysts can export the report instantly or link directly to it, so the case can move forward without manual writing or screenshot collection. This entire phase usually takes 10–20 seconds, since the documentation is created for you.
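Steps 3 to 5 above (IOC extraction, threat matching and documentation) are the parts of the workflow that can be scripted even without a commercial sandbox. The following is an added example, not ANY.RUN's code or report format: it takes a handful of constructed sandbox-style event lines modelled on the Figma → lure → Azure Blob Storage chain described earlier, pulls out URLs, hosts, IPs, a SHA-256, a dropped file and a Run-key change, matches hosts and IPs against a small local reputation table standing in for the TI lookups, and assembles a structured record a ticket could carry. The line format, the reputation table, the hostnames, the TEST-NET addresses and the hash are all constructed assumptions.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sandbox-style event lines. The "kind: detail" line format is an
# assumption made for this example, not ANY.RUN's report format; hosts, IPs
# (TEST-NET ranges) and the hash are made up.
SAMPLE_EVENTS = [
    "net: GET https://www.figma.com/proto/abc123/secure-document",
    "net: 302 -> https://login-verify.example-msft.invalid/oauth?redirect=1",
    "net: connect 203.0.113.45:443",
    "net: GET https://example-tenant.blob.core.windows.net/site/signin.html",
    "file: dropped C:\\Users\\victim\\AppData\\Local\\Temp\\update.hta sha256=" + "0123456789abcdef" * 4,
    "reg: set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "net: connect 198.51.100.7:80",
]

# Constructed local reputation table standing in for the TI lookups of step 4.
REPUTATION: Dict[str, str] = {
    "203.0.113.45": "malicious: constructed phishing-kit backend",
    "example-tenant.blob.core.windows.net": "malicious: constructed credential-harvesting page",
    "www.figma.com": "benign: legitimate service abused as the first hop",
}

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")


def extract_iocs(lines: List[str]) -> Dict[str, Set[str]]:
    """Step 3: pull URLs, hosts, IPs, hashes, dropped files and registry keys out of the events."""
    iocs: Dict[str, Set[str]] = {k: set() for k in ("url", "domain", "ipv4", "sha256", "file", "registry")}
    for line in lines:
        for url in _URL_RE.findall(line):
            iocs["url"].add(url)
            host = urlparse(url).hostname
            if host:
                iocs["domain"].add(host)
        iocs["ipv4"].update(_IPV4_RE.findall(line))
        iocs["sha256"].update(h.lower() for h in _SHA256_RE.findall(line))
        m = re.match(r"file: dropped (\S+)", line)
        if m:
            iocs["file"].add(m.group(1))
        if line.startswith("reg: set "):
            iocs["registry"].add(line[len("reg: set "):])
    return iocs


def redirect_chain(lines: List[str]) -> List[str]:
    """Hosts in the order they were first contacted, i.e. the Figma -> lure -> blob flow."""
    chain: List[str] = []
    for line in lines:
        for url in _URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in chain:
                chain.append(host)
    return chain


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a ticket (hxxp, [.])."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def match_threats(iocs: Dict[str, Set[str]], reputation: Dict[str, str]) -> List[dict]:
    """Step 4: look every host and IP up in the reputation table."""
    matches = []
    for kind in ("domain", "ipv4"):
        for value in sorted(iocs[kind]):
            label = reputation.get(value)
            if label:
                matches.append({"ioc": value, "type": kind, "label": label})
    return matches


def verdict(iocs: Dict[str, Set[str]], matches: List[dict]) -> str:
    """Malicious on any malicious reputation hit; suspicious if persistence/drops lack context."""
    if any(m["label"].startswith("malicious") for m in matches):
        return "malicious"
    if iocs["file"] or iocs["registry"]:
        return "suspicious"
    return "unknown"


def build_report(lines: List[str], reputation: Dict[str, str] = REPUTATION) -> dict:
    """Step 5: assemble the structured record a ticket would carry."""
    iocs = extract_iocs(lines)
    matches = match_threats(iocs, reputation)
    return {
        "verdict": verdict(iocs, matches),
        "chain": redirect_chain(lines),
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "defanged": {k: [defang(x) for x in sorted(iocs[k])] for k in ("url", "domain", "ipv4")},
        "threat_matches": matches,
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)
    print(report["verdict"], "->", " -> ".join(report["chain"]))
```

The benign reputation entry for the first hop is kept in the report on purpose: a legitimate service at the start of a chain is the reason static URL checks miss these emails, and recording it explains to the next reader why the verdict rests on the later hops rather than on the link the user clicked.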
The Time Difference: 15 Minutes vs. 60 Seconds
When you put each step side by side, the gap becomes obvious. Manual phishing analysis breaks the workflow into several slow checks, while an interactive sandbox condenses everything into one fast detonation.
Step                        Without a Sandbox   With a Sandbox
URL / Attachment Analysis   5–10 minutes        20–40 seconds
Behavior Observation        10–15 minutes       20–40 seconds
IOC Extraction              5–10 minutes        10–20 seconds
Threat Matching             5–10 minutes        10–20 seconds
Incident Documentation      5–10 minutes        10–20 seconds
Total Time                  ~15 minutes         ~60 seconds
What’s usually a long, repetitive workflow turns into a one-minute verdict. When a phishing wave hits and dozens of suspicious emails land in the queue, those saved minutes quickly add up, often freeing hours across a single shift.
Why This Speed Counts: The Business Impact Behind the Numbers
Cutting phishing analysis from 15 minutes to 60 seconds drives measurable improvements across the entire SOC.
90% of malicious activity is exposed within the first 60 seconds of detonation → analysts see the real behavior before the attacker has time to hide it
94% of users report faster triage → fewer tasks stuck in the queue, fewer delays during active phishing waves
SOCs that adopt interactive sandboxing see up to a 3× boost in investigation throughput → more cases closed per shift, less pile-up when suspicious emails spike
False-positive noise drops significantly → threat analysts spend more time on real signals and less on dead ends
Teams report up to a 58% increase in threats identified overall, including attacks that bypass other controls → behavioral visibility picks up what static checks miss
This combination of fast verdicts, clear behavior visibility, and automated context transforms phishing analysis from a slow manual chore into a fast, reliable, repeatable process.
Want to see how your SOC can speed up phishing investigations?
Discover how interactive analysis cuts investigation time and exposes phishing behavior in under a minute.
ANY.RUN helps security teams investigate threats faster and with far greater clarity. The Interactive Sandbox reveals full attack behavior in real time, from process execution and redirects to network activity and dropped files, giving analysts the visibility they need to make confident, evidence-based decisions.
Cloud-based and ready to use, ANY.RUN supports Windows, Linux, and Android environments, making it easy to analyze phishing emails, URLs, and malware without managing complex infrastructure.
Its Threat Intelligence Lookup and continuously updated TI Feeds provide automation-ready indicators that strengthen detection, enrichment, response, and reporting across security operations.
Together, these capabilities give analysts a fast, transparent, and reliable way to understand modern attacks and improve overall SOC performance.
Detected in 60 Seconds: How to Identify Phishing with a Malware Sandbox (posted by admin, 2025-11-20 10:06:43)
Black Friday is an annual bargain hunt that often spirals into chaotic impulse buying. Stores promise incredible discounts of 50–70%, but are those savings really as significant as they seem? In 2025, we’ve got a new ally on our side in the fight for smart spending: artificial intelligence. Here’s how you can use powerful LLMs like ChatGPT and Claude to save money and never fall for a shady seller’s tricks again.
Before we enlist AI to help you save, it’s crucial we understand the battlefield. Studies paint a grim picture: a significant portion of those Black Friday “super discounts” are nothing more than a marketing illusion.
The tactic is simple and effective: in early October, stores hike up their prices, sometimes by fifty to a hundred percent. Then, when Black Friday finally hits, they “slash” the price by that same 50% and proudly tout the impressive discount on the tag. In reality, you’re just buying the item at its regular price — or sometimes even paying a premium.
While the European Union’s Omnibus Directive mandates that retailers display the lowest price from the last 30 days, even this rule is easily skirted. Retailers just hike the price up 30 days before the event, which allows them to technically adhere to the directive while still duping consumers.
How LLMs can help you save
Artificial intelligence is changing the game. Analysts estimate that in 2024, AI tools helped consumers make a staggering $60 billion in transactions during Cyber Week, and that number is only projected to climb in 2025. Already, one in three U.S. shoppers plans to lean on AI for their shopping needs.
As you know, an LLM is immune to emotion; it won’t react to marketing triggers like “2 hours left!” or “only one left in stock!” Instead, the model analyzes huge volumes of data, compares prices, tracks price history, and helps you make rational decisions.
In seconds, AI can crawl hundreds of online stores, zeroing in not only on the product you want at the lowest price but also on cheaper alternatives with comparable specs. Modern LLMs can help you figure out if a discount is truly beneficial — or if you’re falling for a scam. Amazon, for example, has already integrated a price-tracking feature into its AI assistant, Rufus, though users have noted that the tool still has some kinks to work out. Using just a few prompts, the AI can factor in your preferences, budget, and past purchases to suggest exactly what you need, cutting through all the marketing noise. Instead of wasting hours poring over spec sheets, just ask the assistant, “What’s the difference between vacuum cleaner A and vacuum cleaner B?” And you get your answer — regardless of whether the seller’s website features a comparison tool. You can use the prompts below for ChatGPT, Claude, or Gemini.
Preparing for Black Friday with AI
Step 1. Create a wish list
Don’t wait for the sales to start; your goal is to gather all the baseline data upfront.
Help me create a shopping list for Black Friday. My budget is: [amount].
I'm interested in the following categories: [electronics/clothing/home goods].
Priorities: [performance/quality/brand/price].
Create a structured list with explanations of why each item is worth considering.
Step 2. Start tracking prices
This is a critical stage. You need to know the real price of an item before the Black Friday marketing hype machine starts rolling. On Amazon, tools like CamelCamelCamel and Keepa can help, and for AliExpress, look at AliPrice and AliTools.
Step 3. Analyze price dynamics
Collected the price data? Excellent. If you see a sharp price spike in October followed by a corresponding drop in November, you’re looking at the classic scam tactic. But if the data on the charts seems unclear, use the prompt below. The months we used are just examples, so feel free to use your own date ranges. The larger the intervals between the price checks, the higher your chances of catching an unjustified price hike.
I'm tracking [product name] on [platform]. Here's the price data:
- September: [price]
- Early October: [price]
- Late October: [price]
- Current price: [price]
- Advertised discount: [percentage]
Analyze this data. Is this a genuine discount or is the store manipulating prices?
When is the best time to buy? Should I wait for Black Friday or buy now?
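The spike-then-drop check described in Step 3 can also be done without an LLM. The following is an added example, not code from the Kaspersky post: it takes a tracked price history, derives the pre-hike baseline (median of samples older than 60 days before the sale), the Omnibus-style reference (lowest price in the 30 days before the sale), and reports the advertised discount next to the saving against the baseline. The 60-day hike window, the 20% hike threshold and the 5% minimum real discount are assumptions chosen for illustration, and all prices and dates are constructed sample data.

```python
from datetime import date, timedelta
from statistics import median
from typing import List, NamedTuple, Tuple


class PriceVerdict(NamedTuple):
    baseline: float               # typical price before the pre-sale period
    reference_30d: float          # lowest price in the 30 days before the sale (Omnibus reference)
    advertised_discount: float    # % off the "old price" printed on the tag
    discount_vs_baseline: float   # % off the pre-hike baseline, i.e. what you actually save
    pre_sale_hike: float          # % the pre-sale peak sits above the baseline
    manipulated: bool


def analyze_price_history(history: List[Tuple[date, float]], sale_date: date,
                          sale_price: float, stated_old_price: float,
                          hike_threshold: float = 20.0,
                          min_real_discount: float = 5.0) -> PriceVerdict:
    """Flag the hike-then-'discount' pattern. Thresholds are illustrative assumptions."""
    if not history:
        raise ValueError("need at least one tracked price")
    ref_start = sale_date - timedelta(days=30)    # Omnibus look-back window
    hike_start = sale_date - timedelta(days=60)   # assumed pre-sale hike window
    all_prices = [p for _, p in history]
    pre_hike = [p for d, p in history if d < hike_start]
    pre_sale = [p for d, p in history if hike_start <= d < sale_date]
    last_30 = [p for d, p in history if ref_start <= d < sale_date]

    baseline = median(pre_hike) if pre_hike else min(all_prices)
    peak = max(pre_sale) if pre_sale else baseline
    reference_30d = min(last_30) if last_30 else min(all_prices)

    advertised = round((stated_old_price - sale_price) / stated_old_price * 100, 1)
    real = round((baseline - sale_price) / baseline * 100, 1)
    hike = round((peak - baseline) / baseline * 100, 1)
    # A big pre-sale hike whose "discount" barely beats the old baseline is the scam pattern.
    manipulated = hike >= hike_threshold and real < min_real_discount
    return PriceVerdict(baseline, reference_30d, advertised, real, hike, manipulated)


# Constructed sample: price hiked 50% in early October, "slashed" for Black Friday.
SALE_DATE = date(2025, 11, 28)
HIKED_HISTORY = [
    (date(2025, 9, 1), 100.0),
    (date(2025, 9, 15), 100.0),
    (date(2025, 10, 5), 150.0),
    (date(2025, 10, 25), 150.0),
    (date(2025, 11, 10), 150.0),
]
# Constructed sample: stable price, genuine 30% cut.
HONEST_HISTORY = [
    (date(2025, 9, 1), 100.0),
    (date(2025, 9, 15), 100.0),
    (date(2025, 10, 5), 100.0),
    (date(2025, 11, 10), 100.0),
]

if __name__ == "__main__":
    print(analyze_price_history(HIKED_HISTORY, SALE_DATE, sale_price=99.0, stated_old_price=150.0))
    print(analyze_price_history(HONEST_HISTORY, SALE_DATE, sale_price=70.0, stated_old_price=100.0))
```

In the hiked sample the tag advertises 34% off and the 30-day reference price is also 150, so a purely Omnibus-based check passes, yet the saving against the September baseline is 1%. The wider the spacing of your own price checks, the more likely the pre-hike baseline is captured at all.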
Step 4. Search for alternatives
Don’t get fixated on a single product. There may be more advantageous alternatives available.
I want to buy [product, model]. My goal is to [what it's needed for]. Budget: [amount].
Find 3–5 alternative products that solve the same problem but might be more cost-effective.
Compare them based on features, price, and reviews. Display the results in a table.
Experience shows that LLMs are particularly good at comparative analysis, highlighting key differences between similar products.
Step 5. Vet the seller and the website
Black Friday is an absolute field day for scammers. In the third quarter of 2025 we saw the number of fake online stores skyrocket by 20% compared to the monthly average. Let’s run through the immediate red flags that should raise your suspicions:
Domains like .shop, .store, .vip or .top — rarely used by major, established brands
Unbelievable discounts of 80–90% on popular items
Lack of a secure HTTPS connection, meaning no padlock icon next to the URL in your browser
Poorly translated text and/or grammatical errors
Finally, just in case, run the following prompt through the AI of your choice to check the store’s legitimacy:
I have found [product name] on [URL]. The price is very attractive: [price], which is [percentage]% below the average. How can I verify that this is not a scam?
What are the signs of a fake store? What should I pay attention to?
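The red flags in Step 5 that are mechanically checkable (the domain suffix, the size of the discount, and the lack of HTTPS) can be applied before a prompt is even written. This is an added example, not code from the Kaspersky post: it parses a listing URL with the standard library and returns the flags it raised. The suspicious TLD set and the 80% threshold are taken from the post; the listing URLs and prices below are constructed sample data, not real stores.

```python
from typing import List
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = {"shop", "store", "vip", "top"}   # suffixes the post names as rarely used by established brands
IMPLAUSIBLE_DISCOUNT_PCT = 80.0                      # the post's "80-90% off popular items" threshold


def check_listing(url: str, price: float, stated_old_price: float) -> List[str]:
    """Return the red flags raised by a listing; an empty list means none of the checks fired."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # No HTTPS: the browser will not show the padlock the post tells readers to look for.
    if parts.scheme != "https":
        flags.append("no HTTPS connection (no padlock icon)")

    if not host:
        flags.append("URL has no host name")
    else:
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            flags.append(f".{tld} domain: rarely used by major, established brands")

    # Guard against a missing or zero "old price" so the percentage is always defined.
    if stated_old_price > 0:
        discount = (stated_old_price - price) / stated_old_price * 100
        if discount >= IMPLAUSIBLE_DISCOUNT_PCT:
            flags.append(f"{discount:.0f}% discount is implausibly large for a popular item")
    return flags


# Constructed sample listings (placeholder hosts, not real shops).
SUSPECT_LISTING = ("http://cheap-deals-outlet.shop/phone-x", 199.0, 1199.0)
PLAUSIBLE_LISTING = ("https://www.example.com/phone-x", 899.0, 999.0)

if __name__ == "__main__":
    for url, price, old in (SUSPECT_LISTING, PLAUSIBLE_LISTING):
        print(url, check_listing(url, price, old) or "no red flags")
```

Zero flags is not proof that a store is legitimate (the translation-quality and seller-reputation checks still have to be done by eye or with the prompt above); the value of the script is that the mechanical checks are applied the same way to every "super deal" instead of only to the ones that happen to look odd.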
Step 6. Compile the all-in-one prompt
This is the all-in-one prompt containing all the data you gathered in the previous steps; it works in any LLM:
You are an expert in spotting retail price manipulation.
Product: [name]
Store: [name]
Current price: [price]
Advertised discount: [percentage]%
Stated old price: [price]
Price history I tracked:
[state data for several months]
Tasks:
1. Is this a genuine discount or a manipulation?
2. What was the real average price before the alleged sale?
3. Should I buy now, or is the price likely to drop even further?
4. Your verdict: buy / wait / look for alternatives?
Note that the security of neural networks is still far from perfect: new vulnerabilities in them continue to be discovered. Therefore, to shield yourself from phishing and spam links you might accidentally follow, be sure to install a proven and reliable security solution, such as Kaspersky Premium. It’ll keep your Black Friday from turning into a financial Black Monday for both your assets and personal data.
Getting local results
One of the core issues with global AI models is that they often deliver information that’s not region-specific, or is relevant to a region other than yours. But you can adapt them to your needs with this prompt:
You are an AI shopping assistant for [country, city]. All your recommendations must factor in the local market, available stores, and regional platforms ([list of stores, if desired]). State prices in [currency]. Speak [language].
My task is to find [product] at the best price for Black Friday.
Which local platforms should I check? What kind of sales are common in [region]?
Specialized prompts for each LLM
Each LLM has its own strengths and weaknesses. With these in mind, we’ve created prompts that unlock the potential of each language model. For the highest quality results, we recommend using models with a larger number of parameters (usually available via paid subscriptions) and activating deep thinking when submitting your requests.
ChatGPT excels at structuring information and generating lists. Here’s a prompt for budget planning:
Create a shopping strategy for Black Friday.
Budget: [amount]
Priority categories: [list]
For each category, specify:
1. Average price before discounts
2. Expected discounted price
3. Best time to buy (before/during/after Black Friday)
4. Alternatives
Format the results as a table.
And here’s a prompt for store comparison:
Product: [name and model]
Found in stores:
- [Store 1]: [price], shipping [terms]
- [Store 2]: [price], shipping [terms]
- [Store 3]: [price], shipping [terms]
Which option is more cost-effective considering the total cost? Analyze the reliability of the stores.
Claude is particularly good at analyzing large volumes of text and highlighting key points. Here’s a Claude prompt for analyzing reviews:
Here's a selection of reviews for [name] from various platforms: [insert reviews].
Analyze them and highlight:
1. Key advantages (top 3)
2. Key disadvantages (top 3)
3. Who is this product best suited for, and who should avoid it?
4. Are there any alarming issues mentioned?
5. Overall recommendation: is this worth buying?
Long-term planning prompt:
You're a financial consultant. I'm planning a major purchase: [product] for [price].
My monthly income: [amount]. My savings: [amount].
Should I buy this on Black Friday or should I wait?
What alternative saving and purchasing strategies can you offer?
Gemini offers seamless integration with the Google ecosystem and provides in-depth capabilities when working with images. Attach a screenshot of the banner or the offer on the website and write the prompt:
This is a Black Friday offer. Evaluate:
1. How attractive is this discount?
2. What information should I check additionally?
3. What should I pay attention to in the description?
4. Signs of a possible scam
Quick search prompt:
Find the best Black Friday 2025 offers in [category].
I'm looking for: [product characteristics]
Budget: [amount]
Region: [country/city]
Show the top 5 options and provide a justification for each choice.
Final checklist
Use AI to create a wish list, and start tracking prices with tools like CamelCamelCamel, Keepa, or other similar services. Set up convenient price-drop notifications.
Analyze the collected price data, find alternative products and stores, and simultaneously verify the sellers’ reliability.
Set up a separate credit card for purchases with a spending limit. If possible, get a virtual card and prepare our prompts for quick retail-offer analysis.
On the actual sale day, don’t fall for urgency tricks like “last item in stock!”, and make sure you check every “super deal” with your AI assistant and a critical eye. Cross-reference the price history, don’t open suspicious emails, and don’t follow dubious links. If you follow these steps, your Black Friday will result not only in zero losses, but also in genuinely advantageous purchases.
Hacking Black Friday: using LLMs to save on the “sale of the year” | Kaspersky official blog (posted by admin, 2025-11-19 13:07:02)
Welcome to another episode of Humans of Talos! This week, Amy sits down with William (Bill) Largent from the Strategic Planning and Communications team. Bill’s role as Senior Security Researcher spans from threat research to communicating Talos’s critical work to internal teams, partners, and customers.
Join us as Bill shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.
Amy Ciminnisi: Bill, it’s great to have you on. You’re part of my team in Strategic Planning and Communications. Can you tell us a little bit about what you do here at Talos?
Bill Largent: Generally speaking, most of my time is still spent on threat research and hunting. About 25 to 30% of the time, they have me talk to people. They let me out of the cage for a little while and put me in front of people. I get to talk to internal Cisco teams and to a lot of partners, which is really interesting. I discuss the state of things, help them understand what’s going on in the threat landscape, and explain what Talos is and how we do things. I also get to talk to customers, which is really fun. My background is in vendor-agnostic remote managed services, so I ran SOCs for years. Talking to people who are doing that now is really refreshing.
AC: You’ve been at Cisco for a while. What made you want to join Talos, and how did that career transition go for you?
BL: It’s really interesting. I’ve been here a long time. If you look me up in the directory, you’ll see my photo is about 24 years old. It was taken on a Saturday or Sunday night at 2 or 3 a.m. because I was working overnight shifts, so it looks exactly like you’d imagine. Getting to Talos was about seeking out smarter people. I believe if you’re the smartest person in the room, you’re in the wrong room, so I started tracking where the smarter people were and went there.
As a member of Talos, there’s never a smarter room than the Talos room. It’s insane, and I mean that for any topic you can think of — chaos theory, mathematics, planetary science, beer making… You name it, someone in Talos is an expert. It’s honestly great. That’s how I came to Talos: trying to find the smartest people in the room.
AC: Is working with people and especially people on Talos your favorite thing about your role, or are there other aspects you love?
BL: For me, the people are a massive differentiator from working anywhere else. I feel super supported and engaged all the time. Beyond the people, what’s interesting about cybersecurity is that it evolves so fast and changes so much that you’re never in a state of stasis. There’s always something new to learn, and even though it’s all cyclical and some things come back around, there’s a lot of difference day to day. It keeps my brain occupied. I also have the support of people who encourage me to go learn things that interest me.
Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.