Cyble Research & Intelligence Labs (CRIL) tracked 1,102 vulnerabilities last week. Of these, 166 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. A total of 49 vulnerabilities were rated critical under CVSS v3.1, while 32 received critical severity under CVSS v4.0.
Additionally, CISA added 9 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed active exploitation.
On the industrial front, CISA issued 8 ICS advisories covering 18 vulnerabilities impacting Siemens, Honeywell, Delta Electronics, GE Vernova, PUSR, EnOcean, Valmet, and Welker products.
Cyble Weekly Vulnerability Report: New Flaws and CVEs
CVE-2026-1357 is a critical unauthenticated arbitrary file upload and remote code execution vulnerability affecting the WPvivid Backup & Migration plugin for WordPress. The flaw stems from improper handling of RSA decryption errors combined with unsanitized filename inputs, allowing attackers to upload malicious PHP shells to publicly accessible directories
A public PoC is available, and the vulnerability surfaced in underground discussions shortly after disclosure, significantly lowering the barrier to exploitation.
CVE-2026-1731 — BeyondTrust Remote Support & PRA (Critical)
CVE-2026-1731 is a critical OS command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw exists within a WebSocket-based endpoint, allowing unauthenticated attackers to execute arbitrary commands on internet-facing instances.
Successful exploitation enables full system compromise, data exfiltration, lateral movement, and persistent access. A PoC is publicly available.
CVE-2025-49132 — Pterodactyl Panel (Critical)
CVE-2025-49132 affects the Pterodactyl Panel game-server management platform and allows unauthenticated remote code execution through improper validation of user-controlled parameters.
Threat actors were observed sharing weaponized exploits on underground forums, highlighting the vulnerability’s operational risk.
CVE-2026-25639 is a denial-of-service vulnerability in the Axios HTTP client, where crafted JSON payloads exploiting improper configuration merging can crash Node.js or browser applications.
The vulnerability was captured in underground forums shortly after disclosure and has a public PoC.
CVE-2026-20841 — Windows Notepad (High Severity)
CVE-2026-20841 is a command injection vulnerability in the Windows Notepad app, enabling execution of malicious payloads via specially crafted files. Exploitation could enable privilege escalation and malware deployment.
Vulnerabilities Added to CISA KEV
CISA added 9 vulnerabilities to the KEV catalog during the reporting period.
Notable additions include:
CVE-2026-2441 — Google Chrome use-after-free vulnerability enabling potential arbitrary code execution via crafted HTML.
CVE-2025-15556 — Notepad++ update integrity verification vulnerability reportedly exploited by the China-linked threat actor Lotus Blossom.
KEV additions serve as strong indicators of exploitation maturity and heightened ransomware or espionage risk.
Critical ICS Vulnerabilities
During the reporting period, CISA issued 8 ICS advisories covering 18 vulnerabilities. The majority were rated high severity.
CVE-2026-1670 affects Honeywell CCTV products and carries a CVSS score of 9.8. The vulnerability allows an unauthenticated attacker to remotely alter the password recovery email address, effectively hijacking administrator accounts.
Successful exploitation enables:
Full administrative account takeover
Unauthorized access to live surveillance feeds
Potential lateral movement into connected networks
Because no credentials or user interaction are required, this vulnerability presents a high mass-exploitation risk.
CVE-2026-25715 — PUSR USR-W610 Router (Critical)
CVE-2026-25715 impacts the PUSR USR-W610 router and involves weak password requirements. If exploited, attackers can bypass authentication, compromise administrator credentials, or disrupt services.
The risk is amplified by the vendor’s acknowledgment that the product has reached end-of-life and no patches are planned. Organizations are urged to isolate or replace affected devices immediately.
Multiple high-severity out-of-bounds read/write and buffer overflow vulnerabilities were disclosed in Siemens Simcenter Femap and Nastran products (CVE-2026-23715 through CVE-2026-23720). These flaws may enable memory corruption and potential code execution in industrial engineering environments.
Impacted Critical Infrastructure Sectors
Analysis of the 18 disclosed ICS vulnerabilities shows that Critical Manufacturing accounts for 61.1% of cases, with the sector appearing in 83.3% of all reported vulnerabilities. This concentration highlights the continued exposure of manufacturing environments and their interdependencies with Energy, Water, and Chemical sectors.
Conclusion
The combination of high-volume IT vulnerabilities, publicly available PoCs, underground exploit discussions, and critical ICS exposures underscores the evolving threat landscape across enterprise and industrial environments.
With 166 PoCs already available and 9 KEV additions confirming active exploitation, organizations must adopt a risk-based vulnerability management approach that prioritizes:
Rapid patching of internet-facing assets
Strict network segmentation between IT and OT environments
Removal or isolation of end-of-life devices
Deployment of multi-factor authentication
Continuous monitoring for anomalous behavior
Routine vulnerability assessments and penetration testing
Cyble’s attack surface management solutions enable organizations to continuously monitor exposures, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, empowering proactive defense against both IT and ICS threats.
Threat monitoring is treated as one capability among many. Something that sits alongside incident response and threat hunting on an org chart. That framing undersells how central it actually is.
Monitoring is the connective tissue of the entire security operation. Every other SOC function depends on it working well.
For SOC and MSSP leaders, building effective threat monitoring is not about “more alerts.” It is about designing the core process that connects detection, triage, hunting, response, intelligence, reporting, and ultimately business resilience.
Key Takeaways
Threat monitoring is structural, not supplemental. Every core SOC workflow (triage, threat hunting, forensics, vuln management, MSSP SLA delivery) depends on monitoring quality. Weaknesses propagate everywhere.
More alerts do not equal better visibility. Context and prioritization define effectiveness.
Inefficient monitoring increases business risk. Missed early-stage attacks lead to higher remediation costs and regulatory exposure. Dwell time reduction translates directly to breach loss reduction.
Intelligence must be operationalized, not stored. Threat intelligence only creates value when embedded into monitoring workflows.
Behavior-backed indicators outperform static IOC lists. Fresh, validated data improves detection accuracy and reduces false positives.
Monitoring should reflect business risk, not system capabilities. Crown-jewel assets and regulatory drivers must shape detection priorities.
Threat Monitoring: Not a Feature But the Foundation
Consider how the core workflows intersect with monitoring:
Detection engineering: Monitoring consumes detection rules and reveals where they fail.
Alert triage and incident response cannot function without a continuous stream of prioritized, contextualized signals. When monitoring is weak — too noisy, too narrow, or too slow — analysts drown in false positives or miss real incidents entirely. Neither outcome is tolerable.
Vulnerability management and patch prioritization increasingly depend on live threat intelligence to decide what gets fixed first.
Even threat hunting is informed by monitoring outputs: analysts use baseline behavioral data, detection gaps, and historical alert patterns to define their hunting hypotheses.
Digital forensics and incident investigation rely on monitoring having captured enough data — the right logs, network flows, endpoint telemetry — to reconstruct attack timelines after the fact.
MSSP client reporting and SLA management live and die by monitoring quality. When clients ask “are we covered against this new ransomware family?”, the answer depends entirely on whether detection rules exist, whether indicators are up to date, and whether the monitoring stack is generating meaningful signal.
This is why threat monitoring must be treated as a first-class, continuously maintained operational capability, not a set-and-forget configuration.
Signal vs. Noise: The Battle That Defines Your SOC
Effective threat monitoring is:
Context-rich rather than alert-dense;
Intelligence-driven rather than purely rule-based;
Adaptive rather than static;
Prioritized by risk rather than by volume;
Aligned with business-critical assets rather than generic telemetry.
How to tell if your monitoring works at its best? Ask these questions:
Does it consistently reduce mean time to detect (MTTD)?
Are high-risk alerts surfaced early, or buried in noise?
Do detections map to real-world adversary behavior?
Is intelligence automatically operationalized, or manually researched?
Does monitoring adapt when new campaigns emerge?
If analysts spend most of their time enriching alerts manually, chasing false positives, or investigating low-impact noise, monitoring is underperforming. Inefficient monitoring does more than exhaust analysts. It leads to delayed breach discovery, higher remediation costs, and regulatory exposure. Leadership questions investment, and security becomes reactive instead of strategic.
Powering Monitoring with Real-World Adversary Data
That’s where the separation between reactive and proactive monitoring happens. Threat intelligence — continuously updated, high-fidelity data on active threats — transforms a monitoring program from one that reacts to known indicators to one that anticipates emerging attack patterns.
The mechanism is straightforward: if your monitoring infrastructure receives a live stream of newly identified malicious IPs, domains, and URLs extracted from real attacks happening right now, your detection coverage extends beyond what your own environment has encountered.
ANY.RUN operates one of the world’s largest interactive malware analysis sandboxes, used by over 600,000 security professionals and SOC teams from more than 15,000 organizations globally.
Here Interactive Sandbox exposes the attack chain and infrastructure of Moonrise – a RAT recently discovered by ANY.RUN’s analysts.
Every analysis session generates structured threat data — IOCs, IOAs (Indicators of Attack), IOBs (Indicators of Behavior), and TTPs mapped to the MITRE ATT&CK framework. ANY.RUN’s Threat Intelligence Feeds channel that data directly into customers’ detection infrastructure in real time.
This creates a network effect with genuine security value: organizations that were the first to face incidents help others anticipate and prevent them. In a documented case, Interlock ransomware targeting healthcare organizations appeared in ANY.RUN’s data nearly a month before the first public threat reports, giving subscribers time to build detections and harden defenses while most of the industry was still unaware.
Instead of simply adding more indicators, these feeds strengthen the connective tissue between intelligence and monitoring workflows. Monitoring becomes intelligence-infused rather than indicator-overloaded.
Metrics that matter: how TI Feeds influence key performance indicators
Strengthen monitoring with fresh, validated intelligence
that reduces response time and minimizes business disruption.
Integration: Minimal Friction, Maximum Compatibility
ANY.RUN delivers Threat Intelligence Feeds in the STIX/TAXII format, making it straightforward for security teams to integrate the data into their existing infrastructure — including popular platforms like OpenCTI and ThreatConnect and solutions like Microsoft Sentinel and Google SecOps. The standardized format means integration with existing SIEM, TIP, IDS/IPS, and EDR platforms is achievable without custom development work.
API access and SDK support allow teams to automate indicator ingestion and build custom workflows around the data. For MSSPs managing multiple client environments, this integration flexibility is essential — feed data can be channeled into per-client SIEM instances with consistent formatting and attribution.
Integrating TI Feeds into the cybersecurity ecosystem
ANY.RUN’s TI Lookup: The Investigative Layer That Makes Feed Intelligence Actionable
TI Feeds solve the automation problem: keeping your SIEM and detection rules continuously stocked with validated, current indicators. But automated ingestion has a natural limit. When an analyst needs to understand why an indicator is malicious, how the associated malware behaves, what else in the environment may be connected, and whether this alert is part of a larger campaign — a feed delivering STIX records into a detection platform cannot answer those questions on its own. That is where Threat Intelligence Lookup completes the picture.
TI Lookup is a database queryable through both a web interface and an API that surfaces IOCs, IOAs, IOBs, and TTPs extracted from millions of sandbox analysis sessions. Searches can be run against URLs, TTPs, file paths, command lines, process behaviors, registry activity, network connections, port numbers, JA3/JA3S TLS fingerprints, Suricata rule IDs, and more.
This means an analyst isn’t limited to checking a hash or IP address against a known-bad list; they can search for behavioral patterns, specific command-line strings observed in active malware, or infrastructure characteristics.
Search TI Lookup for malware that performs certain registry changes
In this example, we can identify threats that aim to execute malicious code through scheduled tasks.
The workflow goes in the other direction too. Proactive threat hunting using TI Lookup — searching for TTPs or behavioral patterns associated with a threat actor targeting the organization’s industry — can surface indicators that have not yet appeared in automated feeds. Those indicators can then be manually added to detection rules, extending the monitoring program’s coverage before a feed update would have caught them.
Monitoring That Speaks the Language of the Board
The operational case for investing in threat monitoring is clear. The business case is sometimes harder to communicate — but it is just as strong.
Risk Reduction That Translates to Financial Terms
The cost of a breach scales with dwell time. Every day an attacker remains undetected in a network is another day of potential data exfiltration, lateral movement, and preparation for a destructive payload. Monitoring that cuts dwell time from 120 days to 5 days is not just an operational improvement. It is a material reduction in breach severity and cost. For organizations in regulated industries, it is also a meaningful factor in whether a regulatory notification obligation is triggered and whether a fine is proportionate.
Meeting SLAs and Client Expectations
For MSSPs, detection speed and coverage breadth are effectively product features. Clients sign contracts expecting that known threats will be detected and responded to within defined timeframes. TI Feeds that update continuously with indicators from active threats extend the detection surface without requiring proportional growth in headcount.
Enabling SOC Efficiency
Analyst time is expensive and scarce. When monitoring is well-designed (contextual, high-fidelity, and supported by rich threat intelligence) analysts spend more time on decisions and less time on manual enrichment, alert validation, and IOC lookups. The triage process shortens. MTTR decreases. The SOC can handle more volume with the same team, or the same volume with better quality of investigation.
Demonstrating Proactive Security Posture to the Board
Security leaders increasingly need to demonstrate not just that they respond well to incidents, but that they are actively working to prevent them. Monitoring informed by real-time threat intelligence that detects and blocks indicators of a major ransomware group weeks before public disclosure is a compelling proof point in that conversation. It shifts the narrative from incident response to threat prevention, which is where business leadership wants security programs to operate.
Turn threat monitoring into a cost-control strategy.
Improve detection accuracy and demonstrate measurable ROI with ANY.RUN TI Feeds
Conclusion: The Standard for Monitoring Has Changed
The threat landscape that SOC and MSSP teams operate in today is faster-moving, better-resourced, and more creative than it was even three years ago. Monitoring built for a previous era of threat activity will fail against current adversary techniques.
Effective threat monitoring in 2026 and beyond requires more than log aggregation and static detection rules. It requires continuous intelligence input from real attack data, behavioral detection that doesn’t depend on known signatures, and the operational discipline to keep detection logic current as threats evolve.
ANY.RUN’s Threat Intelligence Feeds represent one of the most direct paths to that standard: validated, contextualized, continuously updated IOCs and behavioral indicators sourced from millions of real malware analysis sessions, integrated directly into the security stack.
About ANY.RUN
ANY.RUN is part of modern SOC workflows, integrating easily into existing processes and strengthening the entire operational cycle across Tier 1, Tier 2, and Tier 3.
Today, more than 600,000 security professionals and 15,000 organizations rely on ANY.RUN to accelerate triage, reduce unnecessary escalations, and stay ahead of evolving phishing and malware campaigns.
To stay informed about newly discovered threats and real-world attack analysis, follow ANY.RUN’s team on LinkedIn and X, where weekly updates highlight the latest research, detections, and investigation insights.
FAQ
What is threat monitoring in a SOC?
Threat monitoring is the continuous process of collecting, correlating, and analyzing security telemetry to detect malicious activity in real time.
How is threat monitoring different from detection?
Detection refers to the logic or rules that identify malicious behavior. Monitoring is the broader operational process that consumes detections, prioritizes alerts, and drives response workflows.
What makes threat monitoring “effective”?
It is risk-aligned, intelligence-driven, adaptive, and capable of surfacing high-impact threats early while minimizing noise.
How can I measure whether monitoring is working?
Key indicators include reduced MTTD, lower false positive rates, improved alert prioritization accuracy, and faster containment times.
Why do many SOCs struggle with monitoring?
Common issues include over-collection of logs, static IOC feeds, lack of intelligence integration, and weak feedback loops between incidents and detection updates.
How does threat intelligence improve monitoring?
It provides contextual, real-world adversary data that enhances detection logic, prioritization, enrichment, and proactive hunting.
How can MSSPs benefit from enhanced monitoring?
Intelligence-driven monitoring improves service differentiation, reduces analyst workload, increases detection accuracy, and strengthens client trust.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-25 11:06:472026-02-25 11:06:47Turn Your SOC Into a Detection Engine: Rethinking Threat Monitoring
Security professionals rely on early detection signals to prioritize and contain incidents. But what happens when a fully capable RAT generates none?
In a recent investigation, the ANY.RUN experts uncovered a new Go-based remote access trojan we named Moonrise. At the time of analysis, it wasn’t detected on VirusTotal and had no vendor signatures tied to it.
That’s the problem teams can’t ignore: credential theft, remote command execution, and persistence can be active while static checks stay silent. The result is slower triage, and more escalations.
Let’s break down Moonrise’s full attack chain and show how you can detect similar threats earlier, before they turn into longer investigations and real business impact.
Key Takeaways
Moonrise operated without early static detection, establishing active C2 communication before any vendor alerts were triggered.
The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control of an infected endpoint.
Silent C2 activity increases business exposure, extending dwell time and raising the risk of data loss, operational disruption, and financial impact.
Static reputation checks alone are not enough. Behavior-based analysis is critical to confirm real attacker activity quickly.
What Moonrise Means for Organizations
Moonrise isn’t just a remote access tool. Its command set shows how an attacker can move from access to impact.
Credential theft and clipboard monitoring can expose passwords, session tokens, and sensitive data copied between systems.
Remote command execution and process control let operators run scripts, interfere with defenses, and manipulate business applications.
File upload and execution creates a clean path to drop additional payloads, including stealers or ransomware.
Screen capture, webcam, and microphone access can reveal what’s happening inside finance workflows, admin panels, and internal communications.
Persistence and privilege-related functions increase dwell time and make removal harder.
One compromised endpoint can disrupt operations and lead to financial and reputational damage, especially when the malware stays below static detection thresholds long enough to expand access.
Reduce escalation and investigation costs Detect threats earlier with behavior-first clarity
Moonrise RAT detected inside ANY.RUN sandbox, revealing its full attack chain
Within minutes of execution, Moonrise established outbound communication and began responding to operator-driven commands. What looked harmless in static checks immediately revealed interactive control once behavior was observed.
1. Session Registration and Persistent Communication
The communication begins with:
client_hello
connected
ping/pong
These commands handle client identification and keep the WebSocket session alive. This confirms that the infected system is actively connected and ready to receive instructions.
At this stage, traditional static checks still show nothing suspicious. But behaviorally, the endpoint is already under remote control.
C2 communication overview of Moonrise RAT
2. Visibility Into the Host Environment
Once the session is established, the operator starts requesting information about the system.
Observed commands include:
process_list
file_list
webcam_list
monitors_list
screenshot
This allows the attacker to inspect running processes, review directory structures, identify connected displays, and check for available multimedia devices. Even when screen capture fails in a headless environment, the attempt itself signals active operator-driven interaction.
YARA rule match confirming screenshot functionality inside the Moonrise process
This stage provides the attacker with enough context to determine what data is accessible and which actions to take next.
3. Direct System Interaction and Control
Moonrise supports active command execution and process manipulation:
cmd
process_kill
file_upload
file_run
file_execute
file_delete
mkdir
explorer_restart
Through these commands, the operator can run system commands remotely, terminate selected processes, upload additional payloads, execute them, modify directories, and restart system components.
svchost.exe spawning cmd.exe to execute system commands inside the ANY.RUN sandbox
This shifts the attack from observation to full control. At this point, the endpoint is no longer just compromised. It can be used to deploy further tools or prepare deeper access.
4. Credential Access and Data Extraction
The sample includes commands associated with data theft and credential harvesting:
stealer
steam
file_download
keylogger_logs
clipboard_history
These functions enable collection of stored credentials, extracted files, logged keystrokes, and clipboard content. If sensitive data is copied between applications, such as passwords or financial details, it becomes accessible to the operator.
This is where technical compromise transitions into business exposure.
Reduce the risk of silent data exfiltration Turn weak signals into clear decisions fast
Moonrise includes extensive user interaction monitoring capabilities:
keylogger_start
keylogger_stop
keylogger_logs
input
clipboard_monitor_start
clipboard_monitor_stop
clipboard_history
clipper_get_addresses
clipper_set_address
screenshot
screen_stream_start
screen_stream_stop
webcam_capture
microphone_record
These commands allow the operator to monitor user input, track clipboard changes, capture screen content, and access audio or video devices.
The infected endpoint effectively becomes a live surveillance point.
Moonrise RAT actively checks for available and operational camera hardware before attempting capture
6. Privilege and System-Level Capabilities
Moonrise also contains commands related to privilege handling and system configuration:
uac_bypass
rootkit_enable
rootkit_disable
watchdog_status
protection_config
uxlocker_trigger
voltage_drop
These suggest support for privilege manipulation, system configuration changes, and persistence-related behavior. While not all commands may be triggered in every session, their presence indicatesextended control options.
7. Lifecycle Management and Disruption
Moonrise includes lifecycle management functions:
update
uninstall
These allow the operator to modify or remove the deployed version of the malware. This indicates support for maintaining or adjusting the infection over time.
The command set also contains user-facing system interaction functions:
fun
fun_message
fun_wallpaper
fun_openurl
fun_shake
fun_sound
fun_restart
fun_shutdown
fun_bsod
These commands suggest the ability to trigger visible system actions, including restarts or shutdown events, depending on operator intent.
Their presence reinforces that Moonrise provides broad remote interaction capabilities beyond silent monitoring.
Early Detection: 3-Step Loop That Works for Stealth RATs
Moonrise is a good example of an annoying reality: sometimes a RAT shows up with no clean static verdict, no reputation you can trust, and nothing obvious to latch onto. In those cases, early detection comes down to how quickly your team can move from unclear signals to evidence-based containment.
1. Monitoring: Catch the First Weak Signal Early
A lot of RAT incidents start with infrastructure: a fresh IP, a new domain, traffic that doesn’t match your baseline.
This is where ANY.RUN’s Threat Intelligence Feeds help. They continuously surface newly observed indicators and patterns based on telemetry and submissions from 15,000+ organizations and 600,000+ security professionals.
100% actionable IOCs delivered by TI Feeds to your existing stack
For SOC managers, that means fewer blind spots in day-to-day monitoring and earlier detection of suspicious infrastructure before it becomes a bigger incident.
99% unique threat data for your SOC Catch attacks early to protect your business
2. Triage: Enrich Fast, Then Confirm with Behavior
When static checks don’t help, teams often lose time debating severity. That’s where MTTR grows and escalation pressure builds.
A cleaner path is enrich → execute → decide. Use Threat Intelligence Lookup to pull immediate context around a hash, URL, domain, or IP (relationships, related samples, historical sightings). Then run the artifact in the ANY.RUN Sandbox to confirm what it actually does in a safe environment.
ANY.RUN’s sandbox detected full attack chain of Moonrise, including the implemented TTPs in a few minutes, instead of hours
This is how teams replace uncertainty with evidence, reduce unnecessary Tier-1 escalations, and contain earlier, before a RAT turns into credential loss or broader access.
74% of Fortune 100 companies rely on ANY.RUN for earlier detection and faster SOC response
3. Threat Hunting: Turn One Confirmed Case into Wider Coverage
Once you confirm a RAT-like incident, the next step is making sure it doesn’t repeat under a slightly different wrapper. Threat Intelligence Lookup helps you pivot from confirmed indicators to related infrastructure and nearby samples, so hunting stays tied to what’s active now.
From there, you can pivot into related IPs/domains, cluster similar samples, and validate behavior in the sandbox to decide whether it’s the same activity or a lookalike.
Below is an example of a TI Lookup query for the Moonrise C2 IP observed in the attack:
TI Lookup displays sandbox analyses related to the IP address used in the Moonrise attack
When these three motions run as a loop, monitoring, fast triage, and targeted hunting, stealth RATs stop being “late discoveries” and become manageable security events with lower response cost and less business exposure.
Conclusion: Reducing Exposure Starts with Faster Clarity
Moonrise is a reminder that the biggest risk isn’t the RAT itself but the time lost before it’s clearly identified. When static checks stay silent, attackers can steal credentials, stage more payloads, and lock in persistence while teams are still debating severity.
Reducing exposure comes down to one thing: faster clarity. Feed fresh infrastructure signals into monitoring, enrich quickly with TI Lookup, and confirm behavior in the sandbox before the case grows into a costly incident.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from initial alert to final containment.
It allows teams to safely execute suspicious files and URLs to observe real behavior, enrich indicators with immediate context through TI Lookup, and continuously monitor emerging infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce uncertainty, accelerate triage, and limit unnecessary escalations.
Today, more than 600,000 security professionals across 15,000+ organizations rely on ANY.RUN to make faster decisions, strengthen detection coverage, and stay ahead of evolving phishing and malware campaigns.
To stay informed about newly discovered threats and real-world attack analysis, follow ANY.RUN’s team on LinkedIn and X, where weekly updates highlight the latest research, detections, and investigation insights.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-24 11:06:372026-02-24 11:06:37Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-24 08:30:062026-02-24 08:30:06Faking it on the phone: How to tell if a voice call is AI or not
SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding.
The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control.
This distribution model reflects the increasing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns.
Technical analysis shows that SURXRAT operates as a full-featured surveillance and device-control platform capable of extensive data exfiltration, real-time remote command execution, and ransomware-style device locking.
The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. Code similarities suggest that it evolved from the ArsinkRAT family.
We have identified the latest samples that conditionally download a large LLM module, indicating experimentation with AI-assisted capabilities, device performance manipulation, and alternative monetization strategies alongside traditional surveillance and extortion activities.
While it may not always be possible to avoid these threats entirely, prompt action can help reduce the impact of compromise. Threat intelligence tools such as Vision provide users with a real-time view of their digital threat landscape, alerting them to any compromise and enabling them to take corrective action.
Key Takeaways
SURXRAT is sold openly via Telegram, with reseller and partner licensing tiers, enabling scalable distribution through affiliate operators rather than centralized campaigns.
Source code references and functional overlap indicate SURXRAT likely evolved from ArsinkRAT, highlighting continued reuse and rapid enhancement of Android RAT frameworks.
The malware collects sensitive data, including SMS messages, contacts, call logs, device information, location data, and browser activity, enabling credential theft and financial fraud operations.
Use of Firebase Realtime Database infrastructure allows attackers to blend malicious communications with legitimate cloud traffic, improving reliability and complicating detection.
SURXRAT conditionally downloads a large LLM module from external repositories, suggesting experimentation with AI-driven functionality, device performance manipulation, or evasion techniques.
The integrated ransomware-style screen locker enables attackers to deny device access and demand payment, allowing flexible monetization through surveillance, fraud, or extortion.
Overview
Cyble Research and Intelligence Labs (CRIL) identified a new variant of SURXRAT, an actively developed Android Remote Access Trojan (RAT) being openly commercialized through a dedicated Telegram-based distribution ecosystem. Unlike opportunistic commodity malware, SURXRAT is positioned as a subscription-style cybercrime product, indicating an increasing level of professionalization in the Android malware-as-a-service (MaaS) landscape.
The Indonesian threat actor (TA) operates a Telegram channel through which the malware is marketed, regularly updated, and distributed to resellers and partners. The channel was created in late 2024, suggesting that active malware development likely began in early 2025. At the time of analysis, we identified more than 180 related samples, indicating continuous development activity and demonstrating that the threat actor is actively maintaining and evolving the malware.
Figure 1 – SURXRAT V5 advertisement on Telegram Channel
The structured pricing tiers, operational announcements, and feature updates demonstrate a mature commercialization model similar to underground SaaS platforms, suggesting the operator is targeting aspiring cybercriminals rather than conducting attacks directly.
SURXRAT is marketed under a structured licensing scheme branded as SURXRAT V5, indicating active development and ongoing version iteration by the operator. The threat actor offers two primary purchase tiers within a “Ready Plan” model designed to attract both individual operators and larger resellers.
Figure 2 – Pricing Plan for SURXRAT posted on Telegram channel
The Reseller Plan, advertised at a one-time payment of 200k, provides permanent access, allows buyers to generate up to three malware builds per day, includes free server upgrades, and permits users to create and sell SURXRAT builds while adhering to the operator’s predefined market pricing.
The Partner Plan, priced at 500k as a permanent license, expands these capabilities by increasing the daily build limit to ten accounts, maintaining free server upgrades, and granting buyers the ability to establish their own reseller networks, effectively enabling further distribution.
Both tiers emphasize a one-time payment structure (“anti pt pt”), suggesting no recurring subscription fees. This tiered commercialization approach demonstrates the operator’s deliberate attempt to scale malware adoption through affiliate-style distribution, decentralizing infection operations while retaining centralized control over infrastructure and ecosystem governance.
The threat actor periodically posts operational statistics to reinforce legitimacy and attract buyers. One such announcement revealed:
Bot Status: Active
Total Users: 1,318 registered accounts within the system
Operational confirmation timestamp: January 2026
Figure 3 – Telegram post indicating the registered accounts
While these figures cannot be independently verified, public disclosure of user metrics is a common underground marketing tactic intended to establish credibility and demonstrate adoption among cybercriminal customers. If accurate, the numbers suggest a growing ecosystem of operators leveraging SURXRAT for Android surveillance and financial fraud operations.
SURXRAT V5 provides a comprehensive surveillance and remote-control feature set consistent with modern Android RATs. The functionality indicates a strong emphasis on data harvesting, device monitoring, and full remote manipulation.
Data Collection and Surveillance Features
The malware enables extensive extraction of sensitive user information, including:
SMS monitoring
Contact list and call logs
System information and installed applications
Gmail account data
Device location tracking
Network and connectivity information
Notification interception
Clipboard monitoring
Web browsing history
Cellular tower intelligence
WiFi scanning and connection history
Full file manager access
This level of visibility allows attackers to perform credential harvesting, OTP interception, profiling, and reconnaissance for secondary fraud operations.
Remote Device Control Capabilities
SURXRAT extends beyond passive surveillance by enabling attackers to manipulate compromised devices actively:
Remote device unlocking
Triggering phone calls
Wallpaper modification via remote URL
Remote audio playback
Network lag manipulation
Push notification delivery
Forced website opening
Flashlight activation
Device vibration control
On-screen text overlays
Device locking using attacker-defined PIN
Complete storage wipe functionality
During analysis of the SURXRAT sample, references to ArsinkRAT were found in the source code, suggesting a developmental relationship between the two malware families. In January 2026, Zimperium reported an increase in activity associated with ArsinkRAT campaigns targeting Android devices.
A comparative analysis indicates notable functional and structural similarities between SURXRAT and ArsinkRAT, suggesting that the threat actor likely leveraged the ArsinkRAT source code. Using this foundation, an enhanced variant incorporating additional capabilities and updated features was subsequently developed.
Figure 4 – ArsinkRAT string mentioned in SURXRAT malware
This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities.
During our analysis of the latest SURXRAT variant, we identified a deliberate mechanism to manipulate network lag. The malware initiates the download of a large LLM module (>23GB) hosted on Hugging Face. This approach is highly atypical for a mobile-based device.
Notably, this download is conditionally triggered when specific gaming applications are active on the victim’s device, namely Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth), or when the malware receives alternative target package names dynamically from the threat actor–controlled server.
This indicates that the download behavior is remotely configurable, allowing operators to initiate the module retrieval based on applications specified through backend commands.
Figure 5 – Downloads LLM module from Hugging Face
While downloading a model of this size on a mobile device may initially appear impractical, the observed behavior indicates intentional implementation rather than a misconfiguration. The LLM module appears to be under active development and may be leveraged to:
Deliberately introduce device or network latency during gameplay, potentially supporting paid cheating or disruption services mask malicious background activity by degrading overall device performance, leading users to attribute abnormal behavior to system issues rather than malware enable future AI-driven capabilities, such as automated interactions or adaptive social engineering techniques
The selective and conditional deployment of this module suggests that the threat actor is actively experimenting with AI-based components to enhance monetization strategies, improve evasion techniques, and expand operational capabilities.
Technical Analysis
Upon execution, the malware prompts the victim to grant multiple high-risk permissions, including access to location services, contacts, SMS messages, and device storage.
Following initial permission approval, the malware displays additional prompts guiding the user to enable Accessibility Services. This commonly abused Android feature allows applications to monitor screen content and perform automated actions. The abuse of accessibility permissions significantly increases attacker control, enabling surveillance and facilitating further malicious operations without continuous user interaction.
Figure 6 – Malware prompting to enable permissions
After acquiring the required permissions, SURXRAT establishes communication with a backend infrastructure hosted on a Firebase Realtime Database:
The malware connects using a database reference labeled “arsinkRAT,” further reinforcing the developmental linkage between SURXRAT and the previously observed ArsinkRAT malware family.
Once connectivity is established, the malware performs device registration by generating a random UUID, which serves as a unique identifier for tracking infected devices. Following registration, SURXRAT immediately begins exfiltrating sensitive information to the Firebase backend.
Figure 7 – Device registration
The malware collects and transmits a wide range of victim data, enabling comprehensive device profiling. Exfiltrated information includes:
Contact lists
SMS messages
Call logs
Device brand and model
Android OS version
Battery level and status
SIM card details
Network information
Public IP address
This dataset allows attackers to uniquely identify victims, monitor communications, and prepare follow-on fraud or surveillance activities such as OTP interception and account takeover.
After successful device registration, SURXRAT launches a persistent background service that maintains continuous communication with the Firebase command-and-control (C&C) infrastructure and receives commands. The malware initializes multiple internal manager classes that handle surveillance, device control, and data collection.
Figure 8 – Background service
The infected device periodically sends status updates to the backend while simultaneously polling for incoming commands issued by the operator. This near real-time synchronization enables attackers to execute actions on compromised devices remotely with minimal delay.
Analysis of command handlers revealed several instructions received from the Firebase backend that allow attackers to perform surveillance and active device manipulation:
Spy Commands
Description
accounts
Collects Google account information associated with the device
apps_list
Retrieves the list of installed applications
device_info
Collects detailed device metadata
audio_record
Records audio
file_list
Enumerates files and extracts metadata
flashlight
Remotely controls the device flashlight
camera_photo
Captures images using the device camera
contacts
Collects contacts
call_log
Collects call log
sms_read
Collects SMSs
Sms_send
Sends SMSs from the infected device
tts
Execute text to speech
call
Makes a call from the infected device
toast
Display a toast message
vibrate
Remotely vibrates the device
file_delete
Deletes file
location
Collects the victim’s location
file_upload
Sends file to the server
RAT Commands
Description
access
Collects clipboard data
unlock
Remove locks
app
Sync app list
Cal
Dail calls
fla
Handles flashlight
for
Wipe data
Mus
Play music
Not
Send System update notification
url
Opens URL
vib
Vibrates device
voi
Executes text-to-speech
wal
Changes wallpapers
Brow
Collects browser history
Cell
Collects the device’s cell info
Lock
Execute the Screen Locker feature
wifih
Collect Wi-Fi history
wifis
Execute text-to-speech
The figure below shows the admin panel image shared on the threat actor’s Telegram account, highlighting the various actions and controls available through SURXRAT.
Figure 9 – SURXRAT admin panel
Screen Locker Activity
The SURXRAT sample also contains a ransomware-style screen locker module that allows a remote attacker to seize control of the victim’s device and temporarily deny access to it. When activated, the malware forces the device to display a persistent full-screen lock message that the user cannot easily dismiss. The attacker can remotely customize both the displayed message and the unlock PIN, enabling them to demand a ransom payment directly from the victim.
Figure 10 – Screen Locker activity
The malware continuously reports user interactions back to the attacker’s server. Each incorrect PIN entry is transmitted to the backend, allowing the operator to monitor victim behavior and response attempts in real time. The lock screen can also be remotely removed by the attacker, giving them complete control over when the device becomes usable again. Overall, this functionality appears intended to coerce victims through disruption and intimidation, ultimately facilitating ransom-based monetization.
Figure 11 – Malware sends a wrong attempts log
The integration of ransomware-style locking into a surveillance RAT indicates hybrid monetization, allowing operators to switch between espionage, fraud, and direct extortion based on the value of the victim.
Conclusion
SURXRAT represents a notable evolution in Android malware, combining MaaS-style commercialization, cloud-based command infrastructure, and modular capabilities into a single adaptable threat platform. The malware’s extensive surveillance features, real-time remote control functions, and ransomware-style device locking demonstrate a shift toward multi-functional mobile threats designed for flexible monetization.
The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection. As Android malware ecosystems continue to mature, threats like SURXRAT highlight the increasing accessibility of advanced mobile attack capabilities to a broader cybercriminal audience, reinforcing the need for improved mobile threat visibility, behavioral detection, and user awareness.
Prevention is ideal, but it isn’t always an option. Threat Intelligence platforms such as Cyble Vision provide users with insight into their digital risk profile and can notify them of any breaches or unauthorized access, enabling them to take immediate corrective action.
Our Recommendations
We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:
Install Apps Only from Trusted Sources: Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
Be Cautious with Permissions and Installs: Never grant permissions and install an application unless you’re certain of an app’s legitimacy.
Watch for Phishing Pages: Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
Enable Multi-Factor Authentication (MFA): Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
Report Suspicious Activity: If you suspect you’ve been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
Use Mobile Security Solutions: Install a mobile security application that includes real-time scanning.
Keep Your Device Updated: Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.
The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-20 09:06:272026-02-20 09:06:27PromptSpy ushers in the era of Android threats using GenAI
Welcome to this week’s edition of the Threat Source newsletter.
Generative AI and agentic AI are here to stay. Although I believe that the advantages that AI brings to bad guys may be overstated, these new technologies allow threat actors to conduct attacks at a faster rate than before.
One capability that AI improves for threat actors is the ability to reconnoitre employees, discover their interests, and craft social engineering lures specific to them. Being able to deliver tailored, targeted social engineering using the language and tone most likely to trick an individual is a useful tool for the bad guys.
However, if AI brings advantages to those who seek to attack us, we shouldn’t overlook the benefits that it brings to defenders and the new weaknesses it exposes in the bad guys. If AI agents are searching for employees who are vulnerable to social engineering; then let us serve them exactly what that are looking for.
AI tools can create a whole army of fictitious employees who can be a rich source of threat intelligence. With AI we can easily create social media profiles of fake employees to entice malicious profiling agents. These AI avatars can post social media content or upload AI generated CVs or other documents to AI systems, leaving a trail of breadcrumbs for malicious agents to discover and follow.
Clearly, any message sent to the email address of an AI-generated employee is certain to be spam. We can update our lists of potentially malicious IP addresses and URLs appropriately. Similarly, we can create accounts on messaging platforms for our fake employees and wait for the social engineering attempts to analyse and block
Any attempt to access services or log-in using the credentials of an AI employee can only be malicious. Again, defensive teams can quickly and easily block the connecting IP address to nip in the bud any malicious campaign.
Malicious use of AI doesn’t need to be thought of only as a threat. It can be a way to turn the tables on threat actors and use their own tools against them. By understanding how AI tools are profiling and collecting information about our users, we can flood these tools with disinformation and treat any resulting attacks as a rich source of threat intelligence rather than as a source of concern.
AI is changing things for both attackers and defenders. New tools and capabilities allow us to think differently about defense and how we can increasingly make life difficult for the bad guys.
The one big thing
In our latest Vulnerability Deep Dive, a Cisco Talos researcher discovered six vulnerabilities in the Socomec DIRIS M-70 industrial gateway by emulating just the Modbus protocol handling thread, rather than the whole system. Using tools like Unicorn Engine, AFL, and Qiling for fuzzing and debugging, this “good enough” approach made it possible to find and analyze weaknesses despite hardware protections. The vulnerabilities were responsibly disclosed and have been patched by the manufacturer.
Why do I care?
Vulnerabilities in industrial gateways like the M-70 can cause major disruptions, especially in critical infrastructure, data centers, and health care. Attackers could exploit these flaws to stop operations or manipulate processes, leading to financial loss and equipment damage. The research highlights how even devices with strong hardware protections can still be vulnerable through their communication protocols.
So now what?
Organizations using Socomec DIRIS M-70 gateways should apply the manufacturer’s patches to fix the vulnerabilities. To detect exploitation attempts, defenders should download and use the latest Snort rulesets from Snort.org, as recommended in the blog. Finally, regularly monitor industrial devices for unusual activity and review security controls around critical gateways.
Top security headlines of the week
CISA navigates DHS shutdown with reduced staff CISA is currently operating at roughly 38% capacity (888 out of 2,341 staff) due to the U.S. Department of Homeland Security shutdown that began February 14, 2026. KEV is one area that remains. (SecurityWeek)
EU Parliament blocks AI tools over cyber, privacy fears According to an internal email seen by POLITICO, EU Parliament had disabled “built-in artificial intelligence features” on corporate tablets after its IT department assessed it couldn’t guarantee the security of the tools’ data. (POLITICO)
Supply chain attack embeds malware in Android devices Researchers have spotted new malware embedded in the firmware of Android devices from multiple vendors that injects itself into every app on infected systems, giving attackers virtually unrestricted remote access to them. (Dark Reading)
Data breach at fintech giant Figure affects close to a million customers Troy Hunt, security researcher and creator of the site Have I Been Pwned, analyzed the data allegedly taken from Figure and found it contained 967,200 unique email addresses associated with Figure customers. (TechCrunch)
Amnesty International:Intellexa’sPredator spyware used to hack iPhone of journalist in Angola Government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians, and other ordinary citizens, including critics. (TechCrunch)
Humans of Talos:Ryan Liles, master of technical diplomacy Amy chats with Ryan Liles, who bridges the gap between Cisco’s product teams and the third-party testing labs that put Cisco products through their paces. Hear how speaking up has helped him reshape industry standards and create strong relationships in the field.
Talos Takes: Ransomware chills and phishing heats up Amy is joined by Dave Liebenberg, Strategic Analysis Team Lead, to break down Talos IR’s Q4 trends. What separates organizations that successfully fend off ransomware from those that don’t? What were the top threats facing organizations? Can we (pretty please) get a sneak peek into the 2025 Year in Review?
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-19 20:06:452026-02-19 20:06:45Using AI to defeat AI
Cyble Research & Intelligence Labs (CRIL) tracked 1,158 vulnerabilities last week. Of these, 251 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks.
A total of 94 vulnerabilities were rated critical under CVSS v3.1, while 43 were rated critical under CVSS v4.0.
In parallel, CISA issued 15 ICS advisories covering 87 vulnerabilities affecting industrial environments. These vulnerabilities impacted vendors including Siemens, Yokogawa, AVEVA, Hitachi Energy, ZLAN, ZOLL, and Airleader.
Additionally, 8 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reflecting confirmed exploitation in the wild.
The Week’s Top Vulnerabilities
CVE-2025-40554 — SolarWinds Web Help Desk (Critical)
CVE-2025-40554 is a critical authentication bypass vulnerability affecting SolarWinds Web Help Desk versions prior to 2026.1. The flaw allows unauthenticated remote attackers to invoke privileged functionality without valid credentials, potentially leading to full compromise of helpdesk systems.
Cyble observed this vulnerability being discussed on underground forums shortly after disclosure, and a public PoC is available. The vulnerability’s presence in enterprise environments increases the risk of initial access and lateral movement.
CVE-2026-1340 — Ivanti Endpoint Manager Mobile (Critical)
CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). A remote, unauthenticated attacker can exploit the flaw to achieve arbitrary remote code execution without user interaction.
The vulnerability has been captured in dark web discussions and has a publicly available PoC , significantly lowering the barrier to exploitation.
CVE-2026-21509 — Microsoft Office (High Severity, Actively Exploited)
CVE-2026-21509 is a feature-bypass vulnerability in Microsoft Office that allows crafted documents to circumvent built-in security protections. Attackers can deliver malicious Office files that execute payloads once opened by the victim.
The flaw has been actively exploited by threat actors including APT28 and RomCom , highlighting its operational impact.
CVE-2026-1529 — Keycloak (High Impact)
CVE-2026-1529 affects Red Hat’s Keycloak and involves improper validation of JWT invitation token signatures. Attackers can manipulate trusted token contents to gain unauthorized access to organizational resources.
A PoC is available, and the vulnerability surfaced on underground forums shortly after disclosure.
CVE-2026-23906 — Apache Druid (Critical)
CVE-2026-23906 is a critical authentication bypass vulnerability in Apache Druid, enabling unauthorized access to sensitive data stores.
CVE-2026-0488 — SAP CRM & SAP S/4HANA (Critical)
CVE-2026-0488 is a critical code injection vulnerability affecting SAP CRM and SAP S/4HANA. An authenticated attacker can exploit improper function module calls to execute arbitrary SQL statements, potentially resulting in full database compromise.
Vulnerabilities Added to CISA KEV
CISA added 8 vulnerabilities to the KEV catalog during the reporting period. The most important of these were:
These critical vulnerabilities in ZLAN Information Technology Co.’s ZLAN5143D device involve missing authentication for critical functions.
Successful exploitation could allow attackers to bypass authentication controls or reset device passwords, potentially enabling unauthorized configuration changes and interference with industrial communications. Researchers also identified internet-facing instances, increasing exposure risk.
CVE-2025-52533 — Siemens SINEC OS (Critical)
CVE-2025-52533 is a critical out-of-bounds write vulnerability in Siemens SINEC OS before version 3.3, potentially enabling memory corruption and system compromise in industrial network environments.
CVE-2026-1358 — Airleader Master (Critical)
CVE-2026-1358 is a critical, unrestricted file-upload vulnerability in Airleader Master systems. Successful exploitation could allow attackers to upload malicious files, potentially resulting in remote code execution in OT environments.
Impacted Critical Infrastructure Sectors
Analysis of the ICS advisories shows that Critical Manufacturing and Energy sectors appear in 98.9% of reported vulnerabilities, showcasing concentrated exposure in these environments.
The cross-sector nature of these vulnerabilities underscores the interdependencies between Energy, Manufacturing, Transportation, Water, and Food systems.
Conclusion
The convergence of high-volume IT vulnerabilities and significant ICS exposure highlights the continued expansion of the attack surface across enterprise and industrial environments. With over 250 PoCs publicly available and multiple KEV additions confirming active exploitation, organizations must prioritize rapid remediation and risk-based vulnerability management.
Security best practices include:
Prioritizing vulnerabilities based on risk and exploit availability
Protecting web-facing and internet-exposed assets
Implementing strict IT/OT network segmentation
Deploying multi-factor authentication and strong access controls
Conducting regular vulnerability assessments and penetration testing
Monitoring underground forums and KEV updates for early warning signals
Cyble’s comprehensive attack surface management solutions help organizations continuously monitor internal and external assets, prioritize remediation, and detect early warning signals of exploitation. Additionally, Cyble’s threat intelligence and third-party risk intelligence capabilities provide visibility into vulnerabilities actively discussed in underground communities, enabling proactive defense against both IT and ICS threats.
G2, the world’s largest and most trusted software marketplace, has recognized ANY.RUN among the Best Software Companies.
The ranking is based on verified reviews from organizations actively using ANY.RUN’s solutions. It reflects the company’s strong international presence and measurable impact across global cybersecurity markets.
Thank You to Our Community
Recognition on G2’s Top 50 Best Software Companies list is a reflection of peer validation, powered by customer reviews and feedback. We are very grateful to all analysts, SOC teams, and experts whose insights and evaluations contributed to the ranking.
For ANY.RUN, entering the G2 ranking is a milestone, not a finish line. We will continue to invest in product innovation, community-driven improvements, and measurable outcomes for security operations worldwide.
Impact with ANY.RUN: Customer-Reported Outcomes
ANY.RUN optimizes SOC workflows across processes
ANY.RUN delivers measurable operational value to security teams with demanding workloads and strict SLAs. Among results reported by our customers are 50%+ reduction in investigation & IOC extraction time and 30–55% fewer irrelevant escalations.
Beyond the metrics, ANY.RUN’s rising position in software rankings is by its ability to solve operational challenges across the SOC lifecycle:
Unified SOC Workflow: ANY.RUN delivers solutions that support processes from monitoring to triage and incident response in a single ecosystem, enabling investigation without switching tools.
Accelerated Decision-Making: Interactive malware analysis combined with contextual threat data provides immediate behavioral insight and evidence.
Solved SOCs and MSSP Challenges: Standardized workflows and integrated intelligence enable efficient operations at scale, filling the gaps in work processes.
ANY.RUN: one workflow to cover all SOC needs.
Upgrade to enterprise-grade solutions today.
Trusted by the World’s Most Demanding Organizations
We support analysts in accelerating investigations, reducing risk, and improving operational outcomes across industries. Among 15,000 SOC teams applying our solutions, there are 3,102 IT & technology companies, 1,778 financial institutions, 1,059 government entities, and 919 healthcare providers.
The results companies get when using ANY.RUN in their security operations
ANY.RUN is used broadly by organizations with high security requirements, including the world’s largest enterprises:
74% of Fortune 100 companies rely on ANY.RUN for malware analysis and threat investigation workflows.
64% of Fortune 500 companies incorporate ANY.RUN into broader threat detection and response strategies.
“We just stopped losing time to uncertainty. Now we can confirm what’s happening faster and escalate only when it actually makes sense.”
ANY.RUN has become an integral component of modern security operations, enabling teams to make faster, more confident decisions across Tier 1, Tier 2, and Tier 3. It integrates seamlessly into existing workflows and reinforces the full investigation lifecycle from initial validation to in-depth analysis and continuous threat monitoring.
By exposing real attacker behavior, enriching investigations with critical context, and ensuring detections reflect the evolving threat landscape, ANY.RUN helps SOC teams reduce alert fatigue, accelerate response times, and minimize operational impact.
Today, more than 600,000 security professionals and 15,000 organizations worldwide rely on ANY.RUN to streamline triage, reduce unnecessary escalations, and stay ahead of constantly shifting phishing and malware campaigns.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-19 12:06:282026-02-19 12:06:28G2 Recognizes ANY.RUN Among the Top 50 Best Software Companies in the Region
I believe we’re witnessing the most significant event India has ever experienced. The nation stands at the cusp of a major global shift, and I want to share why I’m so bullish about India’s role in the AI revolution—and the critical security challenges we must address together.
India: Right Place, Right Time
No country will prosper without making significant changes in their AI capabilities. India is uniquely positioned to lead this transformation. We’ve already pioneered the entire FinTech ecosystem, processing payments for more than half a billion people globally. This foundation puts India at the perfect intersection of technological capability and market opportunity to ride the AI wave.
At the same time, scale brings responsibility. As AI becomes embedded across financial systems, digital public infrastructure, enterprise workflows, and citizen services, the attack surface expands alongside innovation. If India is to lead the AI revolution, we must lead in securing it as well.
Cyble’s Commitment to India’s AI Future
At Cyble, we’re incredibly excited to invest and continue growing our AI capabilities from India—from infrastructure to applications to talent. We’re not just talking about supplying talent to the world; we’re building core infrastructure, services, and capabilities right here. That’s why we’ve invested millions of dollars and will continue doing so. India’s potential extends far beyond being a service provider—we’re becoming a global AI powerhouse.
Beenu Arora, Co-Founder & CEO, Cyble, speaking during the session “Responsible AI at Scale: Governance, Integrity, and Cyber Readiness for a Changing World” at the India AI Impact Summit 2026.
As we build, I am also conscious that AI is not just another infrastructure layer. It is increasingly a cognitive system — capable of reasoning, contextual learning, and autonomous decision-making. That means it must be secured differently. Protecting AI systems requires thinking beyond traditional perimeter defenses and anticipating new risk categories such as model manipulation, data poisoning, prompt injection, AI-assisted reconnaissance, and sensitive data leakage.
The AI Security Challenge: A New Battlefield
But let me be candid about the challenge ahead. AI has fundamentally changed the game—it’s a massive structural shift. The threat landscape has evolved dramatically:
The Democratization of Cyber Attacks
What once took hours to execute—a basic phishing attack—now happens at scale with high contextual accuracy and perfect timing.
AI agents continuously monitor user activities on LinkedIn and social media, knowing exactly who you are, what interests you, and who you communicate with.
We’re seeing over 100,000 deepfake videos being created. With apps like Grok, anyone can generate a convincing deepfake in just 60 seconds.
I’ve seen this shift firsthand.
Three years ago, a member of my leadership team received a WhatsApp call that convincingly mimicked my voice and requested a financial transaction. It was a deepfake attempt. We identified it only after careful scrutiny.
At the time, such attacks were considered sophisticated and relatively rare.
Recently, my eight-year-old son wrote a simple program that deepfaked my own mother.
The point is not novelty. It is accessibility.
What once required specialized expertise and resources is now democratized. Consumer-grade AI systems can generate convincing synthetic audio with minimal effort. The barrier to entry has collapsed. Cybercrime is being industrialized.
Phishing has entered a new era as well. For decades, phishing attempts were often detectable through poor grammar, awkward phrasing, or generic messaging. That signal has largely disappeared. AI-driven agents now scrape publicly available information, analyze behavioral patterns, and craft highly personalized messages tailored to specific individuals and roles. These agents continuously learn, retain context, and refine their attacks. Precision has replaced volume as the dominant strategy.
The Defender’s Dilemma
AI is already democratized. Bad actors have access to the same technologies as defenders. This fight will be relentless. I believe attackers will initially gain the upper hand because AI systems weren’t designed with security in mind from the beginning.
Consider this: $4.6 trillion has been invested in building AI infrastructure, applications, and toolkits. Security, as always, is catching up.
Beyond social engineering, AI is influencing technical intrusion methods as well. AI systems are increasingly capable of identifying and chaining vulnerabilities across systems, discovering weaknesses with notable efficiency. In controlled environments, AI-assisted approaches have demonstrated the ability to map exploit pathways faster than traditional methods. This compresses the time between vulnerability discovery and exploitation, shrinking defensive response windows and amplifying attacker efficiency.
AI is not simply another tool in the attacker’s arsenal. It is a multiplier.
And while organizations rapidly integrate AI into customer experiences, analytics platforms, and internal decision-making systems, security investments do not always scale proportionately.
AI is often treated as infrastructure rather than as a cognitive system requiring dedicated protection mechanisms. This creates exposure across model integrity, training data pipelines, inference layers, and external integrations.
The enterprise attack surface is expanding — and becoming more intelligent.
Hope on the Horizon
Despite these challenges, I’m optimistic. As defenders gain access to the right governance frameworks and infrastructure, we’ll be positioned to make these systems better and safer for everyone. This is exactly why Cyble exists—to bridge that gap and protect organizations in this new AI-driven world.
Defending against AI-driven threats requires more than traditional controls. It requires continuous external threat intelligence, early detection of impersonation campaigns, dark web visibility into emerging AI-enabled tactics, proactive attack surface management, and context-aware anomaly detection.
The race is on, and India is ready to lead not just in AI innovation but in AI security. The question isn’t whether we’ll rise to this challenge—it’s how quickly we can mobilize our talent, infrastructure, and innovation to secure the AI future.
About the Author
Beenu Arora is the Co-Founder and CEO of Cyble, a leading AI-powered threat intelligence company investing heavily in India’s cybersecurity and AI infrastructure.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-02-19 11:06:432026-02-19 11:06:43India’s AI Revolution: Why This Is India’s Most Significant Moment
