According to global research, the market share of highly automated, driverless vehicles is growing rapidly. Analysts estimate that the next 10 to 15 years will mark a major shift from pilot projects to the mass adoption of autonomous transport. The momentum is building worldwide: Europe has already rolled out over 35 autonomous vehicle pilots, while the U.S. and China log more than 450 000 and 250 000 commercial trips per week, respectively. However, the report notes several roadblocks slowing down this progress. One such hurdle is the uncertainty surrounding legal liability and regulation, including in the areas of safety and security. The allocation of responsibility among suppliers, manufacturers, enterprise clients, and end users remains a major point of discussion.
Each market stakeholder sees the issue of ensuring the safety of autonomous vehicles differently. For automakers, it means taking responsibility for how a vehicle behaves on the road and for vetting their suppliers. For the suppliers themselves, it means designing security mechanisms directly into their solution architecture from day one and guaranteeing their adequacy. For insurance companies, it means completely overhauling their risk models to account for not just accidents, but also potential software glitches and cyberattacks. Ultimately, everyone agrees on one fundamental point: security must be a foundational feature of the vehicle — not an optional add-on.
Ensuring vehicle security in the modern era
For years, discussions around automotive safety focused strictly on functional safety. In other words, the goal was to ensure that vehicle systems operated correctly, and that risks associated with potential failures were fully mitigated or reduced to an acceptable level. The ISO 26262 standard “Road vehicles — Functional safety” helps address this very challenge, and serves as the baseline for the automotive industry.
However, the modern connected vehicle is a complex cyberphysical system that stores and processes massive amounts of data, including sensitive information. And this leads to the emergence of new basic needs. To draw an analogy with two levels of Maslow’s hierarchy of needs, a modern vehicle must:
Satisfy the need for “esteem” — meaning it must securely and reliably store user profile data, such as account credentials, biometric data, payment details, and more.
Satisfy the user’s cognitive needs — meaning it must provide secure internet connectivity, transmit vehicle telemetry, and send reminders for scheduled or emergency maintenance.
All of this means equipping vehicles with a wide array of interfaces — telematics, Bluetooth, Wi-Fi, cellular connectivity, OTA updates, and V2X — which opens the door to remote attacks. Therefore, it becomes necessary to ensure not only the functional security, but also the information security of the vehicle. As a result, specialized industry standards that help address automotive cybersecurity challenges have emerged in most countries. The key international standards are ISO/SAE 21434 “Road vehicles — Cybersecurity engineering”, UNECE R155, and UNECE R156.
China’s regulations are evolving too. In 2024, the country published the national standard GB 44495-2024 “Technical Requirements for Vehicle Cybersecurity”, which went into effect on January 1, 2026. The document introduces mandatory cybersecurity requirements for vehicles, including communications protection, security event management, threat monitoring, and secure vehicle interaction with external infrastructure.
Understanding and applying these standards is becoming absolutely critical. Research shows that cybersecurity risks are escalating daily, and their impact on functional safety can sometimes trigger far more dangerous incidents than an internal system failure. What happens if an attacker gains access to a self-driving truck’s remote-control system, or manages to reflash a critical electronic control unit during an unauthorized diagnostic session?
One of the key components for mitigating these scenarios is a security gateway, which isolates the vehicle’s architecture into different domains based on criticality, while providing secure routing, filtering, and traffic control. Developing this type of software solution is precisely what our team focuses on as we build the Kaspersky Automotive Secure Gateway based on KasperskyOS.
Why Kaspersky Automotive Secure Gateway?
The primary purpose of Kaspersky Automotive Secure Gateway (KASG) is to secure the vehicle’s CAN domain, since the CAN bus is used to transmit a vast number of critical control commands. This impacts nearly 80% of the electronic control units inside the car, which handle engine management, braking, body electronics, and more. Because of this, we utilize the Safety-Aware Cybersecurity approach — a unified architecture that accounts for both functional safety and cybersecurity requirements.
For example, standard End-to-End Protection (E2E) mechanisms are typically used to mitigate risks associated with dropped, out-of-order, or corrupted CAN messages. However, these mechanisms were not originally designed to counter targeted cyberattacks. If an attacker manages to construct a malicious frame that conforms to the required E2E format, the system may accept it as valid.
This introduces a new factor: it’s critical not only to verify that a message was delivered without errors, but also to ensure that it was actually generated by a trusted electronic control unit (ECU), and was not altered in transit. This is particularly vital for transmitting control commands — such as those sent to the vehicle’s braking system — or for implementing keyless entry (NFC) systems.
To address that challenge, Secure Onboard Communication (SecOC) mechanisms are integrated into the vehicle’s architecture. They use cryptographic methods to verify message authenticity and integrity, protecting the system against message spoofing and replay attacks. KASG successfully implements these mechanisms, which, in addition to message verification, perform the crucial function of centralized key management. This allows encryption keys to be distributed and updated from a single point within the vehicle, reducing both the cost and the processing load on the ECUs involved in SecOC-backed data exchange.
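To make the difference between an E2E-style check and SecOC-style authentication concrete, here is an added example; it is not KASG or AUTOSAR code. It assumes a CRC-8 stands in for the E2E checksum, a truncated HMAC-SHA256 stands in for the CMAC that SecOC profiles normally use, and the key and CAN ID are constructed.

```python
import hashlib
import hmac
import struct

MAC_BYTES = 4  # truncated authenticator; SecOC profiles carry only a few MAC bytes per frame


def crc8(data: bytes) -> int:
    """CRC-8 (poly 0x1D), standing in here for a simplified E2E-style checksum."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def e2e_ok(counter: int, payload: bytes, crc: int) -> bool:
    """E2E-style acceptance: a counter plus a checksum, no secret involved.
    Anyone who knows the format can build a frame that passes this check."""
    return crc8(bytes([counter & 0x0F]) + payload) == crc


def authenticator(key: bytes, can_id: int, payload: bytes, freshness: int) -> bytes:
    """SecOC-style authenticator over CAN ID, freshness value and payload.
    Assumption: truncated HMAC-SHA256 stands in for CMAC-AES (hashlib has no CMAC)."""
    msg = struct.pack(">IQ", can_id, freshness) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]


class SecOCReceiver:
    """Receiving ECU side: checks the MAC and rejects reused freshness values."""

    def __init__(self, key: bytes, can_id: int) -> None:
        self.key = key
        self.can_id = can_id
        self.last_freshness = -1  # highest freshness value accepted so far

    def verify(self, payload: bytes, freshness: int, mac: bytes) -> str:
        if freshness <= self.last_freshness:
            return "REPLAY"       # stale freshness value: a captured frame played back
        expected = authenticator(self.key, self.can_id, payload, freshness)
        if not hmac.compare_digest(expected, mac):
            return "BAD_MAC"      # not produced by the key-holding ECU, or altered in transit
        self.last_freshness = freshness
        return "OK"


def demo() -> list:
    """Three frames on a brake-command ID: genuine, replayed, and forged.
    Returns (label, passes the E2E-style check, SecOC verdict) per frame."""
    key = bytes(range(16))   # constructed demo key shared by sender and receiver
    brake_id = 0x123         # constructed CAN ID
    rx = SecOCReceiver(key, brake_id)
    out = []

    # Genuine frame from the trusted ECU
    fv, payload = 1, bytes([0x10, 0x00])
    mac = authenticator(key, brake_id, payload, fv)
    crc = crc8(bytes([fv & 0x0F]) + payload)
    out.append(("genuine", e2e_ok(fv, payload, crc), rx.verify(payload, fv, mac)))

    # The same frame captured and played back: E2E format intact, freshness stale
    out.append(("replayed", e2e_ok(fv, payload, crc), rx.verify(payload, fv, mac)))

    # Forged frame with a correct counter and checksum but no knowledge of the key
    fv2, payload2 = 2, bytes([0xFF, 0x00])
    crc2 = crc8(bytes([fv2 & 0x0F]) + payload2)
    out.append(("forged", e2e_ok(fv2, payload2, crc2),
                rx.verify(payload2, fv2, b"\x00" * MAC_BYTES)))
    return out
```

The forged and replayed frames both satisfy the E2E-style check; only the freshness value and the keyed authenticator separate them from the genuine one.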
Automotive IDS
However, in complex systems, it’s no longer enough to apply security mechanisms only to individual messages or separate network segments. It’s essential to provide vehicle-wide monitoring and control, tracking behavioral anomalies, unusual cross-domain interactions, and unauthorized tampering attempts. In the IT domain, this is known as an Intrusion Detection System (IDS). These systems have been successfully adopted by the automotive industry as well.
At the same time, it’s important to realize that for a modern vehicle, an IDS is not a single magic point of data collection and analysis; the vehicle requires a distributed monitoring system. Monitoring is carried out at various architectural levels: within domains, at the individual controller level, and at network boundaries.
The security gateway becomes a critical monitoring point because all cross-domain interaction passes through it. Additionally, the gateway provides visibility into data exchange across different segments of the vehicle network. Its job is to detect deviations from normal behavior and generate security events.
When it comes to the CAN domain monitoring implemented in KASG, the IDS looks at the following criteria for traffic analysis:
Alignment of CAN message parameters (CAN ID, DLC) with their descriptions in the DBC specification.
Frequency and periodicity of CAN messages.
Allowable ranges for CAN signals.
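An added example (not KASG code) of the three CAN checks just listed, run over a constructed frame capture against a constructed DBC-like description; the message IDs, signal layouts and the periodicity tolerance are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    name: str
    start_bit: int      # Intel (little-endian) bit position in the data field
    length: int
    scale: float
    offset: float
    min_phys: float
    max_phys: float


# Constructed DBC-like description of two messages (not a real vehicle's DBC).
SPEC = {
    0x1A0: {"dlc": 8, "period_ms": 10.0,
            "signals": [Signal("WheelSpeed", 0, 16, 0.01, 0.0, 0.0, 300.0)]},
    0x2B0: {"dlc": 2, "period_ms": 100.0,
            "signals": [Signal("BrakePedal", 0, 8, 1.0, 0.0, 0.0, 100.0)]},
}
PERIOD_TOLERANCE = 0.5   # flag if the interval deviates by more than 50 % from the spec


def decode_signal(sig: Signal, data: bytes) -> float:
    raw = int.from_bytes(data.ljust(8, b"\x00"), "little")
    raw = (raw >> sig.start_bit) & ((1 << sig.length) - 1)
    return raw * sig.scale + sig.offset


class CanIds:
    """Per-frame checks: spec conformance (ID, DLC), periodicity, signal ranges."""

    def __init__(self, spec: dict) -> None:
        self.spec = spec
        self.last_seen = {}   # can_id -> timestamp (ms) of the previous frame

    def check(self, ts_ms: float, can_id: int, data: bytes) -> list:
        alerts = []
        desc = self.spec.get(can_id)
        if desc is None:
            return [f"UNKNOWN_ID 0x{can_id:X}"]
        if len(data) != desc["dlc"]:
            alerts.append(f"DLC_MISMATCH 0x{can_id:X} got={len(data)} expected={desc['dlc']}")
        prev = self.last_seen.get(can_id)
        if prev is not None:
            interval = ts_ms - prev
            if abs(interval - desc["period_ms"]) > PERIOD_TOLERANCE * desc["period_ms"]:
                alerts.append(f"PERIOD_VIOLATION 0x{can_id:X} interval={interval:.1f}ms")
        self.last_seen[can_id] = ts_ms
        if len(data) == desc["dlc"]:   # only decode signals from a well-formed frame
            for sig in desc["signals"]:
                val = decode_signal(sig, data)
                if not sig.min_phys <= val <= sig.max_phys:
                    alerts.append(f"SIGNAL_OUT_OF_RANGE {sig.name}={val:g}")
        return alerts


# Constructed frame capture: (timestamp ms, CAN ID, data bytes)
SAMPLE_FRAMES = [
    (0.0,   0x1A0, bytes.fromhex("401F000000000000")),  # 80.00 km/h, normal
    (10.0,  0x1A0, bytes.fromhex("401F000000000000")),
    (20.0,  0x1A0, bytes.fromhex("401F000000000000")),
    (21.0,  0x1A0, bytes.fromhex("409C000000000000")),  # 1 ms after the last one, 400 km/h
    (30.0,  0x7FF, bytes.fromhex("0000")),              # ID not described in the DBC
    (31.0,  0x1A0, bytes.fromhex("401F00")),            # wrong DLC
    (100.0, 0x2B0, bytes.fromhex("2000")),              # brake pedal 32 %, normal
]


def analyze(frames=SAMPLE_FRAMES) -> list:
    """Returns (timestamp, alert) pairs for every frame that violates the spec."""
    ids = CanIds(SPEC)
    findings = []
    for ts, can_id, data in frames:
        for alert in ids.check(ts, can_id, data):
            findings.append((ts, alert))
    return findings
```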
In practice, however, an important limitation becomes clear: even with an onboard IDS, more context is required to determine the exact characteristics of an attack. Furthermore, when operating highly automated vehicles — where fleet-wide monitoring is essential — such isolated analysis becomes inherently insufficient.
Connecting a vehicle to a SIEM
Multi-object monitoring, data correlation, and data analysis can be efficiently handled externally — specifically in SIEM (Security Information and Event Management) systems, which are traditionally used in corporate and industrial cybersecurity operations centers. Therefore, utilizing a SIEM system fleet-wide is a logical step that makes it possible to:
Collect security events from multiple vehicles.
Correlate events over time and across contexts.
Detect advanced and distributed attacks.
Provide incident auditing and investigation.
Respond to individual incidents and manage cyber-risks fleet-wide.
When integrating with external SIEM systems, several critical tasks must be addressed: ensuring a secure connection, tuning the security event transmission process, and establishing baseline rules for event processing and correlation. We are actively working through all of these challenges using our own SIEM system — Kaspersky Unified Monitoring and Analysis Platform — as a blueprint.
There are still many issues ahead that need to be resolved. This article covered only a fraction of the approaches currently used in KASG to ensure vehicle safety and security. Yet even this small part demonstrates that automotive security cannot be achieved by solving a single problem or applying a single mechanism. Achieving it requires an approach that enables methodical architecture development — balancing diverse requirements for vehicle functionality, security, and reliability.
Security leaders are under growing pressure to reduce the time between threat detection and response without adding more complexity to already overloaded SOC workflows. ANY.RUN’s May updates help teams act on security risks more efficiently, improve consistency across investigations, and maintain stronger protection as attacker tactics continue to evolve.
Discover the updates your team can use to strengthen SOC performance, reduce response delays, and stay ahead of emerging threats.
Product Updates
In May, ANY.RUN introduced new capabilities to help SOC and MSSP teams reduce investigation delays, improve threat visibility, and make faster response decisions. The updates include decision-ready Tier 1 Reports with AI-powered insights and a new Threat Intelligence Feeds integration with Elastic Security.
Reduce Investigation Delays with Decision-Ready Tier 1 Reports
SOC teams can now generate structured Tier 1 Reports directly in ANY.RUN’s Interactive Sandbox, turning complex analysis findings into clear, actionable intelligence for faster response decisions.
Tier 1 Reports available in ANY.RUN sandbox
Instead of reviewing raw technical data or rebuilding investigation context during escalations, teams receive a ready-to-use report with a threat verdict, key IOCs, behavioral indicators, and MITRE ATT&CK mapping. Each report also includes an AI Summary with threat classification, a concise overview of the incident, and recommendations for the next response steps.
AI Summary providing a clear, structured overview of the threat
This gives SOC managers, Heads of SOC, and CISOs a clearer view of incident severity, potential business impact, and response priorities while helping teams move cases forward without unnecessary delays.
AI Recommendations generated by ANY.RUN’s sandbox
With Tier 1 Reports, your SOC can:
Accelerate alert triage: Help Tier 1 teams validate threats and make faster escalation decisions.
Reduce investigation delays: Give Tier 2 and incident response teams structured context without requiring them to reconstruct the case from raw data.
Improve SOC efficiency: Reduce repetitive reporting work and free senior teams to focus on high-priority incidents.
Strengthen business-risk visibility: Help decision-makers understand which threats require urgent action and where response efforts should be focused.
Standardize incident reporting: Create consistent, easy-to-share reports for faster internal communication and more informed decisions.
Unlimited Tier 1 Report generation, including AI Summary and Recommendations, is available with Enterprise Suite and Hunter plans. Free plan users receive five shared generations.
ANY.RUN Threat Intelligence Feeds Are Now Available in Elastic Security
SOC and MSSP teams can now integrate ANY.RUN Threat Intelligence Feeds directly into Elastic Security to bring fresh, sandbox-backed IOCs into their existing workflows.
Built from live sandbox investigations across more than 15,000 organizations and a community of 600,000 security professionals, ANY.RUN Threat Intelligence Feeds provide indicators linked to active phishing, malware delivery, and attacker campaigns.
Once configured, the integration ingests IP addresses, domains, URLs, and other IOCs into Elastic Security on a scheduled basis. Each indicator includes additional context and a direct link to the related sandbox report, helping teams quickly understand threat behavior and TTPs.
IOC overview of Threat Intelligence Feeds inside Elastic Security
Here is what your team gains:
Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.
Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.
Reduce manual work: Eliminate repetitive enrichment steps and tool switching.
Improve detection quality: Use high-confidence indicators in detection rules and correlation logic.
Speed up triage and response: Access additional context directly in Elastic Security and make faster decisions.
In May, the detection team continued to strengthen ANY.RUN’s threat coverage by adding 120 new behavior signatures, 1,327 new Suricata rules, and 7 new YARA rules. These additions expand detection capabilities across suspicious behaviors, network-level activities, and file-based indicators.
New Behavior Signatures
The 120 new behavior signatures added in May cover malware-specific activities, mutex indicators, and exploitation-related behavior. These signatures focus on observable actions and artifacts that appear during detonation, helping security teams confirm sample behavior within the sandbox.
A total of 1,327 new Suricata rules were implemented in May to improve visibility into malicious network activity, including phishing kit communications and C2 check-ins.
Generic Fake Captcha HTTP activity (sid: 85007558): Detects fake captcha implementations used in the execution chains of various phishing campaigns.
DrimKit related HTTP GET request (sid: 85007566): Identifies activity associated with the emerged phishing kit known as DrimKit.
Tycoon2FA related JS file in HTTP response (sid: 84003241): Tracks client-side code loaded by phishing pages related to Tycoon2FA.
New Threat Intelligence Reports
In May, ANY.RUN released three new Threat Intelligence Reports providing in-depth analysis of recent malware activity and attacker techniques. These reports are available to TI Lookup Premium subscribers to support faster investigations.
Threat Intelligence Reports available for deeper analysis
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding and clearer evidence for response.
Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.
ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.
A previously unidentified cyberattack is quietly spreading through US businesses — and most security tools are not catching it. Researchers at ANY.RUN have identified a new backdoor called JS.MonoGlyphRAT, an advanced piece of malware delivered as an ordinary-looking JavaScript file disguised as a purchase order, quote, or business proposal. Once an employee opens the file, the attacker gains silent, persistent access to the company’s systems.
This threat is currently active and primarily targeting organizations in the United States, with victims confirmed across the technology sector, managed security service providers (MSSPs), telecommunications, and education. It has also been observed in Germany, Sweden, Australia, and several other countries.
The financial consequences can quickly escalate beyond incident response costs. Organizations may face operational downtime, regulatory penalties, contractual liabilities, lost business opportunities, reputational damage, and increased cyber insurance expenses. Because MonoGlyphRAT functions as a loader capable of delivering additional malware, even a seemingly minor infection can become the first step toward a large-scale breach with significant business impact.
Key Takeaways
It is actively targeting US businesses. JS.MonoGlyphRAT is an operational threat, with confirmed victims in the US technology, MSSP, and telecom sectors, delivered via convincing sales-themed phishing lures.
Most security tools are blind to it. The malware is currently classified as ‘Unknown malware’ on VirusTotal and ThreatFox. Standard signature-based antivirus provides little to no protection.
It is designed for persistence and deep access. The RAT establishes a permanent foothold via the Windows registry, runs silently in the background, and can pivot to download ransomware, exfiltrate data, or deploy further stages.
The attack begins with a single click. Employees in procurement, sales, and finance are the primary targets. A .js file disguised as a purchase order or quote is all it takes to compromise a machine.
The financial exposure is real and immediate. From ransomware deployment to data breach fines and incident response costs, a successful compromise can cost a mid-sized US business millions of dollars — plus reputational damage that is harder to quantify.
Behavioral detection is the key defense. The malware’s most reliable detection artifacts are behavioral: unusual wscript.exe activity, PowerShell chains launched from a user directory, suspicious registry writes, and HTTP beaconing to non-standard ports. Hunt for these patterns actively.
ANY.RUN detects and analyzes this threat in real time. ANY.RUN’s Interactive Sandbox first identified and documented JS.MonoGlyphRAT, providing full behavioral analysis, C2 traffic capture, and MITRE ATT&CK mapping. The ANY.RUN Threat Intelligence suite allows defenders to query related IOCs — including C2 IPs, domains, URI patterns, and Suricata rule IDs — to proactively hunt for this threat across their environments. Organizations using ANY.RUN can analyze suspicious .js files in seconds before they reach endpoints, dramatically reducing the window of exposure.
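An added example (not ANY.RUN's code) of hunting for the behavioral pattern named in the takeaway above over constructed endpoint telemetry; the log format, host names, paths, PIDs, IP addresses and the placeholder -enc blob are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed endpoint telemetry in a simple "timestamp KIND key=value ..." format
# (not ANY.RUN output). Paths, PIDs, IPs and the -enc blob are placeholders.
SAMPLE_EVENTS = [
    r'2026-05-12T09:14:03Z PROCESS host=WS-17 pid=4120 ppid=1802 parent=explorer.exe image=wscript.exe cmdline="wscript.exe C:\Users\jdoe\Downloads\PO-4471.js"',
    r'2026-05-12T09:14:04Z PROCESS host=WS-17 pid=4132 ppid=4120 parent=wscript.exe image=powershell.exe cmdline="powershell -nop -enc QQBCAEMA"',
    r'2026-05-12T09:14:05Z REGISTRY host=WS-17 pid=4120 op=SetValue key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=Updater data="wscript.exe C:\Users\jdoe\AppData\Roaming\svc\client.js"',
    r'2026-05-12T09:14:06Z NETWORK host=WS-17 pid=4120 image=wscript.exe dst=203.0.113.10 dport=8081 uri="/api?ia=9f3a1c"',
    r'2026-05-12T09:14:36Z NETWORK host=WS-17 pid=4120 image=wscript.exe dst=203.0.113.10 dport=8081 uri="/api?ia=9f3a1c"',
    r'2026-05-12T09:15:06Z NETWORK host=WS-17 pid=4120 image=wscript.exe dst=203.0.113.10 dport=8081 uri="/api?ia=9f3a1c"',
    r'2026-05-12T09:20:00Z PROCESS host=WS-02 pid=777 ppid=1 parent=explorer.exe image=wscript.exe cmdline="wscript.exe C:\Scripts\logon.js"',
    r'2026-05-12T09:20:01Z NETWORK host=WS-02 pid=777 image=wscript.exe dst=198.51.100.5 dport=443 uri="/ok"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
COMMON_HTTP_PORTS = {80, 443, 8080}
BEACON_JITTER_S = 5.0   # intervals within this spread count as a regular beacon


def parse_event(line: str) -> dict:
    ts, kind, rest = line.split(" ", 2)
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "kind": kind}
    for m in KV_RE.finditer(rest):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return ev


def in_user_dir(path: str) -> bool:
    return "\\users\\" in path.lower()


def detect(lines=SAMPLE_EVENTS) -> dict:
    """Returns host -> sorted list of the MonoGlyphRAT-style indicators observed."""
    hits = defaultdict(set)
    beacons = defaultdict(list)   # (host, dst, port) -> timestamps of HTTP requests
    for ev in map(parse_event, lines):
        host = ev["host"]
        if ev["kind"] == "PROCESS":
            cmd = ev.get("cmdline", "")
            if ev["image"] == "wscript.exe" and in_user_dir(cmd) and cmd.lower().endswith(".js"):
                hits[host].add("wscript_js_from_user_dir")
            if (ev["image"] == "powershell.exe" and ev.get("parent") == "wscript.exe"
                    and "-enc" in cmd.lower()):
                hits[host].add("encoded_powershell_child_of_wscript")
        elif ev["kind"] == "REGISTRY":
            data = ev.get("data", "")
            if (ev.get("key", "").lower().endswith("\\currentversion\\run")
                    and in_user_dir(data) and data.lower().endswith(".js")):
                hits[host].add("run_key_points_to_user_js")
        elif ev["kind"] == "NETWORK" and ev.get("image") == "wscript.exe":
            port = int(ev["dport"])
            if port not in COMMON_HTTP_PORTS:
                hits[host].add("wscript_http_nonstandard_port")
            beacons[(host, ev["dst"], port)].append(ev["ts"])
    # A near-constant interval between requests to the same destination is a beacon loop
    for (host, _, _), stamps in beacons.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= BEACON_JITTER_S:
            hits[host].add("periodic_beacon")
    return {host: sorted(rules) for host, rules in hits.items()}


def suspected_hosts(lines=SAMPLE_EVENTS, min_indicators: int = 3) -> list:
    """Hosts where several independent indicators line up, ordered for triage."""
    return sorted(h for h, rules in detect(lines).items() if len(rules) >= min_indicators)
```

WS-02 runs a script from outside a user directory and talks to port 443 only, so no indicator fires there; WS-17 trips all five.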
What This Attack Means for Your Business
JS.MonoGlyphRAT is not a smash-and-grab attack. It is designed for persistence — staying hidden on infected machines for as long as possible while giving attackers full remote control. The financial consequences for affected organizations can be severe and varied:
Ransomware deployment: The malware can silently download and execute ransomware or other destructive payloads, potentially locking businesses out of critical systems and demanding seven-figure ransoms.
Data theft and regulatory fines: Attackers can exfiltrate sensitive data — customer records, financial information, intellectual property — triggering GDPR, HIPAA, or SEC disclosure obligations and associated penalties.
Business email compromise (BEC) and fraud: With full access to an employee’s machine, attackers can pivot to email systems and initiate fraudulent wire transfers or supplier fraud.
Operational disruption: A compromised endpoint in a network operations center or a managed service provider can cascade into downtime for dozens of downstream clients.
Incident response costs: The average cost of a data breach in the US exceeded $9.4 million in 2024. Detection, containment, forensics, legal counsel, and notification alone typically run into hundreds of thousands of dollars.
Reputational damage: Clients who learn their MSSP or technology vendor was compromised often terminate contracts, compounding the financial blow.
Because this malware cluster is currently unattributed in public threat intelligence feeds (flagged only as ‘Unknown malware’ on VirusTotal and ThreatFox), standard signature-based antivirus provides little protection. Behavioral detection and sandbox analysis are essential to identify and stop it.
Technical Analysis of a WSH/JScript Backdoor with Monoglyph Obfuscation and PowerShell Stagers
During analysis of generic clusters of tracked activity, researchers identified an obfuscated JScript sample executed via Windows Script Host (WSH).
The malware uses a distinctive monoglyph obfuscation technique for identifiers: variable and function names are constructed from repeated characters in mixed case (e.g., IiIiIiIiiIII, KkkKKKkKkK, and so on), making the code difficult to read and hampering static analysis.
Obfuscated JS file
This cluster has not been publicly identified. In open threat intelligence sources, related samples are classified as unknown malware: ThreatFox marks one of the C2 addresses as ‘Unknown malware’ with threat type ‘payload delivery’, while VirusTotal shows Malicious activity (29/59 detections) but no specific family name.
For tracking purposes, ANY.RUN researchers have designated this cluster JS.MonoGlyphRAT, named after the monoglyph identifier obfuscation method (IiiIIii…, KkkKkKk…, etc.).
The malware implements persistent RAT/loader functionality running on the JS/WScript platform. It achieves persistence via the HKCU Run registry key, collects system and process information via WMI, communicates with its C2 server over HTTP, receives commands through control headers, launches AES-encrypted PowerShell stagers, and supports file execution, remote shell access, payload download, and self-update.
Malware activity in the system
Delivery Vector & Victimology
Based on filenames submitted to the sandbox, the presumed delivery vector is social engineering (phishing with malicious JS attachments) using sales-themed lures: purchase orders, requests for proposals (RFPs), requests for quotations (RFQs), and similar documents.
Industries affected: Technology sector, MSSPs, Education, Telecommunications. Geographic distribution of victims: primarily the United States, Germany, and Sweden; to a lesser extent Australia, Costa Rica, Greece, Poland, and Turkey.
The analyzed sample is a heavily obfuscated JS script (SHA256: 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f).
The defining characteristic is the repeating pattern of object and function names in the code: sequences of the same letter in alternating case — for example, ‘function iiiiiiiiiiiiii()’, ‘var IiIiiiiiiIiIIi’, ‘function Iiiiiiiiiiiiii(iIiiiiiiiiiiii, IIiiiiiiiiiiii)’, and so on.
The characteristic code obfuscation
In the sandbox, the script runs under the wscript.exe process. Shortly after execution, a series of behavioral signatures fire with Malicious and Suspicious severity levels.
Malicious behavior detected in the sandbox
Malware behavioral signatures
Network activity is also visible: the script sends HTTP requests to an unknown IP address.
Network block: HTTP requests
One of the malware’s HTTP requests
The malware creates wrapper objects for interacting with WScript and WMI.
Wrappers for working with WinHost API, WScript, and ActiveX/COM
These provide the following capabilities:
Process execution;
PowerShell payload execution;
WMI data collection;
File system operations;
C2 HTTP communication;
Registry value writing;
Persistence mechanisms and self-copying to the installation path.
Installation and Persistence
On the first run, the script copies itself into a subdirectory of %USERPROFILE%. After a successful C2 exchange, it adds itself to the Windows autorun mechanism by writing to the registry:
Persistence mechanisms
Changing the Windows Registry for persistence
C2 Implementation and Capabilities
C2 connection parameters are defined in a static configuration within the main RAT class.
C2 connection parameters in the malware config
HTTP C2 addresses are hardcoded; the connectionMode parameter determines the communication scheme: header C2 mode (commands delivered via HTTP response headers) or legacy mode.
C2 address and communication mode selection
On initial connection, the client collects basic host telemetry:
USERDOMAIN
USERNAME
Win32_SystemEnclosure.SerialNumber (via WMI)
Win32_OperatingSystem.Caption (via WMI)
Basic telemetry collection
This data is sent to the C2 in an HTTP POST request.
HTTP C2 check-in
POST request example
The server responds with two control headers:
X-S: <session ID>
X-A: <command_id>
If the response status code is not 200, or if the X-S header is absent, the RAT client considers the connection failed and enters a shutdown state.
HTTP C2 check-in response w/ control headers (X-S, X-A)
After successful registration, MonoGlyphRAT enters a beacon loop.
C2 interaction in beacon loop mode
HTTP beacon-request example
The beacon URL format is: http://<c2_host>/<endpoint>?ia=<session_id>[&<param>=<value>]
If the response status is below 300, the response is passed to the command dispatcher. Otherwise, the connection is considered broken and the client attempts to reconnect.
The command dispatcher reads the command code from the ‘X-A’ header. Supported commands:
Command ID | Description
-7 | Receive MonoGlyphRAT client update from C2
-6 | Uninstall — remove self from host
-5 | Terminate client process
-4 | Restart client
-3 … 0 | C2 connection management: disconnect / reconnect / sleep / wake
1 | Download, decrypt, and execute payload from C2
2 | Decrypt and execute PowerShell command
3 | Download encrypted stage and execute in-memory
4 | Collect and send host telemetry to C2
Switch-case on C2 command number in X-A
The following POST-requests from the client also add parameters to the URL (along with ‘?ia=<session_id>’):
“&ex=<token>”: file download
“&sb=<token>”: loader/stage
“&vc=<token>”: payload URL for stage
“&df=0”: host telemetry upload
X-A: -7 “Update client”
Deobfuscated implementation code for the ‘Update client’ command (X-A: -7)
X-A: 1 “Execute file”
Deobfuscated implementation code for the ‘Execute file’ command (X-A:1)
C2 response body format:
[0:12] — file token
[12:44] — AES encryption key
[44:] — hex-encoded file extension
The extracted parameters are passed to SystemUtilities.DownloadAesEncryptedFile, which interpolates them into a PowerShell command executed via the WSH/WMI wrapper objects.
Preparation of the PS command to execute the C2 file payload
Encryption parameters used:
Mode: AES-128-CBC
Padding: PKCS #7
Key: 16 bytes, supplied per-task in the C2 response body
IV: ‘sixteenbyteslong’ — static across samples, stored as reverse-hex
X-A: 2 “Execute shell”
Deobfuscated implementation code for the ‘Execute shell’ command (X-A:2)
C2 response body format:
[0:32] — AES encryption key
[32:] — hex-encoded encrypted PowerShell command
Parameters are passed to SystemUtilities.RunEncryptedPowerShellCommand, which constructs and executes a PowerShell command in the same manner as the Execute File handler.
Preparation of the PS command to execute the C2 shell payload
X-A: 3 — In-Memory .NET Execution
This is the most sophisticated C2 handler. C2 response body format:
The handler builds two URLs (loaderUrl and payloadUrl), encodes them as reversed hex, then downloads and executes an additional payload in memory within a newly created .NET process.
Deobfuscated implementation code for the ‘in-memory execution’ command (X-A:3)
The PowerShell command used for execution:
Reconstructs loaderUrl from its obfuscated form
Downloads the additional payload
Decrypts the payload
Patches AmsiScanBuffer to bypass AMSI
Assembles the decrypted bytes into a memory buffer
Reflectively loads a .NET Assembly via [System.Reflection.Assembly]::Load()
Transfers execution to the entry point: [Software.Program].GetMethod(‘Main’).Invoke()
AMSI patching is implemented using LoadLibrary(‘amsi.dll’), GetProcAddress(‘AmsiScanBuffer’), VirtualProtect(), and Marshal.Copy().
Preparation for .NET in-memory payload execution
AMSI patching
.NET reflective loading
Handler function code LoadAesEncryptedDotNetStage
X-A: 4 “Host telemetry”
Deobfuscated implementation code for the ‘get host telemetry’ command (X-A:4)
C2 response body format:
[0:32] — XOR key from server
[32] — extended telemetry flag
C2 request-response with command ID = 4
In the request body:
“X-A: 4” — “Get host telemetry” command
“766BBAE98154B60B381CE91BFB5473ED” — XOR encryption key (in hex)
“1” – get extended info flag
When the flag is set to ‘1’, the client collects an extended host profile:
Host telemetry collection code
The data collected:
USERDOMAIN / USERNAME
Win32_SystemEnclosure.SerialNumber
Win32_OperatingSystem.Caption
Win32_ComputerSystem.TotalPhysicalMemory
Win32_ComputerSystem.Model
Win32_Processor.Name
Win32_VideoController.Name
Win32_Process.Name (unique entries list, via separate WMI call)
The collected data is XOR-encoded and sent as a JSON payload via POST:
POST /<endpoint>?ia=<session_id>&df=0
Content-Type: application/json
<JSON host info payload in request body>
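An added example (not ANY.RUN's code) that decodes captured C2 exchanges by the rules described above: the X-S/X-A acceptance check, the X-A command codes, the beacon URL parameters, and the body layouts for commands 1, 2 and 4. The sample responses are constructed; the 32-character key fields are returned as carried, since the page does not state their encoding.

```python
from urllib.parse import parse_qs, urlsplit

# Command codes carried in the X-A header, as listed in the analysis above.
COMMANDS = {
    -7: "receive client update from C2",
    -6: "uninstall (remove self from host)",
    -5: "terminate client process",
    -4: "restart client",
    1: "download, decrypt and execute payload",
    2: "decrypt and execute PowerShell command",
    3: "download encrypted stage and execute in memory",
    4: "collect and send host telemetry",
}
# Meaning of the extra beacon URL parameters sent alongside ?ia=<session_id>
PARAM_MEANING = {
    "ex": "file download token",
    "sb": "loader/stage token",
    "vc": "payload URL token for stage",
    "df": "host telemetry upload",
}


def command_name(code: int) -> str:
    if -3 <= code <= 0:   # the page groups these four without assigning individual values
        return "C2 connection management (disconnect / reconnect / sleep / wake)"
    return COMMANDS.get(code, "unknown command code")


def parse_beacon_url(url: str) -> dict:
    """Splits http://<c2_host>/<endpoint>?ia=<session_id>[&<param>=<value>]."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return {
        "host": parts.netloc,
        "endpoint": parts.path,
        "session": qs.get("ia", [None])[0],
        "params": {k: PARAM_MEANING.get(k, "unknown parameter") for k in qs if k != "ia"},
    }


def decode_task_body(code: int, body: str) -> dict:
    """Slices the response body by the per-command layouts documented above.
    Key fields are returned as carried; nothing is decrypted or executed here."""
    if code == 1:   # [0:12] file token, [12:44] AES key, [44:] hex-encoded extension
        return {"file_token": body[0:12], "aes_key_field": body[12:44],
                "extension": bytes.fromhex(body[44:]).decode("ascii", "replace")}
    if code == 2:   # [0:32] AES key, [32:] hex-encoded encrypted PowerShell command
        return {"aes_key_field": body[0:32], "encrypted_command_hex": body[32:]}
    if code == 4:   # [0:32] XOR key (hex), [32] extended telemetry flag
        return {"xor_key_hex": body[0:32], "extended": body[32:33] == "1"}
    return {"raw_body": body}


def classify_response(raw: bytes) -> dict:
    """Parses a captured HTTP response from the C2 and applies the client's
    acceptance rule: status 200 and an X-S header, otherwise the connection fails."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != 200 or "x-s" not in headers:
        return {"accepted": False, "status": status, "reason": "no session or bad status"}
    code = int(headers.get("x-a", "0"))
    return {
        "accepted": True,
        "session": headers["x-s"],
        "command": code,
        "command_name": command_name(code),
        "fields": decode_task_body(code, body.decode("latin-1")),
    }


# Constructed sample responses (not real captures); the XOR key string is the
# one quoted in the analysis above, the token and AES key field are placeholders.
SAMPLE_FILE_TASK = (
    b"HTTP/1.1 200 OK\r\nX-S: 9f3a1c\r\nX-A: 1\r\nContent-Length: 50\r\n\r\n"
    b"TOK000000001" b"0123456789ABCDEF0123456789ABCDEF" b"657865"
)
SAMPLE_TELEMETRY_TASK = (
    b"HTTP/1.1 200 OK\r\nX-S: 9f3a1c\r\nX-A: 4\r\n\r\n"
    b"766BBAE98154B60B381CE91BFB5473ED1"
)
SAMPLE_NO_SESSION = b"HTTP/1.1 200 OK\r\nX-A: 1\r\n\r\nTOK000000001"
```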
POST-request with collected host info
MonoGlyphRAT C2 protocol operation scheme:
The RAT client configuration is set statically in the JS script code:
MonoGlyphRAT configuration example
Threat Landscape
Based on available sources, JS.MonoGlyphRAT is supported by a stable infrastructure cluster — IP addresses, C2 domains, and non-standard URI paths — that remains without attribution (classified as Unknown RAT/malware in public feeds).
Within the kill chain, MonoGlyphRAT occupies the role of a first- or mid-stage RAT/loader: it establishes persistence on the victim host, sets up a persistent C2 session, and can download and execute additional stage payloads (files, shell commands, in-memory .NET execution).
Attribution to a specific campaign or threat actor cannot be confirmed on the current dataset. While there are consistent infrastructure artifacts, network traffic patterns, and a shared execution chain, these are insufficient for reliable actor attribution.
MITRE ATT&CK Mapping
Tactic | Technique | Procedure
Initial Access | T1204.002 – User Execution: Malicious File | User executes a JS script disguised as a business document
Execution | T1059.007 – JavaScript | Core implant written in JavaScript, executed via wscript.exe
Execution | T1059.001 – PowerShell | Script generates PowerShell wrappers, launched via powershell -nop -enc; used for download, AES decryption, command execution, and staging
Execution | T1620 – Reflective Code Loading | Decrypted .NET assembly loaded into memory via reflection; payload never written to disk
Persistence | T1547.001 – Registry Run Keys | Script copies itself to %USERPROFILE% and registers via HKCU…Run
Discovery | T1082 – System Information Discovery | Client collects host fingerprint: domain, username, serial number, OS, RAM, model, CPU, GPU, OS architecture
Discovery | T1057 – Process Discovery | Running process list collected via WMI Win32_Process.Name on C2 command
C&C | T1071.001 – Web Protocols | C2 over HTTP: check-in, beacon loop, tasking, telemetry upload, payload delivery; control via X-S / X-A headers
C&C | T1571 – Non-Standard Port | C2 endpoints served on non-standard HTTP ports
C&C | T1105 – Ingress Tool Transfer | Malware downloads additional files and stages from C2 in encrypted form; decrypted and executed locally
C&C | T1132.002 – Non-Standard Data Encoding | XOR for telemetry, reversed hex for strings/URLs, hex-encoded keys, AES-encrypted task bodies
Exfiltration | T1041 – Exfiltration Over C2 | Collected telemetry sent over the same HTTP C2 channel used for commands
 | | PowerShell commands built dynamically, launched via -enc (Base64 UTF-16LE); parameters/URLs additionally obscured via hex/reverse-encoding
Defense Evasion | T1027.013 – Encrypted/Encoded File | Payloads and stages transferred AES-encrypted; key from C2 body, static IV ‘sixteenbyteslong’
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | During execution: hex/Base64 decode, reversed string restoration, XOR, AES-CBC decryption
Defense Evasion | T1562.001 – Disable or Modify Tools | Stage loader implements AMSI bypass by patching AmsiScanBuffer, reducing detection likelihood for subsequent .NET payloads
Defense Evasion | T1070.004 – File Deletion | On uninstall/update, malware deletes installed JS copy, temp files, or older client version
How ANY.RUN Helps Defend Against JS.MonoGlyphRAT
Defending against threats like JS.MonoGlyphRAT requires visibility across the entire attack chain, from the initial phishing attachment to command-and-control communications and follow-on payload delivery. ANY.RUN’s security solutions help organizations identify and stop such activity at multiple stages.
Using Interactive Sandbox, analysts can safely execute suspicious JavaScript attachments and immediately observe malicious behaviors associated with MonoGlyphRAT, including the execution of wscript.exe, PowerShell spawning, registry-based persistence, C2 communications, and payload delivery attempts.
AI Summary in the Sandbox analysis results automatically highlights key malicious actions, helping analysts understand the attack chain faster and reducing investigation time. In addition, AI Recommendations provide actionable guidance for further analysis, threat hunting, and incident response, helping teams move from detection to remediation more efficiently.
Tier 1 Reports provide ready-made analysis summaries that explain malware behavior, attack techniques, indicators of compromise, and detection opportunities in a structured, easy-to-consume format. This enables teams to quickly understand threats without requiring extensive reverse engineering expertise.
Threat Intelligence Lookup enables defenders to investigate indicators associated with the malware cluster, including IP addresses, domains, URLs, process chains, Suricata detections, and behavioral artifacts. Analysts can quickly determine whether their organization has encountered related infrastructure or attack patterns and pivot across connected indicators to uncover broader malicious activity.
For proactive defense, Threat Intelligence Feeds help security teams enrich SIEM, EDR, XDR, SOAR, and other security controls with continuously updated threat data. By automatically incorporating fresh indicators linked to emerging malware campaigns, organizations can improve detection coverage and block malicious infrastructure before attackers establish persistence.
Together, ANY.RUN’s Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds provide security teams with the visibility needed to detect, investigate, and respond to MonoGlyphRAT infections early, reducing the likelihood of costly incidents, operational disruption, and follow-on attacks such as ransomware deployment.
Conclusions
JS.MonoGlyphRAT is a fully featured persistent RAT/loader built around Windows Script Host, PowerShell, and a custom HTTP C2 protocol. Its purpose is to establish persistence on the victim host, register with the C2, receive operator commands, and download additional payloads and stages.
The defining characteristic of this cluster is monoglyph obfuscation of JavaScript identifiers: class and variable names are constructed from repeated characters in mixed case, making the code difficult to read and hampering manual analysis.
C2 communication is conducted via HTTP headers X-S and X-A, where X-S carries the session identifier and X-A acts as a command selector. The C2 response body contains task parameters: tokens, encryption keys, and encrypted PowerShell or stager payloads.
Functionally, MonoGlyphRAT supports a broad capability set: host telemetry collection, active process enumeration, HKCU Run persistence, AES-encrypted payload download and execution, PowerShell task execution, in-memory .NET code execution, client self-update, and installed copy removal. The implant can also serve as an intermediate platform for delivering subsequent payloads.
From a Threat Intelligence perspective, a distinct code/infrastructure cluster is consistently observed; public TI sources currently classify related IOCs as ‘Unknown malware’, so attribution to a known group or family remains unconfirmed. The working designation JS.MonoGlyphRAT is proposed for analysis and indicator-sharing purposes.
In defensive practice, the most valuable detection artifacts are behavioral:
wscript.exe executing JS files from user-writable directories
Registry write to HKCU Run pointing to a .js file
Process chain: wscript.exe → powershell.exe -nop -enc …
HTTP POST requests to non-standard ports
Presence of query parameters ia=, df=, ex=, sb=, vc= and HTTP response headers X-S: and X-A:
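The behavioral artifacts listed above, together with the POST check-in shape shown earlier (ia= and df= query parameters, X-S / X-A headers), can be turned into simple triage logic. The block below is an added example, not ANY.RUN's code: it runs over constructed sample process, registry and HTTP proxy records (the field names are an assumption; real products differ), decodes the -enc argument so an analyst sees the PowerShell that was launched, and flags each of the five indicator classes from the list. The port allow-list is an assumption to tune per environment, and 203.0.113.x is a documentation address, not a real C2.

```python
"""Behavioral triage for the JS.MonoGlyphRAT artifacts listed above.

Added example, not ANY.RUN's code. Event dictionaries are constructed
samples shaped like generic process-creation, registry-set and HTTP
proxy records; real products use different field names.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# --- constructed sample telemetry (not real data) ---------------------------
SAMPLE_ENC = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 812,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\PO-4471.js"'},
    {"pid": 4388, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -enc " + SAMPLE_ENC},
    {"pid": 5000, "ppid": 812,  # benign-looking script from a non-user-writable path
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\setup.js"'},
]
REGISTRY_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": r'wscript.exe "C:\Users\alice\PO-4471.js"'},
]
HTTP_EVENTS = [  # 203.0.113.0/24 is a documentation range, not a real C2
    {"method": "POST", "url": "http://203.0.113.10:8089/api?ia=abc123&df=0",
     "resp_headers": {"X-S": "abc123", "X-A": "2"}},
    {"method": "POST", "url": "https://example.com/login", "resp_headers": {}},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.I)
MONOGLYPH_PARAMS = {"ia", "df", "ex", "sb", "vc"}  # query parameters from the article's list
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}        # assumption: tune per estate


def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand (Base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_findings(events):
    """Flag wscript.exe running a .js from a user-writable path, and the
    wscript.exe -> powershell.exe -nop -enc parent/child chain."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        if (image.endswith("wscript.exe")
                and re.search(r'\.js"?(\s|$)', cmd, re.I)
                and USER_WRITABLE.search(cmd)):
            out.append(("wscript_js_user_writable", e["pid"]))
        if image.endswith("powershell.exe") and re.search(r"-nop\b", cmd, re.I):
            parent = by_pid.get(e["ppid"])
            if (decode_encoded_command(cmd) is not None and parent
                    and parent["image"].lower().endswith("wscript.exe")):
                out.append(("wscript_to_powershell_enc", e["pid"]))
    return out


def registry_findings(events):
    """Flag HKCU ...\\CurrentVersion\\Run values whose data points at a .js file."""
    out = []
    for e in events:
        if (e["key"].upper().startswith("HKCU")
                and re.search(r"\\CurrentVersion\\Run$", e["key"], re.I)
                and re.search(r"\.js\b", e["data"], re.I)):
            out.append(("hkcu_run_js", e["name"]))
    return out


def http_findings(events):
    """Flag POSTs to non-standard ports, MonoGlyphRAT query parameter names,
    and the X-S / X-A response-header pair."""
    out = []
    for e in events:
        u = urlsplit(e["url"])
        port = u.port or (443 if u.scheme == "https" else 80)
        params = set(parse_qs(u.query).keys())
        headers = {k.upper() for k in e["resp_headers"]}
        reasons = []
        if e["method"] == "POST" and port not in STANDARD_HTTP_PORTS:
            reasons.append("post_nonstandard_port")
        if params & MONOGLYPH_PARAMS:
            reasons.append("monoglyph_query_params")
        if {"X-S", "X-A"} <= headers:
            reasons.append("x-s_x-a_headers")
        if reasons:
            out.append((e["url"], reasons))
    return out


if __name__ == "__main__":
    for f in process_findings(PROCESS_EVENTS) + registry_findings(REGISTRY_EVENTS) + http_findings(HTTP_EVENTS):
        print(f)
```

Each finding on its own is weak (a benign installer can also run PowerShell with -enc); the value is in correlating the chain: a wscript.exe parent from a user-writable directory, an HKCU Run value naming the same .js, and a POST with the ia=/df= parameters answered with X-S / X-A headers together make a strong case.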
Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.
Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data.
JS.MonoGlyphRAT is a newly identified backdoor and loader malware written in JavaScript and executed via Windows Script Host. It was named by ANY.RUN researchers after its signature obfuscation technique — using repeating characters in mixed case for all variable and function names. The malware gives attackers persistent remote access to infected machines and can download additional malicious payloads.
Who is being targeted?
Current victims are concentrated in the United States, Germany, and Sweden. The hardest-hit industries are technology companies, managed security service providers (MSSPs), telecommunications firms, and educational institutions. Other affected countries include Australia, Costa Rica, Greece, Poland, and Turkey.
How does the infection start?
The malware is delivered via phishing emails with malicious JavaScript file attachments. The files are disguised as business documents — purchase orders, quotes, and RFPs — to trick employees in procurement, sales, and finance roles into opening them.
Why aren’t antivirus tools catching it?
As of the time of research, JS.MonoGlyphRAT is classified as ‘Unknown malware’ in public threat intelligence platforms including VirusTotal and ThreatFox. Signature-based antivirus tools cannot detect threats they have no signatures for. Detection requires behavioral analysis — monitoring what the file actually does when executed, rather than matching it against a database of known bad files.
What can attackers do once they are inside?
Once installed, the attacker has extensive control: they can collect detailed system information, monitor running processes, execute arbitrary commands via PowerShell, download and run additional malware (including ransomware), run code entirely in memory to avoid leaving files on disk, and update or remove the implant remotely. The malware is specifically designed to maintain access for extended periods without being detected.
What are the most important indicators of compromise (IOCs) to watch for?
Key detection signals include: JavaScript files executing via wscript.exe from user directories; a process chain of wscript.exe spawning powershell.exe with -nop and -enc flags; new registry Run keys pointing to .js files under %USERPROFILE%; HTTP POST traffic to non-standard ports containing the pattern a=iz&b=; and HTTP responses containing the headers X-S: and X-A:.
Is there a known threat actor behind this campaign?
At this time, attribution to a specific threat actor or nation-state group has not been confirmed. Researchers have identified a consistent infrastructure cluster — recurring IP addresses, C2 domains, URI patterns, and code artifacts — but the available data is insufficient for reliable attribution. ANY.RUN is continuing to track the cluster and will update the community as new intelligence emerges.
One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. We’ve already covered how cybercriminals are prepping for the World Cup online, and today we’re talking about digital security for fans on the ground in Mexico.
The country will host 13 matches and welcome millions of tourists. They’ll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spots — and everywhere they go, the temptation to connect to public Wi-Fi will be high.
We’ve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey — and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldn’t go on vacation without reliable protection and an eSIM.
What and how we tested
Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though that’s exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?
This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. That’s why we went wardriving — scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. It’s similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.
All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kaspersky’s Global Research and Analysis Team (GReAT) didn’t attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.
Our main target was Mexico City — the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, Zócalo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, Coyoacán.
In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.
Heatmap showing the locations of all Wi-Fi access points we covered in Mexico City
Heatmap showing the locations of all Wi-Fi access points we covered in Guadalajara
Heatmap showing the locations of all Wi-Fi access points we covered in Monterrey
We used passive radio reconnaissance to log 84 500 signals and 69 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).
What we analyzed:
Wireless network identifiers (SSIDs): the names that show up in your list of available Wi-Fi networks
Information that can be gleaned from these identifiers
Default router configurations and how ISPs deploy their networks
Frequencies used and signal characteristics
Channel load and radio frequency spectrum usage
Wireless network security configurations:
Open and insecure networks
Networks with WPS enabled
Secure networks (WPA2/WPA3) with WPS activated
You can find the full version of the study on the Securelist blog.
Telltale public Wi-Fi access point names
Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.
About 34% of the public Wi-Fi networks we logged didn’t bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how it’s likely configured by default.
Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access point’s MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the router’s manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brand’s models.
Is Mexican Wi-Fi well-protected?
An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:
Secure (WPA2/WPA3)
Unsecured (open/WEP)
Weak (WPA)
Undetermined
The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.
But security isn’t evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacks — sacrificing security for the sake of convenience.
What’s more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networks — about half of them utilized WPS. This shows that having WPA2/WPA3 is still not enough to consider a Wi-Fi access point safe, as additional features like WPS can still leave the door open to attacks.
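The grouping used above (Secure WPA2/WPA3, Weak WPA, Unsecured open/WEP, Undetermined), the WPS check on otherwise secure networks, and the two telltale SSID patterns (factory or ISP default names, and a BSSID reused as the network name) can all be computed from passively collected scan records. The following is an added example, not Kaspersky's or GReAT's survey tooling: the record layout (SSID, BSSID, list of advertised authentication modes, WPS flag) is an assumption loosely following what common passive scanners export, the sample records and the default-name patterns are constructed, and a mixed-mode access point is counted by its strongest advertised mode.

```python
"""Classify passively collected Wi-Fi scan records the way the study groups them.

Added example; not Kaspersky's or GReAT's tooling. The record layout
(ssid, bssid, auth = list of advertised modes or None when the scanner
could not determine it, wps = WPS advertised) is an assumption.
"""
import re
from collections import Counter

# Constructed sample scan; SSIDs and BSSIDs are made up.
SCAN = [
    {"ssid": "INFINITUM1A2B", "bssid": "00:11:22:33:44:55", "auth": ["WPA2-PSK"], "wps": True},
    {"ssid": "Cafe_Roma", "bssid": "00:11:22:33:44:66", "auth": ["WPA2-PSK", "WPA3-SAE"], "wps": False},
    {"ssid": "AA:BB:CC:DD:EE:01", "bssid": "AA:BB:CC:DD:EE:01", "auth": ["WPA-PSK"], "wps": False},
    {"ssid": "Aeropuerto_Free", "bssid": "00:11:22:33:44:77", "auth": [], "wps": False},
    {"ssid": "Hotel_Guest", "bssid": "00:11:22:33:44:88", "auth": ["WEP"], "wps": False},
    {"ssid": "TP-LINK_1234", "bssid": "00:11:22:33:44:99", "auth": ["WPA2-PSK"], "wps": True},
    {"ssid": "Estadio_WiFi", "bssid": "00:11:22:33:44:AA", "auth": ["WPA2-PSK"], "wps": False},
    {"ssid": "Taqueria", "bssid": "00:11:22:33:44:BB", "auth": None, "wps": False},
]

# Constructed sample of factory/ISP default-name patterns; a real survey
# would use a maintained list for the market being studied.
DEFAULT_SSID = re.compile(r"^(INFINITUM|TP-LINK|DIRECT-)", re.I)
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}$", re.I)

SECURE, WEAK, UNSECURED, UNDETERMINED = (
    "Secure (WPA2/WPA3)", "Weak (WPA)", "Unsecured (open/WEP)", "Undetermined")


def classify(rec):
    """Map advertised authentication modes to the study's four categories."""
    auth = rec.get("auth")
    if auth is None:
        return UNDETERMINED
    modes = {a.upper() for a in auth}
    # Assumption: a mixed WPA/WPA2 AP is counted by its strongest mode.
    if any(m.startswith(("WPA2", "WPA3")) for m in modes):
        return SECURE
    if any(m.startswith("WPA") for m in modes):
        return WEAK
    return UNSECURED  # open (no modes) or WEP


def ssid_leak(rec):
    """Return the kind of identity leak an SSID exhibits, or None."""
    ssid, bssid = rec["ssid"], rec["bssid"]
    norm = lambda s: re.sub(r"[:-]", "", s).lower()
    if MAC_RE.match(ssid) or norm(ssid) == norm(bssid):
        return "bssid_as_ssid"
    if DEFAULT_SSID.match(ssid):
        return "default_name"
    return None


def summarize(records):
    """Percentages per category, WPS prevalence overall and on secure APs,
    and a count of SSID leak types."""
    n = len(records)
    cats = Counter(classify(r) for r in records)
    secure = [r for r in records if classify(r) == SECURE]
    wps_total = sum(1 for r in records if r["wps"])
    wps_secure = sum(1 for r in secure if r["wps"])
    leaks = Counter()
    for r in records:
        kind = ssid_leak(r)
        if kind:
            leaks[kind] += 1
    return {
        "total": n,
        "share": {c: round(100 * k / n, 1) for c, k in cats.items()},
        "wps_share": round(100 * wps_total / n, 1),
        "wps_on_secure_share": round(100 * wps_secure / len(secure), 1) if secure else 0.0,
        "ssid_leaks": dict(leaks),
    }


if __name__ == "__main__":
    for key, value in summarize(SCAN).items():
        print(f"{key}: {value}")
```

The "WPS on secure APs" figure is the one the article stresses: a network can be WPA2/WPA3 and still appear in that bucket, which is why the classification alone is not a safety verdict.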
What else every tourist needs to know
Digital risks on a trip aren’t limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Let’s break it all down.
Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.
Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan “events”, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldn’t scan them with your smartphone unless you have a QR code threat analyzer installed.
Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.
Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. It’s also important to remember that attackers can create fake networks — so-called evil twins — disguised as legitimate public Wi-Fi in airports, hotels, cafés, and tourist spots.
For the average user, it’s practically impossible to tell how safe a specific access point is when trying to connect. That’s why the safest option is to use cellular data to access the internet — completely eliminating the need for Wi-Fi. Besides, there’s no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.
If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar — especially unsecured — Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Haven’t picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.
Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:
Don’t use public USB chargers
Don’t send sensitive information over connections that aren’t secure
Don’t log in to banking, email, or social media accounts over unsecured Wi-Fi
Turn off Bluetooth and NFC while walking around in crowded places
Don’t trust QR codes posted on the street
Connect to public Wi-Fi only when absolutely necessary
What else to read to make sure cheering for your favorite team isn’t only exciting, but also safe:
It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, and brand alerts hum in the background, rarely attracting scrutiny. You check, you answer, and minutes later you’ve slipped into a trap built to lower your guard and hijack your trust.
That’s why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now it’s instant — and that speed is a weapon in criminal hands.
On our blog, we’ve already examined numerous scam schemes in messaging apps — from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.
Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.
Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.
The damage is underestimated
How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? You’re underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim loses… $733!
Country | Average loss per victim
Senegal | $392.94
Serbia | $493.32
Morocco | $504.28
Greece | $609.32
United Kingdom | $617.38
Côte d’Ivoire | $654.11
Spain | $672.67
United States | $724.73
Portugal | $868.20
Italy | $896.02
France | $1,193.58
Germany | $1,369.35
The average amount lost by a victim in a successful attack via a messaging app
On the one hand, the financial hit doesn’t look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks don’t always investigate. Small enough to be dismissed as bad luck rather than organized crime.
But $733 is not nothing. It’s enough to cover a month’s worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a family’s budget.
In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.
Now imagine the scale of the problem: if just 10% of the three billion messaging‑app users worldwide fell victim with the average loss, the total damage would amount to… nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or Côte d’Ivoire.
It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.
Speed beats scrutiny
More than half of successful messaging scams (52%) unfold in under 30 minutes — from first contact to the moment money or personal data changes hands — or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutes — quicker than boiling an egg!
The speed isn’t accidental. It’s the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.
They rush you — faster, faster, don’t tell anyone, you only have a few minutes, solve the problem, don’t ask questions. Click the link, fill in the details, approve the transaction, or else… Or else what? The scammers’ imagination knows no bounds here, but if you don’t do something right now, you’ll definitely regret it.
Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal data — most commonly phone numbers, names, and email addresses — to scammers, and often the victim loses both.
Where and how attacks occur
A delivery notification, a bank alert, a message from a merchant you ordered from last week — messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldn’t feel like an attack. It should feel like the same message you’ve received hundreds of times.
It’s no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%) — these are the ones that people trust most.
A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide — accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.
At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.
AI has taken scams to a new level
Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.
Scam cartels want to catch people in motion — between meetings, on a commute, or during everyday tasks — when your attention is already fragmented. They mimic your mother’s turn of phrase. They match your bank’s tone of voice. They copy your courier’s format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.
What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.
The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.
That’s why mere awareness and “tech-savviness” may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.
And what about the emotional toll?
But money is far from the only problem a victim is left with after an attack. After what they’ve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.
This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.
Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.
After realizing they had been deceived, more than half of victims felt anger — the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration and 38% report feeling upset. Moreover, several months later these feelings haven’t gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.
And nearly one in 10 victims don’t tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.
So what can be done?
The crisis of trust — and even a touch of paranoia — that has arisen due to widespread attacks on users can linger in victims’ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:
Pause before you act. The sense of urgency you feel is almost always artificial. A legitimate bank, retailer, or delivery service won’t penalize you for taking 30 seconds to verify before clicking a link or confirming details. It’s precisely this instinct to resolve the situation quickly that scammers are counting on.
Verify through another channel. If a message appears to be from a relative, colleague, or company you trust — contact them through another channel before taking any action. Use secure verification methods, and cross-check identities when something doesn’t feel right. For families, agreeing on a “safe word” in advance can defeat even the most convincing voice clones.
Use a password manager. It will not only help you generate strong, unique passwords for all your accounts and store them securely, syncing them across all your devices, but also protect you from spoofed sites. Even if you click a phishing link and land on such a site, our password manager will notify you about the domain mismatch and refuse to autofill your username and password.
Use protection that works in real time. Modern security solutions, such as Kaspersky Premium, provide real-time protection against malicious links and phishing attempts in the apps and websites you use every day. On Android devices, a dedicated layer of anti-phishing security scans and neutralizes suspicious links as they appear, even within notifications, before you even have a chance to click them.
We’ve covered other threats in messaging apps in similar articles:
In this roundup, Tony looks at attacks against Polish water treatment facilities, how AI-directed attacks failed in Mexico, and what Google believes is the first AI-generated zero-day exploit
Threat actors are already gearing up for this year’s biggest football (soccer) event, the FIFA World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.
In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.
What are IPTV apps?
IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.
However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events; football matches in particular.
As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.
Massiv banking Trojan disguised as IPTV apps
For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasn’t the only malware leveraging this tactic — several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and Türkiye.
In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didn’t get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.
Of course, the most interesting activity happened out of the user’s sight. These are some of the features the malware did have:
Displaying fake windows on top of legitimate ones: fake forms for entering bank details or signing in to official services, as shown in the screenshot below.
Activating a keylogger: recording and transmitting screen keyboard taps to the attackers.
Hijacking control of the compromised device.
The Massiv banking Trojan mimics the interface of the Portuguese government app Chave Móvel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play.
Perseus steals valuable information from users’ notes
In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.
Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.
Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices — a topic we’ve covered in detail across several of our posts.
An example of a malicious APK disguised as Roja Directa TV, another IPTV app.
By abusing Accessibility Services, Perseus gains remote control over the victim’s device. Here’s what it can do:
Continuously capture and exfiltrate screenshots.
Send a structured map of the device’s UI for remote manipulation.
Mimic taps, swipes, text input, long presses, and other UI interactions.
Turn on the screen, launch apps, and block them from running.
Trigger a pitch-black screen overlay to hide its activities.
Log keystrokes.
On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.
All of these capabilities help criminals drain football fans’ money not just from various banking services, but from cryptocurrency apps as well.
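Both Massiv and Perseus depend on an accessibility service that the victim enabled for a side-loaded "IPTV" app. The check below, added here and not code from the Kaspersky post, reads the device's enabled accessibility services and installer information (formats of the two adb outputs are assumed; the allowlist, store list and sample device output are constructed) and flags services that are neither allowlisted nor installed from a known store.

```python
"""Flag Android accessibility services outside an allowlist and whether the owning
app was side-loaded. Added example, not code from the Kaspersky post; allowlist, store
list and device output are constructed, and the adb output formats are assumed."""
import re

ALLOWED_SERVICES = {  # assumed: services this device legitimately runs (TalkBack = screen reader)
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_STORES = {"com.android.vending"}  # Google Play; add OEM stores you trust

# Constructed stand-in for:  adb shell settings get secure enabled_accessibility_services
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptv.worldcup/com.example.iptv.worldcup.svc.OverlayService"
)
# Constructed stand-in for:  adb shell pm list packages -i
SAMPLE_PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptv.worldcup  installer=null
"""

def parse_enabled_services(setting: str) -> list[str]:
    """Colon-separated ComponentName strings (package/class); empty or 'null' means none."""
    if not setting or setting.strip() == "null":
        return []
    return [s.strip() for s in setting.split(":") if s.strip()]

def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer from 'package:<pkg>  installer=<store|null>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def audit(setting: str, pm_output: str, allowed=ALLOWED_SERVICES, stores=KNOWN_STORES) -> list[dict]:
    """One finding per enabled service not on the allowlist; 'high' severity when the owning
    package did not come from a known store (a side-loaded APK, as with the fake IPTV apps)."""
    installers = parse_installers(pm_output)
    findings = []
    for svc in parse_enabled_services(setting):
        if svc in allowed:
            continue
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")  # 'unknown' = package not in pm output
        findings.append({"service": svc, "package": pkg, "installer": installer,
                         "severity": "high" if installer not in stores else "medium"})
    return findings
```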
How not to let cybercrooks ruin your World Cup
The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this year’s premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch the matches safely?
Don’t download apps from unofficial stores.
Even when downloading an app from an official store — since malware occasionally slips through the cracks there, too — read the reviews carefully. Users who have been burned by fakes and malware often leave comments to warn others.
Avoid storing passwords or other sensitive information in note-taking apps. To ensure your data and finances stay secure, use a reliable password manager. By the way, Kaspersky Password Manager includes an encrypted note-taking feature, allowing you to store your valuable information safely.
You can’t even watch TV safely anymore these days! Check out other threats facing TV lovers:
How fake Android IPTV apps are stealing users’ money and data | Kaspersky official blog (2026-05-29)
Welcome to this week’s edition of the Threat Source newsletter.
Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I’ve been chewing on that one for a while because I’m rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it.
Honestly speaking, most of us are still prioritising the wrong way. CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It’s a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that’s being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you’re spending finite operations capacity on hypotheticals.
This is where EPSS (Exploit Prediction Scoring System) earns its place next to CVSS. EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions:
Feature      | CVSS                      | EPSS
Focus        | Severity (impact)         | Risk (likelihood of exploitation)
Nature       | Static (usually)          | Dynamic (updated daily)
Output       | 0.0 to 10.0 score         | 0.0 to 1.0 probability
Primary use  | Assesses technical impact | Prioritizes remediation
CVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon. Used together, a high CVSS and a high EPSS is your “drop everything” pile, while a high CVSS and a very low EPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture.
The second ingredient is knowing what is actually being exploited — and here, many teams default to CISA’s KEV catalog. KEV is excellent, and I’ve quoted KEV numbers in this newsletter more times than I can count. CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, enriching records alongside the original CNA’s data. That model works well, but it’s also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and writing this from Germany, I notice — “Is this being exploited?” deserves a broader lens.
That broader lens is starting to take shape with GCVE (Global CVE), a decentralized approach to vulnerability identification and enrichment. Two properties matter for the surge that’s coming:
Speed of enrichment. Because GCVE is decentralized, enrichment data — references, affected products, exploit indicators — doesn’t have to wait in a single queue. In practice, actionable context arrives meaningfully faster than the traditional NVD pipeline, which has visibly struggled with backlog over the past two years.
Broader exploitation signal. Rather than a single authoritative list of what is being exploited, GCVE makes room for multiple sources of exploitation evidence to surface against the same identifier. That gives defenders outside the U.S. (and frankly, inside it too) a more complete picture than KEV alone.
Pair that with EPSS on top of CVSS, and you end up with a triage stack that is faster, broader, and probability-informed rather than only severity.
None of this removes the patching workload that is coming, but it does change which patches you sprint on at 2:00 a.m. and which ones can ride the normal cycle. Before the surge arrives, that’s a worthwhile thing to get right.
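The triage logic above (severity from CVSS, likelihood from EPSS, plus any exploitation evidence from KEV or GCVE sources) as a small patch-queue sorter. This is an added example, not code from the newsletter; the bucket thresholds are assumptions and the CVE identifiers and scores are constructed placeholders.

```python
"""Patch-queue triage that combines EPSS likelihood with CVSS severity.
Added example, not code from the Threat Source newsletter; the thresholds,
CVE identifiers and scores below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # identifier (placeholder values below, not real CVEs)
    cvss: float              # CVSS base score 0.0-10.0: how bad if exploited
    epss: float              # EPSS probability 0.0-1.0: chance of exploitation in 30 days
    exploited: bool = False  # in-the-wild evidence from KEV, GCVE sources, own telemetry


BUCKET_RANK = {"sprint": 0, "next": 1, "routine": 2}


def triage_bucket(f: Finding, cvss_high: float = 7.0, epss_high: float = 0.5) -> str:
    """Assign the newsletter's piles (thresholds are assumed, not published cut-offs):
    sprint  - confirmed exploitation, or high severity AND high likelihood
    next    - high likelihood whatever the severity (a medium at EPSS 0.7 beats a dormant 9.8)
    routine - everything else, including a critical CVSS with negligible EPSS"""
    if f.exploited or (f.cvss >= cvss_high and f.epss >= epss_high):
        return "sprint"
    if f.epss >= epss_high:
        return "next"
    return "routine"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Queue order: bucket first, then severity, then likelihood within the bucket."""
    return sorted(findings, key=lambda f: (BUCKET_RANK[triage_bucket(f)], -f.cvss, -f.epss))


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The default most teams still use: severity alone."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample queue (identifiers and scores are made up for the example)
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.002),                 # critical, nobody exploiting
    Finding("CVE-0000-0002", cvss=7.2, epss=0.91),                  # weaponised in the wild
    Finding("CVE-0000-0003", cvss=5.5, epss=0.70),                  # medium but actively probed
    Finding("CVE-0000-0004", cvss=6.1, epss=0.01, exploited=True),  # listed as exploited
    Finding("CVE-0000-0005", cvss=4.3, epss=0.003),                 # low on both axes
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage_bucket(f):8} {f.cve}  CVSS={f.cvss:<4} EPSS={f.epss:.3f}")
```

Compare `prioritize(SAMPLE)` with `cvss_only(SAMPLE)`: the dormant 9.8 drops from the top of the queue to the routine cycle, and the actively exploited 7.2 and 6.1 move ahead of it.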
The one big thing
Cisco Talos released EvidenceForge, a new open-source tool designed to generate highly realistic, correlated synthetic security logs. This tool solves the chronic shortage of high-quality, labeled datasets needed to train threat hunters and validate detection logic. By using a single canonical event model and AI-assisted scenario authoring, EvidenceForge ensures causal and temporal consistency across more than 20 log formats.
Why do I care?
Relying on heavily scrubbed public datasets or red team engagements often leaves security teams with incomplete telemetry. While most synthetic generators spit out independent events that fail to tell a coherent story, EvidenceForge injects realistic background noise, red herrings, and proper causal sequencing into the mix. This allows your team to work with synchronized datasets that (more) accurately mimic real-world network visibility without the compliance headaches of using production data.
So now what?
Security teams can head over to GitHub to clone the EvidenceForge repository and use its guided conversation feature to build custom attack scenarios. Defenders can then use these newly generated datasets to build robust SOC analyst training programs, stress-test a new SIEM, and validate detection pipelines before they touch a production environment. You can find the full details and the link to the open-source repository in the blog post.
Top security headlines of the week
Lawmakers demand answers as CISA tries to contain data leak Lawmakers are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. (KrebsOnSecurity)
Over 5,500 GitHub repositories infected in “Megalodon” supply chain attack The campaign relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows were injected through over 5,700 malicious commits pushed to the impacted repositories on May 18. (SecurityWeek)
Authorities seized 800 servers of hosting company used to launch cyber attacks The investigation centers on a web hosting company established on Feb. 10, 2022, weeks before Russia invaded Ukraine. The infrastructure was allegedly used to support cyber attacks, disinformation campaigns, and sanctions evasion linked to Russia. (CyberSecurityNews)
Content delivery exploit opens websites to brand hijacking The Underminr domain-fronting attack allows threat actors to modify web requests and leverage trusted websites to cloak malicious activity. (Dark Reading)
Cisco’s risk-based vulnerability disclosure in the age of AI Cisco is adapting its vulnerability disclosure practices, focusing on increasing the visibility of detailed technical information for vulnerabilities that are critical, actively exploited, or have a higher likelihood of exploitation. (Cisco blog)
Can’t get enough Talos?
DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. Our latest white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.
MediaArea heap-based buffer overflow vulnerabilities MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. Talos discovered four vulnerabilities in MediaInfoLib, which provides a UI for technical and tag data for video and audio media files.
Breaking things to keep them safe with Philippe Laulheret From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research.
Over the last decade, DICOM parsing has become an active research topic. The reason is simple: DICOM is both critical and complicated. Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. That means malformed data could directly trigger vulnerable decoders — the holy grail of attack surfaces for those studying robustness.
This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. The objective is to show how an Orthanc server can be targeted during the image upload process, resulting in an out-of-bounds write.
DICOM, Pydicom, GDCM, and Orthanc
A technical tour of what really happens in the heap
DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap (2026-05-28)